CRL signing fails with PHP 7.2 #1243
Comments
|
Can you post your code? I tried to sign a CRL and encountered no issues: <?php
require_once __DIR__ . '/vendor/autoload.php';
error_reporting(E_ALL);
use phpseclib\Crypt\RSA;
use phpseclib\File\X509;
// Load the CA and its private key.
$pemcakey = '-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQC0N7wYdy8DdSa4DCk6gyVIndq7N896/OFFOMJ6GCacXmSIUH5+
JptX8mOsq0czAklA6InRqe8c+PCI4BP3hmvZJpANxhu/UrZOxwHxCq3twPERXoyV
hMd9+fsfKtNJWCmv5R25MrvUAisvOZvBPn1Jf7efX6vusm3WAEdDyK8hmwIDAQAB
AoGAKZVar4KAtJmJj5ouwTOVnMXfvKdKFqTXDfPk2+tKrXYSWGnKZi1eVtK1MRhs
W1bBtFpzwo8lf1fpmIurz8eShqsK5cZqY1bV/0g2nyKVFkUJJsULGkOLkOGo1Ac1
lh1bBPtQVYw5iy6WydxVNWps5/cYm60q7e2MgB7rbFxYrSECQQDsl38TAyDu5/PK
44DdY4Je/y26fXwuzkw7V/Tk2VfCv1pYqx+65Z7JG75la22Q7hlWipsRvt2M2VyX
X/pV3+0JAkEAwwBdYVORzs72fak7pJGKZPfRUgX4E4wHb3LSPfViYeXxoM7QYFIj
V/ke6FDvs51M31JqsdSjCFpygzgENn2mgwJBAMGs7uCQchhAlykife49tI6xlCyS
5uKmDG+T/CyO4zHQVVQ6mZn0uLxm0sDRZXr7/pACnRi0x0ay9QISFqrPyYkCQHoC
ymrRTVQnLxelQgpQflV6seAul/AzF5vmLiJSXUKAC9XgUYVTH4Y1+97EdZbe/3Bk
Mxodv/zECw6LiCdIK10CQQC2b11DZvuvb5CL7fWf/1Kc1bYD1Je/K+g3WWyRe3cs
I59zJcLzCoX0W6JWI6WLX3TycOWpU+Y/5k3urpNf+l4s
-----END RSA PRIVATE KEY-----';
$cakey = new RSA();
$cakey->loadKey($pemcakey);
$pemca = '-----BEGIN CERTIFICATE-----
MIIBwzCCASygAwIBAgIUUFQqs3DNCuPEHmCO7tF4btMiKD8wDQYJKoZIhvcNAQEF
BQAwHjEcMBoGA1UECgwTcGhwc2VjbGliIGRlbW8gY2VydDAeFw0xODAxMjAxNDEy
MTVaFw0xOTAxMjAxNDEyMTVaMB4xHDAaBgNVBAoME3BocHNlY2xpYiBkZW1vIGNl
cnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALQ3vBh3LwN1JrgMKTqDJUid
2rs3z3r84UU4wnoYJpxeZIhQfn4mm1fyY6yrRzMCSUDoidGp7xz48IjgE/eGa9km
kA3GG79Stk7HAfEKre3A8RFejJWEx335+x8q00lYKa/lHbkyu9QCKy85m8E+fUl/
t59fq+6ybdYAR0PIryGbAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAES2cxZ2WopL2
35LgFDo5bfmmMgPeRutRz5+uajPen3dCX/NKLgNdynhvEtfE51xdyLkX2dOzd+FB
E2kIP8bOCn2CoW7vLB/9PSyZLlfCkZ3b0gKanU44tH5DC35IrCGke7OC8AaSKl3/
17fMuQ+Q2q0WXr1hdAmydRJwaIj00jo=
-----END CERTIFICATE-----';
$ca = new X509();
$ca->loadX509($pemca);
$ca->setPrivateKey($cakey);
// Build the (empty) certificate revocation list.
$crl = new X509();
$crl->loadCRL($crl->saveCRL($crl->signCRL($ca, $crl)));
// Revoke a certificate.
$crl->setRevokedCertificateExtension('1234', 'id-ce-cRLReasons', 'privilegeWithdrawn');
// Sign the CRL.
$crl->setSerialNumber(1, 10);
$crl->setEndDate('+3 months');
//$crl->setExtension('id-ce-keyUsage', array('encipherOnly'));
$newcrl = $crl->signCRL($ca, $crl);
// Output it.
echo $crl->saveCRL($newcrl) . "\n";By default at least one extension is added to CRL's with phpseclib: cRLNumber: https://github.com/phpseclib/phpseclib/blob/2.0.9/phpseclib/File/X509.php#L3755 Here's what setExtension does: https://github.com/phpseclib/phpseclib/blob/2.0.9/phpseclib/File/X509.php#L4146 ie. if the extension is already present it'll try to replace it. Otherwise it'll append it to the end of the extensions array using Even if you tried to remove an extension it should reindex everything after the fact: https://github.com/phpseclib/phpseclib/blob/2.0.9/phpseclib/File/X509.php#L4065 (in particular, see the |
|
Hi, What can I do to help identify the issue? |
|
I was able to duplicate the problem. This appears to be a PHP bug. phpseclib calls It looks like there's already a bug report about it: https://bugs.php.net/bug.php?id=75433 I'll contemplate possible workarounds. Thanks for reporting! |
|
8aecafc should fix this if you want to confirm. |
|
Thanks, this fixes the issue. |
|
PHP 7.2.2 released, issue fixed: https://3v4l.org/PqtOI |
|
Good to know - thanks! |
Hi,
We have tried to sign a CRL with PHP 7.2 and it gives this error:
With PHP 7.1 this works fine. I've checked the line with the error:
By printing
$extensionsI've noticed that the array starts at 1 instead of 0, causing the error.Library version is latest from composer. What can I do to help resolve the issue?
Thanks
The text was updated successfully, but these errors were encountered: