From ee939b70d316fba104a2d41b72b2c17ac711be6c Mon Sep 17 00:00:00 2001
From: "Ben Scholzen (DASPRiD)"
Date: Sat, 20 Oct 2018 02:19:09 +0200
Subject: [PATCH] Add openssl_x509_verify() function

This patch introduces a wrapper around OpenSSL's X509_verify() function.
---
 ext/openssl/openssl.c | 46 ++++++++++++++++++++++
 ext/openssl/php_openssl.h | 1 +
 ext/openssl/tests/openssl_x509_verify.phpt | 32 +++++++++++++++
 ext/openssl/tests/public_rsa_2048.key | 9 +++++
 4 files changed, 88 insertions(+)
 create mode 100644 ext/openssl/tests/openssl_x509_verify.phpt
 create mode 100644 ext/openssl/tests/public_rsa_2048.key

diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 89c84b42e49..7fcab17ed66 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -153,6 +153,11 @@ ZEND_BEGIN_ARG_INFO(arginfo_openssl_x509_check_private_key, 0)
 ZEND_ARG_INFO(0, key)
 ZEND_END_ARG_INFO()
 
+ZEND_BEGIN_ARG_INFO(arginfo_openssl_x509_verify, 0)
+ ZEND_ARG_INFO(0, cert)
+ ZEND_ARG_INFO(0, key)
+ZEND_END_ARG_INFO()
+
 ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_parse, 0, 0, 1)
 ZEND_ARG_INFO(0, x509)
 ZEND_ARG_INFO(0, shortname)
@@ -492,6 +497,7 @@ static const zend_function_entry openssl_functions[] = {
 PHP_FE(openssl_x509_parse, arginfo_openssl_x509_parse)
 PHP_FE(openssl_x509_checkpurpose, arginfo_openssl_x509_checkpurpose)
 PHP_FE(openssl_x509_check_private_key, arginfo_openssl_x509_check_private_key)
+ PHP_FE(openssl_x509_verify, arginfo_openssl_x509_verify)
 PHP_FE(openssl_x509_export, arginfo_openssl_x509_export)
 PHP_FE(openssl_x509_fingerprint, arginfo_openssl_x509_fingerprint)
 PHP_FE(openssl_x509_export_to_file, arginfo_openssl_x509_export_to_file)
@@ -2224,6 +2230,46 @@ PHP_FUNCTION(openssl_x509_check_private_key)
 }
 /* }}} */
 
+/* {{{ proto int openssl_x509_verify(mixed cert, mixed key)
+ Verifies the signature of certificate cert using public key key */
+PHP_FUNCTION(openssl_x509_verify)
+{
+ zval * zcert, *zkey;
+ X509 * cert = NULL;
+ EVP_PKEY * key = NULL;
+ zend_resource *keyresource = NULL;
+ int err = -1;
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "zz", &zcert, &zkey) == FAILURE) {
+ return;
+ }
+ cert = php_openssl_x509_from_zval(zcert, 0, NULL);
+ if (cert == NULL) {
+ RETURN_LONG(err);
+ }
+ key = php_openssl_evp_from_zval(zkey, 1, NULL, 0, 0, &keyresource);
+ if (key == NULL) {
+ X509_free(cert);
+ RETURN_LONG(err);
+ }
+
+ err = X509_verify(cert, key);
+
+ if (err < 0) {
+ php_openssl_store_errors();
+ }
+
+ if (keyresource == NULL && key) {
+ EVP_PKEY_free(key);
+ }
+ if (Z_TYPE_P(zcert) != IS_RESOURCE) {
+ X509_free(cert);
+ }
+
+ RETURN_LONG(err);
+}
+/* }}} */
+
 /* Special handling of subjectAltName, see CVE-2013-4073
 * Christian Heimes
 */
diff --git a/ext/openssl/php_openssl.h b/ext/openssl/php_openssl.h
index b9026a503de..abe358fe67e 100644
--- a/ext/openssl/php_openssl.h
+++ b/ext/openssl/php_openssl.h
@@ -127,6 +127,7 @@ PHP_FUNCTION(openssl_x509_export);
 PHP_FUNCTION(openssl_x509_fingerprint);
 PHP_FUNCTION(openssl_x509_export_to_file);
 PHP_FUNCTION(openssl_x509_check_private_key);
+PHP_FUNCTION(openssl_x509_verify);
 
 PHP_FUNCTION(openssl_pkcs12_export);
 PHP_FUNCTION(openssl_pkcs12_export_to_file);
diff --git a/ext/openssl/tests/openssl_x509_verify.phpt b/ext/openssl/tests/openssl_x509_verify.phpt
new file mode 100644
index 00000000000..293c004b90e
--- /dev/null
+++ b/ext/openssl/tests/openssl_x509_verify.phpt
@@ -0,0 +1,32 @@
+--TEST--
+openssl_x509_verify() tests
+--SKIPIF--
+
+--FILE--
+
+--EXPECT--
+int(1)
+int(-1)
+int(-1)
+int(-1)
+int(1)
+int(0)
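Review bot: The `key == NULL` early exit in PHP_FUNCTION(openssl_x509_verify) calls `X509_free(cert)` unconditionally, while the normal exit a few lines below frees the certificate only when `Z_TYPE_P(zcert) != IS_RESOURCE` — the ownership rule the function itself encodes is that an X509 obtained from a resource via `php_openssl_x509_from_zval(zcert, 0, NULL)` still belongs to that resource. A certificate passed as a resource together with a key that fails to parse therefore frees an object the resource will free again when it is released; the early path should use the same guard, `if (Z_TYPE_P(zcert) != IS_RESOURCE) { X509_free(cert); }`. The proto comment could also spell out the return contract so callers do not treat the result as a boolean: 1 when the signature verifies, 0 when it does not match the key, -1 when either input could not be loaded or OpenSSL reported an error (the latter is the only case where errors are stored). It is worth stating there too that, like X509_verify(), this checks only the certificate's own signature against the supplied key — chain, validity period and purpose are not examined here.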
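Review bot: The --SKIPIF-- and --FILE-- sections of openssl_x509_verify.phpt arrive empty on this page, so only the --EXPECT-- block with its six results (1, -1, -1, -1, 1, 0) can be reviewed and the inputs behind them cannot be checked. Presumably the three -1 results are load failures and 1/0 the two signature outcomes; none of them appears to pass the certificate as an X.509 resource together with an unloadable key, which is the path where the new function frees the certificate before its resource is released. A case of that shape, followed by a further use of the same resource, would make that cleanup observable in the test rather than only at process exit.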
diff --git a/ext/openssl/tests/public_rsa_2048.key b/ext/openssl/tests/public_rsa_2048.key
new file mode 100644
index 00000000000..de3bc9e7013
--- /dev/null
+++ b/ext/openssl/tests/public_rsa_2048.key
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArbUmVW1Y+rJzZRC3DYB0
+kdIgvk7MAday78ybGPPDhVlbAb4CjWbaPs4nyUCTEt9KVG0H7pXHxDbWSsC2974z
+dvqlP0L2op1/M2SteTcGCBOdwGH2jORVAZL8/WbTOf9IpKAM77oN14scsyOlQBJq
+hh+xrLg8ksB2dOos54yDqo0Tq7R5tldV+alKZXWlJnqRCfFuxvqtfWI5nGTAedVZ
+hvjQfLQQgujfXHoFWoGbXn2buzfwKGJEeqWPbQOZF/FeOJPlgOBhhDb3BAFNVCtM
+3k71Rblj54pNd3yvq152xsgFd0o3s15fuSwZgerUjeEuw/wTK9k7vyp+MrIQHQmP
+dQIDAQAB
+-----END PUBLIC KEY-----