On Wed, May 31, 2017 at 11:19 AM, Jelle van der Waa <je...@vdwaa.nl> wrote:
> I would like to propose the addition of openssl_pkcs7_read and extending
> openssl_pkcs7_verify to also return a PKCS7 structure. The reasoning for
> the addition of these functions is the requirement at work to obtain the
> CA certificates usually sent along with a signed email. The CA
> certificates are required for OCSP verification (which is currently done
> in pure PHP; I would also like to see this added to PHP in the future).
>
> It is currently impossible to acquire the CA certificates with the
> openssl functions which PHP provides; I've also found a bug report
> requesting the ability to read a PKCS7 blob. [1]
>
> To summarize, I would propose to add an optional parameter to
> openssl_pkcs7_verify which takes a string that defines the location
> where the PKCS7 blob should be stored.
>
> $pkcs7 = "chain.pk7";
> openssl_pkcs7_verify($file, PKCS7_NOVERIFY, $outfile, [], $outfile,
> $content, $pkcs7);
>
> To be able to read the blob, I would propose a new function
> openssl_pkcs7_read which returns an array of strings containing the PEM
> certificates in the PKCS7 blob. I've based the naming and behaviour on
> openssl_pkcs12_read.
>
> openssl_pkcs7_read($pkcs7, $data);
> var_dump($data);
>
> I've implemented the above mentioned changes in my fork of PHP; mind
> that the code isn't ready for a PR yet since there are some styling
> issues, possible memory leaks and of course missing tests. The code
> however works as a proof of concept. [2]
>
> For further background information, obtaining the pk7 output can be done
> with the 'openssl' tool:
>
> openssl smime -verify -pk7out -in signed_email.eml > foo.pkcs7
> openssl pkcs7 -print_certs -in foo.pkcs7
>

It seems reasonable from the quick look. I don't think we need an RFC unless there are some objections. Once it's ready, a PR should be enough IMHO.

Cheers

Jakub
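A constructed end-to-end walkthrough of the openssl steps quoted in the thread, added here and not part of either message: it builds a throwaway CA and signer, signs a message so the CA certificate travels inside the signature, then pulls the certificate chain back out of the PKCS#7 blob, which is exactly what the proposed PHP functions would expose. All file names (ca.crt, signer.crt, signed_email.eml, foo.pkcs7, chain.pem) and the test subjects are assumptions.

```shell
#!/bin/sh
# Constructed demo (not from the thread): throwaway CA + signer, S/MIME sign,
# then recover the certificate chain from the PKCS#7 structure.
set -e

# Prints the number of certificates carried in the PKCS#7 structure of a
# freshly signed message. Runs in a temporary directory; file names are
# assumptions chosen for this example.
extract_chain_certs() {
    workdir=$(mktemp -d)
    cd "$workdir"
    # Self-signed test CA and a leaf (signer) certificate it issues.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "/CN=Test CA" -days 1 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout signer.key -out signer.csr \
        -subj "/CN=signer@example.test" 2>/dev/null
    openssl x509 -req -in signer.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out signer.crt -days 1 2>/dev/null
    # Sign a constructed message; -certfile embeds the CA cert in the
    # signature, which is the chain the proposal wants PHP to hand back.
    printf 'Subject: test\n\nhello\n' > body.txt
    openssl smime -sign -in body.txt -signer signer.crt -inkey signer.key \
        -certfile ca.crt -out signed_email.eml
    # Write out the PEM PKCS#7 structure carried by the signed MIME message
    # (-pk7out is the mode that does this; the thread spells it -verify -pk7out).
    openssl smime -pk7out -in signed_email.eml -out foo.pkcs7
    # Dump the certificates it carries and confirm they suffice to build the
    # signer's chain, i.e. the issuer needed for an OCSP lookup is present.
    openssl pkcs7 -print_certs -in foo.pkcs7 -out chain.pem
    openssl verify -CAfile chain.pem signer.crt >/dev/null
    grep -c 'BEGIN CERTIFICATE' chain.pem
}

echo "certificates in PKCS#7 blob: $(extract_chain_certs)"
```

With the signer certificate plus the one CA certificate from -certfile, the count is 2; a real message may carry a longer intermediate chain, which is why extracting the blob rather than assuming a fixed issuer matters.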