check_cert() insists on all provided certificates to validate against system CA store #8371
Description
Description
The following code:
php -r "var_dump(openssl_x509_checkpurpose(file_get_contents('v_crt.pem'), X509_PURPOSE_SSL_SERVER, array('v_ca.pem')));"
Resulted in this output:
bool(false)
But I expected this output instead:
bool(true)
where v_cert.pem contains any letsencrypt issued certificate, v_ca.pem contains two intermediate certs (it's default chain from letsencrypt):
a)
Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Subject: C = US, O = Let's Encrypt, CN = R3
b)
Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
b) is issued by "DST Root CA X3" which is already expired certificate [1] that (this is important) no longer exists in local (system wide) ca-certificates store (verify that on your ca-certificates store).
openssl_x509_checkpurpose() uses check_cert() which calls X509_verify_cert().
Behaviour of this is all intermediate certs need to validate agains system ca store otherwise check fails. It will fail EVEN if we have one chain path that validates agains our ca system store.
Impact of this is that perfectly valid certificate chains are considered to be not ok for any purpose.
There is a flag that changes this bahaviour to say "ok" when at least single validated chain is found - X509_V_FLAG_PARTIAL_CHAIN. It makes logic sense for what openssl_x509_checkpurpose() is trying to do.
Some other users of this flag:
curl/curl#4655
curl/curl@146ccff
https://github.com/noxxi/p5-io-socket-ssl/blob/master/lib/IO/Socket/SSL.pm#L2475
PHP Version
PHP 8.1.4
Operating System
No response