danog/tgseclib
1
0
Fork 0
mirror of https://github.com/danog/tgseclib.git synced 2025-01-22 05:51:20 +01:00
Code Issues Projects Releases Wiki Activity
tgseclib/phpseclib/File/X509.php

1142 lines
49 KiB
PHP
Raw Blame History

<?php
/* vim: set expandtab tabstop=4 shiftwidth=4 softtabstop=4: */
/**
* Pure-PHP X.509 Parser
*
* PHP versions 4 and 5
*
* Encode and decode X.509 certificates.
*
* The extensions are from {@link http://tools.ietf.org/html/rfc5280 RFC5280} and
* {@link http://web.archive.org/web/19961027104704/http://www3.netscape.com/eng/security/cert-exts.html Netscape Certificate Extensions}.
*
* LICENSE: Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*
* @category File
* @package File_X509
* @author Jim Wigginton <terrafrost@php.net>
* @copyright MMXII Jim Wigginton
* @license http://www.opensource.org/licenses/mit-license.html MIT License
* @version $Id$
* @link htp://phpseclib.sourceforge.net
*/
/**
* Include File_ASN1
*/
include('File/ASN1.php');
/**
* Pure-PHP X.509 Parser
*
* @author Jim Wigginton <terrafrost@php.net>
* @version 0.3.0
* @access public
* @package File_X509
*/
class File_X509 {
/**
* ASN.1 syntax for X.509 certificates
*
* @var Array
* @access private
*/
var $Certificate;
/**#@+
* ASN.1 syntax for various extensions
*
* @access private
*/
var $KeyUsage;
var $ExtKeyUsageSyntax;
var $BasicConstraints;
var $KeyIdentifier;
var $CRLDistributionPoints;
var $AuthorityKeyIdentifier;
var $CertificatePolicies;
var $AuthorityInfoAccessSyntax;
var $SubjectAltName;
var $PrivateKeyUsagePeriod;
var $IssuerAltName;
var $PolicyMappings;
var $NameConstraints;
var $netscape_cert_type;
var $netscape_comment;
/**#@-*/
/**
* Object identifiers for X.509 certificates
*
* @var Array
* @access private
* @link http://en.wikipedia.org/wiki/Object_identifier
*/
var $oids;
/**
* The certificate authorities
*
* @var Array
* @access private
*/
var $CAs;
/**
* The currently loaded certificate
*
* @var Array
* @access private
*/
var $certificate;
/**
* Default Constructor.
*
* @return File_X509
* @access public
*/
function File_X509()
{
// Explicitly Tagged Module, 1988 Syntax
// http://tools.ietf.org/html/rfc5280#appendix-A.1
$temp = array('min' => 1, 'max' => -1);
$DirectoryString = array(
'type' => FILE_ASN1_TYPE_CHOICE,
'children' => array(
'teletexString' => $temp + array('type' => FILE_ASN1_TYPE_TELETEX_STRING),
'printableString' => $temp + array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING),
'universalString' => $temp + array('type' => FILE_ASN1_TYPE_UNIVERSAL_STRING),
'utf8String' => $temp + array('type' => FILE_ASN1_TYPE_UTF8_STRING),
'bmpString' => $temp + array('type' => FILE_ASN1_TYPE_BMP_STRING)
)
);
$AttributeValue = array('type' => FILE_ASN1_TYPE_ANY);
$AttributeType = array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER);
$AttributeTypeAndValue = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'children' => array(
'type' => $AttributeType,
'value'=> $AttributeValue
)
);
/*
In practice, RDNs containing multiple name-value pairs (called "multivalued RDNs") are rare,
but they can be useful at times when either there is no unique attribute in the entry or you
want to ensure that the entry's DN contains some useful identifying information.
- https://www.opends.org/wiki/page/DefinitionRelativeDistinguishedName
*/
$RelativeDistinguishedName = array(
'type' => FILE_ASN1_TYPE_SET,
'min' => 1,
'max' => -1,
'children' => $AttributeTypeAndValue
);
// http://tools.ietf.org/html/rfc5280#section-4.1.2.4
$RDNSequence = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
// RDNSequence does not define a min or a max, which means it doesn't have one
'min' => 0,
'max' => -1,
'children' => $RelativeDistinguishedName
);
$Name = array(
'type' => FILE_ASN1_TYPE_CHOICE,
'children' => array(
'rdnSequence' => $RDNSequence
)
);
// http://tools.ietf.org/html/rfc5280#section-4.1.1.2
$AlgorithmIdentifier = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'children' => array(
'algorithm' => array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER),
'parameters' => array(
'type' => FILE_ASN1_TYPE_ANY,
'optional' => true
)
)
);
/*
A certificate using system MUST reject the certificate if it encounters
a critical extension it does not recognize; however, a non-critical
extension may be ignored if it is not recognized.
http://tools.ietf.org/html/rfc5280#section-4.2
*/
$Extension = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'children' => array(
'extnId' => array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER),
'critical' => array(
'type' => FILE_ASN1_TYPE_BOOLEAN,
'optional' => true,
'default' => false
),
'extnValue' => array('type' => FILE_ASN1_TYPE_OCTET_STRING)
)
);
$Extensions = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'min' => 1,
// technically, it's MAX, but we'll assume anything < 0 is MAX
'max' => -1,
// if 'children' isn't an array then 'min' and 'max' must be defined
'children' => $Extension
);
$SubjectPublicKeyInfo = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'children' => array(
'algorithm' => $AlgorithmIdentifier,
'subjectPublicKey' => array('type' => FILE_ASN1_TYPE_BIT_STRING)
)
);
$UniqueIdentifier = array('type' => FILE_ASN1_TYPE_BIT_STRING);
$Time = array(
'type' => FILE_ASN1_TYPE_CHOICE,
'children' => array(
'utcTime' => array('type' => FILE_ASN1_TYPE_UTC_TIME),
'generalTime' => array('type' => FILE_ASN1_TYPE_GENERALIZED_TIME)
)
);
// http://tools.ietf.org/html/rfc5280#section-4.1.2.5
$Validity = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'children' => array(
'notBefore' => $Time,
'notAfter' => $Time
)
);
$CertificateSerialNumber = array('type' => FILE_ASN1_TYPE_INTEGER);
$Version = array(
'type' => FILE_ASN1_TYPE_INTEGER,
'mapping' => array('v1', 'v2', 'v3')
);
// assert($TBSCertificate['children']['signature'] == $Certificate['children']['signatureAlgorithm'])
$TBSCertificate = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'children' => array(
// technically, default implies optional, but we'll define it as being optional, none-the-less, just to
// reenforce that fact
'version' => array(
'constant' => 0,
'optional' => true,
'explicit' => true,
'default' => 'v1'
) + $Version,
'serialNumber' => $CertificateSerialNumber,
'signature' => $AlgorithmIdentifier,
'issuer' => $Name,
'validity' => $Validity,
'subject' => $Name,
'subjectPublicKeyInfo' => $SubjectPublicKeyInfo,
// implicit means that the T in the TLV structure is to be rewritten, regardless of the type
'issuerUniqueID' => array(
'constant' => 1,
'optional' => true,
'implicit' => true
) + $UniqueIdentifier,
'subjectUniqueID' => array(
'constant' => 2,
'optional' => true,
'implicit' => true
) + $UniqueIdentifier,
// <http://tools.ietf.org/html/rfc2459#page-74> doesn't use the EXPLICIT keyword but if
// it's not IMPLICIT, it's EXPLICIT
'extensions' => array(
'constant' => 3,
'optional' => true,
'explicit' => true
) + $Extensions
)
);
$this->Certificate = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'children' => array(
'tbsCertificate' => $TBSCertificate,
'signatureAlgorithm' => $AlgorithmIdentifier,
'signature' => array('type' => FILE_ASN1_TYPE_BIT_STRING)
)
);
$this->KeyUsage = array(
'type' => FILE_ASN1_TYPE_BIT_STRING,
'mapping' => array(
'digitalSignature',
'nonRepudiation',
'keyEncipherment',
'dataEncipherment',
'keyAgreement',
'keyCertSign',
'cRLSign',
'encipherOnly',
'decipherOnly'
)
);
$this->BasicConstraints = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'children' => array(
'cA' => array(
'type' => FILE_ASN1_TYPE_BOOLEAN,
'optional' => true,
'default' => false
),
'pathLenConstraint' => array(
'type' => FILE_ASN1_TYPE_INTEGER,
'optional' => true
)
)
);
$this->KeyIdentifier = array('type' => FILE_ASN1_TYPE_OCTET_STRING);
$OrganizationalUnitNames = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'min' => 1,
'max' => 4, // ub-organizational-units
'children' => array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING)
);
$PersonalName = array(
'type' => FILE_ASN1_TYPE_SET,
'children' => array(
'surname' => array(
'type' => FILE_ASN1_TYPE_PRINTABLE_STRING,
'constant' => 0,
'optional' => true,
'implicit' => true
),
'given-name' => array(
'type' => FILE_ASN1_TYPE_PRINTABLE_STRING,
'constant' => 1,
'optional' => true,
'implicit' => true
),
'initials' => array(
'type' => FILE_ASN1_TYPE_PRINTABLE_STRING,
'constant' => 2,
'optional' => true,
'implicit' => true
),
'generation-qualifier' => array(
'type' => FILE_ASN1_TYPE_PRINTABLE_STRING,
'constant' => 3,
'optional' => true,
'implicit' => true
)
)
);
$NumericUserIdentifier = array('type' => FILE_ASN1_TYPE_NUMERIC_STRING);
$OrganizationName = array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING);
$PrivateDomainName = array(
'type' => FILE_ASN1_TYPE_CHOICE,
'children' => array(
'numeric' => array('type' => FILE_ASN1_TYPE_NUMERIC_STRING),
'printable' => array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING)
)
);
$TerminalIdentifier = array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING);
$NetworkAddress = array('type' => FILE_ASN1_TYPE_NUMERIC_STRING);
$AdministrationDomainName = array(
'type' => FILE_ASN1_TYPE_CHOICE,
// if class isn't present it's assumed to be FILE_ASN1_CLASS_UNIVERSAL or
// (if constant is present) FILE_ASN1_CLASS_CONTEXT_SPECIFIC
'class' => FILE_ASN1_CLASS_APPLICATION,
'cast' => 2,
'children' => array(
'numeric' => array('type' => FILE_ASN1_TYPE_NUMERIC_STRING),
'printable' => array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING)
)
);
$CountryName = array(
'type' => FILE_ASN1_TYPE_CHOICE,
// if class isn't present it's assumed to be FILE_ASN1_CLASS_UNIVERSAL or
// (if constant is present) FILE_ASN1_CLASS_CONTEXT_SPECIFIC
'class' => FILE_ASN1_CLASS_APPLICATION,
'cast' => 1,
'children' => array(
'x121-dcc-code' => array('type' => FILE_ASN1_TYPE_NUMERIC_STRING),
'iso-3166-alpha2-code' => array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING)
)
);
$AnotherName = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'children' => array(
'type-id' => array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER),
'value' => array(
'type' => FILE_ASN1_TYPE_ANY,
'constant' => 0,
'optional' => true,
'explicit' => true
)
)
);
$ExtensionAttribute = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'children' => array(
'extension-attribute-type' => array(
'type' => FILE_ASN1_TYPE_PRINTABLE_STRING,
'constant' => 0,
'optional' => true,
'implicit' => true
),
'extension-attribute-value' => array(
'type' => FILE_ASN1_TYPE_ANY,
'constant' => 1,
'optional' => true,
'explicit' => true
)
)
);
$ExtensionAttributes = array(
'type' => FILE_ASN1_TYPE_SET,
'min' => 1,
'max' => 256, // ub-extension-attributes
'children' => $ExtensionAttribute
);
$BuiltInDomainDefinedAttribute = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'children' => array(
'type' => array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING),
'value' => array('type' => FILE_ASN1_TYPE_PRINTABLE_STRING)
)
);
$BuiltInDomainDefinedAttributes = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'min' => 1,
'max' => 4, // ub-domain-defined-attributes
'children' => $BuiltInDomainDefinedAttribute
);
$BuiltInStandardAttributes = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'children' => array(
'country-name' => array('optional' => true) + $CountryName,
'administration-domain-name' => array('optional' => true) + $AdministrationDomainName,
'network-address' => array(
'constant' => 0,
'optional' => true,
'implicit' => trues
) + $NetworkAddress,
'terminal-identifier' => array(
'constant' => 1,
'optional' => true,
'implicit' => true
) + $TerminalIdentifier,
'private-domain-name' => array(
'constant' => 2,
'optional' => true,
'explicit' => true
) + $PrivateDomainName,
'organization-name' => array(
'constant' => 3,
'optional' => true,
'implicit' => true
) + $OrganizationName,
'numeric-user-identifier' => array(
'constant' => 4,
'optional' => true,
'implicit' => true
) + $NumericUserIdentifier,
'personal-name' => array(
'constant' => 5,
'optional' => true,
'implicit' => true
) + $PersonalName,
'organizational-unit-names' => array(
'constant' => 6,
'optional' => true,
'implicit' => true
) + $OrganizationalUnitNames
)
);
$ORAddress = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'children' => array(
'built-in-standard-attributes' => $BuiltInStandardAttributes,
'built-in-domain-defined-attributes' => array('optional' => true) + $BuiltInDomainDefinedAttributes,
'extension-attributes' => array('optional' => true) + $ExtensionAttributes
)
);
$EDIPartyName = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'children' => array(
'nameAssigner' => array(
'constant' => 0,
'optional' => true,
'implicit' => true
) + $DirectoryString,
// partyName is technically required but File_ASN1 doesn't currently support non-optional constants and
// setting it to optional gets the job done in any event.
'partyName' => array(
'constant' => 1,
'optional' => true,
'implicit' => true
) + $DirectoryString
)
);
$GeneralName = array(
'type' => FILE_ASN1_TYPE_CHOICE,
'children' => array(
'otherName' => array(
'constant' => 0,
'optional' => true,
'implicit' => true
) + $AnotherName,
'rfc822Name' => array(
'type' => FILE_ASN1_TYPE_IA5_STRING,
'constant' => 1,
'optional' => true,
'implicit' => true
),
'dNSName' => array(
'type' => FILE_ASN1_TYPE_IA5_STRING,
'constant' => 2,
'optional' => true,
'implicit' => true
),
'x400Address' => array(
'constant' => 3,
'optional' => true,
'implicit' => true
) + $ORAddress,
'directoryName' => array(
'constant' => 4,
'optional' => true,
'implicit' => true
) + $Name,
'ediPartyName' => array(
'constant' => 5,
'optional' => true,
'implicit' => true
) + $EDIPartyName,
'uniformResourceIdentifier' => array(
'type' => FILE_ASN1_TYPE_IA5_STRING,
'constant' => 6,
'optional' => true,
'implicit' => true
),
'iPAddress' => array(
'type' => FILE_ASN1_TYPE_OCTET_STRING,
'constant' => 7,
'optional' => true,
'implicit' => true
),
'registeredID' => array(
'type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER,
'constant' => 8,
'optional' => true,
'implicit' => true
)
)
);
$GeneralNames = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'min' => 1,
'max' => -1,
'children' => $GeneralName
);
$this->IssuerAltName = $GeneralNames;
$ReasonFlags = array(
'type' => FILE_ASN1_TYPE_BIT_STRING,
'mapping' => array(
'unused',
'keyCompromise',
'cACompromise',
'affiliationChanged',
'superseded',
'cessationOfOperation',
'certificateHold',
'privilegeWithdrawn',
'aACompromise'
)
);
$DistributionPointName = array(
'type' => FILE_ASN1_TYPE_CHOICE,
'children' => array(
'fullName' => array(
'constant' => 0,
'optional' => true,
'implicit' => true
) + $GeneralNames,
'nameRelativeToCRLIssuer' => array(
'constant' => 1,
'optional' => true,
'implicit' => true
) + $RelativeDistinguishedName
)
);
$DistributionPoint = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'children' => array(
'distributionPoint' => array(
'constant' => 0,
'optional' => true,
'implicit' => true
) + $DistributionPointName,
'reasons' => array(
'constant' => 1,
'optional' => true,
'implicit' => true
) + $ReasonFlags,
'cRLIssuer' => array(
'constant' => 2,
'optional' => true,
'implicit' => true
) + $GeneralNames
)
);
$this->CRLDistributionPoints = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'min' => 1,
'max' => -1,
'children' => $DistributionPoint
);
$this->AuthorityKeyIdentifier = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'children' => array(
'keyIdentifier' => array(
'constant' => 0,
'optional' => true,
'implicit' => true
) + $this->KeyIdentifier,
'authorityCertIssuer' => array(
'constant' => 1,
'optional' => true,
'implicit' => true
) + $GeneralNames,
'authorityCertSerialNumber' => array(
'constant' => 2,
'optional' => true,
'implicit' => true
) + $CertificateSerialNumber
)
);
$PolicyQualifierId = array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER);
$PolicyQualifierInfo = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'children' => array(
'policyQualifierId' => $PolicyQualifierId,
'qualifier' => array('type' => FILE_ASN1_TYPE_ANY)
)
);
$CertPolicyId = array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER);
$PolicyInformation = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'children' => array(
'policyIdentifier' => $CertPolicyId,
'policyQualifiers' => array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'min' => 1,
'max' => -1,
'children' => $PolicyQualifierInfo
)
)
);
$this->CertificatePolicies = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'min' => 1,
'max' => -1,
'children' => $PolicyInformation
);
$this->PolicyMappings = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'min' => 1,
'max' => -1,
'children' => array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'children' => array(
'issuerDomainPolicy' => $CertPolicyId,
'subjectDomainPolicy' => $CertPolicyId
)
)
);
$KeyPurposeId = array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER);
$this->ExtKeyUsageSyntax = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'min' => 1,
'max' => -1,
'children' => $KeyPurposeId
);
$AccessDescription = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'children' => array(
'accessMethod' => array('type' => FILE_ASN1_TYPE_OBJECT_IDENTIFIER),
'accessLocation' => $GeneralName
)
);
$this->AuthorityInfoAccessSyntax = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'min' => 1,
'max' => -1,
'children' => $AccessDescription
);
$this->SubjectAltName = $GeneralNames;
$this->PrivateKeyUsagePeriod = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'children' => array(
'notBefore' => array(
'constant' => 0,
'optional' => true,
'implicit' => true,
'type' => FILE_ASN1_TYPE_GENERALIZED_TIME),
'notAfter' => array(
'constant' => 1,
'optional' => true,
'implicit' => true,
'type' => FILE_ASN1_TYPE_GENERALIZED_TIME)
)
);
$BaseDistance = array('type' => FILE_ASN1_TYPE_INTEGER);
$GeneralSubtree = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'children' => array(
'base' => $GeneralName,
'minimum' => array(
'constant' => 0,
'optional' => true,
'implicit' => true,
'default' => new Math_BigInteger(0)
) + $BaseDistance,
'maximum' => array(
'constant' => 1,
'optional' => true,
'implicit' => true,
) + $BaseDistance
)
);
$GeneralSubtrees = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'min' => 1,
'max' => -1,
'children' => $GeneralSubtree
);
$this->NameConstraints = array(
'type' => FILE_ASN1_TYPE_SEQUENCE,
'children' => array(
'permittedSubtrees' => array(
'constant' => 0,
'optional' => true,
'implicit' => true
) + $GeneralSubtrees,
'excludedSubtrees' => array(
'constant' => 1,
'optional' => true,
'implicit' => true
) + $GeneralSubtrees
)
);
// mapping is from <http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html>
$this->netscape_cert_type = array(
'type' => FILE_ASN1_TYPE_BIT_STRING,
'mapping' => array(
'SSLClient',
'SSLServer',
'Email',
'ObjectSigning',
'Reserved',
'SSLCA',
'EmailCA',
'ObjectSigningCA'
)
);
$this->netscape_comment = array('type' => FILE_ASN1_TYPE_IA5_STRING);
// OIDs from RFC5280 and those RFCs mentioned in RFC5280#section-4.1.1.2
$this->oids = array(
'1.3.6.1.5.5.7' => 'id-pkix',
'1.3.6.1.5.5.7.1' => 'id-pe',
'1.3.6.1.5.5.7.2' => 'id-qt',
'1.3.6.1.5.5.7.3' => 'id-kp',
'1.3.6.1.5.5.7.48' => 'id-ad',
'1.3.6.1.5.5.7.2.1' => 'id-qt-cps',
'1.3.6.1.5.5.7.2.2' => 'id-qt-unotice',
'1.3.6.1.5.5.7.48.1' =>'id-ad-ocsp',
'1.3.6.1.5.5.7.48.2' => 'id-ad-caIssuers',
'1.3.6.1.5.5.7.48.3' => 'id-ad-timeStamping',
'1.3.6.1.5.5.7.48.5' => 'id-ad-caRepository',
'2.5.4' => 'id-at',
'2.5.4.41' => 'id-at-name',
'2.5.4.4' => 'id-at-surname',
'2.5.4.42' => 'id-at-givenName',
'2.5.4.43' => 'id-at-initials',
'2.5.4.44' => 'id-at-generationQualifier',
'2.5.4.3' => 'id-at-commonName',
'2.5.4.7' => 'id-at-localityName',
'2.5.4.8' => 'id-at-stateOrProvinceName',
'2.5.4.10' => 'id-at-organizationName',
'2.5.4.11' => 'id-at-dnQualifier',
'2.5.4.12' => 'id-at-title',
'2.5.4.46' => 'id-at-dnQualifier',
'2.5.4.6' => 'id-at-countryName',
'2.5.4.5' => 'id-at-serialNumber',
'2.5.4.65' => 'id-at-pseudonym',
'0.9.2342.19200300.100.1.25' => 'id-domainComponent',
'1.2.840.113549.1.9' => 'pkcs-9',
'1.2.840.113549.1.9.1' => 'id-emailAddress',
'2.5.29' => 'id-ce',
'2.5.29.35' => 'id-ce-authorityKeyIdentifier',
'2.5.29.14' => 'id-ce-subjectKeyIdentifier',
'2.5.29.15' => 'id-ce-keyUsage',
'2.5.29.16' => 'id-ce-privateKeyUsagePeriod',
'2.5.29.32' => 'id-ce-certificatePolicies',
'2.5.29.32.0' => 'anyPolicy',
// PolicyQualifierId ::= OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
'2.5.29.33' => 'id-ce-policyMappings',
'2.5.29.17' => 'id-ce-subjectAltName',
'2.5.29.18' => 'id-ce-issuerAltName',
'2.5.29.9' => 'id-ce-subjectDirectoryAttributes',
'2.5.29.19' => 'id-ce-basicConstraints',
'2.5.29.30' => 'id-ce-nameConstraints',
'2.5.29.36' => 'id-ce-policyConstraints',
'2.5.29.31' => 'id-ce-cRLDistributionPoints',
'2.5.29.37' => 'id-ce-extKeyUsage',
'2.5.29.37.0' => 'anyExtendedKeyUsage',
'1.3.6.1.5.5.7.3.1' => 'id-kp-serverAuth',
'1.3.6.1.5.5.7.3.2' => 'id-kp-clientAuth',
'1.3.6.1.5.5.7.3.3' => 'id-kp-codeSigning',
'1.3.6.1.5.5.7.3.4' => 'id-kp-emailProtection',
'1.3.6.1.5.5.7.3.8' => 'id-kp-timeStamping',
'1.3.6.1.5.5.7.3.9' => 'id-kp-OCSPSigning',
'2.5.29.54' => 'id-ce-inhibitAnyPolicy',
'2.5.29.46' => 'id-ce-freshestCRL',
'1.3.6.1.5.5.7.1.1' => 'id-pe-authorityInfoAccess',
'1.3.6.1.5.5.7.1.11' => 'id-pe-subjectInfoAccess',
'2.5.29.20' => 'id-ce-cRLNumber',
'2.5.29.28' => 'id-ce-issuingDistributionPoint',
'2.5.29.27' => 'id-ce-deltaCRLIndicator',
'2.5.29.21' => 'id-ce-cRLReasons',
'2.5.29.29' => 'id-ce-certificateIssuer',
'2.5.29.23' => 'id-ce-holdInstructionCode',
'2.2.840.10040.2' => 'holdInstruction',
'2.2.840.10040.2.1' => 'id-holdinstruction-none',
'2.2.840.10040.2.2' => 'id-holdinstruction-callissuer',
'2.2.840.10040.2.3' => 'id-holdinstruction-reject',
'2.5.29.24' => 'id-ce-invalidityDate',
'1.2.840.113549.2.2' => 'md2',
'1.2.840.113549.2.5' => 'md5',
'1.3.14.3.2.26' => 'id-sha1',
'1.2.840.10040.4.1' => 'id-dsa',
'1.2.840.10040.4.3' => 'id-dsa-with-sha1',
'1.2.840.113549.1.1' => 'pkcs-1',
'1.2.840.113549.1.1.1' => 'rsaEncryption',
'1.2.840.113549.1.1.2' => 'md2WithRSAEncryption',
'1.2.840.113549.1.1.4' => 'md5WithRSAEncryption',
'1.2.840.113549.1.1.5' => 'sha1WithRSAEncryption',
'1.2.840.10046.2.1' => 'dhpublicnumber',
'2.16.840.1.101.2.1.1.22' => 'id-keyExchangeAlgorithm',
'1.2.840.10045' => 'ansi-X9-62',
'1.2.840.10045.4' => 'id-ecSigType',
'1.2.840.10045.4.1' => 'ecdsa-with-SHA1',
'1.2.840.10045.1' => 'id-fieldType',
'1.2.840.10045.1.1' => 'prime-field',
'1.2.840.10045.1.2' => 'characteristic-two-field',
'1.2.840.10045.1.2.3' => 'id-characteristic-two-basis',
'1.2.840.10045.1.2.3.1' => 'gnBasis',
'1.2.840.10045.1.2.3.2' => 'tpBasis',
'1.2.840.10045.1.2.3.3' => 'ppBasis',
'1.2.840.10045.2' => 'id-publicKeyType',
'1.2.840.10045.2.1' => 'id-ecPublicKey',
'1.2.840.10045.3' => 'ellipticCurve',
'1.2.840.10045.3.0' => 'c-TwoCurve',
'1.2.840.10045.3.0.1' => 'c2pnb163v1',
'1.2.840.10045.3.0.2' => 'c2pnb163v2',
'1.2.840.10045.3.0.3' => 'c2pnb163v3',
'1.2.840.10045.3.0.4' => 'c2pnb176w1',
'1.2.840.10045.3.0.5' => 'c2pnb191v1',
'1.2.840.10045.3.0.6' => 'c2pnb191v2',
'1.2.840.10045.3.0.7' => 'c2pnb191v3',
'1.2.840.10045.3.0.8' => 'c2pnb191v4',
'1.2.840.10045.3.0.9' => 'c2pnb191v5',
'1.2.840.10045.3.0.10' => 'c2pnb208w1',
'1.2.840.10045.3.0.11' => 'c2pnb239v1',
'1.2.840.10045.3.0.12' => 'c2pnb239v2',
'1.2.840.10045.3.0.13' => 'c2pnb239v3',
'1.2.840.10045.3.0.14' => 'c2pnb239v4',
'1.2.840.10045.3.0.15' => 'c2pnb239v5',
'1.2.840.10045.3.0.16' => 'c2pnb272w1',
'1.2.840.10045.3.0.17' => 'c2pnb304w1',
'1.2.840.10045.3.0.18' => 'c2pnb359v1',
'1.2.840.10045.3.0.19' => 'c2pnb368w1',
'1.2.840.10045.3.0.20' => 'c2pnb431r1',
'1.2.840.10045.3.1' => 'primeCurve',
'1.2.840.10045.3.1.1' => 'prime192v1',
'1.2.840.10045.3.1.2' => 'prime192v2',
'1.2.840.10045.3.1.3' => 'prime192v3',
'1.2.840.10045.3.1.4' => 'prime239v1',
'1.2.840.10045.3.1.5' => 'prime239v2',
'1.2.840.10045.3.1.6' => 'prime239v3',
'1.2.840.10045.3.1.7' => 'prime256v1',
'1.2.840.113549.1.1.7' => 'id-RSAES-OAEP',
'1.2.840.113549.1.1.9' => 'id-pSpecified',
'1.2.840.113549.1.1.10' => 'id-RSASSA-PSS',
'1.2.840.113549.1.1.8' => 'id-mgf1',
'1.2.840.113549.1.1.14' => 'sha224WithRSAEncryption',
'1.2.840.113549.1.1.11' => 'sha256WithRSAEncryption',
'1.2.840.113549.1.1.12' => 'sha384WithRSAEncryption',
'1.2.840.113549.1.1.13' => 'sha512WithRSAEncryption',
'2.16.840.1.101.3.4.2.4' => 'id-sha224',
'2.16.840.1.101.3.4.2.1' => 'id-sha256',
'2.16.840.1.101.3.4.2.2' => 'id-sha384',
'2.16.840.1.101.3.4.2.3' => 'id-sha512',
'1.2.643.2.2.4' => 'id-GostR3411-94-with-GostR3410-94',
'1.2.643.2.2.3' => 'id-GostR3411-94-with-GostR3410-2001',
'1.2.643.2.2.20' => 'id-GostR3410-2001',
'1.2.643.2.2.19' => 'id-GostR3410-94',
// Netscape Object Identifiers from "Netscape Certificate Extensions"
'2.16.840.1.113730' => 'netscape',
'2.16.840.1.113730.1' => 'netscape-cert-extension',
'2.16.840.1.113730.1.1' => 'netscape-cert-type',
'2.16.840.1.113730.1.13' => 'netscape-comment',
// the following are not supported by phpseclib
'1.3.6.1.5.5.7.1.12' => 'id-pe-logotype',
'1.2.840.113533.7.65.0' => 'entrustVersInfo'
);
}
/**
* Load X.509 certificate
*
* @param String $cert
* @access public
*/
function loadX509($cert)
{
$asn1 = new File_ASN1();
/*
X.509 certs are assumed to be base64 encoded but sometimes they'll have additional things in them above and beyond the ceritificate. ie.
some may have the following preceeding the -----BEGIN CERTIFICATE----- line:
subject=/O=organization/OU=org unit/CN=common name
issuer=/O=organization/CN=common name
*/
$cert = preg_replace('#^(?:[^-].+[\r\n]+)+|-.+-|[\r\n]#', '', $cert);
$cert = preg_match('#^[a-zA-Z\d/+]*={0,2}$#', $cert) ? base64_decode($cert) : false;
$asn1->loadOIDs($this->oids);
$decoded = $asn1->decodeBER($cert);
$x509 = $asn1->asn1map($decoded[0], $this->Certificate);
for ($i = 0; $i < count($x509['tbsCertificate']['extensions']); $i++) {
$id = $x509['tbsCertificate']['extensions'][$i]['extnId'];
$value = base64_decode($x509['tbsCertificate']['extensions'][$i]['extnValue']);
$decoded = $asn1->decodeBER($value);
/* [extnValue] contains the DER encoding of an ASN.1 value
corresponding to the extension type identified by extnID */
$map = $this->_getMapping($id);
if ($map !== false) {
$x509['tbsCertificate']['extensions'][$i]['extnValue'] = $asn1->asn1map($decoded[0], $map);
}
}
switch ($x509['tbsCertificate']['subjectPublicKeyInfo']['algorithm']['algorithm']) {
case 'rsaEncryption':
$x509['tbsCertificate']['subjectPublicKeyInfo']['subjectPublicKey'] =
"-----BEGIN PUBLIC KEY-----\r\n" .
// subjectPublicKey is stored as a bit string in X.509 certs. the first byte of a bit string represents how many bits
// in the last byte should be ignored. the following only supports non-zero stuff but as none of the X.509 certs Firefox
// uses as a cert authority actually use a non-zero bit I think it's safe to assume that none do.
chunk_split(base64_encode(substr(base64_decode($x509['tbsCertificate']['subjectPublicKeyInfo']['subjectPublicKey']), 1))) .
'-----END PUBLIC KEY-----';
}
$this->currentCert = $x509;
return $x509;
}
/**
* Save X.509 certificate
*
* @param optional Array $cert
* @access public
*/
function saveX509($cert)
{
switch ($cert['tbsCertificate']['subjectPublicKeyInfo']['algorithm']['algorithm']) {
case 'rsaEncryption':
$cert['tbsCertificate']['subjectPublicKeyInfo']['subjectPublicKey'] =
base64_encode("\0" . base64_decode(preg_replace('#-.+-|[\r\n]#', '', $cert['tbsCertificate']['subjectPublicKeyInfo']['subjectPublicKey'])));
}
$asn1 = new File_ASN1();
$asn1->loadOIDs($this->oids);
$filters = array();
$filters['tbsCertificate']['signature']['parameters'] =
$filters['tbsCertificate']['signature']['issuer']['rdnSequence']['value'] =
$filters['tbsCertificate']['issuer']['rdnSequence']['value'] =
$filters['tbsCertificate']['subject']['rdnSequence']['value'] =
$filters['tbsCertificate']['subjectPublicKeyInfo']['algorithm']['parameters'] =
$filters['signatureAlgorithm']['parameters'] =
$filters['authorityCertIssuer']['directoryName']['rdnSequence']['value'] =
$filters['policyQualifiers']['qualifier'] =
$filters['distributionPoint']['fullName']['directoryName']['rdnSequence']['value'] =
$filters['directoryName']['rdnSequence']['value'] =
/* in the case of policyQualifiers/qualifier, the type has to be FILE_ASN1_TYPE_IA5_STRING.
FILE_ASN1_TYPE_PRINTABLE_STRING will cause OpenSSL's X.509 parser to spit out random
characters.
*/
array('type' => FILE_ASN1_TYPE_IA5_STRING);
$asn1->loadFilters($filters);
$size = count($cert['tbsCertificate']['extensions']);
for ($i = 0; $i < $size; $i++) {
$id = $cert['tbsCertificate']['extensions'][$i]['extnId'];
$value = $cert['tbsCertificate']['extensions'][$i]['extnValue'];
/* [extnValue] contains the DER encoding of an ASN.1 value
corresponding to the extension type identified by extnID */
$map = $this->_getMapping($id);
if (is_bool($map)) {
if (!$map) {
user_error($id . ' is not a currently supported extension', E_USER_NOTICE);
}
unset($cert['tbsCertificate']['extensions'][$i]);
} else {
$cert['tbsCertificate']['extensions'][$i]['extnValue'] = base64_encode($asn1->encodeDER($value, $map));
}
}
$cert = $asn1->encodeDER($cert, $this->Certificate);
return "-----BEGIN CERTIFICATE-----\r\n" . chunk_split(base64_encode($cert)) . '-----END CERTIFICATE-----';
}
/**
* Associate an extension ID to an extension mapping
*
* @param String $extnId
* @access private
*/
function _getMapping($extnId)
{
switch ($extnId) {
case 'id-ce-keyUsage':
return $this->KeyUsage;
case 'id-ce-basicConstraints':
return $this->BasicConstraints;
case 'id-ce-subjectKeyIdentifier':
return $this->KeyIdentifier;
case 'id-ce-cRLDistributionPoints':
return $this->CRLDistributionPoints;
case 'id-ce-authorityKeyIdentifier':
return $this->AuthorityKeyIdentifier;
case 'id-ce-certificatePolicies':
return $this->CertificatePolicies;
case 'id-ce-extKeyUsage':
return $this->ExtKeyUsageSyntax;
case 'id-pe-authorityInfoAccess':
return $this->AuthorityInfoAccessSyntax;
case 'id-ce-subjectAltName':
return $this->SubjectAltName;
case 'id-ce-privateKeyUsagePeriod':
return $this->PrivateKeyUsagePeriod;
case 'id-ce-issuerAltName':
return $this->IssuerAltName;
case 'id-ce-policyMappings':
return $this->PolicyMappings;
case 'id-ce-nameConstraints':
return $this->NameConstraints;
case 'netscape-cert-type':
return $this->netscape_cert_type;
case 'netscape-comment':
return $this->netscape_comment;
// the following OIDs are unsupported but we don't want them to give notices when calling saveX509().
case 'id-pe-logotype': // http://www.ietf.org/rfc/rfc3709.txt
case 'entrustVersInfo':
// http://support.microsoft.com/kb/287547
case '1.3.6.1.4.1.311.20.2': // szOID_ENROLL_CERTTYPE_EXTENSION
case '1.3.6.1.4.1.311.21.1': // szOID_CERTSRV_CA_VERSION
// "SET Secure Electronic Transaction Specification"
// http://www.maithean.com/docs/set_bk3.pdf
case '2.23.42.7.0': // id-set-hashedRootKey
return true;
}
return false;
}
}
Reference in New Issue View Git Blame Copy Permalink