I would like to propose the addition of openssl_pkcs7_read and extending openssl_pkcs7_verify to also return a PKCS7 structure. The reasoning for the addition of these functions is the requirement at work to obtain the CA certificates usually sent along with a signed email. The CA certificates are required for OCSP verification (which is currently done in pure PHP; I would also like to see this added to PHP in the future).

It is currently impossible to acquire the CA certificates with the openssl functions which PHP provides. I've also found a bug report requesting the ability to read a PKCS7 blob. [1]

To summarize, I would propose to add an optional parameter to openssl_pkcs7_verify which takes a string that defines the location where the PKCS7 blob should be stored.

    $pkcs7 = "chain.pk7";
    openssl_pkcs7_verify($file, PKCS7_NOVERIFY, $outfile, [], $outfile, $content, $pkcs7);

To be able to read the blob, I would propose a new function openssl_pkcs7_read which returns an array of strings containing the PEM certificates in the PKCS7 blob. I've based the naming and behaviour on openssl_pkcs12_read.

    openssl_pkcs7_read($pkcs7, $data);
    var_dump($data);

I've implemented the above-mentioned changes in my fork of PHP; mind that the code isn't ready for a PR yet since there are some styling issues, possible memory leaks and of course missing tests. The code however works as a proof of concept. [2]

For further background information, obtaining the pk7 output can be done with the 'openssl' tool:

    openssl smime -verify -pk7out -in signed_email.eml > foo.pkcs7
    openssl pkcs7 -print_certs -in foo.pkcs7

[1] https://bugs.php.net/bug.php?id=72249
[2] https://github.com/jelly/php-src/commits/pkcs7

--
Jelle van der Waa
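The following is an added example, not code from the post above or from php-src, showing how the proposed pair of functions is used end to end for the OCSP use case the post describes. It assumes PHP 8.x, where this proposal has since shipped: openssl_pkcs7_verify accepts a seventh parameter naming the file the PKCS7 blob is written to, and openssl_pkcs7_read takes the PKCS7 data as a string (not a file name) and fills an array of PEM certificates. All file names are placeholders.

```php
<?php
// Added example (not from the original post or php-src).
// Assumes PHP >= 8.0: openssl_pkcs7_verify(..., $output_filename) and
// openssl_pkcs7_read(string $data, &$certificates) as shipped there.
declare(strict_types=1);

$signedEmail = 'signed_email.eml';   // placeholder: the S/MIME signed message
$signersFile = 'signers.pem';        // placeholder: signer cert(s) written by verify
$contentFile = 'content.txt';        // placeholder: verified message body
$pkcs7File   = 'chain.pk7';          // placeholder: PKCS7 blob (the -pk7out equivalent)

// PKCS7_NOVERIFY checks the signature itself but skips chain validation, so
// every certificate extracted below is untrusted input that came from the
// message; it still has to be validated against a trusted store (and the
// OCSP responders queried) before anything relies on it.
$ok = openssl_pkcs7_verify($signedEmail, PKCS7_NOVERIFY, $signersFile, [], null, $contentFile, $pkcs7File);
if ($ok !== true) {
    fwrite(STDERR, "signature check failed: " . openssl_error_string() . "\n");
    exit(1);
}

// Read the certificates carried in the blob as PEM strings.
$certs = [];
if (!openssl_pkcs7_read((string) file_get_contents($pkcs7File), $certs)) {
    fwrite(STDERR, "could not parse PKCS7 blob: " . openssl_error_string() . "\n");
    exit(1);
}

/**
 * Summarise one PEM certificate: subject, issuer CN, whether it is
 * self-signed (a root that must already be trusted locally), expiry, and
 * any OCSP responder URIs from the authorityInfoAccess extension, which is
 * the input an OCSP check needs.
 */
function summariseCert(string $pem): array
{
    $info = openssl_x509_parse($pem);
    if ($info === false) {
        throw new RuntimeException('unparseable certificate in PKCS7 blob');
    }
    // openssl_x509_parse reports AIA as text, e.g. "OCSP - URI:http://..."
    $aia = $info['extensions']['authorityInfoAccess'] ?? '';
    preg_match_all('/OCSP - URI:(\S+)/', $aia, $m);
    return [
        'subject'    => $info['name'],
        'issuer'     => $info['issuer']['CN'] ?? '(no CN)',
        'selfSigned' => $info['subject'] === $info['issuer'],
        'notAfter'   => date(DATE_ATOM, $info['validTo_time_t']),
        'ocsp'       => $m[1],
    ];
}

foreach ($certs as $i => $pem) {
    $s = summariseCert($pem);
    printf("[%d] %s\n    issuer: %s%s\n    expires: %s\n",
        $i, $s['subject'], $s['issuer'],
        $s['selfSigned'] ? ' (self-signed; trust only if in the local store)' : '',
        $s['notAfter']);
    foreach ($s['ocsp'] as $url) {
        printf("    OCSP responder: %s\n", $url);
    }
}
```

The split between signer certificates (written to $signersFile) and the full PKCS7 blob matters: the blob is what carries the intermediates the sender bundled, which is exactly what the post's OCSP verification needs and what was previously unreachable from PHP. A self-signed certificate appearing in the blob should never be taken as the trust anchor just because it was sent along; the anchor has to come from the local CA store passed in the $ca_info array on a subsequent full verification.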