sop / x509

lib/X509/Certificate/Extension/Target/Targets.php

Indentation +121 added lines, -121 removed lines

@@ -14,135 +14,135 @@
  */
 class Targets implements \Countable, \IteratorAggregate
 {
-    /**
-     * Target elements.
-     *
-     * @var Target[]
-     */
-    protected $_targets;
+	/**
+	 * Target elements.
+	 *
+	 * @var Target[]
+	 */
+	protected $_targets;
 
-    /**
-     * Constructor.
-     *
-     * @param Target ...$targets
-     */
-    public function __construct(Target ...$targets)
-    {
-        $this->_targets = $targets;
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param Target ...$targets
+	 */
+	public function __construct(Target ...$targets)
+	{
+		$this->_targets = $targets;
+	}
 
-    /**
-     * Initialize from ASN.1.
-     *
-     * @param Sequence $seq
-     *
-     * @return self
-     */
-    public static function fromASN1(Sequence $seq): self
-    {
-        $targets = array_map(
-            function (UnspecifiedType $el) {
-                return Target::fromASN1($el->asTagged());
-            }, $seq->elements());
-        return new self(...$targets);
-    }
+	/**
+	 * Initialize from ASN.1.
+	 *
+	 * @param Sequence $seq
+	 *
+	 * @return self
+	 */
+	public static function fromASN1(Sequence $seq): self
+	{
+		$targets = array_map(
+			function (UnspecifiedType $el) {
+				return Target::fromASN1($el->asTagged());
+			}, $seq->elements());
+		return new self(...$targets);
+	}
 
-    /**
-     * Get all targets.
-     *
-     * @return Target[]
-     */
-    public function all(): array
-    {
-        return $this->_targets;
-    }
+	/**
+	 * Get all targets.
+	 *
+	 * @return Target[]
+	 */
+	public function all(): array
+	{
+		return $this->_targets;
+	}
 
-    /**
-     * Get all name targets.
-     *
-     * @return Target[]
-     */
-    public function nameTargets(): array
-    {
-        return $this->_allOfType(Target::TYPE_NAME);
-    }
+	/**
+	 * Get all name targets.
+	 *
+	 * @return Target[]
+	 */
+	public function nameTargets(): array
+	{
+		return $this->_allOfType(Target::TYPE_NAME);
+	}
 
-    /**
-     * Get all group targets.
-     *
-     * @return Target[]
-     */
-    public function groupTargets(): array
-    {
-        return $this->_allOfType(Target::TYPE_GROUP);
-    }
+	/**
+	 * Get all group targets.
+	 *
+	 * @return Target[]
+	 */
+	public function groupTargets(): array
+	{
+		return $this->_allOfType(Target::TYPE_GROUP);
+	}
 
-    /**
-     * Check whether given target is present.
-     *
-     * @param Target $target
-     *
-     * @return bool
-     */
-    public function hasTarget(Target $target): bool
-    {
-        foreach ($this->_allOfType($target->type()) as $t) {
-            if ($target->equals($t)) {
-                return true;
-            }
-        }
-        return false;
-    }
+	/**
+	 * Check whether given target is present.
+	 *
+	 * @param Target $target
+	 *
+	 * @return bool
+	 */
+	public function hasTarget(Target $target): bool
+	{
+		foreach ($this->_allOfType($target->type()) as $t) {
+			if ($target->equals($t)) {
+				return true;
+			}
+		}
+		return false;
+	}
 
-    /**
-     * Generate ASN.1 structure.
-     *
-     * @return Sequence
-     */
-    public function toASN1(): Sequence
-    {
-        $elements = array_map(
-            function (Target $target) {
-                return $target->toASN1();
-            }, $this->_targets);
-        return new Sequence(...$elements);
-    }
+	/**
+	 * Generate ASN.1 structure.
+	 *
+	 * @return Sequence
+	 */
+	public function toASN1(): Sequence
+	{
+		$elements = array_map(
+			function (Target $target) {
+				return $target->toASN1();
+			}, $this->_targets);
+		return new Sequence(...$elements);
+	}
 
-    /**
-     * @see \Countable::count()
-     *
-     * @return int
-     */
-    public function count(): int
-    {
-        return count($this->_targets);
-    }
+	/**
+	 * @see \Countable::count()
+	 *
+	 * @return int
+	 */
+	public function count(): int
+	{
+		return count($this->_targets);
+	}
 
-    /**
-     * Get iterator for targets.
-     *
-     * @see \IteratorAggregate::getIterator()
-     *
-     * @return \ArrayIterator
-     */
-    public function getIterator(): \ArrayIterator
-    {
-        return new \ArrayIterator($this->_targets);
-    }
+	/**
+	 * Get iterator for targets.
+	 *
+	 * @see \IteratorAggregate::getIterator()
+	 *
+	 * @return \ArrayIterator
+	 */
+	public function getIterator(): \ArrayIterator
+	{
+		return new \ArrayIterator($this->_targets);
+	}
 
-    /**
-     * Get all targets of given type.
-     *
-     * @param int $type
-     *
-     * @return Target[]
-     */
-    protected function _allOfType(int $type): array
-    {
-        return array_values(
-            array_filter($this->_targets,
-                function (Target $target) use ($type) {
-                    return $target->type() == $type;
-                }));
-    }
+	/**
+	 * Get all targets of given type.
+	 *
+	 * @param int $type
+	 *
+	 * @return Target[]
+	 */
+	protected function _allOfType(int $type): array
+	{
+		return array_values(
+			array_filter($this->_targets,
+				function (Target $target) use ($type) {
+					return $target->type() == $type;
+				}));
+	}
 }

lib/X509/Certificate/Extension/Target/Target.php

Indentation +81 added lines, -81 removed lines

@@ -14,92 +14,92 @@
  */
 abstract class Target
 {
-    const TYPE_NAME = 0;
-    const TYPE_GROUP = 1;
-    const TYPE_CERT = 2;
+	const TYPE_NAME = 0;
+	const TYPE_GROUP = 1;
+	const TYPE_CERT = 2;
 
-    /**
-     * Type tag.
-     *
-     * @var int
-     */
-    protected $_type;
+	/**
+	 * Type tag.
+	 *
+	 * @var int
+	 */
+	protected $_type;
 
-    /**
-     * Generate ASN.1 element.
-     *
-     * @return Element
-     */
-    abstract public function toASN1(): Element;
+	/**
+	 * Generate ASN.1 element.
+	 *
+	 * @return Element
+	 */
+	abstract public function toASN1(): Element;
 
-    /**
-     * Get string value of the target.
-     *
-     * @return string
-     */
-    abstract public function string(): string;
+	/**
+	 * Get string value of the target.
+	 *
+	 * @return string
+	 */
+	abstract public function string(): string;
 
-    /**
-     * Initialize concrete object from the chosen ASN.1 element.
-     *
-     * @param TaggedType $el
-     *
-     * @return self
-     */
-    public static function fromChosenASN1(TaggedType $el): Target
-    {
-        throw new \BadMethodCallException(
-            __FUNCTION__ . ' must be implemented in the derived class.');
-    }
+	/**
+	 * Initialize concrete object from the chosen ASN.1 element.
+	 *
+	 * @param TaggedType $el
+	 *
+	 * @return self
+	 */
+	public static function fromChosenASN1(TaggedType $el): Target
+	{
+		throw new \BadMethodCallException(
+			__FUNCTION__ . ' must be implemented in the derived class.');
+	}
 
-    /**
-     * Parse from ASN.1.
-     *
-     * @param TaggedType $el
-     *
-     * @throws \UnexpectedValueException
-     *
-     * @return self
-     */
-    public static function fromASN1(TaggedType $el): self
-    {
-        switch ($el->tag()) {
-            case self::TYPE_NAME:
-                return TargetName::fromChosenASN1($el->asExplicit()->asTagged());
-            case self::TYPE_GROUP:
-                return TargetGroup::fromChosenASN1($el->asExplicit()->asTagged());
-            case self::TYPE_CERT:
-                throw new \RuntimeException('targetCert not supported.');
-        }
-        throw new \UnexpectedValueException(
-            'Target type ' . $el->tag() . ' not supported.');
-    }
+	/**
+	 * Parse from ASN.1.
+	 *
+	 * @param TaggedType $el
+	 *
+	 * @throws \UnexpectedValueException
+	 *
+	 * @return self
+	 */
+	public static function fromASN1(TaggedType $el): self
+	{
+		switch ($el->tag()) {
+			case self::TYPE_NAME:
+				return TargetName::fromChosenASN1($el->asExplicit()->asTagged());
+			case self::TYPE_GROUP:
+				return TargetGroup::fromChosenASN1($el->asExplicit()->asTagged());
+			case self::TYPE_CERT:
+				throw new \RuntimeException('targetCert not supported.');
+		}
+		throw new \UnexpectedValueException(
+			'Target type ' . $el->tag() . ' not supported.');
+	}
 
-    /**
-     * Get type tag.
-     *
-     * @return int
-     */
-    public function type(): int
-    {
-        return $this->_type;
-    }
+	/**
+	 * Get type tag.
+	 *
+	 * @return int
+	 */
+	public function type(): int
+	{
+		return $this->_type;
+	}
 
-    /**
-     * Check whether target is equal to another.
-     *
-     * @param Target $other
-     *
-     * @return bool
-     */
-    public function equals(Target $other): bool
-    {
-        if ($this->_type !== $other->_type) {
-            return false;
-        }
-        if ($this->toASN1()->toDER() !== $other->toASN1()->toDER()) {
-            return false;
-        }
-        return true;
-    }
+	/**
+	 * Check whether target is equal to another.
+	 *
+	 * @param Target $other
+	 *
+	 * @return bool
+	 */
+	public function equals(Target $other): bool
+	{
+		if ($this->_type !== $other->_type) {
+			return false;
+		}
+		if ($this->toASN1()->toDER() !== $other->toASN1()->toDER()) {
+			return false;
+		}
+		return true;
+	}
 }

lib/X509/Certificate/Extension/TargetInformationExtension.php

Indentation +119 added lines, -119 removed lines

@@ -21,134 +21,134 @@
  */
 class TargetInformationExtension extends Extension implements \Countable, \IteratorAggregate
 {
-    /**
-     * Targets elements.
-     *
-     * @var Targets[]
-     */
-    protected $_targets;
+	/**
+	 * Targets elements.
+	 *
+	 * @var Targets[]
+	 */
+	protected $_targets;
 
-    /**
-     * Targets[] merged to single Targets.
-     *
-     * @var null|Targets
-     */
-    private $_merged;
+	/**
+	 * Targets[] merged to single Targets.
+	 *
+	 * @var null|Targets
+	 */
+	private $_merged;
 
-    /**
-     * Constructor.
-     *
-     * @param bool    $critical
-     * @param Targets ...$targets
-     */
-    public function __construct(bool $critical, Targets ...$targets)
-    {
-        parent::__construct(self::OID_TARGET_INFORMATION, $critical);
-        $this->_targets = $targets;
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param bool    $critical
+	 * @param Targets ...$targets
+	 */
+	public function __construct(bool $critical, Targets ...$targets)
+	{
+		parent::__construct(self::OID_TARGET_INFORMATION, $critical);
+		$this->_targets = $targets;
+	}
 
-    /**
-     * Reset internal state on clone.
-     */
-    public function __clone()
-    {
-        $this->_merged = null;
-    }
+	/**
+	 * Reset internal state on clone.
+	 */
+	public function __clone()
+	{
+		$this->_merged = null;
+	}
 
-    /**
-     * Initialize from one or more Target objects.
-     *
-     * Extension criticality shall be set to true as specified by RFC 5755.
-     *
-     * @param Target ...$target
-     *
-     * @return TargetInformationExtension
-     */
-    public static function fromTargets(Target ...$target): self
-    {
-        return new self(true, new Targets(...$target));
-    }
+	/**
+	 * Initialize from one or more Target objects.
+	 *
+	 * Extension criticality shall be set to true as specified by RFC 5755.
+	 *
+	 * @param Target ...$target
+	 *
+	 * @return TargetInformationExtension
+	 */
+	public static function fromTargets(Target ...$target): self
+	{
+		return new self(true, new Targets(...$target));
+	}
 
-    /**
-     * Get all targets.
-     *
-     * @return Targets
-     */
-    public function targets(): Targets
-    {
-        if (!isset($this->_merged)) {
-            $a = [];
-            foreach ($this->_targets as $targets) {
-                $a = array_merge($a, $targets->all());
-            }
-            $this->_merged = new Targets(...$a);
-        }
-        return $this->_merged;
-    }
+	/**
+	 * Get all targets.
+	 *
+	 * @return Targets
+	 */
+	public function targets(): Targets
+	{
+		if (!isset($this->_merged)) {
+			$a = [];
+			foreach ($this->_targets as $targets) {
+				$a = array_merge($a, $targets->all());
+			}
+			$this->_merged = new Targets(...$a);
+		}
+		return $this->_merged;
+	}
 
-    /**
-     * Get all name targets.
-     *
-     * @return Target[]
-     */
-    public function names(): array
-    {
-        return $this->targets()->nameTargets();
-    }
+	/**
+	 * Get all name targets.
+	 *
+	 * @return Target[]
+	 */
+	public function names(): array
+	{
+		return $this->targets()->nameTargets();
+	}
 
-    /**
-     * Get all group targets.
-     *
-     * @return Target[]
-     */
-    public function groups(): array
-    {
-        return $this->targets()->groupTargets();
-    }
+	/**
+	 * Get all group targets.
+	 *
+	 * @return Target[]
+	 */
+	public function groups(): array
+	{
+		return $this->targets()->groupTargets();
+	}
 
-    /**
-     * @see \Countable::count()
-     *
-     * @return int
-     */
-    public function count(): int
-    {
-        return count($this->targets());
-    }
+	/**
+	 * @see \Countable::count()
+	 *
+	 * @return int
+	 */
+	public function count(): int
+	{
+		return count($this->targets());
+	}
 
-    /**
-     * Get iterator for targets.
-     *
-     * @see \IteratorAggregate::getIterator()
-     *
-     * @return \ArrayIterator
-     */
-    public function getIterator(): \ArrayIterator
-    {
-        return new \ArrayIterator($this->targets()->all());
-    }
+	/**
+	 * Get iterator for targets.
+	 *
+	 * @see \IteratorAggregate::getIterator()
+	 *
+	 * @return \ArrayIterator
+	 */
+	public function getIterator(): \ArrayIterator
+	{
+		return new \ArrayIterator($this->targets()->all());
+	}
 
-    /**
-     * {@inheritdoc}
-     */
-    protected static function _fromDER(string $data, bool $critical): Extension
-    {
-        $targets = array_map(
-            function (UnspecifiedType $el) {
-                return Targets::fromASN1($el->asSequence());
-            }, UnspecifiedType::fromDER($data)->asSequence()->elements());
-        return new self($critical, ...$targets);
-    }
+	/**
+	 * {@inheritdoc}
+	 */
+	protected static function _fromDER(string $data, bool $critical): Extension
+	{
+		$targets = array_map(
+			function (UnspecifiedType $el) {
+				return Targets::fromASN1($el->asSequence());
+			}, UnspecifiedType::fromDER($data)->asSequence()->elements());
+		return new self($critical, ...$targets);
+	}
 
-    /**
-     * {@inheritdoc}
-     */
-    protected function _valueASN1(): Element
-    {
-        $elements = array_map(
-            function (Targets $targets) {
-                return $targets->toASN1();
-            }, $this->_targets);
-        return new Sequence(...$elements);
-    }
+	/**
+	 * {@inheritdoc}
+	 */
+	protected function _valueASN1(): Element
+	{
+		$elements = array_map(
+			function (Targets $targets) {
+				return $targets->toASN1();
+			}, $this->_targets);
+		return new Sequence(...$elements);
+	}
 }

lib/X509/Certificate/Extension/IssuerAlternativeNameExtension.php

Indentation +42 added lines, -42 removed lines

@@ -15,50 +15,50 @@
  */
 class IssuerAlternativeNameExtension extends Extension
 {
-    /**
-     * Names.
-     *
-     * @var GeneralNames
-     */
-    protected $_names;
+	/**
+	 * Names.
+	 *
+	 * @var GeneralNames
+	 */
+	protected $_names;
 
-    /**
-     * Constructor.
-     *
-     * @param bool         $critical
-     * @param GeneralNames $names
-     */
-    public function __construct(bool $critical, GeneralNames $names)
-    {
-        parent::__construct(self::OID_ISSUER_ALT_NAME, $critical);
-        $this->_names = $names;
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param bool         $critical
+	 * @param GeneralNames $names
+	 */
+	public function __construct(bool $critical, GeneralNames $names)
+	{
+		parent::__construct(self::OID_ISSUER_ALT_NAME, $critical);
+		$this->_names = $names;
+	}
 
-    /**
-     * Get names.
-     *
-     * @return GeneralNames
-     */
-    public function names(): GeneralNames
-    {
-        return $this->_names;
-    }
+	/**
+	 * Get names.
+	 *
+	 * @return GeneralNames
+	 */
+	public function names(): GeneralNames
+	{
+		return $this->_names;
+	}
 
-    /**
-     * {@inheritdoc}
-     */
-    protected static function _fromDER(string $data, bool $critical): Extension
-    {
-        return new self($critical,
-            GeneralNames::fromASN1(
-                UnspecifiedType::fromDER($data)->asSequence()));
-    }
+	/**
+	 * {@inheritdoc}
+	 */
+	protected static function _fromDER(string $data, bool $critical): Extension
+	{
+		return new self($critical,
+			GeneralNames::fromASN1(
+				UnspecifiedType::fromDER($data)->asSequence()));
+	}
 
-    /**
-     * {@inheritdoc}
-     */
-    protected function _valueASN1(): Element
-    {
-        return $this->_names->toASN1();
-    }
+	/**
+	 * {@inheritdoc}
+	 */
+	protected function _valueASN1(): Element
+	{
+		return $this->_names->toASN1();
+	}
 }

lib/X509/Certificate/Extension/AAControlsExtension.php

Indentation +203 added lines, -203 removed lines

@@ -19,207 +19,207 @@
  */
 class AAControlsExtension extends Extension
 {
-    /**
-     * Path length contraint.
-     *
-     * @var null|int
-     */
-    protected $_pathLenConstraint;
-
-    /**
-     * Permitted attributes.
-     *
-     * Array of OID's.
-     *
-     * @var null|string[]
-     */
-    protected $_permittedAttrs;
-
-    /**
-     * Excluded attributes.
-     *
-     * Array of OID's.
-     *
-     * @var null|string[]
-     */
-    protected $_excludedAttrs;
-
-    /**
-     * Whether to permit unspecified attributes.
-     *
-     * @var bool
-     */
-    protected $_permitUnSpecified;
-
-    /**
-     * Constructor.
-     *
-     * @param bool          $critical
-     * @param null|int      $path_len
-     * @param null|string[] $permitted
-     * @param null|string[] $excluded
-     * @param bool          $permit_unspecified
-     */
-    public function __construct(bool $critical, ?int $path_len = null,
-        ?array $permitted = null, ?array $excluded = null, bool $permit_unspecified = true)
-    {
-        parent::__construct(self::OID_AA_CONTROLS, $critical);
-        $this->_pathLenConstraint = $path_len;
-        $this->_permittedAttrs = $permitted;
-        $this->_excludedAttrs = $excluded;
-        $this->_permitUnSpecified = $permit_unspecified;
-    }
-
-    /**
-     * Check whether path length constraint is present.
-     *
-     * @return bool
-     */
-    public function hasPathLen(): bool
-    {
-        return isset($this->_pathLenConstraint);
-    }
-
-    /**
-     * Get path length constraint.
-     *
-     * @throws \LogicException If not set
-     *
-     * @return int
-     */
-    public function pathLen(): int
-    {
-        if (!$this->hasPathLen()) {
-            throw new \LogicException('pathLen not set.');
-        }
-        return $this->_pathLenConstraint;
-    }
-
-    /**
-     * Check whether permitted attributes are present.
-     *
-     * @return bool
-     */
-    public function hasPermittedAttrs(): bool
-    {
-        return isset($this->_permittedAttrs);
-    }
-
-    /**
-     * Get OID's of permitted attributes.
-     *
-     * @throws \LogicException If not set
-     *
-     * @return string[]
-     */
-    public function permittedAttrs(): array
-    {
-        if (!$this->hasPermittedAttrs()) {
-            throw new \LogicException('permittedAttrs not set.');
-        }
-        return $this->_permittedAttrs;
-    }
-
-    /**
-     * Check whether excluded attributes are present.
-     *
-     * @return bool
-     */
-    public function hasExcludedAttrs(): bool
-    {
-        return isset($this->_excludedAttrs);
-    }
-
-    /**
-     * Get OID's of excluded attributes.
-     *
-     * @throws \LogicException If not set
-     *
-     * @return string[]
-     */
-    public function excludedAttrs(): array
-    {
-        if (!$this->hasExcludedAttrs()) {
-            throw new \LogicException('excludedAttrs not set.');
-        }
-        return $this->_excludedAttrs;
-    }
-
-    /**
-     * Whether to permit attributes that are not explicitly specified in
-     * neither permitted nor excluded list.
-     *
-     * @return bool
-     */
-    public function permitUnspecified(): bool
-    {
-        return $this->_permitUnSpecified;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    protected static function _fromDER(string $data, bool $critical): Extension
-    {
-        $seq = UnspecifiedType::fromDER($data)->asSequence();
-        $path_len = null;
-        $permitted = null;
-        $excluded = null;
-        $permit_unspecified = true;
-        $idx = 0;
-        if ($seq->has($idx, Element::TYPE_INTEGER)) {
-            $path_len = $seq->at($idx++)->asInteger()->intNumber();
-        }
-        if ($seq->hasTagged(0)) {
-            $attr_seq = $seq->getTagged(0)->asImplicit(Element::TYPE_SEQUENCE)
-                ->asSequence();
-            $permitted = array_map(
-                function (UnspecifiedType $el) {
-                    return $el->asObjectIdentifier()->oid();
-                }, $attr_seq->elements());
-            ++$idx;
-        }
-        if ($seq->hasTagged(1)) {
-            $attr_seq = $seq->getTagged(1)->asImplicit(Element::TYPE_SEQUENCE)
-                ->asSequence();
-            $excluded = array_map(
-                function (UnspecifiedType $el) {
-                    return $el->asObjectIdentifier()->oid();
-                }, $attr_seq->elements());
-            ++$idx;
-        }
-        if ($seq->has($idx, Element::TYPE_BOOLEAN)) {
-            $permit_unspecified = $seq->at($idx++)->asBoolean()->value();
-        }
-        return new self($critical, $path_len, $permitted, $excluded, $permit_unspecified);
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    protected function _valueASN1(): Element
-    {
-        $elements = [];
-        if (isset($this->_pathLenConstraint)) {
-            $elements[] = new Integer($this->_pathLenConstraint);
-        }
-        if (isset($this->_permittedAttrs)) {
-            $oids = array_map(
-                function ($oid) {
-                    return new ObjectIdentifier($oid);
-                }, $this->_permittedAttrs);
-            $elements[] = new ImplicitlyTaggedType(0, new Sequence(...$oids));
-        }
-        if (isset($this->_excludedAttrs)) {
-            $oids = array_map(
-                function ($oid) {
-                    return new ObjectIdentifier($oid);
-                }, $this->_excludedAttrs);
-            $elements[] = new ImplicitlyTaggedType(1, new Sequence(...$oids));
-        }
-        if (true !== $this->_permitUnSpecified) {
-            $elements[] = new Boolean(false);
-        }
-        return new Sequence(...$elements);
-    }
+	/**
+	 * Path length contraint.
+	 *
+	 * @var null|int
+	 */
+	protected $_pathLenConstraint;
+
+	/**
+	 * Permitted attributes.
+	 *
+	 * Array of OID's.
+	 *
+	 * @var null|string[]
+	 */
+	protected $_permittedAttrs;
+
+	/**
+	 * Excluded attributes.
+	 *
+	 * Array of OID's.
+	 *
+	 * @var null|string[]
+	 */
+	protected $_excludedAttrs;
+
+	/**
+	 * Whether to permit unspecified attributes.
+	 *
+	 * @var bool
+	 */
+	protected $_permitUnSpecified;
+
+	/**
+	 * Constructor.
+	 *
+	 * @param bool          $critical
+	 * @param null|int      $path_len
+	 * @param null|string[] $permitted
+	 * @param null|string[] $excluded
+	 * @param bool          $permit_unspecified
+	 */
+	public function __construct(bool $critical, ?int $path_len = null,
+		?array $permitted = null, ?array $excluded = null, bool $permit_unspecified = true)
+	{
+		parent::__construct(self::OID_AA_CONTROLS, $critical);
+		$this->_pathLenConstraint = $path_len;
+		$this->_permittedAttrs = $permitted;
+		$this->_excludedAttrs = $excluded;
+		$this->_permitUnSpecified = $permit_unspecified;
+	}
+
+	/**
+	 * Check whether path length constraint is present.
+	 *
+	 * @return bool
+	 */
+	public function hasPathLen(): bool
+	{
+		return isset($this->_pathLenConstraint);
+	}
+
+	/**
+	 * Get path length constraint.
+	 *
+	 * @throws \LogicException If not set
+	 *
+	 * @return int
+	 */
+	public function pathLen(): int
+	{
+		if (!$this->hasPathLen()) {
+			throw new \LogicException('pathLen not set.');
+		}
+		return $this->_pathLenConstraint;
+	}
+
+	/**
+	 * Check whether permitted attributes are present.
+	 *
+	 * @return bool
+	 */
+	public function hasPermittedAttrs(): bool
+	{
+		return isset($this->_permittedAttrs);
+	}
+
+	/**
+	 * Get OID's of permitted attributes.
+	 *
+	 * @throws \LogicException If not set
+	 *
+	 * @return string[]
+	 */
+	public function permittedAttrs(): array
+	{
+		if (!$this->hasPermittedAttrs()) {
+			throw new \LogicException('permittedAttrs not set.');
+		}
+		return $this->_permittedAttrs;
+	}
+
+	/**
+	 * Check whether excluded attributes are present.
+	 *
+	 * @return bool
+	 */
+	public function hasExcludedAttrs(): bool
+	{
+		return isset($this->_excludedAttrs);
+	}
+
+	/**
+	 * Get OID's of excluded attributes.
+	 *
+	 * @throws \LogicException If not set
+	 *
+	 * @return string[]
+	 */
+	public function excludedAttrs(): array
+	{
+		if (!$this->hasExcludedAttrs()) {
+			throw new \LogicException('excludedAttrs not set.');
+		}
+		return $this->_excludedAttrs;
+	}
+
+	/**
+	 * Whether to permit attributes that are not explicitly specified in
+	 * neither permitted nor excluded list.
+	 *
+	 * @return bool
+	 */
+	public function permitUnspecified(): bool
+	{
+		return $this->_permitUnSpecified;
+	}
+
+	/**
+	 * {@inheritdoc}
+	 */
+	protected static function _fromDER(string $data, bool $critical): Extension
+	{
+		$seq = UnspecifiedType::fromDER($data)->asSequence();
+		$path_len = null;
+		$permitted = null;
+		$excluded = null;
+		$permit_unspecified = true;
+		$idx = 0;
+		if ($seq->has($idx, Element::TYPE_INTEGER)) {
+			$path_len = $seq->at($idx++)->asInteger()->intNumber();
+		}
+		if ($seq->hasTagged(0)) {
+			$attr_seq = $seq->getTagged(0)->asImplicit(Element::TYPE_SEQUENCE)
+				->asSequence();
+			$permitted = array_map(
+				function (UnspecifiedType $el) {
+					return $el->asObjectIdentifier()->oid();
+				}, $attr_seq->elements());
+			++$idx;
+		}
+		if ($seq->hasTagged(1)) {
+			$attr_seq = $seq->getTagged(1)->asImplicit(Element::TYPE_SEQUENCE)
+				->asSequence();
+			$excluded = array_map(
+				function (UnspecifiedType $el) {
+					return $el->asObjectIdentifier()->oid();
+				}, $attr_seq->elements());
+			++$idx;
+		}
+		if ($seq->has($idx, Element::TYPE_BOOLEAN)) {
+			$permit_unspecified = $seq->at($idx++)->asBoolean()->value();
+		}
+		return new self($critical, $path_len, $permitted, $excluded, $permit_unspecified);
+	}
+
+	/**
+	 * {@inheritdoc}
+	 */
+	protected function _valueASN1(): Element
+	{
+		$elements = [];
+		if (isset($this->_pathLenConstraint)) {
+			$elements[] = new Integer($this->_pathLenConstraint);
+		}
+		if (isset($this->_permittedAttrs)) {
+			$oids = array_map(
+				function ($oid) {
+					return new ObjectIdentifier($oid);
+				}, $this->_permittedAttrs);
+			$elements[] = new ImplicitlyTaggedType(0, new Sequence(...$oids));
+		}
+		if (isset($this->_excludedAttrs)) {
+			$oids = array_map(
+				function ($oid) {
+					return new ObjectIdentifier($oid);
+				}, $this->_excludedAttrs);
+			$elements[] = new ImplicitlyTaggedType(1, new Sequence(...$oids));
+		}
+		if (true !== $this->_permitUnSpecified) {
+			$elements[] = new Boolean(false);
+		}
+		return new Sequence(...$elements);
+	}
 }

lib/X509/Certificate/Extension/BasicConstraintsExtension.php

Indentation +88 added lines, -88 removed lines

@@ -17,99 +17,99 @@
  */
 class BasicConstraintsExtension extends Extension
 {
-    /**
-     * Whether certificate is a CA.
-     *
-     * @var bool
-     */
-    protected $_ca;
+	/**
+	 * Whether certificate is a CA.
+	 *
+	 * @var bool
+	 */
+	protected $_ca;
 
-    /**
-     * Maximum certification path length.
-     *
-     * @var null|int
-     */
-    protected $_pathLen;
+	/**
+	 * Maximum certification path length.
+	 *
+	 * @var null|int
+	 */
+	protected $_pathLen;
 
-    /**
-     * Constructor.
-     *
-     * @param bool     $critical
-     * @param bool     $ca
-     * @param null|int $path_len
-     */
-    public function __construct(bool $critical, bool $ca, ?int $path_len = null)
-    {
-        parent::__construct(self::OID_BASIC_CONSTRAINTS, $critical);
-        $this->_ca = $ca;
-        $this->_pathLen = $path_len;
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param bool     $critical
+	 * @param bool     $ca
+	 * @param null|int $path_len
+	 */
+	public function __construct(bool $critical, bool $ca, ?int $path_len = null)
+	{
+		parent::__construct(self::OID_BASIC_CONSTRAINTS, $critical);
+		$this->_ca = $ca;
+		$this->_pathLen = $path_len;
+	}
 
-    /**
-     * Whether certificate is a CA.
-     *
-     * @return bool
-     */
-    public function isCA(): bool
-    {
-        return $this->_ca;
-    }
+	/**
+	 * Whether certificate is a CA.
+	 *
+	 * @return bool
+	 */
+	public function isCA(): bool
+	{
+		return $this->_ca;
+	}
 
-    /**
-     * Whether path length is present.
-     *
-     * @return bool
-     */
-    public function hasPathLen(): bool
-    {
-        return isset($this->_pathLen);
-    }
+	/**
+	 * Whether path length is present.
+	 *
+	 * @return bool
+	 */
+	public function hasPathLen(): bool
+	{
+		return isset($this->_pathLen);
+	}
 
-    /**
-     * Get path length.
-     *
-     * @throws \LogicException If not set
-     *
-     * @return int
-     */
-    public function pathLen(): int
-    {
-        if (!$this->hasPathLen()) {
-            throw new \LogicException('pathLenConstraint not set.');
-        }
-        return $this->_pathLen;
-    }
+	/**
+	 * Get path length.
+	 *
+	 * @throws \LogicException If not set
+	 *
+	 * @return int
+	 */
+	public function pathLen(): int
+	{
+		if (!$this->hasPathLen()) {
+			throw new \LogicException('pathLenConstraint not set.');
+		}
+		return $this->_pathLen;
+	}
 
-    /**
-     * {@inheritdoc}
-     */
-    protected static function _fromDER(string $data, bool $critical): Extension
-    {
-        $seq = UnspecifiedType::fromDER($data)->asSequence();
-        $ca = false;
-        $path_len = null;
-        $idx = 0;
-        if ($seq->has($idx, Element::TYPE_BOOLEAN)) {
-            $ca = $seq->at($idx++)->asBoolean()->value();
-        }
-        if ($seq->has($idx, Element::TYPE_INTEGER)) {
-            $path_len = $seq->at($idx)->asInteger()->intNumber();
-        }
-        return new self($critical, $ca, $path_len);
-    }
+	/**
+	 * {@inheritdoc}
+	 */
+	protected static function _fromDER(string $data, bool $critical): Extension
+	{
+		$seq = UnspecifiedType::fromDER($data)->asSequence();
+		$ca = false;
+		$path_len = null;
+		$idx = 0;
+		if ($seq->has($idx, Element::TYPE_BOOLEAN)) {
+			$ca = $seq->at($idx++)->asBoolean()->value();
+		}
+		if ($seq->has($idx, Element::TYPE_INTEGER)) {
+			$path_len = $seq->at($idx)->asInteger()->intNumber();
+		}
+		return new self($critical, $ca, $path_len);
+	}
 
-    /**
-     * {@inheritdoc}
-     */
-    protected function _valueASN1(): Element
-    {
-        $elements = [];
-        if ($this->_ca) {
-            $elements[] = new Boolean(true);
-        }
-        if (isset($this->_pathLen)) {
-            $elements[] = new Integer($this->_pathLen);
-        }
-        return new Sequence(...$elements);
-    }
+	/**
+	 * {@inheritdoc}
+	 */
+	protected function _valueASN1(): Element
+	{
+		$elements = [];
+		if ($this->_ca) {
+			$elements[] = new Boolean(true);
+		}
+		if (isset($this->_pathLen)) {
+			$elements[] = new Integer($this->_pathLen);
+		}
+		return new Sequence(...$elements);
+	}
 }

lib/X509/Certificate/CertificateBundle.php

Indentation +211 added lines, -211 removed lines

@@ -12,215 +12,215 @@
  */
 class CertificateBundle implements \Countable, \IteratorAggregate
 {
-    /**
-     * Certificates.
-     *
-     * @var Certificate[]
-     */
-    protected $_certs;
-
-    /**
-     * Mapping from public key id to array of certificates.
-     *
-     * @var null|(Certificate[])[]
-     */
-    private $_keyIdMap;
-
-    /**
-     * Constructor.
-     *
-     * @param Certificate ...$certs Certificate objects
-     */
-    public function __construct(Certificate ...$certs)
-    {
-        $this->_certs = $certs;
-    }
-
-    /**
-     * Reset internal cached variables on clone.
-     */
-    public function __clone()
-    {
-        $this->_keyIdMap = null;
-    }
-
-    /**
-     * Initialize from PEMs.
-     *
-     * @param PEM ...$pems PEM objects
-     *
-     * @return self
-     */
-    public static function fromPEMs(PEM ...$pems): self
-    {
-        $certs = array_map(
-            function ($pem) {
-                return Certificate::fromPEM($pem);
-            }, $pems);
-        return new self(...$certs);
-    }
-
-    /**
-     * Initialize from PEM bundle.
-     *
-     * @param PEMBundle $pem_bundle
-     *
-     * @return self
-     */
-    public static function fromPEMBundle(PEMBundle $pem_bundle): self
-    {
-        return self::fromPEMs(...$pem_bundle->all());
-    }
-
-    /**
-     * Get self with certificates added.
-     *
-     * @param Certificate ...$cert
-     *
-     * @return self
-     */
-    public function withCertificates(Certificate ...$cert): self
-    {
-        $obj = clone $this;
-        $obj->_certs = array_merge($obj->_certs, $cert);
-        return $obj;
-    }
-
-    /**
-     * Get self with certificates from PEMBundle added.
-     *
-     * @param PEMBundle $pem_bundle
-     *
-     * @return self
-     */
-    public function withPEMBundle(PEMBundle $pem_bundle): self
-    {
-        $certs = $this->_certs;
-        foreach ($pem_bundle as $pem) {
-            $certs[] = Certificate::fromPEM($pem);
-        }
-        return new self(...$certs);
-    }
-
-    /**
-     * Get self with single certificate from PEM added.
-     *
-     * @param PEM $pem
-     *
-     * @return self
-     */
-    public function withPEM(PEM $pem): self
-    {
-        $certs = $this->_certs;
-        $certs[] = Certificate::fromPEM($pem);
-        return new self(...$certs);
-    }
-
-    /**
-     * Check whether bundle contains a given certificate.
-     *
-     * @param Certificate $cert
-     *
-     * @return bool
-     */
-    public function contains(Certificate $cert): bool
-    {
-        $id = self::_getCertKeyId($cert);
-        $map = $this->_getKeyIdMap();
-        if (!isset($map[$id])) {
-            return false;
-        }
-        foreach ($map[$id] as $c) {
-            /** @var Certificate $c */
-            if ($cert->equals($c)) {
-                return true;
-            }
-        }
-        return false;
-    }
-
-    /**
-     * Get all certificates that have given subject key identifier.
-     *
-     * @param string $id
-     *
-     * @return Certificate[]
-     */
-    public function allBySubjectKeyIdentifier(string $id): array
-    {
-        $map = $this->_getKeyIdMap();
-        if (!isset($map[$id])) {
-            return [];
-        }
-        return $map[$id];
-    }
-
-    /**
-     * Get all certificates in a bundle.
-     *
-     * @return Certificate[]
-     */
-    public function all(): array
-    {
-        return $this->_certs;
-    }
-
-    /**
-     * @see \Countable::count()
-     *
-     * @return int
-     */
-    public function count(): int
-    {
-        return count($this->_certs);
-    }
-
-    /**
-     * Get iterator for certificates.
-     *
-     * @see \IteratorAggregate::getIterator()
-     *
-     * @return \ArrayIterator
-     */
-    public function getIterator(): \ArrayIterator
-    {
-        return new \ArrayIterator($this->_certs);
-    }
-
-    /**
-     * Get certificate mapping by public key id.
-     *
-     * @return (Certificate[])[]
-     */
-    private function _getKeyIdMap(): array
-    {
-        // lazily build mapping
-        if (!isset($this->_keyIdMap)) {
-            $this->_keyIdMap = [];
-            foreach ($this->_certs as $cert) {
-                $id = self::_getCertKeyId($cert);
-                if (!isset($this->_keyIdMap[$id])) {
-                    $this->_keyIdMap[$id] = [];
-                }
-                array_push($this->_keyIdMap[$id], $cert);
-            }
-        }
-        return $this->_keyIdMap;
-    }
-
-    /**
-     * Get public key id for the certificate.
-     *
-     * @param Certificate $cert
-     *
-     * @return string
-     */
-    private static function _getCertKeyId(Certificate $cert): string
-    {
-        $exts = $cert->tbsCertificate()->extensions();
-        if ($exts->hasSubjectKeyIdentifier()) {
-            return $exts->subjectKeyIdentifier()->keyIdentifier();
-        }
-        return $cert->tbsCertificate()->subjectPublicKeyInfo()->keyIdentifier();
-    }
+	/**
+	 * Certificates.
+	 *
+	 * @var Certificate[]
+	 */
+	protected $_certs;
+
+	/**
+	 * Mapping from public key id to array of certificates.
+	 *
+	 * @var null|(Certificate[])[]
+	 */
+	private $_keyIdMap;
+
+	/**
+	 * Constructor.
+	 *
+	 * @param Certificate ...$certs Certificate objects
+	 */
+	public function __construct(Certificate ...$certs)
+	{
+		$this->_certs = $certs;
+	}
+
+	/**
+	 * Reset internal cached variables on clone.
+	 */
+	public function __clone()
+	{
+		$this->_keyIdMap = null;
+	}
+
+	/**
+	 * Initialize from PEMs.
+	 *
+	 * @param PEM ...$pems PEM objects
+	 *
+	 * @return self
+	 */
+	public static function fromPEMs(PEM ...$pems): self
+	{
+		$certs = array_map(
+			function ($pem) {
+				return Certificate::fromPEM($pem);
+			}, $pems);
+		return new self(...$certs);
+	}
+
+	/**
+	 * Initialize from PEM bundle.
+	 *
+	 * @param PEMBundle $pem_bundle
+	 *
+	 * @return self
+	 */
+	public static function fromPEMBundle(PEMBundle $pem_bundle): self
+	{
+		return self::fromPEMs(...$pem_bundle->all());
+	}
+
+	/**
+	 * Get self with certificates added.
+	 *
+	 * @param Certificate ...$cert
+	 *
+	 * @return self
+	 */
+	public function withCertificates(Certificate ...$cert): self
+	{
+		$obj = clone $this;
+		$obj->_certs = array_merge($obj->_certs, $cert);
+		return $obj;
+	}
+
+	/**
+	 * Get self with certificates from PEMBundle added.
+	 *
+	 * @param PEMBundle $pem_bundle
+	 *
+	 * @return self
+	 */
+	public function withPEMBundle(PEMBundle $pem_bundle): self
+	{
+		$certs = $this->_certs;
+		foreach ($pem_bundle as $pem) {
+			$certs[] = Certificate::fromPEM($pem);
+		}
+		return new self(...$certs);
+	}
+
+	/**
+	 * Get self with single certificate from PEM added.
+	 *
+	 * @param PEM $pem
+	 *
+	 * @return self
+	 */
+	public function withPEM(PEM $pem): self
+	{
+		$certs = $this->_certs;
+		$certs[] = Certificate::fromPEM($pem);
+		return new self(...$certs);
+	}
+
+	/**
+	 * Check whether bundle contains a given certificate.
+	 *
+	 * @param Certificate $cert
+	 *
+	 * @return bool
+	 */
+	public function contains(Certificate $cert): bool
+	{
+		$id = self::_getCertKeyId($cert);
+		$map = $this->_getKeyIdMap();
+		if (!isset($map[$id])) {
+			return false;
+		}
+		foreach ($map[$id] as $c) {
+			/** @var Certificate $c */
+			if ($cert->equals($c)) {
+				return true;
+			}
+		}
+		return false;
+	}
+
+	/**
+	 * Get all certificates that have given subject key identifier.
+	 *
+	 * @param string $id
+	 *
+	 * @return Certificate[]
+	 */
+	public function allBySubjectKeyIdentifier(string $id): array
+	{
+		$map = $this->_getKeyIdMap();
+		if (!isset($map[$id])) {
+			return [];
+		}
+		return $map[$id];
+	}
+
+	/**
+	 * Get all certificates in a bundle.
+	 *
+	 * @return Certificate[]
+	 */
+	public function all(): array
+	{
+		return $this->_certs;
+	}
+
+	/**
+	 * @see \Countable::count()
+	 *
+	 * @return int
+	 */
+	public function count(): int
+	{
+		return count($this->_certs);
+	}
+
+	/**
+	 * Get iterator for certificates.
+	 *
+	 * @see \IteratorAggregate::getIterator()
+	 *
+	 * @return \ArrayIterator
+	 */
+	public function getIterator(): \ArrayIterator
+	{
+		return new \ArrayIterator($this->_certs);
+	}
+
+	/**
+	 * Get certificate mapping by public key id.
+	 *
+	 * @return (Certificate[])[]
+	 */
+	private function _getKeyIdMap(): array
+	{
+		// lazily build mapping
+		if (!isset($this->_keyIdMap)) {
+			$this->_keyIdMap = [];
+			foreach ($this->_certs as $cert) {
+				$id = self::_getCertKeyId($cert);
+				if (!isset($this->_keyIdMap[$id])) {
+					$this->_keyIdMap[$id] = [];
+				}
+				array_push($this->_keyIdMap[$id], $cert);
+			}
+		}
+		return $this->_keyIdMap;
+	}
+
+	/**
+	 * Get public key id for the certificate.
+	 *
+	 * @param Certificate $cert
+	 *
+	 * @return string
+	 */
+	private static function _getCertKeyId(Certificate $cert): string
+	{
+		$exts = $cert->tbsCertificate()->extensions();
+		if ($exts->hasSubjectKeyIdentifier()) {
+			return $exts->subjectKeyIdentifier()->keyIdentifier();
+		}
+		return $cert->tbsCertificate()->subjectPublicKeyInfo()->keyIdentifier();
+	}
 }

lib/X509/Certificate/CertificateChain.php

Indentation +122 added lines, -122 removed lines

@@ -13,136 +13,136 @@
  */
 class CertificateChain implements \Countable, \IteratorAggregate
 {
-    /**
-     * List of certificates in a chain.
-     *
-     * @var Certificate[]
-     */
-    protected $_certs;
+	/**
+	 * List of certificates in a chain.
+	 *
+	 * @var Certificate[]
+	 */
+	protected $_certs;
 
-    /**
-     * Constructor.
-     *
-     * @param Certificate ...$certs List of certificates, end-entity first
-     */
-    public function __construct(Certificate ...$certs)
-    {
-        $this->_certs = $certs;
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param Certificate ...$certs List of certificates, end-entity first
+	 */
+	public function __construct(Certificate ...$certs)
+	{
+		$this->_certs = $certs;
+	}
 
-    /**
-     * Initialize from a list of PEMs.
-     *
-     * @param PEM ...$pems
-     *
-     * @return self
-     */
-    public static function fromPEMs(PEM ...$pems): self
-    {
-        $certs = array_map(
-            function (PEM $pem) {
-                return Certificate::fromPEM($pem);
-            }, $pems);
-        return new self(...$certs);
-    }
+	/**
+	 * Initialize from a list of PEMs.
+	 *
+	 * @param PEM ...$pems
+	 *
+	 * @return self
+	 */
+	public static function fromPEMs(PEM ...$pems): self
+	{
+		$certs = array_map(
+			function (PEM $pem) {
+				return Certificate::fromPEM($pem);
+			}, $pems);
+		return new self(...$certs);
+	}
 
-    /**
-     * Initialize from a string containing multiple PEM blocks.
-     *
-     * @param string $str
-     *
-     * @return self
-     */
-    public static function fromPEMString(string $str): self
-    {
-        $pems = PEMBundle::fromString($str)->all();
-        return self::fromPEMs(...$pems);
-    }
+	/**
+	 * Initialize from a string containing multiple PEM blocks.
+	 *
+	 * @param string $str
+	 *
+	 * @return self
+	 */
+	public static function fromPEMString(string $str): self
+	{
+		$pems = PEMBundle::fromString($str)->all();
+		return self::fromPEMs(...$pems);
+	}
 
-    /**
-     * Get all certificates in a chain ordered from the end-entity certificate
-     * to the trust anchor.
-     *
-     * @return Certificate[]
-     */
-    public function certificates(): array
-    {
-        return $this->_certs;
-    }
+	/**
+	 * Get all certificates in a chain ordered from the end-entity certificate
+	 * to the trust anchor.
+	 *
+	 * @return Certificate[]
+	 */
+	public function certificates(): array
+	{
+		return $this->_certs;
+	}
 
-    /**
-     * Get the end-entity certificate.
-     *
-     * @throws \LogicException
-     *
-     * @return Certificate
-     */
-    public function endEntityCertificate(): Certificate
-    {
-        if (!count($this->_certs)) {
-            throw new \LogicException('No certificates.');
-        }
-        return $this->_certs[0];
-    }
+	/**
+	 * Get the end-entity certificate.
+	 *
+	 * @throws \LogicException
+	 *
+	 * @return Certificate
+	 */
+	public function endEntityCertificate(): Certificate
+	{
+		if (!count($this->_certs)) {
+			throw new \LogicException('No certificates.');
+		}
+		return $this->_certs[0];
+	}
 
-    /**
-     * Get the trust anchor certificate.
-     *
-     * @throws \LogicException
-     *
-     * @return Certificate
-     */
-    public function trustAnchorCertificate(): Certificate
-    {
-        if (!count($this->_certs)) {
-            throw new \LogicException('No certificates.');
-        }
-        return $this->_certs[count($this->_certs) - 1];
-    }
+	/**
+	 * Get the trust anchor certificate.
+	 *
+	 * @throws \LogicException
+	 *
+	 * @return Certificate
+	 */
+	public function trustAnchorCertificate(): Certificate
+	{
+		if (!count($this->_certs)) {
+			throw new \LogicException('No certificates.');
+		}
+		return $this->_certs[count($this->_certs) - 1];
+	}
 
-    /**
-     * Convert certificate chain to certification path.
-     *
-     * @return CertificationPath
-     */
-    public function certificationPath(): CertificationPath
-    {
-        return CertificationPath::fromCertificateChain($this);
-    }
+	/**
+	 * Convert certificate chain to certification path.
+	 *
+	 * @return CertificationPath
+	 */
+	public function certificationPath(): CertificationPath
+	{
+		return CertificationPath::fromCertificateChain($this);
+	}
 
-    /**
-     * Convert certificate chain to string of PEM blocks.
-     *
-     * @return string
-     */
-    public function toPEMString(): string
-    {
-        return implode("\n",
-            array_map(
-                function (Certificate $cert) {
-                    return $cert->toPEM()->string();
-                }, $this->_certs));
-    }
+	/**
+	 * Convert certificate chain to string of PEM blocks.
+	 *
+	 * @return string
+	 */
+	public function toPEMString(): string
+	{
+		return implode("\n",
+			array_map(
+				function (Certificate $cert) {
+					return $cert->toPEM()->string();
+				}, $this->_certs));
+	}
 
-    /**
-     * @see \Countable::count()
-     *
-     * @return int
-     */
-    public function count(): int
-    {
-        return count($this->_certs);
-    }
+	/**
+	 * @see \Countable::count()
+	 *
+	 * @return int
+	 */
+	public function count(): int
+	{
+		return count($this->_certs);
+	}
 
-    /**
-     * Get iterator for certificates.
-     *
-     * @see \IteratorAggregate::getIterator()
-     *
-     * @return \ArrayIterator
-     */
-    public function getIterator(): \ArrayIterator
-    {
-        return new \ArrayIterator($this->_certs);
-    }
+	/**
+	 * Get iterator for certificates.
+	 *
+	 * @see \IteratorAggregate::getIterator()
+	 *
+	 * @return \ArrayIterator
+	 */
+	public function getIterator(): \ArrayIterator
+	{
+		return new \ArrayIterator($this->_certs);
+	}
 }

lib/X509/Certificate/TBSCertificate.php

Indentation +618 added lines, -618 removed lines

@@ -27,622 +27,622 @@
  */
 class TBSCertificate
 {
-    // Certificate version enumerations
-    const VERSION_1 = 0;
-    const VERSION_2 = 1;
-    const VERSION_3 = 2;
-
-    /**
-     * Certificate version.
-     *
-     * @var null|int
-     */
-    protected $_version;
-
-    /**
-     * Serial number.
-     *
-     * @var null|string
-     */
-    protected $_serialNumber;
-
-    /**
-     * Signature algorithm.
-     *
-     * @var null|SignatureAlgorithmIdentifier
-     */
-    protected $_signature;
-
-    /**
-     * Certificate issuer.
-     *
-     * @var Name
-     */
-    protected $_issuer;
-
-    /**
-     * Certificate validity period.
-     *
-     * @var Validity
-     */
-    protected $_validity;
-
-    /**
-     * Certificate subject.
-     *
-     * @var Name
-     */
-    protected $_subject;
-
-    /**
-     * Subject public key.
-     *
-     * @var PublicKeyInfo
-     */
-    protected $_subjectPublicKeyInfo;
-
-    /**
-     * Issuer unique identifier.
-     *
-     * @var null|UniqueIdentifier
-     */
-    protected $_issuerUniqueID;
-
-    /**
-     * Subject unique identifier.
-     *
-     * @var null|UniqueIdentifier
-     */
-    protected $_subjectUniqueID;
-
-    /**
-     * Extensions.
-     *
-     * @var Extensions
-     */
-    protected $_extensions;
-
-    /**
-     * Constructor.
-     *
-     * @param Name          $subject  Certificate subject
-     * @param PublicKeyInfo $pki      Subject public key
-     * @param Name          $issuer   Certificate issuer
-     * @param Validity      $validity Validity period
-     */
-    public function __construct(Name $subject, PublicKeyInfo $pki, Name $issuer,
-        Validity $validity)
-    {
-        $this->_subject = $subject;
-        $this->_subjectPublicKeyInfo = $pki;
-        $this->_issuer = $issuer;
-        $this->_validity = $validity;
-        $this->_extensions = new Extensions();
-    }
-
-    /**
-     * Initialize from ASN.1.
-     *
-     * @param Sequence $seq
-     *
-     * @return self
-     */
-    public static function fromASN1(Sequence $seq): self
-    {
-        $idx = 0;
-        if ($seq->hasTagged(0)) {
-            ++$idx;
-            $version = $seq->getTagged(0)->asExplicit()->asInteger()->intNumber();
-        } else {
-            $version = self::VERSION_1;
-        }
-        $serial = $seq->at($idx++)->asInteger()->number();
-        $algo = AlgorithmIdentifier::fromASN1($seq->at($idx++)->asSequence());
-        if (!$algo instanceof SignatureAlgorithmIdentifier) {
-            throw new \UnexpectedValueException(
-                'Unsupported signature algorithm ' . $algo->name() . '.');
-        }
-        $issuer = Name::fromASN1($seq->at($idx++)->asSequence());
-        $validity = Validity::fromASN1($seq->at($idx++)->asSequence());
-        $subject = Name::fromASN1($seq->at($idx++)->asSequence());
-        $pki = PublicKeyInfo::fromASN1($seq->at($idx++)->asSequence());
-        $tbs_cert = new self($subject, $pki, $issuer, $validity);
-        $tbs_cert->_version = $version;
-        $tbs_cert->_serialNumber = $serial;
-        $tbs_cert->_signature = $algo;
-        if ($seq->hasTagged(1)) {
-            $tbs_cert->_issuerUniqueID = UniqueIdentifier::fromASN1(
-                $seq->getTagged(1)->asImplicit(Element::TYPE_BIT_STRING)
-                    ->asBitString());
-        }
-        if ($seq->hasTagged(2)) {
-            $tbs_cert->_subjectUniqueID = UniqueIdentifier::fromASN1(
-                $seq->getTagged(2)->asImplicit(Element::TYPE_BIT_STRING)
-                    ->asBitString());
-        }
-        if ($seq->hasTagged(3)) {
-            $tbs_cert->_extensions = Extensions::fromASN1(
-                $seq->getTagged(3)->asExplicit()->asSequence());
-        }
-        return $tbs_cert;
-    }
-
-    /**
-     * Initialize from certification request.
-     *
-     * Note that signature is not verified and must be done by the caller.
-     *
-     * @param CertificationRequest $cr
-     *
-     * @return self
-     */
-    public static function fromCSR(CertificationRequest $cr): self
-    {
-        $cri = $cr->certificationRequestInfo();
-        $tbs_cert = new self($cri->subject(), $cri->subjectPKInfo(), new Name(),
-            Validity::fromStrings(null, null));
-        // if CSR has Extension Request attribute
-        if ($cri->hasAttributes()) {
-            $attribs = $cri->attributes();
-            if ($attribs->hasExtensionRequest()) {
-                $tbs_cert = $tbs_cert->withExtensions(
-                    $attribs->extensionRequest()->extensions());
-            }
-        }
-        // add Subject Key Identifier extension
-        return $tbs_cert->withAdditionalExtensions(
-            new SubjectKeyIdentifierExtension(false,
-                $cri->subjectPKInfo()->keyIdentifier()));
-    }
-
-    /**
-     * Get self with fields set from the issuer's certificate.
-     *
-     * Issuer shall be set to issuing certificate's subject.
-     * Authority key identifier extensions shall be added with a key identifier
-     * set to issuing certificate's public key identifier.
-     *
-     * @param Certificate $cert Issuing party's certificate
-     *
-     * @return self
-     */
-    public function withIssuerCertificate(Certificate $cert): self
-    {
-        $obj = clone $this;
-        // set issuer DN from cert's subject
-        $obj->_issuer = $cert->tbsCertificate()->subject();
-        // add authority key identifier extension
-        $key_id = $cert->tbsCertificate()->subjectPublicKeyInfo()->keyIdentifier();
-        $obj->_extensions = $obj->_extensions->withExtensions(
-            new AuthorityKeyIdentifierExtension(false, $key_id));
-        return $obj;
-    }
-
-    /**
-     * Get self with given version.
-     *
-     * If version is not set, appropriate version is automatically
-     * determined during signing.
-     *
-     * @param int $version
-     *
-     * @return self
-     */
-    public function withVersion(int $version): self
-    {
-        $obj = clone $this;
-        $obj->_version = $version;
-        return $obj;
-    }
-
-    /**
-     * Get self with given serial number.
-     *
-     * @param int|string $serial Base 10 number
-     *
-     * @return self
-     */
-    public function withSerialNumber($serial): self
-    {
-        $obj = clone $this;
-        $obj->_serialNumber = strval($serial);
-        return $obj;
-    }
-
-    /**
-     * Get self with random positive serial number.
-     *
-     * @param int $size Number of random bytes
-     *
-     * @return self
-     */
-    public function withRandomSerialNumber(int $size = 16): self
-    {
-        // ensure that first byte is always non-zero and having first bit unset
-        $num = gmp_init(mt_rand(1, 0x7f), 10);
-        for ($i = 1; $i < $size; ++$i) {
-            $num <<= 8;
-            $num += mt_rand(0, 0xff);
-        }
-        return $this->withSerialNumber(gmp_strval($num, 10));
-    }
-
-    /**
-     * Get self with given signature algorithm.
-     *
-     * @param SignatureAlgorithmIdentifier $algo
-     *
-     * @return self
-     */
-    public function withSignature(SignatureAlgorithmIdentifier $algo): self
-    {
-        $obj = clone $this;
-        $obj->_signature = $algo;
-        return $obj;
-    }
-
-    /**
-     * Get self with given issuer.
-     *
-     * @param Name $issuer
-     *
-     * @return self
-     */
-    public function withIssuer(Name $issuer): self
-    {
-        $obj = clone $this;
-        $obj->_issuer = $issuer;
-        return $obj;
-    }
-
-    /**
-     * Get self with given validity.
-     *
-     * @param Validity $validity
-     *
-     * @return self
-     */
-    public function withValidity(Validity $validity): self
-    {
-        $obj = clone $this;
-        $obj->_validity = $validity;
-        return $obj;
-    }
-
-    /**
-     * Get self with given subject.
-     *
-     * @param Name $subject
-     *
-     * @return self
-     */
-    public function withSubject(Name $subject): self
-    {
-        $obj = clone $this;
-        $obj->_subject = $subject;
-        return $obj;
-    }
-
-    /**
-     * Get self with given subject public key info.
-     *
-     * @param PublicKeyInfo $pub_key_info
-     *
-     * @return self
-     */
-    public function withSubjectPublicKeyInfo(PublicKeyInfo $pub_key_info): self
-    {
-        $obj = clone $this;
-        $obj->_subjectPublicKeyInfo = $pub_key_info;
-        return $obj;
-    }
-
-    /**
-     * Get self with issuer unique ID.
-     *
-     * @param UniqueIdentifier $id
-     *
-     * @return self
-     */
-    public function withIssuerUniqueID(UniqueIdentifier $id): self
-    {
-        $obj = clone $this;
-        $obj->_issuerUniqueID = $id;
-        return $obj;
-    }
-
-    /**
-     * Get self with subject unique ID.
-     *
-     * @param UniqueIdentifier $id
-     *
-     * @return self
-     */
-    public function withSubjectUniqueID(UniqueIdentifier $id): self
-    {
-        $obj = clone $this;
-        $obj->_subjectUniqueID = $id;
-        return $obj;
-    }
-
-    /**
-     * Get self with given extensions.
-     *
-     * @param Extensions $extensions
-     *
-     * @return self
-     */
-    public function withExtensions(Extensions $extensions): self
-    {
-        $obj = clone $this;
-        $obj->_extensions = $extensions;
-        return $obj;
-    }
-
-    /**
-     * Get self with extensions added.
-     *
-     * @param Extension ...$exts One or more Extension objects
-     *
-     * @return self
-     */
-    public function withAdditionalExtensions(Extension ...$exts): self
-    {
-        $obj = clone $this;
-        $obj->_extensions = $obj->_extensions->withExtensions(...$exts);
-        return $obj;
-    }
-
-    /**
-     * Check whether version is set.
-     *
-     * @return bool
-     */
-    public function hasVersion(): bool
-    {
-        return isset($this->_version);
-    }
-
-    /**
-     * Get certificate version.
-     *
-     * @throws \LogicException If not set
-     *
-     * @return int
-     */
-    public function version(): int
-    {
-        if (!$this->hasVersion()) {
-            throw new \LogicException('version not set.');
-        }
-        return $this->_version;
-    }
-
-    /**
-     * Check whether serial number is set.
-     *
-     * @return bool
-     */
-    public function hasSerialNumber(): bool
-    {
-        return isset($this->_serialNumber);
-    }
-
-    /**
-     * Get serial number.
-     *
-     * @throws \LogicException If not set
-     *
-     * @return string Base 10 integer
-     */
-    public function serialNumber(): string
-    {
-        if (!$this->hasSerialNumber()) {
-            throw new \LogicException('serialNumber not set.');
-        }
-        return $this->_serialNumber;
-    }
-
-    /**
-     * Check whether signature algorithm is set.
-     *
-     * @return bool
-     */
-    public function hasSignature(): bool
-    {
-        return isset($this->_signature);
-    }
-
-    /**
-     * Get signature algorithm.
-     *
-     * @throws \LogicException If not set
-     *
-     * @return SignatureAlgorithmIdentifier
-     */
-    public function signature(): SignatureAlgorithmIdentifier
-    {
-        if (!$this->hasSignature()) {
-            throw new \LogicException('signature not set.');
-        }
-        return $this->_signature;
-    }
-
-    /**
-     * Get issuer.
-     *
-     * @return Name
-     */
-    public function issuer(): Name
-    {
-        return $this->_issuer;
-    }
-
-    /**
-     * Get validity period.
-     *
-     * @return Validity
-     */
-    public function validity(): Validity
-    {
-        return $this->_validity;
-    }
-
-    /**
-     * Get subject.
-     *
-     * @return Name
-     */
-    public function subject(): Name
-    {
-        return $this->_subject;
-    }
-
-    /**
-     * Get subject public key.
-     *
-     * @return PublicKeyInfo
-     */
-    public function subjectPublicKeyInfo(): PublicKeyInfo
-    {
-        return $this->_subjectPublicKeyInfo;
-    }
-
-    /**
-     * Whether issuer unique identifier is present.
-     *
-     * @return bool
-     */
-    public function hasIssuerUniqueID(): bool
-    {
-        return isset($this->_issuerUniqueID);
-    }
-
-    /**
-     * Get issuerUniqueID.
-     *
-     * @throws \LogicException If not set
-     *
-     * @return UniqueIdentifier
-     */
-    public function issuerUniqueID(): UniqueIdentifier
-    {
-        if (!$this->hasIssuerUniqueID()) {
-            throw new \LogicException('issuerUniqueID not set.');
-        }
-        return $this->_issuerUniqueID;
-    }
-
-    /**
-     * Whether subject unique identifier is present.
-     *
-     * @return bool
-     */
-    public function hasSubjectUniqueID(): bool
-    {
-        return isset($this->_subjectUniqueID);
-    }
-
-    /**
-     * Get subjectUniqueID.
-     *
-     * @throws \LogicException If not set
-     *
-     * @return UniqueIdentifier
-     */
-    public function subjectUniqueID(): UniqueIdentifier
-    {
-        if (!$this->hasSubjectUniqueID()) {
-            throw new \LogicException('subjectUniqueID not set.');
-        }
-        return $this->_subjectUniqueID;
-    }
-
-    /**
-     * Get extensions.
-     *
-     * @return Extensions
-     */
-    public function extensions(): Extensions
-    {
-        return $this->_extensions;
-    }
-
-    /**
-     * Generate ASN.1 structure.
-     *
-     * @return Sequence
-     */
-    public function toASN1(): Sequence
-    {
-        $elements = [];
-        $version = $this->version();
-        // if version is not default
-        if (self::VERSION_1 != $version) {
-            $elements[] = new ExplicitlyTaggedType(0, new Integer($version));
-        }
-        $serial = $this->serialNumber();
-        $signature = $this->signature();
-        // add required elements
-        array_push($elements, new Integer($serial), $signature->toASN1(),
-            $this->_issuer->toASN1(), $this->_validity->toASN1(),
-            $this->_subject->toASN1(), $this->_subjectPublicKeyInfo->toASN1());
-        if (isset($this->_issuerUniqueID)) {
-            $elements[] = new ImplicitlyTaggedType(1,
-                $this->_issuerUniqueID->toASN1());
-        }
-        if (isset($this->_subjectUniqueID)) {
-            $elements[] = new ImplicitlyTaggedType(2,
-                $this->_subjectUniqueID->toASN1());
-        }
-        if (count($this->_extensions)) {
-            $elements[] = new ExplicitlyTaggedType(3,
-                $this->_extensions->toASN1());
-        }
-        return new Sequence(...$elements);
-    }
-
-    /**
-     * Create signed certificate.
-     *
-     * @param SignatureAlgorithmIdentifier $algo         Algorithm used for signing
-     * @param PrivateKeyInfo               $privkey_info Private key used for signing
-     * @param null|Crypto                  $crypto       Crypto engine, use default if not set
-     *
-     * @return Certificate
-     */
-    public function sign(SignatureAlgorithmIdentifier $algo,
-        PrivateKeyInfo $privkey_info, ?Crypto $crypto = null): Certificate
-    {
-        $crypto = $crypto ?? Crypto::getDefault();
-        $tbs_cert = clone $this;
-        if (!isset($tbs_cert->_version)) {
-            $tbs_cert->_version = $tbs_cert->_determineVersion();
-        }
-        if (!isset($tbs_cert->_serialNumber)) {
-            $tbs_cert->_serialNumber = strval(0);
-        }
-        $tbs_cert->_signature = $algo;
-        $data = $tbs_cert->toASN1()->toDER();
-        $signature = $crypto->sign($data, $privkey_info, $algo);
-        return new Certificate($tbs_cert, $algo, $signature);
-    }
-
-    /**
-     * Determine minimum version for the certificate.
-     *
-     * @return int
-     */
-    protected function _determineVersion(): int
-    {
-        // if extensions are present
-        if (count($this->_extensions)) {
-            return self::VERSION_3;
-        }
-        // if UniqueIdentifier is present
-        if (isset($this->_issuerUniqueID) || isset($this->_subjectUniqueID)) {
-            return self::VERSION_2;
-        }
-        return self::VERSION_1;
-    }
+	// Certificate version enumerations
+	const VERSION_1 = 0;
+	const VERSION_2 = 1;
+	const VERSION_3 = 2;
+
+	/**
+	 * Certificate version.
+	 *
+	 * @var null|int
+	 */
+	protected $_version;
+
+	/**
+	 * Serial number.
+	 *
+	 * @var null|string
+	 */
+	protected $_serialNumber;
+
+	/**
+	 * Signature algorithm.
+	 *
+	 * @var null|SignatureAlgorithmIdentifier
+	 */
+	protected $_signature;
+
+	/**
+	 * Certificate issuer.
+	 *
+	 * @var Name
+	 */
+	protected $_issuer;
+
+	/**
+	 * Certificate validity period.
+	 *
+	 * @var Validity
+	 */
+	protected $_validity;
+
+	/**
+	 * Certificate subject.
+	 *
+	 * @var Name
+	 */
+	protected $_subject;
+
+	/**
+	 * Subject public key.
+	 *
+	 * @var PublicKeyInfo
+	 */
+	protected $_subjectPublicKeyInfo;
+
+	/**
+	 * Issuer unique identifier.
+	 *
+	 * @var null|UniqueIdentifier
+	 */
+	protected $_issuerUniqueID;
+
+	/**
+	 * Subject unique identifier.
+	 *
+	 * @var null|UniqueIdentifier
+	 */
+	protected $_subjectUniqueID;
+
+	/**
+	 * Extensions.
+	 *
+	 * @var Extensions
+	 */
+	protected $_extensions;
+
+	/**
+	 * Constructor.
+	 *
+	 * @param Name          $subject  Certificate subject
+	 * @param PublicKeyInfo $pki      Subject public key
+	 * @param Name          $issuer   Certificate issuer
+	 * @param Validity      $validity Validity period
+	 */
+	public function __construct(Name $subject, PublicKeyInfo $pki, Name $issuer,
+		Validity $validity)
+	{
+		$this->_subject = $subject;
+		$this->_subjectPublicKeyInfo = $pki;
+		$this->_issuer = $issuer;
+		$this->_validity = $validity;
+		$this->_extensions = new Extensions();
+	}
+
+	/**
+	 * Initialize from ASN.1.
+	 *
+	 * @param Sequence $seq
+	 *
+	 * @return self
+	 */
+	public static function fromASN1(Sequence $seq): self
+	{
+		$idx = 0;
+		if ($seq->hasTagged(0)) {
+			++$idx;
+			$version = $seq->getTagged(0)->asExplicit()->asInteger()->intNumber();
+		} else {
+			$version = self::VERSION_1;
+		}
+		$serial = $seq->at($idx++)->asInteger()->number();
+		$algo = AlgorithmIdentifier::fromASN1($seq->at($idx++)->asSequence());
+		if (!$algo instanceof SignatureAlgorithmIdentifier) {
+			throw new \UnexpectedValueException(
+				'Unsupported signature algorithm ' . $algo->name() . '.');
+		}
+		$issuer = Name::fromASN1($seq->at($idx++)->asSequence());
+		$validity = Validity::fromASN1($seq->at($idx++)->asSequence());
+		$subject = Name::fromASN1($seq->at($idx++)->asSequence());
+		$pki = PublicKeyInfo::fromASN1($seq->at($idx++)->asSequence());
+		$tbs_cert = new self($subject, $pki, $issuer, $validity);
+		$tbs_cert->_version = $version;
+		$tbs_cert->_serialNumber = $serial;
+		$tbs_cert->_signature = $algo;
+		if ($seq->hasTagged(1)) {
+			$tbs_cert->_issuerUniqueID = UniqueIdentifier::fromASN1(
+				$seq->getTagged(1)->asImplicit(Element::TYPE_BIT_STRING)
+					->asBitString());
+		}
+		if ($seq->hasTagged(2)) {
+			$tbs_cert->_subjectUniqueID = UniqueIdentifier::fromASN1(
+				$seq->getTagged(2)->asImplicit(Element::TYPE_BIT_STRING)
+					->asBitString());
+		}
+		if ($seq->hasTagged(3)) {
+			$tbs_cert->_extensions = Extensions::fromASN1(
+				$seq->getTagged(3)->asExplicit()->asSequence());
+		}
+		return $tbs_cert;
+	}
+
+	/**
+	 * Initialize from certification request.
+	 *
+	 * Note that signature is not verified and must be done by the caller.
+	 *
+	 * @param CertificationRequest $cr
+	 *
+	 * @return self
+	 */
+	public static function fromCSR(CertificationRequest $cr): self
+	{
+		$cri = $cr->certificationRequestInfo();
+		$tbs_cert = new self($cri->subject(), $cri->subjectPKInfo(), new Name(),
+			Validity::fromStrings(null, null));
+		// if CSR has Extension Request attribute
+		if ($cri->hasAttributes()) {
+			$attribs = $cri->attributes();
+			if ($attribs->hasExtensionRequest()) {
+				$tbs_cert = $tbs_cert->withExtensions(
+					$attribs->extensionRequest()->extensions());
+			}
+		}
+		// add Subject Key Identifier extension
+		return $tbs_cert->withAdditionalExtensions(
+			new SubjectKeyIdentifierExtension(false,
+				$cri->subjectPKInfo()->keyIdentifier()));
+	}
+
+	/**
+	 * Get self with fields set from the issuer's certificate.
+	 *
+	 * Issuer shall be set to issuing certificate's subject.
+	 * Authority key identifier extensions shall be added with a key identifier
+	 * set to issuing certificate's public key identifier.
+	 *
+	 * @param Certificate $cert Issuing party's certificate
+	 *
+	 * @return self
+	 */
+	public function withIssuerCertificate(Certificate $cert): self
+	{
+		$obj = clone $this;
+		// set issuer DN from cert's subject
+		$obj->_issuer = $cert->tbsCertificate()->subject();
+		// add authority key identifier extension
+		$key_id = $cert->tbsCertificate()->subjectPublicKeyInfo()->keyIdentifier();
+		$obj->_extensions = $obj->_extensions->withExtensions(
+			new AuthorityKeyIdentifierExtension(false, $key_id));
+		return $obj;
+	}
+
+	/**
+	 * Get self with given version.
+	 *
+	 * If version is not set, appropriate version is automatically
+	 * determined during signing.
+	 *
+	 * @param int $version
+	 *
+	 * @return self
+	 */
+	public function withVersion(int $version): self
+	{
+		$obj = clone $this;
+		$obj->_version = $version;
+		return $obj;
+	}
+
+	/**
+	 * Get self with given serial number.
+	 *
+	 * @param int|string $serial Base 10 number
+	 *
+	 * @return self
+	 */
+	public function withSerialNumber($serial): self
+	{
+		$obj = clone $this;
+		$obj->_serialNumber = strval($serial);
+		return $obj;
+	}
+
+	/**
+	 * Get self with random positive serial number.
+	 *
+	 * @param int $size Number of random bytes
+	 *
+	 * @return self
+	 */
+	public function withRandomSerialNumber(int $size = 16): self
+	{
+		// ensure that first byte is always non-zero and having first bit unset
+		$num = gmp_init(mt_rand(1, 0x7f), 10);
+		for ($i = 1; $i < $size; ++$i) {
+			$num <<= 8;
+			$num += mt_rand(0, 0xff);
+		}
+		return $this->withSerialNumber(gmp_strval($num, 10));
+	}
+
+	/**
+	 * Get self with given signature algorithm.
+	 *
+	 * @param SignatureAlgorithmIdentifier $algo
+	 *
+	 * @return self
+	 */
+	public function withSignature(SignatureAlgorithmIdentifier $algo): self
+	{
+		$obj = clone $this;
+		$obj->_signature = $algo;
+		return $obj;
+	}
+
+	/**
+	 * Get self with given issuer.
+	 *
+	 * @param Name $issuer
+	 *
+	 * @return self
+	 */
+	public function withIssuer(Name $issuer): self
+	{
+		$obj = clone $this;
+		$obj->_issuer = $issuer;
+		return $obj;
+	}
+
+	/**
+	 * Get self with given validity.
+	 *
+	 * @param Validity $validity
+	 *
+	 * @return self
+	 */
+	public function withValidity(Validity $validity): self
+	{
+		$obj = clone $this;
+		$obj->_validity = $validity;
+		return $obj;
+	}
+
+	/**
+	 * Get self with given subject.
+	 *
+	 * @param Name $subject
+	 *
+	 * @return self
+	 */
+	public function withSubject(Name $subject): self
+	{
+		$obj = clone $this;
+		$obj->_subject = $subject;
+		return $obj;
+	}
+
+	/**
+	 * Get self with given subject public key info.
+	 *
+	 * @param PublicKeyInfo $pub_key_info
+	 *
+	 * @return self
+	 */
+	public function withSubjectPublicKeyInfo(PublicKeyInfo $pub_key_info): self
+	{
+		$obj = clone $this;
+		$obj->_subjectPublicKeyInfo = $pub_key_info;
+		return $obj;
+	}
+
+	/**
+	 * Get self with issuer unique ID.
+	 *
+	 * @param UniqueIdentifier $id
+	 *
+	 * @return self
+	 */
+	public function withIssuerUniqueID(UniqueIdentifier $id): self
+	{
+		$obj = clone $this;
+		$obj->_issuerUniqueID = $id;
+		return $obj;
+	}
+
+	/**
+	 * Get self with subject unique ID.
+	 *
+	 * @param UniqueIdentifier $id
+	 *
+	 * @return self
+	 */
+	public function withSubjectUniqueID(UniqueIdentifier $id): self
+	{
+		$obj = clone $this;
+		$obj->_subjectUniqueID = $id;
+		return $obj;
+	}
+
+	/**
+	 * Get self with given extensions.
+	 *
+	 * @param Extensions $extensions
+	 *
+	 * @return self
+	 */
+	public function withExtensions(Extensions $extensions): self
+	{
+		$obj = clone $this;
+		$obj->_extensions = $extensions;
+		return $obj;
+	}
+
+	/**
+	 * Get self with extensions added.
+	 *
+	 * @param Extension ...$exts One or more Extension objects
+	 *
+	 * @return self
+	 */
+	public function withAdditionalExtensions(Extension ...$exts): self
+	{
+		$obj = clone $this;
+		$obj->_extensions = $obj->_extensions->withExtensions(...$exts);
+		return $obj;
+	}
+
+	/**
+	 * Check whether version is set.
+	 *
+	 * @return bool
+	 */
+	public function hasVersion(): bool
+	{
+		return isset($this->_version);
+	}
+
+	/**
+	 * Get certificate version.
+	 *
+	 * @throws \LogicException If not set
+	 *
+	 * @return int
+	 */
+	public function version(): int
+	{
+		if (!$this->hasVersion()) {
+			throw new \LogicException('version not set.');
+		}
+		return $this->_version;
+	}
+
+	/**
+	 * Check whether serial number is set.
+	 *
+	 * @return bool
+	 */
+	public function hasSerialNumber(): bool
+	{
+		return isset($this->_serialNumber);
+	}
+
+	/**
+	 * Get serial number.
+	 *
+	 * @throws \LogicException If not set
+	 *
+	 * @return string Base 10 integer
+	 */
+	public function serialNumber(): string
+	{
+		if (!$this->hasSerialNumber()) {
+			throw new \LogicException('serialNumber not set.');
+		}
+		return $this->_serialNumber;
+	}
+
+	/**
+	 * Check whether signature algorithm is set.
+	 *
+	 * @return bool
+	 */
+	public function hasSignature(): bool
+	{
+		return isset($this->_signature);
+	}
+
+	/**
+	 * Get signature algorithm.
+	 *
+	 * @throws \LogicException If not set
+	 *
+	 * @return SignatureAlgorithmIdentifier
+	 */
+	public function signature(): SignatureAlgorithmIdentifier
+	{
+		if (!$this->hasSignature()) {
+			throw new \LogicException('signature not set.');
+		}
+		return $this->_signature;
+	}
+
+	/**
+	 * Get issuer.
+	 *
+	 * @return Name
+	 */
+	public function issuer(): Name
+	{
+		return $this->_issuer;
+	}
+
+	/**
+	 * Get validity period.
+	 *
+	 * @return Validity
+	 */
+	public function validity(): Validity
+	{
+		return $this->_validity;
+	}
+
+	/**
+	 * Get subject.
+	 *
+	 * @return Name
+	 */
+	public function subject(): Name
+	{
+		return $this->_subject;
+	}
+
+	/**
+	 * Get subject public key.
+	 *
+	 * @return PublicKeyInfo
+	 */
+	public function subjectPublicKeyInfo(): PublicKeyInfo
+	{
+		return $this->_subjectPublicKeyInfo;
+	}
+
+	/**
+	 * Whether issuer unique identifier is present.
+	 *
+	 * @return bool
+	 */
+	public function hasIssuerUniqueID(): bool
+	{
+		return isset($this->_issuerUniqueID);
+	}
+
+	/**
+	 * Get issuerUniqueID.
+	 *
+	 * @throws \LogicException If not set
+	 *
+	 * @return UniqueIdentifier
+	 */
+	public function issuerUniqueID(): UniqueIdentifier
+	{
+		if (!$this->hasIssuerUniqueID()) {
+			throw new \LogicException('issuerUniqueID not set.');
+		}
+		return $this->_issuerUniqueID;
+	}
+
+	/**
+	 * Whether subject unique identifier is present.
+	 *
+	 * @return bool
+	 */
+	public function hasSubjectUniqueID(): bool
+	{
+		return isset($this->_subjectUniqueID);
+	}
+
+	/**
+	 * Get subjectUniqueID.
+	 *
+	 * @throws \LogicException If not set
+	 *
+	 * @return UniqueIdentifier
+	 */
+	public function subjectUniqueID(): UniqueIdentifier
+	{
+		if (!$this->hasSubjectUniqueID()) {
+			throw new \LogicException('subjectUniqueID not set.');
+		}
+		return $this->_subjectUniqueID;
+	}
+
+	/**
+	 * Get extensions.
+	 *
+	 * @return Extensions
+	 */
+	public function extensions(): Extensions
+	{
+		return $this->_extensions;
+	}
+
+	/**
+	 * Generate ASN.1 structure.
+	 *
+	 * @return Sequence
+	 */
+	public function toASN1(): Sequence
+	{
+		$elements = [];
+		$version = $this->version();
+		// if version is not default
+		if (self::VERSION_1 != $version) {
+			$elements[] = new ExplicitlyTaggedType(0, new Integer($version));
+		}
+		$serial = $this->serialNumber();
+		$signature = $this->signature();
+		// add required elements
+		array_push($elements, new Integer($serial), $signature->toASN1(),
+			$this->_issuer->toASN1(), $this->_validity->toASN1(),
+			$this->_subject->toASN1(), $this->_subjectPublicKeyInfo->toASN1());
+		if (isset($this->_issuerUniqueID)) {
+			$elements[] = new ImplicitlyTaggedType(1,
+				$this->_issuerUniqueID->toASN1());
+		}
+		if (isset($this->_subjectUniqueID)) {
+			$elements[] = new ImplicitlyTaggedType(2,
+				$this->_subjectUniqueID->toASN1());
+		}
+		if (count($this->_extensions)) {
+			$elements[] = new ExplicitlyTaggedType(3,
+				$this->_extensions->toASN1());
+		}
+		return new Sequence(...$elements);
+	}
+
+	/**
+	 * Create signed certificate.
+	 *
+	 * @param SignatureAlgorithmIdentifier $algo         Algorithm used for signing
+	 * @param PrivateKeyInfo               $privkey_info Private key used for signing
+	 * @param null|Crypto                  $crypto       Crypto engine, use default if not set
+	 *
+	 * @return Certificate
+	 */
+	public function sign(SignatureAlgorithmIdentifier $algo,
+		PrivateKeyInfo $privkey_info, ?Crypto $crypto = null): Certificate
+	{
+		$crypto = $crypto ?? Crypto::getDefault();
+		$tbs_cert = clone $this;
+		if (!isset($tbs_cert->_version)) {
+			$tbs_cert->_version = $tbs_cert->_determineVersion();
+		}
+		if (!isset($tbs_cert->_serialNumber)) {
+			$tbs_cert->_serialNumber = strval(0);
+		}
+		$tbs_cert->_signature = $algo;
+		$data = $tbs_cert->toASN1()->toDER();
+		$signature = $crypto->sign($data, $privkey_info, $algo);
+		return new Certificate($tbs_cert, $algo, $signature);
+	}
+
+	/**
+	 * Determine minimum version for the certificate.
+	 *
+	 * @return int
+	 */
+	protected function _determineVersion(): int
+	{
+		// if extensions are present
+		if (count($this->_extensions)) {
+			return self::VERSION_3;
+		}
+		// if UniqueIdentifier is present
+		if (isset($this->_issuerUniqueID) || isset($this->_subjectUniqueID)) {
+			return self::VERSION_2;
+		}
+		return self::VERSION_1;
+	}
 }