From fe3765fe1773c9d62985d05d5b5da24c921c4bd0 Mon Sep 17 00:00:00 2001
From: terrafrost
Date: Sat, 8 Jun 2013 12:40:39 -0500
Subject: [PATCH] X509: don't validate self-signed certs by default

---
 phpseclib/File/X509.php | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/phpseclib/File/X509.php b/phpseclib/File/X509.php
index 4f7ae0b5..b7c68b2f 100644
--- a/phpseclib/File/X509.php
+++ b/phpseclib/File/X509.php
@@ -53,8 +53,9 @@ if (!class_exists('File_ASN1')) {
 /**
 * Flag to only accept signatures signed by certificate authorities
 *
+ * Not really used anymore but retained all the same to suppress E_NOTICEs from old installs
+ * + * @access public
- * @see File_X509::validateSignature()
 */
 define('FILE_X509_VALIDATE_SIGNATURE_BY_CA', 1);
@@ -1989,13 +1990,16 @@ class File_X509 {
 * Works on X.509 certs, CSR's and CRL's.
 * Returns true if the signature is verified, false if it is not correct or NULL on error
 *
+ * By default returns false for self-signed certs. Call validateSignature(false) to make this support
+ * self-signed.
+ * + * The behavior of this function is inspired by {@link http://php.net/openssl-verify openssl_verify}.
 *
- * @param Integer $options optional
+ * @param Boolean $caonly optional @access public
 * @return Mixed
 */
- function validateSignature($options = 0)
+ function validateSignature($caonly = true)
 {
 if (!is_array($this->currentCert) || !isset($this->signatureSubject)) {
 return 0;
@@ -2036,10 +2040,10 @@ class File_X509 {
 }
 }
 }
- if (count($this->CAs) == $i && ($options & FILE_X509_VALIDATE_SIGNATURE_BY_CA)) {
+ if (count($this->CAs) == $i && $caonly) {
 return false;
 }
- } elseif (!isset($signingCert) || ($options & FILE_X509_VALIDATE_SIGNATURE_BY_CA)) {
+ } elseif (!isset($signingCert) || $caonly) {
 return false;
 }
 return $this->_validateSignature(
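Review bot: FILE_X509_VALIDATE_SIGNATURE_BY_CA is kept only for backward compatibility now that validateSignature() no longer reads it, but the docblock does not say so in a machine-readable way; add `* @deprecated Pass a Boolean $caonly to File_X509::validateSignature() instead` in place of the removed `@see` line so IDEs and static analysers flag remaining call sites. Callers that still pass the constant (integer 1) end up as a truthy `$caonly` in the later hunk and so keep the CA-only behaviour, which is worth stating next to the constant rather than leaving readers to work it out.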
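Review bot: The added docblock sentence "By default returns false for self-signed certs" understates the new default: with `$caonly` left true, the checks in the later hunk return false for any certificate whose issuer matches none of the loaded CAs, not only self-signed ones, so a caller that never calls loadCA() gets false for every certificate. Suggest `* By default (caonly = true) the signature is only accepted if it was made by a certificate previously passed to loadCA(); pass false to also accept self-signed certs.` The `@param Boolean $caonly optional` line could also record that the default is true and that any falsy value (including the old 0) disables the CA requirement, since the parameter is untyped and legacy integer arguments are still accepted. The function body continues outside the hunk.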
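Review bot: `$caonly` is tested for truthiness in both the `if` and the `elseif`, so any non-empty value enables the CA-only requirement (which is how legacy calls passing the integer constant keep working) while 0, '0', '' and null disable it; a single `$caonly = (bool) $caonly;` near the top of the function would make the two branches read as one decision and document the accepted inputs. Both `return false` exits here reject a certificate because no trust path exists, not because the signature bytes are wrong, which the docblock's "false if it is not correct" does not distinguish; a comment such as `// fail closed: issuer is not a loaded CA and self-signed trust was not requested` at the first `return false` would help the next reader. The enclosing function and the `for` loop that sets `$i` start outside the hunk, so whether `$i` is initialised when `$this->CAs` is empty cannot be confirmed from here.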