Halaman utama Jelajahi Bantuan
Daftar Masuk
aj
/
chamilo-lms2
1
0
Fork 0
Berkas Masalah 0 Permintaan Tarik 0 Wiki
Cabang: ofajdev2017
Ranting Tag
chamilo-lms2
/
main
/
inc
/
lib
/
phpseclib
/
File
/
X509.php

X509.php 158 KB
Permalink Riwayat Mentahan

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674267526762677267826792680268126822683268426852686268726882689269026912692269326942695269626972698269927002701270227032704270527062707270827092710271127122713271427152716271727182719272027212722272327242725272627272728272927302731273227332734273527362737273827392740274127422743274427452746274727482749275027512752275327542755275627572758275927602761276227632764276527662767276827692770277127722773277427752776277727782779278027812782278327842785278627872788278927902791279227932794279527962797279827992800280128022803280428052806280728082809281028112812281328142815281628172818281928202821282228232824282528262827282828292830283128322833283428352836283728382839284028412842284328442845284628472848284928502851285228532854285528562857285828592860286128622863286428652866286728682869287028712872287328742875287628772878287928802881288228832884288528862887288828892890289128922893289428952896289728982899290029012902290329042905290629072908290929102911291229132914291529162917291829192920292129222923292429252926292729282929293029312932293329342935293629372938293929402941294229432944294529462947294829492950295129522953295429552956295729582959296029612962296329642965296629672968296929702971297229732974297529762977297829792980298129822983298429852986298729882989299029912992299329942995299629972998299930003001300230033004300530063007300830093010301130123013301430153016301730183019302030213022302330243025302630273028302930303031303230333034303530363037303830393040304130423043304430453046304730483049305030513052305330543055305630573058305930603061306230633064306530663067306830693070307130723073307430753076307730783079308030813082308330843085308630873088308930903091309230933094309530963097309830993100310131023103310431053106310731083109311031113112311331143115311631173118311931203121312231233124312531263127312831293130313131323133313431353136313731383139314031413142314331443145314631473148314931503151315231533154315531563157315831593160316131623163316431653166316731683169317031713172317331743175317631773178317931803181318231833184318531863187318831893190319131923193319431953196319731983199320032013202320332043205320632073208320932103211321232133214321532163217321832193220322132223223322432253226322732283229323032313232323332343235323632373238323932403241324232433244324532463247324832493250325132523253325432553256325732583259326032613262326332643265326632673268326932703271327232733274327532763277327832793280328132823283328432853286328732883289329032913292329332943295329632973298329933003301330233033304330533063307330833093310331133123313331433153316331733183319332033213322332333243325332633273328332933303331333233333334333533363337333833393340334133423343334433453346334733483349335033513352335333543355335633573358335933603361336233633364336533663367336833693370337133723373337433753376337733783379338033813382338333843385338633873388338933903391339233933394339533963397339833993400340134023403340434053406340734083409341034113412341334143415341634173418341934203421342234233424342534263427342834293430343134323433343434353436343734383439344034413442344334443445344634473448344934503451345234533454345534563457345834593460346134623463346434653466346734683469347034713472347334743475347634773478347934803481348234833484348534863487348834893490349134923493349434953496349734983499350035013502350335043505350635073508350935103511351235133514351535163517351835193520352135223523352435253526352735283529353035313532353335343535353635373538353935403541354235433544354535463547354835493550355135523553355435553556355735583559356035613562356335643565356635673568356935703571357235733574357535763577357835793580358135823583358435853586358735883589359035913592359335943595359635973598359936003601360236033604360536063607360836093610361136123613361436153616361736183619362036213622362336243625362636273628362936303631363236333634363536363637363836393640364136423643364436453646364736483649365036513652365336543655365636573658365936603661366236633664366536663667366836693670367136723673367436753676367736783679368036813682368336843685368636873688368936903691369236933694369536963697369836993700370137023703370437053706370737083709371037113712371337143715371637173718371937203721372237233724372537263727372837293730373137323733373437353736373737383739374037413742374337443745374637473748374937503751375237533754375537563757375837593760376137623763376437653766376737683769377037713772377337743775377637773778377937803781378237833784378537863787378837893790379137923793379437953796379737983799380038013802380338043805380638073808380938103811381238133814381538163817381838193820382138223823382438253826382738283829383038313832383338343835383638373838383938403841384238433844384538463847384838493850385138523853385438553856385738583859386038613862386338643865386638673868386938703871387238733874387538763877387838793880388138823883388438853886388738883889389038913892389338943895389638973898389939003901390239033904390539063907390839093910391139123913391439153916391739183919392039213922392339243925392639273928392939303931393239333934393539363937393839393940394139423943394439453946394739483949395039513952395339543955395639573958395939603961396239633964396539663967396839693970397139723973397439753976397739783979398039813982398339843985398639873988398939903991399239933994399539963997399839994000400140024003400440054006400740084009401040114012401340144015401640174018401940204021402240234024402540264027402840294030403140324033403440354036403740384039404040414042404340444045404640474048404940504051405240534054405540564057405840594060406140624063406440654066406740684069407040714072407340744075407640774078407940804081408240834084408540864087408840894090409140924093409440954096409740984099410041014102410341044105410641074108410941104111411241134114411541164117411841194120412141224123412441254126412741284129413041314132413341344135413641374138413941404141414241434144414541464147414841494150415141524153415441554156415741584159416041614162416341644165416641674168416941704171417241734174417541764177417841794180418141824183418441854186418741884189419041914192419341944195419641974198419942004201420242034204420542064207420842094210421142124213421442154216421742184219422042214222422342244225422642274228422942304231423242334234423542364237423842394240424142424243424442454246424742484249425042514252425342544255425642574258425942604261426242634264426542664267426842694270427142724273427442754276427742784279428042814282428342844285428642874288428942904291429242934294429542964297429842994300430143024303430443054306430743084309431043114312431343144315431643174318431943204321432243234324432543264327432843294330433143324333433443354336433743384339434043414342434343444345434643474348434943504351 
  1. <?php
    2. 

  2. /* vim: set expandtab tabstop=4 shiftwidth=4 softtabstop=4: */
    3. 

  3. 

  4. /**
    5. 

  5.  * Pure-PHP X.509 Parser
    6. 

  6.  *
    7. 

  7.  * PHP versions 4 and 5
    8. 

  8.  *
    9. 

  9.  * Encode and decode X.509 certificates.
    10. 

  10.  *
    11. 

  11.  * The extensions are from {@link http://tools.ietf.org/html/rfc5280 RFC5280} and 
    12. 

  12.  * {@link http://web.archive.org/web/19961027104704/http://www3.netscape.com/eng/security/cert-exts.html Netscape Certificate Extensions}.
    13. 

  13.  *
    14. 

  14.  * Note that loading an X.509 certificate and resaving it may invalidate the signature.  The reason being that the signature is based on a
    15. 

  15.  * portion of the certificate that contains optional parameters with default values.  ie. if the parameter isn't there the default value is
    16. 

  16.  * used.  Problem is, if the parameter is there and it just so happens to have the default value there are two ways that that parameter can
    17. 

  17.  * be encoded.  It can be encoded explicitly or left out all together.  This would effect the signature value and thus may invalidate the
    18. 

  18.  * the certificate all together unless the certificate is re-signed.
    19. 

  19.  *
    20. 

  20.  * LICENSE: Permission is hereby granted, free of charge, to any person obtaining a copy
    21. 

  21.  * of this software and associated documentation files (the "Software"), to deal
    22. 

  22.  * in the Software without restriction, including without limitation the rights
    23. 

  23.  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    24. 

  24.  * copies of the Software, and to permit persons to whom the Software is
    25. 

  25.  * furnished to do so, subject to the following conditions:
    26. 

  26.  * 
    27. 

  27.  * The above copyright notice and this permission notice shall be included in
    28. 

  28.  * all copies or substantial portions of the Software.
    29. 

  29.  * 
    30. 

  30.  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    31. 

  31.  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    32. 

  32.  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    33. 

  33.  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    34. 

  34.  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    35. 

  35.  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
    36. 

  36.  * THE SOFTWARE.
    37. 

  37.  *
    38. 

  38.  * @category   File
    39. 

  39.  * @package    File_X509
    40. 

  40.  * @author     Jim Wigginton <terrafrost@php.net>
    41. 

  41.  * @copyright  MMXII Jim Wigginton
    42. 

  42.  * @license    http://www.opensource.org/licenses/mit-license.html  MIT License
    43. 

  43.  * @link       http://phpseclib.sourceforge.net
    44. 

  44.  */
    45. 

  45. 

  46. /**
    47. 

  47.  * Include File_ASN1
    48. 

  48.  */
    49. 

  49. if (!class_exists('File_ASN1')) {
    50. 

  50.     require_once('ASN1.php');
    51. 

  51. }
    52. 

  52. 

  53. /**
    54. 

  54.  * Flag to only accept signatures signed by certificate authorities
    55. 

  55.  *
    56. 

  56.  * Not really used anymore but retained all the same to suppress E_NOTICEs from old installs
    57. 

  57.  *
    58. 

  58.  * @access public
    59. 

  59.  */
    60. 

  60. define('FILE_X509_VALIDATE_SIGNATURE_BY_CA', 1);
    61. 

  61. 

  62. /**#@+
    63. 

  63.  * @access public
    64. 

  64.  * @see File_X509::getDN()
    65. 

  65.  */
    66. 

  66. /**
    67. 

  67.  * Return internal array representation
    68. 

  68.  */
    69. 

  69. define('FILE_X509_DN_ARRAY', 0);
    70. 

  70. /**
    71. 

  71.  * Return string
    72. 

  72.  */
    73. 

  73. define('FILE_X509_DN_STRING', 1);
    74. 

  74. /**
    75. 

  75.  * Return ASN.1 name string
    76. 

  76.  */
    77. 

  77. define('FILE_X509_DN_ASN1', 2);
    78. 

  78. /**
    79. 

  79.  * Return OpenSSL compatible array
    80. 

  80.  */
    81. 

  81. define('FILE_X509_DN_OPENSSL', 3);
    82. 

  82. /**
    83. 

  83.  * Return canonical ASN.1 RDNs string
    84. 

  84.  */
    85. 

  85. define('FILE_X509_DN_CANON', 4);
    86. 

  86. /**
    87. 

  87.  * Return name hash for file indexing
    88. 

  88.  */
    89. 

  89. define('FILE_X509_DN_HASH', 5);
    90. 

  90. /**#@-*/
    91. 

  91. 

  92. /**#@+
    93. 

  93.  * @access public
    94. 

  94.  * @see File_X509::saveX509()
    95. 

  95.  * @see File_X509::saveCSR()
    96. 

  96.  * @see File_X509::saveCRL()
    97. 

  97.  */
    98. 

  98. /**
    99. 

  99.  * Save as PEM
    100. 

  100.  *
    101. 

  101.  * ie. a base64-encoded PEM with a header and a footer
    102. 

  102.  */
    103. 

  103. define('FILE_X509_FORMAT_PEM', 0);
    104. 

  104. /**
    105. 

  105.  * Save as DER
    106. 

  106.  */
    107. 

  107. define('FILE_X509_FORMAT_DER', 1);
    108. 

  108. /**
    109. 

  109.  * Save as a SPKAC
    110. 

  110.  *
    111. 

  111.  * Only works on CSRs. Not currently supported.
    112. 

  112.  */
    113. 

  113. define('FILE_X509_FORMAT_SPKAC', 2);
    114. 

  114. /**#@-*/
    115. 

  115. 

  116. /**
    117. 

  117.  * Attribute value disposition.
    118. 

  118.  * If disposition is >= 0, this is the index of the target value.
    119. 

  119.  */
    120. 

  120. define('FILE_X509_ATTR_ALL', -1); // All attribute values (array).
    121. 

  121. define('FILE_X509_ATTR_APPEND', -2); // Add a value.
    122. 

  122. define('FILE_X509_ATTR_REPLACE', -3); // Clear first, then add a value.
    123. 

  123. 

  124. /**
    125. 

  125.  * Pure-PHP X.509 Parser
    126. 

  126.  *
    127. 

  127.  * @author  Jim Wigginton <terrafrost@php.net>
    128. 

  128.  * @version 0.3.1
    129. 

  129.  * @access  public
    130. 

  130.  * @package File_X509
    131. 

  131.  */
    132. 

  132. class File_X509 {
    133. 

  133.     /**
    134. 

  134.      * ASN.1 syntax for X.509 certificates
    135. 

  135.      *
    136. 

  136.      * @var Array
    137. 

  137.      * @access private
    138. 

  138.      */
    139. 

  139.     var $Certificate;
    140. 

  140. 

  141.     /**#@+
    142. 

  142.      * ASN.1 syntax for various extensions
    143. 

  143.      *
    144. 

  144.      * @access private
    145. 

  145.      */
    146. 

  146.     var $DirectoryString;
    147. 

  147.     var $PKCS9String;
    148. 

  148.     var $AttributeValue;
    149. 

  149.     var $Extensions;
    150. 

  150.     var $KeyUsage;
    151. 

  151.     var $ExtKeyUsageSyntax;
    152. 

  152.     var $BasicConstraints;
    153. 

  153.     var $KeyIdentifier;
    154. 

  154.     var $CRLDistributionPoints;
    155. 

  155.     var $AuthorityKeyIdentifier;
    156. 

  156.     var $CertificatePolicies;
    157. 

  157.     var $AuthorityInfoAccessSyntax;
    158. 

  158.     var $SubjectAltName;
    159. 

  159.     var $PrivateKeyUsagePeriod;
    160. 

  160.     var $IssuerAltName;
    161. 

  161.     var $PolicyMappings;
    162. 

  162.     var $NameConstraints;
    163. 

  163. 

  164.     var $CPSuri;
    165. 

  165.     var $UserNotice;
    166. 

  166. 

  167.     var $netscape_cert_type;
    168. 

  168.     var $netscape_comment;
    169. 

  169.     var $netscape_ca_policy_url;
    170. 

  170. 

  171.     var $Name;
    172. 

  172.     var $RelativeDistinguishedName;
    173. 

  173.     var $CRLNumber;
    174. 

  174.     var $CRLReason;
    175. 

  175.     var $IssuingDistributionPoint;
    176. 

  176.     var $InvalidityDate;
    177. 

  177.     var $CertificateIssuer;
    178. 

  178.     var $HoldInstructionCode;
    179. 

  179.     var $SignedPublicKeyAndChallenge;
    180. 

  180.     /**#@-*/
    181. 

  181. 

  182.     /**
    183. 

  183.      * ASN.1 syntax for Certificate Signing Requests (RFC2986)
    184. 

  184.      *
    185. 

  185.      * @var Array
    186. 

  186.      * @access private
    187. 

  187.      */
    188. 

  188.     var $CertificationRequest;
    189. 

  189. 

  190.     /**
    191. 

  191.      * ASN.1 syntax for Certificate Revocation Lists (RFC5280)
    192. 

  192.      *
    193. 

  193.      * @var Array
    194. 

  194.      * @access private
    195. 

  195.      */
    196. 

  196.     var $CertificateList;
    197. 

  197. 

  198.     /**
    199. 

  199.      * Distinguished Name
    200. 

  200.      *
    201. 

  201.      * @var Array
    202. 

  202.      * @access private
    203. 

  203.      */
    204. 

  204.     var $dn;
    205. 

  205. 

  206.     /**
    207. 

  207.      * Public key
    208. 

  208.      *
    209. 

  209.      * @var String
    210. 

  210.      * @access private
    211. 

  211.      */
    212. 

  212.     var $publicKey;
    213. 

  213. 

  214.     /**
    215. 

  215.      * Private key
    216. 

  216.      *
    217. 

  217.      * @var String
    218. 

  218.      * @access private
    219. 

  219.      */
    220. 

  220.     var $privateKey;
    221. 

  221. 

  222.     /**
    223. 

  223.      * Object identifiers for X.509 certificates
    224. 

  224.      *
    225. 

  225.      * @var Array
    226. 

  226.      * @access private
    227. 

  227.      * @link http://en.wikipedia.org/wiki/Object_identifier
    228. 

  228.      */
    229. 

  229.     var $oids;
    230. 

  230. 

  231.     /**
    232. 

  232.      * The certificate authorities
    233. 

  233.      *
    234. 

  234.      * @var Array
    235. 

  235.      * @access private
    236. 

  236.      */
    237. 

  237.     var $CAs;
    238. 

  238. 

  239.     /**
    240. 

  240.      * The currently loaded certificate
    241. 

  241.      *
    242. 

  242.      * @var Array
    243. 

  243.      * @access private
    244. 

  244.      */
    245. 

  245.     var $currentCert;
    246. 

  246. 

  247.     /**
    248. 

  248.      * The signature subject
    249. 

  249.      *
    250. 

  250.      * There's no guarantee File_X509 is going to reencode an X.509 cert in the same way it was originally
    251. 

  251.      * encoded so we take save the portion of the original cert that the signature would have made for. 
    252. 

  252.      *
    253. 

  253.      * @var String
    254. 

  254.      * @access private
    255. 

  255.      */
    256. 

  256.     var $signatureSubject;
    257. 

  257. 

  258.     /**
    259. 

  259.      * Certificate Start Date
    260. 

  260.      *
    261. 

  261.      * @var String
    262. 

  262.      * @access private
    263. 

  263.      */
    264. 

  264.     var $startDate;
    265. 

  265. 

  266.     /**
    267. 

  267.      * Certificate End Date
    268. 

  268.      *
    269. 

  269.      * @var String
    270. 

  270.      * @access private
    271. 

  271.      */
    272. 

  272.     var $endDate;
    273. 

  273. 

  274.     /**
    275. 

  275.      * Serial Number
    276. 

  276.      *
    277. 

  277.      * @var String
    278. 

  278.      * @access private
    279. 

  279.      */
    280. 

  280.     var $serialNumber;
    281. 

  281. 

  282.     /**
    283. 

  283.      * Key Identifier
    284. 

  284.      *
    285. 

  285.      * See {@link http://tools.ietf.org/html/rfc5280#section-4.2.1.1 RFC5280#section-4.2.1.1} and
    286. 

  286.      * {@link http://tools.ietf.org/html/rfc5280#section-4.2.1.2 RFC5280#section-4.2.1.2}.
    287. 

  287.      *
    288. 

  288.      * @var String
    289. 

  289.      * @access private
    290. 

  290.      */
    291. 

  291.     var $currentKeyIdentifier;
    292. 

  292. 

  293.     /**
    294. 

  294.      * CA Flag
    295. 

  295.      *
    296. 

  296.      * @var Boolean
    297. 

  297.      * @access private
    298. 

  298.      */
    299. 

  299.     var $caFlag = false;
    300. 

  300. 

  301.     /**
    302. 

  302.      * Default Constructor.
    303. 

  303.      *
    304. 

  304.      * @return File_X509
    305. 

  305.      * @access public
    306. 

  306.      */
    307. 

  307.     function File_X509()
    308. 

  308.     {
    309. 

  309.         // Explicitly Tagged Module, 1988 Syntax
    310. 

  310.         // http://tools.ietf.org/html/rfc5280#appendix-A.1
    311. 

  311. 

  312.         $this->DirectoryString = array(
    313. 

  313.             'type'     => FILE_ASN1_TYPE_CHOICE,
    314. 

  314.             'children' => array(
    315. 

  315.                 'teletexString'   => array('type' => FILE_ASN1_TYPE_TELETEX_STRING),
    316. 

  316.                 'printableString' => array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING),
    317. 

  317.                 'universalString' => array('type' => FILE_ASN1_TYPE_UNIVERSAL_STRING),
    318. 

  318.                 'utf8String'      => array('type' => FILE_ASN1_TYPE_UTF8_STRING),
    319. 

  319.                 'bmpString'       => array('type' => FILE_ASN1_TYPE_BMP_STRING)
    320. 

  320.             )
    321. 

  321.         );
    322. 

  322. 

  323.         $this->PKCS9String = array(
    324. 

  324.             'type'     => FILE_ASN1_TYPE_CHOICE,
    325. 

  325.             'children' => array(
    326. 

  326.                 'ia5String'       => array('type' => FILE_ASN1_TYPE_IA5_STRING),
    327. 

  327.                 'directoryString' => $this->DirectoryString
    328. 

  328.             )
    329. 

  329.         );
    330. 

  330. 

  331.         $this->AttributeValue = array('type' => FILE_ASN1_TYPE_ANY);
    332. 

  332. 

  333.         $AttributeType = array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER);
    334. 

  334. 

  335.         $AttributeTypeAndValue = array(
    336. 

  336.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    337. 

  337.             'children' => array(
    338. 

  338.                 'type' => $AttributeType,
    339. 

  339.                 'value'=> $this->AttributeValue
    340. 

  340.             )
    341. 

  341.         );
    342. 

  342. 

  343.         /*
    344. 

  344.         In practice, RDNs containing multiple name-value pairs (called "multivalued RDNs") are rare,
    345. 

  345.         but they can be useful at times when either there is no unique attribute in the entry or you
    346. 

  346.         want to ensure that the entry's DN contains some useful identifying information.
    347. 

  347. 

  348.         - https://www.opends.org/wiki/page/DefinitionRelativeDistinguishedName
    349. 

  349.         */
    350. 

  350.         $this->RelativeDistinguishedName = array(
    351. 

  351.             'type'     => FILE_ASN1_TYPE_SET,
    352. 

  352.             'min'      => 1,
    353. 

  353.             'max'      => -1,
    354. 

  354.             'children' => $AttributeTypeAndValue
    355. 

  355.         );
    356. 

  356. 

  357.         // http://tools.ietf.org/html/rfc5280#section-4.1.2.4
    358. 

  358.         $RDNSequence = array(
    359. 

  359.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    360. 

  360.             // RDNSequence does not define a min or a max, which means it doesn't have one
    361. 

  361.             'min'      => 0,
    362. 

  362.             'max'      => -1,
    363. 

  363.             'children' => $this->RelativeDistinguishedName
    364. 

  364.         );
    365. 

  365. 

  366.         $this->Name = array(
    367. 

  367.             'type'     => FILE_ASN1_TYPE_CHOICE,
    368. 

  368.             'children' => array(
    369. 

  369.                 'rdnSequence' => $RDNSequence
    370. 

  370.             )
    371. 

  371.         );
    372. 

  372. 

  373.         // http://tools.ietf.org/html/rfc5280#section-4.1.1.2
    374. 

  374.         $AlgorithmIdentifier = array(
    375. 

  375.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    376. 

  376.             'children' => array(
    377. 

  377.                 'algorithm'  => array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER),
    378. 

  378.                 'parameters' => array(
    379. 

  379.                                     'type'     => FILE_ASN1_TYPE_ANY,
    380. 

  380.                                     'optional' => true
    381. 

  381.                                 )
    382. 

  382.             )
    383. 

  383.         );
    384. 

  384. 

  385.         /*
    386. 

  386.            A certificate using system MUST reject the certificate if it encounters
    387. 

  387.            a critical extension it does not recognize; however, a non-critical
    388. 

  388.            extension may be ignored if it is not recognized.
    389. 

  389. 

  390.            http://tools.ietf.org/html/rfc5280#section-4.2
    391. 

  391.         */
    392. 

  392.         $Extension = array(
    393. 

  393.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    394. 

  394.             'children' => array(
    395. 

  395.                 'extnId'   => array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER),
    396. 

  396.                 'critical' => array(
    397. 

  397.                                   'type'     => FILE_ASN1_TYPE_BOOLEAN,
    398. 

  398.                                   'optional' => true,
    399. 

  399.                                   'default'  => false
    400. 

  400.                               ),
    401. 

  401.                 'extnValue' => array('type' => FILE_ASN1_TYPE_OCTET_STRING)
    402. 

  402.             )
    403. 

  403.         );
    404. 

  404. 

  405.         $this->Extensions = array(
    406. 

  406.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    407. 

  407.             'min'      => 1,
    408. 

  408.             // technically, it's MAX, but we'll assume anything < 0 is MAX
    409. 

  409.             'max'      => -1,
    410. 

  410.             // if 'children' isn't an array then 'min' and 'max' must be defined
    411. 

  411.             'children' => $Extension
    412. 

  412.         );
    413. 

  413. 

  414.         $SubjectPublicKeyInfo = array(
    415. 

  415.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    416. 

  416.             'children' => array(
    417. 

  417.                 'algorithm'        => $AlgorithmIdentifier,
    418. 

  418.                 'subjectPublicKey' => array('type' => FILE_ASN1_TYPE_BIT_STRING)
    419. 

  419.             )
    420. 

  420.         );
    421. 

  421. 

  422.         $UniqueIdentifier = array('type' => FILE_ASN1_TYPE_BIT_STRING);
    423. 

  423. 

  424.         $Time = array(
    425. 

  425.             'type'     => FILE_ASN1_TYPE_CHOICE,
    426. 

  426.             'children' => array(
    427. 

  427.                 'utcTime'     => array('type' => FILE_ASN1_TYPE_UTC_TIME),
    428. 

  428.                 'generalTime' => array('type' => FILE_ASN1_TYPE_GENERALIZED_TIME)
    429. 

  429.             )
    430. 

  430.         );
    431. 

  431. 

  432.         // http://tools.ietf.org/html/rfc5280#section-4.1.2.5
    433. 

  433.         $Validity = array(
    434. 

  434.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    435. 

  435.             'children' => array(
    436. 

  436.                 'notBefore' => $Time,
    437. 

  437.                 'notAfter'  => $Time
    438. 

  438.             )
    439. 

  439.         );
    440. 

  440. 

  441.         $CertificateSerialNumber = array('type' => FILE_ASN1_TYPE_INTEGER);
    442. 

  442. 

  443.         $Version = array(
    444. 

  444.             'type'    => FILE_ASN1_TYPE_INTEGER,
    445. 

  445.             'mapping' => array('v1', 'v2', 'v3')
    446. 

  446.         );
    447. 

  447. 

  448.         // assert($TBSCertificate['children']['signature'] == $Certificate['children']['signatureAlgorithm'])
    449. 

  449.         $TBSCertificate = array(
    450. 

  450.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    451. 

  451.             'children' => array(
    452. 

  452.                 // technically, default implies optional, but we'll define it as being optional, none-the-less, just to
    453. 

  453.                 // reenforce that fact
    454. 

  454.                 'version'             => array(
    455. 

  455.                                              'constant' => 0,
    456. 

  456.                                              'optional' => true,
    457. 

  457.                                              'explicit' => true,
    458. 

  458.                                              'default'  => 'v1'
    459. 

  459.                                          ) + $Version,
    460. 

  460.                 'serialNumber'         => $CertificateSerialNumber,
    461. 

  461.                 'signature'            => $AlgorithmIdentifier,
    462. 

  462.                 'issuer'               => $this->Name,
    463. 

  463.                 'validity'             => $Validity,
    464. 

  464.                 'subject'              => $this->Name,
    465. 

  465.                 'subjectPublicKeyInfo' => $SubjectPublicKeyInfo,
    466. 

  466.                 // implicit means that the T in the TLV structure is to be rewritten, regardless of the type
    467. 

  467.                 'issuerUniqueID'       => array(
    468. 

  468.                                                'constant' => 1,
    469. 

  469.                                                'optional' => true,
    470. 

  470.                                                'implicit' => true
    471. 

  471.                                            ) + $UniqueIdentifier,
    472. 

  472.                 'subjectUniqueID'       => array(
    473. 

  473.                                                'constant' => 2,
    474. 

  474.                                                'optional' => true,
    475. 

  475.                                                'implicit' => true
    476. 

  476.                                            ) + $UniqueIdentifier,
    477. 

  477.                 // <http://tools.ietf.org/html/rfc2459#page-74> doesn't use the EXPLICIT keyword but if
    478. 

  478.                 // it's not IMPLICIT, it's EXPLICIT
    479. 

  479.                 'extensions'            => array(
    480. 

  480.                                                'constant' => 3,
    481. 

  481.                                                'optional' => true,
    482. 

  482.                                                'explicit' => true
    483. 

  483.                                            ) + $this->Extensions
    484. 

  484.             )
    485. 

  485.         );
    486. 

  486. 

  487.         $this->Certificate = array(
    488. 

  488.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    489. 

  489.             'children' => array(
    490. 

  490.                  'tbsCertificate'     => $TBSCertificate,
    491. 

  491.                  'signatureAlgorithm' => $AlgorithmIdentifier,
    492. 

  492.                  'signature'          => array('type' => FILE_ASN1_TYPE_BIT_STRING)
    493. 

  493.             )
    494. 

  494.         );
    495. 

  495. 

  496.         $this->KeyUsage = array(
    497. 

  497.             'type'    => FILE_ASN1_TYPE_BIT_STRING,
    498. 

  498.             'mapping' => array(
    499. 

  499.                 'digitalSignature',
    500. 

  500.                 'nonRepudiation',
    501. 

  501.                 'keyEncipherment',
    502. 

  502.                 'dataEncipherment',
    503. 

  503.                 'keyAgreement',
    504. 

  504.                 'keyCertSign',
    505. 

  505.                 'cRLSign',
    506. 

  506.                 'encipherOnly',
    507. 

  507.                 'decipherOnly'
    508. 

  508.             )
    509. 

  509.         );
    510. 

  510. 

  511.         $this->BasicConstraints = array(
    512. 

  512.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    513. 

  513.             'children' => array(
    514. 

  514.                 'cA'                => array(
    515. 

  515.                                                  'type'     => FILE_ASN1_TYPE_BOOLEAN,
    516. 

  516.                                                  'optional' => true,
    517. 

  517.                                                  'default'  => false
    518. 

  518.                                        ),
    519. 

  519.                 'pathLenConstraint' => array(
    520. 

  520.                                                  'type' => FILE_ASN1_TYPE_INTEGER,
    521. 

  521.                                                  'optional' => true
    522. 

  522.                                        )
    523. 

  523.             )
    524. 

  524.         );
    525. 

  525. 

  526.         $this->KeyIdentifier = array('type' => FILE_ASN1_TYPE_OCTET_STRING);
    527. 

  527. 

  528.         $OrganizationalUnitNames = array(
    529. 

  529.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    530. 

  530.             'min'      => 1,
    531. 

  531.             'max'      => 4, // ub-organizational-units
    532. 

  532.             'children' => array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING)
    533. 

  533.         );
    534. 

  534. 

  535.         $PersonalName = array(
    536. 

  536.             'type'     => FILE_ASN1_TYPE_SET,
    537. 

  537.             'children' => array(
    538. 

  538.                 'surname'              => array(
    539. 

  539.                                            'type' => FILE_ASN1_TYPE_PRINTABLE_STRING,
    540. 

  540.                                            'constant' => 0,
    541. 

  541.                                            'optional' => true,
    542. 

  542.                                            'implicit' => true
    543. 

  543.                                          ),
    544. 

  544.                 'given-name'           => array(
    545. 

  545.                                            'type' => FILE_ASN1_TYPE_PRINTABLE_STRING,
    546. 

  546.                                            'constant' => 1,
    547. 

  547.                                            'optional' => true,
    548. 

  548.                                            'implicit' => true
    549. 

  549.                                          ),
    550. 

  550.                 'initials'             => array(
    551. 

  551.                                            'type' => FILE_ASN1_TYPE_PRINTABLE_STRING,
    552. 

  552.                                            'constant' => 2,
    553. 

  553.                                            'optional' => true,
    554. 

  554.                                            'implicit' => true
    555. 

  555.                                          ),
    556. 

  556.                 'generation-qualifier' => array(
    557. 

  557.                                            'type' => FILE_ASN1_TYPE_PRINTABLE_STRING,
    558. 

  558.                                            'constant' => 3,
    559. 

  559.                                            'optional' => true,
    560. 

  560.                                            'implicit' => true
    561. 

  561.                                          )
    562. 

  562.             )
    563. 

  563.         );
    564. 

  564. 

  565.         $NumericUserIdentifier = array('type' => FILE_ASN1_TYPE_NUMERIC_STRING);
    566. 

  566. 

  567.         $OrganizationName = array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING);
    568. 

  568. 

  569.         $PrivateDomainName = array(
    570. 

  570.             'type'     => FILE_ASN1_TYPE_CHOICE,
    571. 

  571.             'children' => array(
    572. 

  572.                 'numeric'   => array('type' => FILE_ASN1_TYPE_NUMERIC_STRING),
    573. 

  573.                 'printable' => array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING)
    574. 

  574.             )
    575. 

  575.         );
    576. 

  576. 

  577.         $TerminalIdentifier = array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING);
    578. 

  578. 

  579.         $NetworkAddress = array('type' => FILE_ASN1_TYPE_NUMERIC_STRING);
    580. 

  580. 

  581.         $AdministrationDomainName = array(
    582. 

  582.             'type'     => FILE_ASN1_TYPE_CHOICE,
    583. 

  583.             // if class isn't present it's assumed to be FILE_ASN1_CLASS_UNIVERSAL or
    584. 

  584.             // (if constant is present) FILE_ASN1_CLASS_CONTEXT_SPECIFIC
    585. 

  585.             'class'    => FILE_ASN1_CLASS_APPLICATION,
    586. 

  586.             'cast'     => 2,
    587. 

  587.             'children' => array(
    588. 

  588.                 'numeric'   => array('type' => FILE_ASN1_TYPE_NUMERIC_STRING),
    589. 

  589.                 'printable' => array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING)
    590. 

  590.             )
    591. 

  591.         );
    592. 

  592. 

  593.         $CountryName = array(
    594. 

  594.             'type'     => FILE_ASN1_TYPE_CHOICE,
    595. 

  595.             // if class isn't present it's assumed to be FILE_ASN1_CLASS_UNIVERSAL or
    596. 

  596.             // (if constant is present) FILE_ASN1_CLASS_CONTEXT_SPECIFIC
    597. 

  597.             'class'    => FILE_ASN1_CLASS_APPLICATION,
    598. 

  598.             'cast'     => 1,
    599. 

  599.             'children' => array(
    600. 

  600.                 'x121-dcc-code'        => array('type' => FILE_ASN1_TYPE_NUMERIC_STRING),
    601. 

  601.                 'iso-3166-alpha2-code' => array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING)
    602. 

  602.             )
    603. 

  603.         );
    604. 

  604. 

  605.         $AnotherName = array(
    606. 

  606.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    607. 

  607.             'children' => array(
    608. 

  608.                  'type-id' => array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER),
    609. 

  609.                  'value'   => array(
    610. 

  610.                                   'type' => FILE_ASN1_TYPE_ANY,
    611. 

  611.                                   'constant' => 0,
    612. 

  612.                                   'optional' => true,
    613. 

  613.                                   'explicit' => true
    614. 

  614.                               )
    615. 

  615.             )
    616. 

  616.         );
    617. 

  617. 

  618.         $ExtensionAttribute = array(
    619. 

  619.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    620. 

  620.             'children' => array(
    621. 

  621.                  'extension-attribute-type'  => array(
    622. 

  622.                                                     'type' => FILE_ASN1_TYPE_PRINTABLE_STRING,
    623. 

  623.                                                     'constant' => 0,
    624. 

  624.                                                     'optional' => true,
    625. 

  625.                                                     'implicit' => true
    626. 

  626.                                                 ),
    627. 

  627.                  'extension-attribute-value' => array(
    628. 

  628.                                                     'type' => FILE_ASN1_TYPE_ANY,
    629. 

  629.                                                     'constant' => 1,
    630. 

  630.                                                     'optional' => true,
    631. 

  631.                                                     'explicit' => true
    632. 

  632.                                                 )
    633. 

  633.             )
    634. 

  634.         );
    635. 

  635. 

  636.         $ExtensionAttributes = array(
    637. 

  637.             'type'     => FILE_ASN1_TYPE_SET,
    638. 

  638.             'min'      => 1,
    639. 

  639.             'max'      => 256, // ub-extension-attributes
    640. 

  640.             'children' => $ExtensionAttribute
    641. 

  641.         );
    642. 

  642. 

  643.         $BuiltInDomainDefinedAttribute = array(
    644. 

  644.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    645. 

  645.             'children' => array(
    646. 

  646.                  'type'  => array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING),
    647. 

  647.                  'value' => array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING)
    648. 

  648.             )
    649. 

  649.         );
    650. 

  650. 

  651.         $BuiltInDomainDefinedAttributes = array(
    652. 

  652.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    653. 

  653.             'min'      => 1,
    654. 

  654.             'max'      => 4, // ub-domain-defined-attributes
    655. 

  655.             'children' => $BuiltInDomainDefinedAttribute
    656. 

  656.         );
    657. 

  657. 

  658.         $BuiltInStandardAttributes =  array(
    659. 

  659.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    660. 

  660.             'children' => array(
    661. 

  661.                 'country-name'               => array('optional' => true) + $CountryName,
    662. 

  662.                 'administration-domain-name' => array('optional' => true) + $AdministrationDomainName,
    663. 

  663.                 'network-address'            => array(
    664. 

  664.                                                  'constant' => 0,
    665. 

  665.                                                  'optional' => true,
    666. 

  666.                                                  'implicit' => true
    667. 

  667.                                                ) + $NetworkAddress,
    668. 

  668.                 'terminal-identifier'        => array(
    669. 

  669.                                                  'constant' => 1,
    670. 

  670.                                                  'optional' => true,
    671. 

  671.                                                  'implicit' => true
    672. 

  672.                                                ) + $TerminalIdentifier,
    673. 

  673.                 'private-domain-name'        => array(
    674. 

  674.                                                  'constant' => 2,
    675. 

  675.                                                  'optional' => true,
    676. 

  676.                                                  'explicit' => true
    677. 

  677.                                                ) + $PrivateDomainName,
    678. 

  678.                 'organization-name'          => array(
    679. 

  679.                                                  'constant' => 3,
    680. 

  680.                                                  'optional' => true,
    681. 

  681.                                                  'implicit' => true
    682. 

  682.                                                ) + $OrganizationName,
    683. 

  683.                 'numeric-user-identifier'    => array(
    684. 

  684.                                                  'constant' => 4,
    685. 

  685.                                                  'optional' => true,
    686. 

  686.                                                  'implicit' => true
    687. 

  687.                                                ) + $NumericUserIdentifier,
    688. 

  688.                 'personal-name'              => array(
    689. 

  689.                                                  'constant' => 5,
    690. 

  690.                                                  'optional' => true,
    691. 

  691.                                                  'implicit' => true
    692. 

  692.                                                ) + $PersonalName,
    693. 

  693.                 'organizational-unit-names'  => array(
    694. 

  694.                                                  'constant' => 6,
    695. 

  695.                                                  'optional' => true,
    696. 

  696.                                                  'implicit' => true
    697. 

  697.                                                ) + $OrganizationalUnitNames
    698. 

  698.             )
    699. 

  699.         );
    700. 

  700. 

  701.         $ORAddress = array(
    702. 

  702.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    703. 

  703.             'children' => array(
    704. 

  704.                  'built-in-standard-attributes'       => $BuiltInStandardAttributes,
    705. 

  705.                  'built-in-domain-defined-attributes' => array('optional' => true) + $BuiltInDomainDefinedAttributes,
    706. 

  706.                  'extension-attributes'               => array('optional' => true) + $ExtensionAttributes
    707. 

  707.             )
    708. 

  708.         );
    709. 

  709. 

  710.         $EDIPartyName = array(
    711. 

  711.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    712. 

  712.             'children' => array(
    713. 

  713.                  'nameAssigner' => array(
    714. 

  714.                                     'constant' => 0,
    715. 

  715.                                     'optional' => true,
    716. 

  716.                                     'implicit' => true
    717. 

  717.                                 ) + $this->DirectoryString,
    718. 

  718.                  // partyName is technically required but File_ASN1 doesn't currently support non-optional constants and
    719. 

  719.                  // setting it to optional gets the job done in any event.
    720. 

  720.                  'partyName'    => array(
    721. 

  721.                                     'constant' => 1,
    722. 

  722.                                     'optional' => true,
    723. 

  723.                                     'implicit' => true
    724. 

  724.                                 ) + $this->DirectoryString
    725. 

  725.             )
    726. 

  726.         );
    727. 

  727. 

  728.         $GeneralName = array(
    729. 

  729.             'type'     => FILE_ASN1_TYPE_CHOICE,
    730. 

  730.             'children' => array(
    731. 

  731.                 'otherName'                 => array(
    732. 

  732.                                                  'constant' => 0,
    733. 

  733.                                                  'optional' => true,
    734. 

  734.                                                  'implicit' => true
    735. 

  735.                                                ) + $AnotherName,
    736. 

  736.                 'rfc822Name'                => array(
    737. 

  737.                                                  'type' => FILE_ASN1_TYPE_IA5_STRING,
    738. 

  738.                                                  'constant' => 1,
    739. 

  739.                                                  'optional' => true,
    740. 

  740.                                                  'implicit' => true
    741. 

  741.                                                ),
    742. 

  742.                 'dNSName'                   => array(
    743. 

  743.                                                  'type' => FILE_ASN1_TYPE_IA5_STRING,
    744. 

  744.                                                  'constant' => 2,
    745. 

  745.                                                  'optional' => true,
    746. 

  746.                                                  'implicit' => true
    747. 

  747.                                                ),
    748. 

  748.                 'x400Address'               => array(
    749. 

  749.                                                  'constant' => 3,
    750. 

  750.                                                  'optional' => true,
    751. 

  751.                                                  'implicit' => true
    752. 

  752.                                                ) + $ORAddress,
    753. 

  753.                 'directoryName'             => array(
    754. 

  754.                                                  'constant' => 4,
    755. 

  755.                                                  'optional' => true,
    756. 

  756.                                                  'explicit' => true
    757. 

  757.                                                ) + $this->Name,
    758. 

  758.                 'ediPartyName'              => array(
    759. 

  759.                                                  'constant' => 5,
    760. 

  760.                                                  'optional' => true,
    761. 

  761.                                                  'implicit' => true
    762. 

  762.                                                ) + $EDIPartyName,
    763. 

  763.                 'uniformResourceIdentifier' => array(
    764. 

  764.                                                  'type' => FILE_ASN1_TYPE_IA5_STRING,
    765. 

  765.                                                  'constant' => 6,
    766. 

  766.                                                  'optional' => true,
    767. 

  767.                                                  'implicit' => true
    768. 

  768.                                                ),
    769. 

  769.                 'iPAddress'                 => array(
    770. 

  770.                                                  'type' => FILE_ASN1_TYPE_OCTET_STRING,
    771. 

  771.                                                  'constant' => 7,
    772. 

  772.                                                  'optional' => true,
    773. 

  773.                                                  'implicit' => true
    774. 

  774.                                                ),
    775. 

  775.                 'registeredID'              => array(
    776. 

  776.                                                  'type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER,
    777. 

  777.                                                  'constant' => 8,
    778. 

  778.                                                  'optional' => true,
    779. 

  779.                                                  'implicit' => true
    780. 

  780.                                                )
    781. 

  781.             )
    782. 

  782.         );
    783. 

  783. 

  784.         $GeneralNames = array(
    785. 

  785.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    786. 

  786.             'min'      => 1,
    787. 

  787.             'max'      => -1,
    788. 

  788.             'children' => $GeneralName
    789. 

  789.         );
    790. 

  790. 

  791.         $this->IssuerAltName = $GeneralNames;
    792. 

  792. 

  793.         $ReasonFlags = array(
    794. 

  794.             'type'    => FILE_ASN1_TYPE_BIT_STRING,
    795. 

  795.             'mapping' => array(
    796. 

  796.                 'unused',
    797. 

  797.                 'keyCompromise',
    798. 

  798.                 'cACompromise',
    799. 

  799.                 'affiliationChanged',
    800. 

  800.                 'superseded',
    801. 

  801.                 'cessationOfOperation',
    802. 

  802.                 'certificateHold',
    803. 

  803.                 'privilegeWithdrawn',
    804. 

  804.                 'aACompromise'
    805. 

  805.             )
    806. 

  806.         );
    807. 

  807. 

  808.         $DistributionPointName = array(
    809. 

  809.             'type'     => FILE_ASN1_TYPE_CHOICE,
    810. 

  810.             'children' => array(
    811. 

  811.                 'fullName'                => array(
    812. 

  812.                                                  'constant' => 0,
    813. 

  813.                                                  'optional' => true,
    814. 

  814.                                                  'implicit' => true
    815. 

  815.                                        ) + $GeneralNames,
    816. 

  816.                 'nameRelativeToCRLIssuer' => array(
    817. 

  817.                                                  'constant' => 1,
    818. 

  818.                                                  'optional' => true,
    819. 

  819.                                                  'implicit' => true
    820. 

  820.                                        ) + $this->RelativeDistinguishedName
    821. 

  821.             )
    822. 

  822.         );
    823. 

  823. 

  824.         $DistributionPoint = array(
    825. 

  825.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    826. 

  826.             'children' => array(
    827. 

  827.                 'distributionPoint' => array(
    828. 

  828.                                                  'constant' => 0,
    829. 

  829.                                                  'optional' => true,
    830. 

  830.                                                  'explicit' => true
    831. 

  831.                                        ) + $DistributionPointName,
    832. 

  832.                 'reasons'           => array(
    833. 

  833.                                                  'constant' => 1,
    834. 

  834.                                                  'optional' => true,
    835. 

  835.                                                  'implicit' => true
    836. 

  836.                                        ) + $ReasonFlags,
    837. 

  837.                 'cRLIssuer'         => array(
    838. 

  838.                                                  'constant' => 2,
    839. 

  839.                                                  'optional' => true,
    840. 

  840.                                                  'implicit' => true
    841. 

  841.                                        ) + $GeneralNames
    842. 

  842.             )
    843. 

  843.         );
    844. 

  844. 

  845.         $this->CRLDistributionPoints = array(
    846. 

  846.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    847. 

  847.             'min'      => 1,
    848. 

  848.             'max'      => -1,
    849. 

  849.             'children' => $DistributionPoint
    850. 

  850.         );
    851. 

  851. 

  852.         $this->AuthorityKeyIdentifier = array(
    853. 

  853.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    854. 

  854.             'children' => array(
    855. 

  855.                 'keyIdentifier'             => array(
    856. 

  856.                                                  'constant' => 0,
    857. 

  857.                                                  'optional' => true,
    858. 

  858.                                                  'implicit' => true
    859. 

  859.                                                ) + $this->KeyIdentifier,
    860. 

  860.                 'authorityCertIssuer'       => array(
    861. 

  861.                                                  'constant' => 1,
    862. 

  862.                                                  'optional' => true,
    863. 

  863.                                                  'implicit' => true
    864. 

  864.                                                ) + $GeneralNames,
    865. 

  865.                 'authorityCertSerialNumber' => array(
    866. 

  866.                                                  'constant' => 2,
    867. 

  867.                                                  'optional' => true,
    868. 

  868.                                                  'implicit' => true
    869. 

  869.                                                ) + $CertificateSerialNumber
    870. 

  870.             )
    871. 

  871.         );
    872. 

  872. 

  873.         $PolicyQualifierId = array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER);
    874. 

  874. 

  875.         $PolicyQualifierInfo = array(
    876. 

  876.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    877. 

  877.             'children' => array(
    878. 

  878.                 'policyQualifierId' => $PolicyQualifierId,
    879. 

  879.                 'qualifier'         => array('type' => FILE_ASN1_TYPE_ANY)
    880. 

  880.             )
    881. 

  881.         );
    882. 

  882. 

  883.         $CertPolicyId = array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER);
    884. 

  884. 

  885.         $PolicyInformation = array(
    886. 

  886.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    887. 

  887.             'children' => array(
    888. 

  888.                 'policyIdentifier' => $CertPolicyId,
    889. 

  889.                 'policyQualifiers' => array(
    890. 

  890.                                           'type'     => FILE_ASN1_TYPE_SEQUENCE,
    891. 

  891.                                           'min'      => 0,
    892. 

  892.                                           'max'      => -1,
    893. 

  893.                                           'optional' => true,
    894. 

  894.                                           'children' => $PolicyQualifierInfo
    895. 

  895.                                       )
    896. 

  896.             )
    897. 

  897.         );
    898. 

  898. 

  899.         $this->CertificatePolicies = array(
    900. 

  900.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    901. 

  901.             'min'      => 1,
    902. 

  902.             'max'      => -1,
    903. 

  903.             'children' => $PolicyInformation
    904. 

  904.         );
    905. 

  905. 

  906.         $this->PolicyMappings = array(
    907. 

  907.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    908. 

  908.             'min'      => 1,
    909. 

  909.             'max'      => -1,
    910. 

  910.             'children' => array(
    911. 

  911.                               'type'     => FILE_ASN1_TYPE_SEQUENCE,
    912. 

  912.                               'children' => array(
    913. 

  913.                                   'issuerDomainPolicy' => $CertPolicyId,
    914. 

  914.                                   'subjectDomainPolicy' => $CertPolicyId
    915. 

  915.                               )
    916. 

  916.                        )
    917. 

  917.         );
    918. 

  918. 

  919.         $KeyPurposeId = array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER);
    920. 

  920. 

  921.         $this->ExtKeyUsageSyntax = array(
    922. 

  922.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    923. 

  923.             'min'      => 1,
    924. 

  924.             'max'      => -1,
    925. 

  925.             'children' => $KeyPurposeId
    926. 

  926.         );
    927. 

  927. 

  928.         $AccessDescription = array(
    929. 

  929.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    930. 

  930.             'children' => array(
    931. 

  931.                 'accessMethod'   => array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER),
    932. 

  932.                 'accessLocation' => $GeneralName
    933. 

  933.             )
    934. 

  934.         );
    935. 

  935. 

  936.         $this->AuthorityInfoAccessSyntax = array(
    937. 

  937.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    938. 

  938.             'min'      => 1,
    939. 

  939.             'max'      => -1,
    940. 

  940.             'children' => $AccessDescription
    941. 

  941.         );
    942. 

  942. 

  943.         $this->SubjectAltName = $GeneralNames;
    944. 

  944. 

  945.         $this->PrivateKeyUsagePeriod = array(
    946. 

  946.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    947. 

  947.             'children' => array(
    948. 

  948.                 'notBefore' => array(
    949. 

  949.                                                  'constant' => 0,
    950. 

  950.                                                  'optional' => true,
    951. 

  951.                                                  'implicit' => true,
    952. 

  952.                                                  'type' => FILE_ASN1_TYPE_GENERALIZED_TIME),
    953. 

  953.                 'notAfter'  => array(
    954. 

  954.                                                  'constant' => 1,
    955. 

  955.                                                  'optional' => true,
    956. 

  956.                                                  'implicit' => true,
    957. 

  957.                                                  'type' => FILE_ASN1_TYPE_GENERALIZED_TIME)
    958. 

  958.             )
    959. 

  959.         );
    960. 

  960. 

  961.         $BaseDistance = array('type' => FILE_ASN1_TYPE_INTEGER);
    962. 

  962. 

  963.         $GeneralSubtree = array(
    964. 

  964.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    965. 

  965.             'children' => array(
    966. 

  966.                 'base'    => $GeneralName,
    967. 

  967.                 'minimum' => array(
    968. 

  968.                                  'constant' => 0,
    969. 

  969.                                  'optional' => true,
    970. 

  970.                                  'implicit' => true,
    971. 

  971.                                  'default' => new Math_BigInteger(0)
    972. 

  972.                              ) + $BaseDistance,
    973. 

  973.                 'maximum' => array(
    974. 

  974.                                  'constant' => 1,
    975. 

  975.                                  'optional' => true,
    976. 

  976.                                  'implicit' => true,
    977. 

  977.                              ) + $BaseDistance
    978. 

  978.             )
    979. 

  979.         );
    980. 

  980. 

  981.         $GeneralSubtrees = array(
    982. 

  982.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    983. 

  983.             'min'      => 1,
    984. 

  984.             'max'      => -1,
    985. 

  985.             'children' => $GeneralSubtree
    986. 

  986.         );
    987. 

  987. 

  988.         $this->NameConstraints = array(
    989. 

  989.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    990. 

  990.             'children' => array(
    991. 

  991.                 'permittedSubtrees' => array(
    992. 

  992.                                            'constant' => 0,
    993. 

  993.                                            'optional' => true,
    994. 

  994.                                            'implicit' => true
    995. 

  995.                                        ) + $GeneralSubtrees,
    996. 

  996.                 'excludedSubtrees'  => array(
    997. 

  997.                                            'constant' => 1,
    998. 

  998.                                            'optional' => true,
    999. 

  999.                                            'implicit' => true
    1000. 

  1000.                                        ) + $GeneralSubtrees
    1001. 

  1001.             )
    1002. 

  1002.         );
    1003. 

  1003. 

  1004.         $this->CPSuri = array('type' => FILE_ASN1_TYPE_IA5_STRING);
    1005. 

  1005. 

  1006.         $DisplayText = array(
    1007. 

  1007.             'type'     => FILE_ASN1_TYPE_CHOICE,
    1008. 

  1008.             'children' => array(
    1009. 

  1009.                 'ia5String'     => array('type' => FILE_ASN1_TYPE_IA5_STRING),
    1010. 

  1010.                 'visibleString' => array('type' => FILE_ASN1_TYPE_VISIBLE_STRING),
    1011. 

  1011.                 'bmpString'     => array('type' => FILE_ASN1_TYPE_BMP_STRING),
    1012. 

  1012.                 'utf8String'    => array('type' => FILE_ASN1_TYPE_UTF8_STRING)
    1013. 

  1013.             )
    1014. 

  1014.         );
    1015. 

  1015. 

  1016.         $NoticeReference = array(
    1017. 

  1017.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    1018. 

  1018.             'children' => array(
    1019. 

  1019.                 'organization'  => $DisplayText,
    1020. 

  1020.                 'noticeNumbers' => array(
    1021. 

  1021.                                        'type'     => FILE_ASN1_TYPE_SEQUENCE,
    1022. 

  1022.                                        'min'      => 1,
    1023. 

  1023.                                        'max'      => 200,
    1024. 

  1024.                                        'children' => array('type' => FILE_ASN1_TYPE_INTEGER)
    1025. 

  1025.                                    )
    1026. 

  1026.             )
    1027. 

  1027.         );
    1028. 

  1028. 

  1029.         $this->UserNotice = array(
    1030. 

  1030.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    1031. 

  1031.             'children' => array(
    1032. 

  1032.                 'noticeRef' => array(
    1033. 

  1033.                                            'optional' => true,
    1034. 

  1034.                                            'implicit' => true
    1035. 

  1035.                                        ) + $NoticeReference,
    1036. 

  1036.                 'explicitText'  => array(
    1037. 

  1037.                                            'optional' => true,
    1038. 

  1038.                                            'implicit' => true
    1039. 

  1039.                                        ) + $DisplayText
    1040. 

  1040.             )
    1041. 

  1041.         );
    1042. 

  1042. 

  1043.         // mapping is from <http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html>
    1044. 

  1044.         $this->netscape_cert_type = array(
    1045. 

  1045.             'type'    => FILE_ASN1_TYPE_BIT_STRING,
    1046. 

  1046.             'mapping' => array(
    1047. 

  1047.                 'SSLClient',
    1048. 

  1048.                 'SSLServer',
    1049. 

  1049.                 'Email',
    1050. 

  1050.                 'ObjectSigning',
    1051. 

  1051.                 'Reserved',
    1052. 

  1052.                 'SSLCA',
    1053. 

  1053.                 'EmailCA',
    1054. 

  1054.                 'ObjectSigningCA'
    1055. 

  1055.             )
    1056. 

  1056.         );
    1057. 

  1057. 

  1058.         $this->netscape_comment = array('type' => FILE_ASN1_TYPE_IA5_STRING);
    1059. 

  1059.         $this->netscape_ca_policy_url = array('type' => FILE_ASN1_TYPE_IA5_STRING);
    1060. 

  1060. 

  1061.         // attribute is used in RFC2986 but we're using the RFC5280 definition
    1062. 

  1062. 

  1063.         $Attribute = array(
    1064. 

  1064.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    1065. 

  1065.             'children' => array(
    1066. 

  1066.                 'type' => $AttributeType,
    1067. 

  1067.                 'value'=> array(
    1068. 

  1068.                               'type'     => FILE_ASN1_TYPE_SET,
    1069. 

  1069.                               'min'      => 1,
    1070. 

  1070.                               'max'      => -1,
    1071. 

  1071.                               'children' => $this->AttributeValue
    1072. 

  1072.                           )
    1073. 

  1073.             )
    1074. 

  1074.         );
    1075. 

  1075. 

  1076.         // adapted from <http://tools.ietf.org/html/rfc2986>
    1077. 

  1077. 

  1078.         $Attributes = array(
    1079. 

  1079.             'type'     => FILE_ASN1_TYPE_SET,
    1080. 

  1080.             'min'      => 1,
    1081. 

  1081.             'max'      => -1,
    1082. 

  1082.             'children' => $Attribute
    1083. 

  1083.         );
    1084. 

  1084. 

  1085.         $CertificationRequestInfo = array(
    1086. 

  1086.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    1087. 

  1087.             'children' => array(
    1088. 

  1088.                 'version'       => array(
    1089. 

  1089.                                        'type' => FILE_ASN1_TYPE_INTEGER,
    1090. 

  1090.                                        'mapping' => array('v1')
    1091. 

  1091.                                    ),
    1092. 

  1092.                 'subject'       => $this->Name,
    1093. 

  1093.                 'subjectPKInfo' => $SubjectPublicKeyInfo,
    1094. 

  1094.                 'attributes'    => array(
    1095. 

  1095.                                        'constant' => 0,
    1096. 

  1096.                                        'optional' => true,
    1097. 

  1097.                                        'implicit' => true
    1098. 

  1098.                                    ) + $Attributes,
    1099. 

  1099.             )
    1100. 

  1100.         );
    1101. 

  1101. 

  1102.         $this->CertificationRequest = array(
    1103. 

  1103.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    1104. 

  1104.             'children' => array(
    1105. 

  1105.                 'certificationRequestInfo' => $CertificationRequestInfo,
    1106. 

  1106.                 'signatureAlgorithm'       => $AlgorithmIdentifier,
    1107. 

  1107.                 'signature'                => array('type' => FILE_ASN1_TYPE_BIT_STRING)
    1108. 

  1108.             )
    1109. 

  1109.         );
    1110. 

  1110. 

  1111.         $RevokedCertificate = array(
    1112. 

  1112.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    1113. 

  1113.             'children' => array(
    1114. 

  1114.                               'userCertificate'    => $CertificateSerialNumber,
    1115. 

  1115.                               'revocationDate'     => $Time,
    1116. 

  1116.                               'crlEntryExtensions' => array(
    1117. 

  1117.                                                           'optional' => true
    1118. 

  1118.                                                       ) + $this->Extensions
    1119. 

  1119.                           )
    1120. 

  1120.         );
    1121. 

  1121. 

  1122.         $TBSCertList = array(
    1123. 

  1123.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    1124. 

  1124.             'children' => array(
    1125. 

  1125.                 'version'             => array(
    1126. 

  1126.                                              'optional' => true,
    1127. 

  1127.                                              'default'  => 'v1'
    1128. 

  1128.                                          ) + $Version,
    1129. 

  1129.                 'signature'           => $AlgorithmIdentifier,
    1130. 

  1130.                 'issuer'              => $this->Name,
    1131. 

  1131.                 'thisUpdate'          => $Time,
    1132. 

  1132.                 'nextUpdate'          => array(
    1133. 

  1133.                                              'optional' => true
    1134. 

  1134.                                          ) + $Time,
    1135. 

  1135.                 'revokedCertificates' => array(
    1136. 

  1136.                                              'type'     => FILE_ASN1_TYPE_SEQUENCE,
    1137. 

  1137.                                              'optional' => true,
    1138. 

  1138.                                              'min'      => 0,
    1139. 

  1139.                                              'max'      => -1,
    1140. 

  1140.                                              'children' => $RevokedCertificate
    1141. 

  1141.                                          ),
    1142. 

  1142.                 'crlExtensions'       => array(
    1143. 

  1143.                                              'constant' => 0,
    1144. 

  1144.                                              'optional' => true,
    1145. 

  1145.                                              'explicit' => true
    1146. 

  1146.                                          ) + $this->Extensions
    1147. 

  1147.             )
    1148. 

  1148.         );
    1149. 

  1149. 

  1150.         $this->CertificateList = array(
    1151. 

  1151.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    1152. 

  1152.             'children' => array(
    1153. 

  1153.                 'tbsCertList'        => $TBSCertList,
    1154. 

  1154.                 'signatureAlgorithm' => $AlgorithmIdentifier,
    1155. 

  1155.                 'signature'          => array('type' => FILE_ASN1_TYPE_BIT_STRING)
    1156. 

  1156.             )
    1157. 

  1157.         );
    1158. 

  1158. 

  1159.         $this->CRLNumber = array('type' => FILE_ASN1_TYPE_INTEGER);
    1160. 

  1160. 

  1161.         $this->CRLReason = array('type' => FILE_ASN1_TYPE_ENUMERATED,
    1162. 

  1162.            'mapping' => array(
    1163. 

  1163.                             'unspecified',
    1164. 

  1164.                             'keyCompromise',
    1165. 

  1165.                             'cACompromise',
    1166. 

  1166.                             'affiliationChanged',
    1167. 

  1167.                             'superseded',
    1168. 

  1168.                             'cessationOfOperation',
    1169. 

  1169.                             'certificateHold',
    1170. 

  1170.                             // Value 7 is not used.
    1171. 

  1171.                             8 => 'removeFromCRL',
    1172. 

  1172.                             'privilegeWithdrawn',
    1173. 

  1173.                             'aACompromise'
    1174. 

  1174.             )
    1175. 

  1175.         );
    1176. 

  1176. 

  1177.         $this->IssuingDistributionPoint = array('type' => FILE_ASN1_TYPE_SEQUENCE,
    1178. 

  1178.             'children' => array(
    1179. 

  1179.                 'distributionPoint'          => array(
    1180. 

  1180.                                                     'constant' => 0,
    1181. 

  1181.                                                     'optional' => true,
    1182. 

  1182.                                                     'explicit' => true
    1183. 

  1183.                                                 ) + $DistributionPointName,
    1184. 

  1184.                 'onlyContainsUserCerts'      => array(
    1185. 

  1185.                                                     'type'     => FILE_ASN1_TYPE_BOOLEAN,
    1186. 

  1186.                                                     'constant' => 1,
    1187. 

  1187.                                                     'optional' => true,
    1188. 

  1188.                                                     'default'  => false,
    1189. 

  1189.                                                     'implicit' => true
    1190. 

  1190.                                                 ),
    1191. 

  1191.                 'onlyContainsCACerts'        => array(
    1192. 

  1192.                                                     'type'     => FILE_ASN1_TYPE_BOOLEAN,
    1193. 

  1193.                                                     'constant' => 2,
    1194. 

  1194.                                                     'optional' => true,
    1195. 

  1195.                                                     'default'  => false,
    1196. 

  1196.                                                     'implicit' => true
    1197. 

  1197.                                                 ),
    1198. 

  1198.                 'onlySomeReasons'           => array(
    1199. 

  1199.                                                     'constant' => 3,
    1200. 

  1200.                                                     'optional' => true,
    1201. 

  1201.                                                     'implicit' => true
    1202. 

  1202.                                                 ) + $ReasonFlags,
    1203. 

  1203.                 'indirectCRL'               => array(
    1204. 

  1204.                                                     'type'     => FILE_ASN1_TYPE_BOOLEAN,
    1205. 

  1205.                                                     'constant' => 4,
    1206. 

  1206.                                                     'optional' => true,
    1207. 

  1207.                                                     'default'  => false,
    1208. 

  1208.                                                     'implicit' => true
    1209. 

  1209.                                                 ),
    1210. 

  1210.                 'onlyContainsAttributeCerts' => array(
    1211. 

  1211.                                                     'type'     => FILE_ASN1_TYPE_BOOLEAN,
    1212. 

  1212.                                                     'constant' => 5,
    1213. 

  1213.                                                     'optional' => true,
    1214. 

  1214.                                                     'default'  => false,
    1215. 

  1215.                                                     'implicit' => true
    1216. 

  1216.                                                 )
    1217. 

  1217.                           )
    1218. 

  1218.         );
    1219. 

  1219. 

  1220.         $this->InvalidityDate = array('type' => FILE_ASN1_TYPE_GENERALIZED_TIME);
    1221. 

  1221. 

  1222.         $this->CertificateIssuer = $GeneralNames;
    1223. 

  1223. 

  1224.         $this->HoldInstructionCode = array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER);
    1225. 

  1225. 

  1226.         $PublicKeyAndChallenge = array(
    1227. 

  1227.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    1228. 

  1228.             'children' => array(
    1229. 

  1229.                 'spki'      => $SubjectPublicKeyInfo,
    1230. 

  1230.                 'challenge' => array('type' => FILE_ASN1_TYPE_IA5_STRING)
    1231. 

  1231.             )
    1232. 

  1232.         );
    1233. 

  1233. 

  1234.         $this->SignedPublicKeyAndChallenge = array(
    1235. 

  1235.             'type'     => FILE_ASN1_TYPE_SEQUENCE,
    1236. 

  1236.             'children' => array(
    1237. 

  1237.                 'publicKeyAndChallenge' => $PublicKeyAndChallenge,
    1238. 

  1238.                 'signatureAlgorithm'    => $AlgorithmIdentifier,
    1239. 

  1239.                 'signature'             => array('type' => FILE_ASN1_TYPE_BIT_STRING)
    1240. 

  1240.             )
    1241. 

  1241.         );
    1242. 

  1242. 

  1243.         // OIDs from RFC5280 and those RFCs mentioned in RFC5280#section-4.1.1.2
    1244. 

  1244.         $this->oids = array(
    1245. 

  1245.             '1.3.6.1.5.5.7' => 'id-pkix',
    1246. 

  1246.             '1.3.6.1.5.5.7.1' => 'id-pe',
    1247. 

  1247.             '1.3.6.1.5.5.7.2' => 'id-qt',
    1248. 

  1248.             '1.3.6.1.5.5.7.3' => 'id-kp',
    1249. 

  1249.             '1.3.6.1.5.5.7.48' => 'id-ad',
    1250. 

  1250.             '1.3.6.1.5.5.7.2.1' => 'id-qt-cps',
    1251. 

  1251.             '1.3.6.1.5.5.7.2.2' => 'id-qt-unotice',
    1252. 

  1252.             '1.3.6.1.5.5.7.48.1' =>'id-ad-ocsp',
    1253. 

  1253.             '1.3.6.1.5.5.7.48.2' => 'id-ad-caIssuers',
    1254. 

  1254.             '1.3.6.1.5.5.7.48.3' => 'id-ad-timeStamping',
    1255. 

  1255.             '1.3.6.1.5.5.7.48.5' => 'id-ad-caRepository',
    1256. 

  1256.             '2.5.4' => 'id-at',
    1257. 

  1257.             '2.5.4.41' => 'id-at-name',
    1258. 

  1258.             '2.5.4.4' => 'id-at-surname',
    1259. 

  1259.             '2.5.4.42' => 'id-at-givenName',
    1260. 

  1260.             '2.5.4.43' => 'id-at-initials',
    1261. 

  1261.             '2.5.4.44' => 'id-at-generationQualifier',
    1262. 

  1262.             '2.5.4.3' => 'id-at-commonName',
    1263. 

  1263.             '2.5.4.7' => 'id-at-localityName',
    1264. 

  1264.             '2.5.4.8' => 'id-at-stateOrProvinceName',
    1265. 

  1265.             '2.5.4.10' => 'id-at-organizationName',
    1266. 

  1266.             '2.5.4.11' => 'id-at-organizationalUnitName',
    1267. 

  1267.             '2.5.4.12' => 'id-at-title',
    1268. 

  1268.             '2.5.4.13' => 'id-at-description',
    1269. 

  1269.             '2.5.4.46' => 'id-at-dnQualifier',
    1270. 

  1270.             '2.5.4.6' => 'id-at-countryName',
    1271. 

  1271.             '2.5.4.5' => 'id-at-serialNumber',
    1272. 

  1272.             '2.5.4.65' => 'id-at-pseudonym',
    1273. 

  1273.             '2.5.4.17' => 'id-at-postalCode',
    1274. 

  1274.             '2.5.4.9' => 'id-at-streetAddress',
    1275. 

  1275.             '2.5.4.45' => 'id-at-uniqueIdentifier',
    1276. 

  1276.             '2.5.4.72' => 'id-at-role',
    1277. 

  1277. 

  1278.             '0.9.2342.19200300.100.1.25' => 'id-domainComponent',
    1279. 

  1279.             '1.2.840.113549.1.9' => 'pkcs-9',
    1280. 

  1280.             '1.2.840.113549.1.9.1' => 'pkcs-9-at-emailAddress',
    1281. 

  1281.             '2.5.29' => 'id-ce',
    1282. 

  1282.             '2.5.29.35' => 'id-ce-authorityKeyIdentifier',
    1283. 

  1283.             '2.5.29.14' => 'id-ce-subjectKeyIdentifier',
    1284. 

  1284.             '2.5.29.15' => 'id-ce-keyUsage',
    1285. 

  1285.             '2.5.29.16' => 'id-ce-privateKeyUsagePeriod',
    1286. 

  1286.             '2.5.29.32' => 'id-ce-certificatePolicies',
    1287. 

  1287.             '2.5.29.32.0' => 'anyPolicy',
    1288. 

  1288. 

  1289.             '2.5.29.33' => 'id-ce-policyMappings',
    1290. 

  1290.             '2.5.29.17' => 'id-ce-subjectAltName',
    1291. 

  1291.             '2.5.29.18' => 'id-ce-issuerAltName',
    1292. 

  1292.             '2.5.29.9' => 'id-ce-subjectDirectoryAttributes',
    1293. 

  1293.             '2.5.29.19' => 'id-ce-basicConstraints',
    1294. 

  1294.             '2.5.29.30' => 'id-ce-nameConstraints',
    1295. 

  1295.             '2.5.29.36' => 'id-ce-policyConstraints',
    1296. 

  1296.             '2.5.29.31' => 'id-ce-cRLDistributionPoints',
    1297. 

  1297.             '2.5.29.37' => 'id-ce-extKeyUsage',
    1298. 

  1298.             '2.5.29.37.0' => 'anyExtendedKeyUsage',
    1299. 

  1299.             '1.3.6.1.5.5.7.3.1' => 'id-kp-serverAuth',
    1300. 

  1300.             '1.3.6.1.5.5.7.3.2' => 'id-kp-clientAuth',
    1301. 

  1301.             '1.3.6.1.5.5.7.3.3' => 'id-kp-codeSigning',
    1302. 

  1302.             '1.3.6.1.5.5.7.3.4' => 'id-kp-emailProtection',
    1303. 

  1303.             '1.3.6.1.5.5.7.3.8' => 'id-kp-timeStamping',
    1304. 

  1304.             '1.3.6.1.5.5.7.3.9' => 'id-kp-OCSPSigning',
    1305. 

  1305.             '2.5.29.54' => 'id-ce-inhibitAnyPolicy',
    1306. 

  1306.             '2.5.29.46' => 'id-ce-freshestCRL',
    1307. 

  1307.             '1.3.6.1.5.5.7.1.1' => 'id-pe-authorityInfoAccess',
    1308. 

  1308.             '1.3.6.1.5.5.7.1.11' => 'id-pe-subjectInfoAccess',
    1309. 

  1309.             '2.5.29.20' => 'id-ce-cRLNumber',
    1310. 

  1310.             '2.5.29.28' => 'id-ce-issuingDistributionPoint',
    1311. 

  1311.             '2.5.29.27' => 'id-ce-deltaCRLIndicator',
    1312. 

  1312.             '2.5.29.21' => 'id-ce-cRLReasons',
    1313. 

  1313.             '2.5.29.29' => 'id-ce-certificateIssuer',
    1314. 

  1314.             '2.5.29.23' => 'id-ce-holdInstructionCode',
    1315. 

  1315.             '1.2.840.10040.2' => 'holdInstruction',
    1316. 

  1316.             '1.2.840.10040.2.1' => 'id-holdinstruction-none',
    1317. 

  1317.             '1.2.840.10040.2.2' => 'id-holdinstruction-callissuer',
    1318. 

  1318.             '1.2.840.10040.2.3' => 'id-holdinstruction-reject',
    1319. 

  1319.             '2.5.29.24' => 'id-ce-invalidityDate',
    1320. 

  1320. 

  1321.             '1.2.840.113549.2.2' => 'md2',
    1322. 

  1322.             '1.2.840.113549.2.5' => 'md5',
    1323. 

  1323.             '1.3.14.3.2.26' => 'id-sha1',
    1324. 

  1324.             '1.2.840.10040.4.1' => 'id-dsa',
    1325. 

  1325.             '1.2.840.10040.4.3' => 'id-dsa-with-sha1',
    1326. 

  1326.             '1.2.840.113549.1.1' => 'pkcs-1',
    1327. 

  1327.             '1.2.840.113549.1.1.1' => 'rsaEncryption',
    1328. 

  1328.             '1.2.840.113549.1.1.2' => 'md2WithRSAEncryption',
    1329. 

  1329.             '1.2.840.113549.1.1.4' => 'md5WithRSAEncryption',
    1330. 

  1330.             '1.2.840.113549.1.1.5' => 'sha1WithRSAEncryption',
    1331. 

  1331.             '1.2.840.10046.2.1' => 'dhpublicnumber',
    1332. 

  1332.             '2.16.840.1.101.2.1.1.22' => 'id-keyExchangeAlgorithm',
    1333. 

  1333.             '1.2.840.10045' => 'ansi-X9-62',
    1334. 

  1334.             '1.2.840.10045.4' => 'id-ecSigType',
    1335. 

  1335.             '1.2.840.10045.4.1' => 'ecdsa-with-SHA1',
    1336. 

  1336.             '1.2.840.10045.1' => 'id-fieldType',
    1337. 

  1337.             '1.2.840.10045.1.1' => 'prime-field',
    1338. 

  1338.             '1.2.840.10045.1.2' => 'characteristic-two-field',
    1339. 

  1339.             '1.2.840.10045.1.2.3' => 'id-characteristic-two-basis',
    1340. 

  1340.             '1.2.840.10045.1.2.3.1' => 'gnBasis',
    1341. 

  1341.             '1.2.840.10045.1.2.3.2' => 'tpBasis',
    1342. 

  1342.             '1.2.840.10045.1.2.3.3' => 'ppBasis',
    1343. 

  1343.             '1.2.840.10045.2' => 'id-publicKeyType',
    1344. 

  1344.             '1.2.840.10045.2.1' => 'id-ecPublicKey',
    1345. 

  1345.             '1.2.840.10045.3' => 'ellipticCurve',
    1346. 

  1346.             '1.2.840.10045.3.0' => 'c-TwoCurve',
    1347. 

  1347.             '1.2.840.10045.3.0.1' => 'c2pnb163v1',
    1348. 

  1348.             '1.2.840.10045.3.0.2' => 'c2pnb163v2',
    1349. 

  1349.             '1.2.840.10045.3.0.3' => 'c2pnb163v3',
    1350. 

  1350.             '1.2.840.10045.3.0.4' => 'c2pnb176w1',
    1351. 

  1351.             '1.2.840.10045.3.0.5' => 'c2pnb191v1',
    1352. 

  1352.             '1.2.840.10045.3.0.6' => 'c2pnb191v2',
    1353. 

  1353.             '1.2.840.10045.3.0.7' => 'c2pnb191v3',
    1354. 

  1354.             '1.2.840.10045.3.0.8' => 'c2pnb191v4',
    1355. 

  1355.             '1.2.840.10045.3.0.9' => 'c2pnb191v5',
    1356. 

  1356.             '1.2.840.10045.3.0.10' => 'c2pnb208w1',
    1357. 

  1357.             '1.2.840.10045.3.0.11' => 'c2pnb239v1',
    1358. 

  1358.             '1.2.840.10045.3.0.12' => 'c2pnb239v2',
    1359. 

  1359.             '1.2.840.10045.3.0.13' => 'c2pnb239v3',
    1360. 

  1360.             '1.2.840.10045.3.0.14' => 'c2pnb239v4',
    1361. 

  1361.             '1.2.840.10045.3.0.15' => 'c2pnb239v5',
    1362. 

  1362.             '1.2.840.10045.3.0.16' => 'c2pnb272w1',
    1363. 

  1363.             '1.2.840.10045.3.0.17' => 'c2pnb304w1',
    1364. 

  1364.             '1.2.840.10045.3.0.18' => 'c2pnb359v1',
    1365. 

  1365.             '1.2.840.10045.3.0.19' => 'c2pnb368w1',
    1366. 

  1366.             '1.2.840.10045.3.0.20' => 'c2pnb431r1',
    1367. 

  1367.             '1.2.840.10045.3.1' => 'primeCurve',
    1368. 

  1368.             '1.2.840.10045.3.1.1' => 'prime192v1',
    1369. 

  1369.             '1.2.840.10045.3.1.2' => 'prime192v2',
    1370. 

  1370.             '1.2.840.10045.3.1.3' => 'prime192v3',
    1371. 

  1371.             '1.2.840.10045.3.1.4' => 'prime239v1',
    1372. 

  1372.             '1.2.840.10045.3.1.5' => 'prime239v2',
    1373. 

  1373.             '1.2.840.10045.3.1.6' => 'prime239v3',
    1374. 

  1374.             '1.2.840.10045.3.1.7' => 'prime256v1',
    1375. 

  1375.             '1.2.840.113549.1.1.7' => 'id-RSAES-OAEP',
    1376. 

  1376.             '1.2.840.113549.1.1.9' => 'id-pSpecified',
    1377. 

  1377.             '1.2.840.113549.1.1.10' => 'id-RSASSA-PSS',
    1378. 

  1378.             '1.2.840.113549.1.1.8' => 'id-mgf1',
    1379. 

  1379.             '1.2.840.113549.1.1.14' => 'sha224WithRSAEncryption',
    1380. 

  1380.             '1.2.840.113549.1.1.11' => 'sha256WithRSAEncryption',
    1381. 

  1381.             '1.2.840.113549.1.1.12' => 'sha384WithRSAEncryption',
    1382. 

  1382.             '1.2.840.113549.1.1.13' => 'sha512WithRSAEncryption',
    1383. 

  1383.             '2.16.840.1.101.3.4.2.4' => 'id-sha224',
    1384. 

  1384.             '2.16.840.1.101.3.4.2.1' => 'id-sha256',
    1385. 

  1385.             '2.16.840.1.101.3.4.2.2' => 'id-sha384',
    1386. 

  1386.             '2.16.840.1.101.3.4.2.3' => 'id-sha512',
    1387. 

  1387.             '1.2.643.2.2.4' => 'id-GostR3411-94-with-GostR3410-94',
    1388. 

  1388.             '1.2.643.2.2.3' => 'id-GostR3411-94-with-GostR3410-2001',
    1389. 

  1389.             '1.2.643.2.2.20' => 'id-GostR3410-2001',
    1390. 

  1390.             '1.2.643.2.2.19' => 'id-GostR3410-94',
    1391. 

  1391.             // Netscape Object Identifiers from "Netscape Certificate Extensions"
    1392. 

  1392.             '2.16.840.1.113730' => 'netscape',
    1393. 

  1393.             '2.16.840.1.113730.1' => 'netscape-cert-extension',
    1394. 

  1394.             '2.16.840.1.113730.1.1' => 'netscape-cert-type',
    1395. 

  1395.             '2.16.840.1.113730.1.13' => 'netscape-comment',
    1396. 

  1396.             '2.16.840.1.113730.1.8' => 'netscape-ca-policy-url',
    1397. 

  1397.             // the following are X.509 extensions not supported by phpseclib
    1398. 

  1398.             '1.3.6.1.5.5.7.1.12' => 'id-pe-logotype',
    1399. 

  1399.             '1.2.840.113533.7.65.0' => 'entrustVersInfo',
    1400. 

  1400.             '2.16.840.1.113733.1.6.9' => 'verisignPrivate',
    1401. 

  1401.             // for Certificate Signing Requests
    1402. 

  1402.             // see http://tools.ietf.org/html/rfc2985
    1403. 

  1403.             '1.2.840.113549.1.9.2' => 'pkcs-9-at-unstructuredName', // PKCS #9 unstructured name
    1404. 

  1404.             '1.2.840.113549.1.9.7' => 'pkcs-9-at-challengePassword', // Challenge password for certificate revocations
    1405. 

  1405.             '1.2.840.113549.1.9.14' => 'pkcs-9-at-extensionRequest' // Certificate extension request
    1406. 

  1406.         );
    1407. 

  1407.     }
    1408. 

  1408. 

  1409.     /**
    1410. 

  1410.      * Load X.509 certificate
    1411. 

  1411.      *
    1412. 

  1412.      * Returns an associative array describing the X.509 cert or a false if the cert failed to load
    1413. 

  1413.      *
    1414. 

  1414.      * @param String $cert
    1415. 

  1415.      * @access public
    1416. 

  1416.      * @return Mixed
    1417. 

  1417.      */
    1418. 

  1418.     function loadX509($cert)
    1419. 

  1419.     {
    1420. 

  1420.         if (is_array($cert) && isset($cert['tbsCertificate'])) {
    1421. 

  1421.             unset($this->currentCert);
    1422. 

  1422.             unset($this->currentKeyIdentifier);
    1423. 

  1423.             $this->dn = $cert['tbsCertificate']['subject'];
    1424. 

  1424.             if (!isset($this->dn)) {
    1425. 

  1425.                 return false;
    1426. 

  1426.             }
    1427. 

  1427.             $this->currentCert = $cert;
    1428. 

  1428. 

  1429.             $currentKeyIdentifier = $this->getExtension('id-ce-subjectKeyIdentifier');
    1430. 

  1430.             $this->currentKeyIdentifier = is_string($currentKeyIdentifier) ? $currentKeyIdentifier : NULL;
    1431. 

  1431. 

  1432.             unset($this->signatureSubject);
    1433. 

  1433. 

  1434.             return $cert;
    1435. 

  1435.         }
    1436. 

  1436. 

  1437.         $asn1 = new File_ASN1();
    1438. 

  1438. 

  1439.         $cert = $this->_extractBER($cert);
    1440. 

  1440. 

  1441.         if ($cert === false) {
    1442. 

  1442.             $this->currentCert = false;
    1443. 

  1443.             return false;
    1444. 

  1444.         }
    1445. 

  1445. 

  1446.         $asn1->loadOIDs($this->oids);
    1447. 

  1447.         $decoded = $asn1->decodeBER($cert);
    1448. 

  1448. 

  1449.         if (!empty($decoded)) {
    1450. 

  1450.             $x509 = $asn1->asn1map($decoded[0], $this->Certificate);
    1451. 

  1451.         }
    1452. 

  1452.         if (!isset($x509) || $x509 === false) {
    1453. 

  1453.             $this->currentCert = false;
    1454. 

  1454.             return false;
    1455. 

  1455.         }
    1456. 

  1456. 

  1457.         $this->signatureSubject = substr($cert, $decoded[0]['content'][0]['start'], $decoded[0]['content'][0]['length']);
    1458. 

  1458. 

  1459.         $this->_mapInExtensions($x509, 'tbsCertificate/extensions', $asn1);
    1460. 

  1460. 

  1461.         $key = &$x509['tbsCertificate']['subjectPublicKeyInfo']['subjectPublicKey'];
    1462. 

  1462.         $key = $this->_reformatKey($x509['tbsCertificate']['subjectPublicKeyInfo']['algorithm']['algorithm'], $key);
    1463. 

  1463. 

  1464.         $this->currentCert = $x509;
    1465. 

  1465.         $this->dn = $x509['tbsCertificate']['subject'];
    1466. 

  1466. 

  1467.         $currentKeyIdentifier = $this->getExtension('id-ce-subjectKeyIdentifier');
    1468. 

  1468.         $this->currentKeyIdentifier = is_string($currentKeyIdentifier) ? $currentKeyIdentifier : NULL;
    1469. 

  1469. 

  1470.         return $x509;
    1471. 

  1471.     }
    1472. 

  1472. 

  1473.     /**
    1474. 

  1474.      * Save X.509 certificate
    1475. 

  1475.      *
    1476. 

  1476.      * @param Array $cert
    1477. 

  1477.      * @param Integer $format optional
    1478. 

  1478.      * @access public
    1479. 

  1479.      * @return String
    1480. 

  1480.      */
    1481. 

  1481.     function saveX509($cert, $format = FILE_X509_FORMAT_PEM)
    1482. 

  1482.     {
    1483. 

  1483.         if (!is_array($cert) || !isset($cert['tbsCertificate'])) {
    1484. 

  1484.             return false;
    1485. 

  1485.         }
    1486. 

  1486. 

  1487.         switch (true) {
    1488. 

  1488.             // "case !$a: case !$b: break; default: whatever();" is the same thing as "if ($a && $b) whatever()"
    1489. 

  1489.             case !($algorithm = $this->_subArray($cert, 'tbsCertificate/subjectPublicKeyInfo/algorithm/algorithm')):
    1490. 

  1490.             case is_object($cert['tbsCertificate']['subjectPublicKeyInfo']['subjectPublicKey']):
    1491. 

  1491.                 break;
    1492. 

  1492.             default:
    1493. 

  1493.                 switch ($algorithm) {
    1494. 

  1494.                     case 'rsaEncryption':
    1495. 

  1495.                         $cert['tbsCertificate']['subjectPublicKeyInfo']['subjectPublicKey'] = 
    1496. 

  1496.                             base64_encode("\0" . base64_decode(preg_replace('#-.+-|[\r\n]#', '', $cert['tbsCertificate']['subjectPublicKeyInfo']['subjectPublicKey'])));
    1497. 

  1497.                 }
    1498. 

  1498.         }
    1499. 

  1499. 

  1500.         $asn1 = new File_ASN1();
    1501. 

  1501. 

  1502.         $asn1->loadOIDs($this->oids);
    1503. 

  1503. 

  1504.         $filters = array();
    1505. 

  1505.         $filters['tbsCertificate']['signature']['parameters'] = 
    1506. 

  1506.         $filters['tbsCertificate']['signature']['issuer']['rdnSequence']['value'] = 
    1507. 

  1507.         $filters['tbsCertificate']['issuer']['rdnSequence']['value'] = 
    1508. 

  1508.         $filters['tbsCertificate']['subject']['rdnSequence']['value'] = 
    1509. 

  1509.         $filters['tbsCertificate']['subjectPublicKeyInfo']['algorithm']['parameters'] = 
    1510. 

  1510.         $filters['signatureAlgorithm']['parameters'] = 
    1511. 

  1511.         $filters['authorityCertIssuer']['directoryName']['rdnSequence']['value'] = 
    1512. 

  1512.         //$filters['policyQualifiers']['qualifier'] = 
    1513. 

  1513.         $filters['distributionPoint']['fullName']['directoryName']['rdnSequence']['value'] = 
    1514. 

  1514.         $filters['directoryName']['rdnSequence']['value'] = 
    1515. 

  1515.             array('type' => FILE_ASN1_TYPE_UTF8_STRING);
    1516. 

  1516.         /* in the case of policyQualifiers/qualifier, the type has to be FILE_ASN1_TYPE_IA5_STRING.
    1517. 

  1517.            FILE_ASN1_TYPE_PRINTABLE_STRING will cause OpenSSL's X.509 parser to spit out random
    1518. 

  1518.            characters.
    1519. 

  1519.          */
    1520. 

  1520.         $filters['policyQualifiers']['qualifier'] = 
    1521. 

  1521.             array('type' => FILE_ASN1_TYPE_IA5_STRING);
    1522. 

  1522. 

  1523.         $asn1->loadFilters($filters);
    1524. 

  1524. 

  1525.         $this->_mapOutExtensions($cert, 'tbsCertificate/extensions', $asn1);
    1526. 

  1526. 

  1527.         $cert = $asn1->encodeDER($cert, $this->Certificate);
    1528. 

  1528. 

  1529.         switch ($format) {
    1530. 

  1530.             case FILE_X509_FORMAT_DER:
    1531. 

  1531.                 return $cert;
    1532. 

  1532.             // case FILE_X509_FORMAT_PEM:
    1533. 

  1533.             default:
    1534. 

  1534.                 return "-----BEGIN CERTIFICATE-----\r\n" . chunk_split(base64_encode($cert), 64) . '-----END CERTIFICATE-----';
    1535. 

  1535.         }
    1536. 

  1536.     }
    1537. 

  1537. 

  1538.     /**
    1539. 

  1539.      * Map extension values from octet string to extension-specific internal
    1540. 

  1540.      *   format.
    1541. 

  1541.      *
    1542. 

  1542.      * @param Array ref $root
    1543. 

  1543.      * @param String $path
    1544. 

  1544.      * @param Object $asn1
    1545. 

  1545.      * @access private
    1546. 

  1546.      */
    1547. 

  1547.     function _mapInExtensions(&$root, $path, $asn1)
    1548. 

  1548.     {
    1549. 

  1549.         $extensions = &$this->_subArray($root, $path);
    1550. 

  1550. 

  1551.         if (is_array($extensions)) {
    1552. 

  1552.             for ($i = 0; $i < count($extensions); $i++) {
    1553. 

  1553.                 $id = $extensions[$i]['extnId'];
    1554. 

  1554.                 $value = &$extensions[$i]['extnValue'];
    1555. 

  1555.                 $value = base64_decode($value);
    1556. 

  1556.                 $decoded = $asn1->decodeBER($value);
    1557. 

  1557.                 /* [extnValue] contains the DER encoding of an ASN.1 value
    1558. 

  1558.                    corresponding to the extension type identified by extnID */
    1559. 

  1559.                 $map = $this->_getMapping($id);
    1560. 

  1560.                 if (!is_bool($map)) {
    1561. 

  1561.                     $mapped = $asn1->asn1map($decoded[0], $map);
    1562. 

  1562.                     $value = $mapped === false ? $decoded[0] : $mapped;
    1563. 

  1563. 

  1564.                     if ($id == 'id-ce-certificatePolicies') {
    1565. 

  1565.                         for ($j = 0; $j < count($value); $j++) {
    1566. 

  1566.                             if (!isset($value[$j]['policyQualifiers'])) {
    1567. 

  1567.                                 continue;
    1568. 

  1568.                             }
    1569. 

  1569.                             for ($k = 0; $k < count($value[$j]['policyQualifiers']); $k++) {
    1570. 

  1570.                                 $subid = $value[$j]['policyQualifiers'][$k]['policyQualifierId'];
    1571. 

  1571.                                 $map = $this->_getMapping($subid);
    1572. 

  1572.                                 $subvalue = &$value[$j]['policyQualifiers'][$k]['qualifier'];
    1573. 

  1573.                                 if ($map !== false) {
    1574. 

  1574.                                     $decoded = $asn1->decodeBER($subvalue);
    1575. 

  1575.                                     $mapped = $asn1->asn1map($decoded[0], $map);
    1576. 

  1576.                                     $subvalue = $mapped === false ? $decoded[0] : $mapped;
    1577. 

  1577.                                 }
    1578. 

  1578.                             }
    1579. 

  1579.                         }
    1580. 

  1580.                     }
    1581. 

  1581.                 } elseif ($map) {
    1582. 

  1582.                     $value = base64_encode($value);
    1583. 

  1583.                 }
    1584. 

  1584.             }
    1585. 

  1585.         }
    1586. 

  1586.     }
    1587. 

  1587. 

  1588.     /**
    1589. 

  1589.      * Map extension values from extension-specific internal format to
    1590. 

  1590.      *   octet string.
    1591. 

  1591.      *
    1592. 

  1592.      * @param Array ref $root
    1593. 

  1593.      * @param String $path
    1594. 

  1594.      * @param Object $asn1
    1595. 

  1595.      * @access private
    1596. 

  1596.      */
    1597. 

  1597.     function _mapOutExtensions(&$root, $path, $asn1)
    1598. 

  1598.     {
    1599. 

  1599.         $extensions = &$this->_subArray($root, $path);
    1600. 

  1600. 

  1601.         if (is_array($extensions)) {
    1602. 

  1602.             $size = count($extensions);
    1603. 

  1603.             for ($i = 0; $i < $size; $i++) {
    1604. 

  1604.                 $id = $extensions[$i]['extnId'];
    1605. 

  1605.                 $value = &$extensions[$i]['extnValue'];
    1606. 

  1606. 

  1607.                 switch ($id) {
    1608. 

  1608.                     case 'id-ce-certificatePolicies':
    1609. 

  1609.                         for ($j = 0; $j < count($value); $j++) {
    1610. 

  1610.                             if (!isset($value[$j]['policyQualifiers'])) {
    1611. 

  1611.                                 continue;
    1612. 

  1612.                             }
    1613. 

  1613.                             for ($k = 0; $k < count($value[$j]['policyQualifiers']); $k++) {
    1614. 

  1614.                                 $subid = $value[$j]['policyQualifiers'][$k]['policyQualifierId'];
    1615. 

  1615.                                 $map = $this->_getMapping($subid);
    1616. 

  1616.                                 $subvalue = &$value[$j]['policyQualifiers'][$k]['qualifier'];
    1617. 

  1617.                                 if ($map !== false) {
    1618. 

  1618.                                     // by default File_ASN1 will try to render qualifier as a FILE_ASN1_TYPE_IA5_STRING since it's
    1619. 

  1619.                                     // actual type is FILE_ASN1_TYPE_ANY
    1620. 

  1620.                                     $subvalue = new File_ASN1_Element($asn1->encodeDER($subvalue, $map));
    1621. 

  1621.                                 }
    1622. 

  1622.                             }
    1623. 

  1623.                         }
    1624. 

  1624.                         break;
    1625. 

  1625.                     case 'id-ce-authorityKeyIdentifier': // use 00 as the serial number instead of an empty string
    1626. 

  1626.                         if (isset($value['authorityCertSerialNumber'])) {
    1627. 

  1627.                             if ($value['authorityCertSerialNumber']->toBytes() == '') {
    1628. 

  1628.                                 $temp = chr((FILE_ASN1_CLASS_CONTEXT_SPECIFIC << 6) | 2) . "\1\0";
    1629. 

  1629.                                 $value['authorityCertSerialNumber'] = new File_ASN1_Element($temp);
    1630. 

  1630.                             }
    1631. 

  1631.                         }
    1632. 

  1632.                 }
    1633. 

  1633. 

  1634.                 /* [extnValue] contains the DER encoding of an ASN.1 value
    1635. 

  1635.                    corresponding to the extension type identified by extnID */
    1636. 

  1636.                 $map = $this->_getMapping($id);
    1637. 

  1637.                 if (is_bool($map)) {
    1638. 

  1638.                     if (!$map) {
    1639. 

  1639.                         user_error($id . ' is not a currently supported extension');
    1640. 

  1640.                         unset($extensions[$i]);
    1641. 

  1641.                     }
    1642. 

  1642.                 } else {
    1643. 

  1643.                     $temp = $asn1->encodeDER($value, $map);
    1644. 

  1644.                     $value = base64_encode($temp);
    1645. 

  1645.                 }
    1646. 

  1646.             }
    1647. 

  1647.         }
    1648. 

  1648.     }
    1649. 

  1649. 

  1650.     /**
    1651. 

  1651.      * Map attribute values from ANY type to attribute-specific internal
    1652. 

  1652.      *   format.
    1653. 

  1653.      *
    1654. 

  1654.      * @param Array ref $root
    1655. 

  1655.      * @param String $path
    1656. 

  1656.      * @param Object $asn1
    1657. 

  1657.      * @access private
    1658. 

  1658.      */
    1659. 

  1659.     function _mapInAttributes(&$root, $path, $asn1)
    1660. 

  1660.     {
    1661. 

  1661.         $attributes = &$this->_subArray($root, $path);
    1662. 

  1662. 

  1663.         if (is_array($attributes)) {
    1664. 

  1664.             for ($i = 0; $i < count($attributes); $i++) {
    1665. 

  1665.                 $id = $attributes[$i]['type'];
    1666. 

  1666.                 /* $value contains the DER encoding of an ASN.1 value
    1667. 

  1667.                    corresponding to the attribute type identified by type */
    1668. 

  1668.                 $map = $this->_getMapping($id);
    1669. 

  1669.                 if (is_array($attributes[$i]['value'])) {
    1670. 

  1670.                     $values = &$attributes[$i]['value'];
    1671. 

  1671.                     for ($j = 0; $j < count($values); $j++) {
    1672. 

  1672.                         $value = $asn1->encodeDER($values[$j], $this->AttributeValue);
    1673. 

  1673.                         $decoded = $asn1->decodeBER($value);
    1674. 

  1674.                         if (!is_bool($map)) {
    1675. 

  1675.                             $mapped = $asn1->asn1map($decoded[0], $map);
    1676. 

  1676.                             if ($mapped !== false) {
    1677. 

  1677.                                 $values[$j] = $mapped;
    1678. 

  1678.                             }
    1679. 

  1679.                             if ($id == 'pkcs-9-at-extensionRequest') {
    1680. 

  1680.                                 $this->_mapInExtensions($values, $j, $asn1);
    1681. 

  1681.                             }
    1682. 

  1682.                         } elseif ($map) {
    1683. 

  1683.                             $values[$j] = base64_encode($value);
    1684. 

  1684.                         }
    1685. 

  1685.                     }
    1686. 

  1686.                 }
    1687. 

  1687.             }
    1688. 

  1688.         }
    1689. 

  1689.     }
    1690. 

  1690. 

  1691.     /**
    1692. 

  1692.      * Map attribute values from attribute-specific internal format to
    1693. 

  1693.      *   ANY type.
    1694. 

  1694.      *
    1695. 

  1695.      * @param Array ref $root
    1696. 

  1696.      * @param String $path
    1697. 

  1697.      * @param Object $asn1
    1698. 

  1698.      * @access private
    1699. 

  1699.      */
    1700. 

  1700.     function _mapOutAttributes(&$root, $path, $asn1)
    1701. 

  1701.     {
    1702. 

  1702.         $attributes = &$this->_subArray($root, $path);
    1703. 

  1703. 

  1704.         if (is_array($attributes)) {
    1705. 

  1705.             $size = count($attributes);
    1706. 

  1706.             for ($i = 0; $i < $size; $i++) {
    1707. 

  1707.                 /* [value] contains the DER encoding of an ASN.1 value
    1708. 

  1708.                    corresponding to the attribute type identified by type */
    1709. 

  1709.                 $id = $attributes[$i]['type'];
    1710. 

  1710.                 $map = $this->_getMapping($id);
    1711. 

  1711.                 if ($map === false) {
    1712. 

  1712.                     user_error($id . ' is not a currently supported attribute', E_USER_NOTICE);
    1713. 

  1713.                     unset($attributes[$i]);
    1714. 

  1714.                 }
    1715. 

  1715.                 elseif (is_array($attributes[$i]['value'])) {
    1716. 

  1716.                     $values = &$attributes[$i]['value'];
    1717. 

  1717.                     for ($j = 0; $j < count($values); $j++) {
    1718. 

  1718.                         switch ($id) {
    1719. 

  1719.                             case 'pkcs-9-at-extensionRequest':
    1720. 

  1720.                                 $this->_mapOutExtensions($values, $j, $asn1);
    1721. 

  1721.                                 break;
    1722. 

  1722.                         }
    1723. 

  1723. 

  1724.                         if (!is_bool($map)) {
    1725. 

  1725.                             $temp = $asn1->encodeDER($values[$j], $map);
    1726. 

  1726.                             $decoded = $asn1->decodeBER($temp);
    1727. 

  1727.                             $values[$j] = $asn1->asn1map($decoded[0], $this->AttributeValue);
    1728. 

  1728.                         }
    1729. 

  1729.                     }
    1730. 

  1730.                 }
    1731. 

  1731.             }
    1732. 

  1732.         }
    1733. 

  1733.     }
    1734. 

  1734. 

  1735.     /**
    1736. 

  1736.      * Associate an extension ID to an extension mapping
    1737. 

  1737.      *
    1738. 

  1738.      * @param String $extnId
    1739. 

  1739.      * @access private
    1740. 

  1740.      * @return Mixed
    1741. 

  1741.      */
    1742. 

  1742.     function _getMapping($extnId)
    1743. 

  1743.     {
    1744. 

  1744.         if (!is_string($extnId)) { // eg. if it's a File_ASN1_Element object
    1745. 

  1745.             return true;
    1746. 

  1746.         }
    1747. 

  1747. 

  1748.         switch ($extnId) {
    1749. 

  1749.             case 'id-ce-keyUsage':
    1750. 

  1750.                 return $this->KeyUsage;
    1751. 

  1751.             case 'id-ce-basicConstraints':
    1752. 

  1752.                 return $this->BasicConstraints;
    1753. 

  1753.             case 'id-ce-subjectKeyIdentifier':
    1754. 

  1754.                 return $this->KeyIdentifier;
    1755. 

  1755.             case 'id-ce-cRLDistributionPoints':
    1756. 

  1756.                 return $this->CRLDistributionPoints;
    1757. 

  1757.             case 'id-ce-authorityKeyIdentifier':
    1758. 

  1758.                 return $this->AuthorityKeyIdentifier;
    1759. 

  1759.             case 'id-ce-certificatePolicies':
    1760. 

  1760.                 return $this->CertificatePolicies;
    1761. 

  1761.             case 'id-ce-extKeyUsage':
    1762. 

  1762.                 return $this->ExtKeyUsageSyntax;
    1763. 

  1763.             case 'id-pe-authorityInfoAccess':
    1764. 

  1764.                 return $this->AuthorityInfoAccessSyntax;
    1765. 

  1765.             case 'id-ce-subjectAltName':
    1766. 

  1766.                 return $this->SubjectAltName;
    1767. 

  1767.             case 'id-ce-privateKeyUsagePeriod':
    1768. 

  1768.                 return $this->PrivateKeyUsagePeriod;
    1769. 

  1769.             case 'id-ce-issuerAltName':
    1770. 

  1770.                 return $this->IssuerAltName;
    1771. 

  1771.             case 'id-ce-policyMappings':
    1772. 

  1772.                 return $this->PolicyMappings;
    1773. 

  1773.             case 'id-ce-nameConstraints':
    1774. 

  1774.                 return $this->NameConstraints;
    1775. 

  1775. 

  1776.             case 'netscape-cert-type':
    1777. 

  1777.                 return $this->netscape_cert_type;
    1778. 

  1778.             case 'netscape-comment':
    1779. 

  1779.                 return $this->netscape_comment;
    1780. 

  1780.             case 'netscape-ca-policy-url':
    1781. 

  1781.                 return $this->netscape_ca_policy_url;
    1782. 

  1782. 

  1783.             // since id-qt-cps isn't a constructed type it will have already been decoded as a string by the time it gets
    1784. 

  1784.             // back around to asn1map() and we don't want it decoded again.
    1785. 

  1785.             //case 'id-qt-cps':
    1786. 

  1786.             //    return $this->CPSuri;
    1787. 

  1787.             case 'id-qt-unotice':
    1788. 

  1788.                 return $this->UserNotice;
    1789. 

  1789. 

  1790.             // the following OIDs are unsupported but we don't want them to give notices when calling saveX509().
    1791. 

  1791.             case 'id-pe-logotype': // http://www.ietf.org/rfc/rfc3709.txt
    1792. 

  1792.             case 'entrustVersInfo':
    1793. 

  1793.             // http://support.microsoft.com/kb/287547
    1794. 

  1794.             case '1.3.6.1.4.1.311.20.2': // szOID_ENROLL_CERTTYPE_EXTENSION
    1795. 

  1795.             case '1.3.6.1.4.1.311.21.1': // szOID_CERTSRV_CA_VERSION
    1796. 

  1796.             // "SET Secure Electronic Transaction Specification"
    1797. 

  1797.             // http://www.maithean.com/docs/set_bk3.pdf
    1798. 

  1798.             case '2.23.42.7.0': // id-set-hashedRootKey
    1799. 

  1799.                 return true;
    1800. 

  1800. 

  1801.             // CSR attributes
    1802. 

  1802.             case 'pkcs-9-at-unstructuredName':
    1803. 

  1803.                 return $this->PKCS9String;
    1804. 

  1804.             case 'pkcs-9-at-challengePassword':
    1805. 

  1805.                 return $this->DirectoryString;
    1806. 

  1806.             case 'pkcs-9-at-extensionRequest':
    1807. 

  1807.                 return $this->Extensions;
    1808. 

  1808. 

  1809.             // CRL extensions.
    1810. 

  1810.             case 'id-ce-cRLNumber':
    1811. 

  1811.                 return $this->CRLNumber;
    1812. 

  1812.             case 'id-ce-deltaCRLIndicator':
    1813. 

  1813.                 return $this->CRLNumber;
    1814. 

  1814.             case 'id-ce-issuingDistributionPoint':
    1815. 

  1815.                 return $this->IssuingDistributionPoint;
    1816. 

  1816.             case 'id-ce-freshestCRL':
    1817. 

  1817.                 return $this->CRLDistributionPoints;
    1818. 

  1818.             case 'id-ce-cRLReasons':
    1819. 

  1819.                 return $this->CRLReason;
    1820. 

  1820.             case 'id-ce-invalidityDate':
    1821. 

  1821.                 return $this->InvalidityDate;
    1822. 

  1822.             case 'id-ce-certificateIssuer':
    1823. 

  1823.                 return $this->CertificateIssuer;
    1824. 

  1824.             case 'id-ce-holdInstructionCode':
    1825. 

  1825.                 return $this->HoldInstructionCode;
    1826. 

  1826.         }
    1827. 

  1827. 

  1828.         return false;
    1829. 

  1829.     }
    1830. 

  1830. 

  1831.     /**
    1832. 

  1832.      * Load an X.509 certificate as a certificate authority
    1833. 

  1833.      *
    1834. 

  1834.      * @param String $cert
    1835. 

  1835.      * @access public
    1836. 

  1836.      * @return Boolean
    1837. 

  1837.      */
    1838. 

  1838.     function loadCA($cert)
    1839. 

  1839.     {
    1840. 

  1840.         $olddn = $this->dn;
    1841. 

  1841.         $oldcert = $this->currentCert;
    1842. 

  1842.         $oldsigsubj = $this->signatureSubject;
    1843. 

  1843.         $oldkeyid = $this->currentKeyIdentifier;
    1844. 

  1844. 

  1845.         $cert = $this->loadX509($cert);
    1846. 

  1846.         if (!$cert) {
    1847. 

  1847.             $this->dn = $olddn;
    1848. 

  1848.             $this->currentCert = $oldcert;
    1849. 

  1849.             $this->signatureSubject = $oldsigsubj;
    1850. 

  1850.             $this->currentKeyIdentifier = $oldkeyid;
    1851. 

  1851. 

  1852.             return false;
    1853. 

  1853.         }
    1854. 

  1854. 

  1855.         /* From RFC5280 "PKIX Certificate and CRL Profile":
    1856. 

  1856. 

  1857.            If the keyUsage extension is present, then the subject public key
    1858. 

  1858.            MUST NOT be used to verify signatures on certificates or CRLs unless
    1859. 

  1859.            the corresponding keyCertSign or cRLSign bit is set. */
    1860. 

  1860.         //$keyUsage = $this->getExtension('id-ce-keyUsage');
    1861. 

  1861.         //if ($keyUsage && !in_array('keyCertSign', $keyUsage)) {
    1862. 

  1862.         //    return false;
    1863. 

  1863.         //}
    1864. 

  1864. 

  1865.         /* From RFC5280 "PKIX Certificate and CRL Profile":
    1866. 

  1866. 

  1867.            The cA boolean indicates whether the certified public key may be used
    1868. 

  1868.            to verify certificate signatures.  If the cA boolean is not asserted,
    1869. 

  1869.            then the keyCertSign bit in the key usage extension MUST NOT be
    1870. 

  1870.            asserted.  If the basic constraints extension is not present in a
    1871. 

  1871.            version 3 certificate, or the extension is present but the cA boolean
    1872. 

  1872.            is not asserted, then the certified public key MUST NOT be used to
    1873. 

  1873.            verify certificate signatures. */
    1874. 

  1874.         //$basicConstraints = $this->getExtension('id-ce-basicConstraints');
    1875. 

  1875.         //if (!$basicConstraints || !$basicConstraints['cA']) {
    1876. 

  1876.         //    return false;
    1877. 

  1877.         //}
    1878. 

  1878. 

  1879.         $this->CAs[] = $cert;
    1880. 

  1880. 

  1881.         $this->dn = $olddn;
    1882. 

  1882.         $this->currentCert = $oldcert;
    1883. 

  1883.         $this->signatureSubject = $oldsigsubj;
    1884. 

  1884. 

  1885.         return true;
    1886. 

  1886.     }
    1887. 

  1887. 

  1888.     /**
    1889. 

  1889.      * Validate an X.509 certificate against a URL
    1890. 

  1890.      *
    1891. 

  1891.      * From RFC2818 "HTTP over TLS":
    1892. 

  1892.      *
    1893. 

  1893.      * Matching is performed using the matching rules specified by
    1894. 

  1894.      * [RFC2459].  If more than one identity of a given type is present in
    1895. 

  1895.      * the certificate (e.g., more than one dNSName name, a match in any one
    1896. 

  1896.      * of the set is considered acceptable.) Names may contain the wildcard
    1897. 

  1897.      * character * which is considered to match any single domain name
    1898. 

  1898.      * component or component fragment. E.g., *.a.com matches foo.a.com but
    1899. 

  1899.      * not bar.foo.a.com. f*.com matches foo.com but not bar.com.
    1900. 

  1900.      *
    1901. 

  1901.      * @param String $url
    1902. 

  1902.      * @access public
    1903. 

  1903.      * @return Boolean
    1904. 

  1904.      */
    1905. 

  1905.     function validateURL($url)
    1906. 

  1906.     {
    1907. 

  1907.         if (!is_array($this->currentCert) || !isset($this->currentCert['tbsCertificate'])) {
    1908. 

  1908.             return false;
    1909. 

  1909.         }
    1910. 

  1910. 

  1911.         $components = parse_url($url);
    1912. 

  1912.         if (!isset($components['host'])) {
    1913. 

  1913.             return false;
    1914. 

  1914.         }
    1915. 

  1915. 

  1916.         if ($names = $this->getExtension('id-ce-subjectAltName')) {
    1917. 

  1917.             foreach ($names as $key => $value) {
    1918. 

  1918.                 $value = str_replace(array('.', '*'), array('\.', '[^.]*'), $value);
    1919. 

  1919.                 switch ($key) {
    1920. 

  1920.                     case 'dNSName':
    1921. 

  1921.                         /* From RFC2818 "HTTP over TLS":
    1922. 

  1922. 

  1923.                            If a subjectAltName extension of type dNSName is present, that MUST
    1924. 

  1924.                            be used as the identity. Otherwise, the (most specific) Common Name
    1925. 

  1925.                            field in the Subject field of the certificate MUST be used. Although
    1926. 

  1926.                            the use of the Common Name is existing practice, it is deprecated and
    1927. 

  1927.                            Certification Authorities are encouraged to use the dNSName instead. */
    1928. 

  1928.                         if (preg_match('#^' . $value . '$#', $components['host'])) {
    1929. 

  1929.                             return true;
    1930. 

  1930.                         }
    1931. 

  1931.                         break;
    1932. 

  1932.                     case 'iPAddress':
    1933. 

  1933.                         /* From RFC2818 "HTTP over TLS":
    1934. 

  1934. 

  1935.                            In some cases, the URI is specified as an IP address rather than a
    1936. 

  1936.                            hostname. In this case, the iPAddress subjectAltName must be present
    1937. 

  1937.                            in the certificate and must exactly match the IP in the URI. */
    1938. 

  1938.                         if (preg_match('#(?:\d{1-3}\.){4}#', $components['host'] . '.') && preg_match('#^' . $value . '$#', $components['host'])) {
    1939. 

  1939.                             return true;
    1940. 

  1940.                         }
    1941. 

  1941.                 }
    1942. 

  1942.             }
    1943. 

  1943.             return false;
    1944. 

  1944.         }
    1945. 

  1945. 

  1946.         if ($value = $this->getDNProp('id-at-commonName')) {
    1947. 

  1947.             $value = str_replace(array('.', '*'), array('\.', '[^.]*'), $value[0]);
    1948. 

  1948.             return preg_match('#^' . $value . '$#', $components['host']);
    1949. 

  1949.         }
    1950. 

  1950. 

  1951.         return false;
    1952. 

  1952.     }
    1953. 

  1953. 

  1954.     /**
    1955. 

  1955.      * Validate a date
    1956. 

  1956.      *
    1957. 

  1957.      * If $date isn't defined it is assumed to be the current date.
    1958. 

  1958.      *
    1959. 

  1959.      * @param Integer $date optional
    1960. 

  1960.      * @access public
    1961. 

  1961.      */
    1962. 

  1962.     function validateDate($date = NULL)
    1963. 

  1963.     {
    1964. 

  1964.         if (!is_array($this->currentCert) || !isset($this->currentCert['tbsCertificate'])) {
    1965. 

  1965.             return false;
    1966. 

  1966.         }
    1967. 

  1967. 

  1968.         if (!isset($date)) {
    1969. 

  1969.             $date = time();
    1970. 

  1970.         }
    1971. 

  1971. 

  1972.         $notBefore = $this->currentCert['tbsCertificate']['validity']['notBefore'];
    1973. 

  1973.         $notBefore = isset($notBefore['generalTime']) ? $notBefore['generalTime'] : $notBefore['utcTime'];
    1974. 

  1974. 

  1975.         $notAfter = $this->currentCert['tbsCertificate']['validity']['notAfter'];
    1976. 

  1976.         $notAfter = isset($notAfter['generalTime']) ? $notAfter['generalTime'] : $notAfter['utcTime'];
    1977. 

  1977. 

  1978.         switch (true) {
    1979. 

  1979.             case $date < @strtotime($notBefore):
    1980. 

  1980.             case $date > @strtotime($notAfter):
    1981. 

  1981.                 return false;
    1982. 

  1982.         }
    1983. 

  1983. 

  1984.         return true;
    1985. 

  1985.     }
    1986. 

  1986. 

  1987.     /**
    1988. 

  1988.      * Validate a signature
    1989. 

  1989.      *
    1990. 

  1990.      * Works on X.509 certs, CSR's and CRL's.
    1991. 

  1991.      * Returns true if the signature is verified, false if it is not correct or NULL on error
    1992. 

  1992.      *
    1993. 

  1993.      * By default returns false for self-signed certs. Call validateSignature(false) to make this support
    1994. 

  1994.      * self-signed.
    1995. 

  1995.      *
    1996. 

  1996.      * The behavior of this function is inspired by {@link http://php.net/openssl-verify openssl_verify}.
    1997. 

  1997.      *
    1998. 

  1998.      * @param Boolean $caonly optional
    1999. 

  1999.      * @access public
    2000. 

  2000.      * @return Mixed
    2001. 

  2001.      */
    2002. 

  2002.     function validateSignature($caonly = true)
    2003. 

  2003.     {
    2004. 

  2004.         if (!is_array($this->currentCert) || !isset($this->signatureSubject)) {
    2005. 

  2005.             return 0;
    2006. 

  2006.         }
    2007. 

  2007. 

  2008.         /* TODO:
    2009. 

  2009.            "emailAddress attribute values are not case-sensitive (e.g., "subscriber@example.com" is the same as "SUBSCRIBER@EXAMPLE.COM")."
    2010. 

  2010.             -- http://tools.ietf.org/html/rfc5280#section-4.1.2.6
    2011. 

  2011. 

  2012.            implement pathLenConstraint in the id-ce-basicConstraints extension */
    2013. 

  2013. 

  2014.         switch (true) {
    2015. 

  2015.             case isset($this->currentCert['tbsCertificate']):
    2016. 

  2016.                 // self-signed cert
    2017. 

  2017.                 if ($this->currentCert['tbsCertificate']['issuer'] === $this->currentCert['tbsCertificate']['subject']) {
    2018. 

  2018.                     $authorityKey = $this->getExtension('id-ce-authorityKeyIdentifier');
    2019. 

  2019.                     $subjectKeyID = $this->getExtension('id-ce-subjectKeyIdentifier');
    2020. 

  2020.                     switch (true) {
    2021. 

  2021.                         case !is_array($authorityKey):
    2022. 

  2022.                         case is_array($authorityKey) && isset($authorityKey['keyIdentifier']) && $authorityKey['keyIdentifier'] === $subjectKeyID:
    2023. 

  2023.                             $signingCert = $this->currentCert; // working cert
    2024. 

  2024.                     }
    2025. 

  2025.                 }
    2026. 

  2026. 

  2027.                 if (!empty($this->CAs)) {
    2028. 

  2028.                     for ($i = 0; $i < count($this->CAs); $i++) {
    2029. 

  2029.                         // even if the cert is a self-signed one we still want to see if it's a CA;
    2030. 

  2030.                         // if not, we'll conditionally return an error
    2031. 

  2031.                         $ca = $this->CAs[$i];
    2032. 

  2032.                         if ($this->currentCert['tbsCertificate']['issuer'] === $ca['tbsCertificate']['subject']) {
    2033. 

  2033.                             $authorityKey = $this->getExtension('id-ce-authorityKeyIdentifier');
    2034. 

  2034.                             $subjectKeyID = $this->getExtension('id-ce-subjectKeyIdentifier', $ca);
    2035. 

  2035.                             switch (true) {
    2036. 

  2036.                                 case !is_array($authorityKey):
    2037. 

  2037.                                 case is_array($authorityKey) && isset($authorityKey['keyIdentifier']) && $authorityKey['keyIdentifier'] === $subjectKeyID:
    2038. 

  2038.                                     $signingCert = $ca; // working cert
    2039. 

  2039.                                     break 2;
    2040. 

  2040.                             }
    2041. 

  2041.                         }
    2042. 

  2042.                     }
    2043. 

  2043.                     if (count($this->CAs) == $i && $caonly) {
    2044. 

  2044.                         return false;
    2045. 

  2045.                     }
    2046. 

  2046.                 } elseif (!isset($signingCert) || $caonly) {
    2047. 

  2047.                     return false;
    2048. 

  2048.                 }
    2049. 

  2049.                 return $this->_validateSignature(
    2050. 

  2050.                     $signingCert['tbsCertificate']['subjectPublicKeyInfo']['algorithm']['algorithm'],
    2051. 

  2051.                     $signingCert['tbsCertificate']['subjectPublicKeyInfo']['subjectPublicKey'],
    2052. 

  2052.                     $this->currentCert['signatureAlgorithm']['algorithm'],
    2053. 

  2053.                     substr(base64_decode($this->currentCert['signature']), 1),
    2054. 

  2054.                     $this->signatureSubject
    2055. 

  2055.                 );
    2056. 

  2056.             case isset($this->currentCert['certificationRequestInfo']):
    2057. 

  2057.                 return $this->_validateSignature(
    2058. 

  2058.                     $this->currentCert['certificationRequestInfo']['subjectPKInfo']['algorithm']['algorithm'],
    2059. 

  2059.                     $this->currentCert['certificationRequestInfo']['subjectPKInfo']['subjectPublicKey'],
    2060. 

  2060.                     $this->currentCert['signatureAlgorithm']['algorithm'],
    2061. 

  2061.                     substr(base64_decode($this->currentCert['signature']), 1),
    2062. 

  2062.                     $this->signatureSubject
    2063. 

  2063.                 );
    2064. 

  2064.             case isset($this->currentCert['publicKeyAndChallenge']):
    2065. 

  2065.                 return $this->_validateSignature(
    2066. 

  2066.                     $this->currentCert['publicKeyAndChallenge']['spki']['algorithm']['algorithm'],
    2067. 

  2067.                     $this->currentCert['publicKeyAndChallenge']['spki']['subjectPublicKey'],
    2068. 

  2068.                     $this->currentCert['signatureAlgorithm']['algorithm'],
    2069. 

  2069.                     substr(base64_decode($this->currentCert['signature']), 1),
    2070. 

  2070.                     $this->signatureSubject
    2071. 

  2071.                 );
    2072. 

  2072.             case isset($this->currentCert['tbsCertList']):
    2073. 

  2073.                 if (!empty($this->CAs)) {
    2074. 

  2074.                     for ($i = 0; $i < count($this->CAs); $i++) {
    2075. 

  2075.                         $ca = $this->CAs[$i];
    2076. 

  2076.                         if ($this->currentCert['tbsCertList']['issuer'] === $ca['tbsCertificate']['subject']) {
    2077. 

  2077.                             $authorityKey = $this->getExtension('id-ce-authorityKeyIdentifier');
    2078. 

  2078.                             $subjectKeyID = $this->getExtension('id-ce-subjectKeyIdentifier', $ca);
    2079. 

  2079.                             switch (true) {
    2080. 

  2080.                                 case !is_array($authorityKey):
    2081. 

  2081.                                 case is_array($authorityKey) && isset($authorityKey['keyIdentifier']) && $authorityKey['keyIdentifier'] === $subjectKeyID:
    2082. 

  2082.                                     $signingCert = $ca; // working cert
    2083. 

  2083.                                     break 2;
    2084. 

  2084.                             }
    2085. 

  2085.                         }
    2086. 

  2086.                     }
    2087. 

  2087.                 }
    2088. 

  2088.                 if (!isset($signingCert)) {
    2089. 

  2089.                     return false;
    2090. 

  2090.                 }
    2091. 

  2091.                 return $this->_validateSignature(
    2092. 

  2092.                     $signingCert['tbsCertificate']['subjectPublicKeyInfo']['algorithm']['algorithm'],
    2093. 

  2093.                     $signingCert['tbsCertificate']['subjectPublicKeyInfo']['subjectPublicKey'],
    2094. 

  2094.                     $this->currentCert['signatureAlgorithm']['algorithm'],
    2095. 

  2095.                     substr(base64_decode($this->currentCert['signature']), 1),
    2096. 

  2096.                     $this->signatureSubject
    2097. 

  2097.                 );
    2098. 

  2098.             default:
    2099. 

  2099.                 return false;
    2100. 

  2100.         }
    2101. 

  2101.     }
    2102. 

  2102. 

  2103.     /**
    2104. 

  2104.      * Validates a signature
    2105. 

  2105.      *
    2106. 

  2106.      * Returns true if the signature is verified, false if it is not correct or NULL on error
    2107. 

  2107.      *
    2108. 

  2108.      * @param String $publicKeyAlgorithm
    2109. 

  2109.      * @param String $publicKey
    2110. 

  2110.      * @param String $signatureAlgorithm
    2111. 

  2111.      * @param String $signature
    2112. 

  2112.      * @param String $signatureSubject
    2113. 

  2113.      * @access private
    2114. 

  2114.      * @return Integer
    2115. 

  2115.      */
    2116. 

  2116.     function _validateSignature($publicKeyAlgorithm, $publicKey, $signatureAlgorithm, $signature, $signatureSubject)
    2117. 

  2117.     {
    2118. 

  2118.         switch ($publicKeyAlgorithm) {
    2119. 

  2119.             case 'rsaEncryption':
    2120. 

  2120.                 if (!class_exists('Crypt_RSA')) {
    2121. 

  2121.                     require_once('Crypt/RSA.php');
    2122. 

  2122.                 }
    2123. 

  2123.                 $rsa = new Crypt_RSA();
    2124. 

  2124.                 $rsa->loadKey($publicKey);
    2125. 

  2125. 

  2126.                 switch ($signatureAlgorithm) {
    2127. 

  2127.                     case 'md2WithRSAEncryption':
    2128. 

  2128.                     case 'md5WithRSAEncryption':
    2129. 

  2129.                     case 'sha1WithRSAEncryption':
    2130. 

  2130.                     case 'sha224WithRSAEncryption':
    2131. 

  2131.                     case 'sha256WithRSAEncryption':
    2132. 

  2132.                     case 'sha384WithRSAEncryption':
    2133. 

  2133.                     case 'sha512WithRSAEncryption':
    2134. 

  2134.                         $rsa->setHash(preg_replace('#WithRSAEncryption$#', '', $signatureAlgorithm));
    2135. 

  2135.                         $rsa->setSignatureMode(CRYPT_RSA_SIGNATURE_PKCS1);
    2136. 

  2136.                         if (!@$rsa->verify($signatureSubject, $signature)) {
    2137. 

  2137.                             return false;
    2138. 

  2138.                         }
    2139. 

  2139.                         break;
    2140. 

  2140.                     default:
    2141. 

  2141.                         return NULL;
    2142. 

  2142.                 }
    2143. 

  2143.                 break;
    2144. 

  2144.             default:
    2145. 

  2145.                 return NULL;
    2146. 

  2146.         }
    2147. 

  2147. 

  2148.         return true;
    2149. 

  2149.     }
    2150. 

  2150. 

  2151.     /**
    2152. 

  2152.      * Reformat public keys
    2153. 

  2153.      *
    2154. 

  2154.      * Reformats a public key to a format supported by phpseclib (if applicable)
    2155. 

  2155.      *
    2156. 

  2156.      * @param String $algorithm
    2157. 

  2157.      * @param String $key
    2158. 

  2158.      * @access private
    2159. 

  2159.      * @return String
    2160. 

  2160.      */
    2161. 

  2161.     function _reformatKey($algorithm, $key)
    2162. 

  2162.     {
    2163. 

  2163.         switch ($algorithm) {
    2164. 

  2164.             case 'rsaEncryption':
    2165. 

  2165.                 return
    2166. 

  2166.                     "-----BEGIN PUBLIC KEY-----\r\n" .
    2167. 

  2167.                     // subjectPublicKey is stored as a bit string in X.509 certs.  the first byte of a bit string represents how many bits
    2168. 

  2168.                     // in the last byte should be ignored.  the following only supports non-zero stuff but as none of the X.509 certs Firefox
    2169. 

  2169.                     // uses as a cert authority actually use a non-zero bit I think it's safe to assume that none do.
    2170. 

  2170.                     chunk_split(base64_encode(substr(base64_decode($key), 1)), 64) .
    2171. 

  2171.                     '-----END PUBLIC KEY-----';
    2172. 

  2172.             default:
    2173. 

  2173.                 return $key;
    2174. 

  2174.         }
    2175. 

  2175.     }
    2176. 

  2176. 

  2177.     /**
    2178. 

  2178.      * "Normalizes" a Distinguished Name property
    2179. 

  2179.      *
    2180. 

  2180.      * @param String $propName
    2181. 

  2181.      * @access private
    2182. 

  2182.      * @return Mixed
    2183. 

  2183.      */
    2184. 

  2184.     function _translateDNProp($propName)
    2185. 

  2185.     {
    2186. 

  2186.         switch (strtolower($propName)) {
    2187. 

  2187.             case 'id-at-countryname':
    2188. 

  2188.             case 'countryname':
    2189. 

  2189.             case 'c':
    2190. 

  2190.                 return 'id-at-countryName';
    2191. 

  2191.             case 'id-at-organizationname':
    2192. 

  2192.             case 'organizationname':
    2193. 

  2193.             case 'o':
    2194. 

  2194.                 return 'id-at-organizationName';
    2195. 

  2195.             case 'id-at-dnqualifier':
    2196. 

  2196.             case 'dnqualifier':
    2197. 

  2197.                 return 'id-at-dnQualifier';
    2198. 

  2198.             case 'id-at-commonname':
    2199. 

  2199.             case 'commonname':
    2200. 

  2200.             case 'cn':
    2201. 

  2201.                 return 'id-at-commonName';
    2202. 

  2202.             case 'id-at-stateorprovinceName':
    2203. 

  2203.             case 'stateorprovincename':
    2204. 

  2204.             case 'state':
    2205. 

  2205.             case 'province':
    2206. 

  2206.             case 'provincename':
    2207. 

  2207.             case 'st':
    2208. 

  2208.                 return 'id-at-stateOrProvinceName';
    2209. 

  2209.             case 'id-at-localityname':
    2210. 

  2210.             case 'localityname':
    2211. 

  2211.             case 'l':
    2212. 

  2212.                 return 'id-at-localityName';
    2213. 

  2213.             case 'id-emailaddress':
    2214. 

  2214.             case 'emailaddress':
    2215. 

  2215.                 return 'pkcs-9-at-emailAddress';
    2216. 

  2216.             case 'id-at-serialnumber':
    2217. 

  2217.             case 'serialnumber':
    2218. 

  2218.                 return 'id-at-serialNumber';
    2219. 

  2219.             case 'id-at-postalcode':
    2220. 

  2220.             case 'postalcode':
    2221. 

  2221.                 return 'id-at-postalCode';
    2222. 

  2222.             case 'id-at-streetaddress':
    2223. 

  2223.             case 'streetaddress':
    2224. 

  2224.                 return 'id-at-streetAddress';
    2225. 

  2225.             case 'id-at-name':
    2226. 

  2226.             case 'name':
    2227. 

  2227.                 return 'id-at-name';
    2228. 

  2228.             case 'id-at-givenname':
    2229. 

  2229.             case 'givenname':
    2230. 

  2230.                 return 'id-at-givenName';
    2231. 

  2231.             case 'id-at-surname':
    2232. 

  2232.             case 'surname':
    2233. 

  2233.             case 'sn':
    2234. 

  2234.                 return 'id-at-surname';
    2235. 

  2235.             case 'id-at-initials':
    2236. 

  2236.             case 'initials':
    2237. 

  2237.                 return 'id-at-initials';
    2238. 

  2238.             case 'id-at-generationqualifier':
    2239. 

  2239.             case 'generationqualifier':
    2240. 

  2240.                 return 'id-at-generationQualifier';
    2241. 

  2241.             case 'id-at-organizationalunitname':
    2242. 

  2242.             case 'organizationalunitname':
    2243. 

  2243.             case 'ou':
    2244. 

  2244.                 return 'id-at-organizationalUnitName';
    2245. 

  2245.             case 'id-at-pseudonym':
    2246. 

  2246.             case 'pseudonym':
    2247. 

  2247.                 return 'id-at-pseudonym';
    2248. 

  2248.             case 'id-at-title':
    2249. 

  2249.             case 'title':
    2250. 

  2250.                 return 'id-at-title';
    2251. 

  2251.             case 'id-at-description':
    2252. 

  2252.             case 'description':
    2253. 

  2253.                 return 'id-at-description';
    2254. 

  2254.             case 'id-at-role':
    2255. 

  2255.             case 'role':
    2256. 

  2256.                 return 'id-at-role';
    2257. 

  2257.             case 'id-at-uniqueidentifier':
    2258. 

  2258.             case 'uniqueidentifier':
    2259. 

  2259.             case 'x500uniqueidentifier':
    2260. 

  2260.                 return 'id-at-uniqueIdentifier';
    2261. 

  2261.             default:
    2262. 

  2262.                 return false;
    2263. 

  2263.         }
    2264. 

  2264.     }
    2265. 

  2265. 

  2266.     /**
    2267. 

  2267.      * Set a Distinguished Name property
    2268. 

  2268.      *
    2269. 

  2269.      * @param String $propName
    2270. 

  2270.      * @param Mixed $propValue
    2271. 

  2271.      * @param String $type optional
    2272. 

  2272.      * @access public
    2273. 

  2273.      * @return Boolean
    2274. 

  2274.      */
    2275. 

  2275.     function setDNProp($propName, $propValue, $type = 'utf8String')
    2276. 

  2276.     {
    2277. 

  2277.         if (empty($this->dn)) {
    2278. 

  2278.             $this->dn = array('rdnSequence' => array());
    2279. 

  2279.         }
    2280. 

  2280. 

  2281.         if (($propName = $this->_translateDNProp($propName)) === false) {
    2282. 

  2282.             return false;
    2283. 

  2283.         }
    2284. 

  2284. 

  2285.         foreach ((array) $propValue as $v) {
    2286. 

  2286.             if (!is_array($v) && isset($type)) {
    2287. 

  2287.                 $v = array($type => $v);
    2288. 

  2288.             }
    2289. 

  2289.             $this->dn['rdnSequence'][] = array(
    2290. 

  2290.                 array(
    2291. 

  2291.                     'type' => $propName,
    2292. 

  2292.                     'value'=> $v
    2293. 

  2293.                 )
    2294. 

  2294.             );
    2295. 

  2295.         }
    2296. 

  2296. 

  2297.         return true;
    2298. 

  2298.     }
    2299. 

  2299. 

  2300.     /**
    2301. 

  2301.      * Remove Distinguished Name properties
    2302. 

  2302.      *
    2303. 

  2303.      * @param String $propName
    2304. 

  2304.      * @access public
    2305. 

  2305.      */
    2306. 

  2306.     function removeDNProp($propName)
    2307. 

  2307.     {
    2308. 

  2308.         if (empty($this->dn)) {
    2309. 

  2309.             return;
    2310. 

  2310.         }
    2311. 

  2311. 

  2312.         if (($propName = $this->_translateDNProp($propName)) === false) {
    2313. 

  2313.             return;
    2314. 

  2314.         }
    2315. 

  2315. 

  2316.         $dn = &$this->dn['rdnSequence'];
    2317. 

  2317.         $size = count($dn);
    2318. 

  2318.         for ($i = 0; $i < $size; $i++) {
    2319. 

  2319.             if ($dn[$i][0]['type'] == $propName) {
    2320. 

  2320.                 unset($dn[$i]);
    2321. 

  2321.             }
    2322. 

  2322.         }
    2323. 

  2323. 

  2324.         $dn = array_values($dn);
    2325. 

  2325.     }
    2326. 

  2326. 

  2327.     /**
    2328. 

  2328.      * Get Distinguished Name properties
    2329. 

  2329.      *
    2330. 

  2330.      * @param String $propName
    2331. 

  2331.      * @param Array $dn optional
    2332. 

  2332.      * @param Boolean $withType optional
    2333. 

  2333.      * @return Mixed
    2334. 

  2334.      * @access public
    2335. 

  2335.      */
    2336. 

  2336.     function getDNProp($propName, $dn = NULL, $withType = false)
    2337. 

  2337.     {
    2338. 

  2338.         if (!isset($dn)) {
    2339. 

  2339.             $dn = $this->dn;
    2340. 

  2340.         }
    2341. 

  2341. 

  2342.         if (empty($dn)) {
    2343. 

  2343.             return false;
    2344. 

  2344.         }
    2345. 

  2345. 

  2346.         if (($propName = $this->_translateDNProp($propName)) === false) {
    2347. 

  2347.             return false;
    2348. 

  2348.         }
    2349. 

  2349. 

  2350.         $dn = $dn['rdnSequence'];
    2351. 

  2351.         $result = array();
    2352. 

  2352.         $asn1 = new File_ASN1();
    2353. 

  2353.         for ($i = 0; $i < count($dn); $i++) {
    2354. 

  2354.             if ($dn[$i][0]['type'] == $propName) {
    2355. 

  2355.                 $v = $dn[$i][0]['value'];
    2356. 

  2356.                 if (!$withType && is_array($v)) {
    2357. 

  2357.                     foreach ($v as $type => $s) {
    2358. 

  2358.                         $type = array_search($type, $asn1->ANYmap, true);
    2359. 

  2359.                         if ($type !== false && isset($asn1->stringTypeSize[$type])) {
    2360. 

  2360.                             $s = $asn1->convert($s, $type);
    2361. 

  2361.                             if ($s !== false) {
    2362. 

  2362.                                 $v = $s;
    2363. 

  2363.                                 break;
    2364. 

  2364.                             }
    2365. 

  2365.                         }
    2366. 

  2366.                     }
    2367. 

  2367.                     if (is_array($v)) {
    2368. 

  2368.                         $v = array_pop($v); // Always strip data type.
    2369. 

  2369.                     }
    2370. 

  2370.                 }
    2371. 

  2371.                 $result[] = $v;
    2372. 

  2372.             }
    2373. 

  2373.         }
    2374. 

  2374. 

  2375.         return $result;
    2376. 

  2376.     }
    2377. 

  2377. 

  2378.     /**
    2379. 

  2379.      * Set a Distinguished Name
    2380. 

  2380.      *
    2381. 

  2381.      * @param Mixed $dn
    2382. 

  2382.      * @param Boolean $merge optional
    2383. 

  2383.      * @param String $type optional
    2384. 

  2384.      * @access public
    2385. 

  2385.      * @return Boolean
    2386. 

  2386.      */
    2387. 

  2387.     function setDN($dn, $merge = false, $type = 'utf8String')
    2388. 

  2388.     {
    2389. 

  2389.         if (!$merge) {
    2390. 

  2390.             $this->dn = NULL;
    2391. 

  2391.         }
    2392. 

  2392. 

  2393.         if (is_array($dn)) {
    2394. 

  2394.             if (isset($dn['rdnSequence'])) {
    2395. 

  2395.                 $this->dn = $dn; // No merge here.
    2396. 

  2396.                 return true;
    2397. 

  2397.             }
    2398. 

  2398. 

  2399.             // handles stuff generated by openssl_x509_parse()
    2400. 

  2400.             foreach ($dn as $prop => $value) {
    2401. 

  2401.                 if (!$this->setDNProp($prop, $value, $type)) {
    2402. 

  2402.                     return false;
    2403. 

  2403.                 }
    2404. 

  2404.             }
    2405. 

  2405.             return true;
    2406. 

  2406.         }
    2407. 

  2407. 

  2408.         // handles everything else
    2409. 

  2409.         $results = preg_split('#((?:^|, *|/)(?:C=|O=|OU=|CN=|L=|ST=|SN=|postalCode=|streetAddress=|emailAddress=|serialNumber=|organizationalUnitName=|title=|description=|role=|x500UniqueIdentifier=))#', $dn, -1, PREG_SPLIT_DELIM_CAPTURE);
    2410. 

  2410.         for ($i = 1; $i < count($results); $i+=2) {
    2411. 

  2411.             $prop = trim($results[$i], ', =/');
    2412. 

  2412.             $value = $results[$i + 1];
    2413. 

  2413.             if (!$this->setDNProp($prop, $value, $type)) {
    2414. 

  2414.                 return false;
    2415. 

  2415.             }
    2416. 

  2416.         }
    2417. 

  2417. 

  2418.         return true;
    2419. 

  2419.     }
    2420. 

  2420. 

  2421.     /**
    2422. 

  2422.      * Get the Distinguished Name for a certificates subject
    2423. 

  2423.      *
    2424. 

  2424.      * @param Mixed $format optional
    2425. 

  2425.      * @param Array $dn optional
    2426. 

  2426.      * @access public
    2427. 

  2427.      * @return Boolean
    2428. 

  2428.      */
    2429. 

  2429.     function getDN($format = FILE_X509_DN_ARRAY, $dn = NULL)
    2430. 

  2430.     {
    2431. 

  2431.         if (!isset($dn)) {
    2432. 

  2432.             $dn = isset($this->currentCert['tbsCertList']) ? $this->currentCert['tbsCertList']['issuer'] : $this->dn;
    2433. 

  2433.         }
    2434. 

  2434. 

  2435.         switch ((int) $format) {
    2436. 

  2436.             case FILE_X509_DN_ARRAY:
    2437. 

  2437.                 return $dn;
    2438. 

  2438.             case FILE_X509_DN_ASN1:
    2439. 

  2439.                 $asn1 = new File_ASN1();
    2440. 

  2440.                 $asn1->loadOIDs($this->oids);
    2441. 

  2441.                 $filters = array();
    2442. 

  2442.                 $filters['rdnSequence']['value'] = array('type' => FILE_ASN1_TYPE_UTF8_STRING);
    2443. 

  2443.                 $asn1->loadFilters($filters);
    2444. 

  2444.                 return $asn1->encodeDER($dn, $this->Name);
    2445. 

  2445.             case FILE_X509_DN_OPENSSL:
    2446. 

  2446.                 $dn = $this->getDN(FILE_X509_DN_STRING, $dn);
    2447. 

  2447.                 if ($dn === false) {
    2448. 

  2448.                     return false;
    2449. 

  2449.                 }
    2450. 

  2450.                 $attrs = preg_split('#((?:^|, *|/)[a-z][a-z0-9]*=)#i', $dn, -1, PREG_SPLIT_DELIM_CAPTURE);
    2451. 

  2451.                 $dn = array();
    2452. 

  2452.                 for ($i = 1; $i < count($attrs); $i += 2) {
    2453. 

  2453.                     $prop = trim($attrs[$i], ', =/');
    2454. 

  2454.                     $value = $attrs[$i + 1];
    2455. 

  2455.                     if (!isset($dn[$prop])) {
    2456. 

  2456.                         $dn[$prop] = $value;
    2457. 

  2457.                     } else {
    2458. 

  2458.                         $dn[$prop] = array_merge((array) $dn[$prop], array($value));
    2459. 

  2459.                     }
    2460. 

  2460.                 }
    2461. 

  2461.                 return $dn;
    2462. 

  2462.             case FILE_X509_DN_CANON:
    2463. 

  2463.                 //  No SEQUENCE around RDNs and all string values normalized as
    2464. 

  2464.                 // trimmed lowercase UTF-8 with all spacing  as one blank.
    2465. 

  2465.                 $asn1 = new File_ASN1();
    2466. 

  2466.                 $asn1->loadOIDs($this->oids);
    2467. 

  2467.                 $filters = array();
    2468. 

  2468.                 $filters['value'] = array('type' => FILE_ASN1_TYPE_UTF8_STRING);
    2469. 

  2469.                 $asn1->loadFilters($filters);
    2470. 

  2470.                 $result = '';
    2471. 

  2471.                 foreach ($dn['rdnSequence'] as $rdn) {
    2472. 

  2472.                     foreach ($rdn as &$attr) {
    2473. 

  2473.                         if (is_array($attr['value'])) {
    2474. 

  2474.                             foreach ($attr['value'] as $type => $v) {
    2475. 

  2475.                                 $type = array_search($type, $asn1->ANYmap, true);
    2476. 

  2476.                                 if ($type !== false && isset($asn1->stringTypeSize[$type])) {
    2477. 

  2477.                                     $v = $asn1->convert($v, $type);
    2478. 

  2478.                                     if ($v !== false) {
    2479. 

  2479.                                         $v = preg_replace('/\s+/', ' ', $v);
    2480. 

  2480.                                         $attr['value'] = strtolower(trim($v));
    2481. 

  2481.                                         break;
    2482. 

  2482.                                     }
    2483. 

  2483.                                 }
    2484. 

  2484.                             }
    2485. 

  2485.                         }
    2486. 

  2486.                     }
    2487. 

  2487.                     $result .= $asn1->encodeDER($rdn, $this->RelativeDistinguishedName);
    2488. 

  2488.                 }
    2489. 

  2489.                 return $result;
    2490. 

  2490.             case FILE_X509_DN_HASH:
    2491. 

  2491.                 $dn = $this->getDN(FILE_X509_DN_CANON, $dn);
    2492. 

  2492.                 if (!class_exists('Crypt_Hash')) {
    2493. 

  2493.                     require_once('Crypt/Hash.php');
    2494. 

  2494.                 }
    2495. 

  2495.                 $hash = new Crypt_Hash('sha1');
    2496. 

  2496.                 $hash = $hash->hash($dn);
    2497. 

  2497.                 extract(unpack('Vhash', $hash));
    2498. 

  2498.                 return strtolower(bin2hex(pack('N', $hash)));
    2499. 

  2499.         }
    2500. 

  2500. 

  2501.         // Defaut is to return a string.
    2502. 

  2502.         $start = true;
    2503. 

  2503.         $output = '';
    2504. 

  2504.         $asn1 = new File_ASN1();
    2505. 

  2505.         foreach ($dn['rdnSequence'] as $field) {
    2506. 

  2506.             $prop = $field[0]['type'];
    2507. 

  2507.             $value = $field[0]['value'];
    2508. 

  2508. 

  2509.             $delim = ', ';
    2510. 

  2510.             switch ($prop) {
    2511. 

  2511.                 case 'id-at-countryName':
    2512. 

  2512.                     $desc = 'C=';
    2513. 

  2513.                     break;
    2514. 

  2514.                 case 'id-at-stateOrProvinceName':
    2515. 

  2515.                     $desc = 'ST=';
    2516. 

  2516.                     break;
    2517. 

  2517.                 case 'id-at-organizationName':
    2518. 

  2518.                     $desc = 'O=';
    2519. 

  2519.                     break;
    2520. 

  2520.                 case 'id-at-organizationalUnitName':
    2521. 

  2521.                     $desc = 'OU=';
    2522. 

  2522.                     break;
    2523. 

  2523.                 case 'id-at-commonName':
    2524. 

  2524.                     $desc = 'CN=';
    2525. 

  2525.                     break;
    2526. 

  2526.                 case 'id-at-localityName':
    2527. 

  2527.                     $desc = 'L=';
    2528. 

  2528.                     break;
    2529. 

  2529.                 case 'id-at-surname':
    2530. 

  2530.                     $desc = 'SN=';
    2531. 

  2531.                     break;
    2532. 

  2532.                 case 'id-at-uniqueIdentifier':
    2533. 

  2533.                     $delim = '/';
    2534. 

  2534.                     $desc = 'x500UniqueIdentifier=';
    2535. 

  2535.                     break;
    2536. 

  2536.                 default:
    2537. 

  2537.                     $delim = '/';
    2538. 

  2538.                     $desc = preg_replace('#.+-([^-]+)$#', '$1',  $prop) . '=';
    2539. 

  2539.             }
    2540. 

  2540. 

  2541.             if (!$start) {
    2542. 

  2542.                 $output.= $delim;
    2543. 

  2543.             }
    2544. 

  2544.             if (is_array($value)) {
    2545. 

  2545.                 foreach ($value as $type => $v) {
    2546. 

  2546.                     $type = array_search($type, $asn1->ANYmap, true);
    2547. 

  2547.                     if ($type !== false && isset($asn1->stringTypeSize[$type])) {
    2548. 

  2548.                         $v = $asn1->convert($v, $type);
    2549. 

  2549.                         if ($v !== false) {
    2550. 

  2550.                             $value = $v;
    2551. 

  2551.                             break;
    2552. 

  2552.                         }
    2553. 

  2553.                     }
    2554. 

  2554.                 }
    2555. 

  2555.                 if (is_array($value)) {
    2556. 

  2556.                     $value = array_pop($value); // Always strip data type.
    2557. 

  2557.                 }
    2558. 

  2558.             }
    2559. 

  2559.             $output.= $desc . $value;
    2560. 

  2560.             $start = false;
    2561. 

  2561.         }
    2562. 

  2562. 

  2563.         return $output;
    2564. 

  2564.     }
    2565. 

  2565. 

  2566.     /**
    2567. 

  2567.      * Get the Distinguished Name for a certificate/crl issuer
    2568. 

  2568.      *
    2569. 

  2569.      * @param Integer $format optional
    2570. 

  2570.      * @access public
    2571. 

  2571.      * @return Mixed
    2572. 

  2572.      */
    2573. 

  2573.     function getIssuerDN($format = FILE_X509_DN_ARRAY)
    2574. 

  2574.     {
    2575. 

  2575.         switch (true) {
    2576. 

  2576.             case !isset($this->currentCert) || !is_array($this->currentCert):
    2577. 

  2577.                 break;
    2578. 

  2578.             case isset($this->currentCert['tbsCertificate']):
    2579. 

  2579.                 return $this->getDN($format, $this->currentCert['tbsCertificate']['issuer']);
    2580. 

  2580.             case isset($this->currentCert['tbsCertList']):
    2581. 

  2581.                 return $this->getDN($format, $this->currentCert['tbsCertList']['issuer']);
    2582. 

  2582.         }
    2583. 

  2583. 

  2584.         return false;
    2585. 

  2585.     }
    2586. 

  2586. 

  2587.     /**
    2588. 

  2588.      * Get the Distinguished Name for a certificate/csr subject
    2589. 

  2589.      * Alias of getDN()
    2590. 

  2590.      *
    2591. 

  2591.      * @param Integer $format optional
    2592. 

  2592.      * @access public
    2593. 

  2593.      * @return Mixed
    2594. 

  2594.      */
    2595. 

  2595.     function getSubjectDN($format = FILE_X509_DN_ARRAY)
    2596. 

  2596.     {
    2597. 

  2597.         switch (true) {
    2598. 

  2598.             case !empty($this->dn):
    2599. 

  2599.                 return $this->getDN($format);
    2600. 

  2600.             case !isset($this->currentCert) || !is_array($this->currentCert):
    2601. 

  2601.                 break;
    2602. 

  2602.             case isset($this->currentCert['tbsCertificate']):
    2603. 

  2603.                 return $this->getDN($format, $this->currentCert['tbsCertificate']['subject']);
    2604. 

  2604.             case isset($this->currentCert['certificationRequestInfo']):
    2605. 

  2605.                 return $this->getDN($format, $this->currentCert['certificationRequestInfo']['subject']);
    2606. 

  2606.         }
    2607. 

  2607. 

  2608.         return false;
    2609. 

  2609.     }
    2610. 

  2610. 

  2611.     /**
    2612. 

  2612.      * Get an individual Distinguished Name property for a certificate/crl issuer
    2613. 

  2613.      *
    2614. 

  2614.      * @param String $propName
    2615. 

  2615.      * @param Boolean $withType optional
    2616. 

  2616.      * @access public
    2617. 

  2617.      * @return Mixed
    2618. 

  2618.      */
    2619. 

  2619.     function getIssuerDNProp($propName, $withType = false)
    2620. 

  2620.     {
    2621. 

  2621.         switch (true) {
    2622. 

  2622.             case !isset($this->currentCert) || !is_array($this->currentCert):
    2623. 

  2623.                 break;
    2624. 

  2624.             case isset($this->currentCert['tbsCertificate']):
    2625. 

  2625.                 return $this->getDNProp($propName, $this->currentCert['tbsCertificate']['issuer'], $withType);
    2626. 

  2626.             case isset($this->currentCert['tbsCertList']):
    2627. 

  2627.                 return $this->getDNProp($propName, $this->currentCert['tbsCertList']['issuer'], $withType);
    2628. 

  2628.         }
    2629. 

  2629. 

  2630.         return false;
    2631. 

  2631.     }
    2632. 

  2632. 

  2633.     /**
    2634. 

  2634.      * Get an individual Distinguished Name property for a certificate/csr subject
    2635. 

  2635.      *
    2636. 

  2636.      * @param String $propName
    2637. 

  2637.      * @param Boolean $withType optional
    2638. 

  2638.      * @access public
    2639. 

  2639.      * @return Mixed
    2640. 

  2640.      */
    2641. 

  2641.     function getSubjectDNProp($propName, $withType = false)
    2642. 

  2642.     {
    2643. 

  2643.         switch (true) {
    2644. 

  2644.             case !empty($this->dn):
    2645. 

  2645.                 return $this->getDNProp($propName, NULL, $withType);
    2646. 

  2646.             case !isset($this->currentCert) || !is_array($this->currentCert):
    2647. 

  2647.                 break;
    2648. 

  2648.             case isset($this->currentCert['tbsCertificate']):
    2649. 

  2649.                 return $this->getDNProp($propName, $this->currentCert['tbsCertificate']['subject'], $withType);
    2650. 

  2650.             case isset($this->currentCert['certificationRequestInfo']):
    2651. 

  2651.                 return $this->getDNProp($propName, $this->currentCert['certificationRequestInfo']['subject'], $withType);
    2652. 

  2652.         }
    2653. 

  2653. 

  2654.         return false;
    2655. 

  2655.     }
    2656. 

  2656. 

  2657.     /**
    2658. 

  2658.      * Get the certificate chain for the current cert
    2659. 

  2659.      *
    2660. 

  2660.      * @access public
    2661. 

  2661.      * @return Mixed
    2662. 

  2662.      */
    2663. 

  2663.     function getChain()
    2664. 

  2664.     {
    2665. 

  2665.         $chain = array($this->currentCert);
    2666. 

  2666. 

  2667.         if (!is_array($this->currentCert) || !isset($this->currentCert['tbsCertificate'])) {
    2668. 

  2668.             return false;
    2669. 

  2669.         }
    2670. 

  2670.         if (empty($this->CAs)) {
    2671. 

  2671.             return $chain;
    2672. 

  2672.         }
    2673. 

  2673.         while (true) {
    2674. 

  2674.             $currentCert = $chain[count($chain) - 1];
    2675. 

  2675.             for ($i = 0; $i < count($this->CAs); $i++) {
    2676. 

  2676.                 $ca = $this->CAs[$i];
    2677. 

  2677.                 if ($currentCert['tbsCertificate']['issuer'] === $ca['tbsCertificate']['subject']) {
    2678. 

  2678.                     $authorityKey = $this->getExtension('id-ce-authorityKeyIdentifier', $currentCert);
    2679. 

  2679.                     $subjectKeyID = $this->getExtension('id-ce-subjectKeyIdentifier', $ca);
    2680. 

  2680.                     switch (true) {
    2681. 

  2681.                         case !is_array($authorityKey):
    2682. 

  2682.                         case is_array($authorityKey) && isset($authorityKey['keyIdentifier']) && $authorityKey['keyIdentifier'] === $subjectKeyID:
    2683. 

  2683.                             if ($currentCert === $ca) {
    2684. 

  2684.                                 break 3;
    2685. 

  2685.                             }
    2686. 

  2686.                             $chain[] = $ca;
    2687. 

  2687.                             break 2;
    2688. 

  2688.                     }
    2689. 

  2689.                 }
    2690. 

  2690.             }
    2691. 

  2691.             if ($i == count($this->CAs)) {
    2692. 

  2692.                 break;
    2693. 

  2693.             }
    2694. 

  2694.         }
    2695. 

  2695.         foreach ($chain as $key=>$value) {
    2696. 

  2696.             $chain[$key] = new File_X509();
    2697. 

  2697.             $chain[$key]->loadX509($value);
    2698. 

  2698.         }
    2699. 

  2699.         return $chain;
    2700. 

  2700.     }
    2701. 

  2701. 

  2702.     /**
    2703. 

  2703.      * Set public key
    2704. 

  2704.      *
    2705. 

  2705.      * Key needs to be a Crypt_RSA object
    2706. 

  2706.      *
    2707. 

  2707.      * @param Object $key
    2708. 

  2708.      * @access public
    2709. 

  2709.      * @return Boolean
    2710. 

  2710.      */
    2711. 

  2711.     function setPublicKey($key)
    2712. 

  2712.     {
    2713. 

  2713.         $this->publicKey = $key;
    2714. 

  2714.     }
    2715. 

  2715. 

  2716.     /**
    2717. 

  2717.      * Set private key
    2718. 

  2718.      *
    2719. 

  2719.      * Key needs to be a Crypt_RSA object
    2720. 

  2720.      *
    2721. 

  2721.      * @param Object $key
    2722. 

  2722.      * @access public
    2723. 

  2723.      */
    2724. 

  2724.     function setPrivateKey($key)
    2725. 

  2725.     {
    2726. 

  2726.         $this->privateKey = $key;
    2727. 

  2727.     }
    2728. 

  2728. 

  2729.     /**
    2730. 

  2730.      * Gets the public key
    2731. 

  2731.      *
    2732. 

  2732.      * Returns a Crypt_RSA object or a false.
    2733. 

  2733.      *
    2734. 

  2734.      * @access public
    2735. 

  2735.      * @return Mixed
    2736. 

  2736.      */
    2737. 

  2737.     function getPublicKey()
    2738. 

  2738.     {
    2739. 

  2739.         if (isset($this->publicKey)) {
    2740. 

  2740.             return $this->publicKey;
    2741. 

  2741.         }
    2742. 

  2742. 

  2743.         if (isset($this->currentCert) && is_array($this->currentCert)) {
    2744. 

  2744.             foreach (array('tbsCertificate/subjectPublicKeyInfo', 'certificationRequestInfo/subjectPKInfo') as $path) {
    2745. 

  2745.                 $keyinfo = $this->_subArray($this->currentCert, $path);
    2746. 

  2746.                 if (!empty($keyinfo)) {
    2747. 

  2747.                     break;
    2748. 

  2748.                 }
    2749. 

  2749.             }
    2750. 

  2750.         }
    2751. 

  2751.         if (empty($keyinfo)) {
    2752. 

  2752.             return false;
    2753. 

  2753.         }
    2754. 

  2754. 

  2755.         $key = $keyinfo['subjectPublicKey'];
    2756. 

  2756. 

  2757.         switch ($keyinfo['algorithm']['algorithm']) {
    2758. 

  2758.             case 'rsaEncryption':
    2759. 

  2759.                 if (!class_exists('Crypt_RSA')) {
    2760. 

  2760.                     require_once('Crypt/RSA.php');
    2761. 

  2761.                 }
    2762. 

  2762.                 $publicKey = new Crypt_RSA();
    2763. 

  2763.                 $publicKey->loadKey($key);
    2764. 

  2764.                 $publicKey->setPublicKey();
    2765. 

  2765.                 break;
    2766. 

  2766.             default:
    2767. 

  2767.                 return false;
    2768. 

  2768.         }
    2769. 

  2769. 

  2770.         return $publicKey;
    2771. 

  2771.     }
    2772. 

  2772. 

  2773.     /**
    2774. 

  2774.      * Load a Certificate Signing Request
    2775. 

  2775.      *
    2776. 

  2776.      * @param String $csr
    2777. 

  2777.      * @access public
    2778. 

  2778.      * @return Mixed
    2779. 

  2779.      */
    2780. 

  2780.     function loadCSR($csr)
    2781. 

  2781.     {
    2782. 

  2782.         if (is_array($csr) && isset($csr['certificationRequestInfo'])) {
    2783. 

  2783.             unset($this->currentCert);
    2784. 

  2784.             unset($this->currentKeyIdentifier);
    2785. 

  2785.             unset($this->signatureSubject);
    2786. 

  2786.             $this->dn = $csr['certificationRequestInfo']['subject'];
    2787. 

  2787.             if (!isset($this->dn)) {
    2788. 

  2788.                 return false;
    2789. 

  2789.             }
    2790. 

  2790. 

  2791.             $this->currentCert = $csr;
    2792. 

  2792.             return $csr;
    2793. 

  2793.         }
    2794. 

  2794. 

  2795.         // see http://tools.ietf.org/html/rfc2986
    2796. 

  2796. 

  2797.         $asn1 = new File_ASN1();
    2798. 

  2798. 

  2799.         $csr = $this->_extractBER($csr);
    2800. 

  2800.         $orig = $csr;
    2801. 

  2801. 

  2802.         if ($csr === false) {
    2803. 

  2803.             $this->currentCert = false;
    2804. 

  2804.             return false;
    2805. 

  2805.         }
    2806. 

  2806. 

  2807.         $asn1->loadOIDs($this->oids);
    2808. 

  2808.         $decoded = $asn1->decodeBER($csr);
    2809. 

  2809. 

  2810.         if (empty($decoded)) {
    2811. 

  2811.             $this->currentCert = false;
    2812. 

  2812.             return false;
    2813. 

  2813.         }
    2814. 

  2814. 

  2815.         $csr = $asn1->asn1map($decoded[0], $this->CertificationRequest);
    2816. 

  2816.         if (!isset($csr) || $csr === false) {
    2817. 

  2817.             $this->currentCert = false;
    2818. 

  2818.             return false;
    2819. 

  2819.         }
    2820. 

  2820. 

  2821.         $this->dn = $csr['certificationRequestInfo']['subject'];
    2822. 

  2822.         $this->_mapInAttributes($csr, 'certificationRequestInfo/attributes', $asn1);
    2823. 

  2823. 

  2824.         $this->signatureSubject = substr($orig, $decoded[0]['content'][0]['start'], $decoded[0]['content'][0]['length']);
    2825. 

  2825. 

  2826.         $algorithm = &$csr['certificationRequestInfo']['subjectPKInfo']['algorithm']['algorithm'];
    2827. 

  2827.         $key = &$csr['certificationRequestInfo']['subjectPKInfo']['subjectPublicKey'];
    2828. 

  2828.         $key = $this->_reformatKey($algorithm, $key);
    2829. 

  2829. 

  2830.         switch ($algorithm) {
    2831. 

  2831.             case 'rsaEncryption':
    2832. 

  2832.                 if (!class_exists('Crypt_RSA')) {
    2833. 

  2833.                     require_once('Crypt/RSA.php');
    2834. 

  2834.                 }
    2835. 

  2835.                 $this->publicKey = new Crypt_RSA();
    2836. 

  2836.                 $this->publicKey->loadKey($key);
    2837. 

  2837.                 $this->publicKey->setPublicKey();
    2838. 

  2838.                 break;
    2839. 

  2839.             default:
    2840. 

  2840.                 $this->publicKey = NULL;
    2841. 

  2841.         }
    2842. 

  2842. 

  2843.         $this->currentKeyIdentifier = NULL;
    2844. 

  2844.         $this->currentCert = $csr;
    2845. 

  2845. 

  2846.         return $csr;
    2847. 

  2847.     }
    2848. 

  2848. 

  2849.     /**
    2850. 

  2850.      * Save CSR request
    2851. 

  2851.      *
    2852. 

  2852.      * @param Array $csr
    2853. 

  2853.      * @param Integer $format optional
    2854. 

  2854.      * @access public
    2855. 

  2855.      * @return String
    2856. 

  2856.      */
    2857. 

  2857.     function saveCSR($csr, $format = FILE_X509_FORMAT_PEM)
    2858. 

  2858.     {
    2859. 

  2859.         if (!is_array($csr) || !isset($csr['certificationRequestInfo'])) {
    2860. 

  2860.             return false;
    2861. 

  2861.         }
    2862. 

  2862. 

  2863.         switch (true) {
    2864. 

  2864.             case !($algorithm = $this->_subArray($csr, 'certificationRequestInfo/subjectPKInfo/algorithm/algorithm')):
    2865. 

  2865.             case is_object($csr['certificationRequestInfo']['subjectPKInfo']['subjectPublicKey']);
    2866. 

  2866.                 break;
    2867. 

  2867.             default:
    2868. 

  2868.                 switch ($algorithm) {
    2869. 

  2869.                     case 'rsaEncryption':
    2870. 

  2870.                         $csr['certificationRequestInfo']['subjectPKInfo']['subjectPublicKey'] = 
    2871. 

  2871.                             base64_encode("\0" . base64_decode(preg_replace('#-.+-|[\r\n]#', '', $csr['certificationRequestInfo']['subjectPKInfo']['subjectPublicKey'])));
    2872. 

  2872.                 }
    2873. 

  2873.         }
    2874. 

  2874. 

  2875.         $asn1 = new File_ASN1();
    2876. 

  2876. 

  2877.         $asn1->loadOIDs($this->oids);
    2878. 

  2878. 

  2879.         $filters = array();
    2880. 

  2880.         $filters['certificationRequestInfo']['subject']['rdnSequence']['value'] = 
    2881. 

  2881.             array('type' => FILE_ASN1_TYPE_UTF8_STRING);
    2882. 

  2882. 

  2883.         $asn1->loadFilters($filters);
    2884. 

  2884. 

  2885.         $this->_mapOutAttributes($csr, 'certificationRequestInfo/attributes', $asn1);
    2886. 

  2886.         $csr = $asn1->encodeDER($csr, $this->CertificationRequest);
    2887. 

  2887. 

  2888.         switch ($format) {
    2889. 

  2889.             case FILE_X509_FORMAT_DER:
    2890. 

  2890.                 return $csr;
    2891. 

  2891.             // case FILE_X509_FORMAT_PEM:
    2892. 

  2892.             default:
    2893. 

  2893.                 return "-----BEGIN CERTIFICATE REQUEST-----\r\n" . chunk_split(base64_encode($csr), 64) . '-----END CERTIFICATE REQUEST-----';
    2894. 

  2894.         }
    2895. 

  2895.     }
    2896. 

  2896. 

  2897.     /**
    2898. 

  2898.      * Load a SPKAC CSR
    2899. 

  2899.      *
    2900. 

  2900.      * SPKAC's are produced by the HTML5 keygen element:
    2901. 

  2901.      *
    2902. 

  2902.      * https://developer.mozilla.org/en-US/docs/HTML/Element/keygen
    2903. 

  2903.      *
    2904. 

  2904.      * @param String $csr
    2905. 

  2905.      * @access public
    2906. 

  2906.      * @return Mixed
    2907. 

  2907.      */
    2908. 

  2908.     function loadSPKAC($csr)
    2909. 

  2909.     {
    2910. 

  2910.         if (is_array($csr) && isset($csr['publicKeyAndChallenge'])) {
    2911. 

  2911.             unset($this->currentCert);
    2912. 

  2912.             unset($this->currentKeyIdentifier);
    2913. 

  2913.             unset($this->signatureSubject);
    2914. 

  2914.             $this->currentCert = $csr;
    2915. 

  2915.             return $csr;
    2916. 

  2916.         }
    2917. 

  2917. 

  2918.         // see http://www.w3.org/html/wg/drafts/html/master/forms.html#signedpublickeyandchallenge
    2919. 

  2919. 

  2920.         $asn1 = new File_ASN1();
    2921. 

  2921. 

  2922.         $temp = preg_replace('#(?:^[^=]+=)|[\r\n\\\]#', '', $csr);
    2923. 

  2923.         $temp = preg_match('#^[a-zA-Z\d/+]*={0,2}$#', $temp) ? base64_decode($temp) : false;
    2924. 

  2924.         if ($temp != false) {
    2925. 

  2925.             $csr = $temp;
    2926. 

  2926.         }
    2927. 

  2927.         $orig = $csr;
    2928. 

  2928. 

  2929.         if ($csr === false) {
    2930. 

  2930.             $this->currentCert = false;
    2931. 

  2931.             return false;
    2932. 

  2932.         }
    2933. 

  2933. 

  2934.         $asn1->loadOIDs($this->oids);
    2935. 

  2935.         $decoded = $asn1->decodeBER($csr);
    2936. 

  2936. 

  2937.         if (empty($decoded)) {
    2938. 

  2938.             $this->currentCert = false;
    2939. 

  2939.             return false;
    2940. 

  2940.         }
    2941. 

  2941. 

  2942.         $csr = $asn1->asn1map($decoded[0], $this->SignedPublicKeyAndChallenge);
    2943. 

  2943. 

  2944.         if (!isset($csr) || $csr === false) {
    2945. 

  2945.             $this->currentCert = false;
    2946. 

  2946.             return false;
    2947. 

  2947.         }
    2948. 

  2948. 

  2949.         $this->signatureSubject = substr($orig, $decoded[0]['content'][0]['start'], $decoded[0]['content'][0]['length']);
    2950. 

  2950. 

  2951.         $algorithm = &$csr['publicKeyAndChallenge']['spki']['algorithm']['algorithm'];
    2952. 

  2952.         $key = &$csr['publicKeyAndChallenge']['spki']['subjectPublicKey'];
    2953. 

  2953.         $key = $this->_reformatKey($algorithm, $key);
    2954. 

  2954. 

  2955.         switch ($algorithm) {
    2956. 

  2956.             case 'rsaEncryption':
    2957. 

  2957.                 if (!class_exists('Crypt_RSA')) {
    2958. 

  2958.                     require_once('Crypt/RSA.php');
    2959. 

  2959.                 }
    2960. 

  2960.                 $this->publicKey = new Crypt_RSA();
    2961. 

  2961.                 $this->publicKey->loadKey($key);
    2962. 

  2962.                 $this->publicKey->setPublicKey();
    2963. 

  2963.                 break;
    2964. 

  2964.             default:
    2965. 

  2965.                 $this->publicKey = NULL;
    2966. 

  2966.         }
    2967. 

  2967. 

  2968.         $this->currentKeyIdentifier = NULL;
    2969. 

  2969.         $this->currentCert = $csr;
    2970. 

  2970. 

  2971.         return $csr;
    2972. 

  2972.     }
    2973. 

  2973. 

  2974.     /**
    2975. 

  2975.      * Load a Certificate Revocation List
    2976. 

  2976.      *
    2977. 

  2977.      * @param String $crl
    2978. 

  2978.      * @access public
    2979. 

  2979.      * @return Mixed
    2980. 

  2980.      */
    2981. 

  2981.     function loadCRL($crl)
    2982. 

  2982.     {
    2983. 

  2983.         if (is_array($crl) && isset($crl['tbsCertList'])) {
    2984. 

  2984.             $this->currentCert = $crl;
    2985. 

  2985.             unset($this->signatureSubject);
    2986. 

  2986.             return $crl;
    2987. 

  2987.         }
    2988. 

  2988. 

  2989.         $asn1 = new File_ASN1();
    2990. 

  2990. 

  2991.         $crl = $this->_extractBER($crl);
    2992. 

  2992.         $orig = $crl;
    2993. 

  2993. 

  2994.         if ($crl === false) {
    2995. 

  2995.             $this->currentCert = false;
    2996. 

  2996.             return false;
    2997. 

  2997.         }
    2998. 

  2998. 

  2999.         $asn1->loadOIDs($this->oids);
    3000. 

  3000.         $decoded = $asn1->decodeBER($crl);
    3001. 

  3001. 

  3002.         if (empty($decoded)) {
    3003. 

  3003.             $this->currentCert = false;
    3004. 

  3004.             return false;
    3005. 

  3005.         }
    3006. 

  3006. 

  3007.         $crl = $asn1->asn1map($decoded[0], $this->CertificateList);
    3008. 

  3008.         if (!isset($crl) || $crl === false) {
    3009. 

  3009.             $this->currentCert = false;
    3010. 

  3010.             return false;
    3011. 

  3011.         }
    3012. 

  3012. 

  3013.         $this->signatureSubject = substr($orig, $decoded[0]['content'][0]['start'], $decoded[0]['content'][0]['length']);
    3014. 

  3014. 

  3015.         $this->_mapInExtensions($crl, 'tbsCertList/crlExtensions', $asn1);
    3016. 

  3016.         $rclist = &$this->_subArray($crl,'tbsCertList/revokedCertificates');
    3017. 

  3017.         if (is_array($rclist)) {
    3018. 

  3018.             foreach ($rclist as $i => $extension) {
    3019. 

  3019.                 $this->_mapInExtensions($rclist, "$i/crlEntryExtensions", $asn1);
    3020. 

  3020.             }
    3021. 

  3021.         }
    3022. 

  3022. 

  3023.         $this->currentKeyIdentifier = NULL;
    3024. 

  3024.         $this->currentCert = $crl;
    3025. 

  3025. 

  3026.         return $crl;
    3027. 

  3027.     }
    3028. 

  3028. 

  3029.     /**
    3030. 

  3030.      * Save Certificate Revocation List.
    3031. 

  3031.      *
    3032. 

  3032.      * @param Array $crl
    3033. 

  3033.      * @param Integer $format optional
    3034. 

  3034.      * @access public
    3035. 

  3035.      * @return String
    3036. 

  3036.      */
    3037. 

  3037.     function saveCRL($crl, $format = FILE_X509_FORMAT_PEM)
    3038. 

  3038.     {
    3039. 

  3039.         if (!is_array($crl) || !isset($crl['tbsCertList'])) {
    3040. 

  3040.             return false;
    3041. 

  3041.         }
    3042. 

  3042. 

  3043.         $asn1 = new File_ASN1();
    3044. 

  3044. 

  3045.         $asn1->loadOIDs($this->oids);
    3046. 

  3046. 

  3047.         $filters = array();
    3048. 

  3048.         $filters['tbsCertList']['issuer']['rdnSequence']['value'] = 
    3049. 

  3049.         $filters['tbsCertList']['signature']['parameters'] = 
    3050. 

  3050.         $filters['signatureAlgorithm']['parameters'] = 
    3051. 

  3051.             array('type' => FILE_ASN1_TYPE_UTF8_STRING);
    3052. 

  3052. 

  3053.         if (empty($crl['tbsCertList']['signature']['parameters'])) {
    3054. 

  3054.             $filters['tbsCertList']['signature']['parameters'] = 
    3055. 

  3055.                 array('type' => FILE_ASN1_TYPE_NULL);
    3056. 

  3056.         }
    3057. 

  3057. 

  3058.         if (empty($crl['signatureAlgorithm']['parameters'])) {
    3059. 

  3059.             $filters['signatureAlgorithm']['parameters'] = 
    3060. 

  3060.                 array('type' => FILE_ASN1_TYPE_NULL);
    3061. 

  3061.         }
    3062. 

  3062. 

  3063.         $asn1->loadFilters($filters);
    3064. 

  3064. 

  3065.         $this->_mapOutExtensions($crl, 'tbsCertList/crlExtensions', $asn1);
    3066. 

  3066.         $rclist = &$this->_subArray($crl,'tbsCertList/revokedCertificates');
    3067. 

  3067.         if (is_array($rclist)) {
    3068. 

  3068.             foreach ($rclist as $i => $extension) {
    3069. 

  3069.                 $this->_mapOutExtensions($rclist, "$i/crlEntryExtensions", $asn1);
    3070. 

  3070.             }
    3071. 

  3071.         }
    3072. 

  3072. 

  3073.         $crl = $asn1->encodeDER($crl, $this->CertificateList);
    3074. 

  3074. 

  3075.         switch ($format) {
    3076. 

  3076.             case FILE_X509_FORMAT_DER:
    3077. 

  3077.                 return $crl;
    3078. 

  3078.             // case FILE_X509_FORMAT_PEM:
    3079. 

  3079.             default:
    3080. 

  3080.                 return "-----BEGIN X509 CRL-----\r\n" . chunk_split(base64_encode($crl), 64) . '-----END X509 CRL-----';
    3081. 

  3081.         }
    3082. 

  3082.     }
    3083. 

  3083. 

  3084.     /**
    3085. 

  3085.      * Sign an X.509 certificate
    3086. 

  3086.      *
    3087. 

  3087.      * $issuer's private key needs to be loaded.
    3088. 

  3088.      * $subject can be either an existing X.509 cert (if you want to resign it),
    3089. 

  3089.      * a CSR or something with the DN and public key explicitly set.
    3090. 

  3090.      *
    3091. 

  3091.      * @param File_X509 $issuer
    3092. 

  3092.      * @param File_X509 $subject
    3093. 

  3093.      * @param String $signatureAlgorithm optional
    3094. 

  3094.      * @access public
    3095. 

  3095.      * @return Mixed
    3096. 

  3096.      */
    3097. 

  3097.     function sign($issuer, $subject, $signatureAlgorithm = 'sha1WithRSAEncryption')
    3098. 

  3098.     {
    3099. 

  3099.         if (!is_object($issuer->privateKey) || empty($issuer->dn)) {
    3100. 

  3100.             return false;
    3101. 

  3101.         }
    3102. 

  3102. 

  3103.         if (isset($subject->publicKey) && !($subjectPublicKey = $subject->_formatSubjectPublicKey())) {
    3104. 

  3104.             return false;
    3105. 

  3105.         }
    3106. 

  3106. 

  3107.         $currentCert = isset($this->currentCert) ? $this->currentCert : NULL;
    3108. 

  3108.         $signatureSubject = isset($this->signatureSubject) ? $this->signatureSubject: NULL;
    3109. 

  3109. 

  3110.         if (isset($subject->currentCert) && is_array($subject->currentCert) && isset($subject->currentCert['tbsCertificate'])) {
    3111. 

  3111.             $this->currentCert = $subject->currentCert;
    3112. 

  3112.             $this->currentCert['tbsCertificate']['signature']['algorithm'] =
    3113. 

  3113.             $this->currentCert['signatureAlgorithm']['algorithm'] =
    3114. 

  3114.                 $signatureAlgorithm;
    3115. 

  3115.             if (!empty($this->startDate)) {
    3116. 

  3116.                 $this->currentCert['tbsCertificate']['validity']['notBefore']['generalTime'] = $this->startDate;
    3117. 

  3117.                 unset($this->currentCert['tbsCertificate']['validity']['notBefore']['utcTime']);
    3118. 

  3118.             }
    3119. 

  3119.             if (!empty($this->endDate)) {
    3120. 

  3120.                 $this->currentCert['tbsCertificate']['validity']['notAfter']['generalTime'] = $this->endDate;
    3121. 

  3121.                 unset($this->currentCert['tbsCertificate']['validity']['notAfter']['utcTime']);
    3122. 

  3122.             }
    3123. 

  3123.             if (!empty($this->serialNumber)) {
    3124. 

  3124.                 $this->currentCert['tbsCertificate']['serialNumber'] = $this->serialNumber;
    3125. 

  3125.             }
    3126. 

  3126.             if (!empty($subject->dn)) {
    3127. 

  3127.                 $this->currentCert['tbsCertificate']['subject'] = $subject->dn;
    3128. 

  3128.             }
    3129. 

  3129.             if (!empty($subject->publicKey)) {
    3130. 

  3130.                 $this->currentCert['tbsCertificate']['subjectPublicKeyInfo'] = $subjectPublicKey;
    3131. 

  3131.             }
    3132. 

  3132.             $this->removeExtension('id-ce-authorityKeyIdentifier');
    3133. 

  3133.             if (isset($subject->domains)) {
    3134. 

  3134.                 $this->removeExtension('id-ce-subjectAltName');
    3135. 

  3135.             }
    3136. 

  3136.         } else if (isset($subject->currentCert) && is_array($subject->currentCert) && isset($subject->currentCert['tbsCertList'])) {
    3137. 

  3137.             return false;
    3138. 

  3138.         } else {
    3139. 

  3139.             if (!isset($subject->publicKey)) {
    3140. 

  3140.                 return false;
    3141. 

  3141.             }
    3142. 

  3142. 

  3143.             $startDate = !empty($this->startDate) ? $this->startDate : @date('D, d M y H:i:s O');
    3144. 

  3144.             $endDate = !empty($this->endDate) ? $this->endDate : @date('D, d M y H:i:s O', strtotime('+1 year'));
    3145. 

  3145.             $serialNumber = !empty($this->serialNumber) ? $this->serialNumber : new Math_BigInteger();
    3146. 

  3146. 

  3147.             $this->currentCert = array(
    3148. 

  3148.                 'tbsCertificate' =>
    3149. 

  3149.                     array(
    3150. 

  3150.                         'version' => 'v3',
    3151. 

  3151.                         'serialNumber' => $serialNumber, // $this->setserialNumber()
    3152. 

  3152.                         'signature' => array('algorithm' => $signatureAlgorithm),
    3153. 

  3153.                         'issuer' => false, // this is going to be overwritten later
    3154. 

  3154.                         'validity' => array(
    3155. 

  3155.                             'notBefore' => array('generalTime' => $startDate), // $this->setStartDate()
    3156. 

  3156.                             'notAfter' => array('generalTime' => $endDate)   // $this->setEndDate()
    3157. 

  3157.                         ),
    3158. 

  3158.                         'subject' => $subject->dn,
    3159. 

  3159.                         'subjectPublicKeyInfo' => $subjectPublicKey
    3160. 

  3160.                     ),
    3161. 

  3161.                 'signatureAlgorithm' => array('algorithm' => $signatureAlgorithm),
    3162. 

  3162.                 'signature'          => false // this is going to be overwritten later
    3163. 

  3163.             );
    3164. 

  3164. 

  3165.             // Copy extensions from CSR.
    3166. 

  3166.             $csrexts = $subject->getAttribute('pkcs-9-at-extensionRequest', 0);
    3167. 

  3167. 

  3168.             if (!empty($csrexts)) {
    3169. 

  3169.                 $this->currentCert['tbsCertificate']['extensions'] = $csrexts;
    3170. 

  3170.             }
    3171. 

  3171.         }
    3172. 

  3172. 

  3173.         $this->currentCert['tbsCertificate']['issuer'] = $issuer->dn;
    3174. 

  3174. 

  3175.         if (isset($issuer->currentKeyIdentifier)) {
    3176. 

  3176.             $this->setExtension('id-ce-authorityKeyIdentifier', array(
    3177. 

  3177.                     //'authorityCertIssuer' => array(
    3178. 

  3178.                     //    array(
    3179. 

  3179.                     //        'directoryName' => $issuer->dn
    3180. 

  3180.                     //    )
    3181. 

  3181.                     //),
    3182. 

  3182.                     'keyIdentifier' => $issuer->currentKeyIdentifier
    3183. 

  3183.                 )
    3184. 

  3184.             );
    3185. 

  3185.             //$extensions = &$this->currentCert['tbsCertificate']['extensions'];
    3186. 

  3186.             //if (isset($issuer->serialNumber)) {
    3187. 

  3187.             //    $extensions[count($extensions) - 1]['authorityCertSerialNumber'] = $issuer->serialNumber;
    3188. 

  3188.             //}
    3189. 

  3189.             //unset($extensions);
    3190. 

  3190.         }
    3191. 

  3191. 

  3192.         if (isset($subject->currentKeyIdentifier)) {
    3193. 

  3193.             $this->setExtension('id-ce-subjectKeyIdentifier', $subject->currentKeyIdentifier);
    3194. 

  3194.         }
    3195. 

  3195. 

  3196.         if (isset($subject->domains) && count($subject->domains) > 1) {
    3197. 

  3197.             $this->setExtension('id-ce-subjectAltName',
    3198. 

  3198.                 array_map(array('File_X509', '_dnsName'), $subject->domains));
    3199. 

  3199.         }
    3200. 

  3200. 

  3201.         if ($this->caFlag) {
    3202. 

  3202.             $keyUsage = $this->getExtension('id-ce-keyUsage');
    3203. 

  3203.             if (!$keyUsage) {
    3204. 

  3204.                 $keyUsage = array();
    3205. 

  3205.             }
    3206. 

  3206. 

  3207.             $this->setExtension('id-ce-keyUsage',
    3208. 

  3208.                 array_values(array_unique(array_merge($keyUsage, array('cRLSign', 'keyCertSign'))))
    3209. 

  3209.             );
    3210. 

  3210. 

  3211.             $basicConstraints = $this->getExtension('id-ce-basicConstraints');
    3212. 

  3212.             if (!$basicConstraints) {
    3213. 

  3213.                 $basicConstraints = array();
    3214. 

  3214.             }
    3215. 

  3215. 

  3216.             $this->setExtension('id-ce-basicConstraints',
    3217. 

  3217.                 array_unique(array_merge(array('cA' => true), $basicConstraints)), true);
    3218. 

  3218. 

  3219.             if (!isset($subject->currentKeyIdentifier)) {
    3220. 

  3220.                 $this->setExtension('id-ce-subjectKeyIdentifier', base64_encode($this->computeKeyIdentifier($this->currentCert)), false, false);
    3221. 

  3221.             }
    3222. 

  3222.         }
    3223. 

  3223. 

  3224.         // resync $this->signatureSubject
    3225. 

  3225.         // save $tbsCertificate in case there are any File_ASN1_Element objects in it
    3226. 

  3226.         $tbsCertificate = $this->currentCert['tbsCertificate'];
    3227. 

  3227.         $this->loadX509($this->saveX509($this->currentCert));
    3228. 

  3228. 

  3229.         $result = $this->_sign($issuer->privateKey, $signatureAlgorithm);
    3230. 

  3230.         $result['tbsCertificate'] = $tbsCertificate;
    3231. 

  3231. 

  3232.         $this->currentCert = $currentCert;
    3233. 

  3233.         $this->signatureSubject = $signatureSubject;
    3234. 

  3234. 

  3235.         return $result;
    3236. 

  3236.     }
    3237. 

  3237. 

  3238.     /**
    3239. 

  3239.      * Sign a CSR
    3240. 

  3240.      *
    3241. 

  3241.      * @access public
    3242. 

  3242.      * @return Mixed
    3243. 

  3243.      */
    3244. 

  3244.     function signCSR($signatureAlgorithm = 'sha1WithRSAEncryption')
    3245. 

  3245.     {
    3246. 

  3246.         if (!is_object($this->privateKey) || empty($this->dn)) {
    3247. 

  3247.             return false;
    3248. 

  3248.         }
    3249. 

  3249. 

  3250.         $origPublicKey = $this->publicKey;
    3251. 

  3251.         $class = get_class($this->privateKey);
    3252. 

  3252.         $this->publicKey = new $class();
    3253. 

  3253.         $this->publicKey->loadKey($this->privateKey->getPublicKey());
    3254. 

  3254.         $this->publicKey->setPublicKey();
    3255. 

  3255.         if (!($publicKey = $this->_formatSubjectPublicKey())) {
    3256. 

  3256.             return false;
    3257. 

  3257.         }
    3258. 

  3258.         $this->publicKey = $origPublicKey;
    3259. 

  3259. 

  3260.         $currentCert = isset($this->currentCert) ? $this->currentCert : NULL;
    3261. 

  3261.         $signatureSubject = isset($this->signatureSubject) ? $this->signatureSubject: NULL;
    3262. 

  3262. 

  3263.         if (isset($this->currentCert) && is_array($this->currentCert) && isset($this->currentCert['certificationRequestInfo'])) {
    3264. 

  3264.             $this->currentCert['signatureAlgorithm']['algorithm'] =
    3265. 

  3265.                 $signatureAlgorithm;
    3266. 

  3266.             if (!empty($this->dn)) {
    3267. 

  3267.                 $this->currentCert['certificationRequestInfo']['subject'] = $this->dn;
    3268. 

  3268.             }
    3269. 

  3269.             $this->currentCert['certificationRequestInfo']['subjectPKInfo'] = $publicKey;
    3270. 

  3270.         } else {
    3271. 

  3271.             $this->currentCert = array(
    3272. 

  3272.                 'certificationRequestInfo' =>
    3273. 

  3273.                     array(
    3274. 

  3274.                         'version' => 'v1',
    3275. 

  3275.                         'subject' => $this->dn,
    3276. 

  3276.                         'subjectPKInfo' => $publicKey
    3277. 

  3277.                     ),
    3278. 

  3278.                 'signatureAlgorithm' => array('algorithm' => $signatureAlgorithm),
    3279. 

  3279.                 'signature'          => false // this is going to be overwritten later
    3280. 

  3280.             );
    3281. 

  3281.         }
    3282. 

  3282. 

  3283.         // resync $this->signatureSubject
    3284. 

  3284.         // save $certificationRequestInfo in case there are any File_ASN1_Element objects in it
    3285. 

  3285.         $certificationRequestInfo = $this->currentCert['certificationRequestInfo'];
    3286. 

  3286.         $this->loadCSR($this->saveCSR($this->currentCert));
    3287. 

  3287. 

  3288.         $result = $this->_sign($this->privateKey, $signatureAlgorithm);
    3289. 

  3289.         $result['certificationRequestInfo'] = $certificationRequestInfo;
    3290. 

  3290. 

  3291.         $this->currentCert = $currentCert;
    3292. 

  3292.         $this->signatureSubject = $signatureSubject;
    3293. 

  3293. 

  3294.         return $result;
    3295. 

  3295.     }
    3296. 

  3296. 

  3297.     /**
    3298. 

  3298.      * Sign a CRL
    3299. 

  3299.      *
    3300. 

  3300.      * $issuer's private key needs to be loaded.
    3301. 

  3301.      *
    3302. 

  3302.      * @param File_X509 $issuer
    3303. 

  3303.      * @param File_X509 $crl
    3304. 

  3304.      * @param String $signatureAlgorithm optional
    3305. 

  3305.      * @access public
    3306. 

  3306.      * @return Mixed
    3307. 

  3307.      */
    3308. 

  3308.     function signCRL($issuer, $crl, $signatureAlgorithm = 'sha1WithRSAEncryption')
    3309. 

  3309.     {
    3310. 

  3310.         if (!is_object($issuer->privateKey) || empty($issuer->dn)) {
    3311. 

  3311.             return false;
    3312. 

  3312.         }
    3313. 

  3313. 

  3314.         $currentCert = isset($this->currentCert) ? $this->currentCert : NULL;
    3315. 

  3315.         $signatureSubject = isset($this->signatureSubject) ? $this->signatureSubject : NULL;
    3316. 

  3316.         $thisUpdate = !empty($this->startDate) ? $this->startDate : @date('D, d M y H:i:s O');
    3317. 

  3317. 

  3318.         if (isset($crl->currentCert) && is_array($crl->currentCert) && isset($crl->currentCert['tbsCertList'])) {
    3319. 

  3319.             $this->currentCert = $crl->currentCert;
    3320. 

  3320.             $this->currentCert['tbsCertList']['signature']['algorithm'] = $signatureAlgorithm;
    3321. 

  3321.             $this->currentCert['signatureAlgorithm']['algorithm'] = $signatureAlgorithm;
    3322. 

  3322.         } else {
    3323. 

  3323.             $this->currentCert = array(
    3324. 

  3324.                 'tbsCertList' =>
    3325. 

  3325.                     array(
    3326. 

  3326.                         'version' => 'v2',
    3327. 

  3327.                         'signature' => array('algorithm' => $signatureAlgorithm),
    3328. 

  3328.                         'issuer' => false, // this is going to be overwritten later
    3329. 

  3329.                         'thisUpdate' => array('generalTime' => $thisUpdate) // $this->setStartDate()
    3330. 

  3330.                     ),
    3331. 

  3331.                 'signatureAlgorithm' => array('algorithm' => $signatureAlgorithm),
    3332. 

  3332.                 'signature'          => false // this is going to be overwritten later
    3333. 

  3333.             );
    3334. 

  3334.         }
    3335. 

  3335. 

  3336.         $tbsCertList = &$this->currentCert['tbsCertList'];
    3337. 

  3337.         $tbsCertList['issuer'] = $issuer->dn;
    3338. 

  3338.         $tbsCertList['thisUpdate'] = array('generalTime' => $thisUpdate);
    3339. 

  3339. 

  3340.         if (!empty($this->endDate)) {
    3341. 

  3341.             $tbsCertList['nextUpdate'] = array('generalTime' => $this->endDate); // $this->setEndDate()
    3342. 

  3342.         } else {
    3343. 

  3343.             unset($tbsCertList['nextUpdate']);
    3344. 

  3344.         }
    3345. 

  3345. 

  3346.         if (!empty($this->serialNumber)) {
    3347. 

  3347.             $crlNumber = $this->serialNumber;
    3348. 

  3348.         }
    3349. 

  3349.         else {
    3350. 

  3350.             $crlNumber = $this->getExtension('id-ce-cRLNumber');
    3351. 

  3351.             $crlNumber = $crlNumber !== false ? $crlNumber->add(new Math_BigInteger(1)) : NULL;
    3352. 

  3352.         }
    3353. 

  3353. 

  3354.         $this->removeExtension('id-ce-authorityKeyIdentifier');
    3355. 

  3355.         $this->removeExtension('id-ce-issuerAltName');
    3356. 

  3356. 

  3357.         // Be sure version >= v2 if some extension found.
    3358. 

  3358.         $version = isset($tbsCertList['version']) ? $tbsCertList['version'] : 0;
    3359. 

  3359.         if (!$version) {
    3360. 

  3360.             if (!empty($tbsCertList['crlExtensions'])) {
    3361. 

  3361.                 $version = 1; // v2.
    3362. 

  3362.             }
    3363. 

  3363.             elseif (!empty($tbsCertList['revokedCertificates'])) {
    3364. 

  3364.                 foreach ($tbsCertList['revokedCertificates'] as $cert) {
    3365. 

  3365.                     if (!empty($cert['crlEntryExtensions'])) {
    3366. 

  3366.                         $version = 1; // v2.
    3367. 

  3367.                     }
    3368. 

  3368.                 }
    3369. 

  3369.             }
    3370. 

  3370. 

  3371.             if ($version) {
    3372. 

  3372.                 $tbsCertList['version'] = $version;
    3373. 

  3373.             }
    3374. 

  3374.         }
    3375. 

  3375. 

  3376.         // Store additional extensions.
    3377. 

  3377.         if (!empty($tbsCertList['version'])) { // At least v2.
    3378. 

  3378.             if (!empty($crlNumber)) {
    3379. 

  3379.                 $this->setExtension('id-ce-cRLNumber', $crlNumber);
    3380. 

  3380.             }
    3381. 

  3381. 

  3382.             if (isset($issuer->currentKeyIdentifier)) {
    3383. 

  3383.                 $this->setExtension('id-ce-authorityKeyIdentifier', array(
    3384. 

  3384.                         //'authorityCertIssuer' => array(
    3385. 

  3385.                         //    array(
    3386. 

  3386.                         //        'directoryName' => $issuer->dn
    3387. 

  3387.                         //    )
    3388. 

  3388.                         //),
    3389. 

  3389.                         'keyIdentifier' => $issuer->currentKeyIdentifier
    3390. 

  3390.                     )
    3391. 

  3391.                 );
    3392. 

  3392.                 //$extensions = &$tbsCertList['crlExtensions'];
    3393. 

  3393.                 //if (isset($issuer->serialNumber)) {
    3394. 

  3394.                 //    $extensions[count($extensions) - 1]['authorityCertSerialNumber'] = $issuer->serialNumber;
    3395. 

  3395.                 //}
    3396. 

  3396.                 //unset($extensions);
    3397. 

  3397.             }
    3398. 

  3398. 

  3399.             $issuerAltName = $this->getExtension('id-ce-subjectAltName', $issuer->currentCert);
    3400. 

  3400. 

  3401.             if ($issuerAltName !== false) {
    3402. 

  3402.                 $this->setExtension('id-ce-issuerAltName', $issuerAltName);
    3403. 

  3403.             }
    3404. 

  3404.         }
    3405. 

  3405. 

  3406.         if (empty($tbsCertList['revokedCertificates'])) {
    3407. 

  3407.             unset($tbsCertList['revokedCertificates']);
    3408. 

  3408.         }
    3409. 

  3409. 

  3410.         unset($tbsCertList);
    3411. 

  3411. 

  3412.         // resync $this->signatureSubject
    3413. 

  3413.         // save $tbsCertList in case there are any File_ASN1_Element objects in it
    3414. 

  3414.         $tbsCertList = $this->currentCert['tbsCertList'];
    3415. 

  3415.         $this->loadCRL($this->saveCRL($this->currentCert));
    3416. 

  3416. 

  3417.         $result = $this->_sign($issuer->privateKey, $signatureAlgorithm);
    3418. 

  3418.         $result['tbsCertList'] = $tbsCertList;
    3419. 

  3419. 

  3420.         $this->currentCert = $currentCert;
    3421. 

  3421.         $this->signatureSubject = $signatureSubject;
    3422. 

  3422. 

  3423.         return $result;
    3424. 

  3424.     }
    3425. 

  3425. 

  3426.     /**
    3427. 

  3427.      * X.509 certificate signing helper function.
    3428. 

  3428.      *
    3429. 

  3429.      * @param Object $key
    3430. 

  3430.      * @param File_X509 $subject
    3431. 

  3431.      * @param String $signatureAlgorithm
    3432. 

  3432.      * @access public
    3433. 

  3433.      * @return Mixed
    3434. 

  3434.      */
    3435. 

  3435.     function _sign($key, $signatureAlgorithm)
    3436. 

  3436.     {
    3437. 

  3437.         switch (strtolower(get_class($key))) {
    3438. 

  3438.             case 'crypt_rsa':
    3439. 

  3439.                 switch ($signatureAlgorithm) {
    3440. 

  3440.                     case 'md2WithRSAEncryption':
    3441. 

  3441.                     case 'md5WithRSAEncryption':
    3442. 

  3442.                     case 'sha1WithRSAEncryption':
    3443. 

  3443.                     case 'sha224WithRSAEncryption':
    3444. 

  3444.                     case 'sha256WithRSAEncryption':
    3445. 

  3445.                     case 'sha384WithRSAEncryption':
    3446. 

  3446.                     case 'sha512WithRSAEncryption':
    3447. 

  3447.                         $key->setHash(preg_replace('#WithRSAEncryption$#', '', $signatureAlgorithm));
    3448. 

  3448.                         $key->setSignatureMode(CRYPT_RSA_SIGNATURE_PKCS1);
    3449. 

  3449. 

  3450.                         $this->currentCert['signature'] = base64_encode("\0" . $key->sign($this->signatureSubject));
    3451. 

  3451.                         return $this->currentCert;
    3452. 

  3452.                 }
    3453. 

  3453.             default:
    3454. 

  3454.                 return false;
    3455. 

  3455.         }
    3456. 

  3456.     }
    3457. 

  3457. 

  3458.     /**
    3459. 

  3459.      * Set certificate start date
    3460. 

  3460.      *
    3461. 

  3461.      * @param String $date
    3462. 

  3462.      * @access public
    3463. 

  3463.      */
    3464. 

  3464.     function setStartDate($date)
    3465. 

  3465.     {
    3466. 

  3466.         $this->startDate = @date('D, d M y H:i:s O', @strtotime($date));
    3467. 

  3467.     }
    3468. 

  3468. 

  3469.     /**
    3470. 

  3470.      * Set certificate end date
    3471. 

  3471.      *
    3472. 

  3472.      * @param String $date
    3473. 

  3473.      * @access public
    3474. 

  3474.      */
    3475. 

  3475.     function setEndDate($date)
    3476. 

  3476.     {
    3477. 

  3477.         /*
    3478. 

  3478.           To indicate that a certificate has no well-defined expiration date,
    3479. 

  3479.           the notAfter SHOULD be assigned the GeneralizedTime value of
    3480. 

  3480.           99991231235959Z.
    3481. 

  3481. 

  3482.           -- http://tools.ietf.org/html/rfc5280#section-4.1.2.5
    3483. 

  3483.         */
    3484. 

  3484.         if (strtolower($date) == 'lifetime') {
    3485. 

  3485.             $temp = '99991231235959Z';
    3486. 

  3486.             $asn1 = new File_ASN1();
    3487. 

  3487.             $temp = chr(FILE_ASN1_TYPE_GENERALIZED_TIME) . $asn1->_encodeLength(strlen($temp)) . $temp;
    3488. 

  3488.             $this->endDate = new File_ASN1_Element($temp);
    3489. 

  3489.         } else {
    3490. 

  3490.             $this->endDate = @date('D, d M y H:i:s O', @strtotime($date));
    3491. 

  3491.         }
    3492. 

  3492.     }
    3493. 

  3493. 

  3494.     /**
    3495. 

  3495.      * Set Serial Number
    3496. 

  3496.      *
    3497. 

  3497.      * @param String $serial
    3498. 

  3498.      * @param $base optional
    3499. 

  3499.      * @access public
    3500. 

  3500.      */
    3501. 

  3501.     function setSerialNumber($serial, $base = -256)
    3502. 

  3502.     {
    3503. 

  3503.         $this->serialNumber = new Math_BigInteger($serial, $base);
    3504. 

  3504.     }
    3505. 

  3505. 

  3506.     /**
    3507. 

  3507.      * Turns the certificate into a certificate authority
    3508. 

  3508.      *
    3509. 

  3509.      * @access public
    3510. 

  3510.      */
    3511. 

  3511.     function makeCA()
    3512. 

  3512.     {
    3513. 

  3513.         $this->caFlag = true;
    3514. 

  3514.     }
    3515. 

  3515. 

  3516.     /**
    3517. 

  3517.      * Get a reference to a subarray
    3518. 

  3518.      *
    3519. 

  3519.      * @param array $root
    3520. 

  3520.      * @param String $path  absolute path with / as component separator
    3521. 

  3521.      * @param Boolean $create optional
    3522. 

  3522.      * @access private
    3523. 

  3523.      * @return array item ref or false
    3524. 

  3524.      */
    3525. 

  3525.     function &_subArray(&$root, $path, $create = false)
    3526. 

  3526.     {
    3527. 

  3527.         $false = false;
    3528. 

  3528. 

  3529.         if (!is_array($root)) {
    3530. 

  3530.             return $false;
    3531. 

  3531.         }
    3532. 

  3532. 

  3533.         foreach (explode('/', $path) as $i) {
    3534. 

  3534.             if (!is_array($root)) {
    3535. 

  3535.                 return $false;
    3536. 

  3536.             }
    3537. 

  3537. 

  3538.             if (!isset($root[$i])) {
    3539. 

  3539.                 if (!$create) {
    3540. 

  3540.                     return $false;
    3541. 

  3541.                 }
    3542. 

  3542. 

  3543.                 $root[$i] = array();
    3544. 

  3544.             }
    3545. 

  3545. 

  3546.             $root = &$root[$i];
    3547. 

  3547.         }
    3548. 

  3548. 

  3549.         return $root;
    3550. 

  3550.     }
    3551. 

  3551. 

  3552.     /**
    3553. 

  3553.      * Get a reference to an extension subarray
    3554. 

  3554.      *
    3555. 

  3555.      * @param array $root
    3556. 

  3556.      * @param String $path optional absolute path with / as component separator
    3557. 

  3557.      * @param Boolean $create optional
    3558. 

  3558.      * @access private
    3559. 

  3559.      * @return array ref or false
    3560. 

  3560.      */
    3561. 

  3561.     function &_extensions(&$root, $path = NULL, $create = false)
    3562. 

  3562.     {
    3563. 

  3563.         if (!isset($root)) {
    3564. 

  3564.             $root = $this->currentCert;
    3565. 

  3565.         }
    3566. 

  3566. 

  3567.         switch (true) {
    3568. 

  3568.             case !empty($path):
    3569. 

  3569.             case !is_array($root):
    3570. 

  3570.                 break;
    3571. 

  3571.             case isset($root['tbsCertificate']):
    3572. 

  3572.                 $path = 'tbsCertificate/extensions';
    3573. 

  3573.                 break;
    3574. 

  3574.             case isset($root['tbsCertList']):
    3575. 

  3575.                 $path = 'tbsCertList/crlExtensions';
    3576. 

  3576.                 break;
    3577. 

  3577.             case isset($root['certificationRequestInfo']):
    3578. 

  3578.                 $pth = 'certificationRequestInfo/attributes';
    3579. 

  3579.                 $attributes = &$this->_subArray($root, $pth, $create);
    3580. 

  3580. 

  3581.                 if (is_array($attributes)) {
    3582. 

  3582.                     foreach ($attributes as $key => $value) {
    3583. 

  3583.                         if ($value['type'] == 'pkcs-9-at-extensionRequest') {
    3584. 

  3584.                             $path = "$pth/$key/value/0";
    3585. 

  3585.                             break 2;
    3586. 

  3586.                         }
    3587. 

  3587.                     }
    3588. 

  3588.                     if ($create) {
    3589. 

  3589.                         $key = count($attributes);
    3590. 

  3590.                         $attributes[] = array('type' => 'pkcs-9-at-extensionRequest', 'value' => array());
    3591. 

  3591.                         $path = "$pth/$key/value/0";
    3592. 

  3592.                     }
    3593. 

  3593.                 }
    3594. 

  3594.                 break;
    3595. 

  3595.         }
    3596. 

  3596. 

  3597.         $extensions = &$this->_subArray($root, $path, $create);
    3598. 

  3598. 

  3599.         if (!is_array($extensions)) {
    3600. 

  3600.             $false = false;
    3601. 

  3601.             return $false;
    3602. 

  3602.         }
    3603. 

  3603. 

  3604.         return $extensions;
    3605. 

  3605.     }
    3606. 

  3606. 

  3607.     /**
    3608. 

  3608.      * Remove an Extension
    3609. 

  3609.      *
    3610. 

  3610.      * @param String $id
    3611. 

  3611.      * @param String $path optional
    3612. 

  3612.      * @access private
    3613. 

  3613.      * @return Boolean
    3614. 

  3614.      */
    3615. 

  3615.     function _removeExtension($id, $path = NULL)
    3616. 

  3616.     {
    3617. 

  3617.         $extensions = &$this->_extensions($this->currentCert, $path);
    3618. 

  3618. 

  3619.         if (!is_array($extensions)) {
    3620. 

  3620.             return false;
    3621. 

  3621.         }
    3622. 

  3622. 

  3623.         $result = false;
    3624. 

  3624.         foreach ($extensions as $key => $value) {
    3625. 

  3625.             if ($value['extnId'] == $id) {
    3626. 

  3626.                 unset($extensions[$key]);
    3627. 

  3627.                 $result = true;
    3628. 

  3628.             }
    3629. 

  3629.         }
    3630. 

  3630. 

  3631.         $extensions = array_values($extensions);
    3632. 

  3632.         return $result;
    3633. 

  3633.     }
    3634. 

  3634. 

  3635.     /**
    3636. 

  3636.      * Get an Extension
    3637. 

  3637.      *
    3638. 

  3638.      * Returns the extension if it exists and false if not
    3639. 

  3639.      *
    3640. 

  3640.      * @param String $id
    3641. 

  3641.      * @param Array $cert optional
    3642. 

  3642.      * @param String $path optional
    3643. 

  3643.      * @access private
    3644. 

  3644.      * @return Mixed
    3645. 

  3645.      */
    3646. 

  3646.     function _getExtension($id, $cert = NULL, $path = NULL)
    3647. 

  3647.     {
    3648. 

  3648.         $extensions = $this->_extensions($cert, $path);
    3649. 

  3649. 

  3650.         if (!is_array($extensions)) {
    3651. 

  3651.             return false;
    3652. 

  3652.         }
    3653. 

  3653. 

  3654.         foreach ($extensions as $key => $value) {
    3655. 

  3655.             if ($value['extnId'] == $id) {
    3656. 

  3656.                 return $value['extnValue'];
    3657. 

  3657.             }
    3658. 

  3658.         }
    3659. 

  3659. 

  3660.         return false;
    3661. 

  3661.     }
    3662. 

  3662. 

  3663.     /**
    3664. 

  3664.      * Returns a list of all extensions in use
    3665. 

  3665.      *
    3666. 

  3666.      * @param array $cert optional
    3667. 

  3667.      * @param String $path optional
    3668. 

  3668.      * @access private
    3669. 

  3669.      * @return Array
    3670. 

  3670.      */
    3671. 

  3671.     function _getExtensions($cert = NULL, $path = NULL)
    3672. 

  3672.     {
    3673. 

  3673.         $exts = $this->_extensions($cert, $path);
    3674. 

  3674.         $extensions = array();
    3675. 

  3675. 

  3676.         if (is_array($exts)) {
    3677. 

  3677.             foreach ($exts as $extension) {
    3678. 

  3678.                 $extensions[] = $extension['extnId'];
    3679. 

  3679.             }
    3680. 

  3680.         }
    3681. 

  3681. 

  3682.         return $extensions;
    3683. 

  3683.     }
    3684. 

  3684. 

  3685.     /**
    3686. 

  3686.      * Set an Extension
    3687. 

  3687.      *
    3688. 

  3688.      * @param String $id
    3689. 

  3689.      * @param Mixed $value
    3690. 

  3690.      * @param Boolean $critical optional
    3691. 

  3691.      * @param Boolean $replace optional
    3692. 

  3692.      * @param String $path optional
    3693. 

  3693.      * @access private
    3694. 

  3694.      * @return Boolean
    3695. 

  3695.      */
    3696. 

  3696.     function _setExtension($id, $value, $critical = false, $replace = true, $path = NULL)
    3697. 

  3697.     {
    3698. 

  3698.         $extensions = &$this->_extensions($this->currentCert, $path, true);
    3699. 

  3699. 

  3700.         if (!is_array($extensions)) {
    3701. 

  3701.             return false;
    3702. 

  3702.         }
    3703. 

  3703. 

  3704.         $newext = array('extnId'  => $id, 'critical' => $critical, 'extnValue' => $value);
    3705. 

  3705. 

  3706.         foreach ($extensions as $key => $value) {
    3707. 

  3707.             if ($value['extnId'] == $id) {
    3708. 

  3708.                 if (!$replace) {
    3709. 

  3709.                     return false;
    3710. 

  3710.                 }
    3711. 

  3711. 

  3712.                 $extensions[$key] = $newext;
    3713. 

  3713.                 return true;
    3714. 

  3714.             }
    3715. 

  3715.         }
    3716. 

  3716. 

  3717.         $extensions[] = $newext;
    3718. 

  3718.         return true;
    3719. 

  3719.     }
    3720. 

  3720. 

  3721.     /**
    3722. 

  3722.      * Remove a certificate, CSR or CRL Extension
    3723. 

  3723.      *
    3724. 

  3724.      * @param String $id
    3725. 

  3725.      * @access public
    3726. 

  3726.      * @return Boolean
    3727. 

  3727.      */
    3728. 

  3728.     function removeExtension($id)
    3729. 

  3729.     {
    3730. 

  3730.         return $this->_removeExtension($id);
    3731. 

  3731.     }
    3732. 

  3732. 

  3733.     /**
    3734. 

  3734.      * Get a certificate, CSR or CRL Extension
    3735. 

  3735.      *
    3736. 

  3736.      * Returns the extension if it exists and false if not
    3737. 

  3737.      *
    3738. 

  3738.      * @param String $id
    3739. 

  3739.      * @param Array $cert optional
    3740. 

  3740.      * @access public
    3741. 

  3741.      * @return Mixed
    3742. 

  3742.      */
    3743. 

  3743.     function getExtension($id, $cert = NULL)
    3744. 

  3744.     {
    3745. 

  3745.         return $this->_getExtension($id, $cert);
    3746. 

  3746.     }
    3747. 

  3747. 

  3748.     /**
    3749. 

  3749.      * Returns a list of all extensions in use in certificate, CSR or CRL
    3750. 

  3750.      *
    3751. 

  3751.      * @param array $cert optional
    3752. 

  3752.      * @access public
    3753. 

  3753.      * @return Array
    3754. 

  3754.      */
    3755. 

  3755.     function getExtensions($cert = NULL)
    3756. 

  3756.     {
    3757. 

  3757.         return $this->_getExtensions($cert);
    3758. 

  3758.     }
    3759. 

  3759. 

  3760.     /**
    3761. 

  3761.      * Set a certificate, CSR or CRL Extension
    3762. 

  3762.      *
    3763. 

  3763.      * @param String $id
    3764. 

  3764.      * @param Mixed $value
    3765. 

  3765.      * @param Boolean $critical optional
    3766. 

  3766.      * @param Boolean $replace optional
    3767. 

  3767.      * @access public
    3768. 

  3768.      * @return Boolean
    3769. 

  3769.      */
    3770. 

  3770.     function setExtension($id, $value, $critical = false, $replace = true)
    3771. 

  3771.     {
    3772. 

  3772.         return $this->_setExtension($id, $value, $critical, $replace);
    3773. 

  3773.     }
    3774. 

  3774. 

  3775.     /**
    3776. 

  3776.      * Remove a CSR attribute.
    3777. 

  3777.      *
    3778. 

  3778.      * @param String $id
    3779. 

  3779.      * @param Integer $disposition optional
    3780. 

  3780.      * @access public
    3781. 

  3781.      * @return Boolean
    3782. 

  3782.      */
    3783. 

  3783.     function removeAttribute($id, $disposition = FILE_X509_ATTR_ALL)
    3784. 

  3784.     {
    3785. 

  3785.         $attributes = &$this->_subArray($this->currentCert, 'certificationRequestInfo/attributes');
    3786. 

  3786. 

  3787.         if (!is_array($attributes)) {
    3788. 

  3788.             return false;
    3789. 

  3789.         }
    3790. 

  3790. 

  3791.         $result = false;
    3792. 

  3792.         foreach ($attributes as $key => $attribute) {
    3793. 

  3793.             if ($attribute['type'] == $id) {
    3794. 

  3794.                 $n = count($attribute['value']);
    3795. 

  3795.                 switch (true) {
    3796. 

  3796.                     case $disposition == FILE_X509_ATTR_APPEND:
    3797. 

  3797.                     case $disposition == FILE_X509_ATTR_REPLACE:
    3798. 

  3798.                         return false;
    3799. 

  3799.                     case $disposition >= $n:
    3800. 

  3800.                         $disposition -= $n;
    3801. 

  3801.                         break;
    3802. 

  3802.                     case $disposition == FILE_X509_ATTR_ALL:
    3803. 

  3803.                     case $n == 1:
    3804. 

  3804.                         unset($attributes[$key]);
    3805. 

  3805.                         $result = true;
    3806. 

  3806.                         break;
    3807. 

  3807.                     default:
    3808. 

  3808.                         unset($attributes[$key]['value'][$disposition]);
    3809. 

  3809.                         $attributes[$key]['value'] = array_values($attributes[$key]['value']);
    3810. 

  3810.                         $result = true;
    3811. 

  3811.                         break;
    3812. 

  3812.                 }
    3813. 

  3813.                 if ($result && $disposition != FILE_X509_ATTR_ALL) {
    3814. 

  3814.                     break;
    3815. 

  3815.                 }
    3816. 

  3816.             }
    3817. 

  3817.         }
    3818. 

  3818. 

  3819.         $attributes = array_values($attributes);
    3820. 

  3820.         return $result;
    3821. 

  3821.     }
    3822. 

  3822. 

  3823.     /**
    3824. 

  3824.      * Get a CSR attribute
    3825. 

  3825.      *
    3826. 

  3826.      * Returns the attribute if it exists and false if not
    3827. 

  3827.      *
    3828. 

  3828.      * @param String $id
    3829. 

  3829.      * @param Integer $disposition optional
    3830. 

  3830.      * @param Array $csr optional
    3831. 

  3831.      * @access public
    3832. 

  3832.      * @return Mixed
    3833. 

  3833.      */
    3834. 

  3834.     function getAttribute($id, $disposition = FILE_X509_ATTR_ALL, $csr = NULL)
    3835. 

  3835.     {
    3836. 

  3836.         if (empty($csr)) {
    3837. 

  3837.             $csr = $this->currentCert;
    3838. 

  3838.         }
    3839. 

  3839. 

  3840.         $attributes = $this->_subArray($csr, 'certificationRequestInfo/attributes');
    3841. 

  3841. 

  3842.         if (!is_array($attributes)) {
    3843. 

  3843.             return false;
    3844. 

  3844.         }
    3845. 

  3845. 

  3846.         foreach ($attributes as $key => $attribute) {
    3847. 

  3847.             if ($attribute['type'] == $id) {
    3848. 

  3848.                 $n = count($attribute['value']);
    3849. 

  3849.                 switch (true) {
    3850. 

  3850.                     case $disposition == FILE_X509_ATTR_APPEND:
    3851. 

  3851.                     case $disposition == FILE_X509_ATTR_REPLACE:
    3852. 

  3852.                         return false;
    3853. 

  3853.                     case $disposition == FILE_X509_ATTR_ALL:
    3854. 

  3854.                         return $attribute['value'];
    3855. 

  3855.                     case $disposition >= $n:
    3856. 

  3856.                         $disposition -= $n;
    3857. 

  3857.                         break;
    3858. 

  3858.                     default:
    3859. 

  3859.                         return $attribute['value'][$disposition];
    3860. 

  3860.                 }
    3861. 

  3861.             }
    3862. 

  3862.         }
    3863. 

  3863. 

  3864.         return false;
    3865. 

  3865.     }
    3866. 

  3866. 

  3867.     /**
    3868. 

  3868.      * Returns a list of all CSR attributes in use
    3869. 

  3869.      *
    3870. 

  3870.      * @param array $csr optional
    3871. 

  3871.      * @access public
    3872. 

  3872.      * @return Array
    3873. 

  3873.      */
    3874. 

  3874.     function getAttributes($csr = NULL)
    3875. 

  3875.     {
    3876. 

  3876.         if (empty($csr)) {
    3877. 

  3877.             $csr = $this->currentCert;
    3878. 

  3878.         }
    3879. 

  3879. 

  3880.         $attributes = $this->_subArray($csr, 'certificationRequestInfo/attributes');
    3881. 

  3881.         $attrs = array();
    3882. 

  3882. 

  3883.         if (is_array($attributes)) {
    3884. 

  3884.             foreach ($attributes as $attribute) {
    3885. 

  3885.                 $attrs[] = $attribute['type'];
    3886. 

  3886.             }
    3887. 

  3887.         }
    3888. 

  3888. 

  3889.         return $attrs;
    3890. 

  3890.     }
    3891. 

  3891. 

  3892.     /**
    3893. 

  3893.      * Set a CSR attribute
    3894. 

  3894.      *
    3895. 

  3895.      * @param String $id
    3896. 

  3896.      * @param Mixed $value
    3897. 

  3897.      * @param Boolean $disposition optional
    3898. 

  3898.      * @access public
    3899. 

  3899.      * @return Boolean
    3900. 

  3900.      */
    3901. 

  3901.     function setAttribute($id, $value, $disposition = FILE_X509_ATTR_ALL)
    3902. 

  3902.     {
    3903. 

  3903.         $attributes = &$this->_subArray($this->currentCert, 'certificationRequestInfo/attributes', true);
    3904. 

  3904. 

  3905.         if (!is_array($attributes)) {
    3906. 

  3906.             return false;
    3907. 

  3907.         }
    3908. 

  3908. 

  3909.         switch ($disposition) {
    3910. 

  3910.             case FILE_X509_ATTR_REPLACE:
    3911. 

  3911.                 $disposition = FILE_X509_ATTR_APPEND;
    3912. 

  3912.             case FILE_X509_ATTR_ALL:
    3913. 

  3913.                 $this->removeAttribute($id);
    3914. 

  3914.                 break;
    3915. 

  3915.         }
    3916. 

  3916. 

  3917.         foreach ($attributes as $key => $attribute) {
    3918. 

  3918.             if ($attribute['type'] == $id) {
    3919. 

  3919.                 $n = count($attribute['value']);
    3920. 

  3920.                 switch (true) {
    3921. 

  3921.                     case $disposition == FILE_X509_ATTR_APPEND:
    3922. 

  3922.                         $last = $key;
    3923. 

  3923.                         break;
    3924. 

  3924.                     case $disposition >= $n;
    3925. 

  3925.                         $disposition -= $n;
    3926. 

  3926.                         break;
    3927. 

  3927.                     default:
    3928. 

  3928.                         $attributes[$key]['value'][$disposition] = $value;
    3929. 

  3929.                         return true;
    3930. 

  3930.                 }
    3931. 

  3931.             }
    3932. 

  3932.         }
    3933. 

  3933. 

  3934.         switch (true) {
    3935. 

  3935.             case $disposition >= 0:
    3936. 

  3936.                 return false;
    3937. 

  3937.             case isset($last):
    3938. 

  3938.                 $attributes[$last]['value'][] = $value;
    3939. 

  3939.                 break;
    3940. 

  3940.             default:
    3941. 

  3941.                 $attributes[] = array('type' => $id, 'value' => $disposition == FILE_X509_ATTR_ALL ? $value: array($value));
    3942. 

  3942.                 break;
    3943. 

  3943.         }
    3944. 

  3944. 

  3945.         return true;
    3946. 

  3946.     }
    3947. 

  3947. 

  3948.     /**
    3949. 

  3949.      * Sets the subject key identifier
    3950. 

  3950.      *
    3951. 

  3951.      * This is used by the id-ce-authorityKeyIdentifier and the id-ce-subjectKeyIdentifier extensions.
    3952. 

  3952.      *
    3953. 

  3953.      * @param String $value
    3954. 

  3954.      * @access public
    3955. 

  3955.      */
    3956. 

  3956.     function setKeyIdentifier($value)
    3957. 

  3957.     {
    3958. 

  3958.         if (empty($value)) {
    3959. 

  3959.             unset($this->currentKeyIdentifier);
    3960. 

  3960.         } else {
    3961. 

  3961.             $this->currentKeyIdentifier = base64_encode($value);
    3962. 

  3962.         }
    3963. 

  3963.     }
    3964. 

  3964. 

  3965.     /**
    3966. 

  3966.      * Compute a public key identifier.
    3967. 

  3967.      *
    3968. 

  3968.      * Although key identifiers may be set to any unique value, this function
    3969. 

  3969.      * computes key identifiers from public key according to the two
    3970. 

  3970.      * recommended methods (4.2.1.2 RFC 3280).
    3971. 

  3971.      * Highly polymorphic: try to accept all possible forms of key:
    3972. 

  3972.      * - Key object
    3973. 

  3973.      * - File_X509 object with public or private key defined
    3974. 

  3974.      * - Certificate or CSR array
    3975. 

  3975.      * - File_ASN1_Element object
    3976. 

  3976.      * - PEM or DER string
    3977. 

  3977.      *
    3978. 

  3978.      * @param Mixed $key optional
    3979. 

  3979.      * @param Integer $method optional
    3980. 

  3980.      * @access public
    3981. 

  3981.      * @return String binary key identifier
    3982. 

  3982.      */
    3983. 

  3983.     function computeKeyIdentifier($key = NULL, $method = 1)
    3984. 

  3984.     {
    3985. 

  3985.         if (is_null($key)) {
    3986. 

  3986.             $key = $this;
    3987. 

  3987.         }
    3988. 

  3988. 

  3989.         switch (true) {
    3990. 

  3990.             case is_string($key):
    3991. 

  3991.                 break;
    3992. 

  3992.             case is_array($key) && isset($key['tbsCertificate']['subjectPublicKeyInfo']['subjectPublicKey']):
    3993. 

  3993.                 return $this->computeKeyIdentifier($key['tbsCertificate']['subjectPublicKeyInfo']['subjectPublicKey'], $method);
    3994. 

  3994.             case is_array($key) && isset($key['certificationRequestInfo']['subjectPKInfo']['subjectPublicKey']):
    3995. 

  3995.                 return $this->computeKeyIdentifier($key['certificationRequestInfo']['subjectPKInfo']['subjectPublicKey'], $method);
    3996. 

  3996.             case !is_object($key):
    3997. 

  3997.                 return false;
    3998. 

  3998.             case strtolower(get_class($key)) == 'file_asn1_element':
    3999. 

  3999.                 // Assume the element is a bitstring-packed key.
    4000. 

  4000.                 $asn1 = new File_ASN1();
    4001. 

  4001.                 $decoded = $asn1->decodeBER($key->element);
    4002. 

  4002.                 if (empty($decoded)) {
    4003. 

  4003.                     return false;
    4004. 

  4004.                 }
    4005. 

  4005.                 $raw = $asn1->asn1map($decoded[0], array('type' => FILE_ASN1_TYPE_BIT_STRING));
    4006. 

  4006.                 if (empty($raw)) {
    4007. 

  4007.                     return false;
    4008. 

  4008.                 }
    4009. 

  4009.                 $raw = base64_decode($raw);
    4010. 

  4010.                 // If the key is private, compute identifier from its corresponding public key.
    4011. 

  4011.                 if (!class_exists('Crypt_RSA')) {
    4012. 

  4012.                     require_once('Crypt/RSA.php');
    4013. 

  4013.                 }
    4014. 

  4014.                 $key = new Crypt_RSA();
    4015. 

  4015.                 if (!$key->loadKey($raw)) {
    4016. 

  4016.                     return false;   // Not an unencrypted RSA key.
    4017. 

  4017.                 }
    4018. 

  4018.                 if ($key->getPrivateKey() !== false) {  // If private.
    4019. 

  4019.                     return $this->computeKeyIdentifier($key, $method);
    4020. 

  4020.                 }
    4021. 

  4021.                 $key = $raw;    // Is a public key.
    4022. 

  4022.                 break;
    4023. 

  4023.             case strtolower(get_class($key)) == 'file_x509':
    4024. 

  4024.                 if (isset($key->publicKey)) {
    4025. 

  4025.                     return $this->computeKeyIdentifier($key->publicKey, $method);
    4026. 

  4026.                 }
    4027. 

  4027.                 if (isset($key->privateKey)) {
    4028. 

  4028.                     return $this->computeKeyIdentifier($key->privateKey, $method);
    4029. 

  4029.                 }
    4030. 

  4030.                 if (isset($key->currentCert['tbsCertificate']) || isset($key->currentCert['certificationRequestInfo'])) {
    4031. 

  4031.                     return $this->computeKeyIdentifier($key->currentCert, $method);
    4032. 

  4032.                 }
    4033. 

  4033.                 return false;
    4034. 

  4034.             default: // Should be a key object (i.e.: Crypt_RSA).
    4035. 

  4035.                 $key = $key->getPublicKey(CRYPT_RSA_PUBLIC_FORMAT_PKCS1_RAW);
    4036. 

  4036.                 break;
    4037. 

  4037.         }
    4038. 

  4038. 

  4039.         // If in PEM format, convert to binary.
    4040. 

  4040.         if (preg_match('#^-----BEGIN #', $key)) {
    4041. 

  4041.             $key = base64_decode(preg_replace('#-.+-|[\r\n]#', '', $key));
    4042. 

  4042.         }
    4043. 

  4043. 

  4044.         // Now we have the key string: compute its sha-1 sum.
    4045. 

  4045.         if (!class_exists('Crypt_Hash')) {
    4046. 

  4046.             require_once('Crypt/Hash.php');
    4047. 

  4047.         }
    4048. 

  4048.         $hash = new Crypt_Hash('sha1');
    4049. 

  4049.         $hash = $hash->hash($key);
    4050. 

  4050. 

  4051.         if ($method == 2) {
    4052. 

  4052.             $hash = substr($hash, -8);
    4053. 

  4053.             $hash[0] = chr((ord($hash[0]) & 0x0F) | 0x40);
    4054. 

  4054.         }
    4055. 

  4055. 

  4056.         return $hash;
    4057. 

  4057.     }
    4058. 

  4058. 

  4059.     /**
    4060. 

  4060.      * Format a public key as appropriate
    4061. 

  4061.      *
    4062. 

  4062.      * @access private
    4063. 

  4063.      * @return Array
    4064. 

  4064.      */
    4065. 

  4065.     function _formatSubjectPublicKey()
    4066. 

  4066.     {
    4067. 

  4067.         if (!isset($this->publicKey) || !is_object($this->publicKey)) {
    4068. 

  4068.             return false;
    4069. 

  4069.         }
    4070. 

  4070. 

  4071.         switch (strtolower(get_class($this->publicKey))) {
    4072. 

  4072.             case 'crypt_rsa':
    4073. 

  4073.                 // the following two return statements do the same thing. i dunno.. i just prefer the later for some reason.
    4074. 

  4074.                 // the former is a good example of how to do fuzzing on the public key
    4075. 

  4075.                 //return new File_ASN1_Element(base64_decode(preg_replace('#-.+-|[\r\n]#', '', $this->publicKey->getPublicKey())));
    4076. 

  4076.                 return array(
    4077. 

  4077.                     'algorithm' => array('algorithm' => 'rsaEncryption'),
    4078. 

  4078.                     'subjectPublicKey' => $this->publicKey->getPublicKey(CRYPT_RSA_PUBLIC_FORMAT_PKCS1_RAW)
    4079. 

  4079.                 );
    4080. 

  4080.             default:
    4081. 

  4081.                 return false;
    4082. 

  4082.         }
    4083. 

  4083.     }
    4084. 

  4084. 

  4085.     /**
    4086. 

  4086.      * Set the domain name's which the cert is to be valid for
    4087. 

  4087.      *
    4088. 

  4088.      * @access public
    4089. 

  4089.      * @return Array
    4090. 

  4090.      */
    4091. 

  4091.     function setDomain()
    4092. 

  4092.     {
    4093. 

  4093.         $this->domains = func_get_args();
    4094. 

  4094.         $this->removeDNProp('id-at-commonName');
    4095. 

  4095.         $this->setDNProp('id-at-commonName', $this->domains[0]);
    4096. 

  4096.     }
    4097. 

  4097. 

  4098.     /**
    4099. 

  4099.      * Helper function to build domain array
    4100. 

  4100.      *
    4101. 

  4101.      * @access private
    4102. 

  4102.      * @param String $domain
    4103. 

  4103.      * @return Array
    4104. 

  4104.      */
    4105. 

  4105.     function _dnsName($domain)
    4106. 

  4106.     {
    4107. 

  4107.         return array('dNSName' => $domain);
    4108. 

  4108.     }
    4109. 

  4109. 

  4110.     /**
    4111. 

  4111.      * Get the index of a revoked certificate.
    4112. 

  4112.      *
    4113. 

  4113.      * @param array $rclist
    4114. 

  4114.      * @param String $serial
    4115. 

  4115.      * @param Boolean $create optional
    4116. 

  4116.      * @access private
    4117. 

  4117.      * @return Integer or false
    4118. 

  4118.      */
    4119. 

  4119.     function _revokedCertificate(&$rclist, $serial, $create = false)
    4120. 

  4120.     {
    4121. 

  4121.         $serial = new Math_BigInteger($serial);
    4122. 

  4122. 

  4123.         foreach ($rclist as $i => $rc) {
    4124. 

  4124.             if (!($serial->compare($rc['userCertificate']))) {
    4125. 

  4125.                 return $i;
    4126. 

  4126.             }
    4127. 

  4127.         }
    4128. 

  4128. 

  4129.         if (!$create) {
    4130. 

  4130.             return false;
    4131. 

  4131.         }
    4132. 

  4132. 

  4133.         $i = count($rclist);
    4134. 

  4134.         $rclist[] = array('userCertificate' => $serial,
    4135. 

  4135.                           'revocationDate'  => array('generalTime' => @date('D, d M y H:i:s O')));
    4136. 

  4136.         return $i;
    4137. 

  4137.     }
    4138. 

  4138. 

  4139.     /**
    4140. 

  4140.      * Revoke a certificate.
    4141. 

  4141.      *
    4142. 

  4142.      * @param String $serial
    4143. 

  4143.      * @param String $date optional
    4144. 

  4144.      * @access public
    4145. 

  4145.      * @return Boolean
    4146. 

  4146.      */
    4147. 

  4147.     function revoke($serial, $date = NULL)
    4148. 

  4148.     {
    4149. 

  4149.         if (isset($this->currentCert['tbsCertList'])) {
    4150. 

  4150.             if (is_array($rclist = &$this->_subArray($this->currentCert, 'tbsCertList/revokedCertificates', true))) {
    4151. 

  4151.                 if ($this->_revokedCertificate($rclist, $serial) === false) { // If not yet revoked
    4152. 

  4152.                     if (($i = $this->_revokedCertificate($rclist, $serial, true)) !== false) {
    4153. 

  4153. 

  4154.                         if (!empty($date)) {
    4155. 

  4155.                             $rclist[$i]['revocationDate'] = array('generalTime' => $date);
    4156. 

  4156.                         }
    4157. 

  4157. 

  4158.                         return true;
    4159. 

  4159.                     }
    4160. 

  4160.                 }
    4161. 

  4161.             }
    4162. 

  4162.         }
    4163. 

  4163. 

  4164.         return false;
    4165. 

  4165.     }
    4166. 

  4166. 

  4167.     /**
    4168. 

  4168.      * Unrevoke a certificate.
    4169. 

  4169.      *
    4170. 

  4170.      * @param String $serial
    4171. 

  4171.      * @access public
    4172. 

  4172.      * @return Boolean
    4173. 

  4173.      */
    4174. 

  4174.     function unrevoke($serial)
    4175. 

  4175.     {
    4176. 

  4176.         if (is_array($rclist = &$this->_subArray($this->currentCert, 'tbsCertList/revokedCertificates'))) {
    4177. 

  4177.             if (($i = $this->_revokedCertificate($rclist, $serial)) !== false) {
    4178. 

  4178.                 unset($rclist[$i]);
    4179. 

  4179.                 $rclist = array_values($rclist);
    4180. 

  4180.                 return true;
    4181. 

  4181.             }
    4182. 

  4182.         }
    4183. 

  4183. 

  4184.         return false;
    4185. 

  4185.     }
    4186. 

  4186. 

  4187.     /**
    4188. 

  4188.      * Get a revoked certificate.
    4189. 

  4189.      *
    4190. 

  4190.      * @param String $serial
    4191. 

  4191.      * @access public
    4192. 

  4192.      * @return Mixed
    4193. 

  4193.      */
    4194. 

  4194.     function getRevoked($serial)
    4195. 

  4195.     {
    4196. 

  4196.         if (is_array($rclist = $this->_subArray($this->currentCert, 'tbsCertList/revokedCertificates'))) {
    4197. 

  4197.             if (($i = $this->_revokedCertificate($rclist, $serial)) !== false) {
    4198. 

  4198.                 return $rclist[$i];
    4199. 

  4199.             }
    4200. 

  4200.         }
    4201. 

  4201. 

  4202.         return false;
    4203. 

  4203.     }
    4204. 

  4204. 

  4205.     /**
    4206. 

  4206.      * List revoked certificates
    4207. 

  4207.      *
    4208. 

  4208.      * @param array $crl optional
    4209. 

  4209.      * @access public
    4210. 

  4210.      * @return array
    4211. 

  4211.      */
    4212. 

  4212.     function listRevoked($crl = NULL)
    4213. 

  4213.     {
    4214. 

  4214.         if (!isset($crl)) {
    4215. 

  4215.             $crl = $this->currentCert;
    4216. 

  4216.         }
    4217. 

  4217. 

  4218.         if (!isset($crl['tbsCertList'])) {
    4219. 

  4219.             return false;
    4220. 

  4220.         }
    4221. 

  4221. 

  4222.         $result = array();
    4223. 

  4223. 

  4224.         if (is_array($rclist = $this->_subArray($crl, 'tbsCertList/revokedCertificates'))) {
    4225. 

  4225.             foreach ($rclist as $rc) {
    4226. 

  4226.                 $result[] = $rc['userCertificate']->toString();
    4227. 

  4227.             }
    4228. 

  4228.         }
    4229. 

  4229. 

  4230.         return $result;
    4231. 

  4231.     }
    4232. 

  4232. 

  4233.     /**
    4234. 

  4234.      * Remove a Revoked Certificate Extension
    4235. 

  4235.      *
    4236. 

  4236.      * @param String $serial
    4237. 

  4237.      * @param String $id
    4238. 

  4238.      * @access public
    4239. 

  4239.      * @return Boolean
    4240. 

  4240.      */
    4241. 

  4241.     function removeRevokedCertificateExtension($serial, $id)
    4242. 

  4242.     {
    4243. 

  4243.         if (is_array($rclist = &$this->_subArray($this->currentCert, 'tbsCertList/revokedCertificates'))) {
    4244. 

  4244.             if (($i = $this->_revokedCertificate($rclist, $serial)) !== false) {
    4245. 

  4245.                 return $this->_removeExtension($id, "tbsCertList/revokedCertificates/$i/crlEntryExtensions");
    4246. 

  4246.             }
    4247. 

  4247.         }
    4248. 

  4248. 

  4249.         return false;
    4250. 

  4250.     }
    4251. 

  4251. 

  4252.     /**
    4253. 

  4253.      * Get a Revoked Certificate Extension
    4254. 

  4254.      *
    4255. 

  4255.      * Returns the extension if it exists and false if not
    4256. 

  4256.      *
    4257. 

  4257.      * @param String $serial
    4258. 

  4258.      * @param String $id
    4259. 

  4259.      * @param Array $crl optional
    4260. 

  4260.      * @access public
    4261. 

  4261.      * @return Mixed
    4262. 

  4262.      */
    4263. 

  4263.     function getRevokedCertificateExtension($serial, $id, $crl = NULL)
    4264. 

  4264.     {
    4265. 

  4265.         if (!isset($crl)) {
    4266. 

  4266.             $crl = $this->currentCert;
    4267. 

  4267.         }
    4268. 

  4268. 

  4269.         if (is_array($rclist = $this->_subArray($crl, 'tbsCertList/revokedCertificates'))) {
    4270. 

  4270.             if (($i = $this->_revokedCertificate($rclist, $serial)) !== false) {
    4271. 

  4271.                 return $this->_getExtension($id, $crl,  "tbsCertList/revokedCertificates/$i/crlEntryExtensions");
    4272. 

  4272.             }
    4273. 

  4273.         }
    4274. 

  4274. 

  4275.         return false;
    4276. 

  4276.     }
    4277. 

  4277. 

  4278.     /**
    4279. 

  4279.      * Returns a list of all extensions in use for a given revoked certificate
    4280. 

  4280.      *
    4281. 

  4281.      * @param String $serial
    4282. 

  4282.      * @param array $crl optional
    4283. 

  4283.      * @access public
    4284. 

  4284.      * @return Array
    4285. 

  4285.      */
    4286. 

  4286.     function getRevokedCertificateExtensions($serial, $crl = NULL)
    4287. 

  4287.     {
    4288. 

  4288.         if (!isset($crl)) {
    4289. 

  4289.             $crl = $this->currentCert;
    4290. 

  4290.         }
    4291. 

  4291. 

  4292.         if (is_array($rclist = $this->_subArray($crl, 'tbsCertList/revokedCertificates'))) {
    4293. 

  4293.             if (($i = $this->_revokedCertificate($rclist, $serial)) !== false) {
    4294. 

  4294.                 return $this->_getExtensions($crl, "tbsCertList/revokedCertificates/$i/crlEntryExtensions");
    4295. 

  4295.             }
    4296. 

  4296.         }
    4297. 

  4297. 

  4298.         return false;
    4299. 

  4299.     }
    4300. 

  4300. 

  4301.     /**
    4302. 

  4302.      * Set a Revoked Certificate Extension
    4303. 

  4303.      *
    4304. 

  4304.      * @param String $serial
    4305. 

  4305.      * @param String $id
    4306. 

  4306.      * @param Mixed $value
    4307. 

  4307.      * @param Boolean $critical optional
    4308. 

  4308.      * @param Boolean $replace optional
    4309. 

  4309.      * @access public
    4310. 

  4310.      * @return Boolean
    4311. 

  4311.      */
    4312. 

  4312.     function setRevokedCertificateExtension($serial, $id, $value, $critical = false, $replace = true)
    4313. 

  4313.     {
    4314. 

  4314.         if (isset($this->currentCert['tbsCertList'])) {
    4315. 

  4315.             if (is_array($rclist = &$this->_subArray($this->currentCert, 'tbsCertList/revokedCertificates', true))) {
    4316. 

  4316.                 if (($i = $this->_revokedCertificate($rclist, $serial, true)) !== false) {
    4317. 

  4317.                     return $this->_setExtension($id, $value, $critical, $replace, "tbsCertList/revokedCertificates/$i/crlEntryExtensions");
    4318. 

  4318.                 }
    4319. 

  4319.             }
    4320. 

  4320.         }
    4321. 

  4321. 

  4322.         return false;
    4323. 

  4323.     }
    4324. 

  4324. 

  4325.     /**
    4326. 

  4326.      * Extract raw BER from Base64 encoding
    4327. 

  4327.      *
    4328. 

  4328.      * @access private
    4329. 

  4329.      * @param String $str
    4330. 

  4330.      * @return String
    4331. 

  4331.      */
    4332. 

  4332.     function _extractBER($str)
    4333. 

  4333.     {
    4334. 

  4334.         /*
    4335. 

  4335.             X.509 certs are assumed to be base64 encoded but sometimes they'll have additional things in them above and beyond the ceritificate. ie.
    4336. 

  4336.             some may have the following preceding the -----BEGIN CERTIFICATE----- line:
    4337. 

  4337. 

  4338.             Bag Attributes
    4339. 

  4339.                 localKeyID: 01 00 00 00
    4340. 

  4340.             subject=/O=organization/OU=org unit/CN=common name
    4341. 

  4341.             issuer=/O=organization/CN=common name
    4342. 

  4342.         */
    4343. 

  4343.         $temp = preg_replace('#.*?^-+[^-]+-+#ms', '', $str, 1);
    4344. 

  4344.         // remove the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- stuff
    4345. 

  4345.         $temp = preg_replace('#-+[^-]+-+#', '', $temp);
    4346. 

  4346.         // remove new lines
    4347. 

  4347.         $temp = str_replace(array("\r", "\n", ' '), '', $temp);
    4348. 

  4348.         $temp = preg_match('#^[a-zA-Z\d/+]*={0,2}$#', $temp) ? base64_decode($temp) : false;
    4349. 

  4349.         return $temp != false ? $temp : $str;
    4350. 

  4350.     }
    4351. 

  4351. }
    4352.