/vendor/phpseclib/phpseclib/phpseclib/File/X509.php
PHP | 4614 lines | 3049 code | 460 blank | 1105 comment | 390 complexity | 39ea599ff0ad62f50c4d9d4e9f8691f9 MD5 | raw file
Possible License(s): Apache-2.0, AGPL-1.0, GPL-2.0, LGPL-3.0, BSD-3-Clause, Unlicense, MPL-2.0, GPL-3.0, LGPL-2.1
Large files files are truncated, but you can click here to view the full file
- <?php
- /**
- * Pure-PHP X.509 Parser
- *
- * PHP version 5
- *
- * Encode and decode X.509 certificates.
- *
- * The extensions are from {@link http://tools.ietf.org/html/rfc5280 RFC5280} and
- * {@link http://web.archive.org/web/19961027104704/http://www3.netscape.com/eng/security/cert-exts.html Netscape Certificate Extensions}.
- *
- * Note that loading an X.509 certificate and resaving it may invalidate the signature. The reason being that the signature is based on a
- * portion of the certificate that contains optional parameters with default values. ie. if the parameter isn't there the default value is
- * used. Problem is, if the parameter is there and it just so happens to have the default value there are two ways that that parameter can
- * be encoded. It can be encoded explicitly or left out all together. This would effect the signature value and thus may invalidate the
- * the certificate all together unless the certificate is re-signed.
- *
- * @category File
- * @package X509
- * @author Jim Wigginton <terrafrost@php.net>
- * @copyright 2012 Jim Wigginton
- * @license http://www.opensource.org/licenses/mit-license.html MIT License
- * @link http://phpseclib.sourceforge.net
- */
- namespace phpseclib\File;
- use phpseclib\Crypt\Hash;
- use phpseclib\Crypt\Random;
- use phpseclib\Crypt\RSA;
- use phpseclib\File\ASN1\Element;
- use phpseclib\Math\BigInteger;
- /**
- * Pure-PHP X.509 Parser
- *
- * @package X509
- * @author Jim Wigginton <terrafrost@php.net>
- * @access public
- */
- class X509
- {
- /**
- * Flag to only accept signatures signed by certificate authorities
- *
- * Not really used anymore but retained all the same to suppress E_NOTICEs from old installs
- *
- * @access public
- */
- const VALIDATE_SIGNATURE_BY_CA = 1;
- /**#@+
- * @access public
- * @see \phpseclib\File\X509::getDN()
- */
- /**
- * Return internal array representation
- */
- const DN_ARRAY = 0;
- /**
- * Return string
- */
- const DN_STRING = 1;
- /**
- * Return ASN.1 name string
- */
- const DN_ASN1 = 2;
- /**
- * Return OpenSSL compatible array
- */
- const DN_OPENSSL = 3;
- /**
- * Return canonical ASN.1 RDNs string
- */
- const DN_CANON = 4;
- /**
- * Return name hash for file indexing
- */
- const DN_HASH = 5;
- /**#@-*/
- /**#@+
- * @access public
- * @see \phpseclib\File\X509::saveX509()
- * @see \phpseclib\File\X509::saveCSR()
- * @see \phpseclib\File\X509::saveCRL()
- */
- /**
- * Save as PEM
- *
- * ie. a base64-encoded PEM with a header and a footer
- */
- const FORMAT_PEM = 0;
- /**
- * Save as DER
- */
- const FORMAT_DER = 1;
- /**
- * Save as a SPKAC
- *
- * Only works on CSRs. Not currently supported.
- */
- const FORMAT_SPKAC = 2;
- /**
- * Auto-detect the format
- *
- * Used only by the load*() functions
- */
- const FORMAT_AUTO_DETECT = 3;
- /**#@-*/
- /**
- * Attribute value disposition.
- * If disposition is >= 0, this is the index of the target value.
- */
- const ATTR_ALL = -1; // All attribute values (array).
- const ATTR_APPEND = -2; // Add a value.
- const ATTR_REPLACE = -3; // Clear first, then add a value.
- /**
- * ASN.1 syntax for X.509 certificates
- *
- * @var array
- * @access private
- */
- var $Certificate;
- /**#@+
- * ASN.1 syntax for various extensions
- *
- * @access private
- */
- var $DirectoryString;
- var $PKCS9String;
- var $AttributeValue;
- var $Extensions;
- var $KeyUsage;
- var $ExtKeyUsageSyntax;
- var $BasicConstraints;
- var $KeyIdentifier;
- var $CRLDistributionPoints;
- var $AuthorityKeyIdentifier;
- var $CertificatePolicies;
- var $AuthorityInfoAccessSyntax;
- var $SubjectAltName;
- var $PrivateKeyUsagePeriod;
- var $IssuerAltName;
- var $PolicyMappings;
- var $NameConstraints;
- var $CPSuri;
- var $UserNotice;
- var $netscape_cert_type;
- var $netscape_comment;
- var $netscape_ca_policy_url;
- var $Name;
- var $RelativeDistinguishedName;
- var $CRLNumber;
- var $CRLReason;
- var $IssuingDistributionPoint;
- var $InvalidityDate;
- var $CertificateIssuer;
- var $HoldInstructionCode;
- var $SignedPublicKeyAndChallenge;
- /**#@-*/
- /**
- * ASN.1 syntax for Certificate Signing Requests (RFC2986)
- *
- * @var array
- * @access private
- */
- var $CertificationRequest;
- /**
- * ASN.1 syntax for Certificate Revocation Lists (RFC5280)
- *
- * @var array
- * @access private
- */
- var $CertificateList;
- /**
- * Distinguished Name
- *
- * @var array
- * @access private
- */
- var $dn;
- /**
- * Public key
- *
- * @var string
- * @access private
- */
- var $publicKey;
- /**
- * Private key
- *
- * @var string
- * @access private
- */
- var $privateKey;
- /**
- * Object identifiers for X.509 certificates
- *
- * @var array
- * @access private
- * @link http://en.wikipedia.org/wiki/Object_identifier
- */
- var $oids;
- /**
- * The certificate authorities
- *
- * @var array
- * @access private
- */
- var $CAs;
- /**
- * The currently loaded certificate
- *
- * @var array
- * @access private
- */
- var $currentCert;
- /**
- * The signature subject
- *
- * There's no guarantee \phpseclib\File\X509 is going to reencode an X.509 cert in the same way it was originally
- * encoded so we take save the portion of the original cert that the signature would have made for.
- *
- * @var string
- * @access private
- */
- var $signatureSubject;
- /**
- * Certificate Start Date
- *
- * @var string
- * @access private
- */
- var $startDate;
- /**
- * Certificate End Date
- *
- * @var string
- * @access private
- */
- var $endDate;
- /**
- * Serial Number
- *
- * @var string
- * @access private
- */
- var $serialNumber;
- /**
- * Key Identifier
- *
- * See {@link http://tools.ietf.org/html/rfc5280#section-4.2.1.1 RFC5280#section-4.2.1.1} and
- * {@link http://tools.ietf.org/html/rfc5280#section-4.2.1.2 RFC5280#section-4.2.1.2}.
- *
- * @var string
- * @access private
- */
- var $currentKeyIdentifier;
- /**
- * CA Flag
- *
- * @var bool
- * @access private
- */
- var $caFlag = false;
- /**
- * SPKAC Challenge
- *
- * @var string
- * @access private
- */
- var $challenge;
- /**
- * Default Constructor.
- *
- * @return \phpseclib\File\X509
- * @access public
- */
- function __construct()
- {
- // Explicitly Tagged Module, 1988 Syntax
- // http://tools.ietf.org/html/rfc5280#appendix-A.1
- $this->DirectoryString = array(
- 'type' => ASN1::TYPE_CHOICE,
- 'children' => array(
- 'teletexString' => array('type' => ASN1::TYPE_TELETEX_STRING),
- 'printableString' => array('type' => ASN1::TYPE_PRINTABLE_STRING),
- 'universalString' => array('type' => ASN1::TYPE_UNIVERSAL_STRING),
- 'utf8String' => array('type' => ASN1::TYPE_UTF8_STRING),
- 'bmpString' => array('type' => ASN1::TYPE_BMP_STRING)
- )
- );
- $this->PKCS9String = array(
- 'type' => ASN1::TYPE_CHOICE,
- 'children' => array(
- 'ia5String' => array('type' => ASN1::TYPE_IA5_STRING),
- 'directoryString' => $this->DirectoryString
- )
- );
- $this->AttributeValue = array('type' => ASN1::TYPE_ANY);
- $AttributeType = array('type' => ASN1::TYPE_OBJECT_IDENTIFIER);
- $AttributeTypeAndValue = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'type' => $AttributeType,
- 'value'=> $this->AttributeValue
- )
- );
- /*
- In practice, RDNs containing multiple name-value pairs (called "multivalued RDNs") are rare,
- but they can be useful at times when either there is no unique attribute in the entry or you
- want to ensure that the entry's DN contains some useful identifying information.
- - https://www.opends.org/wiki/page/DefinitionRelativeDistinguishedName
- */
- $this->RelativeDistinguishedName = array(
- 'type' => ASN1::TYPE_SET,
- 'min' => 1,
- 'max' => -1,
- 'children' => $AttributeTypeAndValue
- );
- // http://tools.ietf.org/html/rfc5280#section-4.1.2.4
- $RDNSequence = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- // RDNSequence does not define a min or a max, which means it doesn't have one
- 'min' => 0,
- 'max' => -1,
- 'children' => $this->RelativeDistinguishedName
- );
- $this->Name = array(
- 'type' => ASN1::TYPE_CHOICE,
- 'children' => array(
- 'rdnSequence' => $RDNSequence
- )
- );
- // http://tools.ietf.org/html/rfc5280#section-4.1.1.2
- $AlgorithmIdentifier = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'algorithm' => array('type' => ASN1::TYPE_OBJECT_IDENTIFIER),
- 'parameters' => array(
- 'type' => ASN1::TYPE_ANY,
- 'optional' => true
- )
- )
- );
- /*
- A certificate using system MUST reject the certificate if it encounters
- a critical extension it does not recognize; however, a non-critical
- extension may be ignored if it is not recognized.
- http://tools.ietf.org/html/rfc5280#section-4.2
- */
- $Extension = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'extnId' => array('type' => ASN1::TYPE_OBJECT_IDENTIFIER),
- 'critical' => array(
- 'type' => ASN1::TYPE_BOOLEAN,
- 'optional' => true,
- 'default' => false
- ),
- 'extnValue' => array('type' => ASN1::TYPE_OCTET_STRING)
- )
- );
- $this->Extensions = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'min' => 1,
- // technically, it's MAX, but we'll assume anything < 0 is MAX
- 'max' => -1,
- // if 'children' isn't an array then 'min' and 'max' must be defined
- 'children' => $Extension
- );
- $SubjectPublicKeyInfo = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'algorithm' => $AlgorithmIdentifier,
- 'subjectPublicKey' => array('type' => ASN1::TYPE_BIT_STRING)
- )
- );
- $UniqueIdentifier = array('type' => ASN1::TYPE_BIT_STRING);
- $Time = array(
- 'type' => ASN1::TYPE_CHOICE,
- 'children' => array(
- 'utcTime' => array('type' => ASN1::TYPE_UTC_TIME),
- 'generalTime' => array('type' => ASN1::TYPE_GENERALIZED_TIME)
- )
- );
- // http://tools.ietf.org/html/rfc5280#section-4.1.2.5
- $Validity = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'notBefore' => $Time,
- 'notAfter' => $Time
- )
- );
- $CertificateSerialNumber = array('type' => ASN1::TYPE_INTEGER);
- $Version = array(
- 'type' => ASN1::TYPE_INTEGER,
- 'mapping' => array('v1', 'v2', 'v3')
- );
- // assert($TBSCertificate['children']['signature'] == $Certificate['children']['signatureAlgorithm'])
- $TBSCertificate = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- // technically, default implies optional, but we'll define it as being optional, none-the-less, just to
- // reenforce that fact
- 'version' => array(
- 'constant' => 0,
- 'optional' => true,
- 'explicit' => true,
- 'default' => 'v1'
- ) + $Version,
- 'serialNumber' => $CertificateSerialNumber,
- 'signature' => $AlgorithmIdentifier,
- 'issuer' => $this->Name,
- 'validity' => $Validity,
- 'subject' => $this->Name,
- 'subjectPublicKeyInfo' => $SubjectPublicKeyInfo,
- // implicit means that the T in the TLV structure is to be rewritten, regardless of the type
- 'issuerUniqueID' => array(
- 'constant' => 1,
- 'optional' => true,
- 'implicit' => true
- ) + $UniqueIdentifier,
- 'subjectUniqueID' => array(
- 'constant' => 2,
- 'optional' => true,
- 'implicit' => true
- ) + $UniqueIdentifier,
- // <http://tools.ietf.org/html/rfc2459#page-74> doesn't use the EXPLICIT keyword but if
- // it's not IMPLICIT, it's EXPLICIT
- 'extensions' => array(
- 'constant' => 3,
- 'optional' => true,
- 'explicit' => true
- ) + $this->Extensions
- )
- );
- $this->Certificate = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'tbsCertificate' => $TBSCertificate,
- 'signatureAlgorithm' => $AlgorithmIdentifier,
- 'signature' => array('type' => ASN1::TYPE_BIT_STRING)
- )
- );
- $this->KeyUsage = array(
- 'type' => ASN1::TYPE_BIT_STRING,
- 'mapping' => array(
- 'digitalSignature',
- 'nonRepudiation',
- 'keyEncipherment',
- 'dataEncipherment',
- 'keyAgreement',
- 'keyCertSign',
- 'cRLSign',
- 'encipherOnly',
- 'decipherOnly'
- )
- );
- $this->BasicConstraints = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'cA' => array(
- 'type' => ASN1::TYPE_BOOLEAN,
- 'optional' => true,
- 'default' => false
- ),
- 'pathLenConstraint' => array(
- 'type' => ASN1::TYPE_INTEGER,
- 'optional' => true
- )
- )
- );
- $this->KeyIdentifier = array('type' => ASN1::TYPE_OCTET_STRING);
- $OrganizationalUnitNames = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'min' => 1,
- 'max' => 4, // ub-organizational-units
- 'children' => array('type' => ASN1::TYPE_PRINTABLE_STRING)
- );
- $PersonalName = array(
- 'type' => ASN1::TYPE_SET,
- 'children' => array(
- 'surname' => array(
- 'type' => ASN1::TYPE_PRINTABLE_STRING,
- 'constant' => 0,
- 'optional' => true,
- 'implicit' => true
- ),
- 'given-name' => array(
- 'type' => ASN1::TYPE_PRINTABLE_STRING,
- 'constant' => 1,
- 'optional' => true,
- 'implicit' => true
- ),
- 'initials' => array(
- 'type' => ASN1::TYPE_PRINTABLE_STRING,
- 'constant' => 2,
- 'optional' => true,
- 'implicit' => true
- ),
- 'generation-qualifier' => array(
- 'type' => ASN1::TYPE_PRINTABLE_STRING,
- 'constant' => 3,
- 'optional' => true,
- 'implicit' => true
- )
- )
- );
- $NumericUserIdentifier = array('type' => ASN1::TYPE_NUMERIC_STRING);
- $OrganizationName = array('type' => ASN1::TYPE_PRINTABLE_STRING);
- $PrivateDomainName = array(
- 'type' => ASN1::TYPE_CHOICE,
- 'children' => array(
- 'numeric' => array('type' => ASN1::TYPE_NUMERIC_STRING),
- 'printable' => array('type' => ASN1::TYPE_PRINTABLE_STRING)
- )
- );
- $TerminalIdentifier = array('type' => ASN1::TYPE_PRINTABLE_STRING);
- $NetworkAddress = array('type' => ASN1::TYPE_NUMERIC_STRING);
- $AdministrationDomainName = array(
- 'type' => ASN1::TYPE_CHOICE,
- // if class isn't present it's assumed to be \phpseclib\File\ASN1::CLASS_UNIVERSAL or
- // (if constant is present) \phpseclib\File\ASN1::CLASS_CONTEXT_SPECIFIC
- 'class' => ASN1::CLASS_APPLICATION,
- 'cast' => 2,
- 'children' => array(
- 'numeric' => array('type' => ASN1::TYPE_NUMERIC_STRING),
- 'printable' => array('type' => ASN1::TYPE_PRINTABLE_STRING)
- )
- );
- $CountryName = array(
- 'type' => ASN1::TYPE_CHOICE,
- // if class isn't present it's assumed to be \phpseclib\File\ASN1::CLASS_UNIVERSAL or
- // (if constant is present) \phpseclib\File\ASN1::CLASS_CONTEXT_SPECIFIC
- 'class' => ASN1::CLASS_APPLICATION,
- 'cast' => 1,
- 'children' => array(
- 'x121-dcc-code' => array('type' => ASN1::TYPE_NUMERIC_STRING),
- 'iso-3166-alpha2-code' => array('type' => ASN1::TYPE_PRINTABLE_STRING)
- )
- );
- $AnotherName = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'type-id' => array('type' => ASN1::TYPE_OBJECT_IDENTIFIER),
- 'value' => array(
- 'type' => ASN1::TYPE_ANY,
- 'constant' => 0,
- 'optional' => true,
- 'explicit' => true
- )
- )
- );
- $ExtensionAttribute = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'extension-attribute-type' => array(
- 'type' => ASN1::TYPE_PRINTABLE_STRING,
- 'constant' => 0,
- 'optional' => true,
- 'implicit' => true
- ),
- 'extension-attribute-value' => array(
- 'type' => ASN1::TYPE_ANY,
- 'constant' => 1,
- 'optional' => true,
- 'explicit' => true
- )
- )
- );
- $ExtensionAttributes = array(
- 'type' => ASN1::TYPE_SET,
- 'min' => 1,
- 'max' => 256, // ub-extension-attributes
- 'children' => $ExtensionAttribute
- );
- $BuiltInDomainDefinedAttribute = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'type' => array('type' => ASN1::TYPE_PRINTABLE_STRING),
- 'value' => array('type' => ASN1::TYPE_PRINTABLE_STRING)
- )
- );
- $BuiltInDomainDefinedAttributes = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'min' => 1,
- 'max' => 4, // ub-domain-defined-attributes
- 'children' => $BuiltInDomainDefinedAttribute
- );
- $BuiltInStandardAttributes = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'country-name' => array('optional' => true) + $CountryName,
- 'administration-domain-name' => array('optional' => true) + $AdministrationDomainName,
- 'network-address' => array(
- 'constant' => 0,
- 'optional' => true,
- 'implicit' => true
- ) + $NetworkAddress,
- 'terminal-identifier' => array(
- 'constant' => 1,
- 'optional' => true,
- 'implicit' => true
- ) + $TerminalIdentifier,
- 'private-domain-name' => array(
- 'constant' => 2,
- 'optional' => true,
- 'explicit' => true
- ) + $PrivateDomainName,
- 'organization-name' => array(
- 'constant' => 3,
- 'optional' => true,
- 'implicit' => true
- ) + $OrganizationName,
- 'numeric-user-identifier' => array(
- 'constant' => 4,
- 'optional' => true,
- 'implicit' => true
- ) + $NumericUserIdentifier,
- 'personal-name' => array(
- 'constant' => 5,
- 'optional' => true,
- 'implicit' => true
- ) + $PersonalName,
- 'organizational-unit-names' => array(
- 'constant' => 6,
- 'optional' => true,
- 'implicit' => true
- ) + $OrganizationalUnitNames
- )
- );
- $ORAddress = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'built-in-standard-attributes' => $BuiltInStandardAttributes,
- 'built-in-domain-defined-attributes' => array('optional' => true) + $BuiltInDomainDefinedAttributes,
- 'extension-attributes' => array('optional' => true) + $ExtensionAttributes
- )
- );
- $EDIPartyName = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'nameAssigner' => array(
- 'constant' => 0,
- 'optional' => true,
- 'implicit' => true
- ) + $this->DirectoryString,
- // partyName is technically required but \phpseclib\File\ASN1 doesn't currently support non-optional constants and
- // setting it to optional gets the job done in any event.
- 'partyName' => array(
- 'constant' => 1,
- 'optional' => true,
- 'implicit' => true
- ) + $this->DirectoryString
- )
- );
- $GeneralName = array(
- 'type' => ASN1::TYPE_CHOICE,
- 'children' => array(
- 'otherName' => array(
- 'constant' => 0,
- 'optional' => true,
- 'implicit' => true
- ) + $AnotherName,
- 'rfc822Name' => array(
- 'type' => ASN1::TYPE_IA5_STRING,
- 'constant' => 1,
- 'optional' => true,
- 'implicit' => true
- ),
- 'dNSName' => array(
- 'type' => ASN1::TYPE_IA5_STRING,
- 'constant' => 2,
- 'optional' => true,
- 'implicit' => true
- ),
- 'x400Address' => array(
- 'constant' => 3,
- 'optional' => true,
- 'implicit' => true
- ) + $ORAddress,
- 'directoryName' => array(
- 'constant' => 4,
- 'optional' => true,
- 'explicit' => true
- ) + $this->Name,
- 'ediPartyName' => array(
- 'constant' => 5,
- 'optional' => true,
- 'implicit' => true
- ) + $EDIPartyName,
- 'uniformResourceIdentifier' => array(
- 'type' => ASN1::TYPE_IA5_STRING,
- 'constant' => 6,
- 'optional' => true,
- 'implicit' => true
- ),
- 'iPAddress' => array(
- 'type' => ASN1::TYPE_OCTET_STRING,
- 'constant' => 7,
- 'optional' => true,
- 'implicit' => true
- ),
- 'registeredID' => array(
- 'type' => ASN1::TYPE_OBJECT_IDENTIFIER,
- 'constant' => 8,
- 'optional' => true,
- 'implicit' => true
- )
- )
- );
- $GeneralNames = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'min' => 1,
- 'max' => -1,
- 'children' => $GeneralName
- );
- $this->IssuerAltName = $GeneralNames;
- $ReasonFlags = array(
- 'type' => ASN1::TYPE_BIT_STRING,
- 'mapping' => array(
- 'unused',
- 'keyCompromise',
- 'cACompromise',
- 'affiliationChanged',
- 'superseded',
- 'cessationOfOperation',
- 'certificateHold',
- 'privilegeWithdrawn',
- 'aACompromise'
- )
- );
- $DistributionPointName = array(
- 'type' => ASN1::TYPE_CHOICE,
- 'children' => array(
- 'fullName' => array(
- 'constant' => 0,
- 'optional' => true,
- 'implicit' => true
- ) + $GeneralNames,
- 'nameRelativeToCRLIssuer' => array(
- 'constant' => 1,
- 'optional' => true,
- 'implicit' => true
- ) + $this->RelativeDistinguishedName
- )
- );
- $DistributionPoint = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'distributionPoint' => array(
- 'constant' => 0,
- 'optional' => true,
- 'explicit' => true
- ) + $DistributionPointName,
- 'reasons' => array(
- 'constant' => 1,
- 'optional' => true,
- 'implicit' => true
- ) + $ReasonFlags,
- 'cRLIssuer' => array(
- 'constant' => 2,
- 'optional' => true,
- 'implicit' => true
- ) + $GeneralNames
- )
- );
- $this->CRLDistributionPoints = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'min' => 1,
- 'max' => -1,
- 'children' => $DistributionPoint
- );
- $this->AuthorityKeyIdentifier = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'keyIdentifier' => array(
- 'constant' => 0,
- 'optional' => true,
- 'implicit' => true
- ) + $this->KeyIdentifier,
- 'authorityCertIssuer' => array(
- 'constant' => 1,
- 'optional' => true,
- 'implicit' => true
- ) + $GeneralNames,
- 'authorityCertSerialNumber' => array(
- 'constant' => 2,
- 'optional' => true,
- 'implicit' => true
- ) + $CertificateSerialNumber
- )
- );
- $PolicyQualifierId = array('type' => ASN1::TYPE_OBJECT_IDENTIFIER);
- $PolicyQualifierInfo = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'policyQualifierId' => $PolicyQualifierId,
- 'qualifier' => array('type' => ASN1::TYPE_ANY)
- )
- );
- $CertPolicyId = array('type' => ASN1::TYPE_OBJECT_IDENTIFIER);
- $PolicyInformation = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'policyIdentifier' => $CertPolicyId,
- 'policyQualifiers' => array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'min' => 0,
- 'max' => -1,
- 'optional' => true,
- 'children' => $PolicyQualifierInfo
- )
- )
- );
- $this->CertificatePolicies = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'min' => 1,
- 'max' => -1,
- 'children' => $PolicyInformation
- );
- $this->PolicyMappings = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'min' => 1,
- 'max' => -1,
- 'children' => array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'issuerDomainPolicy' => $CertPolicyId,
- 'subjectDomainPolicy' => $CertPolicyId
- )
- )
- );
- $KeyPurposeId = array('type' => ASN1::TYPE_OBJECT_IDENTIFIER);
- $this->ExtKeyUsageSyntax = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'min' => 1,
- 'max' => -1,
- 'children' => $KeyPurposeId
- );
- $AccessDescription = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'accessMethod' => array('type' => ASN1::TYPE_OBJECT_IDENTIFIER),
- 'accessLocation' => $GeneralName
- )
- );
- $this->AuthorityInfoAccessSyntax = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'min' => 1,
- 'max' => -1,
- 'children' => $AccessDescription
- );
- $this->SubjectAltName = $GeneralNames;
- $this->PrivateKeyUsagePeriod = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'notBefore' => array(
- 'constant' => 0,
- 'optional' => true,
- 'implicit' => true,
- 'type' => ASN1::TYPE_GENERALIZED_TIME),
- 'notAfter' => array(
- 'constant' => 1,
- 'optional' => true,
- 'implicit' => true,
- 'type' => ASN1::TYPE_GENERALIZED_TIME)
- )
- );
- $BaseDistance = array('type' => ASN1::TYPE_INTEGER);
- $GeneralSubtree = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'base' => $GeneralName,
- 'minimum' => array(
- 'constant' => 0,
- 'optional' => true,
- 'implicit' => true,
- 'default' => new BigInteger(0)
- ) + $BaseDistance,
- 'maximum' => array(
- 'constant' => 1,
- 'optional' => true,
- 'implicit' => true,
- ) + $BaseDistance
- )
- );
- $GeneralSubtrees = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'min' => 1,
- 'max' => -1,
- 'children' => $GeneralSubtree
- );
- $this->NameConstraints = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'permittedSubtrees' => array(
- 'constant' => 0,
- 'optional' => true,
- 'implicit' => true
- ) + $GeneralSubtrees,
- 'excludedSubtrees' => array(
- 'constant' => 1,
- 'optional' => true,
- 'implicit' => true
- ) + $GeneralSubtrees
- )
- );
- $this->CPSuri = array('type' => ASN1::TYPE_IA5_STRING);
- $DisplayText = array(
- 'type' => ASN1::TYPE_CHOICE,
- 'children' => array(
- 'ia5String' => array('type' => ASN1::TYPE_IA5_STRING),
- 'visibleString' => array('type' => ASN1::TYPE_VISIBLE_STRING),
- 'bmpString' => array('type' => ASN1::TYPE_BMP_STRING),
- 'utf8String' => array('type' => ASN1::TYPE_UTF8_STRING)
- )
- );
- $NoticeReference = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'organization' => $DisplayText,
- 'noticeNumbers' => array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'min' => 1,
- 'max' => 200,
- 'children' => array('type' => ASN1::TYPE_INTEGER)
- )
- )
- );
- $this->UserNotice = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'noticeRef' => array(
- 'optional' => true,
- 'implicit' => true
- ) + $NoticeReference,
- 'explicitText' => array(
- 'optional' => true,
- 'implicit' => true
- ) + $DisplayText
- )
- );
- // mapping is from <http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html>
- $this->netscape_cert_type = array(
- 'type' => ASN1::TYPE_BIT_STRING,
- 'mapping' => array(
- 'SSLClient',
- 'SSLServer',
- 'Email',
- 'ObjectSigning',
- 'Reserved',
- 'SSLCA',
- 'EmailCA',
- 'ObjectSigningCA'
- )
- );
- $this->netscape_comment = array('type' => ASN1::TYPE_IA5_STRING);
- $this->netscape_ca_policy_url = array('type' => ASN1::TYPE_IA5_STRING);
- // attribute is used in RFC2986 but we're using the RFC5280 definition
- $Attribute = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'type' => $AttributeType,
- 'value'=> array(
- 'type' => ASN1::TYPE_SET,
- 'min' => 1,
- 'max' => -1,
- 'children' => $this->AttributeValue
- )
- )
- );
- // adapted from <http://tools.ietf.org/html/rfc2986>
- $Attributes = array(
- 'type' => ASN1::TYPE_SET,
- 'min' => 1,
- 'max' => -1,
- 'children' => $Attribute
- );
- $CertificationRequestInfo = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'version' => array(
- 'type' => ASN1::TYPE_INTEGER,
- 'mapping' => array('v1')
- ),
- 'subject' => $this->Name,
- 'subjectPKInfo' => $SubjectPublicKeyInfo,
- 'attributes' => array(
- 'constant' => 0,
- 'optional' => true,
- 'implicit' => true
- ) + $Attributes,
- )
- );
- $this->CertificationRequest = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'certificationRequestInfo' => $CertificationRequestInfo,
- 'signatureAlgorithm' => $AlgorithmIdentifier,
- 'signature' => array('type' => ASN1::TYPE_BIT_STRING)
- )
- );
- $RevokedCertificate = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'userCertificate' => $CertificateSerialNumber,
- 'revocationDate' => $Time,
- 'crlEntryExtensions' => array(
- 'optional' => true
- ) + $this->Extensions
- )
- );
- $TBSCertList = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'version' => array(
- 'optional' => true,
- 'default' => 'v1'
- ) + $Version,
- 'signature' => $AlgorithmIdentifier,
- 'issuer' => $this->Name,
- 'thisUpdate' => $Time,
- 'nextUpdate' => array(
- 'optional' => true
- ) + $Time,
- 'revokedCertificates' => array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'optional' => true,
- 'min' => 0,
- 'max' => -1,
- 'children' => $RevokedCertificate
- ),
- 'crlExtensions' => array(
- 'constant' => 0,
- 'optional' => true,
- 'explicit' => true
- ) + $this->Extensions
- )
- );
- $this->CertificateList = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'tbsCertList' => $TBSCertList,
- 'signatureAlgorithm' => $AlgorithmIdentifier,
- 'signature' => array('type' => ASN1::TYPE_BIT_STRING)
- )
- );
- $this->CRLNumber = array('type' => ASN1::TYPE_INTEGER);
- $this->CRLReason = array('type' => ASN1::TYPE_ENUMERATED,
- 'mapping' => array(
- 'unspecified',
- 'keyCompromise',
- 'cACompromise',
- 'affiliationChanged',
- 'superseded',
- 'cessationOfOperation',
- 'certificateHold',
- // Value 7 is not used.
- 8 => 'removeFromCRL',
- 'privilegeWithdrawn',
- 'aACompromise'
- )
- );
- $this->IssuingDistributionPoint = array('type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'distributionPoint' => array(
- 'constant' => 0,
- 'optional' => true,
- 'explicit' => true
- ) + $DistributionPointName,
- 'onlyContainsUserCerts' => array(
- 'type' => ASN1::TYPE_BOOLEAN,
- 'constant' => 1,
- 'optional' => true,
- 'default' => false,
- 'implicit' => true
- ),
- 'onlyContainsCACerts' => array(
- 'type' => ASN1::TYPE_BOOLEAN,
- 'constant' => 2,
- 'optional' => true,
- 'default' => false,
- 'implicit' => true
- ),
- 'onlySomeReasons' => array(
- 'constant' => 3,
- 'optional' => true,
- 'implicit' => true
- ) + $ReasonFlags,
- 'indirectCRL' => array(
- 'type' => ASN1::TYPE_BOOLEAN,
- 'constant' => 4,
- 'optional' => true,
- 'default' => false,
- 'implicit' => true
- ),
- 'onlyContainsAttributeCerts' => array(
- 'type' => ASN1::TYPE_BOOLEAN,
- 'constant' => 5,
- 'optional' => true,
- 'default' => false,
- 'implicit' => true
- )
- )
- );
- $this->InvalidityDate = array('type' => ASN1::TYPE_GENERALIZED_TIME);
- $this->CertificateIssuer = $GeneralNames;
- $this->HoldInstructionCode = array('type' => ASN1::TYPE_OBJECT_IDENTIFIER);
- $PublicKeyAndChallenge = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'spki' => $SubjectPublicKeyInfo,
- 'challenge' => array('type' => ASN1::TYPE_IA5_STRING)
- )
- );
- $this->SignedPublicKeyAndChallenge = array(
- 'type' => ASN1::TYPE_SEQUENCE,
- 'children' => array(
- 'publicKeyAndChallenge' => $PublicKeyAndChallenge,
- 'signatureAlgorithm' => $AlgorithmIdentifier,
- 'signature' => array('type' => ASN1::TYPE_BIT_STRING)
- )
- );
- // OIDs from RFC5280 and those RFCs mentioned in RFC5280#section-4.1.1.2
- $this->oids = array(
- '1.3.6.1.5.5.7' => 'id-pkix',
- '1.3.6.1.5.5.7.1' => 'id-pe',
- '1.3.6.1.5.5.7.2' => 'id-qt',
- '1.3.6.1.5.5.7.3' => 'id-kp',
- '1.3.6.1.5.5.7.48' => 'id-ad',
- '1.3.6.1.5.5.7.2.1' => 'id-qt-cps',
- '1.3.6.1.5.5.7.2.2' => 'id-qt-unotice',
- '1.3.6.1.5.5.7.48.1' =>'id-ad-ocsp',
- '1.3.6.1.5.5.7.48.2' => 'id-ad-caIssuers',
- '1.3.6.1.5.5.7.48.3' => 'id-ad-timeStamping',
- '1.3.6.1.5.5.7.48.5' => 'id-ad-caRepository',
- '2.5.4' => 'id-at',
- '2.5.4.41' => 'id-at-name',
- '2.5.4.4' => 'id-at-surname',
- '2.5.4.42' => 'id-at-givenName',
- '2.5.4.43' => 'id-at-initials',
- '2.5.4.44' => 'id-at-generationQualifier',
- '2.5.4.3' => 'id-at-commonName',
- '2.5.4.7' => 'id-at-localityName',
- '2.5.4.8' => 'id-at-stateOrProvinceName',
- '2.5.4.10' => 'id-at-organizationName',
- '2.5.4.11' => 'id-at-organizationalUnitName',
- '2.5.4.12' => 'id-at-title',
- '2.5.4.13' => 'id-at-description',
- '2.5.4.46' => 'id-at-dnQualifier',
- '2.5.4.6' => 'id-at-countryName',
- '2.5.4.5' =>…
Large files files are truncated, but you can click here to view the full file