sop / x509

lib/X509/CertificationPath/Policy/PolicyTree.php

Indentation +392 added lines, -392 removed lines

@@ -10,410 +10,410 @@
 
 class PolicyTree
 {
-    /**
-     * Root node at depth zero.
-     *
-     * @var null|PolicyNode
-     */
-    protected $_root;
+	/**
+	 * Root node at depth zero.
+	 *
+	 * @var null|PolicyNode
+	 */
+	protected $_root;
 
-    /**
-     * Constructor.
-     *
-     * @param PolicyNode $root Initial root node
-     */
-    public function __construct(PolicyNode $root)
-    {
-        $this->_root = $root;
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param PolicyNode $root Initial root node
+	 */
+	public function __construct(PolicyNode $root)
+	{
+		$this->_root = $root;
+	}
 
-    /**
-     * Process policy information from the certificate.
-     *
-     * Certificate policies extension must be present.
-     *
-     * @param ValidatorState $state
-     * @param Certificate    $cert
-     *
-     * @return ValidatorState
-     */
-    public function processPolicies(ValidatorState $state,
-        Certificate $cert): ValidatorState
-    {
-        $policies = $cert->tbsCertificate()->extensions()->certificatePolicies();
-        $tree = clone $this;
-        // (d.1) for each policy P not equal to anyPolicy
-        foreach ($policies as $policy) {
-            if ($policy->isAnyPolicy()) {
-                $tree->_processAnyPolicy($policy, $cert, $state);
-            } else {
-                $tree->_processPolicy($policy, $state);
-            }
-        }
-        // if whole tree is pruned
-        if (!$tree->_pruneTree($state->index() - 1)) {
-            return $state->withoutValidPolicyTree();
-        }
-        return $state->withValidPolicyTree($tree);
-    }
+	/**
+	 * Process policy information from the certificate.
+	 *
+	 * Certificate policies extension must be present.
+	 *
+	 * @param ValidatorState $state
+	 * @param Certificate    $cert
+	 *
+	 * @return ValidatorState
+	 */
+	public function processPolicies(ValidatorState $state,
+		Certificate $cert): ValidatorState
+	{
+		$policies = $cert->tbsCertificate()->extensions()->certificatePolicies();
+		$tree = clone $this;
+		// (d.1) for each policy P not equal to anyPolicy
+		foreach ($policies as $policy) {
+			if ($policy->isAnyPolicy()) {
+				$tree->_processAnyPolicy($policy, $cert, $state);
+			} else {
+				$tree->_processPolicy($policy, $state);
+			}
+		}
+		// if whole tree is pruned
+		if (!$tree->_pruneTree($state->index() - 1)) {
+			return $state->withoutValidPolicyTree();
+		}
+		return $state->withValidPolicyTree($tree);
+	}
 
-    /**
-     * Process policy mappings from the certificate.
-     *
-     * @param ValidatorState $state
-     * @param Certificate    $cert
-     *
-     * @return ValidatorState
-     */
-    public function processMappings(ValidatorState $state,
-        Certificate $cert): ValidatorState
-    {
-        $tree = clone $this;
-        if ($state->policyMapping() > 0) {
-            $tree->_applyMappings($cert, $state);
-        } elseif (0 == $state->policyMapping()) {
-            $tree->_deleteMappings($cert, $state);
-        }
-        // if whole tree is pruned
-        if (!$tree->_root) {
-            return $state->withoutValidPolicyTree();
-        }
-        return $state->withValidPolicyTree($tree);
-    }
+	/**
+	 * Process policy mappings from the certificate.
+	 *
+	 * @param ValidatorState $state
+	 * @param Certificate    $cert
+	 *
+	 * @return ValidatorState
+	 */
+	public function processMappings(ValidatorState $state,
+		Certificate $cert): ValidatorState
+	{
+		$tree = clone $this;
+		if ($state->policyMapping() > 0) {
+			$tree->_applyMappings($cert, $state);
+		} elseif (0 == $state->policyMapping()) {
+			$tree->_deleteMappings($cert, $state);
+		}
+		// if whole tree is pruned
+		if (!$tree->_root) {
+			return $state->withoutValidPolicyTree();
+		}
+		return $state->withValidPolicyTree($tree);
+	}
 
-    /**
-     * Calculate policy intersection as specified in Wrap-Up Procedure 6.1.5.g.
-     *
-     * @param ValidatorState $state
-     * @param array          $policies
-     *
-     * @return ValidatorState
-     */
-    public function calculateIntersection(ValidatorState $state,
-        array $policies): ValidatorState
-    {
-        $tree = clone $this;
-        $valid_policy_node_set = $tree->_validPolicyNodeSet();
-        // 2. If the valid_policy of any node in the valid_policy_node_set
-        // is not in the user-initial-policy-set and is not anyPolicy,
-        // delete this node and all its children.
-        $valid_policy_node_set = array_filter($valid_policy_node_set,
-            function (PolicyNode $node) use ($policies) {
-                if ($node->isAnyPolicy()) {
-                    return true;
-                }
-                if (in_array($node->validPolicy(), $policies)) {
-                    return true;
-                }
-                $node->remove();
-                return false;
-            });
-        // array of valid policy OIDs
-        $valid_policy_set = array_map(
-            function (PolicyNode $node) {
-                return $node->validPolicy();
-            }, $valid_policy_node_set);
-        // 3. If the valid_policy_tree includes a node of depth n with
-        // the valid_policy anyPolicy and the user-initial-policy-set
-        // is not any-policy
-        foreach ($tree->_nodesAtDepth($state->index()) as $node) {
-            if ($node->hasParent() && $node->isAnyPolicy()) {
-                // a. Set P-Q to the qualifier_set in the node of depth n
-                // with valid_policy anyPolicy.
-                $pq = $node->qualifiers();
-                // b. For each P-OID in the user-initial-policy-set that is not
-                // the valid_policy of a node in the valid_policy_node_set,
-                // create a child node whose parent is the node of depth n-1
-                // with the valid_policy anyPolicy.
-                $poids = array_diff($policies, $valid_policy_set);
-                foreach ($tree->_nodesAtDepth($state->index() - 1) as $parent) {
-                    if ($parent->isAnyPolicy()) {
-                        // Set the values in the child node as follows:
-                        // set the valid_policy to P-OID, set the qualifier_set
-                        // to P-Q, and set the expected_policy_set to {P-OID}.
-                        foreach ($poids as $poid) {
-                            $parent->addChild(new PolicyNode($poid, $pq, [$poid]));
-                        }
-                        break;
-                    }
-                }
-                // c. Delete the node of depth n with the
-                // valid_policy anyPolicy.
-                $node->remove();
-            }
-        }
-        // 4. If there is a node in the valid_policy_tree of depth n-1 or less
-        // without any child nodes, delete that node. Repeat this step until
-        // there are no nodes of depth n-1 or less without children.
-        if (!$tree->_pruneTree($state->index() - 1)) {
-            return $state->withoutValidPolicyTree();
-        }
-        return $state->withValidPolicyTree($tree);
-    }
+	/**
+	 * Calculate policy intersection as specified in Wrap-Up Procedure 6.1.5.g.
+	 *
+	 * @param ValidatorState $state
+	 * @param array          $policies
+	 *
+	 * @return ValidatorState
+	 */
+	public function calculateIntersection(ValidatorState $state,
+		array $policies): ValidatorState
+	{
+		$tree = clone $this;
+		$valid_policy_node_set = $tree->_validPolicyNodeSet();
+		// 2. If the valid_policy of any node in the valid_policy_node_set
+		// is not in the user-initial-policy-set and is not anyPolicy,
+		// delete this node and all its children.
+		$valid_policy_node_set = array_filter($valid_policy_node_set,
+			function (PolicyNode $node) use ($policies) {
+				if ($node->isAnyPolicy()) {
+					return true;
+				}
+				if (in_array($node->validPolicy(), $policies)) {
+					return true;
+				}
+				$node->remove();
+				return false;
+			});
+		// array of valid policy OIDs
+		$valid_policy_set = array_map(
+			function (PolicyNode $node) {
+				return $node->validPolicy();
+			}, $valid_policy_node_set);
+		// 3. If the valid_policy_tree includes a node of depth n with
+		// the valid_policy anyPolicy and the user-initial-policy-set
+		// is not any-policy
+		foreach ($tree->_nodesAtDepth($state->index()) as $node) {
+			if ($node->hasParent() && $node->isAnyPolicy()) {
+				// a. Set P-Q to the qualifier_set in the node of depth n
+				// with valid_policy anyPolicy.
+				$pq = $node->qualifiers();
+				// b. For each P-OID in the user-initial-policy-set that is not
+				// the valid_policy of a node in the valid_policy_node_set,
+				// create a child node whose parent is the node of depth n-1
+				// with the valid_policy anyPolicy.
+				$poids = array_diff($policies, $valid_policy_set);
+				foreach ($tree->_nodesAtDepth($state->index() - 1) as $parent) {
+					if ($parent->isAnyPolicy()) {
+						// Set the values in the child node as follows:
+						// set the valid_policy to P-OID, set the qualifier_set
+						// to P-Q, and set the expected_policy_set to {P-OID}.
+						foreach ($poids as $poid) {
+							$parent->addChild(new PolicyNode($poid, $pq, [$poid]));
+						}
+						break;
+					}
+				}
+				// c. Delete the node of depth n with the
+				// valid_policy anyPolicy.
+				$node->remove();
+			}
+		}
+		// 4. If there is a node in the valid_policy_tree of depth n-1 or less
+		// without any child nodes, delete that node. Repeat this step until
+		// there are no nodes of depth n-1 or less without children.
+		if (!$tree->_pruneTree($state->index() - 1)) {
+			return $state->withoutValidPolicyTree();
+		}
+		return $state->withValidPolicyTree($tree);
+	}
 
-    /**
-     * Get policies at given policy tree depth.
-     *
-     * @param int $i Depth in range 1..n
-     *
-     * @return PolicyInformation[]
-     */
-    public function policiesAtDepth(int $i): array
-    {
-        $policies = [];
-        foreach ($this->_nodesAtDepth($i) as $node) {
-            $policies[] = new PolicyInformation(
-                $node->validPolicy(), ...$node->qualifiers());
-        }
-        return $policies;
-    }
+	/**
+	 * Get policies at given policy tree depth.
+	 *
+	 * @param int $i Depth in range 1..n
+	 *
+	 * @return PolicyInformation[]
+	 */
+	public function policiesAtDepth(int $i): array
+	{
+		$policies = [];
+		foreach ($this->_nodesAtDepth($i) as $node) {
+			$policies[] = new PolicyInformation(
+				$node->validPolicy(), ...$node->qualifiers());
+		}
+		return $policies;
+	}
 
-    /**
-     * Process single policy information.
-     *
-     * @param PolicyInformation $policy
-     * @param ValidatorState    $state
-     */
-    protected function _processPolicy(PolicyInformation $policy,
-        ValidatorState $state): void
-    {
-        $p_oid = $policy->oid();
-        $i = $state->index();
-        $match_count = 0;
-        // (d.1.i) for each node of depth i-1 in the valid_policy_tree...
-        foreach ($this->_nodesAtDepth($i - 1) as $node) {
-            // ...where P-OID is in the expected_policy_set
-            if ($node->hasExpectedPolicy($p_oid)) {
-                $node->addChild(new PolicyNode(
-                    $p_oid, $policy->qualifiers(), [$p_oid]));
-                ++$match_count;
-            }
-        }
-        // (d.1.ii) if there was no match in step (i)...
-        if (!$match_count) {
-            // ...and the valid_policy_tree includes a node of depth i-1 with
-            // the valid_policy anyPolicy
-            foreach ($this->_nodesAtDepth($i - 1) as $node) {
-                if ($node->isAnyPolicy()) {
-                    $node->addChild(new PolicyNode(
-                        $p_oid, $policy->qualifiers(), [$p_oid]));
-                }
-            }
-        }
-    }
+	/**
+	 * Process single policy information.
+	 *
+	 * @param PolicyInformation $policy
+	 * @param ValidatorState    $state
+	 */
+	protected function _processPolicy(PolicyInformation $policy,
+		ValidatorState $state): void
+	{
+		$p_oid = $policy->oid();
+		$i = $state->index();
+		$match_count = 0;
+		// (d.1.i) for each node of depth i-1 in the valid_policy_tree...
+		foreach ($this->_nodesAtDepth($i - 1) as $node) {
+			// ...where P-OID is in the expected_policy_set
+			if ($node->hasExpectedPolicy($p_oid)) {
+				$node->addChild(new PolicyNode(
+					$p_oid, $policy->qualifiers(), [$p_oid]));
+				++$match_count;
+			}
+		}
+		// (d.1.ii) if there was no match in step (i)...
+		if (!$match_count) {
+			// ...and the valid_policy_tree includes a node of depth i-1 with
+			// the valid_policy anyPolicy
+			foreach ($this->_nodesAtDepth($i - 1) as $node) {
+				if ($node->isAnyPolicy()) {
+					$node->addChild(new PolicyNode(
+						$p_oid, $policy->qualifiers(), [$p_oid]));
+				}
+			}
+		}
+	}
 
-    /**
-     * Process anyPolicy policy information.
-     *
-     * @param PolicyInformation $policy
-     * @param Certificate       $cert
-     * @param ValidatorState    $state
-     */
-    protected function _processAnyPolicy(PolicyInformation $policy,
-        Certificate $cert, ValidatorState $state): void
-    {
-        $i = $state->index();
-        // if (a) inhibit_anyPolicy is greater than 0 or
-        // (b) i<n and the certificate is self-issued
-        if (!($state->inhibitAnyPolicy() > 0 ||
-            ($i < $state->pathLength() && $cert->isSelfIssued()))) {
-            return;
-        }
-        // for each node in the valid_policy_tree of depth i-1
-        foreach ($this->_nodesAtDepth($i - 1) as $node) {
-            // for each value in the expected_policy_set
-            foreach ($node->expectedPolicies() as $p_oid) {
-                // that does not appear in a child node
-                if (!$node->hasChildWithValidPolicy($p_oid)) {
-                    $node->addChild(new PolicyNode(
-                        $p_oid, $policy->qualifiers(), [$p_oid]));
-                }
-            }
-        }
-    }
+	/**
+	 * Process anyPolicy policy information.
+	 *
+	 * @param PolicyInformation $policy
+	 * @param Certificate       $cert
+	 * @param ValidatorState    $state
+	 */
+	protected function _processAnyPolicy(PolicyInformation $policy,
+		Certificate $cert, ValidatorState $state): void
+	{
+		$i = $state->index();
+		// if (a) inhibit_anyPolicy is greater than 0 or
+		// (b) i<n and the certificate is self-issued
+		if (!($state->inhibitAnyPolicy() > 0 ||
+			($i < $state->pathLength() && $cert->isSelfIssued()))) {
+			return;
+		}
+		// for each node in the valid_policy_tree of depth i-1
+		foreach ($this->_nodesAtDepth($i - 1) as $node) {
+			// for each value in the expected_policy_set
+			foreach ($node->expectedPolicies() as $p_oid) {
+				// that does not appear in a child node
+				if (!$node->hasChildWithValidPolicy($p_oid)) {
+					$node->addChild(new PolicyNode(
+						$p_oid, $policy->qualifiers(), [$p_oid]));
+				}
+			}
+		}
+	}
 
-    /**
-     * Apply policy mappings to the policy tree.
-     *
-     * @param Certificate    $cert
-     * @param ValidatorState $state
-     */
-    protected function _applyMappings(Certificate $cert, ValidatorState $state): void
-    {
-        $policy_mappings = $cert->tbsCertificate()->extensions()->policyMappings();
-        // (6.1.4. b.1.) for each node in the valid_policy_tree of depth i...
-        foreach ($policy_mappings->flattenedMappings() as $idp => $sdps) {
-            $match_count = 0;
-            foreach ($this->_nodesAtDepth($state->index()) as $node) {
-                // ...where ID-P is the valid_policy
-                if ($node->validPolicy() == $idp) {
-                    // set expected_policy_set to the set of subjectDomainPolicy
-                    // values that are specified as equivalent to ID-P by
-                    // the policy mappings extension
-                    $node->setExpectedPolicies(...$sdps);
-                    ++$match_count;
-                }
-            }
-            // if no node of depth i in the valid_policy_tree has
-            // a valid_policy of ID-P...
-            if (!$match_count) {
-                $this->_applyAnyPolicyMapping($cert, $state, $idp, $sdps);
-            }
-        }
-    }
+	/**
+	 * Apply policy mappings to the policy tree.
+	 *
+	 * @param Certificate    $cert
+	 * @param ValidatorState $state
+	 */
+	protected function _applyMappings(Certificate $cert, ValidatorState $state): void
+	{
+		$policy_mappings = $cert->tbsCertificate()->extensions()->policyMappings();
+		// (6.1.4. b.1.) for each node in the valid_policy_tree of depth i...
+		foreach ($policy_mappings->flattenedMappings() as $idp => $sdps) {
+			$match_count = 0;
+			foreach ($this->_nodesAtDepth($state->index()) as $node) {
+				// ...where ID-P is the valid_policy
+				if ($node->validPolicy() == $idp) {
+					// set expected_policy_set to the set of subjectDomainPolicy
+					// values that are specified as equivalent to ID-P by
+					// the policy mappings extension
+					$node->setExpectedPolicies(...$sdps);
+					++$match_count;
+				}
+			}
+			// if no node of depth i in the valid_policy_tree has
+			// a valid_policy of ID-P...
+			if (!$match_count) {
+				$this->_applyAnyPolicyMapping($cert, $state, $idp, $sdps);
+			}
+		}
+	}
 
-    /**
-     * Apply anyPolicy mapping to the policy tree as specified in 6.1.4 (b)(1).
-     *
-     * @param Certificate    $cert
-     * @param ValidatorState $state
-     * @param string         $idp   OID of the issuer domain policy
-     * @param array          $sdps  Array of subject domain policy OIDs
-     */
-    protected function _applyAnyPolicyMapping(Certificate $cert,
-        ValidatorState $state, string $idp, array $sdps): void
-    {
-        // (6.1.4. b.1.) ...but there is a node of depth i with
-        // a valid_policy of anyPolicy
-        foreach ($this->_nodesAtDepth($state->index()) as $node) {
-            if ($node->isAnyPolicy()) {
-                // then generate a child node of the node of depth i-1
-                // that has a valid_policy of anyPolicy as follows...
-                foreach ($this->_nodesAtDepth($state->index() - 1) as $node) {
-                    if ($node->isAnyPolicy()) {
-                        // try to fetch qualifiers of anyPolicy certificate policy
-                        $qualifiers = [];
-                        try {
-                            $qualifiers = $cert->tbsCertificate()
-                                ->extensions()->certificatePolicies()
-                                ->anyPolicy()->qualifiers();
-                        } catch (\LogicException $e) {
-                            // if there's no policies or no qualifiers
-                        }
-                        $node->addChild(new PolicyNode($idp, $qualifiers, $sdps));
-                        // bail after first anyPolicy has been processed
-                        break;
-                    }
-                }
-                // bail after first anyPolicy has been processed
-                break;
-            }
-        }
-    }
+	/**
+	 * Apply anyPolicy mapping to the policy tree as specified in 6.1.4 (b)(1).
+	 *
+	 * @param Certificate    $cert
+	 * @param ValidatorState $state
+	 * @param string         $idp   OID of the issuer domain policy
+	 * @param array          $sdps  Array of subject domain policy OIDs
+	 */
+	protected function _applyAnyPolicyMapping(Certificate $cert,
+		ValidatorState $state, string $idp, array $sdps): void
+	{
+		// (6.1.4. b.1.) ...but there is a node of depth i with
+		// a valid_policy of anyPolicy
+		foreach ($this->_nodesAtDepth($state->index()) as $node) {
+			if ($node->isAnyPolicy()) {
+				// then generate a child node of the node of depth i-1
+				// that has a valid_policy of anyPolicy as follows...
+				foreach ($this->_nodesAtDepth($state->index() - 1) as $node) {
+					if ($node->isAnyPolicy()) {
+						// try to fetch qualifiers of anyPolicy certificate policy
+						$qualifiers = [];
+						try {
+							$qualifiers = $cert->tbsCertificate()
+								->extensions()->certificatePolicies()
+								->anyPolicy()->qualifiers();
+						} catch (\LogicException $e) {
+							// if there's no policies or no qualifiers
+						}
+						$node->addChild(new PolicyNode($idp, $qualifiers, $sdps));
+						// bail after first anyPolicy has been processed
+						break;
+					}
+				}
+				// bail after first anyPolicy has been processed
+				break;
+			}
+		}
+	}
 
-    /**
-     * Delete nodes as specified in 6.1.4 (b)(2).
-     *
-     * @param Certificate    $cert
-     * @param ValidatorState $state
-     */
-    protected function _deleteMappings(Certificate $cert,
-        ValidatorState $state): void
-    {
-        $idps = $cert->tbsCertificate()->extensions()
-            ->policyMappings()->issuerDomainPolicies();
-        // delete each node of depth i in the valid_policy_tree
-        // where ID-P is the valid_policy
-        foreach ($this->_nodesAtDepth($state->index()) as $node) {
-            if (in_array($node->validPolicy(), $idps)) {
-                $node->remove();
-            }
-        }
-        $this->_pruneTree($state->index() - 1);
-    }
+	/**
+	 * Delete nodes as specified in 6.1.4 (b)(2).
+	 *
+	 * @param Certificate    $cert
+	 * @param ValidatorState $state
+	 */
+	protected function _deleteMappings(Certificate $cert,
+		ValidatorState $state): void
+	{
+		$idps = $cert->tbsCertificate()->extensions()
+			->policyMappings()->issuerDomainPolicies();
+		// delete each node of depth i in the valid_policy_tree
+		// where ID-P is the valid_policy
+		foreach ($this->_nodesAtDepth($state->index()) as $node) {
+			if (in_array($node->validPolicy(), $idps)) {
+				$node->remove();
+			}
+		}
+		$this->_pruneTree($state->index() - 1);
+	}
 
-    /**
-     * Prune tree starting from given depth.
-     *
-     * @param int $depth
-     *
-     * @return int The number of nodes left in a tree
-     */
-    protected function _pruneTree(int $depth): int
-    {
-        for ($i = $depth; $i > 0; --$i) {
-            foreach ($this->_nodesAtDepth($i) as $node) {
-                if (!count($node)) {
-                    $node->remove();
-                }
-            }
-        }
-        // if root has no children left
-        if (!count($this->_root)) {
-            $this->_root = null;
-            return 0;
-        }
-        return $this->_root->nodeCount();
-    }
+	/**
+	 * Prune tree starting from given depth.
+	 *
+	 * @param int $depth
+	 *
+	 * @return int The number of nodes left in a tree
+	 */
+	protected function _pruneTree(int $depth): int
+	{
+		for ($i = $depth; $i > 0; --$i) {
+			foreach ($this->_nodesAtDepth($i) as $node) {
+				if (!count($node)) {
+					$node->remove();
+				}
+			}
+		}
+		// if root has no children left
+		if (!count($this->_root)) {
+			$this->_root = null;
+			return 0;
+		}
+		return $this->_root->nodeCount();
+	}
 
-    /**
-     * Get all nodes at given depth.
-     *
-     * @param int $i
-     *
-     * @return PolicyNode[]
-     */
-    protected function _nodesAtDepth(int $i): array
-    {
-        if (!$this->_root) {
-            return [];
-        }
-        $depth = 0;
-        $nodes = [$this->_root];
-        while ($depth < $i) {
-            $nodes = self::_gatherChildren(...$nodes);
-            if (!count($nodes)) {
-                break;
-            }
-            ++$depth;
-        }
-        return $nodes;
-    }
+	/**
+	 * Get all nodes at given depth.
+	 *
+	 * @param int $i
+	 *
+	 * @return PolicyNode[]
+	 */
+	protected function _nodesAtDepth(int $i): array
+	{
+		if (!$this->_root) {
+			return [];
+		}
+		$depth = 0;
+		$nodes = [$this->_root];
+		while ($depth < $i) {
+			$nodes = self::_gatherChildren(...$nodes);
+			if (!count($nodes)) {
+				break;
+			}
+			++$depth;
+		}
+		return $nodes;
+	}
 
-    /**
-     * Get the valid policy node set as specified in spec 6.1.5.(g)(iii)1.
-     *
-     * @return PolicyNode[]
-     */
-    protected function _validPolicyNodeSet(): array
-    {
-        // 1. Determine the set of policy nodes whose parent nodes have
-        // a valid_policy of anyPolicy. This is the valid_policy_node_set.
-        $set = [];
-        if (!$this->_root) {
-            return $set;
-        }
-        // for each node in a tree
-        $this->_root->walkNodes(
-            function (PolicyNode $node) use (&$set) {
-                $parents = $node->parents();
-                // node has parents
-                if (count($parents)) {
-                    // check that each ancestor is an anyPolicy node
-                    foreach ($parents as $ancestor) {
-                        if (!$ancestor->isAnyPolicy()) {
-                            return;
-                        }
-                    }
-                    $set[] = $node;
-                }
-            });
-        return $set;
-    }
+	/**
+	 * Get the valid policy node set as specified in spec 6.1.5.(g)(iii)1.
+	 *
+	 * @return PolicyNode[]
+	 */
+	protected function _validPolicyNodeSet(): array
+	{
+		// 1. Determine the set of policy nodes whose parent nodes have
+		// a valid_policy of anyPolicy. This is the valid_policy_node_set.
+		$set = [];
+		if (!$this->_root) {
+			return $set;
+		}
+		// for each node in a tree
+		$this->_root->walkNodes(
+			function (PolicyNode $node) use (&$set) {
+				$parents = $node->parents();
+				// node has parents
+				if (count($parents)) {
+					// check that each ancestor is an anyPolicy node
+					foreach ($parents as $ancestor) {
+						if (!$ancestor->isAnyPolicy()) {
+							return;
+						}
+					}
+					$set[] = $node;
+				}
+			});
+		return $set;
+	}
 
-    /**
-     * Gather all children of given nodes to a flattened array.
-     *
-     * @param PolicyNode ...$nodes
-     *
-     * @return PolicyNode[]
-     */
-    private static function _gatherChildren(PolicyNode ...$nodes): array
-    {
-        $children = [];
-        foreach ($nodes as $node) {
-            $children = array_merge($children, $node->children());
-        }
-        return $children;
-    }
+	/**
+	 * Gather all children of given nodes to a flattened array.
+	 *
+	 * @param PolicyNode ...$nodes
+	 *
+	 * @return PolicyNode[]
+	 */
+	private static function _gatherChildren(PolicyNode ...$nodes): array
+	{
+		$children = [];
+		foreach ($nodes as $node) {
+			$children = array_merge($children, $node->children());
+		}
+		return $children;
+	}
 }

Spacing +4 added lines, -4 removed lines

@@ -1,6 +1,6 @@ 
 <?php
 
-declare(strict_types = 1);
+declare(strict_types=1);
 
 namespace Sop\X509\CertificationPath\Policy;
 
@@ -98,7 +98,7 @@ 
         // is not in the user-initial-policy-set and is not anyPolicy,
         // delete this node and all its children.
         $valid_policy_node_set = array_filter($valid_policy_node_set,
-            function (PolicyNode $node) use ($policies) {
+            function(PolicyNode $node) use ($policies) {
                 if ($node->isAnyPolicy()) {
                     return true;
                 }
@@ -110,7 +110,7 @@ 
             });
         // array of valid policy OIDs
         $valid_policy_set = array_map(
-            function (PolicyNode $node) {
+            function(PolicyNode $node) {
                 return $node->validPolicy();
             }, $valid_policy_node_set);
         // 3. If the valid_policy_tree includes a node of depth n with
@@ -385,7 +385,7 @@ 
         }
         // for each node in a tree
         $this->_root->walkNodes(
-            function (PolicyNode $node) use (&$set) {
+            function(PolicyNode $node) use (&$set) {
                 $parents = $node->parents();
                 // node has parents
                 if (count($parents)) {

lib/X509/CertificationPath/Policy/PolicyNode.php

Indentation +240 added lines, -240 removed lines

@@ -16,267 +16,267 @@
  */
 class PolicyNode implements \IteratorAggregate, \Countable
 {
-    /**
-     * Policy OID.
-     *
-     * @var string
-     */
-    protected $_validPolicy;
+	/**
+	 * Policy OID.
+	 *
+	 * @var string
+	 */
+	protected $_validPolicy;
 
-    /**
-     * List of qualifiers.
-     *
-     * @var PolicyQualifierInfo[]
-     */
-    protected $_qualifiers;
+	/**
+	 * List of qualifiers.
+	 *
+	 * @var PolicyQualifierInfo[]
+	 */
+	protected $_qualifiers;
 
-    /**
-     * List of expected policy OIDs.
-     *
-     * @var string[]
-     */
-    protected $_expectedPolicies;
+	/**
+	 * List of expected policy OIDs.
+	 *
+	 * @var string[]
+	 */
+	protected $_expectedPolicies;
 
-    /**
-     * List of child nodes.
-     *
-     * @var PolicyNode[]
-     */
-    protected $_children;
+	/**
+	 * List of child nodes.
+	 *
+	 * @var PolicyNode[]
+	 */
+	protected $_children;
 
-    /**
-     * Reference to the parent node.
-     *
-     * @var null|PolicyNode
-     */
-    protected $_parent;
+	/**
+	 * Reference to the parent node.
+	 *
+	 * @var null|PolicyNode
+	 */
+	protected $_parent;
 
-    /**
-     * Constructor.
-     *
-     * @param string                $valid_policy      Policy OID
-     * @param PolicyQualifierInfo[] $qualifiers
-     * @param string[]              $expected_policies
-     */
-    public function __construct(string $valid_policy, array $qualifiers,
-        array $expected_policies)
-    {
-        $this->_validPolicy = $valid_policy;
-        $this->_qualifiers = $qualifiers;
-        $this->_expectedPolicies = $expected_policies;
-        $this->_children = [];
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param string                $valid_policy      Policy OID
+	 * @param PolicyQualifierInfo[] $qualifiers
+	 * @param string[]              $expected_policies
+	 */
+	public function __construct(string $valid_policy, array $qualifiers,
+		array $expected_policies)
+	{
+		$this->_validPolicy = $valid_policy;
+		$this->_qualifiers = $qualifiers;
+		$this->_expectedPolicies = $expected_policies;
+		$this->_children = [];
+	}
 
-    /**
-     * Create initial node for the policy tree.
-     *
-     * @return self
-     */
-    public static function anyPolicyNode(): self
-    {
-        return new self(PolicyInformation::OID_ANY_POLICY, [],
-            [PolicyInformation::OID_ANY_POLICY]);
-    }
+	/**
+	 * Create initial node for the policy tree.
+	 *
+	 * @return self
+	 */
+	public static function anyPolicyNode(): self
+	{
+		return new self(PolicyInformation::OID_ANY_POLICY, [],
+			[PolicyInformation::OID_ANY_POLICY]);
+	}
 
-    /**
-     * Get the valid policy OID.
-     *
-     * @return string
-     */
-    public function validPolicy(): string
-    {
-        return $this->_validPolicy;
-    }
+	/**
+	 * Get the valid policy OID.
+	 *
+	 * @return string
+	 */
+	public function validPolicy(): string
+	{
+		return $this->_validPolicy;
+	}
 
-    /**
-     * Check whether node has anyPolicy as a valid policy.
-     *
-     * @return bool
-     */
-    public function isAnyPolicy(): bool
-    {
-        return PolicyInformation::OID_ANY_POLICY === $this->_validPolicy;
-    }
+	/**
+	 * Check whether node has anyPolicy as a valid policy.
+	 *
+	 * @return bool
+	 */
+	public function isAnyPolicy(): bool
+	{
+		return PolicyInformation::OID_ANY_POLICY === $this->_validPolicy;
+	}
 
-    /**
-     * Get the qualifier set.
-     *
-     * @return PolicyQualifierInfo[]
-     */
-    public function qualifiers(): array
-    {
-        return $this->_qualifiers;
-    }
+	/**
+	 * Get the qualifier set.
+	 *
+	 * @return PolicyQualifierInfo[]
+	 */
+	public function qualifiers(): array
+	{
+		return $this->_qualifiers;
+	}
 
-    /**
-     * Check whether node has OID as an expected policy.
-     *
-     * @param string $oid
-     *
-     * @return bool
-     */
-    public function hasExpectedPolicy(string $oid): bool
-    {
-        return in_array($oid, $this->_expectedPolicies);
-    }
+	/**
+	 * Check whether node has OID as an expected policy.
+	 *
+	 * @param string $oid
+	 *
+	 * @return bool
+	 */
+	public function hasExpectedPolicy(string $oid): bool
+	{
+		return in_array($oid, $this->_expectedPolicies);
+	}
 
-    /**
-     * Get the expected policy set.
-     *
-     * @return string[]
-     */
-    public function expectedPolicies(): array
-    {
-        return $this->_expectedPolicies;
-    }
+	/**
+	 * Get the expected policy set.
+	 *
+	 * @return string[]
+	 */
+	public function expectedPolicies(): array
+	{
+		return $this->_expectedPolicies;
+	}
 
-    /**
-     * Set expected policies.
-     *
-     * @param string ...$oids Policy OIDs
-     */
-    public function setExpectedPolicies(string ...$oids): void
-    {
-        $this->_expectedPolicies = $oids;
-    }
+	/**
+	 * Set expected policies.
+	 *
+	 * @param string ...$oids Policy OIDs
+	 */
+	public function setExpectedPolicies(string ...$oids): void
+	{
+		$this->_expectedPolicies = $oids;
+	}
 
-    /**
-     * Check whether node has a child node with given valid policy OID.
-     *
-     * @param string $oid
-     *
-     * @return bool
-     */
-    public function hasChildWithValidPolicy(string $oid): bool
-    {
-        foreach ($this->_children as $node) {
-            if ($node->validPolicy() == $oid) {
-                return true;
-            }
-        }
-        return false;
-    }
+	/**
+	 * Check whether node has a child node with given valid policy OID.
+	 *
+	 * @param string $oid
+	 *
+	 * @return bool
+	 */
+	public function hasChildWithValidPolicy(string $oid): bool
+	{
+		foreach ($this->_children as $node) {
+			if ($node->validPolicy() == $oid) {
+				return true;
+			}
+		}
+		return false;
+	}
 
-    /**
-     * Add child node.
-     *
-     * @param PolicyNode $node
-     *
-     * @return self
-     */
-    public function addChild(PolicyNode $node): self
-    {
-        $id = spl_object_hash($node);
-        $node->_parent = $this;
-        $this->_children[$id] = $node;
-        return $this;
-    }
+	/**
+	 * Add child node.
+	 *
+	 * @param PolicyNode $node
+	 *
+	 * @return self
+	 */
+	public function addChild(PolicyNode $node): self
+	{
+		$id = spl_object_hash($node);
+		$node->_parent = $this;
+		$this->_children[$id] = $node;
+		return $this;
+	}
 
-    /**
-     * Get the child nodes.
-     *
-     * @return PolicyNode[]
-     */
-    public function children(): array
-    {
-        return array_values($this->_children);
-    }
+	/**
+	 * Get the child nodes.
+	 *
+	 * @return PolicyNode[]
+	 */
+	public function children(): array
+	{
+		return array_values($this->_children);
+	}
 
-    /**
-     * Remove this node from the tree.
-     *
-     * @return self The removed node
-     */
-    public function remove(): self
-    {
-        if ($this->_parent) {
-            $id = spl_object_hash($this);
-            unset($this->_parent->_children[$id], $this->_parent);
-        }
-        return $this;
-    }
+	/**
+	 * Remove this node from the tree.
+	 *
+	 * @return self The removed node
+	 */
+	public function remove(): self
+	{
+		if ($this->_parent) {
+			$id = spl_object_hash($this);
+			unset($this->_parent->_children[$id], $this->_parent);
+		}
+		return $this;
+	}
 
-    /**
-     * Check whether node has a parent.
-     *
-     * @return bool
-     */
-    public function hasParent(): bool
-    {
-        return isset($this->_parent);
-    }
+	/**
+	 * Check whether node has a parent.
+	 *
+	 * @return bool
+	 */
+	public function hasParent(): bool
+	{
+		return isset($this->_parent);
+	}
 
-    /**
-     * Get the parent node.
-     *
-     * @return null|PolicyNode
-     */
-    public function parent(): ?PolicyNode
-    {
-        return $this->_parent;
-    }
+	/**
+	 * Get the parent node.
+	 *
+	 * @return null|PolicyNode
+	 */
+	public function parent(): ?PolicyNode
+	{
+		return $this->_parent;
+	}
 
-    /**
-     * Get chain of parent nodes from this node's parent to the root node.
-     *
-     * @return PolicyNode[]
-     */
-    public function parents(): array
-    {
-        if (!$this->_parent) {
-            return [];
-        }
-        $nodes = $this->_parent->parents();
-        $nodes[] = $this->_parent;
-        return array_reverse($nodes);
-    }
+	/**
+	 * Get chain of parent nodes from this node's parent to the root node.
+	 *
+	 * @return PolicyNode[]
+	 */
+	public function parents(): array
+	{
+		if (!$this->_parent) {
+			return [];
+		}
+		$nodes = $this->_parent->parents();
+		$nodes[] = $this->_parent;
+		return array_reverse($nodes);
+	}
 
-    /**
-     * Walk tree from this node, applying a callback for each node.
-     *
-     * Nodes are traversed depth-first and callback shall be applied post-order.
-     *
-     * @param callable $fn
-     */
-    public function walkNodes(callable $fn): void
-    {
-        foreach ($this->_children as $node) {
-            $node->walkNodes($fn);
-        }
-        $fn($this);
-    }
+	/**
+	 * Walk tree from this node, applying a callback for each node.
+	 *
+	 * Nodes are traversed depth-first and callback shall be applied post-order.
+	 *
+	 * @param callable $fn
+	 */
+	public function walkNodes(callable $fn): void
+	{
+		foreach ($this->_children as $node) {
+			$node->walkNodes($fn);
+		}
+		$fn($this);
+	}
 
-    /**
-     * Get the total number of nodes in a tree.
-     *
-     * @return int
-     */
-    public function nodeCount(): int
-    {
-        $c = 1;
-        foreach ($this->_children as $child) {
-            $c += $child->nodeCount();
-        }
-        return $c;
-    }
+	/**
+	 * Get the total number of nodes in a tree.
+	 *
+	 * @return int
+	 */
+	public function nodeCount(): int
+	{
+		$c = 1;
+		foreach ($this->_children as $child) {
+			$c += $child->nodeCount();
+		}
+		return $c;
+	}
 
-    /**
-     * Get the number of child nodes.
-     *
-     * @see \Countable::count()
-     */
-    public function count(): int
-    {
-        return count($this->_children);
-    }
+	/**
+	 * Get the number of child nodes.
+	 *
+	 * @see \Countable::count()
+	 */
+	public function count(): int
+	{
+		return count($this->_children);
+	}
 
-    /**
-     * Get iterator for the child nodes.
-     *
-     * @see \IteratorAggregate::getIterator()
-     */
-    public function getIterator(): \ArrayIterator
-    {
-        return new \ArrayIterator($this->_children);
-    }
+	/**
+	 * Get iterator for the child nodes.
+	 *
+	 * @see \IteratorAggregate::getIterator()
+	 */
+	public function getIterator(): \ArrayIterator
+	{
+		return new \ArrayIterator($this->_children);
+	}
 }

Spacing +1 added lines, -1 removed lines

@@ -1,6 +1,6 @@
 <?php
 
-declare(strict_types = 1);
+declare(strict_types=1);
 
 namespace Sop\X509\CertificationPath\Policy;
 

lib/X509/CertificationPath/CertificationPath.php

Indentation +174 added lines, -174 removed lines

@@ -24,178 +24,178 @@
  */
 class CertificationPath implements \Countable, \IteratorAggregate
 {
-    /**
-     * Certification path.
-     *
-     * @var Certificate[]
-     */
-    protected $_certificates;
-
-    /**
-     * Constructor.
-     *
-     * @param Certificate ...$certificates Certificates from the trust anchor
-     *                                     to the target end-entity certificate
-     */
-    public function __construct(Certificate ...$certificates)
-    {
-        $this->_certificates = $certificates;
-    }
-
-    /**
-     * Initialize from a certificate chain.
-     *
-     * @param CertificateChain $chain
-     *
-     * @return self
-     */
-    public static function fromCertificateChain(CertificateChain $chain): self
-    {
-        return new self(...array_reverse($chain->certificates(), false));
-    }
-
-    /**
-     * Build certification path to given target.
-     *
-     * @param Certificate            $target        Target end-entity certificate
-     * @param CertificateBundle      $trust_anchors List of trust anchors
-     * @param null|CertificateBundle $intermediate  Optional intermediate certificates
-     *
-     * @return self
-     */
-    public static function toTarget(Certificate $target,
-        CertificateBundle $trust_anchors, ?CertificateBundle $intermediate = null): self
-    {
-        $builder = new CertificationPathBuilder($trust_anchors);
-        return $builder->shortestPathToTarget($target, $intermediate);
-    }
-
-    /**
-     * Build certification path from given trust anchor to target certificate,
-     * using intermediate certificates from given bundle.
-     *
-     * @param Certificate            $trust_anchor Trust anchor certificate
-     * @param Certificate            $target       Target end-entity certificate
-     * @param null|CertificateBundle $intermediate Optional intermediate certificates
-     *
-     * @return self
-     */
-    public static function fromTrustAnchorToTarget(Certificate $trust_anchor,
-        Certificate $target, ?CertificateBundle $intermediate = null): self
-    {
-        return self::toTarget($target, new CertificateBundle($trust_anchor),
-            $intermediate);
-    }
-
-    /**
-     * Get certificates.
-     *
-     * @return Certificate[]
-     */
-    public function certificates(): array
-    {
-        return $this->_certificates;
-    }
-
-    /**
-     * Get the trust anchor certificate from the path.
-     *
-     * @throws \LogicException If path is empty
-     *
-     * @return Certificate
-     */
-    public function trustAnchorCertificate(): Certificate
-    {
-        if (!count($this->_certificates)) {
-            throw new \LogicException('No certificates.');
-        }
-        return $this->_certificates[0];
-    }
-
-    /**
-     * Get the end-entity certificate from the path.
-     *
-     * @throws \LogicException If path is empty
-     *
-     * @return Certificate
-     */
-    public function endEntityCertificate(): Certificate
-    {
-        if (!count($this->_certificates)) {
-            throw new \LogicException('No certificates.');
-        }
-        return $this->_certificates[count($this->_certificates) - 1];
-    }
-
-    /**
-     * Get certification path as a certificate chain.
-     *
-     * @return CertificateChain
-     */
-    public function certificateChain(): CertificateChain
-    {
-        return new CertificateChain(...array_reverse($this->_certificates, false));
-    }
-
-    /**
-     * Check whether certification path starts with one ore more given
-     * certificates in parameter order.
-     *
-     * @param Certificate ...$certs Certificates
-     *
-     * @return true
-     */
-    public function startsWith(Certificate ...$certs): bool
-    {
-        $n = count($certs);
-        if ($n > count($this->_certificates)) {
-            return false;
-        }
-        for ($i = 0; $i < $n; ++$i) {
-            if (!$certs[$i]->equals($this->_certificates[$i])) {
-                return false;
-            }
-        }
-        return true;
-    }
-
-    /**
-     * Validate certification path.
-     *
-     * @param PathValidationConfig $config
-     * @param null|Crypto          $crypto Crypto engine, use default if not set
-     *
-     * @throws Exception\PathValidationException
-     *
-     * @return PathValidationResult
-     */
-    public function validate(PathValidationConfig $config,
-        ?Crypto $crypto = null): PathValidationResult
-    {
-        $crypto = $crypto ?? Crypto::getDefault();
-        $validator = new PathValidator($crypto, $config, ...$this->_certificates);
-        return $validator->validate();
-    }
-
-    /**
-     * @see \Countable::count()
-     *
-     * @return int
-     */
-    public function count(): int
-    {
-        return count($this->_certificates);
-    }
-
-    /**
-     * Get iterator for certificates.
-     *
-     * @see \IteratorAggregate::getIterator()
-     *
-     * @return \ArrayIterator
-     */
-    public function getIterator(): \ArrayIterator
-    {
-        return new \ArrayIterator($this->_certificates);
-    }
+	/**
+	 * Certification path.
+	 *
+	 * @var Certificate[]
+	 */
+	protected $_certificates;
+
+	/**
+	 * Constructor.
+	 *
+	 * @param Certificate ...$certificates Certificates from the trust anchor
+	 *                                     to the target end-entity certificate
+	 */
+	public function __construct(Certificate ...$certificates)
+	{
+		$this->_certificates = $certificates;
+	}
+
+	/**
+	 * Initialize from a certificate chain.
+	 *
+	 * @param CertificateChain $chain
+	 *
+	 * @return self
+	 */
+	public static function fromCertificateChain(CertificateChain $chain): self
+	{
+		return new self(...array_reverse($chain->certificates(), false));
+	}
+
+	/**
+	 * Build certification path to given target.
+	 *
+	 * @param Certificate            $target        Target end-entity certificate
+	 * @param CertificateBundle      $trust_anchors List of trust anchors
+	 * @param null|CertificateBundle $intermediate  Optional intermediate certificates
+	 *
+	 * @return self
+	 */
+	public static function toTarget(Certificate $target,
+		CertificateBundle $trust_anchors, ?CertificateBundle $intermediate = null): self
+	{
+		$builder = new CertificationPathBuilder($trust_anchors);
+		return $builder->shortestPathToTarget($target, $intermediate);
+	}
+
+	/**
+	 * Build certification path from given trust anchor to target certificate,
+	 * using intermediate certificates from given bundle.
+	 *
+	 * @param Certificate            $trust_anchor Trust anchor certificate
+	 * @param Certificate            $target       Target end-entity certificate
+	 * @param null|CertificateBundle $intermediate Optional intermediate certificates
+	 *
+	 * @return self
+	 */
+	public static function fromTrustAnchorToTarget(Certificate $trust_anchor,
+		Certificate $target, ?CertificateBundle $intermediate = null): self
+	{
+		return self::toTarget($target, new CertificateBundle($trust_anchor),
+			$intermediate);
+	}
+
+	/**
+	 * Get certificates.
+	 *
+	 * @return Certificate[]
+	 */
+	public function certificates(): array
+	{
+		return $this->_certificates;
+	}
+
+	/**
+	 * Get the trust anchor certificate from the path.
+	 *
+	 * @throws \LogicException If path is empty
+	 *
+	 * @return Certificate
+	 */
+	public function trustAnchorCertificate(): Certificate
+	{
+		if (!count($this->_certificates)) {
+			throw new \LogicException('No certificates.');
+		}
+		return $this->_certificates[0];
+	}
+
+	/**
+	 * Get the end-entity certificate from the path.
+	 *
+	 * @throws \LogicException If path is empty
+	 *
+	 * @return Certificate
+	 */
+	public function endEntityCertificate(): Certificate
+	{
+		if (!count($this->_certificates)) {
+			throw new \LogicException('No certificates.');
+		}
+		return $this->_certificates[count($this->_certificates) - 1];
+	}
+
+	/**
+	 * Get certification path as a certificate chain.
+	 *
+	 * @return CertificateChain
+	 */
+	public function certificateChain(): CertificateChain
+	{
+		return new CertificateChain(...array_reverse($this->_certificates, false));
+	}
+
+	/**
+	 * Check whether certification path starts with one ore more given
+	 * certificates in parameter order.
+	 *
+	 * @param Certificate ...$certs Certificates
+	 *
+	 * @return true
+	 */
+	public function startsWith(Certificate ...$certs): bool
+	{
+		$n = count($certs);
+		if ($n > count($this->_certificates)) {
+			return false;
+		}
+		for ($i = 0; $i < $n; ++$i) {
+			if (!$certs[$i]->equals($this->_certificates[$i])) {
+				return false;
+			}
+		}
+		return true;
+	}
+
+	/**
+	 * Validate certification path.
+	 *
+	 * @param PathValidationConfig $config
+	 * @param null|Crypto          $crypto Crypto engine, use default if not set
+	 *
+	 * @throws Exception\PathValidationException
+	 *
+	 * @return PathValidationResult
+	 */
+	public function validate(PathValidationConfig $config,
+		?Crypto $crypto = null): PathValidationResult
+	{
+		$crypto = $crypto ?? Crypto::getDefault();
+		$validator = new PathValidator($crypto, $config, ...$this->_certificates);
+		return $validator->validate();
+	}
+
+	/**
+	 * @see \Countable::count()
+	 *
+	 * @return int
+	 */
+	public function count(): int
+	{
+		return count($this->_certificates);
+	}
+
+	/**
+	 * Get iterator for certificates.
+	 *
+	 * @see \IteratorAggregate::getIterator()
+	 *
+	 * @return \ArrayIterator
+	 */
+	public function getIterator(): \ArrayIterator
+	{
+		return new \ArrayIterator($this->_certificates);
+	}
 }

Spacing +1 added lines, -1 removed lines

@@ -1,6 +1,6 @@
 <?php
 
-declare(strict_types = 1);
+declare(strict_types=1);
 
 namespace Sop\X509\CertificationPath;
 

lib/X509/CertificationPath/Exception/PathBuildingException.php

Spacing +1 added lines, -1 removed lines

@@ -1,6 +1,6 @@
 <?php
 
-declare(strict_types = 1);
+declare(strict_types=1);
 
 namespace Sop\X509\CertificationPath\Exception;
 

lib/X509/CertificationPath/Exception/PathValidationException.php

Spacing +1 added lines, -1 removed lines

@@ -1,6 +1,6 @@
 <?php
 
-declare(strict_types = 1);
+declare(strict_types=1);
 
 namespace Sop\X509\CertificationPath\Exception;
 

lib/X509/AttributeCertificate/Validation/ACValidationConfig.php

Indentation +100 added lines, -100 removed lines

@@ -12,114 +12,114 @@
  */
 class ACValidationConfig
 {
-    /**
-     * Certification path of the AC holder.
-     *
-     * @var CertificationPath
-     */
-    protected $_holderPath;
+	/**
+	 * Certification path of the AC holder.
+	 *
+	 * @var CertificationPath
+	 */
+	protected $_holderPath;
 
-    /**
-     * Certification path of the AC issuer.
-     *
-     * @var CertificationPath
-     */
-    protected $_issuerPath;
+	/**
+	 * Certification path of the AC issuer.
+	 *
+	 * @var CertificationPath
+	 */
+	protected $_issuerPath;
 
-    /**
-     * Evaluation reference time.
-     *
-     * @var \DateTimeImmutable
-     */
-    protected $_evalTime;
+	/**
+	 * Evaluation reference time.
+	 *
+	 * @var \DateTimeImmutable
+	 */
+	protected $_evalTime;
 
-    /**
-     * Permitted targets.
-     *
-     * @var Target[]
-     */
-    protected $_targets;
+	/**
+	 * Permitted targets.
+	 *
+	 * @var Target[]
+	 */
+	protected $_targets;
 
-    /**
-     * Constructor.
-     *
-     * @param CertificationPath $holder_path Certification path of the AC holder
-     * @param CertificationPath $issuer_path Certification path of the AC issuer
-     */
-    public function __construct(CertificationPath $holder_path,
-        CertificationPath $issuer_path)
-    {
-        $this->_holderPath = $holder_path;
-        $this->_issuerPath = $issuer_path;
-        $this->_evalTime = new \DateTimeImmutable();
-        $this->_targets = [];
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param CertificationPath $holder_path Certification path of the AC holder
+	 * @param CertificationPath $issuer_path Certification path of the AC issuer
+	 */
+	public function __construct(CertificationPath $holder_path,
+		CertificationPath $issuer_path)
+	{
+		$this->_holderPath = $holder_path;
+		$this->_issuerPath = $issuer_path;
+		$this->_evalTime = new \DateTimeImmutable();
+		$this->_targets = [];
+	}
 
-    /**
-     * Get certification path of the AC's holder.
-     *
-     * @return CertificationPath
-     */
-    public function holderPath(): CertificationPath
-    {
-        return $this->_holderPath;
-    }
+	/**
+	 * Get certification path of the AC's holder.
+	 *
+	 * @return CertificationPath
+	 */
+	public function holderPath(): CertificationPath
+	{
+		return $this->_holderPath;
+	}
 
-    /**
-     * Get certification path of the AC's issuer.
-     *
-     * @return CertificationPath
-     */
-    public function issuerPath(): CertificationPath
-    {
-        return $this->_issuerPath;
-    }
+	/**
+	 * Get certification path of the AC's issuer.
+	 *
+	 * @return CertificationPath
+	 */
+	public function issuerPath(): CertificationPath
+	{
+		return $this->_issuerPath;
+	}
 
-    /**
-     * Get self with given evaluation reference time.
-     *
-     * @param \DateTimeImmutable $dt
-     *
-     * @return self
-     */
-    public function withEvaluationTime(\DateTimeImmutable $dt): self
-    {
-        $obj = clone $this;
-        $obj->_evalTime = $dt;
-        return $obj;
-    }
+	/**
+	 * Get self with given evaluation reference time.
+	 *
+	 * @param \DateTimeImmutable $dt
+	 *
+	 * @return self
+	 */
+	public function withEvaluationTime(\DateTimeImmutable $dt): self
+	{
+		$obj = clone $this;
+		$obj->_evalTime = $dt;
+		return $obj;
+	}
 
-    /**
-     * Get the evaluation reference time.
-     *
-     * @return \DateTimeImmutable
-     */
-    public function evaluationTime(): \DateTimeImmutable
-    {
-        return $this->_evalTime;
-    }
+	/**
+	 * Get the evaluation reference time.
+	 *
+	 * @return \DateTimeImmutable
+	 */
+	public function evaluationTime(): \DateTimeImmutable
+	{
+		return $this->_evalTime;
+	}
 
-    /**
-     * Get self with permitted targets.
-     *
-     * @param Target ...$targets
-     *
-     * @return self
-     */
-    public function withTargets(Target ...$targets): self
-    {
-        $obj = clone $this;
-        $obj->_targets = $targets;
-        return $obj;
-    }
+	/**
+	 * Get self with permitted targets.
+	 *
+	 * @param Target ...$targets
+	 *
+	 * @return self
+	 */
+	public function withTargets(Target ...$targets): self
+	{
+		$obj = clone $this;
+		$obj->_targets = $targets;
+		return $obj;
+	}
 
-    /**
-     * Get array of permitted targets.
-     *
-     * @return Target[]
-     */
-    public function targets(): array
-    {
-        return $this->_targets;
-    }
+	/**
+	 * Get array of permitted targets.
+	 *
+	 * @return Target[]
+	 */
+	public function targets(): array
+	{
+		return $this->_targets;
+	}
 }

Spacing +1 added lines, -1 removed lines

@@ -1,6 +1,6 @@
 <?php
 
-declare(strict_types = 1);
+declare(strict_types=1);
 
 namespace Sop\X509\AttributeCertificate\Validation;
 

lib/X509/AttributeCertificate/Validation/Exception/ACValidationException.php

Spacing +1 added lines, -1 removed lines

@@ -1,6 +1,6 @@
 <?php
 
-declare(strict_types = 1);
+declare(strict_types=1);
 
 namespace Sop\X509\AttributeCertificate\Validation\Exception;
 

lib/X509/AttributeCertificate/Validation/ACValidator.php

Indentation +172 added lines, -172 removed lines

@@ -21,186 +21,186 @@
  */
 class ACValidator
 {
-    /**
-     * Attribute certificate.
-     *
-     * @var AttributeCertificate
-     */
-    protected $_ac;
+	/**
+	 * Attribute certificate.
+	 *
+	 * @var AttributeCertificate
+	 */
+	protected $_ac;
 
-    /**
-     * Validation configuration.
-     *
-     * @var ACValidationConfig
-     */
-    protected $_config;
+	/**
+	 * Validation configuration.
+	 *
+	 * @var ACValidationConfig
+	 */
+	protected $_config;
 
-    /**
-     * Crypto engine.
-     *
-     * @var Crypto
-     */
-    protected $_crypto;
+	/**
+	 * Crypto engine.
+	 *
+	 * @var Crypto
+	 */
+	protected $_crypto;
 
-    /**
-     * Constructor.
-     *
-     * @param AttributeCertificate $ac     Attribute certificate to validate
-     * @param ACValidationConfig   $config Validation configuration
-     * @param null|Crypto          $crypto Crypto engine, use default if not set
-     */
-    public function __construct(AttributeCertificate $ac,
-        ACValidationConfig $config, ?Crypto $crypto = null)
-    {
-        $this->_ac = $ac;
-        $this->_config = $config;
-        $this->_crypto = $crypto ?? Crypto::getDefault();
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param AttributeCertificate $ac     Attribute certificate to validate
+	 * @param ACValidationConfig   $config Validation configuration
+	 * @param null|Crypto          $crypto Crypto engine, use default if not set
+	 */
+	public function __construct(AttributeCertificate $ac,
+		ACValidationConfig $config, ?Crypto $crypto = null)
+	{
+		$this->_ac = $ac;
+		$this->_config = $config;
+		$this->_crypto = $crypto ?? Crypto::getDefault();
+	}
 
-    /**
-     * Validate attribute certificate.
-     *
-     * @throws ACValidationException If validation fails
-     *
-     * @return AttributeCertificate Validated AC
-     */
-    public function validate(): AttributeCertificate
-    {
-        $this->_validateHolder();
-        $issuer = $this->_verifyIssuer();
-        $this->_validateIssuerProfile($issuer);
-        $this->_validateTime();
-        $this->_validateTargeting();
-        return $this->_ac;
-    }
+	/**
+	 * Validate attribute certificate.
+	 *
+	 * @throws ACValidationException If validation fails
+	 *
+	 * @return AttributeCertificate Validated AC
+	 */
+	public function validate(): AttributeCertificate
+	{
+		$this->_validateHolder();
+		$issuer = $this->_verifyIssuer();
+		$this->_validateIssuerProfile($issuer);
+		$this->_validateTime();
+		$this->_validateTargeting();
+		return $this->_ac;
+	}
 
-    /**
-     * Validate AC holder's certification.
-     *
-     * @throws ACValidationException
-     *
-     * @return Certificate Certificate of the AC's holder
-     */
-    private function _validateHolder(): Certificate
-    {
-        $path = $this->_config->holderPath();
-        $config = PathValidationConfig::defaultConfig()
-            ->withMaxLength(count($path))
-            ->withDateTime($this->_config->evaluationTime());
-        try {
-            $holder = $path->validate($config, $this->_crypto)->certificate();
-        } catch (PathValidationException $e) {
-            throw new ACValidationException(
-                "Failed to validate holder PKC's certification path.", 0, $e);
-        }
-        if (!$this->_ac->isHeldBy($holder)) {
-            throw new ACValidationException("Name mismatch of AC's holder PKC.");
-        }
-        return $holder;
-    }
+	/**
+	 * Validate AC holder's certification.
+	 *
+	 * @throws ACValidationException
+	 *
+	 * @return Certificate Certificate of the AC's holder
+	 */
+	private function _validateHolder(): Certificate
+	{
+		$path = $this->_config->holderPath();
+		$config = PathValidationConfig::defaultConfig()
+			->withMaxLength(count($path))
+			->withDateTime($this->_config->evaluationTime());
+		try {
+			$holder = $path->validate($config, $this->_crypto)->certificate();
+		} catch (PathValidationException $e) {
+			throw new ACValidationException(
+				"Failed to validate holder PKC's certification path.", 0, $e);
+		}
+		if (!$this->_ac->isHeldBy($holder)) {
+			throw new ACValidationException("Name mismatch of AC's holder PKC.");
+		}
+		return $holder;
+	}
 
-    /**
-     * Verify AC's signature and issuer's certification.
-     *
-     * @throws ACValidationException
-     *
-     * @return Certificate Certificate of the AC's issuer
-     */
-    private function _verifyIssuer(): Certificate
-    {
-        $path = $this->_config->issuerPath();
-        $config = PathValidationConfig::defaultConfig()
-            ->withMaxLength(count($path))
-            ->withDateTime($this->_config->evaluationTime());
-        try {
-            $issuer = $path->validate($config, $this->_crypto)->certificate();
-        } catch (PathValidationException $e) {
-            throw new ACValidationException(
-                "Failed to validate issuer PKC's certification path.", 0, $e);
-        }
-        if (!$this->_ac->isIssuedBy($issuer)) {
-            throw new ACValidationException("Name mismatch of AC's issuer PKC.");
-        }
-        $pubkey_info = $issuer->tbsCertificate()->subjectPublicKeyInfo();
-        if (!$this->_ac->verify($pubkey_info, $this->_crypto)) {
-            throw new ACValidationException('Failed to verify signature.');
-        }
-        return $issuer;
-    }
+	/**
+	 * Verify AC's signature and issuer's certification.
+	 *
+	 * @throws ACValidationException
+	 *
+	 * @return Certificate Certificate of the AC's issuer
+	 */
+	private function _verifyIssuer(): Certificate
+	{
+		$path = $this->_config->issuerPath();
+		$config = PathValidationConfig::defaultConfig()
+			->withMaxLength(count($path))
+			->withDateTime($this->_config->evaluationTime());
+		try {
+			$issuer = $path->validate($config, $this->_crypto)->certificate();
+		} catch (PathValidationException $e) {
+			throw new ACValidationException(
+				"Failed to validate issuer PKC's certification path.", 0, $e);
+		}
+		if (!$this->_ac->isIssuedBy($issuer)) {
+			throw new ACValidationException("Name mismatch of AC's issuer PKC.");
+		}
+		$pubkey_info = $issuer->tbsCertificate()->subjectPublicKeyInfo();
+		if (!$this->_ac->verify($pubkey_info, $this->_crypto)) {
+			throw new ACValidationException('Failed to verify signature.');
+		}
+		return $issuer;
+	}
 
-    /**
-     * Validate AC issuer's profile.
-     *
-     * @see https://tools.ietf.org/html/rfc5755#section-4.5
-     *
-     * @param Certificate $cert
-     *
-     * @throws ACValidationException
-     */
-    private function _validateIssuerProfile(Certificate $cert): void
-    {
-        $exts = $cert->tbsCertificate()->extensions();
-        if ($exts->hasKeyUsage() && !$exts->keyUsage()->isDigitalSignature()) {
-            throw new ACValidationException(
-                "Issuer PKC's Key Usage extension doesn't permit" .
-                     ' verification of digital signatures.');
-        }
-        if ($exts->hasBasicConstraints() && $exts->basicConstraints()->isCA()) {
-            throw new ACValidationException('Issuer PKC must not be a CA.');
-        }
-    }
+	/**
+	 * Validate AC issuer's profile.
+	 *
+	 * @see https://tools.ietf.org/html/rfc5755#section-4.5
+	 *
+	 * @param Certificate $cert
+	 *
+	 * @throws ACValidationException
+	 */
+	private function _validateIssuerProfile(Certificate $cert): void
+	{
+		$exts = $cert->tbsCertificate()->extensions();
+		if ($exts->hasKeyUsage() && !$exts->keyUsage()->isDigitalSignature()) {
+			throw new ACValidationException(
+				"Issuer PKC's Key Usage extension doesn't permit" .
+					 ' verification of digital signatures.');
+		}
+		if ($exts->hasBasicConstraints() && $exts->basicConstraints()->isCA()) {
+			throw new ACValidationException('Issuer PKC must not be a CA.');
+		}
+	}
 
-    /**
-     * Validate AC's validity period.
-     *
-     * @throws ACValidationException
-     */
-    private function _validateTime(): void
-    {
-        $t = $this->_config->evaluationTime();
-        $validity = $this->_ac->acinfo()->validityPeriod();
-        if ($validity->notBeforeTime()->diff($t)->invert) {
-            throw new ACValidationException('Validity period has not started.');
-        }
-        if ($t->diff($validity->notAfterTime())->invert) {
-            throw new ACValidationException('Attribute certificate has expired.');
-        }
-    }
+	/**
+	 * Validate AC's validity period.
+	 *
+	 * @throws ACValidationException
+	 */
+	private function _validateTime(): void
+	{
+		$t = $this->_config->evaluationTime();
+		$validity = $this->_ac->acinfo()->validityPeriod();
+		if ($validity->notBeforeTime()->diff($t)->invert) {
+			throw new ACValidationException('Validity period has not started.');
+		}
+		if ($t->diff($validity->notAfterTime())->invert) {
+			throw new ACValidationException('Attribute certificate has expired.');
+		}
+	}
 
-    /**
-     * Validate AC's target information.
-     *
-     * @throws ACValidationException
-     */
-    private function _validateTargeting(): void
-    {
-        $exts = $this->_ac->acinfo()->extensions();
-        // if target information extension is not present
-        if (!$exts->has(Extension::OID_TARGET_INFORMATION)) {
-            return;
-        }
-        $ext = $exts->get(Extension::OID_TARGET_INFORMATION);
-        if ($ext instanceof TargetInformationExtension &&
-            !$this->_hasMatchingTarget($ext->targets())) {
-            throw new ACValidationException(
-                "Attribute certificate doesn't have a matching target.");
-        }
-    }
+	/**
+	 * Validate AC's target information.
+	 *
+	 * @throws ACValidationException
+	 */
+	private function _validateTargeting(): void
+	{
+		$exts = $this->_ac->acinfo()->extensions();
+		// if target information extension is not present
+		if (!$exts->has(Extension::OID_TARGET_INFORMATION)) {
+			return;
+		}
+		$ext = $exts->get(Extension::OID_TARGET_INFORMATION);
+		if ($ext instanceof TargetInformationExtension &&
+			!$this->_hasMatchingTarget($ext->targets())) {
+			throw new ACValidationException(
+				"Attribute certificate doesn't have a matching target.");
+		}
+	}
 
-    /**
-     * Check whether validation configuration has matching targets.
-     *
-     * @param Targets $targets Set of eligible targets
-     *
-     * @return bool
-     */
-    private function _hasMatchingTarget(Targets $targets): bool
-    {
-        foreach ($this->_config->targets() as $target) {
-            if ($targets->hasTarget($target)) {
-                return true;
-            }
-        }
-        return false;
-    }
+	/**
+	 * Check whether validation configuration has matching targets.
+	 *
+	 * @param Targets $targets Set of eligible targets
+	 *
+	 * @return bool
+	 */
+	private function _hasMatchingTarget(Targets $targets): bool
+	{
+		foreach ($this->_config->targets() as $target) {
+			if ($targets->hasTarget($target)) {
+				return true;
+			}
+		}
+		return false;
+	}
 }

Spacing +1 added lines, -1 removed lines

@@ -1,6 +1,6 @@
 <?php
 
-declare(strict_types = 1);
+declare(strict_types=1);
 
 namespace Sop\X509\AttributeCertificate\Validation;
 

lib/X509/AttributeCertificate/AttributeCertificateInfo.php

Indentation +446 added lines, -446 removed lines

@@ -22,450 +22,450 @@
  */
 class AttributeCertificateInfo
 {
-    const VERSION_2 = 1;
-
-    /**
-     * AC version.
-     *
-     * @var int
-     */
-    protected $_version;
-
-    /**
-     * AC holder.
-     *
-     * @var Holder
-     */
-    protected $_holder;
-
-    /**
-     * AC issuer.
-     *
-     * @var AttCertIssuer
-     */
-    protected $_issuer;
-
-    /**
-     * Signature algorithm identifier.
-     *
-     * @var SignatureAlgorithmIdentifier
-     */
-    protected $_signature;
-
-    /**
-     * AC serial number as a base 10 integer.
-     *
-     * @var string
-     */
-    protected $_serialNumber;
-
-    /**
-     * Validity period.
-     *
-     * @var AttCertValidityPeriod
-     */
-    protected $_attrCertValidityPeriod;
-
-    /**
-     * Attributes.
-     *
-     * @var Attributes
-     */
-    protected $_attributes;
-
-    /**
-     * Issuer unique identifier.
-     *
-     * @var null|UniqueIdentifier
-     */
-    protected $_issuerUniqueID;
-
-    /**
-     * Extensions.
-     *
-     * @var Extensions
-     */
-    protected $_extensions;
-
-    /**
-     * Constructor.
-     *
-     * @param Holder                $holder   AC holder
-     * @param AttCertIssuer         $issuer   AC issuer
-     * @param AttCertValidityPeriod $validity Validity
-     * @param Attributes            $attribs  Attributes
-     */
-    public function __construct(Holder $holder, AttCertIssuer $issuer,
-        AttCertValidityPeriod $validity, Attributes $attribs)
-    {
-        $this->_version = self::VERSION_2;
-        $this->_holder = $holder;
-        $this->_issuer = $issuer;
-        $this->_attrCertValidityPeriod = $validity;
-        $this->_attributes = $attribs;
-        $this->_extensions = new Extensions();
-    }
-
-    /**
-     * Initialize from ASN.1.
-     *
-     * @param Sequence $seq
-     *
-     * @throws \UnexpectedValueException
-     *
-     * @return self
-     */
-    public static function fromASN1(Sequence $seq): self
-    {
-        $idx = 0;
-        $version = $seq->at($idx++)->asInteger()->intNumber();
-        if (self::VERSION_2 !== $version) {
-            throw new \UnexpectedValueException('Version must be 2.');
-        }
-        $holder = Holder::fromASN1($seq->at($idx++)->asSequence());
-        $issuer = AttCertIssuer::fromASN1($seq->at($idx++));
-        $signature = AlgorithmIdentifier::fromASN1($seq->at($idx++)->asSequence());
-        if (!$signature instanceof SignatureAlgorithmIdentifier) {
-            throw new \UnexpectedValueException(
-                'Unsupported signature algorithm ' . $signature->oid() . '.');
-        }
-        $serial = $seq->at($idx++)->asInteger()->number();
-        $validity = AttCertValidityPeriod::fromASN1($seq->at($idx++)->asSequence());
-        $attribs = Attributes::fromASN1($seq->at($idx++)->asSequence());
-        $obj = new self($holder, $issuer, $validity, $attribs);
-        $obj->_signature = $signature;
-        $obj->_serialNumber = $serial;
-        if ($seq->has($idx, Element::TYPE_BIT_STRING)) {
-            $obj->_issuerUniqueID = UniqueIdentifier::fromASN1(
-                $seq->at($idx++)->asBitString());
-        }
-        if ($seq->has($idx, Element::TYPE_SEQUENCE)) {
-            $obj->_extensions = Extensions::fromASN1(
-                $seq->at($idx++)->asSequence());
-        }
-        return $obj;
-    }
-
-    /**
-     * Get self with holder.
-     *
-     * @param Holder $holder
-     *
-     * @return self
-     */
-    public function withHolder(Holder $holder): self
-    {
-        $obj = clone $this;
-        $obj->_holder = $holder;
-        return $obj;
-    }
-
-    /**
-     * Get self with issuer.
-     *
-     * @param AttCertIssuer $issuer
-     *
-     * @return self
-     */
-    public function withIssuer(AttCertIssuer $issuer): self
-    {
-        $obj = clone $this;
-        $obj->_issuer = $issuer;
-        return $obj;
-    }
-
-    /**
-     * Get self with signature algorithm identifier.
-     *
-     * @param SignatureAlgorithmIdentifier $algo
-     *
-     * @return self
-     */
-    public function withSignature(SignatureAlgorithmIdentifier $algo): self
-    {
-        $obj = clone $this;
-        $obj->_signature = $algo;
-        return $obj;
-    }
-
-    /**
-     * Get self with serial number.
-     *
-     * @param int|string $serial Base 10 serial number
-     *
-     * @return self
-     */
-    public function withSerialNumber($serial): self
-    {
-        $obj = clone $this;
-        $obj->_serialNumber = strval($serial);
-        return $obj;
-    }
-
-    /**
-     * Get self with random positive serial number.
-     *
-     * @param int $size Number of random bytes
-     *
-     * @return self
-     */
-    public function withRandomSerialNumber(int $size = 16): self
-    {
-        // ensure that first byte is always non-zero and having first bit unset
-        $num = gmp_init(mt_rand(1, 0x7f), 10);
-        for ($i = 1; $i < $size; ++$i) {
-            $num <<= 8;
-            $num += mt_rand(0, 0xff);
-        }
-        return $this->withSerialNumber(gmp_strval($num, 10));
-    }
-
-    /**
-     * Get self with validity period.
-     *
-     * @param AttCertValidityPeriod $validity
-     *
-     * @return self
-     */
-    public function withValidity(AttCertValidityPeriod $validity): self
-    {
-        $obj = clone $this;
-        $obj->_attrCertValidityPeriod = $validity;
-        return $obj;
-    }
-
-    /**
-     * Get self with attributes.
-     *
-     * @param Attributes $attribs
-     *
-     * @return self
-     */
-    public function withAttributes(Attributes $attribs): self
-    {
-        $obj = clone $this;
-        $obj->_attributes = $attribs;
-        return $obj;
-    }
-
-    /**
-     * Get self with issuer unique identifier.
-     *
-     * @param UniqueIdentifier $uid
-     *
-     * @return self
-     */
-    public function withIssuerUniqueID(UniqueIdentifier $uid): self
-    {
-        $obj = clone $this;
-        $obj->_issuerUniqueID = $uid;
-        return $obj;
-    }
-
-    /**
-     * Get self with extensions.
-     *
-     * @param Extensions $extensions
-     *
-     * @return self
-     */
-    public function withExtensions(Extensions $extensions): self
-    {
-        $obj = clone $this;
-        $obj->_extensions = $extensions;
-        return $obj;
-    }
-
-    /**
-     * Get self with extensions added.
-     *
-     * @param Extension ...$exts One or more Extension objects
-     *
-     * @return self
-     */
-    public function withAdditionalExtensions(Extension ...$exts): self
-    {
-        $obj = clone $this;
-        $obj->_extensions = $obj->_extensions->withExtensions(...$exts);
-        return $obj;
-    }
-
-    /**
-     * Get version.
-     *
-     * @return int
-     */
-    public function version(): int
-    {
-        return $this->_version;
-    }
-
-    /**
-     * Get AC holder.
-     *
-     * @return Holder
-     */
-    public function holder(): Holder
-    {
-        return $this->_holder;
-    }
-
-    /**
-     * Get AC issuer.
-     *
-     * @return AttCertIssuer
-     */
-    public function issuer(): AttCertIssuer
-    {
-        return $this->_issuer;
-    }
-
-    /**
-     * Check whether signature is set.
-     *
-     * @return bool
-     */
-    public function hasSignature(): bool
-    {
-        return isset($this->_signature);
-    }
-
-    /**
-     * Get signature algorithm identifier.
-     *
-     * @throws \LogicException If not set
-     *
-     * @return SignatureAlgorithmIdentifier
-     */
-    public function signature(): SignatureAlgorithmIdentifier
-    {
-        if (!$this->hasSignature()) {
-            throw new \LogicException('signature not set.');
-        }
-        return $this->_signature;
-    }
-
-    /**
-     * Check whether serial number is present.
-     *
-     * @return bool
-     */
-    public function hasSerialNumber(): bool
-    {
-        return isset($this->_serialNumber);
-    }
-
-    /**
-     * Get AC serial number as a base 10 integer.
-     *
-     * @throws \LogicException If not set
-     *
-     * @return string
-     */
-    public function serialNumber(): string
-    {
-        if (!$this->hasSerialNumber()) {
-            throw new \LogicException('serialNumber not set.');
-        }
-        return $this->_serialNumber;
-    }
-
-    /**
-     * Get validity period.
-     *
-     * @return AttCertValidityPeriod
-     */
-    public function validityPeriod(): AttCertValidityPeriod
-    {
-        return $this->_attrCertValidityPeriod;
-    }
-
-    /**
-     * Get attributes.
-     *
-     * @return Attributes
-     */
-    public function attributes(): Attributes
-    {
-        return $this->_attributes;
-    }
-
-    /**
-     * Check whether issuer unique identifier is present.
-     *
-     * @return bool
-     */
-    public function hasIssuerUniqueID(): bool
-    {
-        return isset($this->_issuerUniqueID);
-    }
-
-    /**
-     * Get issuer unique identifier.
-     *
-     * @throws \LogicException If not set
-     *
-     * @return UniqueIdentifier
-     */
-    public function issuerUniqueID(): UniqueIdentifier
-    {
-        if (!$this->hasIssuerUniqueID()) {
-            throw new \LogicException('issuerUniqueID not set.');
-        }
-        return $this->_issuerUniqueID;
-    }
-
-    /**
-     * Get extensions.
-     *
-     * @return Extensions
-     */
-    public function extensions(): Extensions
-    {
-        return $this->_extensions;
-    }
-
-    /**
-     * Get ASN.1 structure.
-     *
-     * @return Sequence
-     */
-    public function toASN1(): Sequence
-    {
-        $elements = [new Integer($this->_version), $this->_holder->toASN1(),
-            $this->_issuer->toASN1(), $this->signature()->toASN1(),
-            new Integer($this->serialNumber()),
-            $this->_attrCertValidityPeriod->toASN1(),
-            $this->_attributes->toASN1(), ];
-        if (isset($this->_issuerUniqueID)) {
-            $elements[] = $this->_issuerUniqueID->toASN1();
-        }
-        if (count($this->_extensions)) {
-            $elements[] = $this->_extensions->toASN1();
-        }
-        return new Sequence(...$elements);
-    }
-
-    /**
-     * Create signed attribute certificate.
-     *
-     * @param SignatureAlgorithmIdentifier $algo         Signature algorithm
-     * @param PrivateKeyInfo               $privkey_info Private key
-     * @param null|Crypto                  $crypto       Crypto engine, use default if not set
-     *
-     * @return AttributeCertificate
-     */
-    public function sign(SignatureAlgorithmIdentifier $algo,
-        PrivateKeyInfo $privkey_info, ?Crypto $crypto = null): AttributeCertificate
-    {
-        $crypto = $crypto ?? Crypto::getDefault();
-        $aci = clone $this;
-        if (!isset($aci->_serialNumber)) {
-            $aci->_serialNumber = '0';
-        }
-        $aci->_signature = $algo;
-        $data = $aci->toASN1()->toDER();
-        $signature = $crypto->sign($data, $privkey_info, $algo);
-        return new AttributeCertificate($aci, $algo, $signature);
-    }
+	const VERSION_2 = 1;
+
+	/**
+	 * AC version.
+	 *
+	 * @var int
+	 */
+	protected $_version;
+
+	/**
+	 * AC holder.
+	 *
+	 * @var Holder
+	 */
+	protected $_holder;
+
+	/**
+	 * AC issuer.
+	 *
+	 * @var AttCertIssuer
+	 */
+	protected $_issuer;
+
+	/**
+	 * Signature algorithm identifier.
+	 *
+	 * @var SignatureAlgorithmIdentifier
+	 */
+	protected $_signature;
+
+	/**
+	 * AC serial number as a base 10 integer.
+	 *
+	 * @var string
+	 */
+	protected $_serialNumber;
+
+	/**
+	 * Validity period.
+	 *
+	 * @var AttCertValidityPeriod
+	 */
+	protected $_attrCertValidityPeriod;
+
+	/**
+	 * Attributes.
+	 *
+	 * @var Attributes
+	 */
+	protected $_attributes;
+
+	/**
+	 * Issuer unique identifier.
+	 *
+	 * @var null|UniqueIdentifier
+	 */
+	protected $_issuerUniqueID;
+
+	/**
+	 * Extensions.
+	 *
+	 * @var Extensions
+	 */
+	protected $_extensions;
+
+	/**
+	 * Constructor.
+	 *
+	 * @param Holder                $holder   AC holder
+	 * @param AttCertIssuer         $issuer   AC issuer
+	 * @param AttCertValidityPeriod $validity Validity
+	 * @param Attributes            $attribs  Attributes
+	 */
+	public function __construct(Holder $holder, AttCertIssuer $issuer,
+		AttCertValidityPeriod $validity, Attributes $attribs)
+	{
+		$this->_version = self::VERSION_2;
+		$this->_holder = $holder;
+		$this->_issuer = $issuer;
+		$this->_attrCertValidityPeriod = $validity;
+		$this->_attributes = $attribs;
+		$this->_extensions = new Extensions();
+	}
+
+	/**
+	 * Initialize from ASN.1.
+	 *
+	 * @param Sequence $seq
+	 *
+	 * @throws \UnexpectedValueException
+	 *
+	 * @return self
+	 */
+	public static function fromASN1(Sequence $seq): self
+	{
+		$idx = 0;
+		$version = $seq->at($idx++)->asInteger()->intNumber();
+		if (self::VERSION_2 !== $version) {
+			throw new \UnexpectedValueException('Version must be 2.');
+		}
+		$holder = Holder::fromASN1($seq->at($idx++)->asSequence());
+		$issuer = AttCertIssuer::fromASN1($seq->at($idx++));
+		$signature = AlgorithmIdentifier::fromASN1($seq->at($idx++)->asSequence());
+		if (!$signature instanceof SignatureAlgorithmIdentifier) {
+			throw new \UnexpectedValueException(
+				'Unsupported signature algorithm ' . $signature->oid() . '.');
+		}
+		$serial = $seq->at($idx++)->asInteger()->number();
+		$validity = AttCertValidityPeriod::fromASN1($seq->at($idx++)->asSequence());
+		$attribs = Attributes::fromASN1($seq->at($idx++)->asSequence());
+		$obj = new self($holder, $issuer, $validity, $attribs);
+		$obj->_signature = $signature;
+		$obj->_serialNumber = $serial;
+		if ($seq->has($idx, Element::TYPE_BIT_STRING)) {
+			$obj->_issuerUniqueID = UniqueIdentifier::fromASN1(
+				$seq->at($idx++)->asBitString());
+		}
+		if ($seq->has($idx, Element::TYPE_SEQUENCE)) {
+			$obj->_extensions = Extensions::fromASN1(
+				$seq->at($idx++)->asSequence());
+		}
+		return $obj;
+	}
+
+	/**
+	 * Get self with holder.
+	 *
+	 * @param Holder $holder
+	 *
+	 * @return self
+	 */
+	public function withHolder(Holder $holder): self
+	{
+		$obj = clone $this;
+		$obj->_holder = $holder;
+		return $obj;
+	}
+
+	/**
+	 * Get self with issuer.
+	 *
+	 * @param AttCertIssuer $issuer
+	 *
+	 * @return self
+	 */
+	public function withIssuer(AttCertIssuer $issuer): self
+	{
+		$obj = clone $this;
+		$obj->_issuer = $issuer;
+		return $obj;
+	}
+
+	/**
+	 * Get self with signature algorithm identifier.
+	 *
+	 * @param SignatureAlgorithmIdentifier $algo
+	 *
+	 * @return self
+	 */
+	public function withSignature(SignatureAlgorithmIdentifier $algo): self
+	{
+		$obj = clone $this;
+		$obj->_signature = $algo;
+		return $obj;
+	}
+
+	/**
+	 * Get self with serial number.
+	 *
+	 * @param int|string $serial Base 10 serial number
+	 *
+	 * @return self
+	 */
+	public function withSerialNumber($serial): self
+	{
+		$obj = clone $this;
+		$obj->_serialNumber = strval($serial);
+		return $obj;
+	}
+
+	/**
+	 * Get self with random positive serial number.
+	 *
+	 * @param int $size Number of random bytes
+	 *
+	 * @return self
+	 */
+	public function withRandomSerialNumber(int $size = 16): self
+	{
+		// ensure that first byte is always non-zero and having first bit unset
+		$num = gmp_init(mt_rand(1, 0x7f), 10);
+		for ($i = 1; $i < $size; ++$i) {
+			$num <<= 8;
+			$num += mt_rand(0, 0xff);
+		}
+		return $this->withSerialNumber(gmp_strval($num, 10));
+	}
+
+	/**
+	 * Get self with validity period.
+	 *
+	 * @param AttCertValidityPeriod $validity
+	 *
+	 * @return self
+	 */
+	public function withValidity(AttCertValidityPeriod $validity): self
+	{
+		$obj = clone $this;
+		$obj->_attrCertValidityPeriod = $validity;
+		return $obj;
+	}
+
+	/**
+	 * Get self with attributes.
+	 *
+	 * @param Attributes $attribs
+	 *
+	 * @return self
+	 */
+	public function withAttributes(Attributes $attribs): self
+	{
+		$obj = clone $this;
+		$obj->_attributes = $attribs;
+		return $obj;
+	}
+
+	/**
+	 * Get self with issuer unique identifier.
+	 *
+	 * @param UniqueIdentifier $uid
+	 *
+	 * @return self
+	 */
+	public function withIssuerUniqueID(UniqueIdentifier $uid): self
+	{
+		$obj = clone $this;
+		$obj->_issuerUniqueID = $uid;
+		return $obj;
+	}
+
+	/**
+	 * Get self with extensions.
+	 *
+	 * @param Extensions $extensions
+	 *
+	 * @return self
+	 */
+	public function withExtensions(Extensions $extensions): self
+	{
+		$obj = clone $this;
+		$obj->_extensions = $extensions;
+		return $obj;
+	}
+
+	/**
+	 * Get self with extensions added.
+	 *
+	 * @param Extension ...$exts One or more Extension objects
+	 *
+	 * @return self
+	 */
+	public function withAdditionalExtensions(Extension ...$exts): self
+	{
+		$obj = clone $this;
+		$obj->_extensions = $obj->_extensions->withExtensions(...$exts);
+		return $obj;
+	}
+
+	/**
+	 * Get version.
+	 *
+	 * @return int
+	 */
+	public function version(): int
+	{
+		return $this->_version;
+	}
+
+	/**
+	 * Get AC holder.
+	 *
+	 * @return Holder
+	 */
+	public function holder(): Holder
+	{
+		return $this->_holder;
+	}
+
+	/**
+	 * Get AC issuer.
+	 *
+	 * @return AttCertIssuer
+	 */
+	public function issuer(): AttCertIssuer
+	{
+		return $this->_issuer;
+	}
+
+	/**
+	 * Check whether signature is set.
+	 *
+	 * @return bool
+	 */
+	public function hasSignature(): bool
+	{
+		return isset($this->_signature);
+	}
+
+	/**
+	 * Get signature algorithm identifier.
+	 *
+	 * @throws \LogicException If not set
+	 *
+	 * @return SignatureAlgorithmIdentifier
+	 */
+	public function signature(): SignatureAlgorithmIdentifier
+	{
+		if (!$this->hasSignature()) {
+			throw new \LogicException('signature not set.');
+		}
+		return $this->_signature;
+	}
+
+	/**
+	 * Check whether serial number is present.
+	 *
+	 * @return bool
+	 */
+	public function hasSerialNumber(): bool
+	{
+		return isset($this->_serialNumber);
+	}
+
+	/**
+	 * Get AC serial number as a base 10 integer.
+	 *
+	 * @throws \LogicException If not set
+	 *
+	 * @return string
+	 */
+	public function serialNumber(): string
+	{
+		if (!$this->hasSerialNumber()) {
+			throw new \LogicException('serialNumber not set.');
+		}
+		return $this->_serialNumber;
+	}
+
+	/**
+	 * Get validity period.
+	 *
+	 * @return AttCertValidityPeriod
+	 */
+	public function validityPeriod(): AttCertValidityPeriod
+	{
+		return $this->_attrCertValidityPeriod;
+	}
+
+	/**
+	 * Get attributes.
+	 *
+	 * @return Attributes
+	 */
+	public function attributes(): Attributes
+	{
+		return $this->_attributes;
+	}
+
+	/**
+	 * Check whether issuer unique identifier is present.
+	 *
+	 * @return bool
+	 */
+	public function hasIssuerUniqueID(): bool
+	{
+		return isset($this->_issuerUniqueID);
+	}
+
+	/**
+	 * Get issuer unique identifier.
+	 *
+	 * @throws \LogicException If not set
+	 *
+	 * @return UniqueIdentifier
+	 */
+	public function issuerUniqueID(): UniqueIdentifier
+	{
+		if (!$this->hasIssuerUniqueID()) {
+			throw new \LogicException('issuerUniqueID not set.');
+		}
+		return $this->_issuerUniqueID;
+	}
+
+	/**
+	 * Get extensions.
+	 *
+	 * @return Extensions
+	 */
+	public function extensions(): Extensions
+	{
+		return $this->_extensions;
+	}
+
+	/**
+	 * Get ASN.1 structure.
+	 *
+	 * @return Sequence
+	 */
+	public function toASN1(): Sequence
+	{
+		$elements = [new Integer($this->_version), $this->_holder->toASN1(),
+			$this->_issuer->toASN1(), $this->signature()->toASN1(),
+			new Integer($this->serialNumber()),
+			$this->_attrCertValidityPeriod->toASN1(),
+			$this->_attributes->toASN1(), ];
+		if (isset($this->_issuerUniqueID)) {
+			$elements[] = $this->_issuerUniqueID->toASN1();
+		}
+		if (count($this->_extensions)) {
+			$elements[] = $this->_extensions->toASN1();
+		}
+		return new Sequence(...$elements);
+	}
+
+	/**
+	 * Create signed attribute certificate.
+	 *
+	 * @param SignatureAlgorithmIdentifier $algo         Signature algorithm
+	 * @param PrivateKeyInfo               $privkey_info Private key
+	 * @param null|Crypto                  $crypto       Crypto engine, use default if not set
+	 *
+	 * @return AttributeCertificate
+	 */
+	public function sign(SignatureAlgorithmIdentifier $algo,
+		PrivateKeyInfo $privkey_info, ?Crypto $crypto = null): AttributeCertificate
+	{
+		$crypto = $crypto ?? Crypto::getDefault();
+		$aci = clone $this;
+		if (!isset($aci->_serialNumber)) {
+			$aci->_serialNumber = '0';
+		}
+		$aci->_signature = $algo;
+		$data = $aci->toASN1()->toDER();
+		$signature = $crypto->sign($data, $privkey_info, $algo);
+		return new AttributeCertificate($aci, $algo, $signature);
+	}
 }

Spacing +1 added lines, -1 removed lines

@@ -1,6 +1,6 @@
 <?php
 
-declare(strict_types = 1);
+declare(strict_types=1);
 
 namespace Sop\X509\AttributeCertificate;