Documentation

X509
in package

Pure-PHP X.509 Parser

Tags
author

Jim Wigginton terrafrost@php.net

access

public

Table of Contents

Constants

ATTR_ALL  = -1
Attribute value disposition.
ATTR_APPEND  = -2
ATTR_REPLACE  = -3
DN_ARRAY  = 0
Return internal array representation
DN_ASN1  = 2
Return ASN.1 name string
DN_CANON  = 4
Return canonical ASN.1 RDNs string
DN_HASH  = 5
Return name hash for file indexing
DN_OPENSSL  = 3
Return OpenSSL compatible array
DN_STRING  = 1
Return string
FORMAT_AUTO_DETECT  = 3
Auto-detect the format
FORMAT_DER  = 1
Save as DER
FORMAT_PEM  = 0
Save as PEM
FORMAT_SPKAC  = 2
Save as a SPKAC
VALIDATE_SIGNATURE_BY_CA  = 1
Flag to only accept signatures signed by certificate authorities

Properties

$caFlag  : bool
CA Flag
$CAs  : array<string|int, mixed>
The certificate authorities
$challenge  : string
SPKAC Challenge
$currentCert  : array<string|int, mixed>
The currently loaded certificate
$currentKeyIdentifier  : string
Key Identifier
$disable_url_fetch  : bool
URL fetch flag
$dn  : array<string|int, mixed>
Distinguished Name
$domains  : array<string|int, mixed>|null
$endDate  : string
Certificate End Date
$extensions  : array<string|int, mixed>
$extensionValues  : array<string|int, mixed>
$ipAddresses  : array<string|int, mixed>|null
$oids  : array<string|int, mixed>
Object identifiers for X.509 certificates
$oidsLoaded  : bool
OIDs loaded
$privateKey  : string
Private key
$publicKey  : string
Public key
$recur_limit  : int
Recursion Limit
$serialNumber  : string
Serial Number
$signatureSubject  : string
The signature subject
$startDate  : string
Certificate Start Date

Methods

__construct()  : X509
Default Constructor.
computeKeyIdentifier()  : string
Compute a public key identifier.
decodeIP()  : string
Decodes an IP address
decodeNameConstraintIP()  : array<string|int, mixed>
Decodes an IP address in a name constraints extension
disableURLFetch()  : mixed
Prevents URIs from being automatically retrieved
enableURLFetch()  : mixed
Allows URIs to be automatically retrieved
encodeIP()  : string
Encodes an IP address
getAttribute()  : mixed
Get a CSR attribute
getAttributes()  : array<string|int, mixed>
Returns a list of all CSR attributes in use
getChain()  : mixed
Get the certificate chain for the current cert
getCurrentCert()  : array<string|int, mixed>|bool
Returns the current cert
getDN()  : array<string|int, mixed>|bool
Get the Distinguished Name for a certificate's subject
getDNProp()  : mixed
Get Distinguished Name properties
getExtension()  : mixed
Get a certificate, CSR or CRL Extension
getExtensions()  : array<string|int, mixed>
Returns a list of all extensions in use in certificate, CSR or CRL
getIssuerDN()  : mixed
Get the Distinguished Name for a certificate/crl issuer
getIssuerDNProp()  : mixed
Get an individual Distinguished Name property for a certificate/crl issuer
getPublicKey()  : mixed
Gets the public key
getRegisteredExtension()  : array<string|int, mixed>|null
Register the mapping for a custom/unsupported extension.
getRevoked()  : mixed
Get a revoked certificate.
getRevokedCertificateExtension()  : mixed
Get a Revoked Certificate Extension
getRevokedCertificateExtensions()  : array<string|int, mixed>|bool
Returns a list of all extensions in use for a given revoked certificate
getSubjectDN()  : mixed
Get the Distinguished Name for a certificate/CSR subject. Alias of getDN().
getSubjectDNProp()  : mixed
Get an individual Distinguished Name property for a certificate/csr subject
listRevoked()  : array<string|int, mixed>|bool
List revoked certificates
loadCA()  : bool
Load an X.509 certificate as a certificate authority
loadCRL()  : mixed
Load a Certificate Revocation List
loadCSR()  : mixed
Load a Certificate Signing Request
loadSPKAC()  : mixed
Load a SPKAC CSR
loadX509()  : mixed
Load X.509 certificate
makeCA()  : mixed
Turns the certificate into a certificate authority
registerExtension()  : mixed
Register the mapping for a custom/unsupported extension.
removeAttribute()  : bool
Remove a CSR attribute.
removeDNProp()  : mixed
Remove Distinguished Name properties
removeExtension()  : bool
Remove a certificate, CSR or CRL Extension
removeRevokedCertificateExtension()  : bool
Remove a Revoked Certificate Extension
revoke()  : bool
Revoke a certificate.
saveCRL()  : string
Save Certificate Revocation List.
saveCSR()  : string
Save CSR request
saveSPKAC()  : string
Save a SPKAC CSR request
saveX509()  : string
Save X.509 certificate
setAttribute()  : bool
Set a CSR attribute
setChallenge()  : mixed
Set challenge
setDN()  : bool
Set a Distinguished Name
setDNProp()  : bool
Set a Distinguished Name property
setDomain()  : array<string|int, mixed>
Set the domain names which the cert is to be valid for
setEndDate()  : mixed
Set certificate end date
setExtension()  : bool
Set a certificate, CSR or CRL Extension
setExtensionValue()  : mixed
Register the mapping for a custom/unsupported extension.
setIPAddress()  : mixed
Set the IP addresses which the cert is to be valid for
setKeyIdentifier()  : mixed
Sets the subject key identifier
setPrivateKey()  : mixed
Set private key
setPublicKey()  : bool
Set public key
setRecurLimit()  : mixed
Sets the recursion limit
setRevokedCertificateExtension()  : bool
Set a Revoked Certificate Extension
setSerialNumber()  : mixed
Set Serial Number
setStartDate()  : mixed
Set certificate start date
sign()  : mixed
Sign an X.509 certificate
signCRL()  : mixed
Sign a CRL
signCSR()  : mixed
Sign a CSR
signSPKAC()  : mixed
Sign a SPKAC
unrevoke()  : bool
Unrevoke a certificate.
validateDate()  : bool
Validate a date
validateSignature()  : mixed
Validate a signature
validateURL()  : bool
Validate an X.509 certificate against a URL
dnsName()  : array<string|int, mixed>
Helper function to build domain array
extensions()  : array<string|int, mixed>|false
Get a reference to an extension subarray
fetchURL()  : bool|string
Fetches a URL
formatSubjectPublicKey()  : array<string|int, mixed>|bool
Format a public key as appropriate
getExtensionHelper()  : mixed
Get an Extension
getExtensionsHelper()  : array<string|int, mixed>
Returns a list of all extensions in use
getMapping()  : mixed
Associate an extension ID to an extension mapping
identifySignatureAlgorithm()  : string
Identify signature algorithm from key settings
iPAddress()  : array<string|int, mixed>
Helper function to build IP Address array
isSubArrayValid()  : bool
Check for validity of subarray
mapInAttributes()  : mixed
Map attribute values from ANY type to attribute-specific internal format.
mapInDNs()  : mixed
Map DN values from ANY type to DN-specific internal format.
mapInExtensions()  : mixed
Map extension values from octet string to extension-specific internal format.
mapOutAttributes()  : mixed
Map attribute values from attribute-specific internal format to ANY type.
mapOutDNs()  : mixed
Map DN values from DN-specific internal format to ANY type.
mapOutExtensions()  : mixed
Map extension values from extension-specific internal format to octet string.
removeExtensionHelper()  : bool
Remove an Extension
revokedCertificate()  : int|false
Get the index of a revoked certificate.
setExtensionHelper()  : bool
Set an Extension
subArray()  : array<string|int, mixed>|false
Get a reference to a subarray
subArrayUnchecked()  : array<string|int, mixed>|false
Get a reference to a subarray
testForIntermediate()  : bool
Validates an intermediate cert as identified via authority info access extension
timeField()  : array<string|int, mixed>|Element
Helper function to build a time field according to RFC 3280 sections 4.1.2.5 (Validity), 5.1.2.4 (This Update), 5.1.2.5 (Next Update) and 5.1.2.6 (Revoked Certificates), choosing utcTime iff the year of the given date is before 2050 and generalTime otherwise.
translateDNProp()  : mixed
"Normalizes" a Distinguished Name property
validateSignatureCountable()  : mixed
Validate a signature
validateSignatureHelper()  : bool
Validates a signature

Constants

ATTR_ALL

Attribute value disposition.

public mixed ATTR_ALL = -1

If disposition is >= 0, this is the index of the target value.

ATTR_APPEND

public mixed ATTR_APPEND = -2

ATTR_REPLACE

public mixed ATTR_REPLACE = -3

DN_ARRAY

Return internal array representation

public mixed DN_ARRAY = 0
Tags
access

public

see
X509::getDN()

DN_ASN1

Return ASN.1 name string

public mixed DN_ASN1 = 2
Tags
access

public

see
X509::getDN()

DN_CANON

Return canonical ASN.1 RDNs string

public mixed DN_CANON = 4
Tags
access

public

see
X509::getDN()

DN_HASH

Return name hash for file indexing

public mixed DN_HASH = 5
Tags
access

public

see
X509::getDN()

DN_OPENSSL

Return OpenSSL compatible array

public mixed DN_OPENSSL = 3
Tags
access

public

see
X509::getDN()

VALIDATE_SIGNATURE_BY_CA

Flag to only accept signatures signed by certificate authorities

public mixed VALIDATE_SIGNATURE_BY_CA = 1

Not really used anymore but retained all the same to suppress E_NOTICEs from old installs

Tags
access

public

Properties

$caFlag

CA Flag

private bool $caFlag = false
Tags
access

private

$CAs

The certificate authorities

private array<string|int, mixed> $CAs
Tags
access

private

$challenge

SPKAC Challenge

private string $challenge
Tags
access

private

$currentCert

The currently loaded certificate

private array<string|int, mixed> $currentCert
Tags
access

private

$disable_url_fetch

URL fetch flag

private static bool $disable_url_fetch = false
Tags
access

private

$dn

Distinguished Name

private array<string|int, mixed> $dn
Tags
access

private

$domains

private array<string|int, mixed>|null $domains = null
Tags
access

private

$endDate

Certificate End Date

private string $endDate
Tags
access

private

$extensions

private static array<string|int, mixed> $extensions = []
Tags
access

private

$extensionValues

private array<string|int, mixed> $extensionValues = []
Tags
access

private

$ipAddresses

private array<string|int, mixed>|null $ipAddresses = null
Tags
access

private

$oidsLoaded

OIDs loaded

private static bool $oidsLoaded = false
Tags
access

private

$privateKey

Private key

private string $privateKey
Tags
access

private

$publicKey

Public key

private string $publicKey
Tags
access

private

$recur_limit

Recursion Limit

private static int $recur_limit = 5
Tags
access

private

$serialNumber

Serial Number

private string $serialNumber
Tags
access

private

$signatureSubject

The signature subject

private string $signatureSubject

There's no guarantee \phpseclib3\File\X509 is going to re-encode an X.509 cert in the same way it was originally encoded, so we save the portion of the original cert that the signature would have been made for.

Tags
access

private

$startDate

Certificate Start Date

private string $startDate
Tags
access

private

Methods

__construct()

Default Constructor.

public __construct() : X509
Tags
access

public

Return values
X509

computeKeyIdentifier()

Compute a public key identifier.

public computeKeyIdentifier([mixed $key = null ][, int $method = 1 ]) : string

Although key identifiers may be set to any unique value, this function computes key identifiers from public key according to the two recommended methods (4.2.1.2 RFC 3280). Highly polymorphic: try to accept all possible forms of key:

  • Key object
  • \phpseclib3\File\X509 object with public or private key defined
  • Certificate or CSR array
  • \phpseclib3\File\ASN1\Element object
  • PEM or DER string
Parameters
$key : mixed = null

optional

$method : int = 1

optional

Tags
access

public

Return values
string

binary key identifier

decodeIP()

Decodes an IP address

public static decodeIP(string $ip) : string

Takes in a base64 encoded "blob" and returns a human readable IP address

Parameters
$ip : string
Tags
access

private

Return values
string

decodeNameConstraintIP()

Decodes an IP address in a name constraints extension

public static decodeNameConstraintIP(string $ip) : array<string|int, mixed>

Takes in a base64 encoded "blob" and returns a human readable IP address / mask

Parameters
$ip : string
Tags
access

private

Return values
array<string|int, mixed>

disableURLFetch()

Prevents URIs from being automatically retrieved

public static disableURLFetch() : mixed
Tags
access

public

enableURLFetch()

Allows URIs to be automatically retrieved

public static enableURLFetch() : mixed
Tags
access

public

encodeIP()

Encodes an IP address

public static encodeIP(string|array<string|int, mixed> $ip) : string

Converts a human readable IP address into a base64-encoded "blob"

Parameters
$ip : string|array<string|int, mixed>
Tags
access

private

Return values
string

getAttribute()

Get a CSR attribute

public getAttribute(string $id[, int $disposition = self::ATTR_ALL ][, array<string|int, mixed> $csr = null ]) : mixed

Returns the attribute if it exists and false if not

Parameters
$id : string
$disposition : int = self::ATTR_ALL

optional

$csr : array<string|int, mixed> = null

optional

Tags
access

public

getAttributes()

Returns a list of all CSR attributes in use

public getAttributes([array<string|int, mixed> $csr = null ]) : array<string|int, mixed>
Parameters
$csr : array<string|int, mixed> = null

optional

Tags
access

public

Return values
array<string|int, mixed>

getChain()

Get the certificate chain for the current cert

public getChain() : mixed
Tags
access

public

getCurrentCert()

Returns the current cert

public & getCurrentCert() : array<string|int, mixed>|bool
Tags
access

public

Return values
array<string|int, mixed>|bool

getDN()

Get the Distinguished Name for a certificate's subject

public getDN([mixed $format = self::DN_ARRAY ][, array<string|int, mixed> $dn = null ]) : array<string|int, mixed>|bool
Parameters
$format : mixed = self::DN_ARRAY

optional

$dn : array<string|int, mixed> = null

optional

Tags
access

public

Return values
array<string|int, mixed>|bool

getDNProp()

Get Distinguished Name properties

public getDNProp(string $propName[, array<string|int, mixed> $dn = null ][, bool $withType = false ]) : mixed
Parameters
$propName : string
$dn : array<string|int, mixed> = null

optional

$withType : bool = false

optional

Tags
access

public

getExtension()

Get a certificate, CSR or CRL Extension

public getExtension(string $id[, array<string|int, mixed> $cert = null ][, string $path = null ]) : mixed

Returns the extension if it exists and false if not

Parameters
$id : string
$cert : array<string|int, mixed> = null

optional

$path : string = null
Tags
access

public

getExtensions()

Returns a list of all extensions in use in certificate, CSR or CRL

public getExtensions([array<string|int, mixed> $cert = null ][, string $path = null ]) : array<string|int, mixed>
Parameters
$cert : array<string|int, mixed> = null

optional

$path : string = null

optional

Tags
access

public

Return values
array<string|int, mixed>

getIssuerDN()

Get the Distinguished Name for a certificate/crl issuer

public getIssuerDN([int $format = self::DN_ARRAY ]) : mixed
Parameters
$format : int = self::DN_ARRAY

optional

Tags
access

public

getIssuerDNProp()

Get an individual Distinguished Name property for a certificate/crl issuer

public getIssuerDNProp(string $propName[, bool $withType = false ]) : mixed
Parameters
$propName : string
$withType : bool = false

optional

Tags
access

public

getPublicKey()

Gets the public key

public getPublicKey() : mixed

Returns a \phpseclib3\Crypt\RSA object or a false.

Tags
access

public

getRegisteredExtension()

Register the mapping for a custom/unsupported extension.

public static getRegisteredExtension(string $id) : array<string|int, mixed>|null
Parameters
$id : string
Return values
array<string|int, mixed>|null

getRevoked()

Get a revoked certificate.

public getRevoked(string $serial) : mixed
Parameters
$serial : string
Tags
access

public

getRevokedCertificateExtension()

Get a Revoked Certificate Extension

public getRevokedCertificateExtension(string $serial, string $id[, array<string|int, mixed> $crl = null ]) : mixed

Returns the extension if it exists and false if not

Parameters
$serial : string
$id : string
$crl : array<string|int, mixed> = null

optional

Tags
access

public

getRevokedCertificateExtensions()

Returns a list of all extensions in use for a given revoked certificate

public getRevokedCertificateExtensions(string $serial[, array<string|int, mixed> $crl = null ]) : array<string|int, mixed>|bool
Parameters
$serial : string
$crl : array<string|int, mixed> = null

optional

Tags
access

public

Return values
array<string|int, mixed>|bool

getSubjectDN()

Get the Distinguished Name for a certificate/CSR subject. Alias of getDN().

public getSubjectDN([int $format = self::DN_ARRAY ]) : mixed
Parameters
$format : int = self::DN_ARRAY

optional

Tags
access

public

getSubjectDNProp()

Get an individual Distinguished Name property for a certificate/csr subject

public getSubjectDNProp(string $propName[, bool $withType = false ]) : mixed
Parameters
$propName : string
$withType : bool = false

optional

Tags
access

public

listRevoked()

List revoked certificates

public listRevoked([array<string|int, mixed> $crl = null ]) : array<string|int, mixed>|bool
Parameters
$crl : array<string|int, mixed> = null

optional

Tags
access

public

Return values
array<string|int, mixed>|bool

loadCA()

Load an X.509 certificate as a certificate authority

public loadCA(string $cert) : bool
Parameters
$cert : string
Tags
access

public

Return values
bool

loadCRL()

Load a Certificate Revocation List

public loadCRL(string $crl[, int $mode = self::FORMAT_AUTO_DETECT ]) : mixed
Parameters
$crl : string
$mode : int = self::FORMAT_AUTO_DETECT
Tags
access

public

loadCSR()

Load a Certificate Signing Request

public loadCSR(string $csr[, int $mode = self::FORMAT_AUTO_DETECT ]) : mixed
Parameters
$csr : string
$mode : int = self::FORMAT_AUTO_DETECT
Tags
access

public

loadSPKAC()

Load a SPKAC CSR

public loadSPKAC(string $spkac) : mixed

SPKACs are produced by the HTML5 keygen element:

https://developer.mozilla.org/en-US/docs/HTML/Element/keygen

Parameters
$spkac : string
Tags
access

public

loadX509()

Load X.509 certificate

public loadX509(string $cert[, int $mode = self::FORMAT_AUTO_DETECT ]) : mixed

Returns an associative array describing the X.509 cert or a false if the cert failed to load

Parameters
$cert : string
$mode : int = self::FORMAT_AUTO_DETECT
Tags
access

public

makeCA()

Turns the certificate into a certificate authority

public makeCA() : mixed
Tags
access

public

registerExtension()

Register the mapping for a custom/unsupported extension.

public static registerExtension(string $id, array<string|int, mixed> $mapping) : mixed
Parameters
$id : string
$mapping : array<string|int, mixed>

removeAttribute()

Remove a CSR attribute.

public removeAttribute(string $id[, int $disposition = self::ATTR_ALL ]) : bool
Parameters
$id : string
$disposition : int = self::ATTR_ALL

optional

Tags
access

public

Return values
bool

removeDNProp()

Remove Distinguished Name properties

public removeDNProp(string $propName) : mixed
Parameters
$propName : string
Tags
access

public

removeExtension()

Remove a certificate, CSR or CRL Extension

public removeExtension(string $id) : bool
Parameters
$id : string
Tags
access

public

Return values
bool

removeRevokedCertificateExtension()

Remove a Revoked Certificate Extension

public removeRevokedCertificateExtension(string $serial, string $id) : bool
Parameters
$serial : string
$id : string
Tags
access

public

Return values
bool

revoke()

Revoke a certificate.

public revoke(string $serial[, string $date = null ]) : bool
Parameters
$serial : string
$date : string = null

optional

Tags
access

public

Return values
bool

saveCRL()

Save Certificate Revocation List.

public saveCRL(array<string|int, mixed> $crl[, int $format = self::FORMAT_PEM ]) : string
Parameters
$crl : array<string|int, mixed>
$format : int = self::FORMAT_PEM

optional

Tags
access

public

Return values
string

saveCSR()

Save CSR request

public saveCSR(array<string|int, mixed> $csr[, int $format = self::FORMAT_PEM ]) : string
Parameters
$csr : array<string|int, mixed>
$format : int = self::FORMAT_PEM

optional

Tags
access

public

Return values
string

saveSPKAC()

Save a SPKAC CSR request

public saveSPKAC(array<string|int, mixed> $spkac[, int $format = self::FORMAT_PEM ]) : string
Parameters
$spkac : array<string|int, mixed>
$format : int = self::FORMAT_PEM

optional

Tags
access

public

Return values
string

saveX509()

Save X.509 certificate

public saveX509(array<string|int, mixed> $cert[, int $format = self::FORMAT_PEM ]) : string
Parameters
$cert : array<string|int, mixed>
$format : int = self::FORMAT_PEM

optional

Tags
access

public

Return values
string

setAttribute()

Set a CSR attribute

public setAttribute(string $id, mixed $value[, int $disposition = self::ATTR_ALL ]) : bool
Parameters
$id : string
$value : mixed
$disposition : int = self::ATTR_ALL

optional

Tags
access

public

Return values
bool

setChallenge()

Set challenge

public setChallenge(string $challenge) : mixed

Used for SPKAC CSR's

Parameters
$challenge : string
Tags
access

public

setDN()

Set a Distinguished Name

public setDN(mixed $dn[, bool $merge = false ][, string $type = 'utf8String' ]) : bool
Parameters
$dn : mixed
$merge : bool = false

optional

$type : string = 'utf8String'

optional

Tags
access

public

Return values
bool

setDNProp()

Set a Distinguished Name property

public setDNProp(string $propName, mixed $propValue[, string $type = 'utf8String' ]) : bool
Parameters
$propName : string
$propValue : mixed
$type : string = 'utf8String'

optional

Tags
access

public

Return values
bool

setDomain()

Set the domain names which the cert is to be valid for

public setDomain(array<string|int, mixed> ...$domains) : array<string|int, mixed>
Parameters
$domains : array<string|int, mixed>
Tags
access

public

Return values
array<string|int, mixed>

setEndDate()

Set certificate end date

public setEndDate(DateTimeInterface|string $date) : mixed
Parameters
$date : DateTimeInterface|string
Tags
access

public

setExtension()

Set a certificate, CSR or CRL Extension

public setExtension(string $id, mixed $value[, bool $critical = false ][, bool $replace = true ]) : bool
Parameters
$id : string
$value : mixed
$critical : bool = false

optional

$replace : bool = true

optional

Tags
access

public

Return values
bool

setExtensionValue()

Register the mapping for a custom/unsupported extension.

public setExtensionValue(string $id, mixed $value[, bool $critical = false ][, bool $replace = false ]) : mixed
Parameters
$id : string
$value : mixed
$critical : bool = false
$replace : bool = false

setIPAddress()

Set the IP addresses which the cert is to be valid for

public setIPAddress(array<string|int, mixed> ...$ipAddresses) : mixed
Parameters
$ipAddresses : array<string|int, mixed>
Tags
access

public

setKeyIdentifier()

Sets the subject key identifier

public setKeyIdentifier(string $value) : mixed

This is used by the id-ce-authorityKeyIdentifier and the id-ce-subjectKeyIdentifier extensions.

Parameters
$value : string
Tags
access

public

setPrivateKey()

Set private key

public setPrivateKey(PrivateKey $key) : mixed

Key needs to be a \phpseclib3\Crypt\RSA object

Parameters
$key : PrivateKey
Tags
access

public

setPublicKey()

Set public key

public setPublicKey(PublicKey $key) : bool

Key needs to be a \phpseclib3\Crypt\RSA object

Parameters
$key : PublicKey
Tags
access

public

Return values
bool

setRecurLimit()

Sets the recursion limit

public static setRecurLimit(int $count) : mixed

When validating a signature it may be necessary to download intermediate certs from URIs. An intermediate cert that linked to itself would result in an infinite loop, so to prevent that we set a recursion limit. A negative number means that there is no recursion limit.

Parameters
$count : int
Tags
access

public

setRevokedCertificateExtension()

Set a Revoked Certificate Extension

public setRevokedCertificateExtension(string $serial, string $id, mixed $value[, bool $critical = false ][, bool $replace = true ]) : bool
Parameters
$serial : string
$id : string
$value : mixed
$critical : bool = false

optional

$replace : bool = true

optional

Tags
access

public

Return values
bool

setSerialNumber()

Set Serial Number

public setSerialNumber(string $serial[, int $base = -256 ]) : mixed
Parameters
$serial : string
$base : int = -256

optional

Tags
access

public

setStartDate()

Set certificate start date

public setStartDate(DateTimeInterface|string $date) : mixed
Parameters
$date : DateTimeInterface|string
Tags
access

public

sign()

Sign an X.509 certificate

public sign(X509 $issuer, X509 $subject) : mixed

$issuer's private key needs to be loaded. $subject can be either an existing X.509 cert (if you want to resign it), a CSR or something with the DN and public key explicitly set.

Parameters
$issuer : X509
$subject : X509
Tags
access

public

signCRL()

Sign a CRL

public signCRL(X509 $issuer, X509 $crl) : mixed

$issuer's private key needs to be loaded.

Parameters
$issuer : X509
$crl : X509
Tags
access

public

signCSR()

Sign a CSR

public signCSR() : mixed
Tags
access

public

signSPKAC()

Sign a SPKAC

public signSPKAC() : mixed
Tags
access

public

unrevoke()

Unrevoke a certificate.

public unrevoke(string $serial) : bool
Parameters
$serial : string
Tags
access

public

Return values
bool

validateDate()

Validate a date

public validateDate([DateTimeInterface|string $date = null ]) : bool

If $date isn't defined it is assumed to be the current date.

Parameters
$date : DateTimeInterface|string = null

optional

Tags
access

public

Return values
bool

validateSignature()

Validate a signature

public validateSignature([bool $caonly = true ]) : mixed

Works on X.509 certs, CSRs and CRLs. Returns true if the signature is verified, false if it is not correct, or null on error.

By default returns false for self-signed certs. Call validateSignature(false) to make this support self-signed.

The behavior of this function is inspired by openssl_verify.

Parameters
$caonly : bool = true

optional

Tags
access

public

validateURL()

Validate an X.509 certificate against a URL

public validateURL(string $url) : bool

From RFC2818 "HTTP over TLS":

Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.

Parameters
$url : string
Tags
access

public

Return values
bool
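The following added example (not part of phpseclib or its documentation) shows validateSignature(), validateDate() and validateURL() used together as a relying-party check, with automatic URL fetching disabled so that a certificate under inspection cannot trigger outbound requests. It assumes phpseclib 3.x installed through Composer; the helper names `issue()` and `checkServerCert()`, the CA name and the `.example` domains are constructed for the demonstration.

```php
<?php
// Added example, not phpseclib's own code. Assumes phpseclib 3.x installed with
// Composer; every name, domain and key below is constructed for the demo.
require __DIR__ . '/vendor/autoload.php';

use phpseclib3\Crypt\RSA;
use phpseclib3\File\X509;

// Hypothetical helper: sign $subject with the CA key and return the cert as PEM.
function issue(X509 $subject, $caKey, array $caDN, bool $asCA): string
{
    $issuer = new X509();
    $issuer->setPrivateKey($caKey);      // sign() needs the issuer's private key
    $issuer->setDN($caDN);

    $builder = new X509();
    if ($asCA) {
        $builder->makeCA();              // mark the resulting cert as a CA
    }
    $builder->setStartDate('-1 day');
    $builder->setEndDate('+30 days');
    return $builder->saveX509($builder->sign($issuer, $subject));
}

// Hypothetical helper: the three independent checks a client should make.
function checkServerCert(string $leafPem, array $trustedCaPems, string $url): array
{
    $x509 = new X509();
    foreach ($trustedCaPems as $pem) {
        $x509->loadCA($pem);
    }
    if ($x509->loadX509($leafPem) === false) {
        return ['chain' => false, 'date' => false, 'host' => false];
    }
    return [
        // validateSignature() may return null on error, so compare strictly.
        'chain' => $x509->validateSignature() === true,
        'date'  => $x509->validateDate(),
        'host'  => $x509->validateURL($url),
    ];
}

// Do not let an untrusted certificate cause URIs to be retrieved automatically.
X509::disableURLFetch();

// Constructed throwaway CA (self-signed).
$caKey = RSA::createKey(2048);
$caSubject = new X509();
$caSubject->setDNProp('id-at-organizationName', 'Constructed Test CA');
$caSubject->setPublicKey($caKey->getPublicKey());
$caPem = issue($caSubject, $caKey, $caSubject->getDN(), true);

// Constructed leaf carrying the two wildcard shapes from the RFC 2818 text.
$leafKey = RSA::createKey(2048);
$leaf = new X509();
$leaf->setPublicKey($leafKey->getPublicKey());
$leaf->setDomain('*.a.example', 'f*.example');
$leafPem = issue($leaf, $caKey, $caSubject->getDN(), false);

// URL => whether the wildcard rule quoted above says the name should match.
$hostCases = [
    'https://foo.a.example/'     => true,   // "*" covers one whole label
    'https://bar.foo.a.example/' => false,  // "*" never spans a dot
    'https://foo.example/'       => true,   // "f*" covers a label fragment
    'https://bar.example/'       => false,
];
foreach ($hostCases as $url => $expected) {
    $r = checkServerCert($leafPem, [$caPem], $url);
    printf("%-30s chain=%d date=%d host=%d %s\n", $url, $r['chain'], $r['date'],
        $r['host'], $r['host'] === $expected ? 'as expected' : 'MISMATCH');
}

// Same leaf, but the relying party has not loaded the CA: the chain check
// must fail even though the hostname still matches.
$untrusted = checkServerCert($leafPem, [], 'https://foo.a.example/');
printf("no CA loaded: chain=%d host=%d\n", $untrusted['chain'], $untrusted['host']);

// Self-signed cert: the default call and validateSignature(false) differ.
// The second form checks the signature only and establishes no trust.
$self = new X509();
$self->loadX509($caPem);
printf("self-signed: default=%s caonly=false=%s\n",
    var_export($self->validateSignature(), true),
    var_export($self->validateSignature(false), true));
```

Treat the three results as a conjunction: validateURL() only compares names and says nothing about who issued the certificate, and validateSignature(false) should not be used to decide trust.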

dnsName()

Helper function to build domain array

private dnsName(string $domain) : array<string|int, mixed>
Parameters
$domain : string
Tags
access

private

Return values
array<string|int, mixed>

extensions()

Get a reference to an extension subarray

private & extensions(array<string|int, mixed> &$root[, string $path = null ][, bool $create = false ]) : array<string|int, mixed>|false
Parameters
$root : array<string|int, mixed>
$path : string = null

optional absolute path with / as component separator

$create : bool = false

optional

Tags
access

private

Return values
array<string|int, mixed>|false

fetchURL()

Fetches a URL

private static fetchURL(string $url) : bool|string
Parameters
$url : string
Tags
access

private

Return values
bool|string

formatSubjectPublicKey()

Format a public key as appropriate

private formatSubjectPublicKey() : array<string|int, mixed>|bool
Tags
access

private

Return values
array<string|int, mixed>|bool

getExtensionHelper()

Get an Extension

private getExtensionHelper(string $id[, array<string|int, mixed> $cert = null ][, string $path = null ]) : mixed

Returns the extension if it exists and false if not

Parameters
$id : string
$cert : array<string|int, mixed> = null

optional

$path : string = null

optional

Tags
access

private

getExtensionsHelper()

Returns a list of all extensions in use

private getExtensionsHelper([array<string|int, mixed> $cert = null ][, string $path = null ]) : array<string|int, mixed>
Parameters
$cert : array<string|int, mixed> = null

optional

$path : string = null

optional

Tags
access

private

Return values
array<string|int, mixed>

getMapping()

Associate an extension ID to an extension mapping

private getMapping(string $extnId) : mixed
Parameters
$extnId : string
Tags
access

private

identifySignatureAlgorithm()

Identify signature algorithm from key settings

private static identifySignatureAlgorithm(PrivateKey $key) : string
Parameters
$key : PrivateKey
Tags
access

private

throws
UnsupportedAlgorithmException

if the algorithm is unsupported

Return values
string

iPAddress()

Helper function to build IP Address array

private iPAddress(string $address) : array<string|int, mixed>

(IPv6 is not currently supported)

Parameters
$address : string
Tags
access

private

Return values
array<string|int, mixed>

isSubArrayValid()

Check for validity of subarray

private isSubArrayValid(array<string|int, mixed> $root, string $path) : bool

This is intended for use in conjunction with _subArrayUnchecked(), implementing the checks included in _subArray() but without copying a potentially large array by passing its reference by-value to is_array().

Parameters
$root : array<string|int, mixed>
$path : string
Tags
access

private

Return values
bool

mapInAttributes()

Map attribute values from ANY type to attribute-specific internal format.

private mapInAttributes(array<string|int, mixed> &$root, string $path) : mixed
Parameters
$root : array<string|int, mixed>

(by reference)

$path : string
Tags
access

private

mapInDNs()

Map DN values from ANY type to DN-specific internal format.

private mapInDNs(array<string|int, mixed> &$root, string $path) : mixed
Parameters
$root : array<string|int, mixed>

(by reference)

$path : string
Tags
access

private

mapInExtensions()

Map extension values from octet string to extension-specific internal format.

private mapInExtensions(array<string|int, mixed> &$root, string $path) : mixed
Parameters
$root : array<string|int, mixed>

(by reference)

$path : string
Tags
access

private

mapOutAttributes()

Map attribute values from attribute-specific internal format to ANY type.

private mapOutAttributes(array<string|int, mixed> &$root, string $path) : mixed
Parameters
$root : array<string|int, mixed>

(by reference)

$path : string
Tags
access

private

mapOutDNs()

Map DN values from DN-specific internal format to ANY type.

private mapOutDNs(array<string|int, mixed> &$root, string $path) : mixed
Parameters
$root : array<string|int, mixed>

(by reference)

$path : string
Tags
access

private

mapOutExtensions()

Map extension values from extension-specific internal format to octet string.

private mapOutExtensions(array<string|int, mixed> &$root, string $path) : mixed
Parameters
$root : array<string|int, mixed>

(by reference)

$path : string
Tags
access

private

removeExtensionHelper()

Remove an Extension

private removeExtensionHelper(string $id[, string $path = null ]) : bool
Parameters
$id : string
$path : string = null

optional

Tags
access

private

Return values
bool

revokedCertificate()

Get the index of a revoked certificate.

private revokedCertificate(array<string|int, mixed> &$rclist, string $serial[, bool $create = false ]) : int|false
Parameters
$rclist : array<string|int, mixed>
$serial : string
$create : bool = false

optional

Tags
access

private

Return values
int|false

setExtensionHelper()

Set an Extension

private setExtensionHelper(string $id, mixed $value[, bool $critical = false ][, bool $replace = true ][, string $path = null ]) : bool
Parameters
$id : string
$value : mixed
$critical : bool = false

optional

$replace : bool = true

optional

$path : string = null

optional

Tags
access

private

Return values
bool

subArray()

Get a reference to a subarray

private & subArray(array<string|int, mixed> &$root, string $path[, bool $create = false ]) : array<string|int, mixed>|false
Parameters
$root : array<string|int, mixed>
$path : string

absolute path with / as component separator

$create : bool = false

optional

Tags
access

private

Return values
array<string|int, mixed>|false

subArrayUnchecked()

Get a reference to a subarray

private & subArrayUnchecked(array<string|int, mixed> &$root, string $path[, bool $create = false ]) : array<string|int, mixed>|false

This variant of _subArray() does no is_array() checking, so $root should be checked with _isSubArrayValid() first.

This is here for performance reasons: Passing a reference (i.e. $root) by-value (i.e. to is_array()) creates a copy. If $root is an especially large array, this is expensive.

Parameters
$root : array<string|int, mixed>
$path : string

absolute path with / as component separator

$create : bool = false

optional

Tags
access

private

Return values
array<string|int, mixed>|false

testForIntermediate()

Validates an intermediate cert as identified via authority info access extension

private testForIntermediate(bool $caonly, int $count) : bool

See https://tools.ietf.org/html/rfc4325 for more info

Parameters
$caonly : bool
$count : int
Tags
access

private

Return values
bool

timeField()

Helper function to build a time field according to RFC 3280 sections 4.1.2.5 (Validity), 5.1.2.4 (This Update), 5.1.2.5 (Next Update) and 5.1.2.6 (Revoked Certificates), choosing utcTime iff the year of the given date is before 2050 and generalTime otherwise.

private timeField(string $date) : array<string|int, mixed>|Element
Parameters
$date : string

in format date('D, d M Y H:i:s O')

Tags
access

private

Return values
array<string|int, mixed>|Element

translateDNProp()

"Normalizes" a Distinguished Name property

private translateDNProp(string $propName) : mixed
Parameters
$propName : string
Tags
access

private

validateSignatureCountable()

Validate a signature

private validateSignatureCountable(bool $caonly, int $count) : mixed

Performs said validation whilst keeping track of how many times validation method is called

Parameters
$caonly : bool
$count : int
Tags
access

private

validateSignatureHelper()

Validates a signature

private validateSignatureHelper(string $publicKeyAlgorithm, string $publicKey, string $signatureAlgorithm, string $signature, string $signatureSubject) : bool

Returns true if the signature is verified and false if it is not correct. If the algorithms are unsupported an exception is thrown.

Parameters
$publicKeyAlgorithm : string
$publicKey : string
$signatureAlgorithm : string
$signature : string
$signatureSubject : string
Tags
access

private

throws
UnsupportedAlgorithmException

if the algorithm is unsupported

Return values
bool

        