openssl_x509_parse_basic test fails with OpenSSL 3.2+ #13806

Closed
andypost opened this issue Mar 25, 2024 · 10 comments · Fixed by #13961

@andypost
Contributor

andypost commented Mar 25, 2024

Description

Attempted to build current master with the latest upgrades in Alpine (openssl 3.2.1)

The following test failed because of 2 extra fields displayed for the cert:

TEST 9775/17324 [ext/openssl/tests/openssl_x509_parse_basic.phpt]
========DIFF========
--
       ["signatureTypeNID"]=>
       int(65)
       ["purposes"]=>
-   array(9) {
+   array(10) {
         [1]=>
         array(3) {
           [0]=>
--
           [2]=>
           string(13) "timestampsign"
         }
+     [10]=>
+     array(3) {
+       [0]=>
+       bool(false)
+       [1]=>
+       bool(true)
+       [2]=>
+       string(8) "codesign"
+     }
       }
       ["extensions"]=>
       array(3) {
--
       ["signatureTypeNID"]=>
       int(65)
       ["purposes"]=>
-   array(9) {
+   array(10) {
         [1]=>
         array(3) {
           [0]=>
--
           bool(true)
           [2]=>
           string(18) "Time Stamp signing"
+     }
+     [10]=>
+     array(3) {
+       [0]=>
+       bool(false)
+       [1]=>
+       bool(true)
+       [2]=>
+       string(12) "Code signing"
         }
       }
       ["extensions"]=>
--
========DONE========
FAIL: openssl_x509_parse() tests [ext/openssl/tests/openssl_x509_parse_basic.phpt] 

PHP Version

master

Operating System

Alpinelinux

@andypost
Contributor Author

andypost commented Mar 25, 2024

An attempt to rebuild 8.2/8.3 showed more:

TEST 9459/16950 [ext/openssl/tests/openssl_error_string_basic_openssl3.phpt]
========DIFF========
--
     openssl_pkey_export_to_file write: ok
     openssl_pkey_export: ok
     openssl_private_encrypt: ok
- openssl_private_decrypt: ok
+ openssl_private_decrypt: no error code 0200009F
+ openssl_private_decrypt: no error code 02000072
+ openssl_private_decrypt: uncaught errors
     openssl_private_(en|de)crypt padding: ok
     X509 errors
     openssl_x509_export_to_file open: ok
--
========DONE========

TEST 9482/16950 [ext/openssl/tests/openssl_private_decrypt_basic.phpt]
========DIFF========
--
     Warning: openssl_private_decrypt(): key parameter is not a valid private key in %s on line %d
     bool(false)
     NULL
- bool(false)
- NULL
+ bool(true)
+ string(110) "�b�,s#���&59L��<�ԝM�M��/	�F9�
�Ƀ�������ʉ�n:��+���f 
ˮ��ug
#��O��<�`�n�������!��,.�/��WO	D������V��P_A�����"�[0m
     Key array must be of the form array(0 => key, 1 => phrase)
     bool(true)
     string(32) "Testing openssl_public_decrypt()"
========DONE========

@bukka
Member

bukka commented Mar 26, 2024

Yeah I noticed openssl_x509_parse_basic issue so will look into it later.

I will also soon merge #13667 which fixes that other reported thing - btw that test should be XFAIL in master...

@andypost
Contributor Author

andypost commented Apr 11, 2024

Tested with openssl 3.3 and the error is the same.

@bukka
Member

bukka commented Apr 14, 2024

So I just checked that additional purpose in openssl_x509_parse and it is a feature in 3.2: https://github.com/openssl/openssl/blob/3fa6dbd1be0791210853b0367b8483d4e6291e4f/CHANGES.md?plain=1#L173-L176

  • Add X.509 certificate codeSigning purpose and related checks on key usage and
    extended key usage of the leaf certificate according to the CA/Browser Forum.

It means I need to modify the test to be a bit more generic and allow this difference
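
Added example (not part of the original thread or of php-src): one way to check `openssl_x509_parse()` purposes by short name rather than by array count, so the check holds on both sides of OpenSSL 3.2. The helper names, the throwaway `example.test` certificate and the required/optional split are assumptions made for illustration; only `timestampsign` and `codesign` appear in the output above, the other names are OpenSSL's standard purpose short names.

```php
<?php
// Added example, not php-src test code: compare purposes by name, not by count.

/** Re-key openssl_x509_parse()['purposes'] by short name: name => [id, general, ca]. */
function purposes_by_name(array $parsed): array
{
    $out = [];
    foreach ($parsed['purposes'] as $id => [$general, $asCa, $name]) {
        $out[$name] = ['id' => $id, 'general' => $general, 'ca' => $asCa];
    }
    return $out;
}

/**
 * Return a list of problems. Every name in $required must be present; names in
 * $optional may be present or absent depending on the linked OpenSSL; any other
 * name is reported so that a new purpose is noticed rather than silently accepted.
 */
function check_purposes(array $parsed, array $required, array $optional): array
{
    $seen = purposes_by_name($parsed);
    $problems = [];
    foreach (array_diff($required, array_keys($seen)) as $name) {
        $problems[] = "missing purpose: $name";
    }
    foreach (array_diff(array_keys($seen), $required, $optional) as $name) {
        $problems[] = "unexpected purpose: $name (id {$seen[$name]['id']})";
    }
    return $problems;
}

// Constructed sample input: a throwaway self-signed certificate.
$key    = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$csr    = openssl_csr_new(['commonName' => 'example.test'], $key);
$cert   = openssl_csr_sign($csr, null, $key, 1);
$parsed = openssl_x509_parse($cert);

// The nine short names reported before OpenSSL 3.2; "codesign" (id 10) is the 3.2+ addition.
$required = ['sslclient', 'sslserver', 'nssslserver', 'smimesign', 'smimeencrypt',
             'crlsign', 'any', 'ocsphelper', 'timestampsign'];
$problems = check_purposes($parsed, $required, ['codesign']);

$hasCodesign = isset(purposes_by_name($parsed)['codesign']);
printf("%s: %d purposes, codesign %s\n", OPENSSL_VERSION_TEXT,
       count($parsed['purposes']), $hasCodesign ? 'present' : 'absent');
echo $problems ? implode("\n", $problems) . "\n" : "purposes OK\n";
```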

@bukka
Member

bukka commented Apr 14, 2024

I went for an additional test instead as it is probably cleaner and also easier.

bukka changed the title from "openssl_x509_parse_basic test from master fails on Alpine" to "openssl_x509_parse_basic test fails with OpenSSL 3.2+" on Apr 14, 2024

@andypost
Contributor Author

@bukka after the patch it is passing! In the meantime, one more disabled test since 8.2rc2, please take a look:

TEST 9692/17371 [ext/openssl/tests/bug74341.phpt]
========DIFF========
- int(1389052800)
- int(1459494000)
+ Warning: Trying to access array offset on false in /builds/...-8ce9f2e2b0bd943998aebe8829a13251edbafdc7/ext/openssl/tests/bug74341.php on line 42
+ NULL
+ 
+ Warning: Trying to access array offset on false in /builds/...-8ce9f2e2b0bd943998aebe8829a13251edbafdc7/ext/openssl/tests/bug74341.php on line 43
+ NULL
========DONE========

@andypost
Contributor Author

andypost commented Apr 14, 2024

@bukka bukka closed this as completed in 04b864e Apr 19, 2024
@bukka
Member

bukka commented Apr 19, 2024

Hmm, that's a lot of tests to be disabled. I might need to set up some convenient Alpine dev env. If you could maybe create an issue listing all those broken tests, including some Dockerfile (ideally using the php source from a volume so I can use it for development) showing how to quickly trigger it, that would be really helpful and would save me some time.

@bukka
Member

bukka commented Apr 19, 2024

There's obviously some issue with the TLS tester that needs to be looked at as all its tests are failing.

@andypost
Contributor Author

Filed follow-up #14036 as of new failures happening with openssl 3.3
