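/**
 * Calculate the intersection of the valid_policy_tree and the
 * user-initial-policy-set (the (i)–(iii) steps of RFC 5280 6.1.5 (g)).
 *
 * @param ValidatorState $state State after the last certificate was processed
 * @return ValidatorState State carrying the intersected policy tree
 */
private function _calculatePolicyIntersection(ValidatorState $state)
{
    // (i) If the valid_policy_tree is NULL, the intersection is NULL
    if (!$state->hasValidPolicyTree()) {
        return $state;
    }
    // (ii) If the valid_policy_tree is not NULL and
    // the user-initial-policy-set is any-policy, the intersection
    // is the entire valid_policy_tree
    $initial_policies = $this->_config->policySet();
    // Strict comparison: policy OIDs are dotted strings, and a loose
    // in_array() could let a non-string or loosely-equal entry be taken
    // for any-policy, which would skip the intersection entirely.
    if (in_array(PolicyInformation::OID_ANY_POLICY, $initial_policies, true)) {
        return $state;
    }
    // (iii) If the valid_policy_tree is not NULL and the
    // user-initial-policy-set is not any-policy, calculate
    // the intersection of the valid_policy_tree and the
    // user-initial-policy-set as follows
    return $state->validPolicyTree()->calculateIntersection($state, $initial_policies);
}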
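/**
 * Verify AC's signature and issuer's certification.
 *
 * Validates the issuer PKC's certification path first, then checks that
 * the AC names that certificate as its issuer, and only then verifies the
 * AC signature with that certificate's public key.
 *
 * @throws ACValidationException If the issuer path does not validate, the
 *         issuer name does not match, or the AC signature does not verify
 * @return Certificate Certificate of the AC's issuer
 */
private function _verifyIssuer()
{
    $path = $this->_config->issuerPath();
    // Cap the path length at the number of certificates supplied and
    // evaluate at the configured time rather than the defaults.
    $config = PathValidationConfig::defaultConfig()
        ->withMaxLength(count($path))
        ->withDateTime($this->_config->evaluationTime());
    try {
        $issuer = $path->validate($this->_crypto, $config)->certificate();
    } catch (PathValidationException $e) {
        // Code is 0, not null: Exception's $code is a non-nullable int and
        // passing null is deprecated for internal parameters since PHP 8.1.
        // The path failure is kept as the previous exception for diagnostics.
        throw new ACValidationException(
            "Failed to validate issuer PKC's certification path.", 0, $e);
    }
    // Name binding: the validated certificate must be the one the AC names.
    if (!$this->_ac->isIssuedBy($issuer)) {
        throw new ACValidationException("Name mismatch of AC's issuer PKC.");
    }
    // Signature check with the issuer's subject public key.
    $pubkey_info = $issuer->tbsCertificate()->subjectPublicKeyInfo();
    if (!$this->_ac->verify($this->_crypto, $pubkey_info)) {
        throw new ACValidationException("Failed to verify signature.");
    }
    return $issuer;
}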
/**
 * Initialize variables according to RFC 5280 6.1.2.
 *
 * Letters in the comments below refer to the items of that section.
 *
 * @link https://tools.ietf.org/html/rfc5280#section-6.1.2
 * @param PathValidationConfig $config
 * @param Certificate $trust_anchor Trust anchor certificate
 * @param int $n Number of certificates in the certification path
 * @return self
 */
public static function initialize(PathValidationConfig $config, Certificate $trust_anchor, $n)
{
    $tbs_cert = $trust_anchor->tbsCertificate();
    $spki = $tbs_cert->subjectPublicKeyInfo();
    // Counter value meaning "never reaches zero within this path".
    $unlimited = $n + 1;
    $state = new self();
    // Position bookkeeping: path length, current index, (k) max_path_length
    $state->_pathLength = $n;
    $state->_index = 1;
    $state->_maxPathLength = $config->maxLength();
    // (a) valid_policy_tree starts as a single any-policy root node
    $state->_validPolicyTree = new PolicyTree(PolicyNode::anyPolicyNode());
    // (b), (c) name constraints start unrestricted
    $state->_permittedSubtrees = null;
    $state->_excludedSubtrees = null;
    // (d)-(f) explicit_policy, inhibit_anyPolicy, policy_mapping:
    // 0 when the constraint is active from the start, otherwise n+1
    $state->_explicitPolicy = $config->explicitPolicy() ? 0 : $unlimited;
    $state->_inhibitAnyPolicy = $config->anyPolicyInhibit() ? 0 : $unlimited;
    $state->_policyMapping = $config->policyMappingInhibit() ? 0 : $unlimited;
    // (g)-(j) working key material and issuer name from the trust anchor.
    // NOTE(review): RFC 5280 6.1.2 (g) takes working_public_key_algorithm
    // from the anchor's public key algorithm, while signatureAlgorithm() is
    // the algorithm the anchor itself was signed with — confirm intended source.
    $state->_workingPublicKeyAlgorithm = $trust_anchor->signatureAlgorithm();
    $state->_workingPublicKey = $spki;
    $state->_workingPublicKeyParameters = self::getAlgorithmParameters($spki->algorithmIdentifier());
    $state->_workingIssuerName = $tbs_cert->issuer();
    return $state;
}