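/**
 * Verify an intermediate certificate against one of the pinned root certificates.
 *
 * Fails closed: a revoked root sets the 'rootcert_revoked' config flag and rejects
 * the intermediate; an intermediate that is revoked, does not parse, is not signed
 * by the selected root, or is outside its validity window is rejected as well.
 *
 * @param string $intermCert Intermediate certificate, in a form File_X509::loadX509 accepts
 * @param string $type       'core' selects the core root; any other value selects the packages root
 *
 * @return bool true only when every check above passes
 */
private function verifyIntermediateCert($intermCert, $type = "core") {
    // A revoked root invalidates every chain built on it; record that for callers.
    if ($this->checkIfRevoked($this->coreRootCert) || $this->checkIfRevoked($this->packagesRootCert)) {
        $this->config->set('rootcert_revoked', 1);
        return false;
    }

    // Revocation is decided before any cryptographic work on the intermediate.
    if ($this->checkIfRevoked($intermCert)) {
        return false;
    }

    $rootCert = $type === 'core' ? $this->coreRootCert : $this->packagesRootCert;

    include_once $this->root_path . 'libraries/phpseclib/X509.php';
    $x509 = new File_X509();
    $x509->loadCA($rootCert);

    // Reject unparsable input explicitly instead of relying on how the library
    // treats a missing current certificate in the checks that follow.
    if ($x509->loadX509($intermCert) === false) {
        return false;
    }

    // The signature must come from the loaded root, not be self-signed.
    if (!$x509->validateSignature(FILE_X509_VALIDATE_SIGNATURE_BY_CA)) {
        return false;
    }

    // Validity window is checked against the current system time.
    // NOTE(review): nothing here confirms the intermediate is itself a CA
    // (basicConstraints); confirm that whatever it signs is checked downstream.
    if (!$x509->validateDate()) {
        return false;
    }

    return true;
}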
/**
 * Check whether a client certificate is currently within its validity period.
 *
 * Only the notBefore/notAfter window is evaluated, against the current system
 * time; the signature and issuing chain are not verified by this method.
 *
 * @param String $certificate_client Client certificate
 *
 * @return bool
 */
public static function validateCertificateDate($certificate_client) {
    $parser = new File_X509();
    $parser->loadX509($certificate_client);

    $withinValidityWindow = $parser->validateDate();

    return $withinValidityWindow;
}
/**
 * Validate a PEM certificate against a CA certificate, optionally enforcing a CRL.
 *
 * Checks run in this order and each failure throws: CRL distributor authorisation
 * and CRL signature (when a CRL is supplied), the certificate's presence on the
 * CRL, the certificate's signature by the CA, then its validity window.
 *
 * @param string      $certPem        Certificate to validate (PEM)
 * @param string      $caCertPem      Issuing CA certificate (PEM)
 * @param string|null $crlPem         Optional CRL (PEM); revocation checks are skipped when NULL
 * @param string|null $crlDistCertPem Optional certificate of a CRL distributor acting for the CA
 *
 * @throws InvalidCertException on a bad distributor, bad CRL signature, revoked or mis-signed certificate
 * @throws ExpiredCertException when the certificate is outside its validity window
 */
protected static function validate($certPem, $caCertPem, $crlPem = NULL, $crlDistCertPem = NULL) {
    $caCertObj = X509Util::loadCACert($caCertPem);
    $certObj = new \File_X509();
    $certObj->loadCA($caCertPem);

    if ($crlPem !== NULL) {
        $crlObj = new \File_X509();
        if ($crlDistCertPem) {
            $crlDistCertObj = X509Util::loadCrlDistCert($crlDistCertPem, NULL, $caCertPem);
            // A distributor is accepted only if its subject DN equals the CA's subject DN.
            if ($crlDistCertObj->getSubjectDN(FILE_X509_DN_STRING) !== $caCertObj->getSubjectDN(FILE_X509_DN_STRING)) {
                throw new InvalidCertException(sprintf("CRL distributor (%s) does not act on behalf of this CA (%s)", $crlDistCertObj->getSubjectDN(FILE_X509_DN_STRING), $caCertObj->getSubjectDN(FILE_X509_DN_STRING)));
            }
            // Recursive call with no CRL: the distributor's own certificate gets the
            // signature and date checks below, but is not itself checked for revocation.
            try {
                self::validate($crlDistCertPem, $caCertPem);
            } catch (InvalidCertException $ie) {
                throw new InvalidCertException("CRL distributor has an invalid certificate", 0, $ie);
            }
            $crlObj->loadCA($crlDistCertPem);
        }
        // The CA (and the distributor, if given) are loaded as CA candidates for the CRL signature check.
        $crlObj->loadCA($caCertPem);
        $crlObj->loadCRL($crlPem);
        if (!$crlObj->validateSignature()) {
            throw new InvalidCertException("CRL signature is invalid");
        }
        // NOTE(review): the CRL's thisUpdate/nextUpdate are not checked here, so a
        // stale CRL is accepted as long as its signature verifies — confirm with callers.
    }

    $parsedCert = $certObj->loadX509($certPem);

    if ($crlPem !== NULL) {
        if (empty($parsedCert)) {
            throw new InvalidCertException("Identity is invalid. Empty certificate.");
        }
        if (empty($parsedCert['tbsCertificate']['serialNumber'])) {
            throw new InvalidCertException("Identity is invalid. No serial number.");
        }
        // Revocation lookup is by serial number; the CRL was bound to this CA above.
        $revoked = $crlObj->getRevoked($parsedCert['tbsCertificate']['serialNumber']->toString());
        if (!empty($revoked)) {
            throw new InvalidCertException("Identity is invalid. Certificate revoked.");
        }
    }

    if (!$certObj->validateSignature()) {
        throw new InvalidCertException("Identity is invalid. Certificate is not signed by proper CA.");
    }
    // The validity window is checked against Time::getTime() rather than the
    // system clock — presumably so the reference time can be controlled; confirm.
    if (!$certObj->validateDate(Time::getTime())) {
        throw new ExpiredCertException("Identity is invalid. Certificate expired.");
    }
}