Example #1
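 /**
  * Verify certificate chain
  *
  * Verifies the chain of certificates based on the first one as root certificate.
  * The first entry is parsed as a WebToken to read its "iss" claim, the public key
  * for that issuer is looked up via CertBundle::getPublicKey(), and every entry in
  * $this->certs (the root included) is then parsed and verified against that key.
  *
  * @access private
  * @param int $now Unix timestamp in milliseconds (passed through to Cert::verify())
  * @return array An array of Cert-objects based on the identity certificates
  * @throws \Exception if $this->certs is not a non-empty array, if the root
  *                    certificate cannot be parsed or carries no "iss" claim,
  *                    or if any certificate fails verification
  */
 private function verifyChain($now)
 {
     // Reject non-arrays and the empty array alike: the message promises
     // "at least one cert", and $this->certs[0] below needs an entry to exist.
     if (!is_array($this->certs) || count($this->certs) === 0) {
         throw new \Exception("certs must be an array of at least one cert");
     }
     try {
         // the root: its issuer selects the public key the whole chain is checked against
         $token = WebToken::parse($this->certs[0]);
         $payload = $token->getPayload();
     } catch (\Exception $x) {
         // can't extract components. Fully-qualified so the catch matches whether or
         // not this file lives in a namespace (a bare "Exception" would otherwise
         // resolve to the current namespace and never match); the original
         // exception is kept as "previous" for diagnostics.
         throw new \Exception("malformed signature", 0, $x);
     }
     if (!isset($payload["iss"])) {
         // a root token without an issuer cannot select a public key
         throw new \Exception("malformed signature");
     }
     $rootIssuer = $payload["iss"];
     // TODO: Check if PrimaryCache entry exists, try verifyChainAgainstKey with cached entry.
     // If it fails, remove the cache entry and retry verifyChainAgainstKey with newly fetched key.
     // TODO: Extract this into verifyChainAgainstKey
     $rootPK = CertBundle::getPublicKey($rootIssuer);
     $certResult = array();
     $certCount = count($this->certs);
     for ($i = 0; $i < $certCount; $i++) {
         // every certificate, including the root itself, is checked against the root key
         $cert = Cert::parse($this->certs[$i], $rootPK);
         if (!$cert->verify($now)) {
             throw new \Exception("certificate " . $i . " is not valid");
         }
         $certResult[] = $cert;
     }
     // TODO: Extract this into verifyChainAgainstKey
     return $certResult;
 }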