]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 97f10fc)
Convert resources to objects in ext/openssl
authorMáté Kocsis <kocsismate@woohoolabs.com>
Sat, 1 Aug 2020 20:42:26 +0000 (22:42 +0200)
committerMáté Kocsis <kocsismate@woohoolabs.com>
Sat, 1 Aug 2020 20:47:20 +0000 (22:47 +0200)
Closes GH-5860

Co-authored-by: Nikita Popov <nikita.ppv@gmail.com>
36 files changed:
UPGRADING patch | blob | history
ext/openssl/openssl.c patch | blob | history
ext/openssl/openssl.stub.php patch | blob | history
ext/openssl/openssl_arginfo.h patch | blob | history
ext/openssl/php_openssl.h patch | blob | history
ext/openssl/tests/001.phpt patch | blob | history
ext/openssl/tests/CertificateGenerator.inc patch | blob | history
ext/openssl/tests/bug38261.phpt patch | blob | history
ext/openssl/tests/bug61930.phpt patch | blob | history
ext/openssl/tests/bug68912.phpt patch | blob | history
ext/openssl/tests/bug73711.phpt patch | blob | history
ext/openssl/tests/bug74651.phpt patch | blob | history
ext/openssl/tests/bug79145.phpt patch | blob | history
ext/openssl/tests/ecc.phpt patch | blob | history
ext/openssl/tests/openssl_cms_decrypt_basic.phpt patch | blob | history
ext/openssl/tests/openssl_cms_decrypt_error.phpt patch | blob | history
ext/openssl/tests/openssl_cms_sign_basic.phpt patch | blob | history
ext/openssl/tests/openssl_csr_export_basic.phpt [moved from ext/openssl/tests/openssl_csr_export_bacis.phpt with 81% similarity] patch | blob | history
ext/openssl/tests/openssl_csr_export_to_file_basic.phpt patch | blob | history
ext/openssl/tests/openssl_csr_get_public_key_basic.phpt patch | blob | history
ext/openssl/tests/openssl_csr_new_basic.phpt patch | blob | history
ext/openssl/tests/openssl_csr_sign_basic.phpt patch | blob | history
ext/openssl/tests/openssl_free_key.phpt patch | blob | history
ext/openssl/tests/openssl_pkcs12_export_basic.phpt patch | blob | history
ext/openssl/tests/openssl_pkcs12_export_to_file_basic.phpt patch | blob | history
ext/openssl/tests/openssl_pkcs7_decrypt_basic.phpt patch | blob | history
ext/openssl/tests/openssl_pkcs7_decrypt_error.phpt patch | blob | history
ext/openssl/tests/openssl_pkcs7_sign_basic.phpt patch | blob | history
ext/openssl/tests/openssl_pkey_export_basic.phpt patch | blob | history
ext/openssl/tests/openssl_pkey_new_error.phpt patch | blob | history
ext/openssl/tests/openssl_x509_export_basic.phpt patch | blob | history
ext/openssl/tests/openssl_x509_export_to_file_basic.phpt patch | blob | history
ext/openssl/tests/openssl_x509_fingerprint_basic.phpt patch | blob | history
ext/openssl/tests/openssl_x509_free_basic.phpt patch | blob | history
ext/openssl/tests/openssl_x509_read_basic.phpt patch | blob | history
ext/openssl/xp_ssl.c patch | blob | history

diff --git a/UPGRADING b/UPGRADING
index f38f149236c9c8070ebf7867b0deb3de8bdd1d8f..cee09177bee1b9f18d3b17a72017c59ea5c40b32 100644 (file)
--- a/UPGRADING
+++ b/UPGRADING
@@ -366,6 +366,23 @@ PHP 8.0 UPGRADE NOTES
   . Several alias functions have been marked as deprecated.
   . oci_internal_debug() and its alias ociinternaldebug() have been removed.
 
+- OpenSSL:
+  . openssl_x509_read() and openssl_csr_sign() will now return an
+    OpenSSLCertificate object rather than a resource. Return value checks using
+    is_resource() should be replaced with checks for `false`.
+  . The openssl_x509_free() function is deprecated and no longer has an effect,
+    instead the OpenSSLCertificate instance is automatically destroyed if it is no
+    longer referenced.
+  . openssl_csr_new() will now return an OpenSSLCertificateSigningRequest object
+    rather than a resource. Return value checks using is_resource() should be
+    replaced with checks for `false`.
+  . openssl_pkey_new() will now return an OpenSSLAsymmetricKey object rather than a
+    resource. Return value checks using is_resource() should be replaced with
+    checks for `false`.
+  . The openssl_pkey_free() function is deprecated and no longer has an effect,
+    instead the OpenSSLAsymmetricKey instance is automatically destroyed if it is no
+    longer referenced.
+
 - PCRE:
   . When passing invalid escape sequences they are no longer interpreted as
     literals. This behavior previously required the X modifier - which is
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 7539dda14d5629e7d367dd96cda27111d8218b5d..3537a5be429c33c408e22d6b8425f5c96f6de5a7 100644 (file)
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -28,6 +28,7 @@
 #include "php_ini.h"
 #include "php_openssl.h"
 #include "zend_exceptions.h"
+#include "Zend/zend_interfaces.h"
 
 /* PHP Includes */
 #include "ext/standard/file.h"
@@ -127,6 +128,118 @@ enum php_openssl_encoding {
        ENCODING_PEM,
 };
 
+/* OpenSSLCertificate class */
+
+zend_class_entry *php_openssl_certificate_ce;
+
+static zend_object_handlers php_openssl_certificate_object_handlers;
+
+static zend_object *php_openssl_certificate_create_object(zend_class_entry *class_type) {
+       php_openssl_certificate_object *intern = zend_object_alloc(sizeof(php_openssl_certificate_object), class_type);
+
+       zend_object_std_init(&intern->std, class_type);
+       object_properties_init(&intern->std, class_type);
+       intern->std.handlers = &php_openssl_certificate_object_handlers;
+
+       return &intern->std;
+}
+
+static zend_function *php_openssl_certificate_get_constructor(zend_object *object) {
+       zend_throw_error(NULL, "Cannot directly construct OpenSSLCertificate, use openssl_x509_read() instead");
+       return NULL;
+}
+
+static void php_openssl_certificate_free_obj(zend_object *object)
+{
+       php_openssl_certificate_object *x509_object = php_openssl_certificate_from_obj(object);
+
+       X509_free(x509_object->x509);
+       zend_object_std_dtor(&x509_object->std);
+}
+
+/* OpenSSLCertificateSigningRequest class */
+
+typedef struct _php_openssl_x509_request_object {
+       X509_REQ *csr;
+       zend_object std;
+} php_openssl_request_object;
+
+zend_class_entry *php_openssl_request_ce;
+
+static inline php_openssl_request_object *php_openssl_request_from_obj(zend_object *obj) {
+       return (php_openssl_request_object *)((char *)(obj) - XtOffsetOf(php_openssl_request_object, std));
+}
+
+#define Z_OPENSSL_REQUEST_P(zv) php_openssl_request_from_obj(Z_OBJ_P(zv))
+
+static zend_object_handlers php_openssl_request_object_handlers;
+
+static zend_object *php_openssl_request_create_object(zend_class_entry *class_type) {
+       php_openssl_request_object *intern = zend_object_alloc(sizeof(php_openssl_request_object), class_type);
+
+       zend_object_std_init(&intern->std, class_type);
+       object_properties_init(&intern->std, class_type);
+       intern->std.handlers = &php_openssl_request_object_handlers;
+
+       return &intern->std;
+}
+
+static zend_function *php_openssl_request_get_constructor(zend_object *object) {
+       zend_throw_error(NULL, "Cannot directly construct OpenSSLCertificateSigningRequest, use openssl_csr_new() instead");
+       return NULL;
+}
+
+static void php_openssl_request_free_obj(zend_object *object)
+{
+       php_openssl_request_object *x509_request = php_openssl_request_from_obj(object);
+
+       X509_REQ_free(x509_request->csr);
+       zend_object_std_dtor(&x509_request->std);
+}
+
+/* OpenSSLAsymmetricKey class */
+
+typedef struct _php_openssl_pkey_object {
+       EVP_PKEY *pkey;
+       zend_object std;
+} php_openssl_pkey_object;
+
+zend_class_entry *php_openssl_pkey_ce;
+
+static inline php_openssl_pkey_object *php_openssl_pkey_from_obj(zend_object *obj) {
+       return (php_openssl_pkey_object *)((char *)(obj) - XtOffsetOf(php_openssl_pkey_object, std));
+}
+
+#define Z_OPENSSL_PKEY_P(zv) php_openssl_pkey_from_obj(Z_OBJ_P(zv))
+
+static zend_object_handlers php_openssl_pkey_object_handlers;
+
+static zend_object *php_openssl_pkey_create_object(zend_class_entry *class_type) {
+       php_openssl_pkey_object *intern = zend_object_alloc(sizeof(php_openssl_pkey_object), class_type);
+
+       zend_object_std_init(&intern->std, class_type);
+       object_properties_init(&intern->std, class_type);
+       intern->std.handlers = &php_openssl_pkey_object_handlers;
+
+       return &intern->std;
+}
+
+static zend_function *php_openssl_pkey_get_constructor(zend_object *object) {
+       zend_throw_error(NULL, "Cannot directly construct OpenSSLAsymmetricKey, use openssl_pkey_new() instead");
+       return NULL;
+}
+
+static void php_openssl_pkey_free_obj(zend_object *object)
+{
+       php_openssl_pkey_object *key_object = php_openssl_pkey_from_obj(object);
+
+       EVP_PKEY *pkey = key_object->pkey;
+       assert(pkey != NULL);
+       EVP_PKEY_free(pkey);
+
+       zend_object_std_dtor(&key_object->std);
+}
+
 /* {{{ openssl_module_entry */
 zend_module_entry openssl_module_entry = {
        STANDARD_MODULE_HEADER,
@@ -152,6 +265,7 @@ ZEND_GET_MODULE(openssl)
 
 /* {{{ OpenSSL compatibility functions and macros */
 #if PHP_OPENSSL_API_VERSION < 0x10100
+
 #define EVP_PKEY_get0_RSA(_pkey) _pkey->pkey.rsa
 #define EVP_PKEY_get0_DH(_pkey) _pkey->pkey.dh
 #define EVP_PKEY_get0_DSA(_pkey) _pkey->pkey.dsa
@@ -268,6 +382,11 @@ static const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *asn1)
        return M_ASN1_STRING_data(asn1);
 }
 
+static int EVP_PKEY_up_ref(EVP_PKEY *pkey)
+{
+       return CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
+}
+
 #if PHP_OPENSSL_API_VERSION < 0x10002
 
 static int X509_get_signature_nid(const X509 *x)
@@ -345,38 +464,8 @@ void php_openssl_store_errors()
 }
 /* }}} */
 
-static int le_key;
-static int le_x509;
-static int le_csr;
 static int ssl_stream_data_index;
 
-int php_openssl_get_x509_list_id(void) /* {{{ */
-{
-       return le_x509;
-}
-/* }}} */
-
-/* {{{ resource destructors */
-static void php_openssl_pkey_free(zend_resource *rsrc)
-{
-       EVP_PKEY *pkey = (EVP_PKEY *)rsrc->ptr;
-
-       assert(pkey != NULL);
-
-       EVP_PKEY_free(pkey);
-}
-
-static void php_openssl_x509_free(zend_resource *rsrc)
-{
-       X509 *x509 = (X509 *)rsrc->ptr;
-       X509_free(x509);
-}
-
-static void php_openssl_csr_free(zend_resource *rsrc)
-{
-       X509_REQ * csr = (X509_REQ*)rsrc->ptr;
-       X509_REQ_free(csr);
-}
 /* }}} */
 
 /* {{{ openssl open_basedir check */
@@ -429,14 +518,14 @@ struct php_x509_request { /* {{{ */
 };
 /* }}} */
 
-static X509 * php_openssl_x509_from_zval(zval * val, int makeresource, zend_resource **resourceval);
-static EVP_PKEY * php_openssl_evp_from_zval(
-               zval * val, int public_key, char *passphrase, size_t passphrase_len,
-               int makeresource, zend_resource **resourceval);
+static X509 *php_openssl_x509_from_param(zend_object *cert_obj, zend_string *cert_str);
+static X509 *php_openssl_x509_from_zval(zval *val, bool *free_cert);
+static X509_REQ *php_openssl_csr_from_param(zend_object *csr_obj, zend_string *csr_str);
+static EVP_PKEY *php_openssl_pkey_from_zval(zval *val, int public_key, char *passphrase, size_t passphrase_len, bool *free_pkey);
+
 static int php_openssl_is_private_key(EVP_PKEY* pkey);
 static X509_STORE * php_openssl_setup_verify(zval * calist);
 static STACK_OF(X509) * php_openssl_load_all_certs_from_file(char *certfile);
-static X509_REQ * php_openssl_csr_from_zval(zval * val, int makeresource, zend_resource ** resourceval);
 static EVP_PKEY * php_openssl_generate_private_key(struct php_x509_request * req);
 
 static void php_openssl_add_assoc_name_entry(zval * val, char * key, X509_NAME * name, int shortname) /* {{{ */
@@ -1018,9 +1107,47 @@ PHP_MINIT_FUNCTION(openssl)
 {
        char * config_filename;
 
-       le_key = zend_register_list_destructors_ex(php_openssl_pkey_free, NULL, "OpenSSL key", module_number);
-       le_x509 = zend_register_list_destructors_ex(php_openssl_x509_free, NULL, "OpenSSL X.509", module_number);
-       le_csr = zend_register_list_destructors_ex(php_openssl_csr_free, NULL, "OpenSSL X.509 CSR", module_number);
+       zend_class_entry ce;
+       INIT_CLASS_ENTRY(ce, "OpenSSLCertificate", class_OpenSSLCertificate_methods);
+       php_openssl_certificate_ce = zend_register_internal_class(&ce);
+       php_openssl_certificate_ce->ce_flags |= ZEND_ACC_FINAL | ZEND_ACC_NO_DYNAMIC_PROPERTIES;
+       php_openssl_certificate_ce->create_object = php_openssl_certificate_create_object;
+       php_openssl_certificate_ce->serialize = zend_class_serialize_deny;
+       php_openssl_certificate_ce->unserialize = zend_class_unserialize_deny;
+
+       memcpy(&php_openssl_certificate_object_handlers, &std_object_handlers, sizeof(zend_object_handlers));
+       php_openssl_certificate_object_handlers.offset = XtOffsetOf(php_openssl_certificate_object, std);
+       php_openssl_certificate_object_handlers.free_obj = php_openssl_certificate_free_obj;
+       php_openssl_certificate_object_handlers.get_constructor = php_openssl_certificate_get_constructor;
+       php_openssl_certificate_object_handlers.clone_obj = NULL;
+
+       zend_class_entry csr_ce;
+       INIT_CLASS_ENTRY(csr_ce, "OpenSSLCertificateSigningRequest", class_OpenSSLCertificateSigningRequest_methods);
+       php_openssl_request_ce = zend_register_internal_class(&csr_ce);
+       php_openssl_request_ce->ce_flags |= ZEND_ACC_FINAL | ZEND_ACC_NO_DYNAMIC_PROPERTIES;
+       php_openssl_request_ce->create_object = php_openssl_request_create_object;
+       php_openssl_request_ce->serialize = zend_class_serialize_deny;
+       php_openssl_request_ce->unserialize = zend_class_unserialize_deny;
+
+       memcpy(&php_openssl_request_object_handlers, &std_object_handlers, sizeof(zend_object_handlers));
+       php_openssl_request_object_handlers.offset = XtOffsetOf(php_openssl_request_object, std);
+       php_openssl_request_object_handlers.free_obj = php_openssl_request_free_obj;
+       php_openssl_request_object_handlers.get_constructor = php_openssl_request_get_constructor;
+       php_openssl_request_object_handlers.clone_obj = NULL;
+
+       zend_class_entry key_ce;
+       INIT_CLASS_ENTRY(key_ce, "OpenSSLAsymmetricKey", class_OpenSSLAsymmetricKey_methods);
+       php_openssl_pkey_ce = zend_register_internal_class(&key_ce);
+       php_openssl_pkey_ce->ce_flags |= ZEND_ACC_FINAL | ZEND_ACC_NO_DYNAMIC_PROPERTIES;
+       php_openssl_pkey_ce->create_object = php_openssl_pkey_create_object;
+       php_openssl_pkey_ce->serialize = zend_class_serialize_deny;
+       php_openssl_pkey_ce->unserialize = zend_class_unserialize_deny;
+
+       memcpy(&php_openssl_pkey_object_handlers, &std_object_handlers, sizeof(zend_object_handlers));
+       php_openssl_pkey_object_handlers.offset = XtOffsetOf(php_openssl_pkey_object, std);
+       php_openssl_pkey_object_handlers.free_obj = php_openssl_pkey_free_obj;
+       php_openssl_pkey_object_handlers.get_constructor = php_openssl_pkey_get_constructor;
+       php_openssl_pkey_object_handlers.clone_obj = NULL;
 
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
        OPENSSL_config(NULL);
@@ -1274,67 +1401,23 @@ PHP_FUNCTION(openssl_get_cert_locations)
 }
 /* }}} */
 
-
-/* {{{ php_openssl_x509_from_zval
-       Given a zval, coerce it into an X509 object.
-       The zval can be:
-               . X509 resource created using openssl_read_x509()
-               . if it starts with file:// then it will be interpreted as the path to that cert
-               . it will be interpreted as the cert data
-       If you supply makeresource, the result will be registered as an x509 resource and
-       it's value returned in makeresource.
-*/
-static X509 * php_openssl_x509_from_zval(zval * val, int makeresource, zend_resource **resourceval)
-{
+static X509 *php_openssl_x509_from_str(zend_string *cert_str) {
        X509 *cert = NULL;
        BIO *in;
 
-       if (resourceval) {
-               *resourceval = NULL;
-       }
-       if (Z_TYPE_P(val) == IS_RESOURCE) {
-               /* is it an x509 resource ? */
-               void * what;
-               zend_resource *res = Z_RES_P(val);
-
-               what = zend_fetch_resource(res, "OpenSSL X.509", le_x509);
-               if (!what) {
-                       return NULL;
-               }
-               if (resourceval) {
-                       *resourceval = res;
-                       if (makeresource) {
-                               Z_ADDREF_P(val);
-                       }
-               }
-               return (X509*)what;
-       }
-
-       if (!(Z_TYPE_P(val) == IS_STRING || Z_TYPE_P(val) == IS_OBJECT)) {
-               return NULL;
-       }
-
-       /* force it to be a string and check if it refers to a file */
-       if (!try_convert_to_string(val)) {
-               return NULL;
-       }
-
-       if (Z_STRLEN_P(val) > 7 && memcmp(Z_STRVAL_P(val), "file://", sizeof("file://") - 1) == 0) {
-
-               if (php_openssl_open_base_dir_chk(Z_STRVAL_P(val) + (sizeof("file://") - 1))) {
+       if (ZSTR_LEN(cert_str) > 7 && memcmp(ZSTR_VAL(cert_str), "file://", sizeof("file://") - 1) == 0) {
+               if (php_openssl_open_base_dir_chk(ZSTR_VAL(cert_str) + (sizeof("file://") - 1))) {
                        return NULL;
                }
 
-               in = BIO_new_file(Z_STRVAL_P(val) + (sizeof("file://") - 1), PHP_OPENSSL_BIO_MODE_R(PKCS7_BINARY));
+               in = BIO_new_file(ZSTR_VAL(cert_str) + (sizeof("file://") - 1), PHP_OPENSSL_BIO_MODE_R(PKCS7_BINARY));
                if (in == NULL) {
                        php_openssl_store_errors();
                        return NULL;
                }
                cert = PEM_read_bio_X509(in, NULL, NULL, NULL);
-
        } else {
-
-               in = BIO_new_mem_buf(Z_STRVAL_P(val), (int)Z_STRLEN_P(val));
+               in = BIO_new_mem_buf(ZSTR_VAL(cert_str), (int) ZSTR_LEN(cert_str));
                if (in == NULL) {
                        php_openssl_store_errors();
                        return NULL;
@@ -1355,32 +1438,69 @@ static X509 * php_openssl_x509_from_zval(zval * val, int makeresource, zend_reso
                return NULL;
        }
 
-       if (makeresource && resourceval) {
-               *resourceval = zend_register_resource(cert, le_x509);
-       }
        return cert;
 }
 
+/* {{{ php_openssl_x509_from_param
+       Given a parameter, extract it into an X509 object.
+       The parameter can be:
+               . X509 object created using openssl_read_x509()
+               . a path to that cert if it starts with file://
+               . the cert data otherwise
+*/
+static X509 *php_openssl_x509_from_param(zend_object *cert_obj, zend_string *cert_str) {
+       if (cert_obj) {
+               return php_openssl_certificate_from_obj(cert_obj)->x509;
+       }
+
+       ZEND_ASSERT(cert_str);
+
+       return php_openssl_x509_from_str(cert_str);
+}
+/* }}} */
+
+static X509 *php_openssl_x509_from_zval(zval *val, bool *free_cert)
+{
+       if (Z_TYPE_P(val) == IS_OBJECT && Z_OBJCE_P(val) == php_openssl_certificate_ce) {
+               *free_cert = 0;
+
+               return php_openssl_certificate_from_obj(Z_OBJ_P(val))->x509;
+       }
+
+       *free_cert = 1;
+
+       if (!try_convert_to_string(val)) {
+               return NULL;
+       }
+
+       return php_openssl_x509_from_str(Z_STR_P(val));
+}
 /* }}} */
 
 /* {{{ Exports a CERT to file or a var */
 PHP_FUNCTION(openssl_x509_export_to_file)
 {
-       X509 * cert;
-       zval * zcert;
+       X509 *cert;
+       zend_object *cert_obj;
+       zend_string *cert_str;
+
        zend_bool notext = 1;
        BIO * bio_out;
        char * filename;
        size_t filename_len;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS(), "zp|b", &zcert, &filename, &filename_len, &notext) == FAILURE) {
-               RETURN_THROWS();
-       }
+       ZEND_PARSE_PARAMETERS_START(2, 3)
+               Z_PARAM_STR_OR_OBJ_OF_CLASS(cert_str, cert_obj, php_openssl_certificate_ce)
+               Z_PARAM_PATH(filename, filename_len)
+               Z_PARAM_OPTIONAL
+               Z_PARAM_BOOL(notext)
+       ZEND_PARSE_PARAMETERS_END();
+
        RETVAL_FALSE;
 
-       cert = php_openssl_x509_from_zval(zcert, 0, NULL);
+       cert = php_openssl_x509_from_param(cert_obj, cert_str);
        if (cert == NULL) {
-               php_error_docref(NULL, E_WARNING, "Cannot get cert from parameter 1");
+               php_error_docref(NULL, E_WARNING, "X.509 Certificate cannot be retrieved");
                return;
        }
 
@@ -1402,7 +1522,8 @@ PHP_FUNCTION(openssl_x509_export_to_file)
                php_openssl_store_errors();
                php_error_docref(NULL, E_WARNING, "Error opening file %s", filename);
        }
-       if (Z_TYPE_P(zcert) != IS_RESOURCE) {
+
+       if (cert_str) {
                X509_free(cert);
        }
 
@@ -1417,25 +1538,25 @@ PHP_FUNCTION(openssl_x509_export_to_file)
 PHP_FUNCTION(openssl_spki_new)
 {
        size_t challenge_len;
-       char * challenge = NULL, * spkstr = NULL;
+       char * challenge = NULL, *spkstr = NULL;
        zend_string * s = NULL;
-       zend_resource *keyresource = NULL;
+       bool free_pkey = 0;
        const char *spkac = "SPKAC=";
        zend_long algo = OPENSSL_ALGO_MD5;
 
-       zval * zpkey = NULL;
-       EVP_PKEY * pkey = NULL;
+       zval *zpkey = NULL;
+       EVP_PKEY *pkey = NULL;
        NETSCAPE_SPKI *spki=NULL;
        const EVP_MD *mdtype;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS(), "rs|l", &zpkey, &challenge, &challenge_len, &algo) == FAILURE) {
+       if (zend_parse_parameters(ZEND_NUM_ARGS(), "Os|l", &zpkey, php_openssl_pkey_ce, &challenge, &challenge_len, &algo) == FAILURE) {
                RETURN_THROWS();
        }
        RETVAL_FALSE;
 
        PHP_OPENSSL_CHECK_SIZE_T_TO_INT(challenge_len, challenge);
-       pkey = php_openssl_evp_from_zval(zpkey, 0, challenge, challenge_len, 1, &keyresource);
 
+       pkey = php_openssl_pkey_from_zval(zpkey, 0, challenge, challenge_len, &free_pkey);
        if (pkey == NULL) {
                if (!EG(exception)) {
                        php_error_docref(NULL, E_WARNING, "Unable to use supplied private key");
@@ -1496,17 +1617,10 @@ cleanup:
        if (spki != NULL) {
                NETSCAPE_SPKI_free(spki);
        }
-       if (keyresource == NULL && pkey != NULL) {
-               EVP_PKEY_free(pkey);
-       }
 
        if (s && ZSTR_LEN(s) <= 0) {
                RETVAL_FALSE;
        }
-
-       if (keyresource == NULL && s != NULL) {
-               zend_string_release_ex(s, 0);
-       }
 }
 /* }}} */
 
@@ -1683,19 +1797,25 @@ cleanup:
 /* {{{ Exports a CERT to file or a var */
 PHP_FUNCTION(openssl_x509_export)
 {
-       X509 * cert;
-       zval * zcert, *zout;
+       X509 *cert;
+       zend_object *cert_obj;
+       zend_string *cert_str;
+       zval *zout;
        zend_bool notext = 1;
        BIO * bio_out;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS(), "zz|b", &zcert, &zout, &notext) == FAILURE) {
-               RETURN_THROWS();
-       }
+       ZEND_PARSE_PARAMETERS_START(2, 3)
+               Z_PARAM_STR_OR_OBJ_OF_CLASS(cert_str, cert_obj, php_openssl_certificate_ce)
+               Z_PARAM_ZVAL(zout)
+               Z_PARAM_OPTIONAL
+               Z_PARAM_BOOL(notext)
+       ZEND_PARSE_PARAMETERS_END();
+
        RETVAL_FALSE;
 
-       cert = php_openssl_x509_from_zval(zcert, 0, NULL);
+       cert = php_openssl_x509_from_param(cert_obj, cert_str);
        if (cert == NULL) {
-               php_error_docref(NULL, E_WARNING, "Cannot get cert from parameter 1");
+               php_error_docref(NULL, E_WARNING, "X.509 Certificate cannot be retrieved");
                return;
        }
 
@@ -1721,7 +1841,7 @@ PHP_FUNCTION(openssl_x509_export)
        BIO_free(bio_out);
 
 cleanup:
-       if (Z_TYPE_P(zcert) != IS_RESOURCE) {
+       if (cert_str) {
                X509_free(cert);
        }
 }
@@ -1757,19 +1877,23 @@ zend_string* php_openssl_x509_fingerprint(X509 *peer, const char *method, zend_b
 PHP_FUNCTION(openssl_x509_fingerprint)
 {
        X509 *cert;
-       zval *zcert;
+       zend_object *cert_obj;
+       zend_string *cert_str;
        zend_bool raw_output = 0;
        char *method = "sha1";
        size_t method_len;
        zend_string *fingerprint;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS(), "z|sb", &zcert, &method, &method_len, &raw_output) == FAILURE) {
-               RETURN_THROWS();
-       }
+       ZEND_PARSE_PARAMETERS_START(1, 3)
+               Z_PARAM_STR_OR_OBJ_OF_CLASS(cert_str, cert_obj, php_openssl_certificate_ce)
+               Z_PARAM_OPTIONAL
+               Z_PARAM_STRING(method, method_len)
+               Z_PARAM_BOOL(raw_output)
+       ZEND_PARSE_PARAMETERS_END();
 
-       cert = php_openssl_x509_from_zval(zcert, 0, NULL);
+       cert = php_openssl_x509_from_param(cert_obj, cert_str);
        if (cert == NULL) {
-               php_error_docref(NULL, E_WARNING, "Cannot get cert from parameter 1");
+               php_error_docref(NULL, E_WARNING, "X.509 Certificate cannot be retrieved");
                RETURN_FALSE;
        }
 
@@ -1780,7 +1904,7 @@ PHP_FUNCTION(openssl_x509_fingerprint)
                RETVAL_FALSE;
        }
 
-       if (Z_TYPE_P(zcert) != IS_RESOURCE) {
+       if (cert_str) {
                X509_free(cert);
        }
 }
@@ -1788,29 +1912,35 @@ PHP_FUNCTION(openssl_x509_fingerprint)
 /* {{{ Checks if a private key corresponds to a CERT */
 PHP_FUNCTION(openssl_x509_check_private_key)
 {
-       zval * zcert, *zkey;
-       X509 * cert = NULL;
+       X509 *cert;
+       zend_object *cert_obj;
+       zend_string *cert_str;
+       zval *zkey;
        EVP_PKEY * key = NULL;
-       zend_resource *keyresource = NULL;
+       bool free_pkey = 0;
 
-       RETVAL_FALSE;
+       ZEND_PARSE_PARAMETERS_START(2, 2)
+               Z_PARAM_STR_OR_OBJ_OF_CLASS(cert_str, cert_obj, php_openssl_certificate_ce)
+               Z_PARAM_ZVAL(zkey)
+       ZEND_PARSE_PARAMETERS_END();
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS(), "zz", &zcert, &zkey) == FAILURE) {
-               RETURN_THROWS();
-       }
-       cert = php_openssl_x509_from_zval(zcert, 0, NULL);
+       cert = php_openssl_x509_from_param(cert_obj, cert_str);
        if (cert == NULL) {
                RETURN_FALSE;
        }
-       key = php_openssl_evp_from_zval(zkey, 0, "", 0, 1, &keyresource);
+
+       RETVAL_FALSE;
+
+       key = php_openssl_pkey_from_zval(zkey, 0, "", 0, &free_pkey);
        if (key) {
                RETVAL_BOOL(X509_check_private_key(cert, key));
        }
 
-       if (keyresource == NULL && key) {
+       if (free_pkey && key) {
                EVP_PKEY_free(key);
        }
-       if (Z_TYPE_P(zcert) != IS_RESOURCE) {
+
+       if (cert_str) {
                X509_free(cert);
        }
 }
@@ -1819,20 +1949,25 @@ PHP_FUNCTION(openssl_x509_check_private_key)
 /* {{{ Verifies the signature of certificate cert using public key key */
 PHP_FUNCTION(openssl_x509_verify)
 {
-       zval * zcert, *zkey;
-       X509 * cert = NULL;
+       X509 *cert;
+       zend_object *cert_obj;
+       zend_string *cert_str;
+       zval *zkey;
        EVP_PKEY * key = NULL;
-       zend_resource *keyresource = NULL;
+       bool free_pkey = 0;
        int err = -1;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS(), "zz", &zcert, &zkey) == FAILURE) {
-               RETURN_THROWS();
-       }
-       cert = php_openssl_x509_from_zval(zcert, 0, NULL);
+       ZEND_PARSE_PARAMETERS_START(2, 2)
+               Z_PARAM_STR_OR_OBJ_OF_CLASS(cert_str, cert_obj, php_openssl_certificate_ce)
+               Z_PARAM_ZVAL(zkey)
+       ZEND_PARSE_PARAMETERS_END();
+
+       cert = php_openssl_x509_from_param(cert_obj, cert_str);
        if (cert == NULL) {
                RETURN_LONG(err);
        }
-       key = php_openssl_evp_from_zval(zkey, 1, NULL, 0, 0, &keyresource);
+
+       key = php_openssl_pkey_from_zval(zkey, 1, NULL, 0, &free_pkey);
        if (key == NULL) {
                X509_free(cert);
                RETURN_LONG(err);
@@ -1844,10 +1979,10 @@ PHP_FUNCTION(openssl_x509_verify)
                php_openssl_store_errors();
        }
 
-       if (keyresource == NULL && key) {
+       if (free_pkey && key) {
                EVP_PKEY_free(key);
        }
-       if (Z_TYPE_P(zcert) != IS_RESOURCE) {
+       if (cert_str) {
                X509_free(cert);
        }
 
@@ -1929,8 +2064,9 @@ static int openssl_x509v3_subjectAltName(BIO *bio, X509_EXTENSION *extension)
 /* {{{ Returns an array of the fields/values of the CERT */
 PHP_FUNCTION(openssl_x509_parse)
 {
-       zval * zcert;
-       X509 * cert = NULL;
+       X509 *cert;
+       zend_object *cert_obj;
+       zend_string *cert_str;
        int i, sig_nid;
        zend_bool useshortnames = 1;
        char * tmpstr;
@@ -1947,10 +2083,13 @@ PHP_FUNCTION(openssl_x509_parse)
        char *hex_serial;
        char buf[256];
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS(), "z|b", &zcert, &useshortnames) == FAILURE) {
-               RETURN_THROWS();
-       }
-       cert = php_openssl_x509_from_zval(zcert, 0, NULL);
+       ZEND_PARSE_PARAMETERS_START(1, 2)
+               Z_PARAM_STR_OR_OBJ_OF_CLASS(cert_str, cert_obj, php_openssl_certificate_ce)
+               Z_PARAM_OPTIONAL
+               Z_PARAM_BOOL(useshortnames)
+       ZEND_PARSE_PARAMETERS_END();
+
+       cert = php_openssl_x509_from_param(cert_obj, cert_str);
        if (cert == NULL) {
                RETURN_FALSE;
        }
@@ -2067,7 +2206,7 @@ PHP_FUNCTION(openssl_x509_parse)
                        } else {
                                zend_array_destroy(Z_ARR_P(return_value));
                                BIO_free(bio_out);
-                               if (Z_TYPE_P(zcert) != IS_RESOURCE) {
+                               if (cert_str) {
                                        X509_free(cert);
                                }
                                RETURN_FALSE;
@@ -2082,7 +2221,7 @@ PHP_FUNCTION(openssl_x509_parse)
                BIO_free(bio_out);
        }
        add_assoc_zval(return_value, "extensions", &subitem);
-       if (Z_TYPE_P(zcert) != IS_RESOURCE) {
+       if (cert_str) {
                X509_free(cert);
        }
 }
@@ -2178,18 +2317,24 @@ static int check_cert(X509_STORE *ctx, X509 *x, STACK_OF(X509) *untrustedchain,
 /* {{{ Checks the CERT to see if it can be used for the purpose in purpose. cainfo holds information about trusted CAs */
 PHP_FUNCTION(openssl_x509_checkpurpose)
 {
-       zval * zcert, * zcainfo = NULL;
-       X509_STORE * cainfo = NULL;
-       X509 * cert = NULL;
-       STACK_OF(X509) * untrustedchain = NULL;
+       X509 *cert;
+       zend_object *cert_obj;
+       zend_string *cert_str;
+       zval *zcainfo = NULL;
+       X509_STORE *cainfo = NULL;
+       STACK_OF(X509) *untrustedchain = NULL;
        zend_long purpose;
        char * untrusted = NULL;
        size_t untrusted_len = 0;
        int ret;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS(), "zl|a!s", &zcert, &purpose, &zcainfo, &untrusted, &untrusted_len) == FAILURE) {
-               RETURN_THROWS();
-       }
+       ZEND_PARSE_PARAMETERS_START(2, 4)
+               Z_PARAM_STR_OR_OBJ_OF_CLASS(cert_str, cert_obj, php_openssl_certificate_ce)
+               Z_PARAM_LONG(purpose)
+               Z_PARAM_OPTIONAL
+               Z_PARAM_ARRAY_OR_NULL(zcainfo)
+               Z_PARAM_STRING_OR_NULL(untrusted, untrusted_len)
+       ZEND_PARSE_PARAMETERS_END();
 
        RETVAL_LONG(-1);
 
@@ -2204,7 +2349,7 @@ PHP_FUNCTION(openssl_x509_checkpurpose)
        if (cainfo == NULL) {
                goto clean_exit;
        }
-       cert = php_openssl_x509_from_zval(zcert, 0, NULL);
+       cert = php_openssl_x509_from_param(cert_obj, cert_str);
        if (cert == NULL) {
                goto clean_exit;
        }
@@ -2215,7 +2360,7 @@ PHP_FUNCTION(openssl_x509_checkpurpose)
        } else {
                RETVAL_BOOL(ret);
        }
-       if (Z_TYPE_P(zcert) != IS_RESOURCE) {
+       if (cert_str) {
                X509_free(cert);
        }
 clean_exit:
@@ -2301,20 +2446,24 @@ static X509_STORE *php_openssl_setup_verify(zval *calist)
 /* {{{ Reads X.509 certificates */
 PHP_FUNCTION(openssl_x509_read)
 {
-       zval *cert;
-       X509 *x509;
-       zend_resource *res;
+       X509 *cert;
+       php_openssl_certificate_object *x509_cert_obj;
+       zend_object *cert_obj;
+       zend_string *cert_str;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS(), "z", &cert) == FAILURE) {
-               RETURN_THROWS();
-       }
-       x509 = php_openssl_x509_from_zval(cert, 1, &res);
-       ZVAL_RES(return_value, res);
+       ZEND_PARSE_PARAMETERS_START(1, 1)
+               Z_PARAM_STR_OR_OBJ_OF_CLASS(cert_str, cert_obj, php_openssl_certificate_ce)
+       ZEND_PARSE_PARAMETERS_END();
 
-       if (x509 == NULL) {
-               php_error_docref(NULL, E_WARNING, "Supplied parameter cannot be coerced into an X509 certificate!");
+       cert = php_openssl_x509_from_param(cert_obj, cert_str);
+       if (cert == NULL) {
+               php_error_docref(NULL, E_WARNING, "X.509 Certificate cannot be retrieved");
                RETURN_FALSE;
        }
+
+       object_init_ex(return_value, php_openssl_certificate_ce);
+       x509_cert_obj = Z_OPENSSL_CERTIFICATE_P(return_value);
+       x509_cert_obj->x509 = cert_obj ? X509_dup(cert) : cert;
 }
 /* }}} */
 
@@ -2322,15 +2471,10 @@ PHP_FUNCTION(openssl_x509_read)
 PHP_FUNCTION(openssl_x509_free)
 {
        zval *x509;
-       X509 *cert;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS(), "r", &x509) == FAILURE) {
-               RETURN_THROWS();
-       }
-       if ((cert = (X509 *)zend_fetch_resource(Z_RES_P(x509), "OpenSSL X.509", le_x509)) == NULL) {
-               RETURN_THROWS();
-       }
-       zend_list_close(Z_RES_P(x509));
+       ZEND_PARSE_PARAMETERS_START(1, 1)
+               Z_PARAM_OBJECT_OF_CLASS(x509, php_openssl_certificate_ce)
+       ZEND_PARSE_PARAMETERS_END();
 }
 /* }}} */
 
@@ -2353,19 +2497,19 @@ static STACK_OF(X509) * php_array_to_X509_sk(zval * zcerts) /* {{{ */
        zval * zcertval;
        STACK_OF(X509) * sk = NULL;
        X509 * cert;
-       zend_resource *certresource;
+       bool free_cert;
 
        sk = sk_X509_new_null();
 
        /* get certs */
        if (Z_TYPE_P(zcerts) == IS_ARRAY) {
                ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(zcerts), zcertval) {
-                       cert = php_openssl_x509_from_zval(zcertval, 0, &certresource);
+                       cert = php_openssl_x509_from_zval(zcertval, &free_cert);
                        if (cert == NULL) {
                                goto clean_exit;
                        }
 
-                       if (certresource != NULL) {
+                       if (!free_cert) {
                                cert = X509_dup(cert);
 
                                if (cert == NULL) {
@@ -2378,13 +2522,13 @@ static STACK_OF(X509) * php_array_to_X509_sk(zval * zcerts) /* {{{ */
                } ZEND_HASH_FOREACH_END();
        } else {
                /* a single certificate */
-               cert = php_openssl_x509_from_zval(zcerts, 0, &certresource);
+               cert = php_openssl_x509_from_zval(zcerts, &free_cert);
 
                if (cert == NULL) {
                        goto clean_exit;
                }
 
-               if (certresource != NULL) {
+               if (!free_cert) {
                        cert = X509_dup(cert);
                        if (cert == NULL) {
                                php_openssl_store_errors();
@@ -2402,7 +2546,9 @@ clean_exit:
 /* {{{ Creates and exports a PKCS to file */
 PHP_FUNCTION(openssl_pkcs12_export_to_file)
 {
-       X509 * cert = NULL;
+       X509 *cert;
+       zend_object *cert_obj;
+       zend_string *cert_str;
        BIO * bio_out = NULL;
        PKCS12 * p12 = NULL;
        char * filename;
@@ -2410,23 +2556,30 @@ PHP_FUNCTION(openssl_pkcs12_export_to_file)
        size_t filename_len;
        char * pass;
        size_t pass_len;
-       zval *zcert = NULL, *zpkey = NULL, *args = NULL;
+       zval *zpkey = NULL, *args = NULL;
        EVP_PKEY *priv_key = NULL;
-       zend_resource *keyresource;
+       bool free_pkey;
        zval * item;
        STACK_OF(X509) *ca = NULL;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS(), "zpzs|a", &zcert, &filename, &filename_len, &zpkey, &pass, &pass_len, &args) == FAILURE)
-               RETURN_THROWS();
+       ZEND_PARSE_PARAMETERS_START(4, 5)
+               Z_PARAM_STR_OR_OBJ_OF_CLASS(cert_str, cert_obj, php_openssl_certificate_ce)
+               Z_PARAM_PATH(filename, filename_len)
+               Z_PARAM_ZVAL(zpkey)
+               Z_PARAM_STRING(pass, pass_len)
+               Z_PARAM_OPTIONAL
+               Z_PARAM_ARRAY(args)
+       ZEND_PARSE_PARAMETERS_END();
 
        RETVAL_FALSE;
 
-       cert = php_openssl_x509_from_zval(zcert, 0, NULL);
+       cert = php_openssl_x509_from_param(cert_obj, cert_str);
        if (cert == NULL) {
-               php_error_docref(NULL, E_WARNING, "Cannot get cert from parameter 1");
+               php_error_docref(NULL, E_WARNING, "X.509 Certificate cannot be retrieved");
                return;
        }
-       priv_key = php_openssl_evp_from_zval(zpkey, 0, "", 0, 1, &keyresource);
+
+       priv_key = php_openssl_pkey_from_zval(zpkey, 0, "", 0, &free_pkey);
        if (priv_key == NULL) {
                if (!EG(exception)) {
                        php_error_docref(NULL, E_WARNING, "Cannot get private key from parameter 3");
@@ -2485,11 +2638,11 @@ PHP_FUNCTION(openssl_pkcs12_export_to_file)
 
 cleanup:
 
-       if (keyresource == NULL && priv_key) {
+       if (free_pkey && priv_key) {
                EVP_PKEY_free(priv_key);
        }
 
-       if (Z_TYPE_P(zcert) != IS_RESOURCE) {
+       if (cert_str) {
                X509_free(cert);
        }
 }
@@ -2498,30 +2651,38 @@ cleanup:
 /* {{{ Creates and exports a PKCS12 to a var */
 PHP_FUNCTION(openssl_pkcs12_export)
 {
-       X509 * cert = NULL;
+       X509 *cert;
+       zend_object *cert_obj;
+       zend_string *cert_str;
        BIO * bio_out;
        PKCS12 * p12 = NULL;
-       zval * zcert = NULL, *zout = NULL, *zpkey, *args = NULL;
+       zval *zout = NULL, *zpkey, *args = NULL;
        EVP_PKEY *priv_key = NULL;
-       zend_resource *keyresource;
+       bool free_pkey;
        char * pass;
        size_t pass_len;
        char * friendly_name = NULL;
        zval * item;
        STACK_OF(X509) *ca = NULL;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS(), "zzzs|a", &zcert, &zout, &zpkey, &pass, &pass_len, &args) == FAILURE) {
-               RETURN_THROWS();
-       }
+       ZEND_PARSE_PARAMETERS_START(4, 5)
+               Z_PARAM_STR_OR_OBJ_OF_CLASS(cert_str, cert_obj, php_openssl_certificate_ce)
+               Z_PARAM_ZVAL(zout)
+               Z_PARAM_ZVAL(zpkey)
+               Z_PARAM_STRING(pass, pass_len)
+               Z_PARAM_OPTIONAL
+               Z_PARAM_ARRAY(args)
+       ZEND_PARSE_PARAMETERS_END();
 
        RETVAL_FALSE;
 
-       cert = php_openssl_x509_from_zval(zcert, 0, NULL);
+       cert = php_openssl_x509_from_param(cert_obj, cert_str);
        if (cert == NULL) {
-               php_error_docref(NULL, E_WARNING, "Cannot get cert from parameter 1");
+               php_error_docref(NULL, E_WARNING, "X.509 Certificate cannot be retrieved");
                return;
        }
-       priv_key = php_openssl_evp_from_zval(zpkey, 0, "", 0, 1, &keyresource);
+
+       priv_key = php_openssl_pkey_from_zval(zpkey, 0, "", 0, &free_pkey);
        if (priv_key == NULL) {
                if (!EG(exception)) {
                        php_error_docref(NULL, E_WARNING, "Cannot get private key from parameter 3");
@@ -2570,10 +2731,10 @@ PHP_FUNCTION(openssl_pkcs12_export)
 
 cleanup:
 
-       if (keyresource == NULL && priv_key) {
+       if (free_pkey && priv_key) {
                EVP_PKEY_free(priv_key);
        }
-       if (Z_TYPE_P(zcert) != IS_RESOURCE) {
+       if (cert_str) {
                X509_free(cert);
        }
 }
@@ -2859,45 +3020,24 @@ static int php_openssl_make_REQ(struct php_x509_request * req, X509_REQ * csr, z
 }
 /* }}} */
 
-/* {{{ php_openssl_csr_from_zval */
-static X509_REQ * php_openssl_csr_from_zval(zval * val, int makeresource, zend_resource **resourceval)
+
+static X509_REQ *php_openssl_csr_from_str(zend_string *csr_str)
 {
        X509_REQ * csr = NULL;
        char * filename = NULL;
        BIO * in;
 
-       if (resourceval) {
-               *resourceval = NULL;
-       }
-       if (Z_TYPE_P(val) == IS_RESOURCE) {
-               void * what;
-               zend_resource *res = Z_RES_P(val);
-
-               what = zend_fetch_resource(res, "OpenSSL X.509 CSR", le_csr);
-               if (what) {
-                       if (resourceval) {
-                               *resourceval = res;
-                               if (makeresource) {
-                                       Z_ADDREF_P(val);
-                               }
-                       }
-                       return (X509_REQ*)what;
-               }
-               return NULL;
-       } else if (Z_TYPE_P(val) != IS_STRING) {
-               return NULL;
+       if (ZSTR_LEN(csr_str) > 7 && memcmp(ZSTR_VAL(csr_str), "file://", sizeof("file://") - 1) == 0) {
+               filename = ZSTR_VAL(csr_str) + (sizeof("file://") - 1);
        }
 
-       if (Z_STRLEN_P(val) > 7 && memcmp(Z_STRVAL_P(val), "file://", sizeof("file://") - 1) == 0) {
-               filename = Z_STRVAL_P(val) + (sizeof("file://") - 1);
-       }
        if (filename) {
                if (php_openssl_open_base_dir_chk(filename)) {
                        return NULL;
                }
                in = BIO_new_file(filename, PHP_OPENSSL_BIO_MODE_R(PKCS7_BINARY));
        } else {
-               in = BIO_new_mem_buf(Z_STRVAL_P(val), (int)Z_STRLEN_P(val));
+               in = BIO_new_mem_buf(ZSTR_VAL(csr_str), (int) ZSTR_LEN(csr_str));
        }
 
        if (in == NULL) {
@@ -2914,29 +3054,41 @@ static X509_REQ * php_openssl_csr_from_zval(zval * val, int makeresource, zend_r
 
        return csr;
 }
-/* }}} */
+
+static X509_REQ *php_openssl_csr_from_param(zend_object *csr_obj, zend_string *csr_str)
+{
+       if (csr_obj) {
+               return php_openssl_request_from_obj(csr_obj)->csr;
+       }
+
+       ZEND_ASSERT(csr_str);
+
+       return php_openssl_csr_from_str(csr_str);
+}
 
 /* {{{ Exports a CSR to file */
 PHP_FUNCTION(openssl_csr_export_to_file)
 {
-       X509_REQ * csr;
-       zval * zcsr = NULL;
+       X509_REQ *csr;
+       zend_object *csr_obj;
+       zend_string *csr_str;
        zend_bool notext = 1;
        char * filename = NULL;
        size_t filename_len;
        BIO * bio_out;
-       zend_resource *csr_resource;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS(), "rp|b", &zcsr, &filename, &filename_len, &notext) == FAILURE) {
-               RETURN_THROWS();
-       }
+       ZEND_PARSE_PARAMETERS_START(2, 3)
+               Z_PARAM_STR_OR_OBJ_OF_CLASS(csr_str, csr_obj, php_openssl_request_ce)
+               Z_PARAM_PATH(filename, filename_len)
+               Z_PARAM_OPTIONAL
+               Z_PARAM_BOOL(notext)
+       ZEND_PARSE_PARAMETERS_END();
+
        RETVAL_FALSE;
 
-       csr = php_openssl_csr_from_zval(zcsr, 0, &csr_resource);
+       csr = php_openssl_csr_from_param(csr_obj, csr_str);
        if (csr == NULL) {
-               if (!EG(exception)) {
-                       php_error_docref(NULL, E_WARNING, "Cannot get CSR from parameter 1");
-               }
+               php_error_docref(NULL, E_WARNING, "X.509 Certificate Signing Request cannot be retrieved");
                return;
        }
 
@@ -2961,7 +3113,7 @@ PHP_FUNCTION(openssl_csr_export_to_file)
                php_error_docref(NULL, E_WARNING, "Error opening file %s", filename);
        }
 
-       if (csr_resource == NULL && csr != NULL) {
+       if (csr_str) {
                X509_REQ_free(csr);
        }
 }
@@ -2970,23 +3122,25 @@ PHP_FUNCTION(openssl_csr_export_to_file)
 /* {{{ Exports a CSR to file or a var */
 PHP_FUNCTION(openssl_csr_export)
 {
-       X509_REQ * csr;
-       zval * zcsr = NULL, *zout=NULL;
+       X509_REQ *csr;
+       zend_object *csr_obj;
+       zend_string *csr_str;
+       zval *zout;
        zend_bool notext = 1;
        BIO * bio_out;
-       zend_resource *csr_resource;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS(), "rz|b", &zcsr, &zout, &notext) == FAILURE) {
-               RETURN_THROWS();
-       }
+       ZEND_PARSE_PARAMETERS_START(2, 3)
+               Z_PARAM_STR_OR_OBJ_OF_CLASS(csr_str, csr_obj, php_openssl_request_ce)
+               Z_PARAM_ZVAL(zout)
+               Z_PARAM_OPTIONAL
+               Z_PARAM_BOOL(notext)
+       ZEND_PARSE_PARAMETERS_END();
 
        RETVAL_FALSE;
 
-       csr = php_openssl_csr_from_zval(zcsr, 0, &csr_resource);
+       csr = php_openssl_csr_from_param(csr_obj, csr_str);
        if (csr == NULL) {
-               if (!EG(exception)) {
-                       php_error_docref(NULL, E_WARNING, "Cannot get CSR from parameter 1");
-               }
+               php_error_docref(NULL, E_WARNING, "X.509 Certificate Signing Request cannot be retrieved");
                return;
        }
 
@@ -3008,7 +3162,7 @@ PHP_FUNCTION(openssl_csr_export)
                php_openssl_store_errors();
        }
 
-       if (csr_resource == NULL && csr) {
+       if (csr_str) {
                X509_REQ_free(csr);
        }
        BIO_free(bio_out);
@@ -3018,38 +3172,51 @@ PHP_FUNCTION(openssl_csr_export)
 /* {{{ Signs a cert with another CERT */
 PHP_FUNCTION(openssl_csr_sign)
 {
-       zval * zcert = NULL, *zcsr, *zpkey, *args = NULL;
+       X509_REQ *csr;
+       zend_object *csr_obj;
+       zend_string *csr_str;
+
+       php_openssl_certificate_object *cert_object;
+       zend_object *cert_obj;
+       zend_string *cert_str;
+       zval *zpkey, *args = NULL;
        zend_long num_days;
        zend_long serial = Z_L(0);
-       X509 * cert = NULL, *new_cert = NULL;
-       X509_REQ * csr;
+       X509 *cert = NULL, *new_cert = NULL;
        EVP_PKEY * key = NULL, *priv_key = NULL;
-       zend_resource *csr_resource, *certresource = NULL, *keyresource = NULL;
+       bool free_pkey = 0;
        int i;
        struct php_x509_request req;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS(), "zz!zl|a!l", &zcsr, &zcert, &zpkey, &num_days, &args, &serial) == FAILURE) {
-               RETURN_THROWS();
-       }
+       ZEND_PARSE_PARAMETERS_START(4, 6)
+               Z_PARAM_STR_OR_OBJ_OF_CLASS(csr_str, csr_obj, php_openssl_request_ce)
+               Z_PARAM_STR_OR_OBJ_OF_CLASS_OR_NULL(cert_str, cert_obj, php_openssl_certificate_ce)
+               Z_PARAM_ZVAL(zpkey)
+               Z_PARAM_LONG(num_days)
+               Z_PARAM_OPTIONAL
+               Z_PARAM_ARRAY_OR_NULL(args)
+               Z_PARAM_LONG(serial)
+       ZEND_PARSE_PARAMETERS_END();
 
        RETVAL_FALSE;
-       PHP_SSL_REQ_INIT(&req);
 
-       csr = php_openssl_csr_from_zval(zcsr, 0, &csr_resource);
+       csr = php_openssl_csr_from_param(csr_obj, csr_str);
        if (csr == NULL) {
-               if (!EG(exception)) {
-                       php_error_docref(NULL, E_WARNING, "Cannot get CSR from parameter 1");
-               }
+               php_error_docref(NULL, E_WARNING, "X.509 Certificate Signing Request cannot be retrieved");
                return;
        }
-       if (zcert) {
-               cert = php_openssl_x509_from_zval(zcert, 0, &certresource);
+
+       PHP_SSL_REQ_INIT(&req);
+
+       if (cert_str || cert_obj) {
+               cert = php_openssl_x509_from_param(cert_obj, cert_str);
                if (cert == NULL) {
-                       php_error_docref(NULL, E_WARNING, "Cannot get cert from parameter 2");
+                       php_error_docref(NULL, E_WARNING, "X.509 Certificate cannot be retrieved");
                        goto cleanup;
                }
        }
-       priv_key = php_openssl_evp_from_zval(zpkey, 0, "", 0, 1, &keyresource);
+
+       priv_key = php_openssl_pkey_from_zval(zpkey, 0, "", 0, &free_pkey);
        if (priv_key == NULL) {
                if (!EG(exception)) {
                        php_error_docref(NULL, E_WARNING, "Cannot get private key from parameter 3");
@@ -3134,32 +3301,30 @@ PHP_FUNCTION(openssl_csr_sign)
                goto cleanup;
        }
 
-       /* Succeeded; lets return the cert */
-       ZVAL_RES(return_value, zend_register_resource(new_cert, le_x509));
-       new_cert = NULL;
+       object_init_ex(return_value, php_openssl_certificate_ce);
+       cert_object = Z_OPENSSL_CERTIFICATE_P(return_value);
+       cert_object->x509 = new_cert;
 
 cleanup:
 
        if (cert == new_cert) {
                cert = NULL;
        }
+
        PHP_SSL_REQ_DISPOSE(&req);
 
-       if (keyresource == NULL && priv_key) {
+       if (free_pkey && priv_key) {
                EVP_PKEY_free(priv_key);
        }
        if (key) {
                EVP_PKEY_free(key);
        }
-       if (csr_resource == NULL && csr) {
+       if (csr_str) {
                X509_REQ_free(csr);
        }
-       if (zcert && certresource == NULL && cert) {
+       if (cert_str && cert) {
                X509_free(cert);
        }
-       if (new_cert) {
-               X509_free(new_cert);
-       }
 }
 /* }}} */
 
@@ -3167,11 +3332,12 @@ cleanup:
 PHP_FUNCTION(openssl_csr_new)
 {
        struct php_x509_request req;
-       zval * args = NULL, * dn, *attribs = NULL;
-       zval * out_pkey;
-       X509_REQ * csr = NULL;
+       php_openssl_request_object *x509_request_obj;
+       zval *args = NULL, *dn, *attribs = NULL;
+       zval *out_pkey;
+       X509_REQ *csr = NULL;
        int we_made_the_key = 1;
-       zend_resource *key_resource;
+       bool free_pkey;
 
        if (zend_parse_parameters(ZEND_NUM_ARGS(), "az|a!a!", &dn, &out_pkey, &args, &attribs) == FAILURE) {
                RETURN_THROWS();
@@ -3186,7 +3352,7 @@ PHP_FUNCTION(openssl_csr_new)
 
                /* Generate or use a private key */
                if (Z_TYPE_P(out_pkey_val) != IS_NULL) {
-                       req.priv_key = php_openssl_evp_from_zval(out_pkey_val, 0, NULL, 0, 0, &key_resource);
+                       req.priv_key = php_openssl_pkey_from_zval(out_pkey_val, 0, NULL, 0, &free_pkey);
                        if (req.priv_key != NULL) {
                                we_made_the_key = 0;
                        }
@@ -3215,7 +3381,9 @@ PHP_FUNCTION(openssl_csr_new)
                                                RETVAL_TRUE;
 
                                                if (X509_REQ_sign(csr, req.priv_key, req.digest)) {
-                                                       ZVAL_RES(return_value, zend_register_resource(csr, le_csr));
+                                                       object_init_ex(return_value, php_openssl_request_ce);
+                                                       x509_request_obj = Z_OPENSSL_REQUEST_P(return_value);
+                                                       x509_request_obj->csr = csr;
                                                        csr = NULL;
                                                } else {
                                                        php_openssl_store_errors();
@@ -3223,10 +3391,16 @@ PHP_FUNCTION(openssl_csr_new)
                                                }
 
                                                if (we_made_the_key) {
-                                                       /* and a resource for the private key */
-                                                       ZEND_TRY_ASSIGN_REF_RES(out_pkey, zend_register_resource(req.priv_key, le_key));
+                                                       /* and an object for the private key */
+                                                       zval zkey_object;
+                                                       php_openssl_pkey_object *key_object;
+                                                       object_init_ex(&zkey_object, php_openssl_pkey_ce);
+                                                       key_object = Z_OPENSSL_PKEY_P(&zkey_object);
+                                                       key_object->pkey = req.priv_key;
+
+                                                       ZEND_TRY_ASSIGN_REF_TMP(out_pkey, &zkey_object);
                                                        req.priv_key = NULL; /* make sure the cleanup code doesn't zap it! */
-                                               } else if (key_resource != NULL) {
+                                               } else if (!free_pkey) {
                                                        req.priv_key = NULL; /* make sure the cleanup code doesn't zap it! */
                                                }
                                        }
@@ -3253,18 +3427,19 @@ PHP_FUNCTION(openssl_csr_new)
 /* {{{ Returns the subject of a CERT or FALSE on error */
 PHP_FUNCTION(openssl_csr_get_subject)
 {
-       zval * zcsr;
+       X509_REQ *csr;
+       zend_object *csr_obj;
+       zend_string *csr_str;
        zend_bool use_shortnames = 1;
-       zend_resource *csr_resource;
-       X509_NAME * subject;
-       X509_REQ * csr;
+       X509_NAME *subject;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS(), "z|b", &zcsr, &use_shortnames) == FAILURE) {
-               RETURN_THROWS();
-       }
-
-       csr = php_openssl_csr_from_zval(zcsr, 0, &csr_resource);
+       ZEND_PARSE_PARAMETERS_START(1, 2)
+               Z_PARAM_STR_OR_OBJ_OF_CLASS(csr_str, csr_obj, php_openssl_request_ce)
+               Z_PARAM_OPTIONAL
+               Z_PARAM_BOOL(use_shortnames)
+       ZEND_PARSE_PARAMETERS_END();
 
+       csr = php_openssl_csr_from_param(csr_obj, csr_str);
        if (csr == NULL) {
                RETURN_FALSE;
        }
@@ -3274,7 +3449,7 @@ PHP_FUNCTION(openssl_csr_get_subject)
        array_init(return_value);
        php_openssl_add_assoc_name_entry(return_value, NULL, subject, use_shortnames);
 
-       if (!csr_resource) {
+       if (csr_str) {
                X509_REQ_free(csr);
        }
 }
@@ -3283,19 +3458,21 @@ PHP_FUNCTION(openssl_csr_get_subject)
 /* {{{ Returns the subject of a CERT or FALSE on error */
 PHP_FUNCTION(openssl_csr_get_public_key)
 {
-       zval * zcsr;
+       X509_REQ *orig_csr, *csr;
+       zend_object *csr_obj;
+       zend_string *csr_str;
        zend_bool use_shortnames = 1;
-       zend_resource *csr_resource;
 
-       X509_REQ *orig_csr, *csr;
+       php_openssl_pkey_object *key_object;
        EVP_PKEY *tpubkey;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS(), "z|b", &zcsr, &use_shortnames) == FAILURE) {
-               RETURN_THROWS();
-       }
-
-       orig_csr = php_openssl_csr_from_zval(zcsr, 0, &csr_resource);
+       ZEND_PARSE_PARAMETERS_START(1, 2)
+               Z_PARAM_STR_OR_OBJ_OF_CLASS(csr_str, csr_obj, php_openssl_request_ce)
+               Z_PARAM_OPTIONAL
+               Z_PARAM_BOOL(use_shortnames)
+       ZEND_PARSE_PARAMETERS_END();
 
+       orig_csr = php_openssl_csr_from_param(csr_obj, csr_str);
        if (orig_csr == NULL) {
                RETURN_FALSE;
        }
@@ -3319,7 +3496,7 @@ PHP_FUNCTION(openssl_csr_get_public_key)
                X509_REQ_free(csr);
        }
 
-       if (!csr_resource) {
+       if (csr_str) {
                /* We also need to free the original CSR if it was freshly created */
                X509_REQ_free(orig_csr);
        }
@@ -3329,7 +3506,9 @@ PHP_FUNCTION(openssl_csr_get_public_key)
                RETURN_FALSE;
        }
 
-       RETURN_RES(zend_register_resource(tpubkey, le_key));
+       object_init_ex(return_value, php_openssl_pkey_ce);
+       key_object = Z_OPENSSL_PKEY_P(return_value);
+       key_object->pkey = tpubkey;
 }
 /* }}} */
 
@@ -3358,27 +3537,11 @@ static int php_openssl_pem_password_cb(char *buf, int size, int rwflag, void *us
 }
 /* }}} */
 
-/* {{{ php_openssl_evp_from_zval
-   Given a zval, coerce it into a EVP_PKEY object.
-       It can be:
-               1. private key resource from openssl_get_privatekey()
-               2. X509 resource -> public key will be extracted from it
-               3. if it starts with file:// interpreted as path to key file
-               4. interpreted as the data from the cert/key file and interpreted in same way as openssl_get_privatekey()
-               5. an array(0 => [items 2..4], 1 => passphrase)
-               6. if val is a string (possibly starting with file:///) and it is not an X509 certificate, then interpret as public key
-       NOTE: If you are requesting a private key but have not specified a passphrase, you should use an
-       empty string rather than NULL for the passphrase - NULL causes a passphrase prompt to be emitted in
-       the Apache error log!
-*/
-static EVP_PKEY * php_openssl_evp_from_zval(
-               zval * val, int public_key, char *passphrase, size_t passphrase_len,
-               int makeresource, zend_resource **resourceval)
+static EVP_PKEY *php_openssl_pkey_from_zval(zval *val, int public_key, char *passphrase, size_t passphrase_len, bool *free_pkey)
 {
-       EVP_PKEY * key = NULL;
-       X509 * cert = NULL;
-       int free_cert = 0;
-       zend_resource *cert_res = NULL;
+       EVP_PKEY *key = NULL;
+       X509 *cert = NULL;
+       bool free_cert = 0;
        char * filename = NULL;
        zval tmp;
 
@@ -3390,9 +3553,10 @@ static EVP_PKEY * php_openssl_evp_from_zval(
        } \
        return NULL;
 
-       if (resourceval) {
-               *resourceval = NULL;
+       if (free_pkey) {
+               *free_pkey = 1;
        }
+
        if (Z_TYPE_P(val) == IS_ARRAY) {
                zval * zphrase;
 
@@ -3423,47 +3587,33 @@ static EVP_PKEY * php_openssl_evp_from_zval(
                }
        }
 
-       if (Z_TYPE_P(val) == IS_RESOURCE) {
-               void * what;
-               zend_resource * res = Z_RES_P(val);
+       if (Z_TYPE_P(val) == IS_OBJECT && Z_OBJCE_P(val) == php_openssl_pkey_ce) {
+               int is_priv;
+
+               key = php_openssl_pkey_from_obj(Z_OBJ_P(val))->pkey;
+               is_priv = php_openssl_is_private_key(key);
 
-               what = zend_fetch_resource2(res, "OpenSSL X.509/key", le_x509, le_key);
-               if (!what) {
+               /* check whether it is actually a private key if requested */
+               if (!public_key && !is_priv) {
+                       php_error_docref(NULL, E_WARNING, "Supplied key param is a public key");
                        TMP_CLEAN;
                }
-               if (res->type == le_x509) {
-                       /* extract key from cert, depending on public_key param */
-                       cert = (X509*)what;
-                       free_cert = 0;
-               } else if (res->type == le_key) {
-                       int is_priv;
 
-                       is_priv = php_openssl_is_private_key((EVP_PKEY*)what);
-
-                       /* check whether it is actually a private key if requested */
-                       if (!public_key && !is_priv) {
-                               php_error_docref(NULL, E_WARNING, "Supplied key param is a public key");
-                               TMP_CLEAN;
+               if (public_key && is_priv) {
+                       php_error_docref(NULL, E_WARNING, "Don't know how to get public key from this private key");
+                       TMP_CLEAN;
+               } else {
+                       if (Z_TYPE(tmp) == IS_STRING) {
+                               zval_ptr_dtor_str(&tmp);
                        }
-
-                       if (public_key && is_priv) {
-                               php_error_docref(NULL, E_WARNING, "Don't know how to get public key from this private key");
-                               TMP_CLEAN;
-                       } else {
-                               if (Z_TYPE(tmp) == IS_STRING) {
-                                       zval_ptr_dtor_str(&tmp);
-                               }
-                               /* got the key - return it */
-                               if (resourceval) {
-                                       *resourceval = res;
-                                       Z_ADDREF_P(val);
-                               }
-                               return (EVP_PKEY*)what;
+                       /* got the key - return it */
+                       if (free_pkey) {
+                               *free_pkey = 0;
                        }
-               } else {
-                       /* other types could be used here - eg: file pointers and read in the data from them */
-                       TMP_CLEAN;
+                       return key;
                }
+       } else if (Z_TYPE_P(val) == IS_OBJECT && Z_OBJCE_P(val) == php_openssl_certificate_ce) {
+               cert = php_openssl_certificate_from_obj(Z_OBJ_P(val))->x509;
        } else {
                /* force it to be a string and check if it refers to a file */
                /* passing non string values leaks, object uses toString, it returns NULL
@@ -3484,10 +3634,11 @@ static EVP_PKEY * php_openssl_evp_from_zval(
                }
                /* it's an X509 file/cert of some kind, and we need to extract the data from that */
                if (public_key) {
-                       cert = php_openssl_x509_from_zval(val, 0, &cert_res);
-                       free_cert = (cert_res == NULL);
-                       /* actual extraction done later */
-                       if (!cert) {
+                       cert = php_openssl_x509_from_str(Z_STR_P(val));
+
+                       if (cert) {
+                               free_cert = 1;
+                       } else {
                                /* not a X509 certificate, try to retrieve public key */
                                BIO* in;
                                if (filename) {
@@ -3539,18 +3690,16 @@ static EVP_PKEY * php_openssl_evp_from_zval(
                }
        }
 
-       if (free_cert && cert) {
+       if (free_cert) {
                X509_free(cert);
        }
-       if (key && makeresource && resourceval) {
-               *resourceval = zend_register_resource(key, le_key);
-       }
+
        if (Z_TYPE(tmp) == IS_STRING) {
                zval_ptr_dtor_str(&tmp);
        }
+
        return key;
 }
-/* }}} */
 
 /* {{{ php_openssl_generate_private_key */
 static EVP_PKEY * php_openssl_generate_private_key(struct php_x509_request * req)
@@ -3946,6 +4095,7 @@ PHP_FUNCTION(openssl_pkey_new)
        struct php_x509_request req;
        zval * args = NULL;
        zval *data;
+       php_openssl_pkey_object *key_object;
 
        if (zend_parse_parameters(ZEND_NUM_ARGS(), "|a!", &args) == FAILURE) {
                RETURN_THROWS();
@@ -3962,7 +4112,10 @@ PHP_FUNCTION(openssl_pkey_new)
                                RSA *rsa = RSA_new();
                                if (rsa) {
                                        if (php_openssl_pkey_init_and_assign_rsa(pkey, rsa, data)) {
-                                               RETURN_RES(zend_register_resource(pkey, le_key));
+                                               object_init_ex(return_value, php_openssl_pkey_ce);
+                                               key_object = Z_OPENSSL_PKEY_P(return_value);
+                                               key_object->pkey = pkey;
+                                               return;
                                        }
                                        RSA_free(rsa);
                                } else {
@@ -3981,7 +4134,10 @@ PHP_FUNCTION(openssl_pkey_new)
                                if (dsa) {
                                        if (php_openssl_pkey_init_dsa(dsa, data)) {
                                                if (EVP_PKEY_assign_DSA(pkey, dsa)) {
-                                                       RETURN_RES(zend_register_resource(pkey, le_key));
+                                                       object_init_ex(return_value, php_openssl_pkey_ce);
+                                                       key_object = Z_OPENSSL_PKEY_P(return_value);
+                                                       key_object->pkey = pkey;
+                                                       return;
                                                } else {
                                                        php_openssl_store_errors();
                                                }
@@ -4003,7 +4159,11 @@ PHP_FUNCTION(openssl_pkey_new)
                                if (dh) {
                                        if (php_openssl_pkey_init_dh(dh, data)) {
                                                if (EVP_PKEY_assign_DH(pkey, dh)) {
-                                                       ZVAL_COPY_VALUE(return_value, zend_list_insert(pkey, le_key));
+                                                       php_openssl_pkey_object *key_object;
+
+                                                       object_init_ex(return_value, php_openssl_pkey_ce);
+                                                       key_object = Z_OPENSSL_PKEY_P(return_value);
+                                                       key_object->pkey = pkey;
                                                        return;
                                                } else {
                                                        php_openssl_store_errors();
@@ -4107,7 +4267,11 @@ PHP_FUNCTION(openssl_pkey_new)
                                        }
                                        if (EC_KEY_check_key(eckey) && EVP_PKEY_assign_EC_KEY(pkey, eckey)) {
                                                EC_GROUP_free(group);
-                                               RETURN_RES(zend_register_resource(pkey, le_key));
+
+                                               object_init_ex(return_value, php_openssl_pkey_ce);
+                                               key_object = Z_OPENSSL_PKEY_P(return_value);
+                                               key_object->pkey = pkey;
+                                               return;
                                        } else {
                                                php_openssl_store_errors();
                                        }
@@ -4143,7 +4307,9 @@ clean_exit:
        if (PHP_SSL_REQ_PARSE(&req, args) == SUCCESS) {
                if (php_openssl_generate_private_key(&req)) {
                        /* pass back a key resource */
-                       RETVAL_RES(zend_register_resource(req.priv_key, le_key));
+                       object_init_ex(return_value, php_openssl_pkey_ce);
+                       key_object = Z_OPENSSL_PKEY_P(return_value);
+                       key_object->pkey = req.priv_key;
                        /* make sure the cleanup code doesn't zap it! */
                        req.priv_key = NULL;
                }
@@ -4161,7 +4327,7 @@ PHP_FUNCTION(openssl_pkey_export_to_file)
        size_t passphrase_len = 0;
        char * filename = NULL;
        size_t filename_len = 0;
-       zend_resource *key_resource = NULL;
+       bool free_pkey = 0;
        int pem_write = 0;
        EVP_PKEY * key;
        BIO * bio_out = NULL;
@@ -4173,8 +4339,8 @@ PHP_FUNCTION(openssl_pkey_export_to_file)
        RETVAL_FALSE;
 
        PHP_OPENSSL_CHECK_SIZE_T_TO_INT(passphrase_len, passphrase);
-       key = php_openssl_evp_from_zval(zpkey, 0, passphrase, passphrase_len, 0, &key_resource);
 
+       key = php_openssl_pkey_from_zval(zpkey, 0, passphrase, passphrase_len, &free_pkey);
        if (key == NULL) {
                if (!EG(exception)) {
                        php_error_docref(NULL, E_WARNING, "Cannot get key from parameter 1");
@@ -4232,7 +4398,7 @@ PHP_FUNCTION(openssl_pkey_export_to_file)
 clean_exit:
        PHP_SSL_REQ_DISPOSE(&req);
 
-       if (key_resource == NULL && key) {
+       if (free_pkey && key) {
                EVP_PKEY_free(key);
        }
        if (bio_out) {
@@ -4248,7 +4414,7 @@ PHP_FUNCTION(openssl_pkey_export)
        zval * zpkey, * args = NULL, *out;
        char * passphrase = NULL; size_t passphrase_len = 0;
        int pem_write = 0;
-       zend_resource *key_resource = NULL;
+       bool free_pkey = 0;
        EVP_PKEY * key;
        BIO * bio_out = NULL;
        const EVP_CIPHER * cipher;
@@ -4259,8 +4425,8 @@ PHP_FUNCTION(openssl_pkey_export)
        RETVAL_FALSE;
 
        PHP_OPENSSL_CHECK_SIZE_T_TO_INT(passphrase_len, passphrase);
-       key = php_openssl_evp_from_zval(zpkey, 0, passphrase, passphrase_len, 0, &key_resource);
 
+       key = php_openssl_pkey_from_zval(zpkey, 0, passphrase, passphrase_len, &free_pkey);
        if (key == NULL) {
                if (!EG(exception)) {
                        php_error_docref(NULL, E_WARNING, "Cannot get key from parameter 1");
@@ -4314,7 +4480,7 @@ PHP_FUNCTION(openssl_pkey_export)
        }
        PHP_SSL_REQ_DISPOSE(&req);
 
-       if (key_resource == NULL && key) {
+       if (free_pkey && key) {
                EVP_PKEY_free(key);
        }
        if (bio_out) {
@@ -4328,16 +4494,23 @@ PHP_FUNCTION(openssl_pkey_get_public)
 {
        zval *cert;
        EVP_PKEY *pkey;
-       zend_resource *res;
+       php_openssl_pkey_object *key_object;
+       bool free_pkey;
 
        if (zend_parse_parameters(ZEND_NUM_ARGS(), "z", &cert) == FAILURE) {
                RETURN_THROWS();
        }
-       pkey = php_openssl_evp_from_zval(cert, 1, NULL, 0, 1, &res);
+       pkey = php_openssl_pkey_from_zval(cert, 1, NULL, 0, &free_pkey);
        if (pkey == NULL) {
                RETURN_FALSE;
        }
-       ZVAL_RES(return_value, res);
+
+       object_init_ex(return_value, php_openssl_pkey_ce);
+       key_object = Z_OPENSSL_PKEY_P(return_value);
+       key_object->pkey = pkey;
+       if (!free_pkey) {
+               EVP_PKEY_up_ref(pkey);
+       }
 }
 /* }}} */
 
@@ -4345,15 +4518,10 @@ PHP_FUNCTION(openssl_pkey_get_public)
 PHP_FUNCTION(openssl_pkey_free)
 {
        zval *key;
-       EVP_PKEY *pkey;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS(), "r", &key) == FAILURE) {
-               RETURN_THROWS();
-       }
-       if ((pkey = (EVP_PKEY *)zend_fetch_resource(Z_RES_P(key), "OpenSSL key", le_key)) == NULL) {
+       if (zend_parse_parameters(ZEND_NUM_ARGS(), "O", &key, php_openssl_pkey_ce) == FAILURE) {
                RETURN_THROWS();
        }
-       zend_list_close(Z_RES_P(key));
 }
 /* }}} */
 
@@ -4364,19 +4532,22 @@ PHP_FUNCTION(openssl_pkey_get_private)
        EVP_PKEY *pkey;
        char * passphrase = "";
        size_t passphrase_len = sizeof("")-1;
-       zend_resource *res;
+       php_openssl_pkey_object *key_object;
 
        if (zend_parse_parameters(ZEND_NUM_ARGS(), "z|s", &cert, &passphrase, &passphrase_len) == FAILURE) {
                RETURN_THROWS();
        }
 
        PHP_OPENSSL_CHECK_SIZE_T_TO_INT(passphrase_len, passphrase);
-       pkey = php_openssl_evp_from_zval(cert, 0, passphrase, passphrase_len, 1, &res);
 
+       pkey = php_openssl_pkey_from_zval(cert, 0, passphrase, passphrase_len, NULL);
        if (pkey == NULL) {
                RETURN_FALSE;
        }
-       ZVAL_RES(return_value, res);
+
+       object_init_ex(return_value, php_openssl_pkey_ce);
+       key_object = Z_OPENSSL_PKEY_P(return_value);
+       key_object->pkey = pkey;
 }
 
 /* }}} */
@@ -4391,12 +4562,12 @@ PHP_FUNCTION(openssl_pkey_get_details)
        char *pbio;
        zend_long ktype;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS(), "r", &key) == FAILURE) {
-               RETURN_THROWS();
-       }
-       if ((pkey = (EVP_PKEY *)zend_fetch_resource(Z_RES_P(key), "OpenSSL key", le_key)) == NULL) {
+       if (zend_parse_parameters(ZEND_NUM_ARGS(), "O", &key, php_openssl_pkey_ce) == FAILURE) {
                RETURN_THROWS();
        }
+
+       pkey = Z_OPENSSL_PKEY_P(key)->pkey;
+
        out = BIO_new(BIO_s_mem());
        if (!PEM_write_bio_PUBKEY(out, pkey)) {
                BIO_free(out);
@@ -4566,12 +4737,12 @@ PHP_FUNCTION(openssl_dh_compute_key)
        zend_string *data;
        int len;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS(), "sr", &pub_str, &pub_len, &key) == FAILURE) {
-               RETURN_THROWS();
-       }
-       if ((pkey = (EVP_PKEY *)zend_fetch_resource(Z_RES_P(key), "OpenSSL key", le_key)) == NULL) {
+       if (zend_parse_parameters(ZEND_NUM_ARGS(), "sO", &pub_str, &pub_len, &key, php_openssl_pkey_ce) == FAILURE) {
                RETURN_THROWS();
        }
+
+       pkey = Z_OPENSSL_PKEY_P(key)->pkey;
+
        if (EVP_PKEY_base_id(pkey) != EVP_PKEY_DH) {
                RETURN_FALSE;
        }
@@ -4618,8 +4789,8 @@ PHP_FUNCTION(openssl_pkey_derive)
                php_error_docref(NULL, E_WARNING, "keylen < 0, assuming NULL");
        }
        key_size = key_len;
-       if ((pkey = php_openssl_evp_from_zval(priv_key, 0, "", 0, 0, NULL)) == NULL
-               || (peer_key = php_openssl_evp_from_zval(peer_pub_key, 1, NULL, 0, 0, NULL)) == NULL) {
+       if ((pkey = php_openssl_pkey_from_zval(priv_key, 0, "", 0, NULL)) == NULL
+               || (peer_key = php_openssl_pkey_from_zval(peer_pub_key, 1, NULL, 0, NULL)) == NULL) {
                RETURN_FALSE;
        }
        EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pkey, NULL);
@@ -4873,7 +5044,6 @@ PHP_FUNCTION(openssl_pkcs7_encrypt)
                RETURN_THROWS();
        }
 
-
        if (php_openssl_open_base_dir_chk(infilename) || php_openssl_open_base_dir_chk(outfilename)) {
                return;
        }
@@ -4895,14 +5065,14 @@ PHP_FUNCTION(openssl_pkcs7_encrypt)
        /* get certs */
        if (Z_TYPE_P(zrecipcerts) == IS_ARRAY) {
                ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(zrecipcerts), zcertval) {
-                       zend_resource *certresource;
+                       bool free_cert;
 
-                       cert = php_openssl_x509_from_zval(zcertval, 0, &certresource);
+                       cert = php_openssl_x509_from_zval(zcertval, &free_cert);
                        if (cert == NULL) {
                                goto clean_exit;
                        }
 
-                       if (certresource != NULL) {
+                       if (!free_cert) {
                                /* we shouldn't free this particular cert, as it is a resource.
                                        make a copy and push that on the stack instead */
                                cert = X509_dup(cert);
@@ -4915,14 +5085,14 @@ PHP_FUNCTION(openssl_pkcs7_encrypt)
                } ZEND_HASH_FOREACH_END();
        } else {
                /* a single certificate */
-               zend_resource *certresource;
+               bool free_cert;
 
-               cert = php_openssl_x509_from_zval(zrecipcerts, 0, &certresource);
+               cert = php_openssl_x509_from_zval(zrecipcerts, &free_cert);
                if (cert == NULL) {
                        goto clean_exit;
                }
 
-               if (certresource != NULL) {
+               if (!free_cert) {
                        /* we shouldn't free this particular cert, as it is a resource.
                                make a copy and push that on the stack instead */
                        cert = X509_dup(cert);
@@ -5091,15 +5261,17 @@ clean_exit:
 
 PHP_FUNCTION(openssl_pkcs7_sign)
 {
-       zval * zcert, * zprivkey, * zheaders;
+       X509 *cert = NULL;
+       zend_object *cert_obj;
+       zend_string *cert_str;
+       zval *zprivkey, * zheaders;
        zval * hval;
-       X509 * cert = NULL;
        EVP_PKEY * privkey = NULL;
        zend_long flags = PKCS7_DETACHED;
        PKCS7 * p7 = NULL;
        BIO * infile = NULL, * outfile = NULL;
        STACK_OF(X509) *others = NULL;
-       zend_resource *certresource = NULL, *keyresource = NULL;
+       bool free_pkey = 0;
        zend_string * strindex;
        char * infilename;
        size_t infilename_len;
@@ -5108,12 +5280,16 @@ PHP_FUNCTION(openssl_pkcs7_sign)
        char * extracertsfilename = NULL;
        size_t extracertsfilename_len;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS(), "ppzza!|lp!",
-                               &infilename, &infilename_len, &outfilename, &outfilename_len,
-                               &zcert, &zprivkey, &zheaders, &flags, &extracertsfilename,
-                               &extracertsfilename_len) == FAILURE) {
-               RETURN_THROWS();
-       }
+       ZEND_PARSE_PARAMETERS_START(5, 7)
+               Z_PARAM_PATH(infilename, infilename_len)
+               Z_PARAM_PATH(outfilename, outfilename_len)
+               Z_PARAM_STR_OR_OBJ_OF_CLASS(cert_str, cert_obj, php_openssl_certificate_ce)
+               Z_PARAM_ZVAL(zprivkey)
+               Z_PARAM_ARRAY_OR_NULL(zheaders)
+               Z_PARAM_OPTIONAL
+               Z_PARAM_LONG(flags)
+               Z_PARAM_PATH_OR_NULL(extracertsfilename, extracertsfilename_len)
+       ZEND_PARSE_PARAMETERS_END();
 
        RETVAL_FALSE;
 
@@ -5124,7 +5300,7 @@ PHP_FUNCTION(openssl_pkcs7_sign)
                }
        }
 
-       privkey = php_openssl_evp_from_zval(zprivkey, 0, "", 0, 0, &keyresource);
+       privkey = php_openssl_pkey_from_zval(zprivkey, 0, "", 0, &free_pkey);
        if (privkey == NULL) {
                if (!EG(exception)) {
                        php_error_docref(NULL, E_WARNING, "Error getting private key");
@@ -5132,9 +5308,9 @@ PHP_FUNCTION(openssl_pkcs7_sign)
                goto clean_exit;
        }
 
-       cert = php_openssl_x509_from_zval(zcert, 0, &certresource);
+       cert = php_openssl_x509_from_param(cert_obj, cert_str);
        if (cert == NULL) {
-               php_error_docref(NULL, E_WARNING, "Error getting cert");
+               php_error_docref(NULL, E_WARNING, "X.509 Certificate cannot be retrieved");
                goto clean_exit;
        }
 
@@ -5200,10 +5376,10 @@ clean_exit:
        if (others) {
                sk_X509_pop_free(others, X509_free);
        }
-       if (privkey && keyresource == NULL) {
+       if (privkey && free_pkey) {
                EVP_PKEY_free(privkey);
        }
-       if (cert && certresource == NULL) {
+       if (cert && cert_str) {
                X509_free(cert);
        }
 }
@@ -5213,31 +5389,35 @@ clean_exit:
 
 PHP_FUNCTION(openssl_pkcs7_decrypt)
 {
-       zval * recipcert, * recipkey = NULL;
-       X509 * cert = NULL;
+       X509 *cert;
+       zval *recipcert, *recipkey = NULL;
+       bool free_recipcert;
        EVP_PKEY * key = NULL;
-       zend_resource *certresval, *keyresval;
-       BIO * in = NULL, * out = NULL, * datain = NULL;
+       bool free_pkey;
+       BIO * in = NULL, *out = NULL, *datain = NULL;
        PKCS7 * p7 = NULL;
        char * infilename;
        size_t infilename_len;
        char * outfilename;
        size_t outfilename_len;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS(), "ppz|z", &infilename, &infilename_len,
-                               &outfilename, &outfilename_len, &recipcert, &recipkey) == FAILURE) {
-               RETURN_THROWS();
-       }
+       ZEND_PARSE_PARAMETERS_START(3, 4)
+               Z_PARAM_PATH(infilename, infilename_len)
+               Z_PARAM_PATH(outfilename, outfilename_len)
+               Z_PARAM_ZVAL(recipcert)
+               Z_PARAM_OPTIONAL
+               Z_PARAM_ZVAL_OR_NULL(recipkey)
+       ZEND_PARSE_PARAMETERS_END();
 
        RETVAL_FALSE;
 
-       cert = php_openssl_x509_from_zval(recipcert, 0, &certresval);
+       cert = php_openssl_x509_from_zval(recipcert, &free_recipcert);
        if (cert == NULL) {
-               php_error_docref(NULL, E_WARNING, "Unable to coerce parameter 3 to x509 cert");
+               php_error_docref(NULL, E_WARNING, "X.509 Certificate cannot be retrieved");
                goto clean_exit;
        }
 
-       key = php_openssl_evp_from_zval(recipkey ? recipkey : recipcert, 0, "", 0, 0, &keyresval);
+       key = php_openssl_pkey_from_zval(recipkey ? recipkey : recipcert, 0, "", 0, &free_pkey);
        if (key == NULL) {
                if (!EG(exception)) {
                        php_error_docref(NULL, E_WARNING, "Unable to get private key");
@@ -5276,10 +5456,10 @@ clean_exit:
        BIO_free(datain);
        BIO_free(in);
        BIO_free(out);
-       if (cert && certresval == NULL) {
+       if (cert && free_recipcert) {
                X509_free(cert);
        }
-       if (key && keyresval == NULL) {
+       if (key && free_pkey) {
                EVP_PKEY_free(key);
        }
 }
@@ -5521,14 +5701,14 @@ PHP_FUNCTION(openssl_cms_encrypt)
        /* get certs */
        if (Z_TYPE_P(zrecipcerts) == IS_ARRAY) {
                ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(zrecipcerts), zcertval) {
-                       zend_resource *certresource;
+                       bool free_cert;
 
-                       cert = php_openssl_x509_from_zval(zcertval, 0, &certresource);
+                       cert = php_openssl_x509_from_zval(zcertval, &free_cert);
                        if (cert == NULL) {
                                goto clean_exit;
                        }
 
-                       if (certresource != NULL) {
+                       if (!free_cert) {
                                /* we shouldn't free this particular cert, as it is a resource.
                                        make a copy and push that on the stack instead */
                                cert = X509_dup(cert);
@@ -5541,14 +5721,14 @@ PHP_FUNCTION(openssl_cms_encrypt)
                } ZEND_HASH_FOREACH_END();
        } else {
                /* a single certificate */
-               zend_resource *certresource;
+               bool free_cert;
 
-               cert = php_openssl_x509_from_zval(zrecipcerts, 0, &certresource);
+               cert = php_openssl_x509_from_zval(zrecipcerts, &free_cert);
                if (cert == NULL) {
                        goto clean_exit;
                }
 
-               if (certresource != NULL) {
+               if (!free_cert) {
                        /* we shouldn't free this particular cert, as it is a resource.
                                make a copy and push that on the stack instead */
                        cert = X509_dup(cert);
@@ -5756,16 +5936,18 @@ clean_exit:
 
 PHP_FUNCTION(openssl_cms_sign)
 {
-       zval * zcert, * zprivkey, * zheaders;
+       X509 *cert = NULL;
+       zend_object *cert_obj;
+       zend_string *cert_str;
+       zval *zprivkey, *zheaders;
        zval * hval;
-       X509 * cert = NULL;
        EVP_PKEY * privkey = NULL;
        zend_long flags = 0;
        zend_long encoding = ENCODING_SMIME;
        CMS_ContentInfo * cms = NULL;
        BIO * infile = NULL, * outfile = NULL;
        STACK_OF(X509) *others = NULL;
-       zend_resource *certresource = NULL, *keyresource = NULL;
+       bool free_pkey = 0;
        zend_string * strindex;
        char * infilename;
        size_t infilename_len;
@@ -5775,12 +5957,17 @@ PHP_FUNCTION(openssl_cms_sign)
        size_t extracertsfilename_len;
        int need_final = 0;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS(), "ppzza!|llp!",
-                               &infilename, &infilename_len, &outfilename, &outfilename_len,
-                               &zcert, &zprivkey, &zheaders, &flags, &encoding, &extracertsfilename,
-                               &extracertsfilename_len) == FAILURE) {
-               RETURN_THROWS();
-       }
+       ZEND_PARSE_PARAMETERS_START(5, 8)
+               Z_PARAM_PATH(infilename, infilename_len)
+               Z_PARAM_PATH(outfilename, outfilename_len)
+               Z_PARAM_STR_OR_OBJ_OF_CLASS(cert_str, cert_obj, php_openssl_certificate_ce)
+               Z_PARAM_ZVAL(zprivkey)
+               Z_PARAM_ARRAY_OR_NULL(zheaders)
+               Z_PARAM_OPTIONAL
+               Z_PARAM_LONG(flags)
+               Z_PARAM_LONG(encoding)
+               Z_PARAM_PATH(extracertsfilename, extracertsfilename_len)
+       ZEND_PARSE_PARAMETERS_END();
 
        RETVAL_FALSE;
 
@@ -5791,7 +5978,7 @@ PHP_FUNCTION(openssl_cms_sign)
                }
        }
 
-       privkey = php_openssl_evp_from_zval(zprivkey, 0, "", 0, 0, &keyresource);
+       privkey = php_openssl_pkey_from_zval(zprivkey, 0, "", 0, &free_pkey);
        if (privkey == NULL) {
                if (!EG(exception)) {
                        php_error_docref(NULL, E_WARNING, "Error getting private key");
@@ -5799,9 +5986,9 @@ PHP_FUNCTION(openssl_cms_sign)
                goto clean_exit;
        }
 
-       cert = php_openssl_x509_from_zval(zcert, 0, &certresource);
+       cert = php_openssl_x509_from_param(cert_obj, cert_str);
        if (cert == NULL) {
-               php_error_docref(NULL, E_WARNING, "Error getting cert");
+               php_error_docref(NULL, E_WARNING, "X.509 Certificate cannot be retrieved");
                goto clean_exit;
        }
 
@@ -5926,7 +6113,7 @@ clean_exit:
                sk_X509_pop_free(others, X509_free);
        }
        EVP_PKEY_free(privkey);
-       if (cert && certresource == NULL) {
+       if (cert && cert_str) {
                X509_free(cert);
        }
 }
@@ -5936,10 +6123,11 @@ clean_exit:
 
 PHP_FUNCTION(openssl_cms_decrypt)
 {
-       zval * recipcert, * recipkey = NULL;
-       X509 * cert = NULL;
+       X509 *cert;
+       zval *recipcert, *recipkey = NULL;
+       bool free_recipcert;
        EVP_PKEY * key = NULL;
-       zend_resource *certresval, *keyresval;
+       bool free_pkey;
        zend_long encoding = ENCODING_SMIME;
        BIO * in = NULL, * out = NULL, * datain = NULL;
        CMS_ContentInfo * cms = NULL;
@@ -5948,21 +6136,24 @@ PHP_FUNCTION(openssl_cms_decrypt)
        char * outfilename;
        size_t outfilename_len;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS(), "ppz|zl", &infilename, &infilename_len,
-                               &outfilename, &outfilename_len, &recipcert,
-                               &recipkey, &encoding) == FAILURE) {
-               RETURN_THROWS();
-       }
+       ZEND_PARSE_PARAMETERS_START(3, 5)
+               Z_PARAM_PATH(infilename, infilename_len)
+               Z_PARAM_PATH(outfilename, outfilename_len)
+               Z_PARAM_ZVAL(recipcert)
+               Z_PARAM_OPTIONAL
+               Z_PARAM_ZVAL(recipkey)
+               Z_PARAM_LONG(encoding)
+       ZEND_PARSE_PARAMETERS_END();
 
        RETVAL_FALSE;
 
-       cert = php_openssl_x509_from_zval(recipcert, 0, &certresval);
+       cert = php_openssl_x509_from_zval(recipcert, &free_recipcert);
        if (cert == NULL) {
-               php_error_docref(NULL, E_WARNING, "Unable to coerce parameter 3 to x509 cert");
+               php_error_docref(NULL, E_WARNING, "X.509 Certificate cannot be retrieved");
                goto clean_exit;
        }
 
-       key = php_openssl_evp_from_zval(recipkey ? recipkey : recipcert, 0, "", 0, 0, &keyresval);
+       key = php_openssl_pkey_from_zval(recipkey ? recipkey : recipcert, 0, "", 0, &free_pkey);
        if (key == NULL) {
                if (!EG(exception)) {
                        php_error_docref(NULL, E_WARNING, "Unable to get private key");
@@ -6017,10 +6208,10 @@ clean_exit:
        BIO_free(datain);
        BIO_free(in);
        BIO_free(out);
-       if (cert && certresval == NULL) {
+       if (cert && free_recipcert) {
                X509_free(cert);
        }
-       if (key && keyresval == NULL) {
+       if (key && free_pkey) {
                EVP_PKEY_free(key);
        }
 }
@@ -6038,7 +6229,7 @@ PHP_FUNCTION(openssl_private_encrypt)
        int cryptedlen;
        zend_string *cryptedbuf = NULL;
        int successful = 0;
-       zend_resource *keyresource = NULL;
+       bool free_pkey = 0;
        char * data;
        size_t data_len;
        zend_long padding = RSA_PKCS1_PADDING;
@@ -6048,7 +6239,7 @@ PHP_FUNCTION(openssl_private_encrypt)
        }
        RETVAL_FALSE;
 
-       pkey = php_openssl_evp_from_zval(key, 0, "", 0, 0, &keyresource);
+       pkey = php_openssl_pkey_from_zval(key, 0, "", 0, &free_pkey);
 
        if (pkey == NULL) {
                if (!EG(exception)) {
@@ -6086,7 +6277,7 @@ PHP_FUNCTION(openssl_private_encrypt)
        if (cryptedbuf) {
                zend_string_release_ex(cryptedbuf, 0);
        }
-       if (keyresource == NULL) {
+       if (free_pkey) {
                EVP_PKEY_free(pkey);
        }
 }
@@ -6102,7 +6293,7 @@ PHP_FUNCTION(openssl_private_decrypt)
        unsigned char *crypttemp;
        int successful = 0;
        zend_long padding = RSA_PKCS1_PADDING;
-       zend_resource *keyresource = NULL;
+       bool free_pkey = 0;
        char * data;
        size_t data_len;
 
@@ -6111,7 +6302,7 @@ PHP_FUNCTION(openssl_private_decrypt)
        }
        RETVAL_FALSE;
 
-       pkey = php_openssl_evp_from_zval(key, 0, "", 0, 0, &keyresource);
+       pkey = php_openssl_pkey_from_zval(key, 0, "", 0, &free_pkey);
        if (pkey == NULL) {
                if (!EG(exception)) {
                        php_error_docref(NULL, E_WARNING, "key parameter is not a valid private key");
@@ -6153,7 +6344,7 @@ PHP_FUNCTION(openssl_private_decrypt)
                php_openssl_store_errors();
        }
 
-       if (keyresource == NULL) {
+       if (free_pkey) {
                EVP_PKEY_free(pkey);
        }
        if (cryptedbuf) {
@@ -6170,7 +6361,7 @@ PHP_FUNCTION(openssl_public_encrypt)
        int cryptedlen;
        zend_string *cryptedbuf;
        int successful = 0;
-       zend_resource *keyresource = NULL;
+       bool free_pkey = 0;
        zend_long padding = RSA_PKCS1_PADDING;
        char * data;
        size_t data_len;
@@ -6180,7 +6371,7 @@ PHP_FUNCTION(openssl_public_encrypt)
        }
        RETVAL_FALSE;
 
-       pkey = php_openssl_evp_from_zval(key, 1, NULL, 0, 0, &keyresource);
+       pkey = php_openssl_pkey_from_zval(key, 1, NULL, 0, &free_pkey);
        if (pkey == NULL) {
                if (!EG(exception)) {
                        php_error_docref(NULL, E_WARNING, "key parameter is not a valid public key");
@@ -6215,7 +6406,7 @@ PHP_FUNCTION(openssl_public_encrypt)
        } else {
                php_openssl_store_errors();
        }
-       if (keyresource == NULL) {
+       if (free_pkey) {
                EVP_PKEY_free(pkey);
        }
        if (cryptedbuf) {
@@ -6233,7 +6424,7 @@ PHP_FUNCTION(openssl_public_decrypt)
        zend_string *cryptedbuf = NULL;
        unsigned char *crypttemp;
        int successful = 0;
-       zend_resource *keyresource = NULL;
+       bool free_pkey = 0;
        zend_long padding = RSA_PKCS1_PADDING;
        char * data;
        size_t data_len;
@@ -6243,7 +6434,7 @@ PHP_FUNCTION(openssl_public_decrypt)
        }
        RETVAL_FALSE;
 
-       pkey = php_openssl_evp_from_zval(key, 1, NULL, 0, 0, &keyresource);
+       pkey = php_openssl_pkey_from_zval(key, 1, NULL, 0, &free_pkey);
        if (pkey == NULL) {
                if (!EG(exception)) {
                        php_error_docref(NULL, E_WARNING, "key parameter is not a valid public key");
@@ -6290,7 +6481,7 @@ PHP_FUNCTION(openssl_public_decrypt)
        if (cryptedbuf) {
                zend_string_release_ex(cryptedbuf, 0);
        }
-       if (keyresource == NULL) {
+       if (free_pkey) {
                EVP_PKEY_free(pkey);
        }
 }
@@ -6331,7 +6522,7 @@ PHP_FUNCTION(openssl_sign)
        EVP_PKEY *pkey;
        unsigned int siglen;
        zend_string *sigbuf;
-       zend_resource *keyresource = NULL;
+       bool free_pkey = 0;
        char * data;
        size_t data_len;
        EVP_MD_CTX *md_ctx;
@@ -6342,7 +6533,7 @@ PHP_FUNCTION(openssl_sign)
        if (zend_parse_parameters(ZEND_NUM_ARGS(), "szz|z", &data, &data_len, &signature, &key, &method) == FAILURE) {
                RETURN_THROWS();
        }
-       pkey = php_openssl_evp_from_zval(key, 0, "", 0, 0, &keyresource);
+       pkey = php_openssl_pkey_from_zval(key, 0, "", 0, &free_pkey);
        if (pkey == NULL) {
                if (!EG(exception)) {
                        php_error_docref(NULL, E_WARNING, "Supplied key param cannot be coerced into a private key");
@@ -6384,7 +6575,7 @@ PHP_FUNCTION(openssl_sign)
                RETVAL_FALSE;
        }
        EVP_MD_CTX_destroy(md_ctx);
-       if (keyresource == NULL) {
+       if (free_pkey) {
                EVP_PKEY_free(pkey);
        }
 }
@@ -6398,7 +6589,7 @@ PHP_FUNCTION(openssl_verify)
        int err = 0;
        EVP_MD_CTX *md_ctx;
        const EVP_MD *mdtype;
-       zend_resource *keyresource = NULL;
+       bool free_pkey = 0;
        char * data;
        size_t data_len;
        char * signature;
@@ -6428,7 +6619,7 @@ PHP_FUNCTION(openssl_verify)
                RETURN_FALSE;
        }
 
-       pkey = php_openssl_evp_from_zval(key, 1, NULL, 0, 0, &keyresource);
+       pkey = php_openssl_pkey_from_zval(key, 1, NULL, 0, &free_pkey);
        if (pkey == NULL) {
                if (!EG(exception)) {
                        php_error_docref(NULL, E_WARNING, "Supplied key param cannot be coerced into a public key");
@@ -6445,7 +6636,7 @@ PHP_FUNCTION(openssl_verify)
        }
        EVP_MD_CTX_destroy(md_ctx);
 
-       if (keyresource == NULL) {
+       if (free_pkey) {
                EVP_PKEY_free(pkey);
        }
        RETURN_LONG(err);
@@ -6458,7 +6649,7 @@ PHP_FUNCTION(openssl_seal)
        zval *pubkeys, *pubkey, *sealdata, *ekeys, *iv = NULL;
        HashTable *pubkeysht;
        EVP_PKEY **pkeys;
-       zend_resource ** key_resources; /* so we know what to cleanup */
+       bool *free_pkeys;       /* so we know what to cleanup */
        int i, len1, len2, *eksl, nkeys, iv_len;
        unsigned char iv_buf[EVP_MAX_IV_LENGTH + 1], *buf = NULL, **eks;
        char * data;
@@ -6502,14 +6693,14 @@ PHP_FUNCTION(openssl_seal)
        eksl = safe_emalloc(nkeys, sizeof(*eksl), 0);
        eks = safe_emalloc(nkeys, sizeof(*eks), 0);
        memset(eks, 0, sizeof(*eks) * nkeys);
-       key_resources = safe_emalloc(nkeys, sizeof(zend_resource*), 0);
-       memset(key_resources, 0, sizeof(zend_resource*) * nkeys);
+       free_pkeys = safe_emalloc(nkeys, sizeof(int *), 0);
+       memset(free_pkeys, 0, sizeof(int *) * nkeys);
        memset(pkeys, 0, sizeof(*pkeys) * nkeys);
 
        /* get the public keys we are using to seal this data */
        i = 0;
        ZEND_HASH_FOREACH_VAL(pubkeysht, pubkey) {
-               pkeys[i] = php_openssl_evp_from_zval(pubkey, 1, NULL, 0, 0, &key_resources[i]);
+               pkeys[i] = php_openssl_pkey_from_zval(pubkey, 1, NULL, 0, &free_pkeys[i]);
                if (pkeys[i] == NULL) {
                        if (!EG(exception)) {
                                php_error_docref(NULL, E_WARNING, "Not a public key (%dth member of pubkeys)", i+1);
@@ -6572,7 +6763,7 @@ PHP_FUNCTION(openssl_seal)
 
 clean_exit:
        for (i=0; i<nkeys; i++) {
-               if (key_resources[i] == NULL && pkeys[i] != NULL) {
+               if (free_pkeys[i] && pkeys[i] != NULL) {
                        EVP_PKEY_free(pkeys[i]);
                }
                if (eks[i]) {
@@ -6582,7 +6773,7 @@ clean_exit:
        efree(eks);
        efree(eksl);
        efree(pkeys);
-       efree(key_resources);
+       efree(free_pkeys);
 }
 /* }}} */
 
@@ -6593,7 +6784,7 @@ PHP_FUNCTION(openssl_open)
        EVP_PKEY *pkey;
        int len1, len2, cipher_iv_len;
        unsigned char *buf, *iv_buf;
-       zend_resource *keyresource = NULL;
+       bool free_pkey = 0;
        EVP_CIPHER_CTX *ctx;
        char * data;
        size_t data_len;
@@ -6608,7 +6799,7 @@ PHP_FUNCTION(openssl_open)
                RETURN_THROWS();
        }
 
-       pkey = php_openssl_evp_from_zval(privkey, 0, "", 0, 0, &keyresource);
+       pkey = php_openssl_pkey_from_zval(privkey, 0, "", 0, &free_pkey);
        if (pkey == NULL) {
                if (!EG(exception)) {
                        php_error_docref(NULL, E_WARNING, "Unable to coerce parameter 4 into a private key");
@@ -6660,7 +6851,7 @@ PHP_FUNCTION(openssl_open)
        }
 
        efree(buf);
-       if (keyresource == NULL) {
+       if (free_pkey) {
                EVP_PKEY_free(pkey);
        }
        EVP_CIPHER_CTX_free(ctx);
diff --git a/ext/openssl/openssl.stub.php b/ext/openssl/openssl.stub.php
index 0c6d3ea9f96eb042f0c80e3552f3284f17ae2730..6e088204e08363240065b63e30866ff30936dbde 100644 (file)
--- a/ext/openssl/openssl.stub.php
+++ b/ext/openssl/openssl.stub.php
@@ -2,187 +2,191 @@
 
 /** @generate-function-entries */
 
-function openssl_x509_export_to_file($x509, string $outfilename, bool $notext = true): bool {}
+final class OpenSSLCertificate
+{
+}
 
-function openssl_x509_export($x509 , &$out, bool $notext = true): bool {}
+final class OpenSSLCertificateSigningRequest
+{
+}
 
-function openssl_x509_fingerprint($x509, string $method = 'sha1', bool $raw_output = false): string|false {}
+final class OpenSSLAsymmetricKey
+{
+}
 
-function openssl_x509_check_private_key($cert, $key): bool {}
+function openssl_x509_export_to_file(OpenSSLCertificate|string $x509, string $outfilename, bool $notext = true): bool {}
 
-function openssl_x509_verify($cert, $key): int {}
+function openssl_x509_export(OpenSSLCertificate|string $x509, &$out, bool $notext = true): bool {}
 
-function openssl_x509_parse($x509, bool $shortname = true): array|false {}
+function openssl_x509_fingerprint(OpenSSLCertificate|string $x509, string $method = "sha1", bool $raw_output = false): string|false {}
 
-function openssl_x509_checkpurpose($x509cert, int $purpose, ?array $cainfo = [], string $untrustedfile = UNKNOWN): bool|int {}
+/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $key */
+function openssl_x509_check_private_key(OpenSSLCertificate|string $x509, $key): bool {}
 
-/** @return resource|false */
-function openssl_x509_read($cert) {}
+/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $key */
+function openssl_x509_verify(OpenSSLCertificate|string $x509, $key): int {}
 
-function openssl_x509_free($x509): ?bool {}
+function openssl_x509_parse(OpenSSLCertificate|string $x509, bool $shortname = true): array|false {}
 
-/**
- * @param resource|string $x509cert
- * @param resource|string|array $priv_key
- */
-function openssl_pkcs12_export_to_file($x509cert, string $filename, $priv_key, string $pass, array $args = UNKNOWN): bool {}
+function openssl_x509_checkpurpose(OpenSSLCertificate|string $x509, int $purpose, ?array $cainfo = [], ?string $untrustedfile = null): bool|int {}
 
-/**
- * @param resource|string $x509
- * @param resource|string|array $priv_key
- */
-function openssl_pkcs12_export($x509 , &$out, $priv_key, string $pass, array $args = UNKNOWN): bool {}
+function openssl_x509_read(OpenSSLCertificate|string $x509): OpenSSLCertificate|false {}
+
+/** @deprecated */
+function openssl_x509_free(OpenSSLCertificate $x509): void {}
 
+/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $priv_key */
+function openssl_pkcs12_export_to_file(OpenSSLCertificate|string $x509cert, string $filename, $priv_key, string $pass, array $args = []): bool {}
+
+/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $priv_key */
+function openssl_pkcs12_export(OpenSSLCertificate|string $x509, &$out, $priv_key, string $pass, array $args = []): bool {}
+
+/** @param array $certs */
 function openssl_pkcs12_read(string $pkcs12, &$certs, string $pass): bool {}
 
-/** @param resource $csr */
-function openssl_csr_export_to_file($csr, string $outfilename, bool $notext = true): bool {}
+function openssl_csr_export_to_file(OpenSSLCertificateSigningRequest|string $csr, string $outfilename, bool $notext = true): bool {}
 
-/** @param resource $csr */
-function openssl_csr_export($csr, &$out, bool $notext = true): bool {}
+/** @param OpenSSLAsymmetricKey $out */
+function openssl_csr_export(OpenSSLCertificateSigningRequest|string $csr, &$out, bool $notext = true): bool {}
 
-/**
- * @param resource|string $csr
- * @param resource|string $cacert
- * @param resource|string|array $priv_key
- * @return resource|false
- */
-function openssl_csr_sign($csr, $cacert = null, $priv_key, int $days, ?array $config_args = null, int $serial = 0) {}
+/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $priv_key */
+function openssl_csr_sign(OpenSSLCertificateSigningRequest|string $csr, OpenSSLCertificate|string|null $cacert, $priv_key, int $days, ?array $config_args = null, int $serial = 0): OpenSSLCertificate|false {}
 
-/** @return resource|false */
-function openssl_csr_new(array $dn, &$privkey, ?array $configargs = null, ?array $extraattribs = null) {}
+/** @param OpenSSLAsymmetricKey $privkey */
+function openssl_csr_new(array $dn, &$privkey, ?array $configargs = null, ?array $extraattribs = null): OpenSSLCertificateSigningRequest|false {}
 
-/** @param resource|string $csr */
-function openssl_csr_get_subject($csr, bool $use_shortnames = true): array|false {}
+function openssl_csr_get_subject(OpenSSLCertificateSigningRequest|string $csr, bool $use_shortnames = true): array|false {}
 
-/**
- * @param resource|string $csr
- * @return resource|false
- */
-function openssl_csr_get_public_key($csr, bool $use_shortnames = true) {}
+function openssl_csr_get_public_key(OpenSSLCertificateSigningRequest|string $csr, bool $use_shortnames = true): OpenSSLAsymmetricKey|false {}
 
-/** @return resource|false */
-function openssl_pkey_new(?array $configargs = null) {}
+function openssl_pkey_new(?array $configargs = null): OpenSSLAsymmetricKey|false {}
 
-/** @param resource|string|array $key */
+/**
+ * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $key
+ * @param string $out
+ */
 function openssl_pkey_export_to_file($key, string $outfilename, ?string $passphrase = null, ?array $configargs = null): bool {}
 
-/** @param resource|string|array $key */
-function openssl_pkey_export($key, &$out, ?string $passphrase = null, ?array $configargs = null): bool {}
-
 /**
- * @param resource|string|array $cert
- * @return resource|false
+ * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $key
+ * @param string $out
  */
-function openssl_pkey_get_public($cert) {}
+function openssl_pkey_export($key, &$out, ?string $passphrase = null, ?array $configargs = null): bool {}
+
+/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $cert */
+function openssl_pkey_get_public($cert): OpenSSLAsymmetricKey|false {}
 
 /**
- * @param resource|string|array $cert
- * @return resource|false
+ * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $cert
  * @alias openssl_pkey_get_public
  */
-function openssl_get_publickey($cert) {}
+function openssl_get_publickey($cert): OpenSSLAsymmetricKey|false {}
 
-/** @param resource $key */
-function openssl_pkey_free($key): void {}
+/** @deprecated */
+function openssl_pkey_free(OpenSSLAsymmetricKey $key): void {}
 
 /**
- * @param resource $key
  * @alias openssl_pkey_free
+ * @deprecated
  */
-function openssl_free_key($key): void {}
+function openssl_free_key(OpenSSLAsymmetricKey $key): void {}
 
-/**
- * @param resource|string|array $key
- * @return resource|false
- */
-function openssl_pkey_get_private($key, string $passphrase = UNKNOWN) {}
+/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $key */
+function openssl_pkey_get_private($key, string $passphrase = UNKNOWN): OpenSSLAsymmetricKey|false {}
 
 /**
- * @param resource|string|array $key
- * @return resource|false
+ * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $key
  * @alias openssl_pkey_get_private
  */
-function openssl_get_privatekey($key, string $passphrase = UNKNOWN) {}
+function openssl_get_privatekey($key, string $passphrase = UNKNOWN): OpenSSLAsymmetricKey|false {}
 
-/** @param resource $key */
-function openssl_pkey_get_details($key): array|false {}
+function openssl_pkey_get_details(OpenSSLAsymmetricKey $key): array|false {}
 
 function openssl_pbkdf2(string $password, string $salt, int $key_length, int $iterations, string $digest_algorithm = 'sha1'): string|false {}
 
 function openssl_pkcs7_verify(string $filename, int $flags, string $signerscerts = UNKNOWN, array $cainfo = UNKNOWN, string $extracerts = UNKNOWN, string $content = UNKNOWN, string $pk7 = UNKNOWN): bool|int {}
 
-/** @param resource|string|array $recipcerts */
+/** @param OpenSSLCertificate|array|string $recipcerts */
 function openssl_pkcs7_encrypt(string $infile, string $outfile, $recipcerts, ?array $headers, int $flags = 0, int $cipher = OPENSSL_CIPHER_RC2_40): bool {}
 
-/**
- * @param resource|string $signcert
- * @param resource|string|array $signkey
- */
-function openssl_pkcs7_sign(string $infile, string $outfile, $signcert, $signkey, ?array $headers, int $flags = PKCS7_DETACHED, ?string $extracertsfilename = null): bool {}
+/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $signkey */
+function openssl_pkcs7_sign(string $infile, string $outfile, OpenSSLCertificate|string $signcert, $signkey, ?array $headers, int $flags = PKCS7_DETACHED, ?string $extracertsfilename = null): bool {}
 
-/**
- * @param resource|string $recipcert
- * @param resource|string|array $recipkey
- */
-function openssl_pkcs7_decrypt(string $infilename, string $outfilename, $recipcert, $recipkey = UNKNOWN): bool {}
+/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string|null $recipkey */
+function openssl_pkcs7_decrypt(string $infilename, string $outfilename, OpenSSLCertificate|string $recipcert, $recipkey = null): bool {}
 
 function openssl_pkcs7_read(string $infilename, &$certs): bool {}
 
 function openssl_cms_verify(string $filename, int $flags = 0, ?string $signerscerts = null, ?array $cainfo = null, ?string $extracerts = null, ?string $content = null, ?string $pk7 = null, ?string $sigfile = null, $encoding = OPENSSL_ENCODING_SMIME): bool {}
 
-/** @param resource|string|array $recipcerts */
+/** @param OpenSSLCertificate|array|string $recipcerts */
 function openssl_cms_encrypt(string $infile, string $outfile, $recipcerts, ?array $headers, int $flags = 0, int $encoding = OPENSSL_ENCODING_SMIME,  int $cipher = OPENSSL_CIPHER_RC2_40): bool {}
 
-/**
- * @param resource|string $signcert
- * @param resource|string|array $signkey
- */
-function openssl_cms_sign(string $infile, string $outfile, $signcert, $signkey, ?array $headers, int $flags = 0, int $encoding = OPENSSL_ENCODING_SMIME, ?string $extracertsfilename = null): bool {}
+/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $signkey */
+function openssl_cms_sign(string $infile, string $outfile, OpenSSLCertificate|string $signcert, $signkey, ?array $headers, int $flags = 0, int $encoding = OPENSSL_ENCODING_SMIME, ?string $extracertsfilename = null): bool {}
 
-/**
- * @param resource|string $recipcert
- * @param resource|string|array $recipkey
- */
-function openssl_cms_decrypt(string $infilename, string $outfilename, $recipcert, $recipkey, int $encoding = OPENSSL_ENCODING_SMIME): bool {}
+/** @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $recipkey */
+function openssl_cms_decrypt(string $infilename, string $outfilename, OpenSSLCertificate|string $recipcert, $recipkey, int $encoding = OPENSSL_ENCODING_SMIME): bool {}
 
+/** @param array $certs */
 function openssl_cms_read(string $infilename, &$certs): bool {}
 
-
-/** @param resource|string|array $key */
+/**
+ * @param string $crypted
+ * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $key
+ */
 function openssl_private_encrypt(string $data, &$crypted, $key, int $padding = OPENSSL_PKCS1_PADDING): bool {}
 
-/** @param resource|string|array $key */
+/**
+ * @param string $crypted
+ * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $key
+ */
 function openssl_private_decrypt(string $data, &$crypted, $key, int $padding = OPENSSL_PKCS1_PADDING): bool {}
 
-/** @param resource|string|array $key */
+/**
+ * @param string $crypted
+ * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $key
+ */
 function openssl_public_encrypt(string $data, &$crypted, $key, int $padding = OPENSSL_PKCS1_PADDING): bool {}
 
-/** @param resource|string|array $key */
+/**
+ * @param string $crypted
+ * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $key
+ */
 function openssl_public_decrypt(string $data, &$crypted, $key, int $padding = OPENSSL_PKCS1_PADDING): bool {}
 
 function openssl_error_string(): string|false {}
 
 /**
- * @param resource|string|array $key
+ * @param string $signature
+ * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $key
  * @param int|string $method
  */
 function openssl_sign(string $data, &$signature, $key, $method = OPENSSL_ALGO_SHA1): bool {}
 
 /**
- * @param resource|string|array $key
+ * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $key
  * @param int|string $method
  */
 function openssl_verify(string $data, string $signature, $key, $method = OPENSSL_ALGO_SHA1): int|false {}
 
+/**
+ * @param string $sealdata
+ * @param array $ekeys
+ * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $pubkeys
+ * @param string $iv
+ */
 function openssl_seal(string $data, &$sealdata, &$ekeys, array $pubkeys, string $method = UNKNOWN, &$iv = UNKNOWN): int|false {}
 
-/** @param resource|string|array $privkey */
+/**
+ * @param string $opendata
+ * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $privkey
+ */
 function openssl_open(string $data, &$opendata, string $ekey, $privkey, string $method = UNKNOWN, string $iv = UNKNOWN): bool {}
 
-function openssl_get_md_methods($aliases = false): array {}
+function openssl_get_md_methods(bool $aliases = false): array {}
 
-function openssl_get_cipher_methods($aliases = false): array {}
+function openssl_get_cipher_methods(bool $aliases = false): array {}
 
 #ifdef HAVE_EVP_PKEY_EC
 function openssl_get_curve_names(): array|false {}
@@ -190,25 +194,25 @@ function openssl_get_curve_names(): array|false {}
 
 function openssl_digest(string $data, string $method, bool $raw_output = false): string|false {}
 
+/** @param string $tag */
 function openssl_encrypt(string $data, string $method, string $password, int $options = 0, string $iv = '', &$tag = UNKNOWN, string $aad = '', int $tag_length = 16): string|false {}
 
 function openssl_decrypt(string $data, string $method, string $password, int $options = 0, string $iv = '', string $tag = UNKNOWN, string $aad = ''): string|false {}
 
 function openssl_cipher_iv_length(string $method): int|false {}
 
-/** @param resource $dh_key */
-function openssl_dh_compute_key(string $pub_key, $dh_key): string|false {}
+function openssl_dh_compute_key(string $pub_key, OpenSSLAsymmetricKey $dh_key): string|false {}
 
 /**
- * @param resource|string|array $peer_pub_key
- * @param resource|string|array $priv_key
+ * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $peer_pub_key
+ * @param OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $priv_key
  */
 function openssl_pkey_derive($peer_pub_key, $priv_key, int $keylen = 0): string|false {}
 
+/** @param bool $result_is_strong */
 function openssl_random_pseudo_bytes(int $length, &$result_is_strong = UNKNOWN): string {}
 
-/** @param resource $privkey */
-function openssl_spki_new($privkey, string $challenge, int $algo = OPENSSL_ALGO_MD5): string|false {}
+function openssl_spki_new(OpenSSLAsymmetricKey $privkey, string $challenge, int $algo = OPENSSL_ALGO_MD5): string|false {}
 
 function openssl_spki_verify(string $spki): bool {}
 
diff --git a/ext/openssl/openssl_arginfo.h b/ext/openssl/openssl_arginfo.h
index e9442fbdf7171df559a437be73dd927367035054..dcb13d8f43d6ca0c9e9fb057a5ab7e59b699a313 100644 (file)
--- a/ext/openssl/openssl_arginfo.h
+++ b/ext/openssl/openssl_arginfo.h
@@ -1,68 +1,68 @@
 /* This is a generated file, edit the .stub.php file instead.
- * Stub hash: 0d04e9173f45a10b9f6614b79029d96a528bec49 */
+ * Stub hash: 5189cc18305417d2566fe594f69806f72899c355 */
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_openssl_x509_export_to_file, 0, 2, _IS_BOOL, 0)
-       ZEND_ARG_INFO(0, x509)
+       ZEND_ARG_OBJ_TYPE_MASK(0, x509, OpenSSLCertificate, MAY_BE_STRING, NULL)
        ZEND_ARG_TYPE_INFO(0, outfilename, IS_STRING, 0)
        ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, notext, _IS_BOOL, 0, "true")
 ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_openssl_x509_export, 0, 2, _IS_BOOL, 0)
-       ZEND_ARG_INFO(0, x509)
+       ZEND_ARG_OBJ_TYPE_MASK(0, x509, OpenSSLCertificate, MAY_BE_STRING, NULL)
        ZEND_ARG_INFO(1, out)
        ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, notext, _IS_BOOL, 0, "true")
 ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_MASK_EX(arginfo_openssl_x509_fingerprint, 0, 1, MAY_BE_STRING|MAY_BE_FALSE)
-       ZEND_ARG_INFO(0, x509)
-       ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, method, IS_STRING, 0, "\'sha1\'")
+       ZEND_ARG_OBJ_TYPE_MASK(0, x509, OpenSSLCertificate, MAY_BE_STRING, NULL)
+       ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, method, IS_STRING, 0, "\"sha1\"")
        ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, raw_output, _IS_BOOL, 0, "false")
 ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_openssl_x509_check_private_key, 0, 2, _IS_BOOL, 0)
-       ZEND_ARG_INFO(0, cert)
+       ZEND_ARG_OBJ_TYPE_MASK(0, x509, OpenSSLCertificate, MAY_BE_STRING, NULL)
        ZEND_ARG_INFO(0, key)
 ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_openssl_x509_verify, 0, 2, IS_LONG, 0)
-       ZEND_ARG_INFO(0, cert)
+       ZEND_ARG_OBJ_TYPE_MASK(0, x509, OpenSSLCertificate, MAY_BE_STRING, NULL)
        ZEND_ARG_INFO(0, key)
 ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_MASK_EX(arginfo_openssl_x509_parse, 0, 1, MAY_BE_ARRAY|MAY_BE_FALSE)
-       ZEND_ARG_INFO(0, x509)
+       ZEND_ARG_OBJ_TYPE_MASK(0, x509, OpenSSLCertificate, MAY_BE_STRING, NULL)
        ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, shortname, _IS_BOOL, 0, "true")
 ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_MASK_EX(arginfo_openssl_x509_checkpurpose, 0, 2, MAY_BE_BOOL|MAY_BE_LONG)
-       ZEND_ARG_INFO(0, x509cert)
+       ZEND_ARG_OBJ_TYPE_MASK(0, x509, OpenSSLCertificate, MAY_BE_STRING, NULL)
        ZEND_ARG_TYPE_INFO(0, purpose, IS_LONG, 0)
        ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, cainfo, IS_ARRAY, 1, "[]")
-       ZEND_ARG_TYPE_INFO(0, untrustedfile, IS_STRING, 0)
+       ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, untrustedfile, IS_STRING, 1, "null")
 ZEND_END_ARG_INFO()
 
-ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_read, 0, 0, 1)
-       ZEND_ARG_INFO(0, cert)
+ZEND_BEGIN_ARG_WITH_RETURN_OBJ_TYPE_MASK_EX(arginfo_openssl_x509_read, 0, 1, OpenSSLCertificate, MAY_BE_FALSE)
+       ZEND_ARG_OBJ_TYPE_MASK(0, x509, OpenSSLCertificate, MAY_BE_STRING, NULL)
 ZEND_END_ARG_INFO()
 
-ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_openssl_x509_free, 0, 1, _IS_BOOL, 1)
-       ZEND_ARG_INFO(0, x509)
+ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_openssl_x509_free, 0, 1, IS_VOID, 0)
+       ZEND_ARG_OBJ_INFO(0, x509, OpenSSLCertificate, 0)
 ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_openssl_pkcs12_export_to_file, 0, 4, _IS_BOOL, 0)
-       ZEND_ARG_INFO(0, x509cert)
+       ZEND_ARG_OBJ_TYPE_MASK(0, x509cert, OpenSSLCertificate, MAY_BE_STRING, NULL)
        ZEND_ARG_TYPE_INFO(0, filename, IS_STRING, 0)
        ZEND_ARG_INFO(0, priv_key)
        ZEND_ARG_TYPE_INFO(0, pass, IS_STRING, 0)
-       ZEND_ARG_TYPE_INFO(0, args, IS_ARRAY, 0)
+       ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, args, IS_ARRAY, 0, "[]")
 ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_openssl_pkcs12_export, 0, 4, _IS_BOOL, 0)
-       ZEND_ARG_INFO(0, x509)
+       ZEND_ARG_OBJ_TYPE_MASK(0, x509, OpenSSLCertificate, MAY_BE_STRING, NULL)
        ZEND_ARG_INFO(1, out)
        ZEND_ARG_INFO(0, priv_key)
        ZEND_ARG_TYPE_INFO(0, pass, IS_STRING, 0)
-       ZEND_ARG_TYPE_INFO(0, args, IS_ARRAY, 0)
+       ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, args, IS_ARRAY, 0, "[]")
 ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_openssl_pkcs12_read, 0, 3, _IS_BOOL, 0)
@@ -72,27 +72,27 @@ ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_openssl_pkcs12_read, 0, 3, _IS_B
 ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_openssl_csr_export_to_file, 0, 2, _IS_BOOL, 0)
-       ZEND_ARG_INFO(0, csr)
+       ZEND_ARG_OBJ_TYPE_MASK(0, csr, OpenSSLCertificateSigningRequest, MAY_BE_STRING, NULL)
        ZEND_ARG_TYPE_INFO(0, outfilename, IS_STRING, 0)
        ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, notext, _IS_BOOL, 0, "true")
 ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_openssl_csr_export, 0, 2, _IS_BOOL, 0)
-       ZEND_ARG_INFO(0, csr)
+       ZEND_ARG_OBJ_TYPE_MASK(0, csr, OpenSSLCertificateSigningRequest, MAY_BE_STRING, NULL)
        ZEND_ARG_INFO(1, out)
        ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, notext, _IS_BOOL, 0, "true")
 ZEND_END_ARG_INFO()
 
-ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_csr_sign, 0, 0, 4)
-       ZEND_ARG_INFO(0, csr)
-       ZEND_ARG_INFO_WITH_DEFAULT_VALUE(0, cacert, "null")
+ZEND_BEGIN_ARG_WITH_RETURN_OBJ_TYPE_MASK_EX(arginfo_openssl_csr_sign, 0, 4, OpenSSLCertificate, MAY_BE_FALSE)
+       ZEND_ARG_OBJ_TYPE_MASK(0, csr, OpenSSLCertificateSigningRequest, MAY_BE_STRING, NULL)
+       ZEND_ARG_OBJ_TYPE_MASK(0, cacert, OpenSSLCertificate, MAY_BE_STRING|MAY_BE_NULL, NULL)
        ZEND_ARG_INFO(0, priv_key)
        ZEND_ARG_TYPE_INFO(0, days, IS_LONG, 0)
        ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, config_args, IS_ARRAY, 1, "null")
        ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, serial, IS_LONG, 0, "0")
 ZEND_END_ARG_INFO()
 
-ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_csr_new, 0, 0, 2)
+ZEND_BEGIN_ARG_WITH_RETURN_OBJ_TYPE_MASK_EX(arginfo_openssl_csr_new, 0, 2, OpenSSLCertificateSigningRequest, MAY_BE_FALSE)
        ZEND_ARG_TYPE_INFO(0, dn, IS_ARRAY, 0)
        ZEND_ARG_INFO(1, privkey)
        ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, configargs, IS_ARRAY, 1, "null")
@@ -100,16 +100,16 @@ ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_csr_new, 0, 0, 2)
 ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_MASK_EX(arginfo_openssl_csr_get_subject, 0, 1, MAY_BE_ARRAY|MAY_BE_FALSE)
-       ZEND_ARG_INFO(0, csr)
+       ZEND_ARG_OBJ_TYPE_MASK(0, csr, OpenSSLCertificateSigningRequest, MAY_BE_STRING, NULL)
        ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, use_shortnames, _IS_BOOL, 0, "true")
 ZEND_END_ARG_INFO()
 
-ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_csr_get_public_key, 0, 0, 1)
-       ZEND_ARG_INFO(0, csr)
+ZEND_BEGIN_ARG_WITH_RETURN_OBJ_TYPE_MASK_EX(arginfo_openssl_csr_get_public_key, 0, 1, OpenSSLAsymmetricKey, MAY_BE_FALSE)
+       ZEND_ARG_OBJ_TYPE_MASK(0, csr, OpenSSLCertificateSigningRequest, MAY_BE_STRING, NULL)
        ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, use_shortnames, _IS_BOOL, 0, "true")
 ZEND_END_ARG_INFO()
 
-ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_pkey_new, 0, 0, 0)
+ZEND_BEGIN_ARG_WITH_RETURN_OBJ_TYPE_MASK_EX(arginfo_openssl_pkey_new, 0, 0, OpenSSLAsymmetricKey, MAY_BE_FALSE)
        ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, configargs, IS_ARRAY, 1, "null")
 ZEND_END_ARG_INFO()
 
@@ -127,17 +127,19 @@ ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_openssl_pkey_export, 0, 2, _IS_B
        ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, configargs, IS_ARRAY, 1, "null")
 ZEND_END_ARG_INFO()
 
-#define arginfo_openssl_pkey_get_public arginfo_openssl_x509_read
+ZEND_BEGIN_ARG_WITH_RETURN_OBJ_TYPE_MASK_EX(arginfo_openssl_pkey_get_public, 0, 1, OpenSSLAsymmetricKey, MAY_BE_FALSE)
+       ZEND_ARG_INFO(0, cert)
+ZEND_END_ARG_INFO()
 
-#define arginfo_openssl_get_publickey arginfo_openssl_x509_read
+#define arginfo_openssl_get_publickey arginfo_openssl_pkey_get_public
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_openssl_pkey_free, 0, 1, IS_VOID, 0)
-       ZEND_ARG_INFO(0, key)
+       ZEND_ARG_OBJ_INFO(0, key, OpenSSLAsymmetricKey, 0)
 ZEND_END_ARG_INFO()
 
 #define arginfo_openssl_free_key arginfo_openssl_pkey_free
 
-ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_pkey_get_private, 0, 0, 1)
+ZEND_BEGIN_ARG_WITH_RETURN_OBJ_TYPE_MASK_EX(arginfo_openssl_pkey_get_private, 0, 1, OpenSSLAsymmetricKey, MAY_BE_FALSE)
        ZEND_ARG_INFO(0, key)
        ZEND_ARG_TYPE_INFO(0, passphrase, IS_STRING, 0)
 ZEND_END_ARG_INFO()
@@ -145,7 +147,7 @@ ZEND_END_ARG_INFO()
 #define arginfo_openssl_get_privatekey arginfo_openssl_pkey_get_private
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_MASK_EX(arginfo_openssl_pkey_get_details, 0, 1, MAY_BE_ARRAY|MAY_BE_FALSE)
-       ZEND_ARG_INFO(0, key)
+       ZEND_ARG_OBJ_INFO(0, key, OpenSSLAsymmetricKey, 0)
 ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_MASK_EX(arginfo_openssl_pbkdf2, 0, 4, MAY_BE_STRING|MAY_BE_FALSE)
@@ -178,7 +180,7 @@ ZEND_END_ARG_INFO()
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_openssl_pkcs7_sign, 0, 5, _IS_BOOL, 0)
        ZEND_ARG_TYPE_INFO(0, infile, IS_STRING, 0)
        ZEND_ARG_TYPE_INFO(0, outfile, IS_STRING, 0)
-       ZEND_ARG_INFO(0, signcert)
+       ZEND_ARG_OBJ_TYPE_MASK(0, signcert, OpenSSLCertificate, MAY_BE_STRING, NULL)
        ZEND_ARG_INFO(0, signkey)
        ZEND_ARG_TYPE_INFO(0, headers, IS_ARRAY, 1)
        ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, flags, IS_LONG, 0, "PKCS7_DETACHED")
@@ -188,8 +190,8 @@ ZEND_END_ARG_INFO()
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_openssl_pkcs7_decrypt, 0, 3, _IS_BOOL, 0)
        ZEND_ARG_TYPE_INFO(0, infilename, IS_STRING, 0)
        ZEND_ARG_TYPE_INFO(0, outfilename, IS_STRING, 0)
-       ZEND_ARG_INFO(0, recipcert)
-       ZEND_ARG_INFO(0, recipkey)
+       ZEND_ARG_OBJ_TYPE_MASK(0, recipcert, OpenSSLCertificate, MAY_BE_STRING, NULL)
+       ZEND_ARG_INFO_WITH_DEFAULT_VALUE(0, recipkey, "null")
 ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_openssl_pkcs7_read, 0, 2, _IS_BOOL, 0)
@@ -222,7 +224,7 @@ ZEND_END_ARG_INFO()
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_openssl_cms_sign, 0, 5, _IS_BOOL, 0)
        ZEND_ARG_TYPE_INFO(0, infile, IS_STRING, 0)
        ZEND_ARG_TYPE_INFO(0, outfile, IS_STRING, 0)
-       ZEND_ARG_INFO(0, signcert)
+       ZEND_ARG_OBJ_TYPE_MASK(0, signcert, OpenSSLCertificate, MAY_BE_STRING, NULL)
        ZEND_ARG_INFO(0, signkey)
        ZEND_ARG_TYPE_INFO(0, headers, IS_ARRAY, 1)
        ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, flags, IS_LONG, 0, "0")
@@ -233,7 +235,7 @@ ZEND_END_ARG_INFO()
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_openssl_cms_decrypt, 0, 4, _IS_BOOL, 0)
        ZEND_ARG_TYPE_INFO(0, infilename, IS_STRING, 0)
        ZEND_ARG_TYPE_INFO(0, outfilename, IS_STRING, 0)
-       ZEND_ARG_INFO(0, recipcert)
+       ZEND_ARG_OBJ_TYPE_MASK(0, recipcert, OpenSSLCertificate, MAY_BE_STRING, NULL)
        ZEND_ARG_INFO(0, recipkey)
        ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, encoding, IS_LONG, 0, "OPENSSL_ENCODING_SMIME")
 ZEND_END_ARG_INFO()
@@ -289,7 +291,7 @@ ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_openssl_open, 0, 4, _IS_BOOL, 0)
 ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_openssl_get_md_methods, 0, 0, IS_ARRAY, 0)
-       ZEND_ARG_INFO_WITH_DEFAULT_VALUE(0, aliases, "false")
+       ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, aliases, _IS_BOOL, 0, "false")
 ZEND_END_ARG_INFO()
 
 #define arginfo_openssl_get_cipher_methods arginfo_openssl_get_md_methods
@@ -332,7 +334,7 @@ ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_MASK_EX(arginfo_openssl_dh_compute_key, 0, 2, MAY_BE_STRING|MAY_BE_FALSE)
        ZEND_ARG_TYPE_INFO(0, pub_key, IS_STRING, 0)
-       ZEND_ARG_INFO(0, dh_key)
+       ZEND_ARG_OBJ_INFO(0, dh_key, OpenSSLAsymmetricKey, 0)
 ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_MASK_EX(arginfo_openssl_pkey_derive, 0, 2, MAY_BE_STRING|MAY_BE_FALSE)
@@ -347,7 +349,7 @@ ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_openssl_random_pseudo_bytes, 0,
 ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_MASK_EX(arginfo_openssl_spki_new, 0, 2, MAY_BE_STRING|MAY_BE_FALSE)
-       ZEND_ARG_INFO(0, privkey)
+       ZEND_ARG_OBJ_INFO(0, privkey, OpenSSLAsymmetricKey, 0)
        ZEND_ARG_TYPE_INFO(0, challenge, IS_STRING, 0)
        ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, algo, IS_LONG, 0, "OPENSSL_ALGO_MD5")
 ZEND_END_ARG_INFO()
@@ -439,7 +441,7 @@ static const zend_function_entry ext_functions[] = {
        ZEND_FE(openssl_x509_parse, arginfo_openssl_x509_parse)
        ZEND_FE(openssl_x509_checkpurpose, arginfo_openssl_x509_checkpurpose)
        ZEND_FE(openssl_x509_read, arginfo_openssl_x509_read)
-       ZEND_FE(openssl_x509_free, arginfo_openssl_x509_free)
+       ZEND_DEP_FE(openssl_x509_free, arginfo_openssl_x509_free)
        ZEND_FE(openssl_pkcs12_export_to_file, arginfo_openssl_pkcs12_export_to_file)
        ZEND_FE(openssl_pkcs12_export, arginfo_openssl_pkcs12_export)
        ZEND_FE(openssl_pkcs12_read, arginfo_openssl_pkcs12_read)
@@ -454,8 +456,8 @@ static const zend_function_entry ext_functions[] = {
        ZEND_FE(openssl_pkey_export, arginfo_openssl_pkey_export)
        ZEND_FE(openssl_pkey_get_public, arginfo_openssl_pkey_get_public)
        ZEND_FALIAS(openssl_get_publickey, openssl_pkey_get_public, arginfo_openssl_get_publickey)
-       ZEND_FE(openssl_pkey_free, arginfo_openssl_pkey_free)
-       ZEND_FALIAS(openssl_free_key, openssl_pkey_free, arginfo_openssl_free_key)
+       ZEND_DEP_FE(openssl_pkey_free, arginfo_openssl_pkey_free)
+       ZEND_DEP_FALIAS(openssl_free_key, openssl_pkey_free, arginfo_openssl_free_key)
        ZEND_FE(openssl_pkey_get_private, arginfo_openssl_pkey_get_private)
        ZEND_FALIAS(openssl_get_privatekey, openssl_pkey_get_private, arginfo_openssl_get_privatekey)
        ZEND_FE(openssl_pkey_get_details, arginfo_openssl_pkey_get_details)
@@ -498,3 +500,18 @@ static const zend_function_entry ext_functions[] = {
        ZEND_FE(openssl_get_cert_locations, arginfo_openssl_get_cert_locations)
        ZEND_FE_END
 };
+
+
+static const zend_function_entry class_OpenSSLCertificate_methods[] = {
+       ZEND_FE_END
+};
+
+
+static const zend_function_entry class_OpenSSLCertificateSigningRequest_methods[] = {
+       ZEND_FE_END
+};
+
+
+static const zend_function_entry class_OpenSSLAsymmetricKey_methods[] = {
+       ZEND_FE_END
+};
diff --git a/ext/openssl/php_openssl.h b/ext/openssl/php_openssl.h
index 0ae0f9698cff833e53ee6a1db14021b872b6d009..c674ead34b28acc282045ae928bc5311c5510d82 100644 (file)
--- a/ext/openssl/php_openssl.h
+++ b/ext/openssl/php_openssl.h
@@ -111,6 +111,21 @@ PHP_OPENSSL_API zend_string* php_openssl_decrypt(
        const char *tag, zend_long tag_len,
        const char *aad, size_t aad_len);
 
+/* OpenSSLCertificate class */
+
+typedef struct _php_openssl_certificate_object {
+       X509 *x509;
+       zend_object std;
+} php_openssl_certificate_object;
+
+extern zend_class_entry *php_openssl_certificate_ce;
+
+static inline php_openssl_certificate_object *php_openssl_certificate_from_obj(zend_object *obj) {
+       return (php_openssl_certificate_object *)((char *)(obj) - XtOffsetOf(php_openssl_certificate_object, std));
+}
+
+#define Z_OPENSSL_CERTIFICATE_P(zv) php_openssl_certificate_from_obj(Z_OBJ_P(zv))
+
 PHP_MINIT_FUNCTION(openssl);
 PHP_MSHUTDOWN_FUNCTION(openssl);
 PHP_MINFO_FUNCTION(openssl);
diff --git a/ext/openssl/tests/001.phpt b/ext/openssl/tests/001.phpt
index 6e74ba7f46ee9bf033dc2af3751e09b017629b03..6d8706d7a24bc472f55be6cd29627514c93b20e4 100644 (file)
--- a/ext/openssl/tests/001.phpt
+++ b/ext/openssl/tests/001.phpt
@@ -27,7 +27,7 @@ echo "Export key to file\n";
 if (!openssl_pkey_export_to_file($privkey, $key_file_name, $passphrase, $conf)) {
     die("failed to export to file $key_file_name");
 }
-var_dump(is_resource($privkey));
+var_dump($privkey instanceof OpenSSLAsymmetricKey);
 
 echo "Load key from file - array syntax\n";
 
@@ -62,16 +62,22 @@ openssl_pkey_free($loaded_key);
 echo "OK!\n";
 
 ?>
---EXPECT--
+--CLEAN--
+<?php
+$key_file_name = __DIR__ . DIRECTORY_SEPARATOR . '001-tmp.key';
+@unlink($key_file_name);
+?>
+--EXPECTF--
 Creating private key
 Export key to file
 bool(true)
 Load key from file - array syntax
+
+Deprecated: Function openssl_pkey_free() is deprecated in %s on line %d
 Load key using direct syntax
+
+Deprecated: Function openssl_pkey_free() is deprecated in %s on line %d
 Load key manually and use string syntax
+
+Deprecated: Function openssl_pkey_free() is deprecated in %s on line %d
 OK!
---CLEAN--
-<?php
-$key_file_name = __DIR__ . DIRECTORY_SEPARATOR . '001-tmp.key';
-@unlink($key_file_name);
-?>
diff --git a/ext/openssl/tests/CertificateGenerator.inc b/ext/openssl/tests/CertificateGenerator.inc
index b409376058efe792709ad0bbec116e3cfbbda1f8..1dc378e706fba65182deb28afff18df8f6caf1d9 100644 (file)
--- a/ext/openssl/tests/CertificateGenerator.inc
+++ b/ext/openssl/tests/CertificateGenerator.inc
@@ -4,7 +4,7 @@ class CertificateGenerator
 {
     const CONFIG = __DIR__. DIRECTORY_SEPARATOR . 'openssl.cnf';
 
-    /** @var resource */
+    /** @var OpenSSLCertificate */
     private $ca;
 
     /** @var resource */
diff --git a/ext/openssl/tests/bug38261.phpt b/ext/openssl/tests/bug38261.phpt
index 971fba71c27d070b4a73728dd16a027232434814..827f3aca75535c252b44f119195d547682ff6378 100644 (file)
--- a/ext/openssl/tests/bug38261.phpt
+++ b/ext/openssl/tests/bug38261.phpt
@@ -15,12 +15,24 @@ class test {
 $t = new test;
 
 var_dump(openssl_x509_parse("foo"));
-var_dump(openssl_x509_parse($t));
-var_dump(openssl_x509_parse(array()));
+
+try {
+    var_dump(openssl_x509_parse($t));
+} catch (TypeError $e) {
+    echo $e->getMessage(), "\n";
+}
+
+try {
+    openssl_x509_parse([]);
+} catch (TypeError $e) {
+    echo $e->getMessage(), "\n";
+}
+
 var_dump(openssl_x509_parse($cert));
+
 try {
-    var_dump(openssl_x509_parse(new stdClass));
-} catch (Error $e) {
+    openssl_x509_parse(new stdClass);
+} catch (TypeError $e) {
     echo $e->getMessage(), "\n";
 }
 
@@ -28,6 +40,6 @@ try {
 --EXPECT--
 bool(false)
 bool(false)
+openssl_x509_parse(): Argument #1 ($x509) must be of type OpenSSLCertificate|string, array given
 bool(false)
-bool(false)
-Object of class stdClass could not be converted to string
+openssl_x509_parse(): Argument #1 ($x509) must be of type OpenSSLCertificate|string, stdClass given
diff --git a/ext/openssl/tests/bug61930.phpt b/ext/openssl/tests/bug61930.phpt
index c79f51eeef5151b96d67efbdc70d76a65747ba56..f63dd93ec3fecfd7d261458a76b0414048e1072e 100644 (file)
--- a/ext/openssl/tests/bug61930.phpt
+++ b/ext/openssl/tests/bug61930.phpt
@@ -21,5 +21,6 @@ var_dump(openssl_get_publickey($key));
 var_dump(openssl_verify($data, base64_decode($sig), $key));
 ?>
 --EXPECTF--
-resource(%d) of type (OpenSSL key)
+object(OpenSSLAsymmetricKey)#%d (0) {
+}
 int(1)
diff --git a/ext/openssl/tests/bug68912.phpt b/ext/openssl/tests/bug68912.phpt
index 0b796b76836ba401670cc8ca67cc445deb9ccc47..64d1a9b60a515244b165d6b8f307efe798a991e7 100644 (file)
--- a/ext/openssl/tests/bug68912.phpt
+++ b/ext/openssl/tests/bug68912.phpt
@@ -19,4 +19,4 @@ try {
 }
 ?>
 --EXPECT--
-openssl_spki_new(): supplied resource is not a valid OpenSSL X.509/key resource
+openssl_spki_new(): Argument #1 ($privkey) must be of type OpenSSLAsymmetricKey, resource given
diff --git a/ext/openssl/tests/bug73711.phpt b/ext/openssl/tests/bug73711.phpt
index c5f5575e2cf5b7d7d8acad7fddecf22f191a6442..0b3f91b8feeade9f9738b4cc12c66e8086f572a6 100644 (file)
--- a/ext/openssl/tests/bug73711.phpt
+++ b/ext/openssl/tests/bug73711.phpt
@@ -12,6 +12,8 @@ var_dump(openssl_pkey_new(["private_key_type" => OPENSSL_KEYTYPE_DH, 'config' =>
 echo "DONE";
 ?>
 --EXPECTF--
-resource(%d) of type (OpenSSL key)
-resource(%d) of type (OpenSSL key)
+object(OpenSSLAsymmetricKey)#%d (0) {
+}
+object(OpenSSLAsymmetricKey)#%d (0) {
+}
 DONE
diff --git a/ext/openssl/tests/bug74651.phpt b/ext/openssl/tests/bug74651.phpt
index b4e50a04215ac6084c2eb6a541b44f5693871a15..96c06231b283d27af4a6aef6ae14d4ddfac220fe 100644 (file)
--- a/ext/openssl/tests/bug74651.phpt
+++ b/ext/openssl/tests/bug74651.phpt
@@ -13,5 +13,6 @@ var_dump($pub_key_id);
 var_dump(openssl_seal($inputstr, $sealed, $ekeys, array($pub_key_id, $pub_key_id), 'AES-128-ECB'));
 ?>
 --EXPECTF--
-resource(%d) of type (OpenSSL key)
+object(OpenSSLAsymmetricKey)#%d (0) {
+}
 bool(false)
diff --git a/ext/openssl/tests/bug79145.phpt b/ext/openssl/tests/bug79145.phpt
index 348831189b61445a2515f363c0de2d7872b60fbd..4f3dc9e766be8123b1b12313c4624b8eec88c31f 100644 (file)
--- a/ext/openssl/tests/bug79145.phpt
+++ b/ext/openssl/tests/bug79145.phpt
@@ -17,7 +17,7 @@ C9C4JmhTOjBVAK8SewIDAQAC
 $start = memory_get_usage(true);
 for ($i = 0; $i < 100000; $i++) {
     $a = openssl_get_publickey($b);
-    openssl_free_key($a);
+    @openssl_free_key($a);
 }
 $end = memory_get_usage(true);
 var_dump($end <= 1.1 * $start);
diff --git a/ext/openssl/tests/ecc.phpt b/ext/openssl/tests/ecc.phpt
index 41567e9b32721714c345e7604b24c149f680c337..0a71393ae3351c728b9b0e459f1c05750e9baa85 100644 (file)
--- a/ext/openssl/tests/ecc.phpt
+++ b/ext/openssl/tests/ecc.phpt
@@ -81,7 +81,8 @@ foreach ($curve_names as $curve_name) {
 ?>
 --EXPECTF--
 Testing openssl_pkey_new
-resource(%d) of type (OpenSSL key)
+object(OpenSSLAsymmetricKey)#1 (0) {
+}
 
 Warning: openssl_pkey_new(): Unknown elliptic curve (short) name invalid_cuve_name in %s on line %d
 bool(false)
@@ -89,19 +90,23 @@ int(384)
 int(215)
 string(9) "secp384r1"
 bool(true)
-resource(%d) of type (OpenSSL key)
+object(OpenSSLAsymmetricKey)#%d (0) {
+}
 bool(true)
 Testing openssl_csr_new with key generation
 NULL
-resource(%d) of type (OpenSSL key)
+object(OpenSSLAsymmetricKey)#%d (0) {
+}
 Testing openssl_csr_new with existing ecc key
-resource(%d) of type (OpenSSL X.509 CSR)
+object(OpenSSLCertificateSigningRequest)#%d (0) {
+}
 bool(false)
 array(1) {
   ["d"]=>
   string(%d) "%a"
 }
-resource(%d) of type (OpenSSL X.509)
+object(OpenSSLCertificate)#%d (0) {
+}
 Testing openssl_x509_check_private_key
 bool(true)
 bool(false)
diff --git a/ext/openssl/tests/openssl_cms_decrypt_basic.phpt b/ext/openssl/tests/openssl_cms_decrypt_basic.phpt
index ec295be1b794de37aba1c6ec6fb0a3e444ae0720..86c70f4fde29a83915c0613a265c6acc1a395517 100644 (file)
--- a/ext/openssl/tests/openssl_cms_decrypt_basic.phpt
+++ b/ext/openssl/tests/openssl_cms_decrypt_basic.phpt
@@ -50,16 +50,16 @@ bool(true)
 Warning: openssl_cms_decrypt(): Unable to get private key in %s on line %d
 bool(false)
 
-Warning: openssl_cms_decrypt(): Unable to coerce parameter 3 to x509 cert in %s on line %d
+Warning: openssl_cms_decrypt(): X.509 Certificate cannot be retrieved in %s on line %d
 bool(false)
 
-Warning: openssl_cms_decrypt(): Unable to coerce parameter 3 to x509 cert in %s on line %d
+Warning: openssl_cms_decrypt(): X.509 Certificate cannot be retrieved in %s on line %d
 bool(false)
 bool(false)
 bool(false)
 bool(false)
 
-Warning: openssl_cms_decrypt(): Unable to coerce parameter 3 to x509 cert in %s on line %d
+Warning: openssl_cms_decrypt(): X.509 Certificate cannot be retrieved in %s on line %d
 bool(false)
 
 Warning: openssl_cms_decrypt(): Unable to get private key in %s on line %d
diff --git a/ext/openssl/tests/openssl_cms_decrypt_error.phpt b/ext/openssl/tests/openssl_cms_decrypt_error.phpt
index 28812c3200518c8fda847ef646eae70544914baa..66b8f71df72c030f286333e9492c3f3ba3eba8f2 100644 (file)
--- a/ext/openssl/tests/openssl_cms_decrypt_error.phpt
+++ b/ext/openssl/tests/openssl_cms_decrypt_error.phpt
@@ -33,12 +33,12 @@ echo "Done\n";
 Object of class stdClass could not be converted to string
 object(stdClass)#1 (0) {
 }
-string(64) "openssl_cms_decrypt(): Unable to coerce parameter 3 to x509 cert"
+string(60) "openssl_cms_decrypt(): X.509 Certificate cannot be retrieved"
 bool(false)
-string(64) "openssl_cms_decrypt(): Unable to coerce parameter 3 to x509 cert"
+string(60) "openssl_cms_decrypt(): X.509 Certificate cannot be retrieved"
 bool(false)
-string(64) "openssl_cms_decrypt(): Unable to coerce parameter 3 to x509 cert"
+string(60) "openssl_cms_decrypt(): X.509 Certificate cannot be retrieved"
 bool(false)
-string(64) "openssl_cms_decrypt(): Unable to coerce parameter 3 to x509 cert"
+string(60) "openssl_cms_decrypt(): X.509 Certificate cannot be retrieved"
 bool(false)
 Done
diff --git a/ext/openssl/tests/openssl_cms_sign_basic.phpt b/ext/openssl/tests/openssl_cms_sign_basic.phpt
index cbeaaf3ab26702d9373241f8ff51e482e040829c..8099272ee8a1303689e55089e5d59ca04c5dd029 100644 (file)
--- a/ext/openssl/tests/openssl_cms_sign_basic.phpt
+++ b/ext/openssl/tests/openssl_cms_sign_basic.phpt
@@ -53,10 +53,10 @@ bool(false)
 Warning: openssl_cms_sign(): Error opening output file %s in %s on line %d
 bool(false)
 
-Warning: openssl_cms_sign(): Error getting cert in %s on line %d
+Warning: openssl_cms_sign(): X.509 Certificate cannot be retrieved in %s on line %d
 bool(false)
 
-Warning: openssl_cms_sign(): Error getting cert in %s on line %d
+Warning: openssl_cms_sign(): X.509 Certificate cannot be retrieved in %s on line %d
 bool(false)
 
 Warning: openssl_cms_sign(): Error getting private key in %s on line %d
diff --git a/ext/openssl/tests/openssl_csr_export_bacis.phpt b/ext/openssl/tests/openssl_csr_export_basic.phpt
similarity index 81%
rename from ext/openssl/tests/openssl_csr_export_bacis.phpt
rename to ext/openssl/tests/openssl_csr_export_basic.phpt
index f0a258dd15557d1b01e3f24a91897c27df080c1b..5f8c9f2c6d2f3c81f1d1a39ed1b54cbeaf2ba1fb 100644 (file)
--- a/ext/openssl/tests/openssl_csr_export_bacis.phpt
+++ b/ext/openssl/tests/openssl_csr_export_basic.phpt
@@ -39,8 +39,10 @@ try {
 }
 var_dump(openssl_csr_export($csr, $output, false));
 ?>
---EXPECT--
+--EXPECTF--
 bool(true)
-openssl_csr_export(): Argument #1 ($csr) must be of type resource, string given
-openssl_csr_export(): supplied resource is not a valid OpenSSL X.509 CSR resource
+
+Warning: openssl_csr_export(): X.509 Certificate Signing Request cannot be retrieved in %s on line %d
+bool(false)
+openssl_csr_export(): Argument #1 ($csr) must be of type OpenSSLCertificateSigningRequest|string, OpenSSLAsymmetricKey given
 bool(true)
diff --git a/ext/openssl/tests/openssl_csr_export_to_file_basic.phpt b/ext/openssl/tests/openssl_csr_export_to_file_basic.phpt
index 7f6347840de5c2b027134ae847be3fa45cd6a51d..4efa6f35d5d13be2aaffe4b97f07b3d9cd84caba 100644 (file)
--- a/ext/openssl/tests/openssl_csr_export_to_file_basic.phpt
+++ b/ext/openssl/tests/openssl_csr_export_to_file_basic.phpt
@@ -36,13 +36,11 @@ $privkey_file = 'file://' . __DIR__ . '/private_rsa_2048.key';
 $csr = openssl_csr_new($dn, $privkey_file, $args);
 var_dump(openssl_csr_export_to_file($csr, $csrfile));
 var_dump(file_get_contents($csrfile));
+
+var_dump(openssl_csr_export_to_file($wrong, $csrfile));
+
 try {
-    var_dump(openssl_csr_export_to_file($wrong, $csrfile));
-} catch (TypeError $e) {
-    echo $e->getMessage(), "\n";
-}
-try {
-    var_dump(openssl_csr_export_to_file($dh, $csrfile));
+    openssl_csr_export_to_file($dh, $csrfile);
 } catch (TypeError $e) {
     echo $e->getMessage(), "\n";
 }
@@ -55,7 +53,7 @@ if (file_exists($csrfile)) {
     unlink($csrfile);
 }
 ?>
---EXPECT--
+--EXPECTF--
 bool(true)
 string(1086) "-----BEGIN CERTIFICATE REQUEST-----
 MIIC6jCCAdICAQAwgaQxCzAJBgNVBAYTAkJSMRowGAYDVQQIExFSaW8gR3JhbmRl
@@ -76,6 +74,8 @@ sfBgVeqg0P4SWez5fHXqBNcjMdMI5f0bikcDZSIfTHS8FX+PMurLBC8UPB0YNIOl
 JViHkCA9x6m8RJXAFvqmgLlWlUzbDv/cRrDfjWjR
 -----END CERTIFICATE REQUEST-----
 "
-openssl_csr_export_to_file(): Argument #1 ($csr) must be of type resource, string given
-openssl_csr_export_to_file(): supplied resource is not a valid OpenSSL X.509 CSR resource
+
+Warning: openssl_csr_export_to_file(): X.509 Certificate Signing Request cannot be retrieved in %s on line %d
+bool(false)
+openssl_csr_export_to_file(): Argument #1 ($csr) must be of type OpenSSLCertificateSigningRequest|string, OpenSSLAsymmetricKey given
 bool(true)
diff --git a/ext/openssl/tests/openssl_csr_get_public_key_basic.phpt b/ext/openssl/tests/openssl_csr_get_public_key_basic.phpt
index 185e46539e3fa4b2d5869ab9f14f0f35a628cb32..20cbbb83d693181e48c3c07e900c05908ba5cb69 100644 (file)
--- a/ext/openssl/tests/openssl_csr_get_public_key_basic.phpt
+++ b/ext/openssl/tests/openssl_csr_get_public_key_basic.phpt
@@ -40,5 +40,7 @@ var_dump(openssl_csr_get_public_key($csr));
 var_dump(openssl_csr_get_public_key($csr_file));
 ?>
 --EXPECTF--
-resource(%d) of type (OpenSSL key)
-resource(%d) of type (OpenSSL key)
+object(OpenSSLAsymmetricKey)#%d (0) {
+}
+object(OpenSSLAsymmetricKey)#%d (0) {
+}
diff --git a/ext/openssl/tests/openssl_csr_new_basic.phpt b/ext/openssl/tests/openssl_csr_new_basic.phpt
index c18ac2a22e77b4559ef65412cde22c2e27f17585..793cf03ed0f33ff3dafc93b2d983892e161f0e8a 100644 (file)
--- a/ext/openssl/tests/openssl_csr_new_basic.phpt
+++ b/ext/openssl/tests/openssl_csr_new_basic.phpt
@@ -27,6 +27,8 @@ Warning: openssl_csr_new(): Key array must be of the form array(0 => key, 1 => p
 
 Warning: openssl_csr_new(): add1_attr_by_txt challengePassword_min -> 4 (failed; check error queue and value of string_mask OpenSSL option if illegal characters are reported) in %s on line %d
 bool(false)
-resource(%d) of type (OpenSSL X.509 CSR)
-resource(%d) of type (OpenSSL X.509 CSR)
+object(OpenSSLCertificateSigningRequest)#%d (0) {
+}
+object(OpenSSLCertificateSigningRequest)#%d (0) {
+}
 Done
diff --git a/ext/openssl/tests/openssl_csr_sign_basic.phpt b/ext/openssl/tests/openssl_csr_sign_basic.phpt
index 03e070e52b156ed927ff7cc2d9002c7ad5ee40dd..ea720248d0d5562042734deca0c8cddc15661994 100644 (file)
--- a/ext/openssl/tests/openssl_csr_sign_basic.phpt
+++ b/ext/openssl/tests/openssl_csr_sign_basic.phpt
@@ -29,6 +29,7 @@ $args = array(
 
 $privkey = openssl_pkey_new($config_arg);
 $csr = openssl_csr_new($dn, $privkey, $args);
+
 var_dump(openssl_csr_sign($csr, null, $privkey, 365, $args));
 var_dump(openssl_csr_sign($csr, null, $privkey, 365, $config_arg));
 var_dump(openssl_csr_sign($csr, $cert, $priv, 365, $config_arg));
@@ -36,34 +37,46 @@ var_dump(openssl_csr_sign($csr, openssl_x509_read($cert), $priv, 365, $config_ar
 var_dump(openssl_csr_sign($csr, $wrong, $privkey, 365));
 var_dump(openssl_csr_sign($csr, null, $wrong, 365));
 var_dump(openssl_csr_sign($wrong, null, $privkey, 365));
-var_dump(openssl_csr_sign(array(), null, $privkey, 365));
-var_dump(openssl_csr_sign($csr, array(), $privkey, 365));
+
+try {
+    openssl_csr_sign(array(), null, $privkey, 365);
+} catch (TypeError $exception) {
+    echo $exception->getMessage() . "\n";
+}
+
+try {
+    var_dump(openssl_csr_sign($csr, array(), $privkey, 365));
+} catch (TypeError $exception) {
+    echo $exception->getMessage() . "\n";
+}
+
 var_dump(openssl_csr_sign($csr, null, array(), 365));
 var_dump(openssl_csr_sign($csr, null, $privkey, 365, $config_arg));
 ?>
 --EXPECTF--
-resource(%d) of type (OpenSSL X.509)
-resource(%d) of type (OpenSSL X.509)
-resource(%d) of type (OpenSSL X.509)
-resource(%d) of type (OpenSSL X.509)
+object(OpenSSLCertificate)#%d (0) {
+}
+object(OpenSSLCertificate)#%d (0) {
+}
+object(OpenSSLCertificate)#%d (0) {
+}
+object(OpenSSLCertificate)#%d (0) {
+}
 
-Warning: openssl_csr_sign(): Cannot get cert from parameter 2 in %s on line %d
+Warning: openssl_csr_sign(): X.509 Certificate cannot be retrieved in %s on line %d
 bool(false)
 
 Warning: openssl_csr_sign(): Cannot get private key from parameter 3 in %s on line %d
 bool(false)
 
-Warning: openssl_csr_sign(): Cannot get CSR from parameter 1 in %s on line %d
-bool(false)
-
-Warning: openssl_csr_sign(): Cannot get CSR from parameter 1 in %s on line %d
-bool(false)
-
-Warning: openssl_csr_sign(): Cannot get cert from parameter 2 in %s on line %d
+Warning: openssl_csr_sign(): X.509 Certificate Signing Request cannot be retrieved in %s on line %d
 bool(false)
+openssl_csr_sign(): Argument #1 ($csr) must be of type OpenSSLCertificateSigningRequest|string, array given
+openssl_csr_sign(): Argument #2 ($cacert) must be of type OpenSSLCertificate|string|null, array given
 
 Warning: openssl_csr_sign(): Key array must be of the form array(0 => key, 1 => phrase) in %s on line %d
 
 Warning: openssl_csr_sign(): Cannot get private key from parameter 3 in %s on line %d
 bool(false)
-resource(%d) of type (OpenSSL X.509)
+object(OpenSSLCertificate)#%d (0) {
+}
diff --git a/ext/openssl/tests/openssl_free_key.phpt b/ext/openssl/tests/openssl_free_key.phpt
index 0c8bdd92de0febb9ecc3b9e081c745f1f5618266..328394cc8e057630e6e9abcfbf881292fb83f8df 100644 (file)
--- a/ext/openssl/tests/openssl_free_key.phpt
+++ b/ext/openssl/tests/openssl_free_key.phpt
@@ -68,10 +68,16 @@ echo "OK!\n";
 
 @unlink($key_file_name);
 ?>
---EXPECT--
+--EXPECTF--
 Creating private key
 Export key to file
 Load key from file - array syntax
+
+Deprecated: Function openssl_free_key() is deprecated in %s on line %d
 Load key using direct syntax
+
+Deprecated: Function openssl_free_key() is deprecated in %s on line %d
 Load key manually and use string syntax
+
+Deprecated: Function openssl_free_key() is deprecated in %s on line %d
 OK!
diff --git a/ext/openssl/tests/openssl_pkcs12_export_basic.phpt b/ext/openssl/tests/openssl_pkcs12_export_basic.phpt
index 41d2fbdedd9d09b1976591f3be055f41aabbd2f8..fc8a146c0c4e43dc2dece0a95e4e3597abcd0830 100644 (file)
--- a/ext/openssl/tests/openssl_pkcs12_export_basic.phpt
+++ b/ext/openssl/tests/openssl_pkcs12_export_basic.phpt
@@ -48,11 +48,9 @@ bool(true)
 bool(true)
 int(3)
 
-Warning: openssl_pkcs12_export(): Cannot get cert from parameter 1 in %s on line %d
+Warning: openssl_pkcs12_export(): X.509 Certificate cannot be retrieved in %s on line %d
 bool(false)
 
-Warning: openssl_pkcs12_export(): Cannot get cert from parameter 1 in %s on line %d
+Warning: openssl_pkcs12_export(): X.509 Certificate cannot be retrieved in %s on line %d
 bool(false)
-
-Warning: openssl_pkcs12_export(): Cannot get cert from parameter 1 in %s on line %d
-openssl_pkcs12_export(): supplied resource is not a valid OpenSSL X.509 resource
+openssl_pkcs12_export(): Argument #1 ($x509) must be of type OpenSSLCertificate|string, OpenSSLAsymmetricKey given
diff --git a/ext/openssl/tests/openssl_pkcs12_export_to_file_basic.phpt b/ext/openssl/tests/openssl_pkcs12_export_to_file_basic.phpt
index 73dc070f3fbeaa6b55534ee73c7f462d907a9cc3..69363fe34f55a2b9aa096debe944845792c7d0d7 100644 (file)
--- a/ext/openssl/tests/openssl_pkcs12_export_to_file_basic.phpt
+++ b/ext/openssl/tests/openssl_pkcs12_export_to_file_basic.phpt
@@ -53,11 +53,9 @@ bool(true)
 bool(true)
 bool(true)
 
-Warning: openssl_pkcs12_export_to_file(): Cannot get cert from parameter 1 in %s on line %d
+Warning: openssl_pkcs12_export_to_file(): X.509 Certificate cannot be retrieved in %s on line %d
 bool(false)
 
-Warning: openssl_pkcs12_export_to_file(): Cannot get cert from parameter 1 in %s on line %d
+Warning: openssl_pkcs12_export_to_file(): X.509 Certificate cannot be retrieved in %s on line %d
 bool(false)
-
-Warning: openssl_pkcs12_export_to_file(): Cannot get cert from parameter 1 in %s on line %d
-openssl_pkcs12_export_to_file(): supplied resource is not a valid OpenSSL X.509 resource
+openssl_pkcs12_export_to_file(): Argument #1 ($x509cert) must be of type OpenSSLCertificate|string, OpenSSLAsymmetricKey given
diff --git a/ext/openssl/tests/openssl_pkcs7_decrypt_basic.phpt b/ext/openssl/tests/openssl_pkcs7_decrypt_basic.phpt
index f96fd401cde90153ecb84751c63107157c8c8f79..eb0698da9ffb2441f829075aa86cdb210f02c37e 100644 (file)
--- a/ext/openssl/tests/openssl_pkcs7_decrypt_basic.phpt
+++ b/ext/openssl/tests/openssl_pkcs7_decrypt_basic.phpt
@@ -48,16 +48,16 @@ bool(true)
 Warning: openssl_pkcs7_decrypt(): Unable to get private key in %s on line %d
 bool(false)
 
-Warning: openssl_pkcs7_decrypt(): Unable to coerce parameter 3 to x509 cert in %s on line %d
+Warning: openssl_pkcs7_decrypt(): X.509 Certificate cannot be retrieved in %s on line %d
 bool(false)
 
-Warning: openssl_pkcs7_decrypt(): Unable to coerce parameter 3 to x509 cert in %s on line %d
+Warning: openssl_pkcs7_decrypt(): X.509 Certificate cannot be retrieved in %s on line %d
 bool(false)
 bool(false)
 bool(false)
 bool(false)
 
-Warning: openssl_pkcs7_decrypt(): Unable to coerce parameter 3 to x509 cert in %s on line %d
+Warning: openssl_pkcs7_decrypt(): X.509 Certificate cannot be retrieved in %s on line %d
 bool(false)
 
 Warning: openssl_pkcs7_decrypt(): Unable to get private key in %s on line %d
diff --git a/ext/openssl/tests/openssl_pkcs7_decrypt_error.phpt b/ext/openssl/tests/openssl_pkcs7_decrypt_error.phpt
index d7ae715efb136b02ccac4d6a15f5ebdeee2a85df..39e45399fdc43bc17956ed1fc5a03dc6b9876054 100644 (file)
--- a/ext/openssl/tests/openssl_pkcs7_decrypt_error.phpt
+++ b/ext/openssl/tests/openssl_pkcs7_decrypt_error.phpt
@@ -33,12 +33,12 @@ echo "Done\n";
 Object of class stdClass could not be converted to string
 object(stdClass)#1 (0) {
 }
-string(66) "openssl_pkcs7_decrypt(): Unable to coerce parameter 3 to x509 cert"
+string(62) "openssl_pkcs7_decrypt(): X.509 Certificate cannot be retrieved"
 bool(false)
-string(66) "openssl_pkcs7_decrypt(): Unable to coerce parameter 3 to x509 cert"
+string(62) "openssl_pkcs7_decrypt(): X.509 Certificate cannot be retrieved"
 bool(false)
-string(66) "openssl_pkcs7_decrypt(): Unable to coerce parameter 3 to x509 cert"
+string(62) "openssl_pkcs7_decrypt(): X.509 Certificate cannot be retrieved"
 bool(false)
-string(66) "openssl_pkcs7_decrypt(): Unable to coerce parameter 3 to x509 cert"
+string(62) "openssl_pkcs7_decrypt(): X.509 Certificate cannot be retrieved"
 bool(false)
 Done
diff --git a/ext/openssl/tests/openssl_pkcs7_sign_basic.phpt b/ext/openssl/tests/openssl_pkcs7_sign_basic.phpt
index 9b9ff91ddd0a0f164f2da377ca6a622715549430..13eac36a79fbc03220c1f7b7a675a885c18fdaf1 100644 (file)
--- a/ext/openssl/tests/openssl_pkcs7_sign_basic.phpt
+++ b/ext/openssl/tests/openssl_pkcs7_sign_basic.phpt
@@ -49,10 +49,10 @@ bool(false)
 Warning: openssl_pkcs7_sign(): Error opening output file %s in %s on line %d
 bool(false)
 
-Warning: openssl_pkcs7_sign(): Error getting cert in %s on line %d
+Warning: openssl_pkcs7_sign(): X.509 Certificate cannot be retrieved in %s on line %d
 bool(false)
 
-Warning: openssl_pkcs7_sign(): Error getting cert in %s on line %d
+Warning: openssl_pkcs7_sign(): X.509 Certificate cannot be retrieved in %s on line %d
 bool(false)
 
 Warning: openssl_pkcs7_sign(): Error getting private key in %s on line %d
diff --git a/ext/openssl/tests/openssl_pkey_export_basic.phpt b/ext/openssl/tests/openssl_pkey_export_basic.phpt
index d71f8da9a3420c53308e50828614285686ca80d0..678b7e7299b12abd8a720b740fa21deb099096dd 100644 (file)
--- a/ext/openssl/tests/openssl_pkey_export_basic.phpt
+++ b/ext/openssl/tests/openssl_pkey_export_basic.phpt
@@ -39,17 +39,19 @@ $tempname = tempnam(sys_get_temp_dir(), 'openssl_ec');
 var_dump(openssl_pkey_export_to_file($key, $tempname, NULL, $config_arg));
 $details = openssl_pkey_get_details(openssl_pkey_get_private('file://' . $tempname));
 var_dump(OPENSSL_KEYTYPE_EC === $details['type']);
-var_dump(is_resource($key));
+var_dump($key instanceof OpenSSLAsymmetricKey);
 // Clean the temporary file
 @unlink($tempname);
 ?>
 --EXPECTF--
-resource(%d) of type (OpenSSL key)
+object(OpenSSLAsymmetricKey)#%d (0) {
+}
 bool(true)
 -----BEGIN EC PRIVATE KEY-----%a-----END EC PRIVATE KEY-----
 bool(true)
 bool(true)
-resource(%d) of type (OpenSSL key)
+object(OpenSSLAsymmetricKey)#%d (0) {
+}
 array(1) {
   ["d"]=>
   string(32) "%a"
diff --git a/ext/openssl/tests/openssl_pkey_new_error.phpt b/ext/openssl/tests/openssl_pkey_new_error.phpt
index 4bed65278c767368ae22754d49c1ea72c13c1325..f863f0637a3bee75f485871d6486d9364067f93d 100644 (file)
--- a/ext/openssl/tests/openssl_pkey_new_error.phpt
+++ b/ext/openssl/tests/openssl_pkey_new_error.phpt
@@ -28,6 +28,6 @@ try {
 }
 ?>
 --EXPECT--
-openssl_pkey_get_details(): Argument #1 ($key) must be of type resource, bool given
-openssl_pkey_get_details(): Argument #1 ($key) must be of type resource, bool given
-openssl_pkey_get_details(): Argument #1 ($key) must be of type resource, bool given
+openssl_pkey_get_details(): Argument #1 ($key) must be of type OpenSSLAsymmetricKey, bool given
+openssl_pkey_get_details(): Argument #1 ($key) must be of type OpenSSLAsymmetricKey, bool given
+openssl_pkey_get_details(): Argument #1 ($key) must be of type OpenSSLAsymmetricKey, bool given
diff --git a/ext/openssl/tests/openssl_x509_export_basic.phpt b/ext/openssl/tests/openssl_x509_export_basic.phpt
index 03baae92664409b31fac8788d05f31469f38b077..43dc843b702b3f159bfc933ba865caea9075a009 100644 (file)
--- a/ext/openssl/tests/openssl_x509_export_basic.phpt
+++ b/ext/openssl/tests/openssl_x509_export_basic.phpt
@@ -16,7 +16,12 @@ var_dump(openssl_x509_export($a, $output));  // read cert as a binary string
 var_dump(openssl_x509_export($b, $output2)); // read cert from a filename string
 var_dump(openssl_x509_export($c, $output3)); // read an invalid cert, fails
 var_dump(openssl_x509_export($d, $output4)); // read cert from a resource
-var_dump(openssl_x509_export($e, $output5)); // read an array, fails
+
+try {
+    openssl_x509_export($e, $output5); // read an array, fails
+} catch (TypeError $exception) {
+    echo $exception->getMessage() . "\n";
+}
 
 if (PHP_EOL !== "\n") {
     $a = str_replace(PHP_EOL, "\n", $a);
@@ -32,12 +37,10 @@ var_dump(strcmp($output, $output5)); // different
 bool(true)
 bool(true)
 
-Warning: openssl_x509_export(): Cannot get cert from parameter 1 in %s on line %d
+Warning: openssl_x509_export(): X.509 Certificate cannot be retrieved in %s on line %d
 bool(false)
 bool(true)
-
-Warning: openssl_x509_export(): Cannot get cert from parameter 1 in %s on line %d
-bool(false)
+openssl_x509_export(): Argument #1 ($x509) must be of type OpenSSLCertificate|string, array given
 int(0)
 int(0)
 int(%d)
diff --git a/ext/openssl/tests/openssl_x509_export_to_file_basic.phpt b/ext/openssl/tests/openssl_x509_export_to_file_basic.phpt
index 45037449a9851add98a6d0bdf06fb68dc03cf7d8..71a494f40196f7a92278e6f1e995fdf59097463c 100644 (file)
--- a/ext/openssl/tests/openssl_x509_export_to_file_basic.phpt
+++ b/ext/openssl/tests/openssl_x509_export_to_file_basic.phpt
@@ -17,7 +17,11 @@ var_dump(openssl_x509_export_to_file($a, $outfilename)); // read cert as a binar
 var_dump(openssl_x509_export_to_file($b, $outfilename)); // read cert from a filename string
 var_dump(openssl_x509_export_to_file($c, $outfilename)); // read an invalid cert, fails
 var_dump(openssl_x509_export_to_file($d, $outfilename)); // read cert from a resource
-var_dump(openssl_x509_export_to_file($e, $outfilename)); // read an array, fails
+try {
+    openssl_x509_export_to_file($e, $outfilename); // read an array, fails
+} catch (TypeError $exception) {
+    echo $exception->getMessage() . "\n";
+}
 echo "---\n";
 var_dump($exists = file_exists($outfilename));
 ?>
@@ -32,11 +36,9 @@ if (file_exists($outfilename)) {
 bool(true)
 bool(true)
 
-Warning: openssl_x509_export_to_file(): Cannot get cert from parameter 1 in %s on line %d
+Warning: openssl_x509_export_to_file(): X.509 Certificate cannot be retrieved in %s on line %d
 bool(false)
 bool(true)
-
-Warning: openssl_x509_export_to_file(): Cannot get cert from parameter 1 in %s on line %d
-bool(false)
+openssl_x509_export_to_file(): Argument #1 ($x509) must be of type OpenSSLCertificate|string, array given
 ---
 bool(true)
diff --git a/ext/openssl/tests/openssl_x509_fingerprint_basic.phpt b/ext/openssl/tests/openssl_x509_fingerprint_basic.phpt
index 14f8c0c1ce8c04baf8d6c208eb818463f65f3d4e..c4524ada0b1a0e038516b3c6cd3fa5ddf5ae0a2d 100644 (file)
--- a/ext/openssl/tests/openssl_x509_fingerprint_basic.phpt
+++ b/ext/openssl/tests/openssl_x509_fingerprint_basic.phpt
@@ -36,7 +36,7 @@ string(32) "ac77008e172897e06c0b065294487a67"
 string(40) "6e6fd1ea10a5a23071d61c728ee9b40df6dbc33c"
 ** Testing bad certification **
 
-Warning: openssl_x509_fingerprint(): Cannot get cert from parameter 1 in %s on line %d
+Warning: openssl_x509_fingerprint(): X.509 Certificate cannot be retrieved in %s on line %d
 bool(false)
 ** Testing bad hash method **
 
diff --git a/ext/openssl/tests/openssl_x509_free_basic.phpt b/ext/openssl/tests/openssl_x509_free_basic.phpt
index 6fc28f1e75842e8343ebb27858b85c8d5dc855dc..77d42fda424749c207a4e7d02484f9c5bbbccf24 100644 (file)
--- a/ext/openssl/tests/openssl_x509_free_basic.phpt
+++ b/ext/openssl/tests/openssl_x509_free_basic.phpt
@@ -9,5 +9,9 @@ openssl_x509_free($res);
 var_dump($res);
 ?>
 --EXPECTF--
-resource(%d) of type (OpenSSL X.509)
-resource(%d) of type (Unknown)
+object(OpenSSLCertificate)#1 (0) {
+}
+
+Deprecated: Function openssl_x509_free() is deprecated in %s on line %d
+object(OpenSSLCertificate)#1 (0) {
+}
diff --git a/ext/openssl/tests/openssl_x509_read_basic.phpt b/ext/openssl/tests/openssl_x509_read_basic.phpt
index d3aeadd29bc3782f7fc0566efe92340a9d551bc8..e4d956b1207060d3dc2eaeb6bda622723e237e2f 100644 (file)
--- a/ext/openssl/tests/openssl_x509_read_basic.phpt
+++ b/ext/openssl/tests/openssl_x509_read_basic.phpt
@@ -18,19 +18,29 @@ var_dump(openssl_x509_read($a)); // read cert as a string
 var_dump(openssl_x509_read($b)); // read cert as a filename string
 var_dump(openssl_x509_read($c)); // read an invalid cert, fails
 var_dump(openssl_x509_read($d)); // read cert from a resource
-var_dump(openssl_x509_read($e)); // read an array
-var_dump(openssl_x509_read($f)); // read an array with the filename
-?>
---EXPECTF--
-resource(%d) of type (OpenSSL X.509)
-resource(%d) of type (OpenSSL X.509)
 
-Warning: openssl_x509_read(): Supplied parameter cannot be coerced into an X509 certificate! in %s on line %d
-bool(false)
-resource(%d) of type (OpenSSL X.509)
+try {
+    openssl_x509_read($e); // read an array
+} catch (TypeError $exception) {
+    echo $exception->getMessage() . "\n";
+}
 
-Warning: openssl_x509_read(): Supplied parameter cannot be coerced into an X509 certificate! in %s on line %d
-bool(false)
+try {
+    openssl_x509_read($f); // read an array with the filename
+} catch (TypeError $exception) {
+    echo $exception->getMessage() . "\n";
+}
+
+?>
+--EXPECTF--
+object(OpenSSLCertificate)#%d (0) {
+}
+object(OpenSSLCertificate)#%d (0) {
+}
 
-Warning: openssl_x509_read(): Supplied parameter cannot be coerced into an X509 certificate! in %s on line %d
+Warning: openssl_x509_read(): X.509 Certificate cannot be retrieved in %s on line %d
 bool(false)
+object(OpenSSLCertificate)#%d (0) {
+}
+openssl_x509_read(): Argument #1 ($x509) must be of type OpenSSLCertificate|string, array given
+openssl_x509_read(): Argument #1 ($x509) must be of type OpenSSLCertificate|string, array given
diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c
index 3e2b72d9db4e6914cca3be0fd13e3d517845c2c7..feb9ee52c11649757a51d355242920029dc1deb8 100644 (file)
--- a/ext/openssl/xp_ssl.c
+++ b/ext/openssl/xp_ssl.c
@@ -122,7 +122,6 @@ static RSA *php_openssl_tmp_rsa_cb(SSL *s, int is_export, int keylength);
 extern php_stream* php_openssl_get_stream_from_ssl_handle(const SSL *ssl);
 extern zend_string* php_openssl_x509_fingerprint(X509 *peer, const char *method, zend_bool raw);
 extern int php_openssl_get_ssl_stream_data_index();
-extern int php_openssl_get_x509_list_id(void);
 static struct timeval php_openssl_subtract_timeval(struct timeval a, struct timeval b);
 static int php_openssl_compare_timeval(struct timeval a, struct timeval b);
 static ssize_t php_openssl_sockop_io(int read, php_stream *stream, char *buf, size_t count);
@@ -1820,13 +1819,17 @@ static int php_openssl_capture_peer_certs(php_stream *stream,
                php_openssl_netstream_data_t *sslsock, X509 *peer_cert) /* {{{ */
 {
        zval *val, zcert;
+       php_openssl_certificate_object *cert_object;
        int cert_captured = 0;
 
        if (NULL != (val = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream),
                        "ssl", "capture_peer_cert")) &&
                zend_is_true(val)
        ) {
-               ZVAL_RES(&zcert, zend_register_resource(peer_cert, php_openssl_get_x509_list_id()));
+               object_init_ex(&zcert, php_openssl_certificate_ce);
+               cert_object = Z_OPENSSL_CERTIFICATE_P(&zcert);
+               cert_object->x509 = peer_cert;
+
                php_stream_context_set_option(PHP_STREAM_CONTEXT(stream), "ssl", "peer_certificate", &zcert);
                zval_ptr_dtor(&zcert);
                cert_captured = 1;
@@ -1847,7 +1850,10 @@ static int php_openssl_capture_peer_certs(php_stream *stream,
 
                        for (i = 0; i < sk_X509_num(chain); i++) {
                                X509 *mycert = X509_dup(sk_X509_value(chain, i));
-                               ZVAL_RES(&zcert, zend_register_resource(mycert, php_openssl_get_x509_list_id()));
+
+                               object_init_ex(&zcert, php_openssl_certificate_ce);
+                               cert_object = Z_OPENSSL_CERTIFICATE_P(&zcert);
+                               cert_object->x509 = mycert;
                                add_next_index_zval(&arr, &zcert);
                        }
 
Unnamed repository; edit this file 'description' to name the repository.