\phpseclib\FileX509

__construct()

__construct() : \phpseclib\File\X509

Default Constructor.

Returns

loadX509()

loadX509(string  $cert, integer  $mode = self::FORMAT_AUTO_DETECT) : mixed

Load X.509 certificate

Returns an associative array describing the X.509 cert or a false if the cert failed to load

Parameters

Returns

saveX509()

saveX509(array  $cert, integer  $format = self::FORMAT_PEM) : string

Save X.509 certificate

Parameters

Returns

_mapInExtensions()

_mapInExtensions(  $root, string  $path, object  $asn1) 

Map extension values from octet string to extension-specific internal format.

Parameters

_mapOutExtensions()

_mapOutExtensions(  $root, string  $path, object  $asn1) 

Map extension values from extension-specific internal format to octet string.

Parameters

_mapInAttributes()

_mapInAttributes(  $root, string  $path, object  $asn1) 

Map attribute values from ANY type to attribute-specific internal format.

Parameters

_mapOutAttributes()

_mapOutAttributes(  $root, string  $path, object  $asn1) 

Map attribute values from attribute-specific internal format to ANY type.

Parameters

_mapInDNs()

_mapInDNs(  $root, string  $path, object  $asn1) 

Map DN values from ANY type to DN-specific internal format.

Parameters

_mapOutDNs()

_mapOutDNs(  $root, string  $path, object  $asn1) 

Map DN values from DN-specific internal format to ANY type.

Parameters

_getMapping()

_getMapping(string  $extnId) : mixed

Associate an extension ID to an extension mapping

Parameters

Returns

loadCA()

loadCA(string  $cert) : boolean

Load an X.509 certificate as a certificate authority

Parameters

Returns

validateURL()

validateURL(string  $url) : boolean

Validate an X.509 certificate against a URL

From RFC2818 "HTTP over TLS":

Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character which is considered to match any single domain name component or component fragment. E.g., .a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.

Parameters

Returns

validateDate()

validateDate(\DateTime|string  $date = null) 

Validate a date

If $date isn't defined it is assumed to be the current date.

Parameters

_fetchURL()

_fetchURL(string  $url) : boolean|string

Fetches a URL

Parameters

Returns

_testForIntermediate()

_testForIntermediate(boolean  $caonly, integer  $count) : boolean

Validates an intermediate cert as identified via authority info access extension

See https://tools.ietf.org/html/rfc4325 for more info

Parameters

Returns

validateSignature()

validateSignature(boolean  $caonly = true) : mixed

Validate a signature

Works on X.509 certs, CSR's and CRL's. Returns true if the signature is verified, false if it is not correct or null on error

By default returns false for self-signed certs. Call validateSignature(false) to make this support self-signed.

The behavior of this function is inspired by openssl_verify.

Parameters

Returns

_validateSignatureCountable()

_validateSignatureCountable(boolean  $caonly, integer  $count) : mixed

Validate a signature

Performs said validation whilst keeping track of how many times validation method is called

Parameters

Returns

_validateSignature()

_validateSignature(string  $publicKeyAlgorithm, string  $publicKey, string  $signatureAlgorithm, string  $signature, string  $signatureSubject) : integer

Validates a signature

Returns true if the signature is verified, false if it is not correct or null on error

Parameters

Returns

setRecurLimit()

setRecurLimit(integer  $count) 

Sets the recursion limit

When validating a signature it may be necessary to download intermediate certs from URI's. An intermediate cert that linked to itself would result in an infinite loop so to prevent that we set a recursion limit. A negative number means that there is no recursion limit.

Parameters

disableURLFetch()

disableURLFetch() 

Prevents URIs from being automatically retrieved

enableURLFetch()

enableURLFetch() 

Allows URIs to be automatically retrieved

_reformatKey()

_reformatKey(string  $algorithm, string  $key) : string

Reformat public keys

Reformats a public key to a format supported by phpseclib (if applicable)

Parameters

Returns

_decodeIP()

_decodeIP(string  $ip) : string

Decodes an IP address

Takes in a base64 encoded "blob" and returns a human readable IP address

Parameters

Returns

_encodeIP()

_encodeIP(string  $ip) : string

Encodes an IP address

Takes a human readable IP address into a base64-encoded "blob"

Parameters

Returns

_translateDNProp()

_translateDNProp(string  $propName) : mixed

"Normalizes" a Distinguished Name property

Parameters

Returns

setDNProp()

setDNProp(string  $propName, mixed  $propValue, string  $type = 'utf8String') : boolean

Set a Distinguished Name property

Parameters

Returns

removeDNProp()

removeDNProp(string  $propName) 

Remove Distinguished Name properties

Parameters

getDNProp()

getDNProp(string  $propName, array  $dn = null, boolean  $withType = false) : mixed

Get Distinguished Name properties

Parameters

Returns

setDN()

setDN(mixed  $dn, boolean  $merge = false, string  $type = 'utf8String') : boolean

Set a Distinguished Name

Parameters

Returns

getDN()

getDN(mixed  $format = self::DN_ARRAY, array  $dn = null) : boolean

Get the Distinguished Name for a certificates subject

Parameters

Returns

getIssuerDN()

getIssuerDN(integer  $format = self::DN_ARRAY) : mixed

Get the Distinguished Name for a certificate/crl issuer

Parameters

Returns

getSubjectDN()

getSubjectDN(integer  $format = self::DN_ARRAY) : mixed

Get the Distinguished Name for a certificate/csr subject Alias of getDN()

Parameters

Returns

getIssuerDNProp()

getIssuerDNProp(string  $propName, boolean  $withType = false) : mixed

Get an individual Distinguished Name property for a certificate/crl issuer

Parameters

Returns

getSubjectDNProp()

getSubjectDNProp(string  $propName, boolean  $withType = false) : mixed

Get an individual Distinguished Name property for a certificate/csr subject

Parameters

Returns

getChain()

getChain() : mixed

Get the certificate chain for the current cert

Returns

setPublicKey()

setPublicKey(object  $key) : boolean

Set public key

Key needs to be a \phpseclib\Crypt\RSA object

Parameters

Returns

setPrivateKey()

setPrivateKey(object  $key) 

Set private key

Key needs to be a \phpseclib\Crypt\RSA object

Parameters

setChallenge()

setChallenge(string  $challenge) 

Set challenge

Used for SPKAC CSR's

Parameters

getPublicKey()

getPublicKey() : mixed

Gets the public key

Returns a \phpseclib\Crypt\RSA object or a false.

Returns

loadCSR()

loadCSR(string  $csr,   $mode = self::FORMAT_AUTO_DETECT) : mixed

Load a Certificate Signing Request

Parameters

Returns

saveCSR()

saveCSR(array  $csr, integer  $format = self::FORMAT_PEM) : string

Save CSR request

Parameters

Returns

loadSPKAC()

loadSPKAC(  $spkac) : mixed

Load a SPKAC CSR

SPKAC's are produced by the HTML5 keygen element:

https://developer.mozilla.org/en-US/docs/HTML/Element/keygen

Parameters

Returns

saveSPKAC()

saveSPKAC(  $spkac, integer  $format = self::FORMAT_PEM) : string

Save a SPKAC CSR request

Parameters

Returns

loadCRL()

loadCRL(string  $crl,   $mode = self::FORMAT_AUTO_DETECT) : mixed

Load a Certificate Revocation List

Parameters

Returns

saveCRL()

saveCRL(array  $crl, integer  $format = self::FORMAT_PEM) : string

Save Certificate Revocation List.

Parameters

Returns

_timeField()

_timeField(string  $date) : array

Helper function to build a time field according to RFC 3280 section - 4.1.2.5 Validity - 5.1.2.4 This Update - 5.1.2.5 Next Update - 5.1.2.6 Revoked Certificates by choosing utcTime iff year of date given is before 2050 and generalTime else.

Parameters

Returns

sign()

sign(\phpseclib\File\X509  $issuer, \phpseclib\File\X509  $subject, string  $signatureAlgorithm = 'sha1WithRSAEncryption') : mixed

Sign an X.509 certificate

$issuer's private key needs to be loaded. $subject can be either an existing X.509 cert (if you want to resign it), a CSR or something with the DN and public key explicitly set.

Parameters

Returns

signCSR()

signCSR(  $signatureAlgorithm = 'sha1WithRSAEncryption') : mixed

Sign a CSR

Parameters

Returns

signSPKAC()

signSPKAC(  $signatureAlgorithm = 'sha1WithRSAEncryption') : mixed

Sign a SPKAC

Parameters

Returns

signCRL()

signCRL(\phpseclib\File\X509  $issuer, \phpseclib\File\X509  $crl, string  $signatureAlgorithm = 'sha1WithRSAEncryption') : mixed

Sign a CRL

$issuer's private key needs to be loaded.

Parameters

Returns

_sign()

_sign(object  $key, string  $signatureAlgorithm) : mixed

X.509 certificate signing helper function.

Parameters

Returns

setStartDate()

setStartDate(string  $date) 

Set certificate start date

Parameters

setEndDate()

setEndDate(string  $date) 

Set certificate end date

Parameters

setSerialNumber()

setSerialNumber(string  $serial,   $base = -256) 

Set Serial Number

Parameters

makeCA()

makeCA() 

Turns the certificate into a certificate authority

_isSubArrayValid()

_isSubArrayValid(array  $root, string  $path) : boolean

Check for validity of subarray

This is intended for use in conjunction with _subArrayUnchecked(), implementing the checks included in _subArray() but without copying a potentially large array by passing its reference by-value to is_array().

Parameters

Returns

_subArrayUnchecked()

_subArrayUnchecked(array  $root, string  $path, boolean  $create = false) : array|false

Get a reference to a subarray

This variant of _subArray() does no is_array() checking, so $root should be checked with _isSubArrayValid() first.

This is here for performance reasons: Passing a reference (i.e. $root) by-value (i.e. to is_array()) creates a copy. If $root is an especially large array, this is expensive.

Parameters

Returns

_subArray()

_subArray(array  $root, string  $path, boolean  $create = false) : array|false

Get a reference to a subarray

Parameters

Returns

_extensions()

_extensions(array  $root, string  $path = null, boolean  $create = false) : array|false

Get a reference to an extension subarray

Parameters

Returns

_removeExtension()

_removeExtension(string  $id, string  $path = null) : boolean

Remove an Extension

Parameters

Returns

_getExtension()

_getExtension(string  $id, array  $cert = null, string  $path = null) : mixed

Get an Extension

Returns the extension if it exists and false if not

Parameters

Returns

_getExtensions()

_getExtensions(array  $cert = null, string  $path = null) : array

Returns a list of all extensions in use

Parameters

Returns

_setExtension()

_setExtension(string  $id, mixed  $value, boolean  $critical = false, boolean  $replace = true, string  $path = null) : boolean

Set an Extension

Parameters

Returns

removeExtension()

removeExtension(string  $id) : boolean

Remove a certificate, CSR or CRL Extension

Parameters

Returns

getExtension()

getExtension(string  $id, array  $cert = null) : mixed

Get a certificate, CSR or CRL Extension

Returns the extension if it exists and false if not

Parameters

Returns

getExtensions()

getExtensions(array  $cert = null) : array

Returns a list of all extensions in use in certificate, CSR or CRL

Parameters

Returns

setExtension()

setExtension(string  $id, mixed  $value, boolean  $critical = false, boolean  $replace = true) : boolean

Set a certificate, CSR or CRL Extension

Parameters

Returns

removeAttribute()

removeAttribute(string  $id, integer  $disposition = self::ATTR_ALL) : boolean

Remove a CSR attribute.

Parameters

Returns

getAttribute()

getAttribute(string  $id, integer  $disposition = self::ATTR_ALL, array  $csr = null) : mixed

Get a CSR attribute

Returns the attribute if it exists and false if not

Parameters

Returns

getAttributes()

getAttributes(array  $csr = null) : array

Returns a list of all CSR attributes in use

Parameters

Returns

setAttribute()

setAttribute(string  $id, mixed  $value, boolean  $disposition = self::ATTR_ALL) : boolean

Set a CSR attribute

Parameters

Returns

setKeyIdentifier()

setKeyIdentifier(string  $value) 

Sets the subject key identifier

This is used by the id-ce-authorityKeyIdentifier and the id-ce-subjectKeyIdentifier extensions.

Parameters

computeKeyIdentifier()

computeKeyIdentifier(mixed  $key = null, integer  $method = 1) : string

Compute a public key identifier.

Although key identifiers may be set to any unique value, this function computes key identifiers from public key according to the two recommended methods (4.2.1.2 RFC 3280). Highly polymorphic: try to accept all possible forms of key:

• Key object
• \phpseclib\File\X509 object with public or private key defined
• Certificate or CSR array
• \phpseclib\File\ASN1\Element object
• PEM or DER string

Parameters

Returns

binary key identifier

_formatSubjectPublicKey()

_formatSubjectPublicKey() : array

Format a public key as appropriate

Returns

setDomain()

setDomain() : array

Set the domain name's which the cert is to be valid for

Returns

setIPAddress()

setIPAddress() 

Set the IP Addresses's which the cert is to be valid for

_dnsName()

_dnsName(string  $domain) : array

Helper function to build domain array

Parameters

Returns

_iPAddress()

_iPAddress(string  $address) : array

Helper function to build IP Address array

(IPv6 is not currently supported)

Parameters

Returns

_revokedCertificate()

_revokedCertificate(array  $rclist, string  $serial, boolean  $create = false) : integer|false

Get the index of a revoked certificate.

Parameters

Returns

revoke()

revoke(string  $serial, string  $date = null) : boolean

Revoke a certificate.

Parameters

Returns

unrevoke()

unrevoke(string  $serial) : boolean

Unrevoke a certificate.

Parameters

Returns

getRevoked()

getRevoked(string  $serial) : mixed

Get a revoked certificate.

Parameters

Returns

listRevoked()

listRevoked(array  $crl = null) : array

List revoked certificates

Parameters

Returns

removeRevokedCertificateExtension()

removeRevokedCertificateExtension(string  $serial, string  $id) : boolean

Remove a Revoked Certificate Extension

Parameters

Returns

getRevokedCertificateExtension()

getRevokedCertificateExtension(string  $serial, string  $id, array  $crl = null) : mixed

Get a Revoked Certificate Extension

Returns the extension if it exists and false if not

Parameters

Returns

getRevokedCertificateExtensions()

getRevokedCertificateExtensions(string  $serial, array  $crl = null) : array

Returns a list of all extensions in use for a given revoked certificate

Parameters

Returns

setRevokedCertificateExtension()

setRevokedCertificateExtension(string  $serial, string  $id, mixed  $value, boolean  $critical = false, boolean  $replace = true) : boolean

Set a Revoked Certificate Extension

Parameters

Returns

_extractBER()

_extractBER(string  $str) : string

Extract raw BER from Base64 encoding

Parameters

Returns

getOID()

getOID(  $name) : string

Returns the OID corresponding to a name

What's returned in the associative array returned by loadX509() (or load*()) is either a name or an OID if no OID to name mapping is available. The problem with this is that what may be an unmapped OID in one version of phpseclib may not be unmapped in the next version, so apps that are looking at this OID may not be able to work from version to version.

This method will return the OID if a name is passed to it and if no mapping is avialable it'll assume that what's being passed to it already is an OID and return that instead. A few examples.

getOID('2.16.840.1.101.3.4.2.1') == '2.16.840.1.101.3.4.2.1' getOID('id-sha256') == '2.16.840.1.101.3.4.2.1' getOID('zzz') == 'zzz'

Parameters

Returns