This test fails because san-cert.pem and san-ca.pem have expired. We
fix that by using the CertificateGenerator to generate temporary certs
during the test run. Since san-cert.pem and san-ca.pem have been
identical, we only generate one certificate.
Closes GH-7763.
Allow $tag to be null. This is the value that openssl_encrypt()
sets it to for non-AEAD ciphers, so we should also accept this
as an input to openssl_decrypt().
Prior to PHP 8.1, null was accepted in weak mode due to the special
treatment of null arguments to internal functions.
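
The round trip that relies on this behaviour, as an added example that is not part of the commit or of php-src. The helper names `box_seal()` and `box_open()` are hypothetical, and the key and message are constructed sample values.

```php
<?php
// Added illustration: one wrapper for AEAD and non-AEAD ciphers that always
// carries $tag from openssl_encrypt() to openssl_decrypt().

function box_seal(string $plain, string $cipher, string $key): array
{
    $iv = random_bytes(openssl_cipher_iv_length($cipher));
    // For a non-AEAD cipher openssl_encrypt() sets $tag to null; the @ silences
    // the warning PHP raises when a tag variable is passed to such a cipher.
    $ct = @openssl_encrypt($plain, $cipher, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encrypt failed: ' . openssl_error_string());
    }
    return ['ct' => $ct, 'iv' => $iv, 'tag' => $tag];
}

function box_open(array $box, string $cipher, string $key): string|false
{
    // $box['tag'] is null for CBC and a 16-byte string for GCM; both are
    // handed straight to openssl_decrypt().
    return openssl_decrypt($box['ct'], $cipher, $key, OPENSSL_RAW_DATA,
                           $box['iv'], $box['tag']);
}

$key = random_bytes(32);                 // constructed sample key
$msg = 'constructed sample message';

foreach (['aes-256-cbc', 'aes-256-gcm'] as $cipher) {
    $box = box_seal($msg, $cipher, $key);
    printf("%s: tag is %s, round trip %s\n",
        $cipher,
        $box['tag'] === null ? 'null' : strlen($box['tag']) . ' bytes',
        box_open($box, $cipher, $key) === $msg ? 'ok' : 'FAILED');
}

// For the AEAD cipher the tag is what authenticates the ciphertext:
// flipping one bit of it makes openssl_decrypt() return false.
$box = box_seal($msg, 'aes-256-gcm', $key);
$box['tag'][0] = chr(ord($box['tag'][0]) ^ 1);
var_dump(box_open($box, 'aes-256-gcm', $key));
```

The CBC ciphertext carries no authentication at all, so a caller using a non-AEAD cipher still needs a separate integrity check such as an HMAC over the IV and ciphertext.
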
The error codes used differ significantly, so use a separate test
file.
openssl_encrypt() no longer throws an error for invalid key length,
which looks like an upstream bug.
Instead of deprecated low-level API.
A caveat here is that when using the high-level API, OpenSSL 3
requires that if the prime factors are set, the CRT parameters
are also set. See https://github.com/openssl/openssl/issues/16271.
As such, add CRT parameters to the manual construction test.
This fixes the last deprecation warnings in openssl.c, but there
are more elsewhere.
All other private keys are exported in PKCS#8 format, while EC
keys use traditional format. Switch them to use PKCS#8 format as
well.
As the OpenSSL docs say:
> PEM_write_bio_PrivateKey_traditional() writes out a private key
> in the "traditional" format with a simple private key marker and
> should only be used for compatibility with legacy programs.
Same as with pkcs7, switch these tests to use an algorithm that
OpenSSL 3 supports out of the box.
Once again, we should consider changing the default or making it
required.
The default of OPENSSL_CIPHER_RC2_40 is no longer (non-legacy)
supported in OpenSSL 3; specify a newer cipher instead.
We should probably either change the default (if acceptable) or
make the parameter required.
This test is supposed to verify the path of the default OpenSSL config
file; it will fail, though, if OPENSSL_CONF is explicitly set, so we
explicitly unset this environment variable for this test.
openssl_pkey_new() fetches various options from the config file --
most of these are optional, and not specifying them is not an error
condition from the perspective of the user. Unfortunately, the
CONF_get_string() API pushes an error when accessing a key that
doesn't exist (_CONF_get_string does not, but that is presumably a
private API). This commit adds a helper php_openssl_conf_get_string()
that automatically clears the error in this case. I've found that
OpenSSL occasionally does the same thing internally:
https://github.com/openssl/openssl/blob/22040fb790c854cefb04bed98ed38ea6357daf83/apps/req.c#L515-L517
Closes GH-6699.