No critical extension indication in openssl_x509_parse() output. #20310

@StephenWall

Description

The following code:

<?PHP
$cert = "-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----";

print_r( openssl_x509_parse( $cert ) );

Resulted in this output:

Array
(
    [name] => /CN=Henrique do N. Angelo/C=BR/ST=Rio Grande do Sul/L=Porto Alegre/[email protected]
    [subject] => Array
        (
            [CN] => Henrique do N. Angelo
            [C] => BR
            [ST] => Rio Grande do Sul
            [L] => Porto Alegre
            [emailAddress] => [email protected]
        )

    [hash] => 0206b91d
    [issuer] => Array
        (
            [CN] => Henrique do N. Angelo
            [C] => BR
            [ST] => Rio Grande do Sul
            [L] => Porto Alegre
            [emailAddress] => [email protected]
        )

    [version] => 2
    [serialNumber] => 0x5EE94A5F3A71AF7DEC57FD8BC08D3ECA1A540198
    [serialNumberHex] => 5EE94A5F3A71AF7DEC57FD8BC08D3ECA1A540198
    [validFrom] => 251002180630Z
    [validTo] => 261002180630Z
    [validFrom_time_t] => 1759428390
    [validTo_time_t] => 1790964390
    [signatureTypeSN] => RSA-SHA1
    [signatureTypeLN] => sha1WithRSAEncryption
    [signatureTypeNID] => 65
    [purposes] => Array
        (
          ...
        )

    [extensions] => Array
        (
            [subjectKeyIdentifier] => DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D
            [authorityKeyIdentifier] => DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D
            [basicConstraints] => CA:TRUE
        )
)

Feeding that same certificate through openssl x509 -noout -text results in this output:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5e:e9:4a:5f:3a:71:af:7d:ec:57:fd:8b:c0:8d:3e:ca:1a:54:01:98
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Henrique do N. Angelo, C = BR, ST = Rio Grande do Sul, L = Porto Alegre, emailAddress = [email protected]
        Validity
            Not Before: Oct  2 18:06:30 2025 GMT
            Not After : Oct  2 18:06:30 2026 GMT
        Subject: CN = Henrique do N. Angelo, C = BR, ST = Rio Grande do Sul, L = Porto Alegre, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D
            X509v3 Authority Key Identifier:
                DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
    Signature Value:
        ...

Note that the Basic Constraints is critical, but there is no indication of that in the openssl_x509_parse() output. I propose adding [basicConstraints:critical] => true to the output to provide that information in a backwards compatible way.

PHP Version

PHP 8.3.6 (cli) (built: Aug 26 2025 13:10:20) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.3.6, Copyright (c) Zend Technologies
    with Zend OPcache v8.3.6, Copyright (c), by Zend Technologies

Operating System

Ubuntu 24.04
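
An added example, not part of the original issue and not php-src code: the critical flag that openssl_x509_parse() leaves out can be read from the certificate's DER, where RFC 5280 encodes each Extension as SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }. The function names are hypothetical, and the sample bytes are constructed by hand from the three extension values shown in the output above.

```php
<?php
// Read one DER TLV at $pos: returns [tag, content bytes, offset of the next TLV].
function der_read(string $der, int $pos): array {
    if ($pos + 2 > strlen($der)) throw new UnexpectedValueException('truncated DER');
    $tag = ord($der[$pos++]);
    $len = ord($der[$pos++]);
    if ($len & 0x80) {                       // long form: low 7 bits count the length bytes
        $n = $len & 0x7f;
        if ($n < 1 || $n > 4 || $pos + $n > strlen($der)) throw new UnexpectedValueException('bad DER length');
        for ($len = 0; $n > 0; $n--) $len = ($len << 8) | ord($der[$pos++]);
    }
    if ($pos + $len > strlen($der)) throw new UnexpectedValueException('truncated DER');
    return [$tag, substr($der, $pos, $len), $pos + $len];
}
// Split the content of a constructed value into [tag, content] pairs.
function der_children(string $content): array {
    for ($out = [], $pos = 0; $pos < strlen($content);) {
        [$tag, $val, $pos] = der_read($content, $pos);
        $out[] = [$tag, $val];
    }
    return $out;
}
// Decode OBJECT IDENTIFIER content bytes into dotted form, e.g. 2.5.29.19.
function oid_string(string $bytes): string {
    $arcs = []; $v = 0;
    foreach (unpack('C*', $bytes) as $b) {
        $v = ($v << 7) | ($b & 0x7f);
        if (!($b & 0x80)) { $arcs[] = $v; $v = 0; }
    }
    $top = min(intdiv($arcs[0], 40), 2);     // the first two arcs share the first subidentifier
    return implode('.', array_merge([$top, $arcs[0] - 40 * $top], array_slice($arcs, 1)));
}
// Map extension OID => critical flag. Accepts a DER Certificate or a bare Extensions SEQUENCE.
function extension_criticality(string $der): array {
    $exts = der_children(der_read($der, 0)[1]);
    if (count($exts) === 3 && $exts[2][0] === 0x03) {   // Certificate: third field is the signature BIT STRING
        $tbs = der_children($exts[0][1]); $exts = [];
        foreach ($tbs as [$t, $v]) if ($t === 0xA3) $exts = der_children(der_read($v, 0)[1]);  // [3] EXPLICIT Extensions
    }
    $flags = [];
    foreach ($exts as [, $ext]) {
        $f = der_children($ext);             // extnID, optional BOOLEAN critical, extnValue
        if (count($f) < 2 || $f[0][0] !== 0x06 || $f[0][1] === '') throw new UnexpectedValueException('not an Extension');
        $flags[oid_string($f[0][1])] = $f[1][0] === 0x01 && $f[1][1] !== "\x00";
    }
    return $flags;
}
// Constructed sample: subjectKeyIdentifier, authorityKeyIdentifier and critical basicConstraints, hand-encoded.
$kid = hex2bin('db7e4072bd5c3585ec29298112e862686ab73f7d');
print_r(extension_criticality(hex2bin('3051301d0603551d0e04160414') . $kid . hex2bin('301f0603551d23041830168014') . $kid . hex2bin('300f0603551d130101ff040530030101ff')));
```

For a PEM certificate, strip the BEGIN/END lines and base64_decode() the body before passing it in.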
