Merge branch 'PHP-7.4'

Author: nikic

ext/openssl/tests/CertificateGenerator.inc

@@ -3,6 +3,7 @@
 class CertificateGenerator
 {
     const CONFIG = __DIR__. DIRECTORY_SEPARATOR . 'openssl.cnf';
+    const SAN_CONFIG = __DIR__ . DIRECTORY_SEPARATOR . 'san.cnf';
 
     /** @var resource */
     private $ca;
@@ -82,23 +83,36 @@ class CertificateGenerator
         openssl_x509_export_to_file($this->ca, $file);
     }
 
-    public function saveNewCertAsFileWithKey($commonNameForCert, $file, $keyLength = null)
-    {
+    public function saveNewCertAsFileWithKey(
+        $commonNameForCert, $file, $keyLength = null, $subjectAltName = null
+    ) {
         $dn = [
             'countryName' => 'BY',
             'stateOrProvinceName' => 'Minsk',
             'localityName' => 'Minsk',
             'organizationName' => 'Example Org',
-            'commonName' => $commonNameForCert,
         ];
+        if ($commonNameForCert !== null) {
+            $dn['commonName'] = $commonNameForCert;
+        }
+
+        $config = [
+            'digest_alg' => 'sha256',
+            'req_extensions' => 'v3_req',
+            'x509_extensions' => 'usr_cert',
+        ];
+        if ($subjectAltName !== null) {
+            putenv("PHP_SUBJECTALTNAME=$subjectAltName");
+            $config['config'] = self::SAN_CONFIG;
+        }
 
         $this->lastKey = self::generateKey($keyLength);
         $this->lastCert = openssl_csr_sign(
-            openssl_csr_new($dn, $this->lastKey, ['req_extensions' => 'v3_req']),
+            openssl_csr_new($dn, $this->lastKey, $config),
             $this->ca,
             $this->caKey,
             /* days */ 2,
-            ['digest_alg' => 'sha256'],
+            $config,
         );
 
         $certText = '';

ext/openssl/tests/bug68265.pem

@@ -7,19 +7,22 @@ if (!function_exists("proc_open")) die("skip no proc_open");
 ?>
 --FILE--
 <?php
+$certFile = __DIR__ . DIRECTORY_SEPARATOR . 'bug68265.pem.tmp';
+$san = 'DNS:debs.ak-online.be., DNS:debs.ak-online.net.';
+
 $serverCode = <<<'CODE'
     $serverUri = "ssl://127.0.0.1:64321";
     $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
     $serverCtx = stream_context_create(['ssl' => [
-        'local_cert' => __DIR__ . '/bug68265.pem',
-        'passphrase' => 'elephpant',
+        'local_cert' => '%s',
     ]]);
 
     $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx);
     phpt_notify();
 
     stream_socket_accept($server, 30);
 CODE;
+$serverCode = sprintf($serverCode, $certFile);
 
 $clientCode = <<<'CODE'
     $serverUri = "ssl://127.0.0.1:64321";
@@ -35,8 +38,16 @@ $clientCode = <<<'CODE'
     var_dump(stream_socket_client($serverUri, $errno, $errstr, 1, $clientFlags, $clientCtx));
 CODE;
 
+include 'CertificateGenerator.inc';
+$certificateGenerator = new CertificateGenerator();
+$certificateGenerator->saveNewCertAsFileWithKey('test.com', $certFile, null, $san);
+
 include 'ServerClientTestCase.inc';
 ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
 ?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'bug68265.pem.tmp');
+?>
 --EXPECTF--
 resource(%d) of type (stream)

ext/openssl/tests/bug68265.phpt

@@ -7,19 +7,22 @@ if (!function_exists("proc_open")) die("skip no proc_open");
 ?>
 --FILE--
 <?php
+$certFile = __DIR__ . DIRECTORY_SEPARATOR . 'bug68879.pem.tmp';
+$san = 'DNS:test.com, DNS:www.test.com, DNS:subdomain.test.com, IP:0:0:0:0:0:FFFF:A02:1, IP:10.2.0.1';
+
 $serverCode = <<<'CODE'
     $serverUri = "ssl://127.0.0.1:64321";
     $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
     $serverCtx = stream_context_create(['ssl' => [
-        'local_cert' => __DIR__ . '/bug68879.pem',
-        'passphrase' => 'elephpant',
+        'local_cert' => '%s',
     ]]);
 
     $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx);
     phpt_notify();
 
     stream_socket_accept($server, 30);
 CODE;
+$serverCode = sprintf($serverCode, $certFile);
 
 $clientCode = <<<'CODE'
     $serverUri = "ssl://127.0.0.1:64321";
@@ -35,8 +38,16 @@ $clientCode = <<<'CODE'
     var_dump(stream_socket_client($serverUri, $errno, $errstr, 30, $clientFlags, $clientCtx));
 CODE;
 
+include 'CertificateGenerator.inc';
+$certificateGenerator = new CertificateGenerator();
+$certificateGenerator->saveNewCertAsFileWithKey('test.com', $certFile, null, $san);
+
 include 'ServerClientTestCase.inc';
 ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
 ?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'bug68879.pem.tmp');
+?>
 --EXPECTF--
 resource(%d) of type (stream)

ext/openssl/tests/bug68879.pem

@@ -0,0 +1,13 @@
+[ req ]
+distinguished_name = req_distinguished_name
+
+[ req_distinguished_name ]
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = ${ENV::PHP_SUBJECTALTNAME}
+
+[ usr_cert ]
+basicConstraints = CA:FALSE
+subjectAltName = ${ENV::PHP_SUBJECTALTNAME}

ext/openssl/tests/bug68879.phpt

@@ -7,11 +7,14 @@ if (!function_exists("proc_open")) die("skip no proc_open");
 ?>
 --FILE--
 <?php
+$certFile = __DIR__ . DIRECTORY_SEPARATOR . 'san_peer_matching.pem.tmp';
+$san = 'DNS:example.org, DNS:www.example.org, DNS:test.example.org';
+
 $serverCode = <<<'CODE'
     $serverUri = "ssl://127.0.0.1:64321";
     $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
     $serverCtx = stream_context_create(['ssl' => [
-        'local_cert' => __DIR__ . '/san-cert.pem',
+        'local_cert' => '%s',
     ]]);
 
     $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx);
@@ -20,13 +23,13 @@ $serverCode = <<<'CODE'
     @stream_socket_accept($server, 1);
     @stream_socket_accept($server, 1);
 CODE;
+$serverCode = sprintf($serverCode, $certFile);
 
 $clientCode = <<<'CODE'
     $serverUri = "ssl://127.0.0.1:64321";
     $clientFlags = STREAM_CLIENT_CONNECT;
     $clientCtx = stream_context_create(['ssl' => [
         'verify_peer' => false,
-        'cafile' => __DIR__ . '/san-ca.pem',
     ]]);
 
     phpt_wait();
@@ -38,9 +41,17 @@ $clientCode = <<<'CODE'
     var_dump(stream_socket_client($serverUri, $errno, $errstr, 1, $clientFlags, $clientCtx));
 CODE;
 
+include 'CertificateGenerator.inc';
+$certificateGenerator = new CertificateGenerator();
+$certificateGenerator->saveNewCertAsFileWithKey(null, $certFile, null, $san);
+
 include 'ServerClientTestCase.inc';
 ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
 ?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'san_peer_matching.pem.tmp');
+?>
 --EXPECTF--
 resource(%d) of type (stream)