sop /
x509
@@ -19,172 +19,172 @@ |
||
| 19 | 19 | */ |
| 20 | 20 | class IssuerSerial |
| 21 | 21 | { |
| 22 | - /** |
|
| 23 | - * Issuer name. |
|
| 24 | - * |
|
| 25 | - * @var GeneralNames $_issuer |
|
| 26 | - */ |
|
| 27 | - protected $_issuer; |
|
| 22 | + /** |
|
| 23 | + * Issuer name. |
|
| 24 | + * |
|
| 25 | + * @var GeneralNames $_issuer |
|
| 26 | + */ |
|
| 27 | + protected $_issuer; |
|
| 28 | 28 | |
| 29 | - /** |
|
| 30 | - * Serial number. |
|
| 31 | - * |
|
| 32 | - * @var string $_serial |
|
| 33 | - */ |
|
| 34 | - protected $_serial; |
|
| 29 | + /** |
|
| 30 | + * Serial number. |
|
| 31 | + * |
|
| 32 | + * @var string $_serial |
|
| 33 | + */ |
|
| 34 | + protected $_serial; |
|
| 35 | 35 | |
| 36 | - /** |
|
| 37 | - * Issuer unique ID. |
|
| 38 | - * |
|
| 39 | - * @var UniqueIdentifier|null $_issuerUID |
|
| 40 | - */ |
|
| 41 | - protected $_issuerUID; |
|
| 36 | + /** |
|
| 37 | + * Issuer unique ID. |
|
| 38 | + * |
|
| 39 | + * @var UniqueIdentifier|null $_issuerUID |
|
| 40 | + */ |
|
| 41 | + protected $_issuerUID; |
|
| 42 | 42 | |
| 43 | - /** |
|
| 44 | - * Constructor. |
|
| 45 | - * |
|
| 46 | - * @param GeneralNames $issuer |
|
| 47 | - * @param string|int $serial |
|
| 48 | - * @param UniqueIdentifier|null $uid |
|
| 49 | - */ |
|
| 50 | - public function __construct(GeneralNames $issuer, $serial, |
|
| 51 | - UniqueIdentifier $uid = null) |
|
| 52 | - { |
|
| 53 | - $this->_issuer = $issuer; |
|
| 54 | - $this->_serial = strval($serial); |
|
| 55 | - $this->_issuerUID = $uid; |
|
| 56 | - } |
|
| 43 | + /** |
|
| 44 | + * Constructor. |
|
| 45 | + * |
|
| 46 | + * @param GeneralNames $issuer |
|
| 47 | + * @param string|int $serial |
|
| 48 | + * @param UniqueIdentifier|null $uid |
|
| 49 | + */ |
|
| 50 | + public function __construct(GeneralNames $issuer, $serial, |
|
| 51 | + UniqueIdentifier $uid = null) |
|
| 52 | + { |
|
| 53 | + $this->_issuer = $issuer; |
|
| 54 | + $this->_serial = strval($serial); |
|
| 55 | + $this->_issuerUID = $uid; |
|
| 56 | + } |
|
| 57 | 57 | |
| 58 | - /** |
|
| 59 | - * Initialize from ASN.1. |
|
| 60 | - * |
|
| 61 | - * @param Sequence $seq |
|
| 62 | - * @return self |
|
| 63 | - */ |
|
| 64 | - public static function fromASN1(Sequence $seq): self |
|
| 65 | - { |
|
| 66 | - $issuer = GeneralNames::fromASN1($seq->at(0)->asSequence()); |
|
| 67 | - $serial = $seq->at(1) |
|
| 68 | - ->asInteger() |
|
| 69 | - ->number(); |
|
| 70 | - $uid = null; |
|
| 71 | - if ($seq->has(2, Element::TYPE_BIT_STRING)) { |
|
| 72 | - $uid = UniqueIdentifier::fromASN1($seq->at(2)->asBitString()); |
|
| 73 | - } |
|
| 74 | - return new self($issuer, $serial, $uid); |
|
| 75 | - } |
|
| 58 | + /** |
|
| 59 | + * Initialize from ASN.1. |
|
| 60 | + * |
|
| 61 | + * @param Sequence $seq |
|
| 62 | + * @return self |
|
| 63 | + */ |
|
| 64 | + public static function fromASN1(Sequence $seq): self |
|
| 65 | + { |
|
| 66 | + $issuer = GeneralNames::fromASN1($seq->at(0)->asSequence()); |
|
| 67 | + $serial = $seq->at(1) |
|
| 68 | + ->asInteger() |
|
| 69 | + ->number(); |
|
| 70 | + $uid = null; |
|
| 71 | + if ($seq->has(2, Element::TYPE_BIT_STRING)) { |
|
| 72 | + $uid = UniqueIdentifier::fromASN1($seq->at(2)->asBitString()); |
|
| 73 | + } |
|
| 74 | + return new self($issuer, $serial, $uid); |
|
| 75 | + } |
|
| 76 | 76 | |
| 77 | - /** |
|
| 78 | - * Initialize from a public key certificate. |
|
| 79 | - * |
|
| 80 | - * @param Certificate $cert |
|
| 81 | - * @return self |
|
| 82 | - */ |
|
| 83 | - public static function fromPKC(Certificate $cert) |
|
| 84 | - { |
|
| 85 | - $tbsCert = $cert->tbsCertificate(); |
|
| 86 | - $issuer = new GeneralNames(new DirectoryName($tbsCert->issuer())); |
|
| 87 | - $serial = $tbsCert->serialNumber(); |
|
| 88 | - $uid = $tbsCert->hasIssuerUniqueID() ? $tbsCert->issuerUniqueID() : null; |
|
| 89 | - return new self($issuer, $serial, $uid); |
|
| 90 | - } |
|
| 77 | + /** |
|
| 78 | + * Initialize from a public key certificate. |
|
| 79 | + * |
|
| 80 | + * @param Certificate $cert |
|
| 81 | + * @return self |
|
| 82 | + */ |
|
| 83 | + public static function fromPKC(Certificate $cert) |
|
| 84 | + { |
|
| 85 | + $tbsCert = $cert->tbsCertificate(); |
|
| 86 | + $issuer = new GeneralNames(new DirectoryName($tbsCert->issuer())); |
|
| 87 | + $serial = $tbsCert->serialNumber(); |
|
| 88 | + $uid = $tbsCert->hasIssuerUniqueID() ? $tbsCert->issuerUniqueID() : null; |
|
| 89 | + return new self($issuer, $serial, $uid); |
|
| 90 | + } |
|
| 91 | 91 | |
| 92 | - /** |
|
| 93 | - * Get issuer name. |
|
| 94 | - * |
|
| 95 | - * @return GeneralNames |
|
| 96 | - */ |
|
| 97 | - public function issuer(): GeneralNames |
|
| 98 | - { |
|
| 99 | - return $this->_issuer; |
|
| 100 | - } |
|
| 92 | + /** |
|
| 93 | + * Get issuer name. |
|
| 94 | + * |
|
| 95 | + * @return GeneralNames |
|
| 96 | + */ |
|
| 97 | + public function issuer(): GeneralNames |
|
| 98 | + { |
|
| 99 | + return $this->_issuer; |
|
| 100 | + } |
|
| 101 | 101 | |
| 102 | - /** |
|
| 103 | - * Get serial number. |
|
| 104 | - * |
|
| 105 | - * @return string |
|
| 106 | - */ |
|
| 107 | - public function serial(): string |
|
| 108 | - { |
|
| 109 | - return $this->_serial; |
|
| 110 | - } |
|
| 102 | + /** |
|
| 103 | + * Get serial number. |
|
| 104 | + * |
|
| 105 | + * @return string |
|
| 106 | + */ |
|
| 107 | + public function serial(): string |
|
| 108 | + { |
|
| 109 | + return $this->_serial; |
|
| 110 | + } |
|
| 111 | 111 | |
| 112 | - /** |
|
| 113 | - * Check whether issuer unique identifier is present. |
|
| 114 | - * |
|
| 115 | - * @return bool |
|
| 116 | - */ |
|
| 117 | - public function hasIssuerUID(): bool |
|
| 118 | - { |
|
| 119 | - return isset($this->_issuerUID); |
|
| 120 | - } |
|
| 112 | + /** |
|
| 113 | + * Check whether issuer unique identifier is present. |
|
| 114 | + * |
|
| 115 | + * @return bool |
|
| 116 | + */ |
|
| 117 | + public function hasIssuerUID(): bool |
|
| 118 | + { |
|
| 119 | + return isset($this->_issuerUID); |
|
| 120 | + } |
|
| 121 | 121 | |
| 122 | - /** |
|
| 123 | - * Get issuer unique identifier. |
|
| 124 | - * |
|
| 125 | - * @throws \LogicException |
|
| 126 | - * @return UniqueIdentifier |
|
| 127 | - */ |
|
| 128 | - public function issuerUID(): UniqueIdentifier |
|
| 129 | - { |
|
| 130 | - if (!$this->hasIssuerUID()) { |
|
| 131 | - throw new \LogicException("issuerUID not set."); |
|
| 132 | - } |
|
| 133 | - return $this->_issuerUID; |
|
| 134 | - } |
|
| 122 | + /** |
|
| 123 | + * Get issuer unique identifier. |
|
| 124 | + * |
|
| 125 | + * @throws \LogicException |
|
| 126 | + * @return UniqueIdentifier |
|
| 127 | + */ |
|
| 128 | + public function issuerUID(): UniqueIdentifier |
|
| 129 | + { |
|
| 130 | + if (!$this->hasIssuerUID()) { |
|
| 131 | + throw new \LogicException("issuerUID not set."); |
|
| 132 | + } |
|
| 133 | + return $this->_issuerUID; |
|
| 134 | + } |
|
| 135 | 135 | |
| 136 | - /** |
|
| 137 | - * Generate ASN.1 structure. |
|
| 138 | - * |
|
| 139 | - * @return Sequence |
|
| 140 | - */ |
|
| 141 | - public function toASN1(): Sequence |
|
| 142 | - { |
|
| 143 | - $elements = array($this->_issuer->toASN1(), new Integer($this->_serial)); |
|
| 144 | - if (isset($this->_issuerUID)) { |
|
| 145 | - $elements[] = $this->_issuerUID->toASN1(); |
|
| 146 | - } |
|
| 147 | - return new Sequence(...$elements); |
|
| 148 | - } |
|
| 136 | + /** |
|
| 137 | + * Generate ASN.1 structure. |
|
| 138 | + * |
|
| 139 | + * @return Sequence |
|
| 140 | + */ |
|
| 141 | + public function toASN1(): Sequence |
|
| 142 | + { |
|
| 143 | + $elements = array($this->_issuer->toASN1(), new Integer($this->_serial)); |
|
| 144 | + if (isset($this->_issuerUID)) { |
|
| 145 | + $elements[] = $this->_issuerUID->toASN1(); |
|
| 146 | + } |
|
| 147 | + return new Sequence(...$elements); |
|
| 148 | + } |
|
| 149 | 149 | |
| 150 | - /** |
|
| 151 | - * Check whether this IssuerSerial identifies given certificate. |
|
| 152 | - * |
|
| 153 | - * @param Certificate $cert |
|
| 154 | - * @return boolean |
|
| 155 | - */ |
|
| 156 | - public function identifiesPKC(Certificate $cert): bool |
|
| 157 | - { |
|
| 158 | - $tbs = $cert->tbsCertificate(); |
|
| 159 | - if (!$tbs->issuer()->equals($this->_issuer->firstDN())) { |
|
| 160 | - return false; |
|
| 161 | - } |
|
| 162 | - if (strval($tbs->serialNumber()) != strval($this->_serial)) { |
|
| 163 | - return false; |
|
| 164 | - } |
|
| 165 | - if ($this->_issuerUID && !$this->_checkUniqueID($cert)) { |
|
| 166 | - return false; |
|
| 167 | - } |
|
| 168 | - return true; |
|
| 169 | - } |
|
| 150 | + /** |
|
| 151 | + * Check whether this IssuerSerial identifies given certificate. |
|
| 152 | + * |
|
| 153 | + * @param Certificate $cert |
|
| 154 | + * @return boolean |
|
| 155 | + */ |
|
| 156 | + public function identifiesPKC(Certificate $cert): bool |
|
| 157 | + { |
|
| 158 | + $tbs = $cert->tbsCertificate(); |
|
| 159 | + if (!$tbs->issuer()->equals($this->_issuer->firstDN())) { |
|
| 160 | + return false; |
|
| 161 | + } |
|
| 162 | + if (strval($tbs->serialNumber()) != strval($this->_serial)) { |
|
| 163 | + return false; |
|
| 164 | + } |
|
| 165 | + if ($this->_issuerUID && !$this->_checkUniqueID($cert)) { |
|
| 166 | + return false; |
|
| 167 | + } |
|
| 168 | + return true; |
|
| 169 | + } |
|
| 170 | 170 | |
| 171 | - /** |
|
| 172 | - * Check whether issuerUID matches given certificate. |
|
| 173 | - * |
|
| 174 | - * @param Certificate $cert |
|
| 175 | - * @return boolean |
|
| 176 | - */ |
|
| 177 | - private function _checkUniqueID(Certificate $cert): bool |
|
| 178 | - { |
|
| 179 | - if (!$cert->tbsCertificate()->hasIssuerUniqueID()) { |
|
| 180 | - return false; |
|
| 181 | - } |
|
| 182 | - $uid = $cert->tbsCertificate() |
|
| 183 | - ->issuerUniqueID() |
|
| 184 | - ->string(); |
|
| 185 | - if ($this->_issuerUID->string() != $uid) { |
|
| 186 | - return false; |
|
| 187 | - } |
|
| 188 | - return true; |
|
| 189 | - } |
|
| 171 | + /** |
|
| 172 | + * Check whether issuerUID matches given certificate. |
|
| 173 | + * |
|
| 174 | + * @param Certificate $cert |
|
| 175 | + * @return boolean |
|
| 176 | + */ |
|
| 177 | + private function _checkUniqueID(Certificate $cert): bool |
|
| 178 | + { |
|
| 179 | + if (!$cert->tbsCertificate()->hasIssuerUniqueID()) { |
|
| 180 | + return false; |
|
| 181 | + } |
|
| 182 | + $uid = $cert->tbsCertificate() |
|
| 183 | + ->issuerUniqueID() |
|
| 184 | + ->string(); |
|
| 185 | + if ($this->_issuerUID->string() != $uid) { |
|
| 186 | + return false; |
|
| 187 | + } |
|
| 188 | + return true; |
|
| 189 | + } |
|
| 190 | 190 | } |
@@ -12,112 +12,112 @@ |
||
| 12 | 12 | */ |
| 13 | 13 | class ACValidationConfig |
| 14 | 14 | { |
| 15 | - /** |
|
| 16 | - * Certification path of the AC holder. |
|
| 17 | - * |
|
| 18 | - * @var CertificationPath |
|
| 19 | - */ |
|
| 20 | - protected $_holderPath; |
|
| 15 | + /** |
|
| 16 | + * Certification path of the AC holder. |
|
| 17 | + * |
|
| 18 | + * @var CertificationPath |
|
| 19 | + */ |
|
| 20 | + protected $_holderPath; |
|
| 21 | 21 | |
| 22 | - /** |
|
| 23 | - * Certification path of the AC issuer. |
|
| 24 | - * |
|
| 25 | - * @var CertificationPath |
|
| 26 | - */ |
|
| 27 | - protected $_issuerPath; |
|
| 22 | + /** |
|
| 23 | + * Certification path of the AC issuer. |
|
| 24 | + * |
|
| 25 | + * @var CertificationPath |
|
| 26 | + */ |
|
| 27 | + protected $_issuerPath; |
|
| 28 | 28 | |
| 29 | - /** |
|
| 30 | - * Evaluation reference time. |
|
| 31 | - * |
|
| 32 | - * @var \DateTimeImmutable |
|
| 33 | - */ |
|
| 34 | - protected $_evalTime; |
|
| 29 | + /** |
|
| 30 | + * Evaluation reference time. |
|
| 31 | + * |
|
| 32 | + * @var \DateTimeImmutable |
|
| 33 | + */ |
|
| 34 | + protected $_evalTime; |
|
| 35 | 35 | |
| 36 | - /** |
|
| 37 | - * Permitted targets. |
|
| 38 | - * |
|
| 39 | - * @var Target[] |
|
| 40 | - */ |
|
| 41 | - protected $_targets; |
|
| 36 | + /** |
|
| 37 | + * Permitted targets. |
|
| 38 | + * |
|
| 39 | + * @var Target[] |
|
| 40 | + */ |
|
| 41 | + protected $_targets; |
|
| 42 | 42 | |
| 43 | - /** |
|
| 44 | - * Constructor. |
|
| 45 | - * |
|
| 46 | - * @param CertificationPath $holder_path Certification path of the AC holder |
|
| 47 | - * @param CertificationPath $issuer_path Certification path of the AC issuer |
|
| 48 | - */ |
|
| 49 | - public function __construct(CertificationPath $holder_path, |
|
| 50 | - CertificationPath $issuer_path) |
|
| 51 | - { |
|
| 52 | - $this->_holderPath = $holder_path; |
|
| 53 | - $this->_issuerPath = $issuer_path; |
|
| 54 | - $this->_evalTime = new \DateTimeImmutable(); |
|
| 55 | - $this->_targets = array(); |
|
| 56 | - } |
|
| 43 | + /** |
|
| 44 | + * Constructor. |
|
| 45 | + * |
|
| 46 | + * @param CertificationPath $holder_path Certification path of the AC holder |
|
| 47 | + * @param CertificationPath $issuer_path Certification path of the AC issuer |
|
| 48 | + */ |
|
| 49 | + public function __construct(CertificationPath $holder_path, |
|
| 50 | + CertificationPath $issuer_path) |
|
| 51 | + { |
|
| 52 | + $this->_holderPath = $holder_path; |
|
| 53 | + $this->_issuerPath = $issuer_path; |
|
| 54 | + $this->_evalTime = new \DateTimeImmutable(); |
|
| 55 | + $this->_targets = array(); |
|
| 56 | + } |
|
| 57 | 57 | |
| 58 | - /** |
|
| 59 | - * Get certification path of the AC's holder. |
|
| 60 | - * |
|
| 61 | - * @return CertificationPath |
|
| 62 | - */ |
|
| 63 | - public function holderPath(): CertificationPath |
|
| 64 | - { |
|
| 65 | - return $this->_holderPath; |
|
| 66 | - } |
|
| 58 | + /** |
|
| 59 | + * Get certification path of the AC's holder. |
|
| 60 | + * |
|
| 61 | + * @return CertificationPath |
|
| 62 | + */ |
|
| 63 | + public function holderPath(): CertificationPath |
|
| 64 | + { |
|
| 65 | + return $this->_holderPath; |
|
| 66 | + } |
|
| 67 | 67 | |
| 68 | - /** |
|
| 69 | - * Get certification path of the AC's issuer. |
|
| 70 | - * |
|
| 71 | - * @return CertificationPath |
|
| 72 | - */ |
|
| 73 | - public function issuerPath(): CertificationPath |
|
| 74 | - { |
|
| 75 | - return $this->_issuerPath; |
|
| 76 | - } |
|
| 68 | + /** |
|
| 69 | + * Get certification path of the AC's issuer. |
|
| 70 | + * |
|
| 71 | + * @return CertificationPath |
|
| 72 | + */ |
|
| 73 | + public function issuerPath(): CertificationPath |
|
| 74 | + { |
|
| 75 | + return $this->_issuerPath; |
|
| 76 | + } |
|
| 77 | 77 | |
| 78 | - /** |
|
| 79 | - * Get self with given evaluation reference time. |
|
| 80 | - * |
|
| 81 | - * @param \DateTimeImmutable $dt |
|
| 82 | - * @return self |
|
| 83 | - */ |
|
| 84 | - public function withEvaluationTime(\DateTimeImmutable $dt): self |
|
| 85 | - { |
|
| 86 | - $obj = clone $this; |
|
| 87 | - $obj->_evalTime = $dt; |
|
| 88 | - return $obj; |
|
| 89 | - } |
|
| 78 | + /** |
|
| 79 | + * Get self with given evaluation reference time. |
|
| 80 | + * |
|
| 81 | + * @param \DateTimeImmutable $dt |
|
| 82 | + * @return self |
|
| 83 | + */ |
|
| 84 | + public function withEvaluationTime(\DateTimeImmutable $dt): self |
|
| 85 | + { |
|
| 86 | + $obj = clone $this; |
|
| 87 | + $obj->_evalTime = $dt; |
|
| 88 | + return $obj; |
|
| 89 | + } |
|
| 90 | 90 | |
| 91 | - /** |
|
| 92 | - * Get the evaluation reference time. |
|
| 93 | - * |
|
| 94 | - * @return \DateTimeImmutable |
|
| 95 | - */ |
|
| 96 | - public function evaluationTime(): \DateTimeImmutable |
|
| 97 | - { |
|
| 98 | - return $this->_evalTime; |
|
| 99 | - } |
|
| 91 | + /** |
|
| 92 | + * Get the evaluation reference time. |
|
| 93 | + * |
|
| 94 | + * @return \DateTimeImmutable |
|
| 95 | + */ |
|
| 96 | + public function evaluationTime(): \DateTimeImmutable |
|
| 97 | + { |
|
| 98 | + return $this->_evalTime; |
|
| 99 | + } |
|
| 100 | 100 | |
| 101 | - /** |
|
| 102 | - * Get self with permitted targets. |
|
| 103 | - * |
|
| 104 | - * @param Target ...$targets |
|
| 105 | - * @return self |
|
| 106 | - */ |
|
| 107 | - public function withTargets(Target ...$targets): self |
|
| 108 | - { |
|
| 109 | - $obj = clone $this; |
|
| 110 | - $obj->_targets = $targets; |
|
| 111 | - return $obj; |
|
| 112 | - } |
|
| 101 | + /** |
|
| 102 | + * Get self with permitted targets. |
|
| 103 | + * |
|
| 104 | + * @param Target ...$targets |
|
| 105 | + * @return self |
|
| 106 | + */ |
|
| 107 | + public function withTargets(Target ...$targets): self |
|
| 108 | + { |
|
| 109 | + $obj = clone $this; |
|
| 110 | + $obj->_targets = $targets; |
|
| 111 | + return $obj; |
|
| 112 | + } |
|
| 113 | 113 | |
| 114 | - /** |
|
| 115 | - * Get array of permitted targets |
|
| 116 | - * |
|
| 117 | - * @return Target[] |
|
| 118 | - */ |
|
| 119 | - public function targets(): array |
|
| 120 | - { |
|
| 121 | - return $this->_targets; |
|
| 122 | - } |
|
| 114 | + /** |
|
| 115 | + * Get array of permitted targets |
|
| 116 | + * |
|
| 117 | + * @return Target[] |
|
| 118 | + */ |
|
| 119 | + public function targets(): array |
|
| 120 | + { |
|
| 121 | + return $this->_targets; |
|
| 122 | + } |
|
| 123 | 123 | } |
@@ -21,178 +21,178 @@ |
||
| 21 | 21 | */ |
| 22 | 22 | class ACValidator |
| 23 | 23 | { |
| 24 | - /** |
|
| 25 | - * Attribute certificate. |
|
| 26 | - * |
|
| 27 | - * @var AttributeCertificate |
|
| 28 | - */ |
|
| 29 | - protected $_ac; |
|
| 24 | + /** |
|
| 25 | + * Attribute certificate. |
|
| 26 | + * |
|
| 27 | + * @var AttributeCertificate |
|
| 28 | + */ |
|
| 29 | + protected $_ac; |
|
| 30 | 30 | |
| 31 | - /** |
|
| 32 | - * Validation configuration. |
|
| 33 | - * |
|
| 34 | - * @var ACValidationConfig |
|
| 35 | - */ |
|
| 36 | - protected $_config; |
|
| 31 | + /** |
|
| 32 | + * Validation configuration. |
|
| 33 | + * |
|
| 34 | + * @var ACValidationConfig |
|
| 35 | + */ |
|
| 36 | + protected $_config; |
|
| 37 | 37 | |
| 38 | - /** |
|
| 39 | - * Crypto engine. |
|
| 40 | - * |
|
| 41 | - * @var Crypto |
|
| 42 | - */ |
|
| 43 | - protected $_crypto; |
|
| 38 | + /** |
|
| 39 | + * Crypto engine. |
|
| 40 | + * |
|
| 41 | + * @var Crypto |
|
| 42 | + */ |
|
| 43 | + protected $_crypto; |
|
| 44 | 44 | |
| 45 | - /** |
|
| 46 | - * Constructor. |
|
| 47 | - * |
|
| 48 | - * @param AttributeCertificate $ac Attribute certificate to validate |
|
| 49 | - * @param ACValidationConfig $config Validation configuration |
|
| 50 | - * @param Crypto|null $crypto Crypto engine, use default if not set |
|
| 51 | - */ |
|
| 52 | - public function __construct(AttributeCertificate $ac, |
|
| 53 | - ACValidationConfig $config, Crypto $crypto = null) |
|
| 54 | - { |
|
| 55 | - $this->_ac = $ac; |
|
| 56 | - $this->_config = $config; |
|
| 57 | - $this->_crypto = $crypto ?: Crypto::getDefault(); |
|
| 58 | - } |
|
| 45 | + /** |
|
| 46 | + * Constructor. |
|
| 47 | + * |
|
| 48 | + * @param AttributeCertificate $ac Attribute certificate to validate |
|
| 49 | + * @param ACValidationConfig $config Validation configuration |
|
| 50 | + * @param Crypto|null $crypto Crypto engine, use default if not set |
|
| 51 | + */ |
|
| 52 | + public function __construct(AttributeCertificate $ac, |
|
| 53 | + ACValidationConfig $config, Crypto $crypto = null) |
|
| 54 | + { |
|
| 55 | + $this->_ac = $ac; |
|
| 56 | + $this->_config = $config; |
|
| 57 | + $this->_crypto = $crypto ?: Crypto::getDefault(); |
|
| 58 | + } |
|
| 59 | 59 | |
| 60 | - /** |
|
| 61 | - * Validate attribute certificate. |
|
| 62 | - * |
|
| 63 | - * @throws ACValidationException If validation fails |
|
| 64 | - * @return AttributeCertificate Validated AC |
|
| 65 | - */ |
|
| 66 | - public function validate(): AttributeCertificate |
|
| 67 | - { |
|
| 68 | - $this->_validateHolder(); |
|
| 69 | - $issuer = $this->_verifyIssuer(); |
|
| 70 | - $this->_validateIssuerProfile($issuer); |
|
| 71 | - $this->_validateTime(); |
|
| 72 | - $this->_validateTargeting(); |
|
| 73 | - return $this->_ac; |
|
| 74 | - } |
|
| 60 | + /** |
|
| 61 | + * Validate attribute certificate. |
|
| 62 | + * |
|
| 63 | + * @throws ACValidationException If validation fails |
|
| 64 | + * @return AttributeCertificate Validated AC |
|
| 65 | + */ |
|
| 66 | + public function validate(): AttributeCertificate |
|
| 67 | + { |
|
| 68 | + $this->_validateHolder(); |
|
| 69 | + $issuer = $this->_verifyIssuer(); |
|
| 70 | + $this->_validateIssuerProfile($issuer); |
|
| 71 | + $this->_validateTime(); |
|
| 72 | + $this->_validateTargeting(); |
|
| 73 | + return $this->_ac; |
|
| 74 | + } |
|
| 75 | 75 | |
| 76 | - /** |
|
| 77 | - * Validate AC holder's certification. |
|
| 78 | - * |
|
| 79 | - * @throws ACValidationException |
|
| 80 | - * @return Certificate Certificate of the AC's holder |
|
| 81 | - */ |
|
| 82 | - private function _validateHolder(): Certificate |
|
| 83 | - { |
|
| 84 | - $path = $this->_config->holderPath(); |
|
| 85 | - $config = PathValidationConfig::defaultConfig()->withMaxLength( |
|
| 86 | - count($path))->withDateTime($this->_config->evaluationTime()); |
|
| 87 | - try { |
|
| 88 | - $holder = $path->validate($config, $this->_crypto)->certificate(); |
|
| 89 | - } catch (PathValidationException $e) { |
|
| 90 | - throw new ACValidationException( |
|
| 91 | - "Failed to validate holder PKC's certification path.", 0, $e); |
|
| 92 | - } |
|
| 93 | - if (!$this->_ac->isHeldBy($holder)) { |
|
| 94 | - throw new ACValidationException("Name mismatch of AC's holder PKC."); |
|
| 95 | - } |
|
| 96 | - return $holder; |
|
| 97 | - } |
|
| 76 | + /** |
|
| 77 | + * Validate AC holder's certification. |
|
| 78 | + * |
|
| 79 | + * @throws ACValidationException |
|
| 80 | + * @return Certificate Certificate of the AC's holder |
|
| 81 | + */ |
|
| 82 | + private function _validateHolder(): Certificate |
|
| 83 | + { |
|
| 84 | + $path = $this->_config->holderPath(); |
|
| 85 | + $config = PathValidationConfig::defaultConfig()->withMaxLength( |
|
| 86 | + count($path))->withDateTime($this->_config->evaluationTime()); |
|
| 87 | + try { |
|
| 88 | + $holder = $path->validate($config, $this->_crypto)->certificate(); |
|
| 89 | + } catch (PathValidationException $e) { |
|
| 90 | + throw new ACValidationException( |
|
| 91 | + "Failed to validate holder PKC's certification path.", 0, $e); |
|
| 92 | + } |
|
| 93 | + if (!$this->_ac->isHeldBy($holder)) { |
|
| 94 | + throw new ACValidationException("Name mismatch of AC's holder PKC."); |
|
| 95 | + } |
|
| 96 | + return $holder; |
|
| 97 | + } |
|
| 98 | 98 | |
| 99 | - /** |
|
| 100 | - * Verify AC's signature and issuer's certification. |
|
| 101 | - * |
|
| 102 | - * @throws ACValidationException |
|
| 103 | - * @return Certificate Certificate of the AC's issuer |
|
| 104 | - */ |
|
| 105 | - private function _verifyIssuer(): Certificate |
|
| 106 | - { |
|
| 107 | - $path = $this->_config->issuerPath(); |
|
| 108 | - $config = PathValidationConfig::defaultConfig()->withMaxLength( |
|
| 109 | - count($path))->withDateTime($this->_config->evaluationTime()); |
|
| 110 | - try { |
|
| 111 | - $issuer = $path->validate($config, $this->_crypto)->certificate(); |
|
| 112 | - } catch (PathValidationException $e) { |
|
| 113 | - throw new ACValidationException( |
|
| 114 | - "Failed to validate issuer PKC's certification path.", 0, $e); |
|
| 115 | - } |
|
| 116 | - if (!$this->_ac->isIssuedBy($issuer)) { |
|
| 117 | - throw new ACValidationException("Name mismatch of AC's issuer PKC."); |
|
| 118 | - } |
|
| 119 | - $pubkey_info = $issuer->tbsCertificate()->subjectPublicKeyInfo(); |
|
| 120 | - if (!$this->_ac->verify($pubkey_info, $this->_crypto)) { |
|
| 121 | - throw new ACValidationException("Failed to verify signature."); |
|
| 122 | - } |
|
| 123 | - return $issuer; |
|
| 124 | - } |
|
| 99 | + /** |
|
| 100 | + * Verify AC's signature and issuer's certification. |
|
| 101 | + * |
|
| 102 | + * @throws ACValidationException |
|
| 103 | + * @return Certificate Certificate of the AC's issuer |
|
| 104 | + */ |
|
| 105 | + private function _verifyIssuer(): Certificate |
|
| 106 | + { |
|
| 107 | + $path = $this->_config->issuerPath(); |
|
| 108 | + $config = PathValidationConfig::defaultConfig()->withMaxLength( |
|
| 109 | + count($path))->withDateTime($this->_config->evaluationTime()); |
|
| 110 | + try { |
|
| 111 | + $issuer = $path->validate($config, $this->_crypto)->certificate(); |
|
| 112 | + } catch (PathValidationException $e) { |
|
| 113 | + throw new ACValidationException( |
|
| 114 | + "Failed to validate issuer PKC's certification path.", 0, $e); |
|
| 115 | + } |
|
| 116 | + if (!$this->_ac->isIssuedBy($issuer)) { |
|
| 117 | + throw new ACValidationException("Name mismatch of AC's issuer PKC."); |
|
| 118 | + } |
|
| 119 | + $pubkey_info = $issuer->tbsCertificate()->subjectPublicKeyInfo(); |
|
| 120 | + if (!$this->_ac->verify($pubkey_info, $this->_crypto)) { |
|
| 121 | + throw new ACValidationException("Failed to verify signature."); |
|
| 122 | + } |
|
| 123 | + return $issuer; |
|
| 124 | + } |
|
| 125 | 125 | |
| 126 | - /** |
|
| 127 | - * Validate AC issuer's profile. |
|
| 128 | - * |
|
| 129 | - * @link https://tools.ietf.org/html/rfc5755#section-4.5 |
|
| 130 | - * @param Certificate $cert |
|
| 131 | - * @throws ACValidationException |
|
| 132 | - */ |
|
| 133 | - private function _validateIssuerProfile(Certificate $cert) |
|
| 134 | - { |
|
| 135 | - $exts = $cert->tbsCertificate()->extensions(); |
|
| 136 | - if ($exts->hasKeyUsage() && !$exts->keyUsage()->isDigitalSignature()) { |
|
| 137 | - throw new ACValidationException( |
|
| 138 | - "Issuer PKC's Key Usage extension doesn't permit" . |
|
| 139 | - " verification of digital signatures."); |
|
| 140 | - } |
|
| 141 | - if ($exts->hasBasicConstraints() && $exts->basicConstraints()->isCA()) { |
|
| 142 | - throw new ACValidationException("Issuer PKC must not be a CA."); |
|
| 143 | - } |
|
| 144 | - } |
|
| 126 | + /** |
|
| 127 | + * Validate AC issuer's profile. |
|
| 128 | + * |
|
| 129 | + * @link https://tools.ietf.org/html/rfc5755#section-4.5 |
|
| 130 | + * @param Certificate $cert |
|
| 131 | + * @throws ACValidationException |
|
| 132 | + */ |
|
| 133 | + private function _validateIssuerProfile(Certificate $cert) |
|
| 134 | + { |
|
| 135 | + $exts = $cert->tbsCertificate()->extensions(); |
|
| 136 | + if ($exts->hasKeyUsage() && !$exts->keyUsage()->isDigitalSignature()) { |
|
| 137 | + throw new ACValidationException( |
|
| 138 | + "Issuer PKC's Key Usage extension doesn't permit" . |
|
| 139 | + " verification of digital signatures."); |
|
| 140 | + } |
|
| 141 | + if ($exts->hasBasicConstraints() && $exts->basicConstraints()->isCA()) { |
|
| 142 | + throw new ACValidationException("Issuer PKC must not be a CA."); |
|
| 143 | + } |
|
| 144 | + } |
|
| 145 | 145 | |
| 146 | - /** |
|
| 147 | - * Validate AC's validity period. |
|
| 148 | - * |
|
| 149 | - * @throws ACValidationException |
|
| 150 | - */ |
|
| 151 | - private function _validateTime() |
|
| 152 | - { |
|
| 153 | - $t = $this->_config->evaluationTime(); |
|
| 154 | - $validity = $this->_ac->acinfo()->validityPeriod(); |
|
| 155 | - if ($validity->notBeforeTime()->diff($t)->invert) { |
|
| 156 | - throw new ACValidationException("Validity period has not started."); |
|
| 157 | - } |
|
| 158 | - if ($t->diff($validity->notAfterTime())->invert) { |
|
| 159 | - throw new ACValidationException("Attribute certificate has expired."); |
|
| 160 | - } |
|
| 161 | - } |
|
| 146 | + /** |
|
| 147 | + * Validate AC's validity period. |
|
| 148 | + * |
|
| 149 | + * @throws ACValidationException |
|
| 150 | + */ |
|
| 151 | + private function _validateTime() |
|
| 152 | + { |
|
| 153 | + $t = $this->_config->evaluationTime(); |
|
| 154 | + $validity = $this->_ac->acinfo()->validityPeriod(); |
|
| 155 | + if ($validity->notBeforeTime()->diff($t)->invert) { |
|
| 156 | + throw new ACValidationException("Validity period has not started."); |
|
| 157 | + } |
|
| 158 | + if ($t->diff($validity->notAfterTime())->invert) { |
|
| 159 | + throw new ACValidationException("Attribute certificate has expired."); |
|
| 160 | + } |
|
| 161 | + } |
|
| 162 | 162 | |
| 163 | - /** |
|
| 164 | - * Validate AC's target information. |
|
| 165 | - * |
|
| 166 | - * @throws ACValidationException |
|
| 167 | - */ |
|
| 168 | - private function _validateTargeting() |
|
| 169 | - { |
|
| 170 | - $exts = $this->_ac->acinfo()->extensions(); |
|
| 171 | - // if target information extension is not present |
|
| 172 | - if (!$exts->has(Extension::OID_TARGET_INFORMATION)) { |
|
| 173 | - return; |
|
| 174 | - } |
|
| 175 | - $ext = $exts->get(Extension::OID_TARGET_INFORMATION); |
|
| 176 | - if ($ext instanceof TargetInformationExtension && |
|
| 177 | - !$this->_hasMatchingTarget($ext->targets())) { |
|
| 178 | - throw new ACValidationException( |
|
| 179 | - "Attribute certificate doesn't have a matching target."); |
|
| 180 | - } |
|
| 181 | - } |
|
| 163 | + /** |
|
| 164 | + * Validate AC's target information. |
|
| 165 | + * |
|
| 166 | + * @throws ACValidationException |
|
| 167 | + */ |
|
| 168 | + private function _validateTargeting() |
|
| 169 | + { |
|
| 170 | + $exts = $this->_ac->acinfo()->extensions(); |
|
| 171 | + // if target information extension is not present |
|
| 172 | + if (!$exts->has(Extension::OID_TARGET_INFORMATION)) { |
|
| 173 | + return; |
|
| 174 | + } |
|
| 175 | + $ext = $exts->get(Extension::OID_TARGET_INFORMATION); |
|
| 176 | + if ($ext instanceof TargetInformationExtension && |
|
| 177 | + !$this->_hasMatchingTarget($ext->targets())) { |
|
| 178 | + throw new ACValidationException( |
|
| 179 | + "Attribute certificate doesn't have a matching target."); |
|
| 180 | + } |
|
| 181 | + } |
|
| 182 | 182 | |
| 183 | - /** |
|
| 184 | - * Check whether validation configuration has matching targets. |
|
| 185 | - * |
|
| 186 | - * @param Targets $targets Set of eligible targets |
|
| 187 | - * @return boolean |
|
| 188 | - */ |
|
| 189 | - private function _hasMatchingTarget(Targets $targets): bool |
|
| 190 | - { |
|
| 191 | - foreach ($this->_config->targets() as $target) { |
|
| 192 | - if ($targets->hasTarget($target)) { |
|
| 193 | - return true; |
|
| 194 | - } |
|
| 195 | - } |
|
| 196 | - return false; |
|
| 197 | - } |
|
| 183 | + /** |
|
| 184 | + * Check whether validation configuration has matching targets. |
|
| 185 | + * |
|
| 186 | + * @param Targets $targets Set of eligible targets |
|
| 187 | + * @return boolean |
|
| 188 | + */ |
|
| 189 | + private function _hasMatchingTarget(Targets $targets): bool |
|
| 190 | + { |
|
| 191 | + foreach ($this->_config->targets() as $target) { |
|
| 192 | + if ($targets->hasTarget($target)) { |
|
| 193 | + return true; |
|
| 194 | + } |
|
| 195 | + } |
|
| 196 | + return false; |
|
| 197 | + } |
|
| 198 | 198 | } |
@@ -15,94 +15,94 @@ |
||
| 15 | 15 | */ |
| 16 | 16 | class AttCertValidityPeriod |
| 17 | 17 | { |
| 18 | - use DateTimeHelper; |
|
| 18 | + use DateTimeHelper; |
|
| 19 | 19 | |
| 20 | - /** |
|
| 21 | - * Not before time. |
|
| 22 | - * |
|
| 23 | - * @var \DateTimeImmutable |
|
| 24 | - */ |
|
| 25 | - protected $_notBeforeTime; |
|
| 20 | + /** |
|
| 21 | + * Not before time. |
|
| 22 | + * |
|
| 23 | + * @var \DateTimeImmutable |
|
| 24 | + */ |
|
| 25 | + protected $_notBeforeTime; |
|
| 26 | 26 | |
| 27 | - /** |
|
| 28 | - * Not after time. |
|
| 29 | - * |
|
| 30 | - * @var \DateTimeImmutable |
|
| 31 | - */ |
|
| 32 | - protected $_notAfterTime; |
|
| 27 | + /** |
|
| 28 | + * Not after time. |
|
| 29 | + * |
|
| 30 | + * @var \DateTimeImmutable |
|
| 31 | + */ |
|
| 32 | + protected $_notAfterTime; |
|
| 33 | 33 | |
| 34 | - /** |
|
| 35 | - * Constructor. |
|
| 36 | - * |
|
| 37 | - * @param \DateTimeImmutable $nb |
|
| 38 | - * @param \DateTimeImmutable $na |
|
| 39 | - */ |
|
| 40 | - public function __construct(\DateTimeImmutable $nb, \DateTimeImmutable $na) |
|
| 41 | - { |
|
| 42 | - $this->_notBeforeTime = $nb; |
|
| 43 | - $this->_notAfterTime = $na; |
|
| 44 | - } |
|
| 34 | + /** |
|
| 35 | + * Constructor. |
|
| 36 | + * |
|
| 37 | + * @param \DateTimeImmutable $nb |
|
| 38 | + * @param \DateTimeImmutable $na |
|
| 39 | + */ |
|
| 40 | + public function __construct(\DateTimeImmutable $nb, \DateTimeImmutable $na) |
|
| 41 | + { |
|
| 42 | + $this->_notBeforeTime = $nb; |
|
| 43 | + $this->_notAfterTime = $na; |
|
| 44 | + } |
|
| 45 | 45 | |
| 46 | - /** |
|
| 47 | - * Initialize from ASN.1. |
|
| 48 | - * |
|
| 49 | - * @param Sequence $seq |
|
| 50 | - * @return self |
|
| 51 | - */ |
|
| 52 | - public static function fromASN1(Sequence $seq): self |
|
| 53 | - { |
|
| 54 | - $nb = $seq->at(0) |
|
| 55 | - ->asGeneralizedTime() |
|
| 56 | - ->dateTime(); |
|
| 57 | - $na = $seq->at(1) |
|
| 58 | - ->asGeneralizedTime() |
|
| 59 | - ->dateTime(); |
|
| 60 | - return new self($nb, $na); |
|
| 61 | - } |
|
| 46 | + /** |
|
| 47 | + * Initialize from ASN.1. |
|
| 48 | + * |
|
| 49 | + * @param Sequence $seq |
|
| 50 | + * @return self |
|
| 51 | + */ |
|
| 52 | + public static function fromASN1(Sequence $seq): self |
|
| 53 | + { |
|
| 54 | + $nb = $seq->at(0) |
|
| 55 | + ->asGeneralizedTime() |
|
| 56 | + ->dateTime(); |
|
| 57 | + $na = $seq->at(1) |
|
| 58 | + ->asGeneralizedTime() |
|
| 59 | + ->dateTime(); |
|
| 60 | + return new self($nb, $na); |
|
| 61 | + } |
|
| 62 | 62 | |
| 63 | - /** |
|
| 64 | - * Initialize from date strings. |
|
| 65 | - * |
|
| 66 | - * @param string|null $nb_date Not before date |
|
| 67 | - * @param string|null $na_date Not after date |
|
| 68 | - * @param string|null $tz Timezone string |
|
| 69 | - * @return self |
|
| 70 | - */ |
|
| 71 | - public static function fromStrings($nb_date, $na_date, $tz = null): self |
|
| 72 | - { |
|
| 73 | - $nb = self::_createDateTime($nb_date, $tz); |
|
| 74 | - $na = self::_createDateTime($na_date, $tz); |
|
| 75 | - return new self($nb, $na); |
|
| 76 | - } |
|
| 63 | + /** |
|
| 64 | + * Initialize from date strings. |
|
| 65 | + * |
|
| 66 | + * @param string|null $nb_date Not before date |
|
| 67 | + * @param string|null $na_date Not after date |
|
| 68 | + * @param string|null $tz Timezone string |
|
| 69 | + * @return self |
|
| 70 | + */ |
|
| 71 | + public static function fromStrings($nb_date, $na_date, $tz = null): self |
|
| 72 | + { |
|
| 73 | + $nb = self::_createDateTime($nb_date, $tz); |
|
| 74 | + $na = self::_createDateTime($na_date, $tz); |
|
| 75 | + return new self($nb, $na); |
|
| 76 | + } |
|
| 77 | 77 | |
| 78 | - /** |
|
| 79 | - * Get not before time. |
|
| 80 | - * |
|
| 81 | - * @return \DateTimeImmutable |
|
| 82 | - */ |
|
| 83 | - public function notBeforeTime(): \DateTimeImmutable |
|
| 84 | - { |
|
| 85 | - return $this->_notBeforeTime; |
|
| 86 | - } |
|
| 78 | + /** |
|
| 79 | + * Get not before time. |
|
| 80 | + * |
|
| 81 | + * @return \DateTimeImmutable |
|
| 82 | + */ |
|
| 83 | + public function notBeforeTime(): \DateTimeImmutable |
|
| 84 | + { |
|
| 85 | + return $this->_notBeforeTime; |
|
| 86 | + } |
|
| 87 | 87 | |
| 88 | - /** |
|
| 89 | - * Get not after time. |
|
| 90 | - * |
|
| 91 | - * @return \DateTimeImmutable |
|
| 92 | - */ |
|
| 93 | - public function notAfterTime(): \DateTimeImmutable |
|
| 94 | - { |
|
| 95 | - return $this->_notAfterTime; |
|
| 96 | - } |
|
| 88 | + /** |
|
| 89 | + * Get not after time. |
|
| 90 | + * |
|
| 91 | + * @return \DateTimeImmutable |
|
| 92 | + */ |
|
| 93 | + public function notAfterTime(): \DateTimeImmutable |
|
| 94 | + { |
|
| 95 | + return $this->_notAfterTime; |
|
| 96 | + } |
|
| 97 | 97 | |
| 98 | - /** |
|
| 99 | - * Generate ASN.1 structure. |
|
| 100 | - * |
|
| 101 | - * @return Sequence |
|
| 102 | - */ |
|
| 103 | - public function toASN1(): Sequence |
|
| 104 | - { |
|
| 105 | - return new Sequence(new GeneralizedTime($this->_notBeforeTime), |
|
| 106 | - new GeneralizedTime($this->_notAfterTime)); |
|
| 107 | - } |
|
| 98 | + /** |
|
| 99 | + * Generate ASN.1 structure. |
|
| 100 | + * |
|
| 101 | + * @return Sequence |
|
| 102 | + */ |
|
| 103 | + public function toASN1(): Sequence |
|
| 104 | + { |
|
| 105 | + return new Sequence(new GeneralizedTime($this->_notBeforeTime), |
|
| 106 | + new GeneralizedTime($this->_notAfterTime)); |
|
| 107 | + } |
|
| 108 | 108 | } |
@@ -20,203 +20,203 @@ |
||
| 20 | 20 | */ |
| 21 | 21 | class AttributeCertificate |
| 22 | 22 | { |
| 23 | - /** |
|
| 24 | - * Attribute certificate info. |
|
| 25 | - * |
|
| 26 | - * @var AttributeCertificateInfo $_acinfo |
|
| 27 | - */ |
|
| 28 | - protected $_acinfo; |
|
| 29 | - |
|
| 30 | - /** |
|
| 31 | - * Signature algorithm identifier. |
|
| 32 | - * |
|
| 33 | - * @var SignatureAlgorithmIdentifier $_signatureAlgorithm |
|
| 34 | - */ |
|
| 35 | - protected $_signatureAlgorithm; |
|
| 36 | - |
|
| 37 | - /** |
|
| 38 | - * Signature value. |
|
| 39 | - * |
|
| 40 | - * @var Signature $_signatureValue |
|
| 41 | - */ |
|
| 42 | - protected $_signatureValue; |
|
| 43 | - |
|
| 44 | - /** |
|
| 45 | - * Constructor. |
|
| 46 | - * |
|
| 47 | - * @param AttributeCertificateInfo $acinfo |
|
| 48 | - * @param SignatureAlgorithmIdentifier $algo |
|
| 49 | - * @param Signature $signature |
|
| 50 | - */ |
|
| 51 | - public function __construct(AttributeCertificateInfo $acinfo, |
|
| 52 | - SignatureAlgorithmIdentifier $algo, Signature $signature) |
|
| 53 | - { |
|
| 54 | - $this->_acinfo = $acinfo; |
|
| 55 | - $this->_signatureAlgorithm = $algo; |
|
| 56 | - $this->_signatureValue = $signature; |
|
| 57 | - } |
|
| 58 | - |
|
| 59 | - /** |
|
| 60 | - * Initialize from ASN.1. |
|
| 61 | - * |
|
| 62 | - * @param Sequence $seq |
|
| 63 | - * @return self |
|
| 64 | - */ |
|
| 65 | - public static function fromASN1(Sequence $seq): self |
|
| 66 | - { |
|
| 67 | - $acinfo = AttributeCertificateInfo::fromASN1($seq->at(0)->asSequence()); |
|
| 68 | - $algo = AlgorithmIdentifier::fromASN1($seq->at(1)->asSequence()); |
|
| 69 | - if (!$algo instanceof SignatureAlgorithmIdentifier) { |
|
| 70 | - throw new \UnexpectedValueException( |
|
| 71 | - "Unsupported signature algorithm " . $algo->oid() . "."); |
|
| 72 | - } |
|
| 73 | - $signature = Signature::fromSignatureData( |
|
| 74 | - $seq->at(2) |
|
| 75 | - ->asBitString() |
|
| 76 | - ->string(), $algo); |
|
| 77 | - return new self($acinfo, $algo, $signature); |
|
| 78 | - } |
|
| 79 | - |
|
| 80 | - /** |
|
| 81 | - * Initialize from DER data. |
|
| 82 | - * |
|
| 83 | - * @param string $data |
|
| 84 | - * @return self |
|
| 85 | - */ |
|
| 86 | - public static function fromDER(string $data): self |
|
| 87 | - { |
|
| 88 | - return self::fromASN1(Sequence::fromDER($data)); |
|
| 89 | - } |
|
| 90 | - |
|
| 91 | - /** |
|
| 92 | - * Initialize from PEM. |
|
| 93 | - * |
|
| 94 | - * @param PEM $pem |
|
| 95 | - * @throws \UnexpectedValueException |
|
| 96 | - * @return self |
|
| 97 | - */ |
|
| 98 | - public static function fromPEM(PEM $pem): self |
|
| 99 | - { |
|
| 100 | - if ($pem->type() !== PEM::TYPE_ATTRIBUTE_CERTIFICATE) { |
|
| 101 | - throw new \UnexpectedValueException("Invalid PEM type."); |
|
| 102 | - } |
|
| 103 | - return self::fromDER($pem->data()); |
|
| 104 | - } |
|
| 105 | - |
|
| 106 | - /** |
|
| 107 | - * Get attribute certificate info. |
|
| 108 | - * |
|
| 109 | - * @return AttributeCertificateInfo |
|
| 110 | - */ |
|
| 111 | - public function acinfo(): AttributeCertificateInfo |
|
| 112 | - { |
|
| 113 | - return $this->_acinfo; |
|
| 114 | - } |
|
| 115 | - |
|
| 116 | - /** |
|
| 117 | - * Get signature algorithm identifier. |
|
| 118 | - * |
|
| 119 | - * @return SignatureAlgorithmIdentifier |
|
| 120 | - */ |
|
| 121 | - public function signatureAlgorithm(): SignatureAlgorithmIdentifier |
|
| 122 | - { |
|
| 123 | - return $this->_signatureAlgorithm; |
|
| 124 | - } |
|
| 125 | - |
|
| 126 | - /** |
|
| 127 | - * Get signature value. |
|
| 128 | - * |
|
| 129 | - * @return Signature |
|
| 130 | - */ |
|
| 131 | - public function signatureValue(): Signature |
|
| 132 | - { |
|
| 133 | - return $this->_signatureValue; |
|
| 134 | - } |
|
| 135 | - |
|
| 136 | - /** |
|
| 137 | - * Get ASN.1 structure. |
|
| 138 | - * |
|
| 139 | - * @return Sequence |
|
| 140 | - */ |
|
| 141 | - public function toASN1(): Sequence |
|
| 142 | - { |
|
| 143 | - return new Sequence($this->_acinfo->toASN1(), |
|
| 144 | - $this->_signatureAlgorithm->toASN1(), |
|
| 145 | - $this->_signatureValue->bitString()); |
|
| 146 | - } |
|
| 147 | - |
|
| 148 | - /** |
|
| 149 | - * Get attribute certificate as a DER. |
|
| 150 | - * |
|
| 151 | - * @return string |
|
| 152 | - */ |
|
| 153 | - public function toDER(): string |
|
| 154 | - { |
|
| 155 | - return $this->toASN1()->toDER(); |
|
| 156 | - } |
|
| 157 | - |
|
| 158 | - /** |
|
| 159 | - * Get attribute certificate as a PEM. |
|
| 160 | - * |
|
| 161 | - * @return PEM |
|
| 162 | - */ |
|
| 163 | - public function toPEM(): PEM |
|
| 164 | - { |
|
| 165 | - return new PEM(PEM::TYPE_ATTRIBUTE_CERTIFICATE, $this->toDER()); |
|
| 166 | - } |
|
| 167 | - |
|
| 168 | - /** |
|
| 169 | - * Check whether attribute certificate is issued to the subject identified |
|
| 170 | - * by given public key certificate. |
|
| 171 | - * |
|
| 172 | - * @param Certificate $cert Certificate |
|
| 173 | - * @return boolean |
|
| 174 | - */ |
|
| 175 | - public function isHeldBy(Certificate $cert): bool |
|
| 176 | - { |
|
| 177 | - if (!$this->_acinfo->holder()->identifiesPKC($cert)) { |
|
| 178 | - return false; |
|
| 179 | - } |
|
| 180 | - return true; |
|
| 181 | - } |
|
| 182 | - |
|
| 183 | - /** |
|
| 184 | - * Check whether attribute certificate is issued by given public key |
|
| 185 | - * certificate. |
|
| 186 | - * |
|
| 187 | - * @param Certificate $cert Certificate |
|
| 188 | - * @return boolean |
|
| 189 | - */ |
|
| 190 | - public function isIssuedBy(Certificate $cert): bool |
|
| 191 | - { |
|
| 192 | - if (!$this->_acinfo->issuer()->identifiesPKC($cert)) { |
|
| 193 | - return false; |
|
| 194 | - } |
|
| 195 | - return true; |
|
| 196 | - } |
|
| 197 | - |
|
| 198 | - /** |
|
| 199 | - * Verify signature. |
|
| 200 | - * |
|
| 201 | - * @param PublicKeyInfo $pubkey_info Signer's public key |
|
| 202 | - * @param Crypto|null $crypto Crypto engine, use default if not set |
|
| 203 | - * @return bool |
|
| 204 | - */ |
|
| 205 | - public function verify(PublicKeyInfo $pubkey_info, Crypto $crypto = null): bool |
|
| 206 | - { |
|
| 207 | - $crypto = $crypto ?: Crypto::getDefault(); |
|
| 208 | - $data = $this->_acinfo->toASN1()->toDER(); |
|
| 209 | - return $crypto->verify($data, $this->_signatureValue, $pubkey_info, |
|
| 210 | - $this->_signatureAlgorithm); |
|
| 211 | - } |
|
| 212 | - |
|
| 213 | - /** |
|
| 214 | - * Get attribute certificate as a PEM formatted string. |
|
| 215 | - * |
|
| 216 | - * @return string |
|
| 217 | - */ |
|
| 218 | - public function __toString() |
|
| 219 | - { |
|
| 220 | - return $this->toPEM()->string(); |
|
| 221 | - } |
|
| 23 | + /** |
|
| 24 | + * Attribute certificate info. |
|
| 25 | + * |
|
| 26 | + * @var AttributeCertificateInfo $_acinfo |
|
| 27 | + */ |
|
| 28 | + protected $_acinfo; |
|
| 29 | + |
|
| 30 | + /** |
|
| 31 | + * Signature algorithm identifier. |
|
| 32 | + * |
|
| 33 | + * @var SignatureAlgorithmIdentifier $_signatureAlgorithm |
|
| 34 | + */ |
|
| 35 | + protected $_signatureAlgorithm; |
|
| 36 | + |
|
| 37 | + /** |
|
| 38 | + * Signature value. |
|
| 39 | + * |
|
| 40 | + * @var Signature $_signatureValue |
|
| 41 | + */ |
|
| 42 | + protected $_signatureValue; |
|
| 43 | + |
|
| 44 | + /** |
|
| 45 | + * Constructor. |
|
| 46 | + * |
|
| 47 | + * @param AttributeCertificateInfo $acinfo |
|
| 48 | + * @param SignatureAlgorithmIdentifier $algo |
|
| 49 | + * @param Signature $signature |
|
| 50 | + */ |
|
| 51 | + public function __construct(AttributeCertificateInfo $acinfo, |
|
| 52 | + SignatureAlgorithmIdentifier $algo, Signature $signature) |
|
| 53 | + { |
|
| 54 | + $this->_acinfo = $acinfo; |
|
| 55 | + $this->_signatureAlgorithm = $algo; |
|
| 56 | + $this->_signatureValue = $signature; |
|
| 57 | + } |
|
| 58 | + |
|
| 59 | + /** |
|
| 60 | + * Initialize from ASN.1. |
|
| 61 | + * |
|
| 62 | + * @param Sequence $seq |
|
| 63 | + * @return self |
|
| 64 | + */ |
|
| 65 | + public static function fromASN1(Sequence $seq): self |
|
| 66 | + { |
|
| 67 | + $acinfo = AttributeCertificateInfo::fromASN1($seq->at(0)->asSequence()); |
|
| 68 | + $algo = AlgorithmIdentifier::fromASN1($seq->at(1)->asSequence()); |
|
| 69 | + if (!$algo instanceof SignatureAlgorithmIdentifier) { |
|
| 70 | + throw new \UnexpectedValueException( |
|
| 71 | + "Unsupported signature algorithm " . $algo->oid() . "."); |
|
| 72 | + } |
|
| 73 | + $signature = Signature::fromSignatureData( |
|
| 74 | + $seq->at(2) |
|
| 75 | + ->asBitString() |
|
| 76 | + ->string(), $algo); |
|
| 77 | + return new self($acinfo, $algo, $signature); |
|
| 78 | + } |
|
| 79 | + |
|
| 80 | + /** |
|
| 81 | + * Initialize from DER data. |
|
| 82 | + * |
|
| 83 | + * @param string $data |
|
| 84 | + * @return self |
|
| 85 | + */ |
|
| 86 | + public static function fromDER(string $data): self |
|
| 87 | + { |
|
| 88 | + return self::fromASN1(Sequence::fromDER($data)); |
|
| 89 | + } |
|
| 90 | + |
|
| 91 | + /** |
|
| 92 | + * Initialize from PEM. |
|
| 93 | + * |
|
| 94 | + * @param PEM $pem |
|
| 95 | + * @throws \UnexpectedValueException |
|
| 96 | + * @return self |
|
| 97 | + */ |
|
| 98 | + public static function fromPEM(PEM $pem): self |
|
| 99 | + { |
|
| 100 | + if ($pem->type() !== PEM::TYPE_ATTRIBUTE_CERTIFICATE) { |
|
| 101 | + throw new \UnexpectedValueException("Invalid PEM type."); |
|
| 102 | + } |
|
| 103 | + return self::fromDER($pem->data()); |
|
| 104 | + } |
|
| 105 | + |
|
| 106 | + /** |
|
| 107 | + * Get attribute certificate info. |
|
| 108 | + * |
|
| 109 | + * @return AttributeCertificateInfo |
|
| 110 | + */ |
|
| 111 | + public function acinfo(): AttributeCertificateInfo |
|
| 112 | + { |
|
| 113 | + return $this->_acinfo; |
|
| 114 | + } |
|
| 115 | + |
|
| 116 | + /** |
|
| 117 | + * Get signature algorithm identifier. |
|
| 118 | + * |
|
| 119 | + * @return SignatureAlgorithmIdentifier |
|
| 120 | + */ |
|
| 121 | + public function signatureAlgorithm(): SignatureAlgorithmIdentifier |
|
| 122 | + { |
|
| 123 | + return $this->_signatureAlgorithm; |
|
| 124 | + } |
|
| 125 | + |
|
| 126 | + /** |
|
| 127 | + * Get signature value. |
|
| 128 | + * |
|
| 129 | + * @return Signature |
|
| 130 | + */ |
|
| 131 | + public function signatureValue(): Signature |
|
| 132 | + { |
|
| 133 | + return $this->_signatureValue; |
|
| 134 | + } |
|
| 135 | + |
|
| 136 | + /** |
|
| 137 | + * Get ASN.1 structure. |
|
| 138 | + * |
|
| 139 | + * @return Sequence |
|
| 140 | + */ |
|
| 141 | + public function toASN1(): Sequence |
|
| 142 | + { |
|
| 143 | + return new Sequence($this->_acinfo->toASN1(), |
|
| 144 | + $this->_signatureAlgorithm->toASN1(), |
|
| 145 | + $this->_signatureValue->bitString()); |
|
| 146 | + } |
|
| 147 | + |
|
| 148 | + /** |
|
| 149 | + * Get attribute certificate as a DER. |
|
| 150 | + * |
|
| 151 | + * @return string |
|
| 152 | + */ |
|
| 153 | + public function toDER(): string |
|
| 154 | + { |
|
| 155 | + return $this->toASN1()->toDER(); |
|
| 156 | + } |
|
| 157 | + |
|
| 158 | + /** |
|
| 159 | + * Get attribute certificate as a PEM. |
|
| 160 | + * |
|
| 161 | + * @return PEM |
|
| 162 | + */ |
|
| 163 | + public function toPEM(): PEM |
|
| 164 | + { |
|
| 165 | + return new PEM(PEM::TYPE_ATTRIBUTE_CERTIFICATE, $this->toDER()); |
|
| 166 | + } |
|
| 167 | + |
|
| 168 | + /** |
|
| 169 | + * Check whether attribute certificate is issued to the subject identified |
|
| 170 | + * by given public key certificate. |
|
| 171 | + * |
|
| 172 | + * @param Certificate $cert Certificate |
|
| 173 | + * @return boolean |
|
| 174 | + */ |
|
| 175 | + public function isHeldBy(Certificate $cert): bool |
|
| 176 | + { |
|
| 177 | + if (!$this->_acinfo->holder()->identifiesPKC($cert)) { |
|
| 178 | + return false; |
|
| 179 | + } |
|
| 180 | + return true; |
|
| 181 | + } |
|
| 182 | + |
|
| 183 | + /** |
|
| 184 | + * Check whether attribute certificate is issued by given public key |
|
| 185 | + * certificate. |
|
| 186 | + * |
|
| 187 | + * @param Certificate $cert Certificate |
|
| 188 | + * @return boolean |
|
| 189 | + */ |
|
| 190 | + public function isIssuedBy(Certificate $cert): bool |
|
| 191 | + { |
|
| 192 | + if (!$this->_acinfo->issuer()->identifiesPKC($cert)) { |
|
| 193 | + return false; |
|
| 194 | + } |
|
| 195 | + return true; |
|
| 196 | + } |
|
| 197 | + |
|
| 198 | + /** |
|
| 199 | + * Verify signature. |
|
| 200 | + * |
|
| 201 | + * @param PublicKeyInfo $pubkey_info Signer's public key |
|
| 202 | + * @param Crypto|null $crypto Crypto engine, use default if not set |
|
| 203 | + * @return bool |
|
| 204 | + */ |
|
| 205 | + public function verify(PublicKeyInfo $pubkey_info, Crypto $crypto = null): bool |
|
| 206 | + { |
|
| 207 | + $crypto = $crypto ?: Crypto::getDefault(); |
|
| 208 | + $data = $this->_acinfo->toASN1()->toDER(); |
|
| 209 | + return $crypto->verify($data, $this->_signatureValue, $pubkey_info, |
|
| 210 | + $this->_signatureAlgorithm); |
|
| 211 | + } |
|
| 212 | + |
|
| 213 | + /** |
|
| 214 | + * Get attribute certificate as a PEM formatted string. |
|
| 215 | + * |
|
| 216 | + * @return string |
|
| 217 | + */ |
|
| 218 | + public function __toString() |
|
| 219 | + { |
|
| 220 | + return $this->toPEM()->string(); |
|
| 221 | + } |
|
| 222 | 222 | } |
@@ -13,72 +13,72 @@ |
||
| 13 | 13 | */ |
| 14 | 14 | class UniqueIdentifier |
| 15 | 15 | { |
| 16 | - /** |
|
| 17 | - * Identifier. |
|
| 18 | - * |
|
| 19 | - * @var BitString $_uid |
|
| 20 | - */ |
|
| 21 | - protected $_uid; |
|
| 16 | + /** |
|
| 17 | + * Identifier. |
|
| 18 | + * |
|
| 19 | + * @var BitString $_uid |
|
| 20 | + */ |
|
| 21 | + protected $_uid; |
|
| 22 | 22 | |
| 23 | - /** |
|
| 24 | - * Constructor. |
|
| 25 | - * |
|
| 26 | - * @param BitString $bs |
|
| 27 | - */ |
|
| 28 | - public function __construct(BitString $bs) |
|
| 29 | - { |
|
| 30 | - $this->_uid = $bs; |
|
| 31 | - } |
|
| 23 | + /** |
|
| 24 | + * Constructor. |
|
| 25 | + * |
|
| 26 | + * @param BitString $bs |
|
| 27 | + */ |
|
| 28 | + public function __construct(BitString $bs) |
|
| 29 | + { |
|
| 30 | + $this->_uid = $bs; |
|
| 31 | + } |
|
| 32 | 32 | |
| 33 | - /** |
|
| 34 | - * Initialize from ASN.1. |
|
| 35 | - * |
|
| 36 | - * @param BitString $bs |
|
| 37 | - * @return self |
|
| 38 | - */ |
|
| 39 | - public static function fromASN1(BitString $bs): UniqueIdentifier |
|
| 40 | - { |
|
| 41 | - return new self($bs); |
|
| 42 | - } |
|
| 33 | + /** |
|
| 34 | + * Initialize from ASN.1. |
|
| 35 | + * |
|
| 36 | + * @param BitString $bs |
|
| 37 | + * @return self |
|
| 38 | + */ |
|
| 39 | + public static function fromASN1(BitString $bs): UniqueIdentifier |
|
| 40 | + { |
|
| 41 | + return new self($bs); |
|
| 42 | + } |
|
| 43 | 43 | |
| 44 | - /** |
|
| 45 | - * Initialize from string. |
|
| 46 | - * |
|
| 47 | - * @param string $str |
|
| 48 | - * @return self |
|
| 49 | - */ |
|
| 50 | - public static function fromString(string $str): UniqueIdentifier |
|
| 51 | - { |
|
| 52 | - return new self(new BitString($str)); |
|
| 53 | - } |
|
| 44 | + /** |
|
| 45 | + * Initialize from string. |
|
| 46 | + * |
|
| 47 | + * @param string $str |
|
| 48 | + * @return self |
|
| 49 | + */ |
|
| 50 | + public static function fromString(string $str): UniqueIdentifier |
|
| 51 | + { |
|
| 52 | + return new self(new BitString($str)); |
|
| 53 | + } |
|
| 54 | 54 | |
| 55 | - /** |
|
| 56 | - * Get unique identifier as a string. |
|
| 57 | - * |
|
| 58 | - * @return string |
|
| 59 | - */ |
|
| 60 | - public function string(): string |
|
| 61 | - { |
|
| 62 | - return $this->_uid->string(); |
|
| 63 | - } |
|
| 55 | + /** |
|
| 56 | + * Get unique identifier as a string. |
|
| 57 | + * |
|
| 58 | + * @return string |
|
| 59 | + */ |
|
| 60 | + public function string(): string |
|
| 61 | + { |
|
| 62 | + return $this->_uid->string(); |
|
| 63 | + } |
|
| 64 | 64 | |
| 65 | - /** |
|
| 66 | - * Get unique identifier as a bit string. |
|
| 67 | - * |
|
| 68 | - * @return BitString |
|
| 69 | - */ |
|
| 70 | - public function bitString(): BitString |
|
| 71 | - { |
|
| 72 | - return $this->_uid; |
|
| 73 | - } |
|
| 65 | + /** |
|
| 66 | + * Get unique identifier as a bit string. |
|
| 67 | + * |
|
| 68 | + * @return BitString |
|
| 69 | + */ |
|
| 70 | + public function bitString(): BitString |
|
| 71 | + { |
|
| 72 | + return $this->_uid; |
|
| 73 | + } |
|
| 74 | 74 | |
| 75 | - /** |
|
| 76 | - * Get ASN.1 element. |
|
| 77 | - * |
|
| 78 | - * @return BitString |
|
| 79 | - */ |
|
| 80 | - public function toASN1(): BitString |
|
| 81 | - { |
|
| 82 | - return $this->_uid; |
|
| 83 | - } |
|
| 75 | + /** |
|
| 76 | + * Get ASN.1 element. |
|
| 77 | + * |
|
| 78 | + * @return BitString |
|
| 79 | + */ |
|
| 80 | + public function toASN1(): BitString |
|
| 81 | + { |
|
| 82 | + return $this->_uid; |
|
| 83 | + } |
|
| 84 | 84 | } |
