sop /
x509
@@ -20,7 +20,7 @@ discard block |
||
| 20 | 20 | |
| 21 | 21 | // load RSA private key from PEM |
| 22 | 22 | $private_key_info = PrivateKeyInfo::fromPEM( |
| 23 | - PEM::fromFile(dirname(__DIR__) . "/test/assets/rsa/private_key.pem")); |
|
| 23 | + PEM::fromFile(dirname(__DIR__) . "/test/assets/rsa/private_key.pem")); |
|
| 24 | 24 | // extract public key from private key |
| 25 | 25 | $public_key_info = $private_key_info->publicKeyInfo(); |
| 26 | 26 | // DN of the certification authority |
@@ -30,12 +30,12 @@ discard block |
||
| 30 | 30 | // create "to be signed" certificate object with extensions |
| 31 | 31 | $tbs_cert = new TBSCertificate($name, $public_key_info, $name, $validity); |
| 32 | 32 | $tbs_cert = $tbs_cert->withRandomSerialNumber()->withAdditionalExtensions( |
| 33 | - new BasicConstraintsExtension(true, true), |
|
| 34 | - new SubjectKeyIdentifierExtension(false, $public_key_info->keyIdentifier()), |
|
| 35 | - new KeyUsageExtension(true, |
|
| 36 | - KeyUsageExtension::DIGITAL_SIGNATURE | KeyUsageExtension::KEY_CERT_SIGN)); |
|
| 33 | + new BasicConstraintsExtension(true, true), |
|
| 34 | + new SubjectKeyIdentifierExtension(false, $public_key_info->keyIdentifier()), |
|
| 35 | + new KeyUsageExtension(true, |
|
| 36 | + KeyUsageExtension::DIGITAL_SIGNATURE | KeyUsageExtension::KEY_CERT_SIGN)); |
|
| 37 | 37 | // sign certificate with private key |
| 38 | 38 | $algo = SignatureAlgorithmIdentifierFactory::algoForAsymmetricCrypto( |
| 39 | - $private_key_info->algorithmIdentifier(), new SHA256AlgorithmIdentifier()); |
|
| 39 | + $private_key_info->algorithmIdentifier(), new SHA256AlgorithmIdentifier()); |
|
| 40 | 40 | $cert = $tbs_cert->sign($algo, $private_key_info); |
| 41 | 41 | echo $cert; |
@@ -25,27 +25,27 @@ |
||
| 25 | 25 | $csr = CertificationRequest::fromPEM(PEM::fromFile($argv[2])); |
| 26 | 26 | // verify CSR |
| 27 | 27 | if (!$csr->verify()) { |
| 28 | - echo "Failed to verify certification request signature.\n"; |
|
| 29 | - exit(1); |
|
| 28 | + echo "Failed to verify certification request signature.\n"; |
|
| 29 | + exit(1); |
|
| 30 | 30 | } |
| 31 | 31 | // load CA's private key from PEM |
| 32 | 32 | $private_key_info = PrivateKeyInfo::fromPEM( |
| 33 | - PEM::fromFile(dirname(__DIR__) . "/test/assets/rsa/private_key.pem")); |
|
| 33 | + PEM::fromFile(dirname(__DIR__) . "/test/assets/rsa/private_key.pem")); |
|
| 34 | 34 | // initialize certificate from CSR and issuer's certificate |
| 35 | 35 | $tbs_cert = TBSCertificate::fromCSR($csr)->withIssuerCertificate($issuer_cert); |
| 36 | 36 | // set random serial number |
| 37 | 37 | $tbs_cert = $tbs_cert->withRandomSerialNumber(); |
| 38 | 38 | // set validity period |
| 39 | 39 | $tbs_cert = $tbs_cert->withValidity( |
| 40 | - Validity::fromStrings("now", "now + 3 months")); |
|
| 40 | + Validity::fromStrings("now", "now + 3 months")); |
|
| 41 | 41 | // add extensions |
| 42 | 42 | $tbs_cert = $tbs_cert->withAdditionalExtensions( |
| 43 | - new KeyUsageExtension(true, |
|
| 44 | - KeyUsageExtension::DIGITAL_SIGNATURE | |
|
| 45 | - KeyUsageExtension::KEY_ENCIPHERMENT), |
|
| 46 | - new BasicConstraintsExtension(true, false)); |
|
| 43 | + new KeyUsageExtension(true, |
|
| 44 | + KeyUsageExtension::DIGITAL_SIGNATURE | |
|
| 45 | + KeyUsageExtension::KEY_ENCIPHERMENT), |
|
| 46 | + new BasicConstraintsExtension(true, false)); |
|
| 47 | 47 | // sign certificate with issuer's private key |
| 48 | 48 | $algo = SignatureAlgorithmIdentifierFactory::algoForAsymmetricCrypto( |
| 49 | - $private_key_info->algorithmIdentifier(), new SHA512AlgorithmIdentifier()); |
|
| 49 | + $private_key_info->algorithmIdentifier(), new SHA512AlgorithmIdentifier()); |
|
| 50 | 50 | $cert = $tbs_cert->sign($algo, $private_key_info); |
| 51 | 51 | echo $cert; |
@@ -16,7 +16,7 @@ discard block |
||
| 16 | 16 | |
| 17 | 17 | // load EC private key from PEM |
| 18 | 18 | $private_key_info = PrivateKeyInfo::fromPEM( |
| 19 | - PEM::fromFile(dirname(__DIR__) . "/test/assets/ec/private_key.pem")); |
|
| 19 | + PEM::fromFile(dirname(__DIR__) . "/test/assets/ec/private_key.pem")); |
|
| 20 | 20 | // extract public key from private key |
| 21 | 21 | $public_key_info = $private_key_info->publicKeyInfo(); |
| 22 | 22 | // DN of the subject |
@@ -25,6 +25,6 @@ discard block |
||
| 25 | 25 | $cri = new CertificationRequestInfo($subject, $public_key_info); |
| 26 | 26 | // sign certificate request with private key |
| 27 | 27 | $algo = SignatureAlgorithmIdentifierFactory::algoForAsymmetricCrypto( |
| 28 | - $private_key_info->algorithmIdentifier(), new SHA256AlgorithmIdentifier()); |
|
| 28 | + $private_key_info->algorithmIdentifier(), new SHA256AlgorithmIdentifier()); |
|
| 29 | 29 | $csr = $cri->sign($algo, $private_key_info); |
| 30 | 30 | echo $csr; |
@@ -28,19 +28,19 @@ |
||
| 28 | 28 | // build certification path from CA to end-entity certificate |
| 29 | 29 | $path = CertificationPath::fromTrustAnchorToTarget($ca, $cert); |
| 30 | 30 | foreach ($path->certificates() as $idx => $cert) { |
| 31 | - printf("#%d: %s\n", $idx, |
|
| 32 | - $cert->tbsCertificate() |
|
| 33 | - ->subject() |
|
| 34 | - ->toString()); |
|
| 31 | + printf("#%d: %s\n", $idx, |
|
| 32 | + $cert->tbsCertificate() |
|
| 33 | + ->subject() |
|
| 34 | + ->toString()); |
|
| 35 | 35 | } |
| 36 | 36 | // validate certification path with default configuration |
| 37 | 37 | $config = PathValidationConfig::defaultConfig(); |
| 38 | 38 | $result = $path->validate($config); |
| 39 | 39 | printf("Certificate '%s' is valid.\n", |
| 40 | - $result->certificate() |
|
| 41 | - ->tbsCertificate() |
|
| 42 | - ->subject() |
|
| 43 | - ->toString()); |
|
| 40 | + $result->certificate() |
|
| 41 | + ->tbsCertificate() |
|
| 42 | + ->subject() |
|
| 43 | + ->toString()); |
|
| 44 | 44 | // remove temporary files |
| 45 | 45 | unlink($ca_file); |
| 46 | 46 | unlink($csr_file); |
@@ -13,16 +13,16 @@ |
||
| 13 | 13 | */ |
| 14 | 14 | class FreshestCRLExtension extends CRLDistributionPointsExtension |
| 15 | 15 | { |
| 16 | - /** |
|
| 17 | - * Constructor. |
|
| 18 | - * |
|
| 19 | - * @param bool $critical |
|
| 20 | - * @param DistributionPoint ...$distribution_points |
|
| 21 | - */ |
|
| 22 | - public function __construct(bool $critical, |
|
| 23 | - DistributionPoint ...$distribution_points) |
|
| 24 | - { |
|
| 25 | - Extension::__construct(self::OID_FRESHEST_CRL, $critical); |
|
| 26 | - $this->_distributionPoints = $distribution_points; |
|
| 27 | - } |
|
| 16 | + /** |
|
| 17 | + * Constructor. |
|
| 18 | + * |
|
| 19 | + * @param bool $critical |
|
| 20 | + * @param DistributionPoint ...$distribution_points |
|
| 21 | + */ |
|
| 22 | + public function __construct(bool $critical, |
|
| 23 | + DistributionPoint ...$distribution_points) |
|
| 24 | + { |
|
| 25 | + Extension::__construct(self::OID_FRESHEST_CRL, $critical); |
|
| 26 | + $this->_distributionPoints = $distribution_points; |
|
| 27 | + } |
|
| 28 | 28 | } |
@@ -1,6 +1,6 @@ |
||
| 1 | 1 | <?php |
| 2 | 2 | |
| 3 | -declare(strict_types = 1); |
|
| 3 | +declare(strict_types=1); |
|
| 4 | 4 | |
| 5 | 5 | namespace X509\Certificate\Extension; |
| 6 | 6 | |
@@ -89,16 +89,16 @@ |
||
| 89 | 89 | { |
| 90 | 90 | $dt = $this->_dt; |
| 91 | 91 | switch ($this->_type) { |
| 92 | - case Element::TYPE_UTC_TIME: |
|
| 93 | - return new UTCTime($dt); |
|
| 94 | - case Element::TYPE_GENERALIZED_TIME: |
|
| 95 | - // GeneralizedTime must not contain fractional seconds |
|
| 96 | - // (rfc5280 4.1.2.5.2) |
|
| 97 | - if ($dt->format("u") != 0) { |
|
| 98 | - // remove fractional seconds (round down) |
|
| 99 | - $dt = self::_roundDownFractionalSeconds($dt); |
|
| 100 | - } |
|
| 101 | - return new GeneralizedTime($dt); |
|
| 92 | + case Element::TYPE_UTC_TIME: |
|
| 93 | + return new UTCTime($dt); |
|
| 94 | + case Element::TYPE_GENERALIZED_TIME: |
|
| 95 | + // GeneralizedTime must not contain fractional seconds |
|
| 96 | + // (rfc5280 4.1.2.5.2) |
|
| 97 | + if ($dt->format("u") != 0) { |
|
| 98 | + // remove fractional seconds (round down) |
|
| 99 | + $dt = self::_roundDownFractionalSeconds($dt); |
|
| 100 | + } |
|
| 101 | + return new GeneralizedTime($dt); |
|
| 102 | 102 | } |
| 103 | 103 | throw new \UnexpectedValueException( |
| 104 | 104 | "Time type " . Element::tagToName($this->_type) . " not supported."); |
@@ -17,104 +17,104 @@ |
||
| 17 | 17 | */ |
| 18 | 18 | class Time |
| 19 | 19 | { |
| 20 | - use DateTimeHelper; |
|
| 20 | + use DateTimeHelper; |
|
| 21 | 21 | |
| 22 | - /** |
|
| 23 | - * Datetime. |
|
| 24 | - * |
|
| 25 | - * @var \DateTimeImmutable $_dt |
|
| 26 | - */ |
|
| 27 | - protected $_dt; |
|
| 22 | + /** |
|
| 23 | + * Datetime. |
|
| 24 | + * |
|
| 25 | + * @var \DateTimeImmutable $_dt |
|
| 26 | + */ |
|
| 27 | + protected $_dt; |
|
| 28 | 28 | |
| 29 | - /** |
|
| 30 | - * Time ASN.1 type tag. |
|
| 31 | - * |
|
| 32 | - * @var int $_type |
|
| 33 | - */ |
|
| 34 | - protected $_type; |
|
| 29 | + /** |
|
| 30 | + * Time ASN.1 type tag. |
|
| 31 | + * |
|
| 32 | + * @var int $_type |
|
| 33 | + */ |
|
| 34 | + protected $_type; |
|
| 35 | 35 | |
| 36 | - /** |
|
| 37 | - * Constructor. |
|
| 38 | - * |
|
| 39 | - * @param \DateTimeImmutable $dt |
|
| 40 | - */ |
|
| 41 | - public function __construct(\DateTimeImmutable $dt) |
|
| 42 | - { |
|
| 43 | - $this->_dt = $dt; |
|
| 44 | - $this->_type = self::_determineType($dt); |
|
| 45 | - } |
|
| 36 | + /** |
|
| 37 | + * Constructor. |
|
| 38 | + * |
|
| 39 | + * @param \DateTimeImmutable $dt |
|
| 40 | + */ |
|
| 41 | + public function __construct(\DateTimeImmutable $dt) |
|
| 42 | + { |
|
| 43 | + $this->_dt = $dt; |
|
| 44 | + $this->_type = self::_determineType($dt); |
|
| 45 | + } |
|
| 46 | 46 | |
| 47 | - /** |
|
| 48 | - * Initialize from ASN.1. |
|
| 49 | - * |
|
| 50 | - * @param TimeType $el |
|
| 51 | - * @return self |
|
| 52 | - */ |
|
| 53 | - public static function fromASN1(TimeType $el): self |
|
| 54 | - { |
|
| 55 | - $obj = new self($el->dateTime()); |
|
| 56 | - $obj->_type = $el->tag(); |
|
| 57 | - return $obj; |
|
| 58 | - } |
|
| 47 | + /** |
|
| 48 | + * Initialize from ASN.1. |
|
| 49 | + * |
|
| 50 | + * @param TimeType $el |
|
| 51 | + * @return self |
|
| 52 | + */ |
|
| 53 | + public static function fromASN1(TimeType $el): self |
|
| 54 | + { |
|
| 55 | + $obj = new self($el->dateTime()); |
|
| 56 | + $obj->_type = $el->tag(); |
|
| 57 | + return $obj; |
|
| 58 | + } |
|
| 59 | 59 | |
| 60 | - /** |
|
| 61 | - * Initialize from date string. |
|
| 62 | - * |
|
| 63 | - * @param string|null $time |
|
| 64 | - * @param string|null $tz |
|
| 65 | - * @return self |
|
| 66 | - */ |
|
| 67 | - public static function fromString($time, $tz = null): self |
|
| 68 | - { |
|
| 69 | - return new self(self::_createDateTime($time, $tz)); |
|
| 70 | - } |
|
| 60 | + /** |
|
| 61 | + * Initialize from date string. |
|
| 62 | + * |
|
| 63 | + * @param string|null $time |
|
| 64 | + * @param string|null $tz |
|
| 65 | + * @return self |
|
| 66 | + */ |
|
| 67 | + public static function fromString($time, $tz = null): self |
|
| 68 | + { |
|
| 69 | + return new self(self::_createDateTime($time, $tz)); |
|
| 70 | + } |
|
| 71 | 71 | |
| 72 | - /** |
|
| 73 | - * Get datetime. |
|
| 74 | - * |
|
| 75 | - * @return \DateTimeImmutable |
|
| 76 | - */ |
|
| 77 | - public function dateTime(): \DateTimeImmutable |
|
| 78 | - { |
|
| 79 | - return $this->_dt; |
|
| 80 | - } |
|
| 72 | + /** |
|
| 73 | + * Get datetime. |
|
| 74 | + * |
|
| 75 | + * @return \DateTimeImmutable |
|
| 76 | + */ |
|
| 77 | + public function dateTime(): \DateTimeImmutable |
|
| 78 | + { |
|
| 79 | + return $this->_dt; |
|
| 80 | + } |
|
| 81 | 81 | |
| 82 | - /** |
|
| 83 | - * Generate ASN.1. |
|
| 84 | - * |
|
| 85 | - * @throws \UnexpectedValueException |
|
| 86 | - * @return TimeType |
|
| 87 | - */ |
|
| 88 | - public function toASN1(): TimeType |
|
| 89 | - { |
|
| 90 | - $dt = $this->_dt; |
|
| 91 | - switch ($this->_type) { |
|
| 92 | - case Element::TYPE_UTC_TIME: |
|
| 93 | - return new UTCTime($dt); |
|
| 94 | - case Element::TYPE_GENERALIZED_TIME: |
|
| 95 | - // GeneralizedTime must not contain fractional seconds |
|
| 96 | - // (rfc5280 4.1.2.5.2) |
|
| 97 | - if ($dt->format("u") != 0) { |
|
| 98 | - // remove fractional seconds (round down) |
|
| 99 | - $dt = self::_roundDownFractionalSeconds($dt); |
|
| 100 | - } |
|
| 101 | - return new GeneralizedTime($dt); |
|
| 102 | - } |
|
| 103 | - throw new \UnexpectedValueException( |
|
| 104 | - "Time type " . Element::tagToName($this->_type) . " not supported."); |
|
| 105 | - } |
|
| 82 | + /** |
|
| 83 | + * Generate ASN.1. |
|
| 84 | + * |
|
| 85 | + * @throws \UnexpectedValueException |
|
| 86 | + * @return TimeType |
|
| 87 | + */ |
|
| 88 | + public function toASN1(): TimeType |
|
| 89 | + { |
|
| 90 | + $dt = $this->_dt; |
|
| 91 | + switch ($this->_type) { |
|
| 92 | + case Element::TYPE_UTC_TIME: |
|
| 93 | + return new UTCTime($dt); |
|
| 94 | + case Element::TYPE_GENERALIZED_TIME: |
|
| 95 | + // GeneralizedTime must not contain fractional seconds |
|
| 96 | + // (rfc5280 4.1.2.5.2) |
|
| 97 | + if ($dt->format("u") != 0) { |
|
| 98 | + // remove fractional seconds (round down) |
|
| 99 | + $dt = self::_roundDownFractionalSeconds($dt); |
|
| 100 | + } |
|
| 101 | + return new GeneralizedTime($dt); |
|
| 102 | + } |
|
| 103 | + throw new \UnexpectedValueException( |
|
| 104 | + "Time type " . Element::tagToName($this->_type) . " not supported."); |
|
| 105 | + } |
|
| 106 | 106 | |
| 107 | - /** |
|
| 108 | - * Determine whether to use UTCTime or GeneralizedTime ASN.1 type. |
|
| 109 | - * |
|
| 110 | - * @param \DateTimeImmutable $dt |
|
| 111 | - * @return int Type tag |
|
| 112 | - */ |
|
| 113 | - protected static function _determineType(\DateTimeImmutable $dt): int |
|
| 114 | - { |
|
| 115 | - if ($dt->format("Y") >= 2050) { |
|
| 116 | - return Element::TYPE_GENERALIZED_TIME; |
|
| 117 | - } |
|
| 118 | - return Element::TYPE_UTC_TIME; |
|
| 119 | - } |
|
| 107 | + /** |
|
| 108 | + * Determine whether to use UTCTime or GeneralizedTime ASN.1 type. |
|
| 109 | + * |
|
| 110 | + * @param \DateTimeImmutable $dt |
|
| 111 | + * @return int Type tag |
|
| 112 | + */ |
|
| 113 | + protected static function _determineType(\DateTimeImmutable $dt): int |
|
| 114 | + { |
|
| 115 | + if ($dt->format("Y") >= 2050) { |
|
| 116 | + return Element::TYPE_GENERALIZED_TIME; |
|
| 117 | + } |
|
| 118 | + return Element::TYPE_UTC_TIME; |
|
| 119 | + } |
|
| 120 | 120 | } |
@@ -1,6 +1,6 @@ |
||
| 1 | 1 | <?php |
| 2 | 2 | |
| 3 | -declare(strict_types = 1); |
|
| 3 | +declare(strict_types=1); |
|
| 4 | 4 | |
| 5 | 5 | namespace X509\Certificate; |
| 6 | 6 | |
@@ -16,85 +16,85 @@ |
||
| 16 | 16 | */ |
| 17 | 17 | class PathValidationResult |
| 18 | 18 | { |
| 19 | - /** |
|
| 20 | - * Certificates in a certification path. |
|
| 21 | - * |
|
| 22 | - * @var \X509\Certificate\Certificate[] $_certificates |
|
| 23 | - */ |
|
| 24 | - protected $_certificates; |
|
| 19 | + /** |
|
| 20 | + * Certificates in a certification path. |
|
| 21 | + * |
|
| 22 | + * @var \X509\Certificate\Certificate[] $_certificates |
|
| 23 | + */ |
|
| 24 | + protected $_certificates; |
|
| 25 | 25 | |
| 26 | - /** |
|
| 27 | - * Valid policy tree. |
|
| 28 | - * |
|
| 29 | - * @var \X509\CertificationPath\Policy\PolicyTree|null $_policyTree |
|
| 30 | - */ |
|
| 31 | - protected $_policyTree; |
|
| 26 | + /** |
|
| 27 | + * Valid policy tree. |
|
| 28 | + * |
|
| 29 | + * @var \X509\CertificationPath\Policy\PolicyTree|null $_policyTree |
|
| 30 | + */ |
|
| 31 | + protected $_policyTree; |
|
| 32 | 32 | |
| 33 | - /** |
|
| 34 | - * End-entity certificate's public key. |
|
| 35 | - * |
|
| 36 | - * @var PublicKeyInfo |
|
| 37 | - */ |
|
| 38 | - protected $_publicKeyInfo; |
|
| 33 | + /** |
|
| 34 | + * End-entity certificate's public key. |
|
| 35 | + * |
|
| 36 | + * @var PublicKeyInfo |
|
| 37 | + */ |
|
| 38 | + protected $_publicKeyInfo; |
|
| 39 | 39 | |
| 40 | - /** |
|
| 41 | - * Public key algorithm. |
|
| 42 | - * |
|
| 43 | - * @var AlgorithmIdentifierType |
|
| 44 | - */ |
|
| 45 | - protected $_publicKeyAlgo; |
|
| 40 | + /** |
|
| 41 | + * Public key algorithm. |
|
| 42 | + * |
|
| 43 | + * @var AlgorithmIdentifierType |
|
| 44 | + */ |
|
| 45 | + protected $_publicKeyAlgo; |
|
| 46 | 46 | |
| 47 | - /** |
|
| 48 | - * Public key parameters. |
|
| 49 | - * |
|
| 50 | - * @var Element|null $_publicKeyParameters |
|
| 51 | - */ |
|
| 52 | - protected $_publicKeyParameters; |
|
| 47 | + /** |
|
| 48 | + * Public key parameters. |
|
| 49 | + * |
|
| 50 | + * @var Element|null $_publicKeyParameters |
|
| 51 | + */ |
|
| 52 | + protected $_publicKeyParameters; |
|
| 53 | 53 | |
| 54 | - /** |
|
| 55 | - * Constructor. |
|
| 56 | - * |
|
| 57 | - * @param \X509\Certificate\Certificate[] $certificates Certificates in a |
|
| 58 | - * certification path |
|
| 59 | - * @param \X509\CertificationPath\Policy\PolicyTree|null $policy_tree Valid |
|
| 60 | - * policy tree |
|
| 61 | - * @param PublicKeyInfo $pubkey_info Public key of the end-entity |
|
| 62 | - * certificate |
|
| 63 | - * @param AlgorithmIdentifierType $algo Public key algorithm of the |
|
| 64 | - * end-entity certificate |
|
| 65 | - * @param Element|null $params Algorithm parameters |
|
| 66 | - */ |
|
| 67 | - public function __construct(array $certificates, $policy_tree, |
|
| 68 | - PublicKeyInfo $pubkey_info, AlgorithmIdentifierType $algo, |
|
| 69 | - Element $params = null) |
|
| 70 | - { |
|
| 71 | - $this->_certificates = array_values($certificates); |
|
| 72 | - $this->_policyTree = $policy_tree; |
|
| 73 | - $this->_publicKeyInfo = $pubkey_info; |
|
| 74 | - $this->_publicKeyAlgo = $algo; |
|
| 75 | - $this->_publicKeyParameters = $params; |
|
| 76 | - } |
|
| 54 | + /** |
|
| 55 | + * Constructor. |
|
| 56 | + * |
|
| 57 | + * @param \X509\Certificate\Certificate[] $certificates Certificates in a |
|
| 58 | + * certification path |
|
| 59 | + * @param \X509\CertificationPath\Policy\PolicyTree|null $policy_tree Valid |
|
| 60 | + * policy tree |
|
| 61 | + * @param PublicKeyInfo $pubkey_info Public key of the end-entity |
|
| 62 | + * certificate |
|
| 63 | + * @param AlgorithmIdentifierType $algo Public key algorithm of the |
|
| 64 | + * end-entity certificate |
|
| 65 | + * @param Element|null $params Algorithm parameters |
|
| 66 | + */ |
|
| 67 | + public function __construct(array $certificates, $policy_tree, |
|
| 68 | + PublicKeyInfo $pubkey_info, AlgorithmIdentifierType $algo, |
|
| 69 | + Element $params = null) |
|
| 70 | + { |
|
| 71 | + $this->_certificates = array_values($certificates); |
|
| 72 | + $this->_policyTree = $policy_tree; |
|
| 73 | + $this->_publicKeyInfo = $pubkey_info; |
|
| 74 | + $this->_publicKeyAlgo = $algo; |
|
| 75 | + $this->_publicKeyParameters = $params; |
|
| 76 | + } |
|
| 77 | 77 | |
| 78 | - /** |
|
| 79 | - * Get end-entity certificate. |
|
| 80 | - * |
|
| 81 | - * @return \X509\Certificate\Certificate |
|
| 82 | - */ |
|
| 83 | - public function certificate(): Certificate |
|
| 84 | - { |
|
| 85 | - return $this->_certificates[count($this->_certificates) - 1]; |
|
| 86 | - } |
|
| 78 | + /** |
|
| 79 | + * Get end-entity certificate. |
|
| 80 | + * |
|
| 81 | + * @return \X509\Certificate\Certificate |
|
| 82 | + */ |
|
| 83 | + public function certificate(): Certificate |
|
| 84 | + { |
|
| 85 | + return $this->_certificates[count($this->_certificates) - 1]; |
|
| 86 | + } |
|
| 87 | 87 | |
| 88 | - /** |
|
| 89 | - * Get certificate policies of the end-entity certificate. |
|
| 90 | - * |
|
| 91 | - * @return \X509\Certificate\Extension\CertificatePolicy\PolicyInformation[] |
|
| 92 | - */ |
|
| 93 | - public function policies(): array |
|
| 94 | - { |
|
| 95 | - if (!$this->_policyTree) { |
|
| 96 | - return array(); |
|
| 97 | - } |
|
| 98 | - return $this->_policyTree->policiesAtDepth(count($this->_certificates)); |
|
| 99 | - } |
|
| 88 | + /** |
|
| 89 | + * Get certificate policies of the end-entity certificate. |
|
| 90 | + * |
|
| 91 | + * @return \X509\Certificate\Extension\CertificatePolicy\PolicyInformation[] |
|
| 92 | + */ |
|
| 93 | + public function policies(): array |
|
| 94 | + { |
|
| 95 | + if (!$this->_policyTree) { |
|
| 96 | + return array(); |
|
| 97 | + } |
|
| 98 | + return $this->_policyTree->policiesAtDepth(count($this->_certificates)); |
|
| 99 | + } |
|
| 100 | 100 | } |
@@ -1,6 +1,6 @@ |
||
| 1 | 1 | <?php |
| 2 | 2 | |
| 3 | -declare(strict_types = 1); |
|
| 3 | +declare(strict_types=1); |
|
| 4 | 4 | |
| 5 | 5 | namespace X509\CertificationPath\PathValidation; |
| 6 | 6 | |
@@ -16,137 +16,137 @@ |
||
| 16 | 16 | */ |
| 17 | 17 | class CertificationPathBuilder |
| 18 | 18 | { |
| 19 | - /** |
|
| 20 | - * Trust anchors. |
|
| 21 | - * |
|
| 22 | - * @var CertificateBundle |
|
| 23 | - */ |
|
| 24 | - protected $_trustList; |
|
| 19 | + /** |
|
| 20 | + * Trust anchors. |
|
| 21 | + * |
|
| 22 | + * @var CertificateBundle |
|
| 23 | + */ |
|
| 24 | + protected $_trustList; |
|
| 25 | 25 | |
| 26 | - /** |
|
| 27 | - * Constructor. |
|
| 28 | - * |
|
| 29 | - * @param CertificateBundle $trust_list List of trust anchors |
|
| 30 | - */ |
|
| 31 | - public function __construct(CertificateBundle $trust_list) |
|
| 32 | - { |
|
| 33 | - $this->_trustList = $trust_list; |
|
| 34 | - } |
|
| 26 | + /** |
|
| 27 | + * Constructor. |
|
| 28 | + * |
|
| 29 | + * @param CertificateBundle $trust_list List of trust anchors |
|
| 30 | + */ |
|
| 31 | + public function __construct(CertificateBundle $trust_list) |
|
| 32 | + { |
|
| 33 | + $this->_trustList = $trust_list; |
|
| 34 | + } |
|
| 35 | 35 | |
| 36 | - /** |
|
| 37 | - * Get all certification paths to given target certificate from |
|
| 38 | - * any trust anchor. |
|
| 39 | - * |
|
| 40 | - * @param Certificate $target Target certificate |
|
| 41 | - * @param CertificateBundle|null $intermediate Optional intermediate |
|
| 42 | - * certificates |
|
| 43 | - * @return CertificationPath[] |
|
| 44 | - */ |
|
| 45 | - public function allPathsToTarget(Certificate $target, |
|
| 46 | - CertificateBundle $intermediate = null): array |
|
| 47 | - { |
|
| 48 | - $paths = $this->_resolvePathsToTarget($target, $intermediate); |
|
| 49 | - // map paths to CertificationPath objects |
|
| 50 | - return array_map( |
|
| 51 | - function ($certs) { |
|
| 52 | - return new CertificationPath(...$certs); |
|
| 53 | - }, $paths); |
|
| 54 | - } |
|
| 36 | + /** |
|
| 37 | + * Get all certification paths to given target certificate from |
|
| 38 | + * any trust anchor. |
|
| 39 | + * |
|
| 40 | + * @param Certificate $target Target certificate |
|
| 41 | + * @param CertificateBundle|null $intermediate Optional intermediate |
|
| 42 | + * certificates |
|
| 43 | + * @return CertificationPath[] |
|
| 44 | + */ |
|
| 45 | + public function allPathsToTarget(Certificate $target, |
|
| 46 | + CertificateBundle $intermediate = null): array |
|
| 47 | + { |
|
| 48 | + $paths = $this->_resolvePathsToTarget($target, $intermediate); |
|
| 49 | + // map paths to CertificationPath objects |
|
| 50 | + return array_map( |
|
| 51 | + function ($certs) { |
|
| 52 | + return new CertificationPath(...$certs); |
|
| 53 | + }, $paths); |
|
| 54 | + } |
|
| 55 | 55 | |
| 56 | - /** |
|
| 57 | - * Resolve all possible certification paths from any trust anchor to |
|
| 58 | - * the target certificate, using optional intermediate certificates. |
|
| 59 | - * |
|
| 60 | - * Helper method for allPathsToTarget to be called recursively. |
|
| 61 | - * |
|
| 62 | - * @todo Implement loop detection |
|
| 63 | - * @param Certificate $target |
|
| 64 | - * @param CertificateBundle $intermediate |
|
| 65 | - * @return array[] Array of arrays containing path certificates |
|
| 66 | - */ |
|
| 67 | - private function _resolvePathsToTarget(Certificate $target, |
|
| 68 | - CertificateBundle $intermediate = null): array |
|
| 69 | - { |
|
| 70 | - // array of possible paths |
|
| 71 | - $paths = array(); |
|
| 72 | - // signed by certificate in the trust list |
|
| 73 | - foreach ($this->_findIssuers($target, $this->_trustList) as $issuer) { |
|
| 74 | - // if target is self-signed, path consists of only |
|
| 75 | - // the target certificate |
|
| 76 | - if ($target->equals($issuer)) { |
|
| 77 | - $paths[] = array($target); |
|
| 78 | - } else { |
|
| 79 | - $paths[] = array($issuer, $target); |
|
| 80 | - } |
|
| 81 | - } |
|
| 82 | - if (isset($intermediate)) { |
|
| 83 | - // signed by intermediate certificate |
|
| 84 | - foreach ($this->_findIssuers($target, $intermediate) as $issuer) { |
|
| 85 | - // intermediate certificate must not be self-signed |
|
| 86 | - if ($issuer->isSelfIssued()) { |
|
| 87 | - continue; |
|
| 88 | - } |
|
| 89 | - // resolve paths to issuer |
|
| 90 | - $subpaths = $this->_resolvePathsToTarget($issuer, $intermediate); |
|
| 91 | - foreach ($subpaths as $path) { |
|
| 92 | - $paths[] = array_merge($path, array($target)); |
|
| 93 | - } |
|
| 94 | - } |
|
| 95 | - } |
|
| 96 | - return $paths; |
|
| 97 | - } |
|
| 56 | + /** |
|
| 57 | + * Resolve all possible certification paths from any trust anchor to |
|
| 58 | + * the target certificate, using optional intermediate certificates. |
|
| 59 | + * |
|
| 60 | + * Helper method for allPathsToTarget to be called recursively. |
|
| 61 | + * |
|
| 62 | + * @todo Implement loop detection |
|
| 63 | + * @param Certificate $target |
|
| 64 | + * @param CertificateBundle $intermediate |
|
| 65 | + * @return array[] Array of arrays containing path certificates |
|
| 66 | + */ |
|
| 67 | + private function _resolvePathsToTarget(Certificate $target, |
|
| 68 | + CertificateBundle $intermediate = null): array |
|
| 69 | + { |
|
| 70 | + // array of possible paths |
|
| 71 | + $paths = array(); |
|
| 72 | + // signed by certificate in the trust list |
|
| 73 | + foreach ($this->_findIssuers($target, $this->_trustList) as $issuer) { |
|
| 74 | + // if target is self-signed, path consists of only |
|
| 75 | + // the target certificate |
|
| 76 | + if ($target->equals($issuer)) { |
|
| 77 | + $paths[] = array($target); |
|
| 78 | + } else { |
|
| 79 | + $paths[] = array($issuer, $target); |
|
| 80 | + } |
|
| 81 | + } |
|
| 82 | + if (isset($intermediate)) { |
|
| 83 | + // signed by intermediate certificate |
|
| 84 | + foreach ($this->_findIssuers($target, $intermediate) as $issuer) { |
|
| 85 | + // intermediate certificate must not be self-signed |
|
| 86 | + if ($issuer->isSelfIssued()) { |
|
| 87 | + continue; |
|
| 88 | + } |
|
| 89 | + // resolve paths to issuer |
|
| 90 | + $subpaths = $this->_resolvePathsToTarget($issuer, $intermediate); |
|
| 91 | + foreach ($subpaths as $path) { |
|
| 92 | + $paths[] = array_merge($path, array($target)); |
|
| 93 | + } |
|
| 94 | + } |
|
| 95 | + } |
|
| 96 | + return $paths; |
|
| 97 | + } |
|
| 98 | 98 | |
| 99 | - /** |
|
| 100 | - * Get shortest path to given target certificate from any trust anchor. |
|
| 101 | - * |
|
| 102 | - * @param Certificate $target Target certificate |
|
| 103 | - * @param CertificateBundle|null $intermediate Optional intermediate |
|
| 104 | - * certificates |
|
| 105 | - * @throws PathBuildingException |
|
| 106 | - * @return CertificationPath |
|
| 107 | - */ |
|
| 108 | - public function shortestPathToTarget(Certificate $target, |
|
| 109 | - CertificateBundle $intermediate = null): CertificationPath |
|
| 110 | - { |
|
| 111 | - $paths = $this->allPathsToTarget($target, $intermediate); |
|
| 112 | - if (!count($paths)) { |
|
| 113 | - throw new PathBuildingException("No certification paths."); |
|
| 114 | - } |
|
| 115 | - usort($paths, |
|
| 116 | - function ($a, $b) { |
|
| 117 | - return count($a) < count($b) ? -1 : 1; |
|
| 118 | - }); |
|
| 119 | - return reset($paths); |
|
| 120 | - } |
|
| 99 | + /** |
|
| 100 | + * Get shortest path to given target certificate from any trust anchor. |
|
| 101 | + * |
|
| 102 | + * @param Certificate $target Target certificate |
|
| 103 | + * @param CertificateBundle|null $intermediate Optional intermediate |
|
| 104 | + * certificates |
|
| 105 | + * @throws PathBuildingException |
|
| 106 | + * @return CertificationPath |
|
| 107 | + */ |
|
| 108 | + public function shortestPathToTarget(Certificate $target, |
|
| 109 | + CertificateBundle $intermediate = null): CertificationPath |
|
| 110 | + { |
|
| 111 | + $paths = $this->allPathsToTarget($target, $intermediate); |
|
| 112 | + if (!count($paths)) { |
|
| 113 | + throw new PathBuildingException("No certification paths."); |
|
| 114 | + } |
|
| 115 | + usort($paths, |
|
| 116 | + function ($a, $b) { |
|
| 117 | + return count($a) < count($b) ? -1 : 1; |
|
| 118 | + }); |
|
| 119 | + return reset($paths); |
|
| 120 | + } |
|
| 121 | 121 | |
| 122 | - /** |
|
| 123 | - * Find all issuers of the target certificate from a given bundle. |
|
| 124 | - * |
|
| 125 | - * @param Certificate $target Target certificate |
|
| 126 | - * @param CertificateBundle $bundle Certificates to search |
|
| 127 | - * @return Certificate[] |
|
| 128 | - */ |
|
| 129 | - protected function _findIssuers(Certificate $target, |
|
| 130 | - CertificateBundle $bundle): array |
|
| 131 | - { |
|
| 132 | - $issuers = array(); |
|
| 133 | - $issuer_name = $target->tbsCertificate()->issuer(); |
|
| 134 | - $extensions = $target->tbsCertificate()->extensions(); |
|
| 135 | - // find by authority key identifier |
|
| 136 | - if ($extensions->hasAuthorityKeyIdentifier()) { |
|
| 137 | - $ext = $extensions->authorityKeyIdentifier(); |
|
| 138 | - if ($ext->hasKeyIdentifier()) { |
|
| 139 | - foreach ($bundle->allBySubjectKeyIdentifier( |
|
| 140 | - $ext->keyIdentifier()) as $issuer) { |
|
| 141 | - // check that issuer name matches |
|
| 142 | - if ($issuer->tbsCertificate() |
|
| 143 | - ->subject() |
|
| 144 | - ->equals($issuer_name)) { |
|
| 145 | - $issuers[] = $issuer; |
|
| 146 | - } |
|
| 147 | - } |
|
| 148 | - } |
|
| 149 | - } |
|
| 150 | - return $issuers; |
|
| 151 | - } |
|
| 122 | + /** |
|
| 123 | + * Find all issuers of the target certificate from a given bundle. |
|
| 124 | + * |
|
| 125 | + * @param Certificate $target Target certificate |
|
| 126 | + * @param CertificateBundle $bundle Certificates to search |
|
| 127 | + * @return Certificate[] |
|
| 128 | + */ |
|
| 129 | + protected function _findIssuers(Certificate $target, |
|
| 130 | + CertificateBundle $bundle): array |
|
| 131 | + { |
|
| 132 | + $issuers = array(); |
|
| 133 | + $issuer_name = $target->tbsCertificate()->issuer(); |
|
| 134 | + $extensions = $target->tbsCertificate()->extensions(); |
|
| 135 | + // find by authority key identifier |
|
| 136 | + if ($extensions->hasAuthorityKeyIdentifier()) { |
|
| 137 | + $ext = $extensions->authorityKeyIdentifier(); |
|
| 138 | + if ($ext->hasKeyIdentifier()) { |
|
| 139 | + foreach ($bundle->allBySubjectKeyIdentifier( |
|
| 140 | + $ext->keyIdentifier()) as $issuer) { |
|
| 141 | + // check that issuer name matches |
|
| 142 | + if ($issuer->tbsCertificate() |
|
| 143 | + ->subject() |
|
| 144 | + ->equals($issuer_name)) { |
|
| 145 | + $issuers[] = $issuer; |
|
| 146 | + } |
|
| 147 | + } |
|
| 148 | + } |
|
| 149 | + } |
|
| 150 | + return $issuers; |
|
| 151 | + } |
|
| 152 | 152 | } |
@@ -1,6 +1,6 @@ discard block |
||
| 1 | 1 | <?php |
| 2 | 2 | |
| 3 | -declare(strict_types = 1); |
|
| 3 | +declare(strict_types=1); |
|
| 4 | 4 | |
| 5 | 5 | namespace X509\CertificationPath\PathBuilding; |
| 6 | 6 | |
@@ -48,7 +48,7 @@ discard block |
||
| 48 | 48 | $paths = $this->_resolvePathsToTarget($target, $intermediate); |
| 49 | 49 | // map paths to CertificationPath objects |
| 50 | 50 | return array_map( |
| 51 | - function ($certs) { |
|
| 51 | + function($certs) { |
|
| 52 | 52 | return new CertificationPath(...$certs); |
| 53 | 53 | }, $paths); |
| 54 | 54 | } |
@@ -113,7 +113,7 @@ discard block |
||
| 113 | 113 | throw new PathBuildingException("No certification paths."); |
| 114 | 114 | } |
| 115 | 115 | usort($paths, |
| 116 | - function ($a, $b) { |
|
| 116 | + function($a, $b) { |
|
| 117 | 117 | return count($a) < count($b) ? -1 : 1; |
| 118 | 118 | }); |
| 119 | 119 | return reset($paths); |
@@ -52,6 +52,7 @@ |
||
| 52 | 52 | * @param PathValidationConfig $config Validation config |
| 53 | 53 | * @param Certificate ...$certificates Certificates from the trust anchor to |
| 54 | 54 | * the end-entity certificate |
| 55 | + * @param Certificate[] $certificates |
|
| 55 | 56 | */ |
| 56 | 57 | public function __construct(Crypto $crypto, PathValidationConfig $config, |
| 57 | 58 | Certificate ...$certificates) |
@@ -17,585 +17,585 @@ |
||
| 17 | 17 | */ |
| 18 | 18 | class PathValidator |
| 19 | 19 | { |
| 20 | - /** |
|
| 21 | - * Crypto engine. |
|
| 22 | - * |
|
| 23 | - * @var Crypto $_crypto |
|
| 24 | - */ |
|
| 25 | - protected $_crypto; |
|
| 20 | + /** |
|
| 21 | + * Crypto engine. |
|
| 22 | + * |
|
| 23 | + * @var Crypto $_crypto |
|
| 24 | + */ |
|
| 25 | + protected $_crypto; |
|
| 26 | 26 | |
| 27 | - /** |
|
| 28 | - * Path validation configuration. |
|
| 29 | - * |
|
| 30 | - * @var PathValidationConfig $_config |
|
| 31 | - */ |
|
| 32 | - protected $_config; |
|
| 27 | + /** |
|
| 28 | + * Path validation configuration. |
|
| 29 | + * |
|
| 30 | + * @var PathValidationConfig $_config |
|
| 31 | + */ |
|
| 32 | + protected $_config; |
|
| 33 | 33 | |
| 34 | - /** |
|
| 35 | - * Certification path. |
|
| 36 | - * |
|
| 37 | - * @var Certificate[] $_certificates |
|
| 38 | - */ |
|
| 39 | - protected $_certificates; |
|
| 34 | + /** |
|
| 35 | + * Certification path. |
|
| 36 | + * |
|
| 37 | + * @var Certificate[] $_certificates |
|
| 38 | + */ |
|
| 39 | + protected $_certificates; |
|
| 40 | 40 | |
| 41 | - /** |
|
| 42 | - * Certification path trust anchor. |
|
| 43 | - * |
|
| 44 | - * @var Certificate $_trustAnchor |
|
| 45 | - */ |
|
| 46 | - protected $_trustAnchor; |
|
| 41 | + /** |
|
| 42 | + * Certification path trust anchor. |
|
| 43 | + * |
|
| 44 | + * @var Certificate $_trustAnchor |
|
| 45 | + */ |
|
| 46 | + protected $_trustAnchor; |
|
| 47 | 47 | |
| 48 | - /** |
|
| 49 | - * Constructor. |
|
| 50 | - * |
|
| 51 | - * @param Crypto $crypto Crypto engine |
|
| 52 | - * @param PathValidationConfig $config Validation config |
|
| 53 | - * @param Certificate ...$certificates Certificates from the trust anchor to |
|
| 54 | - * the end-entity certificate |
|
| 55 | - */ |
|
| 56 | - public function __construct(Crypto $crypto, PathValidationConfig $config, |
|
| 57 | - Certificate ...$certificates) |
|
| 58 | - { |
|
| 59 | - if (!count($certificates)) { |
|
| 60 | - throw new \LogicException("No certificates."); |
|
| 61 | - } |
|
| 62 | - $this->_crypto = $crypto; |
|
| 63 | - $this->_config = $config; |
|
| 64 | - $this->_certificates = $certificates; |
|
| 65 | - // if trust anchor is explicitly given in configuration |
|
| 66 | - if ($config->hasTrustAnchor()) { |
|
| 67 | - $this->_trustAnchor = $config->trustAnchor(); |
|
| 68 | - } else { |
|
| 69 | - $this->_trustAnchor = $certificates[0]; |
|
| 70 | - } |
|
| 71 | - } |
|
| 48 | + /** |
|
| 49 | + * Constructor. |
|
| 50 | + * |
|
| 51 | + * @param Crypto $crypto Crypto engine |
|
| 52 | + * @param PathValidationConfig $config Validation config |
|
| 53 | + * @param Certificate ...$certificates Certificates from the trust anchor to |
|
| 54 | + * the end-entity certificate |
|
| 55 | + */ |
|
| 56 | + public function __construct(Crypto $crypto, PathValidationConfig $config, |
|
| 57 | + Certificate ...$certificates) |
|
| 58 | + { |
|
| 59 | + if (!count($certificates)) { |
|
| 60 | + throw new \LogicException("No certificates."); |
|
| 61 | + } |
|
| 62 | + $this->_crypto = $crypto; |
|
| 63 | + $this->_config = $config; |
|
| 64 | + $this->_certificates = $certificates; |
|
| 65 | + // if trust anchor is explicitly given in configuration |
|
| 66 | + if ($config->hasTrustAnchor()) { |
|
| 67 | + $this->_trustAnchor = $config->trustAnchor(); |
|
| 68 | + } else { |
|
| 69 | + $this->_trustAnchor = $certificates[0]; |
|
| 70 | + } |
|
| 71 | + } |
|
| 72 | 72 | |
| 73 | - /** |
|
| 74 | - * Validate certification path. |
|
| 75 | - * |
|
| 76 | - * @throws PathValidationException |
|
| 77 | - * @return PathValidationResult |
|
| 78 | - */ |
|
| 79 | - public function validate(): PathValidationResult |
|
| 80 | - { |
|
| 81 | - $n = count($this->_certificates); |
|
| 82 | - $state = ValidatorState::initialize($this->_config, $this->_trustAnchor, |
|
| 83 | - $n); |
|
| 84 | - for ($i = 0; $i < $n; ++$i) { |
|
| 85 | - $state = $state->withIndex($i + 1); |
|
| 86 | - $cert = $this->_certificates[$i]; |
|
| 87 | - // process certificate (section 6.1.3.) |
|
| 88 | - $state = $this->_processCertificate($state, $cert); |
|
| 89 | - if (!$state->isFinal()) { |
|
| 90 | - // prepare next certificate (section 6.1.4.) |
|
| 91 | - $state = $this->_prepareNext($state, $cert); |
|
| 92 | - } |
|
| 93 | - } |
|
| 94 | - if (!isset($cert)) { |
|
| 95 | - throw new \LogicException("No certificates."); |
|
| 96 | - } |
|
| 97 | - // wrap-up (section 6.1.5.) |
|
| 98 | - $state = $this->_wrapUp($state, $cert); |
|
| 99 | - // return outputs |
|
| 100 | - return $state->getResult($this->_certificates); |
|
| 101 | - } |
|
| 73 | + /** |
|
| 74 | + * Validate certification path. |
|
| 75 | + * |
|
| 76 | + * @throws PathValidationException |
|
| 77 | + * @return PathValidationResult |
|
| 78 | + */ |
|
| 79 | + public function validate(): PathValidationResult |
|
| 80 | + { |
|
| 81 | + $n = count($this->_certificates); |
|
| 82 | + $state = ValidatorState::initialize($this->_config, $this->_trustAnchor, |
|
| 83 | + $n); |
|
| 84 | + for ($i = 0; $i < $n; ++$i) { |
|
| 85 | + $state = $state->withIndex($i + 1); |
|
| 86 | + $cert = $this->_certificates[$i]; |
|
| 87 | + // process certificate (section 6.1.3.) |
|
| 88 | + $state = $this->_processCertificate($state, $cert); |
|
| 89 | + if (!$state->isFinal()) { |
|
| 90 | + // prepare next certificate (section 6.1.4.) |
|
| 91 | + $state = $this->_prepareNext($state, $cert); |
|
| 92 | + } |
|
| 93 | + } |
|
| 94 | + if (!isset($cert)) { |
|
| 95 | + throw new \LogicException("No certificates."); |
|
| 96 | + } |
|
| 97 | + // wrap-up (section 6.1.5.) |
|
| 98 | + $state = $this->_wrapUp($state, $cert); |
|
| 99 | + // return outputs |
|
| 100 | + return $state->getResult($this->_certificates); |
|
| 101 | + } |
|
| 102 | 102 | |
| 103 | - /** |
|
| 104 | - * Apply basic certificate processing according to RFC 5280 section 6.1.3. |
|
| 105 | - * |
|
| 106 | - * @link https://tools.ietf.org/html/rfc5280#section-6.1.3 |
|
| 107 | - * @param ValidatorState $state |
|
| 108 | - * @param Certificate $cert |
|
| 109 | - * @throws PathValidationException |
|
| 110 | - * @return ValidatorState |
|
| 111 | - */ |
|
| 112 | - private function _processCertificate(ValidatorState $state, Certificate $cert): ValidatorState |
|
| 113 | - { |
|
| 114 | - // (a.1) verify signature |
|
| 115 | - $this->_verifySignature($state, $cert); |
|
| 116 | - // (a.2) check validity period |
|
| 117 | - $this->_checkValidity($cert); |
|
| 118 | - // (a.3) check that certificate is not revoked |
|
| 119 | - $this->_checkRevocation($cert); |
|
| 120 | - // (a.4) check issuer |
|
| 121 | - $this->_checkIssuer($state, $cert); |
|
| 122 | - // (b)(c) if certificate is self-issued and it is not |
|
| 123 | - // the final certificate in the path, skip this step |
|
| 124 | - if (!($cert->isSelfIssued() && !$state->isFinal())) { |
|
| 125 | - // (b) check permitted subtrees |
|
| 126 | - $this->_checkPermittedSubtrees($state, $cert); |
|
| 127 | - // (c) check excluded subtrees |
|
| 128 | - $this->_checkExcludedSubtrees($state, $cert); |
|
| 129 | - } |
|
| 130 | - $extensions = $cert->tbsCertificate()->extensions(); |
|
| 131 | - if ($extensions->hasCertificatePolicies()) { |
|
| 132 | - // (d) process policy information |
|
| 133 | - if ($state->hasValidPolicyTree()) { |
|
| 134 | - $state = $state->validPolicyTree()->processPolicies($state, |
|
| 135 | - $cert); |
|
| 136 | - } |
|
| 137 | - } else { |
|
| 138 | - // (e) certificate policies extension not present, |
|
| 139 | - // set the valid_policy_tree to NULL |
|
| 140 | - $state = $state->withoutValidPolicyTree(); |
|
| 141 | - } |
|
| 142 | - // (f) check that explicit_policy > 0 or valid_policy_tree is set |
|
| 143 | - if (!($state->explicitPolicy() > 0 || $state->hasValidPolicyTree())) { |
|
| 144 | - throw new PathValidationException("No valid policies."); |
|
| 145 | - } |
|
| 146 | - return $state; |
|
| 147 | - } |
|
| 103 | + /** |
|
| 104 | + * Apply basic certificate processing according to RFC 5280 section 6.1.3. |
|
| 105 | + * |
|
| 106 | + * @link https://tools.ietf.org/html/rfc5280#section-6.1.3 |
|
| 107 | + * @param ValidatorState $state |
|
| 108 | + * @param Certificate $cert |
|
| 109 | + * @throws PathValidationException |
|
| 110 | + * @return ValidatorState |
|
| 111 | + */ |
|
| 112 | + private function _processCertificate(ValidatorState $state, Certificate $cert): ValidatorState |
|
| 113 | + { |
|
| 114 | + // (a.1) verify signature |
|
| 115 | + $this->_verifySignature($state, $cert); |
|
| 116 | + // (a.2) check validity period |
|
| 117 | + $this->_checkValidity($cert); |
|
| 118 | + // (a.3) check that certificate is not revoked |
|
| 119 | + $this->_checkRevocation($cert); |
|
| 120 | + // (a.4) check issuer |
|
| 121 | + $this->_checkIssuer($state, $cert); |
|
| 122 | + // (b)(c) if certificate is self-issued and it is not |
|
| 123 | + // the final certificate in the path, skip this step |
|
| 124 | + if (!($cert->isSelfIssued() && !$state->isFinal())) { |
|
| 125 | + // (b) check permitted subtrees |
|
| 126 | + $this->_checkPermittedSubtrees($state, $cert); |
|
| 127 | + // (c) check excluded subtrees |
|
| 128 | + $this->_checkExcludedSubtrees($state, $cert); |
|
| 129 | + } |
|
| 130 | + $extensions = $cert->tbsCertificate()->extensions(); |
|
| 131 | + if ($extensions->hasCertificatePolicies()) { |
|
| 132 | + // (d) process policy information |
|
| 133 | + if ($state->hasValidPolicyTree()) { |
|
| 134 | + $state = $state->validPolicyTree()->processPolicies($state, |
|
| 135 | + $cert); |
|
| 136 | + } |
|
| 137 | + } else { |
|
| 138 | + // (e) certificate policies extension not present, |
|
| 139 | + // set the valid_policy_tree to NULL |
|
| 140 | + $state = $state->withoutValidPolicyTree(); |
|
| 141 | + } |
|
| 142 | + // (f) check that explicit_policy > 0 or valid_policy_tree is set |
|
| 143 | + if (!($state->explicitPolicy() > 0 || $state->hasValidPolicyTree())) { |
|
| 144 | + throw new PathValidationException("No valid policies."); |
|
| 145 | + } |
|
| 146 | + return $state; |
|
| 147 | + } |
|
| 148 | 148 | |
| 149 | - /** |
|
| 150 | - * Apply preparation for the certificate i+1 according to rfc5280 section |
|
| 151 | - * 6.1.4. |
|
| 152 | - * |
|
| 153 | - * @link https://tools.ietf.org/html/rfc5280#section-6.1.4 |
|
| 154 | - * @param ValidatorState $state |
|
| 155 | - * @param Certificate $cert |
|
| 156 | - * @return ValidatorState |
|
| 157 | - */ |
|
| 158 | - private function _prepareNext(ValidatorState $state, Certificate $cert): ValidatorState |
|
| 159 | - { |
|
| 160 | - // (a)(b) if policy mappings extension is present |
|
| 161 | - $state = $this->_preparePolicyMappings($state, $cert); |
|
| 162 | - // (c) assign working_issuer_name |
|
| 163 | - $state = $state->withWorkingIssuerName( |
|
| 164 | - $cert->tbsCertificate() |
|
| 165 | - ->subject()); |
|
| 166 | - // (d)(e)(f) |
|
| 167 | - $state = $this->_setPublicKeyState($state, $cert); |
|
| 168 | - // (g) if name constraints extension is present |
|
| 169 | - $state = $this->_prepareNameConstraints($state, $cert); |
|
| 170 | - // (h) if certificate is not self-issued |
|
| 171 | - if (!$cert->isSelfIssued()) { |
|
| 172 | - $state = $this->_prepareNonSelfIssued($state); |
|
| 173 | - } |
|
| 174 | - // (i) if policy constraints extension is present |
|
| 175 | - $state = $this->_preparePolicyConstraints($state, $cert); |
|
| 176 | - // (j) if inhibit any policy extension is present |
|
| 177 | - $state = $this->_prepareInhibitAnyPolicy($state, $cert); |
|
| 178 | - // (k) check basic constraints |
|
| 179 | - $this->_processBasicContraints($cert); |
|
| 180 | - // (l) verify max_path_length |
|
| 181 | - $state = $this->_verifyMaxPathLength($state, $cert); |
|
| 182 | - // (m) check pathLenContraint |
|
| 183 | - $state = $this->_processPathLengthContraint($state, $cert); |
|
| 184 | - // (n) check key usage |
|
| 185 | - $this->_checkKeyUsage($cert); |
|
| 186 | - // (o) process relevant extensions |
|
| 187 | - $state = $this->_processExtensions($state, $cert); |
|
| 188 | - return $state; |
|
| 189 | - } |
|
| 149 | + /** |
|
| 150 | + * Apply preparation for the certificate i+1 according to rfc5280 section |
|
| 151 | + * 6.1.4. |
|
| 152 | + * |
|
| 153 | + * @link https://tools.ietf.org/html/rfc5280#section-6.1.4 |
|
| 154 | + * @param ValidatorState $state |
|
| 155 | + * @param Certificate $cert |
|
| 156 | + * @return ValidatorState |
|
| 157 | + */ |
|
| 158 | + private function _prepareNext(ValidatorState $state, Certificate $cert): ValidatorState |
|
| 159 | + { |
|
| 160 | + // (a)(b) if policy mappings extension is present |
|
| 161 | + $state = $this->_preparePolicyMappings($state, $cert); |
|
| 162 | + // (c) assign working_issuer_name |
|
| 163 | + $state = $state->withWorkingIssuerName( |
|
| 164 | + $cert->tbsCertificate() |
|
| 165 | + ->subject()); |
|
| 166 | + // (d)(e)(f) |
|
| 167 | + $state = $this->_setPublicKeyState($state, $cert); |
|
| 168 | + // (g) if name constraints extension is present |
|
| 169 | + $state = $this->_prepareNameConstraints($state, $cert); |
|
| 170 | + // (h) if certificate is not self-issued |
|
| 171 | + if (!$cert->isSelfIssued()) { |
|
| 172 | + $state = $this->_prepareNonSelfIssued($state); |
|
| 173 | + } |
|
| 174 | + // (i) if policy constraints extension is present |
|
| 175 | + $state = $this->_preparePolicyConstraints($state, $cert); |
|
| 176 | + // (j) if inhibit any policy extension is present |
|
| 177 | + $state = $this->_prepareInhibitAnyPolicy($state, $cert); |
|
| 178 | + // (k) check basic constraints |
|
| 179 | + $this->_processBasicContraints($cert); |
|
| 180 | + // (l) verify max_path_length |
|
| 181 | + $state = $this->_verifyMaxPathLength($state, $cert); |
|
| 182 | + // (m) check pathLenContraint |
|
| 183 | + $state = $this->_processPathLengthContraint($state, $cert); |
|
| 184 | + // (n) check key usage |
|
| 185 | + $this->_checkKeyUsage($cert); |
|
| 186 | + // (o) process relevant extensions |
|
| 187 | + $state = $this->_processExtensions($state, $cert); |
|
| 188 | + return $state; |
|
| 189 | + } |
|
| 190 | 190 | |
| 191 | - /** |
|
| 192 | - * Apply wrap-up procedure according to RFC 5280 section 6.1.5. |
|
| 193 | - * |
|
| 194 | - * @link https://tools.ietf.org/html/rfc5280#section-6.1.5 |
|
| 195 | - * @param ValidatorState $state |
|
| 196 | - * @param Certificate $cert |
|
| 197 | - * @throws PathValidationException |
|
| 198 | - * @return ValidatorState |
|
| 199 | - */ |
|
| 200 | - private function _wrapUp(ValidatorState $state, Certificate $cert): ValidatorState |
|
| 201 | - { |
|
| 202 | - $tbs_cert = $cert->tbsCertificate(); |
|
| 203 | - $extensions = $tbs_cert->extensions(); |
|
| 204 | - // (a) |
|
| 205 | - if ($state->explicitPolicy() > 0) { |
|
| 206 | - $state = $state->withExplicitPolicy($state->explicitPolicy() - 1); |
|
| 207 | - } |
|
| 208 | - // (b) |
|
| 209 | - if ($extensions->hasPolicyConstraints()) { |
|
| 210 | - $ext = $extensions->policyConstraints(); |
|
| 211 | - if ($ext->hasRequireExplicitPolicy() && |
|
| 212 | - $ext->requireExplicitPolicy() == 0) { |
|
| 213 | - $state = $state->withExplicitPolicy(0); |
|
| 214 | - } |
|
| 215 | - } |
|
| 216 | - // (c)(d)(e) |
|
| 217 | - $state = $this->_setPublicKeyState($state, $cert); |
|
| 218 | - // (f) process relevant extensions |
|
| 219 | - $state = $this->_processExtensions($state, $cert); |
|
| 220 | - // (g) intersection of valid_policy_tree and the initial-policy-set |
|
| 221 | - $state = $this->_calculatePolicyIntersection($state); |
|
| 222 | - // check that explicit_policy > 0 or valid_policy_tree is set |
|
| 223 | - if (!($state->explicitPolicy() > 0 || $state->hasValidPolicyTree())) { |
|
| 224 | - throw new PathValidationException("No valid policies."); |
|
| 225 | - } |
|
| 226 | - // path validation succeeded |
|
| 227 | - return $state; |
|
| 228 | - } |
|
| 191 | + /** |
|
| 192 | + * Apply wrap-up procedure according to RFC 5280 section 6.1.5. |
|
| 193 | + * |
|
| 194 | + * @link https://tools.ietf.org/html/rfc5280#section-6.1.5 |
|
| 195 | + * @param ValidatorState $state |
|
| 196 | + * @param Certificate $cert |
|
| 197 | + * @throws PathValidationException |
|
| 198 | + * @return ValidatorState |
|
| 199 | + */ |
|
| 200 | + private function _wrapUp(ValidatorState $state, Certificate $cert): ValidatorState |
|
| 201 | + { |
|
| 202 | + $tbs_cert = $cert->tbsCertificate(); |
|
| 203 | + $extensions = $tbs_cert->extensions(); |
|
| 204 | + // (a) |
|
| 205 | + if ($state->explicitPolicy() > 0) { |
|
| 206 | + $state = $state->withExplicitPolicy($state->explicitPolicy() - 1); |
|
| 207 | + } |
|
| 208 | + // (b) |
|
| 209 | + if ($extensions->hasPolicyConstraints()) { |
|
| 210 | + $ext = $extensions->policyConstraints(); |
|
| 211 | + if ($ext->hasRequireExplicitPolicy() && |
|
| 212 | + $ext->requireExplicitPolicy() == 0) { |
|
| 213 | + $state = $state->withExplicitPolicy(0); |
|
| 214 | + } |
|
| 215 | + } |
|
| 216 | + // (c)(d)(e) |
|
| 217 | + $state = $this->_setPublicKeyState($state, $cert); |
|
| 218 | + // (f) process relevant extensions |
|
| 219 | + $state = $this->_processExtensions($state, $cert); |
|
| 220 | + // (g) intersection of valid_policy_tree and the initial-policy-set |
|
| 221 | + $state = $this->_calculatePolicyIntersection($state); |
|
| 222 | + // check that explicit_policy > 0 or valid_policy_tree is set |
|
| 223 | + if (!($state->explicitPolicy() > 0 || $state->hasValidPolicyTree())) { |
|
| 224 | + throw new PathValidationException("No valid policies."); |
|
| 225 | + } |
|
| 226 | + // path validation succeeded |
|
| 227 | + return $state; |
|
| 228 | + } |
|
| 229 | 229 | |
| 230 | - /** |
|
| 231 | - * Update working_public_key, working_public_key_parameters and |
|
| 232 | - * working_public_key_algorithm state variables from certificate. |
|
| 233 | - * |
|
| 234 | - * @param ValidatorState $state |
|
| 235 | - * @param Certificate $cert |
|
| 236 | - * @return ValidatorState |
|
| 237 | - */ |
|
| 238 | - private function _setPublicKeyState(ValidatorState $state, Certificate $cert): ValidatorState |
|
| 239 | - { |
|
| 240 | - $pk_info = $cert->tbsCertificate()->subjectPublicKeyInfo(); |
|
| 241 | - // assign working_public_key |
|
| 242 | - $state = $state->withWorkingPublicKey($pk_info); |
|
| 243 | - // assign working_public_key_parameters |
|
| 244 | - $params = ValidatorState::getAlgorithmParameters( |
|
| 245 | - $pk_info->algorithmIdentifier()); |
|
| 246 | - if (null !== $params) { |
|
| 247 | - $state = $state->withWorkingPublicKeyParameters($params); |
|
| 248 | - } else { |
|
| 249 | - // if algorithms differ, set parameters to null |
|
| 250 | - if ($pk_info->algorithmIdentifier()->oid() !== |
|
| 251 | - $state->workingPublicKeyAlgorithm()->oid()) { |
|
| 252 | - $state = $state->withWorkingPublicKeyParameters(null); |
|
| 253 | - } |
|
| 254 | - } |
|
| 255 | - // assign working_public_key_algorithm |
|
| 256 | - $state = $state->withWorkingPublicKeyAlgorithm( |
|
| 257 | - $pk_info->algorithmIdentifier()); |
|
| 258 | - return $state; |
|
| 259 | - } |
|
| 230 | + /** |
|
| 231 | + * Update working_public_key, working_public_key_parameters and |
|
| 232 | + * working_public_key_algorithm state variables from certificate. |
|
| 233 | + * |
|
| 234 | + * @param ValidatorState $state |
|
| 235 | + * @param Certificate $cert |
|
| 236 | + * @return ValidatorState |
|
| 237 | + */ |
|
| 238 | + private function _setPublicKeyState(ValidatorState $state, Certificate $cert): ValidatorState |
|
| 239 | + { |
|
| 240 | + $pk_info = $cert->tbsCertificate()->subjectPublicKeyInfo(); |
|
| 241 | + // assign working_public_key |
|
| 242 | + $state = $state->withWorkingPublicKey($pk_info); |
|
| 243 | + // assign working_public_key_parameters |
|
| 244 | + $params = ValidatorState::getAlgorithmParameters( |
|
| 245 | + $pk_info->algorithmIdentifier()); |
|
| 246 | + if (null !== $params) { |
|
| 247 | + $state = $state->withWorkingPublicKeyParameters($params); |
|
| 248 | + } else { |
|
| 249 | + // if algorithms differ, set parameters to null |
|
| 250 | + if ($pk_info->algorithmIdentifier()->oid() !== |
|
| 251 | + $state->workingPublicKeyAlgorithm()->oid()) { |
|
| 252 | + $state = $state->withWorkingPublicKeyParameters(null); |
|
| 253 | + } |
|
| 254 | + } |
|
| 255 | + // assign working_public_key_algorithm |
|
| 256 | + $state = $state->withWorkingPublicKeyAlgorithm( |
|
| 257 | + $pk_info->algorithmIdentifier()); |
|
| 258 | + return $state; |
|
| 259 | + } |
|
| 260 | 260 | |
| 261 | - /** |
|
| 262 | - * Verify certificate signature. |
|
| 263 | - * |
|
| 264 | - * @param ValidatorState $state |
|
| 265 | - * @param Certificate $cert |
|
| 266 | - * @throws PathValidationException |
|
| 267 | - */ |
|
| 268 | - private function _verifySignature(ValidatorState $state, Certificate $cert) |
|
| 269 | - { |
|
| 270 | - try { |
|
| 271 | - $valid = $cert->verify($state->workingPublicKey(), $this->_crypto); |
|
| 272 | - } catch (\RuntimeException $e) { |
|
| 273 | - throw new PathValidationException( |
|
| 274 | - "Failed to verify signature: " . $e->getMessage(), 0, $e); |
|
| 275 | - } |
|
| 276 | - if (!$valid) { |
|
| 277 | - throw new PathValidationException( |
|
| 278 | - "Certificate signature doesn't match."); |
|
| 279 | - } |
|
| 280 | - } |
|
| 261 | + /** |
|
| 262 | + * Verify certificate signature. |
|
| 263 | + * |
|
| 264 | + * @param ValidatorState $state |
|
| 265 | + * @param Certificate $cert |
|
| 266 | + * @throws PathValidationException |
|
| 267 | + */ |
|
| 268 | + private function _verifySignature(ValidatorState $state, Certificate $cert) |
|
| 269 | + { |
|
| 270 | + try { |
|
| 271 | + $valid = $cert->verify($state->workingPublicKey(), $this->_crypto); |
|
| 272 | + } catch (\RuntimeException $e) { |
|
| 273 | + throw new PathValidationException( |
|
| 274 | + "Failed to verify signature: " . $e->getMessage(), 0, $e); |
|
| 275 | + } |
|
| 276 | + if (!$valid) { |
|
| 277 | + throw new PathValidationException( |
|
| 278 | + "Certificate signature doesn't match."); |
|
| 279 | + } |
|
| 280 | + } |
|
| 281 | 281 | |
| 282 | - /** |
|
| 283 | - * Check certificate validity. |
|
| 284 | - * |
|
| 285 | - * @param Certificate $cert |
|
| 286 | - * @throws PathValidationException |
|
| 287 | - */ |
|
| 288 | - private function _checkValidity(Certificate $cert) |
|
| 289 | - { |
|
| 290 | - $refdt = $this->_config->dateTime(); |
|
| 291 | - $validity = $cert->tbsCertificate()->validity(); |
|
| 292 | - if ($validity->notBefore() |
|
| 293 | - ->dateTime() |
|
| 294 | - ->diff($refdt)->invert) { |
|
| 295 | - throw new PathValidationException( |
|
| 296 | - "Certificate validity period has not started."); |
|
| 297 | - } |
|
| 298 | - if ($refdt->diff($validity->notAfter() |
|
| 299 | - ->dateTime())->invert) { |
|
| 300 | - throw new PathValidationException("Certificate has expired."); |
|
| 301 | - } |
|
| 302 | - } |
|
| 282 | + /** |
|
| 283 | + * Check certificate validity. |
|
| 284 | + * |
|
| 285 | + * @param Certificate $cert |
|
| 286 | + * @throws PathValidationException |
|
| 287 | + */ |
|
| 288 | + private function _checkValidity(Certificate $cert) |
|
| 289 | + { |
|
| 290 | + $refdt = $this->_config->dateTime(); |
|
| 291 | + $validity = $cert->tbsCertificate()->validity(); |
|
| 292 | + if ($validity->notBefore() |
|
| 293 | + ->dateTime() |
|
| 294 | + ->diff($refdt)->invert) { |
|
| 295 | + throw new PathValidationException( |
|
| 296 | + "Certificate validity period has not started."); |
|
| 297 | + } |
|
| 298 | + if ($refdt->diff($validity->notAfter() |
|
| 299 | + ->dateTime())->invert) { |
|
| 300 | + throw new PathValidationException("Certificate has expired."); |
|
| 301 | + } |
|
| 302 | + } |
|
| 303 | 303 | |
| 304 | - /** |
|
| 305 | - * Check certificate revocation. |
|
| 306 | - * |
|
| 307 | - * @param Certificate $cert |
|
| 308 | - */ |
|
| 309 | - private function _checkRevocation(Certificate $cert) |
|
| 310 | - { |
|
| 311 | - // @todo Implement CRL handling |
|
| 312 | - } |
|
| 304 | + /** |
|
| 305 | + * Check certificate revocation. |
|
| 306 | + * |
|
| 307 | + * @param Certificate $cert |
|
| 308 | + */ |
|
| 309 | + private function _checkRevocation(Certificate $cert) |
|
| 310 | + { |
|
| 311 | + // @todo Implement CRL handling |
|
| 312 | + } |
|
| 313 | 313 | |
| 314 | - /** |
|
| 315 | - * Check certificate issuer. |
|
| 316 | - * |
|
| 317 | - * @param ValidatorState $state |
|
| 318 | - * @param Certificate $cert |
|
| 319 | - * @throws PathValidationException |
|
| 320 | - */ |
|
| 321 | - private function _checkIssuer(ValidatorState $state, Certificate $cert) |
|
| 322 | - { |
|
| 323 | - if (!$cert->tbsCertificate() |
|
| 324 | - ->issuer() |
|
| 325 | - ->equals($state->workingIssuerName())) { |
|
| 326 | - throw new PathValidationException("Certification issuer mismatch."); |
|
| 327 | - } |
|
| 328 | - } |
|
| 314 | + /** |
|
| 315 | + * Check certificate issuer. |
|
| 316 | + * |
|
| 317 | + * @param ValidatorState $state |
|
| 318 | + * @param Certificate $cert |
|
| 319 | + * @throws PathValidationException |
|
| 320 | + */ |
|
| 321 | + private function _checkIssuer(ValidatorState $state, Certificate $cert) |
|
| 322 | + { |
|
| 323 | + if (!$cert->tbsCertificate() |
|
| 324 | + ->issuer() |
|
| 325 | + ->equals($state->workingIssuerName())) { |
|
| 326 | + throw new PathValidationException("Certification issuer mismatch."); |
|
| 327 | + } |
|
| 328 | + } |
|
| 329 | 329 | |
| 330 | - /** |
|
| 331 | - * |
|
| 332 | - * @param ValidatorState $state |
|
| 333 | - * @param Certificate $cert |
|
| 334 | - */ |
|
| 335 | - private function _checkPermittedSubtrees(ValidatorState $state, |
|
| 336 | - Certificate $cert) |
|
| 337 | - { |
|
| 338 | - // @todo Implement |
|
| 339 | - $state->permittedSubtrees(); |
|
| 340 | - } |
|
| 330 | + /** |
|
| 331 | + * |
|
| 332 | + * @param ValidatorState $state |
|
| 333 | + * @param Certificate $cert |
|
| 334 | + */ |
|
| 335 | + private function _checkPermittedSubtrees(ValidatorState $state, |
|
| 336 | + Certificate $cert) |
|
| 337 | + { |
|
| 338 | + // @todo Implement |
|
| 339 | + $state->permittedSubtrees(); |
|
| 340 | + } |
|
| 341 | 341 | |
| 342 | - /** |
|
| 343 | - * |
|
| 344 | - * @param ValidatorState $state |
|
| 345 | - * @param Certificate $cert |
|
| 346 | - */ |
|
| 347 | - private function _checkExcludedSubtrees(ValidatorState $state, |
|
| 348 | - Certificate $cert) |
|
| 349 | - { |
|
| 350 | - // @todo Implement |
|
| 351 | - $state->excludedSubtrees(); |
|
| 352 | - } |
|
| 342 | + /** |
|
| 343 | + * |
|
| 344 | + * @param ValidatorState $state |
|
| 345 | + * @param Certificate $cert |
|
| 346 | + */ |
|
| 347 | + private function _checkExcludedSubtrees(ValidatorState $state, |
|
| 348 | + Certificate $cert) |
|
| 349 | + { |
|
| 350 | + // @todo Implement |
|
| 351 | + $state->excludedSubtrees(); |
|
| 352 | + } |
|
| 353 | 353 | |
| 354 | - /** |
|
| 355 | - * Apply policy mappings handling for the preparation step. |
|
| 356 | - * |
|
| 357 | - * @param ValidatorState $state |
|
| 358 | - * @param Certificate $cert |
|
| 359 | - * @throws PathValidationException |
|
| 360 | - * @return ValidatorState |
|
| 361 | - */ |
|
| 362 | - private function _preparePolicyMappings(ValidatorState $state, |
|
| 363 | - Certificate $cert): ValidatorState |
|
| 364 | - { |
|
| 365 | - $extensions = $cert->tbsCertificate()->extensions(); |
|
| 366 | - if ($extensions->hasPolicyMappings()) { |
|
| 367 | - // (a) verify that anyPolicy mapping is not used |
|
| 368 | - if ($extensions->policyMappings()->hasAnyPolicyMapping()) { |
|
| 369 | - throw new PathValidationException("anyPolicy mapping found."); |
|
| 370 | - } |
|
| 371 | - // (b) process policy mappings |
|
| 372 | - if ($state->hasValidPolicyTree()) { |
|
| 373 | - $state = $state->validPolicyTree()->processMappings($state, |
|
| 374 | - $cert); |
|
| 375 | - } |
|
| 376 | - } |
|
| 377 | - return $state; |
|
| 378 | - } |
|
| 354 | + /** |
|
| 355 | + * Apply policy mappings handling for the preparation step. |
|
| 356 | + * |
|
| 357 | + * @param ValidatorState $state |
|
| 358 | + * @param Certificate $cert |
|
| 359 | + * @throws PathValidationException |
|
| 360 | + * @return ValidatorState |
|
| 361 | + */ |
|
| 362 | + private function _preparePolicyMappings(ValidatorState $state, |
|
| 363 | + Certificate $cert): ValidatorState |
|
| 364 | + { |
|
| 365 | + $extensions = $cert->tbsCertificate()->extensions(); |
|
| 366 | + if ($extensions->hasPolicyMappings()) { |
|
| 367 | + // (a) verify that anyPolicy mapping is not used |
|
| 368 | + if ($extensions->policyMappings()->hasAnyPolicyMapping()) { |
|
| 369 | + throw new PathValidationException("anyPolicy mapping found."); |
|
| 370 | + } |
|
| 371 | + // (b) process policy mappings |
|
| 372 | + if ($state->hasValidPolicyTree()) { |
|
| 373 | + $state = $state->validPolicyTree()->processMappings($state, |
|
| 374 | + $cert); |
|
| 375 | + } |
|
| 376 | + } |
|
| 377 | + return $state; |
|
| 378 | + } |
|
| 379 | 379 | |
| 380 | - /** |
|
| 381 | - * Apply name constraints handling for the preparation step. |
|
| 382 | - * |
|
| 383 | - * @param ValidatorState $state |
|
| 384 | - * @param Certificate $cert |
|
| 385 | - * @return ValidatorState |
|
| 386 | - */ |
|
| 387 | - private function _prepareNameConstraints(ValidatorState $state, |
|
| 388 | - Certificate $cert): ValidatorState |
|
| 389 | - { |
|
| 390 | - $extensions = $cert->tbsCertificate()->extensions(); |
|
| 391 | - if ($extensions->hasNameConstraints()) { |
|
| 392 | - $state = $this->_processNameConstraints($state, $cert); |
|
| 393 | - } |
|
| 394 | - return $state; |
|
| 395 | - } |
|
| 380 | + /** |
|
| 381 | + * Apply name constraints handling for the preparation step. |
|
| 382 | + * |
|
| 383 | + * @param ValidatorState $state |
|
| 384 | + * @param Certificate $cert |
|
| 385 | + * @return ValidatorState |
|
| 386 | + */ |
|
| 387 | + private function _prepareNameConstraints(ValidatorState $state, |
|
| 388 | + Certificate $cert): ValidatorState |
|
| 389 | + { |
|
| 390 | + $extensions = $cert->tbsCertificate()->extensions(); |
|
| 391 | + if ($extensions->hasNameConstraints()) { |
|
| 392 | + $state = $this->_processNameConstraints($state, $cert); |
|
| 393 | + } |
|
| 394 | + return $state; |
|
| 395 | + } |
|
| 396 | 396 | |
| 397 | - /** |
|
| 398 | - * Apply preparation for a non-self-signed certificate. |
|
| 399 | - * |
|
| 400 | - * @param ValidatorState $state |
|
| 401 | - * @return ValidatorState |
|
| 402 | - */ |
|
| 403 | - private function _prepareNonSelfIssued(ValidatorState $state): ValidatorState |
|
| 404 | - { |
|
| 405 | - // (h.1) |
|
| 406 | - if ($state->explicitPolicy() > 0) { |
|
| 407 | - $state = $state->withExplicitPolicy($state->explicitPolicy() - 1); |
|
| 408 | - } |
|
| 409 | - // (h.2) |
|
| 410 | - if ($state->policyMapping() > 0) { |
|
| 411 | - $state = $state->withPolicyMapping($state->policyMapping() - 1); |
|
| 412 | - } |
|
| 413 | - // (h.3) |
|
| 414 | - if ($state->inhibitAnyPolicy() > 0) { |
|
| 415 | - $state = $state->withInhibitAnyPolicy( |
|
| 416 | - $state->inhibitAnyPolicy() - 1); |
|
| 417 | - } |
|
| 418 | - return $state; |
|
| 419 | - } |
|
| 397 | + /** |
|
| 398 | + * Apply preparation for a non-self-signed certificate. |
|
| 399 | + * |
|
| 400 | + * @param ValidatorState $state |
|
| 401 | + * @return ValidatorState |
|
| 402 | + */ |
|
| 403 | + private function _prepareNonSelfIssued(ValidatorState $state): ValidatorState |
|
| 404 | + { |
|
| 405 | + // (h.1) |
|
| 406 | + if ($state->explicitPolicy() > 0) { |
|
| 407 | + $state = $state->withExplicitPolicy($state->explicitPolicy() - 1); |
|
| 408 | + } |
|
| 409 | + // (h.2) |
|
| 410 | + if ($state->policyMapping() > 0) { |
|
| 411 | + $state = $state->withPolicyMapping($state->policyMapping() - 1); |
|
| 412 | + } |
|
| 413 | + // (h.3) |
|
| 414 | + if ($state->inhibitAnyPolicy() > 0) { |
|
| 415 | + $state = $state->withInhibitAnyPolicy( |
|
| 416 | + $state->inhibitAnyPolicy() - 1); |
|
| 417 | + } |
|
| 418 | + return $state; |
|
| 419 | + } |
|
| 420 | 420 | |
| 421 | - /** |
|
| 422 | - * Apply policy constraints handling for the preparation step. |
|
| 423 | - * |
|
| 424 | - * @param ValidatorState $state |
|
| 425 | - * @param Certificate $cert |
|
| 426 | - * @return ValidatorState |
|
| 427 | - */ |
|
| 428 | - private function _preparePolicyConstraints(ValidatorState $state, |
|
| 429 | - Certificate $cert): ValidatorState |
|
| 430 | - { |
|
| 431 | - $extensions = $cert->tbsCertificate()->extensions(); |
|
| 432 | - if (!$extensions->hasPolicyConstraints()) { |
|
| 433 | - return $state; |
|
| 434 | - } |
|
| 435 | - $ext = $extensions->policyConstraints(); |
|
| 436 | - // (i.1) |
|
| 437 | - if ($ext->hasRequireExplicitPolicy() && |
|
| 438 | - $ext->requireExplicitPolicy() < $state->explicitPolicy()) { |
|
| 439 | - $state = $state->withExplicitPolicy($ext->requireExplicitPolicy()); |
|
| 440 | - } |
|
| 441 | - // (i.2) |
|
| 442 | - if ($ext->hasInhibitPolicyMapping() && |
|
| 443 | - $ext->inhibitPolicyMapping() < $state->policyMapping()) { |
|
| 444 | - $state = $state->withPolicyMapping($ext->inhibitPolicyMapping()); |
|
| 445 | - } |
|
| 446 | - return $state; |
|
| 447 | - } |
|
| 421 | + /** |
|
| 422 | + * Apply policy constraints handling for the preparation step. |
|
| 423 | + * |
|
| 424 | + * @param ValidatorState $state |
|
| 425 | + * @param Certificate $cert |
|
| 426 | + * @return ValidatorState |
|
| 427 | + */ |
|
| 428 | + private function _preparePolicyConstraints(ValidatorState $state, |
|
| 429 | + Certificate $cert): ValidatorState |
|
| 430 | + { |
|
| 431 | + $extensions = $cert->tbsCertificate()->extensions(); |
|
| 432 | + if (!$extensions->hasPolicyConstraints()) { |
|
| 433 | + return $state; |
|
| 434 | + } |
|
| 435 | + $ext = $extensions->policyConstraints(); |
|
| 436 | + // (i.1) |
|
| 437 | + if ($ext->hasRequireExplicitPolicy() && |
|
| 438 | + $ext->requireExplicitPolicy() < $state->explicitPolicy()) { |
|
| 439 | + $state = $state->withExplicitPolicy($ext->requireExplicitPolicy()); |
|
| 440 | + } |
|
| 441 | + // (i.2) |
|
| 442 | + if ($ext->hasInhibitPolicyMapping() && |
|
| 443 | + $ext->inhibitPolicyMapping() < $state->policyMapping()) { |
|
| 444 | + $state = $state->withPolicyMapping($ext->inhibitPolicyMapping()); |
|
| 445 | + } |
|
| 446 | + return $state; |
|
| 447 | + } |
|
| 448 | 448 | |
| 449 | - /** |
|
| 450 | - * Apply inhibit any-policy handling for the preparation step. |
|
| 451 | - * |
|
| 452 | - * @param ValidatorState $state |
|
| 453 | - * @param Certificate $cert |
|
| 454 | - * @return ValidatorState |
|
| 455 | - */ |
|
| 456 | - private function _prepareInhibitAnyPolicy(ValidatorState $state, |
|
| 457 | - Certificate $cert): ValidatorState |
|
| 458 | - { |
|
| 459 | - $extensions = $cert->tbsCertificate()->extensions(); |
|
| 460 | - if ($extensions->hasInhibitAnyPolicy()) { |
|
| 461 | - $ext = $extensions->inhibitAnyPolicy(); |
|
| 462 | - if ($ext->skipCerts() < $state->inhibitAnyPolicy()) { |
|
| 463 | - $state = $state->withInhibitAnyPolicy($ext->skipCerts()); |
|
| 464 | - } |
|
| 465 | - } |
|
| 466 | - return $state; |
|
| 467 | - } |
|
| 449 | + /** |
|
| 450 | + * Apply inhibit any-policy handling for the preparation step. |
|
| 451 | + * |
|
| 452 | + * @param ValidatorState $state |
|
| 453 | + * @param Certificate $cert |
|
| 454 | + * @return ValidatorState |
|
| 455 | + */ |
|
| 456 | + private function _prepareInhibitAnyPolicy(ValidatorState $state, |
|
| 457 | + Certificate $cert): ValidatorState |
|
| 458 | + { |
|
| 459 | + $extensions = $cert->tbsCertificate()->extensions(); |
|
| 460 | + if ($extensions->hasInhibitAnyPolicy()) { |
|
| 461 | + $ext = $extensions->inhibitAnyPolicy(); |
|
| 462 | + if ($ext->skipCerts() < $state->inhibitAnyPolicy()) { |
|
| 463 | + $state = $state->withInhibitAnyPolicy($ext->skipCerts()); |
|
| 464 | + } |
|
| 465 | + } |
|
| 466 | + return $state; |
|
| 467 | + } |
|
| 468 | 468 | |
| 469 | - /** |
|
| 470 | - * Verify maximum certification path length for the preparation step. |
|
| 471 | - * |
|
| 472 | - * @param ValidatorState $state |
|
| 473 | - * @param Certificate $cert |
|
| 474 | - * @throws PathValidationException |
|
| 475 | - * @return ValidatorState |
|
| 476 | - */ |
|
| 477 | - private function _verifyMaxPathLength(ValidatorState $state, |
|
| 478 | - Certificate $cert): ValidatorState |
|
| 479 | - { |
|
| 480 | - if (!$cert->isSelfIssued()) { |
|
| 481 | - if ($state->maxPathLength() <= 0) { |
|
| 482 | - throw new PathValidationException( |
|
| 483 | - "Certification path length exceeded."); |
|
| 484 | - } |
|
| 485 | - $state = $state->withMaxPathLength($state->maxPathLength() - 1); |
|
| 486 | - } |
|
| 487 | - return $state; |
|
| 488 | - } |
|
| 469 | + /** |
|
| 470 | + * Verify maximum certification path length for the preparation step. |
|
| 471 | + * |
|
| 472 | + * @param ValidatorState $state |
|
| 473 | + * @param Certificate $cert |
|
| 474 | + * @throws PathValidationException |
|
| 475 | + * @return ValidatorState |
|
| 476 | + */ |
|
| 477 | + private function _verifyMaxPathLength(ValidatorState $state, |
|
| 478 | + Certificate $cert): ValidatorState |
|
| 479 | + { |
|
| 480 | + if (!$cert->isSelfIssued()) { |
|
| 481 | + if ($state->maxPathLength() <= 0) { |
|
| 482 | + throw new PathValidationException( |
|
| 483 | + "Certification path length exceeded."); |
|
| 484 | + } |
|
| 485 | + $state = $state->withMaxPathLength($state->maxPathLength() - 1); |
|
| 486 | + } |
|
| 487 | + return $state; |
|
| 488 | + } |
|
| 489 | 489 | |
| 490 | - /** |
|
| 491 | - * Check key usage extension for the preparation step. |
|
| 492 | - * |
|
| 493 | - * @param Certificate $cert |
|
| 494 | - * @throws PathValidationException |
|
| 495 | - */ |
|
| 496 | - private function _checkKeyUsage(Certificate $cert) |
|
| 497 | - { |
|
| 498 | - $extensions = $cert->tbsCertificate()->extensions(); |
|
| 499 | - if ($extensions->hasKeyUsage()) { |
|
| 500 | - $ext = $extensions->keyUsage(); |
|
| 501 | - if (!$ext->isKeyCertSign()) { |
|
| 502 | - throw new PathValidationException("keyCertSign usage not set."); |
|
| 503 | - } |
|
| 504 | - } |
|
| 505 | - } |
|
| 490 | + /** |
|
| 491 | + * Check key usage extension for the preparation step. |
|
| 492 | + * |
|
| 493 | + * @param Certificate $cert |
|
| 494 | + * @throws PathValidationException |
|
| 495 | + */ |
|
| 496 | + private function _checkKeyUsage(Certificate $cert) |
|
| 497 | + { |
|
| 498 | + $extensions = $cert->tbsCertificate()->extensions(); |
|
| 499 | + if ($extensions->hasKeyUsage()) { |
|
| 500 | + $ext = $extensions->keyUsage(); |
|
| 501 | + if (!$ext->isKeyCertSign()) { |
|
| 502 | + throw new PathValidationException("keyCertSign usage not set."); |
|
| 503 | + } |
|
| 504 | + } |
|
| 505 | + } |
|
| 506 | 506 | |
| 507 | - /** |
|
| 508 | - * |
|
| 509 | - * @param ValidatorState $state |
|
| 510 | - * @param Certificate $cert |
|
| 511 | - * @return ValidatorState |
|
| 512 | - */ |
|
| 513 | - private function _processNameConstraints(ValidatorState $state, |
|
| 514 | - Certificate $cert): ValidatorState |
|
| 515 | - { |
|
| 516 | - // @todo Implement |
|
| 517 | - return $state; |
|
| 518 | - } |
|
| 507 | + /** |
|
| 508 | + * |
|
| 509 | + * @param ValidatorState $state |
|
| 510 | + * @param Certificate $cert |
|
| 511 | + * @return ValidatorState |
|
| 512 | + */ |
|
| 513 | + private function _processNameConstraints(ValidatorState $state, |
|
| 514 | + Certificate $cert): ValidatorState |
|
| 515 | + { |
|
| 516 | + // @todo Implement |
|
| 517 | + return $state; |
|
| 518 | + } |
|
| 519 | 519 | |
| 520 | - /** |
|
| 521 | - * Process basic constraints extension. |
|
| 522 | - * |
|
| 523 | - * @param Certificate $cert |
|
| 524 | - * @throws PathValidationException |
|
| 525 | - */ |
|
| 526 | - private function _processBasicContraints(Certificate $cert) |
|
| 527 | - { |
|
| 528 | - if ($cert->tbsCertificate()->version() == TBSCertificate::VERSION_3) { |
|
| 529 | - $extensions = $cert->tbsCertificate()->extensions(); |
|
| 530 | - if (!$extensions->hasBasicConstraints()) { |
|
| 531 | - throw new PathValidationException( |
|
| 532 | - "v3 certificate must have basicConstraints extension."); |
|
| 533 | - } |
|
| 534 | - // verify that cA is set to TRUE |
|
| 535 | - if (!$extensions->basicConstraints()->isCA()) { |
|
| 536 | - throw new PathValidationException( |
|
| 537 | - "Certificate is not a CA certificate."); |
|
| 538 | - } |
|
| 539 | - } |
|
| 540 | - } |
|
| 520 | + /** |
|
| 521 | + * Process basic constraints extension. |
|
| 522 | + * |
|
| 523 | + * @param Certificate $cert |
|
| 524 | + * @throws PathValidationException |
|
| 525 | + */ |
|
| 526 | + private function _processBasicContraints(Certificate $cert) |
|
| 527 | + { |
|
| 528 | + if ($cert->tbsCertificate()->version() == TBSCertificate::VERSION_3) { |
|
| 529 | + $extensions = $cert->tbsCertificate()->extensions(); |
|
| 530 | + if (!$extensions->hasBasicConstraints()) { |
|
| 531 | + throw new PathValidationException( |
|
| 532 | + "v3 certificate must have basicConstraints extension."); |
|
| 533 | + } |
|
| 534 | + // verify that cA is set to TRUE |
|
| 535 | + if (!$extensions->basicConstraints()->isCA()) { |
|
| 536 | + throw new PathValidationException( |
|
| 537 | + "Certificate is not a CA certificate."); |
|
| 538 | + } |
|
| 539 | + } |
|
| 540 | + } |
|
| 541 | 541 | |
| 542 | - /** |
|
| 543 | - * Process pathLenConstraint. |
|
| 544 | - * |
|
| 545 | - * @param ValidatorState $state |
|
| 546 | - * @param Certificate $cert |
|
| 547 | - * @return ValidatorState |
|
| 548 | - */ |
|
| 549 | - private function _processPathLengthContraint(ValidatorState $state, |
|
| 550 | - Certificate $cert): ValidatorState |
|
| 551 | - { |
|
| 552 | - $extensions = $cert->tbsCertificate()->extensions(); |
|
| 553 | - if ($extensions->hasBasicConstraints()) { |
|
| 554 | - $ext = $extensions->basicConstraints(); |
|
| 555 | - if ($ext->hasPathLen()) { |
|
| 556 | - if ($ext->pathLen() < $state->maxPathLength()) { |
|
| 557 | - $state = $state->withMaxPathLength($ext->pathLen()); |
|
| 558 | - } |
|
| 559 | - } |
|
| 560 | - } |
|
| 561 | - return $state; |
|
| 562 | - } |
|
| 542 | + /** |
|
| 543 | + * Process pathLenConstraint. |
|
| 544 | + * |
|
| 545 | + * @param ValidatorState $state |
|
| 546 | + * @param Certificate $cert |
|
| 547 | + * @return ValidatorState |
|
| 548 | + */ |
|
| 549 | + private function _processPathLengthContraint(ValidatorState $state, |
|
| 550 | + Certificate $cert): ValidatorState |
|
| 551 | + { |
|
| 552 | + $extensions = $cert->tbsCertificate()->extensions(); |
|
| 553 | + if ($extensions->hasBasicConstraints()) { |
|
| 554 | + $ext = $extensions->basicConstraints(); |
|
| 555 | + if ($ext->hasPathLen()) { |
|
| 556 | + if ($ext->pathLen() < $state->maxPathLength()) { |
|
| 557 | + $state = $state->withMaxPathLength($ext->pathLen()); |
|
| 558 | + } |
|
| 559 | + } |
|
| 560 | + } |
|
| 561 | + return $state; |
|
| 562 | + } |
|
| 563 | 563 | |
| 564 | - /** |
|
| 565 | - * |
|
| 566 | - * @param ValidatorState $state |
|
| 567 | - * @param Certificate $cert |
|
| 568 | - * @return ValidatorState |
|
| 569 | - */ |
|
| 570 | - private function _processExtensions(ValidatorState $state, Certificate $cert): ValidatorState |
|
| 571 | - { |
|
| 572 | - // @todo Implement |
|
| 573 | - return $state; |
|
| 574 | - } |
|
| 564 | + /** |
|
| 565 | + * |
|
| 566 | + * @param ValidatorState $state |
|
| 567 | + * @param Certificate $cert |
|
| 568 | + * @return ValidatorState |
|
| 569 | + */ |
|
| 570 | + private function _processExtensions(ValidatorState $state, Certificate $cert): ValidatorState |
|
| 571 | + { |
|
| 572 | + // @todo Implement |
|
| 573 | + return $state; |
|
| 574 | + } |
|
| 575 | 575 | |
| 576 | - /** |
|
| 577 | - * |
|
| 578 | - * @param ValidatorState $state |
|
| 579 | - * @return ValidatorState |
|
| 580 | - */ |
|
| 581 | - private function _calculatePolicyIntersection(ValidatorState $state): ValidatorState |
|
| 582 | - { |
|
| 583 | - // (i) If the valid_policy_tree is NULL, the intersection is NULL |
|
| 584 | - if (!$state->hasValidPolicyTree()) { |
|
| 585 | - return $state; |
|
| 586 | - } |
|
| 587 | - // (ii) If the valid_policy_tree is not NULL and |
|
| 588 | - // the user-initial-policy-set is any-policy, the intersection |
|
| 589 | - // is the entire valid_policy_tree |
|
| 590 | - $initial_policies = $this->_config->policySet(); |
|
| 591 | - if (in_array(PolicyInformation::OID_ANY_POLICY, $initial_policies)) { |
|
| 592 | - return $state; |
|
| 593 | - } |
|
| 594 | - // (iii) If the valid_policy_tree is not NULL and the |
|
| 595 | - // user-initial-policy-set is not any-policy, calculate |
|
| 596 | - // the intersection of the valid_policy_tree and the |
|
| 597 | - // user-initial-policy-set as follows |
|
| 598 | - return $state->validPolicyTree()->calculateIntersection($state, |
|
| 599 | - $initial_policies); |
|
| 600 | - } |
|
| 576 | + /** |
|
| 577 | + * |
|
| 578 | + * @param ValidatorState $state |
|
| 579 | + * @return ValidatorState |
|
| 580 | + */ |
|
| 581 | + private function _calculatePolicyIntersection(ValidatorState $state): ValidatorState |
|
| 582 | + { |
|
| 583 | + // (i) If the valid_policy_tree is NULL, the intersection is NULL |
|
| 584 | + if (!$state->hasValidPolicyTree()) { |
|
| 585 | + return $state; |
|
| 586 | + } |
|
| 587 | + // (ii) If the valid_policy_tree is not NULL and |
|
| 588 | + // the user-initial-policy-set is any-policy, the intersection |
|
| 589 | + // is the entire valid_policy_tree |
|
| 590 | + $initial_policies = $this->_config->policySet(); |
|
| 591 | + if (in_array(PolicyInformation::OID_ANY_POLICY, $initial_policies)) { |
|
| 592 | + return $state; |
|
| 593 | + } |
|
| 594 | + // (iii) If the valid_policy_tree is not NULL and the |
|
| 595 | + // user-initial-policy-set is not any-policy, calculate |
|
| 596 | + // the intersection of the valid_policy_tree and the |
|
| 597 | + // user-initial-policy-set as follows |
|
| 598 | + return $state->validPolicyTree()->calculateIntersection($state, |
|
| 599 | + $initial_policies); |
|
| 600 | + } |
|
| 601 | 601 | } |
@@ -1,6 +1,6 @@ |
||
| 1 | 1 | <?php |
| 2 | 2 | |
| 3 | -declare(strict_types = 1); |
|
| 3 | +declare(strict_types=1); |
|
| 4 | 4 | |
| 5 | 5 | namespace X509\CertificationPath\PathValidation; |
| 6 | 6 | |
