class X509

Pure-PHP X.509 Parser

Constants

VALIDATE_SIGNATURE_BY_CA

Flag to only accept signatures signed by certificate authorities

Not really used anymore but retained all the same to suppress E_NOTICEs from old installs

DN_ARRAY

Return internal array representation

DN_STRING

Return string

DN_ASN1

Return ASN.1 name string

DN_OPENSSL

Return OpenSSL compatible array

DN_CANON

Return canonical ASN.1 RDNs string

DN_HASH

Return name hash for file indexing

FORMAT_PEM

Save as PEM

i.e. a base64-encoded body with a header and a footer

FORMAT_DER

Save as DER

FORMAT_SPKAC

Save as a SPKAC

FORMAT_AUTO_DETECT

Auto-detect the format

Used only by the load*() functions

ATTR_ALL

Attribute value disposition.

If disposition is >= 0, this is the index of the target value.

ATTR_APPEND

ATTR_REPLACE

Methods

__construct()

Default Constructor.

mixed
loadX509(string $cert, int $mode = self::FORMAT_AUTO_DETECT)

Load X.509 certificate

string
saveX509(array $cert, int $format = self::FORMAT_PEM)

Save X.509 certificate

bool
loadCA(string $cert)

Load an X.509 certificate as a certificate authority

bool
validateURL(string $url)

Validate an X.509 certificate against a URL

bool
validateDate(DateTimeInterface|string $date = null)

Validate a date

mixed
validateSignature(bool $caonly = true)

Validate a signature

static 
setRecurLimit(int $count)

Sets the recursion limit

static 
disableURLFetch()

Prevents URIs from being automatically retrieved

static 
enableURLFetch()

Allows URIs to be automatically retrieved

static string
decodeIP(string $ip)

Decodes an IP address

static array
decodeNameConstraintIP(string $ip)

Decodes an IP address in a name constraints extension

static string
encodeIP(string|array $ip)

Encodes an IP address

bool
setDNProp(string $propName, mixed $propValue, string $type = 'utf8String')

Set a Distinguished Name property

removeDNProp(string $propName)

Remove Distinguished Name properties

mixed
getDNProp(string $propName, array $dn = null, bool $withType = false)

Get Distinguished Name properties

bool
setDN(mixed $dn, bool $merge = false, string $type = 'utf8String')

Set a Distinguished Name

array|bool
getDN(mixed $format = self::DN_ARRAY, array $dn = null)

Get the Distinguished Name for a certificate's subject

mixed
getIssuerDN(int $format = self::DN_ARRAY)

Get the Distinguished Name for a certificate/crl issuer

mixed
getSubjectDN(int $format = self::DN_ARRAY)

Get the Distinguished Name for a certificate/CSR subject. Alias of getDN()

mixed
getIssuerDNProp(string $propName, bool $withType = false)

Get an individual Distinguished Name property for a certificate/crl issuer

mixed
getSubjectDNProp(string $propName, bool $withType = false)

Get an individual Distinguished Name property for a certificate/csr subject

mixed
getChain()

Get the certificate chain for the current cert

array|bool
getCurrentCert()

Returns the current cert

bool
setPublicKey(PublicKey $key)

Set public key

setPrivateKey(PrivateKey $key)

Set private key

setChallenge(string $challenge)

Set challenge

mixed
getPublicKey()

Gets the public key

mixed
loadCSR(string $csr, int $mode = self::FORMAT_AUTO_DETECT)

Load a Certificate Signing Request

string
saveCSR(array $csr, int $format = self::FORMAT_PEM)

Save CSR request

mixed
loadSPKAC(string $spkac)

Load a SPKAC CSR

string
saveSPKAC(array $spkac, int $format = self::FORMAT_PEM)

Save a SPKAC CSR request

mixed
loadCRL(string $crl, int $mode = self::FORMAT_AUTO_DETECT)

Load a Certificate Revocation List

string
saveCRL(array $crl, int $format = self::FORMAT_PEM)

Save Certificate Revocation List.

mixed
sign(X509 $issuer, X509 $subject)

Sign an X.509 certificate

mixed
signCSR()

Sign a CSR

mixed
signSPKAC()

Sign a SPKAC

mixed
signCRL(X509 $issuer, X509 $crl)

Sign a CRL

setStartDate(DateTimeInterface|string $date)

Set certificate start date

setEndDate(DateTimeInterface|string $date)

Set certificate end date

setSerialNumber(string $serial, int $base = -256)

Set Serial Number

makeCA()

Turns the certificate into a certificate authority

bool
removeExtension(string $id)

Remove a certificate, CSR or CRL Extension

mixed
getExtension(string $id, array $cert = null, string $path = null)

Get a certificate, CSR or CRL Extension

array
getExtensions(array $cert = null, string $path = null)

Returns a list of all extensions in use in certificate, CSR or CRL

bool
setExtension(string $id, mixed $value, bool $critical = false, bool $replace = true)

Set a certificate, CSR or CRL Extension

bool
removeAttribute(string $id, int $disposition = self::ATTR_ALL)

Remove a CSR attribute.

mixed
getAttribute(string $id, int $disposition = self::ATTR_ALL, array $csr = null)

Get a CSR attribute

array
getAttributes(array $csr = null)

Returns a list of all CSR attributes in use

bool
setAttribute(string $id, mixed $value, int $disposition = self::ATTR_ALL)

Set a CSR attribute

setKeyIdentifier(string $value)

Sets the subject key identifier

string
computeKeyIdentifier(mixed $key = null, int $method = 1)

Compute a public key identifier.

array
setDomain(array ...$domains)

Set the domain names for which the cert is to be valid

setIPAddress(array ...$ipAddresses)

Set the IP addresses for which the cert is to be valid

bool
revoke(string $serial, string $date = null)

Revoke a certificate.

bool
unrevoke(string $serial)

Unrevoke a certificate.

mixed
getRevoked(string $serial)

Get a revoked certificate.

array|bool
listRevoked(array $crl = null)

List revoked certificates

bool
removeRevokedCertificateExtension(string $serial, string $id)

Remove a Revoked Certificate Extension

mixed
getRevokedCertificateExtension(string $serial, string $id, array $crl = null)

Get a Revoked Certificate Extension

array|bool
getRevokedCertificateExtensions(string $serial, array $crl = null)

Returns a list of all extensions in use for a given revoked certificate

bool
setRevokedCertificateExtension(string $serial, string $id, mixed $value, bool $critical = false, bool $replace = true)

Set a Revoked Certificate Extension

static 
registerExtension(string $id, array $mapping)

Register the mapping for a custom/unsupported extension.

static array|null
getRegisteredExtension(string $id)

Get the registered mapping for a custom/unsupported extension.

setExtensionValue(string $id, mixed $value, bool $critical = false, bool $replace = false)

Set the value of a custom/unsupported extension.

Details

X509 __construct()

Default Constructor.

Return Value

X509

mixed loadX509(string $cert, int $mode = self::FORMAT_AUTO_DETECT)

Load X.509 certificate

Returns an associative array describing the X.509 cert or a false if the cert failed to load

Parameters

string $cert
int $mode

Return Value

mixed

string saveX509(array $cert, int $format = self::FORMAT_PEM)

Save X.509 certificate

Parameters

array $cert
int $format optional

Return Value

string

bool loadCA(string $cert)

Load an X.509 certificate as a certificate authority

Parameters

string $cert

Return Value

bool

bool validateURL(string $url)

Validate an X.509 certificate against a URL

From RFC2818 "HTTP over TLS":

Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.

Parameters

string $url

Return Value

bool

bool validateDate(DateTimeInterface|string $date = null)

Validate a date

If $date isn't defined it is assumed to be the current date.

Parameters

DateTimeInterface|string $date optional

Return Value

bool

mixed validateSignature(bool $caonly = true)

Validate a signature

Works on X.509 certs, CSRs and CRLs. Returns true if the signature is verified, false if it is not correct, or null on error.

By default this returns false for self-signed certs. Call validateSignature(false) to accept self-signed certs as well.

The behavior of this function is inspired by openssl_verify (http://php.net/openssl-verify).

Parameters

bool $caonly optional

Return Value

mixed

static setRecurLimit(int $count)

Sets the recursion limit

When validating a signature it may be necessary to download intermediate certs from URIs. An intermediate cert that linked to itself would result in an infinite loop, so to prevent that a recursion limit is set. A negative number means that there is no recursion limit.

Parameters

int $count

static disableURLFetch()

Prevents URIs from being automatically retrieved

static enableURLFetch()

Allows URIs to be automatically retrieved

static string decodeIP(string $ip)

Decodes an IP address

Takes in a base64 encoded "blob" and returns a human readable IP address

Parameters

string $ip

Return Value

string

static array decodeNameConstraintIP(string $ip)

Decodes an IP address in a name constraints extension

Takes in a base64 encoded "blob" and returns a human readable IP address / mask

Parameters

string $ip

Return Value

array

static string encodeIP(string|array $ip)

Encodes an IP address

Takes a human-readable IP address and returns a base64-encoded "blob"

Parameters

string|array $ip

Return Value

string

bool setDNProp(string $propName, mixed $propValue, string $type = 'utf8String')

Set a Distinguished Name property

Parameters

string $propName
mixed $propValue
string $type optional

Return Value

bool

removeDNProp(string $propName)

Remove Distinguished Name properties

Parameters

string $propName

mixed getDNProp(string $propName, array $dn = null, bool $withType = false)

Get Distinguished Name properties

Parameters

string $propName
array $dn optional
bool $withType optional

Return Value

mixed

bool setDN(mixed $dn, bool $merge = false, string $type = 'utf8String')

Set a Distinguished Name

Parameters

mixed $dn
bool $merge optional
string $type optional

Return Value

bool

array|bool getDN(mixed $format = self::DN_ARRAY, array $dn = null)

Get the Distinguished Name for a certificate's subject

Parameters

mixed $format optional
array $dn optional

Return Value

array|bool

mixed getIssuerDN(int $format = self::DN_ARRAY)

Get the Distinguished Name for a certificate/crl issuer

Parameters

int $format optional

Return Value

mixed

mixed getSubjectDN(int $format = self::DN_ARRAY)

Get the Distinguished Name for a certificate/CSR subject. Alias of getDN()

Parameters

int $format optional

Return Value

mixed

mixed getIssuerDNProp(string $propName, bool $withType = false)

Get an individual Distinguished Name property for a certificate/crl issuer

Parameters

string $propName
bool $withType optional

Return Value

mixed

mixed getSubjectDNProp(string $propName, bool $withType = false)

Get an individual Distinguished Name property for a certificate/csr subject

Parameters

string $propName
bool $withType optional

Return Value

mixed

mixed getChain()

Get the certificate chain for the current cert

Return Value

mixed

array|bool getCurrentCert()

Returns the current cert

Return Value

array|bool

bool setPublicKey(PublicKey $key)

Set public key

Key needs to be a \phpseclib3\Crypt\RSA object

Parameters

PublicKey $key

Return Value

bool

setPrivateKey(PrivateKey $key)

Set private key

Key needs to be a \phpseclib3\Crypt\RSA object

Parameters

PrivateKey $key

setChallenge(string $challenge)

Set challenge

Used for SPKAC CSRs

Parameters

string $challenge

mixed getPublicKey()

Gets the public key

Returns a \phpseclib3\Crypt\RSA object or a false.

Return Value

mixed

mixed loadCSR(string $csr, int $mode = self::FORMAT_AUTO_DETECT)

Load a Certificate Signing Request

Parameters

string $csr
int $mode

Return Value

mixed

string saveCSR(array $csr, int $format = self::FORMAT_PEM)

Save CSR request

Parameters

array $csr
int $format optional

Return Value

string

mixed loadSPKAC(string $spkac)

Load a SPKAC CSR

SPKACs are produced by the HTML5 keygen element:

https://developer.mozilla.org/en-US/docs/HTML/Element/keygen

Parameters

string $spkac

Return Value

mixed

string saveSPKAC(array $spkac, int $format = self::FORMAT_PEM)

Save a SPKAC CSR request

Parameters

array $spkac
int $format optional

Return Value

string

mixed loadCRL(string $crl, int $mode = self::FORMAT_AUTO_DETECT)

Load a Certificate Revocation List

Parameters

string $crl
int $mode

Return Value

mixed

string saveCRL(array $crl, int $format = self::FORMAT_PEM)

Save Certificate Revocation List.

Parameters

array $crl
int $format optional

Return Value

string

mixed sign(X509 $issuer, X509 $subject)

Sign an X.509 certificate

$issuer's private key needs to be loaded. $subject can be either an existing X.509 cert (if you want to resign it), a CSR or something with the DN and public key explicitly set.

Parameters

X509 $issuer
X509 $subject

Return Value

mixed
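The sign()/loadCA()/validateSignature() workflow end to end, as an added example that is not code from the phpseclib project or its documentation. It issues a leaf certificate from a locally created CA, verifies it as a relying party would, and shows the documented self-signed behaviour of validateSignature(); it assumes phpseclib3 is installed through Composer, and all names, dates and serials are made up.

```php
<?php
// Added example (not from the phpseclib project). Assumes phpseclib3 via Composer;
// the CA name, host name, dates and serial numbers below are constructed values.
require __DIR__ . '/vendor/autoload.php';

use phpseclib3\Crypt\RSA;
use phpseclib3\File\X509;

// Chain material is supplied locally, so keep validation off the network and
// bound the recursion in case a chain ever loops back on itself.
X509::disableURLFetch();
X509::setRecurLimit(5);

// 1. Self-signed CA. The subject carries the DN and public key, the issuer the
//    private key and DN, and the object calling sign() the CA flag, validity and serial.
$caKey = RSA::createKey(2048);
$caSubject = new X509();
$caSubject->setDN(['cn' => 'Example Root CA']);
$caSubject->setPublicKey($caKey->getPublicKey());
$caIssuer = new X509();
$caIssuer->setPrivateKey($caKey);
$caIssuer->setDN($caSubject->getDN());
$signer = new X509();
$signer->makeCA();
$signer->setStartDate('-1 day');
$signer->setEndDate('+10 years');
$signer->setSerialNumber('1', 10);
$caPem = $signer->saveX509($signer->sign($caIssuer, $caSubject));

// 2. Leaf certificate for a server name, issued by the CA above.
$leafKey = RSA::createKey(2048);
$leaf = new X509();
$leaf->setDN(['cn' => 'www.example.com']);
$leaf->setPublicKey($leafKey->getPublicKey());
$leaf->setDomain('www.example.com');   // emitted as a subjectAltName dNSName
$issuer = new X509();
$issuer->loadX509($caPem);             // issuer DN and key identifier come from the CA cert
$issuer->setPrivateKey($caKey);
$signer = new X509();
$signer->setStartDate('-1 day');
$signer->setEndDate('+1 year');
$signer->setSerialNumber('2', 10);
$leafPem = $signer->saveX509($signer->sign($issuer, $leaf));

// 3. Verify as a relying party: load the trust anchor first, then the presented cert.
$verifier = new X509();
$verifier->loadCA($caPem);
$verifier->loadX509($leafPem);
var_dump($verifier->validateSignature());                     // signature against the loaded CA
var_dump($verifier->validateDate());                          // notBefore/notAfter against now
var_dump($verifier->validateURL('https://www.example.com/')); // URL host against the SAN entries

// 4. The default CA-only mode rejects a self-signed cert; pass false only where trusting it is intended.
$self = new X509();
$self->loadX509($caPem);
var_dump($self->validateSignature());      // CA-only check with no CA loaded
var_dump($self->validateSignature(false)); // accepts the cert's own signature
```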

mixed signCSR()

Sign a CSR

Return Value

mixed

mixed signSPKAC()

Sign a SPKAC

Return Value

mixed

mixed signCRL(X509 $issuer, X509 $crl)

Sign a CRL

$issuer's private key needs to be loaded.

Parameters

X509 $issuer
X509 $crl

Return Value

mixed

setStartDate(DateTimeInterface|string $date)

Set certificate start date

Parameters

DateTimeInterface|string $date

setEndDate(DateTimeInterface|string $date)

Set certificate end date

Parameters

DateTimeInterface|string $date

setSerialNumber(string $serial, int $base = -256)

Set Serial Number

Parameters

string $serial
int $base optional

makeCA()

Turns the certificate into a certificate authority

bool removeExtension(string $id)

Remove a certificate, CSR or CRL Extension

Parameters

string $id

Return Value

bool

mixed getExtension(string $id, array $cert = null, string $path = null)

Get a certificate, CSR or CRL Extension

Returns the extension if it exists and false if not

Parameters

string $id
array $cert optional
string $path optional

Return Value

mixed

array getExtensions(array $cert = null, string $path = null)

Returns a list of all extensions in use in certificate, CSR or CRL

Parameters

array $cert optional
string $path optional

Return Value

array

bool setExtension(string $id, mixed $value, bool $critical = false, bool $replace = true)

Set a certificate, CSR or CRL Extension

Parameters

string $id
mixed $value
bool $critical optional
bool $replace optional

Return Value

bool

bool removeAttribute(string $id, int $disposition = self::ATTR_ALL)

Remove a CSR attribute.

Parameters

string $id
int $disposition optional

Return Value

bool

mixed getAttribute(string $id, int $disposition = self::ATTR_ALL, array $csr = null)

Get a CSR attribute

Returns the attribute if it exists and false if not

Parameters

string $id
int $disposition optional
array $csr optional

Return Value

mixed

array getAttributes(array $csr = null)

Returns a list of all CSR attributes in use

Parameters

array $csr optional

Return Value

array

bool setAttribute(string $id, mixed $value, int $disposition = self::ATTR_ALL)

Set a CSR attribute

Parameters

string $id
mixed $value
int $disposition optional

Return Value

bool

setKeyIdentifier(string $value)

Sets the subject key identifier

This is used by the id-ce-authorityKeyIdentifier and the id-ce-subjectKeyIdentifier extensions.

Parameters

string $value

string computeKeyIdentifier(mixed $key = null, int $method = 1)

Compute a public key identifier.

Although key identifiers may be set to any unique value, this function computes key identifiers from the public key according to the two recommended methods (RFC 3280, section 4.2.1.2). Highly polymorphic: tries to accept all possible forms of key:

- Key object
- \phpseclib3\File\X509 object with public or private key defined
- Certificate or CSR array
- \phpseclib3\File\ASN1\Element object
- PEM or DER string

Parameters

mixed $key optional
int $method optional

Return Value

string binary key identifier

array setDomain(array ...$domains)

Set the domain names for which the cert is to be valid

Parameters

array ...$domains

Return Value

array

setIPAddress(array ...$ipAddresses)

Set the IP addresses for which the cert is to be valid

Parameters

array ...$ipAddresses

bool revoke(string $serial, string $date = null)

Revoke a certificate.

Parameters

string $serial
string $date optional

Return Value

bool

bool unrevoke(string $serial)

Unrevoke a certificate.

Parameters

string $serial

Return Value

bool

mixed getRevoked(string $serial)

Get a revoked certificate.

Parameters

string $serial

Return Value

mixed

array|bool listRevoked(array $crl = null)

List revoked certificates

Parameters

array $crl optional

Return Value

array|bool

bool removeRevokedCertificateExtension(string $serial, string $id)

Remove a Revoked Certificate Extension

Parameters

string $serial
string $id

Return Value

bool

mixed getRevokedCertificateExtension(string $serial, string $id, array $crl = null)

Get a Revoked Certificate Extension

Returns the extension if it exists and false if not

Parameters

string $serial
string $id
array $crl optional

Return Value

mixed

array|bool getRevokedCertificateExtensions(string $serial, array $crl = null)

Returns a list of all extensions in use for a given revoked certificate

Parameters

string $serial
array $crl optional

Return Value

array|bool

bool setRevokedCertificateExtension(string $serial, string $id, mixed $value, bool $critical = false, bool $replace = true)

Set a Revoked Certificate Extension

Parameters

string $serial
string $id
mixed $value
bool $critical optional
bool $replace optional

Return Value

bool

static registerExtension(string $id, array $mapping)

Register the mapping for a custom/unsupported extension.

Parameters

string $id
array $mapping

static array|null getRegisteredExtension(string $id)

Get the registered mapping for a custom/unsupported extension.

Parameters

string $id

Return Value

array|null

setExtensionValue(string $id, mixed $value, bool $critical = false, bool $replace = false)

Set the value of a custom/unsupported extension.

Parameters

string $id
mixed $value
bool $critical
bool $replace