/**
* Initialize from a list of PEMs.
*
* @param PEM ...$pems
* @return self
*/
public static function fromPEMs(PEM ...$pems)
{
$certs = array_map(function (PEM $pem) {
return Certificate::fromPEM($pem);
}, $pems);
return new self(...$certs);
}
/**
* Get public key id for the certificate.
*
* @param Certificate $cert
* @return string
*/
private static function _getCertKeyId(Certificate $cert)
{
$exts = $cert->tbsCertificate()->extensions();
if ($exts->hasSubjectKeyIdentifier()) {
return $exts->subjectKeyIdentifier()->keyIdentifier();
}
return $cert->tbsCertificate()->subjectPublicKeyInfo()->keyIdentifier();
}
/**
*
* @see \X509\AttributeCertificate\AttCertIssuer::identifiesPKC()
* @return bool
*/
public function identifiesPKC(Certificate $cert)
{
$name = $this->_issuerName->firstDN();
if (!$cert->tbsCertificate()->subject()->equals($name)) {
return false;
}
return true;
}
/**
* Get self with fields set from the issuer's certificate.
*
* Issuer shall be set to issuing certificate's subject.
* Authority key identifier extensions shall be added with a key identifier
* set to issuing certificate's public key identifier.
*
* @param Certificate $cert Issuing party's certificate
* @return self
*/
public function withIssuerCertificate(Certificate $cert)
{
$obj = clone $this;
// set issuer DN from cert's subject
$obj->_issuer = $cert->tbsCertificate()->subject();
// add authority key identifier extension
$key_id = $cert->tbsCertificate()->subjectPublicKeyInfo()->keyIdentifier();
$obj->_extensions = $obj->_extensions->withExtensions(new AuthorityKeyIdentifierExtension(false, $key_id));
return $obj;
}
/**
* Check whether entityName matches the given certificate.
*
* @param Certificate $cert
* @return boolean
*/
private function _checkEntityName(Certificate $cert)
{
$name = $this->_entityName->firstDN();
if ($cert->tbsCertificate()->subject()->equals($name)) {
return true;
}
$exts = $cert->tbsCertificate()->extensions();
if ($exts->hasSubjectAlternativeName()) {
$ext = $exts->subjectAlternativeName();
if ($this->_checkEntityAlternativeNames($ext->names())) {
return true;
}
}
return false;
}
/**
* Validate AC issuer's profile.
*
* @link https://tools.ietf.org/html/rfc5755#section-4.5
* @param Certificate $cert
* @throws ACValidationException
*/
private function _validateIssuerProfile(Certificate $cert)
{
$exts = $cert->tbsCertificate()->extensions();
if ($exts->hasKeyUsage() && !$exts->keyUsage()->isDigitalSignature()) {
throw new ACValidationException("Issuer PKC's Key Usage extension doesn't permit" . " verification of digital signatures.");
}
if ($exts->hasBasicConstraints() && $exts->basicConstraints()->isCA()) {
throw new ACValidationException("Issuer PKC must not be a CA.");
}
}
/**
* Initialize variables according to RFC 5280 6.1.2.
*
* @link https://tools.ietf.org/html/rfc5280#section-6.1.2
* @param PathValidationConfig $config
* @param Certificate $trust_anchor Trust anchor certificate
* @param int $n Number of certificates in the certification path
* @return self
*/
public static function initialize(PathValidationConfig $config, Certificate $trust_anchor, $n)
{
$state = new self();
$state->_pathLength = $n;
$state->_index = 1;
$state->_validPolicyTree = new PolicyTree(PolicyNode::anyPolicyNode());
$state->_permittedSubtrees = null;
$state->_excludedSubtrees = null;
$state->_explicitPolicy = $config->explicitPolicy() ? 0 : $n + 1;
$state->_inhibitAnyPolicy = $config->anyPolicyInhibit() ? 0 : $n + 1;
$state->_policyMapping = $config->policyMappingInhibit() ? 0 : $n + 1;
$state->_workingPublicKeyAlgorithm = $trust_anchor->signatureAlgorithm();
$tbsCert = $trust_anchor->tbsCertificate();
$state->_workingPublicKey = $tbsCert->subjectPublicKeyInfo();
$state->_workingPublicKeyParameters = self::getAlgorithmParameters($state->_workingPublicKey->algorithmIdentifier());
$state->_workingIssuerName = $tbsCert->issuer();
$state->_maxPathLength = $config->maxLength();
return $state;
}
/**
* Process pathLenConstraint.
*
* @param ValidatorState $state
* @param Certificate $cert
* @return ValidatorState
*/
private function _processPathLengthContraint(ValidatorState $state, Certificate $cert)
{
$extensions = $cert->tbsCertificate()->extensions();
if ($extensions->hasBasicConstraints()) {
$ext = $extensions->basicConstraints();
if ($ext->hasPathLen()) {
if ($ext->pathLen() < $state->maxPathLength()) {
$state = $state->withMaxPathLength($ext->pathLen());
}
}
}
return $state;
}
/**
* Check whether issuerUID matches given certificate.
*
* @param Certificate $cert
* @return boolean
*/
private function _checkUniqueID(Certificate $cert)
{
if (!$cert->tbsCertificate()->hasIssuerUniqueID()) {
return false;
}
$uid = $cert->tbsCertificate()->issuerUniqueID()->string();
if ($this->_issuerUID->string() != $uid) {
return false;
}
return true;
}
/**
* Delete nodes as specified in 6.1.4 (b)(2).
*
* @param Certificate $cert
* @param ValidatorState $state
*/
protected function _deleteMappings(Certificate $cert, ValidatorState $state)
{
$idps = $cert->tbsCertificate()->extensions()->policyMappings()->issuerDomainPolicies();
// delete each node of depth i in the valid_policy_tree
// where ID-P is the valid_policy
foreach ($this->_nodesAtDepth($state->index()) as $node) {
if (in_array($node->validPolicy(), $idps)) {
$node->remove();
}
}
$this->_pruneTree($state->index() - 1);
}
/**
* Initialize from an issuer's public key certificate.
*
* @param Certificate $cert
* @return self
*/
public static function fromPKC(Certificate $cert)
{
return self::fromName($cert->tbsCertificate()->subject());
}
