sop / x509

lib/X509/AttributeCertificate/Validation/ACValidationConfig.php

Indentation +100 added lines, -100 removed lines

@@ -12,114 +12,114 @@
  */
 class ACValidationConfig
 {
-    /**
-     * Certification path of the AC holder.
-     *
-     * @var CertificationPath
-     */
-    protected $_holderPath;
+	/**
+	 * Certification path of the AC holder.
+	 *
+	 * @var CertificationPath
+	 */
+	protected $_holderPath;
 
-    /**
-     * Certification path of the AC issuer.
-     *
-     * @var CertificationPath
-     */
-    protected $_issuerPath;
+	/**
+	 * Certification path of the AC issuer.
+	 *
+	 * @var CertificationPath
+	 */
+	protected $_issuerPath;
 
-    /**
-     * Evaluation reference time.
-     *
-     * @var \DateTimeImmutable
-     */
-    protected $_evalTime;
+	/**
+	 * Evaluation reference time.
+	 *
+	 * @var \DateTimeImmutable
+	 */
+	protected $_evalTime;
 
-    /**
-     * Permitted targets.
-     *
-     * @var Target[]
-     */
-    protected $_targets;
+	/**
+	 * Permitted targets.
+	 *
+	 * @var Target[]
+	 */
+	protected $_targets;
 
-    /**
-     * Constructor.
-     *
-     * @param CertificationPath $holder_path Certification path of the AC holder
-     * @param CertificationPath $issuer_path Certification path of the AC issuer
-     */
-    public function __construct(CertificationPath $holder_path,
-        CertificationPath $issuer_path)
-    {
-        $this->_holderPath = $holder_path;
-        $this->_issuerPath = $issuer_path;
-        $this->_evalTime = new \DateTimeImmutable();
-        $this->_targets = [];
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param CertificationPath $holder_path Certification path of the AC holder
+	 * @param CertificationPath $issuer_path Certification path of the AC issuer
+	 */
+	public function __construct(CertificationPath $holder_path,
+		CertificationPath $issuer_path)
+	{
+		$this->_holderPath = $holder_path;
+		$this->_issuerPath = $issuer_path;
+		$this->_evalTime = new \DateTimeImmutable();
+		$this->_targets = [];
+	}
 
-    /**
-     * Get certification path of the AC's holder.
-     *
-     * @return CertificationPath
-     */
-    public function holderPath(): CertificationPath
-    {
-        return $this->_holderPath;
-    }
+	/**
+	 * Get certification path of the AC's holder.
+	 *
+	 * @return CertificationPath
+	 */
+	public function holderPath(): CertificationPath
+	{
+		return $this->_holderPath;
+	}
 
-    /**
-     * Get certification path of the AC's issuer.
-     *
-     * @return CertificationPath
-     */
-    public function issuerPath(): CertificationPath
-    {
-        return $this->_issuerPath;
-    }
+	/**
+	 * Get certification path of the AC's issuer.
+	 *
+	 * @return CertificationPath
+	 */
+	public function issuerPath(): CertificationPath
+	{
+		return $this->_issuerPath;
+	}
 
-    /**
-     * Get self with given evaluation reference time.
-     *
-     * @param \DateTimeImmutable $dt
-     *
-     * @return self
-     */
-    public function withEvaluationTime(\DateTimeImmutable $dt): self
-    {
-        $obj = clone $this;
-        $obj->_evalTime = $dt;
-        return $obj;
-    }
+	/**
+	 * Get self with given evaluation reference time.
+	 *
+	 * @param \DateTimeImmutable $dt
+	 *
+	 * @return self
+	 */
+	public function withEvaluationTime(\DateTimeImmutable $dt): self
+	{
+		$obj = clone $this;
+		$obj->_evalTime = $dt;
+		return $obj;
+	}
 
-    /**
-     * Get the evaluation reference time.
-     *
-     * @return \DateTimeImmutable
-     */
-    public function evaluationTime(): \DateTimeImmutable
-    {
-        return $this->_evalTime;
-    }
+	/**
+	 * Get the evaluation reference time.
+	 *
+	 * @return \DateTimeImmutable
+	 */
+	public function evaluationTime(): \DateTimeImmutable
+	{
+		return $this->_evalTime;
+	}
 
-    /**
-     * Get self with permitted targets.
-     *
-     * @param Target ...$targets
-     *
-     * @return self
-     */
-    public function withTargets(Target ...$targets): self
-    {
-        $obj = clone $this;
-        $obj->_targets = $targets;
-        return $obj;
-    }
+	/**
+	 * Get self with permitted targets.
+	 *
+	 * @param Target ...$targets
+	 *
+	 * @return self
+	 */
+	public function withTargets(Target ...$targets): self
+	{
+		$obj = clone $this;
+		$obj->_targets = $targets;
+		return $obj;
+	}
 
-    /**
-     * Get array of permitted targets.
-     *
-     * @return Target[]
-     */
-    public function targets(): array
-    {
-        return $this->_targets;
-    }
+	/**
+	 * Get array of permitted targets.
+	 *
+	 * @return Target[]
+	 */
+	public function targets(): array
+	{
+		return $this->_targets;
+	}
 }

lib/X509/AttributeCertificate/Validation/ACValidator.php

Indentation +172 added lines, -172 removed lines

@@ -21,186 +21,186 @@
  */
 class ACValidator
 {
-    /**
-     * Attribute certificate.
-     *
-     * @var AttributeCertificate
-     */
-    protected $_ac;
+	/**
+	 * Attribute certificate.
+	 *
+	 * @var AttributeCertificate
+	 */
+	protected $_ac;
 
-    /**
-     * Validation configuration.
-     *
-     * @var ACValidationConfig
-     */
-    protected $_config;
+	/**
+	 * Validation configuration.
+	 *
+	 * @var ACValidationConfig
+	 */
+	protected $_config;
 
-    /**
-     * Crypto engine.
-     *
-     * @var Crypto
-     */
-    protected $_crypto;
+	/**
+	 * Crypto engine.
+	 *
+	 * @var Crypto
+	 */
+	protected $_crypto;
 
-    /**
-     * Constructor.
-     *
-     * @param AttributeCertificate $ac     Attribute certificate to validate
-     * @param ACValidationConfig   $config Validation configuration
-     * @param null|Crypto          $crypto Crypto engine, use default if not set
-     */
-    public function __construct(AttributeCertificate $ac,
-        ACValidationConfig $config, ?Crypto $crypto = null)
-    {
-        $this->_ac = $ac;
-        $this->_config = $config;
-        $this->_crypto = $crypto ?? Crypto::getDefault();
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param AttributeCertificate $ac     Attribute certificate to validate
+	 * @param ACValidationConfig   $config Validation configuration
+	 * @param null|Crypto          $crypto Crypto engine, use default if not set
+	 */
+	public function __construct(AttributeCertificate $ac,
+		ACValidationConfig $config, ?Crypto $crypto = null)
+	{
+		$this->_ac = $ac;
+		$this->_config = $config;
+		$this->_crypto = $crypto ?? Crypto::getDefault();
+	}
 
-    /**
-     * Validate attribute certificate.
-     *
-     * @throws ACValidationException If validation fails
-     *
-     * @return AttributeCertificate Validated AC
-     */
-    public function validate(): AttributeCertificate
-    {
-        $this->_validateHolder();
-        $issuer = $this->_verifyIssuer();
-        $this->_validateIssuerProfile($issuer);
-        $this->_validateTime();
-        $this->_validateTargeting();
-        return $this->_ac;
-    }
+	/**
+	 * Validate attribute certificate.
+	 *
+	 * @throws ACValidationException If validation fails
+	 *
+	 * @return AttributeCertificate Validated AC
+	 */
+	public function validate(): AttributeCertificate
+	{
+		$this->_validateHolder();
+		$issuer = $this->_verifyIssuer();
+		$this->_validateIssuerProfile($issuer);
+		$this->_validateTime();
+		$this->_validateTargeting();
+		return $this->_ac;
+	}
 
-    /**
-     * Validate AC holder's certification.
-     *
-     * @throws ACValidationException
-     *
-     * @return Certificate Certificate of the AC's holder
-     */
-    private function _validateHolder(): Certificate
-    {
-        $path = $this->_config->holderPath();
-        $config = PathValidationConfig::defaultConfig()
-            ->withMaxLength(count($path))
-            ->withDateTime($this->_config->evaluationTime());
-        try {
-            $holder = $path->validate($config, $this->_crypto)->certificate();
-        } catch (PathValidationException $e) {
-            throw new ACValidationException(
-                "Failed to validate holder PKC's certification path.", 0, $e);
-        }
-        if (!$this->_ac->isHeldBy($holder)) {
-            throw new ACValidationException("Name mismatch of AC's holder PKC.");
-        }
-        return $holder;
-    }
+	/**
+	 * Validate AC holder's certification.
+	 *
+	 * @throws ACValidationException
+	 *
+	 * @return Certificate Certificate of the AC's holder
+	 */
+	private function _validateHolder(): Certificate
+	{
+		$path = $this->_config->holderPath();
+		$config = PathValidationConfig::defaultConfig()
+			->withMaxLength(count($path))
+			->withDateTime($this->_config->evaluationTime());
+		try {
+			$holder = $path->validate($config, $this->_crypto)->certificate();
+		} catch (PathValidationException $e) {
+			throw new ACValidationException(
+				"Failed to validate holder PKC's certification path.", 0, $e);
+		}
+		if (!$this->_ac->isHeldBy($holder)) {
+			throw new ACValidationException("Name mismatch of AC's holder PKC.");
+		}
+		return $holder;
+	}
 
-    /**
-     * Verify AC's signature and issuer's certification.
-     *
-     * @throws ACValidationException
-     *
-     * @return Certificate Certificate of the AC's issuer
-     */
-    private function _verifyIssuer(): Certificate
-    {
-        $path = $this->_config->issuerPath();
-        $config = PathValidationConfig::defaultConfig()
-            ->withMaxLength(count($path))
-            ->withDateTime($this->_config->evaluationTime());
-        try {
-            $issuer = $path->validate($config, $this->_crypto)->certificate();
-        } catch (PathValidationException $e) {
-            throw new ACValidationException(
-                "Failed to validate issuer PKC's certification path.", 0, $e);
-        }
-        if (!$this->_ac->isIssuedBy($issuer)) {
-            throw new ACValidationException("Name mismatch of AC's issuer PKC.");
-        }
-        $pubkey_info = $issuer->tbsCertificate()->subjectPublicKeyInfo();
-        if (!$this->_ac->verify($pubkey_info, $this->_crypto)) {
-            throw new ACValidationException('Failed to verify signature.');
-        }
-        return $issuer;
-    }
+	/**
+	 * Verify AC's signature and issuer's certification.
+	 *
+	 * @throws ACValidationException
+	 *
+	 * @return Certificate Certificate of the AC's issuer
+	 */
+	private function _verifyIssuer(): Certificate
+	{
+		$path = $this->_config->issuerPath();
+		$config = PathValidationConfig::defaultConfig()
+			->withMaxLength(count($path))
+			->withDateTime($this->_config->evaluationTime());
+		try {
+			$issuer = $path->validate($config, $this->_crypto)->certificate();
+		} catch (PathValidationException $e) {
+			throw new ACValidationException(
+				"Failed to validate issuer PKC's certification path.", 0, $e);
+		}
+		if (!$this->_ac->isIssuedBy($issuer)) {
+			throw new ACValidationException("Name mismatch of AC's issuer PKC.");
+		}
+		$pubkey_info = $issuer->tbsCertificate()->subjectPublicKeyInfo();
+		if (!$this->_ac->verify($pubkey_info, $this->_crypto)) {
+			throw new ACValidationException('Failed to verify signature.');
+		}
+		return $issuer;
+	}
 
-    /**
-     * Validate AC issuer's profile.
-     *
-     * @see https://tools.ietf.org/html/rfc5755#section-4.5
-     *
-     * @param Certificate $cert
-     *
-     * @throws ACValidationException
-     */
-    private function _validateIssuerProfile(Certificate $cert): void
-    {
-        $exts = $cert->tbsCertificate()->extensions();
-        if ($exts->hasKeyUsage() && !$exts->keyUsage()->isDigitalSignature()) {
-            throw new ACValidationException(
-                "Issuer PKC's Key Usage extension doesn't permit" .
-                     ' verification of digital signatures.');
-        }
-        if ($exts->hasBasicConstraints() && $exts->basicConstraints()->isCA()) {
-            throw new ACValidationException('Issuer PKC must not be a CA.');
-        }
-    }
+	/**
+	 * Validate AC issuer's profile.
+	 *
+	 * @see https://tools.ietf.org/html/rfc5755#section-4.5
+	 *
+	 * @param Certificate $cert
+	 *
+	 * @throws ACValidationException
+	 */
+	private function _validateIssuerProfile(Certificate $cert): void
+	{
+		$exts = $cert->tbsCertificate()->extensions();
+		if ($exts->hasKeyUsage() && !$exts->keyUsage()->isDigitalSignature()) {
+			throw new ACValidationException(
+				"Issuer PKC's Key Usage extension doesn't permit" .
+					 ' verification of digital signatures.');
+		}
+		if ($exts->hasBasicConstraints() && $exts->basicConstraints()->isCA()) {
+			throw new ACValidationException('Issuer PKC must not be a CA.');
+		}
+	}
 
-    /**
-     * Validate AC's validity period.
-     *
-     * @throws ACValidationException
-     */
-    private function _validateTime(): void
-    {
-        $t = $this->_config->evaluationTime();
-        $validity = $this->_ac->acinfo()->validityPeriod();
-        if ($validity->notBeforeTime()->diff($t)->invert) {
-            throw new ACValidationException('Validity period has not started.');
-        }
-        if ($t->diff($validity->notAfterTime())->invert) {
-            throw new ACValidationException('Attribute certificate has expired.');
-        }
-    }
+	/**
+	 * Validate AC's validity period.
+	 *
+	 * @throws ACValidationException
+	 */
+	private function _validateTime(): void
+	{
+		$t = $this->_config->evaluationTime();
+		$validity = $this->_ac->acinfo()->validityPeriod();
+		if ($validity->notBeforeTime()->diff($t)->invert) {
+			throw new ACValidationException('Validity period has not started.');
+		}
+		if ($t->diff($validity->notAfterTime())->invert) {
+			throw new ACValidationException('Attribute certificate has expired.');
+		}
+	}
 
-    /**
-     * Validate AC's target information.
-     *
-     * @throws ACValidationException
-     */
-    private function _validateTargeting(): void
-    {
-        $exts = $this->_ac->acinfo()->extensions();
-        // if target information extension is not present
-        if (!$exts->has(Extension::OID_TARGET_INFORMATION)) {
-            return;
-        }
-        $ext = $exts->get(Extension::OID_TARGET_INFORMATION);
-        if ($ext instanceof TargetInformationExtension &&
-            !$this->_hasMatchingTarget($ext->targets())) {
-            throw new ACValidationException(
-                "Attribute certificate doesn't have a matching target.");
-        }
-    }
+	/**
+	 * Validate AC's target information.
+	 *
+	 * @throws ACValidationException
+	 */
+	private function _validateTargeting(): void
+	{
+		$exts = $this->_ac->acinfo()->extensions();
+		// if target information extension is not present
+		if (!$exts->has(Extension::OID_TARGET_INFORMATION)) {
+			return;
+		}
+		$ext = $exts->get(Extension::OID_TARGET_INFORMATION);
+		if ($ext instanceof TargetInformationExtension &&
+			!$this->_hasMatchingTarget($ext->targets())) {
+			throw new ACValidationException(
+				"Attribute certificate doesn't have a matching target.");
+		}
+	}
 
-    /**
-     * Check whether validation configuration has matching targets.
-     *
-     * @param Targets $targets Set of eligible targets
-     *
-     * @return bool
-     */
-    private function _hasMatchingTarget(Targets $targets): bool
-    {
-        foreach ($this->_config->targets() as $target) {
-            if ($targets->hasTarget($target)) {
-                return true;
-            }
-        }
-        return false;
-    }
+	/**
+	 * Check whether validation configuration has matching targets.
+	 *
+	 * @param Targets $targets Set of eligible targets
+	 *
+	 * @return bool
+	 */
+	private function _hasMatchingTarget(Targets $targets): bool
+	{
+		foreach ($this->_config->targets() as $target) {
+			if ($targets->hasTarget($target)) {
+				return true;
+			}
+		}
+		return false;
+	}
 }

lib/X509/AttributeCertificate/AttributeCertificateInfo.php

Indentation +446 added lines, -446 removed lines

@@ -22,450 +22,450 @@
  */
 class AttributeCertificateInfo
 {
-    const VERSION_2 = 1;
-
-    /**
-     * AC version.
-     *
-     * @var int
-     */
-    protected $_version;
-
-    /**
-     * AC holder.
-     *
-     * @var Holder
-     */
-    protected $_holder;
-
-    /**
-     * AC issuer.
-     *
-     * @var AttCertIssuer
-     */
-    protected $_issuer;
-
-    /**
-     * Signature algorithm identifier.
-     *
-     * @var SignatureAlgorithmIdentifier
-     */
-    protected $_signature;
-
-    /**
-     * AC serial number as a base 10 integer.
-     *
-     * @var string
-     */
-    protected $_serialNumber;
-
-    /**
-     * Validity period.
-     *
-     * @var AttCertValidityPeriod
-     */
-    protected $_attrCertValidityPeriod;
-
-    /**
-     * Attributes.
-     *
-     * @var Attributes
-     */
-    protected $_attributes;
-
-    /**
-     * Issuer unique identifier.
-     *
-     * @var null|UniqueIdentifier
-     */
-    protected $_issuerUniqueID;
-
-    /**
-     * Extensions.
-     *
-     * @var Extensions
-     */
-    protected $_extensions;
-
-    /**
-     * Constructor.
-     *
-     * @param Holder                $holder   AC holder
-     * @param AttCertIssuer         $issuer   AC issuer
-     * @param AttCertValidityPeriod $validity Validity
-     * @param Attributes            $attribs  Attributes
-     */
-    public function __construct(Holder $holder, AttCertIssuer $issuer,
-        AttCertValidityPeriod $validity, Attributes $attribs)
-    {
-        $this->_version = self::VERSION_2;
-        $this->_holder = $holder;
-        $this->_issuer = $issuer;
-        $this->_attrCertValidityPeriod = $validity;
-        $this->_attributes = $attribs;
-        $this->_extensions = new Extensions();
-    }
-
-    /**
-     * Initialize from ASN.1.
-     *
-     * @param Sequence $seq
-     *
-     * @throws \UnexpectedValueException
-     *
-     * @return self
-     */
-    public static function fromASN1(Sequence $seq): self
-    {
-        $idx = 0;
-        $version = $seq->at($idx++)->asInteger()->intNumber();
-        if (self::VERSION_2 !== $version) {
-            throw new \UnexpectedValueException('Version must be 2.');
-        }
-        $holder = Holder::fromASN1($seq->at($idx++)->asSequence());
-        $issuer = AttCertIssuer::fromASN1($seq->at($idx++));
-        $signature = AlgorithmIdentifier::fromASN1($seq->at($idx++)->asSequence());
-        if (!$signature instanceof SignatureAlgorithmIdentifier) {
-            throw new \UnexpectedValueException(
-                'Unsupported signature algorithm ' . $signature->oid() . '.');
-        }
-        $serial = $seq->at($idx++)->asInteger()->number();
-        $validity = AttCertValidityPeriod::fromASN1($seq->at($idx++)->asSequence());
-        $attribs = Attributes::fromASN1($seq->at($idx++)->asSequence());
-        $obj = new self($holder, $issuer, $validity, $attribs);
-        $obj->_signature = $signature;
-        $obj->_serialNumber = $serial;
-        if ($seq->has($idx, Element::TYPE_BIT_STRING)) {
-            $obj->_issuerUniqueID = UniqueIdentifier::fromASN1(
-                $seq->at($idx++)->asBitString());
-        }
-        if ($seq->has($idx, Element::TYPE_SEQUENCE)) {
-            $obj->_extensions = Extensions::fromASN1(
-                $seq->at($idx++)->asSequence());
-        }
-        return $obj;
-    }
-
-    /**
-     * Get self with holder.
-     *
-     * @param Holder $holder
-     *
-     * @return self
-     */
-    public function withHolder(Holder $holder): self
-    {
-        $obj = clone $this;
-        $obj->_holder = $holder;
-        return $obj;
-    }
-
-    /**
-     * Get self with issuer.
-     *
-     * @param AttCertIssuer $issuer
-     *
-     * @return self
-     */
-    public function withIssuer(AttCertIssuer $issuer): self
-    {
-        $obj = clone $this;
-        $obj->_issuer = $issuer;
-        return $obj;
-    }
-
-    /**
-     * Get self with signature algorithm identifier.
-     *
-     * @param SignatureAlgorithmIdentifier $algo
-     *
-     * @return self
-     */
-    public function withSignature(SignatureAlgorithmIdentifier $algo): self
-    {
-        $obj = clone $this;
-        $obj->_signature = $algo;
-        return $obj;
-    }
-
-    /**
-     * Get self with serial number.
-     *
-     * @param int|string $serial Base 10 serial number
-     *
-     * @return self
-     */
-    public function withSerialNumber($serial): self
-    {
-        $obj = clone $this;
-        $obj->_serialNumber = strval($serial);
-        return $obj;
-    }
-
-    /**
-     * Get self with random positive serial number.
-     *
-     * @param int $size Number of random bytes
-     *
-     * @return self
-     */
-    public function withRandomSerialNumber(int $size = 16): self
-    {
-        // ensure that first byte is always non-zero and having first bit unset
-        $num = gmp_init(mt_rand(1, 0x7f), 10);
-        for ($i = 1; $i < $size; ++$i) {
-            $num <<= 8;
-            $num += mt_rand(0, 0xff);
-        }
-        return $this->withSerialNumber(gmp_strval($num, 10));
-    }
-
-    /**
-     * Get self with validity period.
-     *
-     * @param AttCertValidityPeriod $validity
-     *
-     * @return self
-     */
-    public function withValidity(AttCertValidityPeriod $validity): self
-    {
-        $obj = clone $this;
-        $obj->_attrCertValidityPeriod = $validity;
-        return $obj;
-    }
-
-    /**
-     * Get self with attributes.
-     *
-     * @param Attributes $attribs
-     *
-     * @return self
-     */
-    public function withAttributes(Attributes $attribs): self
-    {
-        $obj = clone $this;
-        $obj->_attributes = $attribs;
-        return $obj;
-    }
-
-    /**
-     * Get self with issuer unique identifier.
-     *
-     * @param UniqueIdentifier $uid
-     *
-     * @return self
-     */
-    public function withIssuerUniqueID(UniqueIdentifier $uid): self
-    {
-        $obj = clone $this;
-        $obj->_issuerUniqueID = $uid;
-        return $obj;
-    }
-
-    /**
-     * Get self with extensions.
-     *
-     * @param Extensions $extensions
-     *
-     * @return self
-     */
-    public function withExtensions(Extensions $extensions): self
-    {
-        $obj = clone $this;
-        $obj->_extensions = $extensions;
-        return $obj;
-    }
-
-    /**
-     * Get self with extensions added.
-     *
-     * @param Extension ...$exts One or more Extension objects
-     *
-     * @return self
-     */
-    public function withAdditionalExtensions(Extension ...$exts): self
-    {
-        $obj = clone $this;
-        $obj->_extensions = $obj->_extensions->withExtensions(...$exts);
-        return $obj;
-    }
-
-    /**
-     * Get version.
-     *
-     * @return int
-     */
-    public function version(): int
-    {
-        return $this->_version;
-    }
-
-    /**
-     * Get AC holder.
-     *
-     * @return Holder
-     */
-    public function holder(): Holder
-    {
-        return $this->_holder;
-    }
-
-    /**
-     * Get AC issuer.
-     *
-     * @return AttCertIssuer
-     */
-    public function issuer(): AttCertIssuer
-    {
-        return $this->_issuer;
-    }
-
-    /**
-     * Check whether signature is set.
-     *
-     * @return bool
-     */
-    public function hasSignature(): bool
-    {
-        return isset($this->_signature);
-    }
-
-    /**
-     * Get signature algorithm identifier.
-     *
-     * @throws \LogicException If not set
-     *
-     * @return SignatureAlgorithmIdentifier
-     */
-    public function signature(): SignatureAlgorithmIdentifier
-    {
-        if (!$this->hasSignature()) {
-            throw new \LogicException('signature not set.');
-        }
-        return $this->_signature;
-    }
-
-    /**
-     * Check whether serial number is present.
-     *
-     * @return bool
-     */
-    public function hasSerialNumber(): bool
-    {
-        return isset($this->_serialNumber);
-    }
-
-    /**
-     * Get AC serial number as a base 10 integer.
-     *
-     * @throws \LogicException If not set
-     *
-     * @return string
-     */
-    public function serialNumber(): string
-    {
-        if (!$this->hasSerialNumber()) {
-            throw new \LogicException('serialNumber not set.');
-        }
-        return $this->_serialNumber;
-    }
-
-    /**
-     * Get validity period.
-     *
-     * @return AttCertValidityPeriod
-     */
-    public function validityPeriod(): AttCertValidityPeriod
-    {
-        return $this->_attrCertValidityPeriod;
-    }
-
-    /**
-     * Get attributes.
-     *
-     * @return Attributes
-     */
-    public function attributes(): Attributes
-    {
-        return $this->_attributes;
-    }
-
-    /**
-     * Check whether issuer unique identifier is present.
-     *
-     * @return bool
-     */
-    public function hasIssuerUniqueID(): bool
-    {
-        return isset($this->_issuerUniqueID);
-    }
-
-    /**
-     * Get issuer unique identifier.
-     *
-     * @throws \LogicException If not set
-     *
-     * @return UniqueIdentifier
-     */
-    public function issuerUniqueID(): UniqueIdentifier
-    {
-        if (!$this->hasIssuerUniqueID()) {
-            throw new \LogicException('issuerUniqueID not set.');
-        }
-        return $this->_issuerUniqueID;
-    }
-
-    /**
-     * Get extensions.
-     *
-     * @return Extensions
-     */
-    public function extensions(): Extensions
-    {
-        return $this->_extensions;
-    }
-
-    /**
-     * Get ASN.1 structure.
-     *
-     * @return Sequence
-     */
-    public function toASN1(): Sequence
-    {
-        $elements = [new Integer($this->_version), $this->_holder->toASN1(),
-            $this->_issuer->toASN1(), $this->signature()->toASN1(),
-            new Integer($this->serialNumber()),
-            $this->_attrCertValidityPeriod->toASN1(),
-            $this->_attributes->toASN1(), ];
-        if (isset($this->_issuerUniqueID)) {
-            $elements[] = $this->_issuerUniqueID->toASN1();
-        }
-        if (count($this->_extensions)) {
-            $elements[] = $this->_extensions->toASN1();
-        }
-        return new Sequence(...$elements);
-    }
-
-    /**
-     * Create signed attribute certificate.
-     *
-     * @param SignatureAlgorithmIdentifier $algo         Signature algorithm
-     * @param PrivateKeyInfo               $privkey_info Private key
-     * @param null|Crypto                  $crypto       Crypto engine, use default if not set
-     *
-     * @return AttributeCertificate
-     */
-    public function sign(SignatureAlgorithmIdentifier $algo,
-        PrivateKeyInfo $privkey_info, ?Crypto $crypto = null): AttributeCertificate
-    {
-        $crypto = $crypto ?? Crypto::getDefault();
-        $aci = clone $this;
-        if (!isset($aci->_serialNumber)) {
-            $aci->_serialNumber = '0';
-        }
-        $aci->_signature = $algo;
-        $data = $aci->toASN1()->toDER();
-        $signature = $crypto->sign($data, $privkey_info, $algo);
-        return new AttributeCertificate($aci, $algo, $signature);
-    }
+	const VERSION_2 = 1;
+
+	/**
+	 * AC version.
+	 *
+	 * @var int
+	 */
+	protected $_version;
+
+	/**
+	 * AC holder.
+	 *
+	 * @var Holder
+	 */
+	protected $_holder;
+
+	/**
+	 * AC issuer.
+	 *
+	 * @var AttCertIssuer
+	 */
+	protected $_issuer;
+
+	/**
+	 * Signature algorithm identifier.
+	 *
+	 * @var SignatureAlgorithmIdentifier
+	 */
+	protected $_signature;
+
+	/**
+	 * AC serial number as a base 10 integer.
+	 *
+	 * @var string
+	 */
+	protected $_serialNumber;
+
+	/**
+	 * Validity period.
+	 *
+	 * @var AttCertValidityPeriod
+	 */
+	protected $_attrCertValidityPeriod;
+
+	/**
+	 * Attributes.
+	 *
+	 * @var Attributes
+	 */
+	protected $_attributes;
+
+	/**
+	 * Issuer unique identifier.
+	 *
+	 * @var null|UniqueIdentifier
+	 */
+	protected $_issuerUniqueID;
+
+	/**
+	 * Extensions.
+	 *
+	 * @var Extensions
+	 */
+	protected $_extensions;
+
+	/**
+	 * Constructor.
+	 *
+	 * @param Holder                $holder   AC holder
+	 * @param AttCertIssuer         $issuer   AC issuer
+	 * @param AttCertValidityPeriod $validity Validity
+	 * @param Attributes            $attribs  Attributes
+	 */
+	public function __construct(Holder $holder, AttCertIssuer $issuer,
+		AttCertValidityPeriod $validity, Attributes $attribs)
+	{
+		$this->_version = self::VERSION_2;
+		$this->_holder = $holder;
+		$this->_issuer = $issuer;
+		$this->_attrCertValidityPeriod = $validity;
+		$this->_attributes = $attribs;
+		$this->_extensions = new Extensions();
+	}
+
+	/**
+	 * Initialize from ASN.1.
+	 *
+	 * @param Sequence $seq
+	 *
+	 * @throws \UnexpectedValueException
+	 *
+	 * @return self
+	 */
+	public static function fromASN1(Sequence $seq): self
+	{
+		$idx = 0;
+		$version = $seq->at($idx++)->asInteger()->intNumber();
+		if (self::VERSION_2 !== $version) {
+			throw new \UnexpectedValueException('Version must be 2.');
+		}
+		$holder = Holder::fromASN1($seq->at($idx++)->asSequence());
+		$issuer = AttCertIssuer::fromASN1($seq->at($idx++));
+		$signature = AlgorithmIdentifier::fromASN1($seq->at($idx++)->asSequence());
+		if (!$signature instanceof SignatureAlgorithmIdentifier) {
+			throw new \UnexpectedValueException(
+				'Unsupported signature algorithm ' . $signature->oid() . '.');
+		}
+		$serial = $seq->at($idx++)->asInteger()->number();
+		$validity = AttCertValidityPeriod::fromASN1($seq->at($idx++)->asSequence());
+		$attribs = Attributes::fromASN1($seq->at($idx++)->asSequence());
+		$obj = new self($holder, $issuer, $validity, $attribs);
+		$obj->_signature = $signature;
+		$obj->_serialNumber = $serial;
+		if ($seq->has($idx, Element::TYPE_BIT_STRING)) {
+			$obj->_issuerUniqueID = UniqueIdentifier::fromASN1(
+				$seq->at($idx++)->asBitString());
+		}
+		if ($seq->has($idx, Element::TYPE_SEQUENCE)) {
+			$obj->_extensions = Extensions::fromASN1(
+				$seq->at($idx++)->asSequence());
+		}
+		return $obj;
+	}
+
+	/**
+	 * Get self with holder.
+	 *
+	 * @param Holder $holder
+	 *
+	 * @return self
+	 */
+	public function withHolder(Holder $holder): self
+	{
+		$obj = clone $this;
+		$obj->_holder = $holder;
+		return $obj;
+	}
+
+	/**
+	 * Get self with issuer.
+	 *
+	 * @param AttCertIssuer $issuer
+	 *
+	 * @return self
+	 */
+	public function withIssuer(AttCertIssuer $issuer): self
+	{
+		$obj = clone $this;
+		$obj->_issuer = $issuer;
+		return $obj;
+	}
+
+	/**
+	 * Get self with signature algorithm identifier.
+	 *
+	 * @param SignatureAlgorithmIdentifier $algo
+	 *
+	 * @return self
+	 */
+	public function withSignature(SignatureAlgorithmIdentifier $algo): self
+	{
+		$obj = clone $this;
+		$obj->_signature = $algo;
+		return $obj;
+	}
+
+	/**
+	 * Get self with serial number.
+	 *
+	 * @param int|string $serial Base 10 serial number
+	 *
+	 * @return self
+	 */
+	public function withSerialNumber($serial): self
+	{
+		$obj = clone $this;
+		$obj->_serialNumber = strval($serial);
+		return $obj;
+	}
+
+	/**
+	 * Get self with random positive serial number.
+	 *
+	 * @param int $size Number of random bytes
+	 *
+	 * @return self
+	 */
+	public function withRandomSerialNumber(int $size = 16): self
+	{
+		// ensure that first byte is always non-zero and having first bit unset
+		$num = gmp_init(mt_rand(1, 0x7f), 10);
+		for ($i = 1; $i < $size; ++$i) {
+			$num <<= 8;
+			$num += mt_rand(0, 0xff);
+		}
+		return $this->withSerialNumber(gmp_strval($num, 10));
+	}
+
+	/**
+	 * Get self with validity period.
+	 *
+	 * @param AttCertValidityPeriod $validity
+	 *
+	 * @return self
+	 */
+	public function withValidity(AttCertValidityPeriod $validity): self
+	{
+		$obj = clone $this;
+		$obj->_attrCertValidityPeriod = $validity;
+		return $obj;
+	}
+
+	/**
+	 * Get self with attributes.
+	 *
+	 * @param Attributes $attribs
+	 *
+	 * @return self
+	 */
+	public function withAttributes(Attributes $attribs): self
+	{
+		$obj = clone $this;
+		$obj->_attributes = $attribs;
+		return $obj;
+	}
+
+	/**
+	 * Get self with issuer unique identifier.
+	 *
+	 * @param UniqueIdentifier $uid
+	 *
+	 * @return self
+	 */
+	public function withIssuerUniqueID(UniqueIdentifier $uid): self
+	{
+		$obj = clone $this;
+		$obj->_issuerUniqueID = $uid;
+		return $obj;
+	}
+
+	/**
+	 * Get self with extensions.
+	 *
+	 * @param Extensions $extensions
+	 *
+	 * @return self
+	 */
+	public function withExtensions(Extensions $extensions): self
+	{
+		$obj = clone $this;
+		$obj->_extensions = $extensions;
+		return $obj;
+	}
+
+	/**
+	 * Get self with extensions added.
+	 *
+	 * @param Extension ...$exts One or more Extension objects
+	 *
+	 * @return self
+	 */
+	public function withAdditionalExtensions(Extension ...$exts): self
+	{
+		$obj = clone $this;
+		$obj->_extensions = $obj->_extensions->withExtensions(...$exts);
+		return $obj;
+	}
+
+	/**
+	 * Get version.
+	 *
+	 * @return int
+	 */
+	public function version(): int
+	{
+		return $this->_version;
+	}
+
+	/**
+	 * Get AC holder.
+	 *
+	 * @return Holder
+	 */
+	public function holder(): Holder
+	{
+		return $this->_holder;
+	}
+
+	/**
+	 * Get AC issuer.
+	 *
+	 * @return AttCertIssuer
+	 */
+	public function issuer(): AttCertIssuer
+	{
+		return $this->_issuer;
+	}
+
+	/**
+	 * Check whether signature is set.
+	 *
+	 * @return bool
+	 */
+	public function hasSignature(): bool
+	{
+		return isset($this->_signature);
+	}
+
+	/**
+	 * Get signature algorithm identifier.
+	 *
+	 * @throws \LogicException If not set
+	 *
+	 * @return SignatureAlgorithmIdentifier
+	 */
+	public function signature(): SignatureAlgorithmIdentifier
+	{
+		if (!$this->hasSignature()) {
+			throw new \LogicException('signature not set.');
+		}
+		return $this->_signature;
+	}
+
+	/**
+	 * Check whether serial number is present.
+	 *
+	 * @return bool
+	 */
+	public function hasSerialNumber(): bool
+	{
+		return isset($this->_serialNumber);
+	}
+
+	/**
+	 * Get AC serial number as a base 10 integer.
+	 *
+	 * @throws \LogicException If not set
+	 *
+	 * @return string
+	 */
+	public function serialNumber(): string
+	{
+		if (!$this->hasSerialNumber()) {
+			throw new \LogicException('serialNumber not set.');
+		}
+		return $this->_serialNumber;
+	}
+
+	/**
+	 * Get validity period.
+	 *
+	 * @return AttCertValidityPeriod
+	 */
+	public function validityPeriod(): AttCertValidityPeriod
+	{
+		return $this->_attrCertValidityPeriod;
+	}
+
+	/**
+	 * Get attributes.
+	 *
+	 * @return Attributes
+	 */
+	public function attributes(): Attributes
+	{
+		return $this->_attributes;
+	}
+
+	/**
+	 * Check whether issuer unique identifier is present.
+	 *
+	 * @return bool
+	 */
+	public function hasIssuerUniqueID(): bool
+	{
+		return isset($this->_issuerUniqueID);
+	}
+
+	/**
+	 * Get issuer unique identifier.
+	 *
+	 * @throws \LogicException If not set
+	 *
+	 * @return UniqueIdentifier
+	 */
+	public function issuerUniqueID(): UniqueIdentifier
+	{
+		if (!$this->hasIssuerUniqueID()) {
+			throw new \LogicException('issuerUniqueID not set.');
+		}
+		return $this->_issuerUniqueID;
+	}
+
+	/**
+	 * Get extensions.
+	 *
+	 * @return Extensions
+	 */
+	public function extensions(): Extensions
+	{
+		return $this->_extensions;
+	}
+
+	/**
+	 * Get ASN.1 structure.
+	 *
+	 * @return Sequence
+	 */
+	public function toASN1(): Sequence
+	{
+		$elements = [new Integer($this->_version), $this->_holder->toASN1(),
+			$this->_issuer->toASN1(), $this->signature()->toASN1(),
+			new Integer($this->serialNumber()),
+			$this->_attrCertValidityPeriod->toASN1(),
+			$this->_attributes->toASN1(), ];
+		if (isset($this->_issuerUniqueID)) {
+			$elements[] = $this->_issuerUniqueID->toASN1();
+		}
+		if (count($this->_extensions)) {
+			$elements[] = $this->_extensions->toASN1();
+		}
+		return new Sequence(...$elements);
+	}
+
+	/**
+	 * Create signed attribute certificate.
+	 *
+	 * @param SignatureAlgorithmIdentifier $algo         Signature algorithm
+	 * @param PrivateKeyInfo               $privkey_info Private key
+	 * @param null|Crypto                  $crypto       Crypto engine, use default if not set
+	 *
+	 * @return AttributeCertificate
+	 */
+	public function sign(SignatureAlgorithmIdentifier $algo,
+		PrivateKeyInfo $privkey_info, ?Crypto $crypto = null): AttributeCertificate
+	{
+		$crypto = $crypto ?? Crypto::getDefault();
+		$aci = clone $this;
+		if (!isset($aci->_serialNumber)) {
+			$aci->_serialNumber = '0';
+		}
+		$aci->_signature = $algo;
+		$data = $aci->toASN1()->toDER();
+		$signature = $crypto->sign($data, $privkey_info, $algo);
+		return new AttributeCertificate($aci, $algo, $signature);
+	}
 }

lib/X509/AttributeCertificate/AttributeCertificate.php

Indentation +204 added lines, -204 removed lines

@@ -21,208 +21,208 @@
  */
 class AttributeCertificate
 {
-    /**
-     * Attribute certificate info.
-     *
-     * @var AttributeCertificateInfo
-     */
-    protected $_acinfo;
-
-    /**
-     * Signature algorithm identifier.
-     *
-     * @var SignatureAlgorithmIdentifier
-     */
-    protected $_signatureAlgorithm;
-
-    /**
-     * Signature value.
-     *
-     * @var Signature
-     */
-    protected $_signatureValue;
-
-    /**
-     * Constructor.
-     *
-     * @param AttributeCertificateInfo     $acinfo
-     * @param SignatureAlgorithmIdentifier $algo
-     * @param Signature                    $signature
-     */
-    public function __construct(AttributeCertificateInfo $acinfo,
-        SignatureAlgorithmIdentifier $algo, Signature $signature)
-    {
-        $this->_acinfo = $acinfo;
-        $this->_signatureAlgorithm = $algo;
-        $this->_signatureValue = $signature;
-    }
-
-    /**
-     * Get attribute certificate as a PEM formatted string.
-     *
-     * @return string
-     */
-    public function __toString(): string
-    {
-        return $this->toPEM()->string();
-    }
-
-    /**
-     * Initialize from ASN.1.
-     *
-     * @param Sequence $seq
-     *
-     * @return self
-     */
-    public static function fromASN1(Sequence $seq): self
-    {
-        $acinfo = AttributeCertificateInfo::fromASN1($seq->at(0)->asSequence());
-        $algo = AlgorithmIdentifier::fromASN1($seq->at(1)->asSequence());
-        if (!$algo instanceof SignatureAlgorithmIdentifier) {
-            throw new \UnexpectedValueException(
-                'Unsupported signature algorithm ' . $algo->oid() . '.');
-        }
-        $signature = Signature::fromSignatureData(
-            $seq->at(2)->asBitString()->string(), $algo);
-        return new self($acinfo, $algo, $signature);
-    }
-
-    /**
-     * Initialize from DER data.
-     *
-     * @param string $data
-     *
-     * @return self
-     */
-    public static function fromDER(string $data): self
-    {
-        return self::fromASN1(UnspecifiedType::fromDER($data)->asSequence());
-    }
-
-    /**
-     * Initialize from PEM.
-     *
-     * @param PEM $pem
-     *
-     * @throws \UnexpectedValueException
-     *
-     * @return self
-     */
-    public static function fromPEM(PEM $pem): self
-    {
-        if (PEM::TYPE_ATTRIBUTE_CERTIFICATE !== $pem->type()) {
-            throw new \UnexpectedValueException('Invalid PEM type.');
-        }
-        return self::fromDER($pem->data());
-    }
-
-    /**
-     * Get attribute certificate info.
-     *
-     * @return AttributeCertificateInfo
-     */
-    public function acinfo(): AttributeCertificateInfo
-    {
-        return $this->_acinfo;
-    }
-
-    /**
-     * Get signature algorithm identifier.
-     *
-     * @return SignatureAlgorithmIdentifier
-     */
-    public function signatureAlgorithm(): SignatureAlgorithmIdentifier
-    {
-        return $this->_signatureAlgorithm;
-    }
-
-    /**
-     * Get signature value.
-     *
-     * @return Signature
-     */
-    public function signatureValue(): Signature
-    {
-        return $this->_signatureValue;
-    }
-
-    /**
-     * Get ASN.1 structure.
-     *
-     * @return Sequence
-     */
-    public function toASN1(): Sequence
-    {
-        return new Sequence($this->_acinfo->toASN1(),
-            $this->_signatureAlgorithm->toASN1(),
-            $this->_signatureValue->bitString());
-    }
-
-    /**
-     * Get attribute certificate as a DER.
-     *
-     * @return string
-     */
-    public function toDER(): string
-    {
-        return $this->toASN1()->toDER();
-    }
-
-    /**
-     * Get attribute certificate as a PEM.
-     *
-     * @return PEM
-     */
-    public function toPEM(): PEM
-    {
-        return new PEM(PEM::TYPE_ATTRIBUTE_CERTIFICATE, $this->toDER());
-    }
-
-    /**
-     * Check whether attribute certificate is issued to the subject identified
-     * by given public key certificate.
-     *
-     * @param Certificate $cert Certificate
-     *
-     * @return bool
-     */
-    public function isHeldBy(Certificate $cert): bool
-    {
-        if (!$this->_acinfo->holder()->identifiesPKC($cert)) {
-            return false;
-        }
-        return true;
-    }
-
-    /**
-     * Check whether attribute certificate is issued by given public key
-     * certificate.
-     *
-     * @param Certificate $cert Certificate
-     *
-     * @return bool
-     */
-    public function isIssuedBy(Certificate $cert): bool
-    {
-        if (!$this->_acinfo->issuer()->identifiesPKC($cert)) {
-            return false;
-        }
-        return true;
-    }
-
-    /**
-     * Verify signature.
-     *
-     * @param PublicKeyInfo $pubkey_info Signer's public key
-     * @param null|Crypto   $crypto      Crypto engine, use default if not set
-     *
-     * @return bool
-     */
-    public function verify(PublicKeyInfo $pubkey_info, ?Crypto $crypto = null): bool
-    {
-        $crypto = $crypto ?? Crypto::getDefault();
-        $data = $this->_acinfo->toASN1()->toDER();
-        return $crypto->verify($data, $this->_signatureValue, $pubkey_info,
-            $this->_signatureAlgorithm);
-    }
+	/**
+	 * Attribute certificate info.
+	 *
+	 * @var AttributeCertificateInfo
+	 */
+	protected $_acinfo;
+
+	/**
+	 * Signature algorithm identifier.
+	 *
+	 * @var SignatureAlgorithmIdentifier
+	 */
+	protected $_signatureAlgorithm;
+
+	/**
+	 * Signature value.
+	 *
+	 * @var Signature
+	 */
+	protected $_signatureValue;
+
+	/**
+	 * Constructor.
+	 *
+	 * @param AttributeCertificateInfo     $acinfo
+	 * @param SignatureAlgorithmIdentifier $algo
+	 * @param Signature                    $signature
+	 */
+	public function __construct(AttributeCertificateInfo $acinfo,
+		SignatureAlgorithmIdentifier $algo, Signature $signature)
+	{
+		$this->_acinfo = $acinfo;
+		$this->_signatureAlgorithm = $algo;
+		$this->_signatureValue = $signature;
+	}
+
+	/**
+	 * Get attribute certificate as a PEM formatted string.
+	 *
+	 * @return string
+	 */
+	public function __toString(): string
+	{
+		return $this->toPEM()->string();
+	}
+
+	/**
+	 * Initialize from ASN.1.
+	 *
+	 * @param Sequence $seq
+	 *
+	 * @return self
+	 */
+	public static function fromASN1(Sequence $seq): self
+	{
+		$acinfo = AttributeCertificateInfo::fromASN1($seq->at(0)->asSequence());
+		$algo = AlgorithmIdentifier::fromASN1($seq->at(1)->asSequence());
+		if (!$algo instanceof SignatureAlgorithmIdentifier) {
+			throw new \UnexpectedValueException(
+				'Unsupported signature algorithm ' . $algo->oid() . '.');
+		}
+		$signature = Signature::fromSignatureData(
+			$seq->at(2)->asBitString()->string(), $algo);
+		return new self($acinfo, $algo, $signature);
+	}
+
+	/**
+	 * Initialize from DER data.
+	 *
+	 * @param string $data
+	 *
+	 * @return self
+	 */
+	public static function fromDER(string $data): self
+	{
+		return self::fromASN1(UnspecifiedType::fromDER($data)->asSequence());
+	}
+
+	/**
+	 * Initialize from PEM.
+	 *
+	 * @param PEM $pem
+	 *
+	 * @throws \UnexpectedValueException
+	 *
+	 * @return self
+	 */
+	public static function fromPEM(PEM $pem): self
+	{
+		if (PEM::TYPE_ATTRIBUTE_CERTIFICATE !== $pem->type()) {
+			throw new \UnexpectedValueException('Invalid PEM type.');
+		}
+		return self::fromDER($pem->data());
+	}
+
+	/**
+	 * Get attribute certificate info.
+	 *
+	 * @return AttributeCertificateInfo
+	 */
+	public function acinfo(): AttributeCertificateInfo
+	{
+		return $this->_acinfo;
+	}
+
+	/**
+	 * Get signature algorithm identifier.
+	 *
+	 * @return SignatureAlgorithmIdentifier
+	 */
+	public function signatureAlgorithm(): SignatureAlgorithmIdentifier
+	{
+		return $this->_signatureAlgorithm;
+	}
+
+	/**
+	 * Get signature value.
+	 *
+	 * @return Signature
+	 */
+	public function signatureValue(): Signature
+	{
+		return $this->_signatureValue;
+	}
+
+	/**
+	 * Get ASN.1 structure.
+	 *
+	 * @return Sequence
+	 */
+	public function toASN1(): Sequence
+	{
+		return new Sequence($this->_acinfo->toASN1(),
+			$this->_signatureAlgorithm->toASN1(),
+			$this->_signatureValue->bitString());
+	}
+
+	/**
+	 * Get attribute certificate as a DER.
+	 *
+	 * @return string
+	 */
+	public function toDER(): string
+	{
+		return $this->toASN1()->toDER();
+	}
+
+	/**
+	 * Get attribute certificate as a PEM.
+	 *
+	 * @return PEM
+	 */
+	public function toPEM(): PEM
+	{
+		return new PEM(PEM::TYPE_ATTRIBUTE_CERTIFICATE, $this->toDER());
+	}
+
+	/**
+	 * Check whether attribute certificate is issued to the subject identified
+	 * by given public key certificate.
+	 *
+	 * @param Certificate $cert Certificate
+	 *
+	 * @return bool
+	 */
+	public function isHeldBy(Certificate $cert): bool
+	{
+		if (!$this->_acinfo->holder()->identifiesPKC($cert)) {
+			return false;
+		}
+		return true;
+	}
+
+	/**
+	 * Check whether attribute certificate is issued by given public key
+	 * certificate.
+	 *
+	 * @param Certificate $cert Certificate
+	 *
+	 * @return bool
+	 */
+	public function isIssuedBy(Certificate $cert): bool
+	{
+		if (!$this->_acinfo->issuer()->identifiesPKC($cert)) {
+			return false;
+		}
+		return true;
+	}
+
+	/**
+	 * Verify signature.
+	 *
+	 * @param PublicKeyInfo $pubkey_info Signer's public key
+	 * @param null|Crypto   $crypto      Crypto engine, use default if not set
+	 *
+	 * @return bool
+	 */
+	public function verify(PublicKeyInfo $pubkey_info, ?Crypto $crypto = null): bool
+	{
+		$crypto = $crypto ?? Crypto::getDefault();
+		$data = $this->_acinfo->toASN1()->toDER();
+		return $crypto->verify($data, $this->_signatureValue, $pubkey_info,
+			$this->_signatureAlgorithm);
+	}
 }

lib/X509/AttributeCertificate/IssuerSerial.php

Indentation +169 added lines, -169 removed lines

@@ -19,173 +19,173 @@
  */
 class IssuerSerial
 {
-    /**
-     * Issuer name.
-     *
-     * @var GeneralNames
-     */
-    protected $_issuer;
-
-    /**
-     * Serial number as a base 10 integer.
-     *
-     * @var string
-     */
-    protected $_serial;
-
-    /**
-     * Issuer unique ID.
-     *
-     * @var null|UniqueIdentifier
-     */
-    protected $_issuerUID;
-
-    /**
-     * Constructor.
-     *
-     * @param GeneralNames          $issuer
-     * @param int|string            $serial
-     * @param null|UniqueIdentifier $uid
-     */
-    public function __construct(GeneralNames $issuer, $serial,
-        ?UniqueIdentifier $uid = null)
-    {
-        $this->_issuer = $issuer;
-        $this->_serial = strval($serial);
-        $this->_issuerUID = $uid;
-    }
-
-    /**
-     * Initialize from ASN.1.
-     *
-     * @param Sequence $seq
-     *
-     * @return self
-     */
-    public static function fromASN1(Sequence $seq): IssuerSerial
-    {
-        $issuer = GeneralNames::fromASN1($seq->at(0)->asSequence());
-        $serial = $seq->at(1)->asInteger()->number();
-        $uid = null;
-        if ($seq->has(2, Element::TYPE_BIT_STRING)) {
-            $uid = UniqueIdentifier::fromASN1($seq->at(2)->asBitString());
-        }
-        return new self($issuer, $serial, $uid);
-    }
-
-    /**
-     * Initialize from a public key certificate.
-     *
-     * @param Certificate $cert
-     *
-     * @return self
-     */
-    public static function fromPKC(Certificate $cert): IssuerSerial
-    {
-        $tbsCert = $cert->tbsCertificate();
-        $issuer = new GeneralNames(new DirectoryName($tbsCert->issuer()));
-        $serial = $tbsCert->serialNumber();
-        $uid = $tbsCert->hasIssuerUniqueID() ? $tbsCert->issuerUniqueID() : null;
-        return new self($issuer, $serial, $uid);
-    }
-
-    /**
-     * Get issuer name.
-     *
-     * @return GeneralNames
-     */
-    public function issuer(): GeneralNames
-    {
-        return $this->_issuer;
-    }
-
-    /**
-     * Get serial number.
-     *
-     * @return string
-     */
-    public function serial(): string
-    {
-        return $this->_serial;
-    }
-
-    /**
-     * Check whether issuer unique identifier is present.
-     *
-     * @return bool
-     */
-    public function hasIssuerUID(): bool
-    {
-        return isset($this->_issuerUID);
-    }
-
-    /**
-     * Get issuer unique identifier.
-     *
-     * @throws \LogicException If not set
-     *
-     * @return UniqueIdentifier
-     */
-    public function issuerUID(): UniqueIdentifier
-    {
-        if (!$this->hasIssuerUID()) {
-            throw new \LogicException('issuerUID not set.');
-        }
-        return $this->_issuerUID;
-    }
-
-    /**
-     * Generate ASN.1 structure.
-     *
-     * @return Sequence
-     */
-    public function toASN1(): Sequence
-    {
-        $elements = [$this->_issuer->toASN1(), new Integer($this->_serial)];
-        if (isset($this->_issuerUID)) {
-            $elements[] = $this->_issuerUID->toASN1();
-        }
-        return new Sequence(...$elements);
-    }
-
-    /**
-     * Check whether this IssuerSerial identifies given certificate.
-     *
-     * @param Certificate $cert
-     *
-     * @return bool
-     */
-    public function identifiesPKC(Certificate $cert): bool
-    {
-        $tbs = $cert->tbsCertificate();
-        if (!$tbs->issuer()->equals($this->_issuer->firstDN())) {
-            return false;
-        }
-        if ($tbs->serialNumber() !== $this->_serial) {
-            return false;
-        }
-        if ($this->_issuerUID && !$this->_checkUniqueID($cert)) {
-            return false;
-        }
-        return true;
-    }
-
-    /**
-     * Check whether issuerUID matches given certificate.
-     *
-     * @param Certificate $cert
-     *
-     * @return bool
-     */
-    private function _checkUniqueID(Certificate $cert): bool
-    {
-        if (!$cert->tbsCertificate()->hasIssuerUniqueID()) {
-            return false;
-        }
-        $uid = $cert->tbsCertificate()->issuerUniqueID()->string();
-        if ($this->_issuerUID->string() != $uid) {
-            return false;
-        }
-        return true;
-    }
+	/**
+	 * Issuer name.
+	 *
+	 * @var GeneralNames
+	 */
+	protected $_issuer;
+
+	/**
+	 * Serial number as a base 10 integer.
+	 *
+	 * @var string
+	 */
+	protected $_serial;
+
+	/**
+	 * Issuer unique ID.
+	 *
+	 * @var null|UniqueIdentifier
+	 */
+	protected $_issuerUID;
+
+	/**
+	 * Constructor.
+	 *
+	 * @param GeneralNames          $issuer
+	 * @param int|string            $serial
+	 * @param null|UniqueIdentifier $uid
+	 */
+	public function __construct(GeneralNames $issuer, $serial,
+		?UniqueIdentifier $uid = null)
+	{
+		$this->_issuer = $issuer;
+		$this->_serial = strval($serial);
+		$this->_issuerUID = $uid;
+	}
+
+	/**
+	 * Initialize from ASN.1.
+	 *
+	 * @param Sequence $seq
+	 *
+	 * @return self
+	 */
+	public static function fromASN1(Sequence $seq): IssuerSerial
+	{
+		$issuer = GeneralNames::fromASN1($seq->at(0)->asSequence());
+		$serial = $seq->at(1)->asInteger()->number();
+		$uid = null;
+		if ($seq->has(2, Element::TYPE_BIT_STRING)) {
+			$uid = UniqueIdentifier::fromASN1($seq->at(2)->asBitString());
+		}
+		return new self($issuer, $serial, $uid);
+	}
+
+	/**
+	 * Initialize from a public key certificate.
+	 *
+	 * @param Certificate $cert
+	 *
+	 * @return self
+	 */
+	public static function fromPKC(Certificate $cert): IssuerSerial
+	{
+		$tbsCert = $cert->tbsCertificate();
+		$issuer = new GeneralNames(new DirectoryName($tbsCert->issuer()));
+		$serial = $tbsCert->serialNumber();
+		$uid = $tbsCert->hasIssuerUniqueID() ? $tbsCert->issuerUniqueID() : null;
+		return new self($issuer, $serial, $uid);
+	}
+
+	/**
+	 * Get issuer name.
+	 *
+	 * @return GeneralNames
+	 */
+	public function issuer(): GeneralNames
+	{
+		return $this->_issuer;
+	}
+
+	/**
+	 * Get serial number.
+	 *
+	 * @return string
+	 */
+	public function serial(): string
+	{
+		return $this->_serial;
+	}
+
+	/**
+	 * Check whether issuer unique identifier is present.
+	 *
+	 * @return bool
+	 */
+	public function hasIssuerUID(): bool
+	{
+		return isset($this->_issuerUID);
+	}
+
+	/**
+	 * Get issuer unique identifier.
+	 *
+	 * @throws \LogicException If not set
+	 *
+	 * @return UniqueIdentifier
+	 */
+	public function issuerUID(): UniqueIdentifier
+	{
+		if (!$this->hasIssuerUID()) {
+			throw new \LogicException('issuerUID not set.');
+		}
+		return $this->_issuerUID;
+	}
+
+	/**
+	 * Generate ASN.1 structure.
+	 *
+	 * @return Sequence
+	 */
+	public function toASN1(): Sequence
+	{
+		$elements = [$this->_issuer->toASN1(), new Integer($this->_serial)];
+		if (isset($this->_issuerUID)) {
+			$elements[] = $this->_issuerUID->toASN1();
+		}
+		return new Sequence(...$elements);
+	}
+
+	/**
+	 * Check whether this IssuerSerial identifies given certificate.
+	 *
+	 * @param Certificate $cert
+	 *
+	 * @return bool
+	 */
+	public function identifiesPKC(Certificate $cert): bool
+	{
+		$tbs = $cert->tbsCertificate();
+		if (!$tbs->issuer()->equals($this->_issuer->firstDN())) {
+			return false;
+		}
+		if ($tbs->serialNumber() !== $this->_serial) {
+			return false;
+		}
+		if ($this->_issuerUID && !$this->_checkUniqueID($cert)) {
+			return false;
+		}
+		return true;
+	}
+
+	/**
+	 * Check whether issuerUID matches given certificate.
+	 *
+	 * @param Certificate $cert
+	 *
+	 * @return bool
+	 */
+	private function _checkUniqueID(Certificate $cert): bool
+	{
+		if (!$cert->tbsCertificate()->hasIssuerUniqueID()) {
+			return false;
+		}
+		$uid = $cert->tbsCertificate()->issuerUniqueID()->string();
+		if ($this->_issuerUID->string() != $uid) {
+			return false;
+		}
+		return true;
+	}
 }

lib/X509/AttributeCertificate/AttCertIssuer.php

Indentation +64 added lines, -64 removed lines

@@ -18,72 +18,72 @@
  */
 abstract class AttCertIssuer
 {
-    /**
-     * Generate ASN.1 element.
-     *
-     * @return Element
-     */
-    abstract public function toASN1(): Element;
+	/**
+	 * Generate ASN.1 element.
+	 *
+	 * @return Element
+	 */
+	abstract public function toASN1(): Element;
 
-    /**
-     * Check whether AttCertIssuer identifies given certificate.
-     *
-     * @param Certificate $cert
-     *
-     * @return bool
-     */
-    abstract public function identifiesPKC(Certificate $cert): bool;
+	/**
+	 * Check whether AttCertIssuer identifies given certificate.
+	 *
+	 * @param Certificate $cert
+	 *
+	 * @return bool
+	 */
+	abstract public function identifiesPKC(Certificate $cert): bool;
 
-    /**
-     * Initialize from distinguished name.
-     *
-     * This conforms to RFC 5755 which states that only v2Form must be used,
-     * and issuerName must contain exactly one GeneralName of DirectoryName
-     * type.
-     *
-     * @see https://tools.ietf.org/html/rfc5755#section-4.2.3
-     *
-     * @param Name $name
-     *
-     * @return self
-     */
-    public static function fromName(Name $name): self
-    {
-        return new V2Form(new GeneralNames(new DirectoryName($name)));
-    }
+	/**
+	 * Initialize from distinguished name.
+	 *
+	 * This conforms to RFC 5755 which states that only v2Form must be used,
+	 * and issuerName must contain exactly one GeneralName of DirectoryName
+	 * type.
+	 *
+	 * @see https://tools.ietf.org/html/rfc5755#section-4.2.3
+	 *
+	 * @param Name $name
+	 *
+	 * @return self
+	 */
+	public static function fromName(Name $name): self
+	{
+		return new V2Form(new GeneralNames(new DirectoryName($name)));
+	}
 
-    /**
-     * Initialize from an issuer's public key certificate.
-     *
-     * @param Certificate $cert
-     *
-     * @return self
-     */
-    public static function fromPKC(Certificate $cert): self
-    {
-        return self::fromName($cert->tbsCertificate()->subject());
-    }
+	/**
+	 * Initialize from an issuer's public key certificate.
+	 *
+	 * @param Certificate $cert
+	 *
+	 * @return self
+	 */
+	public static function fromPKC(Certificate $cert): self
+	{
+		return self::fromName($cert->tbsCertificate()->subject());
+	}
 
-    /**
-     * Initialize from ASN.1.
-     *
-     * @param UnspecifiedType $el CHOICE
-     *
-     * @throws \UnexpectedValueException
-     *
-     * @return self
-     */
-    public static function fromASN1(UnspecifiedType $el): self
-    {
-        if (!$el->isTagged()) {
-            throw new \UnexpectedValueException('v1Form issuer not supported.');
-        }
-        $tagged = $el->asTagged();
-        switch ($tagged->tag()) {
-            case 0:
-                return V2Form::fromV2ASN1(
-                    $tagged->asImplicit(Element::TYPE_SEQUENCE)->asSequence());
-        }
-        throw new \UnexpectedValueException('Unsupported issuer type.');
-    }
+	/**
+	 * Initialize from ASN.1.
+	 *
+	 * @param UnspecifiedType $el CHOICE
+	 *
+	 * @throws \UnexpectedValueException
+	 *
+	 * @return self
+	 */
+	public static function fromASN1(UnspecifiedType $el): self
+	{
+		if (!$el->isTagged()) {
+			throw new \UnexpectedValueException('v1Form issuer not supported.');
+		}
+		$tagged = $el->asTagged();
+		switch ($tagged->tag()) {
+			case 0:
+				return V2Form::fromV2ASN1(
+					$tagged->asImplicit(Element::TYPE_SEQUENCE)->asSequence());
+		}
+		throw new \UnexpectedValueException('Unsupported issuer type.');
+	}
 }

lib/X509/AttributeCertificate/Attribute/AccessIdentityAttributeValue.php

Indentation +12 added lines, -12 removed lines

@@ -13,17 +13,17 @@
  */
 class AccessIdentityAttributeValue extends SvceAuthInfo
 {
-    const OID = '1.3.6.1.5.5.7.10.2';
+	const OID = '1.3.6.1.5.5.7.10.2';
 
-    /**
-     * Constructor.
-     *
-     * @param GeneralName $service
-     * @param GeneralName $ident
-     */
-    public function __construct(GeneralName $service, GeneralName $ident)
-    {
-        parent::__construct($service, $ident, null);
-        $this->_oid = self::OID;
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param GeneralName $service
+	 * @param GeneralName $ident
+	 */
+	public function __construct(GeneralName $service, GeneralName $ident)
+	{
+		parent::__construct($service, $ident, null);
+		$this->_oid = self::OID;
+	}
 }

lib/X509/AttributeCertificate/Attribute/SvceAuthInfo.php

Indentation +141 added lines, -141 removed lines

@@ -21,145 +21,145 @@
  */
 abstract class SvceAuthInfo extends AttributeValue
 {
-    /**
-     * Service.
-     *
-     * @var GeneralName
-     */
-    protected $_service;
-
-    /**
-     * Ident.
-     *
-     * @var GeneralName
-     */
-    protected $_ident;
-
-    /**
-     * Auth info.
-     *
-     * @var null|string
-     */
-    protected $_authInfo;
-
-    /**
-     * Constructor.
-     *
-     * @param GeneralName $service
-     * @param GeneralName $ident
-     * @param null|string $auth_info
-     */
-    public function __construct(GeneralName $service, GeneralName $ident,
-        ?string $auth_info = null)
-    {
-        $this->_service = $service;
-        $this->_ident = $ident;
-        $this->_authInfo = $auth_info;
-    }
-
-    /**
-     * {@inheritdoc}
-     *
-     * @return self
-     */
-    public static function fromASN1(UnspecifiedType $el): AttributeValue
-    {
-        $seq = $el->asSequence();
-        $service = GeneralName::fromASN1($seq->at(0)->asTagged());
-        $ident = GeneralName::fromASN1($seq->at(1)->asTagged());
-        $auth_info = null;
-        if ($seq->has(2, Element::TYPE_OCTET_STRING)) {
-            $auth_info = $seq->at(2)->asString()->string();
-        }
-        return new static($service, $ident, $auth_info);
-    }
-
-    /**
-     * Get service name.
-     *
-     * @return GeneralName
-     */
-    public function service(): GeneralName
-    {
-        return $this->_service;
-    }
-
-    /**
-     * Get ident.
-     *
-     * @return GeneralName
-     */
-    public function ident(): GeneralName
-    {
-        return $this->_ident;
-    }
-
-    /**
-     * Check whether authentication info is present.
-     *
-     * @return bool
-     */
-    public function hasAuthInfo(): bool
-    {
-        return isset($this->_authInfo);
-    }
-
-    /**
-     * Get authentication info.
-     *
-     * @throws \LogicException If not set
-     *
-     * @return string
-     */
-    public function authInfo(): string
-    {
-        if (!$this->hasAuthInfo()) {
-            throw new \LogicException('authInfo not set.');
-        }
-        return $this->_authInfo;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function toASN1(): Element
-    {
-        $elements = [$this->_service->toASN1(), $this->_ident->toASN1()];
-        if (isset($this->_authInfo)) {
-            $elements[] = new OctetString($this->_authInfo);
-        }
-        return new Sequence(...$elements);
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function stringValue(): string
-    {
-        return '#' . bin2hex($this->toASN1()->toDER());
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function equalityMatchingRule(): MatchingRule
-    {
-        return new BinaryMatch();
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function rfc2253String(): string
-    {
-        return $this->stringValue();
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    protected function _transcodedString(): string
-    {
-        return $this->stringValue();
-    }
+	/**
+	 * Service.
+	 *
+	 * @var GeneralName
+	 */
+	protected $_service;
+
+	/**
+	 * Ident.
+	 *
+	 * @var GeneralName
+	 */
+	protected $_ident;
+
+	/**
+	 * Auth info.
+	 *
+	 * @var null|string
+	 */
+	protected $_authInfo;
+
+	/**
+	 * Constructor.
+	 *
+	 * @param GeneralName $service
+	 * @param GeneralName $ident
+	 * @param null|string $auth_info
+	 */
+	public function __construct(GeneralName $service, GeneralName $ident,
+		?string $auth_info = null)
+	{
+		$this->_service = $service;
+		$this->_ident = $ident;
+		$this->_authInfo = $auth_info;
+	}
+
+	/**
+	 * {@inheritdoc}
+	 *
+	 * @return self
+	 */
+	public static function fromASN1(UnspecifiedType $el): AttributeValue
+	{
+		$seq = $el->asSequence();
+		$service = GeneralName::fromASN1($seq->at(0)->asTagged());
+		$ident = GeneralName::fromASN1($seq->at(1)->asTagged());
+		$auth_info = null;
+		if ($seq->has(2, Element::TYPE_OCTET_STRING)) {
+			$auth_info = $seq->at(2)->asString()->string();
+		}
+		return new static($service, $ident, $auth_info);
+	}
+
+	/**
+	 * Get service name.
+	 *
+	 * @return GeneralName
+	 */
+	public function service(): GeneralName
+	{
+		return $this->_service;
+	}
+
+	/**
+	 * Get ident.
+	 *
+	 * @return GeneralName
+	 */
+	public function ident(): GeneralName
+	{
+		return $this->_ident;
+	}
+
+	/**
+	 * Check whether authentication info is present.
+	 *
+	 * @return bool
+	 */
+	public function hasAuthInfo(): bool
+	{
+		return isset($this->_authInfo);
+	}
+
+	/**
+	 * Get authentication info.
+	 *
+	 * @throws \LogicException If not set
+	 *
+	 * @return string
+	 */
+	public function authInfo(): string
+	{
+		if (!$this->hasAuthInfo()) {
+			throw new \LogicException('authInfo not set.');
+		}
+		return $this->_authInfo;
+	}
+
+	/**
+	 * {@inheritdoc}
+	 */
+	public function toASN1(): Element
+	{
+		$elements = [$this->_service->toASN1(), $this->_ident->toASN1()];
+		if (isset($this->_authInfo)) {
+			$elements[] = new OctetString($this->_authInfo);
+		}
+		return new Sequence(...$elements);
+	}
+
+	/**
+	 * {@inheritdoc}
+	 */
+	public function stringValue(): string
+	{
+		return '#' . bin2hex($this->toASN1()->toDER());
+	}
+
+	/**
+	 * {@inheritdoc}
+	 */
+	public function equalityMatchingRule(): MatchingRule
+	{
+		return new BinaryMatch();
+	}
+
+	/**
+	 * {@inheritdoc}
+	 */
+	public function rfc2253String(): string
+	{
+		return $this->stringValue();
+	}
+
+	/**
+	 * {@inheritdoc}
+	 */
+	protected function _transcodedString(): string
+	{
+		return $this->stringValue();
+	}
 }

lib/X509/AttributeCertificate/Attribute/RoleAttributeValue.php

Indentation +142 added lines, -142 removed lines

@@ -24,146 +24,146 @@
  */
 class RoleAttributeValue extends AttributeValue
 {
-    /**
-     * Issuing authority.
-     *
-     * @var null|GeneralNames
-     */
-    protected $_roleAuthority;
-
-    /**
-     * Role name.
-     *
-     * @var GeneralName
-     */
-    protected $_roleName;
-
-    /**
-     * Constructor.
-     *
-     * @param GeneralName       $name      Role name
-     * @param null|GeneralNames $authority Issuing authority
-     */
-    public function __construct(GeneralName $name,
-        ?GeneralNames $authority = null)
-    {
-        $this->_roleAuthority = $authority;
-        $this->_roleName = $name;
-        $this->_oid = AttributeType::OID_ROLE;
-    }
-
-    /**
-     * Initialize from a role string.
-     *
-     * @param string            $role_name Role name in URI format
-     * @param null|GeneralNames $authority Issuing authority
-     *
-     * @return self
-     */
-    public static function fromString(string $role_name,
-        ?GeneralNames $authority = null): self
-    {
-        return new self(new UniformResourceIdentifier($role_name), $authority);
-    }
-
-    /**
-     * {@inheritdoc}
-     *
-     * @return self
-     */
-    public static function fromASN1(UnspecifiedType $el): AttributeValue
-    {
-        $seq = $el->asSequence();
-        $authority = null;
-        if ($seq->hasTagged(0)) {
-            $authority = GeneralNames::fromASN1(
-                $seq->getTagged(0)->asImplicit(Element::TYPE_SEQUENCE)
-                    ->asSequence());
-        }
-        $name = GeneralName::fromASN1($seq->getTagged(1)
-            ->asExplicit()->asTagged());
-        return new self($name, $authority);
-    }
-
-    /**
-     * Check whether issuing authority is present.
-     *
-     * @return bool
-     */
-    public function hasRoleAuthority(): bool
-    {
-        return isset($this->_roleAuthority);
-    }
-
-    /**
-     * Get issuing authority.
-     *
-     * @throws \LogicException If not set
-     *
-     * @return GeneralNames
-     */
-    public function roleAuthority(): GeneralNames
-    {
-        if (!$this->hasRoleAuthority()) {
-            throw new \LogicException('roleAuthority not set.');
-        }
-        return $this->_roleAuthority;
-    }
-
-    /**
-     * Get role name.
-     *
-     * @return GeneralName
-     */
-    public function roleName(): GeneralName
-    {
-        return $this->_roleName;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function toASN1(): Element
-    {
-        $elements = [];
-        if (isset($this->_roleAuthority)) {
-            $elements[] = new ImplicitlyTaggedType(
-                0, $this->_roleAuthority->toASN1());
-        }
-        $elements[] = new ExplicitlyTaggedType(
-            1, $this->_roleName->toASN1());
-        return new Sequence(...$elements);
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function stringValue(): string
-    {
-        return '#' . bin2hex($this->toASN1()->toDER());
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function equalityMatchingRule(): MatchingRule
-    {
-        return new BinaryMatch();
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function rfc2253String(): string
-    {
-        return $this->stringValue();
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    protected function _transcodedString(): string
-    {
-        return $this->stringValue();
-    }
+	/**
+	 * Issuing authority.
+	 *
+	 * @var null|GeneralNames
+	 */
+	protected $_roleAuthority;
+
+	/**
+	 * Role name.
+	 *
+	 * @var GeneralName
+	 */
+	protected $_roleName;
+
+	/**
+	 * Constructor.
+	 *
+	 * @param GeneralName       $name      Role name
+	 * @param null|GeneralNames $authority Issuing authority
+	 */
+	public function __construct(GeneralName $name,
+		?GeneralNames $authority = null)
+	{
+		$this->_roleAuthority = $authority;
+		$this->_roleName = $name;
+		$this->_oid = AttributeType::OID_ROLE;
+	}
+
+	/**
+	 * Initialize from a role string.
+	 *
+	 * @param string            $role_name Role name in URI format
+	 * @param null|GeneralNames $authority Issuing authority
+	 *
+	 * @return self
+	 */
+	public static function fromString(string $role_name,
+		?GeneralNames $authority = null): self
+	{
+		return new self(new UniformResourceIdentifier($role_name), $authority);
+	}
+
+	/**
+	 * {@inheritdoc}
+	 *
+	 * @return self
+	 */
+	public static function fromASN1(UnspecifiedType $el): AttributeValue
+	{
+		$seq = $el->asSequence();
+		$authority = null;
+		if ($seq->hasTagged(0)) {
+			$authority = GeneralNames::fromASN1(
+				$seq->getTagged(0)->asImplicit(Element::TYPE_SEQUENCE)
+					->asSequence());
+		}
+		$name = GeneralName::fromASN1($seq->getTagged(1)
+			->asExplicit()->asTagged());
+		return new self($name, $authority);
+	}
+
+	/**
+	 * Check whether issuing authority is present.
+	 *
+	 * @return bool
+	 */
+	public function hasRoleAuthority(): bool
+	{
+		return isset($this->_roleAuthority);
+	}
+
+	/**
+	 * Get issuing authority.
+	 *
+	 * @throws \LogicException If not set
+	 *
+	 * @return GeneralNames
+	 */
+	public function roleAuthority(): GeneralNames
+	{
+		if (!$this->hasRoleAuthority()) {
+			throw new \LogicException('roleAuthority not set.');
+		}
+		return $this->_roleAuthority;
+	}
+
+	/**
+	 * Get role name.
+	 *
+	 * @return GeneralName
+	 */
+	public function roleName(): GeneralName
+	{
+		return $this->_roleName;
+	}
+
+	/**
+	 * {@inheritdoc}
+	 */
+	public function toASN1(): Element
+	{
+		$elements = [];
+		if (isset($this->_roleAuthority)) {
+			$elements[] = new ImplicitlyTaggedType(
+				0, $this->_roleAuthority->toASN1());
+		}
+		$elements[] = new ExplicitlyTaggedType(
+			1, $this->_roleName->toASN1());
+		return new Sequence(...$elements);
+	}
+
+	/**
+	 * {@inheritdoc}
+	 */
+	public function stringValue(): string
+	{
+		return '#' . bin2hex($this->toASN1()->toDER());
+	}
+
+	/**
+	 * {@inheritdoc}
+	 */
+	public function equalityMatchingRule(): MatchingRule
+	{
+		return new BinaryMatch();
+	}
+
+	/**
+	 * {@inheritdoc}
+	 */
+	public function rfc2253String(): string
+	{
+		return $this->stringValue();
+	}
+
+	/**
+	 * {@inheritdoc}
+	 */
+	protected function _transcodedString(): string
+	{
+		return $this->stringValue();
+	}
 }