No critical extension indication in openssl_x509_parse() output. #20310

@StephenWall

Description

The following code:

```php
<?PHP
$cert = "-----BEGIN CERTIFICATE-----
MIIC4DCCAkmgAwIBAgIUXulKXzpxr33sV/2LwI0+yhpUAZgwDQYJKoZIhvcNAQEF
BQAwgYExHjAcBgNVBAMMFUhlbnJpcXVlIGRvIE4uIEFuZ2VsbzELMAkGA1UEBhMC
QlIxGjAYBgNVBAgMEVJpbyBHcmFuZGUgZG8gU3VsMRUwEwYDVQQHDAxQb3J0byBB
bGVncmUxHzAdBgkqhkiG9w0BCQEWEGhuYW5nZWxvQHBocC5uZXQwHhcNMjUxMDAy
MTgwNjMwWhcNMjYxMDAyMTgwNjMwWjCBgTEeMBwGA1UEAwwVSGVucmlxdWUgZG8g
Ti4gQW5nZWxvMQswCQYDVQQGEwJCUjEaMBgGA1UECAwRUmlvIEdyYW5kZSBkbyBT
dWwxFTATBgNVBAcMDFBvcnRvIEFsZWdyZTEfMB0GCSqGSIb3DQEJARYQaG5hbmdl
bG9AcGhwLm5ldDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAy16ej5ArW6Vf
j9YMBUFh+hM9FPN7hJkvCBp6XiPBZPK2P7xzmc2WWsUQsPpaMnN+NqggyEIXjDgj
ZuRZHr89Oqu+e/6KKIi0d8q8mBioihtSGSIqZZrbAveaCq81EipOtMLiNZm4KTFD
+Syov078XrOT5pFLV34ps9qoJHlHD6UCAwEAAaNTMFEwHQYDVR0OBBYEFNt+QHK9
XDWF7CkpgRLoYmhqtz99MB8GA1UdIwQYMBaAFNt+QHK9XDWF7CkpgRLoYmhqtz99
MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAc6jR36JD6xkzq2r0
uIEjhiieDfFXcAVgisqymPHt6DDMSajRskfWPO58ayBKmT2J1yPxx2vdjAZxIRcg
2a06ef2OxE62X4+WNm6skIKLCXmc3AgkT//cqCjOs54EQMpdCJ/mkkYo9gZMB1aQ
jgozP+80FNIaioaDWVZsTsg3q0Q=
-----END CERTIFICATE-----";

print_r( openssl_x509_parse( $cert ) );
```

Resulted in this output:

```
Array
(
    [name] => /CN=Henrique do N. Angelo/C=BR/ST=Rio Grande do Sul/L=Porto Alegre/emailAddress=hnangelo@php.net
    [subject] => Array
        (
            [CN] => Henrique do N. Angelo
            [C] => BR
            [ST] => Rio Grande do Sul
            [L] => Porto Alegre
            [emailAddress] => hnangelo@php.net
        )

    [hash] => 0206b91d
    [issuer] => Array
        (
            [CN] => Henrique do N. Angelo
            [C] => BR
            [ST] => Rio Grande do Sul
            [L] => Porto Alegre
            [emailAddress] => hnangelo@php.net
        )

    [version] => 2
    [serialNumber] => 0x5EE94A5F3A71AF7DEC57FD8BC08D3ECA1A540198
    [serialNumberHex] => 5EE94A5F3A71AF7DEC57FD8BC08D3ECA1A540198
    [validFrom] => 251002180630Z
    [validTo] => 261002180630Z
    [validFrom_time_t] => 1759428390
    [validTo_time_t] => 1790964390
    [signatureTypeSN] => RSA-SHA1
    [signatureTypeLN] => sha1WithRSAEncryption
    [signatureTypeNID] => 65
    [purposes] => Array ( ... )
    [extensions] => Array
        (
            [subjectKeyIdentifier] => DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D
            [authorityKeyIdentifier] => DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D
            [basicConstraints] => CA:TRUE
        )

)
```

Feeding that same certificate through openssl x509 -noout -text results in this output:

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5e:e9:4a:5f:3a:71:af:7d:ec:57:fd:8b:c0:8d:3e:ca:1a:54:01:98
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Henrique do N. Angelo, C = BR, ST = Rio Grande do Sul, L = Porto Alegre, emailAddress = hnangelo@php.net
        Validity
            Not Before: Oct 2 18:06:30 2025 GMT
            Not After : Oct 2 18:06:30 2026 GMT
        Subject: CN = Henrique do N. Angelo, C = BR, ST = Rio Grande do Sul, L = Porto Alegre, emailAddress = hnangelo@php.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus: ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D
            X509v3 Authority Key Identifier:
                DB:7E:40:72:BD:5C:35:85:EC:29:29:81:12:E8:62:68:6A:B7:3F:7D
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
    Signature Value: ...
```

Note that the Basic Constraints is critical, but there is no indication of that in the openssl_x509_parse() output. I propose adding [basicConstraints:critical] => true to the output to provide that information in a backwards compatible way.

PHP Version

```
PHP 8.3.6 (cli) (built: Aug 26 2025 13:10:20) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.3.6, Copyright (c) Zend Technologies
    with Zend OPcache v8.3.6, Copyright (c), by Zend Technologies
```

Operating System

Ubuntu 24.04
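
An added example, not part of the original report and not PHP's own code: while openssl_x509_parse() does not expose criticality, the flag can be read straight from the certificate's DER encoding. The function names below are hypothetical, and the hex sample is a constructed skeleton rather than a real certificate.

```php
<?php
// Read one DER TLV at $off; returns [tag, value offset, value length].
function der_tlv(string $der, int $off): array {
    if ($off + 2 > strlen($der)) throw new UnexpectedValueException('truncated DER');
    [$tag, $len, $pos] = [ord($der[$off]), ord($der[$off + 1]), $off + 2];
    if ($len & 0x80) {                       // long form: the next $n bytes hold the length
        $n = $len & 0x7F;
        if ($n < 1 || $n > 4 || $pos + $n > strlen($der)) throw new UnexpectedValueException('bad DER length');
        for ($len = 0; $n > 0; $n--) $len = ($len << 8) | ord($der[$pos++]);
    }
    if ($pos + $len > strlen($der)) throw new UnexpectedValueException('truncated DER');
    return [$tag, $pos, $len];
}
// Split the value of a constructed element into its child TLVs.
function der_children(string $der, int $start, int $len): array {
    for ($out = [], $p = $start; $p < $start + $len; $p = $t[1] + $t[2]) $out[] = $t = der_tlv($der, $p);
    return $out;
}
// Decode an OBJECT IDENTIFIER value into dotted notation.
function der_oid(string $v): string {
    $arcs = []; $n = 0;
    foreach (unpack('C*', $v) as $b) {
        $n = ($n << 7) | ($b & 0x7F);
        if (!($b & 0x80)) { $arcs[] = $n; $n = 0; }
    }
    $top = min(intdiv($arcs[0], 40), 2);     // the first encoded value packs the first two arcs
    return implode('.', array_merge([$top, $arcs[0] - 40 * $top], array_slice($arcs, 1)));
}
// Map each extension OID to its critical flag, for a PEM or DER certificate.
function x509_extension_criticality(string $cert): array {
    if (preg_match('/-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----/s', $cert, $m)) $cert = (string) base64_decode(preg_replace('/\s+/', '', $m[1]));
    [, $pos, $len] = der_tlv($cert, 0);              // outer Certificate SEQUENCE
    $tbs = der_children($cert, $pos, $len)[0];       // tbsCertificate is its first child
    $flags = [];
    foreach (der_children($cert, $tbs[1], $tbs[2]) as [$tag, $pos, $len]) {
        if ($tag !== 0xA3) continue;                 // [3] EXPLICIT wrapper around the extensions
        [, $pos, $len] = der_tlv($cert, $pos);       // SEQUENCE OF Extension
        foreach (der_children($cert, $pos, $len) as $ext) {
            $f = der_children($cert, $ext[1], $ext[2]);   // OID, optional BOOLEAN, OCTET STRING
            // critical is BOOLEAN DEFAULT FALSE, so DER only encodes it when TRUE
            $flags[der_oid(substr($cert, $f[0][1], $f[0][2]))] = $f[1][0] === 0x01 && ord($cert[$f[1][1]]) !== 0;
        }
    }
    return $flags;
}
// Constructed skeleton, not a real certificate: 2.5.29.14 without the BOOLEAN, 2.5.29.19 with TRUE.
$sample = hex2bin('303b3034a003020102020101' . str_repeat('3000', 5) . 'a320301e'
    . '300b0603551d0e04040402abcd' . '300f0603551d130101ff040530030101ff' . '3000030100');
var_export(x509_extension_criticality($sample));
```

The function also accepts a PEM string such as `$cert` from the report. Keys are dotted OIDs (2.5.29.19 is basicConstraints, 2.5.29.14 is subjectKeyIdentifier).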
