tschoffelen / php-pkpass

💳 PHP class for creating passes for Wallet on iOS.
https://includable.com
MIT License

Upgrade from PHP 8.1.18 to 8.1.21 unexpected error with p12 certificate #131

Open alexander-schranz opened 1 year ago

alexander-schranz commented 1 year ago

Expected Behavior

I'm not sure why this is happening, but after I updated my local dependencies (this includes PHP@8.1 and, I think, also the linked openssl library) the package is no longer running.

Actual Behavior

It fails with: Exception:

Invalid certificate file. Make sure you have a P12 certificate that also contains a private key, and you have specified the correct password!

Steps to Reproduce the Problem

When the docker PHP Image is based on php:8.1.18-cli it works but if it is based on php:8.1.21-cli it fails for me and also in our Gitlab Runner.

But it is not directly connected to changes in 8.1.18 -> 8.1.21, because if I rebuild 8.1.18 locally via brew from source it now also fails on 8.1.18. So maybe there are more changes in the openssl extension or openssl itself, or maybe somebody here has a hint what lib could produce this issue.

tschoffelen commented 1 year ago

Hi there - this might be related to https://github.com/includable/php-pkpass/pull/124

Do you have the latest version of the library?

alexander-schranz commented 1 year ago

Thx locally I could fix it this way: https://stackoverflow.com/questions/73832854/php-openssl-pkcs12-read-error0308010cdigital-envelope-routinesunsupported

Do I understand this correctly that the provided certificate from Apple needs to change something here, to not be built on top of legacy hashes?

tschoffelen commented 1 year ago

I think it's more about PHP not supporting that legacy mode of OpenSSL yet.

The workaround in #124 aims to execute the openssl executable directly using shell_exec(), but this might not be supported in all PHP environments, because this function is often limited or disabled for security reasons.

alexander-schranz commented 1 year ago

Okay 🤔 but if I understand correctly there is no way of creating the Certificate without php pkpass requiring legacy openssl, or does it depend on which openssl version the creator of the Certificate file used?

tschoffelen commented 1 year ago

No indeed, legacy mode needs to be used. There are two ways to do that:

  1. Tweak openssl configuration as described in the link you shared
  2. Run the openssl shell command with -legacy flag from PHP, rather than using the openssl_*() library, which is supported by the package, but only works if shell_exec() is allowed and openssl is in the $PATH

alexander-schranz commented 1 year ago

Thx for the clarification 👍

vwmoose commented 1 year ago

Afternoon guys and gals, this saved the day for me - I was editing the wrong file on my macos and the first step in this doc showed me the correct file to update. Once updated and restarted my mbp hey presto everything worked! This is a permanent change to OpenSSL. I've since implemented the exact same fix on my staging box and all works well.

https://www.practicalnetworking.net/practical-tls/openssl-3-and-legacy-providers/

Posting here in the hope it will help others! Thanks for the package btw.
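
An added example, not part of the thread and not php-pkpass code: the exception quoted above gives one message for several causes, so this PHP snippet reads the OpenSSL error queue to tell the legacy-algorithm case (code 0308010C, from the Stack Overflow link) apart from a wrong password, and checks whether the shell_exec() fallback is usable. The function names and return labels are hypothetical, and the "mac verify failure" text for a wrong password is an assumption about OpenSSL 3's error wording.

```php
<?php
// Added example, not php-pkpass code: diagnoseP12() and its labels are hypothetical.

function drainOpenSslErrors(): array
{
    $errors = [];
    while (($e = openssl_error_string()) !== false) {
        $errors[] = $e;
    }
    return $errors;
}

function classifyErrors(array $errors): string
{
    foreach ($errors as $e) {
        // OpenSSL 3 without the legacy provider cannot decrypt older containers.
        if (str_contains($e, '0308010C')) {
            return 'legacy-algorithm';
        }
    }
    foreach ($errors as $e) {
        // Assumed wording of the OpenSSL 3 error for a bad password or damaged file.
        if (stripos($e, 'mac verify failure') !== false) {
            return 'wrong-password-or-corrupt';
        }
    }
    return 'unknown';
}

function diagnoseP12(string $p12Bytes, string $password): string
{
    drainOpenSslErrors(); // discard stale entries from earlier OpenSSL calls
    $certs = [];
    if (openssl_pkcs12_read($p12Bytes, $certs, $password)) {
        return isset($certs['pkey']) ? 'ok' : 'no-private-key';
    }
    return classifyErrors(drainOpenSslErrors());
}

function shellFallbackAvailable(): bool
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return function_exists('shell_exec') && !in_array('shell_exec', $disabled, true);
}

// Constructed sample error queues in the format openssl_error_string() returns.
echo classifyErrors(['error:0308010C:digital envelope routines::unsupported']), PHP_EOL;
echo classifyErrors(['error:11800071:PKCS12 routines::mac verify failure']), PHP_EOL;
echo OPENSSL_VERSION_TEXT, ' / shell_exec usable: ';
echo var_export(shellFallbackAvailable(), true), PHP_EOL;
```

Calling diagnoseP12(file_get_contents($path), $password) on the real certificate shows which of the two options listed in the thread applies before any OpenSSL configuration is changed.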