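/**
 * Verify certificate chain
 *
 * Verifies the chain of certificates based on the first one as root certificate:
 * the "iss" claim of the first certificate selects the public key fetched from
 * CertBundle, and every certificate in $this->certs (the first one included) is
 * then parsed with that single key and checked with verify($now). Certificates
 * are not checked against their predecessor in the array.
 *
 * @access private
 * @param int $now Unix timestamp in milliseconds
 * @return array An array of Cert-objects based on the identity certificates
 * @throws \Exception if $this->certs is not a non-empty array, if the root
 *                    certificate cannot be parsed or has no "iss" claim, or if
 *                    any certificate in the chain fails verification
 */
private function verifyChain($now)
{
    // An empty array would otherwise hit an undefined index on the root below.
    if (!is_array($this->certs) || count($this->certs) === 0) {
        throw new \Exception("certs must be an array of at least one cert");
    }

    try {
        // the root
        $token = WebToken::parse($this->certs[0]);
        $payload = $token->getPayload();
    } catch (\Exception $x) {
        // can't extract components; \Exception (global) is caught explicitly so the
        // catch also matches inside a namespace, consistent with the throws in this method.
        throw new \Exception("malformed signature");
    }

    // Without an issuer there is no key to verify against; treat it as a malformed root
    // rather than asking CertBundle for the key of a null issuer.
    if (!isset($payload["iss"])) {
        throw new \Exception("malformed signature");
    }
    $rootIssuer = $payload["iss"];

    // TODO: Check if PrimaryCache entry exists, try verifyChainAgainstKey with cached entry.
    // If it fails, remove the cache entry and retry verifyChainAgainstKey with newly fetched key.

    // TODO: Extract this into verifyChainAgainstKey
    $rootPK = CertBundle::getPublicKey($rootIssuer);

    $certResult = array();
    $certCount = count($this->certs);
    for ($i = 0; $i < $certCount; $i++) {
        $cert = Cert::parse($this->certs[$i], $rootPK);
        if (!$cert->verify($now)) {
            // Fail closed on the first invalid certificate; the index identifies it to the caller.
            throw new \Exception("certificate " . $i . " is not valid");
        }
        $certResult[] = $cert;
    }
    // TODO: Extract this into verifyChainAgainstKey

    return $certResult;
}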