/vendors/phpseclib/File/X509.php
PHP | 2582 lines | 1773 code | 245 blank | 564 comment | 152 complexity | f1a7938a31c368b2a98cd292c03d0a64 MD5 | raw file
Large files files are truncated, but you can click here to view the full file
- <?php
- /* vim: set expandtab tabstop=4 shiftwidth=4 softtabstop=4: */
- /**
- * Pure-PHP X.509 Parser
- *
- * PHP versions 4 and 5
- *
- * Encode and decode X.509 certificates.
- *
- * The extensions are from {@link http://tools.ietf.org/html/rfc5280 RFC5280} and
- * {@link http://web.archive.org/web/19961027104704/http://www3.netscape.com/eng/security/cert-exts.html Netscape Certificate Extensions}.
- *
- * Note that loading an X.509 certificate and resaving it may invalidate the signature. The reason being that the signature is based on a
- * portion of the certificate that contains optional parameters with default values. ie. if the parameter isn't there the default value is
- * used. Problem is, if the parameter is there and it just so happens to have the default value there are two ways that that parameter can
- * be encoded. It can be encoded explicitly or left out all together. This would effect the signature value and thus may invalidate the
- * the certificate all together unless the certificate is re-signed.
- *
- * LICENSE: Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- *
- * @category File
- * @package File_X509
- * @author Jim Wigginton <terrafrost@php.net>
- * @copyright MMXII Jim Wigginton
- * @license http://www.opensource.org/licenses/mit-license.html MIT License
- * @version $Id$
- * @link htp://phpseclib.sourceforge.net
- */
- /**
- * Include File_ASN1
- */
- if (!class_exists('File_ASN1')) {
- require_once('File/ASN1.php');
- }
- /**
- * Flag to only accept signatures signed by certificate authorities
- *
- * @access public
- * @see File_X509::validateSignature()
- */
- define('FILE_X509_VALIDATE_SIGNATURE_BY_CA', 1);
- /**
- * Pure-PHP X.509 Parser
- *
- * @author Jim Wigginton <terrafrost@php.net>
- * @version 0.3.0
- * @access public
- * @package File_X509
- */
- class File_X509 {
- /**
- * ASN.1 syntax for X.509 certificates
- *
- * @var Array
- * @access private
- */
- var $Certificate;
- /**#@+
- * ASN.1 syntax for various extensions
- *
- * @access private
- */
- var $KeyUsage;
- var $ExtKeyUsageSyntax;
- var $BasicConstraints;
- var $KeyIdentifier;
- var $CRLDistributionPoints;
- var $AuthorityKeyIdentifier;
- var $CertificatePolicies;
- var $AuthorityInfoAccessSyntax;
- var $SubjectAltName;
- var $PrivateKeyUsagePeriod;
- var $IssuerAltName;
- var $PolicyMappings;
- var $NameConstraints;
- var $CPSuri;
- var $UserNotice;
- var $netscape_cert_type;
- var $netscape_comment;
- /**#@-*/
- /**
- * ASN.1 syntax for Certificate Signing Requests (RFC2986)
- *
- * @var Array
- * @access private
- */
- var $CertificationRequest;
- /**
- * Distinguished Name
- *
- * @var Array
- * @access private
- */
- var $dn;
- /**
- * Public key
- *
- * @var String
- * @access private
- */
- var $publicKey;
- /**
- * Private key
- *
- * @var String
- * @access private
- */
- var $privateKey;
- /**
- * Object identifiers for X.509 certificates
- *
- * @var Array
- * @access private
- * @link http://en.wikipedia.org/wiki/Object_identifier
- */
- var $oids;
- /**
- * The certificate authorities
- *
- * @var Array
- * @access private
- */
- var $CAs;
- /**
- * The currently loaded certificate
- *
- * @var Array
- * @access private
- */
- var $currentCert;
- /**
- * The signature subject
- *
- * There's no guarantee File_X509 is going to reencode an X.509 cert in the same way it was originally
- * encoded so we take save the portion of the original cert that the signature would have made for.
- *
- * @var String
- * @access private
- */
- var $signatureSubject;
- /**
- * Certificate Start Date
- *
- * @var String
- * @access private
- */
- var $startDate;
- /**
- * Certificate End Date
- *
- * @var String
- * @access private
- */
- var $endDate;
- /**
- * Serial Number
- *
- * @var String
- * @access private
- */
- var $serialNumber;
- /**
- * Key Identifier
- *
- * See {@link http://tools.ietf.org/html/rfc5280#section-4.2.1.1 RFC5280#section-4.2.1.1} and
- * {@link http://tools.ietf.org/html/rfc5280#section-4.2.1.2 RFC5280#section-4.2.1.2}.
- *
- * @var String
- * @access private
- */
- var $keyIdentifier;
- /**
- * CA Flag
- *
- * @var Boolean
- * @access private
- */
- var $caFlag = false;
- /**
- * Default Constructor.
- *
- * @return File_X509
- * @access public
- */
- function File_X509()
- {
- // Explicitly Tagged Module, 1988 Syntax
- // http://tools.ietf.org/html/rfc5280#appendix-A.1
- $temp = array('min' => 1, 'max' => -1);
- $DirectoryString = array(
- 'type' => FILE_ASN1_TYPE_CHOICE,
- 'children' => array(
- 'teletexString' => $temp + array('type' => FILE_ASN1_TYPE_TELETEX_STRING),
- 'printableString' => $temp + array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING),
- 'universalString' => $temp + array('type' => FILE_ASN1_TYPE_UNIVERSAL_STRING),
- 'utf8String' => $temp + array('type' => FILE_ASN1_TYPE_UTF8_STRING),
- 'bmpString' => $temp + array('type' => FILE_ASN1_TYPE_BMP_STRING)
- )
- );
- $AttributeValue = array('type' => FILE_ASN1_TYPE_ANY);
- $AttributeType = array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER);
- $AttributeTypeAndValue = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'children' => array(
- 'type' => $AttributeType,
- 'value'=> $AttributeValue
- )
- );
- /*
- In practice, RDNs containing multiple name-value pairs (called "multivalued RDNs") are rare,
- but they can be useful at times when either there is no unique attribute in the entry or you
- want to ensure that the entry's DN contains some useful identifying information.
- - https://www.opends.org/wiki/page/DefinitionRelativeDistinguishedName
- */
- $RelativeDistinguishedName = array(
- 'type' => FILE_ASN1_TYPE_SET,
- 'min' => 1,
- 'max' => -1,
- 'children' => $AttributeTypeAndValue
- );
- // http://tools.ietf.org/html/rfc5280#section-4.1.2.4
- $RDNSequence = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- // RDNSequence does not define a min or a max, which means it doesn't have one
- 'min' => 0,
- 'max' => -1,
- 'children' => $RelativeDistinguishedName
- );
- $Name = array(
- 'type' => FILE_ASN1_TYPE_CHOICE,
- 'children' => array(
- 'rdnSequence' => $RDNSequence
- )
- );
- // http://tools.ietf.org/html/rfc5280#section-4.1.1.2
- $AlgorithmIdentifier = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'children' => array(
- 'algorithm' => array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER),
- 'parameters' => array(
- 'type' => FILE_ASN1_TYPE_ANY,
- 'optional' => true
- )
- )
- );
- /*
- A certificate using system MUST reject the certificate if it encounters
- a critical extension it does not recognize; however, a non-critical
- extension may be ignored if it is not recognized.
- http://tools.ietf.org/html/rfc5280#section-4.2
- */
- $Extension = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'children' => array(
- 'extnId' => array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER),
- 'critical' => array(
- 'type' => FILE_ASN1_TYPE_BOOLEAN,
- 'optional' => true,
- 'default' => false
- ),
- 'extnValue' => array('type' => FILE_ASN1_TYPE_OCTET_STRING)
- )
- );
- $Extensions = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'min' => 1,
- // technically, it's MAX, but we'll assume anything < 0 is MAX
- 'max' => -1,
- // if 'children' isn't an array then 'min' and 'max' must be defined
- 'children' => $Extension
- );
- $SubjectPublicKeyInfo = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'children' => array(
- 'algorithm' => $AlgorithmIdentifier,
- 'subjectPublicKey' => array('type' => FILE_ASN1_TYPE_BIT_STRING)
- )
- );
- $UniqueIdentifier = array('type' => FILE_ASN1_TYPE_BIT_STRING);
- $Time = array(
- 'type' => FILE_ASN1_TYPE_CHOICE,
- 'children' => array(
- 'utcTime' => array('type' => FILE_ASN1_TYPE_UTC_TIME),
- 'generalTime' => array('type' => FILE_ASN1_TYPE_GENERALIZED_TIME)
- )
- );
- // http://tools.ietf.org/html/rfc5280#section-4.1.2.5
- $Validity = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'children' => array(
- 'notBefore' => $Time,
- 'notAfter' => $Time
- )
- );
- $CertificateSerialNumber = array('type' => FILE_ASN1_TYPE_INTEGER);
- $Version = array(
- 'type' => FILE_ASN1_TYPE_INTEGER,
- 'mapping' => array('v1', 'v2', 'v3')
- );
- // assert($TBSCertificate['children']['signature'] == $Certificate['children']['signatureAlgorithm'])
- $TBSCertificate = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'children' => array(
- // technically, default implies optional, but we'll define it as being optional, none-the-less, just to
- // reenforce that fact
- 'version' => array(
- 'constant' => 0,
- 'optional' => true,
- 'explicit' => true,
- 'default' => 'v1'
- ) + $Version,
- 'serialNumber' => $CertificateSerialNumber,
- 'signature' => $AlgorithmIdentifier,
- 'issuer' => $Name,
- 'validity' => $Validity,
- 'subject' => $Name,
- 'subjectPublicKeyInfo' => $SubjectPublicKeyInfo,
- // implicit means that the T in the TLV structure is to be rewritten, regardless of the type
- 'issuerUniqueID' => array(
- 'constant' => 1,
- 'optional' => true,
- 'implicit' => true
- ) + $UniqueIdentifier,
- 'subjectUniqueID' => array(
- 'constant' => 2,
- 'optional' => true,
- 'implicit' => true
- ) + $UniqueIdentifier,
- // <http://tools.ietf.org/html/rfc2459#page-74> doesn't use the EXPLICIT keyword but if
- // it's not IMPLICIT, it's EXPLICIT
- 'extensions' => array(
- 'constant' => 3,
- 'optional' => true,
- 'explicit' => true
- ) + $Extensions
- )
- );
- $this->Certificate = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'children' => array(
- 'tbsCertificate' => $TBSCertificate,
- 'signatureAlgorithm' => $AlgorithmIdentifier,
- 'signature' => array('type' => FILE_ASN1_TYPE_BIT_STRING)
- )
- );
- $this->KeyUsage = array(
- 'type' => FILE_ASN1_TYPE_BIT_STRING,
- 'mapping' => array(
- 'digitalSignature',
- 'nonRepudiation',
- 'keyEncipherment',
- 'dataEncipherment',
- 'keyAgreement',
- 'keyCertSign',
- 'cRLSign',
- 'encipherOnly',
- 'decipherOnly'
- )
- );
- $this->BasicConstraints = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'children' => array(
- 'cA' => array(
- 'type' => FILE_ASN1_TYPE_BOOLEAN,
- 'optional' => true,
- 'default' => false
- ),
- 'pathLenConstraint' => array(
- 'type' => FILE_ASN1_TYPE_INTEGER,
- 'optional' => true
- )
- )
- );
- $this->KeyIdentifier = array('type' => FILE_ASN1_TYPE_OCTET_STRING);
- $OrganizationalUnitNames = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'min' => 1,
- 'max' => 4, // ub-organizational-units
- 'children' => array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING)
- );
- $PersonalName = array(
- 'type' => FILE_ASN1_TYPE_SET,
- 'children' => array(
- 'surname' => array(
- 'type' => FILE_ASN1_TYPE_PRINTABLE_STRING,
- 'constant' => 0,
- 'optional' => true,
- 'implicit' => true
- ),
- 'given-name' => array(
- 'type' => FILE_ASN1_TYPE_PRINTABLE_STRING,
- 'constant' => 1,
- 'optional' => true,
- 'implicit' => true
- ),
- 'initials' => array(
- 'type' => FILE_ASN1_TYPE_PRINTABLE_STRING,
- 'constant' => 2,
- 'optional' => true,
- 'implicit' => true
- ),
- 'generation-qualifier' => array(
- 'type' => FILE_ASN1_TYPE_PRINTABLE_STRING,
- 'constant' => 3,
- 'optional' => true,
- 'implicit' => true
- )
- )
- );
- $NumericUserIdentifier = array('type' => FILE_ASN1_TYPE_NUMERIC_STRING);
- $OrganizationName = array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING);
- $PrivateDomainName = array(
- 'type' => FILE_ASN1_TYPE_CHOICE,
- 'children' => array(
- 'numeric' => array('type' => FILE_ASN1_TYPE_NUMERIC_STRING),
- 'printable' => array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING)
- )
- );
- $TerminalIdentifier = array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING);
- $NetworkAddress = array('type' => FILE_ASN1_TYPE_NUMERIC_STRING);
- $AdministrationDomainName = array(
- 'type' => FILE_ASN1_TYPE_CHOICE,
- // if class isn't present it's assumed to be FILE_ASN1_CLASS_UNIVERSAL or
- // (if constant is present) FILE_ASN1_CLASS_CONTEXT_SPECIFIC
- 'class' => FILE_ASN1_CLASS_APPLICATION,
- 'cast' => 2,
- 'children' => array(
- 'numeric' => array('type' => FILE_ASN1_TYPE_NUMERIC_STRING),
- 'printable' => array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING)
- )
- );
- $CountryName = array(
- 'type' => FILE_ASN1_TYPE_CHOICE,
- // if class isn't present it's assumed to be FILE_ASN1_CLASS_UNIVERSAL or
- // (if constant is present) FILE_ASN1_CLASS_CONTEXT_SPECIFIC
- 'class' => FILE_ASN1_CLASS_APPLICATION,
- 'cast' => 1,
- 'children' => array(
- 'x121-dcc-code' => array('type' => FILE_ASN1_TYPE_NUMERIC_STRING),
- 'iso-3166-alpha2-code' => array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING)
- )
- );
- $AnotherName = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'children' => array(
- 'type-id' => array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER),
- 'value' => array(
- 'type' => FILE_ASN1_TYPE_ANY,
- 'constant' => 0,
- 'optional' => true,
- 'explicit' => true
- )
- )
- );
- $ExtensionAttribute = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'children' => array(
- 'extension-attribute-type' => array(
- 'type' => FILE_ASN1_TYPE_PRINTABLE_STRING,
- 'constant' => 0,
- 'optional' => true,
- 'implicit' => true
- ),
- 'extension-attribute-value' => array(
- 'type' => FILE_ASN1_TYPE_ANY,
- 'constant' => 1,
- 'optional' => true,
- 'explicit' => true
- )
- )
- );
- $ExtensionAttributes = array(
- 'type' => FILE_ASN1_TYPE_SET,
- 'min' => 1,
- 'max' => 256, // ub-extension-attributes
- 'children' => $ExtensionAttribute
- );
- $BuiltInDomainDefinedAttribute = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'children' => array(
- 'type' => array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING),
- 'value' => array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING)
- )
- );
- $BuiltInDomainDefinedAttributes = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'min' => 1,
- 'max' => 4, // ub-domain-defined-attributes
- 'children' => $BuiltInDomainDefinedAttribute
- );
- $BuiltInStandardAttributes = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'children' => array(
- 'country-name' => array('optional' => true) + $CountryName,
- 'administration-domain-name' => array('optional' => true) + $AdministrationDomainName,
- 'network-address' => array(
- 'constant' => 0,
- 'optional' => true,
- 'implicit' => true
- ) + $NetworkAddress,
- 'terminal-identifier' => array(
- 'constant' => 1,
- 'optional' => true,
- 'implicit' => true
- ) + $TerminalIdentifier,
- 'private-domain-name' => array(
- 'constant' => 2,
- 'optional' => true,
- 'explicit' => true
- ) + $PrivateDomainName,
- 'organization-name' => array(
- 'constant' => 3,
- 'optional' => true,
- 'implicit' => true
- ) + $OrganizationName,
- 'numeric-user-identifier' => array(
- 'constant' => 4,
- 'optional' => true,
- 'implicit' => true
- ) + $NumericUserIdentifier,
- 'personal-name' => array(
- 'constant' => 5,
- 'optional' => true,
- 'implicit' => true
- ) + $PersonalName,
- 'organizational-unit-names' => array(
- 'constant' => 6,
- 'optional' => true,
- 'implicit' => true
- ) + $OrganizationalUnitNames
- )
- );
- $ORAddress = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'children' => array(
- 'built-in-standard-attributes' => $BuiltInStandardAttributes,
- 'built-in-domain-defined-attributes' => array('optional' => true) + $BuiltInDomainDefinedAttributes,
- 'extension-attributes' => array('optional' => true) + $ExtensionAttributes
- )
- );
- $EDIPartyName = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'children' => array(
- 'nameAssigner' => array(
- 'constant' => 0,
- 'optional' => true,
- 'implicit' => true
- ) + $DirectoryString,
- // partyName is technically required but File_ASN1 doesn't currently support non-optional constants and
- // setting it to optional gets the job done in any event.
- 'partyName' => array(
- 'constant' => 1,
- 'optional' => true,
- 'implicit' => true
- ) + $DirectoryString
- )
- );
- $GeneralName = array(
- 'type' => FILE_ASN1_TYPE_CHOICE,
- 'children' => array(
- 'otherName' => array(
- 'constant' => 0,
- 'optional' => true,
- 'implicit' => true
- ) + $AnotherName,
- 'rfc822Name' => array(
- 'type' => FILE_ASN1_TYPE_IA5_STRING,
- 'constant' => 1,
- 'optional' => true,
- 'implicit' => true
- ),
- 'dNSName' => array(
- 'type' => FILE_ASN1_TYPE_IA5_STRING,
- 'constant' => 2,
- 'optional' => true,
- 'implicit' => true
- ),
- 'x400Address' => array(
- 'constant' => 3,
- 'optional' => true,
- 'implicit' => true
- ) + $ORAddress,
- 'directoryName' => array(
- 'constant' => 4,
- 'optional' => true,
- 'explicit' => true
- ) + $Name,
- 'ediPartyName' => array(
- 'constant' => 5,
- 'optional' => true,
- 'implicit' => true
- ) + $EDIPartyName,
- 'uniformResourceIdentifier' => array(
- 'type' => FILE_ASN1_TYPE_IA5_STRING,
- 'constant' => 6,
- 'optional' => true,
- 'implicit' => true
- ),
- 'iPAddress' => array(
- 'type' => FILE_ASN1_TYPE_OCTET_STRING,
- 'constant' => 7,
- 'optional' => true,
- 'implicit' => true
- ),
- 'registeredID' => array(
- 'type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER,
- 'constant' => 8,
- 'optional' => true,
- 'implicit' => true
- )
- )
- );
- $GeneralNames = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'min' => 1,
- 'max' => -1,
- 'children' => $GeneralName
- );
- $this->IssuerAltName = $GeneralNames;
- $ReasonFlags = array(
- 'type' => FILE_ASN1_TYPE_BIT_STRING,
- 'mapping' => array(
- 'unused',
- 'keyCompromise',
- 'cACompromise',
- 'affiliationChanged',
- 'superseded',
- 'cessationOfOperation',
- 'certificateHold',
- 'privilegeWithdrawn',
- 'aACompromise'
- )
- );
- $DistributionPointName = array(
- 'type' => FILE_ASN1_TYPE_CHOICE,
- 'children' => array(
- 'fullName' => array(
- 'constant' => 0,
- 'optional' => true,
- 'implicit' => true
- ) + $GeneralNames,
- 'nameRelativeToCRLIssuer' => array(
- 'constant' => 1,
- 'optional' => true,
- 'implicit' => true
- ) + $RelativeDistinguishedName
- )
- );
- $DistributionPoint = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'children' => array(
- 'distributionPoint' => array(
- 'constant' => 0,
- 'optional' => true,
- 'explicit' => true
- ) + $DistributionPointName,
- 'reasons' => array(
- 'constant' => 1,
- 'optional' => true,
- 'implicit' => true
- ) + $ReasonFlags,
- 'cRLIssuer' => array(
- 'constant' => 2,
- 'optional' => true,
- 'implicit' => true
- ) + $GeneralNames
- )
- );
- $this->CRLDistributionPoints = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'min' => 1,
- 'max' => -1,
- 'children' => $DistributionPoint
- );
- $this->AuthorityKeyIdentifier = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'children' => array(
- 'keyIdentifier' => array(
- 'constant' => 0,
- 'optional' => true,
- 'implicit' => true
- ) + $this->KeyIdentifier,
- 'authorityCertIssuer' => array(
- 'constant' => 1,
- 'optional' => true,
- 'implicit' => true
- ) + $GeneralNames,
- 'authorityCertSerialNumber' => array(
- 'constant' => 2,
- 'optional' => true,
- 'implicit' => true
- ) + $CertificateSerialNumber
- )
- );
- $PolicyQualifierId = array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER);
- $PolicyQualifierInfo = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'children' => array(
- 'policyQualifierId' => $PolicyQualifierId,
- 'qualifier' => array('type' => FILE_ASN1_TYPE_ANY)
- )
- );
- $CertPolicyId = array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER);
- $PolicyInformation = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'children' => array(
- 'policyIdentifier' => $CertPolicyId,
- 'policyQualifiers' => array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'min' => 0,
- 'max' => -1,
- 'optional' => true,
- 'children' => $PolicyQualifierInfo
- )
- )
- );
- $this->CertificatePolicies = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'min' => 1,
- 'max' => -1,
- 'children' => $PolicyInformation
- );
- $this->PolicyMappings = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'min' => 1,
- 'max' => -1,
- 'children' => array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'children' => array(
- 'issuerDomainPolicy' => $CertPolicyId,
- 'subjectDomainPolicy' => $CertPolicyId
- )
- )
- );
- $KeyPurposeId = array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER);
- $this->ExtKeyUsageSyntax = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'min' => 1,
- 'max' => -1,
- 'children' => $KeyPurposeId
- );
- $AccessDescription = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'children' => array(
- 'accessMethod' => array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER),
- 'accessLocation' => $GeneralName
- )
- );
- $this->AuthorityInfoAccessSyntax = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'min' => 1,
- 'max' => -1,
- 'children' => $AccessDescription
- );
- $this->SubjectAltName = $GeneralNames;
- $this->PrivateKeyUsagePeriod = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'children' => array(
- 'notBefore' => array(
- 'constant' => 0,
- 'optional' => true,
- 'implicit' => true,
- 'type' => FILE_ASN1_TYPE_GENERALIZED_TIME),
- 'notAfter' => array(
- 'constant' => 1,
- 'optional' => true,
- 'implicit' => true,
- 'type' => FILE_ASN1_TYPE_GENERALIZED_TIME)
- )
- );
- $BaseDistance = array('type' => FILE_ASN1_TYPE_INTEGER);
- $GeneralSubtree = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'children' => array(
- 'base' => $GeneralName,
- 'minimum' => array(
- 'constant' => 0,
- 'optional' => true,
- 'implicit' => true,
- 'default' => new Math_BigInteger(0)
- ) + $BaseDistance,
- 'maximum' => array(
- 'constant' => 1,
- 'optional' => true,
- 'implicit' => true,
- ) + $BaseDistance
- )
- );
- $GeneralSubtrees = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'min' => 1,
- 'max' => -1,
- 'children' => $GeneralSubtree
- );
- $this->NameConstraints = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'children' => array(
- 'permittedSubtrees' => array(
- 'constant' => 0,
- 'optional' => true,
- 'implicit' => true
- ) + $GeneralSubtrees,
- 'excludedSubtrees' => array(
- 'constant' => 1,
- 'optional' => true,
- 'implicit' => true
- ) + $GeneralSubtrees
- )
- );
- $this->CPSuri = array('type' => FILE_ASN1_TYPE_IA5_STRING);
- $DisplayText = array(
- 'type' => FILE_ASN1_TYPE_CHOICE,
- 'children' => array(
- 'ia5String' => array('type' => FILE_ASN1_TYPE_IA5_STRING),
- 'visibleString' => array('type' => FILE_ASN1_TYPE_VISIBLE_STRING),
- 'bmpString' => array('type' => FILE_ASN1_TYPE_BMP_STRING),
- 'utf8String' => array('type' => FILE_ASN1_TYPE_UTF8_STRING)
- )
- );
- $NoticeReference = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'children' => array(
- 'organization' => $DisplayText,
- 'noticeNumbers' => array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'min' => 1,
- 'max' => 200,
- 'children' => array('type' => FILE_ASN1_TYPE_INTEGER)
- )
- )
- );
- $this->UserNotice = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'children' => array(
- 'noticeRef' => array(
- 'optional' => true,
- 'implicit' => true
- ) + $NoticeReference,
- 'explicitText' => array(
- 'optional' => true,
- 'implicit' => true
- ) + $DisplayText
- )
- );
- // mapping is from <http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html>
- $this->netscape_cert_type = array(
- 'type' => FILE_ASN1_TYPE_BIT_STRING,
- 'mapping' => array(
- 'SSLClient',
- 'SSLServer',
- 'Email',
- 'ObjectSigning',
- 'Reserved',
- 'SSLCA',
- 'EmailCA',
- 'ObjectSigningCA'
- )
- );
- $this->netscape_comment = array('type' => FILE_ASN1_TYPE_IA5_STRING);
- // attribute is used in RFC2986 but we're using the RFC5280 definition
- $Attribute = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'children' => array(
- 'type' => $AttributeType,
- 'value'=> array(
- 'type' => FILE_ASN1_TYPE_SET,
- 'min' => 1,
- 'max' => -1,
- 'children' => $AttributeValue
- )
- )
- );
- // adapted from <http://tools.ietf.org/html/rfc2986>
- $Attributes = array(
- 'type' => FILE_ASN1_TYPE_SET,
- 'min' => 1,
- 'max' => -1,
- 'children' => $Attribute
- );
- $CertificationRequestInfo = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'children' => array(
- 'version' => array(
- 'type' => FILE_ASN1_TYPE_INTEGER,
- 'mapping' => array('v1')
- ),
- 'subject' => $Name,
- 'subjectPKInfo' => $SubjectPublicKeyInfo,
- 'attributes' => array(
- 'constant' => 0,
- 'optional' => true,
- 'implicit' => true
- ) + $Attributes,
- )
- );
- $this->CertificationRequest = array(
- 'type' => FILE_ASN1_TYPE_SEQUENCE,
- 'children' => array(
- 'certificationRequestInfo' => $CertificationRequestInfo,
- 'signatureAlgorithm' => $AlgorithmIdentifier,
- 'signature' => array('type' => FILE_ASN1_TYPE_BIT_STRING)
- )
- );
- // OIDs from RFC5280 and those RFCs mentioned in RFC5280#section-4.1.1.2
- $this->oids = array(
- '1.3.6.1.5.5.7' => 'id-pkix',
- '1.3.6.1.5.5.7.1' => 'id-pe',
- '1.3.6.1.5.5.7.2' => 'id-qt',
- '1.3.6.1.5.5.7.3' => 'id-kp',
- '1.3.6.1.5.5.7.48' => 'id-ad',
- '1.3.6.1.5.5.7.2.1' => 'id-qt-cps',
- '1.3.6.1.5.5.7.2.2' => 'id-qt-unotice',
- '1.3.6.1.5.5.7.48.1' =>'id-ad-ocsp',
- '1.3.6.1.5.5.7.48.2' => 'id-ad-caIssuers',
- '1.3.6.1.5.5.7.48.3' => 'id-ad-timeStamping',
- '1.3.6.1.5.5.7.48.5' => 'id-ad-caRepository',
- '2.5.4' => 'id-at',
- '2.5.4.41' => 'id-at-name',
- '2.5.4.4' => 'id-at-surname',
- '2.5.4.42' => 'id-at-givenName',
- '2.5.4.43' => 'id-at-initials',
- '2.5.4.44' => 'id-at-generationQualifier',
- '2.5.4.3' => 'id-at-commonName',
- '2.5.4.7' => 'id-at-localityName',
- '2.5.4.8' => 'id-at-stateOrProvinceName',
- '2.5.4.10' => 'id-at-organizationName',
- '2.5.4.11' => 'id-at-organizationalUnitName',
- '2.5.4.12' => 'id-at-title',
- '2.5.4.46' => 'id-at-dnQualifier',
- '2.5.4.6' => 'id-at-countryName',
- '2.5.4.5' => 'id-at-serialNumber',
- '2.5.4.65' => 'id-at-pseudonym',
- '2.5.4.17' => 'id-at-postalCode',
- '2.5.4.9' => 'id-at-streetAddress',
- '0.9.2342.19200300.100.1.25' => 'id-domainComponent',
- '1.2.840.113549.1.9' => 'pkcs-9',
- '1.2.840.113549.1.9.1' => 'id-emailAddress',
- '2.5.29' => 'id-ce',
- '2.5.29.35' => 'id-ce-authorityKeyIdentifier',
- '2.5.29.14' => 'id-ce-subjectKeyIdentifier',
- '2.5.29.15' => 'id-ce-keyUsage',
- '2.5.29.16' => 'id-ce-privateKeyUsagePeriod',
- '2.5.29.32' => 'id-ce-certificatePolicies',
- '2.5.29.32.0' => 'anyPolicy',
- '2.5.29.33' => 'id-ce-policyMappings',
- '2.5.29.17' => 'id-ce-subjectAltName',
- '2.5.29.18' => 'id-ce-issuerAltName',
- '2.5.29.9' => 'id-ce-subjectDirectoryAttributes',
- '2.5.29.19' => 'id-ce-basicConstraints',
- '2.5.29.30' => 'id-ce-nameConstraints',
- '2.5.29.36' => 'id-ce-policyConstraints',
- '2.5.29.31' => 'id-ce-cRLDistributionPoints',
- '2.5.29.37' => 'id-ce-extKeyUsage',
- '2.5.29.37.0' => 'anyExtendedKeyUsage',
- '1.3.6.1.5.5.7.3.1' => 'id-kp-serverAuth',
- '1.3.6.1.5.5.7.3.2' => 'id-kp-clientAuth',
- '1.3.6.1.5.5.7.3.3' => 'id-kp-codeSigning',
- '1.3.6.1.5.5.7.3.4' => 'id-kp-emailProtection',
- '1.3.6.1.5.5.7.3.8' => 'id-kp-timeStamping',
- '1.3.6.1.5.5.7.3.9' => 'id-kp-OCSPSigning',
- '2.5.29.54' => 'id-ce-inhibitAnyPolicy',
- '2.5.29.46' => 'id-ce-freshestCRL',
- '1.3.6.1.5.5.7.1.1' => 'id-pe-authorityInfoAccess',
- '1.3.6.1.5.5.7.1.11' => 'id-pe-subjectInfoAccess',
- '2.5.29.20' => 'id-ce-cRLNumber',
- '2.5.29.28' => 'id-ce-issuingDistributionPoint',
- '2.5.29.27' => 'id-ce-deltaCRLIndicator',
- '2.5.29.21' => 'id-ce-cRLReasons',
- '2.5.29.29' => 'id-ce-certificateIssuer',
- '2.5.29.23' => 'id-ce-holdInstructionCode',
- '2.2.840.10040.2' => 'holdInstruction',
- '2.2.840.10040.2.1' => 'id-holdinstruction-none',
- '2.2.840.10040.2.2' => 'id-holdinstruction-callissuer',
- '2.2.840.10040.2.3' => 'id-holdinstruction-reject',
- '2.5.29.24' => 'id-ce-invalidityDate',
- '1.2.840.113549.2.2' => 'md2',
- '1.2.840.113549.2.5' => 'md5',
- '1.3.14.3.2.26' => 'id-sha1',
- '1.2.840.10040.4.1' => 'id-dsa',
- '1.2.840.10040.4.3' => 'id-dsa-with-sha1',
- '1.2.840.113549.1.1' => 'pkcs-1',
- '1.2.840.113549.1.1.1' => 'rsaEncryption',
- '1.2.840.113549.1.1.2' => 'md2WithRSAEncryption',
- '1.2.840.113549.1.1.4' => 'md5WithRSAEncryption',
- '1.2.840.113549.1.1.5' => 'sha1WithRSAEncryption',
- '1.2.840.10046.2.1' => 'dhpublicnumber',
- '2.16.840.1.101.2.1.1.22' => 'id-keyExchangeAlgorithm',
- '1.2.840.10045' => 'ansi-X9-62',
- '1.2.840.10045.4' => 'id-ecSigType',
- '1.2.840.10045.4.1' => 'ecdsa-with-SHA1',
- '1.2.840.10045.1' => 'id-fieldType',
- '1.2.840.10045.1.1' => 'prime-field',
- '1.2.840.10045.1.2' => 'characteristic-two-field',
- '1.2.840.10045.1.2.3' => 'id-characteristic-two-basis',
- '1.2.840.10045.1.2.3.1' => 'gnBasis',
- '1.2.840.10045.1.2.3.2' => 'tpBasis',
- '1.2.840.10045.1.2.3.3' => 'ppBasis',
- '1.2.840.10045.2' => 'id-publicKeyType',
- '1.2.840.10045.2.1' => 'id-ecPublicKey',
- '1.2.840.10045.3' => 'ellipticCurve',
- '1.2.840.10045.3.0' => 'c-TwoCurve',
- '1.2.840.10045.3.0.1' => 'c2pnb163v1',
- '1.2.840.10045.3.0.2' => 'c2pnb163v2',
- '1.2.840.10045.3.0.3' => 'c2pnb163v3',
- '1.2.840.10045.3.0.4' => 'c2pnb176w1',
- '1.2.840.10045.3.0.5' => 'c2pnb191v1',
- '1.2.840.10045.3.0.6' => 'c2pnb191v2',
- '1.2.840.10045.3.0.7' => 'c2pnb191v3',
- '1.2.840.10045.3.0.8' => 'c2pnb191v4',
- '1.2.840.10045.3.0.9' => 'c2pnb191v5',
- '1.2.840.10045.3.0.10' => 'c2pnb208w1',
- '1.2.840.10045.3.0.11' => 'c2pnb239v1',
- '1.2.840.10045.3.0.12' => 'c2pnb239v2',
- '1.2.840.10045.3.0.13' => 'c2pnb239v3',
- '1.2.840.10045.3.0.14' => 'c2pnb239v4',
- '1.2.840.10045.3.0.15' => 'c2pnb239v5',
- '1.2.840.10045.3.0.16' => 'c2pnb272w1',
- '1.2.840.10045.3.0.17' => 'c2pnb304w1',
- '1.2.840.10045.3.0.18' => 'c2pnb359v1',
- '1.2.840.10045.3.0.19' => 'c2pnb368w1',
- '1.2.840.10045.3.0.20' => 'c2pnb431r1',
- '1.2.840.10045.3.1' => 'primeCurve',
- '1.2.840.10045.3.1.1' => 'prime192v1',
- '1.2.840.10045.3.1.2' => 'prime192v2',
- '1.2.840.10045.3.1.3' => 'prime192v3',
- '1.2.840.10045.3.1.4' => 'prime239v1',
- '1.2.840.10045.3.1.5' => 'prime239v2',
- '1.2.840.10045.3.1.6' => 'prime239v3',
- '1.2.840.10045.3.1.7' => 'prime256v1',
- '1.2.840.113549.1.1.7' => 'id-RSAES-OAEP',
- '1.2.840.113549.1.1.9' => 'id-pSpecified',
- '1.2.840.113549.1.1.10' => 'id-RSASSA-PSS',
- '1.2.840.113549.1.1.8' => 'id-mgf1',
- '1.2.840.113549.1.1.14' => 'sha224WithRSAEncryption',
- '1.2.840.113549.1.1.11' => 'sha256WithRSAEncryption',
- '1.2.840.113549.1.1.12' => 'sha384WithRSAEncryption',
- '1.2.840.113549.1.1.13' => 'sha512WithRSAEncryption',
- '2.16.840.1.101.3.4.2.4' => 'id-sha224',
- '2.16.840.1.101.3.4.2.1' => 'id-sha256',
- '2.16.840.1.101.3.4.2.2' => 'id-sha384',
- '2.16.840.1.101.3.4.2.3' => 'id-sha512',
- '1.2.643.2.2.4' => 'id-GostR3411-94-with-GostR3410-94',
- '1.2.643.2.2.3' => 'id-GostR3411-94-with-GostR3410-2001',
- '1.2.643.2.2.20' => 'id-GostR3410-2001',
- '1.2.643.2.2.19' => 'id-GostR3410-94',
- // Netscape Object Identifiers from "Netscape Certificate Extensions"
- '2.16.840.1.113730' => 'netscape',
- '2.16.840.1.113730.1' => 'netscape-cert-extension',
- '2.16.840.1.113730.1.1' => 'netscape-cert-type',
- '2.16.840.1.113730.1.13' => 'netscape-comment',
- // the following are X.509 extensions not supported by phpseclib
- '1.3.6.1.5.5.7.1.12' => 'id-pe-logotype',
- '1.2.840.113533.7.65.0' => 'entrustVersInfo',
- '2.16.840.1.113733.1.6.9' => 'verisignPrivate',
- // for Certificate Signing Requests
- // see http://tools.ietf.org/html/rfc2985
- '1.2.840.113549.1.9.2' => 'unstructuredName', // PKCS #9 unstructured name
- '1.2.840.113549.1.9.7' => 'challengePassword' // Challenge password for certificate revocations
- );
- }
- /**
- * Load X.509 certificate
- *
- * Returns an associative array describing the X.509 cert or a false if the cert failed to load
- *
- * @param String $cert
- * @access public
- * @return Mixed
- */
- function loadX509($cert)
- {
- if (is_array($cert) && isset($cert['tbsCertificate'])) {
- $this->currentCert = $cert;
- unset($this->signatureSubject);
- return false;
- }
- $asn1 = new File_ASN1();
- /*
- X.509 certs are assumed to be base64 encoded but sometimes they'll have additional things in them abo…
Large files files are truncated, but you can click here to view the full file