sop / x509

lib/X509/Certificate/Extension/IssuerAlternativeNameExtension.php

Indentation +42 added lines, -42 removed lines

@@ -15,50 +15,50 @@
  */
 class IssuerAlternativeNameExtension extends Extension
 {
-    /**
-     * Names.
-     *
-     * @var GeneralNames
-     */
-    protected $_names;
+	/**
+	 * Names.
+	 *
+	 * @var GeneralNames
+	 */
+	protected $_names;
 
-    /**
-     * Constructor.
-     *
-     * @param bool         $critical
-     * @param GeneralNames $names
-     */
-    public function __construct(bool $critical, GeneralNames $names)
-    {
-        parent::__construct(self::OID_ISSUER_ALT_NAME, $critical);
-        $this->_names = $names;
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param bool         $critical
+	 * @param GeneralNames $names
+	 */
+	public function __construct(bool $critical, GeneralNames $names)
+	{
+		parent::__construct(self::OID_ISSUER_ALT_NAME, $critical);
+		$this->_names = $names;
+	}
 
-    /**
-     * Get names.
-     *
-     * @return GeneralNames
-     */
-    public function names(): GeneralNames
-    {
-        return $this->_names;
-    }
+	/**
+	 * Get names.
+	 *
+	 * @return GeneralNames
+	 */
+	public function names(): GeneralNames
+	{
+		return $this->_names;
+	}
 
-    /**
-     * {@inheritdoc}
-     */
-    protected static function _fromDER(string $data, bool $critical): Extension
-    {
-        return new self($critical,
-            GeneralNames::fromASN1(
-                UnspecifiedType::fromDER($data)->asSequence()));
-    }
+	/**
+	 * {@inheritdoc}
+	 */
+	protected static function _fromDER(string $data, bool $critical): Extension
+	{
+		return new self($critical,
+			GeneralNames::fromASN1(
+				UnspecifiedType::fromDER($data)->asSequence()));
+	}
 
-    /**
-     * {@inheritdoc}
-     */
-    protected function _valueASN1(): Element
-    {
-        return $this->_names->toASN1();
-    }
+	/**
+	 * {@inheritdoc}
+	 */
+	protected function _valueASN1(): Element
+	{
+		return $this->_names->toASN1();
+	}
 }

lib/X509/Certificate/Extension/AAControlsExtension.php

Indentation +203 added lines, -203 removed lines

@@ -19,207 +19,207 @@
  */
 class AAControlsExtension extends Extension
 {
-    /**
-     * Path length contraint.
-     *
-     * @var null|int
-     */
-    protected $_pathLenConstraint;
-
-    /**
-     * Permitted attributes.
-     *
-     * Array of OID's.
-     *
-     * @var null|string[]
-     */
-    protected $_permittedAttrs;
-
-    /**
-     * Excluded attributes.
-     *
-     * Array of OID's.
-     *
-     * @var null|string[]
-     */
-    protected $_excludedAttrs;
-
-    /**
-     * Whether to permit unspecified attributes.
-     *
-     * @var bool
-     */
-    protected $_permitUnSpecified;
-
-    /**
-     * Constructor.
-     *
-     * @param bool          $critical
-     * @param null|int      $path_len
-     * @param null|string[] $permitted
-     * @param null|string[] $excluded
-     * @param bool          $permit_unspecified
-     */
-    public function __construct(bool $critical, ?int $path_len = null,
-        ?array $permitted = null, ?array $excluded = null, bool $permit_unspecified = true)
-    {
-        parent::__construct(self::OID_AA_CONTROLS, $critical);
-        $this->_pathLenConstraint = $path_len;
-        $this->_permittedAttrs = $permitted;
-        $this->_excludedAttrs = $excluded;
-        $this->_permitUnSpecified = $permit_unspecified;
-    }
-
-    /**
-     * Check whether path length constraint is present.
-     *
-     * @return bool
-     */
-    public function hasPathLen(): bool
-    {
-        return isset($this->_pathLenConstraint);
-    }
-
-    /**
-     * Get path length constraint.
-     *
-     * @throws \LogicException If not set
-     *
-     * @return int
-     */
-    public function pathLen(): int
-    {
-        if (!$this->hasPathLen()) {
-            throw new \LogicException('pathLen not set.');
-        }
-        return $this->_pathLenConstraint;
-    }
-
-    /**
-     * Check whether permitted attributes are present.
-     *
-     * @return bool
-     */
-    public function hasPermittedAttrs(): bool
-    {
-        return isset($this->_permittedAttrs);
-    }
-
-    /**
-     * Get OID's of permitted attributes.
-     *
-     * @throws \LogicException If not set
-     *
-     * @return string[]
-     */
-    public function permittedAttrs(): array
-    {
-        if (!$this->hasPermittedAttrs()) {
-            throw new \LogicException('permittedAttrs not set.');
-        }
-        return $this->_permittedAttrs;
-    }
-
-    /**
-     * Check whether excluded attributes are present.
-     *
-     * @return bool
-     */
-    public function hasExcludedAttrs(): bool
-    {
-        return isset($this->_excludedAttrs);
-    }
-
-    /**
-     * Get OID's of excluded attributes.
-     *
-     * @throws \LogicException If not set
-     *
-     * @return string[]
-     */
-    public function excludedAttrs(): array
-    {
-        if (!$this->hasExcludedAttrs()) {
-            throw new \LogicException('excludedAttrs not set.');
-        }
-        return $this->_excludedAttrs;
-    }
-
-    /**
-     * Whether to permit attributes that are not explicitly specified in
-     * neither permitted nor excluded list.
-     *
-     * @return bool
-     */
-    public function permitUnspecified(): bool
-    {
-        return $this->_permitUnSpecified;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    protected static function _fromDER(string $data, bool $critical): Extension
-    {
-        $seq = UnspecifiedType::fromDER($data)->asSequence();
-        $path_len = null;
-        $permitted = null;
-        $excluded = null;
-        $permit_unspecified = true;
-        $idx = 0;
-        if ($seq->has($idx, Element::TYPE_INTEGER)) {
-            $path_len = $seq->at($idx++)->asInteger()->intNumber();
-        }
-        if ($seq->hasTagged(0)) {
-            $attr_seq = $seq->getTagged(0)->asImplicit(Element::TYPE_SEQUENCE)
-                ->asSequence();
-            $permitted = array_map(
-                function (UnspecifiedType $el) {
-                    return $el->asObjectIdentifier()->oid();
-                }, $attr_seq->elements());
-            ++$idx;
-        }
-        if ($seq->hasTagged(1)) {
-            $attr_seq = $seq->getTagged(1)->asImplicit(Element::TYPE_SEQUENCE)
-                ->asSequence();
-            $excluded = array_map(
-                function (UnspecifiedType $el) {
-                    return $el->asObjectIdentifier()->oid();
-                }, $attr_seq->elements());
-            ++$idx;
-        }
-        if ($seq->has($idx, Element::TYPE_BOOLEAN)) {
-            $permit_unspecified = $seq->at($idx++)->asBoolean()->value();
-        }
-        return new self($critical, $path_len, $permitted, $excluded, $permit_unspecified);
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    protected function _valueASN1(): Element
-    {
-        $elements = [];
-        if (isset($this->_pathLenConstraint)) {
-            $elements[] = new Integer($this->_pathLenConstraint);
-        }
-        if (isset($this->_permittedAttrs)) {
-            $oids = array_map(
-                function ($oid) {
-                    return new ObjectIdentifier($oid);
-                }, $this->_permittedAttrs);
-            $elements[] = new ImplicitlyTaggedType(0, new Sequence(...$oids));
-        }
-        if (isset($this->_excludedAttrs)) {
-            $oids = array_map(
-                function ($oid) {
-                    return new ObjectIdentifier($oid);
-                }, $this->_excludedAttrs);
-            $elements[] = new ImplicitlyTaggedType(1, new Sequence(...$oids));
-        }
-        if (true !== $this->_permitUnSpecified) {
-            $elements[] = new Boolean(false);
-        }
-        return new Sequence(...$elements);
-    }
+	/**
+	 * Path length contraint.
+	 *
+	 * @var null|int
+	 */
+	protected $_pathLenConstraint;
+
+	/**
+	 * Permitted attributes.
+	 *
+	 * Array of OID's.
+	 *
+	 * @var null|string[]
+	 */
+	protected $_permittedAttrs;
+
+	/**
+	 * Excluded attributes.
+	 *
+	 * Array of OID's.
+	 *
+	 * @var null|string[]
+	 */
+	protected $_excludedAttrs;
+
+	/**
+	 * Whether to permit unspecified attributes.
+	 *
+	 * @var bool
+	 */
+	protected $_permitUnSpecified;
+
+	/**
+	 * Constructor.
+	 *
+	 * @param bool          $critical
+	 * @param null|int      $path_len
+	 * @param null|string[] $permitted
+	 * @param null|string[] $excluded
+	 * @param bool          $permit_unspecified
+	 */
+	public function __construct(bool $critical, ?int $path_len = null,
+		?array $permitted = null, ?array $excluded = null, bool $permit_unspecified = true)
+	{
+		parent::__construct(self::OID_AA_CONTROLS, $critical);
+		$this->_pathLenConstraint = $path_len;
+		$this->_permittedAttrs = $permitted;
+		$this->_excludedAttrs = $excluded;
+		$this->_permitUnSpecified = $permit_unspecified;
+	}
+
+	/**
+	 * Check whether path length constraint is present.
+	 *
+	 * @return bool
+	 */
+	public function hasPathLen(): bool
+	{
+		return isset($this->_pathLenConstraint);
+	}
+
+	/**
+	 * Get path length constraint.
+	 *
+	 * @throws \LogicException If not set
+	 *
+	 * @return int
+	 */
+	public function pathLen(): int
+	{
+		if (!$this->hasPathLen()) {
+			throw new \LogicException('pathLen not set.');
+		}
+		return $this->_pathLenConstraint;
+	}
+
+	/**
+	 * Check whether permitted attributes are present.
+	 *
+	 * @return bool
+	 */
+	public function hasPermittedAttrs(): bool
+	{
+		return isset($this->_permittedAttrs);
+	}
+
+	/**
+	 * Get OID's of permitted attributes.
+	 *
+	 * @throws \LogicException If not set
+	 *
+	 * @return string[]
+	 */
+	public function permittedAttrs(): array
+	{
+		if (!$this->hasPermittedAttrs()) {
+			throw new \LogicException('permittedAttrs not set.');
+		}
+		return $this->_permittedAttrs;
+	}
+
+	/**
+	 * Check whether excluded attributes are present.
+	 *
+	 * @return bool
+	 */
+	public function hasExcludedAttrs(): bool
+	{
+		return isset($this->_excludedAttrs);
+	}
+
+	/**
+	 * Get OID's of excluded attributes.
+	 *
+	 * @throws \LogicException If not set
+	 *
+	 * @return string[]
+	 */
+	public function excludedAttrs(): array
+	{
+		if (!$this->hasExcludedAttrs()) {
+			throw new \LogicException('excludedAttrs not set.');
+		}
+		return $this->_excludedAttrs;
+	}
+
+	/**
+	 * Whether to permit attributes that are not explicitly specified in
+	 * neither permitted nor excluded list.
+	 *
+	 * @return bool
+	 */
+	public function permitUnspecified(): bool
+	{
+		return $this->_permitUnSpecified;
+	}
+
+	/**
+	 * {@inheritdoc}
+	 */
+	protected static function _fromDER(string $data, bool $critical): Extension
+	{
+		$seq = UnspecifiedType::fromDER($data)->asSequence();
+		$path_len = null;
+		$permitted = null;
+		$excluded = null;
+		$permit_unspecified = true;
+		$idx = 0;
+		if ($seq->has($idx, Element::TYPE_INTEGER)) {
+			$path_len = $seq->at($idx++)->asInteger()->intNumber();
+		}
+		if ($seq->hasTagged(0)) {
+			$attr_seq = $seq->getTagged(0)->asImplicit(Element::TYPE_SEQUENCE)
+				->asSequence();
+			$permitted = array_map(
+				function (UnspecifiedType $el) {
+					return $el->asObjectIdentifier()->oid();
+				}, $attr_seq->elements());
+			++$idx;
+		}
+		if ($seq->hasTagged(1)) {
+			$attr_seq = $seq->getTagged(1)->asImplicit(Element::TYPE_SEQUENCE)
+				->asSequence();
+			$excluded = array_map(
+				function (UnspecifiedType $el) {
+					return $el->asObjectIdentifier()->oid();
+				}, $attr_seq->elements());
+			++$idx;
+		}
+		if ($seq->has($idx, Element::TYPE_BOOLEAN)) {
+			$permit_unspecified = $seq->at($idx++)->asBoolean()->value();
+		}
+		return new self($critical, $path_len, $permitted, $excluded, $permit_unspecified);
+	}
+
+	/**
+	 * {@inheritdoc}
+	 */
+	protected function _valueASN1(): Element
+	{
+		$elements = [];
+		if (isset($this->_pathLenConstraint)) {
+			$elements[] = new Integer($this->_pathLenConstraint);
+		}
+		if (isset($this->_permittedAttrs)) {
+			$oids = array_map(
+				function ($oid) {
+					return new ObjectIdentifier($oid);
+				}, $this->_permittedAttrs);
+			$elements[] = new ImplicitlyTaggedType(0, new Sequence(...$oids));
+		}
+		if (isset($this->_excludedAttrs)) {
+			$oids = array_map(
+				function ($oid) {
+					return new ObjectIdentifier($oid);
+				}, $this->_excludedAttrs);
+			$elements[] = new ImplicitlyTaggedType(1, new Sequence(...$oids));
+		}
+		if (true !== $this->_permitUnSpecified) {
+			$elements[] = new Boolean(false);
+		}
+		return new Sequence(...$elements);
+	}
 }

lib/X509/Certificate/Extension/BasicConstraintsExtension.php

Indentation +88 added lines, -88 removed lines

@@ -17,99 +17,99 @@
  */
 class BasicConstraintsExtension extends Extension
 {
-    /**
-     * Whether certificate is a CA.
-     *
-     * @var bool
-     */
-    protected $_ca;
+	/**
+	 * Whether certificate is a CA.
+	 *
+	 * @var bool
+	 */
+	protected $_ca;
 
-    /**
-     * Maximum certification path length.
-     *
-     * @var null|int
-     */
-    protected $_pathLen;
+	/**
+	 * Maximum certification path length.
+	 *
+	 * @var null|int
+	 */
+	protected $_pathLen;
 
-    /**
-     * Constructor.
-     *
-     * @param bool     $critical
-     * @param bool     $ca
-     * @param null|int $path_len
-     */
-    public function __construct(bool $critical, bool $ca, ?int $path_len = null)
-    {
-        parent::__construct(self::OID_BASIC_CONSTRAINTS, $critical);
-        $this->_ca = $ca;
-        $this->_pathLen = $path_len;
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param bool     $critical
+	 * @param bool     $ca
+	 * @param null|int $path_len
+	 */
+	public function __construct(bool $critical, bool $ca, ?int $path_len = null)
+	{
+		parent::__construct(self::OID_BASIC_CONSTRAINTS, $critical);
+		$this->_ca = $ca;
+		$this->_pathLen = $path_len;
+	}
 
-    /**
-     * Whether certificate is a CA.
-     *
-     * @return bool
-     */
-    public function isCA(): bool
-    {
-        return $this->_ca;
-    }
+	/**
+	 * Whether certificate is a CA.
+	 *
+	 * @return bool
+	 */
+	public function isCA(): bool
+	{
+		return $this->_ca;
+	}
 
-    /**
-     * Whether path length is present.
-     *
-     * @return bool
-     */
-    public function hasPathLen(): bool
-    {
-        return isset($this->_pathLen);
-    }
+	/**
+	 * Whether path length is present.
+	 *
+	 * @return bool
+	 */
+	public function hasPathLen(): bool
+	{
+		return isset($this->_pathLen);
+	}
 
-    /**
-     * Get path length.
-     *
-     * @throws \LogicException If not set
-     *
-     * @return int
-     */
-    public function pathLen(): int
-    {
-        if (!$this->hasPathLen()) {
-            throw new \LogicException('pathLenConstraint not set.');
-        }
-        return $this->_pathLen;
-    }
+	/**
+	 * Get path length.
+	 *
+	 * @throws \LogicException If not set
+	 *
+	 * @return int
+	 */
+	public function pathLen(): int
+	{
+		if (!$this->hasPathLen()) {
+			throw new \LogicException('pathLenConstraint not set.');
+		}
+		return $this->_pathLen;
+	}
 
-    /**
-     * {@inheritdoc}
-     */
-    protected static function _fromDER(string $data, bool $critical): Extension
-    {
-        $seq = UnspecifiedType::fromDER($data)->asSequence();
-        $ca = false;
-        $path_len = null;
-        $idx = 0;
-        if ($seq->has($idx, Element::TYPE_BOOLEAN)) {
-            $ca = $seq->at($idx++)->asBoolean()->value();
-        }
-        if ($seq->has($idx, Element::TYPE_INTEGER)) {
-            $path_len = $seq->at($idx)->asInteger()->intNumber();
-        }
-        return new self($critical, $ca, $path_len);
-    }
+	/**
+	 * {@inheritdoc}
+	 */
+	protected static function _fromDER(string $data, bool $critical): Extension
+	{
+		$seq = UnspecifiedType::fromDER($data)->asSequence();
+		$ca = false;
+		$path_len = null;
+		$idx = 0;
+		if ($seq->has($idx, Element::TYPE_BOOLEAN)) {
+			$ca = $seq->at($idx++)->asBoolean()->value();
+		}
+		if ($seq->has($idx, Element::TYPE_INTEGER)) {
+			$path_len = $seq->at($idx)->asInteger()->intNumber();
+		}
+		return new self($critical, $ca, $path_len);
+	}
 
-    /**
-     * {@inheritdoc}
-     */
-    protected function _valueASN1(): Element
-    {
-        $elements = [];
-        if ($this->_ca) {
-            $elements[] = new Boolean(true);
-        }
-        if (isset($this->_pathLen)) {
-            $elements[] = new Integer($this->_pathLen);
-        }
-        return new Sequence(...$elements);
-    }
+	/**
+	 * {@inheritdoc}
+	 */
+	protected function _valueASN1(): Element
+	{
+		$elements = [];
+		if ($this->_ca) {
+			$elements[] = new Boolean(true);
+		}
+		if (isset($this->_pathLen)) {
+			$elements[] = new Integer($this->_pathLen);
+		}
+		return new Sequence(...$elements);
+	}
 }

lib/X509/Certificate/CertificateBundle.php

Indentation +211 added lines, -211 removed lines

@@ -12,215 +12,215 @@
  */
 class CertificateBundle implements \Countable, \IteratorAggregate
 {
-    /**
-     * Certificates.
-     *
-     * @var Certificate[]
-     */
-    protected $_certs;
-
-    /**
-     * Mapping from public key id to array of certificates.
-     *
-     * @var null|(Certificate[])[]
-     */
-    private $_keyIdMap;
-
-    /**
-     * Constructor.
-     *
-     * @param Certificate ...$certs Certificate objects
-     */
-    public function __construct(Certificate ...$certs)
-    {
-        $this->_certs = $certs;
-    }
-
-    /**
-     * Reset internal cached variables on clone.
-     */
-    public function __clone()
-    {
-        $this->_keyIdMap = null;
-    }
-
-    /**
-     * Initialize from PEMs.
-     *
-     * @param PEM ...$pems PEM objects
-     *
-     * @return self
-     */
-    public static function fromPEMs(PEM ...$pems): self
-    {
-        $certs = array_map(
-            function ($pem) {
-                return Certificate::fromPEM($pem);
-            }, $pems);
-        return new self(...$certs);
-    }
-
-    /**
-     * Initialize from PEM bundle.
-     *
-     * @param PEMBundle $pem_bundle
-     *
-     * @return self
-     */
-    public static function fromPEMBundle(PEMBundle $pem_bundle): self
-    {
-        return self::fromPEMs(...$pem_bundle->all());
-    }
-
-    /**
-     * Get self with certificates added.
-     *
-     * @param Certificate ...$cert
-     *
-     * @return self
-     */
-    public function withCertificates(Certificate ...$cert): self
-    {
-        $obj = clone $this;
-        $obj->_certs = array_merge($obj->_certs, $cert);
-        return $obj;
-    }
-
-    /**
-     * Get self with certificates from PEMBundle added.
-     *
-     * @param PEMBundle $pem_bundle
-     *
-     * @return self
-     */
-    public function withPEMBundle(PEMBundle $pem_bundle): self
-    {
-        $certs = $this->_certs;
-        foreach ($pem_bundle as $pem) {
-            $certs[] = Certificate::fromPEM($pem);
-        }
-        return new self(...$certs);
-    }
-
-    /**
-     * Get self with single certificate from PEM added.
-     *
-     * @param PEM $pem
-     *
-     * @return self
-     */
-    public function withPEM(PEM $pem): self
-    {
-        $certs = $this->_certs;
-        $certs[] = Certificate::fromPEM($pem);
-        return new self(...$certs);
-    }
-
-    /**
-     * Check whether bundle contains a given certificate.
-     *
-     * @param Certificate $cert
-     *
-     * @return bool
-     */
-    public function contains(Certificate $cert): bool
-    {
-        $id = self::_getCertKeyId($cert);
-        $map = $this->_getKeyIdMap();
-        if (!isset($map[$id])) {
-            return false;
-        }
-        foreach ($map[$id] as $c) {
-            /** @var Certificate $c */
-            if ($cert->equals($c)) {
-                return true;
-            }
-        }
-        return false;
-    }
-
-    /**
-     * Get all certificates that have given subject key identifier.
-     *
-     * @param string $id
-     *
-     * @return Certificate[]
-     */
-    public function allBySubjectKeyIdentifier(string $id): array
-    {
-        $map = $this->_getKeyIdMap();
-        if (!isset($map[$id])) {
-            return [];
-        }
-        return $map[$id];
-    }
-
-    /**
-     * Get all certificates in a bundle.
-     *
-     * @return Certificate[]
-     */
-    public function all(): array
-    {
-        return $this->_certs;
-    }
-
-    /**
-     * @see \Countable::count()
-     *
-     * @return int
-     */
-    public function count(): int
-    {
-        return count($this->_certs);
-    }
-
-    /**
-     * Get iterator for certificates.
-     *
-     * @see \IteratorAggregate::getIterator()
-     *
-     * @return \ArrayIterator
-     */
-    public function getIterator(): \ArrayIterator
-    {
-        return new \ArrayIterator($this->_certs);
-    }
-
-    /**
-     * Get certificate mapping by public key id.
-     *
-     * @return (Certificate[])[]
-     */
-    private function _getKeyIdMap(): array
-    {
-        // lazily build mapping
-        if (!isset($this->_keyIdMap)) {
-            $this->_keyIdMap = [];
-            foreach ($this->_certs as $cert) {
-                $id = self::_getCertKeyId($cert);
-                if (!isset($this->_keyIdMap[$id])) {
-                    $this->_keyIdMap[$id] = [];
-                }
-                array_push($this->_keyIdMap[$id], $cert);
-            }
-        }
-        return $this->_keyIdMap;
-    }
-
-    /**
-     * Get public key id for the certificate.
-     *
-     * @param Certificate $cert
-     *
-     * @return string
-     */
-    private static function _getCertKeyId(Certificate $cert): string
-    {
-        $exts = $cert->tbsCertificate()->extensions();
-        if ($exts->hasSubjectKeyIdentifier()) {
-            return $exts->subjectKeyIdentifier()->keyIdentifier();
-        }
-        return $cert->tbsCertificate()->subjectPublicKeyInfo()->keyIdentifier();
-    }
+	/**
+	 * Certificates.
+	 *
+	 * @var Certificate[]
+	 */
+	protected $_certs;
+
+	/**
+	 * Mapping from public key id to array of certificates.
+	 *
+	 * @var null|(Certificate[])[]
+	 */
+	private $_keyIdMap;
+
+	/**
+	 * Constructor.
+	 *
+	 * @param Certificate ...$certs Certificate objects
+	 */
+	public function __construct(Certificate ...$certs)
+	{
+		$this->_certs = $certs;
+	}
+
+	/**
+	 * Reset internal cached variables on clone.
+	 */
+	public function __clone()
+	{
+		$this->_keyIdMap = null;
+	}
+
+	/**
+	 * Initialize from PEMs.
+	 *
+	 * @param PEM ...$pems PEM objects
+	 *
+	 * @return self
+	 */
+	public static function fromPEMs(PEM ...$pems): self
+	{
+		$certs = array_map(
+			function ($pem) {
+				return Certificate::fromPEM($pem);
+			}, $pems);
+		return new self(...$certs);
+	}
+
+	/**
+	 * Initialize from PEM bundle.
+	 *
+	 * @param PEMBundle $pem_bundle
+	 *
+	 * @return self
+	 */
+	public static function fromPEMBundle(PEMBundle $pem_bundle): self
+	{
+		return self::fromPEMs(...$pem_bundle->all());
+	}
+
+	/**
+	 * Get self with certificates added.
+	 *
+	 * @param Certificate ...$cert
+	 *
+	 * @return self
+	 */
+	public function withCertificates(Certificate ...$cert): self
+	{
+		$obj = clone $this;
+		$obj->_certs = array_merge($obj->_certs, $cert);
+		return $obj;
+	}
+
+	/**
+	 * Get self with certificates from PEMBundle added.
+	 *
+	 * @param PEMBundle $pem_bundle
+	 *
+	 * @return self
+	 */
+	public function withPEMBundle(PEMBundle $pem_bundle): self
+	{
+		$certs = $this->_certs;
+		foreach ($pem_bundle as $pem) {
+			$certs[] = Certificate::fromPEM($pem);
+		}
+		return new self(...$certs);
+	}
+
+	/**
+	 * Get self with single certificate from PEM added.
+	 *
+	 * @param PEM $pem
+	 *
+	 * @return self
+	 */
+	public function withPEM(PEM $pem): self
+	{
+		$certs = $this->_certs;
+		$certs[] = Certificate::fromPEM($pem);
+		return new self(...$certs);
+	}
+
+	/**
+	 * Check whether bundle contains a given certificate.
+	 *
+	 * @param Certificate $cert
+	 *
+	 * @return bool
+	 */
+	public function contains(Certificate $cert): bool
+	{
+		$id = self::_getCertKeyId($cert);
+		$map = $this->_getKeyIdMap();
+		if (!isset($map[$id])) {
+			return false;
+		}
+		foreach ($map[$id] as $c) {
+			/** @var Certificate $c */
+			if ($cert->equals($c)) {
+				return true;
+			}
+		}
+		return false;
+	}
+
+	/**
+	 * Get all certificates that have given subject key identifier.
+	 *
+	 * @param string $id
+	 *
+	 * @return Certificate[]
+	 */
+	public function allBySubjectKeyIdentifier(string $id): array
+	{
+		$map = $this->_getKeyIdMap();
+		if (!isset($map[$id])) {
+			return [];
+		}
+		return $map[$id];
+	}
+
+	/**
+	 * Get all certificates in a bundle.
+	 *
+	 * @return Certificate[]
+	 */
+	public function all(): array
+	{
+		return $this->_certs;
+	}
+
+	/**
+	 * @see \Countable::count()
+	 *
+	 * @return int
+	 */
+	public function count(): int
+	{
+		return count($this->_certs);
+	}
+
+	/**
+	 * Get iterator for certificates.
+	 *
+	 * @see \IteratorAggregate::getIterator()
+	 *
+	 * @return \ArrayIterator
+	 */
+	public function getIterator(): \ArrayIterator
+	{
+		return new \ArrayIterator($this->_certs);
+	}
+
+	/**
+	 * Get certificate mapping by public key id.
+	 *
+	 * @return (Certificate[])[]
+	 */
+	private function _getKeyIdMap(): array
+	{
+		// lazily build mapping
+		if (!isset($this->_keyIdMap)) {
+			$this->_keyIdMap = [];
+			foreach ($this->_certs as $cert) {
+				$id = self::_getCertKeyId($cert);
+				if (!isset($this->_keyIdMap[$id])) {
+					$this->_keyIdMap[$id] = [];
+				}
+				array_push($this->_keyIdMap[$id], $cert);
+			}
+		}
+		return $this->_keyIdMap;
+	}
+
+	/**
+	 * Get public key id for the certificate.
+	 *
+	 * @param Certificate $cert
+	 *
+	 * @return string
+	 */
+	private static function _getCertKeyId(Certificate $cert): string
+	{
+		$exts = $cert->tbsCertificate()->extensions();
+		if ($exts->hasSubjectKeyIdentifier()) {
+			return $exts->subjectKeyIdentifier()->keyIdentifier();
+		}
+		return $cert->tbsCertificate()->subjectPublicKeyInfo()->keyIdentifier();
+	}
 }

lib/X509/Certificate/CertificateChain.php

Indentation +122 added lines, -122 removed lines

@@ -13,136 +13,136 @@
  */
 class CertificateChain implements \Countable, \IteratorAggregate
 {
-    /**
-     * List of certificates in a chain.
-     *
-     * @var Certificate[]
-     */
-    protected $_certs;
+	/**
+	 * List of certificates in a chain.
+	 *
+	 * @var Certificate[]
+	 */
+	protected $_certs;
 
-    /**
-     * Constructor.
-     *
-     * @param Certificate ...$certs List of certificates, end-entity first
-     */
-    public function __construct(Certificate ...$certs)
-    {
-        $this->_certs = $certs;
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param Certificate ...$certs List of certificates, end-entity first
+	 */
+	public function __construct(Certificate ...$certs)
+	{
+		$this->_certs = $certs;
+	}
 
-    /**
-     * Initialize from a list of PEMs.
-     *
-     * @param PEM ...$pems
-     *
-     * @return self
-     */
-    public static function fromPEMs(PEM ...$pems): self
-    {
-        $certs = array_map(
-            function (PEM $pem) {
-                return Certificate::fromPEM($pem);
-            }, $pems);
-        return new self(...$certs);
-    }
+	/**
+	 * Initialize from a list of PEMs.
+	 *
+	 * @param PEM ...$pems
+	 *
+	 * @return self
+	 */
+	public static function fromPEMs(PEM ...$pems): self
+	{
+		$certs = array_map(
+			function (PEM $pem) {
+				return Certificate::fromPEM($pem);
+			}, $pems);
+		return new self(...$certs);
+	}
 
-    /**
-     * Initialize from a string containing multiple PEM blocks.
-     *
-     * @param string $str
-     *
-     * @return self
-     */
-    public static function fromPEMString(string $str): self
-    {
-        $pems = PEMBundle::fromString($str)->all();
-        return self::fromPEMs(...$pems);
-    }
+	/**
+	 * Initialize from a string containing multiple PEM blocks.
+	 *
+	 * @param string $str
+	 *
+	 * @return self
+	 */
+	public static function fromPEMString(string $str): self
+	{
+		$pems = PEMBundle::fromString($str)->all();
+		return self::fromPEMs(...$pems);
+	}
 
-    /**
-     * Get all certificates in a chain ordered from the end-entity certificate
-     * to the trust anchor.
-     *
-     * @return Certificate[]
-     */
-    public function certificates(): array
-    {
-        return $this->_certs;
-    }
+	/**
+	 * Get all certificates in a chain ordered from the end-entity certificate
+	 * to the trust anchor.
+	 *
+	 * @return Certificate[]
+	 */
+	public function certificates(): array
+	{
+		return $this->_certs;
+	}
 
-    /**
-     * Get the end-entity certificate.
-     *
-     * @throws \LogicException
-     *
-     * @return Certificate
-     */
-    public function endEntityCertificate(): Certificate
-    {
-        if (!count($this->_certs)) {
-            throw new \LogicException('No certificates.');
-        }
-        return $this->_certs[0];
-    }
+	/**
+	 * Get the end-entity certificate.
+	 *
+	 * @throws \LogicException
+	 *
+	 * @return Certificate
+	 */
+	public function endEntityCertificate(): Certificate
+	{
+		if (!count($this->_certs)) {
+			throw new \LogicException('No certificates.');
+		}
+		return $this->_certs[0];
+	}
 
-    /**
-     * Get the trust anchor certificate.
-     *
-     * @throws \LogicException
-     *
-     * @return Certificate
-     */
-    public function trustAnchorCertificate(): Certificate
-    {
-        if (!count($this->_certs)) {
-            throw new \LogicException('No certificates.');
-        }
-        return $this->_certs[count($this->_certs) - 1];
-    }
+	/**
+	 * Get the trust anchor certificate.
+	 *
+	 * @throws \LogicException
+	 *
+	 * @return Certificate
+	 */
+	public function trustAnchorCertificate(): Certificate
+	{
+		if (!count($this->_certs)) {
+			throw new \LogicException('No certificates.');
+		}
+		return $this->_certs[count($this->_certs) - 1];
+	}
 
-    /**
-     * Convert certificate chain to certification path.
-     *
-     * @return CertificationPath
-     */
-    public function certificationPath(): CertificationPath
-    {
-        return CertificationPath::fromCertificateChain($this);
-    }
+	/**
+	 * Convert certificate chain to certification path.
+	 *
+	 * @return CertificationPath
+	 */
+	public function certificationPath(): CertificationPath
+	{
+		return CertificationPath::fromCertificateChain($this);
+	}
 
-    /**
-     * Convert certificate chain to string of PEM blocks.
-     *
-     * @return string
-     */
-    public function toPEMString(): string
-    {
-        return implode("\n",
-            array_map(
-                function (Certificate $cert) {
-                    return $cert->toPEM()->string();
-                }, $this->_certs));
-    }
+	/**
+	 * Convert certificate chain to string of PEM blocks.
+	 *
+	 * @return string
+	 */
+	public function toPEMString(): string
+	{
+		return implode("\n",
+			array_map(
+				function (Certificate $cert) {
+					return $cert->toPEM()->string();
+				}, $this->_certs));
+	}
 
-    /**
-     * @see \Countable::count()
-     *
-     * @return int
-     */
-    public function count(): int
-    {
-        return count($this->_certs);
-    }
+	/**
+	 * @see \Countable::count()
+	 *
+	 * @return int
+	 */
+	public function count(): int
+	{
+		return count($this->_certs);
+	}
 
-    /**
-     * Get iterator for certificates.
-     *
-     * @see \IteratorAggregate::getIterator()
-     *
-     * @return \ArrayIterator
-     */
-    public function getIterator(): \ArrayIterator
-    {
-        return new \ArrayIterator($this->_certs);
-    }
+	/**
+	 * Get iterator for certificates.
+	 *
+	 * @see \IteratorAggregate::getIterator()
+	 *
+	 * @return \ArrayIterator
+	 */
+	public function getIterator(): \ArrayIterator
+	{
+		return new \ArrayIterator($this->_certs);
+	}
 }

lib/X509/CertificationPath/PathBuilding/CertificationPathBuilder.php

Indentation +130 added lines, -130 removed lines

@@ -16,139 +16,139 @@
  */
 class CertificationPathBuilder
 {
-    /**
-     * Trust anchors.
-     *
-     * @var CertificateBundle
-     */
-    protected $_trustList;
+	/**
+	 * Trust anchors.
+	 *
+	 * @var CertificateBundle
+	 */
+	protected $_trustList;
 
-    /**
-     * Constructor.
-     *
-     * @param CertificateBundle $trust_list List of trust anchors
-     */
-    public function __construct(CertificateBundle $trust_list)
-    {
-        $this->_trustList = $trust_list;
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param CertificateBundle $trust_list List of trust anchors
+	 */
+	public function __construct(CertificateBundle $trust_list)
+	{
+		$this->_trustList = $trust_list;
+	}
 
-    /**
-     * Get all certification paths to given target certificate from
-     * any trust anchor.
-     *
-     * @param Certificate            $target       Target certificate
-     * @param null|CertificateBundle $intermediate Optional intermediate certificates
-     *
-     * @return CertificationPath[]
-     */
-    public function allPathsToTarget(Certificate $target,
-        ?CertificateBundle $intermediate = null): array
-    {
-        $paths = $this->_resolvePathsToTarget($target, $intermediate);
-        // map paths to CertificationPath objects
-        return array_map(
-            function ($certs) {
-                return new CertificationPath(...$certs);
-            }, $paths);
-    }
+	/**
+	 * Get all certification paths to given target certificate from
+	 * any trust anchor.
+	 *
+	 * @param Certificate            $target       Target certificate
+	 * @param null|CertificateBundle $intermediate Optional intermediate certificates
+	 *
+	 * @return CertificationPath[]
+	 */
+	public function allPathsToTarget(Certificate $target,
+		?CertificateBundle $intermediate = null): array
+	{
+		$paths = $this->_resolvePathsToTarget($target, $intermediate);
+		// map paths to CertificationPath objects
+		return array_map(
+			function ($certs) {
+				return new CertificationPath(...$certs);
+			}, $paths);
+	}
 
-    /**
-     * Get shortest path to given target certificate from any trust anchor.
-     *
-     * @param Certificate            $target       Target certificate
-     * @param null|CertificateBundle $intermediate Optional intermediate certificates
-     *
-     * @throws PathBuildingException
-     *
-     * @return CertificationPath
-     */
-    public function shortestPathToTarget(Certificate $target,
-        ?CertificateBundle $intermediate = null): CertificationPath
-    {
-        $paths = $this->allPathsToTarget($target, $intermediate);
-        if (!count($paths)) {
-            throw new PathBuildingException('No certification paths.');
-        }
-        usort($paths,
-            function ($a, $b) {
-                return count($a) < count($b) ? -1 : 1;
-            });
-        return reset($paths);
-    }
+	/**
+	 * Get shortest path to given target certificate from any trust anchor.
+	 *
+	 * @param Certificate            $target       Target certificate
+	 * @param null|CertificateBundle $intermediate Optional intermediate certificates
+	 *
+	 * @throws PathBuildingException
+	 *
+	 * @return CertificationPath
+	 */
+	public function shortestPathToTarget(Certificate $target,
+		?CertificateBundle $intermediate = null): CertificationPath
+	{
+		$paths = $this->allPathsToTarget($target, $intermediate);
+		if (!count($paths)) {
+			throw new PathBuildingException('No certification paths.');
+		}
+		usort($paths,
+			function ($a, $b) {
+				return count($a) < count($b) ? -1 : 1;
+			});
+		return reset($paths);
+	}
 
-    /**
-     * Find all issuers of the target certificate from a given bundle.
-     *
-     * @param Certificate       $target Target certificate
-     * @param CertificateBundle $bundle Certificates to search
-     *
-     * @return Certificate[]
-     */
-    protected function _findIssuers(Certificate $target,
-        CertificateBundle $bundle): array
-    {
-        $issuers = [];
-        $issuer_name = $target->tbsCertificate()->issuer();
-        $extensions = $target->tbsCertificate()->extensions();
-        // find by authority key identifier
-        if ($extensions->hasAuthorityKeyIdentifier()) {
-            $ext = $extensions->authorityKeyIdentifier();
-            if ($ext->hasKeyIdentifier()) {
-                foreach ($bundle->allBySubjectKeyIdentifier(
-                    $ext->keyIdentifier()) as $issuer) {
-                    // check that issuer name matches
-                    if ($issuer->tbsCertificate()->subject()->equals($issuer_name)) {
-                        $issuers[] = $issuer;
-                    }
-                }
-            }
-        }
-        return $issuers;
-    }
+	/**
+	 * Find all issuers of the target certificate from a given bundle.
+	 *
+	 * @param Certificate       $target Target certificate
+	 * @param CertificateBundle $bundle Certificates to search
+	 *
+	 * @return Certificate[]
+	 */
+	protected function _findIssuers(Certificate $target,
+		CertificateBundle $bundle): array
+	{
+		$issuers = [];
+		$issuer_name = $target->tbsCertificate()->issuer();
+		$extensions = $target->tbsCertificate()->extensions();
+		// find by authority key identifier
+		if ($extensions->hasAuthorityKeyIdentifier()) {
+			$ext = $extensions->authorityKeyIdentifier();
+			if ($ext->hasKeyIdentifier()) {
+				foreach ($bundle->allBySubjectKeyIdentifier(
+					$ext->keyIdentifier()) as $issuer) {
+					// check that issuer name matches
+					if ($issuer->tbsCertificate()->subject()->equals($issuer_name)) {
+						$issuers[] = $issuer;
+					}
+				}
+			}
+		}
+		return $issuers;
+	}
 
-    /**
-     * Resolve all possible certification paths from any trust anchor to
-     * the target certificate, using optional intermediate certificates.
-     *
-     * Helper method for allPathsToTarget to be called recursively.
-     *
-     * @todo Implement loop detection
-     *
-     * @param Certificate            $target
-     * @param null|CertificateBundle $intermediate
-     *
-     * @return array[] Array of arrays containing path certificates
-     */
-    private function _resolvePathsToTarget(Certificate $target,
-        ?CertificateBundle $intermediate = null): array
-    {
-        // array of possible paths
-        $paths = [];
-        // signed by certificate in the trust list
-        foreach ($this->_findIssuers($target, $this->_trustList) as $issuer) {
-            // if target is self-signed, path consists of only
-            // the target certificate
-            if ($target->equals($issuer)) {
-                $paths[] = [$target];
-            } else {
-                $paths[] = [$issuer, $target];
-            }
-        }
-        if (isset($intermediate)) {
-            // signed by intermediate certificate
-            foreach ($this->_findIssuers($target, $intermediate) as $issuer) {
-                // intermediate certificate must not be self-signed
-                if ($issuer->isSelfIssued()) {
-                    continue;
-                }
-                // resolve paths to issuer
-                $subpaths = $this->_resolvePathsToTarget($issuer, $intermediate);
-                foreach ($subpaths as $path) {
-                    $paths[] = array_merge($path, [$target]);
-                }
-            }
-        }
-        return $paths;
-    }
+	/**
+	 * Resolve all possible certification paths from any trust anchor to
+	 * the target certificate, using optional intermediate certificates.
+	 *
+	 * Helper method for allPathsToTarget to be called recursively.
+	 *
+	 * @todo Implement loop detection
+	 *
+	 * @param Certificate            $target
+	 * @param null|CertificateBundle $intermediate
+	 *
+	 * @return array[] Array of arrays containing path certificates
+	 */
+	private function _resolvePathsToTarget(Certificate $target,
+		?CertificateBundle $intermediate = null): array
+	{
+		// array of possible paths
+		$paths = [];
+		// signed by certificate in the trust list
+		foreach ($this->_findIssuers($target, $this->_trustList) as $issuer) {
+			// if target is self-signed, path consists of only
+			// the target certificate
+			if ($target->equals($issuer)) {
+				$paths[] = [$target];
+			} else {
+				$paths[] = [$issuer, $target];
+			}
+		}
+		if (isset($intermediate)) {
+			// signed by intermediate certificate
+			foreach ($this->_findIssuers($target, $intermediate) as $issuer) {
+				// intermediate certificate must not be self-signed
+				if ($issuer->isSelfIssued()) {
+					continue;
+				}
+				// resolve paths to issuer
+				$subpaths = $this->_resolvePathsToTarget($issuer, $intermediate);
+				foreach ($subpaths as $path) {
+					$paths[] = array_merge($path, [$target]);
+				}
+			}
+		}
+		return $paths;
+	}
 }

lib/X509/CertificationPath/PathValidation/ValidatorState.php

Indentation +496 added lines, -496 removed lines

@@ -20,500 +20,500 @@
  */
 class ValidatorState
 {
-    /**
-     * Length of the certification path (n).
-     *
-     * @var int
-     */
-    protected $_pathLength;
-
-    /**
-     * Current index in the certification path in the range of 1..n (i).
-     *
-     * @var int
-     */
-    protected $_index;
-
-    /**
-     * Valid policy tree (valid_policy_tree).
-     *
-     * A tree of certificate policies with their optional qualifiers.
-     * Each of the leaves of the tree represents a valid policy at this stage in
-     * the certification path validation.
-     * Once the tree is set to NULL, policy processing ceases.
-     *
-     * @var null|PolicyTree
-     */
-    protected $_validPolicyTree;
-
-    /**
-     * Permitted subtrees (permitted_subtrees).
-     *
-     * A set of root names for each name type defining a set of subtrees within
-     * which all subject names in subsequent certificates in the certification
-     * path must fall.
-     *
-     * @var mixed
-     */
-    protected $_permittedSubtrees;
-
-    /**
-     * Excluded subtrees (excluded_subtrees).
-     *
-     * A set of root names for each name type defining a set of subtrees within
-     * which no subject name in subsequent certificates in the certification
-     * path may fall.
-     *
-     * @var mixed
-     */
-    protected $_excludedSubtrees;
-
-    /**
-     * Explicit policy (explicit_policy).
-     *
-     * An integer that indicates if a non-NULL valid_policy_tree is required.
-     *
-     * @var int
-     */
-    protected $_explicitPolicy;
-
-    /**
-     * Inhibit anyPolicy (inhibit_anyPolicy).
-     *
-     * An integer that indicates whether the anyPolicy policy identifier is
-     * considered a match.
-     *
-     * @var int
-     */
-    protected $_inhibitAnyPolicy;
-
-    /**
-     * Policy mapping (policy_mapping).
-     *
-     * An integer that indicates if policy mapping is permitted.
-     *
-     * @var int
-     */
-    protected $_policyMapping;
-
-    /**
-     * Working public key algorithm (working_public_key_algorithm).
-     *
-     * The digital signature algorithm used to verify the signature of a
-     * certificate.
-     *
-     * @var AlgorithmIdentifierType
-     */
-    protected $_workingPublicKeyAlgorithm;
-
-    /**
-     * Working public key (working_public_key).
-     *
-     * The public key used to verify the signature of a certificate.
-     *
-     * @var PublicKeyInfo
-     */
-    protected $_workingPublicKey;
-
-    /**
-     * Working public key parameters (working_public_key_parameters).
-     *
-     * Parameters associated with the current public key that may be required to
-     * verify a signature.
-     *
-     * @var null|Element
-     */
-    protected $_workingPublicKeyParameters;
-
-    /**
-     * Working issuer name (working_issuer_name).
-     *
-     * The issuer distinguished name expected in the next certificate in the
-     * chain.
-     *
-     * @var Name
-     */
-    protected $_workingIssuerName;
-
-    /**
-     * Maximum certification path length (max_path_length).
-     *
-     * @var int
-     */
-    protected $_maxPathLength;
-
-    /**
-     * Constructor.
-     */
-    protected function __construct()
-    {
-    }
-
-    /**
-     * Initialize variables according to RFC 5280 6.1.2.
-     *
-     * @see https://tools.ietf.org/html/rfc5280#section-6.1.2
-     *
-     * @param PathValidationConfig $config
-     * @param Certificate          $trust_anchor Trust anchor certificate
-     * @param int                  $n            Number of certificates
-     *                                           in the certification path
-     *
-     * @return self
-     */
-    public static function initialize(PathValidationConfig $config,
-        Certificate $trust_anchor, int $n): self
-    {
-        $state = new self();
-        $state->_pathLength = $n;
-        $state->_index = 1;
-        $state->_validPolicyTree = new PolicyTree(PolicyNode::anyPolicyNode());
-        $state->_permittedSubtrees = null;
-        $state->_excludedSubtrees = null;
-        $state->_explicitPolicy = $config->explicitPolicy() ? 0 : $n + 1;
-        $state->_inhibitAnyPolicy = $config->anyPolicyInhibit() ? 0 : $n + 1;
-        $state->_policyMapping = $config->policyMappingInhibit() ? 0 : $n + 1;
-        $state->_workingPublicKeyAlgorithm = $trust_anchor->signatureAlgorithm();
-        $tbsCert = $trust_anchor->tbsCertificate();
-        $state->_workingPublicKey = $tbsCert->subjectPublicKeyInfo();
-        $state->_workingPublicKeyParameters = self::getAlgorithmParameters(
-            $state->_workingPublicKey->algorithmIdentifier());
-        $state->_workingIssuerName = $tbsCert->issuer();
-        $state->_maxPathLength = $config->maxLength();
-        return $state;
-    }
-
-    /**
-     * Get self with current certification path index set.
-     *
-     * @param int $index
-     *
-     * @return self
-     */
-    public function withIndex(int $index): self
-    {
-        $state = clone $this;
-        $state->_index = $index;
-        return $state;
-    }
-
-    /**
-     * Get self with valid_policy_tree.
-     *
-     * @param PolicyTree $policy_tree
-     *
-     * @return self
-     */
-    public function withValidPolicyTree(PolicyTree $policy_tree): self
-    {
-        $state = clone $this;
-        $state->_validPolicyTree = $policy_tree;
-        return $state;
-    }
-
-    /**
-     * Get self with valid_policy_tree set to null.
-     *
-     * @return self
-     */
-    public function withoutValidPolicyTree(): self
-    {
-        $state = clone $this;
-        $state->_validPolicyTree = null;
-        return $state;
-    }
-
-    /**
-     * Get self with explicit_policy.
-     *
-     * @param int $num
-     *
-     * @return self
-     */
-    public function withExplicitPolicy(int $num): self
-    {
-        $state = clone $this;
-        $state->_explicitPolicy = $num;
-        return $state;
-    }
-
-    /**
-     * Get self with inhibit_anyPolicy.
-     *
-     * @param int $num
-     *
-     * @return self
-     */
-    public function withInhibitAnyPolicy(int $num): self
-    {
-        $state = clone $this;
-        $state->_inhibitAnyPolicy = $num;
-        return $state;
-    }
-
-    /**
-     * Get self with policy_mapping.
-     *
-     * @param int $num
-     *
-     * @return self
-     */
-    public function withPolicyMapping(int $num): self
-    {
-        $state = clone $this;
-        $state->_policyMapping = $num;
-        return $state;
-    }
-
-    /**
-     * Get self with working_public_key_algorithm.
-     *
-     * @param AlgorithmIdentifierType $algo
-     *
-     * @return self
-     */
-    public function withWorkingPublicKeyAlgorithm(AlgorithmIdentifierType $algo): self
-    {
-        $state = clone $this;
-        $state->_workingPublicKeyAlgorithm = $algo;
-        return $state;
-    }
-
-    /**
-     * Get self with working_public_key.
-     *
-     * @param PublicKeyInfo $pubkey_info
-     *
-     * @return self
-     */
-    public function withWorkingPublicKey(PublicKeyInfo $pubkey_info): self
-    {
-        $state = clone $this;
-        $state->_workingPublicKey = $pubkey_info;
-        return $state;
-    }
-
-    /**
-     * Get self with working_public_key_parameters.
-     *
-     * @param null|Element $params
-     *
-     * @return self
-     */
-    public function withWorkingPublicKeyParameters(?Element $params = null): self
-    {
-        $state = clone $this;
-        $state->_workingPublicKeyParameters = $params;
-        return $state;
-    }
-
-    /**
-     * Get self with working_issuer_name.
-     *
-     * @param Name $issuer
-     *
-     * @return self
-     */
-    public function withWorkingIssuerName(Name $issuer): self
-    {
-        $state = clone $this;
-        $state->_workingIssuerName = $issuer;
-        return $state;
-    }
-
-    /**
-     * Get self with max_path_length.
-     *
-     * @param int $length
-     *
-     * @return self
-     */
-    public function withMaxPathLength(int $length): self
-    {
-        $state = clone $this;
-        $state->_maxPathLength = $length;
-        return $state;
-    }
-
-    /**
-     * Get the certification path length (n).
-     *
-     * @return int
-     */
-    public function pathLength(): int
-    {
-        return $this->_pathLength;
-    }
-
-    /**
-     * Get the current index in certification path in the range of 1..n.
-     *
-     * @return int
-     */
-    public function index(): int
-    {
-        return $this->_index;
-    }
-
-    /**
-     * Check whether valid_policy_tree is present.
-     *
-     * @return bool
-     */
-    public function hasValidPolicyTree(): bool
-    {
-        return isset($this->_validPolicyTree);
-    }
-
-    /**
-     * Get valid_policy_tree.
-     *
-     * @throws \LogicException If not set
-     *
-     * @return PolicyTree
-     */
-    public function validPolicyTree(): PolicyTree
-    {
-        if (!$this->hasValidPolicyTree()) {
-            throw new \LogicException('valid_policy_tree not set.');
-        }
-        return $this->_validPolicyTree;
-    }
-
-    /**
-     * Get permitted_subtrees.
-     *
-     * @return mixed
-     */
-    public function permittedSubtrees()
-    {
-        return $this->_permittedSubtrees;
-    }
-
-    /**
-     * Get excluded_subtrees.
-     *
-     * @return mixed
-     */
-    public function excludedSubtrees()
-    {
-        return $this->_excludedSubtrees;
-    }
-
-    /**
-     * Get explicit_policy.
-     *
-     * @return int
-     */
-    public function explicitPolicy(): int
-    {
-        return $this->_explicitPolicy;
-    }
-
-    /**
-     * Get inhibit_anyPolicy.
-     *
-     * @return int
-     */
-    public function inhibitAnyPolicy(): int
-    {
-        return $this->_inhibitAnyPolicy;
-    }
-
-    /**
-     * Get policy_mapping.
-     *
-     * @return int
-     */
-    public function policyMapping(): int
-    {
-        return $this->_policyMapping;
-    }
-
-    /**
-     * Get working_public_key_algorithm.
-     *
-     * @return AlgorithmIdentifierType
-     */
-    public function workingPublicKeyAlgorithm(): AlgorithmIdentifierType
-    {
-        return $this->_workingPublicKeyAlgorithm;
-    }
-
-    /**
-     * Get working_public_key.
-     *
-     * @return PublicKeyInfo
-     */
-    public function workingPublicKey(): PublicKeyInfo
-    {
-        return $this->_workingPublicKey;
-    }
-
-    /**
-     * Get working_public_key_parameters.
-     *
-     * @return null|Element
-     */
-    public function workingPublicKeyParameters(): ?Element
-    {
-        return $this->_workingPublicKeyParameters;
-    }
-
-    /**
-     * Get working_issuer_name.
-     *
-     * @return Name
-     */
-    public function workingIssuerName(): Name
-    {
-        return $this->_workingIssuerName;
-    }
-
-    /**
-     * Get maximum certification path length.
-     *
-     * @return int
-     */
-    public function maxPathLength(): int
-    {
-        return $this->_maxPathLength;
-    }
-
-    /**
-     * Check whether processing the final certificate of the certification path.
-     *
-     * @return bool
-     */
-    public function isFinal(): bool
-    {
-        return $this->_index === $this->_pathLength;
-    }
-
-    /**
-     * Get the path validation result.
-     *
-     * @param Certificate[] $certificates Certificates in a certification path
-     *
-     * @return PathValidationResult
-     */
-    public function getResult(array $certificates): PathValidationResult
-    {
-        return new PathValidationResult($certificates, $this->_validPolicyTree,
-            $this->_workingPublicKey, $this->_workingPublicKeyAlgorithm,
-            $this->_workingPublicKeyParameters);
-    }
-
-    /**
-     * Get ASN.1 parameters from algorithm identifier.
-     *
-     * @param AlgorithmIdentifierType $algo
-     *
-     * @return null|Element ASN.1 element or null if parameters are omitted
-     */
-    public static function getAlgorithmParameters(AlgorithmIdentifierType $algo): ?Element
-    {
-        $seq = $algo->toASN1();
-        return $seq->has(1) ? $seq->at(1)->asElement() : null;
-    }
+	/**
+	 * Length of the certification path (n).
+	 *
+	 * @var int
+	 */
+	protected $_pathLength;
+
+	/**
+	 * Current index in the certification path in the range of 1..n (i).
+	 *
+	 * @var int
+	 */
+	protected $_index;
+
+	/**
+	 * Valid policy tree (valid_policy_tree).
+	 *
+	 * A tree of certificate policies with their optional qualifiers.
+	 * Each of the leaves of the tree represents a valid policy at this stage in
+	 * the certification path validation.
+	 * Once the tree is set to NULL, policy processing ceases.
+	 *
+	 * @var null|PolicyTree
+	 */
+	protected $_validPolicyTree;
+
+	/**
+	 * Permitted subtrees (permitted_subtrees).
+	 *
+	 * A set of root names for each name type defining a set of subtrees within
+	 * which all subject names in subsequent certificates in the certification
+	 * path must fall.
+	 *
+	 * @var mixed
+	 */
+	protected $_permittedSubtrees;
+
+	/**
+	 * Excluded subtrees (excluded_subtrees).
+	 *
+	 * A set of root names for each name type defining a set of subtrees within
+	 * which no subject name in subsequent certificates in the certification
+	 * path may fall.
+	 *
+	 * @var mixed
+	 */
+	protected $_excludedSubtrees;
+
+	/**
+	 * Explicit policy (explicit_policy).
+	 *
+	 * An integer that indicates if a non-NULL valid_policy_tree is required.
+	 *
+	 * @var int
+	 */
+	protected $_explicitPolicy;
+
+	/**
+	 * Inhibit anyPolicy (inhibit_anyPolicy).
+	 *
+	 * An integer that indicates whether the anyPolicy policy identifier is
+	 * considered a match.
+	 *
+	 * @var int
+	 */
+	protected $_inhibitAnyPolicy;
+
+	/**
+	 * Policy mapping (policy_mapping).
+	 *
+	 * An integer that indicates if policy mapping is permitted.
+	 *
+	 * @var int
+	 */
+	protected $_policyMapping;
+
+	/**
+	 * Working public key algorithm (working_public_key_algorithm).
+	 *
+	 * The digital signature algorithm used to verify the signature of a
+	 * certificate.
+	 *
+	 * @var AlgorithmIdentifierType
+	 */
+	protected $_workingPublicKeyAlgorithm;
+
+	/**
+	 * Working public key (working_public_key).
+	 *
+	 * The public key used to verify the signature of a certificate.
+	 *
+	 * @var PublicKeyInfo
+	 */
+	protected $_workingPublicKey;
+
+	/**
+	 * Working public key parameters (working_public_key_parameters).
+	 *
+	 * Parameters associated with the current public key that may be required to
+	 * verify a signature.
+	 *
+	 * @var null|Element
+	 */
+	protected $_workingPublicKeyParameters;
+
+	/**
+	 * Working issuer name (working_issuer_name).
+	 *
+	 * The issuer distinguished name expected in the next certificate in the
+	 * chain.
+	 *
+	 * @var Name
+	 */
+	protected $_workingIssuerName;
+
+	/**
+	 * Maximum certification path length (max_path_length).
+	 *
+	 * @var int
+	 */
+	protected $_maxPathLength;
+
+	/**
+	 * Constructor.
+	 */
+	protected function __construct()
+	{
+	}
+
+	/**
+	 * Initialize variables according to RFC 5280 6.1.2.
+	 *
+	 * @see https://tools.ietf.org/html/rfc5280#section-6.1.2
+	 *
+	 * @param PathValidationConfig $config
+	 * @param Certificate          $trust_anchor Trust anchor certificate
+	 * @param int                  $n            Number of certificates
+	 *                                           in the certification path
+	 *
+	 * @return self
+	 */
+	public static function initialize(PathValidationConfig $config,
+		Certificate $trust_anchor, int $n): self
+	{
+		$state = new self();
+		$state->_pathLength = $n;
+		$state->_index = 1;
+		$state->_validPolicyTree = new PolicyTree(PolicyNode::anyPolicyNode());
+		$state->_permittedSubtrees = null;
+		$state->_excludedSubtrees = null;
+		$state->_explicitPolicy = $config->explicitPolicy() ? 0 : $n + 1;
+		$state->_inhibitAnyPolicy = $config->anyPolicyInhibit() ? 0 : $n + 1;
+		$state->_policyMapping = $config->policyMappingInhibit() ? 0 : $n + 1;
+		$state->_workingPublicKeyAlgorithm = $trust_anchor->signatureAlgorithm();
+		$tbsCert = $trust_anchor->tbsCertificate();
+		$state->_workingPublicKey = $tbsCert->subjectPublicKeyInfo();
+		$state->_workingPublicKeyParameters = self::getAlgorithmParameters(
+			$state->_workingPublicKey->algorithmIdentifier());
+		$state->_workingIssuerName = $tbsCert->issuer();
+		$state->_maxPathLength = $config->maxLength();
+		return $state;
+	}
+
+	/**
+	 * Get self with current certification path index set.
+	 *
+	 * @param int $index
+	 *
+	 * @return self
+	 */
+	public function withIndex(int $index): self
+	{
+		$state = clone $this;
+		$state->_index = $index;
+		return $state;
+	}
+
+	/**
+	 * Get self with valid_policy_tree.
+	 *
+	 * @param PolicyTree $policy_tree
+	 *
+	 * @return self
+	 */
+	public function withValidPolicyTree(PolicyTree $policy_tree): self
+	{
+		$state = clone $this;
+		$state->_validPolicyTree = $policy_tree;
+		return $state;
+	}
+
+	/**
+	 * Get self with valid_policy_tree set to null.
+	 *
+	 * @return self
+	 */
+	public function withoutValidPolicyTree(): self
+	{
+		$state = clone $this;
+		$state->_validPolicyTree = null;
+		return $state;
+	}
+
+	/**
+	 * Get self with explicit_policy.
+	 *
+	 * @param int $num
+	 *
+	 * @return self
+	 */
+	public function withExplicitPolicy(int $num): self
+	{
+		$state = clone $this;
+		$state->_explicitPolicy = $num;
+		return $state;
+	}
+
+	/**
+	 * Get self with inhibit_anyPolicy.
+	 *
+	 * @param int $num
+	 *
+	 * @return self
+	 */
+	public function withInhibitAnyPolicy(int $num): self
+	{
+		$state = clone $this;
+		$state->_inhibitAnyPolicy = $num;
+		return $state;
+	}
+
+	/**
+	 * Get self with policy_mapping.
+	 *
+	 * @param int $num
+	 *
+	 * @return self
+	 */
+	public function withPolicyMapping(int $num): self
+	{
+		$state = clone $this;
+		$state->_policyMapping = $num;
+		return $state;
+	}
+
+	/**
+	 * Get self with working_public_key_algorithm.
+	 *
+	 * @param AlgorithmIdentifierType $algo
+	 *
+	 * @return self
+	 */
+	public function withWorkingPublicKeyAlgorithm(AlgorithmIdentifierType $algo): self
+	{
+		$state = clone $this;
+		$state->_workingPublicKeyAlgorithm = $algo;
+		return $state;
+	}
+
+	/**
+	 * Get self with working_public_key.
+	 *
+	 * @param PublicKeyInfo $pubkey_info
+	 *
+	 * @return self
+	 */
+	public function withWorkingPublicKey(PublicKeyInfo $pubkey_info): self
+	{
+		$state = clone $this;
+		$state->_workingPublicKey = $pubkey_info;
+		return $state;
+	}
+
+	/**
+	 * Get self with working_public_key_parameters.
+	 *
+	 * @param null|Element $params
+	 *
+	 * @return self
+	 */
+	public function withWorkingPublicKeyParameters(?Element $params = null): self
+	{
+		$state = clone $this;
+		$state->_workingPublicKeyParameters = $params;
+		return $state;
+	}
+
+	/**
+	 * Get self with working_issuer_name.
+	 *
+	 * @param Name $issuer
+	 *
+	 * @return self
+	 */
+	public function withWorkingIssuerName(Name $issuer): self
+	{
+		$state = clone $this;
+		$state->_workingIssuerName = $issuer;
+		return $state;
+	}
+
+	/**
+	 * Get self with max_path_length.
+	 *
+	 * @param int $length
+	 *
+	 * @return self
+	 */
+	public function withMaxPathLength(int $length): self
+	{
+		$state = clone $this;
+		$state->_maxPathLength = $length;
+		return $state;
+	}
+
+	/**
+	 * Get the certification path length (n).
+	 *
+	 * @return int
+	 */
+	public function pathLength(): int
+	{
+		return $this->_pathLength;
+	}
+
+	/**
+	 * Get the current index in certification path in the range of 1..n.
+	 *
+	 * @return int
+	 */
+	public function index(): int
+	{
+		return $this->_index;
+	}
+
+	/**
+	 * Check whether valid_policy_tree is present.
+	 *
+	 * @return bool
+	 */
+	public function hasValidPolicyTree(): bool
+	{
+		return isset($this->_validPolicyTree);
+	}
+
+	/**
+	 * Get valid_policy_tree.
+	 *
+	 * @throws \LogicException If not set
+	 *
+	 * @return PolicyTree
+	 */
+	public function validPolicyTree(): PolicyTree
+	{
+		if (!$this->hasValidPolicyTree()) {
+			throw new \LogicException('valid_policy_tree not set.');
+		}
+		return $this->_validPolicyTree;
+	}
+
+	/**
+	 * Get permitted_subtrees.
+	 *
+	 * @return mixed
+	 */
+	public function permittedSubtrees()
+	{
+		return $this->_permittedSubtrees;
+	}
+
+	/**
+	 * Get excluded_subtrees.
+	 *
+	 * @return mixed
+	 */
+	public function excludedSubtrees()
+	{
+		return $this->_excludedSubtrees;
+	}
+
+	/**
+	 * Get explicit_policy.
+	 *
+	 * @return int
+	 */
+	public function explicitPolicy(): int
+	{
+		return $this->_explicitPolicy;
+	}
+
+	/**
+	 * Get inhibit_anyPolicy.
+	 *
+	 * @return int
+	 */
+	public function inhibitAnyPolicy(): int
+	{
+		return $this->_inhibitAnyPolicy;
+	}
+
+	/**
+	 * Get policy_mapping.
+	 *
+	 * @return int
+	 */
+	public function policyMapping(): int
+	{
+		return $this->_policyMapping;
+	}
+
+	/**
+	 * Get working_public_key_algorithm.
+	 *
+	 * @return AlgorithmIdentifierType
+	 */
+	public function workingPublicKeyAlgorithm(): AlgorithmIdentifierType
+	{
+		return $this->_workingPublicKeyAlgorithm;
+	}
+
+	/**
+	 * Get working_public_key.
+	 *
+	 * @return PublicKeyInfo
+	 */
+	public function workingPublicKey(): PublicKeyInfo
+	{
+		return $this->_workingPublicKey;
+	}
+
+	/**
+	 * Get working_public_key_parameters.
+	 *
+	 * @return null|Element
+	 */
+	public function workingPublicKeyParameters(): ?Element
+	{
+		return $this->_workingPublicKeyParameters;
+	}
+
+	/**
+	 * Get working_issuer_name.
+	 *
+	 * @return Name
+	 */
+	public function workingIssuerName(): Name
+	{
+		return $this->_workingIssuerName;
+	}
+
+	/**
+	 * Get maximum certification path length.
+	 *
+	 * @return int
+	 */
+	public function maxPathLength(): int
+	{
+		return $this->_maxPathLength;
+	}
+
+	/**
+	 * Check whether processing the final certificate of the certification path.
+	 *
+	 * @return bool
+	 */
+	public function isFinal(): bool
+	{
+		return $this->_index === $this->_pathLength;
+	}
+
+	/**
+	 * Get the path validation result.
+	 *
+	 * @param Certificate[] $certificates Certificates in a certification path
+	 *
+	 * @return PathValidationResult
+	 */
+	public function getResult(array $certificates): PathValidationResult
+	{
+		return new PathValidationResult($certificates, $this->_validPolicyTree,
+			$this->_workingPublicKey, $this->_workingPublicKeyAlgorithm,
+			$this->_workingPublicKeyParameters);
+	}
+
+	/**
+	 * Get ASN.1 parameters from algorithm identifier.
+	 *
+	 * @param AlgorithmIdentifierType $algo
+	 *
+	 * @return null|Element ASN.1 element or null if parameters are omitted
+	 */
+	public static function getAlgorithmParameters(AlgorithmIdentifierType $algo): ?Element
+	{
+		$seq = $algo->toASN1();
+		return $seq->has(1) ? $seq->at(1)->asElement() : null;
+	}
 }

lib/X509/CertificationPath/PathValidation/PathValidationResult.php

Indentation +70 added lines, -70 removed lines

@@ -18,81 +18,81 @@
  */
 class PathValidationResult
 {
-    /**
-     * Certificates in a certification path.
-     *
-     * @var Certificate[]
-     */
-    protected $_certificates;
+	/**
+	 * Certificates in a certification path.
+	 *
+	 * @var Certificate[]
+	 */
+	protected $_certificates;
 
-    /**
-     * Valid policy tree.
-     *
-     * @var null|PolicyTree
-     */
-    protected $_policyTree;
+	/**
+	 * Valid policy tree.
+	 *
+	 * @var null|PolicyTree
+	 */
+	protected $_policyTree;
 
-    /**
-     * End-entity certificate's public key.
-     *
-     * @var PublicKeyInfo
-     */
-    protected $_publicKeyInfo;
+	/**
+	 * End-entity certificate's public key.
+	 *
+	 * @var PublicKeyInfo
+	 */
+	protected $_publicKeyInfo;
 
-    /**
-     * Public key algorithm.
-     *
-     * @var AlgorithmIdentifierType
-     */
-    protected $_publicKeyAlgo;
+	/**
+	 * Public key algorithm.
+	 *
+	 * @var AlgorithmIdentifierType
+	 */
+	protected $_publicKeyAlgo;
 
-    /**
-     * Public key parameters.
-     *
-     * @var null|Element
-     */
-    protected $_publicKeyParameters;
+	/**
+	 * Public key parameters.
+	 *
+	 * @var null|Element
+	 */
+	protected $_publicKeyParameters;
 
-    /**
-     * Constructor.
-     *
-     * @param Certificate[]           $certificates Certificates in a certification path
-     * @param null|PolicyTree         $policy_tree  Valid policy tree
-     * @param PublicKeyInfo           $pubkey_info  Public key of the end-entity certificate
-     * @param AlgorithmIdentifierType $algo         Public key algorithm of the end-entity certificate
-     * @param null|Element            $params       Algorithm parameters
-     */
-    public function __construct(array $certificates, ?PolicyTree $policy_tree,
-        PublicKeyInfo $pubkey_info, AlgorithmIdentifierType $algo,
-        ?Element $params = null)
-    {
-        $this->_certificates = array_values($certificates);
-        $this->_policyTree = $policy_tree;
-        $this->_publicKeyInfo = $pubkey_info;
-        $this->_publicKeyAlgo = $algo;
-        $this->_publicKeyParameters = $params;
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param Certificate[]           $certificates Certificates in a certification path
+	 * @param null|PolicyTree         $policy_tree  Valid policy tree
+	 * @param PublicKeyInfo           $pubkey_info  Public key of the end-entity certificate
+	 * @param AlgorithmIdentifierType $algo         Public key algorithm of the end-entity certificate
+	 * @param null|Element            $params       Algorithm parameters
+	 */
+	public function __construct(array $certificates, ?PolicyTree $policy_tree,
+		PublicKeyInfo $pubkey_info, AlgorithmIdentifierType $algo,
+		?Element $params = null)
+	{
+		$this->_certificates = array_values($certificates);
+		$this->_policyTree = $policy_tree;
+		$this->_publicKeyInfo = $pubkey_info;
+		$this->_publicKeyAlgo = $algo;
+		$this->_publicKeyParameters = $params;
+	}
 
-    /**
-     * Get end-entity certificate.
-     *
-     * @return Certificate
-     */
-    public function certificate(): Certificate
-    {
-        return $this->_certificates[count($this->_certificates) - 1];
-    }
+	/**
+	 * Get end-entity certificate.
+	 *
+	 * @return Certificate
+	 */
+	public function certificate(): Certificate
+	{
+		return $this->_certificates[count($this->_certificates) - 1];
+	}
 
-    /**
-     * Get certificate policies of the end-entity certificate.
-     *
-     * @return PolicyInformation[]
-     */
-    public function policies(): array
-    {
-        if (!$this->_policyTree) {
-            return [];
-        }
-        return $this->_policyTree->policiesAtDepth(count($this->_certificates));
-    }
+	/**
+	 * Get certificate policies of the end-entity certificate.
+	 *
+	 * @return PolicyInformation[]
+	 */
+	public function policies(): array
+	{
+		if (!$this->_policyTree) {
+			return [];
+		}
+		return $this->_policyTree->policiesAtDepth(count($this->_certificates));
+	}
 }

lib/X509/CertificationPath/PathValidation/PathValidationConfig.php

Indentation +253 added lines, -253 removed lines

@@ -14,282 +14,282 @@
  */
 class PathValidationConfig
 {
-    /**
-     * Maximum allowed certification path length.
-     *
-     * @var int
-     */
-    protected $_maxLength;
+	/**
+	 * Maximum allowed certification path length.
+	 *
+	 * @var int
+	 */
+	protected $_maxLength;
 
-    /**
-     * Reference time.
-     *
-     * @var \DateTimeImmutable
-     */
-    protected $_dateTime;
+	/**
+	 * Reference time.
+	 *
+	 * @var \DateTimeImmutable
+	 */
+	protected $_dateTime;
 
-    /**
-     * List of acceptable policy identifiers.
-     *
-     * @var string[]
-     */
-    protected $_policySet;
+	/**
+	 * List of acceptable policy identifiers.
+	 *
+	 * @var string[]
+	 */
+	protected $_policySet;
 
-    /**
-     * Trust anchor certificate.
-     *
-     * If not set, path validation uses the first certificate of the path.
-     *
-     * @var null|Certificate
-     */
-    protected $_trustAnchor;
+	/**
+	 * Trust anchor certificate.
+	 *
+	 * If not set, path validation uses the first certificate of the path.
+	 *
+	 * @var null|Certificate
+	 */
+	protected $_trustAnchor;
 
-    /**
-     * Whether policy mapping in inhibited.
-     *
-     * Setting this to true disallows policy mapping.
-     *
-     * @var bool
-     */
-    protected $_policyMappingInhibit;
+	/**
+	 * Whether policy mapping in inhibited.
+	 *
+	 * Setting this to true disallows policy mapping.
+	 *
+	 * @var bool
+	 */
+	protected $_policyMappingInhibit;
 
-    /**
-     * Whether the path must be valid for at least one policy in the
-     * initial policy set.
-     *
-     * @var bool
-     */
-    protected $_explicitPolicy;
+	/**
+	 * Whether the path must be valid for at least one policy in the
+	 * initial policy set.
+	 *
+	 * @var bool
+	 */
+	protected $_explicitPolicy;
 
-    /**
-     * Whether anyPolicy OID processing should be inhibited.
-     *
-     * Setting this to true disallows the usage of anyPolicy.
-     *
-     * @var bool
-     */
-    protected $_anyPolicyInhibit;
+	/**
+	 * Whether anyPolicy OID processing should be inhibited.
+	 *
+	 * Setting this to true disallows the usage of anyPolicy.
+	 *
+	 * @var bool
+	 */
+	protected $_anyPolicyInhibit;
 
-    /**
-     * @todo Implement
-     *
-     * @var mixed
-     */
-    protected $_permittedSubtrees;
+	/**
+	 * @todo Implement
+	 *
+	 * @var mixed
+	 */
+	protected $_permittedSubtrees;
 
-    /**
-     * @todo Implement
-     *
-     * @var mixed
-     */
-    protected $_excludedSubtrees;
+	/**
+	 * @todo Implement
+	 *
+	 * @var mixed
+	 */
+	protected $_excludedSubtrees;
 
-    /**
-     * Constructor.
-     *
-     * @param \DateTimeImmutable $dt         Reference date and time
-     * @param int                $max_length Maximum certification path length
-     */
-    public function __construct(\DateTimeImmutable $dt, int $max_length)
-    {
-        $this->_dateTime = $dt;
-        $this->_maxLength = $max_length;
-        $this->_policySet = [PolicyInformation::OID_ANY_POLICY];
-        $this->_policyMappingInhibit = false;
-        $this->_explicitPolicy = false;
-        $this->_anyPolicyInhibit = false;
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param \DateTimeImmutable $dt         Reference date and time
+	 * @param int                $max_length Maximum certification path length
+	 */
+	public function __construct(\DateTimeImmutable $dt, int $max_length)
+	{
+		$this->_dateTime = $dt;
+		$this->_maxLength = $max_length;
+		$this->_policySet = [PolicyInformation::OID_ANY_POLICY];
+		$this->_policyMappingInhibit = false;
+		$this->_explicitPolicy = false;
+		$this->_anyPolicyInhibit = false;
+	}
 
-    /**
-     * Get default configuration.
-     *
-     * @return self
-     */
-    public static function defaultConfig(): self
-    {
-        return new self(new \DateTimeImmutable(), 3);
-    }
+	/**
+	 * Get default configuration.
+	 *
+	 * @return self
+	 */
+	public static function defaultConfig(): self
+	{
+		return new self(new \DateTimeImmutable(), 3);
+	}
 
-    /**
-     * Get self with maximum path length.
-     *
-     * @param int $length
-     *
-     * @return self
-     */
-    public function withMaxLength(int $length): self
-    {
-        $obj = clone $this;
-        $obj->_maxLength = $length;
-        return $obj;
-    }
+	/**
+	 * Get self with maximum path length.
+	 *
+	 * @param int $length
+	 *
+	 * @return self
+	 */
+	public function withMaxLength(int $length): self
+	{
+		$obj = clone $this;
+		$obj->_maxLength = $length;
+		return $obj;
+	}
 
-    /**
-     * Get self with reference date and time.
-     *
-     * @param \DateTimeImmutable $dt
-     *
-     * @return self
-     */
-    public function withDateTime(\DateTimeImmutable $dt): self
-    {
-        $obj = clone $this;
-        $obj->_dateTime = $dt;
-        return $obj;
-    }
+	/**
+	 * Get self with reference date and time.
+	 *
+	 * @param \DateTimeImmutable $dt
+	 *
+	 * @return self
+	 */
+	public function withDateTime(\DateTimeImmutable $dt): self
+	{
+		$obj = clone $this;
+		$obj->_dateTime = $dt;
+		return $obj;
+	}
 
-    /**
-     * Get self with trust anchor certificate.
-     *
-     * @param Certificate $ca
-     *
-     * @return self
-     */
-    public function withTrustAnchor(Certificate $ca): self
-    {
-        $obj = clone $this;
-        $obj->_trustAnchor = $ca;
-        return $obj;
-    }
+	/**
+	 * Get self with trust anchor certificate.
+	 *
+	 * @param Certificate $ca
+	 *
+	 * @return self
+	 */
+	public function withTrustAnchor(Certificate $ca): self
+	{
+		$obj = clone $this;
+		$obj->_trustAnchor = $ca;
+		return $obj;
+	}
 
-    /**
-     * Get self with initial-policy-mapping-inhibit set.
-     *
-     * @param bool $flag
-     *
-     * @return self
-     */
-    public function withPolicyMappingInhibit(bool $flag): self
-    {
-        $obj = clone $this;
-        $obj->_policyMappingInhibit = $flag;
-        return $obj;
-    }
+	/**
+	 * Get self with initial-policy-mapping-inhibit set.
+	 *
+	 * @param bool $flag
+	 *
+	 * @return self
+	 */
+	public function withPolicyMappingInhibit(bool $flag): self
+	{
+		$obj = clone $this;
+		$obj->_policyMappingInhibit = $flag;
+		return $obj;
+	}
 
-    /**
-     * Get self with initial-explicit-policy set.
-     *
-     * @param bool $flag
-     *
-     * @return self
-     */
-    public function withExplicitPolicy(bool $flag): self
-    {
-        $obj = clone $this;
-        $obj->_explicitPolicy = $flag;
-        return $obj;
-    }
+	/**
+	 * Get self with initial-explicit-policy set.
+	 *
+	 * @param bool $flag
+	 *
+	 * @return self
+	 */
+	public function withExplicitPolicy(bool $flag): self
+	{
+		$obj = clone $this;
+		$obj->_explicitPolicy = $flag;
+		return $obj;
+	}
 
-    /**
-     * Get self with initial-any-policy-inhibit set.
-     *
-     * @param bool $flag
-     *
-     * @return self
-     */
-    public function withAnyPolicyInhibit(bool $flag): self
-    {
-        $obj = clone $this;
-        $obj->_anyPolicyInhibit = $flag;
-        return $obj;
-    }
+	/**
+	 * Get self with initial-any-policy-inhibit set.
+	 *
+	 * @param bool $flag
+	 *
+	 * @return self
+	 */
+	public function withAnyPolicyInhibit(bool $flag): self
+	{
+		$obj = clone $this;
+		$obj->_anyPolicyInhibit = $flag;
+		return $obj;
+	}
 
-    /**
-     * Get self with user-initial-policy-set set to policy OIDs.
-     *
-     * @param string ...$policies List of policy OIDs
-     *
-     * @return self
-     */
-    public function withPolicySet(string ...$policies): self
-    {
-        $obj = clone $this;
-        $obj->_policySet = $policies;
-        return $obj;
-    }
+	/**
+	 * Get self with user-initial-policy-set set to policy OIDs.
+	 *
+	 * @param string ...$policies List of policy OIDs
+	 *
+	 * @return self
+	 */
+	public function withPolicySet(string ...$policies): self
+	{
+		$obj = clone $this;
+		$obj->_policySet = $policies;
+		return $obj;
+	}
 
-    /**
-     * Get maximum certification path length.
-     *
-     * @return int
-     */
-    public function maxLength(): int
-    {
-        return $this->_maxLength;
-    }
+	/**
+	 * Get maximum certification path length.
+	 *
+	 * @return int
+	 */
+	public function maxLength(): int
+	{
+		return $this->_maxLength;
+	}
 
-    /**
-     * Get reference date and time.
-     *
-     * @return \DateTimeImmutable
-     */
-    public function dateTime(): \DateTimeImmutable
-    {
-        return $this->_dateTime;
-    }
+	/**
+	 * Get reference date and time.
+	 *
+	 * @return \DateTimeImmutable
+	 */
+	public function dateTime(): \DateTimeImmutable
+	{
+		return $this->_dateTime;
+	}
 
-    /**
-     * Get user-initial-policy-set.
-     *
-     * @return string[] Array of OID's
-     */
-    public function policySet(): array
-    {
-        return $this->_policySet;
-    }
+	/**
+	 * Get user-initial-policy-set.
+	 *
+	 * @return string[] Array of OID's
+	 */
+	public function policySet(): array
+	{
+		return $this->_policySet;
+	}
 
-    /**
-     * Check whether trust anchor certificate is set.
-     *
-     * @return bool
-     */
-    public function hasTrustAnchor(): bool
-    {
-        return isset($this->_trustAnchor);
-    }
+	/**
+	 * Check whether trust anchor certificate is set.
+	 *
+	 * @return bool
+	 */
+	public function hasTrustAnchor(): bool
+	{
+		return isset($this->_trustAnchor);
+	}
 
-    /**
-     * Get trust anchor certificate.
-     *
-     * @throws \LogicException If not set
-     *
-     * @return Certificate
-     */
-    public function trustAnchor(): Certificate
-    {
-        if (!$this->hasTrustAnchor()) {
-            throw new \LogicException('No trust anchor.');
-        }
-        return $this->_trustAnchor;
-    }
+	/**
+	 * Get trust anchor certificate.
+	 *
+	 * @throws \LogicException If not set
+	 *
+	 * @return Certificate
+	 */
+	public function trustAnchor(): Certificate
+	{
+		if (!$this->hasTrustAnchor()) {
+			throw new \LogicException('No trust anchor.');
+		}
+		return $this->_trustAnchor;
+	}
 
-    /**
-     * Get initial-policy-mapping-inhibit.
-     *
-     * @return bool
-     */
-    public function policyMappingInhibit(): bool
-    {
-        return $this->_policyMappingInhibit;
-    }
+	/**
+	 * Get initial-policy-mapping-inhibit.
+	 *
+	 * @return bool
+	 */
+	public function policyMappingInhibit(): bool
+	{
+		return $this->_policyMappingInhibit;
+	}
 
-    /**
-     * Get initial-explicit-policy.
-     *
-     * @return bool
-     */
-    public function explicitPolicy(): bool
-    {
-        return $this->_explicitPolicy;
-    }
+	/**
+	 * Get initial-explicit-policy.
+	 *
+	 * @return bool
+	 */
+	public function explicitPolicy(): bool
+	{
+		return $this->_explicitPolicy;
+	}
 
-    /**
-     * Get initial-any-policy-inhibit.
-     *
-     * @return bool
-     */
-    public function anyPolicyInhibit(): bool
-    {
-        return $this->_anyPolicyInhibit;
-    }
+	/**
+	 * Get initial-any-policy-inhibit.
+	 *
+	 * @return bool
+	 */
+	public function anyPolicyInhibit(): bool
+	{
+		return $this->_anyPolicyInhibit;
+	}
 }