[ Index ]

PHP Cross Reference of DokuWiki

title

Body

[close]

/vendor/phpseclib/phpseclib/phpseclib/File/ -> X509.php (summary)

Pure-PHP X.509 Parser PHP version 5

Author: Jim Wigginton
Copyright: 2012 Jim Wigginton
License: http://www.opensource.org/licenses/mit-license.html MIT License
Link: http://phpseclib.sourceforge.net
File Size: 5088 lines (188 kb)
Included or required:0 times
Referenced: 0 times
Includes or requires: 0 files

Defines 1 class

X509:: (90 methods):
  __construct()
  loadX509()
  saveX509()
  _mapInExtensions()
  _mapOutExtensions()
  _mapInAttributes()
  _mapOutAttributes()
  _mapInDNs()
  _mapOutDNs()
  _getMapping()
  loadCA()
  validateURL()
  validateDate()
  _fetchURL()
  _testForIntermediate()
  validateSignature()
  _validateSignatureCountable()
  _validateSignature()
  setRecurLimit()
  disableURLFetch()
  enableURLFetch()
  _reformatKey()
  _decodeIP()
  _decodeNameConstraintIP()
  _encodeIP()
  _translateDNProp()
  setDNProp()
  removeDNProp()
  getDNProp()
  setDN()
  getDN()
  getIssuerDN()
  getSubjectDN()
  getIssuerDNProp()
  getSubjectDNProp()
  getChain()
  setPublicKey()
  setPrivateKey()
  setChallenge()
  getPublicKey()
  loadCSR()
  saveCSR()
  loadSPKAC()
  saveSPKAC()
  loadCRL()
  saveCRL()
  _timeField()
  sign()
  signCSR()
  signSPKAC()
  signCRL()
  _sign()
  setStartDate()
  setEndDate()
  setSerialNumber()
  makeCA()
  _isSubArrayValid()
  _subArrayUnchecked()
  _subArray()
  _extensions()
  _removeExtension()
  _getExtension()
  _getExtensions()
  _setExtension()
  removeExtension()
  getExtension()
  getExtensions()
  setExtension()
  removeAttribute()
  getAttribute()
  getAttributes()
  setAttribute()
  setKeyIdentifier()
  computeKeyIdentifier()
  _formatSubjectPublicKey()
  setDomain()
  setIPAddress()
  _dnsName()
  _iPAddress()
  _revokedCertificate()
  revoke()
  unrevoke()
  getRevoked()
  listRevoked()
  removeRevokedCertificateExtension()
  getRevokedCertificateExtension()
  getRevokedCertificateExtensions()
  setRevokedCertificateExtension()
  _extractBER()
  getOID()


Class: X509  - X-Ref

Pure-PHP X.509 Parser

__construct()   X-Ref
Default Constructor.

return: \phpseclib\File\X509

loadX509($cert, $mode = self::FORMAT_AUTO_DETECT)   X-Ref
Load X.509 certificate

Returns an associative array describing the X.509 cert or a false if the cert failed to load

return: mixed
param: string $cert
param: int $mode

saveX509($cert, $format = self::FORMAT_PEM)   X-Ref
Save X.509 certificate

return: string
param: array $cert
param: int $format optional

_mapInExtensions(&$root, $path, $asn1)   X-Ref
Map extension values from octet string to extension-specific internal
format.

param: array ref $root
param: string $path
param: object $asn1

_mapOutExtensions(&$root, $path, $asn1)   X-Ref
Map extension values from extension-specific internal format to
octet string.

param: array ref $root
param: string $path
param: object $asn1

_mapInAttributes(&$root, $path, $asn1)   X-Ref
Map attribute values from ANY type to attribute-specific internal
format.

param: array ref $root
param: string $path
param: object $asn1

_mapOutAttributes(&$root, $path, $asn1)   X-Ref
Map attribute values from attribute-specific internal format to
ANY type.

param: array ref $root
param: string $path
param: object $asn1

_mapInDNs(&$root, $path, $asn1)   X-Ref
Map DN values from ANY type to DN-specific internal
format.

param: array ref $root
param: string $path
param: object $asn1

_mapOutDNs(&$root, $path, $asn1)   X-Ref
Map DN values from DN-specific internal format to
ANY type.

param: array ref $root
param: string $path
param: object $asn1

_getMapping($extnId)   X-Ref
Associate an extension ID to an extension mapping

return: mixed
param: string $extnId

loadCA($cert)   X-Ref
Load an X.509 certificate as a certificate authority

return: bool
param: string $cert

validateURL($url)   X-Ref
Validate an X.509 certificate against a URL

From RFC2818 "HTTP over TLS":

Matching is performed using the matching rules specified by
[RFC2459].  If more than one identity of a given type is present in
the certificate (e.g., more than one dNSName name, a match in any one
of the set is considered acceptable.) Names may contain the wildcard
character * which is considered to match any single domain name
component or component fragment. E.g., *.a.com matches foo.a.com but
not bar.foo.a.com. f*.com matches foo.com but not bar.com.

return: bool
param: string $url

validateDate($date = null)   X-Ref
Validate a date

If $date isn't defined it is assumed to be the current date.

param: \DateTime|string $date optional

_fetchURL($url)   X-Ref
Fetches a URL

return: bool|string
param: string $url

_testForIntermediate($caonly, $count)   X-Ref
Validates an intermediate cert as identified via authority info access extension

See https://tools.ietf.org/html/rfc4325 for more info

return: bool
param: bool $caonly
param: int $count

validateSignature($caonly = true)   X-Ref
Validate a signature

Works on X.509 certs, CSR's and CRL's.
Returns true if the signature is verified, false if it is not correct or null on error

By default returns false for self-signed certs. Call validateSignature(false) to make this support
self-signed.

The behavior of this function is inspired by {@link http://php.net/openssl-verify openssl_verify}.

return: mixed
param: bool $caonly optional

_validateSignatureCountable($caonly, $count)   X-Ref
Validate a signature

Performs said validation whilst keeping track of how many times validation method is called

return: mixed
param: bool $caonly
param: int $count

_validateSignature($publicKeyAlgorithm, $publicKey, $signatureAlgorithm, $signature, $signatureSubject)   X-Ref
Validates a signature

Returns true if the signature is verified, false if it is not correct or null on error

return: int
param: string $publicKeyAlgorithm
param: string $publicKey
param: string $signatureAlgorithm
param: string $signature
param: string $signatureSubject

setRecurLimit($count)   X-Ref
Sets the recursion limit

When validating a signature it may be necessary to download intermediate certs from URI's.
An intermediate cert that linked to itself would result in an infinite loop so to prevent
that we set a recursion limit. A negative number means that there is no recursion limit.

param: int $count

disableURLFetch()   X-Ref
Prevents URIs from being automatically retrieved


enableURLFetch()   X-Ref
Allows URIs to be automatically retrieved


_reformatKey($algorithm, $key)   X-Ref
Reformat public keys

Reformats a public key to a format supported by phpseclib (if applicable)

return: string
param: string $algorithm
param: string $key

_decodeIP($ip)   X-Ref
Decodes an IP address

Takes in a base64 encoded "blob" and returns a human readable IP address

return: string
param: string $ip

_decodeNameConstraintIP($ip)   X-Ref
Decodes an IP address in a name constraints extension

Takes in a base64 encoded "blob" and returns a human readable IP address / mask

return: array
param: string $ip

_encodeIP($ip)   X-Ref
Encodes an IP address

Takes a human readable IP address into a base64-encoded "blob"

return: string
param: string|array $ip

_translateDNProp($propName)   X-Ref
"Normalizes" a Distinguished Name property

return: mixed
param: string $propName

setDNProp($propName, $propValue, $type = 'utf8String')   X-Ref
Set a Distinguished Name property

return: bool
param: string $propName
param: mixed $propValue
param: string $type optional

removeDNProp($propName)   X-Ref
Remove Distinguished Name properties

param: string $propName

getDNProp($propName, $dn = null, $withType = false)   X-Ref
Get Distinguished Name properties

return: mixed
param: string $propName
param: array $dn optional
param: bool $withType optional

setDN($dn, $merge = false, $type = 'utf8String')   X-Ref
Set a Distinguished Name

return: bool
param: mixed $dn
param: bool $merge optional
param: string $type optional

getDN($format = self::DN_ARRAY, $dn = null)   X-Ref
Get the Distinguished Name for a certificates subject

return: bool
param: mixed $format optional
param: array $dn optional

getIssuerDN($format = self::DN_ARRAY)   X-Ref
Get the Distinguished Name for a certificate/crl issuer

return: mixed
param: int $format optional

getSubjectDN($format = self::DN_ARRAY)   X-Ref
Get the Distinguished Name for a certificate/csr subject
Alias of getDN()

return: mixed
param: int $format optional

getIssuerDNProp($propName, $withType = false)   X-Ref
Get an individual Distinguished Name property for a certificate/crl issuer

return: mixed
param: string $propName
param: bool $withType optional

getSubjectDNProp($propName, $withType = false)   X-Ref
Get an individual Distinguished Name property for a certificate/csr subject

return: mixed
param: string $propName
param: bool $withType optional

getChain()   X-Ref
Get the certificate chain for the current cert

return: mixed

setPublicKey($key)   X-Ref
Set public key

Key needs to be a \phpseclib\Crypt\RSA object

return: bool
param: object $key

setPrivateKey($key)   X-Ref
Set private key

Key needs to be a \phpseclib\Crypt\RSA object

param: object $key

setChallenge($challenge)   X-Ref
Set challenge

Used for SPKAC CSR's

param: string $challenge

getPublicKey()   X-Ref
Gets the public key

Returns a \phpseclib\Crypt\RSA object or a false.

return: mixed

loadCSR($csr, $mode = self::FORMAT_AUTO_DETECT)   X-Ref
Load a Certificate Signing Request

return: mixed
param: string $csr

saveCSR($csr, $format = self::FORMAT_PEM)   X-Ref
Save CSR request

return: string
param: array $csr
param: int $format optional

loadSPKAC($spkac)   X-Ref
Load a SPKAC CSR

SPKAC's are produced by the HTML5 keygen element:

https://developer.mozilla.org/en-US/docs/HTML/Element/keygen

return: mixed
param: string $csr

saveSPKAC($spkac, $format = self::FORMAT_PEM)   X-Ref
Save a SPKAC CSR request

return: string
param: array $csr
param: int $format optional

loadCRL($crl, $mode = self::FORMAT_AUTO_DETECT)   X-Ref
Load a Certificate Revocation List

return: mixed
param: string $crl

saveCRL($crl, $format = self::FORMAT_PEM)   X-Ref
Save Certificate Revocation List.

return: string
param: array $crl
param: int $format optional

_timeField($date)   X-Ref
Helper function to build a time field according to RFC 3280 section
- 4.1.2.5 Validity
- 5.1.2.4 This Update
- 5.1.2.5 Next Update
- 5.1.2.6 Revoked Certificates
by choosing utcTime iff year of date given is before 2050 and generalTime else.

return: array
param: string $date in format date('D, d M Y H:i:s O')

sign($issuer, $subject, $signatureAlgorithm = 'sha1WithRSAEncryption')   X-Ref
Sign an X.509 certificate

$issuer's private key needs to be loaded.
$subject can be either an existing X.509 cert (if you want to resign it),
a CSR or something with the DN and public key explicitly set.

return: mixed
param: \phpseclib\File\X509 $issuer
param: \phpseclib\File\X509 $subject
param: string $signatureAlgorithm optional

signCSR($signatureAlgorithm = 'sha1WithRSAEncryption')   X-Ref
Sign a CSR

return: mixed

signSPKAC($signatureAlgorithm = 'sha1WithRSAEncryption')   X-Ref
Sign a SPKAC

return: mixed

signCRL($issuer, $crl, $signatureAlgorithm = 'sha1WithRSAEncryption')   X-Ref
Sign a CRL

$issuer's private key needs to be loaded.

return: mixed
param: \phpseclib\File\X509 $issuer
param: \phpseclib\File\X509 $crl
param: string $signatureAlgorithm optional

_sign($key, $signatureAlgorithm)   X-Ref
X.509 certificate signing helper function.

return: mixed
param: object $key
param: \phpseclib\File\X509 $subject
param: string $signatureAlgorithm

setStartDate($date)   X-Ref
Set certificate start date

param: string $date

setEndDate($date)   X-Ref
Set certificate end date

param: string $date

setSerialNumber($serial, $base = -256)   X-Ref
Set Serial Number

param: string $serial
param: $base optional

makeCA()   X-Ref
Turns the certificate into a certificate authority


_isSubArrayValid($root, $path)   X-Ref
Check for validity of subarray

This is intended for use in conjunction with _subArrayUnchecked(),
implementing the checks included in _subArray() but without copying
a potentially large array by passing its reference by-value to is_array().

return: boolean
param: array $root
param: string $path

_subArrayUnchecked(&$root, $path, $create = false)   X-Ref
Get a reference to a subarray

This variant of _subArray() does no is_array() checking,
so $root should be checked with _isSubArrayValid() first.

This is here for performance reasons:
Passing a reference (i.e. $root) by-value (i.e. to is_array())
creates a copy. If $root is an especially large array, this is expensive.

return: array|false
param: array $root
param: string $path  absolute path with / as component separator
param: bool $create optional

_subArray(&$root, $path, $create = false)   X-Ref
Get a reference to a subarray

return: array|false
param: array $root
param: string $path  absolute path with / as component separator
param: bool $create optional

_extensions(&$root, $path = null, $create = false)   X-Ref
Get a reference to an extension subarray

return: array|false
param: array $root
param: string $path optional absolute path with / as component separator
param: bool $create optional

_removeExtension($id, $path = null)   X-Ref
Remove an Extension

return: bool
param: string $id
param: string $path optional

_getExtension($id, $cert = null, $path = null)   X-Ref
Get an Extension

Returns the extension if it exists and false if not

return: mixed
param: string $id
param: array $cert optional
param: string $path optional

_getExtensions($cert = null, $path = null)   X-Ref
Returns a list of all extensions in use

return: array
param: array $cert optional
param: string $path optional

_setExtension($id, $value, $critical = false, $replace = true, $path = null)   X-Ref
Set an Extension

return: bool
param: string $id
param: mixed $value
param: bool $critical optional
param: bool $replace optional
param: string $path optional

removeExtension($id)   X-Ref
Remove a certificate, CSR or CRL Extension

return: bool
param: string $id

getExtension($id, $cert = null)   X-Ref
Get a certificate, CSR or CRL Extension

Returns the extension if it exists and false if not

return: mixed
param: string $id
param: array $cert optional

getExtensions($cert = null)   X-Ref
Returns a list of all extensions in use in certificate, CSR or CRL

return: array
param: array $cert optional

setExtension($id, $value, $critical = false, $replace = true)   X-Ref
Set a certificate, CSR or CRL Extension

return: bool
param: string $id
param: mixed $value
param: bool $critical optional
param: bool $replace optional

removeAttribute($id, $disposition = self::ATTR_ALL)   X-Ref
Remove a CSR attribute.

return: bool
param: string $id
param: int $disposition optional

getAttribute($id, $disposition = self::ATTR_ALL, $csr = null)   X-Ref
Get a CSR attribute

Returns the attribute if it exists and false if not

return: mixed
param: string $id
param: int $disposition optional
param: array $csr optional

getAttributes($csr = null)   X-Ref
Returns a list of all CSR attributes in use

return: array
param: array $csr optional

setAttribute($id, $value, $disposition = self::ATTR_ALL)   X-Ref
Set a CSR attribute

return: bool
param: string $id
param: mixed $value
param: bool $disposition optional

setKeyIdentifier($value)   X-Ref
Sets the subject key identifier

This is used by the id-ce-authorityKeyIdentifier and the id-ce-subjectKeyIdentifier extensions.

param: string $value

computeKeyIdentifier($key = null, $method = 1)   X-Ref
Compute a public key identifier.

Although key identifiers may be set to any unique value, this function
computes key identifiers from public key according to the two
recommended methods (4.2.1.2 RFC 3280).
Highly polymorphic: try to accept all possible forms of key:
- Key object
- \phpseclib\File\X509 object with public or private key defined
- Certificate or CSR array
- \phpseclib\File\ASN1\Element object
- PEM or DER string

return: string binary key identifier
param: mixed $key optional
param: int $method optional

_formatSubjectPublicKey()   X-Ref
Format a public key as appropriate

return: array

setDomain()   X-Ref
Set the domain name's which the cert is to be valid for

return: array

setIPAddress()   X-Ref
Set the IP Addresses's which the cert is to be valid for

param: string $ipAddress optional

_dnsName($domain)   X-Ref
Helper function to build domain array

return: array
param: string $domain

_iPAddress($address)   X-Ref
Helper function to build IP Address array

(IPv6 is not currently supported)

return: array
param: string $address

_revokedCertificate(&$rclist, $serial, $create = false)   X-Ref
Get the index of a revoked certificate.

return: int|false
param: array $rclist
param: string $serial
param: bool $create optional

revoke($serial, $date = null)   X-Ref
Revoke a certificate.

return: bool
param: string $serial
param: string $date optional

unrevoke($serial)   X-Ref
Unrevoke a certificate.

return: bool
param: string $serial

getRevoked($serial)   X-Ref
Get a revoked certificate.

return: mixed
param: string $serial

listRevoked($crl = null)   X-Ref
List revoked certificates

return: array
param: array $crl optional

removeRevokedCertificateExtension($serial, $id)   X-Ref
Remove a Revoked Certificate Extension

return: bool
param: string $serial
param: string $id

getRevokedCertificateExtension($serial, $id, $crl = null)   X-Ref
Get a Revoked Certificate Extension

Returns the extension if it exists and false if not

return: mixed
param: string $serial
param: string $id
param: array $crl optional

getRevokedCertificateExtensions($serial, $crl = null)   X-Ref
Returns a list of all extensions in use for a given revoked certificate

return: array
param: string $serial
param: array $crl optional

setRevokedCertificateExtension($serial, $id, $value, $critical = false, $replace = true)   X-Ref
Set a Revoked Certificate Extension

return: bool
param: string $serial
param: string $id
param: mixed $value
param: bool $critical optional
param: bool $replace optional

_extractBER($str)   X-Ref
Extract raw BER from Base64 encoding

return: string
param: string $str

getOID($name)   X-Ref
Returns the OID corresponding to a name

What's returned in the associative array returned by loadX509() (or load*()) is either a name or an OID if
no OID to name mapping is available. The problem with this is that what may be an unmapped OID in one version
of phpseclib may not be unmapped in the next version, so apps that are looking at this OID may not be able
to work from version to version.

This method will return the OID if a name is passed to it and if no mapping is avialable it'll assume that
what's being passed to it already is an OID and return that instead. A few examples.

getOID('2.16.840.1.101.3.4.2.1') == '2.16.840.1.101.3.4.2.1'
getOID('id-sha256') == '2.16.840.1.101.3.4.2.1'
getOID('zzz') == 'zzz'

return: string