
/protected/vendors/phpseclib/File/X509.php

https://bitbucket.org/negge/tlklan2


  1. <?php
  2. /* vim: set expandtab tabstop=4 shiftwidth=4 softtabstop=4: */
  3. /**
  4. * Pure-PHP X.509 Parser
  5. *
  6. * PHP versions 4 and 5
  7. *
  8. * Encode and decode X.509 certificates.
  9. *
  10. * The extensions are from {@link http://tools.ietf.org/html/rfc5280 RFC5280} and
  11. * {@link http://web.archive.org/web/19961027104704/http://www3.netscape.com/eng/security/cert-exts.html Netscape Certificate Extensions}.
  12. *
  13. * Note that loading an X.509 certificate and resaving it may invalidate the signature. The reason being that the signature is based on a
  14. * portion of the certificate that contains optional parameters with default values. ie. if the parameter isn't there the default value is
  15. * used. Problem is, if the parameter is there and it just so happens to have the default value there are two ways that that parameter can
  16. * be encoded. It can be encoded explicitly or left out altogether. This would affect the signature value and thus may invalidate
  17. * the certificate altogether unless the certificate is re-signed.
  18. *
  19. * LICENSE: Permission is hereby granted, free of charge, to any person obtaining a copy
  20. * of this software and associated documentation files (the "Software"), to deal
  21. * in the Software without restriction, including without limitation the rights
  22. * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  23. * copies of the Software, and to permit persons to whom the Software is
  24. * furnished to do so, subject to the following conditions:
  25. *
  26. * The above copyright notice and this permission notice shall be included in
  27. * all copies or substantial portions of the Software.
  28. *
  29. * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  30. * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  31. * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
  32. * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  33. * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  34. * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
  35. * THE SOFTWARE.
  36. *
  37. * @category File
  38. * @package File_X509
  39. * @author Jim Wigginton <terrafrost@php.net>
  40. * @copyright MMXII Jim Wigginton
  41. * @license http://www.opensource.org/licenses/mit-license.html MIT License
  42. * @version $Id$
  43. * @link http://phpseclib.sourceforge.net
  44. */
  45. /**
  46. * Include File_ASN1
  47. */
  48. if (!class_exists('File_ASN1')) {
  49. require_once('File/ASN1.php');
  50. }
  51. /**
  52. * Flag to only accept signatures signed by certificate authorities
  53. *
  54. * @access public
  55. * @see File_X509::validateSignature()
  56. */
  57. define('FILE_X509_VALIDATE_SIGNATURE_BY_CA', 1);
  58. /**#@+
  59. * @access public
  60. * @see File_X509::getDN()
  61. */
  62. /**
  63. * Return internal array representation
  64. */
  65. define('FILE_X509_DN_ARRAY', 0); // Internal array representation.
  66. /**
  67. * Return string
  68. */
  69. define('FILE_X509_DN_STRING', 1);
  70. /**
  71. * Return ASN.1 name string
  72. */
  73. define('FILE_X509_DN_ASN1', 2);
  74. /**
  75. * Return OpenSSL compatible array
  76. */
  77. define('FILE_X509_DN_OPENSSL', 3);
  78. /**
  79. * Return canonical ASN.1 RDNs string
  80. */
  81. define('FILE_X509_DN_CANON', 4);
  82. /**
  83. * Return name ash for file indexing
  84. */
  85. define('FILE_X509_DN_HASH', 5);
  86. /**#@-*/
  87. /**
  88. * Pure-PHP X.509 Parser
  89. *
  90. * @author Jim Wigginton <terrafrost@php.net>
  91. * @version 0.3.0
  92. * @access public
  93. * @package File_X509
  94. */
  95. class File_X509 {
  96. /**
  97. * ASN.1 syntax for X.509 certificates
  98. *
  99. * @var Array
  100. * @access private
  101. */
  102. var $Certificate;
  103. /**#@+
  104. * ASN.1 syntax for various extensions
  105. *
  106. * @access private
  107. */
  108. var $KeyUsage;
  109. var $ExtKeyUsageSyntax;
  110. var $BasicConstraints;
  111. var $KeyIdentifier;
  112. var $CRLDistributionPoints;
  113. var $AuthorityKeyIdentifier;
  114. var $CertificatePolicies;
  115. var $AuthorityInfoAccessSyntax;
  116. var $SubjectAltName;
  117. var $PrivateKeyUsagePeriod;
  118. var $IssuerAltName;
  119. var $PolicyMappings;
  120. var $NameConstraints;
  121. var $CPSuri;
  122. var $UserNotice;
  123. var $netscape_cert_type;
  124. var $netscape_comment;
  125. var $netscape_ca_policy_url;
  126. var $Name;
  127. var $RelativeDistinguishedName;
  128. var $CRLNumber;
  129. var $CRLReason;
  130. var $IssuingDistributionPoint;
  131. var $InvalidityDate;
  132. var $CertificateIssuer;
  133. /**#@-*/
  134. /**
  135. * ASN.1 syntax for Certificate Signing Requests (RFC2986)
  136. *
  137. * @var Array
  138. * @access private
  139. */
  140. var $CertificationRequest;
  141. /**
  142. * ASN.1 syntax for Certificate Revocation Lists (RFC5280)
  143. *
  144. * @var Array
  145. * @access private
  146. */
  147. var $CertificateList;
  148. /**
  149. * Distinguished Name
  150. *
  151. * @var Array
  152. * @access private
  153. */
  154. var $dn;
  155. /**
  156. * Public key
  157. *
  158. * @var String
  159. * @access private
  160. */
  161. var $publicKey;
  162. /**
  163. * Private key
  164. *
  165. * @var String
  166. * @access private
  167. */
  168. var $privateKey;
  169. /**
  170. * Object identifiers for X.509 certificates
  171. *
  172. * @var Array
  173. * @access private
  174. * @link http://en.wikipedia.org/wiki/Object_identifier
  175. */
  176. var $oids;
  177. /**
  178. * The certificate authorities
  179. *
  180. * @var Array
  181. * @access private
  182. */
  183. var $CAs;
  184. /**
  185. * The currently loaded certificate
  186. *
  187. * @var Array
  188. * @access private
  189. */
  190. var $currentCert;
  191. /**
  192. * The signature subject
  193. *
  194. * There's no guarantee File_X509 is going to reencode an X.509 cert in the same way it was originally
  195. * encoded, so we save the portion of the original cert that the signature was computed over.
  196. *
  197. * @var String
  198. * @access private
  199. */
  200. var $signatureSubject;
  201. /**
  202. * Certificate Start Date
  203. *
  204. * @var String
  205. * @access private
  206. */
  207. var $startDate;
  208. /**
  209. * Certificate End Date
  210. *
  211. * @var String
  212. * @access private
  213. */
  214. var $endDate;
  215. /**
  216. * Serial Number
  217. *
  218. * @var String
  219. * @access private
  220. */
  221. var $serialNumber;
  222. /**
  223. * Key Identifier
  224. *
  225. * See {@link http://tools.ietf.org/html/rfc5280#section-4.2.1.1 RFC5280#section-4.2.1.1} and
  226. * {@link http://tools.ietf.org/html/rfc5280#section-4.2.1.2 RFC5280#section-4.2.1.2}.
  227. *
  228. * @var String
  229. * @access private
  230. */
  231. var $currentKeyIdentifier;
  232. /**
  233. * CA Flag
  234. *
  235. * @var Boolean
  236. * @access private
  237. */
  238. var $caFlag = false;
  239. /**
  240. * Default Constructor.
  241. *
  242. * @return File_X509
  243. * @access public
  244. */
  245. function File_X509()
  246. {
  247. // Explicitly Tagged Module, 1988 Syntax
  248. // http://tools.ietf.org/html/rfc5280#appendix-A.1
  249. $DirectoryString = array(
  250. 'type' => FILE_ASN1_TYPE_CHOICE,
  251. 'children' => array(
  252. 'teletexString' => array('type' => FILE_ASN1_TYPE_TELETEX_STRING),
  253. 'printableString' => array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING),
  254. 'universalString' => array('type' => FILE_ASN1_TYPE_UNIVERSAL_STRING),
  255. 'utf8String' => array('type' => FILE_ASN1_TYPE_UTF8_STRING),
  256. 'bmpString' => array('type' => FILE_ASN1_TYPE_BMP_STRING)
  257. )
  258. );
  259. $AttributeValue = array('type' => FILE_ASN1_TYPE_ANY);
  260. $AttributeType = array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER);
  261. $AttributeTypeAndValue = array(
  262. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  263. 'children' => array(
  264. 'type' => $AttributeType,
  265. 'value'=> $AttributeValue
  266. )
  267. );
  268. /*
  269. In practice, RDNs containing multiple name-value pairs (called "multivalued RDNs") are rare,
  270. but they can be useful at times when either there is no unique attribute in the entry or you
  271. want to ensure that the entry's DN contains some useful identifying information.
  272. - https://www.opends.org/wiki/page/DefinitionRelativeDistinguishedName
  273. */
  274. $this->RelativeDistinguishedName = array(
  275. 'type' => FILE_ASN1_TYPE_SET,
  276. 'min' => 1,
  277. 'max' => -1,
  278. 'children' => $AttributeTypeAndValue
  279. );
  280. // http://tools.ietf.org/html/rfc5280#section-4.1.2.4
  281. $RDNSequence = array(
  282. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  283. // RDNSequence does not define a min or a max, which means it doesn't have one
  284. 'min' => 0,
  285. 'max' => -1,
  286. 'children' => $this->RelativeDistinguishedName
  287. );
  288. $this->Name = array(
  289. 'type' => FILE_ASN1_TYPE_CHOICE,
  290. 'children' => array(
  291. 'rdnSequence' => $RDNSequence
  292. )
  293. );
  294. // http://tools.ietf.org/html/rfc5280#section-4.1.1.2
  295. $AlgorithmIdentifier = array(
  296. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  297. 'children' => array(
  298. 'algorithm' => array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER),
  299. 'parameters' => array(
  300. 'type' => FILE_ASN1_TYPE_ANY,
  301. 'optional' => true
  302. )
  303. )
  304. );
  305. /*
  306. A certificate using system MUST reject the certificate if it encounters
  307. a critical extension it does not recognize; however, a non-critical
  308. extension may be ignored if it is not recognized.
  309. http://tools.ietf.org/html/rfc5280#section-4.2
  310. */
  311. $Extension = array(
  312. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  313. 'children' => array(
  314. 'extnId' => array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER),
  315. 'critical' => array(
  316. 'type' => FILE_ASN1_TYPE_BOOLEAN,
  317. 'optional' => true,
  318. 'default' => false
  319. ),
  320. 'extnValue' => array('type' => FILE_ASN1_TYPE_OCTET_STRING)
  321. )
  322. );
  323. $Extensions = array(
  324. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  325. 'min' => 1,
  326. // technically, it's MAX, but we'll assume anything < 0 is MAX
  327. 'max' => -1,
  328. // if 'children' isn't an array then 'min' and 'max' must be defined
  329. 'children' => $Extension
  330. );
  331. $SubjectPublicKeyInfo = array(
  332. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  333. 'children' => array(
  334. 'algorithm' => $AlgorithmIdentifier,
  335. 'subjectPublicKey' => array('type' => FILE_ASN1_TYPE_BIT_STRING)
  336. )
  337. );
  338. $UniqueIdentifier = array('type' => FILE_ASN1_TYPE_BIT_STRING);
  339. $Time = array(
  340. 'type' => FILE_ASN1_TYPE_CHOICE,
  341. 'children' => array(
  342. 'utcTime' => array('type' => FILE_ASN1_TYPE_UTC_TIME),
  343. 'generalTime' => array('type' => FILE_ASN1_TYPE_GENERALIZED_TIME)
  344. )
  345. );
  346. // http://tools.ietf.org/html/rfc5280#section-4.1.2.5
  347. $Validity = array(
  348. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  349. 'children' => array(
  350. 'notBefore' => $Time,
  351. 'notAfter' => $Time
  352. )
  353. );
  354. $CertificateSerialNumber = array('type' => FILE_ASN1_TYPE_INTEGER);
  355. $Version = array(
  356. 'type' => FILE_ASN1_TYPE_INTEGER,
  357. 'mapping' => array('v1', 'v2', 'v3')
  358. );
  359. // assert($TBSCertificate['children']['signature'] == $Certificate['children']['signatureAlgorithm'])
  360. $TBSCertificate = array(
  361. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  362. 'children' => array(
  363. // technically, default implies optional, but we'll define it as being optional, none-the-less, just to
  364. // reenforce that fact
  365. 'version' => array(
  366. 'constant' => 0,
  367. 'optional' => true,
  368. 'explicit' => true,
  369. 'default' => 'v1'
  370. ) + $Version,
  371. 'serialNumber' => $CertificateSerialNumber,
  372. 'signature' => $AlgorithmIdentifier,
  373. 'issuer' => $this->Name,
  374. 'validity' => $Validity,
  375. 'subject' => $this->Name,
  376. 'subjectPublicKeyInfo' => $SubjectPublicKeyInfo,
  377. // implicit means that the T in the TLV structure is to be rewritten, regardless of the type
  378. 'issuerUniqueID' => array(
  379. 'constant' => 1,
  380. 'optional' => true,
  381. 'implicit' => true
  382. ) + $UniqueIdentifier,
  383. 'subjectUniqueID' => array(
  384. 'constant' => 2,
  385. 'optional' => true,
  386. 'implicit' => true
  387. ) + $UniqueIdentifier,
  388. // <http://tools.ietf.org/html/rfc2459#page-74> doesn't use the EXPLICIT keyword but if
  389. // it's not IMPLICIT, it's EXPLICIT
  390. 'extensions' => array(
  391. 'constant' => 3,
  392. 'optional' => true,
  393. 'explicit' => true
  394. ) + $Extensions
  395. )
  396. );
  397. $this->Certificate = array(
  398. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  399. 'children' => array(
  400. 'tbsCertificate' => $TBSCertificate,
  401. 'signatureAlgorithm' => $AlgorithmIdentifier,
  402. 'signature' => array('type' => FILE_ASN1_TYPE_BIT_STRING)
  403. )
  404. );
  405. $this->KeyUsage = array(
  406. 'type' => FILE_ASN1_TYPE_BIT_STRING,
  407. 'mapping' => array(
  408. 'digitalSignature',
  409. 'nonRepudiation',
  410. 'keyEncipherment',
  411. 'dataEncipherment',
  412. 'keyAgreement',
  413. 'keyCertSign',
  414. 'cRLSign',
  415. 'encipherOnly',
  416. 'decipherOnly'
  417. )
  418. );
  419. $this->BasicConstraints = array(
  420. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  421. 'children' => array(
  422. 'cA' => array(
  423. 'type' => FILE_ASN1_TYPE_BOOLEAN,
  424. 'optional' => true,
  425. 'default' => false
  426. ),
  427. 'pathLenConstraint' => array(
  428. 'type' => FILE_ASN1_TYPE_INTEGER,
  429. 'optional' => true
  430. )
  431. )
  432. );
  433. $this->KeyIdentifier = array('type' => FILE_ASN1_TYPE_OCTET_STRING);
  434. $OrganizationalUnitNames = array(
  435. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  436. 'min' => 1,
  437. 'max' => 4, // ub-organizational-units
  438. 'children' => array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING)
  439. );
  440. $PersonalName = array(
  441. 'type' => FILE_ASN1_TYPE_SET,
  442. 'children' => array(
  443. 'surname' => array(
  444. 'type' => FILE_ASN1_TYPE_PRINTABLE_STRING,
  445. 'constant' => 0,
  446. 'optional' => true,
  447. 'implicit' => true
  448. ),
  449. 'given-name' => array(
  450. 'type' => FILE_ASN1_TYPE_PRINTABLE_STRING,
  451. 'constant' => 1,
  452. 'optional' => true,
  453. 'implicit' => true
  454. ),
  455. 'initials' => array(
  456. 'type' => FILE_ASN1_TYPE_PRINTABLE_STRING,
  457. 'constant' => 2,
  458. 'optional' => true,
  459. 'implicit' => true
  460. ),
  461. 'generation-qualifier' => array(
  462. 'type' => FILE_ASN1_TYPE_PRINTABLE_STRING,
  463. 'constant' => 3,
  464. 'optional' => true,
  465. 'implicit' => true
  466. )
  467. )
  468. );
  469. $NumericUserIdentifier = array('type' => FILE_ASN1_TYPE_NUMERIC_STRING);
  470. $OrganizationName = array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING);
  471. $PrivateDomainName = array(
  472. 'type' => FILE_ASN1_TYPE_CHOICE,
  473. 'children' => array(
  474. 'numeric' => array('type' => FILE_ASN1_TYPE_NUMERIC_STRING),
  475. 'printable' => array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING)
  476. )
  477. );
  478. $TerminalIdentifier = array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING);
  479. $NetworkAddress = array('type' => FILE_ASN1_TYPE_NUMERIC_STRING);
  480. $AdministrationDomainName = array(
  481. 'type' => FILE_ASN1_TYPE_CHOICE,
  482. // if class isn't present it's assumed to be FILE_ASN1_CLASS_UNIVERSAL or
  483. // (if constant is present) FILE_ASN1_CLASS_CONTEXT_SPECIFIC
  484. 'class' => FILE_ASN1_CLASS_APPLICATION,
  485. 'cast' => 2,
  486. 'children' => array(
  487. 'numeric' => array('type' => FILE_ASN1_TYPE_NUMERIC_STRING),
  488. 'printable' => array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING)
  489. )
  490. );
  491. $CountryName = array(
  492. 'type' => FILE_ASN1_TYPE_CHOICE,
  493. // if class isn't present it's assumed to be FILE_ASN1_CLASS_UNIVERSAL or
  494. // (if constant is present) FILE_ASN1_CLASS_CONTEXT_SPECIFIC
  495. 'class' => FILE_ASN1_CLASS_APPLICATION,
  496. 'cast' => 1,
  497. 'children' => array(
  498. 'x121-dcc-code' => array('type' => FILE_ASN1_TYPE_NUMERIC_STRING),
  499. 'iso-3166-alpha2-code' => array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING)
  500. )
  501. );
  502. $AnotherName = array(
  503. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  504. 'children' => array(
  505. 'type-id' => array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER),
  506. 'value' => array(
  507. 'type' => FILE_ASN1_TYPE_ANY,
  508. 'constant' => 0,
  509. 'optional' => true,
  510. 'explicit' => true
  511. )
  512. )
  513. );
  514. $ExtensionAttribute = array(
  515. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  516. 'children' => array(
  517. 'extension-attribute-type' => array(
  518. 'type' => FILE_ASN1_TYPE_PRINTABLE_STRING,
  519. 'constant' => 0,
  520. 'optional' => true,
  521. 'implicit' => true
  522. ),
  523. 'extension-attribute-value' => array(
  524. 'type' => FILE_ASN1_TYPE_ANY,
  525. 'constant' => 1,
  526. 'optional' => true,
  527. 'explicit' => true
  528. )
  529. )
  530. );
  531. $ExtensionAttributes = array(
  532. 'type' => FILE_ASN1_TYPE_SET,
  533. 'min' => 1,
  534. 'max' => 256, // ub-extension-attributes
  535. 'children' => $ExtensionAttribute
  536. );
  537. $BuiltInDomainDefinedAttribute = array(
  538. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  539. 'children' => array(
  540. 'type' => array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING),
  541. 'value' => array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING)
  542. )
  543. );
  544. $BuiltInDomainDefinedAttributes = array(
  545. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  546. 'min' => 1,
  547. 'max' => 4, // ub-domain-defined-attributes
  548. 'children' => $BuiltInDomainDefinedAttribute
  549. );
  550. $BuiltInStandardAttributes = array(
  551. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  552. 'children' => array(
  553. 'country-name' => array('optional' => true) + $CountryName,
  554. 'administration-domain-name' => array('optional' => true) + $AdministrationDomainName,
  555. 'network-address' => array(
  556. 'constant' => 0,
  557. 'optional' => true,
  558. 'implicit' => true
  559. ) + $NetworkAddress,
  560. 'terminal-identifier' => array(
  561. 'constant' => 1,
  562. 'optional' => true,
  563. 'implicit' => true
  564. ) + $TerminalIdentifier,
  565. 'private-domain-name' => array(
  566. 'constant' => 2,
  567. 'optional' => true,
  568. 'explicit' => true
  569. ) + $PrivateDomainName,
  570. 'organization-name' => array(
  571. 'constant' => 3,
  572. 'optional' => true,
  573. 'implicit' => true
  574. ) + $OrganizationName,
  575. 'numeric-user-identifier' => array(
  576. 'constant' => 4,
  577. 'optional' => true,
  578. 'implicit' => true
  579. ) + $NumericUserIdentifier,
  580. 'personal-name' => array(
  581. 'constant' => 5,
  582. 'optional' => true,
  583. 'implicit' => true
  584. ) + $PersonalName,
  585. 'organizational-unit-names' => array(
  586. 'constant' => 6,
  587. 'optional' => true,
  588. 'implicit' => true
  589. ) + $OrganizationalUnitNames
  590. )
  591. );
  592. $ORAddress = array(
  593. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  594. 'children' => array(
  595. 'built-in-standard-attributes' => $BuiltInStandardAttributes,
  596. 'built-in-domain-defined-attributes' => array('optional' => true) + $BuiltInDomainDefinedAttributes,
  597. 'extension-attributes' => array('optional' => true) + $ExtensionAttributes
  598. )
  599. );
  600. $EDIPartyName = array(
  601. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  602. 'children' => array(
  603. 'nameAssigner' => array(
  604. 'constant' => 0,
  605. 'optional' => true,
  606. 'implicit' => true
  607. ) + $DirectoryString,
  608. // partyName is technically required but File_ASN1 doesn't currently support non-optional constants and
  609. // setting it to optional gets the job done in any event.
  610. 'partyName' => array(
  611. 'constant' => 1,
  612. 'optional' => true,
  613. 'implicit' => true
  614. ) + $DirectoryString
  615. )
  616. );
  617. $GeneralName = array(
  618. 'type' => FILE_ASN1_TYPE_CHOICE,
  619. 'children' => array(
  620. 'otherName' => array(
  621. 'constant' => 0,
  622. 'optional' => true,
  623. 'implicit' => true
  624. ) + $AnotherName,
  625. 'rfc822Name' => array(
  626. 'type' => FILE_ASN1_TYPE_IA5_STRING,
  627. 'constant' => 1,
  628. 'optional' => true,
  629. 'implicit' => true
  630. ),
  631. 'dNSName' => array(
  632. 'type' => FILE_ASN1_TYPE_IA5_STRING,
  633. 'constant' => 2,
  634. 'optional' => true,
  635. 'implicit' => true
  636. ),
  637. 'x400Address' => array(
  638. 'constant' => 3,
  639. 'optional' => true,
  640. 'implicit' => true
  641. ) + $ORAddress,
  642. 'directoryName' => array(
  643. 'constant' => 4,
  644. 'optional' => true,
  645. 'explicit' => true
  646. ) + $this->Name,
  647. 'ediPartyName' => array(
  648. 'constant' => 5,
  649. 'optional' => true,
  650. 'implicit' => true
  651. ) + $EDIPartyName,
  652. 'uniformResourceIdentifier' => array(
  653. 'type' => FILE_ASN1_TYPE_IA5_STRING,
  654. 'constant' => 6,
  655. 'optional' => true,
  656. 'implicit' => true
  657. ),
  658. 'iPAddress' => array(
  659. 'type' => FILE_ASN1_TYPE_OCTET_STRING,
  660. 'constant' => 7,
  661. 'optional' => true,
  662. 'implicit' => true
  663. ),
  664. 'registeredID' => array(
  665. 'type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER,
  666. 'constant' => 8,
  667. 'optional' => true,
  668. 'implicit' => true
  669. )
  670. )
  671. );
  672. $GeneralNames = array(
  673. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  674. 'min' => 1,
  675. 'max' => -1,
  676. 'children' => $GeneralName
  677. );
  678. $this->IssuerAltName = $GeneralNames;
  679. $ReasonFlags = array(
  680. 'type' => FILE_ASN1_TYPE_BIT_STRING,
  681. 'mapping' => array(
  682. 'unused',
  683. 'keyCompromise',
  684. 'cACompromise',
  685. 'affiliationChanged',
  686. 'superseded',
  687. 'cessationOfOperation',
  688. 'certificateHold',
  689. 'privilegeWithdrawn',
  690. 'aACompromise'
  691. )
  692. );
  693. $DistributionPointName = array(
  694. 'type' => FILE_ASN1_TYPE_CHOICE,
  695. 'children' => array(
  696. 'fullName' => array(
  697. 'constant' => 0,
  698. 'optional' => true,
  699. 'implicit' => true
  700. ) + $GeneralNames,
  701. 'nameRelativeToCRLIssuer' => array(
  702. 'constant' => 1,
  703. 'optional' => true,
  704. 'implicit' => true
  705. ) + $this->RelativeDistinguishedName
  706. )
  707. );
  708. $DistributionPoint = array(
  709. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  710. 'children' => array(
  711. 'distributionPoint' => array(
  712. 'constant' => 0,
  713. 'optional' => true,
  714. 'explicit' => true
  715. ) + $DistributionPointName,
  716. 'reasons' => array(
  717. 'constant' => 1,
  718. 'optional' => true,
  719. 'implicit' => true
  720. ) + $ReasonFlags,
  721. 'cRLIssuer' => array(
  722. 'constant' => 2,
  723. 'optional' => true,
  724. 'implicit' => true
  725. ) + $GeneralNames
  726. )
  727. );
  728. $this->CRLDistributionPoints = array(
  729. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  730. 'min' => 1,
  731. 'max' => -1,
  732. 'children' => $DistributionPoint
  733. );
  734. $this->AuthorityKeyIdentifier = array(
  735. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  736. 'children' => array(
  737. 'keyIdentifier' => array(
  738. 'constant' => 0,
  739. 'optional' => true,
  740. 'implicit' => true
  741. ) + $this->KeyIdentifier,
  742. 'authorityCertIssuer' => array(
  743. 'constant' => 1,
  744. 'optional' => true,
  745. 'implicit' => true
  746. ) + $GeneralNames,
  747. 'authorityCertSerialNumber' => array(
  748. 'constant' => 2,
  749. 'optional' => true,
  750. 'implicit' => true
  751. ) + $CertificateSerialNumber
  752. )
  753. );
  754. $PolicyQualifierId = array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER);
  755. $PolicyQualifierInfo = array(
  756. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  757. 'children' => array(
  758. 'policyQualifierId' => $PolicyQualifierId,
  759. 'qualifier' => array('type' => FILE_ASN1_TYPE_ANY)
  760. )
  761. );
  762. $CertPolicyId = array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER);
  763. $PolicyInformation = array(
  764. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  765. 'children' => array(
  766. 'policyIdentifier' => $CertPolicyId,
  767. 'policyQualifiers' => array(
  768. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  769. 'min' => 0,
  770. 'max' => -1,
  771. 'optional' => true,
  772. 'children' => $PolicyQualifierInfo
  773. )
  774. )
  775. );
  776. $this->CertificatePolicies = array(
  777. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  778. 'min' => 1,
  779. 'max' => -1,
  780. 'children' => $PolicyInformation
  781. );
  782. $this->PolicyMappings = array(
  783. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  784. 'min' => 1,
  785. 'max' => -1,
  786. 'children' => array(
  787. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  788. 'children' => array(
  789. 'issuerDomainPolicy' => $CertPolicyId,
  790. 'subjectDomainPolicy' => $CertPolicyId
  791. )
  792. )
  793. );
  794. $KeyPurposeId = array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER);
  795. $this->ExtKeyUsageSyntax = array(
  796. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  797. 'min' => 1,
  798. 'max' => -1,
  799. 'children' => $KeyPurposeId
  800. );
  801. $AccessDescription = array(
  802. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  803. 'children' => array(
  804. 'accessMethod' => array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER),
  805. 'accessLocation' => $GeneralName
  806. )
  807. );
  808. $this->AuthorityInfoAccessSyntax = array(
  809. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  810. 'min' => 1,
  811. 'max' => -1,
  812. 'children' => $AccessDescription
  813. );
  814. $this->SubjectAltName = $GeneralNames;
  815. $this->PrivateKeyUsagePeriod = array(
  816. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  817. 'children' => array(
  818. 'notBefore' => array(
  819. 'constant' => 0,
  820. 'optional' => true,
  821. 'implicit' => true,
  822. 'type' => FILE_ASN1_TYPE_GENERALIZED_TIME),
  823. 'notAfter' => array(
  824. 'constant' => 1,
  825. 'optional' => true,
  826. 'implicit' => true,
  827. 'type' => FILE_ASN1_TYPE_GENERALIZED_TIME)
  828. )
  829. );
  830. $BaseDistance = array('type' => FILE_ASN1_TYPE_INTEGER);
  831. $GeneralSubtree = array(
  832. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  833. 'children' => array(
  834. 'base' => $GeneralName,
  835. 'minimum' => array(
  836. 'constant' => 0,
  837. 'optional' => true,
  838. 'implicit' => true,
  839. 'default' => new Math_BigInteger(0)
  840. ) + $BaseDistance,
  841. 'maximum' => array(
  842. 'constant' => 1,
  843. 'optional' => true,
  844. 'implicit' => true,
  845. ) + $BaseDistance
  846. )
  847. );
  848. $GeneralSubtrees = array(
  849. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  850. 'min' => 1,
  851. 'max' => -1,
  852. 'children' => $GeneralSubtree
  853. );
  854. $this->NameConstraints = array(
  855. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  856. 'children' => array(
  857. 'permittedSubtrees' => array(
  858. 'constant' => 0,
  859. 'optional' => true,
  860. 'implicit' => true
  861. ) + $GeneralSubtrees,
  862. 'excludedSubtrees' => array(
  863. 'constant' => 1,
  864. 'optional' => true,
  865. 'implicit' => true
  866. ) + $GeneralSubtrees
  867. )
  868. );
  869. $this->CPSuri = array('type' => FILE_ASN1_TYPE_IA5_STRING);
  870. $DisplayText = array(
  871. 'type' => FILE_ASN1_TYPE_CHOICE,
  872. 'children' => array(
  873. 'ia5String' => array('type' => FILE_ASN1_TYPE_IA5_STRING),
  874. 'visibleString' => array('type' => FILE_ASN1_TYPE_VISIBLE_STRING),
  875. 'bmpString' => array('type' => FILE_ASN1_TYPE_BMP_STRING),
  876. 'utf8String' => array('type' => FILE_ASN1_TYPE_UTF8_STRING)
  877. )
  878. );
  879. $NoticeReference = array(
  880. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  881. 'children' => array(
  882. 'organization' => $DisplayText,
  883. 'noticeNumbers' => array(
  884. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  885. 'min' => 1,
  886. 'max' => 200,
  887. 'children' => array('type' => FILE_ASN1_TYPE_INTEGER)
  888. )
  889. )
  890. );
  891. $this->UserNotice = array(
  892. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  893. 'children' => array(
  894. 'noticeRef' => array(
  895. 'optional' => true,
  896. 'implicit' => true
  897. ) + $NoticeReference,
  898. 'explicitText' => array(
  899. 'optional' => true,
  900. 'implicit' => true
  901. ) + $DisplayText
  902. )
  903. );
  904. // mapping is from <http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html>
  905. $this->netscape_cert_type = array(
  906. 'type' => FILE_ASN1_TYPE_BIT_STRING,
  907. 'mapping' => array(
  908. 'SSLClient',
  909. 'SSLServer',
  910. 'Email',
  911. 'ObjectSigning',
  912. 'Reserved',
  913. 'SSLCA',
  914. 'EmailCA',
  915. 'ObjectSigningCA'
  916. )
  917. );
  918. $this->netscape_comment = array('type' => FILE_ASN1_TYPE_IA5_STRING);
  919. $this->netscape_ca_policy_url = array('type' => FILE_ASN1_TYPE_IA5_STRING);
  920. // attribute is used in RFC2986 but we're using the RFC5280 definition
  921. $Attribute = array(
  922. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  923. 'children' => array(
  924. 'type' => $AttributeType,
  925. 'value'=> array(
  926. 'type' => FILE_ASN1_TYPE_SET,
  927. 'min' => 1,
  928. 'max' => -1,
  929. 'children' => $AttributeValue
  930. )
  931. )
  932. );
  933. // adapted from <http://tools.ietf.org/html/rfc2986>
  934. $Attributes = array(
  935. 'type' => FILE_ASN1_TYPE_SET,
  936. 'min' => 1,
  937. 'max' => -1,
  938. 'children' => $Attribute
  939. );
  940. $CertificationRequestInfo = array(
  941. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  942. 'children' => array(
  943. 'version' => array(
  944. 'type' => FILE_ASN1_TYPE_INTEGER,
  945. 'mapping' => array('v1')
  946. ),
  947. 'subject' => $this->Name,
  948. 'subjectPKInfo' => $SubjectPublicKeyInfo,
  949. 'attributes' => array(
  950. 'constant' => 0,
  951. 'optional' => true,
  952. 'implicit' => true
  953. ) + $Attributes,
  954. )
  955. );
  956. $this->CertificationRequest = array(
  957. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  958. 'children' => array(
  959. 'certificationRequestInfo' => $CertificationRequestInfo,
  960. 'signatureAlgorithm' => $AlgorithmIdentifier,
  961. 'signature' => array('type' => FILE_ASN1_TYPE_BIT_STRING)
  962. )
  963. );
  964. $RevokedCertificate = array(
  965. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  966. 'children' => array(
  967. 'userCertificate' => $CertificateSerialNumber,
  968. 'revocationDate' => $Time,
  969. 'crlEntryExtensions' => array(
  970. 'optional' => true
  971. ) + $Extensions
  972. )
  973. );
  974. $TBSCertList = array(
  975. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  976. 'children' => array(
  977. 'version' => array(
  978. 'optional' => true,
  979. 'default' => 'v1'
  980. ) + $Version,
  981. 'signature' => $AlgorithmIdentifier,
  982. 'issuer' => $this->Name,
  983. 'thisUpdate' => $Time,
  984. 'nextUpdate' => array(
  985. 'optional' => true
  986. ) + $Time,
  987. 'revokedCertificates' => array(
  988. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  989. 'optional' => true,
  990. 'min' => 0,
  991. 'max' => -1,
  992. 'children' => $RevokedCertificate
  993. ),
  994. 'crlExtensions' => array(
  995. 'constant' => 0,
  996. 'optional' => true,
  997. 'explicit' => true
  998. ) + $Extensions
  999. )
  1000. );
  1001. $this->CertificateList = array(
  1002. 'type' => FILE_ASN1_TYPE_SEQUENCE,
  1003. 'children' => array(
  1004. 'tbsCertList' => $TBSCertList,
  1005. 'signatureAlgorithm' => $AlgorithmIdentifier,
  1006. 'signature' => array('type' => FILE_ASN1_TYPE_BIT_STRING)
  1007. )
  1008. );
  1009. $this->CRLNumber = array('type' => FILE_ASN1_TYPE_INTEGER);
  1010. $this->CRLReason = array('type' => FILE_ASN1_TYPE_ENUMERATED,
  1011. 'mapping' => array(
  1012. 'unspecified',
  1013. 'keyCompromise',
  1014. 'cACompromise',
  1015. 'affiliationChanged',
  1016. 'superseded',
  1017. 'cessationOfOperation',
  1018. 'certificateHold',
  1019. // Value 7 is not used.
  1020. 8 => 'removeFromCRL',
  1021. 'privilegeWithdrawn',
  1022. 'aACompromise'
  1023. )
  1024. );
  1025. $this->IssuingDistributionPoint = array('type' => FILE_ASN1_TYPE_SEQUENCE,
  1026. 'children' => array(
  1027. 'distributionPoint' => array(
  1028. 'constant' => 0,
  1029. 'optional' => true,
  1030. 'explicit' => true
  1031. ) + $DistributionPointName,
  1032. 'onlyContainsUserCerts' => array(
  1033. 'type' => FILE_ASN1_TYPE_BOOLEAN,
  1034. 'constant' => 1,
  1035. 'optional' => true,
  1036. 'default' => false,
  1037. 'implicit' => true
  1038. ),
  1039. 'onlyContainsCACerts' => array(
  1040. 'type' => FILE_ASN1_TYPE_BOOLEAN,
  1041. 'constant' => 2,
  1042. 'optional' => true,
  1043. 'default' => false,
  1044. 'implicit' => true
  1045. ),
  1046. 'onlySomeReasons' => array(
  1047. 'constant' => 3,
  1048. 'optional' => true,
  1049. 'implicit' => true
  1050. ) + $ReasonFlags,
  1051. 'indirectCRL' => array(
  1052. 'type' => FILE_ASN1_TYPE_BOOLEAN,
  1053. 'constant' => 4,
  1054. 'optional' => true,
  1055. 'default' => false,
  1056. 'implicit' => true
  1057. ),
  1058. 'onlyContainsAttributeCerts' => array(
  1059. 'type' => FILE_ASN1_TYPE_BOOLEAN,
  1060. 'constant' => 5,
  1061. 'optional' => true,
  1062. 'default' => false,
  1063. 'implicit' => true
  1064. )
  1065. )
  1066. );
  1067. $this->InvalidityDate = array('type' => FILE_ASN1_TYPE_GENERALIZED_TIME);
  1068. $this->CertificateIssuer = $GeneralNames;
  1069. // OIDs from RFC5280 and those RFCs mentioned in RFC5280#section-4.1.1.2
  1070. $this->oids = array(
  1071. '1.3.6.1.5.5.7' => 'id-pkix',
  1072. '1.3.6.1.5.5.7.1' => 'id-pe',
  1073. '1.3.6.1.5.5.7.2' => 'id-qt',
  1074. '1.3.6.1.5.5.7.3' => 'id-kp',
  1075. '1.3.6.1.5.5.7.48' => 'id-ad',
  1076. '1.3.6.1.5.5.7.2.1' => 'id-qt-cps',
  1077. '1.3.6.1.5.5.7.2.2' => 'id-qt-unotice',
  1078. '1.3.6.1.5.5.7.48.1' =>'id-ad-ocsp',
  1079. '1.3.6.1.5.5.7.48.2' => 'id-ad-caIssuers',
  1080. '1.3.6.1.5.5.7.48.3' => 'id-ad-timeStamping',
  1081. '1.3.6.1.5.5.7.48.5' => 'id-ad-caRepository',
  1082. '2.5.4' => 'id-at',
  1083. '2.5.4.41' => 'id-at-name',
  1084. '2.5.4.4' => 'id-at-surname',
  1085. '2.5.4.42' => 'id-at-givenName',
  1086. '2.5.4.43' => 'id-at-initials',
  1087. '2.5.4.44' => 'id-at-geneā€¦
