X509
class X509 (View source)
Pure-PHP X.509 Parser
Constants
| VALIDATE_SIGNATURE_BY_CA |
Flag to only accept signatures signed by certificate authorities Not really used anymore but retained all the same to suppress E_NOTICEs from old installs |
| DN_ARRAY |
Return internal array representation |
| DN_STRING |
Return string |
| DN_ASN1 |
Return ASN.1 name string |
| DN_OPENSSL |
Return OpenSSL compatible array |
| DN_CANON |
Return canonical ASN.1 RDNs string |
| DN_HASH |
Return name hash for file indexing |
| FORMAT_PEM |
Save as PEM ie. a base64-encoded PEM with a header and a footer |
| FORMAT_DER |
Save as DER |
| FORMAT_SPKAC |
Save as a SPKAC Only works on CSRs. Not currently supported. |
| FORMAT_AUTO_DETECT |
Auto-detect the format Used only by the load*() functions |
| ATTR_ALL |
Attribute value disposition. If disposition is >= 0, this is the index of the target value. |
| ATTR_APPEND |
|
| ATTR_REPLACE |
|
Properties
| array | $Certificate | ASN.1 syntax for X.509 certificates | |
| $DirectoryString | |||
| $PKCS9String | |||
| $AttributeValue | |||
| $Extensions | |||
| $KeyUsage | |||
| $ExtKeyUsageSyntax | |||
| $BasicConstraints | |||
| $KeyIdentifier | |||
| $CRLDistributionPoints | |||
| $AuthorityKeyIdentifier | |||
| $CertificatePolicies | |||
| $AuthorityInfoAccessSyntax | |||
| $SubjectAltName | |||
| $SubjectDirectoryAttributes | |||
| $PrivateKeyUsagePeriod | |||
| $IssuerAltName | |||
| $PolicyMappings | |||
| $NameConstraints | |||
| $CPSuri | |||
| $UserNotice | |||
| $netscape_cert_type | |||
| $netscape_comment | |||
| $netscape_ca_policy_url | |||
| $Name | |||
| $RelativeDistinguishedName | |||
| $CRLNumber | |||
| $CRLReason | |||
| $IssuingDistributionPoint | |||
| $InvalidityDate | |||
| $CertificateIssuer | |||
| $HoldInstructionCode | |||
| $SignedPublicKeyAndChallenge | |||
| $PostalAddress | |||
| array | $CertificationRequest | ASN.1 syntax for Certificate Signing Requests (RFC2986) | |
| array | $CertificateList | ASN.1 syntax for Certificate Revocation Lists (RFC5280) | |
| array | $dn | Distinguished Name | |
| string | $publicKey | Public key | |
| string | $privateKey | Private key | |
| array | $oids | Object identifiers for X.509 certificates | |
| array | $CAs | The certificate authorities | |
| array | $currentCert | The currently loaded certificate | |
| string | $signatureSubject | The signature subject | |
| string | $startDate | Certificate Start Date | |
| string | $endDate | Certificate End Date | |
| string | $serialNumber | Serial Number | |
| string | $currentKeyIdentifier | Key Identifier | |
| bool | $caFlag | CA Flag | |
| string | $challenge | SPKAC Challenge | |
| static int | $recur_limit | Recursion Limit | |
| static bool | $disable_url_fetch | URL fetch flag |
Methods
Default Constructor.
Load X.509 certificate
Save X.509 certificate
Map extension values from octet string to extension-specific internal format.
Map extension values from extension-specific internal format to octet string.
Map attribute values from ANY type to attribute-specific internal format.
Map attribute values from attribute-specific internal format to ANY type.
Map DN values from ANY type to DN-specific internal format.
Map DN values from DN-specific internal format to ANY type.
Associate an extension ID to an extension mapping
Load an X.509 certificate as a certificate authority
Validate an X.509 certificate against a URL
Fetches a URL
Validates an intermediate cert as identified via authority info access extension
Validate a signature
Validate a signature
Validates a signature
Sets the recursion limit
Prevents URIs from being automatically retrieved
Allows URIs to be automatically retrieved
Reformat public keys
Decodes an IP address
Decodes an IP address in a name constraints extension
Encodes an IP address
"Normalizes" a Distinguished Name property
Set a Distinguished Name property
Remove Distinguished Name properties
Get Distinguished Name properties
Set a Distinguished Name
Get the Distinguished Name for a certificates subject
Get the Distinguished Name for a certificate/crl issuer
Get the Distinguished Name for a certificate/csr subject Alias of getDN()
Get an individual Distinguished Name property for a certificate/crl issuer
Get an individual Distinguished Name property for a certificate/csr subject
Get the certificate chain for the current cert
Set public key
Set private key
Set challenge
Gets the public key
Load a Certificate Signing Request
Save CSR request
Load a SPKAC CSR
Save a SPKAC CSR request
Load a Certificate Revocation List
Save Certificate Revocation List.
Helper function to build a time field according to RFC 3280 section - 4.1.2.5 Validity - 5.1.2.4 This Update - 5.1.2.5 Next Update - 5.1.2.6 Revoked Certificates by choosing utcTime iff year of date given is before 2050 and generalTime else.
Sign a CSR
Sign a SPKAC
Set certificate start date
Set certificate end date
Set Serial Number
Turns the certificate into a certificate authority
Check for validity of subarray
Get a reference to a subarray
Get a reference to a subarray
Get a reference to an extension subarray
Remove an Extension
Get an Extension
Returns a list of all extensions in use
Set an Extension
Remove a certificate, CSR or CRL Extension
Get a certificate, CSR or CRL Extension
Returns a list of all extensions in use in certificate, CSR or CRL
Set a certificate, CSR or CRL Extension
Remove a CSR attribute.
Get a CSR attribute
Returns a list of all CSR attributes in use
Set a CSR attribute
Sets the subject key identifier
Compute a public key identifier.
Format a public key as appropriate
Set the domain name's which the cert is to be valid for
Set the IP Addresses's which the cert is to be valid for
Helper function to build domain array
Helper function to build IP Address array
Get the index of a revoked certificate.
Revoke a certificate.
Unrevoke a certificate.
Get a revoked certificate.
List revoked certificates
Remove a Revoked Certificate Extension
Get a Revoked Certificate Extension
Returns a list of all extensions in use for a given revoked certificate
Set a Revoked Certificate Extension
Extract raw BER from Base64 encoding
Returns the OID corresponding to a name
Details
X509
__construct()
Default Constructor.
mixed
loadX509(string $cert, int $mode = self::FORMAT_AUTO_DETECT)
Load X.509 certificate
Returns an associative array describing the X.509 cert or a false if the cert failed to load
string
saveX509(array $cert, int $format = self::FORMAT_PEM)
Save X.509 certificate
_mapInExtensions(array $root, string $path, object $asn1)
Map extension values from octet string to extension-specific internal format.
_mapOutExtensions(array $root, string $path, object $asn1)
Map extension values from extension-specific internal format to octet string.
_mapInAttributes(array $root, string $path, object $asn1)
Map attribute values from ANY type to attribute-specific internal format.
_mapOutAttributes(array $root, string $path, object $asn1)
Map attribute values from attribute-specific internal format to ANY type.
_mapInDNs(array $root, string $path, object $asn1)
Map DN values from ANY type to DN-specific internal format.
_mapOutDNs(array $root, string $path, object $asn1)
Map DN values from DN-specific internal format to ANY type.
mixed
_getMapping(string $extnId)
Associate an extension ID to an extension mapping
bool
loadCA(string $cert)
Load an X.509 certificate as a certificate authority
bool
validateURL(string $url)
Validate an X.509 certificate against a URL
From RFC2818 "HTTP over TLS":
Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., .a.com matches foo.a.com but not bar.foo.a.com. f.com matches foo.com but not bar.com.
validateDate(DateTime|string $date = null)
Validate a date
If $date isn't defined it is assumed to be the current date.
static bool|string
_fetchURL(string $url)
Fetches a URL
bool
_testForIntermediate(bool $caonly, int $count)
Validates an intermediate cert as identified via authority info access extension
See https://tools.ietf.org/html/rfc4325 for more info
mixed
validateSignature(bool $caonly = true)
Validate a signature
Works on X.509 certs, CSR's and CRL's. Returns true if the signature is verified, false if it is not correct or null on error
By default returns false for self-signed certs. Call validateSignature(false) to make this support self-signed.
The behavior of this function is inspired by {@link http://php.net/openssl-verify openssl_verify}.
mixed
_validateSignatureCountable(bool $caonly, int $count)
Validate a signature
Performs said validation whilst keeping track of how many times validation method is called
int
_validateSignature(string $publicKeyAlgorithm, string $publicKey, string $signatureAlgorithm, string $signature, string $signatureSubject)
Validates a signature
Returns true if the signature is verified, false if it is not correct or null on error
static
setRecurLimit(int $count)
Sets the recursion limit
When validating a signature it may be necessary to download intermediate certs from URI's. An intermediate cert that linked to itself would result in an infinite loop so to prevent that we set a recursion limit. A negative number means that there is no recursion limit.
static
disableURLFetch()
Prevents URIs from being automatically retrieved
static
enableURLFetch()
Allows URIs to be automatically retrieved
string
_reformatKey(string $algorithm, string $key)
Reformat public keys
Reformats a public key to a format supported by phpseclib (if applicable)
string
_decodeIP(string $ip)
Decodes an IP address
Takes in a base64 encoded "blob" and returns a human readable IP address
array
_decodeNameConstraintIP(string $ip)
Decodes an IP address in a name constraints extension
Takes in a base64 encoded "blob" and returns a human readable IP address / mask
string
_encodeIP(string|array $ip)
Encodes an IP address
Takes a human readable IP address into a base64-encoded "blob"
mixed
_translateDNProp(string $propName)
"Normalizes" a Distinguished Name property
bool
setDNProp(string $propName, mixed $propValue, string $type = 'utf8String')
Set a Distinguished Name property
removeDNProp(string $propName)
Remove Distinguished Name properties
mixed
getDNProp(string $propName, array $dn = null, bool $withType = false)
Get Distinguished Name properties
bool
setDN(mixed $dn, bool $merge = false, string $type = 'utf8String')
Set a Distinguished Name
bool
getDN(mixed $format = self::DN_ARRAY, array $dn = null)
Get the Distinguished Name for a certificates subject
mixed
getIssuerDN(int $format = self::DN_ARRAY)
Get the Distinguished Name for a certificate/crl issuer
mixed
getSubjectDN(int $format = self::DN_ARRAY)
Get the Distinguished Name for a certificate/csr subject Alias of getDN()
mixed
getIssuerDNProp(string $propName, bool $withType = false)
Get an individual Distinguished Name property for a certificate/crl issuer
mixed
getSubjectDNProp(string $propName, bool $withType = false)
Get an individual Distinguished Name property for a certificate/csr subject
mixed
getChain()
Get the certificate chain for the current cert
bool
setPublicKey(object $key)
Set public key
Key needs to be a \phpseclib\Crypt\RSA object
setPrivateKey(object $key)
Set private key
Key needs to be a \phpseclib\Crypt\RSA object
setChallenge(string $challenge)
Set challenge
Used for SPKAC CSR's
mixed
getPublicKey()
Gets the public key
Returns a \phpseclib\Crypt\RSA object or a false.
mixed
loadCSR(string|array $csr, int $mode = self::FORMAT_AUTO_DETECT)
Load a Certificate Signing Request
string
saveCSR(array $csr, int $format = self::FORMAT_PEM)
Save CSR request
mixed
loadSPKAC(string|array $spkac)
Load a SPKAC CSR
SPKAC's are produced by the HTML5 keygen element:
https://developer.mozilla.org/en-US/docs/HTML/Element/keygen
string
saveSPKAC(string|array $spkac, int $format = self::FORMAT_PEM)
Save a SPKAC CSR request
mixed
loadCRL(string $crl, int $mode = self::FORMAT_AUTO_DETECT)
Load a Certificate Revocation List
string
saveCRL(array $crl, int $format = self::FORMAT_PEM)
Save Certificate Revocation List.
array
_timeField(string $date)
Helper function to build a time field according to RFC 3280 section - 4.1.2.5 Validity - 5.1.2.4 This Update - 5.1.2.5 Next Update - 5.1.2.6 Revoked Certificates by choosing utcTime iff year of date given is before 2050 and generalTime else.
mixed
sign(X509 $issuer, X509 $subject, string $signatureAlgorithm = 'sha1WithRSAEncryption')
Sign an X.509 certificate
$issuer's private key needs to be loaded. $subject can be either an existing X.509 cert (if you want to resign it), a CSR or something with the DN and public key explicitly set.
mixed
signCSR($signatureAlgorithm = 'sha1WithRSAEncryption')
Sign a CSR
mixed
signSPKAC($signatureAlgorithm = 'sha1WithRSAEncryption')
Sign a SPKAC
mixed
signCRL(X509 $issuer, X509 $crl, string $signatureAlgorithm = 'sha1WithRSAEncryption')
Sign a CRL
$issuer's private key needs to be loaded.
mixed
_sign(X509 $key, string $signatureAlgorithm)
X.509 certificate signing helper function.
setStartDate(string $date)
Set certificate start date
setEndDate(string $date)
Set certificate end date
setSerialNumber(string $serial, int $base = -256)
Set Serial Number
makeCA()
Turns the certificate into a certificate authority
bool
_isSubArrayValid(array $root, string $path)
Check for validity of subarray
This is intended for use in conjunction with _subArrayUnchecked(), implementing the checks included in _subArray() but without copying a potentially large array by passing its reference by-value to is_array().
array|false
_subArrayUnchecked(array $root, string $path, bool $create = false)
Get a reference to a subarray
This variant of _subArray() does no is_array() checking, so $root should be checked with _isSubArrayValid() first.
This is here for performance reasons: Passing a reference (i.e. $root) by-value (i.e. to is_array()) creates a copy. If $root is an especially large array, this is expensive.
array|false
_subArray(array $root, string $path, bool $create = false)
Get a reference to a subarray
array|false
_extensions(array $root, string $path = null, bool $create = false)
Get a reference to an extension subarray
bool
_removeExtension(string $id, string $path = null)
Remove an Extension
mixed
_getExtension(string $id, array $cert = null, string $path = null)
Get an Extension
Returns the extension if it exists and false if not
array
_getExtensions(array $cert = null, string $path = null)
Returns a list of all extensions in use
bool
_setExtension(string $id, mixed $value, bool $critical = false, bool $replace = true, string $path = null)
Set an Extension
bool
removeExtension(string $id)
Remove a certificate, CSR or CRL Extension
mixed
getExtension(string $id, array $cert = null)
Get a certificate, CSR or CRL Extension
Returns the extension if it exists and false if not
array
getExtensions(array $cert = null)
Returns a list of all extensions in use in certificate, CSR or CRL
bool
setExtension(string $id, mixed $value, bool $critical = false, bool $replace = true)
Set a certificate, CSR or CRL Extension
bool
removeAttribute(string $id, int $disposition = self::ATTR_ALL)
Remove a CSR attribute.
mixed
getAttribute(string $id, int $disposition = self::ATTR_ALL, array $csr = null)
Get a CSR attribute
Returns the attribute if it exists and false if not
array
getAttributes(array $csr = null)
Returns a list of all CSR attributes in use
bool
setAttribute(string $id, mixed $value, bool $disposition = self::ATTR_ALL)
Set a CSR attribute
setKeyIdentifier(string $value)
Sets the subject key identifier
This is used by the id-ce-authorityKeyIdentifier and the id-ce-subjectKeyIdentifier extensions.
string
computeKeyIdentifier(mixed $key = null, int $method = 1)
Compute a public key identifier.
Although key identifiers may be set to any unique value, this function computes key identifiers from public key according to the two recommended methods (4.2.1.2 RFC 3280). Highly polymorphic: try to accept all possible forms of key: - Key object - \phpseclib\File\X509 object with public or private key defined - Certificate or CSR array - \phpseclib\File\ASN1\Element object - PEM or DER string
array
_formatSubjectPublicKey()
Format a public key as appropriate
array
setDomain()
Set the domain name's which the cert is to be valid for
setIPAddress()
Set the IP Addresses's which the cert is to be valid for
array
_dnsName(string $domain)
Helper function to build domain array
array
_iPAddress(string $address)
Helper function to build IP Address array
(IPv6 is not currently supported)
int|false
_revokedCertificate(array $rclist, string $serial, bool $create = false)
Get the index of a revoked certificate.
bool
revoke(string $serial, string $date = null)
Revoke a certificate.
bool
unrevoke(string $serial)
Unrevoke a certificate.
mixed
getRevoked(string $serial)
Get a revoked certificate.
array
listRevoked(array $crl = null)
List revoked certificates
bool
removeRevokedCertificateExtension(string $serial, string $id)
Remove a Revoked Certificate Extension
mixed
getRevokedCertificateExtension(string $serial, string $id, array $crl = null)
Get a Revoked Certificate Extension
Returns the extension if it exists and false if not
array
getRevokedCertificateExtensions(string $serial, array $crl = null)
Returns a list of all extensions in use for a given revoked certificate
bool
setRevokedCertificateExtension(string $serial, string $id, mixed $value, bool $critical = false, bool $replace = true)
Set a Revoked Certificate Extension
string
_extractBER(string $str)
Extract raw BER from Base64 encoding
string
getOID($name)
Returns the OID corresponding to a name
What's returned in the associative array returned by loadX509() (or load*()) is either a name or an OID if no OID to name mapping is available. The problem with this is that what may be an unmapped OID in one version of phpseclib may not be unmapped in the next version, so apps that are looking at this OID may not be able to work from version to version.
This method will return the OID if a name is passed to it and if no mapping is avialable it'll assume that what's being passed to it already is an OID and return that instead. A few examples.
getOID('2.16.840.1.101.3.4.2.1') == '2.16.840.1.101.3.4.2.1' getOID('id-sha256') == '2.16.840.1.101.3.4.2.1' getOID('zzz') == 'zzz'