sop / x509

lib/X509/Certificate/Extension/PolicyMappings/PolicyMapping.php

Indentation +67 added lines, -67 removed lines

@@ -15,77 +15,77 @@
  */
 class PolicyMapping
 {
-    /**
-     * OID of the issuer policy.
-     *
-     * @var string $_issuerDomainPolicy
-     */
-    protected $_issuerDomainPolicy;
+	/**
+	 * OID of the issuer policy.
+	 *
+	 * @var string $_issuerDomainPolicy
+	 */
+	protected $_issuerDomainPolicy;
     
-    /**
-     * OID of the subject policy.
-     *
-     * @var string $_subjectDomainPolicy
-     */
-    protected $_subjectDomainPolicy;
+	/**
+	 * OID of the subject policy.
+	 *
+	 * @var string $_subjectDomainPolicy
+	 */
+	protected $_subjectDomainPolicy;
     
-    /**
-     * Constructor.
-     *
-     * @param string $issuer_policy OID of the issuer policy
-     * @param string $subject_policy OID of the subject policy
-     */
-    public function __construct(string $issuer_policy, string $subject_policy)
-    {
-        $this->_issuerDomainPolicy = $issuer_policy;
-        $this->_subjectDomainPolicy = $subject_policy;
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param string $issuer_policy OID of the issuer policy
+	 * @param string $subject_policy OID of the subject policy
+	 */
+	public function __construct(string $issuer_policy, string $subject_policy)
+	{
+		$this->_issuerDomainPolicy = $issuer_policy;
+		$this->_subjectDomainPolicy = $subject_policy;
+	}
     
-    /**
-     * Initialize from ASN.1.
-     *
-     * @param Sequence $seq
-     * @return self
-     */
-    public static function fromASN1(Sequence $seq): self
-    {
-        $issuer_policy = $seq->at(0)
-            ->asObjectIdentifier()
-            ->oid();
-        $subject_policy = $seq->at(1)
-            ->asObjectIdentifier()
-            ->oid();
-        return new self($issuer_policy, $subject_policy);
-    }
+	/**
+	 * Initialize from ASN.1.
+	 *
+	 * @param Sequence $seq
+	 * @return self
+	 */
+	public static function fromASN1(Sequence $seq): self
+	{
+		$issuer_policy = $seq->at(0)
+			->asObjectIdentifier()
+			->oid();
+		$subject_policy = $seq->at(1)
+			->asObjectIdentifier()
+			->oid();
+		return new self($issuer_policy, $subject_policy);
+	}
     
-    /**
-     * Get issuer domain policy.
-     *
-     * @return string OID in dotted format
-     */
-    public function issuerDomainPolicy(): string
-    {
-        return $this->_issuerDomainPolicy;
-    }
+	/**
+	 * Get issuer domain policy.
+	 *
+	 * @return string OID in dotted format
+	 */
+	public function issuerDomainPolicy(): string
+	{
+		return $this->_issuerDomainPolicy;
+	}
     
-    /**
-     * Get subject domain policy.
-     *
-     * @return string OID in dotted format
-     */
-    public function subjectDomainPolicy(): string
-    {
-        return $this->_subjectDomainPolicy;
-    }
+	/**
+	 * Get subject domain policy.
+	 *
+	 * @return string OID in dotted format
+	 */
+	public function subjectDomainPolicy(): string
+	{
+		return $this->_subjectDomainPolicy;
+	}
     
-    /**
-     * Generate ASN.1 structure.
-     *
-     * @return Sequence
-     */
-    public function toASN1(): Sequence
-    {
-        return new Sequence(new ObjectIdentifier($this->_issuerDomainPolicy),
-            new ObjectIdentifier($this->_subjectDomainPolicy));
-    }
+	/**
+	 * Generate ASN.1 structure.
+	 *
+	 * @return Sequence
+	 */
+	public function toASN1(): Sequence
+	{
+		return new Sequence(new ObjectIdentifier($this->_issuerDomainPolicy),
+			new ObjectIdentifier($this->_subjectDomainPolicy));
+	}
 }

lib/X509/Certificate/Extension/NameConstraints/GeneralSubtree.php

Indentation +81 added lines, -81 removed lines

@@ -18,91 +18,91 @@
  */
 class GeneralSubtree
 {
-    /**
-     * Constraint.
-     *
-     * @var GeneralName
-     */
-    protected $_base;
+	/**
+	 * Constraint.
+	 *
+	 * @var GeneralName
+	 */
+	protected $_base;
     
-    /**
-     * Not used, must be zero.
-     *
-     * @var int $_min
-     */
-    protected $_min;
+	/**
+	 * Not used, must be zero.
+	 *
+	 * @var int $_min
+	 */
+	protected $_min;
     
-    /**
-     * Not used, must be null.
-     *
-     * @var int|null $_max
-     */
-    protected $_max;
+	/**
+	 * Not used, must be null.
+	 *
+	 * @var int|null $_max
+	 */
+	protected $_max;
     
-    /**
-     * Constructor.
-     *
-     * @param GeneralName $base
-     * @param int $min
-     * @param int|null $max
-     */
-    public function __construct(GeneralName $base, int $min = 0, $max = null)
-    {
-        $this->_base = $base;
-        $this->_min = $min;
-        $this->_max = $max;
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param GeneralName $base
+	 * @param int $min
+	 * @param int|null $max
+	 */
+	public function __construct(GeneralName $base, int $min = 0, $max = null)
+	{
+		$this->_base = $base;
+		$this->_min = $min;
+		$this->_max = $max;
+	}
     
-    /**
-     * Initialize from ASN.1.
-     *
-     * @param Sequence $seq
-     * @return self
-     */
-    public static function fromASN1(Sequence $seq): self
-    {
-        $base = GeneralName::fromASN1($seq->at(0)->asTagged());
-        $min = 0;
-        $max = null;
-        if ($seq->hasTagged(0)) {
-            $min = $seq->getTagged(0)
-                ->asImplicit(Element::TYPE_INTEGER)
-                ->asInteger()
-                ->intNumber();
-        }
-        if ($seq->hasTagged(1)) {
-            $max = $seq->getTagged(1)
-                ->asImplicit(Element::TYPE_INTEGER)
-                ->asInteger()
-                ->intNumber();
-        }
-        return new self($base, $min, $max);
-    }
+	/**
+	 * Initialize from ASN.1.
+	 *
+	 * @param Sequence $seq
+	 * @return self
+	 */
+	public static function fromASN1(Sequence $seq): self
+	{
+		$base = GeneralName::fromASN1($seq->at(0)->asTagged());
+		$min = 0;
+		$max = null;
+		if ($seq->hasTagged(0)) {
+			$min = $seq->getTagged(0)
+				->asImplicit(Element::TYPE_INTEGER)
+				->asInteger()
+				->intNumber();
+		}
+		if ($seq->hasTagged(1)) {
+			$max = $seq->getTagged(1)
+				->asImplicit(Element::TYPE_INTEGER)
+				->asInteger()
+				->intNumber();
+		}
+		return new self($base, $min, $max);
+	}
     
-    /**
-     * Get constraint.
-     *
-     * @return GeneralName
-     */
-    public function base(): GeneralName
-    {
-        return $this->_base;
-    }
+	/**
+	 * Get constraint.
+	 *
+	 * @return GeneralName
+	 */
+	public function base(): GeneralName
+	{
+		return $this->_base;
+	}
     
-    /**
-     * Generate ASN.1 structure.
-     *
-     * @return Sequence
-     */
-    public function toASN1(): Sequence
-    {
-        $elements = array($this->_base->toASN1());
-        if (isset($this->_min) && $this->_min != 0) {
-            $elements[] = new ImplicitlyTaggedType(0, new Integer($this->_min));
-        }
-        if (isset($this->_max)) {
-            $elements[] = new ImplicitlyTaggedType(1, new Integer($this->_max));
-        }
-        return new Sequence(...$elements);
-    }
+	/**
+	 * Generate ASN.1 structure.
+	 *
+	 * @return Sequence
+	 */
+	public function toASN1(): Sequence
+	{
+		$elements = array($this->_base->toASN1());
+		if (isset($this->_min) && $this->_min != 0) {
+			$elements[] = new ImplicitlyTaggedType(0, new Integer($this->_min));
+		}
+		if (isset($this->_max)) {
+			$elements[] = new ImplicitlyTaggedType(1, new Integer($this->_max));
+		}
+		return new Sequence(...$elements);
+	}
 }

lib/X509/Certificate/Extension/DistributionPoint/DistributionPointName.php

Indentation +54 added lines, -54 removed lines

@@ -18,63 +18,63 @@
  */
 abstract class DistributionPointName
 {
-    const TAG_FULL_NAME = 0;
-    const TAG_RDN = 1;
+	const TAG_FULL_NAME = 0;
+	const TAG_RDN = 1;
     
-    /**
-     * Type.
-     *
-     * @var int $_tag
-     */
-    protected $_tag;
+	/**
+	 * Type.
+	 *
+	 * @var int $_tag
+	 */
+	protected $_tag;
     
-    /**
-     * Generate ASN.1 element.
-     *
-     * @return Element
-     */
-    abstract protected function _valueASN1();
+	/**
+	 * Generate ASN.1 element.
+	 *
+	 * @return Element
+	 */
+	abstract protected function _valueASN1();
     
-    /**
-     * Initialize from TaggedType.
-     *
-     * @param TaggedType $el
-     * @throws \UnexpectedValueException
-     * @return self
-     */
-    public static function fromTaggedType(TaggedType $el): self
-    {
-        switch ($el->tag()) {
-            case self::TAG_FULL_NAME:
-                return new FullName(
-                    GeneralNames::fromASN1(
-                        $el->asImplicit(Element::TYPE_SEQUENCE)->asSequence()));
-            case self::TAG_RDN:
-                return new RelativeName(
-                    RDN::fromASN1($el->asImplicit(Element::TYPE_SET)->asSet()));
-            default:
-                throw new \UnexpectedValueException(
-                    "DistributionPointName tag " . $el->tag() . " not supported.");
-        }
-    }
+	/**
+	 * Initialize from TaggedType.
+	 *
+	 * @param TaggedType $el
+	 * @throws \UnexpectedValueException
+	 * @return self
+	 */
+	public static function fromTaggedType(TaggedType $el): self
+	{
+		switch ($el->tag()) {
+			case self::TAG_FULL_NAME:
+				return new FullName(
+					GeneralNames::fromASN1(
+						$el->asImplicit(Element::TYPE_SEQUENCE)->asSequence()));
+			case self::TAG_RDN:
+				return new RelativeName(
+					RDN::fromASN1($el->asImplicit(Element::TYPE_SET)->asSet()));
+			default:
+				throw new \UnexpectedValueException(
+					"DistributionPointName tag " . $el->tag() . " not supported.");
+		}
+	}
     
-    /**
-     * Get type tag.
-     *
-     * @return int
-     */
-    public function tag(): int
-    {
-        return $this->_tag;
-    }
+	/**
+	 * Get type tag.
+	 *
+	 * @return int
+	 */
+	public function tag(): int
+	{
+		return $this->_tag;
+	}
     
-    /**
-     * Generate ASN.1 structure.
-     *
-     * @return ImplicitlyTaggedType
-     */
-    public function toASN1(): ImplicitlyTaggedType
-    {
-        return new ImplicitlyTaggedType($this->_tag, $this->_valueASN1());
-    }
+	/**
+	 * Generate ASN.1 structure.
+	 *
+	 * @return ImplicitlyTaggedType
+	 */
+	public function toASN1(): ImplicitlyTaggedType
+	{
+		return new ImplicitlyTaggedType($this->_tag, $this->_valueASN1());
+	}
 }

lib/X509/Certificate/Extension/DistributionPoint/RelativeName.php

Indentation +34 added lines, -34 removed lines

@@ -16,41 +16,41 @@
  */
 class RelativeName extends DistributionPointName
 {
-    /**
-     * Relative distinguished name.
-     *
-     * @var RDN $_rdn
-     */
-    protected $_rdn;
+	/**
+	 * Relative distinguished name.
+	 *
+	 * @var RDN $_rdn
+	 */
+	protected $_rdn;
     
-    /**
-     * Constructor.
-     *
-     * @param RDN $rdn
-     */
-    public function __construct(RDN $rdn)
-    {
-        $this->_tag = self::TAG_RDN;
-        $this->_rdn = $rdn;
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param RDN $rdn
+	 */
+	public function __construct(RDN $rdn)
+	{
+		$this->_tag = self::TAG_RDN;
+		$this->_rdn = $rdn;
+	}
     
-    /**
-     * Get RDN.
-     *
-     * @return RDN
-     */
-    public function rdn(): RDN
-    {
-        return $this->_rdn;
-    }
+	/**
+	 * Get RDN.
+	 *
+	 * @return RDN
+	 */
+	public function rdn(): RDN
+	{
+		return $this->_rdn;
+	}
     
-    /**
-     *
-     * {@inheritdoc}
-     * @return Set
-     */
-    protected function _valueASN1(): Set
-    {
-        return $this->_rdn->toASN1();
-    }
+	/**
+	 *
+	 * {@inheritdoc}
+	 * @return Set
+	 */
+	protected function _valueASN1(): Set
+	{
+		return $this->_rdn->toASN1();
+	}
 }

lib/X509/Certificate/Extension/DistributionPoint/FullName.php

Indentation +44 added lines, -44 removed lines

@@ -16,52 +16,52 @@
  */
 class FullName extends DistributionPointName
 {
-    /**
-     * Names.
-     *
-     * @var GeneralNames $_names
-     */
-    protected $_names;
+	/**
+	 * Names.
+	 *
+	 * @var GeneralNames $_names
+	 */
+	protected $_names;
     
-    /**
-     * Constructor.
-     *
-     * @param GeneralNames $names
-     */
-    public function __construct(GeneralNames $names)
-    {
-        $this->_tag = self::TAG_FULL_NAME;
-        $this->_names = $names;
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param GeneralNames $names
+	 */
+	public function __construct(GeneralNames $names)
+	{
+		$this->_tag = self::TAG_FULL_NAME;
+		$this->_names = $names;
+	}
     
-    /**
-     * Initialize with a single URI.
-     *
-     * @param string $uri
-     * @return self
-     */
-    public static function fromURI(string $uri): self
-    {
-        return new self(new GeneralNames(new UniformResourceIdentifier($uri)));
-    }
+	/**
+	 * Initialize with a single URI.
+	 *
+	 * @param string $uri
+	 * @return self
+	 */
+	public static function fromURI(string $uri): self
+	{
+		return new self(new GeneralNames(new UniformResourceIdentifier($uri)));
+	}
     
-    /**
-     * Get names.
-     *
-     * @return GeneralNames
-     */
-    public function names(): GeneralNames
-    {
-        return $this->_names;
-    }
+	/**
+	 * Get names.
+	 *
+	 * @return GeneralNames
+	 */
+	public function names(): GeneralNames
+	{
+		return $this->_names;
+	}
     
-    /**
-     *
-     * {@inheritdoc}
-     * @return Sequence
-     */
-    protected function _valueASN1(): Sequence
-    {
-        return $this->_names->toASN1();
-    }
+	/**
+	 *
+	 * {@inheritdoc}
+	 * @return Sequence
+	 */
+	protected function _valueASN1(): Sequence
+	{
+		return $this->_names->toASN1();
+	}
 }

lib/X509/Certificate/Extension/DistributionPoint/ReasonFlags.php

Indentation +126 added lines, -126 removed lines

@@ -15,143 +15,143 @@
  */
 class ReasonFlags
 {
-    // const UNUSED = 0x100;
-    const KEY_COMPROMISE = 0x080;
-    const CA_COMPROMISE = 0x040;
-    const AFFILIATION_CHANGED = 0x020;
-    const SUPERSEDED = 0x010;
-    const CESSATION_OF_OPERATION = 0x008;
-    const CERTIFICATE_HOLD = 0x004;
-    const PRIVILEGE_WITHDRAWN = 0x002;
-    const AA_COMPROMISE = 0x001;
+	// const UNUSED = 0x100;
+	const KEY_COMPROMISE = 0x080;
+	const CA_COMPROMISE = 0x040;
+	const AFFILIATION_CHANGED = 0x020;
+	const SUPERSEDED = 0x010;
+	const CESSATION_OF_OPERATION = 0x008;
+	const CERTIFICATE_HOLD = 0x004;
+	const PRIVILEGE_WITHDRAWN = 0x002;
+	const AA_COMPROMISE = 0x001;
     
-    /**
-     * Flags.
-     *
-     * @var int $_flags
-     */
-    protected $_flags;
+	/**
+	 * Flags.
+	 *
+	 * @var int $_flags
+	 */
+	protected $_flags;
     
-    /**
-     * Constructor.
-     *
-     * @param int $flags
-     */
-    public function __construct(int $flags)
-    {
-        $this->_flags = $flags;
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param int $flags
+	 */
+	public function __construct(int $flags)
+	{
+		$this->_flags = $flags;
+	}
     
-    /**
-     * Initialize from ASN.1.
-     *
-     * @param BitString $bs
-     * @return self
-     */
-    public static function fromASN1(BitString $bs): self
-    {
-        return new self(Flags::fromBitString($bs, 9)->intNumber());
-    }
+	/**
+	 * Initialize from ASN.1.
+	 *
+	 * @param BitString $bs
+	 * @return self
+	 */
+	public static function fromASN1(BitString $bs): self
+	{
+		return new self(Flags::fromBitString($bs, 9)->intNumber());
+	}
     
-    /**
-     * Check whether keyCompromise flag is set.
-     *
-     * @return bool
-     */
-    public function isKeyCompromise(): bool
-    {
-        return $this->_flagSet(self::KEY_COMPROMISE);
-    }
+	/**
+	 * Check whether keyCompromise flag is set.
+	 *
+	 * @return bool
+	 */
+	public function isKeyCompromise(): bool
+	{
+		return $this->_flagSet(self::KEY_COMPROMISE);
+	}
     
-    /**
-     * Check whether cACompromise flag is set.
-     *
-     * @return bool
-     */
-    public function isCACompromise(): bool
-    {
-        return $this->_flagSet(self::CA_COMPROMISE);
-    }
+	/**
+	 * Check whether cACompromise flag is set.
+	 *
+	 * @return bool
+	 */
+	public function isCACompromise(): bool
+	{
+		return $this->_flagSet(self::CA_COMPROMISE);
+	}
     
-    /**
-     * Check whether affiliationChanged flag is set.
-     *
-     * @return bool
-     */
-    public function isAffiliationChanged(): bool
-    {
-        return $this->_flagSet(self::AFFILIATION_CHANGED);
-    }
+	/**
+	 * Check whether affiliationChanged flag is set.
+	 *
+	 * @return bool
+	 */
+	public function isAffiliationChanged(): bool
+	{
+		return $this->_flagSet(self::AFFILIATION_CHANGED);
+	}
     
-    /**
-     * Check whether superseded flag is set.
-     *
-     * @return bool
-     */
-    public function isSuperseded(): bool
-    {
-        return $this->_flagSet(self::SUPERSEDED);
-    }
+	/**
+	 * Check whether superseded flag is set.
+	 *
+	 * @return bool
+	 */
+	public function isSuperseded(): bool
+	{
+		return $this->_flagSet(self::SUPERSEDED);
+	}
     
-    /**
-     * Check whether cessationOfOperation flag is set.
-     *
-     * @return bool
-     */
-    public function isCessationOfOperation(): bool
-    {
-        return $this->_flagSet(self::CESSATION_OF_OPERATION);
-    }
+	/**
+	 * Check whether cessationOfOperation flag is set.
+	 *
+	 * @return bool
+	 */
+	public function isCessationOfOperation(): bool
+	{
+		return $this->_flagSet(self::CESSATION_OF_OPERATION);
+	}
     
-    /**
-     * Check whether certificateHold flag is set.
-     *
-     * @return bool
-     */
-    public function isCertificateHold(): bool
-    {
-        return $this->_flagSet(self::CERTIFICATE_HOLD);
-    }
+	/**
+	 * Check whether certificateHold flag is set.
+	 *
+	 * @return bool
+	 */
+	public function isCertificateHold(): bool
+	{
+		return $this->_flagSet(self::CERTIFICATE_HOLD);
+	}
     
-    /**
-     * Check whether privilegeWithdrawn flag is set.
-     *
-     * @return bool
-     */
-    public function isPrivilegeWithdrawn(): bool
-    {
-        return $this->_flagSet(self::PRIVILEGE_WITHDRAWN);
-    }
+	/**
+	 * Check whether privilegeWithdrawn flag is set.
+	 *
+	 * @return bool
+	 */
+	public function isPrivilegeWithdrawn(): bool
+	{
+		return $this->_flagSet(self::PRIVILEGE_WITHDRAWN);
+	}
     
-    /**
-     * Check whether aACompromise flag is set.
-     *
-     * @return bool
-     */
-    public function isAACompromise(): bool
-    {
-        return $this->_flagSet(self::AA_COMPROMISE);
-    }
+	/**
+	 * Check whether aACompromise flag is set.
+	 *
+	 * @return bool
+	 */
+	public function isAACompromise(): bool
+	{
+		return $this->_flagSet(self::AA_COMPROMISE);
+	}
     
-    /**
-     * Generate ASN.1 element.
-     *
-     * @return BitString
-     */
-    public function toASN1(): BitString
-    {
-        $flags = new Flags($this->_flags, 9);
-        return $flags->bitString()->withoutTrailingZeroes();
-    }
+	/**
+	 * Generate ASN.1 element.
+	 *
+	 * @return BitString
+	 */
+	public function toASN1(): BitString
+	{
+		$flags = new Flags($this->_flags, 9);
+		return $flags->bitString()->withoutTrailingZeroes();
+	}
     
-    /**
-     * Check whether given flag is set.
-     *
-     * @param int $flag
-     * @return boolean
-     */
-    protected function _flagSet(int $flag): bool
-    {
-        return (bool) ($this->_flags & $flag);
-    }
+	/**
+	 * Check whether given flag is set.
+	 *
+	 * @param int $flag
+	 * @return boolean
+	 */
+	protected function _flagSet(int $flag): bool
+	{
+		return (bool) ($this->_flags & $flag);
+	}
 }

lib/X509/Certificate/Extension/DistributionPoint/DistributionPoint.php

Indentation +196 added lines, -196 removed lines

@@ -18,215 +18,215 @@
  */
 class DistributionPoint
 {
-    /**
-     * Distribution point name.
-     *
-     * @var DistributionPointName $_distributionPoint
-     */
-    protected $_distributionPoint;
+	/**
+	 * Distribution point name.
+	 *
+	 * @var DistributionPointName $_distributionPoint
+	 */
+	protected $_distributionPoint;
     
-    /**
-     * Revocation reason.
-     *
-     * @var ReasonFlags $_reasons
-     */
-    protected $_reasons;
+	/**
+	 * Revocation reason.
+	 *
+	 * @var ReasonFlags $_reasons
+	 */
+	protected $_reasons;
     
-    /**
-     * CRL issuer.
-     *
-     * @var GeneralNames $_issuer
-     */
-    protected $_issuer;
+	/**
+	 * CRL issuer.
+	 *
+	 * @var GeneralNames $_issuer
+	 */
+	protected $_issuer;
     
-    /**
-     * Constructor.
-     *
-     * @param DistributionPointName $name
-     * @param ReasonFlags $reasons
-     * @param GeneralNames $issuer
-     */
-    public function __construct(DistributionPointName $name = null,
-        ReasonFlags $reasons = null, GeneralNames $issuer = null)
-    {
-        $this->_distributionPoint = $name;
-        $this->_reasons = $reasons;
-        $this->_issuer = $issuer;
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param DistributionPointName $name
+	 * @param ReasonFlags $reasons
+	 * @param GeneralNames $issuer
+	 */
+	public function __construct(DistributionPointName $name = null,
+		ReasonFlags $reasons = null, GeneralNames $issuer = null)
+	{
+		$this->_distributionPoint = $name;
+		$this->_reasons = $reasons;
+		$this->_issuer = $issuer;
+	}
     
-    /**
-     * Initialize from ASN.1.
-     *
-     * @param Sequence $seq
-     * @return self
-     */
-    public static function fromASN1(Sequence $seq): self
-    {
-        $name = null;
-        $reasons = null;
-        $issuer = null;
-        if ($seq->hasTagged(0)) {
-            // promoted to explicit tagging because underlying type is CHOICE
-            $name = DistributionPointName::fromTaggedType(
-                $seq->getTagged(0)
-                    ->asExplicit()
-                    ->asTagged());
-        }
-        if ($seq->hasTagged(1)) {
-            $reasons = ReasonFlags::fromASN1(
-                $seq->getTagged(1)
-                    ->asImplicit(Element::TYPE_BIT_STRING)
-                    ->asBitString());
-        }
-        if ($seq->hasTagged(2)) {
-            $issuer = GeneralNames::fromASN1(
-                $seq->getTagged(2)
-                    ->asImplicit(Element::TYPE_SEQUENCE)
-                    ->asSequence());
-        }
-        return new self($name, $reasons, $issuer);
-    }
+	/**
+	 * Initialize from ASN.1.
+	 *
+	 * @param Sequence $seq
+	 * @return self
+	 */
+	public static function fromASN1(Sequence $seq): self
+	{
+		$name = null;
+		$reasons = null;
+		$issuer = null;
+		if ($seq->hasTagged(0)) {
+			// promoted to explicit tagging because underlying type is CHOICE
+			$name = DistributionPointName::fromTaggedType(
+				$seq->getTagged(0)
+					->asExplicit()
+					->asTagged());
+		}
+		if ($seq->hasTagged(1)) {
+			$reasons = ReasonFlags::fromASN1(
+				$seq->getTagged(1)
+					->asImplicit(Element::TYPE_BIT_STRING)
+					->asBitString());
+		}
+		if ($seq->hasTagged(2)) {
+			$issuer = GeneralNames::fromASN1(
+				$seq->getTagged(2)
+					->asImplicit(Element::TYPE_SEQUENCE)
+					->asSequence());
+		}
+		return new self($name, $reasons, $issuer);
+	}
     
-    /**
-     * Check whether distribution point name is set.
-     *
-     * @return bool
-     */
-    public function hasDistributionPointName(): bool
-    {
-        return isset($this->_distributionPoint);
-    }
+	/**
+	 * Check whether distribution point name is set.
+	 *
+	 * @return bool
+	 */
+	public function hasDistributionPointName(): bool
+	{
+		return isset($this->_distributionPoint);
+	}
     
-    /**
-     * Get distribution point name.
-     *
-     * @throws \LogicException
-     * @return DistributionPointName
-     */
-    public function distributionPointName(): DistributionPointName
-    {
-        if (!$this->hasDistributionPointName()) {
-            throw new \LogicException("distributionPoint not set.");
-        }
-        return $this->_distributionPoint;
-    }
+	/**
+	 * Get distribution point name.
+	 *
+	 * @throws \LogicException
+	 * @return DistributionPointName
+	 */
+	public function distributionPointName(): DistributionPointName
+	{
+		if (!$this->hasDistributionPointName()) {
+			throw new \LogicException("distributionPoint not set.");
+		}
+		return $this->_distributionPoint;
+	}
     
-    /**
-     * Check whether distribution point name is set and it's a full name.
-     *
-     * @return bool
-     */
-    public function hasFullName(): bool
-    {
-        return $this->distributionPointName()->tag() ==
-             DistributionPointName::TAG_FULL_NAME;
-    }
+	/**
+	 * Check whether distribution point name is set and it's a full name.
+	 *
+	 * @return bool
+	 */
+	public function hasFullName(): bool
+	{
+		return $this->distributionPointName()->tag() ==
+			 DistributionPointName::TAG_FULL_NAME;
+	}
     
-    /**
-     * Get full distribution point name.
-     *
-     * @throws \LogicException
-     * @return FullName
-     */
-    public function fullName(): FullName
-    {
-        if (!$this->hasFullName()) {
-            throw new \LogicException("fullName not set.");
-        }
-        return $this->_distributionPoint;
-    }
+	/**
+	 * Get full distribution point name.
+	 *
+	 * @throws \LogicException
+	 * @return FullName
+	 */
+	public function fullName(): FullName
+	{
+		if (!$this->hasFullName()) {
+			throw new \LogicException("fullName not set.");
+		}
+		return $this->_distributionPoint;
+	}
     
-    /**
-     * Check whether distribution point name is set and it's a relative name.
-     *
-     * @return bool
-     */
-    public function hasRelativeName(): bool
-    {
-        return $this->distributionPointName()->tag() ==
-             DistributionPointName::TAG_RDN;
-    }
+	/**
+	 * Check whether distribution point name is set and it's a relative name.
+	 *
+	 * @return bool
+	 */
+	public function hasRelativeName(): bool
+	{
+		return $this->distributionPointName()->tag() ==
+			 DistributionPointName::TAG_RDN;
+	}
     
-    /**
-     * Get relative distribution point name.
-     *
-     * @throws \LogicException
-     * @return RelativeName
-     */
-    public function relativeName(): RelativeName
-    {
-        if (!$this->hasRelativeName()) {
-            throw new \LogicException("nameRelativeToCRLIssuer not set.");
-        }
-        return $this->_distributionPoint;
-    }
+	/**
+	 * Get relative distribution point name.
+	 *
+	 * @throws \LogicException
+	 * @return RelativeName
+	 */
+	public function relativeName(): RelativeName
+	{
+		if (!$this->hasRelativeName()) {
+			throw new \LogicException("nameRelativeToCRLIssuer not set.");
+		}
+		return $this->_distributionPoint;
+	}
     
-    /**
-     * Check whether reasons flags is set.
-     *
-     * @return bool
-     */
-    public function hasReasons(): bool
-    {
-        return isset($this->_reasons);
-    }
+	/**
+	 * Check whether reasons flags is set.
+	 *
+	 * @return bool
+	 */
+	public function hasReasons(): bool
+	{
+		return isset($this->_reasons);
+	}
     
-    /**
-     * Get revocation reason flags.
-     *
-     * @throws \LogicException
-     * @return ReasonFlags
-     */
-    public function reasons(): ReasonFlags
-    {
-        if (!$this->hasReasons()) {
-            throw new \LogicException("reasons not set.");
-        }
-        return $this->_reasons;
-    }
+	/**
+	 * Get revocation reason flags.
+	 *
+	 * @throws \LogicException
+	 * @return ReasonFlags
+	 */
+	public function reasons(): ReasonFlags
+	{
+		if (!$this->hasReasons()) {
+			throw new \LogicException("reasons not set.");
+		}
+		return $this->_reasons;
+	}
     
-    /**
-     * Check whether cRLIssuer is set.
-     *
-     * @return bool
-     */
-    public function hasCRLIssuer(): bool
-    {
-        return isset($this->_issuer);
-    }
+	/**
+	 * Check whether cRLIssuer is set.
+	 *
+	 * @return bool
+	 */
+	public function hasCRLIssuer(): bool
+	{
+		return isset($this->_issuer);
+	}
     
-    /**
-     * Get CRL issuer.
-     *
-     * @throws \LogicException
-     * @return GeneralNames
-     */
-    public function crlIssuer(): GeneralNames
-    {
-        if (!$this->hasCRLIssuer()) {
-            throw new \LogicException("crlIssuer not set.");
-        }
-        return $this->_issuer;
-    }
+	/**
+	 * Get CRL issuer.
+	 *
+	 * @throws \LogicException
+	 * @return GeneralNames
+	 */
+	public function crlIssuer(): GeneralNames
+	{
+		if (!$this->hasCRLIssuer()) {
+			throw new \LogicException("crlIssuer not set.");
+		}
+		return $this->_issuer;
+	}
     
-    /**
-     * Generate ASN.1 structure.
-     *
-     * @return Sequence
-     */
-    public function toASN1(): Sequence
-    {
-        $elements = array();
-        if (isset($this->_distributionPoint)) {
-            $elements[] = new ExplicitlyTaggedType(0,
-                $this->_distributionPoint->toASN1());
-        }
-        if (isset($this->_reasons)) {
-            $elements[] = new ImplicitlyTaggedType(1, $this->_reasons->toASN1());
-        }
-        if (isset($this->_issuer)) {
-            $elements[] = new ImplicitlyTaggedType(2, $this->_issuer->toASN1());
-        }
-        return new Sequence(...$elements);
-    }
+	/**
+	 * Generate ASN.1 structure.
+	 *
+	 * @return Sequence
+	 */
+	public function toASN1(): Sequence
+	{
+		$elements = array();
+		if (isset($this->_distributionPoint)) {
+			$elements[] = new ExplicitlyTaggedType(0,
+				$this->_distributionPoint->toASN1());
+		}
+		if (isset($this->_reasons)) {
+			$elements[] = new ImplicitlyTaggedType(1, $this->_reasons->toASN1());
+		}
+		if (isset($this->_issuer)) {
+			$elements[] = new ImplicitlyTaggedType(2, $this->_issuer->toASN1());
+		}
+		return new Sequence(...$elements);
+	}
 }

lib/X509/CertificationPath/Policy/PolicyNode.php

Indentation +238 added lines, -238 removed lines

@@ -14,265 +14,265 @@
  */
 class PolicyNode implements \IteratorAggregate, \Countable
 {
-    /**
-     * Policy OID.
-     *
-     * @var string
-     */
-    protected $_validPolicy;
+	/**
+	 * Policy OID.
+	 *
+	 * @var string
+	 */
+	protected $_validPolicy;
     
-    /**
-     * List of qualifiers.
-     *
-     * @var \X509\Certificate\Extension\CertificatePolicy\PolicyQualifierInfo[]
-     */
-    protected $_qualifiers;
+	/**
+	 * List of qualifiers.
+	 *
+	 * @var \X509\Certificate\Extension\CertificatePolicy\PolicyQualifierInfo[]
+	 */
+	protected $_qualifiers;
     
-    /**
-     * List of expected policy OIDs.
-     *
-     * @var string[]
-     */
-    protected $_expectedPolicies;
+	/**
+	 * List of expected policy OIDs.
+	 *
+	 * @var string[]
+	 */
+	protected $_expectedPolicies;
     
-    /**
-     * List of child nodes.
-     *
-     * @var PolicyNode[]
-     */
-    protected $_children;
+	/**
+	 * List of child nodes.
+	 *
+	 * @var PolicyNode[]
+	 */
+	protected $_children;
     
-    /**
-     * Reference to the parent node.
-     *
-     * @var PolicyNode|null
-     */
-    protected $_parent;
+	/**
+	 * Reference to the parent node.
+	 *
+	 * @var PolicyNode|null
+	 */
+	protected $_parent;
     
-    /**
-     * Constructor.
-     *
-     * @param string $valid_policy Policy OID
-     * @param \X509\Certificate\Extension\CertificatePolicy\PolicyQualifierInfo[] $qualifiers
-     * @param string[] $expected_policies
-     */
-    public function __construct(string $valid_policy, array $qualifiers,
-        array $expected_policies)
-    {
-        $this->_validPolicy = $valid_policy;
-        $this->_qualifiers = $qualifiers;
-        $this->_expectedPolicies = $expected_policies;
-        $this->_children = array();
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param string $valid_policy Policy OID
+	 * @param \X509\Certificate\Extension\CertificatePolicy\PolicyQualifierInfo[] $qualifiers
+	 * @param string[] $expected_policies
+	 */
+	public function __construct(string $valid_policy, array $qualifiers,
+		array $expected_policies)
+	{
+		$this->_validPolicy = $valid_policy;
+		$this->_qualifiers = $qualifiers;
+		$this->_expectedPolicies = $expected_policies;
+		$this->_children = array();
+	}
     
-    /**
-     * Create initial node for the policy tree.
-     *
-     * @return self
-     */
-    public static function anyPolicyNode(): self
-    {
-        return new self(PolicyInformation::OID_ANY_POLICY, array(),
-            array(PolicyInformation::OID_ANY_POLICY));
-    }
+	/**
+	 * Create initial node for the policy tree.
+	 *
+	 * @return self
+	 */
+	public static function anyPolicyNode(): self
+	{
+		return new self(PolicyInformation::OID_ANY_POLICY, array(),
+			array(PolicyInformation::OID_ANY_POLICY));
+	}
     
-    /**
-     * Get the valid policy OID.
-     *
-     * @return string
-     */
-    public function validPolicy(): string
-    {
-        return $this->_validPolicy;
-    }
+	/**
+	 * Get the valid policy OID.
+	 *
+	 * @return string
+	 */
+	public function validPolicy(): string
+	{
+		return $this->_validPolicy;
+	}
     
-    /**
-     * Check whether node has anyPolicy as a valid policy.
-     *
-     * @return boolean
-     */
-    public function isAnyPolicy(): bool
-    {
-        return PolicyInformation::OID_ANY_POLICY == $this->_validPolicy;
-    }
+	/**
+	 * Check whether node has anyPolicy as a valid policy.
+	 *
+	 * @return boolean
+	 */
+	public function isAnyPolicy(): bool
+	{
+		return PolicyInformation::OID_ANY_POLICY == $this->_validPolicy;
+	}
     
-    /**
-     * Get the qualifier set.
-     *
-     * @return \X509\Certificate\Extension\CertificatePolicy\PolicyQualifierInfo[]
-     */
-    public function qualifiers(): array
-    {
-        return $this->_qualifiers;
-    }
+	/**
+	 * Get the qualifier set.
+	 *
+	 * @return \X509\Certificate\Extension\CertificatePolicy\PolicyQualifierInfo[]
+	 */
+	public function qualifiers(): array
+	{
+		return $this->_qualifiers;
+	}
     
-    /**
-     * Check whether node has OID as an expected policy.
-     *
-     * @param string $oid
-     * @return boolean
-     */
-    public function hasExpectedPolicy(string $oid): bool
-    {
-        return in_array($oid, $this->_expectedPolicies);
-    }
+	/**
+	 * Check whether node has OID as an expected policy.
+	 *
+	 * @param string $oid
+	 * @return boolean
+	 */
+	public function hasExpectedPolicy(string $oid): bool
+	{
+		return in_array($oid, $this->_expectedPolicies);
+	}
     
-    /**
-     * Get the expected policy set.
-     *
-     * @return string[]
-     */
-    public function expectedPolicies(): array
-    {
-        return $this->_expectedPolicies;
-    }
+	/**
+	 * Get the expected policy set.
+	 *
+	 * @return string[]
+	 */
+	public function expectedPolicies(): array
+	{
+		return $this->_expectedPolicies;
+	}
     
-    /**
-     * Set expected policies.
-     *
-     * @param string ...$oids Policy OIDs
-     */
-    public function setExpectedPolicies(string ...$oids)
-    {
-        $this->_expectedPolicies = $oids;
-    }
+	/**
+	 * Set expected policies.
+	 *
+	 * @param string ...$oids Policy OIDs
+	 */
+	public function setExpectedPolicies(string ...$oids)
+	{
+		$this->_expectedPolicies = $oids;
+	}
     
-    /**
-     * Check whether node has a child node with given valid policy OID.
-     *
-     * @param string $oid
-     * @return boolean
-     */
-    public function hasChildWithValidPolicy(string $oid): bool
-    {
-        foreach ($this->_children as $node) {
-            if ($node->validPolicy() == $oid) {
-                return true;
-            }
-        }
-        return false;
-    }
+	/**
+	 * Check whether node has a child node with given valid policy OID.
+	 *
+	 * @param string $oid
+	 * @return boolean
+	 */
+	public function hasChildWithValidPolicy(string $oid): bool
+	{
+		foreach ($this->_children as $node) {
+			if ($node->validPolicy() == $oid) {
+				return true;
+			}
+		}
+		return false;
+	}
     
-    /**
-     * Add child node.
-     *
-     * @param PolicyNode $node
-     * @return self
-     */
-    public function addChild(PolicyNode $node): self
-    {
-        $id = spl_object_hash($node);
-        $node->_parent = $this;
-        $this->_children[$id] = $node;
-        return $this;
-    }
+	/**
+	 * Add child node.
+	 *
+	 * @param PolicyNode $node
+	 * @return self
+	 */
+	public function addChild(PolicyNode $node): self
+	{
+		$id = spl_object_hash($node);
+		$node->_parent = $this;
+		$this->_children[$id] = $node;
+		return $this;
+	}
     
-    /**
-     * Get the child nodes.
-     *
-     * @return PolicyNode[]
-     */
-    public function children(): array
-    {
-        return array_values($this->_children);
-    }
+	/**
+	 * Get the child nodes.
+	 *
+	 * @return PolicyNode[]
+	 */
+	public function children(): array
+	{
+		return array_values($this->_children);
+	}
     
-    /**
-     * Remove this node from the tree.
-     *
-     * @return self The removed node
-     */
-    public function remove(): self
-    {
-        if ($this->_parent) {
-            $id = spl_object_hash($this);
-            unset($this->_parent->_children[$id]);
-            unset($this->_parent);
-        }
-        return $this;
-    }
+	/**
+	 * Remove this node from the tree.
+	 *
+	 * @return self The removed node
+	 */
+	public function remove(): self
+	{
+		if ($this->_parent) {
+			$id = spl_object_hash($this);
+			unset($this->_parent->_children[$id]);
+			unset($this->_parent);
+		}
+		return $this;
+	}
     
-    /**
-     * Check whether node has a parent.
-     *
-     * @return bool
-     */
-    public function hasParent(): bool
-    {
-        return isset($this->_parent);
-    }
+	/**
+	 * Check whether node has a parent.
+	 *
+	 * @return bool
+	 */
+	public function hasParent(): bool
+	{
+		return isset($this->_parent);
+	}
     
-    /**
-     * Get the parent node.
-     *
-     * @return PolicyNode|null
-     */
-    public function parent()
-    {
-        return $this->_parent;
-    }
+	/**
+	 * Get the parent node.
+	 *
+	 * @return PolicyNode|null
+	 */
+	public function parent()
+	{
+		return $this->_parent;
+	}
     
-    /**
-     * Get chain of parent nodes from this node's parent to the root node.
-     *
-     * @return PolicyNode[]
-     */
-    public function parents(): array
-    {
-        if (!$this->_parent) {
-            return array();
-        }
-        $nodes = $this->_parent->parents();
-        $nodes[] = $this->_parent;
-        return array_reverse($nodes);
-    }
+	/**
+	 * Get chain of parent nodes from this node's parent to the root node.
+	 *
+	 * @return PolicyNode[]
+	 */
+	public function parents(): array
+	{
+		if (!$this->_parent) {
+			return array();
+		}
+		$nodes = $this->_parent->parents();
+		$nodes[] = $this->_parent;
+		return array_reverse($nodes);
+	}
     
-    /**
-     * Walk tree from this node, applying a callback for each node.
-     *
-     * Nodes are traversed depth-first and callback shall be applied post-order.
-     *
-     * @param callable $fn
-     */
-    public function walkNodes(callable $fn)
-    {
-        foreach ($this->_children as $node) {
-            $node->walkNodes($fn);
-        }
-        $fn($this);
-    }
+	/**
+	 * Walk tree from this node, applying a callback for each node.
+	 *
+	 * Nodes are traversed depth-first and callback shall be applied post-order.
+	 *
+	 * @param callable $fn
+	 */
+	public function walkNodes(callable $fn)
+	{
+		foreach ($this->_children as $node) {
+			$node->walkNodes($fn);
+		}
+		$fn($this);
+	}
     
-    /**
-     * Get the total number of nodes in a tree.
-     *
-     * @return int
-     */
-    public function nodeCount(): int
-    {
-        $c = 1;
-        foreach ($this->_children as $child) {
-            $c += $child->nodeCount();
-        }
-        return $c;
-    }
+	/**
+	 * Get the total number of nodes in a tree.
+	 *
+	 * @return int
+	 */
+	public function nodeCount(): int
+	{
+		$c = 1;
+		foreach ($this->_children as $child) {
+			$c += $child->nodeCount();
+		}
+		return $c;
+	}
     
-    /**
-     * Get the number of child nodes.
-     *
-     * @see \Countable::count()
-     */
-    public function count(): int
-    {
-        return count($this->_children);
-    }
+	/**
+	 * Get the number of child nodes.
+	 *
+	 * @see \Countable::count()
+	 */
+	public function count(): int
+	{
+		return count($this->_children);
+	}
     
-    /**
-     * Get iterator for the child nodes.
-     *
-     * @see \IteratorAggregate::getIterator()
-     */
-    public function getIterator(): \ArrayIterator
-    {
-        return new \ArrayIterator($this->_children);
-    }
+	/**
+	 * Get iterator for the child nodes.
+	 *
+	 * @see \IteratorAggregate::getIterator()
+	 */
+	public function getIterator(): \ArrayIterator
+	{
+		return new \ArrayIterator($this->_children);
+	}
 }

lib/X509/CertificationPath/Policy/PolicyTree.php

Indentation +393 added lines, -393 removed lines

@@ -10,411 +10,411 @@
 
 class PolicyTree
 {
-    /**
-     * Root node at depth zero.
-     *
-     * @var PolicyNode|null
-     */
-    protected $_root;
+	/**
+	 * Root node at depth zero.
+	 *
+	 * @var PolicyNode|null
+	 */
+	protected $_root;
     
-    /**
-     * Constructor.
-     *
-     * @param PolicyNode $root Initial root node
-     */
-    public function __construct(PolicyNode $root)
-    {
-        $this->_root = $root;
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param PolicyNode $root Initial root node
+	 */
+	public function __construct(PolicyNode $root)
+	{
+		$this->_root = $root;
+	}
     
-    /**
-     * Process policy information from the certificate.
-     *
-     * Certificate policies extension must be present.
-     *
-     * @param ValidatorState $state
-     * @param Certificate $cert
-     * @return ValidatorState
-     */
-    public function processPolicies(ValidatorState $state, Certificate $cert): ValidatorState
-    {
-        $policies = $cert->tbsCertificate()
-            ->extensions()
-            ->certificatePolicies();
-        $tree = clone $this;
-        // (d.1) for each policy P not equal to anyPolicy
-        foreach ($policies as $policy) {
-            if ($policy->isAnyPolicy()) {
-                $tree->_processAnyPolicy($policy, $cert, $state);
-            } else {
-                $tree->_processPolicy($policy, $state);
-            }
-        }
-        // if whole tree is pruned
-        if (!$tree->_pruneTree($state->index() - 1)) {
-            return $state->withoutValidPolicyTree();
-        }
-        return $state->withValidPolicyTree($tree);
-    }
+	/**
+	 * Process policy information from the certificate.
+	 *
+	 * Certificate policies extension must be present.
+	 *
+	 * @param ValidatorState $state
+	 * @param Certificate $cert
+	 * @return ValidatorState
+	 */
+	public function processPolicies(ValidatorState $state, Certificate $cert): ValidatorState
+	{
+		$policies = $cert->tbsCertificate()
+			->extensions()
+			->certificatePolicies();
+		$tree = clone $this;
+		// (d.1) for each policy P not equal to anyPolicy
+		foreach ($policies as $policy) {
+			if ($policy->isAnyPolicy()) {
+				$tree->_processAnyPolicy($policy, $cert, $state);
+			} else {
+				$tree->_processPolicy($policy, $state);
+			}
+		}
+		// if whole tree is pruned
+		if (!$tree->_pruneTree($state->index() - 1)) {
+			return $state->withoutValidPolicyTree();
+		}
+		return $state->withValidPolicyTree($tree);
+	}
     
-    /**
-     * Process policy mappings from the certificate.
-     *
-     * @param ValidatorState $state
-     * @param Certificate $cert
-     * @return ValidatorState
-     */
-    public function processMappings(ValidatorState $state, Certificate $cert): ValidatorState
-    {
-        $tree = clone $this;
-        if ($state->policyMapping() > 0) {
-            $tree->_applyMappings($cert, $state);
-        } else if ($state->policyMapping() == 0) {
-            $tree->_deleteMappings($cert, $state);
-        }
-        // if whole tree is pruned
-        if (!$tree->_root) {
-            return $state->withoutValidPolicyTree();
-        }
-        return $state->withValidPolicyTree($tree);
-    }
+	/**
+	 * Process policy mappings from the certificate.
+	 *
+	 * @param ValidatorState $state
+	 * @param Certificate $cert
+	 * @return ValidatorState
+	 */
+	public function processMappings(ValidatorState $state, Certificate $cert): ValidatorState
+	{
+		$tree = clone $this;
+		if ($state->policyMapping() > 0) {
+			$tree->_applyMappings($cert, $state);
+		} else if ($state->policyMapping() == 0) {
+			$tree->_deleteMappings($cert, $state);
+		}
+		// if whole tree is pruned
+		if (!$tree->_root) {
+			return $state->withoutValidPolicyTree();
+		}
+		return $state->withValidPolicyTree($tree);
+	}
     
-    /**
-     * Calculate policy intersection as specified in Wrap-Up Procedure 6.1.5.g.
-     *
-     * @param ValidatorState $state
-     * @param array $policies
-     * @return ValidatorState
-     */
-    public function calculateIntersection(ValidatorState $state, array $policies): ValidatorState
-    {
-        $tree = clone $this;
-        $valid_policy_node_set = $tree->_validPolicyNodeSet();
-        // 2. If the valid_policy of any node in the valid_policy_node_set
-        // is not in the user-initial-policy-set and is not anyPolicy,
-        // delete this node and all its children.
-        $valid_policy_node_set = array_filter($valid_policy_node_set,
-            function (PolicyNode $node) use ($policies) {
-                if ($node->isAnyPolicy()) {
-                    return true;
-                }
-                if (in_array($node->validPolicy(), $policies)) {
-                    return true;
-                }
-                $node->remove();
-                return false;
-            });
-        // array of valid policy OIDs
-        $valid_policy_set = array_map(
-            function (PolicyNode $node) {
-                return $node->validPolicy();
-            }, $valid_policy_node_set);
-        // 3. If the valid_policy_tree includes a node of depth n with
-        // the valid_policy anyPolicy and the user-initial-policy-set 
-        // is not any-policy
-        foreach ($tree->_nodesAtDepth($state->index()) as $node) {
-            if ($node->hasParent() && $node->isAnyPolicy()) {
-                // a. Set P-Q to the qualifier_set in the node of depth n
-                // with valid_policy anyPolicy.
-                $pq = $node->qualifiers();
-                // b. For each P-OID in the user-initial-policy-set that is not
-                // the valid_policy of a node in the valid_policy_node_set,
-                // create a child node whose parent is the node of depth n-1
-                // with the valid_policy anyPolicy.
-                $poids = array_diff($policies, $valid_policy_set);
-                foreach ($tree->_nodesAtDepth($state->index() - 1) as $parent) {
-                    if ($parent->isAnyPolicy()) {
-                        // Set the values in the child node as follows: 
-                        // set the valid_policy to P-OID, set the qualifier_set
-                        // to P-Q, and set the expected_policy_set to {P-OID}.
-                        foreach ($poids as $poid) {
-                            $parent->addChild(
-                                new PolicyNode($poid, $pq, array($poid)));
-                        }
-                        break;
-                    }
-                }
-                // c. Delete the node of depth n with the
-                // valid_policy anyPolicy.
-                $node->remove();
-            }
-        }
-        // 4. If there is a node in the valid_policy_tree of depth n-1 or less
-        // without any child nodes, delete that node. Repeat this step until
-        // there are no nodes of depth n-1 or less without children.
-        if (!$tree->_pruneTree($state->index() - 1)) {
-            return $state->withoutValidPolicyTree();
-        }
-        return $state->withValidPolicyTree($tree);
-    }
+	/**
+	 * Calculate policy intersection as specified in Wrap-Up Procedure 6.1.5.g.
+	 *
+	 * @param ValidatorState $state
+	 * @param array $policies
+	 * @return ValidatorState
+	 */
+	public function calculateIntersection(ValidatorState $state, array $policies): ValidatorState
+	{
+		$tree = clone $this;
+		$valid_policy_node_set = $tree->_validPolicyNodeSet();
+		// 2. If the valid_policy of any node in the valid_policy_node_set
+		// is not in the user-initial-policy-set and is not anyPolicy,
+		// delete this node and all its children.
+		$valid_policy_node_set = array_filter($valid_policy_node_set,
+			function (PolicyNode $node) use ($policies) {
+				if ($node->isAnyPolicy()) {
+					return true;
+				}
+				if (in_array($node->validPolicy(), $policies)) {
+					return true;
+				}
+				$node->remove();
+				return false;
+			});
+		// array of valid policy OIDs
+		$valid_policy_set = array_map(
+			function (PolicyNode $node) {
+				return $node->validPolicy();
+			}, $valid_policy_node_set);
+		// 3. If the valid_policy_tree includes a node of depth n with
+		// the valid_policy anyPolicy and the user-initial-policy-set 
+		// is not any-policy
+		foreach ($tree->_nodesAtDepth($state->index()) as $node) {
+			if ($node->hasParent() && $node->isAnyPolicy()) {
+				// a. Set P-Q to the qualifier_set in the node of depth n
+				// with valid_policy anyPolicy.
+				$pq = $node->qualifiers();
+				// b. For each P-OID in the user-initial-policy-set that is not
+				// the valid_policy of a node in the valid_policy_node_set,
+				// create a child node whose parent is the node of depth n-1
+				// with the valid_policy anyPolicy.
+				$poids = array_diff($policies, $valid_policy_set);
+				foreach ($tree->_nodesAtDepth($state->index() - 1) as $parent) {
+					if ($parent->isAnyPolicy()) {
+						// Set the values in the child node as follows: 
+						// set the valid_policy to P-OID, set the qualifier_set
+						// to P-Q, and set the expected_policy_set to {P-OID}.
+						foreach ($poids as $poid) {
+							$parent->addChild(
+								new PolicyNode($poid, $pq, array($poid)));
+						}
+						break;
+					}
+				}
+				// c. Delete the node of depth n with the
+				// valid_policy anyPolicy.
+				$node->remove();
+			}
+		}
+		// 4. If there is a node in the valid_policy_tree of depth n-1 or less
+		// without any child nodes, delete that node. Repeat this step until
+		// there are no nodes of depth n-1 or less without children.
+		if (!$tree->_pruneTree($state->index() - 1)) {
+			return $state->withoutValidPolicyTree();
+		}
+		return $state->withValidPolicyTree($tree);
+	}
     
-    /**
-     * Get policies at given policy tree depth.
-     *
-     * @param int $i Depth in range 1..n
-     * @return PolicyInformation[]
-     */
-    public function policiesAtDepth(int $i): array
-    {
-        $policies = array();
-        foreach ($this->_nodesAtDepth($i) as $node) {
-            $policies[] = new PolicyInformation($node->validPolicy(),
-                ...$node->qualifiers());
-        }
-        return $policies;
-    }
+	/**
+	 * Get policies at given policy tree depth.
+	 *
+	 * @param int $i Depth in range 1..n
+	 * @return PolicyInformation[]
+	 */
+	public function policiesAtDepth(int $i): array
+	{
+		$policies = array();
+		foreach ($this->_nodesAtDepth($i) as $node) {
+			$policies[] = new PolicyInformation($node->validPolicy(),
+				...$node->qualifiers());
+		}
+		return $policies;
+	}
     
-    /**
-     * Process single policy information.
-     *
-     * @param PolicyInformation $policy
-     * @param ValidatorState $state
-     */
-    protected function _processPolicy(PolicyInformation $policy,
-        ValidatorState $state)
-    {
-        $p_oid = $policy->oid();
-        $i = $state->index();
-        $match_count = 0;
-        // (d.1.i) for each node of depth i-1 in the valid_policy_tree...
-        foreach ($this->_nodesAtDepth($i - 1) as $node) {
-            // ...where P-OID is in the expected_policy_set
-            if ($node->hasExpectedPolicy($p_oid)) {
-                $node->addChild(
-                    new PolicyNode($p_oid, $policy->qualifiers(), array($p_oid)));
-                ++$match_count;
-            }
-        }
-        // (d.1.ii) if there was no match in step (i)...
-        if (!$match_count) {
-            // ...and the valid_policy_tree includes a node of depth i-1 with
-            // the valid_policy anyPolicy
-            foreach ($this->_nodesAtDepth($i - 1) as $node) {
-                if ($node->isAnyPolicy()) {
-                    $node->addChild(
-                        new PolicyNode($p_oid, $policy->qualifiers(),
-                            array($p_oid)));
-                }
-            }
-        }
-    }
+	/**
+	 * Process single policy information.
+	 *
+	 * @param PolicyInformation $policy
+	 * @param ValidatorState $state
+	 */
+	protected function _processPolicy(PolicyInformation $policy,
+		ValidatorState $state)
+	{
+		$p_oid = $policy->oid();
+		$i = $state->index();
+		$match_count = 0;
+		// (d.1.i) for each node of depth i-1 in the valid_policy_tree...
+		foreach ($this->_nodesAtDepth($i - 1) as $node) {
+			// ...where P-OID is in the expected_policy_set
+			if ($node->hasExpectedPolicy($p_oid)) {
+				$node->addChild(
+					new PolicyNode($p_oid, $policy->qualifiers(), array($p_oid)));
+				++$match_count;
+			}
+		}
+		// (d.1.ii) if there was no match in step (i)...
+		if (!$match_count) {
+			// ...and the valid_policy_tree includes a node of depth i-1 with
+			// the valid_policy anyPolicy
+			foreach ($this->_nodesAtDepth($i - 1) as $node) {
+				if ($node->isAnyPolicy()) {
+					$node->addChild(
+						new PolicyNode($p_oid, $policy->qualifiers(),
+							array($p_oid)));
+				}
+			}
+		}
+	}
     
-    /**
-     * Process anyPolicy policy information.
-     *
-     * @param PolicyInformation $policy
-     * @param Certificate $cert
-     * @param ValidatorState $state
-     */
-    protected function _processAnyPolicy(PolicyInformation $policy,
-        Certificate $cert, ValidatorState $state)
-    {
-        $i = $state->index();
-        // if (a) inhibit_anyPolicy is greater than 0 or
-        // (b) i<n and the certificate is self-issued
-        if (!($state->inhibitAnyPolicy() > 0 ||
-             ($i < $state->pathLength() && $cert->isSelfIssued()))) {
-            return;
-        }
-        // for each node in the valid_policy_tree of depth i-1
-        foreach ($this->_nodesAtDepth($i - 1) as $node) {
-            // for each value in the expected_policy_set
-            foreach ($node->expectedPolicies() as $p_oid) {
-                // that does not appear in a child node
-                if (!$node->hasChildWithValidPolicy($p_oid)) {
-                    $node->addChild(
-                        new PolicyNode($p_oid, $policy->qualifiers(),
-                            array($p_oid)));
-                }
-            }
-        }
-    }
+	/**
+	 * Process anyPolicy policy information.
+	 *
+	 * @param PolicyInformation $policy
+	 * @param Certificate $cert
+	 * @param ValidatorState $state
+	 */
+	protected function _processAnyPolicy(PolicyInformation $policy,
+		Certificate $cert, ValidatorState $state)
+	{
+		$i = $state->index();
+		// if (a) inhibit_anyPolicy is greater than 0 or
+		// (b) i<n and the certificate is self-issued
+		if (!($state->inhibitAnyPolicy() > 0 ||
+			 ($i < $state->pathLength() && $cert->isSelfIssued()))) {
+			return;
+		}
+		// for each node in the valid_policy_tree of depth i-1
+		foreach ($this->_nodesAtDepth($i - 1) as $node) {
+			// for each value in the expected_policy_set
+			foreach ($node->expectedPolicies() as $p_oid) {
+				// that does not appear in a child node
+				if (!$node->hasChildWithValidPolicy($p_oid)) {
+					$node->addChild(
+						new PolicyNode($p_oid, $policy->qualifiers(),
+							array($p_oid)));
+				}
+			}
+		}
+	}
     
-    /**
-     * Apply policy mappings to the policy tree.
-     *
-     * @param Certificate $cert
-     * @param ValidatorState $state
-     */
-    protected function _applyMappings(Certificate $cert, ValidatorState $state)
-    {
-        $policy_mappings = $cert->tbsCertificate()
-            ->extensions()
-            ->policyMappings();
-        // (6.1.4. b.1.) for each node in the valid_policy_tree of depth i...
-        foreach ($policy_mappings->flattenedMappings() as $idp => $sdps) {
-            $match_count = 0;
-            foreach ($this->_nodesAtDepth($state->index()) as $node) {
-                // ...where ID-P is the valid_policy
-                if ($node->validPolicy() == $idp) {
-                    // set expected_policy_set to the set of subjectDomainPolicy
-                    // values that are specified as equivalent to ID-P by
-                    // the policy mappings extension
-                    $node->setExpectedPolicies(...$sdps);
-                    ++$match_count;
-                }
-            }
-            // if no node of depth i in the valid_policy_tree has
-            // a valid_policy of ID-P...
-            if (!$match_count) {
-                $this->_applyAnyPolicyMapping($cert, $state, $idp, $sdps);
-            }
-        }
-    }
+	/**
+	 * Apply policy mappings to the policy tree.
+	 *
+	 * @param Certificate $cert
+	 * @param ValidatorState $state
+	 */
+	protected function _applyMappings(Certificate $cert, ValidatorState $state)
+	{
+		$policy_mappings = $cert->tbsCertificate()
+			->extensions()
+			->policyMappings();
+		// (6.1.4. b.1.) for each node in the valid_policy_tree of depth i...
+		foreach ($policy_mappings->flattenedMappings() as $idp => $sdps) {
+			$match_count = 0;
+			foreach ($this->_nodesAtDepth($state->index()) as $node) {
+				// ...where ID-P is the valid_policy
+				if ($node->validPolicy() == $idp) {
+					// set expected_policy_set to the set of subjectDomainPolicy
+					// values that are specified as equivalent to ID-P by
+					// the policy mappings extension
+					$node->setExpectedPolicies(...$sdps);
+					++$match_count;
+				}
+			}
+			// if no node of depth i in the valid_policy_tree has
+			// a valid_policy of ID-P...
+			if (!$match_count) {
+				$this->_applyAnyPolicyMapping($cert, $state, $idp, $sdps);
+			}
+		}
+	}
     
-    /**
-     * Apply anyPolicy mapping to the policy tree as specified in 6.1.4 (b)(1).
-     *
-     * @param Certificate $cert
-     * @param ValidatorState $state
-     * @param string $idp OID of the issuer domain policy
-     * @param array $sdps Array of subject domain policy OIDs
-     */
-    protected function _applyAnyPolicyMapping(Certificate $cert,
-        ValidatorState $state, $idp, array $sdps)
-    {
-        // (6.1.4. b.1.) ...but there is a node of depth i with
-        // a valid_policy of anyPolicy
-        foreach ($this->_nodesAtDepth($state->index()) as $node) {
-            if ($node->isAnyPolicy()) {
-                // then generate a child node of the node of depth i-1
-                // that has a valid_policy of anyPolicy as follows...
-                foreach ($this->_nodesAtDepth($state->index() - 1) as $node) {
-                    if ($node->isAnyPolicy()) {
-                        // try to fetch qualifiers of anyPolicy certificate policy
-                        $qualifiers = array();
-                        try {
-                            $qualifiers = $cert->tbsCertificate()
-                                ->extensions()
-                                ->certificatePolicies()
-                                ->anyPolicy()
-                                ->qualifiers();
-                        } catch (\LogicException $e) {
-                            // if there's no policies or no qualifiers
-                        }
-                        $node->addChild(
-                            new PolicyNode($idp, $qualifiers, $sdps));
-                        // bail after first anyPolicy has been processed
-                        break;
-                    }
-                }
-                // bail after first anyPolicy has been processed
-                break;
-            }
-        }
-    }
+	/**
+	 * Apply anyPolicy mapping to the policy tree as specified in 6.1.4 (b)(1).
+	 *
+	 * @param Certificate $cert
+	 * @param ValidatorState $state
+	 * @param string $idp OID of the issuer domain policy
+	 * @param array $sdps Array of subject domain policy OIDs
+	 */
+	protected function _applyAnyPolicyMapping(Certificate $cert,
+		ValidatorState $state, $idp, array $sdps)
+	{
+		// (6.1.4. b.1.) ...but there is a node of depth i with
+		// a valid_policy of anyPolicy
+		foreach ($this->_nodesAtDepth($state->index()) as $node) {
+			if ($node->isAnyPolicy()) {
+				// then generate a child node of the node of depth i-1
+				// that has a valid_policy of anyPolicy as follows...
+				foreach ($this->_nodesAtDepth($state->index() - 1) as $node) {
+					if ($node->isAnyPolicy()) {
+						// try to fetch qualifiers of anyPolicy certificate policy
+						$qualifiers = array();
+						try {
+							$qualifiers = $cert->tbsCertificate()
+								->extensions()
+								->certificatePolicies()
+								->anyPolicy()
+								->qualifiers();
+						} catch (\LogicException $e) {
+							// if there's no policies or no qualifiers
+						}
+						$node->addChild(
+							new PolicyNode($idp, $qualifiers, $sdps));
+						// bail after first anyPolicy has been processed
+						break;
+					}
+				}
+				// bail after first anyPolicy has been processed
+				break;
+			}
+		}
+	}
     
-    /**
-     * Delete nodes as specified in 6.1.4 (b)(2).
-     *
-     * @param Certificate $cert
-     * @param ValidatorState $state
-     */
-    protected function _deleteMappings(Certificate $cert, ValidatorState $state)
-    {
-        $idps = $cert->tbsCertificate()
-            ->extensions()
-            ->policyMappings()
-            ->issuerDomainPolicies();
-        // delete each node of depth i in the valid_policy_tree
-        // where ID-P is the valid_policy
-        foreach ($this->_nodesAtDepth($state->index()) as $node) {
-            if (in_array($node->validPolicy(), $idps)) {
-                $node->remove();
-            }
-        }
-        $this->_pruneTree($state->index() - 1);
-    }
+	/**
+	 * Delete nodes as specified in 6.1.4 (b)(2).
+	 *
+	 * @param Certificate $cert
+	 * @param ValidatorState $state
+	 */
+	protected function _deleteMappings(Certificate $cert, ValidatorState $state)
+	{
+		$idps = $cert->tbsCertificate()
+			->extensions()
+			->policyMappings()
+			->issuerDomainPolicies();
+		// delete each node of depth i in the valid_policy_tree
+		// where ID-P is the valid_policy
+		foreach ($this->_nodesAtDepth($state->index()) as $node) {
+			if (in_array($node->validPolicy(), $idps)) {
+				$node->remove();
+			}
+		}
+		$this->_pruneTree($state->index() - 1);
+	}
     
-    /**
-     * Prune tree starting from given depth.
-     *
-     * @param int $depth
-     * @return int The number of nodes left in a tree
-     */
-    protected function _pruneTree(int $depth): int
-    {
-        for ($i = $depth; $i > 0; --$i) {
-            foreach ($this->_nodesAtDepth($i) as $node) {
-                if (!count($node)) {
-                    $node->remove();
-                }
-            }
-        }
-        // if root has no children left
-        if (!count($this->_root)) {
-            $this->_root = null;
-            return 0;
-        }
-        return $this->_root->nodeCount();
-    }
+	/**
+	 * Prune tree starting from given depth.
+	 *
+	 * @param int $depth
+	 * @return int The number of nodes left in a tree
+	 */
+	protected function _pruneTree(int $depth): int
+	{
+		for ($i = $depth; $i > 0; --$i) {
+			foreach ($this->_nodesAtDepth($i) as $node) {
+				if (!count($node)) {
+					$node->remove();
+				}
+			}
+		}
+		// if root has no children left
+		if (!count($this->_root)) {
+			$this->_root = null;
+			return 0;
+		}
+		return $this->_root->nodeCount();
+	}
     
-    /**
-     * Get all nodes at given depth.
-     *
-     * @param int $i
-     * @return PolicyNode[]
-     */
-    protected function _nodesAtDepth(int $i): array
-    {
-        if (!$this->_root) {
-            return array();
-        }
-        $depth = 0;
-        $nodes = array($this->_root);
-        while ($depth < $i) {
-            $nodes = self::_gatherChildren(...$nodes);
-            if (!count($nodes)) {
-                break;
-            }
-            ++$depth;
-        }
-        return $nodes;
-    }
+	/**
+	 * Get all nodes at given depth.
+	 *
+	 * @param int $i
+	 * @return PolicyNode[]
+	 */
+	protected function _nodesAtDepth(int $i): array
+	{
+		if (!$this->_root) {
+			return array();
+		}
+		$depth = 0;
+		$nodes = array($this->_root);
+		while ($depth < $i) {
+			$nodes = self::_gatherChildren(...$nodes);
+			if (!count($nodes)) {
+				break;
+			}
+			++$depth;
+		}
+		return $nodes;
+	}
     
-    /**
-     * Get the valid policy node set as specified in spec 6.1.5.(g)(iii)1.
-     *
-     * @return PolicyNode[]
-     */
-    protected function _validPolicyNodeSet(): array
-    {
-        // 1. Determine the set of policy nodes whose parent nodes have
-        // a valid_policy of anyPolicy. This is the valid_policy_node_set.
-        $set = array();
-        if (!$this->_root) {
-            return $set;
-        }
-        // for each node in a tree
-        $this->_root->walkNodes(
-            function (PolicyNode $node) use (&$set) {
-                $parents = $node->parents();
-                // node has parents
-                if (count($parents)) {
-                    // check that each ancestor is an anyPolicy node
-                    foreach ($parents as $ancestor) {
-                        if (!$ancestor->isAnyPolicy()) {
-                            return;
-                        }
-                    }
-                    $set[] = $node;
-                }
-            });
-        return $set;
-    }
+	/**
+	 * Get the valid policy node set as specified in spec 6.1.5.(g)(iii)1.
+	 *
+	 * @return PolicyNode[]
+	 */
+	protected function _validPolicyNodeSet(): array
+	{
+		// 1. Determine the set of policy nodes whose parent nodes have
+		// a valid_policy of anyPolicy. This is the valid_policy_node_set.
+		$set = array();
+		if (!$this->_root) {
+			return $set;
+		}
+		// for each node in a tree
+		$this->_root->walkNodes(
+			function (PolicyNode $node) use (&$set) {
+				$parents = $node->parents();
+				// node has parents
+				if (count($parents)) {
+					// check that each ancestor is an anyPolicy node
+					foreach ($parents as $ancestor) {
+						if (!$ancestor->isAnyPolicy()) {
+							return;
+						}
+					}
+					$set[] = $node;
+				}
+			});
+		return $set;
+	}
     
-    /**
-     * Gather all children of given nodes to a flattened array.
-     *
-     * @param PolicyNode ...$nodes
-     * @return PolicyNode[]
-     */
-    private static function _gatherChildren(PolicyNode ...$nodes): array
-    {
-        $children = array();
-        foreach ($nodes as $node) {
-            $children = array_merge($children, $node->children());
-        }
-        return $children;
-    }
+	/**
+	 * Gather all children of given nodes to a flattened array.
+	 *
+	 * @param PolicyNode ...$nodes
+	 * @return PolicyNode[]
+	 */
+	private static function _gatherChildren(PolicyNode ...$nodes): array
+	{
+		$children = array();
+		foreach ($nodes as $node) {
+			$children = array_merge($children, $node->children());
+		}
+		return $children;
+	}
 }