From 247e969366e4bb23663ae4c9d18ee6857305b078 Mon Sep 17 00:00:00 2001
From: terrafrost
Date: Wed, 13 Dec 2017 19:36:55 -0600
Subject: [PATCH] X509: simplify revised validation logic and add to CRL validation

---
 phpseclib/File/X509.php | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/phpseclib/File/X509.php b/phpseclib/File/X509.php
index 683e39b5..aacb187c 100644
--- a/phpseclib/File/X509.php
+++ b/phpseclib/File/X509.php
@@ -2182,7 +2182,7 @@ class File_X509
 switch (true) {
 case !is_array($authorityKey):
 case !$subjectKeyID:
- case is_array($authorityKey) && isset($authorityKey['keyIdentifier']) && $authorityKey['keyIdentifier'] === $subjectKeyID:
+ case isset($authorityKey['keyIdentifier']) && $authorityKey['keyIdentifier'] === $subjectKeyID:
 $signingCert = $this->currentCert; // working cert
 }
 }
@@ -2200,8 +2200,8 @@ class File_X509
 switch (true) {
 case !is_array($authorityKey):
 case !$subjectKeyID:
- case is_array($authorityKey) && isset($authorityKey['keyIdentifier']) && $authorityKey['keyIdentifier'] === $subjectKeyID:
- if (isset($authorityKey['authorityCertSerialNumber']) && $authorityKey['authorityCertSerialNumber'] != $ca['tbsCertificate']['serialNumber']) {
+ case isset($authorityKey['keyIdentifier']) && $authorityKey['keyIdentifier'] === $subjectKeyID:
+ if (is_array($authorityKey) && isset($authorityKey['authorityCertSerialNumber']) && $authorityKey['authorityCertSerialNumber'] != $ca['tbsCertificate']['serialNumber']) {
 break 2; // serial mismatch - check other ca
 }
 $signingCert = $ca; // working cert
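Review bot: The serial-number guard on the new `if` line of the second hunk compares `$authorityKey['authorityCertSerialNumber']` with `$ca['tbsCertificate']['serialNumber']` using loose `!=`; if both values are Math_BigInteger instances (which is what phpseclib's ASN.1 decoder produces for INTEGER fields) that is a property-by-property object comparison rather than a numeric one, so an explicit `->equals()` call or a comparison of canonical byte strings would state the issuer-match intent and not depend on how each object happened to be built. The same loose comparison is introduced in the CRL path in the third hunk. In the first hunk, dropping `is_array($authorityKey)` from the `isset` case is only correct because the two preceding `case` labels fall through to the same body, so a comment such as `// reached only when $authorityKey is an array and $subjectKeyID is set; the earlier cases fall through` would keep a later reordering from reintroducing the gap. The methods containing both switch statements begin before the hunks.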
@@ -2249,7 +2249,11 @@ class File_X509
 $subjectKeyID = $this->getExtension('id-ce-subjectKeyIdentifier', $ca);
 switch (true) {
 case !is_array($authorityKey):
- case is_array($authorityKey) && isset($authorityKey['keyIdentifier']) && $authorityKey['keyIdentifier'] === $subjectKeyID:
+ case !$subjectKeyID:
+ case isset($authorityKey['keyIdentifier']) && $authorityKey['keyIdentifier'] === $subjectKeyID:
+ if (is_array($authorityKey) && isset($authorityKey['authorityCertSerialNumber']) && $authorityKey['authorityCertSerialNumber'] != $ca['tbsCertificate']['serialNumber']) {
+ break 2; // serial mismatch - check other ca
+ }
 $signingCert = $ca; // working cert
 break 3;
 }
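Review bot: The added `case !$subjectKeyID:` lets a CA that carries no subjectKeyIdentifier be selected as the CRL signer on issuer-name match alone, and the `break 3` two lines below then ends the search, so a CA later in the list whose keyIdentifier actually equals `$authorityKey['keyIdentifier']` is never considered; whether the signature check that presumably follows recovers from picking the wrong candidate depends on code after the hunk. Since this mirrors the certificate path, at least record the precedence with a comment such as `// no SKI on this CA: accept on issuer-name match only; the signature check below is the real gate`, or consider preferring an SKI-bearing match when the CRL's authorityKeyIdentifier names a key. The loop enclosing this switch and the code consuming $signingCert are outside the hunk.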