No critical extension indication in openssl_x509_parse() output. #20310
Description
Description
The following code:
<?PHP
$cert = "-----BEGIN CERTIFICATE-----
MIIC4DCCAkmgAwIBAgIUXulKXzpxr33sV/2LwI0+yhpUAZgwDQYJKoZIhvcNAQEF
BQAwgYExHjAcBgNVBAMMFUhlbnJpcXVlIGRvIE4uIEFuZ2VsbzELMAkGA1UEBhMC
QlIxGjAYBgNVBAgMEVJpbyBHcmFuZGUgZG8gU3VsMRUwEwYDVQQHDAxQb3J0byBB
bGVncmUxHzAdBgkqhkiG9w0BCQEWEGhuYW5nZWxvQHBocC5uZXQwHhcNMjUxMDAy
MTgwNjMwWhcNMjYxMDAyMTgwNjMwWjCBgTEeMBwGA1UEAwwVSGVucmlxdWUgZG8g
Ti4gQW5nZWxvMQswCQYDVQQGEwJCUjEaMBgGA1UECAwRUmlvIEdyYW5kZSBkbyBT
dWwxFTATBgNVBAcMDFBvcnRvIEFsZWdyZTEfMB0GCSqGSIb3DQEJARYQaG5hbmdl
bG9AcGhwLm5ldDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAy16ej5ArW6Vf
j9YMBUFh+hM9FPN7hJkvCBp6XiPBZPK2P7xzmc2WWsUQsPpaMnN+NqggyEIXjDgj
ZuRZHr89Oqu+e/6KKIi0d8q8mBioihtSGSIqZZrbAveaCq81EipOtMLiNZm4KTFD
+Syov078XrOT5pFLV34ps9qoJHlHD6UCAwEAAaNTMFEwHQYDVR0OBBYEFNt+QHK9
XDWF7CkpgRLoYmhqtz99MB8GA1UdIwQYMBaAFNt+QHK9XDWF7CkpgRLoYmhqtz99
MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAc6jR36JD6xkzq2r0
uIEjhiieDfFXcAVgisqymPHt6DDMSajRskfWPO58ayBKmT2J1yPxx2vdjAZxIRcg
2a06ef2OxE62X4+WNm6skIKLCXmc3AgkT//cqCjOs54EQMpdCJ/mkkYo9gZMB1aQ
jgozP+80FNIaioaDWVZsTsg3q0Q=
-----END CERTIFICATE-----";
print_r( openssl_x509_parse( $cert ) );Resulted in this output:
Array
(
[name] => /CN=Henrique do N. Angelo/C=BR/ST=Rio Grande do Sul/L=Porto Alegre/emailAddress=hnangelo@php.net
[subject] => Array
(
[CN] => Henrique do N. Angelo
[C] => BR
[ST] => Rio Grande do Sul
[L] => Porto Alegre
[emailAddress] => hnangelo@php.net
)
[hash] => 0206b91d
[issuer] => Array
(
[CN] => Henrique do N. Angelo
[C] => BR
[ST] => Rio Grande do Sul
[L] => Porto Alegre
[emailAddress] => hnangelo@php.net
)
[version] => 2
[serialNumber] => 0x5EE94A5F3A71AF7DEC57FD8BC08D3ECA1A540198
[serialNumberHex] => 5EE94A5F3A71AF7DEC57FD8BC08D3ECA1A540198
[validFrom] => 251002180630Z
[validTo] => 261002180630Z
[validFrom_time_t] => 1759428390
[validTo_time_t] => 1790964390
[signatureTypeSN] => RSA-SHA1
[signatureTypeLN] => sha1WithRSAEncryption
[signatureTypeNID] => 65
[purposes] => Array
(
...
)
[extensions] => Array
(
[subjectKeyIdentifier] => DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D
[authorityKeyIdentifier] => DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D
[basicConstraints] => CA:TRUE
)
)
Feeding that same certificate through openssl x509 -noout -text results in this output:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
5e:e9:4a:5f:3a:71:af:7d:ec:57:fd:8b:c0:8d:3e:ca:1a:54:01:98
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN = Henrique do N. Angelo, C = BR, ST = Rio Grande do Sul, L = Porto Alegre, emailAddress = hnangelo@php.net
Validity
Not Before: Oct 2 18:06:30 2025 GMT
Not After : Oct 2 18:06:30 2026 GMT
Subject: CN = Henrique do N. Angelo, C = BR, ST = Rio Grande do Sul, L = Porto Alegre, emailAddress = hnangelo@php.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D
X509v3 Authority Key Identifier:
DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
Signature Value:
...
Note that the Basic Constraints is critical, but there is no indication of that in the openssl_x509_parse() output. I propose adding [basicConstraints:critical] => true to the output to provide that information in a backwards compatible way.
PHP Version
PHP 8.3.6 (cli) (built: Aug 26 2025 13:10:20) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.3.6, Copyright (c) Zend Technologies
with Zend OPcache v8.3.6, Copyright (c), by Zend Technologies
Operating System
Ubuntu 24.04