1
0
mirror of https://github.com/danog/phpseclib.git synced 2024-12-13 09:37:37 +01:00

X509: don't validate self-signed certs by default

This commit is contained in:
terrafrost 2013-06-08 12:40:39 -05:00
parent 9bcee47f2e
commit fe3765fe17

View File

@ -53,8 +53,9 @@ if (!class_exists('File_ASN1')) {
/** /**
* Flag to only accept signatures signed by certificate authorities * Flag to only accept signatures signed by certificate authorities
* *
* Not really used anymore but retained all the same to suppress E_NOTICEs from old installs
*
* @access public * @access public
* @see File_X509::validateSignature()
*/ */
define('FILE_X509_VALIDATE_SIGNATURE_BY_CA', 1); define('FILE_X509_VALIDATE_SIGNATURE_BY_CA', 1);
@ -1989,13 +1990,16 @@ class File_X509 {
* Works on X.509 certs, CSR's and CRL's. * Works on X.509 certs, CSR's and CRL's.
* Returns true if the signature is verified, false if it is not correct or NULL on error * Returns true if the signature is verified, false if it is not correct or NULL on error
* *
* By default returns false for self-signed certs. Call validateSignature(false) to make this support
* self-signed.
*
* The behavior of this function is inspired by {@link http://php.net/openssl-verify openssl_verify}. * The behavior of this function is inspired by {@link http://php.net/openssl-verify openssl_verify}.
* *
* @param Integer $options optional * @param Boolean $caonly optional
* @access public * @access public
* @return Mixed * @return Mixed
*/ */
function validateSignature($options = 0) function validateSignature($caonly = true)
{ {
if (!is_array($this->currentCert) || !isset($this->signatureSubject)) { if (!is_array($this->currentCert) || !isset($this->signatureSubject)) {
return 0; return 0;
@ -2036,10 +2040,10 @@ class File_X509 {
} }
} }
} }
if (count($this->CAs) == $i && ($options & FILE_X509_VALIDATE_SIGNATURE_BY_CA)) { if (count($this->CAs) == $i && $caonly) {
return false; return false;
} }
} elseif (!isset($signingCert) || ($options & FILE_X509_VALIDATE_SIGNATURE_BY_CA)) { } elseif (!isset($signingCert) || $caonly) {
return false; return false;
} }
return $this->_validateSignature( return $this->_validateSignature(