X509: simplify revised validation logic and add to CRL validation

2024-12-26 11:37:33 +00:00 · 2017-12-13 19:36:55 -06:00 · 2017-12-13 19:36:55 -06:00 · 247e969366
commit 247e969366
parent 340deffc98
1 changed files with 8 additions and 4 deletions
--- a/phpseclib/File/X509.php
+++ b/phpseclib/File/X509.php
@ -2182,7 +2182,7 @@ class File_X509
                        switch (true) {
                            case !is_array($authorityKey):
                            case !$subjectKeyID:
-                            case is_array($authorityKey) && isset($authorityKey['keyIdentifier']) && $authorityKey['keyIdentifier'] === $subjectKeyID:
+                            case isset($authorityKey['keyIdentifier']) && $authorityKey['keyIdentifier'] === $subjectKeyID:
                                $signingCert = $this->currentCert; // working cert
                        }
                }
@ -2200,8 +2200,8 @@ class File_X509
                                switch (true) {
                                    case !is_array($authorityKey):
                                    case !$subjectKeyID:
-                                    case is_array($authorityKey) && isset($authorityKey['keyIdentifier']) && $authorityKey['keyIdentifier'] === $subjectKeyID:
-                                        if (isset($authorityKey['authorityCertSerialNumber']) && $authorityKey['authorityCertSerialNumber'] != $ca['tbsCertificate']['serialNumber']) {
+                                    case isset($authorityKey['keyIdentifier']) && $authorityKey['keyIdentifier'] === $subjectKeyID:
+                                        if (is_array($authorityKey) && isset($authorityKey['authorityCertSerialNumber']) && $authorityKey['authorityCertSerialNumber'] != $ca['tbsCertificate']['serialNumber']) {
                                            break 2; // serial mismatch - check other ca
                                        }
                                        $signingCert = $ca; // working cert
@ -2249,7 +2249,11 @@ class File_X509
                                $subjectKeyID = $this->getExtension('id-ce-subjectKeyIdentifier', $ca);
                                switch (true) {
                                    case !is_array($authorityKey):
-                                    case is_array($authorityKey) && isset($authorityKey['keyIdentifier']) && $authorityKey['keyIdentifier'] === $subjectKeyID:
+                                    case !$subjectKeyID:
+                                    case isset($authorityKey['keyIdentifier']) && $authorityKey['keyIdentifier'] === $subjectKeyID:
+                                        if (is_array($authorityKey) && isset($authorityKey['authorityCertSerialNumber']) && $authorityKey['authorityCertSerialNumber'] != $ca['tbsCertificate']['serialNumber']) {
+                                            break 2; // serial mismatch - check other ca
+                                        }
                                        $signingCert = $ca; // working cert
                                        break 3;
                                }