sop / x509

lib/X509/Certificate/Time.php

Indentation +96 added lines, -96 removed lines

@@ -17,108 +17,108 @@
  */
 class Time
 {
-    use DateTimeHelper;
+	use DateTimeHelper;
 
-    /**
-     * Datetime.
-     *
-     * @var \DateTimeImmutable
-     */
-    protected $_dt;
+	/**
+	 * Datetime.
+	 *
+	 * @var \DateTimeImmutable
+	 */
+	protected $_dt;
 
-    /**
-     * Time ASN.1 type tag.
-     *
-     * @var int
-     */
-    protected $_type;
+	/**
+	 * Time ASN.1 type tag.
+	 *
+	 * @var int
+	 */
+	protected $_type;
 
-    /**
-     * Constructor.
-     *
-     * @param \DateTimeImmutable $dt
-     */
-    public function __construct(\DateTimeImmutable $dt)
-    {
-        $this->_dt = $dt;
-        $this->_type = self::_determineType($dt);
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param \DateTimeImmutable $dt
+	 */
+	public function __construct(\DateTimeImmutable $dt)
+	{
+		$this->_dt = $dt;
+		$this->_type = self::_determineType($dt);
+	}
 
-    /**
-     * Initialize from ASN.1.
-     *
-     * @param TimeType $el
-     *
-     * @return self
-     */
-    public static function fromASN1(TimeType $el): self
-    {
-        $obj = new self($el->dateTime());
-        $obj->_type = $el->tag();
-        return $obj;
-    }
+	/**
+	 * Initialize from ASN.1.
+	 *
+	 * @param TimeType $el
+	 *
+	 * @return self
+	 */
+	public static function fromASN1(TimeType $el): self
+	{
+		$obj = new self($el->dateTime());
+		$obj->_type = $el->tag();
+		return $obj;
+	}
 
-    /**
-     * Initialize from date string.
-     *
-     * @param null|string $time
-     * @param null|string $tz
-     *
-     * @return self
-     */
-    public static function fromString(?string $time, ?string $tz = null): self
-    {
-        return new self(self::_createDateTime($time, $tz));
-    }
+	/**
+	 * Initialize from date string.
+	 *
+	 * @param null|string $time
+	 * @param null|string $tz
+	 *
+	 * @return self
+	 */
+	public static function fromString(?string $time, ?string $tz = null): self
+	{
+		return new self(self::_createDateTime($time, $tz));
+	}
 
-    /**
-     * Get datetime.
-     *
-     * @return \DateTimeImmutable
-     */
-    public function dateTime(): \DateTimeImmutable
-    {
-        return $this->_dt;
-    }
+	/**
+	 * Get datetime.
+	 *
+	 * @return \DateTimeImmutable
+	 */
+	public function dateTime(): \DateTimeImmutable
+	{
+		return $this->_dt;
+	}
 
-    /**
-     * Generate ASN.1.
-     *
-     * @throws \UnexpectedValueException
-     *
-     * @return TimeType
-     */
-    public function toASN1(): TimeType
-    {
-        $dt = $this->_dt;
-        switch ($this->_type) {
-            case Element::TYPE_UTC_TIME:
-                return new UTCTime($dt);
-            case Element::TYPE_GENERALIZED_TIME:
-                // GeneralizedTime must not contain fractional seconds
-                // (rfc5280 4.1.2.5.2)
-                if (0 != $dt->format('u')) {
-                    // remove fractional seconds (round down)
-                    $dt = self::_roundDownFractionalSeconds($dt);
-                }
-                return new GeneralizedTime($dt);
-        }
-        throw new \UnexpectedValueException(
-            'Time type ' . Element::tagToName($this->_type) . ' not supported.');
-    }
+	/**
+	 * Generate ASN.1.
+	 *
+	 * @throws \UnexpectedValueException
+	 *
+	 * @return TimeType
+	 */
+	public function toASN1(): TimeType
+	{
+		$dt = $this->_dt;
+		switch ($this->_type) {
+			case Element::TYPE_UTC_TIME:
+				return new UTCTime($dt);
+			case Element::TYPE_GENERALIZED_TIME:
+				// GeneralizedTime must not contain fractional seconds
+				// (rfc5280 4.1.2.5.2)
+				if (0 != $dt->format('u')) {
+					// remove fractional seconds (round down)
+					$dt = self::_roundDownFractionalSeconds($dt);
+				}
+				return new GeneralizedTime($dt);
+		}
+		throw new \UnexpectedValueException(
+			'Time type ' . Element::tagToName($this->_type) . ' not supported.');
+	}
 
-    /**
-     * Determine whether to use UTCTime or GeneralizedTime ASN.1 type.
-     *
-     * @param \DateTimeImmutable $dt
-     *
-     * @return int Type tag
-     */
-    protected static function _determineType(\DateTimeImmutable $dt): int
-    {
-        if ($dt->format('Y') >= 2050) {
-            return Element::TYPE_GENERALIZED_TIME;
-        }
-        return Element::TYPE_UTC_TIME;
-    }
+	/**
+	 * Determine whether to use UTCTime or GeneralizedTime ASN.1 type.
+	 *
+	 * @param \DateTimeImmutable $dt
+	 *
+	 * @return int Type tag
+	 */
+	protected static function _determineType(\DateTimeImmutable $dt): int
+	{
+		if ($dt->format('Y') >= 2050) {
+			return Element::TYPE_GENERALIZED_TIME;
+		}
+		return Element::TYPE_UTC_TIME;
+	}
 }

lib/X509/CertificationPath/PathBuilding/CertificationPathBuilder.php

Indentation +130 added lines, -130 removed lines

@@ -16,139 +16,139 @@
  */
 class CertificationPathBuilder
 {
-    /**
-     * Trust anchors.
-     *
-     * @var CertificateBundle
-     */
-    protected $_trustList;
+	/**
+	 * Trust anchors.
+	 *
+	 * @var CertificateBundle
+	 */
+	protected $_trustList;
 
-    /**
-     * Constructor.
-     *
-     * @param CertificateBundle $trust_list List of trust anchors
-     */
-    public function __construct(CertificateBundle $trust_list)
-    {
-        $this->_trustList = $trust_list;
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param CertificateBundle $trust_list List of trust anchors
+	 */
+	public function __construct(CertificateBundle $trust_list)
+	{
+		$this->_trustList = $trust_list;
+	}
 
-    /**
-     * Get all certification paths to given target certificate from
-     * any trust anchor.
-     *
-     * @param Certificate            $target       Target certificate
-     * @param null|CertificateBundle $intermediate Optional intermediate certificates
-     *
-     * @return CertificationPath[]
-     */
-    public function allPathsToTarget(Certificate $target,
-        ?CertificateBundle $intermediate = null): array
-    {
-        $paths = $this->_resolvePathsToTarget($target, $intermediate);
-        // map paths to CertificationPath objects
-        return array_map(
-            function ($certs) {
-                return new CertificationPath(...$certs);
-            }, $paths);
-    }
+	/**
+	 * Get all certification paths to given target certificate from
+	 * any trust anchor.
+	 *
+	 * @param Certificate            $target       Target certificate
+	 * @param null|CertificateBundle $intermediate Optional intermediate certificates
+	 *
+	 * @return CertificationPath[]
+	 */
+	public function allPathsToTarget(Certificate $target,
+		?CertificateBundle $intermediate = null): array
+	{
+		$paths = $this->_resolvePathsToTarget($target, $intermediate);
+		// map paths to CertificationPath objects
+		return array_map(
+			function ($certs) {
+				return new CertificationPath(...$certs);
+			}, $paths);
+	}
 
-    /**
-     * Get shortest path to given target certificate from any trust anchor.
-     *
-     * @param Certificate            $target       Target certificate
-     * @param null|CertificateBundle $intermediate Optional intermediate certificates
-     *
-     * @throws PathBuildingException
-     *
-     * @return CertificationPath
-     */
-    public function shortestPathToTarget(Certificate $target,
-        ?CertificateBundle $intermediate = null): CertificationPath
-    {
-        $paths = $this->allPathsToTarget($target, $intermediate);
-        if (!count($paths)) {
-            throw new PathBuildingException('No certification paths.');
-        }
-        usort($paths,
-            function ($a, $b) {
-                return count($a) < count($b) ? -1 : 1;
-            });
-        return reset($paths);
-    }
+	/**
+	 * Get shortest path to given target certificate from any trust anchor.
+	 *
+	 * @param Certificate            $target       Target certificate
+	 * @param null|CertificateBundle $intermediate Optional intermediate certificates
+	 *
+	 * @throws PathBuildingException
+	 *
+	 * @return CertificationPath
+	 */
+	public function shortestPathToTarget(Certificate $target,
+		?CertificateBundle $intermediate = null): CertificationPath
+	{
+		$paths = $this->allPathsToTarget($target, $intermediate);
+		if (!count($paths)) {
+			throw new PathBuildingException('No certification paths.');
+		}
+		usort($paths,
+			function ($a, $b) {
+				return count($a) < count($b) ? -1 : 1;
+			});
+		return reset($paths);
+	}
 
-    /**
-     * Find all issuers of the target certificate from a given bundle.
-     *
-     * @param Certificate       $target Target certificate
-     * @param CertificateBundle $bundle Certificates to search
-     *
-     * @return Certificate[]
-     */
-    protected function _findIssuers(Certificate $target,
-        CertificateBundle $bundle): array
-    {
-        $issuers = [];
-        $issuer_name = $target->tbsCertificate()->issuer();
-        $extensions = $target->tbsCertificate()->extensions();
-        // find by authority key identifier
-        if ($extensions->hasAuthorityKeyIdentifier()) {
-            $ext = $extensions->authorityKeyIdentifier();
-            if ($ext->hasKeyIdentifier()) {
-                foreach ($bundle->allBySubjectKeyIdentifier(
-                    $ext->keyIdentifier()) as $issuer) {
-                    // check that issuer name matches
-                    if ($issuer->tbsCertificate()->subject()->equals($issuer_name)) {
-                        $issuers[] = $issuer;
-                    }
-                }
-            }
-        }
-        return $issuers;
-    }
+	/**
+	 * Find all issuers of the target certificate from a given bundle.
+	 *
+	 * @param Certificate       $target Target certificate
+	 * @param CertificateBundle $bundle Certificates to search
+	 *
+	 * @return Certificate[]
+	 */
+	protected function _findIssuers(Certificate $target,
+		CertificateBundle $bundle): array
+	{
+		$issuers = [];
+		$issuer_name = $target->tbsCertificate()->issuer();
+		$extensions = $target->tbsCertificate()->extensions();
+		// find by authority key identifier
+		if ($extensions->hasAuthorityKeyIdentifier()) {
+			$ext = $extensions->authorityKeyIdentifier();
+			if ($ext->hasKeyIdentifier()) {
+				foreach ($bundle->allBySubjectKeyIdentifier(
+					$ext->keyIdentifier()) as $issuer) {
+					// check that issuer name matches
+					if ($issuer->tbsCertificate()->subject()->equals($issuer_name)) {
+						$issuers[] = $issuer;
+					}
+				}
+			}
+		}
+		return $issuers;
+	}
 
-    /**
-     * Resolve all possible certification paths from any trust anchor to
-     * the target certificate, using optional intermediate certificates.
-     *
-     * Helper method for allPathsToTarget to be called recursively.
-     *
-     * @todo Implement loop detection
-     *
-     * @param Certificate            $target
-     * @param null|CertificateBundle $intermediate
-     *
-     * @return array[] Array of arrays containing path certificates
-     */
-    private function _resolvePathsToTarget(Certificate $target,
-        ?CertificateBundle $intermediate = null): array
-    {
-        // array of possible paths
-        $paths = [];
-        // signed by certificate in the trust list
-        foreach ($this->_findIssuers($target, $this->_trustList) as $issuer) {
-            // if target is self-signed, path consists of only
-            // the target certificate
-            if ($target->equals($issuer)) {
-                $paths[] = [$target];
-            } else {
-                $paths[] = [$issuer, $target];
-            }
-        }
-        if (isset($intermediate)) {
-            // signed by intermediate certificate
-            foreach ($this->_findIssuers($target, $intermediate) as $issuer) {
-                // intermediate certificate must not be self-signed
-                if ($issuer->isSelfIssued()) {
-                    continue;
-                }
-                // resolve paths to issuer
-                $subpaths = $this->_resolvePathsToTarget($issuer, $intermediate);
-                foreach ($subpaths as $path) {
-                    $paths[] = array_merge($path, [$target]);
-                }
-            }
-        }
-        return $paths;
-    }
+	/**
+	 * Resolve all possible certification paths from any trust anchor to
+	 * the target certificate, using optional intermediate certificates.
+	 *
+	 * Helper method for allPathsToTarget to be called recursively.
+	 *
+	 * @todo Implement loop detection
+	 *
+	 * @param Certificate            $target
+	 * @param null|CertificateBundle $intermediate
+	 *
+	 * @return array[] Array of arrays containing path certificates
+	 */
+	private function _resolvePathsToTarget(Certificate $target,
+		?CertificateBundle $intermediate = null): array
+	{
+		// array of possible paths
+		$paths = [];
+		// signed by certificate in the trust list
+		foreach ($this->_findIssuers($target, $this->_trustList) as $issuer) {
+			// if target is self-signed, path consists of only
+			// the target certificate
+			if ($target->equals($issuer)) {
+				$paths[] = [$target];
+			} else {
+				$paths[] = [$issuer, $target];
+			}
+		}
+		if (isset($intermediate)) {
+			// signed by intermediate certificate
+			foreach ($this->_findIssuers($target, $intermediate) as $issuer) {
+				// intermediate certificate must not be self-signed
+				if ($issuer->isSelfIssued()) {
+					continue;
+				}
+				// resolve paths to issuer
+				$subpaths = $this->_resolvePathsToTarget($issuer, $intermediate);
+				foreach ($subpaths as $path) {
+					$paths[] = array_merge($path, [$target]);
+				}
+			}
+		}
+		return $paths;
+	}
 }

lib/X509/CertificationPath/PathValidation/ValidatorState.php

Indentation +496 added lines, -496 removed lines

@@ -20,500 +20,500 @@
  */
 class ValidatorState
 {
-    /**
-     * Length of the certification path (n).
-     *
-     * @var int
-     */
-    protected $_pathLength;
-
-    /**
-     * Current index in the certification path in the range of 1..n (i).
-     *
-     * @var int
-     */
-    protected $_index;
-
-    /**
-     * Valid policy tree (valid_policy_tree).
-     *
-     * A tree of certificate policies with their optional qualifiers.
-     * Each of the leaves of the tree represents a valid policy at this stage in
-     * the certification path validation.
-     * Once the tree is set to NULL, policy processing ceases.
-     *
-     * @var null|PolicyTree
-     */
-    protected $_validPolicyTree;
-
-    /**
-     * Permitted subtrees (permitted_subtrees).
-     *
-     * A set of root names for each name type defining a set of subtrees within
-     * which all subject names in subsequent certificates in the certification
-     * path must fall.
-     *
-     * @var mixed
-     */
-    protected $_permittedSubtrees;
-
-    /**
-     * Excluded subtrees (excluded_subtrees).
-     *
-     * A set of root names for each name type defining a set of subtrees within
-     * which no subject name in subsequent certificates in the certification
-     * path may fall.
-     *
-     * @var mixed
-     */
-    protected $_excludedSubtrees;
-
-    /**
-     * Explicit policy (explicit_policy).
-     *
-     * An integer that indicates if a non-NULL valid_policy_tree is required.
-     *
-     * @var int
-     */
-    protected $_explicitPolicy;
-
-    /**
-     * Inhibit anyPolicy (inhibit_anyPolicy).
-     *
-     * An integer that indicates whether the anyPolicy policy identifier is
-     * considered a match.
-     *
-     * @var int
-     */
-    protected $_inhibitAnyPolicy;
-
-    /**
-     * Policy mapping (policy_mapping).
-     *
-     * An integer that indicates if policy mapping is permitted.
-     *
-     * @var int
-     */
-    protected $_policyMapping;
-
-    /**
-     * Working public key algorithm (working_public_key_algorithm).
-     *
-     * The digital signature algorithm used to verify the signature of a
-     * certificate.
-     *
-     * @var AlgorithmIdentifierType
-     */
-    protected $_workingPublicKeyAlgorithm;
-
-    /**
-     * Working public key (working_public_key).
-     *
-     * The public key used to verify the signature of a certificate.
-     *
-     * @var PublicKeyInfo
-     */
-    protected $_workingPublicKey;
-
-    /**
-     * Working public key parameters (working_public_key_parameters).
-     *
-     * Parameters associated with the current public key that may be required to
-     * verify a signature.
-     *
-     * @var null|Element
-     */
-    protected $_workingPublicKeyParameters;
-
-    /**
-     * Working issuer name (working_issuer_name).
-     *
-     * The issuer distinguished name expected in the next certificate in the
-     * chain.
-     *
-     * @var Name
-     */
-    protected $_workingIssuerName;
-
-    /**
-     * Maximum certification path length (max_path_length).
-     *
-     * @var int
-     */
-    protected $_maxPathLength;
-
-    /**
-     * Constructor.
-     */
-    protected function __construct()
-    {
-    }
-
-    /**
-     * Initialize variables according to RFC 5280 6.1.2.
-     *
-     * @see https://tools.ietf.org/html/rfc5280#section-6.1.2
-     *
-     * @param PathValidationConfig $config
-     * @param Certificate          $trust_anchor Trust anchor certificate
-     * @param int                  $n            Number of certificates
-     *                                           in the certification path
-     *
-     * @return self
-     */
-    public static function initialize(PathValidationConfig $config,
-        Certificate $trust_anchor, int $n): self
-    {
-        $state = new self();
-        $state->_pathLength = $n;
-        $state->_index = 1;
-        $state->_validPolicyTree = new PolicyTree(PolicyNode::anyPolicyNode());
-        $state->_permittedSubtrees = null;
-        $state->_excludedSubtrees = null;
-        $state->_explicitPolicy = $config->explicitPolicy() ? 0 : $n + 1;
-        $state->_inhibitAnyPolicy = $config->anyPolicyInhibit() ? 0 : $n + 1;
-        $state->_policyMapping = $config->policyMappingInhibit() ? 0 : $n + 1;
-        $state->_workingPublicKeyAlgorithm = $trust_anchor->signatureAlgorithm();
-        $tbsCert = $trust_anchor->tbsCertificate();
-        $state->_workingPublicKey = $tbsCert->subjectPublicKeyInfo();
-        $state->_workingPublicKeyParameters = self::getAlgorithmParameters(
-            $state->_workingPublicKey->algorithmIdentifier());
-        $state->_workingIssuerName = $tbsCert->issuer();
-        $state->_maxPathLength = $config->maxLength();
-        return $state;
-    }
-
-    /**
-     * Get self with current certification path index set.
-     *
-     * @param int $index
-     *
-     * @return self
-     */
-    public function withIndex(int $index): self
-    {
-        $state = clone $this;
-        $state->_index = $index;
-        return $state;
-    }
-
-    /**
-     * Get self with valid_policy_tree.
-     *
-     * @param PolicyTree $policy_tree
-     *
-     * @return self
-     */
-    public function withValidPolicyTree(PolicyTree $policy_tree): self
-    {
-        $state = clone $this;
-        $state->_validPolicyTree = $policy_tree;
-        return $state;
-    }
-
-    /**
-     * Get self with valid_policy_tree set to null.
-     *
-     * @return self
-     */
-    public function withoutValidPolicyTree(): self
-    {
-        $state = clone $this;
-        $state->_validPolicyTree = null;
-        return $state;
-    }
-
-    /**
-     * Get self with explicit_policy.
-     *
-     * @param int $num
-     *
-     * @return self
-     */
-    public function withExplicitPolicy(int $num): self
-    {
-        $state = clone $this;
-        $state->_explicitPolicy = $num;
-        return $state;
-    }
-
-    /**
-     * Get self with inhibit_anyPolicy.
-     *
-     * @param int $num
-     *
-     * @return self
-     */
-    public function withInhibitAnyPolicy(int $num): self
-    {
-        $state = clone $this;
-        $state->_inhibitAnyPolicy = $num;
-        return $state;
-    }
-
-    /**
-     * Get self with policy_mapping.
-     *
-     * @param int $num
-     *
-     * @return self
-     */
-    public function withPolicyMapping(int $num): self
-    {
-        $state = clone $this;
-        $state->_policyMapping = $num;
-        return $state;
-    }
-
-    /**
-     * Get self with working_public_key_algorithm.
-     *
-     * @param AlgorithmIdentifierType $algo
-     *
-     * @return self
-     */
-    public function withWorkingPublicKeyAlgorithm(AlgorithmIdentifierType $algo): self
-    {
-        $state = clone $this;
-        $state->_workingPublicKeyAlgorithm = $algo;
-        return $state;
-    }
-
-    /**
-     * Get self with working_public_key.
-     *
-     * @param PublicKeyInfo $pubkey_info
-     *
-     * @return self
-     */
-    public function withWorkingPublicKey(PublicKeyInfo $pubkey_info): self
-    {
-        $state = clone $this;
-        $state->_workingPublicKey = $pubkey_info;
-        return $state;
-    }
-
-    /**
-     * Get self with working_public_key_parameters.
-     *
-     * @param null|Element $params
-     *
-     * @return self
-     */
-    public function withWorkingPublicKeyParameters(?Element $params = null): self
-    {
-        $state = clone $this;
-        $state->_workingPublicKeyParameters = $params;
-        return $state;
-    }
-
-    /**
-     * Get self with working_issuer_name.
-     *
-     * @param Name $issuer
-     *
-     * @return self
-     */
-    public function withWorkingIssuerName(Name $issuer): self
-    {
-        $state = clone $this;
-        $state->_workingIssuerName = $issuer;
-        return $state;
-    }
-
-    /**
-     * Get self with max_path_length.
-     *
-     * @param int $length
-     *
-     * @return self
-     */
-    public function withMaxPathLength(int $length): self
-    {
-        $state = clone $this;
-        $state->_maxPathLength = $length;
-        return $state;
-    }
-
-    /**
-     * Get the certification path length (n).
-     *
-     * @return int
-     */
-    public function pathLength(): int
-    {
-        return $this->_pathLength;
-    }
-
-    /**
-     * Get the current index in certification path in the range of 1..n.
-     *
-     * @return int
-     */
-    public function index(): int
-    {
-        return $this->_index;
-    }
-
-    /**
-     * Check whether valid_policy_tree is present.
-     *
-     * @return bool
-     */
-    public function hasValidPolicyTree(): bool
-    {
-        return isset($this->_validPolicyTree);
-    }
-
-    /**
-     * Get valid_policy_tree.
-     *
-     * @throws \LogicException If not set
-     *
-     * @return PolicyTree
-     */
-    public function validPolicyTree(): PolicyTree
-    {
-        if (!$this->hasValidPolicyTree()) {
-            throw new \LogicException('valid_policy_tree not set.');
-        }
-        return $this->_validPolicyTree;
-    }
-
-    /**
-     * Get permitted_subtrees.
-     *
-     * @return mixed
-     */
-    public function permittedSubtrees()
-    {
-        return $this->_permittedSubtrees;
-    }
-
-    /**
-     * Get excluded_subtrees.
-     *
-     * @return mixed
-     */
-    public function excludedSubtrees()
-    {
-        return $this->_excludedSubtrees;
-    }
-
-    /**
-     * Get explicit_policy.
-     *
-     * @return int
-     */
-    public function explicitPolicy(): int
-    {
-        return $this->_explicitPolicy;
-    }
-
-    /**
-     * Get inhibit_anyPolicy.
-     *
-     * @return int
-     */
-    public function inhibitAnyPolicy(): int
-    {
-        return $this->_inhibitAnyPolicy;
-    }
-
-    /**
-     * Get policy_mapping.
-     *
-     * @return int
-     */
-    public function policyMapping(): int
-    {
-        return $this->_policyMapping;
-    }
-
-    /**
-     * Get working_public_key_algorithm.
-     *
-     * @return AlgorithmIdentifierType
-     */
-    public function workingPublicKeyAlgorithm(): AlgorithmIdentifierType
-    {
-        return $this->_workingPublicKeyAlgorithm;
-    }
-
-    /**
-     * Get working_public_key.
-     *
-     * @return PublicKeyInfo
-     */
-    public function workingPublicKey(): PublicKeyInfo
-    {
-        return $this->_workingPublicKey;
-    }
-
-    /**
-     * Get working_public_key_parameters.
-     *
-     * @return null|Element
-     */
-    public function workingPublicKeyParameters(): ?Element
-    {
-        return $this->_workingPublicKeyParameters;
-    }
-
-    /**
-     * Get working_issuer_name.
-     *
-     * @return Name
-     */
-    public function workingIssuerName(): Name
-    {
-        return $this->_workingIssuerName;
-    }
-
-    /**
-     * Get maximum certification path length.
-     *
-     * @return int
-     */
-    public function maxPathLength(): int
-    {
-        return $this->_maxPathLength;
-    }
-
-    /**
-     * Check whether processing the final certificate of the certification path.
-     *
-     * @return bool
-     */
-    public function isFinal(): bool
-    {
-        return $this->_index === $this->_pathLength;
-    }
-
-    /**
-     * Get the path validation result.
-     *
-     * @param Certificate[] $certificates Certificates in a certification path
-     *
-     * @return PathValidationResult
-     */
-    public function getResult(array $certificates): PathValidationResult
-    {
-        return new PathValidationResult($certificates, $this->_validPolicyTree,
-            $this->_workingPublicKey, $this->_workingPublicKeyAlgorithm,
-            $this->_workingPublicKeyParameters);
-    }
-
-    /**
-     * Get ASN.1 parameters from algorithm identifier.
-     *
-     * @param AlgorithmIdentifierType $algo
-     *
-     * @return null|Element ASN.1 element or null if parameters are omitted
-     */
-    public static function getAlgorithmParameters(AlgorithmIdentifierType $algo): ?Element
-    {
-        $seq = $algo->toASN1();
-        return $seq->has(1) ? $seq->at(1)->asElement() : null;
-    }
+	/**
+	 * Length of the certification path (n).
+	 *
+	 * @var int
+	 */
+	protected $_pathLength;
+
+	/**
+	 * Current index in the certification path in the range of 1..n (i).
+	 *
+	 * @var int
+	 */
+	protected $_index;
+
+	/**
+	 * Valid policy tree (valid_policy_tree).
+	 *
+	 * A tree of certificate policies with their optional qualifiers.
+	 * Each of the leaves of the tree represents a valid policy at this stage in
+	 * the certification path validation.
+	 * Once the tree is set to NULL, policy processing ceases.
+	 *
+	 * @var null|PolicyTree
+	 */
+	protected $_validPolicyTree;
+
+	/**
+	 * Permitted subtrees (permitted_subtrees).
+	 *
+	 * A set of root names for each name type defining a set of subtrees within
+	 * which all subject names in subsequent certificates in the certification
+	 * path must fall.
+	 *
+	 * @var mixed
+	 */
+	protected $_permittedSubtrees;
+
+	/**
+	 * Excluded subtrees (excluded_subtrees).
+	 *
+	 * A set of root names for each name type defining a set of subtrees within
+	 * which no subject name in subsequent certificates in the certification
+	 * path may fall.
+	 *
+	 * @var mixed
+	 */
+	protected $_excludedSubtrees;
+
+	/**
+	 * Explicit policy (explicit_policy).
+	 *
+	 * An integer that indicates if a non-NULL valid_policy_tree is required.
+	 *
+	 * @var int
+	 */
+	protected $_explicitPolicy;
+
+	/**
+	 * Inhibit anyPolicy (inhibit_anyPolicy).
+	 *
+	 * An integer that indicates whether the anyPolicy policy identifier is
+	 * considered a match.
+	 *
+	 * @var int
+	 */
+	protected $_inhibitAnyPolicy;
+
+	/**
+	 * Policy mapping (policy_mapping).
+	 *
+	 * An integer that indicates if policy mapping is permitted.
+	 *
+	 * @var int
+	 */
+	protected $_policyMapping;
+
+	/**
+	 * Working public key algorithm (working_public_key_algorithm).
+	 *
+	 * The digital signature algorithm used to verify the signature of a
+	 * certificate.
+	 *
+	 * @var AlgorithmIdentifierType
+	 */
+	protected $_workingPublicKeyAlgorithm;
+
+	/**
+	 * Working public key (working_public_key).
+	 *
+	 * The public key used to verify the signature of a certificate.
+	 *
+	 * @var PublicKeyInfo
+	 */
+	protected $_workingPublicKey;
+
+	/**
+	 * Working public key parameters (working_public_key_parameters).
+	 *
+	 * Parameters associated with the current public key that may be required to
+	 * verify a signature.
+	 *
+	 * @var null|Element
+	 */
+	protected $_workingPublicKeyParameters;
+
+	/**
+	 * Working issuer name (working_issuer_name).
+	 *
+	 * The issuer distinguished name expected in the next certificate in the
+	 * chain.
+	 *
+	 * @var Name
+	 */
+	protected $_workingIssuerName;
+
+	/**
+	 * Maximum certification path length (max_path_length).
+	 *
+	 * @var int
+	 */
+	protected $_maxPathLength;
+
+	/**
+	 * Constructor.
+	 */
+	protected function __construct()
+	{
+	}
+
+	/**
+	 * Initialize variables according to RFC 5280 6.1.2.
+	 *
+	 * @see https://tools.ietf.org/html/rfc5280#section-6.1.2
+	 *
+	 * @param PathValidationConfig $config
+	 * @param Certificate          $trust_anchor Trust anchor certificate
+	 * @param int                  $n            Number of certificates
+	 *                                           in the certification path
+	 *
+	 * @return self
+	 */
+	public static function initialize(PathValidationConfig $config,
+		Certificate $trust_anchor, int $n): self
+	{
+		$state = new self();
+		$state->_pathLength = $n;
+		$state->_index = 1;
+		$state->_validPolicyTree = new PolicyTree(PolicyNode::anyPolicyNode());
+		$state->_permittedSubtrees = null;
+		$state->_excludedSubtrees = null;
+		$state->_explicitPolicy = $config->explicitPolicy() ? 0 : $n + 1;
+		$state->_inhibitAnyPolicy = $config->anyPolicyInhibit() ? 0 : $n + 1;
+		$state->_policyMapping = $config->policyMappingInhibit() ? 0 : $n + 1;
+		$state->_workingPublicKeyAlgorithm = $trust_anchor->signatureAlgorithm();
+		$tbsCert = $trust_anchor->tbsCertificate();
+		$state->_workingPublicKey = $tbsCert->subjectPublicKeyInfo();
+		$state->_workingPublicKeyParameters = self::getAlgorithmParameters(
+			$state->_workingPublicKey->algorithmIdentifier());
+		$state->_workingIssuerName = $tbsCert->issuer();
+		$state->_maxPathLength = $config->maxLength();
+		return $state;
+	}
+
+	/**
+	 * Get self with current certification path index set.
+	 *
+	 * @param int $index
+	 *
+	 * @return self
+	 */
+	public function withIndex(int $index): self
+	{
+		$state = clone $this;
+		$state->_index = $index;
+		return $state;
+	}
+
+	/**
+	 * Get self with valid_policy_tree.
+	 *
+	 * @param PolicyTree $policy_tree
+	 *
+	 * @return self
+	 */
+	public function withValidPolicyTree(PolicyTree $policy_tree): self
+	{
+		$state = clone $this;
+		$state->_validPolicyTree = $policy_tree;
+		return $state;
+	}
+
+	/**
+	 * Get self with valid_policy_tree set to null.
+	 *
+	 * @return self
+	 */
+	public function withoutValidPolicyTree(): self
+	{
+		$state = clone $this;
+		$state->_validPolicyTree = null;
+		return $state;
+	}
+
+	/**
+	 * Get self with explicit_policy.
+	 *
+	 * @param int $num
+	 *
+	 * @return self
+	 */
+	public function withExplicitPolicy(int $num): self
+	{
+		$state = clone $this;
+		$state->_explicitPolicy = $num;
+		return $state;
+	}
+
+	/**
+	 * Get self with inhibit_anyPolicy.
+	 *
+	 * @param int $num
+	 *
+	 * @return self
+	 */
+	public function withInhibitAnyPolicy(int $num): self
+	{
+		$state = clone $this;
+		$state->_inhibitAnyPolicy = $num;
+		return $state;
+	}
+
+	/**
+	 * Get self with policy_mapping.
+	 *
+	 * @param int $num
+	 *
+	 * @return self
+	 */
+	public function withPolicyMapping(int $num): self
+	{
+		$state = clone $this;
+		$state->_policyMapping = $num;
+		return $state;
+	}
+
+	/**
+	 * Get self with working_public_key_algorithm.
+	 *
+	 * @param AlgorithmIdentifierType $algo
+	 *
+	 * @return self
+	 */
+	public function withWorkingPublicKeyAlgorithm(AlgorithmIdentifierType $algo): self
+	{
+		$state = clone $this;
+		$state->_workingPublicKeyAlgorithm = $algo;
+		return $state;
+	}
+
+	/**
+	 * Get self with working_public_key.
+	 *
+	 * @param PublicKeyInfo $pubkey_info
+	 *
+	 * @return self
+	 */
+	public function withWorkingPublicKey(PublicKeyInfo $pubkey_info): self
+	{
+		$state = clone $this;
+		$state->_workingPublicKey = $pubkey_info;
+		return $state;
+	}
+
+	/**
+	 * Get self with working_public_key_parameters.
+	 *
+	 * @param null|Element $params
+	 *
+	 * @return self
+	 */
+	public function withWorkingPublicKeyParameters(?Element $params = null): self
+	{
+		$state = clone $this;
+		$state->_workingPublicKeyParameters = $params;
+		return $state;
+	}
+
+	/**
+	 * Get self with working_issuer_name.
+	 *
+	 * @param Name $issuer
+	 *
+	 * @return self
+	 */
+	public function withWorkingIssuerName(Name $issuer): self
+	{
+		$state = clone $this;
+		$state->_workingIssuerName = $issuer;
+		return $state;
+	}
+
+	/**
+	 * Get self with max_path_length.
+	 *
+	 * @param int $length
+	 *
+	 * @return self
+	 */
+	public function withMaxPathLength(int $length): self
+	{
+		$state = clone $this;
+		$state->_maxPathLength = $length;
+		return $state;
+	}
+
+	/**
+	 * Get the certification path length (n).
+	 *
+	 * @return int
+	 */
+	public function pathLength(): int
+	{
+		return $this->_pathLength;
+	}
+
+	/**
+	 * Get the current index in certification path in the range of 1..n.
+	 *
+	 * @return int
+	 */
+	public function index(): int
+	{
+		return $this->_index;
+	}
+
+	/**
+	 * Check whether valid_policy_tree is present.
+	 *
+	 * @return bool
+	 */
+	public function hasValidPolicyTree(): bool
+	{
+		return isset($this->_validPolicyTree);
+	}
+
+	/**
+	 * Get valid_policy_tree.
+	 *
+	 * @throws \LogicException If not set
+	 *
+	 * @return PolicyTree
+	 */
+	public function validPolicyTree(): PolicyTree
+	{
+		if (!$this->hasValidPolicyTree()) {
+			throw new \LogicException('valid_policy_tree not set.');
+		}
+		return $this->_validPolicyTree;
+	}
+
+	/**
+	 * Get permitted_subtrees.
+	 *
+	 * @return mixed
+	 */
+	public function permittedSubtrees()
+	{
+		return $this->_permittedSubtrees;
+	}
+
+	/**
+	 * Get excluded_subtrees.
+	 *
+	 * @return mixed
+	 */
+	public function excludedSubtrees()
+	{
+		return $this->_excludedSubtrees;
+	}
+
+	/**
+	 * Get explicit_policy.
+	 *
+	 * @return int
+	 */
+	public function explicitPolicy(): int
+	{
+		return $this->_explicitPolicy;
+	}
+
+	/**
+	 * Get inhibit_anyPolicy.
+	 *
+	 * @return int
+	 */
+	public function inhibitAnyPolicy(): int
+	{
+		return $this->_inhibitAnyPolicy;
+	}
+
+	/**
+	 * Get policy_mapping.
+	 *
+	 * @return int
+	 */
+	public function policyMapping(): int
+	{
+		return $this->_policyMapping;
+	}
+
+	/**
+	 * Get working_public_key_algorithm.
+	 *
+	 * @return AlgorithmIdentifierType
+	 */
+	public function workingPublicKeyAlgorithm(): AlgorithmIdentifierType
+	{
+		return $this->_workingPublicKeyAlgorithm;
+	}
+
+	/**
+	 * Get working_public_key.
+	 *
+	 * @return PublicKeyInfo
+	 */
+	public function workingPublicKey(): PublicKeyInfo
+	{
+		return $this->_workingPublicKey;
+	}
+
+	/**
+	 * Get working_public_key_parameters.
+	 *
+	 * @return null|Element
+	 */
+	public function workingPublicKeyParameters(): ?Element
+	{
+		return $this->_workingPublicKeyParameters;
+	}
+
+	/**
+	 * Get working_issuer_name.
+	 *
+	 * @return Name
+	 */
+	public function workingIssuerName(): Name
+	{
+		return $this->_workingIssuerName;
+	}
+
+	/**
+	 * Get maximum certification path length.
+	 *
+	 * @return int
+	 */
+	public function maxPathLength(): int
+	{
+		return $this->_maxPathLength;
+	}
+
+	/**
+	 * Check whether processing the final certificate of the certification path.
+	 *
+	 * @return bool
+	 */
+	public function isFinal(): bool
+	{
+		return $this->_index === $this->_pathLength;
+	}
+
+	/**
+	 * Get the path validation result.
+	 *
+	 * @param Certificate[] $certificates Certificates in a certification path
+	 *
+	 * @return PathValidationResult
+	 */
+	public function getResult(array $certificates): PathValidationResult
+	{
+		return new PathValidationResult($certificates, $this->_validPolicyTree,
+			$this->_workingPublicKey, $this->_workingPublicKeyAlgorithm,
+			$this->_workingPublicKeyParameters);
+	}
+
+	/**
+	 * Get ASN.1 parameters from algorithm identifier.
+	 *
+	 * @param AlgorithmIdentifierType $algo
+	 *
+	 * @return null|Element ASN.1 element or null if parameters are omitted
+	 */
+	public static function getAlgorithmParameters(AlgorithmIdentifierType $algo): ?Element
+	{
+		$seq = $algo->toASN1();
+		return $seq->has(1) ? $seq->at(1)->asElement() : null;
+	}
 }

lib/X509/CertificationPath/PathValidation/PathValidationResult.php

Indentation +70 added lines, -70 removed lines

@@ -18,81 +18,81 @@
  */
 class PathValidationResult
 {
-    /**
-     * Certificates in a certification path.
-     *
-     * @var Certificate[]
-     */
-    protected $_certificates;
+	/**
+	 * Certificates in a certification path.
+	 *
+	 * @var Certificate[]
+	 */
+	protected $_certificates;
 
-    /**
-     * Valid policy tree.
-     *
-     * @var null|PolicyTree
-     */
-    protected $_policyTree;
+	/**
+	 * Valid policy tree.
+	 *
+	 * @var null|PolicyTree
+	 */
+	protected $_policyTree;
 
-    /**
-     * End-entity certificate's public key.
-     *
-     * @var PublicKeyInfo
-     */
-    protected $_publicKeyInfo;
+	/**
+	 * End-entity certificate's public key.
+	 *
+	 * @var PublicKeyInfo
+	 */
+	protected $_publicKeyInfo;
 
-    /**
-     * Public key algorithm.
-     *
-     * @var AlgorithmIdentifierType
-     */
-    protected $_publicKeyAlgo;
+	/**
+	 * Public key algorithm.
+	 *
+	 * @var AlgorithmIdentifierType
+	 */
+	protected $_publicKeyAlgo;
 
-    /**
-     * Public key parameters.
-     *
-     * @var null|Element
-     */
-    protected $_publicKeyParameters;
+	/**
+	 * Public key parameters.
+	 *
+	 * @var null|Element
+	 */
+	protected $_publicKeyParameters;
 
-    /**
-     * Constructor.
-     *
-     * @param Certificate[]           $certificates Certificates in a certification path
-     * @param null|PolicyTree         $policy_tree  Valid policy tree
-     * @param PublicKeyInfo           $pubkey_info  Public key of the end-entity certificate
-     * @param AlgorithmIdentifierType $algo         Public key algorithm of the end-entity certificate
-     * @param null|Element            $params       Algorithm parameters
-     */
-    public function __construct(array $certificates, ?PolicyTree $policy_tree,
-        PublicKeyInfo $pubkey_info, AlgorithmIdentifierType $algo,
-        ?Element $params = null)
-    {
-        $this->_certificates = array_values($certificates);
-        $this->_policyTree = $policy_tree;
-        $this->_publicKeyInfo = $pubkey_info;
-        $this->_publicKeyAlgo = $algo;
-        $this->_publicKeyParameters = $params;
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param Certificate[]           $certificates Certificates in a certification path
+	 * @param null|PolicyTree         $policy_tree  Valid policy tree
+	 * @param PublicKeyInfo           $pubkey_info  Public key of the end-entity certificate
+	 * @param AlgorithmIdentifierType $algo         Public key algorithm of the end-entity certificate
+	 * @param null|Element            $params       Algorithm parameters
+	 */
+	public function __construct(array $certificates, ?PolicyTree $policy_tree,
+		PublicKeyInfo $pubkey_info, AlgorithmIdentifierType $algo,
+		?Element $params = null)
+	{
+		$this->_certificates = array_values($certificates);
+		$this->_policyTree = $policy_tree;
+		$this->_publicKeyInfo = $pubkey_info;
+		$this->_publicKeyAlgo = $algo;
+		$this->_publicKeyParameters = $params;
+	}
 
-    /**
-     * Get end-entity certificate.
-     *
-     * @return Certificate
-     */
-    public function certificate(): Certificate
-    {
-        return $this->_certificates[count($this->_certificates) - 1];
-    }
+	/**
+	 * Get end-entity certificate.
+	 *
+	 * @return Certificate
+	 */
+	public function certificate(): Certificate
+	{
+		return $this->_certificates[count($this->_certificates) - 1];
+	}
 
-    /**
-     * Get certificate policies of the end-entity certificate.
-     *
-     * @return PolicyInformation[]
-     */
-    public function policies(): array
-    {
-        if (!$this->_policyTree) {
-            return [];
-        }
-        return $this->_policyTree->policiesAtDepth(count($this->_certificates));
-    }
+	/**
+	 * Get certificate policies of the end-entity certificate.
+	 *
+	 * @return PolicyInformation[]
+	 */
+	public function policies(): array
+	{
+		if (!$this->_policyTree) {
+			return [];
+		}
+		return $this->_policyTree->policiesAtDepth(count($this->_certificates));
+	}
 }

lib/X509/CertificationPath/PathValidation/PathValidationConfig.php

Indentation +253 added lines, -253 removed lines

@@ -14,282 +14,282 @@
  */
 class PathValidationConfig
 {
-    /**
-     * Maximum allowed certification path length.
-     *
-     * @var int
-     */
-    protected $_maxLength;
+	/**
+	 * Maximum allowed certification path length.
+	 *
+	 * @var int
+	 */
+	protected $_maxLength;
 
-    /**
-     * Reference time.
-     *
-     * @var \DateTimeImmutable
-     */
-    protected $_dateTime;
+	/**
+	 * Reference time.
+	 *
+	 * @var \DateTimeImmutable
+	 */
+	protected $_dateTime;
 
-    /**
-     * List of acceptable policy identifiers.
-     *
-     * @var string[]
-     */
-    protected $_policySet;
+	/**
+	 * List of acceptable policy identifiers.
+	 *
+	 * @var string[]
+	 */
+	protected $_policySet;
 
-    /**
-     * Trust anchor certificate.
-     *
-     * If not set, path validation uses the first certificate of the path.
-     *
-     * @var null|Certificate
-     */
-    protected $_trustAnchor;
+	/**
+	 * Trust anchor certificate.
+	 *
+	 * If not set, path validation uses the first certificate of the path.
+	 *
+	 * @var null|Certificate
+	 */
+	protected $_trustAnchor;
 
-    /**
-     * Whether policy mapping in inhibited.
-     *
-     * Setting this to true disallows policy mapping.
-     *
-     * @var bool
-     */
-    protected $_policyMappingInhibit;
+	/**
+	 * Whether policy mapping in inhibited.
+	 *
+	 * Setting this to true disallows policy mapping.
+	 *
+	 * @var bool
+	 */
+	protected $_policyMappingInhibit;
 
-    /**
-     * Whether the path must be valid for at least one policy in the
-     * initial policy set.
-     *
-     * @var bool
-     */
-    protected $_explicitPolicy;
+	/**
+	 * Whether the path must be valid for at least one policy in the
+	 * initial policy set.
+	 *
+	 * @var bool
+	 */
+	protected $_explicitPolicy;
 
-    /**
-     * Whether anyPolicy OID processing should be inhibited.
-     *
-     * Setting this to true disallows the usage of anyPolicy.
-     *
-     * @var bool
-     */
-    protected $_anyPolicyInhibit;
+	/**
+	 * Whether anyPolicy OID processing should be inhibited.
+	 *
+	 * Setting this to true disallows the usage of anyPolicy.
+	 *
+	 * @var bool
+	 */
+	protected $_anyPolicyInhibit;
 
-    /**
-     * @todo Implement
-     *
-     * @var mixed
-     */
-    protected $_permittedSubtrees;
+	/**
+	 * @todo Implement
+	 *
+	 * @var mixed
+	 */
+	protected $_permittedSubtrees;
 
-    /**
-     * @todo Implement
-     *
-     * @var mixed
-     */
-    protected $_excludedSubtrees;
+	/**
+	 * @todo Implement
+	 *
+	 * @var mixed
+	 */
+	protected $_excludedSubtrees;
 
-    /**
-     * Constructor.
-     *
-     * @param \DateTimeImmutable $dt         Reference date and time
-     * @param int                $max_length Maximum certification path length
-     */
-    public function __construct(\DateTimeImmutable $dt, int $max_length)
-    {
-        $this->_dateTime = $dt;
-        $this->_maxLength = $max_length;
-        $this->_policySet = [PolicyInformation::OID_ANY_POLICY];
-        $this->_policyMappingInhibit = false;
-        $this->_explicitPolicy = false;
-        $this->_anyPolicyInhibit = false;
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param \DateTimeImmutable $dt         Reference date and time
+	 * @param int                $max_length Maximum certification path length
+	 */
+	public function __construct(\DateTimeImmutable $dt, int $max_length)
+	{
+		$this->_dateTime = $dt;
+		$this->_maxLength = $max_length;
+		$this->_policySet = [PolicyInformation::OID_ANY_POLICY];
+		$this->_policyMappingInhibit = false;
+		$this->_explicitPolicy = false;
+		$this->_anyPolicyInhibit = false;
+	}
 
-    /**
-     * Get default configuration.
-     *
-     * @return self
-     */
-    public static function defaultConfig(): self
-    {
-        return new self(new \DateTimeImmutable(), 3);
-    }
+	/**
+	 * Get default configuration.
+	 *
+	 * @return self
+	 */
+	public static function defaultConfig(): self
+	{
+		return new self(new \DateTimeImmutable(), 3);
+	}
 
-    /**
-     * Get self with maximum path length.
-     *
-     * @param int $length
-     *
-     * @return self
-     */
-    public function withMaxLength(int $length): self
-    {
-        $obj = clone $this;
-        $obj->_maxLength = $length;
-        return $obj;
-    }
+	/**
+	 * Get self with maximum path length.
+	 *
+	 * @param int $length
+	 *
+	 * @return self
+	 */
+	public function withMaxLength(int $length): self
+	{
+		$obj = clone $this;
+		$obj->_maxLength = $length;
+		return $obj;
+	}
 
-    /**
-     * Get self with reference date and time.
-     *
-     * @param \DateTimeImmutable $dt
-     *
-     * @return self
-     */
-    public function withDateTime(\DateTimeImmutable $dt): self
-    {
-        $obj = clone $this;
-        $obj->_dateTime = $dt;
-        return $obj;
-    }
+	/**
+	 * Get self with reference date and time.
+	 *
+	 * @param \DateTimeImmutable $dt
+	 *
+	 * @return self
+	 */
+	public function withDateTime(\DateTimeImmutable $dt): self
+	{
+		$obj = clone $this;
+		$obj->_dateTime = $dt;
+		return $obj;
+	}
 
-    /**
-     * Get self with trust anchor certificate.
-     *
-     * @param Certificate $ca
-     *
-     * @return self
-     */
-    public function withTrustAnchor(Certificate $ca): self
-    {
-        $obj = clone $this;
-        $obj->_trustAnchor = $ca;
-        return $obj;
-    }
+	/**
+	 * Get self with trust anchor certificate.
+	 *
+	 * @param Certificate $ca
+	 *
+	 * @return self
+	 */
+	public function withTrustAnchor(Certificate $ca): self
+	{
+		$obj = clone $this;
+		$obj->_trustAnchor = $ca;
+		return $obj;
+	}
 
-    /**
-     * Get self with initial-policy-mapping-inhibit set.
-     *
-     * @param bool $flag
-     *
-     * @return self
-     */
-    public function withPolicyMappingInhibit(bool $flag): self
-    {
-        $obj = clone $this;
-        $obj->_policyMappingInhibit = $flag;
-        return $obj;
-    }
+	/**
+	 * Get self with initial-policy-mapping-inhibit set.
+	 *
+	 * @param bool $flag
+	 *
+	 * @return self
+	 */
+	public function withPolicyMappingInhibit(bool $flag): self
+	{
+		$obj = clone $this;
+		$obj->_policyMappingInhibit = $flag;
+		return $obj;
+	}
 
-    /**
-     * Get self with initial-explicit-policy set.
-     *
-     * @param bool $flag
-     *
-     * @return self
-     */
-    public function withExplicitPolicy(bool $flag): self
-    {
-        $obj = clone $this;
-        $obj->_explicitPolicy = $flag;
-        return $obj;
-    }
+	/**
+	 * Get self with initial-explicit-policy set.
+	 *
+	 * @param bool $flag
+	 *
+	 * @return self
+	 */
+	public function withExplicitPolicy(bool $flag): self
+	{
+		$obj = clone $this;
+		$obj->_explicitPolicy = $flag;
+		return $obj;
+	}
 
-    /**
-     * Get self with initial-any-policy-inhibit set.
-     *
-     * @param bool $flag
-     *
-     * @return self
-     */
-    public function withAnyPolicyInhibit(bool $flag): self
-    {
-        $obj = clone $this;
-        $obj->_anyPolicyInhibit = $flag;
-        return $obj;
-    }
+	/**
+	 * Get self with initial-any-policy-inhibit set.
+	 *
+	 * @param bool $flag
+	 *
+	 * @return self
+	 */
+	public function withAnyPolicyInhibit(bool $flag): self
+	{
+		$obj = clone $this;
+		$obj->_anyPolicyInhibit = $flag;
+		return $obj;
+	}
 
-    /**
-     * Get self with user-initial-policy-set set to policy OIDs.
-     *
-     * @param string ...$policies List of policy OIDs
-     *
-     * @return self
-     */
-    public function withPolicySet(string ...$policies): self
-    {
-        $obj = clone $this;
-        $obj->_policySet = $policies;
-        return $obj;
-    }
+	/**
+	 * Get self with user-initial-policy-set set to policy OIDs.
+	 *
+	 * @param string ...$policies List of policy OIDs
+	 *
+	 * @return self
+	 */
+	public function withPolicySet(string ...$policies): self
+	{
+		$obj = clone $this;
+		$obj->_policySet = $policies;
+		return $obj;
+	}
 
-    /**
-     * Get maximum certification path length.
-     *
-     * @return int
-     */
-    public function maxLength(): int
-    {
-        return $this->_maxLength;
-    }
+	/**
+	 * Get maximum certification path length.
+	 *
+	 * @return int
+	 */
+	public function maxLength(): int
+	{
+		return $this->_maxLength;
+	}
 
-    /**
-     * Get reference date and time.
-     *
-     * @return \DateTimeImmutable
-     */
-    public function dateTime(): \DateTimeImmutable
-    {
-        return $this->_dateTime;
-    }
+	/**
+	 * Get reference date and time.
+	 *
+	 * @return \DateTimeImmutable
+	 */
+	public function dateTime(): \DateTimeImmutable
+	{
+		return $this->_dateTime;
+	}
 
-    /**
-     * Get user-initial-policy-set.
-     *
-     * @return string[] Array of OID's
-     */
-    public function policySet(): array
-    {
-        return $this->_policySet;
-    }
+	/**
+	 * Get user-initial-policy-set.
+	 *
+	 * @return string[] Array of OID's
+	 */
+	public function policySet(): array
+	{
+		return $this->_policySet;
+	}
 
-    /**
-     * Check whether trust anchor certificate is set.
-     *
-     * @return bool
-     */
-    public function hasTrustAnchor(): bool
-    {
-        return isset($this->_trustAnchor);
-    }
+	/**
+	 * Check whether trust anchor certificate is set.
+	 *
+	 * @return bool
+	 */
+	public function hasTrustAnchor(): bool
+	{
+		return isset($this->_trustAnchor);
+	}
 
-    /**
-     * Get trust anchor certificate.
-     *
-     * @throws \LogicException If not set
-     *
-     * @return Certificate
-     */
-    public function trustAnchor(): Certificate
-    {
-        if (!$this->hasTrustAnchor()) {
-            throw new \LogicException('No trust anchor.');
-        }
-        return $this->_trustAnchor;
-    }
+	/**
+	 * Get trust anchor certificate.
+	 *
+	 * @throws \LogicException If not set
+	 *
+	 * @return Certificate
+	 */
+	public function trustAnchor(): Certificate
+	{
+		if (!$this->hasTrustAnchor()) {
+			throw new \LogicException('No trust anchor.');
+		}
+		return $this->_trustAnchor;
+	}
 
-    /**
-     * Get initial-policy-mapping-inhibit.
-     *
-     * @return bool
-     */
-    public function policyMappingInhibit(): bool
-    {
-        return $this->_policyMappingInhibit;
-    }
+	/**
+	 * Get initial-policy-mapping-inhibit.
+	 *
+	 * @return bool
+	 */
+	public function policyMappingInhibit(): bool
+	{
+		return $this->_policyMappingInhibit;
+	}
 
-    /**
-     * Get initial-explicit-policy.
-     *
-     * @return bool
-     */
-    public function explicitPolicy(): bool
-    {
-        return $this->_explicitPolicy;
-    }
+	/**
+	 * Get initial-explicit-policy.
+	 *
+	 * @return bool
+	 */
+	public function explicitPolicy(): bool
+	{
+		return $this->_explicitPolicy;
+	}
 
-    /**
-     * Get initial-any-policy-inhibit.
-     *
-     * @return bool
-     */
-    public function anyPolicyInhibit(): bool
-    {
-        return $this->_anyPolicyInhibit;
-    }
+	/**
+	 * Get initial-any-policy-inhibit.
+	 *
+	 * @return bool
+	 */
+	public function anyPolicyInhibit(): bool
+	{
+		return $this->_anyPolicyInhibit;
+	}
 }

lib/X509/CertificationPath/PathValidation/PathValidator.php

Indentation +568 added lines, -568 removed lines

@@ -17,599 +17,599 @@
  */
 class PathValidator
 {
-    /**
-     * Crypto engine.
-     *
-     * @var Crypto
-     */
-    protected $_crypto;
+	/**
+	 * Crypto engine.
+	 *
+	 * @var Crypto
+	 */
+	protected $_crypto;
 
-    /**
-     * Path validation configuration.
-     *
-     * @var PathValidationConfig
-     */
-    protected $_config;
+	/**
+	 * Path validation configuration.
+	 *
+	 * @var PathValidationConfig
+	 */
+	protected $_config;
 
-    /**
-     * Certification path.
-     *
-     * @var Certificate[]
-     */
-    protected $_certificates;
+	/**
+	 * Certification path.
+	 *
+	 * @var Certificate[]
+	 */
+	protected $_certificates;
 
-    /**
-     * Certification path trust anchor.
-     *
-     * @var Certificate
-     */
-    protected $_trustAnchor;
+	/**
+	 * Certification path trust anchor.
+	 *
+	 * @var Certificate
+	 */
+	protected $_trustAnchor;
 
-    /**
-     * Constructor.
-     *
-     * @param Crypto               $crypto          Crypto engine
-     * @param PathValidationConfig $config          Validation config
-     * @param Certificate          ...$certificates Certificates from the trust anchor to
-     *                                              the end-entity certificate
-     */
-    public function __construct(Crypto $crypto, PathValidationConfig $config,
-        Certificate ...$certificates)
-    {
-        if (!count($certificates)) {
-            throw new \LogicException('No certificates.');
-        }
-        $this->_crypto = $crypto;
-        $this->_config = $config;
-        $this->_certificates = $certificates;
-        // if trust anchor is explicitly given in configuration
-        if ($config->hasTrustAnchor()) {
-            $this->_trustAnchor = $config->trustAnchor();
-        } else {
-            $this->_trustAnchor = $certificates[0];
-        }
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param Crypto               $crypto          Crypto engine
+	 * @param PathValidationConfig $config          Validation config
+	 * @param Certificate          ...$certificates Certificates from the trust anchor to
+	 *                                              the end-entity certificate
+	 */
+	public function __construct(Crypto $crypto, PathValidationConfig $config,
+		Certificate ...$certificates)
+	{
+		if (!count($certificates)) {
+			throw new \LogicException('No certificates.');
+		}
+		$this->_crypto = $crypto;
+		$this->_config = $config;
+		$this->_certificates = $certificates;
+		// if trust anchor is explicitly given in configuration
+		if ($config->hasTrustAnchor()) {
+			$this->_trustAnchor = $config->trustAnchor();
+		} else {
+			$this->_trustAnchor = $certificates[0];
+		}
+	}
 
-    /**
-     * Validate certification path.
-     *
-     * @throws PathValidationException
-     *
-     * @return PathValidationResult
-     */
-    public function validate(): PathValidationResult
-    {
-        $n = count($this->_certificates);
-        $state = ValidatorState::initialize(
-            $this->_config, $this->_trustAnchor, $n);
-        for ($i = 0; $i < $n; ++$i) {
-            $state = $state->withIndex($i + 1);
-            $cert = $this->_certificates[$i];
-            // process certificate (section 6.1.3.)
-            $state = $this->_processCertificate($state, $cert);
-            if (!$state->isFinal()) {
-                // prepare next certificate (section 6.1.4.)
-                $state = $this->_prepareNext($state, $cert);
-            }
-        }
-        if (!isset($cert)) {
-            throw new \LogicException('No certificates.');
-        }
-        // wrap-up (section 6.1.5.)
-        $state = $this->_wrapUp($state, $cert);
-        // return outputs
-        return $state->getResult($this->_certificates);
-    }
+	/**
+	 * Validate certification path.
+	 *
+	 * @throws PathValidationException
+	 *
+	 * @return PathValidationResult
+	 */
+	public function validate(): PathValidationResult
+	{
+		$n = count($this->_certificates);
+		$state = ValidatorState::initialize(
+			$this->_config, $this->_trustAnchor, $n);
+		for ($i = 0; $i < $n; ++$i) {
+			$state = $state->withIndex($i + 1);
+			$cert = $this->_certificates[$i];
+			// process certificate (section 6.1.3.)
+			$state = $this->_processCertificate($state, $cert);
+			if (!$state->isFinal()) {
+				// prepare next certificate (section 6.1.4.)
+				$state = $this->_prepareNext($state, $cert);
+			}
+		}
+		if (!isset($cert)) {
+			throw new \LogicException('No certificates.');
+		}
+		// wrap-up (section 6.1.5.)
+		$state = $this->_wrapUp($state, $cert);
+		// return outputs
+		return $state->getResult($this->_certificates);
+	}
 
-    /**
-     * Apply basic certificate processing according to RFC 5280 section 6.1.3.
-     *
-     * @see https://tools.ietf.org/html/rfc5280#section-6.1.3
-     *
-     * @param ValidatorState $state
-     * @param Certificate    $cert
-     *
-     * @throws PathValidationException
-     *
-     * @return ValidatorState
-     */
-    private function _processCertificate(ValidatorState $state,
-        Certificate $cert): ValidatorState
-    {
-        // (a.1) verify signature
-        $this->_verifySignature($state, $cert);
-        // (a.2) check validity period
-        $this->_checkValidity($cert);
-        // (a.3) check that certificate is not revoked
-        $this->_checkRevocation($cert);
-        // (a.4) check issuer
-        $this->_checkIssuer($state, $cert);
-        // (b)(c) if certificate is self-issued and it is not
-        // the final certificate in the path, skip this step
-        if (!($cert->isSelfIssued() && !$state->isFinal())) {
-            // (b) check permitted subtrees
-            $this->_checkPermittedSubtrees($state, $cert);
-            // (c) check excluded subtrees
-            $this->_checkExcludedSubtrees($state, $cert);
-        }
-        $extensions = $cert->tbsCertificate()->extensions();
-        if ($extensions->hasCertificatePolicies()) {
-            // (d) process policy information
-            if ($state->hasValidPolicyTree()) {
-                $state = $state->validPolicyTree()->processPolicies($state, $cert);
-            }
-        } else {
-            // (e) certificate policies extension not present,
-            // set the valid_policy_tree to NULL
-            $state = $state->withoutValidPolicyTree();
-        }
-        // (f) check that explicit_policy > 0 or valid_policy_tree is set
-        if (!($state->explicitPolicy() > 0 || $state->hasValidPolicyTree())) {
-            throw new PathValidationException('No valid policies.');
-        }
-        return $state;
-    }
+	/**
+	 * Apply basic certificate processing according to RFC 5280 section 6.1.3.
+	 *
+	 * @see https://tools.ietf.org/html/rfc5280#section-6.1.3
+	 *
+	 * @param ValidatorState $state
+	 * @param Certificate    $cert
+	 *
+	 * @throws PathValidationException
+	 *
+	 * @return ValidatorState
+	 */
+	private function _processCertificate(ValidatorState $state,
+		Certificate $cert): ValidatorState
+	{
+		// (a.1) verify signature
+		$this->_verifySignature($state, $cert);
+		// (a.2) check validity period
+		$this->_checkValidity($cert);
+		// (a.3) check that certificate is not revoked
+		$this->_checkRevocation($cert);
+		// (a.4) check issuer
+		$this->_checkIssuer($state, $cert);
+		// (b)(c) if certificate is self-issued and it is not
+		// the final certificate in the path, skip this step
+		if (!($cert->isSelfIssued() && !$state->isFinal())) {
+			// (b) check permitted subtrees
+			$this->_checkPermittedSubtrees($state, $cert);
+			// (c) check excluded subtrees
+			$this->_checkExcludedSubtrees($state, $cert);
+		}
+		$extensions = $cert->tbsCertificate()->extensions();
+		if ($extensions->hasCertificatePolicies()) {
+			// (d) process policy information
+			if ($state->hasValidPolicyTree()) {
+				$state = $state->validPolicyTree()->processPolicies($state, $cert);
+			}
+		} else {
+			// (e) certificate policies extension not present,
+			// set the valid_policy_tree to NULL
+			$state = $state->withoutValidPolicyTree();
+		}
+		// (f) check that explicit_policy > 0 or valid_policy_tree is set
+		if (!($state->explicitPolicy() > 0 || $state->hasValidPolicyTree())) {
+			throw new PathValidationException('No valid policies.');
+		}
+		return $state;
+	}
 
-    /**
-     * Apply preparation for the certificate i+1 according to rfc5280 section
-     * 6.1.4.
-     *
-     * @see https://tools.ietf.org/html/rfc5280#section-6.1.4
-     *
-     * @param ValidatorState $state
-     * @param Certificate    $cert
-     *
-     * @return ValidatorState
-     */
-    private function _prepareNext(ValidatorState $state,
-        Certificate $cert): ValidatorState
-    {
-        // (a)(b) if policy mappings extension is present
-        $state = $this->_preparePolicyMappings($state, $cert);
-        // (c) assign working_issuer_name
-        $state = $state->withWorkingIssuerName(
-            $cert->tbsCertificate()->subject());
-        // (d)(e)(f)
-        $state = $this->_setPublicKeyState($state, $cert);
-        // (g) if name constraints extension is present
-        $state = $this->_prepareNameConstraints($state, $cert);
-        // (h) if certificate is not self-issued
-        if (!$cert->isSelfIssued()) {
-            $state = $this->_prepareNonSelfIssued($state);
-        }
-        // (i) if policy constraints extension is present
-        $state = $this->_preparePolicyConstraints($state, $cert);
-        // (j) if inhibit any policy extension is present
-        $state = $this->_prepareInhibitAnyPolicy($state, $cert);
-        // (k) check basic constraints
-        $this->_processBasicContraints($cert);
-        // (l) verify max_path_length
-        $state = $this->_verifyMaxPathLength($state, $cert);
-        // (m) check pathLenContraint
-        $state = $this->_processPathLengthContraint($state, $cert);
-        // (n) check key usage
-        $this->_checkKeyUsage($cert);
-        // (o) process relevant extensions
-        return $this->_processExtensions($state, $cert);
-    }
+	/**
+	 * Apply preparation for the certificate i+1 according to rfc5280 section
+	 * 6.1.4.
+	 *
+	 * @see https://tools.ietf.org/html/rfc5280#section-6.1.4
+	 *
+	 * @param ValidatorState $state
+	 * @param Certificate    $cert
+	 *
+	 * @return ValidatorState
+	 */
+	private function _prepareNext(ValidatorState $state,
+		Certificate $cert): ValidatorState
+	{
+		// (a)(b) if policy mappings extension is present
+		$state = $this->_preparePolicyMappings($state, $cert);
+		// (c) assign working_issuer_name
+		$state = $state->withWorkingIssuerName(
+			$cert->tbsCertificate()->subject());
+		// (d)(e)(f)
+		$state = $this->_setPublicKeyState($state, $cert);
+		// (g) if name constraints extension is present
+		$state = $this->_prepareNameConstraints($state, $cert);
+		// (h) if certificate is not self-issued
+		if (!$cert->isSelfIssued()) {
+			$state = $this->_prepareNonSelfIssued($state);
+		}
+		// (i) if policy constraints extension is present
+		$state = $this->_preparePolicyConstraints($state, $cert);
+		// (j) if inhibit any policy extension is present
+		$state = $this->_prepareInhibitAnyPolicy($state, $cert);
+		// (k) check basic constraints
+		$this->_processBasicContraints($cert);
+		// (l) verify max_path_length
+		$state = $this->_verifyMaxPathLength($state, $cert);
+		// (m) check pathLenContraint
+		$state = $this->_processPathLengthContraint($state, $cert);
+		// (n) check key usage
+		$this->_checkKeyUsage($cert);
+		// (o) process relevant extensions
+		return $this->_processExtensions($state, $cert);
+	}
 
-    /**
-     * Apply wrap-up procedure according to RFC 5280 section 6.1.5.
-     *
-     * @see https://tools.ietf.org/html/rfc5280#section-6.1.5
-     *
-     * @param ValidatorState $state
-     * @param Certificate    $cert
-     *
-     * @throws PathValidationException
-     *
-     * @return ValidatorState
-     */
-    private function _wrapUp(ValidatorState $state,
-        Certificate $cert): ValidatorState
-    {
-        $tbs_cert = $cert->tbsCertificate();
-        $extensions = $tbs_cert->extensions();
-        // (a)
-        if ($state->explicitPolicy() > 0) {
-            $state = $state->withExplicitPolicy($state->explicitPolicy() - 1);
-        }
-        // (b)
-        if ($extensions->hasPolicyConstraints()) {
-            $ext = $extensions->policyConstraints();
-            if ($ext->hasRequireExplicitPolicy() &&
-                0 === $ext->requireExplicitPolicy()) {
-                $state = $state->withExplicitPolicy(0);
-            }
-        }
-        // (c)(d)(e)
-        $state = $this->_setPublicKeyState($state, $cert);
-        // (f) process relevant extensions
-        $state = $this->_processExtensions($state, $cert);
-        // (g) intersection of valid_policy_tree and the initial-policy-set
-        $state = $this->_calculatePolicyIntersection($state);
-        // check that explicit_policy > 0 or valid_policy_tree is set
-        if (!($state->explicitPolicy() > 0 || $state->hasValidPolicyTree())) {
-            throw new PathValidationException('No valid policies.');
-        }
-        // path validation succeeded
-        return $state;
-    }
+	/**
+	 * Apply wrap-up procedure according to RFC 5280 section 6.1.5.
+	 *
+	 * @see https://tools.ietf.org/html/rfc5280#section-6.1.5
+	 *
+	 * @param ValidatorState $state
+	 * @param Certificate    $cert
+	 *
+	 * @throws PathValidationException
+	 *
+	 * @return ValidatorState
+	 */
+	private function _wrapUp(ValidatorState $state,
+		Certificate $cert): ValidatorState
+	{
+		$tbs_cert = $cert->tbsCertificate();
+		$extensions = $tbs_cert->extensions();
+		// (a)
+		if ($state->explicitPolicy() > 0) {
+			$state = $state->withExplicitPolicy($state->explicitPolicy() - 1);
+		}
+		// (b)
+		if ($extensions->hasPolicyConstraints()) {
+			$ext = $extensions->policyConstraints();
+			if ($ext->hasRequireExplicitPolicy() &&
+				0 === $ext->requireExplicitPolicy()) {
+				$state = $state->withExplicitPolicy(0);
+			}
+		}
+		// (c)(d)(e)
+		$state = $this->_setPublicKeyState($state, $cert);
+		// (f) process relevant extensions
+		$state = $this->_processExtensions($state, $cert);
+		// (g) intersection of valid_policy_tree and the initial-policy-set
+		$state = $this->_calculatePolicyIntersection($state);
+		// check that explicit_policy > 0 or valid_policy_tree is set
+		if (!($state->explicitPolicy() > 0 || $state->hasValidPolicyTree())) {
+			throw new PathValidationException('No valid policies.');
+		}
+		// path validation succeeded
+		return $state;
+	}
 
-    /**
-     * Update working_public_key, working_public_key_parameters and
-     * working_public_key_algorithm state variables from certificate.
-     *
-     * @param ValidatorState $state
-     * @param Certificate    $cert
-     *
-     * @return ValidatorState
-     */
-    private function _setPublicKeyState(ValidatorState $state,
-        Certificate $cert): ValidatorState
-    {
-        $pk_info = $cert->tbsCertificate()->subjectPublicKeyInfo();
-        // assign working_public_key
-        $state = $state->withWorkingPublicKey($pk_info);
-        // assign working_public_key_parameters
-        $params = ValidatorState::getAlgorithmParameters(
-            $pk_info->algorithmIdentifier());
-        if (null !== $params) {
-            $state = $state->withWorkingPublicKeyParameters($params);
-        } else {
-            // if algorithms differ, set parameters to null
-            if ($pk_info->algorithmIdentifier()->oid() !==
-                    $state->workingPublicKeyAlgorithm()->oid()) {
-                $state = $state->withWorkingPublicKeyParameters(null);
-            }
-        }
-        // assign working_public_key_algorithm
-        return $state->withWorkingPublicKeyAlgorithm(
-            $pk_info->algorithmIdentifier());
-    }
+	/**
+	 * Update working_public_key, working_public_key_parameters and
+	 * working_public_key_algorithm state variables from certificate.
+	 *
+	 * @param ValidatorState $state
+	 * @param Certificate    $cert
+	 *
+	 * @return ValidatorState
+	 */
+	private function _setPublicKeyState(ValidatorState $state,
+		Certificate $cert): ValidatorState
+	{
+		$pk_info = $cert->tbsCertificate()->subjectPublicKeyInfo();
+		// assign working_public_key
+		$state = $state->withWorkingPublicKey($pk_info);
+		// assign working_public_key_parameters
+		$params = ValidatorState::getAlgorithmParameters(
+			$pk_info->algorithmIdentifier());
+		if (null !== $params) {
+			$state = $state->withWorkingPublicKeyParameters($params);
+		} else {
+			// if algorithms differ, set parameters to null
+			if ($pk_info->algorithmIdentifier()->oid() !==
+					$state->workingPublicKeyAlgorithm()->oid()) {
+				$state = $state->withWorkingPublicKeyParameters(null);
+			}
+		}
+		// assign working_public_key_algorithm
+		return $state->withWorkingPublicKeyAlgorithm(
+			$pk_info->algorithmIdentifier());
+	}
 
-    /**
-     * Verify certificate signature.
-     *
-     * @param ValidatorState $state
-     * @param Certificate    $cert
-     *
-     * @throws PathValidationException
-     */
-    private function _verifySignature(ValidatorState $state,
-        Certificate $cert): void
-    {
-        try {
-            $valid = $cert->verify($state->workingPublicKey(), $this->_crypto);
-        } catch (\RuntimeException $e) {
-            throw new PathValidationException(
-                'Failed to verify signature: ' . $e->getMessage(), 0, $e);
-        }
-        if (!$valid) {
-            throw new PathValidationException(
-                "Certificate signature doesn't match.");
-        }
-    }
+	/**
+	 * Verify certificate signature.
+	 *
+	 * @param ValidatorState $state
+	 * @param Certificate    $cert
+	 *
+	 * @throws PathValidationException
+	 */
+	private function _verifySignature(ValidatorState $state,
+		Certificate $cert): void
+	{
+		try {
+			$valid = $cert->verify($state->workingPublicKey(), $this->_crypto);
+		} catch (\RuntimeException $e) {
+			throw new PathValidationException(
+				'Failed to verify signature: ' . $e->getMessage(), 0, $e);
+		}
+		if (!$valid) {
+			throw new PathValidationException(
+				"Certificate signature doesn't match.");
+		}
+	}
 
-    /**
-     * Check certificate validity.
-     *
-     * @param Certificate $cert
-     *
-     * @throws PathValidationException
-     */
-    private function _checkValidity(Certificate $cert): void
-    {
-        $refdt = $this->_config->dateTime();
-        $validity = $cert->tbsCertificate()->validity();
-        if ($validity->notBefore()->dateTime()->diff($refdt)->invert) {
-            throw new PathValidationException(
-                'Certificate validity period has not started.');
-        }
-        if ($refdt->diff($validity->notAfter()->dateTime())->invert) {
-            throw new PathValidationException('Certificate has expired.');
-        }
-    }
+	/**
+	 * Check certificate validity.
+	 *
+	 * @param Certificate $cert
+	 *
+	 * @throws PathValidationException
+	 */
+	private function _checkValidity(Certificate $cert): void
+	{
+		$refdt = $this->_config->dateTime();
+		$validity = $cert->tbsCertificate()->validity();
+		if ($validity->notBefore()->dateTime()->diff($refdt)->invert) {
+			throw new PathValidationException(
+				'Certificate validity period has not started.');
+		}
+		if ($refdt->diff($validity->notAfter()->dateTime())->invert) {
+			throw new PathValidationException('Certificate has expired.');
+		}
+	}
 
-    /**
-     * Check certificate revocation.
-     *
-     * @param Certificate $cert
-     */
-    private function _checkRevocation(Certificate $cert)
-    {
-        // @todo Implement CRL handling
-    }
+	/**
+	 * Check certificate revocation.
+	 *
+	 * @param Certificate $cert
+	 */
+	private function _checkRevocation(Certificate $cert)
+	{
+		// @todo Implement CRL handling
+	}
 
-    /**
-     * Check certificate issuer.
-     *
-     * @param ValidatorState $state
-     * @param Certificate    $cert
-     *
-     * @throws PathValidationException
-     */
-    private function _checkIssuer(ValidatorState $state, Certificate $cert): void
-    {
-        if (!$cert->tbsCertificate()->issuer()->equals($state->workingIssuerName())) {
-            throw new PathValidationException('Certification issuer mismatch.');
-        }
-    }
+	/**
+	 * Check certificate issuer.
+	 *
+	 * @param ValidatorState $state
+	 * @param Certificate    $cert
+	 *
+	 * @throws PathValidationException
+	 */
+	private function _checkIssuer(ValidatorState $state, Certificate $cert): void
+	{
+		if (!$cert->tbsCertificate()->issuer()->equals($state->workingIssuerName())) {
+			throw new PathValidationException('Certification issuer mismatch.');
+		}
+	}
 
-    /**
-     * @param ValidatorState $state
-     * @param Certificate    $cert
-     */
-    private function _checkPermittedSubtrees(ValidatorState $state, Certificate $cert)
-    {
-        // @todo Implement
-        $state->permittedSubtrees();
-    }
+	/**
+	 * @param ValidatorState $state
+	 * @param Certificate    $cert
+	 */
+	private function _checkPermittedSubtrees(ValidatorState $state, Certificate $cert)
+	{
+		// @todo Implement
+		$state->permittedSubtrees();
+	}
 
-    /**
-     * @param ValidatorState $state
-     * @param Certificate    $cert
-     */
-    private function _checkExcludedSubtrees(ValidatorState $state, Certificate $cert)
-    {
-        // @todo Implement
-        $state->excludedSubtrees();
-    }
+	/**
+	 * @param ValidatorState $state
+	 * @param Certificate    $cert
+	 */
+	private function _checkExcludedSubtrees(ValidatorState $state, Certificate $cert)
+	{
+		// @todo Implement
+		$state->excludedSubtrees();
+	}
 
-    /**
-     * Apply policy mappings handling for the preparation step.
-     *
-     * @param ValidatorState $state
-     * @param Certificate    $cert
-     *
-     * @throws PathValidationException
-     *
-     * @return ValidatorState
-     */
-    private function _preparePolicyMappings(ValidatorState $state,
-        Certificate $cert): ValidatorState
-    {
-        $extensions = $cert->tbsCertificate()->extensions();
-        if ($extensions->hasPolicyMappings()) {
-            // (a) verify that anyPolicy mapping is not used
-            if ($extensions->policyMappings()->hasAnyPolicyMapping()) {
-                throw new PathValidationException('anyPolicy mapping found.');
-            }
-            // (b) process policy mappings
-            if ($state->hasValidPolicyTree()) {
-                $state = $state->validPolicyTree()->processMappings($state, $cert);
-            }
-        }
-        return $state;
-    }
+	/**
+	 * Apply policy mappings handling for the preparation step.
+	 *
+	 * @param ValidatorState $state
+	 * @param Certificate    $cert
+	 *
+	 * @throws PathValidationException
+	 *
+	 * @return ValidatorState
+	 */
+	private function _preparePolicyMappings(ValidatorState $state,
+		Certificate $cert): ValidatorState
+	{
+		$extensions = $cert->tbsCertificate()->extensions();
+		if ($extensions->hasPolicyMappings()) {
+			// (a) verify that anyPolicy mapping is not used
+			if ($extensions->policyMappings()->hasAnyPolicyMapping()) {
+				throw new PathValidationException('anyPolicy mapping found.');
+			}
+			// (b) process policy mappings
+			if ($state->hasValidPolicyTree()) {
+				$state = $state->validPolicyTree()->processMappings($state, $cert);
+			}
+		}
+		return $state;
+	}
 
-    /**
-     * Apply name constraints handling for the preparation step.
-     *
-     * @param ValidatorState $state
-     * @param Certificate    $cert
-     *
-     * @return ValidatorState
-     */
-    private function _prepareNameConstraints(ValidatorState $state,
-        Certificate $cert): ValidatorState
-    {
-        $extensions = $cert->tbsCertificate()->extensions();
-        if ($extensions->hasNameConstraints()) {
-            $state = $this->_processNameConstraints($state, $cert);
-        }
-        return $state;
-    }
+	/**
+	 * Apply name constraints handling for the preparation step.
+	 *
+	 * @param ValidatorState $state
+	 * @param Certificate    $cert
+	 *
+	 * @return ValidatorState
+	 */
+	private function _prepareNameConstraints(ValidatorState $state,
+		Certificate $cert): ValidatorState
+	{
+		$extensions = $cert->tbsCertificate()->extensions();
+		if ($extensions->hasNameConstraints()) {
+			$state = $this->_processNameConstraints($state, $cert);
+		}
+		return $state;
+	}
 
-    /**
-     * Apply preparation for a non-self-signed certificate.
-     *
-     * @param ValidatorState $state
-     *
-     * @return ValidatorState
-     */
-    private function _prepareNonSelfIssued(ValidatorState $state): ValidatorState
-    {
-        // (h.1)
-        if ($state->explicitPolicy() > 0) {
-            $state = $state->withExplicitPolicy($state->explicitPolicy() - 1);
-        }
-        // (h.2)
-        if ($state->policyMapping() > 0) {
-            $state = $state->withPolicyMapping($state->policyMapping() - 1);
-        }
-        // (h.3)
-        if ($state->inhibitAnyPolicy() > 0) {
-            $state = $state->withInhibitAnyPolicy($state->inhibitAnyPolicy() - 1);
-        }
-        return $state;
-    }
+	/**
+	 * Apply preparation for a non-self-signed certificate.
+	 *
+	 * @param ValidatorState $state
+	 *
+	 * @return ValidatorState
+	 */
+	private function _prepareNonSelfIssued(ValidatorState $state): ValidatorState
+	{
+		// (h.1)
+		if ($state->explicitPolicy() > 0) {
+			$state = $state->withExplicitPolicy($state->explicitPolicy() - 1);
+		}
+		// (h.2)
+		if ($state->policyMapping() > 0) {
+			$state = $state->withPolicyMapping($state->policyMapping() - 1);
+		}
+		// (h.3)
+		if ($state->inhibitAnyPolicy() > 0) {
+			$state = $state->withInhibitAnyPolicy($state->inhibitAnyPolicy() - 1);
+		}
+		return $state;
+	}
 
-    /**
-     * Apply policy constraints handling for the preparation step.
-     *
-     * @param ValidatorState $state
-     * @param Certificate    $cert
-     *
-     * @return ValidatorState
-     */
-    private function _preparePolicyConstraints(ValidatorState $state,
-        Certificate $cert): ValidatorState
-    {
-        $extensions = $cert->tbsCertificate()->extensions();
-        if (!$extensions->hasPolicyConstraints()) {
-            return $state;
-        }
-        $ext = $extensions->policyConstraints();
-        // (i.1)
-        if ($ext->hasRequireExplicitPolicy() &&
-                $ext->requireExplicitPolicy() < $state->explicitPolicy()) {
-            $state = $state->withExplicitPolicy($ext->requireExplicitPolicy());
-        }
-        // (i.2)
-        if ($ext->hasInhibitPolicyMapping() &&
-                $ext->inhibitPolicyMapping() < $state->policyMapping()) {
-            $state = $state->withPolicyMapping($ext->inhibitPolicyMapping());
-        }
-        return $state;
-    }
+	/**
+	 * Apply policy constraints handling for the preparation step.
+	 *
+	 * @param ValidatorState $state
+	 * @param Certificate    $cert
+	 *
+	 * @return ValidatorState
+	 */
+	private function _preparePolicyConstraints(ValidatorState $state,
+		Certificate $cert): ValidatorState
+	{
+		$extensions = $cert->tbsCertificate()->extensions();
+		if (!$extensions->hasPolicyConstraints()) {
+			return $state;
+		}
+		$ext = $extensions->policyConstraints();
+		// (i.1)
+		if ($ext->hasRequireExplicitPolicy() &&
+				$ext->requireExplicitPolicy() < $state->explicitPolicy()) {
+			$state = $state->withExplicitPolicy($ext->requireExplicitPolicy());
+		}
+		// (i.2)
+		if ($ext->hasInhibitPolicyMapping() &&
+				$ext->inhibitPolicyMapping() < $state->policyMapping()) {
+			$state = $state->withPolicyMapping($ext->inhibitPolicyMapping());
+		}
+		return $state;
+	}
 
-    /**
-     * Apply inhibit any-policy handling for the preparation step.
-     *
-     * @param ValidatorState $state
-     * @param Certificate    $cert
-     *
-     * @return ValidatorState
-     */
-    private function _prepareInhibitAnyPolicy(ValidatorState $state,
-        Certificate $cert): ValidatorState
-    {
-        $extensions = $cert->tbsCertificate()->extensions();
-        if ($extensions->hasInhibitAnyPolicy()) {
-            $ext = $extensions->inhibitAnyPolicy();
-            if ($ext->skipCerts() < $state->inhibitAnyPolicy()) {
-                $state = $state->withInhibitAnyPolicy($ext->skipCerts());
-            }
-        }
-        return $state;
-    }
+	/**
+	 * Apply inhibit any-policy handling for the preparation step.
+	 *
+	 * @param ValidatorState $state
+	 * @param Certificate    $cert
+	 *
+	 * @return ValidatorState
+	 */
+	private function _prepareInhibitAnyPolicy(ValidatorState $state,
+		Certificate $cert): ValidatorState
+	{
+		$extensions = $cert->tbsCertificate()->extensions();
+		if ($extensions->hasInhibitAnyPolicy()) {
+			$ext = $extensions->inhibitAnyPolicy();
+			if ($ext->skipCerts() < $state->inhibitAnyPolicy()) {
+				$state = $state->withInhibitAnyPolicy($ext->skipCerts());
+			}
+		}
+		return $state;
+	}
 
-    /**
-     * Verify maximum certification path length for the preparation step.
-     *
-     * @param ValidatorState $state
-     * @param Certificate    $cert
-     *
-     * @throws PathValidationException
-     *
-     * @return ValidatorState
-     */
-    private function _verifyMaxPathLength(ValidatorState $state,
-        Certificate $cert): ValidatorState
-    {
-        if (!$cert->isSelfIssued()) {
-            if ($state->maxPathLength() <= 0) {
-                throw new PathValidationException(
-                    'Certification path length exceeded.');
-            }
-            $state = $state->withMaxPathLength($state->maxPathLength() - 1);
-        }
-        return $state;
-    }
+	/**
+	 * Verify maximum certification path length for the preparation step.
+	 *
+	 * @param ValidatorState $state
+	 * @param Certificate    $cert
+	 *
+	 * @throws PathValidationException
+	 *
+	 * @return ValidatorState
+	 */
+	private function _verifyMaxPathLength(ValidatorState $state,
+		Certificate $cert): ValidatorState
+	{
+		if (!$cert->isSelfIssued()) {
+			if ($state->maxPathLength() <= 0) {
+				throw new PathValidationException(
+					'Certification path length exceeded.');
+			}
+			$state = $state->withMaxPathLength($state->maxPathLength() - 1);
+		}
+		return $state;
+	}
 
-    /**
-     * Check key usage extension for the preparation step.
-     *
-     * @param Certificate $cert
-     *
-     * @throws PathValidationException
-     */
-    private function _checkKeyUsage(Certificate $cert): void
-    {
-        $extensions = $cert->tbsCertificate()->extensions();
-        if ($extensions->hasKeyUsage()) {
-            $ext = $extensions->keyUsage();
-            if (!$ext->isKeyCertSign()) {
-                throw new PathValidationException('keyCertSign usage not set.');
-            }
-        }
-    }
+	/**
+	 * Check key usage extension for the preparation step.
+	 *
+	 * @param Certificate $cert
+	 *
+	 * @throws PathValidationException
+	 */
+	private function _checkKeyUsage(Certificate $cert): void
+	{
+		$extensions = $cert->tbsCertificate()->extensions();
+		if ($extensions->hasKeyUsage()) {
+			$ext = $extensions->keyUsage();
+			if (!$ext->isKeyCertSign()) {
+				throw new PathValidationException('keyCertSign usage not set.');
+			}
+		}
+	}
 
-    /**
-     * @param ValidatorState $state
-     * @param Certificate    $cert
-     *
-     * @return ValidatorState
-     */
-    private function _processNameConstraints(ValidatorState $state,
-        Certificate $cert): ValidatorState
-    {
-        // @todo Implement
-        return $state;
-    }
+	/**
+	 * @param ValidatorState $state
+	 * @param Certificate    $cert
+	 *
+	 * @return ValidatorState
+	 */
+	private function _processNameConstraints(ValidatorState $state,
+		Certificate $cert): ValidatorState
+	{
+		// @todo Implement
+		return $state;
+	}
 
-    /**
-     * Process basic constraints extension.
-     *
-     * @param Certificate $cert
-     *
-     * @throws PathValidationException
-     */
-    private function _processBasicContraints(Certificate $cert): void
-    {
-        if (TBSCertificate::VERSION_3 === $cert->tbsCertificate()->version()) {
-            $extensions = $cert->tbsCertificate()->extensions();
-            if (!$extensions->hasBasicConstraints()) {
-                throw new PathValidationException(
-                    'v3 certificate must have basicConstraints extension.');
-            }
-            // verify that cA is set to TRUE
-            if (!$extensions->basicConstraints()->isCA()) {
-                throw new PathValidationException(
-                    'Certificate is not a CA certificate.');
-            }
-        }
-    }
+	/**
+	 * Process basic constraints extension.
+	 *
+	 * @param Certificate $cert
+	 *
+	 * @throws PathValidationException
+	 */
+	private function _processBasicContraints(Certificate $cert): void
+	{
+		if (TBSCertificate::VERSION_3 === $cert->tbsCertificate()->version()) {
+			$extensions = $cert->tbsCertificate()->extensions();
+			if (!$extensions->hasBasicConstraints()) {
+				throw new PathValidationException(
+					'v3 certificate must have basicConstraints extension.');
+			}
+			// verify that cA is set to TRUE
+			if (!$extensions->basicConstraints()->isCA()) {
+				throw new PathValidationException(
+					'Certificate is not a CA certificate.');
+			}
+		}
+	}
 
-    /**
-     * Process pathLenConstraint.
-     *
-     * @param ValidatorState $state
-     * @param Certificate    $cert
-     *
-     * @return ValidatorState
-     */
-    private function _processPathLengthContraint(ValidatorState $state,
-        Certificate $cert): ValidatorState
-    {
-        $extensions = $cert->tbsCertificate()->extensions();
-        if ($extensions->hasBasicConstraints()) {
-            $ext = $extensions->basicConstraints();
-            if ($ext->hasPathLen()) {
-                if ($ext->pathLen() < $state->maxPathLength()) {
-                    $state = $state->withMaxPathLength($ext->pathLen());
-                }
-            }
-        }
-        return $state;
-    }
+	/**
+	 * Process pathLenConstraint.
+	 *
+	 * @param ValidatorState $state
+	 * @param Certificate    $cert
+	 *
+	 * @return ValidatorState
+	 */
+	private function _processPathLengthContraint(ValidatorState $state,
+		Certificate $cert): ValidatorState
+	{
+		$extensions = $cert->tbsCertificate()->extensions();
+		if ($extensions->hasBasicConstraints()) {
+			$ext = $extensions->basicConstraints();
+			if ($ext->hasPathLen()) {
+				if ($ext->pathLen() < $state->maxPathLength()) {
+					$state = $state->withMaxPathLength($ext->pathLen());
+				}
+			}
+		}
+		return $state;
+	}
 
-    /**
-     * @param ValidatorState $state
-     * @param Certificate    $cert
-     *
-     * @return ValidatorState
-     */
-    private function _processExtensions(ValidatorState $state,
-        Certificate $cert): ValidatorState
-    {
-        // @todo Implement
-        return $state;
-    }
+	/**
+	 * @param ValidatorState $state
+	 * @param Certificate    $cert
+	 *
+	 * @return ValidatorState
+	 */
+	private function _processExtensions(ValidatorState $state,
+		Certificate $cert): ValidatorState
+	{
+		// @todo Implement
+		return $state;
+	}
 
-    /**
-     * @param ValidatorState $state
-     *
-     * @return ValidatorState
-     */
-    private function _calculatePolicyIntersection(ValidatorState $state): ValidatorState
-    {
-        // (i) If the valid_policy_tree is NULL, the intersection is NULL
-        if (!$state->hasValidPolicyTree()) {
-            return $state;
-        }
-        // (ii) If the valid_policy_tree is not NULL and
-        // the user-initial-policy-set is any-policy, the intersection
-        // is the entire valid_policy_tree
-        $initial_policies = $this->_config->policySet();
-        if (in_array(PolicyInformation::OID_ANY_POLICY, $initial_policies)) {
-            return $state;
-        }
-        // (iii) If the valid_policy_tree is not NULL and the
-        // user-initial-policy-set is not any-policy, calculate
-        // the intersection of the valid_policy_tree and the
-        // user-initial-policy-set as follows
-        return $state->validPolicyTree()->calculateIntersection($state, $initial_policies);
-    }
+	/**
+	 * @param ValidatorState $state
+	 *
+	 * @return ValidatorState
+	 */
+	private function _calculatePolicyIntersection(ValidatorState $state): ValidatorState
+	{
+		// (i) If the valid_policy_tree is NULL, the intersection is NULL
+		if (!$state->hasValidPolicyTree()) {
+			return $state;
+		}
+		// (ii) If the valid_policy_tree is not NULL and
+		// the user-initial-policy-set is any-policy, the intersection
+		// is the entire valid_policy_tree
+		$initial_policies = $this->_config->policySet();
+		if (in_array(PolicyInformation::OID_ANY_POLICY, $initial_policies)) {
+			return $state;
+		}
+		// (iii) If the valid_policy_tree is not NULL and the
+		// user-initial-policy-set is not any-policy, calculate
+		// the intersection of the valid_policy_tree and the
+		// user-initial-policy-set as follows
+		return $state->validPolicyTree()->calculateIntersection($state, $initial_policies);
+	}
 }

lib/X509/CertificationPath/Policy/PolicyNode.php

Indentation +240 added lines, -240 removed lines

@@ -16,267 +16,267 @@
  */
 class PolicyNode implements \IteratorAggregate, \Countable
 {
-    /**
-     * Policy OID.
-     *
-     * @var string
-     */
-    protected $_validPolicy;
+	/**
+	 * Policy OID.
+	 *
+	 * @var string
+	 */
+	protected $_validPolicy;
 
-    /**
-     * List of qualifiers.
-     *
-     * @var PolicyQualifierInfo[]
-     */
-    protected $_qualifiers;
+	/**
+	 * List of qualifiers.
+	 *
+	 * @var PolicyQualifierInfo[]
+	 */
+	protected $_qualifiers;
 
-    /**
-     * List of expected policy OIDs.
-     *
-     * @var string[]
-     */
-    protected $_expectedPolicies;
+	/**
+	 * List of expected policy OIDs.
+	 *
+	 * @var string[]
+	 */
+	protected $_expectedPolicies;
 
-    /**
-     * List of child nodes.
-     *
-     * @var PolicyNode[]
-     */
-    protected $_children;
+	/**
+	 * List of child nodes.
+	 *
+	 * @var PolicyNode[]
+	 */
+	protected $_children;
 
-    /**
-     * Reference to the parent node.
-     *
-     * @var null|PolicyNode
-     */
-    protected $_parent;
+	/**
+	 * Reference to the parent node.
+	 *
+	 * @var null|PolicyNode
+	 */
+	protected $_parent;
 
-    /**
-     * Constructor.
-     *
-     * @param string                $valid_policy      Policy OID
-     * @param PolicyQualifierInfo[] $qualifiers
-     * @param string[]              $expected_policies
-     */
-    public function __construct(string $valid_policy, array $qualifiers,
-        array $expected_policies)
-    {
-        $this->_validPolicy = $valid_policy;
-        $this->_qualifiers = $qualifiers;
-        $this->_expectedPolicies = $expected_policies;
-        $this->_children = [];
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param string                $valid_policy      Policy OID
+	 * @param PolicyQualifierInfo[] $qualifiers
+	 * @param string[]              $expected_policies
+	 */
+	public function __construct(string $valid_policy, array $qualifiers,
+		array $expected_policies)
+	{
+		$this->_validPolicy = $valid_policy;
+		$this->_qualifiers = $qualifiers;
+		$this->_expectedPolicies = $expected_policies;
+		$this->_children = [];
+	}
 
-    /**
-     * Create initial node for the policy tree.
-     *
-     * @return self
-     */
-    public static function anyPolicyNode(): self
-    {
-        return new self(PolicyInformation::OID_ANY_POLICY, [],
-            [PolicyInformation::OID_ANY_POLICY]);
-    }
+	/**
+	 * Create initial node for the policy tree.
+	 *
+	 * @return self
+	 */
+	public static function anyPolicyNode(): self
+	{
+		return new self(PolicyInformation::OID_ANY_POLICY, [],
+			[PolicyInformation::OID_ANY_POLICY]);
+	}
 
-    /**
-     * Get the valid policy OID.
-     *
-     * @return string
-     */
-    public function validPolicy(): string
-    {
-        return $this->_validPolicy;
-    }
+	/**
+	 * Get the valid policy OID.
+	 *
+	 * @return string
+	 */
+	public function validPolicy(): string
+	{
+		return $this->_validPolicy;
+	}
 
-    /**
-     * Check whether node has anyPolicy as a valid policy.
-     *
-     * @return bool
-     */
-    public function isAnyPolicy(): bool
-    {
-        return PolicyInformation::OID_ANY_POLICY === $this->_validPolicy;
-    }
+	/**
+	 * Check whether node has anyPolicy as a valid policy.
+	 *
+	 * @return bool
+	 */
+	public function isAnyPolicy(): bool
+	{
+		return PolicyInformation::OID_ANY_POLICY === $this->_validPolicy;
+	}
 
-    /**
-     * Get the qualifier set.
-     *
-     * @return PolicyQualifierInfo[]
-     */
-    public function qualifiers(): array
-    {
-        return $this->_qualifiers;
-    }
+	/**
+	 * Get the qualifier set.
+	 *
+	 * @return PolicyQualifierInfo[]
+	 */
+	public function qualifiers(): array
+	{
+		return $this->_qualifiers;
+	}
 
-    /**
-     * Check whether node has OID as an expected policy.
-     *
-     * @param string $oid
-     *
-     * @return bool
-     */
-    public function hasExpectedPolicy(string $oid): bool
-    {
-        return in_array($oid, $this->_expectedPolicies);
-    }
+	/**
+	 * Check whether node has OID as an expected policy.
+	 *
+	 * @param string $oid
+	 *
+	 * @return bool
+	 */
+	public function hasExpectedPolicy(string $oid): bool
+	{
+		return in_array($oid, $this->_expectedPolicies);
+	}
 
-    /**
-     * Get the expected policy set.
-     *
-     * @return string[]
-     */
-    public function expectedPolicies(): array
-    {
-        return $this->_expectedPolicies;
-    }
+	/**
+	 * Get the expected policy set.
+	 *
+	 * @return string[]
+	 */
+	public function expectedPolicies(): array
+	{
+		return $this->_expectedPolicies;
+	}
 
-    /**
-     * Set expected policies.
-     *
-     * @param string ...$oids Policy OIDs
-     */
-    public function setExpectedPolicies(string ...$oids): void
-    {
-        $this->_expectedPolicies = $oids;
-    }
+	/**
+	 * Set expected policies.
+	 *
+	 * @param string ...$oids Policy OIDs
+	 */
+	public function setExpectedPolicies(string ...$oids): void
+	{
+		$this->_expectedPolicies = $oids;
+	}
 
-    /**
-     * Check whether node has a child node with given valid policy OID.
-     *
-     * @param string $oid
-     *
-     * @return bool
-     */
-    public function hasChildWithValidPolicy(string $oid): bool
-    {
-        foreach ($this->_children as $node) {
-            if ($node->validPolicy() == $oid) {
-                return true;
-            }
-        }
-        return false;
-    }
+	/**
+	 * Check whether node has a child node with given valid policy OID.
+	 *
+	 * @param string $oid
+	 *
+	 * @return bool
+	 */
+	public function hasChildWithValidPolicy(string $oid): bool
+	{
+		foreach ($this->_children as $node) {
+			if ($node->validPolicy() == $oid) {
+				return true;
+			}
+		}
+		return false;
+	}
 
-    /**
-     * Add child node.
-     *
-     * @param PolicyNode $node
-     *
-     * @return self
-     */
-    public function addChild(PolicyNode $node): self
-    {
-        $id = spl_object_hash($node);
-        $node->_parent = $this;
-        $this->_children[$id] = $node;
-        return $this;
-    }
+	/**
+	 * Add child node.
+	 *
+	 * @param PolicyNode $node
+	 *
+	 * @return self
+	 */
+	public function addChild(PolicyNode $node): self
+	{
+		$id = spl_object_hash($node);
+		$node->_parent = $this;
+		$this->_children[$id] = $node;
+		return $this;
+	}
 
-    /**
-     * Get the child nodes.
-     *
-     * @return PolicyNode[]
-     */
-    public function children(): array
-    {
-        return array_values($this->_children);
-    }
+	/**
+	 * Get the child nodes.
+	 *
+	 * @return PolicyNode[]
+	 */
+	public function children(): array
+	{
+		return array_values($this->_children);
+	}
 
-    /**
-     * Remove this node from the tree.
-     *
-     * @return self The removed node
-     */
-    public function remove(): self
-    {
-        if ($this->_parent) {
-            $id = spl_object_hash($this);
-            unset($this->_parent->_children[$id], $this->_parent);
-        }
-        return $this;
-    }
+	/**
+	 * Remove this node from the tree.
+	 *
+	 * @return self The removed node
+	 */
+	public function remove(): self
+	{
+		if ($this->_parent) {
+			$id = spl_object_hash($this);
+			unset($this->_parent->_children[$id], $this->_parent);
+		}
+		return $this;
+	}
 
-    /**
-     * Check whether node has a parent.
-     *
-     * @return bool
-     */
-    public function hasParent(): bool
-    {
-        return isset($this->_parent);
-    }
+	/**
+	 * Check whether node has a parent.
+	 *
+	 * @return bool
+	 */
+	public function hasParent(): bool
+	{
+		return isset($this->_parent);
+	}
 
-    /**
-     * Get the parent node.
-     *
-     * @return null|PolicyNode
-     */
-    public function parent(): ?PolicyNode
-    {
-        return $this->_parent;
-    }
+	/**
+	 * Get the parent node.
+	 *
+	 * @return null|PolicyNode
+	 */
+	public function parent(): ?PolicyNode
+	{
+		return $this->_parent;
+	}
 
-    /**
-     * Get chain of parent nodes from this node's parent to the root node.
-     *
-     * @return PolicyNode[]
-     */
-    public function parents(): array
-    {
-        if (!$this->_parent) {
-            return [];
-        }
-        $nodes = $this->_parent->parents();
-        $nodes[] = $this->_parent;
-        return array_reverse($nodes);
-    }
+	/**
+	 * Get chain of parent nodes from this node's parent to the root node.
+	 *
+	 * @return PolicyNode[]
+	 */
+	public function parents(): array
+	{
+		if (!$this->_parent) {
+			return [];
+		}
+		$nodes = $this->_parent->parents();
+		$nodes[] = $this->_parent;
+		return array_reverse($nodes);
+	}
 
-    /**
-     * Walk tree from this node, applying a callback for each node.
-     *
-     * Nodes are traversed depth-first and callback shall be applied post-order.
-     *
-     * @param callable $fn
-     */
-    public function walkNodes(callable $fn): void
-    {
-        foreach ($this->_children as $node) {
-            $node->walkNodes($fn);
-        }
-        $fn($this);
-    }
+	/**
+	 * Walk tree from this node, applying a callback for each node.
+	 *
+	 * Nodes are traversed depth-first and callback shall be applied post-order.
+	 *
+	 * @param callable $fn
+	 */
+	public function walkNodes(callable $fn): void
+	{
+		foreach ($this->_children as $node) {
+			$node->walkNodes($fn);
+		}
+		$fn($this);
+	}
 
-    /**
-     * Get the total number of nodes in a tree.
-     *
-     * @return int
-     */
-    public function nodeCount(): int
-    {
-        $c = 1;
-        foreach ($this->_children as $child) {
-            $c += $child->nodeCount();
-        }
-        return $c;
-    }
+	/**
+	 * Get the total number of nodes in a tree.
+	 *
+	 * @return int
+	 */
+	public function nodeCount(): int
+	{
+		$c = 1;
+		foreach ($this->_children as $child) {
+			$c += $child->nodeCount();
+		}
+		return $c;
+	}
 
-    /**
-     * Get the number of child nodes.
-     *
-     * @see \Countable::count()
-     */
-    public function count(): int
-    {
-        return count($this->_children);
-    }
+	/**
+	 * Get the number of child nodes.
+	 *
+	 * @see \Countable::count()
+	 */
+	public function count(): int
+	{
+		return count($this->_children);
+	}
 
-    /**
-     * Get iterator for the child nodes.
-     *
-     * @see \IteratorAggregate::getIterator()
-     */
-    public function getIterator(): \ArrayIterator
-    {
-        return new \ArrayIterator($this->_children);
-    }
+	/**
+	 * Get iterator for the child nodes.
+	 *
+	 * @see \IteratorAggregate::getIterator()
+	 */
+	public function getIterator(): \ArrayIterator
+	{
+		return new \ArrayIterator($this->_children);
+	}
 }

lib/X509/AttributeCertificate/Validation/ACValidationConfig.php

Indentation +100 added lines, -100 removed lines

@@ -12,114 +12,114 @@
  */
 class ACValidationConfig
 {
-    /**
-     * Certification path of the AC holder.
-     *
-     * @var CertificationPath
-     */
-    protected $_holderPath;
+	/**
+	 * Certification path of the AC holder.
+	 *
+	 * @var CertificationPath
+	 */
+	protected $_holderPath;
 
-    /**
-     * Certification path of the AC issuer.
-     *
-     * @var CertificationPath
-     */
-    protected $_issuerPath;
+	/**
+	 * Certification path of the AC issuer.
+	 *
+	 * @var CertificationPath
+	 */
+	protected $_issuerPath;
 
-    /**
-     * Evaluation reference time.
-     *
-     * @var \DateTimeImmutable
-     */
-    protected $_evalTime;
+	/**
+	 * Evaluation reference time.
+	 *
+	 * @var \DateTimeImmutable
+	 */
+	protected $_evalTime;
 
-    /**
-     * Permitted targets.
-     *
-     * @var Target[]
-     */
-    protected $_targets;
+	/**
+	 * Permitted targets.
+	 *
+	 * @var Target[]
+	 */
+	protected $_targets;
 
-    /**
-     * Constructor.
-     *
-     * @param CertificationPath $holder_path Certification path of the AC holder
-     * @param CertificationPath $issuer_path Certification path of the AC issuer
-     */
-    public function __construct(CertificationPath $holder_path,
-        CertificationPath $issuer_path)
-    {
-        $this->_holderPath = $holder_path;
-        $this->_issuerPath = $issuer_path;
-        $this->_evalTime = new \DateTimeImmutable();
-        $this->_targets = [];
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param CertificationPath $holder_path Certification path of the AC holder
+	 * @param CertificationPath $issuer_path Certification path of the AC issuer
+	 */
+	public function __construct(CertificationPath $holder_path,
+		CertificationPath $issuer_path)
+	{
+		$this->_holderPath = $holder_path;
+		$this->_issuerPath = $issuer_path;
+		$this->_evalTime = new \DateTimeImmutable();
+		$this->_targets = [];
+	}
 
-    /**
-     * Get certification path of the AC's holder.
-     *
-     * @return CertificationPath
-     */
-    public function holderPath(): CertificationPath
-    {
-        return $this->_holderPath;
-    }
+	/**
+	 * Get certification path of the AC's holder.
+	 *
+	 * @return CertificationPath
+	 */
+	public function holderPath(): CertificationPath
+	{
+		return $this->_holderPath;
+	}
 
-    /**
-     * Get certification path of the AC's issuer.
-     *
-     * @return CertificationPath
-     */
-    public function issuerPath(): CertificationPath
-    {
-        return $this->_issuerPath;
-    }
+	/**
+	 * Get certification path of the AC's issuer.
+	 *
+	 * @return CertificationPath
+	 */
+	public function issuerPath(): CertificationPath
+	{
+		return $this->_issuerPath;
+	}
 
-    /**
-     * Get self with given evaluation reference time.
-     *
-     * @param \DateTimeImmutable $dt
-     *
-     * @return self
-     */
-    public function withEvaluationTime(\DateTimeImmutable $dt): self
-    {
-        $obj = clone $this;
-        $obj->_evalTime = $dt;
-        return $obj;
-    }
+	/**
+	 * Get self with given evaluation reference time.
+	 *
+	 * @param \DateTimeImmutable $dt
+	 *
+	 * @return self
+	 */
+	public function withEvaluationTime(\DateTimeImmutable $dt): self
+	{
+		$obj = clone $this;
+		$obj->_evalTime = $dt;
+		return $obj;
+	}
 
-    /**
-     * Get the evaluation reference time.
-     *
-     * @return \DateTimeImmutable
-     */
-    public function evaluationTime(): \DateTimeImmutable
-    {
-        return $this->_evalTime;
-    }
+	/**
+	 * Get the evaluation reference time.
+	 *
+	 * @return \DateTimeImmutable
+	 */
+	public function evaluationTime(): \DateTimeImmutable
+	{
+		return $this->_evalTime;
+	}
 
-    /**
-     * Get self with permitted targets.
-     *
-     * @param Target ...$targets
-     *
-     * @return self
-     */
-    public function withTargets(Target ...$targets): self
-    {
-        $obj = clone $this;
-        $obj->_targets = $targets;
-        return $obj;
-    }
+	/**
+	 * Get self with permitted targets.
+	 *
+	 * @param Target ...$targets
+	 *
+	 * @return self
+	 */
+	public function withTargets(Target ...$targets): self
+	{
+		$obj = clone $this;
+		$obj->_targets = $targets;
+		return $obj;
+	}
 
-    /**
-     * Get array of permitted targets.
-     *
-     * @return Target[]
-     */
-    public function targets(): array
-    {
-        return $this->_targets;
-    }
+	/**
+	 * Get array of permitted targets.
+	 *
+	 * @return Target[]
+	 */
+	public function targets(): array
+	{
+		return $this->_targets;
+	}
 }

lib/X509/AttributeCertificate/Validation/ACValidator.php

Indentation +172 added lines, -172 removed lines

@@ -21,186 +21,186 @@
  */
 class ACValidator
 {
-    /**
-     * Attribute certificate.
-     *
-     * @var AttributeCertificate
-     */
-    protected $_ac;
+	/**
+	 * Attribute certificate.
+	 *
+	 * @var AttributeCertificate
+	 */
+	protected $_ac;
 
-    /**
-     * Validation configuration.
-     *
-     * @var ACValidationConfig
-     */
-    protected $_config;
+	/**
+	 * Validation configuration.
+	 *
+	 * @var ACValidationConfig
+	 */
+	protected $_config;
 
-    /**
-     * Crypto engine.
-     *
-     * @var Crypto
-     */
-    protected $_crypto;
+	/**
+	 * Crypto engine.
+	 *
+	 * @var Crypto
+	 */
+	protected $_crypto;
 
-    /**
-     * Constructor.
-     *
-     * @param AttributeCertificate $ac     Attribute certificate to validate
-     * @param ACValidationConfig   $config Validation configuration
-     * @param null|Crypto          $crypto Crypto engine, use default if not set
-     */
-    public function __construct(AttributeCertificate $ac,
-        ACValidationConfig $config, ?Crypto $crypto = null)
-    {
-        $this->_ac = $ac;
-        $this->_config = $config;
-        $this->_crypto = $crypto ?? Crypto::getDefault();
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param AttributeCertificate $ac     Attribute certificate to validate
+	 * @param ACValidationConfig   $config Validation configuration
+	 * @param null|Crypto          $crypto Crypto engine, use default if not set
+	 */
+	public function __construct(AttributeCertificate $ac,
+		ACValidationConfig $config, ?Crypto $crypto = null)
+	{
+		$this->_ac = $ac;
+		$this->_config = $config;
+		$this->_crypto = $crypto ?? Crypto::getDefault();
+	}
 
-    /**
-     * Validate attribute certificate.
-     *
-     * @throws ACValidationException If validation fails
-     *
-     * @return AttributeCertificate Validated AC
-     */
-    public function validate(): AttributeCertificate
-    {
-        $this->_validateHolder();
-        $issuer = $this->_verifyIssuer();
-        $this->_validateIssuerProfile($issuer);
-        $this->_validateTime();
-        $this->_validateTargeting();
-        return $this->_ac;
-    }
+	/**
+	 * Validate attribute certificate.
+	 *
+	 * @throws ACValidationException If validation fails
+	 *
+	 * @return AttributeCertificate Validated AC
+	 */
+	public function validate(): AttributeCertificate
+	{
+		$this->_validateHolder();
+		$issuer = $this->_verifyIssuer();
+		$this->_validateIssuerProfile($issuer);
+		$this->_validateTime();
+		$this->_validateTargeting();
+		return $this->_ac;
+	}
 
-    /**
-     * Validate AC holder's certification.
-     *
-     * @throws ACValidationException
-     *
-     * @return Certificate Certificate of the AC's holder
-     */
-    private function _validateHolder(): Certificate
-    {
-        $path = $this->_config->holderPath();
-        $config = PathValidationConfig::defaultConfig()
-            ->withMaxLength(count($path))
-            ->withDateTime($this->_config->evaluationTime());
-        try {
-            $holder = $path->validate($config, $this->_crypto)->certificate();
-        } catch (PathValidationException $e) {
-            throw new ACValidationException(
-                "Failed to validate holder PKC's certification path.", 0, $e);
-        }
-        if (!$this->_ac->isHeldBy($holder)) {
-            throw new ACValidationException("Name mismatch of AC's holder PKC.");
-        }
-        return $holder;
-    }
+	/**
+	 * Validate AC holder's certification.
+	 *
+	 * @throws ACValidationException
+	 *
+	 * @return Certificate Certificate of the AC's holder
+	 */
+	private function _validateHolder(): Certificate
+	{
+		$path = $this->_config->holderPath();
+		$config = PathValidationConfig::defaultConfig()
+			->withMaxLength(count($path))
+			->withDateTime($this->_config->evaluationTime());
+		try {
+			$holder = $path->validate($config, $this->_crypto)->certificate();
+		} catch (PathValidationException $e) {
+			throw new ACValidationException(
+				"Failed to validate holder PKC's certification path.", 0, $e);
+		}
+		if (!$this->_ac->isHeldBy($holder)) {
+			throw new ACValidationException("Name mismatch of AC's holder PKC.");
+		}
+		return $holder;
+	}
 
-    /**
-     * Verify AC's signature and issuer's certification.
-     *
-     * @throws ACValidationException
-     *
-     * @return Certificate Certificate of the AC's issuer
-     */
-    private function _verifyIssuer(): Certificate
-    {
-        $path = $this->_config->issuerPath();
-        $config = PathValidationConfig::defaultConfig()
-            ->withMaxLength(count($path))
-            ->withDateTime($this->_config->evaluationTime());
-        try {
-            $issuer = $path->validate($config, $this->_crypto)->certificate();
-        } catch (PathValidationException $e) {
-            throw new ACValidationException(
-                "Failed to validate issuer PKC's certification path.", 0, $e);
-        }
-        if (!$this->_ac->isIssuedBy($issuer)) {
-            throw new ACValidationException("Name mismatch of AC's issuer PKC.");
-        }
-        $pubkey_info = $issuer->tbsCertificate()->subjectPublicKeyInfo();
-        if (!$this->_ac->verify($pubkey_info, $this->_crypto)) {
-            throw new ACValidationException('Failed to verify signature.');
-        }
-        return $issuer;
-    }
+	/**
+	 * Verify AC's signature and issuer's certification.
+	 *
+	 * @throws ACValidationException
+	 *
+	 * @return Certificate Certificate of the AC's issuer
+	 */
+	private function _verifyIssuer(): Certificate
+	{
+		$path = $this->_config->issuerPath();
+		$config = PathValidationConfig::defaultConfig()
+			->withMaxLength(count($path))
+			->withDateTime($this->_config->evaluationTime());
+		try {
+			$issuer = $path->validate($config, $this->_crypto)->certificate();
+		} catch (PathValidationException $e) {
+			throw new ACValidationException(
+				"Failed to validate issuer PKC's certification path.", 0, $e);
+		}
+		if (!$this->_ac->isIssuedBy($issuer)) {
+			throw new ACValidationException("Name mismatch of AC's issuer PKC.");
+		}
+		$pubkey_info = $issuer->tbsCertificate()->subjectPublicKeyInfo();
+		if (!$this->_ac->verify($pubkey_info, $this->_crypto)) {
+			throw new ACValidationException('Failed to verify signature.');
+		}
+		return $issuer;
+	}
 
-    /**
-     * Validate AC issuer's profile.
-     *
-     * @see https://tools.ietf.org/html/rfc5755#section-4.5
-     *
-     * @param Certificate $cert
-     *
-     * @throws ACValidationException
-     */
-    private function _validateIssuerProfile(Certificate $cert): void
-    {
-        $exts = $cert->tbsCertificate()->extensions();
-        if ($exts->hasKeyUsage() && !$exts->keyUsage()->isDigitalSignature()) {
-            throw new ACValidationException(
-                "Issuer PKC's Key Usage extension doesn't permit" .
-                     ' verification of digital signatures.');
-        }
-        if ($exts->hasBasicConstraints() && $exts->basicConstraints()->isCA()) {
-            throw new ACValidationException('Issuer PKC must not be a CA.');
-        }
-    }
+	/**
+	 * Validate AC issuer's profile.
+	 *
+	 * @see https://tools.ietf.org/html/rfc5755#section-4.5
+	 *
+	 * @param Certificate $cert
+	 *
+	 * @throws ACValidationException
+	 */
+	private function _validateIssuerProfile(Certificate $cert): void
+	{
+		$exts = $cert->tbsCertificate()->extensions();
+		if ($exts->hasKeyUsage() && !$exts->keyUsage()->isDigitalSignature()) {
+			throw new ACValidationException(
+				"Issuer PKC's Key Usage extension doesn't permit" .
+					 ' verification of digital signatures.');
+		}
+		if ($exts->hasBasicConstraints() && $exts->basicConstraints()->isCA()) {
+			throw new ACValidationException('Issuer PKC must not be a CA.');
+		}
+	}
 
-    /**
-     * Validate AC's validity period.
-     *
-     * @throws ACValidationException
-     */
-    private function _validateTime(): void
-    {
-        $t = $this->_config->evaluationTime();
-        $validity = $this->_ac->acinfo()->validityPeriod();
-        if ($validity->notBeforeTime()->diff($t)->invert) {
-            throw new ACValidationException('Validity period has not started.');
-        }
-        if ($t->diff($validity->notAfterTime())->invert) {
-            throw new ACValidationException('Attribute certificate has expired.');
-        }
-    }
+	/**
+	 * Validate AC's validity period.
+	 *
+	 * @throws ACValidationException
+	 */
+	private function _validateTime(): void
+	{
+		$t = $this->_config->evaluationTime();
+		$validity = $this->_ac->acinfo()->validityPeriod();
+		if ($validity->notBeforeTime()->diff($t)->invert) {
+			throw new ACValidationException('Validity period has not started.');
+		}
+		if ($t->diff($validity->notAfterTime())->invert) {
+			throw new ACValidationException('Attribute certificate has expired.');
+		}
+	}
 
-    /**
-     * Validate AC's target information.
-     *
-     * @throws ACValidationException
-     */
-    private function _validateTargeting(): void
-    {
-        $exts = $this->_ac->acinfo()->extensions();
-        // if target information extension is not present
-        if (!$exts->has(Extension::OID_TARGET_INFORMATION)) {
-            return;
-        }
-        $ext = $exts->get(Extension::OID_TARGET_INFORMATION);
-        if ($ext instanceof TargetInformationExtension &&
-            !$this->_hasMatchingTarget($ext->targets())) {
-            throw new ACValidationException(
-                "Attribute certificate doesn't have a matching target.");
-        }
-    }
+	/**
+	 * Validate AC's target information.
+	 *
+	 * @throws ACValidationException
+	 */
+	private function _validateTargeting(): void
+	{
+		$exts = $this->_ac->acinfo()->extensions();
+		// if target information extension is not present
+		if (!$exts->has(Extension::OID_TARGET_INFORMATION)) {
+			return;
+		}
+		$ext = $exts->get(Extension::OID_TARGET_INFORMATION);
+		if ($ext instanceof TargetInformationExtension &&
+			!$this->_hasMatchingTarget($ext->targets())) {
+			throw new ACValidationException(
+				"Attribute certificate doesn't have a matching target.");
+		}
+	}
 
-    /**
-     * Check whether validation configuration has matching targets.
-     *
-     * @param Targets $targets Set of eligible targets
-     *
-     * @return bool
-     */
-    private function _hasMatchingTarget(Targets $targets): bool
-    {
-        foreach ($this->_config->targets() as $target) {
-            if ($targets->hasTarget($target)) {
-                return true;
-            }
-        }
-        return false;
-    }
+	/**
+	 * Check whether validation configuration has matching targets.
+	 *
+	 * @param Targets $targets Set of eligible targets
+	 *
+	 * @return bool
+	 */
+	private function _hasMatchingTarget(Targets $targets): bool
+	{
+		foreach ($this->_config->targets() as $target) {
+			if ($targets->hasTarget($target)) {
+				return true;
+			}
+		}
+		return false;
+	}
 }