Show an indicator of critical extensions in the openssl_x509_parse() … by StephenWall · Pull Request #20311 · php/php-src

StephenWall · 2025-10-27T17:31:58Z

…output in a backwards compatible way.

Fixes #20310

bukka · 2025-12-09T21:38:30Z

This looks slightly strange. How about a new field criticalExtension that would contain string array of critical extension names?

StephenWall · 2025-12-09T21:58:13Z

This looks slightly strange. How about a new field criticalExtension that would contain string array of critical extension names?

To clarify, $info['extensions'] is unchanged and a new $info['criticalExtensions'] has a list of the names of critical extensions?

$info['extensions'] => array (
  'basicConstraints' => 'CA:FALSE',
  ...
)

$info['criticalExtensions'] => array(
  'basicConstraints'
)

bukka · 2025-12-09T22:21:00Z

Yes, exactly.

…output in a backwards compatible way.

…the previous cert alone.

…" which contains the names of any critical extensions

StephenWall · 2025-12-10T16:24:53Z

OK, self test runs cleanly, I think this is set.

bukka · 2026-01-13T22:28:08Z

Looks good from a quick look. I will check it out again tomorrow and merge it if I don't find anything.

StephenWall requested a review from bukka as a code owner October 27, 2025 17:31

github-actions Bot added the Extension: openssl label Oct 27, 2025

StephenWall force-pushed the critical branch 5 times, most recently from 97e7639 to 208d4d4 Compare October 30, 2025 21:17

StephenWall added 6 commits December 10, 2025 09:27

Show an indicator of critical extensions in the openssl_x509_parse() …

acaf77d

…output in a backwards compatible way.

Beware realloc failing

b4e2a6d

move declaration of crit_name and crit_len to top of function

fc53d0b

put the "critical extension" test cert in a different file and leave …

f70d655

…the previous cert alone.

Update test for CVE 2013 4073 for new critical field

c678cca

Switch a separate entry in the return value named "criticalExtensions…

7e3162d

…" which contains the names of any critical extensions

StephenWall force-pushed the critical branch from 208d4d4 to 7e3162d Compare December 10, 2025 15:28

StephenWall added 5 commits December 10, 2025 10:30

extraneous blank line

5777fe2

Revert change to cve2013_4073.phpt

ebcec70

finish updating unit test

0fbcca2

Free critext if it is not used.

250c526

fix array count

cc0e3ef

bukka mentioned this pull request Jan 13, 2026

Add a function to parse a CSR #20344

Open

bukka closed this in c1d2875 Jan 14, 2026

StephenWall deleted the critical branch February 17, 2026 14:22

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Show an indicator of critical extensions in the openssl_x509_parse() …#20311

Show an indicator of critical extensions in the openssl_x509_parse() …#20311
StephenWall wants to merge 11 commits into
php:masterfrom
StephenWall:critical

StephenWall commented Oct 27, 2025

Uh oh!

bukka commented Dec 9, 2025

Uh oh!

StephenWall commented Dec 9, 2025

Uh oh!

bukka commented Dec 9, 2025

Uh oh!

StephenWall commented Dec 10, 2025

Uh oh!

bukka commented Jan 13, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

StephenWall commented Oct 27, 2025

Uh oh!

bukka commented Dec 9, 2025

Uh oh!

StephenWall commented Dec 9, 2025

Uh oh!

bukka commented Dec 9, 2025

Uh oh!

StephenWall commented Dec 10, 2025

Uh oh!

bukka commented Jan 13, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants