protected static function validate($certPem, $caCertPem, $crlPem = NULL, $crlDistCertPem = NULL) { $caCertObj = X509Util::loadCACert($caCertPem); $certObj = new \File_X509(); $certObj->loadCA($caCertPem); if ($crlPem !== NULL) { $crlObj = new \File_X509(); if ($crlDistCertPem) { $crlDistCertObj = X509Util::loadCrlDistCert($crlDistCertPem, NULL, $caCertPem); if ($crlDistCertObj->getSubjectDN(FILE_X509_DN_STRING) !== $caCertObj->getSubjectDN(FILE_X509_DN_STRING)) { throw new InvalidCertException(sprintf("CRL distributor (%s) does not act on behalf of this CA (%s)", $crlDistCertObj->getSubjectDN(FILE_X509_DN_STRING), $caCertObj->getSubjectDN(FILE_X509_DN_STRING))); } try { self::validate($crlDistCertPem, $caCertPem); } catch (InvalidCertException $ie) { throw new InvalidCertException("CRL distributor has an invalid certificate", 0, $ie); } $crlObj->loadCA($crlDistCertPem); } $crlObj->loadCA($caCertPem); $crlObj->loadCRL($crlPem); if (!$crlObj->validateSignature()) { throw new InvalidCertException("CRL signature is invalid"); } } $parsedCert = $certObj->loadX509($certPem); if ($crlPem !== NULL) { if (empty($parsedCert)) { throw new InvalidCertException("Identity is invalid. Empty certificate."); } if (empty($parsedCert['tbsCertificate']['serialNumber'])) { throw new InvalidCertException("Identity is invalid. No serial number."); } $revoked = $crlObj->getRevoked($parsedCert['tbsCertificate']['serialNumber']->toString()); if (!empty($revoked)) { throw new InvalidCertException("Identity is invalid. Certificate revoked."); } } if (!$certObj->validateSignature()) { throw new InvalidCertException("Identity is invalid. Certificate is not signed by proper CA."); } if (!$certObj->validateDate(Time::getTime())) { throw new ExpiredCertException("Identity is invalid. Certificate expired."); } }