sop / x509

lib/X509/CertificationRequest/Attributes.php

Indentation +97 added lines, -97 removed lines

@@ -20,108 +20,108 @@
  */
 class Attributes implements \Countable, \IteratorAggregate
 {
-    use AttributeContainer;
+	use AttributeContainer;
 
-    /**
-     * Mapping from OID to attribute value class name.
-     *
-     * @internal
-     *
-     * @var array
-     */
-    const MAP_OID_TO_CLASS = [
-        ExtensionRequestValue::OID => ExtensionRequestValue::class,
-    ];
+	/**
+	 * Mapping from OID to attribute value class name.
+	 *
+	 * @internal
+	 *
+	 * @var array
+	 */
+	const MAP_OID_TO_CLASS = [
+		ExtensionRequestValue::OID => ExtensionRequestValue::class,
+	];
 
-    /**
-     * Constructor.
-     *
-     * @param Attribute ...$attribs Attribute objects
-     */
-    public function __construct(Attribute ...$attribs)
-    {
-        $this->_attributes = $attribs;
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param Attribute ...$attribs Attribute objects
+	 */
+	public function __construct(Attribute ...$attribs)
+	{
+		$this->_attributes = $attribs;
+	}
 
-    /**
-     * Initialize from attribute values.
-     *
-     * @param AttributeValue ...$values
-     *
-     * @return self
-     */
-    public static function fromAttributeValues(AttributeValue ...$values): Attributes
-    {
-        $attribs = array_map(
-            function (AttributeValue $value) {
-                return $value->toAttribute();
-            }, $values);
-        return new self(...$attribs);
-    }
+	/**
+	 * Initialize from attribute values.
+	 *
+	 * @param AttributeValue ...$values
+	 *
+	 * @return self
+	 */
+	public static function fromAttributeValues(AttributeValue ...$values): Attributes
+	{
+		$attribs = array_map(
+			function (AttributeValue $value) {
+				return $value->toAttribute();
+			}, $values);
+		return new self(...$attribs);
+	}
 
-    /**
-     * Initialize from ASN.1.
-     *
-     * @param Set $set
-     *
-     * @return self
-     */
-    public static function fromASN1(Set $set): Attributes
-    {
-        $attribs = array_map(
-            function (UnspecifiedType $el) {
-                return Attribute::fromASN1($el->asSequence());
-            }, $set->elements());
-        // cast attributes
-        $attribs = array_map(
-            function (Attribute $attr) {
-                $oid = $attr->oid();
-                if (array_key_exists($oid, self::MAP_OID_TO_CLASS)) {
-                    $cls = self::MAP_OID_TO_CLASS[$oid];
-                    return $attr->castValues($cls);
-                }
-                return $attr;
-            }, $attribs);
-        return new self(...$attribs);
-    }
+	/**
+	 * Initialize from ASN.1.
+	 *
+	 * @param Set $set
+	 *
+	 * @return self
+	 */
+	public static function fromASN1(Set $set): Attributes
+	{
+		$attribs = array_map(
+			function (UnspecifiedType $el) {
+				return Attribute::fromASN1($el->asSequence());
+			}, $set->elements());
+		// cast attributes
+		$attribs = array_map(
+			function (Attribute $attr) {
+				$oid = $attr->oid();
+				if (array_key_exists($oid, self::MAP_OID_TO_CLASS)) {
+					$cls = self::MAP_OID_TO_CLASS[$oid];
+					return $attr->castValues($cls);
+				}
+				return $attr;
+			}, $attribs);
+		return new self(...$attribs);
+	}
 
-    /**
-     * Check whether extension request attribute is present.
-     *
-     * @return bool
-     */
-    public function hasExtensionRequest(): bool
-    {
-        return $this->has(ExtensionRequestValue::OID);
-    }
+	/**
+	 * Check whether extension request attribute is present.
+	 *
+	 * @return bool
+	 */
+	public function hasExtensionRequest(): bool
+	{
+		return $this->has(ExtensionRequestValue::OID);
+	}
 
-    /**
-     * Get extension request attribute value.
-     *
-     * @throws \LogicException
-     *
-     * @return ExtensionRequestValue
-     */
-    public function extensionRequest(): ExtensionRequestValue
-    {
-        if (!$this->hasExtensionRequest()) {
-            throw new \LogicException('No extension request attribute.');
-        }
-        return $this->firstOf(ExtensionRequestValue::OID)->first();
-    }
+	/**
+	 * Get extension request attribute value.
+	 *
+	 * @throws \LogicException
+	 *
+	 * @return ExtensionRequestValue
+	 */
+	public function extensionRequest(): ExtensionRequestValue
+	{
+		if (!$this->hasExtensionRequest()) {
+			throw new \LogicException('No extension request attribute.');
+		}
+		return $this->firstOf(ExtensionRequestValue::OID)->first();
+	}
 
-    /**
-     * Generate ASN.1 structure.
-     *
-     * @return Set
-     */
-    public function toASN1(): Set
-    {
-        $elements = array_map(
-            function (Attribute $attr) {
-                return $attr->toASN1();
-            }, array_values($this->_attributes));
-        $set = new Set(...$elements);
-        return $set->sortedSetOf();
-    }
+	/**
+	 * Generate ASN.1 structure.
+	 *
+	 * @return Set
+	 */
+	public function toASN1(): Set
+	{
+		$elements = array_map(
+			function (Attribute $attr) {
+				return $attr->toASN1();
+			}, array_values($this->_attributes));
+		$set = new Set(...$elements);
+		return $set->sortedSetOf();
+	}
 }

lib/X509/Feature/DateTimeHelper.php

Indentation +69 added lines, -69 removed lines

@@ -9,76 +9,76 @@
  */
 trait DateTimeHelper
 {
-    /**
-     * Create DateTime object from time string and timezone.
-     *
-     * @param null|string $time Time string, default to 'now'
-     * @param null|string $tz   Timezone, default if omitted
-     *
-     * @throws \RuntimeException
-     *
-     * @return \DateTimeImmutable
-     */
-    private static function _createDateTime(
-        ?string $time = null, ?string $tz = null): \DateTimeImmutable
-    {
-        if (!isset($time)) {
-            $time = 'now';
-        }
-        if (!isset($tz)) {
-            $tz = date_default_timezone_get();
-        }
-        try {
-            $dt = new \DateTimeImmutable($time, self::_createTimeZone($tz));
-            return self::_roundDownFractionalSeconds($dt);
-        } catch (\Exception $e) {
-            throw new \RuntimeException(
-                'Failed to create DateTime: ' .
-                     self::_getLastDateTimeImmutableErrorsStr(), 0, $e);
-        }
-    }
+	/**
+	 * Create DateTime object from time string and timezone.
+	 *
+	 * @param null|string $time Time string, default to 'now'
+	 * @param null|string $tz   Timezone, default if omitted
+	 *
+	 * @throws \RuntimeException
+	 *
+	 * @return \DateTimeImmutable
+	 */
+	private static function _createDateTime(
+		?string $time = null, ?string $tz = null): \DateTimeImmutable
+	{
+		if (!isset($time)) {
+			$time = 'now';
+		}
+		if (!isset($tz)) {
+			$tz = date_default_timezone_get();
+		}
+		try {
+			$dt = new \DateTimeImmutable($time, self::_createTimeZone($tz));
+			return self::_roundDownFractionalSeconds($dt);
+		} catch (\Exception $e) {
+			throw new \RuntimeException(
+				'Failed to create DateTime: ' .
+					 self::_getLastDateTimeImmutableErrorsStr(), 0, $e);
+		}
+	}
 
-    /**
-     * Rounds a \DateTimeImmutable value such that fractional
-     * seconds are removed.
-     *
-     * @param \DateTimeImmutable $dt
-     *
-     * @return \DateTimeImmutable
-     */
-    private static function _roundDownFractionalSeconds(
-        \DateTimeImmutable $dt): \DateTimeImmutable
-    {
-        return \DateTimeImmutable::createFromFormat('Y-m-d H:i:s',
-            $dt->format('Y-m-d H:i:s'), $dt->getTimezone());
-    }
+	/**
+	 * Rounds a \DateTimeImmutable value such that fractional
+	 * seconds are removed.
+	 *
+	 * @param \DateTimeImmutable $dt
+	 *
+	 * @return \DateTimeImmutable
+	 */
+	private static function _roundDownFractionalSeconds(
+		\DateTimeImmutable $dt): \DateTimeImmutable
+	{
+		return \DateTimeImmutable::createFromFormat('Y-m-d H:i:s',
+			$dt->format('Y-m-d H:i:s'), $dt->getTimezone());
+	}
 
-    /**
-     * Create DateTimeZone object from string.
-     *
-     * @param string $tz
-     *
-     * @throws \UnexpectedValueException
-     *
-     * @return \DateTimeZone
-     */
-    private static function _createTimeZone(string $tz): \DateTimeZone
-    {
-        try {
-            return new \DateTimeZone($tz);
-        } catch (\Exception $e) {
-            throw new \UnexpectedValueException('Invalid timezone.', 0, $e);
-        }
-    }
+	/**
+	 * Create DateTimeZone object from string.
+	 *
+	 * @param string $tz
+	 *
+	 * @throws \UnexpectedValueException
+	 *
+	 * @return \DateTimeZone
+	 */
+	private static function _createTimeZone(string $tz): \DateTimeZone
+	{
+		try {
+			return new \DateTimeZone($tz);
+		} catch (\Exception $e) {
+			throw new \UnexpectedValueException('Invalid timezone.', 0, $e);
+		}
+	}
 
-    /**
-     * Get last error caused by DateTimeImmutable.
-     *
-     * @return string
-     */
-    private static function _getLastDateTimeImmutableErrorsStr(): string
-    {
-        $errors = \DateTimeImmutable::getLastErrors()['errors'];
-        return implode(', ', $errors);
-    }
+	/**
+	 * Get last error caused by DateTimeImmutable.
+	 *
+	 * @return string
+	 */
+	private static function _getLastDateTimeImmutableErrorsStr(): string
+	{
+		$errors = \DateTimeImmutable::getLastErrors()['errors'];
+		return implode(', ', $errors);
+	}
 }

lib/X509/Feature/AttributeContainer.php

Indentation +132 added lines, -132 removed lines

@@ -14,145 +14,145 @@
  */
 trait AttributeContainer
 {
-    /**
-     * Array of attributes.
-     *
-     * @var Attribute[]
-     */
-    protected $_attributes;
+	/**
+	 * Array of attributes.
+	 *
+	 * @var Attribute[]
+	 */
+	protected $_attributes;
 
-    /**
-     * Check whether attribute is present.
-     *
-     * @param string $name OID or attribute name
-     *
-     * @return bool
-     */
-    public function has(string $name): bool
-    {
-        return null !== $this->_findFirst($name);
-    }
+	/**
+	 * Check whether attribute is present.
+	 *
+	 * @param string $name OID or attribute name
+	 *
+	 * @return bool
+	 */
+	public function has(string $name): bool
+	{
+		return null !== $this->_findFirst($name);
+	}
 
-    /**
-     * Get first attribute by OID or attribute name.
-     *
-     * @param string $name OID or attribute name
-     *
-     * @throws \OutOfBoundsException
-     *
-     * @return Attribute
-     */
-    public function firstOf(string $name): Attribute
-    {
-        $attr = $this->_findFirst($name);
-        if (!$attr) {
-            throw new \UnexpectedValueException("No {$name} attribute.");
-        }
-        return $attr;
-    }
+	/**
+	 * Get first attribute by OID or attribute name.
+	 *
+	 * @param string $name OID or attribute name
+	 *
+	 * @throws \OutOfBoundsException
+	 *
+	 * @return Attribute
+	 */
+	public function firstOf(string $name): Attribute
+	{
+		$attr = $this->_findFirst($name);
+		if (!$attr) {
+			throw new \UnexpectedValueException("No {$name} attribute.");
+		}
+		return $attr;
+	}
 
-    /**
-     * Get all attributes of given name.
-     *
-     * @param string $name OID or attribute name
-     *
-     * @return Attribute[]
-     */
-    public function allOf(string $name): array
-    {
-        $oid = AttributeType::attrNameToOID($name);
-        $attrs = array_filter($this->_attributes,
-            function (Attribute $attr) use ($oid) {
-                return $attr->oid() === $oid;
-            });
-        return array_values($attrs);
-    }
+	/**
+	 * Get all attributes of given name.
+	 *
+	 * @param string $name OID or attribute name
+	 *
+	 * @return Attribute[]
+	 */
+	public function allOf(string $name): array
+	{
+		$oid = AttributeType::attrNameToOID($name);
+		$attrs = array_filter($this->_attributes,
+			function (Attribute $attr) use ($oid) {
+				return $attr->oid() === $oid;
+			});
+		return array_values($attrs);
+	}
 
-    /**
-     * Get all attributes.
-     *
-     * @return Attribute[]
-     */
-    public function all(): array
-    {
-        return $this->_attributes;
-    }
+	/**
+	 * Get all attributes.
+	 *
+	 * @return Attribute[]
+	 */
+	public function all(): array
+	{
+		return $this->_attributes;
+	}
 
-    /**
-     * Get self with additional attributes added.
-     *
-     * @param Attribute ...$attribs
-     *
-     * @return self
-     */
-    public function withAdditional(Attribute ...$attribs): self
-    {
-        $obj = clone $this;
-        foreach ($attribs as $attr) {
-            $obj->_attributes[] = $attr;
-        }
-        return $obj;
-    }
+	/**
+	 * Get self with additional attributes added.
+	 *
+	 * @param Attribute ...$attribs
+	 *
+	 * @return self
+	 */
+	public function withAdditional(Attribute ...$attribs): self
+	{
+		$obj = clone $this;
+		foreach ($attribs as $attr) {
+			$obj->_attributes[] = $attr;
+		}
+		return $obj;
+	}
 
-    /**
-     * Get self with single unique attribute added.
-     *
-     * All previous attributes of the same type are removed.
-     *
-     * @param Attribute $attr
-     *
-     * @return self
-     */
-    public function withUnique(Attribute $attr): self
-    {
-        $obj = clone $this;
-        $obj->_attributes = array_filter($obj->_attributes,
-            function (Attribute $a) use ($attr) {
-                return $a->oid() !== $attr->oid();
-            });
-        $obj->_attributes[] = $attr;
-        return $obj;
-    }
+	/**
+	 * Get self with single unique attribute added.
+	 *
+	 * All previous attributes of the same type are removed.
+	 *
+	 * @param Attribute $attr
+	 *
+	 * @return self
+	 */
+	public function withUnique(Attribute $attr): self
+	{
+		$obj = clone $this;
+		$obj->_attributes = array_filter($obj->_attributes,
+			function (Attribute $a) use ($attr) {
+				return $a->oid() !== $attr->oid();
+			});
+		$obj->_attributes[] = $attr;
+		return $obj;
+	}
 
-    /**
-     * Get number of attributes.
-     *
-     * @see \Countable::count()
-     *
-     * @return int
-     */
-    public function count(): int
-    {
-        return count($this->_attributes);
-    }
+	/**
+	 * Get number of attributes.
+	 *
+	 * @see \Countable::count()
+	 *
+	 * @return int
+	 */
+	public function count(): int
+	{
+		return count($this->_attributes);
+	}
 
-    /**
-     * Get iterator for attributes.
-     *
-     * @see \IteratorAggregate::getIterator()
-     *
-     * @return \ArrayIterator
-     */
-    public function getIterator(): \ArrayIterator
-    {
-        return new \ArrayIterator($this->_attributes);
-    }
+	/**
+	 * Get iterator for attributes.
+	 *
+	 * @see \IteratorAggregate::getIterator()
+	 *
+	 * @return \ArrayIterator
+	 */
+	public function getIterator(): \ArrayIterator
+	{
+		return new \ArrayIterator($this->_attributes);
+	}
 
-    /**
-     * Find first attribute of given name or OID.
-     *
-     * @param string $name
-     *
-     * @return null|Attribute
-     */
-    protected function _findFirst(string $name): ?Attribute
-    {
-        $oid = AttributeType::attrNameToOID($name);
-        foreach ($this->_attributes as $attr) {
-            if ($attr->oid() === $oid) {
-                return $attr;
-            }
-        }
-        return null;
-    }
+	/**
+	 * Find first attribute of given name or OID.
+	 *
+	 * @param string $name
+	 *
+	 * @return null|Attribute
+	 */
+	protected function _findFirst(string $name): ?Attribute
+	{
+		$oid = AttributeType::attrNameToOID($name);
+		foreach ($this->_attributes as $attr) {
+			if ($attr->oid() === $oid) {
+				return $attr;
+			}
+		}
+		return null;
+	}
 }

examples/create-csr.php

Indentation +2 added lines, -2 removed lines

@@ -18,7 +18,7 @@ 
 
 // load EC private key from PEM
 $private_key_info = PrivateKeyInfo::fromPEM(
-    PEM::fromFile(dirname(__DIR__) . '/test/assets/ec/private_key.pem'));
+	PEM::fromFile(dirname(__DIR__) . '/test/assets/ec/private_key.pem'));
 // extract public key from private key
 $public_key_info = $private_key_info->publicKeyInfo();
 // DN of the subject
@@ -27,6 +27,6 @@ 
 $cri = new CertificationRequestInfo($subject, $public_key_info);
 // sign certificate request with private key
 $algo = SignatureAlgorithmIdentifierFactory::algoForAsymmetricCrypto(
-    $private_key_info->algorithmIdentifier(), new SHA256AlgorithmIdentifier());
+	$private_key_info->algorithmIdentifier(), new SHA256AlgorithmIdentifier());
 $csr = $cri->sign($algo, $private_key_info);
 echo $csr;

examples/ac-example.php

Indentation +68 added lines, -68 removed lines

@@ -38,106 +38,106 @@ 
 
 // CA private key
 openssl_pkey_export(
-    openssl_pkey_new(
-        ['private_key_type' => OPENSSL_KEYTYPE_RSA,
-            'private_key_bits' => 2048, ]), $pkey);
+	openssl_pkey_new(
+		['private_key_type' => OPENSSL_KEYTYPE_RSA,
+			'private_key_bits' => 2048, ]), $pkey);
 $ca_private_key = PrivateKeyInfo::fromPEM(PEM::fromString($pkey));
 // Issuer private key
 openssl_pkey_export(
-    openssl_pkey_new(
-        ['private_key_type' => OPENSSL_KEYTYPE_RSA,
-            'private_key_bits' => 2048, ]), $pkey);
+	openssl_pkey_new(
+		['private_key_type' => OPENSSL_KEYTYPE_RSA,
+			'private_key_bits' => 2048, ]), $pkey);
 $issuer_private_key = PrivateKeyInfo::fromPEM(PEM::fromString($pkey));
 // Holder private key
 openssl_pkey_export(
-    openssl_pkey_new(
-        ['private_key_type' => OPENSSL_KEYTYPE_RSA,
-            'private_key_bits' => 2048, ]), $pkey);
+	openssl_pkey_new(
+		['private_key_type' => OPENSSL_KEYTYPE_RSA,
+			'private_key_bits' => 2048, ]), $pkey);
 $holder_private_key = PrivateKeyInfo::fromPEM(PEM::fromString($pkey));
 
 // create trust anchor certificate (self signed)
 $tbs_cert = new TBSCertificate(
-    Name::fromString('cn=CA'),
-    $ca_private_key->publicKeyInfo(),
-    Name::fromString('cn=CA'),
-    Validity::fromStrings('now', 'now + 1 year'));
+	Name::fromString('cn=CA'),
+	$ca_private_key->publicKeyInfo(),
+	Name::fromString('cn=CA'),
+	Validity::fromStrings('now', 'now + 1 year'));
 $tbs_cert = $tbs_cert->withRandomSerialNumber()
-    ->withAdditionalExtensions(
-        new BasicConstraintsExtension(true, true),
-        new SubjectKeyIdentifierExtension(false,
-            $ca_private_key->publicKeyInfo()->keyIdentifier()),
-        new KeyUsageExtension(true,
-            KeyUsageExtension::DIGITAL_SIGNATURE |
-            KeyUsageExtension::KEY_CERT_SIGN));
+	->withAdditionalExtensions(
+		new BasicConstraintsExtension(true, true),
+		new SubjectKeyIdentifierExtension(false,
+			$ca_private_key->publicKeyInfo()->keyIdentifier()),
+		new KeyUsageExtension(true,
+			KeyUsageExtension::DIGITAL_SIGNATURE |
+			KeyUsageExtension::KEY_CERT_SIGN));
 $algo = SignatureAlgorithmIdentifierFactory::algoForAsymmetricCrypto(
-    $ca_private_key->algorithmIdentifier(),
-    new SHA256AlgorithmIdentifier());
+	$ca_private_key->algorithmIdentifier(),
+	new SHA256AlgorithmIdentifier());
 $ca_cert = $tbs_cert->sign($algo, $ca_private_key);
 
 // create AC issuer certificate
 $tbs_cert = new TBSCertificate(
-    Name::fromString('cn=Issuer'),
-    $issuer_private_key->publicKeyInfo(),
-    new Name(),
-    Validity::fromStrings('now', 'now + 6 months'));
+	Name::fromString('cn=Issuer'),
+	$issuer_private_key->publicKeyInfo(),
+	new Name(),
+	Validity::fromStrings('now', 'now + 6 months'));
 $tbs_cert = $tbs_cert->withIssuerCertificate($ca_cert)
-    ->withRandomSerialNumber()
-    ->withAdditionalExtensions(
-        // issuer must not be a CA
-        new BasicConstraintsExtension(true, false),
-        new KeyUsageExtension(true,
-            KeyUsageExtension::DIGITAL_SIGNATURE |
-             KeyUsageExtension::KEY_ENCIPHERMENT));
+	->withRandomSerialNumber()
+	->withAdditionalExtensions(
+		// issuer must not be a CA
+		new BasicConstraintsExtension(true, false),
+		new KeyUsageExtension(true,
+			KeyUsageExtension::DIGITAL_SIGNATURE |
+			 KeyUsageExtension::KEY_ENCIPHERMENT));
 $algo = SignatureAlgorithmIdentifierFactory::algoForAsymmetricCrypto(
-    $ca_private_key->algorithmIdentifier(),
-    new SHA256AlgorithmIdentifier());
+	$ca_private_key->algorithmIdentifier(),
+	new SHA256AlgorithmIdentifier());
 $issuer_cert = $tbs_cert->sign($algo, $ca_private_key);
 
 // create AC holder certificate
 $tbs_cert = new TBSCertificate(
-    Name::fromString('cn=Holder, gn=John, sn=Doe'),
-    $holder_private_key->publicKeyInfo(),
-    new Name(),
-    Validity::fromStrings('now', 'now + 6 months'));
+	Name::fromString('cn=Holder, gn=John, sn=Doe'),
+	$holder_private_key->publicKeyInfo(),
+	new Name(),
+	Validity::fromStrings('now', 'now + 6 months'));
 $tbs_cert = $tbs_cert->withIssuerCertificate($ca_cert)
-    ->withRandomSerialNumber()
-    ->withAdditionalExtensions(
-        new BasicConstraintsExtension(true, false),
-        new KeyUsageExtension(true,
-            KeyUsageExtension::DIGITAL_SIGNATURE |
-             KeyUsageExtension::KEY_ENCIPHERMENT));
+	->withRandomSerialNumber()
+	->withAdditionalExtensions(
+		new BasicConstraintsExtension(true, false),
+		new KeyUsageExtension(true,
+			KeyUsageExtension::DIGITAL_SIGNATURE |
+			 KeyUsageExtension::KEY_ENCIPHERMENT));
 $algo = SignatureAlgorithmIdentifierFactory::algoForAsymmetricCrypto(
-    $ca_private_key->algorithmIdentifier(),
-    new SHA256AlgorithmIdentifier());
+	$ca_private_key->algorithmIdentifier(),
+	new SHA256AlgorithmIdentifier());
 $holder_cert = $tbs_cert->sign($algo, $ca_private_key);
 
 // named authority that grants the attributes
 $authority = new GeneralNames(
-    new UniformResourceIdentifier('uri:trusted_authority'));
+	new UniformResourceIdentifier('uri:trusted_authority'));
 // role attribute
 $attribs = new Attributes(
-    Attribute::fromAttributeValues(
-        RoleAttributeValue::fromString('role-name', $authority)));
+	Attribute::fromAttributeValues(
+		RoleAttributeValue::fromString('role-name', $authority)));
 $aci = new AttributeCertificateInfo(
-    // holder is identified by the holder's public key certificate
-    new Holder(IssuerSerial::fromPKC($holder_cert)),
-    AttCertIssuer::fromPKC($issuer_cert),
-    AttCertValidityPeriod::fromStrings('now - 1 hour', 'now + 3 months'),
-    $attribs);
+	// holder is identified by the holder's public key certificate
+	new Holder(IssuerSerial::fromPKC($holder_cert)),
+	AttCertIssuer::fromPKC($issuer_cert),
+	AttCertValidityPeriod::fromStrings('now - 1 hour', 'now + 3 months'),
+	$attribs);
 $aci = $aci->withRandomSerialNumber()
-    ->withAdditionalExtensions(
-        // named target identifier
-        TargetInformationExtension::fromTargets(
-            new TargetName(
-                new UniformResourceIdentifier('uri:target_identifier'))),
-        // key identifier of the AC issuer
-        new AuthorityKeyIdentifierExtension(false,
-            $issuer_cert->tbsCertificate()
-                ->subjectPublicKeyInfo()
-                ->keyIdentifier()));
+	->withAdditionalExtensions(
+		// named target identifier
+		TargetInformationExtension::fromTargets(
+			new TargetName(
+				new UniformResourceIdentifier('uri:target_identifier'))),
+		// key identifier of the AC issuer
+		new AuthorityKeyIdentifierExtension(false,
+			$issuer_cert->tbsCertificate()
+				->subjectPublicKeyInfo()
+				->keyIdentifier()));
 $algo = SignatureAlgorithmIdentifierFactory::algoForAsymmetricCrypto(
-    $issuer_private_key->algorithmIdentifier(),
-    new SHA256AlgorithmIdentifier());
+	$issuer_private_key->algorithmIdentifier(),
+	new SHA256AlgorithmIdentifier());
 $ac = $aci->sign($algo, $issuer_private_key);
 
 // validate AC
@@ -149,7 +149,7 @@ 
 $validator_config = $validator_config->withTargets($target);
 $validator = new ACValidator($ac, $validator_config);
 if ($validator->validate()) {
-    fprintf(STDERR, "AC validation succeeded.\n");
+	fprintf(STDERR, "AC validation succeeded.\n");
 }
 
 fprintf(STDERR, "Root certificate:\n");

examples/issue-cert.php

Indentation +9 added lines, -9 removed lines

@@ -27,27 +27,27 @@
 $csr = CertificationRequest::fromPEM(PEM::fromFile($argv[2]));
 // verify CSR
 if (!$csr->verify()) {
-    echo "Failed to verify certification request signature.\n";
-    exit(1);
+	echo "Failed to verify certification request signature.\n";
+	exit(1);
 }
 // load CA's private key from PEM
 $private_key_info = PrivateKeyInfo::fromPEM(
-    PEM::fromFile(dirname(__DIR__) . '/test/assets/rsa/private_key.pem'));
+	PEM::fromFile(dirname(__DIR__) . '/test/assets/rsa/private_key.pem'));
 // initialize certificate from CSR and issuer's certificate
 $tbs_cert = TBSCertificate::fromCSR($csr)->withIssuerCertificate($issuer_cert);
 // set random serial number
 $tbs_cert = $tbs_cert->withRandomSerialNumber();
 // set validity period
 $tbs_cert = $tbs_cert->withValidity(
-    Validity::fromStrings('now', 'now + 3 months'));
+	Validity::fromStrings('now', 'now + 3 months'));
 // add extensions
 $tbs_cert = $tbs_cert->withAdditionalExtensions(
-    new KeyUsageExtension(true,
-        KeyUsageExtension::DIGITAL_SIGNATURE |
-             KeyUsageExtension::KEY_ENCIPHERMENT),
-    new BasicConstraintsExtension(true, false));
+	new KeyUsageExtension(true,
+		KeyUsageExtension::DIGITAL_SIGNATURE |
+			 KeyUsageExtension::KEY_ENCIPHERMENT),
+	new BasicConstraintsExtension(true, false));
 // sign certificate with issuer's private key
 $algo = SignatureAlgorithmIdentifierFactory::algoForAsymmetricCrypto(
-    $private_key_info->algorithmIdentifier(), new SHA512AlgorithmIdentifier());
+	$private_key_info->algorithmIdentifier(), new SHA512AlgorithmIdentifier());
 $cert = $tbs_cert->sign($algo, $private_key_info);
 echo $cert;

examples/create-ca-cert.php

Indentation +6 added lines, -6 removed lines

@@ -22,7 +22,7 @@ 
 
 // load RSA private key from PEM
 $private_key_info = PrivateKeyInfo::fromPEM(
-    PEM::fromFile(dirname(__DIR__) . '/test/assets/rsa/private_key.pem'));
+	PEM::fromFile(dirname(__DIR__) . '/test/assets/rsa/private_key.pem'));
 // extract public key from private key
 $public_key_info = $private_key_info->publicKeyInfo();
 // DN of the certification authority
@@ -32,12 +32,12 @@ 
 // create "to be signed" certificate object with extensions
 $tbs_cert = new TBSCertificate($name, $public_key_info, $name, $validity);
 $tbs_cert = $tbs_cert->withRandomSerialNumber()->withAdditionalExtensions(
-    new BasicConstraintsExtension(true, true),
-    new SubjectKeyIdentifierExtension(false, $public_key_info->keyIdentifier()),
-    new KeyUsageExtension(true,
-        KeyUsageExtension::DIGITAL_SIGNATURE | KeyUsageExtension::KEY_CERT_SIGN));
+	new BasicConstraintsExtension(true, true),
+	new SubjectKeyIdentifierExtension(false, $public_key_info->keyIdentifier()),
+	new KeyUsageExtension(true,
+		KeyUsageExtension::DIGITAL_SIGNATURE | KeyUsageExtension::KEY_CERT_SIGN));
 // sign certificate with private key
 $algo = SignatureAlgorithmIdentifierFactory::algoForAsymmetricCrypto(
-    $private_key_info->algorithmIdentifier(), new SHA256AlgorithmIdentifier());
+	$private_key_info->algorithmIdentifier(), new SHA256AlgorithmIdentifier());
 $cert = $tbs_cert->sign($algo, $private_key_info);
 echo $cert;

lib/X509/Certificate/Extension/AuthorityKeyIdentifierExtension.php

Indentation +181 added lines, -181 removed lines

@@ -20,185 +20,185 @@
  */
 class AuthorityKeyIdentifierExtension extends Extension
 {
-    /**
-     * Key identifier.
-     *
-     * @var null|string
-     */
-    protected $_keyIdentifier;
-
-    /**
-     * Issuer name.
-     *
-     * @var null|GeneralNames
-     */
-    protected $_authorityCertIssuer;
-
-    /**
-     * Issuer serial number as a base 10 integer.
-     *
-     * @var null|string
-     */
-    protected $_authorityCertSerialNumber;
-
-    /**
-     * Constructor.
-     *
-     * @param bool              $critical      Conforming CA's must mark as non-critical (false)
-     * @param null|string       $keyIdentifier Key identifier
-     * @param null|GeneralNames $issuer        Issuer name
-     * @param null|int|string   $serial        Issuer serial number as a base 10 integer
-     */
-    public function __construct(bool $critical, ?string $keyIdentifier,
-        ?GeneralNames $issuer = null, $serial = null)
-    {
-        parent::__construct(self::OID_AUTHORITY_KEY_IDENTIFIER, $critical);
-        $this->_keyIdentifier = $keyIdentifier;
-        $this->_authorityCertIssuer = $issuer;
-        $this->_authorityCertSerialNumber = isset($serial) ? strval($serial) : null;
-    }
-
-    /**
-     * Create from public key info.
-     *
-     * @param PublicKeyInfo $pki
-     *
-     * @return AuthorityKeyIdentifierExtension
-     */
-    public static function fromPublicKeyInfo(PublicKeyInfo $pki): self
-    {
-        return new self(false, $pki->keyIdentifier());
-    }
-
-    /**
-     * Whether key identifier is present.
-     *
-     * @return bool
-     */
-    public function hasKeyIdentifier(): bool
-    {
-        return isset($this->_keyIdentifier);
-    }
-
-    /**
-     * Get key identifier.
-     *
-     * @throws \LogicException If not set
-     *
-     * @return string
-     */
-    public function keyIdentifier(): string
-    {
-        if (!$this->hasKeyIdentifier()) {
-            throw new \LogicException('keyIdentifier not set.');
-        }
-        return $this->_keyIdentifier;
-    }
-
-    /**
-     * Whether issuer is present.
-     *
-     * @return bool
-     */
-    public function hasIssuer(): bool
-    {
-        return isset($this->_authorityCertIssuer);
-    }
-
-    /**
-     * Get issuer.
-     *
-     * @throws \LogicException If not set
-     *
-     * @return GeneralNames
-     */
-    public function issuer(): GeneralNames
-    {
-        if (!$this->hasIssuer()) {
-            throw new \LogicException('authorityCertIssuer not set.');
-        }
-        return $this->_authorityCertIssuer;
-    }
-
-    /**
-     * Whether serial is present.
-     *
-     * @return bool
-     */
-    public function hasSerial(): bool
-    {
-        return isset($this->_authorityCertSerialNumber);
-    }
-
-    /**
-     * Get serial number.
-     *
-     * @throws \LogicException If not set
-     *
-     * @return string Base 10 integer string
-     */
-    public function serial(): string
-    {
-        if (!$this->hasSerial()) {
-            throw new \LogicException('authorityCertSerialNumber not set.');
-        }
-        return $this->_authorityCertSerialNumber;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    protected static function _fromDER(string $data, bool $critical): Extension
-    {
-        $seq = UnspecifiedType::fromDER($data)->asSequence();
-        $keyIdentifier = null;
-        $issuer = null;
-        $serial = null;
-        if ($seq->hasTagged(0)) {
-            $keyIdentifier = $seq->getTagged(0)
-                ->asImplicit(Element::TYPE_OCTET_STRING)
-                ->asOctetString()->string();
-        }
-        if ($seq->hasTagged(1) || $seq->hasTagged(2)) {
-            if (!$seq->hasTagged(1) || !$seq->hasTagged(2)) {
-                throw new \UnexpectedValueException(
-                    'AuthorityKeyIdentifier must have both' .
-                        ' authorityCertIssuer and authorityCertSerialNumber' .
-                        ' present or both absent.');
-            }
-            $issuer = GeneralNames::fromASN1($seq->getTagged(1)
-                ->asImplicit(Element::TYPE_SEQUENCE)->asSequence());
-            $serial = $seq->getTagged(2)->asImplicit(Element::TYPE_INTEGER)
-                ->asInteger()->number();
-        }
-        return new self($critical, $keyIdentifier, $issuer, $serial);
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    protected function _valueASN1(): Element
-    {
-        $elements = [];
-        if (isset($this->_keyIdentifier)) {
-            $elements[] = new ImplicitlyTaggedType(0,
-                new OctetString($this->_keyIdentifier));
-        }
-        // if either issuer or serial is set, both must be set
-        if (isset($this->_authorityCertIssuer) ||
-             isset($this->_authorityCertSerialNumber)) {
-            if (!isset($this->_authorityCertIssuer,
-                $this->_authorityCertSerialNumber)) {
-                throw new \LogicException(
-                    'AuthorityKeyIdentifier must have both' .
-                        ' authorityCertIssuer and authorityCertSerialNumber' .
-                        ' present or both absent.');
-            }
-            $elements[] = new ImplicitlyTaggedType(1,
-                $this->_authorityCertIssuer->toASN1());
-            $elements[] = new ImplicitlyTaggedType(2,
-                new Integer($this->_authorityCertSerialNumber));
-        }
-        return new Sequence(...$elements);
-    }
+	/**
+	 * Key identifier.
+	 *
+	 * @var null|string
+	 */
+	protected $_keyIdentifier;
+
+	/**
+	 * Issuer name.
+	 *
+	 * @var null|GeneralNames
+	 */
+	protected $_authorityCertIssuer;
+
+	/**
+	 * Issuer serial number as a base 10 integer.
+	 *
+	 * @var null|string
+	 */
+	protected $_authorityCertSerialNumber;
+
+	/**
+	 * Constructor.
+	 *
+	 * @param bool              $critical      Conforming CA's must mark as non-critical (false)
+	 * @param null|string       $keyIdentifier Key identifier
+	 * @param null|GeneralNames $issuer        Issuer name
+	 * @param null|int|string   $serial        Issuer serial number as a base 10 integer
+	 */
+	public function __construct(bool $critical, ?string $keyIdentifier,
+		?GeneralNames $issuer = null, $serial = null)
+	{
+		parent::__construct(self::OID_AUTHORITY_KEY_IDENTIFIER, $critical);
+		$this->_keyIdentifier = $keyIdentifier;
+		$this->_authorityCertIssuer = $issuer;
+		$this->_authorityCertSerialNumber = isset($serial) ? strval($serial) : null;
+	}
+
+	/**
+	 * Create from public key info.
+	 *
+	 * @param PublicKeyInfo $pki
+	 *
+	 * @return AuthorityKeyIdentifierExtension
+	 */
+	public static function fromPublicKeyInfo(PublicKeyInfo $pki): self
+	{
+		return new self(false, $pki->keyIdentifier());
+	}
+
+	/**
+	 * Whether key identifier is present.
+	 *
+	 * @return bool
+	 */
+	public function hasKeyIdentifier(): bool
+	{
+		return isset($this->_keyIdentifier);
+	}
+
+	/**
+	 * Get key identifier.
+	 *
+	 * @throws \LogicException If not set
+	 *
+	 * @return string
+	 */
+	public function keyIdentifier(): string
+	{
+		if (!$this->hasKeyIdentifier()) {
+			throw new \LogicException('keyIdentifier not set.');
+		}
+		return $this->_keyIdentifier;
+	}
+
+	/**
+	 * Whether issuer is present.
+	 *
+	 * @return bool
+	 */
+	public function hasIssuer(): bool
+	{
+		return isset($this->_authorityCertIssuer);
+	}
+
+	/**
+	 * Get issuer.
+	 *
+	 * @throws \LogicException If not set
+	 *
+	 * @return GeneralNames
+	 */
+	public function issuer(): GeneralNames
+	{
+		if (!$this->hasIssuer()) {
+			throw new \LogicException('authorityCertIssuer not set.');
+		}
+		return $this->_authorityCertIssuer;
+	}
+
+	/**
+	 * Whether serial is present.
+	 *
+	 * @return bool
+	 */
+	public function hasSerial(): bool
+	{
+		return isset($this->_authorityCertSerialNumber);
+	}
+
+	/**
+	 * Get serial number.
+	 *
+	 * @throws \LogicException If not set
+	 *
+	 * @return string Base 10 integer string
+	 */
+	public function serial(): string
+	{
+		if (!$this->hasSerial()) {
+			throw new \LogicException('authorityCertSerialNumber not set.');
+		}
+		return $this->_authorityCertSerialNumber;
+	}
+
+	/**
+	 * {@inheritdoc}
+	 */
+	protected static function _fromDER(string $data, bool $critical): Extension
+	{
+		$seq = UnspecifiedType::fromDER($data)->asSequence();
+		$keyIdentifier = null;
+		$issuer = null;
+		$serial = null;
+		if ($seq->hasTagged(0)) {
+			$keyIdentifier = $seq->getTagged(0)
+				->asImplicit(Element::TYPE_OCTET_STRING)
+				->asOctetString()->string();
+		}
+		if ($seq->hasTagged(1) || $seq->hasTagged(2)) {
+			if (!$seq->hasTagged(1) || !$seq->hasTagged(2)) {
+				throw new \UnexpectedValueException(
+					'AuthorityKeyIdentifier must have both' .
+						' authorityCertIssuer and authorityCertSerialNumber' .
+						' present or both absent.');
+			}
+			$issuer = GeneralNames::fromASN1($seq->getTagged(1)
+				->asImplicit(Element::TYPE_SEQUENCE)->asSequence());
+			$serial = $seq->getTagged(2)->asImplicit(Element::TYPE_INTEGER)
+				->asInteger()->number();
+		}
+		return new self($critical, $keyIdentifier, $issuer, $serial);
+	}
+
+	/**
+	 * {@inheritdoc}
+	 */
+	protected function _valueASN1(): Element
+	{
+		$elements = [];
+		if (isset($this->_keyIdentifier)) {
+			$elements[] = new ImplicitlyTaggedType(0,
+				new OctetString($this->_keyIdentifier));
+		}
+		// if either issuer or serial is set, both must be set
+		if (isset($this->_authorityCertIssuer) ||
+			 isset($this->_authorityCertSerialNumber)) {
+			if (!isset($this->_authorityCertIssuer,
+				$this->_authorityCertSerialNumber)) {
+				throw new \LogicException(
+					'AuthorityKeyIdentifier must have both' .
+						' authorityCertIssuer and authorityCertSerialNumber' .
+						' present or both absent.');
+			}
+			$elements[] = new ImplicitlyTaggedType(1,
+				$this->_authorityCertIssuer->toASN1());
+			$elements[] = new ImplicitlyTaggedType(2,
+				new Integer($this->_authorityCertSerialNumber));
+		}
+		return new Sequence(...$elements);
+	}
 }

lib/X509/CertificationPath/CertificationPath.php

Indentation +174 added lines, -174 removed lines

@@ -24,178 +24,178 @@
  */
 class CertificationPath implements \Countable, \IteratorAggregate
 {
-    /**
-     * Certification path.
-     *
-     * @var Certificate[]
-     */
-    protected $_certificates;
-
-    /**
-     * Constructor.
-     *
-     * @param Certificate ...$certificates Certificates from the trust anchor
-     *                                     to the target end-entity certificate
-     */
-    public function __construct(Certificate ...$certificates)
-    {
-        $this->_certificates = $certificates;
-    }
-
-    /**
-     * Initialize from a certificate chain.
-     *
-     * @param CertificateChain $chain
-     *
-     * @return self
-     */
-    public static function fromCertificateChain(CertificateChain $chain): self
-    {
-        return new self(...array_reverse($chain->certificates(), false));
-    }
-
-    /**
-     * Build certification path to given target.
-     *
-     * @param Certificate            $target        Target end-entity certificate
-     * @param CertificateBundle      $trust_anchors List of trust anchors
-     * @param null|CertificateBundle $intermediate  Optional intermediate certificates
-     *
-     * @return self
-     */
-    public static function toTarget(Certificate $target,
-        CertificateBundle $trust_anchors, ?CertificateBundle $intermediate = null): self
-    {
-        $builder = new CertificationPathBuilder($trust_anchors);
-        return $builder->shortestPathToTarget($target, $intermediate);
-    }
-
-    /**
-     * Build certification path from given trust anchor to target certificate,
-     * using intermediate certificates from given bundle.
-     *
-     * @param Certificate            $trust_anchor Trust anchor certificate
-     * @param Certificate            $target       Target end-entity certificate
-     * @param null|CertificateBundle $intermediate Optional intermediate certificates
-     *
-     * @return self
-     */
-    public static function fromTrustAnchorToTarget(Certificate $trust_anchor,
-        Certificate $target, ?CertificateBundle $intermediate = null): self
-    {
-        return self::toTarget($target, new CertificateBundle($trust_anchor),
-            $intermediate);
-    }
-
-    /**
-     * Get certificates.
-     *
-     * @return Certificate[]
-     */
-    public function certificates(): array
-    {
-        return $this->_certificates;
-    }
-
-    /**
-     * Get the trust anchor certificate from the path.
-     *
-     * @throws \LogicException If path is empty
-     *
-     * @return Certificate
-     */
-    public function trustAnchorCertificate(): Certificate
-    {
-        if (!count($this->_certificates)) {
-            throw new \LogicException('No certificates.');
-        }
-        return $this->_certificates[0];
-    }
-
-    /**
-     * Get the end-entity certificate from the path.
-     *
-     * @throws \LogicException If path is empty
-     *
-     * @return Certificate
-     */
-    public function endEntityCertificate(): Certificate
-    {
-        if (!count($this->_certificates)) {
-            throw new \LogicException('No certificates.');
-        }
-        return $this->_certificates[count($this->_certificates) - 1];
-    }
-
-    /**
-     * Get certification path as a certificate chain.
-     *
-     * @return CertificateChain
-     */
-    public function certificateChain(): CertificateChain
-    {
-        return new CertificateChain(...array_reverse($this->_certificates, false));
-    }
-
-    /**
-     * Check whether certification path starts with one ore more given
-     * certificates in parameter order.
-     *
-     * @param Certificate ...$certs Certificates
-     *
-     * @return bool
-     */
-    public function startsWith(Certificate ...$certs): bool
-    {
-        $n = count($certs);
-        if ($n > count($this->_certificates)) {
-            return false;
-        }
-        for ($i = 0; $i < $n; ++$i) {
-            if (!$certs[$i]->equals($this->_certificates[$i])) {
-                return false;
-            }
-        }
-        return true;
-    }
-
-    /**
-     * Validate certification path.
-     *
-     * @param PathValidationConfig $config
-     * @param null|Crypto          $crypto Crypto engine, use default if not set
-     *
-     * @throws Exception\PathValidationException
-     *
-     * @return PathValidationResult
-     */
-    public function validate(PathValidationConfig $config,
-        ?Crypto $crypto = null): PathValidationResult
-    {
-        $crypto = $crypto ?? Crypto::getDefault();
-        $validator = new PathValidator($crypto, $config, ...$this->_certificates);
-        return $validator->validate();
-    }
-
-    /**
-     * @see \Countable::count()
-     *
-     * @return int
-     */
-    public function count(): int
-    {
-        return count($this->_certificates);
-    }
-
-    /**
-     * Get iterator for certificates.
-     *
-     * @see \IteratorAggregate::getIterator()
-     *
-     * @return \ArrayIterator
-     */
-    public function getIterator(): \ArrayIterator
-    {
-        return new \ArrayIterator($this->_certificates);
-    }
+	/**
+	 * Certification path.
+	 *
+	 * @var Certificate[]
+	 */
+	protected $_certificates;
+
+	/**
+	 * Constructor.
+	 *
+	 * @param Certificate ...$certificates Certificates from the trust anchor
+	 *                                     to the target end-entity certificate
+	 */
+	public function __construct(Certificate ...$certificates)
+	{
+		$this->_certificates = $certificates;
+	}
+
+	/**
+	 * Initialize from a certificate chain.
+	 *
+	 * @param CertificateChain $chain
+	 *
+	 * @return self
+	 */
+	public static function fromCertificateChain(CertificateChain $chain): self
+	{
+		return new self(...array_reverse($chain->certificates(), false));
+	}
+
+	/**
+	 * Build certification path to given target.
+	 *
+	 * @param Certificate            $target        Target end-entity certificate
+	 * @param CertificateBundle      $trust_anchors List of trust anchors
+	 * @param null|CertificateBundle $intermediate  Optional intermediate certificates
+	 *
+	 * @return self
+	 */
+	public static function toTarget(Certificate $target,
+		CertificateBundle $trust_anchors, ?CertificateBundle $intermediate = null): self
+	{
+		$builder = new CertificationPathBuilder($trust_anchors);
+		return $builder->shortestPathToTarget($target, $intermediate);
+	}
+
+	/**
+	 * Build certification path from given trust anchor to target certificate,
+	 * using intermediate certificates from given bundle.
+	 *
+	 * @param Certificate            $trust_anchor Trust anchor certificate
+	 * @param Certificate            $target       Target end-entity certificate
+	 * @param null|CertificateBundle $intermediate Optional intermediate certificates
+	 *
+	 * @return self
+	 */
+	public static function fromTrustAnchorToTarget(Certificate $trust_anchor,
+		Certificate $target, ?CertificateBundle $intermediate = null): self
+	{
+		return self::toTarget($target, new CertificateBundle($trust_anchor),
+			$intermediate);
+	}
+
+	/**
+	 * Get certificates.
+	 *
+	 * @return Certificate[]
+	 */
+	public function certificates(): array
+	{
+		return $this->_certificates;
+	}
+
+	/**
+	 * Get the trust anchor certificate from the path.
+	 *
+	 * @throws \LogicException If path is empty
+	 *
+	 * @return Certificate
+	 */
+	public function trustAnchorCertificate(): Certificate
+	{
+		if (!count($this->_certificates)) {
+			throw new \LogicException('No certificates.');
+		}
+		return $this->_certificates[0];
+	}
+
+	/**
+	 * Get the end-entity certificate from the path.
+	 *
+	 * @throws \LogicException If path is empty
+	 *
+	 * @return Certificate
+	 */
+	public function endEntityCertificate(): Certificate
+	{
+		if (!count($this->_certificates)) {
+			throw new \LogicException('No certificates.');
+		}
+		return $this->_certificates[count($this->_certificates) - 1];
+	}
+
+	/**
+	 * Get certification path as a certificate chain.
+	 *
+	 * @return CertificateChain
+	 */
+	public function certificateChain(): CertificateChain
+	{
+		return new CertificateChain(...array_reverse($this->_certificates, false));
+	}
+
+	/**
+	 * Check whether certification path starts with one ore more given
+	 * certificates in parameter order.
+	 *
+	 * @param Certificate ...$certs Certificates
+	 *
+	 * @return bool
+	 */
+	public function startsWith(Certificate ...$certs): bool
+	{
+		$n = count($certs);
+		if ($n > count($this->_certificates)) {
+			return false;
+		}
+		for ($i = 0; $i < $n; ++$i) {
+			if (!$certs[$i]->equals($this->_certificates[$i])) {
+				return false;
+			}
+		}
+		return true;
+	}
+
+	/**
+	 * Validate certification path.
+	 *
+	 * @param PathValidationConfig $config
+	 * @param null|Crypto          $crypto Crypto engine, use default if not set
+	 *
+	 * @throws Exception\PathValidationException
+	 *
+	 * @return PathValidationResult
+	 */
+	public function validate(PathValidationConfig $config,
+		?Crypto $crypto = null): PathValidationResult
+	{
+		$crypto = $crypto ?? Crypto::getDefault();
+		$validator = new PathValidator($crypto, $config, ...$this->_certificates);
+		return $validator->validate();
+	}
+
+	/**
+	 * @see \Countable::count()
+	 *
+	 * @return int
+	 */
+	public function count(): int
+	{
+		return count($this->_certificates);
+	}
+
+	/**
+	 * Get iterator for certificates.
+	 *
+	 * @see \IteratorAggregate::getIterator()
+	 *
+	 * @return \ArrayIterator
+	 */
+	public function getIterator(): \ArrayIterator
+	{
+		return new \ArrayIterator($this->_certificates);
+	}
 }