- make it so certs can be setup as CA's
git-svn-id: http://phpseclib.svn.sourceforge.net/svnroot/phpseclib/trunk@214 21d32557-59b3-4da0-833f-c5933fad653e
This commit is contained in:
parent
3dd9e2b318
commit
a90bba115c
@ -203,6 +203,14 @@ class File_X509 {
|
|||||||
*/
|
*/
|
||||||
var $keyIdentifier;
|
var $keyIdentifier;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* CA Flag
|
||||||
|
*
|
||||||
|
* @var Boolean
|
||||||
|
* @access private
|
||||||
|
*/
|
||||||
|
var $caFlag = false;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Default Constructor.
|
* Default Constructor.
|
||||||
*
|
*
|
||||||
@ -1037,6 +1045,7 @@ class File_X509 {
|
|||||||
'2.5.4.65' => 'id-at-pseudonym',
|
'2.5.4.65' => 'id-at-pseudonym',
|
||||||
'2.5.4.17' => 'id-at-postalCode',
|
'2.5.4.17' => 'id-at-postalCode',
|
||||||
'2.5.4.9' => 'id-at-streetAddress',
|
'2.5.4.9' => 'id-at-streetAddress',
|
||||||
|
|
||||||
'0.9.2342.19200300.100.1.25' => 'id-domainComponent',
|
'0.9.2342.19200300.100.1.25' => 'id-domainComponent',
|
||||||
'1.2.840.113549.1.9' => 'pkcs-9',
|
'1.2.840.113549.1.9' => 'pkcs-9',
|
||||||
'1.2.840.113549.1.9.1' => 'id-emailAddress',
|
'1.2.840.113549.1.9.1' => 'id-emailAddress',
|
||||||
@ -1424,20 +1433,34 @@ class File_X509 {
|
|||||||
*/
|
*/
|
||||||
function loadCA($cert)
|
function loadCA($cert)
|
||||||
{
|
{
|
||||||
/* From RFC5280 "PKIX Certificate and CRL Profile":
|
|
||||||
|
|
||||||
If the keyUsage extension is present, then the subject public key
|
|
||||||
MUST NOT be used to verify signatures on certificates or CRLs unless
|
|
||||||
the corresponding keyCertSign or cRLSign bit is set. */
|
|
||||||
$cert = $this->loadX509($cert);
|
$cert = $this->loadX509($cert);
|
||||||
if (!$cert) {
|
if (!$cert) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
$keyUsage = $x509->getExtension('id-ce-keyUsage');
|
/* From RFC5280 "PKIX Certificate and CRL Profile":
|
||||||
if ($keyUsage && !in_array('keyCertSign', $keyUsage)) {
|
|
||||||
return false;
|
If the keyUsage extension is present, then the subject public key
|
||||||
}
|
MUST NOT be used to verify signatures on certificates or CRLs unless
|
||||||
|
the corresponding keyCertSign or cRLSign bit is set. */
|
||||||
|
//$keyUsage = $this->getExtension('id-ce-keyUsage');
|
||||||
|
//if ($keyUsage && !in_array('keyCertSign', $keyUsage)) {
|
||||||
|
// return false;
|
||||||
|
//}
|
||||||
|
|
||||||
|
/* From RFC5280 "PKIX Certificate and CRL Profile":
|
||||||
|
|
||||||
|
The cA boolean indicates whether the certified public key may be used
|
||||||
|
to verify certificate signatures. If the cA boolean is not asserted,
|
||||||
|
then the keyCertSign bit in the key usage extension MUST NOT be
|
||||||
|
asserted. If the basic constraints extension is not present in a
|
||||||
|
version 3 certificate, or the extension is present but the cA boolean
|
||||||
|
is not asserted, then the certified public key MUST NOT be used to
|
||||||
|
verify certificate signatures. */
|
||||||
|
//$basicConstraints = $this->getExtension('id-ce-basicConstraints');
|
||||||
|
//if (!$basicConstraints || !$basicConstraints['cA']) {
|
||||||
|
// return false;
|
||||||
|
//}
|
||||||
|
|
||||||
$this->CAs[] = $cert;
|
$this->CAs[] = $cert;
|
||||||
unset($this->currentCert);
|
unset($this->currentCert);
|
||||||
@ -1557,7 +1580,9 @@ class File_X509 {
|
|||||||
|
|
||||||
/* TODO:
|
/* TODO:
|
||||||
"emailAddress attribute values are not case-sensitive (e.g., "subscriber@example.com" is the same as "SUBSCRIBER@EXAMPLE.COM")."
|
"emailAddress attribute values are not case-sensitive (e.g., "subscriber@example.com" is the same as "SUBSCRIBER@EXAMPLE.COM")."
|
||||||
-- http://tools.ietf.org/html/rfc5280#section-4.1.2.6 */
|
-- http://tools.ietf.org/html/rfc5280#section-4.1.2.6
|
||||||
|
|
||||||
|
implement pathLenConstraint in the id-ce-basicConstraints extension */
|
||||||
|
|
||||||
switch (true) {
|
switch (true) {
|
||||||
case isset($this->currentCert['tbsCertificate']):
|
case isset($this->currentCert['tbsCertificate']):
|
||||||
@ -2148,6 +2173,32 @@ class File_X509 {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ($this->caFlag) {
|
||||||
|
$keyUsage = $this->getExtension('id-ce-keyUsage');
|
||||||
|
if (!$keyUsage) {
|
||||||
|
$keyUsage = array();
|
||||||
|
}
|
||||||
|
$this->removeExtension('id-ce-keyUsage');
|
||||||
|
|
||||||
|
$this->currentCert['tbsCertificate']['extensions'][] = array(
|
||||||
|
'extnId' => 'id-ce-keyUsage',
|
||||||
|
'critical' => false,
|
||||||
|
'extnValue' => array_values(array_unique(array_merge($keyUsage, array('cRLSign', 'keyCertSign'))))
|
||||||
|
);
|
||||||
|
|
||||||
|
$basicConstraints = $this->getExtension('id-ce-basicConstraints');
|
||||||
|
if (!$basicConstraints) {
|
||||||
|
$basicConstraints = array();
|
||||||
|
}
|
||||||
|
$this->removeExtension('id-ce-basicConstraints');
|
||||||
|
|
||||||
|
$this->currentCert['tbsCertificate']['extensions'][] = array(
|
||||||
|
'extnId' => 'id-ce-basicConstraints',
|
||||||
|
'critical' => true,
|
||||||
|
'extnValue' => array_unique(array_merge(array('cA' => true), $basicConstraints))
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
// resync $this->signatureSubject
|
// resync $this->signatureSubject
|
||||||
$this->loadX509($this->saveX509($this->currentCert));
|
$this->loadX509($this->saveX509($this->currentCert));
|
||||||
|
|
||||||
@ -2224,6 +2275,16 @@ class File_X509 {
|
|||||||
$this->serialNumber = new Math_BigInteger($serial, -256);
|
$this->serialNumber = new Math_BigInteger($serial, -256);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Turns the certificate into a certificate authority
|
||||||
|
*
|
||||||
|
* @access public
|
||||||
|
*/
|
||||||
|
function makeCA()
|
||||||
|
{
|
||||||
|
$this->caFlag = true;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Remove an Extension
|
* Remove an Extension
|
||||||
*
|
*
|
||||||
|
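Review bot: In the `if ($this->caFlag)` block of the `@ -2148` hunk, `array_unique(array_merge(array('cA' => true), $basicConstraints))` does not reliably assert cA: with string keys `array_merge` lets the later operand win, so an existing `'cA' => false` in the loaded extension overrides the `true` this branch is meant to force, and `array_unique` compares values as strings, so a `pathLenConstraint` of `1` collides with `true` and is silently dropped. Replacing the expression with `'extnValue' => array('cA' => true) + $basicConstraints` keeps the forced cA value and any other fields intact. The keyUsage entry a few lines above is written with `'critical' => false`; RFC 5280 §4.2.1.3 says conforming CAs SHOULD mark keyUsage critical when present, so `'critical' => true` would be the safer default there. Separately, the `@ -1424` hunk leaves both the keyUsage and basicConstraints checks in `loadCA()` commented out, so any certificate is accepted as a trust anchor whether or not it carries cA or keyCertSign; if that is deliberate until the rest of the feature lands, a comment above the commented-out block saying so (and that `$this->getExtension()` is the intended replacement for the old `$x509->getExtension()`) would help. The enclosing function of the `@ -2148` hunk starts and ends outside the hunk.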