sop /
x509
@@ -12,274 +12,274 @@ |
||
| 12 | 12 | */ |
| 13 | 13 | class PathValidationConfig |
| 14 | 14 | { |
| 15 | - /** |
|
| 16 | - * Maximum allowed certification path length. |
|
| 17 | - * |
|
| 18 | - * @var int $_maxLength |
|
| 19 | - */ |
|
| 20 | - protected $_maxLength; |
|
| 15 | + /** |
|
| 16 | + * Maximum allowed certification path length. |
|
| 17 | + * |
|
| 18 | + * @var int $_maxLength |
|
| 19 | + */ |
|
| 20 | + protected $_maxLength; |
|
| 21 | 21 | |
| 22 | - /** |
|
| 23 | - * Reference time. |
|
| 24 | - * |
|
| 25 | - * @var \DateTimeImmutable $_dateTime |
|
| 26 | - */ |
|
| 27 | - protected $_dateTime; |
|
| 22 | + /** |
|
| 23 | + * Reference time. |
|
| 24 | + * |
|
| 25 | + * @var \DateTimeImmutable $_dateTime |
|
| 26 | + */ |
|
| 27 | + protected $_dateTime; |
|
| 28 | 28 | |
| 29 | - /** |
|
| 30 | - * List of acceptable policy identifiers. |
|
| 31 | - * |
|
| 32 | - * @var string[] $_policySet |
|
| 33 | - */ |
|
| 34 | - protected $_policySet; |
|
| 29 | + /** |
|
| 30 | + * List of acceptable policy identifiers. |
|
| 31 | + * |
|
| 32 | + * @var string[] $_policySet |
|
| 33 | + */ |
|
| 34 | + protected $_policySet; |
|
| 35 | 35 | |
| 36 | - /** |
|
| 37 | - * Trust anchor certificate. |
|
| 38 | - * |
|
| 39 | - * If not set, path validation uses the first certificate of the path. |
|
| 40 | - * |
|
| 41 | - * @var Certificate|null $_trustAnchor |
|
| 42 | - */ |
|
| 43 | - protected $_trustAnchor; |
|
| 36 | + /** |
|
| 37 | + * Trust anchor certificate. |
|
| 38 | + * |
|
| 39 | + * If not set, path validation uses the first certificate of the path. |
|
| 40 | + * |
|
| 41 | + * @var Certificate|null $_trustAnchor |
|
| 42 | + */ |
|
| 43 | + protected $_trustAnchor; |
|
| 44 | 44 | |
| 45 | - /** |
|
| 46 | - * Whether policy mapping in inhibited. |
|
| 47 | - * |
|
| 48 | - * Setting this to true disallows policy mapping. |
|
| 49 | - * |
|
| 50 | - * @var bool $_policyMappingInhibit |
|
| 51 | - */ |
|
| 52 | - protected $_policyMappingInhibit; |
|
| 45 | + /** |
|
| 46 | + * Whether policy mapping in inhibited. |
|
| 47 | + * |
|
| 48 | + * Setting this to true disallows policy mapping. |
|
| 49 | + * |
|
| 50 | + * @var bool $_policyMappingInhibit |
|
| 51 | + */ |
|
| 52 | + protected $_policyMappingInhibit; |
|
| 53 | 53 | |
| 54 | - /** |
|
| 55 | - * Whether the path must be valid for at least one policy in the |
|
| 56 | - * initial policy set. |
|
| 57 | - * |
|
| 58 | - * @var bool $_explicitPolicy |
|
| 59 | - */ |
|
| 60 | - protected $_explicitPolicy; |
|
| 54 | + /** |
|
| 55 | + * Whether the path must be valid for at least one policy in the |
|
| 56 | + * initial policy set. |
|
| 57 | + * |
|
| 58 | + * @var bool $_explicitPolicy |
|
| 59 | + */ |
|
| 60 | + protected $_explicitPolicy; |
|
| 61 | 61 | |
| 62 | - /** |
|
| 63 | - * Whether anyPolicy OID processing should be inhibited. |
|
| 64 | - * |
|
| 65 | - * Setting this to true disallows the usage of anyPolicy. |
|
| 66 | - * |
|
| 67 | - * @var bool $_anyPolicyInhibit |
|
| 68 | - */ |
|
| 69 | - protected $_anyPolicyInhibit; |
|
| 62 | + /** |
|
| 63 | + * Whether anyPolicy OID processing should be inhibited. |
|
| 64 | + * |
|
| 65 | + * Setting this to true disallows the usage of anyPolicy. |
|
| 66 | + * |
|
| 67 | + * @var bool $_anyPolicyInhibit |
|
| 68 | + */ |
|
| 69 | + protected $_anyPolicyInhibit; |
|
| 70 | 70 | |
| 71 | - /** |
|
| 72 | - * |
|
| 73 | - * @todo Implement |
|
| 74 | - * @var unknown $_permittedSubtrees |
|
| 75 | - */ |
|
| 76 | - protected $_permittedSubtrees; |
|
| 71 | + /** |
|
| 72 | + * |
|
| 73 | + * @todo Implement |
|
| 74 | + * @var unknown $_permittedSubtrees |
|
| 75 | + */ |
|
| 76 | + protected $_permittedSubtrees; |
|
| 77 | 77 | |
| 78 | - /** |
|
| 79 | - * |
|
| 80 | - * @todo Implement |
|
| 81 | - * @var unknown $_excludedSubtrees |
|
| 82 | - */ |
|
| 83 | - protected $_excludedSubtrees; |
|
| 78 | + /** |
|
| 79 | + * |
|
| 80 | + * @todo Implement |
|
| 81 | + * @var unknown $_excludedSubtrees |
|
| 82 | + */ |
|
| 83 | + protected $_excludedSubtrees; |
|
| 84 | 84 | |
| 85 | - /** |
|
| 86 | - * Constructor. |
|
| 87 | - * |
|
| 88 | - * @param \DateTimeImmutable $dt Reference date and time |
|
| 89 | - * @param int $max_length Maximum certification path length |
|
| 90 | - */ |
|
| 91 | - public function __construct(\DateTimeImmutable $dt, $max_length) |
|
| 92 | - { |
|
| 93 | - $this->_dateTime = $dt; |
|
| 94 | - $this->_maxLength = (int) $max_length; |
|
| 95 | - $this->_policySet = array((string) PolicyInformation::OID_ANY_POLICY); |
|
| 96 | - $this->_policyMappingInhibit = false; |
|
| 97 | - $this->_explicitPolicy = false; |
|
| 98 | - $this->_anyPolicyInhibit = false; |
|
| 99 | - } |
|
| 85 | + /** |
|
| 86 | + * Constructor. |
|
| 87 | + * |
|
| 88 | + * @param \DateTimeImmutable $dt Reference date and time |
|
| 89 | + * @param int $max_length Maximum certification path length |
|
| 90 | + */ |
|
| 91 | + public function __construct(\DateTimeImmutable $dt, $max_length) |
|
| 92 | + { |
|
| 93 | + $this->_dateTime = $dt; |
|
| 94 | + $this->_maxLength = (int) $max_length; |
|
| 95 | + $this->_policySet = array((string) PolicyInformation::OID_ANY_POLICY); |
|
| 96 | + $this->_policyMappingInhibit = false; |
|
| 97 | + $this->_explicitPolicy = false; |
|
| 98 | + $this->_anyPolicyInhibit = false; |
|
| 99 | + } |
|
| 100 | 100 | |
| 101 | - /** |
|
| 102 | - * Get default configuration. |
|
| 103 | - * |
|
| 104 | - * @return self |
|
| 105 | - */ |
|
| 106 | - public static function defaultConfig() |
|
| 107 | - { |
|
| 108 | - return new self(new \DateTimeImmutable(), 3); |
|
| 109 | - } |
|
| 101 | + /** |
|
| 102 | + * Get default configuration. |
|
| 103 | + * |
|
| 104 | + * @return self |
|
| 105 | + */ |
|
| 106 | + public static function defaultConfig() |
|
| 107 | + { |
|
| 108 | + return new self(new \DateTimeImmutable(), 3); |
|
| 109 | + } |
|
| 110 | 110 | |
| 111 | - /** |
|
| 112 | - * Get self with maximum path length. |
|
| 113 | - * |
|
| 114 | - * @param int $length |
|
| 115 | - * @return self |
|
| 116 | - */ |
|
| 117 | - public function withMaxLength($length) |
|
| 118 | - { |
|
| 119 | - $obj = clone $this; |
|
| 120 | - $obj->_maxLength = $length; |
|
| 121 | - return $obj; |
|
| 122 | - } |
|
| 111 | + /** |
|
| 112 | + * Get self with maximum path length. |
|
| 113 | + * |
|
| 114 | + * @param int $length |
|
| 115 | + * @return self |
|
| 116 | + */ |
|
| 117 | + public function withMaxLength($length) |
|
| 118 | + { |
|
| 119 | + $obj = clone $this; |
|
| 120 | + $obj->_maxLength = $length; |
|
| 121 | + return $obj; |
|
| 122 | + } |
|
| 123 | 123 | |
| 124 | - /** |
|
| 125 | - * Get self with reference date and time. |
|
| 126 | - * |
|
| 127 | - * @param \DateTimeImmutable $dt |
|
| 128 | - * @return self |
|
| 129 | - */ |
|
| 130 | - public function withDateTime(\DateTimeImmutable $dt) |
|
| 131 | - { |
|
| 132 | - $obj = clone $this; |
|
| 133 | - $obj->_dateTime = $dt; |
|
| 134 | - return $obj; |
|
| 135 | - } |
|
| 124 | + /** |
|
| 125 | + * Get self with reference date and time. |
|
| 126 | + * |
|
| 127 | + * @param \DateTimeImmutable $dt |
|
| 128 | + * @return self |
|
| 129 | + */ |
|
| 130 | + public function withDateTime(\DateTimeImmutable $dt) |
|
| 131 | + { |
|
| 132 | + $obj = clone $this; |
|
| 133 | + $obj->_dateTime = $dt; |
|
| 134 | + return $obj; |
|
| 135 | + } |
|
| 136 | 136 | |
| 137 | - /** |
|
| 138 | - * Get self with trust anchor certificate. |
|
| 139 | - * |
|
| 140 | - * @param Certificate $ca |
|
| 141 | - * @return self |
|
| 142 | - */ |
|
| 143 | - public function withTrustAnchor(Certificate $ca) |
|
| 144 | - { |
|
| 145 | - $obj = clone $this; |
|
| 146 | - $obj->_trustAnchor = $ca; |
|
| 147 | - return $obj; |
|
| 148 | - } |
|
| 137 | + /** |
|
| 138 | + * Get self with trust anchor certificate. |
|
| 139 | + * |
|
| 140 | + * @param Certificate $ca |
|
| 141 | + * @return self |
|
| 142 | + */ |
|
| 143 | + public function withTrustAnchor(Certificate $ca) |
|
| 144 | + { |
|
| 145 | + $obj = clone $this; |
|
| 146 | + $obj->_trustAnchor = $ca; |
|
| 147 | + return $obj; |
|
| 148 | + } |
|
| 149 | 149 | |
| 150 | - /** |
|
| 151 | - * Get self with initial-policy-mapping-inhibit set. |
|
| 152 | - * |
|
| 153 | - * @param bool $flag |
|
| 154 | - * @return self |
|
| 155 | - */ |
|
| 156 | - public function withPolicyMappingInhibit($flag) |
|
| 157 | - { |
|
| 158 | - $obj = clone $this; |
|
| 159 | - $obj->_policyMappingInhibit = (bool) $flag; |
|
| 160 | - return $obj; |
|
| 161 | - } |
|
| 150 | + /** |
|
| 151 | + * Get self with initial-policy-mapping-inhibit set. |
|
| 152 | + * |
|
| 153 | + * @param bool $flag |
|
| 154 | + * @return self |
|
| 155 | + */ |
|
| 156 | + public function withPolicyMappingInhibit($flag) |
|
| 157 | + { |
|
| 158 | + $obj = clone $this; |
|
| 159 | + $obj->_policyMappingInhibit = (bool) $flag; |
|
| 160 | + return $obj; |
|
| 161 | + } |
|
| 162 | 162 | |
| 163 | - /** |
|
| 164 | - * Get self with initial-explicit-policy set. |
|
| 165 | - * |
|
| 166 | - * @param bool $flag |
|
| 167 | - * @return self |
|
| 168 | - */ |
|
| 169 | - public function withExplicitPolicy($flag) |
|
| 170 | - { |
|
| 171 | - $obj = clone $this; |
|
| 172 | - $obj->_explicitPolicy = (bool) $flag; |
|
| 173 | - return $obj; |
|
| 174 | - } |
|
| 163 | + /** |
|
| 164 | + * Get self with initial-explicit-policy set. |
|
| 165 | + * |
|
| 166 | + * @param bool $flag |
|
| 167 | + * @return self |
|
| 168 | + */ |
|
| 169 | + public function withExplicitPolicy($flag) |
|
| 170 | + { |
|
| 171 | + $obj = clone $this; |
|
| 172 | + $obj->_explicitPolicy = (bool) $flag; |
|
| 173 | + return $obj; |
|
| 174 | + } |
|
| 175 | 175 | |
| 176 | - /** |
|
| 177 | - * Get self with initial-any-policy-inhibit set. |
|
| 178 | - * |
|
| 179 | - * @param bool $flag |
|
| 180 | - * @return self |
|
| 181 | - */ |
|
| 182 | - public function withAnyPolicyInhibit($flag) |
|
| 183 | - { |
|
| 184 | - $obj = clone $this; |
|
| 185 | - $obj->_anyPolicyInhibit = (bool) $flag; |
|
| 186 | - return $obj; |
|
| 187 | - } |
|
| 176 | + /** |
|
| 177 | + * Get self with initial-any-policy-inhibit set. |
|
| 178 | + * |
|
| 179 | + * @param bool $flag |
|
| 180 | + * @return self |
|
| 181 | + */ |
|
| 182 | + public function withAnyPolicyInhibit($flag) |
|
| 183 | + { |
|
| 184 | + $obj = clone $this; |
|
| 185 | + $obj->_anyPolicyInhibit = (bool) $flag; |
|
| 186 | + return $obj; |
|
| 187 | + } |
|
| 188 | 188 | |
| 189 | - /** |
|
| 190 | - * Get self with user-initial-policy-set set to policy OIDs. |
|
| 191 | - * |
|
| 192 | - * @param string ...$policies List of policy OIDs |
|
| 193 | - * @return self |
|
| 194 | - */ |
|
| 195 | - public function withPolicySet(...$policies) |
|
| 196 | - { |
|
| 197 | - $obj = clone $this; |
|
| 198 | - $obj->_policySet = $policies; |
|
| 199 | - return $obj; |
|
| 200 | - } |
|
| 189 | + /** |
|
| 190 | + * Get self with user-initial-policy-set set to policy OIDs. |
|
| 191 | + * |
|
| 192 | + * @param string ...$policies List of policy OIDs |
|
| 193 | + * @return self |
|
| 194 | + */ |
|
| 195 | + public function withPolicySet(...$policies) |
|
| 196 | + { |
|
| 197 | + $obj = clone $this; |
|
| 198 | + $obj->_policySet = $policies; |
|
| 199 | + return $obj; |
|
| 200 | + } |
|
| 201 | 201 | |
| 202 | - /** |
|
| 203 | - * Get maximum certification path length. |
|
| 204 | - * |
|
| 205 | - * @return int |
|
| 206 | - */ |
|
| 207 | - public function maxLength() |
|
| 208 | - { |
|
| 209 | - return $this->_maxLength; |
|
| 210 | - } |
|
| 202 | + /** |
|
| 203 | + * Get maximum certification path length. |
|
| 204 | + * |
|
| 205 | + * @return int |
|
| 206 | + */ |
|
| 207 | + public function maxLength() |
|
| 208 | + { |
|
| 209 | + return $this->_maxLength; |
|
| 210 | + } |
|
| 211 | 211 | |
| 212 | - /** |
|
| 213 | - * Get reference date and time. |
|
| 214 | - * |
|
| 215 | - * @return \DateTimeImmutable |
|
| 216 | - */ |
|
| 217 | - public function dateTime() |
|
| 218 | - { |
|
| 219 | - return $this->_dateTime; |
|
| 220 | - } |
|
| 212 | + /** |
|
| 213 | + * Get reference date and time. |
|
| 214 | + * |
|
| 215 | + * @return \DateTimeImmutable |
|
| 216 | + */ |
|
| 217 | + public function dateTime() |
|
| 218 | + { |
|
| 219 | + return $this->_dateTime; |
|
| 220 | + } |
|
| 221 | 221 | |
| 222 | - /** |
|
| 223 | - * Get user-initial-policy-set. |
|
| 224 | - * |
|
| 225 | - * @return string[] Array of OID's |
|
| 226 | - */ |
|
| 227 | - public function policySet() |
|
| 228 | - { |
|
| 229 | - return $this->_policySet; |
|
| 230 | - } |
|
| 222 | + /** |
|
| 223 | + * Get user-initial-policy-set. |
|
| 224 | + * |
|
| 225 | + * @return string[] Array of OID's |
|
| 226 | + */ |
|
| 227 | + public function policySet() |
|
| 228 | + { |
|
| 229 | + return $this->_policySet; |
|
| 230 | + } |
|
| 231 | 231 | |
| 232 | - /** |
|
| 233 | - * Check whether trust anchor certificate is set. |
|
| 234 | - * |
|
| 235 | - * @return bool |
|
| 236 | - */ |
|
| 237 | - public function hasTrustAnchor() |
|
| 238 | - { |
|
| 239 | - return isset($this->_trustAnchor); |
|
| 240 | - } |
|
| 232 | + /** |
|
| 233 | + * Check whether trust anchor certificate is set. |
|
| 234 | + * |
|
| 235 | + * @return bool |
|
| 236 | + */ |
|
| 237 | + public function hasTrustAnchor() |
|
| 238 | + { |
|
| 239 | + return isset($this->_trustAnchor); |
|
| 240 | + } |
|
| 241 | 241 | |
| 242 | - /** |
|
| 243 | - * Get trust anchor certificate. |
|
| 244 | - * |
|
| 245 | - * @throws \LogicException |
|
| 246 | - * @return Certificate |
|
| 247 | - */ |
|
| 248 | - public function trustAnchor() |
|
| 249 | - { |
|
| 250 | - if (!$this->hasTrustAnchor()) { |
|
| 251 | - throw new \LogicException("No trust anchor."); |
|
| 252 | - } |
|
| 253 | - return $this->_trustAnchor; |
|
| 254 | - } |
|
| 242 | + /** |
|
| 243 | + * Get trust anchor certificate. |
|
| 244 | + * |
|
| 245 | + * @throws \LogicException |
|
| 246 | + * @return Certificate |
|
| 247 | + */ |
|
| 248 | + public function trustAnchor() |
|
| 249 | + { |
|
| 250 | + if (!$this->hasTrustAnchor()) { |
|
| 251 | + throw new \LogicException("No trust anchor."); |
|
| 252 | + } |
|
| 253 | + return $this->_trustAnchor; |
|
| 254 | + } |
|
| 255 | 255 | |
| 256 | - /** |
|
| 257 | - * Get initial-policy-mapping-inhibit. |
|
| 258 | - * |
|
| 259 | - * @return bool |
|
| 260 | - */ |
|
| 261 | - public function policyMappingInhibit() |
|
| 262 | - { |
|
| 263 | - return $this->_policyMappingInhibit; |
|
| 264 | - } |
|
| 256 | + /** |
|
| 257 | + * Get initial-policy-mapping-inhibit. |
|
| 258 | + * |
|
| 259 | + * @return bool |
|
| 260 | + */ |
|
| 261 | + public function policyMappingInhibit() |
|
| 262 | + { |
|
| 263 | + return $this->_policyMappingInhibit; |
|
| 264 | + } |
|
| 265 | 265 | |
| 266 | - /** |
|
| 267 | - * Get initial-explicit-policy. |
|
| 268 | - * |
|
| 269 | - * @return bool |
|
| 270 | - */ |
|
| 271 | - public function explicitPolicy() |
|
| 272 | - { |
|
| 273 | - return $this->_explicitPolicy; |
|
| 274 | - } |
|
| 266 | + /** |
|
| 267 | + * Get initial-explicit-policy. |
|
| 268 | + * |
|
| 269 | + * @return bool |
|
| 270 | + */ |
|
| 271 | + public function explicitPolicy() |
|
| 272 | + { |
|
| 273 | + return $this->_explicitPolicy; |
|
| 274 | + } |
|
| 275 | 275 | |
| 276 | - /** |
|
| 277 | - * Get initial-any-policy-inhibit. |
|
| 278 | - * |
|
| 279 | - * @return bool |
|
| 280 | - */ |
|
| 281 | - public function anyPolicyInhibit() |
|
| 282 | - { |
|
| 283 | - return $this->_anyPolicyInhibit; |
|
| 284 | - } |
|
| 276 | + /** |
|
| 277 | + * Get initial-any-policy-inhibit. |
|
| 278 | + * |
|
| 279 | + * @return bool |
|
| 280 | + */ |
|
| 281 | + public function anyPolicyInhibit() |
|
| 282 | + { |
|
| 283 | + return $this->_anyPolicyInhibit; |
|
| 284 | + } |
|
| 285 | 285 | } |
@@ -14,137 +14,137 @@ |
||
| 14 | 14 | */ |
| 15 | 15 | class CertificationPathBuilder |
| 16 | 16 | { |
| 17 | - /** |
|
| 18 | - * Trust anchors. |
|
| 19 | - * |
|
| 20 | - * @var CertificateBundle |
|
| 21 | - */ |
|
| 22 | - protected $_trustList; |
|
| 17 | + /** |
|
| 18 | + * Trust anchors. |
|
| 19 | + * |
|
| 20 | + * @var CertificateBundle |
|
| 21 | + */ |
|
| 22 | + protected $_trustList; |
|
| 23 | 23 | |
| 24 | - /** |
|
| 25 | - * Constructor. |
|
| 26 | - * |
|
| 27 | - * @param CertificateBundle $trust_list List of trust anchors |
|
| 28 | - */ |
|
| 29 | - public function __construct(CertificateBundle $trust_list) |
|
| 30 | - { |
|
| 31 | - $this->_trustList = $trust_list; |
|
| 32 | - } |
|
| 24 | + /** |
|
| 25 | + * Constructor. |
|
| 26 | + * |
|
| 27 | + * @param CertificateBundle $trust_list List of trust anchors |
|
| 28 | + */ |
|
| 29 | + public function __construct(CertificateBundle $trust_list) |
|
| 30 | + { |
|
| 31 | + $this->_trustList = $trust_list; |
|
| 32 | + } |
|
| 33 | 33 | |
| 34 | - /** |
|
| 35 | - * Get all certification paths to given target certificate from |
|
| 36 | - * any trust anchor. |
|
| 37 | - * |
|
| 38 | - * @param Certificate $target Target certificate |
|
| 39 | - * @param CertificateBundle|null $intermediate Optional intermediate |
|
| 40 | - * certificates |
|
| 41 | - * @return CertificationPath[] |
|
| 42 | - */ |
|
| 43 | - public function allPathsToTarget(Certificate $target, |
|
| 44 | - CertificateBundle $intermediate = null) |
|
| 45 | - { |
|
| 46 | - $paths = $this->_resolvePathsToTarget($target, $intermediate); |
|
| 47 | - // map paths to CertificationPath objects |
|
| 48 | - return array_map( |
|
| 49 | - function ($certs) { |
|
| 50 | - return new CertificationPath(...$certs); |
|
| 51 | - }, $paths); |
|
| 52 | - } |
|
| 34 | + /** |
|
| 35 | + * Get all certification paths to given target certificate from |
|
| 36 | + * any trust anchor. |
|
| 37 | + * |
|
| 38 | + * @param Certificate $target Target certificate |
|
| 39 | + * @param CertificateBundle|null $intermediate Optional intermediate |
|
| 40 | + * certificates |
|
| 41 | + * @return CertificationPath[] |
|
| 42 | + */ |
|
| 43 | + public function allPathsToTarget(Certificate $target, |
|
| 44 | + CertificateBundle $intermediate = null) |
|
| 45 | + { |
|
| 46 | + $paths = $this->_resolvePathsToTarget($target, $intermediate); |
|
| 47 | + // map paths to CertificationPath objects |
|
| 48 | + return array_map( |
|
| 49 | + function ($certs) { |
|
| 50 | + return new CertificationPath(...$certs); |
|
| 51 | + }, $paths); |
|
| 52 | + } |
|
| 53 | 53 | |
| 54 | - /** |
|
| 55 | - * Resolve all possible certification paths from any trust anchor to |
|
| 56 | - * the target certificate, using optional intermediate certificates. |
|
| 57 | - * |
|
| 58 | - * Helper method for allPathsToTarget to be called recursively. |
|
| 59 | - * |
|
| 60 | - * @todo Implement loop detection |
|
| 61 | - * @param Certificate $target |
|
| 62 | - * @param CertificateBundle $intermediate |
|
| 63 | - * @return array[] Array of arrays containing path certificates |
|
| 64 | - */ |
|
| 65 | - private function _resolvePathsToTarget(Certificate $target, |
|
| 66 | - CertificateBundle $intermediate = null) |
|
| 67 | - { |
|
| 68 | - // array of possible paths |
|
| 69 | - $paths = array(); |
|
| 70 | - // signed by certificate in the trust list |
|
| 71 | - foreach ($this->_findIssuers($target, $this->_trustList) as $issuer) { |
|
| 72 | - // if target is self-signed, path consists of only |
|
| 73 | - // the target certificate |
|
| 74 | - if ($target->equals($issuer)) { |
|
| 75 | - $paths[] = array($target); |
|
| 76 | - } else { |
|
| 77 | - $paths[] = array($issuer, $target); |
|
| 78 | - } |
|
| 79 | - } |
|
| 80 | - if (isset($intermediate)) { |
|
| 81 | - // signed by intermediate certificate |
|
| 82 | - foreach ($this->_findIssuers($target, $intermediate) as $issuer) { |
|
| 83 | - // intermediate certificate must not be self-signed |
|
| 84 | - if ($issuer->isSelfIssued()) { |
|
| 85 | - continue; |
|
| 86 | - } |
|
| 87 | - // resolve paths to issuer |
|
| 88 | - $subpaths = $this->_resolvePathsToTarget($issuer, $intermediate); |
|
| 89 | - foreach ($subpaths as $path) { |
|
| 90 | - $paths[] = array_merge($path, array($target)); |
|
| 91 | - } |
|
| 92 | - } |
|
| 93 | - } |
|
| 94 | - return $paths; |
|
| 95 | - } |
|
| 54 | + /** |
|
| 55 | + * Resolve all possible certification paths from any trust anchor to |
|
| 56 | + * the target certificate, using optional intermediate certificates. |
|
| 57 | + * |
|
| 58 | + * Helper method for allPathsToTarget to be called recursively. |
|
| 59 | + * |
|
| 60 | + * @todo Implement loop detection |
|
| 61 | + * @param Certificate $target |
|
| 62 | + * @param CertificateBundle $intermediate |
|
| 63 | + * @return array[] Array of arrays containing path certificates |
|
| 64 | + */ |
|
| 65 | + private function _resolvePathsToTarget(Certificate $target, |
|
| 66 | + CertificateBundle $intermediate = null) |
|
| 67 | + { |
|
| 68 | + // array of possible paths |
|
| 69 | + $paths = array(); |
|
| 70 | + // signed by certificate in the trust list |
|
| 71 | + foreach ($this->_findIssuers($target, $this->_trustList) as $issuer) { |
|
| 72 | + // if target is self-signed, path consists of only |
|
| 73 | + // the target certificate |
|
| 74 | + if ($target->equals($issuer)) { |
|
| 75 | + $paths[] = array($target); |
|
| 76 | + } else { |
|
| 77 | + $paths[] = array($issuer, $target); |
|
| 78 | + } |
|
| 79 | + } |
|
| 80 | + if (isset($intermediate)) { |
|
| 81 | + // signed by intermediate certificate |
|
| 82 | + foreach ($this->_findIssuers($target, $intermediate) as $issuer) { |
|
| 83 | + // intermediate certificate must not be self-signed |
|
| 84 | + if ($issuer->isSelfIssued()) { |
|
| 85 | + continue; |
|
| 86 | + } |
|
| 87 | + // resolve paths to issuer |
|
| 88 | + $subpaths = $this->_resolvePathsToTarget($issuer, $intermediate); |
|
| 89 | + foreach ($subpaths as $path) { |
|
| 90 | + $paths[] = array_merge($path, array($target)); |
|
| 91 | + } |
|
| 92 | + } |
|
| 93 | + } |
|
| 94 | + return $paths; |
|
| 95 | + } |
|
| 96 | 96 | |
| 97 | - /** |
|
| 98 | - * Get shortest path to given target certificate from any trust anchor. |
|
| 99 | - * |
|
| 100 | - * @param Certificate $target Target certificate |
|
| 101 | - * @param CertificateBundle|null $intermediate Optional intermediate |
|
| 102 | - * certificates |
|
| 103 | - * @throws PathBuildingException |
|
| 104 | - * @return CertificationPath |
|
| 105 | - */ |
|
| 106 | - public function shortestPathToTarget(Certificate $target, |
|
| 107 | - CertificateBundle $intermediate = null) |
|
| 108 | - { |
|
| 109 | - $paths = $this->allPathsToTarget($target, $intermediate); |
|
| 110 | - if (!count($paths)) { |
|
| 111 | - throw new PathBuildingException("No certification paths."); |
|
| 112 | - } |
|
| 113 | - usort($paths, |
|
| 114 | - function ($a, $b) { |
|
| 115 | - return count($a) < count($b) ? -1 : 1; |
|
| 116 | - }); |
|
| 117 | - return reset($paths); |
|
| 118 | - } |
|
| 97 | + /** |
|
| 98 | + * Get shortest path to given target certificate from any trust anchor. |
|
| 99 | + * |
|
| 100 | + * @param Certificate $target Target certificate |
|
| 101 | + * @param CertificateBundle|null $intermediate Optional intermediate |
|
| 102 | + * certificates |
|
| 103 | + * @throws PathBuildingException |
|
| 104 | + * @return CertificationPath |
|
| 105 | + */ |
|
| 106 | + public function shortestPathToTarget(Certificate $target, |
|
| 107 | + CertificateBundle $intermediate = null) |
|
| 108 | + { |
|
| 109 | + $paths = $this->allPathsToTarget($target, $intermediate); |
|
| 110 | + if (!count($paths)) { |
|
| 111 | + throw new PathBuildingException("No certification paths."); |
|
| 112 | + } |
|
| 113 | + usort($paths, |
|
| 114 | + function ($a, $b) { |
|
| 115 | + return count($a) < count($b) ? -1 : 1; |
|
| 116 | + }); |
|
| 117 | + return reset($paths); |
|
| 118 | + } |
|
| 119 | 119 | |
| 120 | - /** |
|
| 121 | - * Find all issuers of the target certificate from a given bundle. |
|
| 122 | - * |
|
| 123 | - * @param Certificate $target Target certificate |
|
| 124 | - * @param CertificateBundle $bundle Certificates to search |
|
| 125 | - * @return Certificate[] |
|
| 126 | - */ |
|
| 127 | - protected function _findIssuers(Certificate $target, |
|
| 128 | - CertificateBundle $bundle) |
|
| 129 | - { |
|
| 130 | - $issuers = array(); |
|
| 131 | - $issuer_name = $target->tbsCertificate()->issuer(); |
|
| 132 | - $extensions = $target->tbsCertificate()->extensions(); |
|
| 133 | - // find by authority key identifier |
|
| 134 | - if ($extensions->hasAuthorityKeyIdentifier()) { |
|
| 135 | - $ext = $extensions->authorityKeyIdentifier(); |
|
| 136 | - if ($ext->hasKeyIdentifier()) { |
|
| 137 | - foreach ($bundle->allBySubjectKeyIdentifier( |
|
| 138 | - $ext->keyIdentifier()) as $issuer) { |
|
| 139 | - // check that issuer name matches |
|
| 140 | - if ($issuer->tbsCertificate() |
|
| 141 | - ->subject() |
|
| 142 | - ->equals($issuer_name)) { |
|
| 143 | - $issuers[] = $issuer; |
|
| 144 | - } |
|
| 145 | - } |
|
| 146 | - } |
|
| 147 | - } |
|
| 148 | - return $issuers; |
|
| 149 | - } |
|
| 120 | + /** |
|
| 121 | + * Find all issuers of the target certificate from a given bundle. |
|
| 122 | + * |
|
| 123 | + * @param Certificate $target Target certificate |
|
| 124 | + * @param CertificateBundle $bundle Certificates to search |
|
| 125 | + * @return Certificate[] |
|
| 126 | + */ |
|
| 127 | + protected function _findIssuers(Certificate $target, |
|
| 128 | + CertificateBundle $bundle) |
|
| 129 | + { |
|
| 130 | + $issuers = array(); |
|
| 131 | + $issuer_name = $target->tbsCertificate()->issuer(); |
|
| 132 | + $extensions = $target->tbsCertificate()->extensions(); |
|
| 133 | + // find by authority key identifier |
|
| 134 | + if ($extensions->hasAuthorityKeyIdentifier()) { |
|
| 135 | + $ext = $extensions->authorityKeyIdentifier(); |
|
| 136 | + if ($ext->hasKeyIdentifier()) { |
|
| 137 | + foreach ($bundle->allBySubjectKeyIdentifier( |
|
| 138 | + $ext->keyIdentifier()) as $issuer) { |
|
| 139 | + // check that issuer name matches |
|
| 140 | + if ($issuer->tbsCertificate() |
|
| 141 | + ->subject() |
|
| 142 | + ->equals($issuer_name)) { |
|
| 143 | + $issuers[] = $issuer; |
|
| 144 | + } |
|
| 145 | + } |
|
| 146 | + } |
|
| 147 | + } |
|
| 148 | + return $issuers; |
|
| 149 | + } |
|
| 150 | 150 | } |
@@ -46,7 +46,7 @@ discard block |
||
| 46 | 46 | $paths = $this->_resolvePathsToTarget($target, $intermediate); |
| 47 | 47 | // map paths to CertificationPath objects |
| 48 | 48 | return array_map( |
| 49 | - function ($certs) { |
|
| 49 | + function($certs) { |
|
| 50 | 50 | return new CertificationPath(...$certs); |
| 51 | 51 | }, $paths); |
| 52 | 52 | } |
@@ -111,7 +111,7 @@ discard block |
||
| 111 | 111 | throw new PathBuildingException("No certification paths."); |
| 112 | 112 | } |
| 113 | 113 | usort($paths, |
| 114 | - function ($a, $b) { |
|
| 114 | + function($a, $b) { |
|
| 115 | 115 | return count($a) < count($b) ? -1 : 1; |
| 116 | 116 | }); |
| 117 | 117 | return reset($paths); |
@@ -20,7 +20,7 @@ discard block |
||
| 20 | 20 | |
| 21 | 21 | // load RSA private key from PEM |
| 22 | 22 | $private_key_info = PrivateKeyInfo::fromPEM( |
| 23 | - PEM::fromFile(dirname(__DIR__) . "/test/assets/rsa/private_key.pem")); |
|
| 23 | + PEM::fromFile(dirname(__DIR__) . "/test/assets/rsa/private_key.pem")); |
|
| 24 | 24 | // extract public key from private key |
| 25 | 25 | $public_key_info = $private_key_info->publicKeyInfo(); |
| 26 | 26 | // DN of the certification authority |
@@ -30,12 +30,12 @@ discard block |
||
| 30 | 30 | // create "to be signed" certificate object with extensions |
| 31 | 31 | $tbs_cert = new TBSCertificate($name, $public_key_info, $name, $validity); |
| 32 | 32 | $tbs_cert = $tbs_cert->withRandomSerialNumber()->withAdditionalExtensions( |
| 33 | - new BasicConstraintsExtension(true, true), |
|
| 34 | - new SubjectKeyIdentifierExtension(false, $public_key_info->keyIdentifier()), |
|
| 35 | - new KeyUsageExtension(true, |
|
| 36 | - KeyUsageExtension::DIGITAL_SIGNATURE | KeyUsageExtension::KEY_CERT_SIGN)); |
|
| 33 | + new BasicConstraintsExtension(true, true), |
|
| 34 | + new SubjectKeyIdentifierExtension(false, $public_key_info->keyIdentifier()), |
|
| 35 | + new KeyUsageExtension(true, |
|
| 36 | + KeyUsageExtension::DIGITAL_SIGNATURE | KeyUsageExtension::KEY_CERT_SIGN)); |
|
| 37 | 37 | // sign certificate with private key |
| 38 | 38 | $algo = SignatureAlgorithmIdentifierFactory::algoForAsymmetricCrypto( |
| 39 | - $private_key_info->algorithmIdentifier(), new SHA256AlgorithmIdentifier()); |
|
| 39 | + $private_key_info->algorithmIdentifier(), new SHA256AlgorithmIdentifier()); |
|
| 40 | 40 | $cert = $tbs_cert->sign($algo, $private_key_info); |
| 41 | 41 | echo $cert; |
@@ -25,27 +25,27 @@ |
||
| 25 | 25 | $csr = CertificationRequest::fromPEM(PEM::fromFile($argv[2])); |
| 26 | 26 | // verify CSR |
| 27 | 27 | if (!$csr->verify()) { |
| 28 | - echo "Failed to verify certification request signature.\n"; |
|
| 29 | - exit(1); |
|
| 28 | + echo "Failed to verify certification request signature.\n"; |
|
| 29 | + exit(1); |
|
| 30 | 30 | } |
| 31 | 31 | // load CA's private key from PEM |
| 32 | 32 | $private_key_info = PrivateKeyInfo::fromPEM( |
| 33 | - PEM::fromFile(dirname(__DIR__) . "/test/assets/rsa/private_key.pem")); |
|
| 33 | + PEM::fromFile(dirname(__DIR__) . "/test/assets/rsa/private_key.pem")); |
|
| 34 | 34 | // initialize certificate from CSR and issuer's certificate |
| 35 | 35 | $tbs_cert = TBSCertificate::fromCSR($csr)->withIssuerCertificate($issuer_cert); |
| 36 | 36 | // set random serial number |
| 37 | 37 | $tbs_cert = $tbs_cert->withRandomSerialNumber(); |
| 38 | 38 | // set validity period |
| 39 | 39 | $tbs_cert = $tbs_cert->withValidity( |
| 40 | - Validity::fromStrings("now", "now + 3 months")); |
|
| 40 | + Validity::fromStrings("now", "now + 3 months")); |
|
| 41 | 41 | // add extensions |
| 42 | 42 | $tbs_cert = $tbs_cert->withAdditionalExtensions( |
| 43 | - new KeyUsageExtension(true, |
|
| 44 | - KeyUsageExtension::DIGITAL_SIGNATURE | |
|
| 45 | - KeyUsageExtension::KEY_ENCIPHERMENT), |
|
| 46 | - new BasicConstraintsExtension(true, false)); |
|
| 43 | + new KeyUsageExtension(true, |
|
| 44 | + KeyUsageExtension::DIGITAL_SIGNATURE | |
|
| 45 | + KeyUsageExtension::KEY_ENCIPHERMENT), |
|
| 46 | + new BasicConstraintsExtension(true, false)); |
|
| 47 | 47 | // sign certificate with issuer's private key |
| 48 | 48 | $algo = SignatureAlgorithmIdentifierFactory::algoForAsymmetricCrypto( |
| 49 | - $private_key_info->algorithmIdentifier(), new SHA512AlgorithmIdentifier()); |
|
| 49 | + $private_key_info->algorithmIdentifier(), new SHA512AlgorithmIdentifier()); |
|
| 50 | 50 | $cert = $tbs_cert->sign($algo, $private_key_info); |
| 51 | 51 | echo $cert; |
@@ -16,7 +16,7 @@ discard block |
||
| 16 | 16 | |
| 17 | 17 | // load EC private key from PEM |
| 18 | 18 | $private_key_info = PrivateKeyInfo::fromPEM( |
| 19 | - PEM::fromFile(dirname(__DIR__) . "/test/assets/ec/private_key.pem")); |
|
| 19 | + PEM::fromFile(dirname(__DIR__) . "/test/assets/ec/private_key.pem")); |
|
| 20 | 20 | // extract public key from private key |
| 21 | 21 | $public_key_info = $private_key_info->publicKeyInfo(); |
| 22 | 22 | // DN of the subject |
@@ -25,6 +25,6 @@ discard block |
||
| 25 | 25 | $cri = new CertificationRequestInfo($subject, $public_key_info); |
| 26 | 26 | // sign certificate request with private key |
| 27 | 27 | $algo = SignatureAlgorithmIdentifierFactory::algoForAsymmetricCrypto( |
| 28 | - $private_key_info->algorithmIdentifier(), new SHA256AlgorithmIdentifier()); |
|
| 28 | + $private_key_info->algorithmIdentifier(), new SHA256AlgorithmIdentifier()); |
|
| 29 | 29 | $csr = $cri->sign($algo, $private_key_info); |
| 30 | 30 | echo $csr; |
@@ -28,19 +28,19 @@ |
||
| 28 | 28 | // build certification path from CA to end-entity certificate |
| 29 | 29 | $path = CertificationPath::fromTrustAnchorToTarget($ca, $cert); |
| 30 | 30 | foreach ($path->certificates() as $idx => $cert) { |
| 31 | - printf("#%d: %s\n", $idx, |
|
| 32 | - $cert->tbsCertificate() |
|
| 33 | - ->subject() |
|
| 34 | - ->toString()); |
|
| 31 | + printf("#%d: %s\n", $idx, |
|
| 32 | + $cert->tbsCertificate() |
|
| 33 | + ->subject() |
|
| 34 | + ->toString()); |
|
| 35 | 35 | } |
| 36 | 36 | // validate certification path with default configuration |
| 37 | 37 | $config = PathValidationConfig::defaultConfig(); |
| 38 | 38 | $result = $path->validate($config); |
| 39 | 39 | printf("Certificate '%s' is valid.\n", |
| 40 | - $result->certificate() |
|
| 41 | - ->tbsCertificate() |
|
| 42 | - ->subject() |
|
| 43 | - ->toString()); |
|
| 40 | + $result->certificate() |
|
| 41 | + ->tbsCertificate() |
|
| 42 | + ->subject() |
|
| 43 | + ->toString()); |
|
| 44 | 44 | // remove temporary files |
| 45 | 45 | unlink($ca_file); |
| 46 | 46 | unlink($csr_file); |
