check_cert() and php_openssl_store_errors do not pick up validation errors

[arekm]

Description

The following code:

<?php

var_dump(openssl_x509_checkpurpose(file_get_contents('a.pem'), X509_PURPOSE_SSL_SERVER));
while ($msg = openssl_error_string())
    echo $msg . "<br />\n";"

where a.pem is

wget https://raw.githubusercontent.com/fuzyll/defcon-vm/master/extras/hfd/server.pem -O a.pem

(or any other single certificate file that won't validate; without intermediates etc)

Resulted in this output:

$ php x.php
bool(false)

But I expected this output instead:

$ php x.php
bool(false)
error: certificate chain too long (depth 0)

(or similar error message).

Why this doesn't work currently? Because X509_verify_cert() in check_cert() validation errors need to be picked up by

error = X509_STORE_CTX_get_error(csc)
X509_verify_cert_error_string(error)
X509_STORE_CTX_get_error_depth(csc)

which is not done in php ext/openssl internals.

PHP Version

PHP 8.1.4

Operating System

No response

[bukka]

I thought about this and it should not be mixed to errors returned from openssl_error_string. Those are cert store specific errors and they are different than the normal errors. I think we should introduce a reference argument that would allow returning errors through the parameters as a quick solution for this. Going forward it would be good to somehow expose cert store and mimic more the OpenSSL API which would allow to get those errors in a better way.

In any case, this is a feature request.