sop / x509

examples/issue-cert.php

Indentation +9 added lines, -9 removed lines

@@ -25,27 +25,27 @@
 $csr = CertificationRequest::fromPEM(PEM::fromFile($argv[2]));
 // verify CSR
 if (!$csr->verify()) {
-    echo "Failed to verify certification request signature.\n";
-    exit(1);
+	echo "Failed to verify certification request signature.\n";
+	exit(1);
 }
 // load CA's private key from PEM
 $private_key_info = PrivateKeyInfo::fromPEM(
-    PEM::fromFile(dirname(__DIR__) . "/test/assets/rsa/private_key.pem"));
+	PEM::fromFile(dirname(__DIR__) . "/test/assets/rsa/private_key.pem"));
 // initialize certificate from CSR and issuer's certificate
 $tbs_cert = TBSCertificate::fromCSR($csr)->withIssuerCertificate($issuer_cert);
 // set random serial number
 $tbs_cert = $tbs_cert->withRandomSerialNumber();
 // set validity period
 $tbs_cert = $tbs_cert->withValidity(
-    Validity::fromStrings("now", "now + 3 months"));
+	Validity::fromStrings("now", "now + 3 months"));
 // add extensions
 $tbs_cert = $tbs_cert->withAdditionalExtensions(
-    new KeyUsageExtension(true,
-        KeyUsageExtension::DIGITAL_SIGNATURE |
-             KeyUsageExtension::KEY_ENCIPHERMENT),
-    new BasicConstraintsExtension(true, false));
+	new KeyUsageExtension(true,
+		KeyUsageExtension::DIGITAL_SIGNATURE |
+			 KeyUsageExtension::KEY_ENCIPHERMENT),
+	new BasicConstraintsExtension(true, false));
 // sign certificate with issuer's private key
 $algo = SignatureAlgorithmIdentifierFactory::algoForAsymmetricCrypto(
-    $private_key_info->algorithmIdentifier(), new SHA512AlgorithmIdentifier());
+	$private_key_info->algorithmIdentifier(), new SHA512AlgorithmIdentifier());
 $cert = $tbs_cert->sign($algo, $private_key_info);
 echo $cert;

examples/create-csr.php

Indentation +2 added lines, -2 removed lines

@@ -16,7 +16,7 @@ 
 
 // load EC private key from PEM
 $private_key_info = PrivateKeyInfo::fromPEM(
-    PEM::fromFile(dirname(__DIR__) . "/test/assets/ec/private_key.pem"));
+	PEM::fromFile(dirname(__DIR__) . "/test/assets/ec/private_key.pem"));
 // extract public key from private key
 $public_key_info = $private_key_info->publicKeyInfo();
 // DN of the subject
@@ -25,6 +25,6 @@ 
 $cri = new CertificationRequestInfo($subject, $public_key_info);
 // sign certificate request with private key
 $algo = SignatureAlgorithmIdentifierFactory::algoForAsymmetricCrypto(
-    $private_key_info->algorithmIdentifier(), new SHA256AlgorithmIdentifier());
+	$private_key_info->algorithmIdentifier(), new SHA256AlgorithmIdentifier());
 $csr = $cri->sign($algo, $private_key_info);
 echo $csr;

examples/path-validate.php

Indentation +8 added lines, -8 removed lines

@@ -28,19 +28,19 @@
 // build certification path from CA to end-entity certificate
 $path = CertificationPath::fromTrustAnchorToTarget($ca, $cert);
 foreach ($path->certificates() as $idx => $cert) {
-    printf("#%d: %s\n", $idx,
-        $cert->tbsCertificate()
-            ->subject()
-            ->toString());
+	printf("#%d: %s\n", $idx,
+		$cert->tbsCertificate()
+			->subject()
+			->toString());
 }
 // validate certification path with default configuration
 $config = PathValidationConfig::defaultConfig();
 $result = $path->validate($config);
 printf("Certificate '%s' is valid.\n",
-    $result->certificate()
-        ->tbsCertificate()
-        ->subject()
-        ->toString());
+	$result->certificate()
+		->tbsCertificate()
+		->subject()
+		->toString());
 // remove temporary files
 unlink($ca_file);
 unlink($csr_file);

lib/X509/Certificate/Extension/CertificatePolicy/PolicyQualifierInfo.php

Indentation +74 added lines, -74 removed lines

@@ -14,85 +14,85 @@
  */
 abstract class PolicyQualifierInfo
 {
-    /**
-     * OID for the CPS Pointer qualifier.
-     *
-     * @var string
-     */
-    const OID_CPS = "1.3.6.1.5.5.7.2.1";
+	/**
+	 * OID for the CPS Pointer qualifier.
+	 *
+	 * @var string
+	 */
+	const OID_CPS = "1.3.6.1.5.5.7.2.1";
     
-    /**
-     * OID for the user notice qualifier.
-     *
-     * @var string
-     */
-    const OID_UNOTICE = "1.3.6.1.5.5.7.2.2";
+	/**
+	 * OID for the user notice qualifier.
+	 *
+	 * @var string
+	 */
+	const OID_UNOTICE = "1.3.6.1.5.5.7.2.2";
     
-    /**
-     * Qualifier identifier.
-     *
-     * @var string $_oid
-     */
-    protected $_oid;
+	/**
+	 * Qualifier identifier.
+	 *
+	 * @var string $_oid
+	 */
+	protected $_oid;
     
-    /**
-     * Generate ASN.1 for the 'qualifier' field.
-     *
-     * @return \ASN1\Element
-     */
-    abstract protected function _qualifierASN1();
+	/**
+	 * Generate ASN.1 for the 'qualifier' field.
+	 *
+	 * @return \ASN1\Element
+	 */
+	abstract protected function _qualifierASN1();
     
-    /**
-     * Initialize from qualifier ASN.1 element.
-     *
-     * @param UnspecifiedType $el
-     * @return self
-     */
-    public static function fromQualifierASN1(UnspecifiedType $el)
-    {
-        throw new \BadMethodCallException(
-            __FUNCTION__ . " must be implemented in the derived class.");
-    }
+	/**
+	 * Initialize from qualifier ASN.1 element.
+	 *
+	 * @param UnspecifiedType $el
+	 * @return self
+	 */
+	public static function fromQualifierASN1(UnspecifiedType $el)
+	{
+		throw new \BadMethodCallException(
+			__FUNCTION__ . " must be implemented in the derived class.");
+	}
     
-    /**
-     * Initialize from ASN.1.
-     *
-     * @param Sequence $seq
-     * @throws \UnexpectedValueException
-     * @return self
-     */
-    public static function fromASN1(Sequence $seq)
-    {
-        $oid = $seq->at(0)
-            ->asObjectIdentifier()
-            ->oid();
-        switch ($oid) {
-            case self::OID_CPS:
-                return CPSQualifier::fromQualifierASN1($seq->at(1));
-            case self::OID_UNOTICE:
-                return UserNoticeQualifier::fromQualifierASN1($seq->at(1));
-        }
-        throw new \UnexpectedValueException("Qualifier $oid not supported.");
-    }
+	/**
+	 * Initialize from ASN.1.
+	 *
+	 * @param Sequence $seq
+	 * @throws \UnexpectedValueException
+	 * @return self
+	 */
+	public static function fromASN1(Sequence $seq)
+	{
+		$oid = $seq->at(0)
+			->asObjectIdentifier()
+			->oid();
+		switch ($oid) {
+			case self::OID_CPS:
+				return CPSQualifier::fromQualifierASN1($seq->at(1));
+			case self::OID_UNOTICE:
+				return UserNoticeQualifier::fromQualifierASN1($seq->at(1));
+		}
+		throw new \UnexpectedValueException("Qualifier $oid not supported.");
+	}
     
-    /**
-     * Get qualifier identifier.
-     *
-     * @return string
-     */
-    public function oid()
-    {
-        return $this->_oid;
-    }
+	/**
+	 * Get qualifier identifier.
+	 *
+	 * @return string
+	 */
+	public function oid()
+	{
+		return $this->_oid;
+	}
     
-    /**
-     * Generate ASN.1 structure.
-     *
-     * @return Sequence
-     */
-    public function toASN1()
-    {
-        return new Sequence(new ObjectIdentifier($this->_oid),
-            $this->_qualifierASN1());
-    }
+	/**
+	 * Generate ASN.1 structure.
+	 *
+	 * @return Sequence
+	 */
+	public function toASN1()
+	{
+		return new Sequence(new ObjectIdentifier($this->_oid),
+			$this->_qualifierASN1());
+	}
 }

lib/X509/CertificationPath/PathValidation/PathValidationConfig.php

Indentation +245 added lines, -245 removed lines

@@ -12,274 +12,274 @@
  */
 class PathValidationConfig
 {
-    /**
-     * Maximum allowed certification path length.
-     *
-     * @var int $_maxLength
-     */
-    protected $_maxLength;
+	/**
+	 * Maximum allowed certification path length.
+	 *
+	 * @var int $_maxLength
+	 */
+	protected $_maxLength;
     
-    /**
-     * Reference time.
-     *
-     * @var \DateTimeImmutable $_dateTime
-     */
-    protected $_dateTime;
+	/**
+	 * Reference time.
+	 *
+	 * @var \DateTimeImmutable $_dateTime
+	 */
+	protected $_dateTime;
     
-    /**
-     * List of acceptable policy identifiers.
-     *
-     * @var string[] $_policySet
-     */
-    protected $_policySet;
+	/**
+	 * List of acceptable policy identifiers.
+	 *
+	 * @var string[] $_policySet
+	 */
+	protected $_policySet;
     
-    /**
-     * Trust anchor certificate.
-     *
-     * If not set, path validation uses the first certificate of the path.
-     *
-     * @var Certificate|null $_trustAnchor
-     */
-    protected $_trustAnchor;
+	/**
+	 * Trust anchor certificate.
+	 *
+	 * If not set, path validation uses the first certificate of the path.
+	 *
+	 * @var Certificate|null $_trustAnchor
+	 */
+	protected $_trustAnchor;
     
-    /**
-     * Whether policy mapping in inhibited.
-     *
-     * Setting this to true disallows policy mapping.
-     *
-     * @var bool $_policyMappingInhibit
-     */
-    protected $_policyMappingInhibit;
+	/**
+	 * Whether policy mapping in inhibited.
+	 *
+	 * Setting this to true disallows policy mapping.
+	 *
+	 * @var bool $_policyMappingInhibit
+	 */
+	protected $_policyMappingInhibit;
     
-    /**
-     * Whether the path must be valid for at least one policy in the
-     * initial policy set.
-     *
-     * @var bool $_explicitPolicy
-     */
-    protected $_explicitPolicy;
+	/**
+	 * Whether the path must be valid for at least one policy in the
+	 * initial policy set.
+	 *
+	 * @var bool $_explicitPolicy
+	 */
+	protected $_explicitPolicy;
     
-    /**
-     * Whether anyPolicy OID processing should be inhibited.
-     *
-     * Setting this to true disallows the usage of anyPolicy.
-     *
-     * @var bool $_anyPolicyInhibit
-     */
-    protected $_anyPolicyInhibit;
+	/**
+	 * Whether anyPolicy OID processing should be inhibited.
+	 *
+	 * Setting this to true disallows the usage of anyPolicy.
+	 *
+	 * @var bool $_anyPolicyInhibit
+	 */
+	protected $_anyPolicyInhibit;
     
-    /**
-     *
-     * @todo Implement
-     * @var mixed $_permittedSubtrees
-     */
-    protected $_permittedSubtrees;
+	/**
+	 *
+	 * @todo Implement
+	 * @var mixed $_permittedSubtrees
+	 */
+	protected $_permittedSubtrees;
     
-    /**
-     *
-     * @todo Implement
-     * @var mixed $_excludedSubtrees
-     */
-    protected $_excludedSubtrees;
+	/**
+	 *
+	 * @todo Implement
+	 * @var mixed $_excludedSubtrees
+	 */
+	protected $_excludedSubtrees;
     
-    /**
-     * Constructor.
-     *
-     * @param \DateTimeImmutable $dt Reference date and time
-     * @param int $max_length Maximum certification path length
-     */
-    public function __construct(\DateTimeImmutable $dt, $max_length)
-    {
-        $this->_dateTime = $dt;
-        $this->_maxLength = (int) $max_length;
-        $this->_policySet = array((string) PolicyInformation::OID_ANY_POLICY);
-        $this->_policyMappingInhibit = false;
-        $this->_explicitPolicy = false;
-        $this->_anyPolicyInhibit = false;
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param \DateTimeImmutable $dt Reference date and time
+	 * @param int $max_length Maximum certification path length
+	 */
+	public function __construct(\DateTimeImmutable $dt, $max_length)
+	{
+		$this->_dateTime = $dt;
+		$this->_maxLength = (int) $max_length;
+		$this->_policySet = array((string) PolicyInformation::OID_ANY_POLICY);
+		$this->_policyMappingInhibit = false;
+		$this->_explicitPolicy = false;
+		$this->_anyPolicyInhibit = false;
+	}
     
-    /**
-     * Get default configuration.
-     *
-     * @return self
-     */
-    public static function defaultConfig()
-    {
-        return new self(new \DateTimeImmutable(), 3);
-    }
+	/**
+	 * Get default configuration.
+	 *
+	 * @return self
+	 */
+	public static function defaultConfig()
+	{
+		return new self(new \DateTimeImmutable(), 3);
+	}
     
-    /**
-     * Get self with maximum path length.
-     *
-     * @param int $length
-     * @return self
-     */
-    public function withMaxLength($length)
-    {
-        $obj = clone $this;
-        $obj->_maxLength = $length;
-        return $obj;
-    }
+	/**
+	 * Get self with maximum path length.
+	 *
+	 * @param int $length
+	 * @return self
+	 */
+	public function withMaxLength($length)
+	{
+		$obj = clone $this;
+		$obj->_maxLength = $length;
+		return $obj;
+	}
     
-    /**
-     * Get self with reference date and time.
-     *
-     * @param \DateTimeImmutable $dt
-     * @return self
-     */
-    public function withDateTime(\DateTimeImmutable $dt)
-    {
-        $obj = clone $this;
-        $obj->_dateTime = $dt;
-        return $obj;
-    }
+	/**
+	 * Get self with reference date and time.
+	 *
+	 * @param \DateTimeImmutable $dt
+	 * @return self
+	 */
+	public function withDateTime(\DateTimeImmutable $dt)
+	{
+		$obj = clone $this;
+		$obj->_dateTime = $dt;
+		return $obj;
+	}
     
-    /**
-     * Get self with trust anchor certificate.
-     *
-     * @param Certificate $ca
-     * @return self
-     */
-    public function withTrustAnchor(Certificate $ca)
-    {
-        $obj = clone $this;
-        $obj->_trustAnchor = $ca;
-        return $obj;
-    }
+	/**
+	 * Get self with trust anchor certificate.
+	 *
+	 * @param Certificate $ca
+	 * @return self
+	 */
+	public function withTrustAnchor(Certificate $ca)
+	{
+		$obj = clone $this;
+		$obj->_trustAnchor = $ca;
+		return $obj;
+	}
     
-    /**
-     * Get self with initial-policy-mapping-inhibit set.
-     *
-     * @param bool $flag
-     * @return self
-     */
-    public function withPolicyMappingInhibit($flag)
-    {
-        $obj = clone $this;
-        $obj->_policyMappingInhibit = (bool) $flag;
-        return $obj;
-    }
+	/**
+	 * Get self with initial-policy-mapping-inhibit set.
+	 *
+	 * @param bool $flag
+	 * @return self
+	 */
+	public function withPolicyMappingInhibit($flag)
+	{
+		$obj = clone $this;
+		$obj->_policyMappingInhibit = (bool) $flag;
+		return $obj;
+	}
     
-    /**
-     * Get self with initial-explicit-policy set.
-     *
-     * @param bool $flag
-     * @return self
-     */
-    public function withExplicitPolicy($flag)
-    {
-        $obj = clone $this;
-        $obj->_explicitPolicy = (bool) $flag;
-        return $obj;
-    }
+	/**
+	 * Get self with initial-explicit-policy set.
+	 *
+	 * @param bool $flag
+	 * @return self
+	 */
+	public function withExplicitPolicy($flag)
+	{
+		$obj = clone $this;
+		$obj->_explicitPolicy = (bool) $flag;
+		return $obj;
+	}
     
-    /**
-     * Get self with initial-any-policy-inhibit set.
-     *
-     * @param bool $flag
-     * @return self
-     */
-    public function withAnyPolicyInhibit($flag)
-    {
-        $obj = clone $this;
-        $obj->_anyPolicyInhibit = (bool) $flag;
-        return $obj;
-    }
+	/**
+	 * Get self with initial-any-policy-inhibit set.
+	 *
+	 * @param bool $flag
+	 * @return self
+	 */
+	public function withAnyPolicyInhibit($flag)
+	{
+		$obj = clone $this;
+		$obj->_anyPolicyInhibit = (bool) $flag;
+		return $obj;
+	}
     
-    /**
-     * Get self with user-initial-policy-set set to policy OIDs.
-     *
-     * @param string ...$policies List of policy OIDs
-     * @return self
-     */
-    public function withPolicySet(...$policies)
-    {
-        $obj = clone $this;
-        $obj->_policySet = $policies;
-        return $obj;
-    }
+	/**
+	 * Get self with user-initial-policy-set set to policy OIDs.
+	 *
+	 * @param string ...$policies List of policy OIDs
+	 * @return self
+	 */
+	public function withPolicySet(...$policies)
+	{
+		$obj = clone $this;
+		$obj->_policySet = $policies;
+		return $obj;
+	}
     
-    /**
-     * Get maximum certification path length.
-     *
-     * @return int
-     */
-    public function maxLength()
-    {
-        return $this->_maxLength;
-    }
+	/**
+	 * Get maximum certification path length.
+	 *
+	 * @return int
+	 */
+	public function maxLength()
+	{
+		return $this->_maxLength;
+	}
     
-    /**
-     * Get reference date and time.
-     *
-     * @return \DateTimeImmutable
-     */
-    public function dateTime()
-    {
-        return $this->_dateTime;
-    }
+	/**
+	 * Get reference date and time.
+	 *
+	 * @return \DateTimeImmutable
+	 */
+	public function dateTime()
+	{
+		return $this->_dateTime;
+	}
     
-    /**
-     * Get user-initial-policy-set.
-     *
-     * @return string[] Array of OID's
-     */
-    public function policySet()
-    {
-        return $this->_policySet;
-    }
+	/**
+	 * Get user-initial-policy-set.
+	 *
+	 * @return string[] Array of OID's
+	 */
+	public function policySet()
+	{
+		return $this->_policySet;
+	}
     
-    /**
-     * Check whether trust anchor certificate is set.
-     *
-     * @return bool
-     */
-    public function hasTrustAnchor()
-    {
-        return isset($this->_trustAnchor);
-    }
+	/**
+	 * Check whether trust anchor certificate is set.
+	 *
+	 * @return bool
+	 */
+	public function hasTrustAnchor()
+	{
+		return isset($this->_trustAnchor);
+	}
     
-    /**
-     * Get trust anchor certificate.
-     *
-     * @throws \LogicException
-     * @return Certificate
-     */
-    public function trustAnchor()
-    {
-        if (!$this->hasTrustAnchor()) {
-            throw new \LogicException("No trust anchor.");
-        }
-        return $this->_trustAnchor;
-    }
+	/**
+	 * Get trust anchor certificate.
+	 *
+	 * @throws \LogicException
+	 * @return Certificate
+	 */
+	public function trustAnchor()
+	{
+		if (!$this->hasTrustAnchor()) {
+			throw new \LogicException("No trust anchor.");
+		}
+		return $this->_trustAnchor;
+	}
     
-    /**
-     * Get initial-policy-mapping-inhibit.
-     *
-     * @return bool
-     */
-    public function policyMappingInhibit()
-    {
-        return $this->_policyMappingInhibit;
-    }
+	/**
+	 * Get initial-policy-mapping-inhibit.
+	 *
+	 * @return bool
+	 */
+	public function policyMappingInhibit()
+	{
+		return $this->_policyMappingInhibit;
+	}
     
-    /**
-     * Get initial-explicit-policy.
-     *
-     * @return bool
-     */
-    public function explicitPolicy()
-    {
-        return $this->_explicitPolicy;
-    }
+	/**
+	 * Get initial-explicit-policy.
+	 *
+	 * @return bool
+	 */
+	public function explicitPolicy()
+	{
+		return $this->_explicitPolicy;
+	}
     
-    /**
-     * Get initial-any-policy-inhibit.
-     *
-     * @return bool
-     */
-    public function anyPolicyInhibit()
-    {
-        return $this->_anyPolicyInhibit;
-    }
+	/**
+	 * Get initial-any-policy-inhibit.
+	 *
+	 * @return bool
+	 */
+	public function anyPolicyInhibit()
+	{
+		return $this->_anyPolicyInhibit;
+	}
 }

lib/X509/CertificationPath/Policy/PolicyTree.php

Indentation +393 added lines, -393 removed lines

@@ -8,411 +8,411 @@
 
 class PolicyTree
 {
-    /**
-     * Root node at depth zero.
-     *
-     * @var PolicyNode|null
-     */
-    protected $_root;
+	/**
+	 * Root node at depth zero.
+	 *
+	 * @var PolicyNode|null
+	 */
+	protected $_root;
     
-    /**
-     * Constructor.
-     *
-     * @param PolicyNode $root Initial root node
-     */
-    public function __construct(PolicyNode $root)
-    {
-        $this->_root = $root;
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param PolicyNode $root Initial root node
+	 */
+	public function __construct(PolicyNode $root)
+	{
+		$this->_root = $root;
+	}
     
-    /**
-     * Process policy information from the certificate.
-     *
-     * Certificate policies extension must be present.
-     *
-     * @param ValidatorState $state
-     * @param Certificate $cert
-     * @return ValidatorState
-     */
-    public function processPolicies(ValidatorState $state, Certificate $cert)
-    {
-        $policies = $cert->tbsCertificate()
-            ->extensions()
-            ->certificatePolicies();
-        $tree = clone $this;
-        // (d.1) for each policy P not equal to anyPolicy
-        foreach ($policies as $policy) {
-            if ($policy->isAnyPolicy()) {
-                $tree->_processAnyPolicy($policy, $cert, $state);
-            } else {
-                $tree->_processPolicy($policy, $state);
-            }
-        }
-        // if whole tree is pruned
-        if (!$tree->_pruneTree($state->index() - 1)) {
-            return $state->withoutValidPolicyTree();
-        }
-        return $state->withValidPolicyTree($tree);
-    }
+	/**
+	 * Process policy information from the certificate.
+	 *
+	 * Certificate policies extension must be present.
+	 *
+	 * @param ValidatorState $state
+	 * @param Certificate $cert
+	 * @return ValidatorState
+	 */
+	public function processPolicies(ValidatorState $state, Certificate $cert)
+	{
+		$policies = $cert->tbsCertificate()
+			->extensions()
+			->certificatePolicies();
+		$tree = clone $this;
+		// (d.1) for each policy P not equal to anyPolicy
+		foreach ($policies as $policy) {
+			if ($policy->isAnyPolicy()) {
+				$tree->_processAnyPolicy($policy, $cert, $state);
+			} else {
+				$tree->_processPolicy($policy, $state);
+			}
+		}
+		// if whole tree is pruned
+		if (!$tree->_pruneTree($state->index() - 1)) {
+			return $state->withoutValidPolicyTree();
+		}
+		return $state->withValidPolicyTree($tree);
+	}
     
-    /**
-     * Process policy mappings from the certificate.
-     *
-     * @param ValidatorState $state
-     * @param Certificate $cert
-     * @return ValidatorState
-     */
-    public function processMappings(ValidatorState $state, Certificate $cert)
-    {
-        $tree = clone $this;
-        if ($state->policyMapping() > 0) {
-            $tree->_applyMappings($cert, $state);
-        } else if ($state->policyMapping() == 0) {
-            $tree->_deleteMappings($cert, $state);
-        }
-        // if whole tree is pruned
-        if (!$tree->_root) {
-            return $state->withoutValidPolicyTree();
-        }
-        return $state->withValidPolicyTree($tree);
-    }
+	/**
+	 * Process policy mappings from the certificate.
+	 *
+	 * @param ValidatorState $state
+	 * @param Certificate $cert
+	 * @return ValidatorState
+	 */
+	public function processMappings(ValidatorState $state, Certificate $cert)
+	{
+		$tree = clone $this;
+		if ($state->policyMapping() > 0) {
+			$tree->_applyMappings($cert, $state);
+		} else if ($state->policyMapping() == 0) {
+			$tree->_deleteMappings($cert, $state);
+		}
+		// if whole tree is pruned
+		if (!$tree->_root) {
+			return $state->withoutValidPolicyTree();
+		}
+		return $state->withValidPolicyTree($tree);
+	}
     
-    /**
-     * Calculate policy intersection as specified in Wrap-Up Procedure 6.1.5.g.
-     *
-     * @param ValidatorState $state
-     * @param array $policies
-     * @return ValidatorState
-     */
-    public function calculateIntersection(ValidatorState $state, array $policies)
-    {
-        $tree = clone $this;
-        $valid_policy_node_set = $tree->_validPolicyNodeSet();
-        // 2. If the valid_policy of any node in the valid_policy_node_set
-        // is not in the user-initial-policy-set and is not anyPolicy,
-        // delete this node and all its children.
-        $valid_policy_node_set = array_filter($valid_policy_node_set,
-            function (PolicyNode $node) use ($policies) {
-                if ($node->isAnyPolicy()) {
-                    return true;
-                }
-                if (in_array($node->validPolicy(), $policies)) {
-                    return true;
-                }
-                $node->remove();
-                return false;
-            });
-        // array of valid policy OIDs
-        $valid_policy_set = array_map(
-            function (PolicyNode $node) {
-                return $node->validPolicy();
-            }, $valid_policy_node_set);
-        // 3. If the valid_policy_tree includes a node of depth n with
-        // the valid_policy anyPolicy and the user-initial-policy-set 
-        // is not any-policy
-        foreach ($tree->_nodesAtDepth($state->index()) as $node) {
-            if ($node->hasParent() && $node->isAnyPolicy()) {
-                // a. Set P-Q to the qualifier_set in the node of depth n
-                // with valid_policy anyPolicy.
-                $pq = $node->qualifiers();
-                // b. For each P-OID in the user-initial-policy-set that is not
-                // the valid_policy of a node in the valid_policy_node_set,
-                // create a child node whose parent is the node of depth n-1
-                // with the valid_policy anyPolicy.
-                $poids = array_diff($policies, $valid_policy_set);
-                foreach ($tree->_nodesAtDepth($state->index() - 1) as $parent) {
-                    if ($parent->isAnyPolicy()) {
-                        // Set the values in the child node as follows: 
-                        // set the valid_policy to P-OID, set the qualifier_set
-                        // to P-Q, and set the expected_policy_set to {P-OID}.
-                        foreach ($poids as $poid) {
-                            $parent->addChild(
-                                new PolicyNode($poid, $pq, array($poid)));
-                        }
-                        break;
-                    }
-                }
-                // c. Delete the node of depth n with the
-                // valid_policy anyPolicy.
-                $node->remove();
-            }
-        }
-        // 4. If there is a node in the valid_policy_tree of depth n-1 or less
-        // without any child nodes, delete that node. Repeat this step until
-        // there are no nodes of depth n-1 or less without children.
-        if (!$tree->_pruneTree($state->index() - 1)) {
-            return $state->withoutValidPolicyTree();
-        }
-        return $state->withValidPolicyTree($tree);
-    }
+	/**
+	 * Calculate policy intersection as specified in Wrap-Up Procedure 6.1.5.g.
+	 *
+	 * @param ValidatorState $state
+	 * @param array $policies
+	 * @return ValidatorState
+	 */
+	public function calculateIntersection(ValidatorState $state, array $policies)
+	{
+		$tree = clone $this;
+		$valid_policy_node_set = $tree->_validPolicyNodeSet();
+		// 2. If the valid_policy of any node in the valid_policy_node_set
+		// is not in the user-initial-policy-set and is not anyPolicy,
+		// delete this node and all its children.
+		$valid_policy_node_set = array_filter($valid_policy_node_set,
+			function (PolicyNode $node) use ($policies) {
+				if ($node->isAnyPolicy()) {
+					return true;
+				}
+				if (in_array($node->validPolicy(), $policies)) {
+					return true;
+				}
+				$node->remove();
+				return false;
+			});
+		// array of valid policy OIDs
+		$valid_policy_set = array_map(
+			function (PolicyNode $node) {
+				return $node->validPolicy();
+			}, $valid_policy_node_set);
+		// 3. If the valid_policy_tree includes a node of depth n with
+		// the valid_policy anyPolicy and the user-initial-policy-set 
+		// is not any-policy
+		foreach ($tree->_nodesAtDepth($state->index()) as $node) {
+			if ($node->hasParent() && $node->isAnyPolicy()) {
+				// a. Set P-Q to the qualifier_set in the node of depth n
+				// with valid_policy anyPolicy.
+				$pq = $node->qualifiers();
+				// b. For each P-OID in the user-initial-policy-set that is not
+				// the valid_policy of a node in the valid_policy_node_set,
+				// create a child node whose parent is the node of depth n-1
+				// with the valid_policy anyPolicy.
+				$poids = array_diff($policies, $valid_policy_set);
+				foreach ($tree->_nodesAtDepth($state->index() - 1) as $parent) {
+					if ($parent->isAnyPolicy()) {
+						// Set the values in the child node as follows: 
+						// set the valid_policy to P-OID, set the qualifier_set
+						// to P-Q, and set the expected_policy_set to {P-OID}.
+						foreach ($poids as $poid) {
+							$parent->addChild(
+								new PolicyNode($poid, $pq, array($poid)));
+						}
+						break;
+					}
+				}
+				// c. Delete the node of depth n with the
+				// valid_policy anyPolicy.
+				$node->remove();
+			}
+		}
+		// 4. If there is a node in the valid_policy_tree of depth n-1 or less
+		// without any child nodes, delete that node. Repeat this step until
+		// there are no nodes of depth n-1 or less without children.
+		if (!$tree->_pruneTree($state->index() - 1)) {
+			return $state->withoutValidPolicyTree();
+		}
+		return $state->withValidPolicyTree($tree);
+	}
     
-    /**
-     * Get policies at given policy tree depth.
-     *
-     * @param int $i Depth in range 1..n
-     * @return PolicyInformation[]
-     */
-    public function policiesAtDepth($i)
-    {
-        $policies = array();
-        foreach ($this->_nodesAtDepth($i) as $node) {
-            $policies[] = new PolicyInformation($node->validPolicy(),
-                ...$node->qualifiers());
-        }
-        return $policies;
-    }
+	/**
+	 * Get policies at given policy tree depth.
+	 *
+	 * @param int $i Depth in range 1..n
+	 * @return PolicyInformation[]
+	 */
+	public function policiesAtDepth($i)
+	{
+		$policies = array();
+		foreach ($this->_nodesAtDepth($i) as $node) {
+			$policies[] = new PolicyInformation($node->validPolicy(),
+				...$node->qualifiers());
+		}
+		return $policies;
+	}
     
-    /**
-     * Process single policy information.
-     *
-     * @param PolicyInformation $policy
-     * @param ValidatorState $state
-     */
-    protected function _processPolicy(PolicyInformation $policy,
-        ValidatorState $state)
-    {
-        $p_oid = $policy->oid();
-        $i = $state->index();
-        $match_count = 0;
-        // (d.1.i) for each node of depth i-1 in the valid_policy_tree...
-        foreach ($this->_nodesAtDepth($i - 1) as $node) {
-            // ...where P-OID is in the expected_policy_set
-            if ($node->hasExpectedPolicy($p_oid)) {
-                $node->addChild(
-                    new PolicyNode($p_oid, $policy->qualifiers(), array($p_oid)));
-                ++$match_count;
-            }
-        }
-        // (d.1.ii) if there was no match in step (i)...
-        if (!$match_count) {
-            // ...and the valid_policy_tree includes a node of depth i-1 with
-            // the valid_policy anyPolicy
-            foreach ($this->_nodesAtDepth($i - 1) as $node) {
-                if ($node->isAnyPolicy()) {
-                    $node->addChild(
-                        new PolicyNode($p_oid, $policy->qualifiers(),
-                            array($p_oid)));
-                }
-            }
-        }
-    }
+	/**
+	 * Process single policy information.
+	 *
+	 * @param PolicyInformation $policy
+	 * @param ValidatorState $state
+	 */
+	protected function _processPolicy(PolicyInformation $policy,
+		ValidatorState $state)
+	{
+		$p_oid = $policy->oid();
+		$i = $state->index();
+		$match_count = 0;
+		// (d.1.i) for each node of depth i-1 in the valid_policy_tree...
+		foreach ($this->_nodesAtDepth($i - 1) as $node) {
+			// ...where P-OID is in the expected_policy_set
+			if ($node->hasExpectedPolicy($p_oid)) {
+				$node->addChild(
+					new PolicyNode($p_oid, $policy->qualifiers(), array($p_oid)));
+				++$match_count;
+			}
+		}
+		// (d.1.ii) if there was no match in step (i)...
+		if (!$match_count) {
+			// ...and the valid_policy_tree includes a node of depth i-1 with
+			// the valid_policy anyPolicy
+			foreach ($this->_nodesAtDepth($i - 1) as $node) {
+				if ($node->isAnyPolicy()) {
+					$node->addChild(
+						new PolicyNode($p_oid, $policy->qualifiers(),
+							array($p_oid)));
+				}
+			}
+		}
+	}
     
-    /**
-     * Process anyPolicy policy information.
-     *
-     * @param PolicyInformation $policy
-     * @param Certificate $cert
-     * @param ValidatorState $state
-     */
-    protected function _processAnyPolicy(PolicyInformation $policy,
-        Certificate $cert, ValidatorState $state)
-    {
-        $i = $state->index();
-        // if (a) inhibit_anyPolicy is greater than 0 or
-        // (b) i<n and the certificate is self-issued
-        if (!($state->inhibitAnyPolicy() > 0 ||
-             ($i < $state->pathLength() && $cert->isSelfIssued()))) {
-            return;
-        }
-        // for each node in the valid_policy_tree of depth i-1
-        foreach ($this->_nodesAtDepth($i - 1) as $node) {
-            // for each value in the expected_policy_set
-            foreach ($node->expectedPolicies() as $p_oid) {
-                // that does not appear in a child node
-                if (!$node->hasChildWithValidPolicy($p_oid)) {
-                    $node->addChild(
-                        new PolicyNode($p_oid, $policy->qualifiers(),
-                            array($p_oid)));
-                }
-            }
-        }
-    }
+	/**
+	 * Process anyPolicy policy information.
+	 *
+	 * @param PolicyInformation $policy
+	 * @param Certificate $cert
+	 * @param ValidatorState $state
+	 */
+	protected function _processAnyPolicy(PolicyInformation $policy,
+		Certificate $cert, ValidatorState $state)
+	{
+		$i = $state->index();
+		// if (a) inhibit_anyPolicy is greater than 0 or
+		// (b) i<n and the certificate is self-issued
+		if (!($state->inhibitAnyPolicy() > 0 ||
+			 ($i < $state->pathLength() && $cert->isSelfIssued()))) {
+			return;
+		}
+		// for each node in the valid_policy_tree of depth i-1
+		foreach ($this->_nodesAtDepth($i - 1) as $node) {
+			// for each value in the expected_policy_set
+			foreach ($node->expectedPolicies() as $p_oid) {
+				// that does not appear in a child node
+				if (!$node->hasChildWithValidPolicy($p_oid)) {
+					$node->addChild(
+						new PolicyNode($p_oid, $policy->qualifiers(),
+							array($p_oid)));
+				}
+			}
+		}
+	}
     
-    /**
-     * Apply policy mappings to the policy tree.
-     *
-     * @param Certificate $cert
-     * @param ValidatorState $state
-     */
-    protected function _applyMappings(Certificate $cert, ValidatorState $state)
-    {
-        $policy_mappings = $cert->tbsCertificate()
-            ->extensions()
-            ->policyMappings();
-        // (6.1.4. b.1.) for each node in the valid_policy_tree of depth i...
-        foreach ($policy_mappings->flattenedMappings() as $idp => $sdps) {
-            $match_count = 0;
-            foreach ($this->_nodesAtDepth($state->index()) as $node) {
-                // ...where ID-P is the valid_policy
-                if ($node->validPolicy() == $idp) {
-                    // set expected_policy_set to the set of subjectDomainPolicy
-                    // values that are specified as equivalent to ID-P by
-                    // the policy mappings extension
-                    $node->setExpectedPolicies(...$sdps);
-                    ++$match_count;
-                }
-            }
-            // if no node of depth i in the valid_policy_tree has
-            // a valid_policy of ID-P...
-            if (!$match_count) {
-                $this->_applyAnyPolicyMapping($cert, $state, $idp, $sdps);
-            }
-        }
-    }
+	/**
+	 * Apply policy mappings to the policy tree.
+	 *
+	 * @param Certificate $cert
+	 * @param ValidatorState $state
+	 */
+	protected function _applyMappings(Certificate $cert, ValidatorState $state)
+	{
+		$policy_mappings = $cert->tbsCertificate()
+			->extensions()
+			->policyMappings();
+		// (6.1.4. b.1.) for each node in the valid_policy_tree of depth i...
+		foreach ($policy_mappings->flattenedMappings() as $idp => $sdps) {
+			$match_count = 0;
+			foreach ($this->_nodesAtDepth($state->index()) as $node) {
+				// ...where ID-P is the valid_policy
+				if ($node->validPolicy() == $idp) {
+					// set expected_policy_set to the set of subjectDomainPolicy
+					// values that are specified as equivalent to ID-P by
+					// the policy mappings extension
+					$node->setExpectedPolicies(...$sdps);
+					++$match_count;
+				}
+			}
+			// if no node of depth i in the valid_policy_tree has
+			// a valid_policy of ID-P...
+			if (!$match_count) {
+				$this->_applyAnyPolicyMapping($cert, $state, $idp, $sdps);
+			}
+		}
+	}
     
-    /**
-     * Apply anyPolicy mapping to the policy tree as specified in 6.1.4 (b)(1).
-     *
-     * @param Certificate $cert
-     * @param ValidatorState $state
-     * @param string $idp OID of the issuer domain policy
-     * @param array $sdps Array of subject domain policy OIDs
-     */
-    protected function _applyAnyPolicyMapping(Certificate $cert,
-        ValidatorState $state, $idp, array $sdps)
-    {
-        // (6.1.4. b.1.) ...but there is a node of depth i with
-        // a valid_policy of anyPolicy
-        foreach ($this->_nodesAtDepth($state->index()) as $node) {
-            if ($node->isAnyPolicy()) {
-                // then generate a child node of the node of depth i-1
-                // that has a valid_policy of anyPolicy as follows...
-                foreach ($this->_nodesAtDepth($state->index() - 1) as $node) {
-                    if ($node->isAnyPolicy()) {
-                        // try to fetch qualifiers of anyPolicy certificate policy
-                        $qualifiers = array();
-                        try {
-                            $qualifiers = $cert->tbsCertificate()
-                                ->extensions()
-                                ->certificatePolicies()
-                                ->anyPolicy()
-                                ->qualifiers();
-                        } catch (\LogicException $e) {
-                            // if there's no policies or no qualifiers
-                        }
-                        $node->addChild(
-                            new PolicyNode($idp, $qualifiers, $sdps));
-                        // bail after first anyPolicy has been processed
-                        break;
-                    }
-                }
-                // bail after first anyPolicy has been processed
-                break;
-            }
-        }
-    }
+	/**
+	 * Apply anyPolicy mapping to the policy tree as specified in 6.1.4 (b)(1).
+	 *
+	 * @param Certificate $cert
+	 * @param ValidatorState $state
+	 * @param string $idp OID of the issuer domain policy
+	 * @param array $sdps Array of subject domain policy OIDs
+	 */
+	protected function _applyAnyPolicyMapping(Certificate $cert,
+		ValidatorState $state, $idp, array $sdps)
+	{
+		// (6.1.4. b.1.) ...but there is a node of depth i with
+		// a valid_policy of anyPolicy
+		foreach ($this->_nodesAtDepth($state->index()) as $node) {
+			if ($node->isAnyPolicy()) {
+				// then generate a child node of the node of depth i-1
+				// that has a valid_policy of anyPolicy as follows...
+				foreach ($this->_nodesAtDepth($state->index() - 1) as $node) {
+					if ($node->isAnyPolicy()) {
+						// try to fetch qualifiers of anyPolicy certificate policy
+						$qualifiers = array();
+						try {
+							$qualifiers = $cert->tbsCertificate()
+								->extensions()
+								->certificatePolicies()
+								->anyPolicy()
+								->qualifiers();
+						} catch (\LogicException $e) {
+							// if there's no policies or no qualifiers
+						}
+						$node->addChild(
+							new PolicyNode($idp, $qualifiers, $sdps));
+						// bail after first anyPolicy has been processed
+						break;
+					}
+				}
+				// bail after first anyPolicy has been processed
+				break;
+			}
+		}
+	}
     
-    /**
-     * Delete nodes as specified in 6.1.4 (b)(2).
-     *
-     * @param Certificate $cert
-     * @param ValidatorState $state
-     */
-    protected function _deleteMappings(Certificate $cert, ValidatorState $state)
-    {
-        $idps = $cert->tbsCertificate()
-            ->extensions()
-            ->policyMappings()
-            ->issuerDomainPolicies();
-        // delete each node of depth i in the valid_policy_tree
-        // where ID-P is the valid_policy
-        foreach ($this->_nodesAtDepth($state->index()) as $node) {
-            if (in_array($node->validPolicy(), $idps)) {
-                $node->remove();
-            }
-        }
-        $this->_pruneTree($state->index() - 1);
-    }
+	/**
+	 * Delete nodes as specified in 6.1.4 (b)(2).
+	 *
+	 * @param Certificate $cert
+	 * @param ValidatorState $state
+	 */
+	protected function _deleteMappings(Certificate $cert, ValidatorState $state)
+	{
+		$idps = $cert->tbsCertificate()
+			->extensions()
+			->policyMappings()
+			->issuerDomainPolicies();
+		// delete each node of depth i in the valid_policy_tree
+		// where ID-P is the valid_policy
+		foreach ($this->_nodesAtDepth($state->index()) as $node) {
+			if (in_array($node->validPolicy(), $idps)) {
+				$node->remove();
+			}
+		}
+		$this->_pruneTree($state->index() - 1);
+	}
     
-    /**
-     * Prune tree starting from given depth.
-     *
-     * @param int $depth
-     * @return int The number of nodes left in a tree
-     */
-    protected function _pruneTree($depth)
-    {
-        for ($i = $depth; $i > 0; --$i) {
-            foreach ($this->_nodesAtDepth($i) as $node) {
-                if (!count($node)) {
-                    $node->remove();
-                }
-            }
-        }
-        // if root has no children left
-        if (!count($this->_root)) {
-            $this->_root = null;
-            return 0;
-        }
-        return $this->_root->nodeCount();
-    }
+	/**
+	 * Prune tree starting from given depth.
+	 *
+	 * @param int $depth
+	 * @return int The number of nodes left in a tree
+	 */
+	protected function _pruneTree($depth)
+	{
+		for ($i = $depth; $i > 0; --$i) {
+			foreach ($this->_nodesAtDepth($i) as $node) {
+				if (!count($node)) {
+					$node->remove();
+				}
+			}
+		}
+		// if root has no children left
+		if (!count($this->_root)) {
+			$this->_root = null;
+			return 0;
+		}
+		return $this->_root->nodeCount();
+	}
     
-    /**
-     * Get all nodes at given depth.
-     *
-     * @param int $i
-     * @return PolicyNode[]
-     */
-    protected function _nodesAtDepth($i)
-    {
-        if (!$this->_root) {
-            return array();
-        }
-        $depth = 0;
-        $nodes = array($this->_root);
-        while ($depth < $i) {
-            $nodes = self::_gatherChildren(...$nodes);
-            if (!count($nodes)) {
-                break;
-            }
-            ++$depth;
-        }
-        return $nodes;
-    }
+	/**
+	 * Get all nodes at given depth.
+	 *
+	 * @param int $i
+	 * @return PolicyNode[]
+	 */
+	protected function _nodesAtDepth($i)
+	{
+		if (!$this->_root) {
+			return array();
+		}
+		$depth = 0;
+		$nodes = array($this->_root);
+		while ($depth < $i) {
+			$nodes = self::_gatherChildren(...$nodes);
+			if (!count($nodes)) {
+				break;
+			}
+			++$depth;
+		}
+		return $nodes;
+	}
     
-    /**
-     * Get the valid policy node set as specified in spec 6.1.5.(g)(iii)1.
-     *
-     * @return PolicyNode[]
-     */
-    protected function _validPolicyNodeSet()
-    {
-        // 1. Determine the set of policy nodes whose parent nodes have
-        // a valid_policy of anyPolicy. This is the valid_policy_node_set.
-        $set = array();
-        if (!$this->_root) {
-            return $set;
-        }
-        // for each node in a tree
-        $this->_root->walkNodes(
-            function (PolicyNode $node) use (&$set) {
-                $parents = $node->parents();
-                // node has parents
-                if (count($parents)) {
-                    // check that each ancestor is an anyPolicy node
-                    foreach ($parents as $ancestor) {
-                        if (!$ancestor->isAnyPolicy()) {
-                            return;
-                        }
-                    }
-                    $set[] = $node;
-                }
-            });
-        return $set;
-    }
+	/**
+	 * Get the valid policy node set as specified in spec 6.1.5.(g)(iii)1.
+	 *
+	 * @return PolicyNode[]
+	 */
+	protected function _validPolicyNodeSet()
+	{
+		// 1. Determine the set of policy nodes whose parent nodes have
+		// a valid_policy of anyPolicy. This is the valid_policy_node_set.
+		$set = array();
+		if (!$this->_root) {
+			return $set;
+		}
+		// for each node in a tree
+		$this->_root->walkNodes(
+			function (PolicyNode $node) use (&$set) {
+				$parents = $node->parents();
+				// node has parents
+				if (count($parents)) {
+					// check that each ancestor is an anyPolicy node
+					foreach ($parents as $ancestor) {
+						if (!$ancestor->isAnyPolicy()) {
+							return;
+						}
+					}
+					$set[] = $node;
+				}
+			});
+		return $set;
+	}
     
-    /**
-     * Gather all children of given nodes to a flattened array.
-     *
-     * @param PolicyNode ...$nodes
-     * @return PolicyNode[]
-     */
-    private static function _gatherChildren(PolicyNode ...$nodes)
-    {
-        $children = array();
-        foreach ($nodes as $node) {
-            $children = array_merge($children, $node->children());
-        }
-        return $children;
-    }
+	/**
+	 * Gather all children of given nodes to a flattened array.
+	 *
+	 * @param PolicyNode ...$nodes
+	 * @return PolicyNode[]
+	 */
+	private static function _gatherChildren(PolicyNode ...$nodes)
+	{
+		$children = array();
+		foreach ($nodes as $node) {
+			$children = array_merge($children, $node->children());
+		}
+		return $children;
+	}
 }