
Upgrade from PHP 8.1.18 to 8.1.21 unexpected error with p12 certificate #131

Open
alexander-schranz opened this issue Jul 24, 2023 · 8 comments

Comments

@alexander-schranz
Contributor

alexander-schranz commented Jul 24, 2023

Expected Behavior

I'm not sure why this is happening, but after I updated my local dependencies (this includes [email protected] and, I think, the linked openssl library) the package is no longer running.

Actual Behavior

It fails with this exception:

Invalid certificate file. Make sure you have a P12 certificate that also contains a private key, and you have specified the correct password!

Steps to Reproduce the Problem

When the docker PHP Image is based on php:8.1.18-cli it works but if it is based on php:8.1.21-cli it fails for me and also in our Gitlab Runner.

But it is not directly connected to changes in 8.1.18 -> 8.1.21, because if I rebuild 8.1.18 locally from source via brew it now also fails on 8.1.18. So maybe there are more changes in the openssl extension or in openssl itself, or maybe somebody here has a hint what lib could produce this issue.

@tschoffelen
Owner

tschoffelen commented Jul 24, 2023

Hi there - this might be related to #124

Do you have the latest version of the library?

@alexander-schranz
Contributor Author

Thx, locally I could fix it this way: https://stackoverflow.com/questions/73832854/php-openssl-pkcs12-read-error0308010cdigital-envelope-routinesunsupported

Do I understand this correctly that the provided certificate from Apple needs to change here to something not built on top of legacy hashes?

@tschoffelen
Owner

I think it's more about PHP not supporting that legacy mode of OpenSSL yet.

The workaround in #124 aims to execute the openssl executable directly using shell_exec(), but this might not be supported in all PHP environments, because this function is often limited or disabled for security reasons.

@alexander-schranz
Contributor Author

Okay 🤔 but if I understand correctly there is no way of creating the Certificate without php pkpass requiring legacy openssl, or does it depend on which openssl version the creator of the Certificate file used?

@tschoffelen
Owner

No indeed, legacy mode needs to be used. There are two ways to do that:

  1. Tweak openssl configuration as described in the link you shared
  2. Run the openssl shell command with -legacy flag from PHP, rather than using the openssl_*() library, which is supported by the package, but only works if shell_exec() is allowed and openssl is in the $PATH

@alexander-schranz
Contributor Author

Thx for the clarification 👍

@vwmoose

vwmoose commented Sep 15, 2023

Afternoon guys and gals, this saved the day for me - I was editing the wrong file on my macOS and the first step in this doc showed me the correct file to update. Once I updated it and restarted my MBP, hey presto, everything worked! This is a permanent change to OpenSSL. I've since implemented the exact same fix on my staging box and all works well.

https://www.practicalnetworking.net/practical-tls/openssl-3-and-legacy-providers/

Posting here in the hope it will help others! Thanks for the package btw.

@quinncomendant

quinncomendant commented Jan 30, 2025

There may be no need to configure OpenSSL to use legacy algorithms. It's easier and more portable just to convert the encrypted certificates file. The steps below use a .p12 file but it should work to swap these commands for a .pfx file.

  1. Dump the certs from the old .p12 (you'll be prompted for the certificate password):

     openssl pkcs12 -in apple_wallet.p12 -out temp.pem -nodes -legacy

  2. Make a new .p12 encrypted with algorithms used in OpenSSL v3 (reuse the old cert password or create a new one):

     openssl pkcs12 -export -in temp.pem -out new.p12 -certpbe AES-256-CBC -keypbe AES-256-CBC -iter 2048

  3. Rename the new.p12 so it's accessible by your app.

     mv apple_wallet.p12 apple_wallet_legacy.p12
     mv new.p12 apple_wallet.p12

I just tested this with our app and the certificate works fine now with OpenSSL v3.2.2 without having to enable legacy functions.
