These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more
1 | <?php |
||
2 | /** |
||
3 | * Create an end-entity certificate based on CSR and sign using CA certificate. |
||
4 | * |
||
5 | * php issue-cert.php <(php create-ca-cert.php) <(php create-csr.php) |
||
6 | */ |
||
7 | |||
8 | use Sop\CryptoEncoding\PEM; |
||
9 | use Sop\CryptoTypes\AlgorithmIdentifier\Hash\SHA512AlgorithmIdentifier; |
||
10 | use Sop\CryptoTypes\AlgorithmIdentifier\Signature\SignatureAlgorithmIdentifierFactory; |
||
11 | use Sop\CryptoTypes\Asymmetric\PrivateKeyInfo; |
||
12 | use X509\Certificate\Certificate; |
||
13 | use X509\Certificate\TBSCertificate; |
||
14 | use X509\Certificate\Validity; |
||
15 | use X509\Certificate\Extension\BasicConstraintsExtension; |
||
16 | use X509\Certificate\Extension\KeyUsageExtension; |
||
17 | use X509\CertificationRequest\CertificationRequest; |
||
18 | |||
19 | require dirname(__DIR__) . "/vendor/autoload.php"; |
||
20 | |||
21 | $argc == 3 or printf("Usage: %s <ca-path> <csr-path>\n", $argv[0]) and exit(1); |
||
22 | // load issuer certificate from PEM |
||
23 | $issuer_cert = Certificate::fromPEM(PEM::fromFile($argv[1])); |
||
24 | // load certification request from PEM |
||
25 | $csr = CertificationRequest::fromPEM(PEM::fromFile($argv[2])); |
||
26 | // verify CSR |
||
27 | if (!$csr->verify()) { |
||
28 | echo "Failed to verify certification request signature.\n"; |
||
29 | exit(1); |
||
30 | } |
||
31 | // load CA's private key from PEM |
||
32 | $private_key_info = PrivateKeyInfo::fromPEM( |
||
33 | PEM::fromFile(dirname(__DIR__) . "/test/assets/rsa/private_key.pem")); |
||
34 | // initialize certificate from CSR and issuer's certificate |
||
35 | $tbs_cert = TBSCertificate::fromCSR($csr)->withIssuerCertificate($issuer_cert); |
||
36 | // set random serial number |
||
37 | $tbs_cert = $tbs_cert->withRandomSerialNumber(); |
||
38 | // set validity period |
||
39 | $tbs_cert = $tbs_cert->withValidity( |
||
40 | Validity::fromStrings("now", "now + 3 months")); |
||
41 | // add extensions |
||
42 | $tbs_cert = $tbs_cert->withAdditionalExtensions( |
||
43 | new KeyUsageExtension(true, |
||
44 | KeyUsageExtension::DIGITAL_SIGNATURE | |
||
45 | KeyUsageExtension::KEY_ENCIPHERMENT), |
||
46 | new BasicConstraintsExtension(true, false)); |
||
47 | // sign certificate with issuer's private key |
||
48 | $algo = SignatureAlgorithmIdentifierFactory::algoForAsymmetricCrypto( |
||
49 | $private_key_info->algorithmIdentifier(), new SHA512AlgorithmIdentifier()); |
||
0 ignored issues
–
show
|
|||
50 | $cert = $tbs_cert->sign($algo, $private_key_info); |
||
51 | echo $cert; |
||
52 |
This check looks for parameters that are defined as one type in their type hint or doc comment but seem to be used as a narrower type, i.e an implementation of an interface or a subclass.
Consider changing the type of the parameter or doing an instanceof check before assuming your parameter is of the expected type.