X509
class X509
Pure-PHP X.509 Parser
Constants
VALIDATE_SIGNATURE_BY_CA: Flag to only accept signatures signed by certificate authorities. Not really used anymore but retained all the same to suppress E_NOTICEs from old installs.
DN_ARRAY: Return internal array representation
DN_STRING: Return string
DN_ASN1: Return ASN.1 name string
DN_OPENSSL: Return OpenSSL compatible array
DN_CANON: Return canonical ASN.1 RDNs string
DN_HASH: Return name hash for file indexing
FORMAT_PEM: Save as PEM, i.e. base64-encoded DER with a header and a footer
FORMAT_DER: Save as DER
FORMAT_SPKAC: Save as a SPKAC
FORMAT_AUTO_DETECT: Auto-detect the format. Used only by the load*() functions.
ATTR_ALL: Attribute value disposition targeting all values of the attribute. A disposition >= 0 is instead the index of the single target value.
ATTR_APPEND: Attribute value disposition that appends one value to the attribute's existing values.
ATTR_REPLACE: Attribute value disposition that replaces the attribute's existing values with the one given.
Methods
__construct(): Default Constructor.
loadX509(): Load X.509 certificate
saveX509(): Save X.509 certificate
loadCA(): Load an X.509 certificate as a certificate authority
validateURL(): Validate an X.509 certificate against a URL
validateDate(): Validate a date
validateSignature(): Validate a signature
setRecurLimit(): Sets the recursion limit
disableURLFetch(): Prevents URIs from being automatically retrieved
enableURLFetch(): Allows URIs to be automatically retrieved
decodeIP(): Decodes an IP address
decodeNameConstraintIP(): Decodes an IP address in a name constraints extension
encodeIP(): Encodes an IP address
setDNProp(): Set a Distinguished Name property
removeDNProp(): Remove Distinguished Name properties
getDNProp(): Get Distinguished Name properties
setDN(): Set a Distinguished Name
getDN(): Get the Distinguished Name for a certificate's subject
getIssuerDN(): Get the Distinguished Name for a certificate/CRL issuer
getSubjectDN(): Get the Distinguished Name for a certificate/CSR subject. Alias of getDN().
getIssuerDNProp(): Get an individual Distinguished Name property for a certificate/CRL issuer
getSubjectDNProp(): Get an individual Distinguished Name property for a certificate/CSR subject
getChain(): Get the certificate chain for the current cert
getCurrentCert(): Returns the current cert
setPublicKey(): Set public key
setPrivateKey(): Set private key
setChallenge(): Set challenge
getPublicKey(): Gets the public key
loadCSR(): Load a Certificate Signing Request
saveCSR(): Save CSR request
loadSPKAC(): Load a SPKAC CSR
saveSPKAC(): Save a SPKAC CSR request
loadCRL(): Load a Certificate Revocation List
saveCRL(): Save Certificate Revocation List
sign(): Sign an X.509 certificate
signCSR(): Sign a CSR
signSPKAC(): Sign a SPKAC
setStartDate(): Set certificate start date
setEndDate(): Set certificate end date
setSerialNumber(): Set Serial Number
makeCA(): Turns the certificate into a certificate authority
removeExtension(): Remove a certificate, CSR or CRL Extension
getExtension(): Get a certificate, CSR or CRL Extension
getExtensions(): Returns a list of all extensions in use in certificate, CSR or CRL
setExtension(): Set a certificate, CSR or CRL Extension
removeAttribute(): Remove a CSR attribute
getAttribute(): Get a CSR attribute
getAttributes(): Returns a list of all CSR attributes in use
setAttribute(): Set a CSR attribute
setKeyIdentifier(): Sets the subject key identifier
computeKeyIdentifier(): Compute a public key identifier
setDomain(): Set the domain names which the cert is to be valid for
setIPAddress(): Set the IP addresses which the cert is to be valid for
revoke(): Revoke a certificate
unrevoke(): Unrevoke a certificate
getRevoked(): Get a revoked certificate
listRevoked(): List revoked certificates
removeRevokedCertificateExtension(): Remove a Revoked Certificate Extension
getRevokedCertificateExtension(): Get a Revoked Certificate Extension
getRevokedCertificateExtensions(): Returns a list of all extensions in use for a given revoked certificate
setRevokedCertificateExtension(): Set a Revoked Certificate Extension
registerExtension(): Register the mapping for a custom/unsupported extension
getRegisteredExtension(): Get the mapping registered for a custom/unsupported extension
setExtensionValue(): Set the value of an extension to be applied when the certificate is signed
Details
X509
__construct()
Default Constructor.
mixed
loadX509(string $cert, int $mode = self::FORMAT_AUTO_DETECT)
Load X.509 certificate
Returns an associative array describing the X.509 cert, or false if the cert failed to load
string
saveX509(array $cert, int $format = self::FORMAT_PEM)
Save X.509 certificate
bool
loadCA(string $cert)
Load an X.509 certificate as a certificate authority
bool
validateURL(string $url)
Validate an X.509 certificate against a URL
Checks that the host part of $url matches one of the identities in the currently loaded certificate: the dNSName (or iPAddress) entries of the subjectAltName extension, falling back to the subject commonName only when no subjectAltName is present. This is a name check only; it does not verify the signature or the validity period.
From RFC 2818 "HTTP over TLS":
"Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name), a match in any one of the set is considered acceptable. Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com."
bool
validateDate(DateTimeInterface|string $date = null)
Validate a date
If $date isn't defined it is assumed to be the current date.
mixed
validateSignature(bool $caonly = true)
Validate a signature
Works on X.509 certs, CSRs and CRLs. Returns true if the signature is verified, false if it is not correct, or null on error (for example when nothing has been loaded). Because null is also falsy, compare the result strictly against true.
By default only signatures made by a certificate authority previously loaded with loadCA() are accepted, so a self-signed cert returns false. Call validateSignature(false) to also accept a cert signed with its own key.
This checks the signature chain only. The validity period (validateDate()), the host name binding (validateURL()) and revocation status are separate checks that a relying party has to make in addition.
The behavior of this function is inspired by openssl_verify (http://php.net/openssl-verify).
static
setRecurLimit(int $count)
Sets the recursion limit
When validating a signature it may be necessary to download intermediate certs from URIs named in the certificate. An intermediate cert that linked to itself would result in an infinite loop, so a recursion limit is enforced. A negative number means that there is no recursion limit.
Those URIs come from the (as yet unverified) certificate being validated, so enabling fetching lets untrusted input trigger outbound HTTP requests from the validating host. Where that is unacceptable, call disableURLFetch() and supply the intermediates explicitly with loadCA().
static
disableURLFetch()
Prevents URIs from being automatically retrieved
static
enableURLFetch()
Allows URIs to be automatically retrieved
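The following is an added example, not code from the phpseclib project, showing how a relying party would combine the validate*() methods above and the URL-fetch switches into one check. The three properties a certificate has to satisfy (a signature chain ending at a loaded CA, a validity period containing now, and a name matching the host) are three separate calls. File names and the URL are assumptions.

```php
<?php
// Added example (not phpseclib's own code). Paths and the URL are assumptions.
// phpseclib has no system trust store: every CA must be loaded explicitly.
require 'vendor/autoload.php';

use phpseclib3\File\X509;

/**
 * Verify a PEM leaf certificate against an explicit set of CA certificates,
 * then check its validity period and the host named in $url.
 * Returns ['ok' => bool, 'reason' => string, ...].
 */
function verifyLeaf(string $leafPem, array $caPems, string $url): array
{
    // Certificate contents must never drive outbound HTTP requests during
    // validation; intermediates are supplied through loadCA() instead.
    X509::disableURLFetch();

    $x509 = new X509();
    foreach ($caPems as $caPem) {
        // Certificates loaded here are accepted as issuers without further
        // checks, so only load CAs (and intermediates) you actually trust.
        if ($x509->loadCA($caPem) === false) {
            return ['ok' => false, 'reason' => 'CA certificate failed to parse'];
        }
    }
    if ($x509->loadX509($leafPem) === false) {
        return ['ok' => false, 'reason' => 'leaf certificate failed to parse'];
    }

    // Signature chain only. null means "error", so compare strictly to true.
    if ($x509->validateSignature(true) !== true) {
        return ['ok' => false, 'reason' => 'signature or issuer chain invalid'];
    }
    // The validity period is not part of the signature check.
    if (!$x509->validateDate()) {
        return ['ok' => false, 'reason' => 'outside notBefore/notAfter'];
    }
    // Neither is the name binding: dNSName SANs (or the CN) against the host.
    if (!$x509->validateURL($url)) {
        return ['ok' => false, 'reason' => 'certificate is not valid for this host'];
    }

    return [
        'ok'      => true,
        'reason'  => 'valid',
        'subject' => $x509->getDN(X509::DN_STRING),
        'issuer'  => $x509->getIssuerDN(X509::DN_STRING),
    ];
}

// Usage with assumed file names: the leaf, its intermediate and the root.
$result = verifyLeaf(
    file_get_contents('leaf.pem'),
    [file_get_contents('intermediate.pem'), file_get_contents('root.pem')],
    'https://www.example.com/'
);
print_r($result);
```

The strict `!== true` comparison matters: a null return from validateSignature() would otherwise be read as "invalid" by accident rather than by design, and a refactor that inverted the test could turn it into "valid".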
static string
decodeIP(string $ip)
Decodes an IP address
Takes in a base64 encoded "blob" and returns a human readable IP address
static array
decodeNameConstraintIP(string $ip)
Decodes an IP address in a name constraints extension
Takes in a base64 encoded "blob" and returns a human readable IP address / mask
static string
encodeIP(string|array $ip)
Encodes an IP address
Converts a human readable IP address into a base64-encoded "blob"
bool
setDNProp(string $propName, mixed $propValue, string $type = 'utf8String')
Set a Distinguished Name property
removeDNProp(string $propName)
Remove Distinguished Name properties
mixed
getDNProp(string $propName, array $dn = null, bool $withType = false)
Get Distinguished Name properties
bool
setDN(mixed $dn, bool $merge = false, string $type = 'utf8String')
Set a Distinguished Name
array|bool
getDN(mixed $format = self::DN_ARRAY, array $dn = null)
Get the Distinguished Name for a certificate's subject
mixed
getIssuerDN(int $format = self::DN_ARRAY)
Get the Distinguished Name for a certificate/crl issuer
mixed
getSubjectDN(int $format = self::DN_ARRAY)
Get the Distinguished Name for a certificate/CSR subject. Alias of getDN().
mixed
getIssuerDNProp(string $propName, bool $withType = false)
Get an individual Distinguished Name property for a certificate/crl issuer
mixed
getSubjectDNProp(string $propName, bool $withType = false)
Get an individual Distinguished Name property for a certificate/csr subject
mixed
getChain()
Get the certificate chain for the current cert
array|bool
getCurrentCert()
Returns the current cert
bool
setPublicKey(PublicKey $key)
Set public key
$key must implement \phpseclib3\Crypt\Common\PublicKey, for example the public half of a \phpseclib3\Crypt\RSA or \phpseclib3\Crypt\EC key.
setPrivateKey(PrivateKey $key)
Set private key
$key must implement \phpseclib3\Crypt\Common\PrivateKey, for example a \phpseclib3\Crypt\RSA or \phpseclib3\Crypt\EC private key. It is the key used to sign certificates, CSRs and CRLs.
setChallenge(string $challenge)
Set challenge
Used for SPKAC CSR's
mixed
getPublicKey()
Gets the public key
Returns a \phpseclib3\Crypt\Common\PublicKey object (for example an RSA or EC public key) or false.
mixed
loadCSR(string $csr, int $mode = self::FORMAT_AUTO_DETECT)
Load a Certificate Signing Request
string
saveCSR(array $csr, int $format = self::FORMAT_PEM)
Save CSR request
mixed
loadSPKAC(string $spkac)
Load a SPKAC CSR
SPKACs were produced by the HTML keygen element, which is deprecated and has been removed from current browsers:
https://developer.mozilla.org/en-US/docs/HTML/Element/keygen
string
saveSPKAC(array $spkac, int $format = self::FORMAT_PEM)
Save a SPKAC CSR request
mixed
loadCRL(string $crl, int $mode = self::FORMAT_AUTO_DETECT)
Load a Certificate Revocation List
string
saveCRL(array $crl, int $format = self::FORMAT_PEM)
Save Certificate Revocation List.
mixed
sign(X509 $issuer, X509 $subject)
Sign an X.509 certificate
$issuer's private key needs to be loaded. $subject can be either an existing X.509 cert (if you want to re-sign it), a CSR, or an object with the DN and public key explicitly set. Returns the signed certificate as an array (pass it to saveX509() to serialize it) or false on failure.
mixed
signCSR()
Sign a CSR
mixed
signSPKAC()
Sign a SPKAC
setStartDate(DateTimeInterface|string $date)
Set certificate start date
setEndDate(DateTimeInterface|string $date)
Set certificate end date
setSerialNumber(string $serial, int $base = -256)
Set Serial Number
$serial is interpreted as a \phpseclib3\Math\BigInteger in the given $base. The default -256 reads it as a big-endian two's-complement binary string, so clear the top bit of the first byte (or use base 256, which is unsigned) to keep the value positive. RFC 5280 requires serial numbers to be positive integers, unique per issuer, and no longer than 20 octets.
makeCA()
Turns the certificate into a certificate authority
bool
removeExtension(string $id)
Remove a certificate, CSR or CRL Extension
mixed
getExtension(string $id, array $cert = null, string $path = null)
Get a certificate, CSR or CRL Extension
Returns the extension if it exists and false if not
array
getExtensions(array $cert = null, string $path = null)
Returns a list of all extensions in use in certificate, CSR or CRL
bool
setExtension(string $id, mixed $value, bool $critical = false, bool $replace = true)
Set a certificate, CSR or CRL Extension
bool
removeAttribute(string $id, int $disposition = self::ATTR_ALL)
Remove a CSR attribute.
mixed
getAttribute(string $id, int $disposition = self::ATTR_ALL, array $csr = null)
Get a CSR attribute
Returns the attribute if it exists and false if not
array
getAttributes(array $csr = null)
Returns a list of all CSR attributes in use
bool
setAttribute(string $id, mixed $value, int $disposition = self::ATTR_ALL)
Set a CSR attribute
setKeyIdentifier(string $value)
Sets the subject key identifier
This is used by the id-ce-authorityKeyIdentifier and the id-ce-subjectKeyIdentifier extensions.
string
computeKeyIdentifier(mixed $key = null, int $method = 1)
Compute a public key identifier.
Although key identifiers may be set to any unique value, this function computes key identifiers from a public key according to the two recommended methods of RFC 5280 section 4.2.1.2 (formerly RFC 3280): method 1 is the 160-bit SHA-1 hash of the subjectPublicKey BIT STRING; method 2 is the four-bit prefix 0100 followed by the least significant 60 bits of that hash. Highly polymorphic: tries to accept all possible forms of key:
- Key object
- \phpseclib3\File\X509 object with public or private key defined
- Certificate or CSR array
- \phpseclib3\File\ASN1\Element object
- PEM or DER string
If $key is null, the current object's own key is used.
array
setDomain(array ...$domains)
Set the domain names which the cert is to be valid for
setIPAddress(array ...$ipAddresses)
Set the IP addresses which the cert is to be valid for
Both are written into the id-ce-subjectAltName extension when the certificate is signed.
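The issuance procedure spread over sign(), setStartDate()/setEndDate(), setSerialNumber(), makeCA(), setKeyIdentifier()/computeKeyIdentifier() and setDomain()/setIPAddress() above, as one added example that is not phpseclib's own code. It builds a self-signed CA, has the "server" side produce a CSR, and issues a leaf certificate from it. Names, the curve, lifetimes and file names are illustrative assumptions; EC::createKey() and toString('PKCS8') are phpseclib3 key APIs not listed on this page.

```php
<?php
// Added example (not phpseclib's own code): root CA, CSR, and a leaf issued
// from the CSR. Names, curve, lifetimes and file names are assumptions.
require 'vendor/autoload.php';

use phpseclib3\Crypt\EC;
use phpseclib3\File\X509;

/** RFC 5280 serial: positive, unique per issuer, from a CSPRNG. The top bit
 *  is cleared so the two's-complement (base -256) value stays positive. */
function randomSerial(): string
{
    return chr(random_int(0, 0x7f)) . random_bytes(15); // 128 bits
}

// 1. Root CA: key pair plus self-signed certificate.
$caKey = EC::createKey('secp256r1');
$caPub = $caKey->getPublicKey();

$ca = new X509();
$ca->setPrivateKey($caKey);
$ca->setPublicKey($caPub);
$ca->setDN(['cn' => 'Example Root CA', 'o' => 'Example Corp']);
$ca->setKeyIdentifier($ca->computeKeyIdentifier($caPub)); // subject/authority key ids
$ca->setStartDate('-1 day');                              // tolerate relying-party clock skew
$ca->setEndDate('+10 years');
$ca->setSerialNumber(randomSerial(), -256);
$ca->makeCA();                       // basicConstraints cA=TRUE, keyUsage keyCertSign/cRLSign
$caPem = $ca->saveX509($ca->sign($ca, $ca));              // issuer == subject
$ca->loadX509($caPem);               // the issuer object now carries its own cert

// 2. Server side: key pair and CSR. The private key never leaves the server.
$serverKey = EC::createKey('secp256r1');
$request = new X509();
$request->setPrivateKey($serverKey);
$request->setDN(['cn' => 'www.example.com', 'o' => 'Example Corp']);
$csrPem = $request->saveCSR($request->signCSR());

// 3. CA side: load the CSR, decide names and lifetime, sign.
$subject = new X509();
$subject->loadCSR($csrPem);
// The CA, not the requester, decides which names end up in the SAN.
$subject->setDomain('www.example.com', 'example.com');
$subject->setIPAddress('192.0.2.10');
$subject->setKeyIdentifier($subject->computeKeyIdentifier($subject->getPublicKey()));

$signer = new X509();               // carries dates and serial for this issuance
$signer->setStartDate('now');
$signer->setEndDate('+398 days');
$signer->setSerialNumber(randomSerial(), -256);
$leafPem = $signer->saveX509($signer->sign($ca, $subject));

// 4. Inspect what was issued.
$leaf = new X509();
$leaf->loadX509($leafPem);
echo $leaf->getDN(X509::DN_STRING), "\n";
echo $leaf->getIssuerDN(X509::DN_STRING), "\n";
print_r($leaf->getExtension('id-ce-subjectAltName'));
var_dump($leaf->getExtension('id-ce-basicConstraints')); // false: the leaf is not a CA
print_r($leaf->getExtensions());

file_put_contents('ca.pem', $caPem);
file_put_contents('ca-key.pem', $caKey->toString('PKCS8'));
file_put_contents('www.example.com.pem', $leafPem);
```

Two design points: makeCA() is called on the object that performs the signing, which is why the root is signed by itself while the leaf is signed through a plain $signer that never calls makeCA(); and the CSR only transports the requester's public key and DN, so the names in the SAN are set by the issuing side after whatever vetting it applies.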
bool
revoke(string $serial, string $date = null)
Revoke a certificate.
bool
unrevoke(string $serial)
Unrevoke a certificate.
mixed
getRevoked(string $serial)
Get a revoked certificate.
array|bool
listRevoked(array $crl = null)
List revoked certificates
bool
removeRevokedCertificateExtension(string $serial, string $id)
Remove a Revoked Certificate Extension
mixed
getRevokedCertificateExtension(string $serial, string $id, array $crl = null)
Get a Revoked Certificate Extension
Returns the extension if it exists and false if not
array|bool
getRevokedCertificateExtensions(string $serial, array $crl = null)
Returns a list of all extensions in use for a given revoked certificate
bool
setRevokedCertificateExtension(string $serial, string $id, mixed $value, bool $critical = false, bool $replace = true)
Set a Revoked Certificate Extension
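An added example, not phpseclib's own code, covering the CRL methods above (loadCRL()/saveCRL(), revoke(), unrevoke(), getRevoked(), listRevoked() and the per-entry extension methods). It assumes the CA certificate and private key are on disk as ca.pem and ca-key.pem, that the certificate to revoke is in www.example.com.pem, and uses signCRL(), a phpseclib3 X509 method not listed on this page, together with PublicKeyLoader from the phpseclib3 key API.

```php
<?php
// Added example (not phpseclib's own code). File names are assumptions.
require 'vendor/autoload.php';

use phpseclib3\Crypt\PublicKeyLoader;
use phpseclib3\File\X509;

// The issuer object needs its certificate (issuer DN, authority key id) and
// its private key (to sign the CRL).
$issuer = new X509();
$issuer->loadX509(file_get_contents('ca.pem'));
$issuer->setPrivateKey(PublicKeyLoader::load(file_get_contents('ca-key.pem')));

// Take the serial from the certificate itself rather than typing it: parsed
// serials are BigInteger objects, and revoke() wants the decimal string.
$victim = new X509();
$victim->loadX509(file_get_contents('www.example.com.pem'));
$serial = $victim->getCurrentCert()['tbsCertificate']['serialNumber']->toString();

// Continue an existing CRL when there is one, otherwise start from an empty one.
$crl = new X509();
if (is_file('ca.crl')) {
    $crl->loadCRL(file_get_contents('ca.crl'));
} else {
    // signCRL() on an empty object yields a CRL with no entries; load it so
    // that revoke() has a tbsCertList to add to.
    $crl->loadCRL($crl->saveCRL($crl->signCRL($issuer, $crl)));
}

// Record the revocation and the reason relying parties act on.
$crl->revoke($serial);
$crl->setRevokedCertificateExtension($serial, 'id-ce-cRLReasons', 'keyCompromise');

// Sign the updated list. setEndDate() becomes nextUpdate; a short window
// limits how long a stale CRL can be replayed.
$crl->setStartDate('now');
$crl->setEndDate('+7 days');
file_put_contents('ca.crl', $crl->saveCRL($crl->signCRL($issuer, $crl)));

// Verification path a relying party would take: reload, check the CRL's
// signature against the CA, then look the serial up.
$check = new X509();
$check->loadCA(file_get_contents('ca.pem'));
$check->loadCRL(file_get_contents('ca.crl'));
var_dump($check->validateSignature() === true);
var_dump(in_array($serial, $check->listRevoked(), true));
print_r($check->getRevoked($serial));
var_dump($check->getRevokedCertificateExtension($serial, 'id-ce-cRLReasons'));
print_r($check->getRevokedCertificateExtensions($serial));

// unrevoke() removes the entry again; it only takes effect once re-signed.
// $crl->unrevoke($serial);
```

Because revoke() and the extension setters only edit the in-memory list, a CRL is not authoritative until signCRL() has run on it again; publishing the saveCRL() output of an edited but unsigned list would yield a CRL whose signature no longer matches its contents.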
static
registerExtension(string $id, array $mapping)
Register the mapping for a custom/unsupported extension.
static array|null
getRegisteredExtension(string $id)
Get the mapping previously registered for a custom/unsupported extension, or null if none was registered.
setExtensionValue(string $id, mixed $value, bool $critical = false, bool $replace = false)
Set the value of an extension (built-in or registered) to be applied to the certificate when it is signed. Unlike setExtension(), this does not require a certificate to be loaded first, so it is the way to add extensions to a certificate that is being created.
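An added example, not phpseclib's own code, taking a private extension through registerExtension(), setExtensionValue(), sign() and back out through getExtension(). The extension name, the OID (an arbitrary number under the 1.3.6.1.4.1 private-enterprise arc) and the file names are assumptions; ASN1::loadOIDs(), ASN1::TYPE_UTF8_STRING, EC::createKey() and PublicKeyLoader are phpseclib3 APIs not listed on this page.

```php
<?php
// Added example (not phpseclib's own code). The OID and names are assumptions.
require 'vendor/autoload.php';

use phpseclib3\Crypt\EC;
use phpseclib3\Crypt\PublicKeyLoader;
use phpseclib3\File\ASN1;
use phpseclib3\File\X509;

const EXT_NAME = 'example-deviceId';
const EXT_OID  = '1.3.6.1.4.1.99999.1.1';   // assumed private-enterprise OID

// Teach the ASN.1 layer the name/OID pair, then teach X509 how the extension
// value is encoded (here a single UTF8String). Without a registered mapping a
// parser keeps only the raw DER bytes and the value cannot be encoded.
ASN1::loadOIDs([EXT_NAME => EXT_OID]);
X509::registerExtension(EXT_NAME, ['type' => ASN1::TYPE_UTF8_STRING]);
print_r(X509::getRegisteredExtension(EXT_NAME));   // the mapping just registered

// Issuer from disk (the CA produced in the issuance example).
$issuer = new X509();
$issuer->loadX509(file_get_contents('ca.pem'));
$issuer->setPrivateKey(PublicKeyLoader::load(file_get_contents('ca-key.pem')));

// Subject: a fresh device key and DN.
$deviceKey = EC::createKey('secp256r1');
$subject = new X509();
$subject->setPublicKey($deviceKey->getPublicKey());
$subject->setDN(['cn' => 'device-0001']);

// setExtension() needs a loaded certificate, which a certificate under
// construction does not have yet; setExtensionValue() queues the value on the
// signing object and sign() writes it into the new certificate. Left
// non-critical so parsers that do not know the OID still accept the cert.
$signer = new X509();
$signer->setEndDate('+1 year');
$signer->setExtensionValue(EXT_NAME, 'SN-0001-ABCD', false);
$pem = $signer->saveX509($signer->sign($issuer, $subject));

// Round trip: a parser with the same registration decodes the value.
$parsed = new X509();
$parsed->loadX509($pem);
var_dump($parsed->getExtension(EXT_NAME));          // "SN-0001-ABCD"
var_dump(in_array(EXT_NAME, $parsed->getExtensions(), true));
```

The registration is process-global static state: any X509 instance created afterwards, including ones that only parse, sees the mapping. A critical extension should be used only where every consumer of the certificate is guaranteed to have that registration, since an unknown critical extension must cause rejection.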