Skip to content

X509

Pure-PHP X.509 Parser

  • Full name: \phpseclib\File\X509

Constants

Constant Visibility Type Value
VALIDATE_SIGNATURE_BY_CA public 1
DN_ARRAY public 0
DN_STRING public 1
DN_ASN1 public 2
DN_OPENSSL public 3
DN_CANON public 4
DN_HASH public 5
FORMAT_PEM public 0
FORMAT_DER public 1
FORMAT_SPKAC public 2
FORMAT_AUTO_DETECT public 3
ATTR_ALL public -1
ATTR_APPEND public -2
ATTR_REPLACE public -3

Properties

Certificate

ASN.1 syntax for X.509 certificates

public array $Certificate

DirectoryString

public $DirectoryString

PKCS9String

public $PKCS9String

AttributeValue

public $AttributeValue

Extensions

public $Extensions

KeyUsage

public $KeyUsage

ExtKeyUsageSyntax

public $ExtKeyUsageSyntax

BasicConstraints

public $BasicConstraints

KeyIdentifier

public $KeyIdentifier

CRLDistributionPoints

public $CRLDistributionPoints

AuthorityKeyIdentifier

public $AuthorityKeyIdentifier

CertificatePolicies

public $CertificatePolicies

AuthorityInfoAccessSyntax

public $AuthorityInfoAccessSyntax

SubjectInfoAccessSyntax

public $SubjectInfoAccessSyntax

SubjectAltName

public $SubjectAltName

SubjectDirectoryAttributes

public $SubjectDirectoryAttributes

PrivateKeyUsagePeriod

public $PrivateKeyUsagePeriod

IssuerAltName

public $IssuerAltName

PolicyMappings

public $PolicyMappings

NameConstraints

public $NameConstraints

CPSuri

public $CPSuri

UserNotice

public $UserNotice

netscape_cert_type

public $netscape_cert_type

netscape_comment

public $netscape_comment

netscape_ca_policy_url

public $netscape_ca_policy_url

Name

public $Name

RelativeDistinguishedName

public $RelativeDistinguishedName

CRLNumber

public $CRLNumber

CRLReason

public $CRLReason

IssuingDistributionPoint

public $IssuingDistributionPoint

InvalidityDate

public $InvalidityDate

CertificateIssuer

public $CertificateIssuer

HoldInstructionCode

public $HoldInstructionCode

SignedPublicKeyAndChallenge

public $SignedPublicKeyAndChallenge

PostalAddress

public $PostalAddress

CertificationRequest

ASN.1 syntax for Certificate Signing Requests (RFC2986)

public array $CertificationRequest

CertificateList

ASN.1 syntax for Certificate Revocation Lists (RFC5280)

public array $CertificateList

dn

Distinguished Name

public array $dn

publicKey

Public key

public string $publicKey

privateKey

Private key

public string $privateKey

oids

Object identifiers for X.509 certificates

public array $oids

See Also:

  • http://en.wikipedia.org/wiki/Object_identifier -

CAs

The certificate authorities

public array $CAs

currentCert

The currently loaded certificate

public array $currentCert

signatureSubject

The signature subject

public string $signatureSubject

There's no guarantee \phpseclib\File\X509 is going to re-encode an X.509 cert in the same way it was originally encoded so we take save the portion of the original cert that the signature would have made for.

startDate

Certificate Start Date

public string $startDate

endDate

Certificate End Date

public string $endDate

serialNumber

Serial Number

public string $serialNumber

currentKeyIdentifier

Key Identifier

public string $currentKeyIdentifier

See {@link http://tools.ietf.org/html/rfc5280#section-4.2.1.1} and {@link http://tools.ietf.org/html/rfc5280#section-4.2.1.2}.

caFlag

CA Flag

public bool $caFlag

challenge

SPKAC Challenge

public string $challenge

recur_limit

Recursion Limit

public static int $recur_limit
  • This property is static.

disable_url_fetch

URL fetch flag

public static bool $disable_url_fetch
  • This property is static.

Methods

__construct

Default Constructor.

public __construct(): \phpseclib\File\X509

loadX509

Load X.509 certificate

public loadX509(string $cert, int $mode = self::FORMAT_AUTO_DETECT): mixed

Returns an associative array describing the X.509 cert or a false if the cert failed to load

Parameters:

Parameter Type Description
$cert string
$mode int

saveX509

Save X.509 certificate

public saveX509(array $cert, int $format = self::FORMAT_PEM): string

Parameters:

Parameter Type Description
$cert array
$format int optional

_mapInExtensions

Map extension values from octet string to extension-specific internal format.

public _mapInExtensions(array& $root, string $path, object $asn1): mixed

Parameters:

Parameter Type Description
$root array (by reference)
$path string
$asn1 object

_mapOutExtensions

Map extension values from extension-specific internal format to octet string.

public _mapOutExtensions(array& $root, string $path, object $asn1): mixed

Parameters:

Parameter Type Description
$root array (by reference)
$path string
$asn1 object

_mapInAttributes

Map attribute values from ANY type to attribute-specific internal format.

public _mapInAttributes(array& $root, string $path, object $asn1): mixed

Parameters:

Parameter Type Description
$root array (by reference)
$path string
$asn1 object

_mapOutAttributes

Map attribute values from attribute-specific internal format to ANY type.

public _mapOutAttributes(array& $root, string $path, object $asn1): mixed

Parameters:

Parameter Type Description
$root array (by reference)
$path string
$asn1 object

_mapInDNs

Map DN values from ANY type to DN-specific internal format.

public _mapInDNs(array& $root, string $path, object $asn1): mixed

Parameters:

Parameter Type Description
$root array (by reference)
$path string
$asn1 object

_mapOutDNs

Map DN values from DN-specific internal format to ANY type.

public _mapOutDNs(array& $root, string $path, object $asn1): mixed

Parameters:

Parameter Type Description
$root array (by reference)
$path string
$asn1 object

_getMapping

Associate an extension ID to an extension mapping

public _getMapping(string $extnId): mixed

Parameters:

Parameter Type Description
$extnId string

loadCA

Load an X.509 certificate as a certificate authority

public loadCA(string $cert): bool

Parameters:

Parameter Type Description
$cert string

validateURL

Validate an X.509 certificate against a URL

public validateURL(string $url): bool

From RFC2818 "HTTP over TLS":

Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., .a.com matches foo.a.com but not bar.foo.a.com. f.com matches foo.com but not bar.com.

Parameters:

Parameter Type Description
$url string

validateDate

Validate a date

public validateDate(\DateTime|string $date = null): mixed

If $date isn't defined it is assumed to be the current date.

Parameters:

Parameter Type Description
$date \DateTime|string optional

_fetchURL

Fetches a URL

public static _fetchURL(string $url): bool|string
  • This method is static.

Parameters:

Parameter Type Description
$url string

_testForIntermediate

Validates an intermediate cert as identified via authority info access extension

public _testForIntermediate(bool $caonly, int $count): bool

See https://tools.ietf.org/html/rfc4325 for more info

Parameters:

Parameter Type Description
$caonly bool
$count int

validateSignature

Validate a signature

public validateSignature(bool $caonly = true): mixed

Works on X.509 certs, CSR's and CRL's. Returns true if the signature is verified, false if it is not correct or null on error

By default returns false for self-signed certs. Call validateSignature(false) to make this support self-signed.

The behavior of this function is inspired by {@link http://php.net/openssl-verify}.

Parameters:

Parameter Type Description
$caonly bool optional

_validateSignatureCountable

Validate a signature

public _validateSignatureCountable(bool $caonly, int $count): mixed

Performs said validation whilst keeping track of how many times validation method is called

Parameters:

Parameter Type Description
$caonly bool
$count int

_validateSignature

Validates a signature

public _validateSignature(string $publicKeyAlgorithm, string $publicKey, string $signatureAlgorithm, string $signature, string $signatureSubject): int

Returns true if the signature is verified, false if it is not correct or null on error

Parameters:

Parameter Type Description
$publicKeyAlgorithm string
$publicKey string
$signatureAlgorithm string
$signature string
$signatureSubject string

setRecurLimit

Sets the recursion limit

public static setRecurLimit(int $count): mixed

When validating a signature it may be necessary to download intermediate certs from URI's. An intermediate cert that linked to itself would result in an infinite loop so to prevent that we set a recursion limit. A negative number means that there is no recursion limit.

  • This method is static.

Parameters:

Parameter Type Description
$count int

disableURLFetch

Prevents URIs from being automatically retrieved

public static disableURLFetch(): mixed
  • This method is static.

enableURLFetch

Allows URIs to be automatically retrieved

public static enableURLFetch(): mixed
  • This method is static.

_reformatKey

Reformat public keys

public _reformatKey(string $algorithm, string $key): string

Reformats a public key to a format supported by phpseclib (if applicable)

Parameters:

Parameter Type Description
$algorithm string
$key string

_decodeIP

Decodes an IP address

public _decodeIP(string $ip): string

Takes in a base64 encoded "blob" and returns a human readable IP address

Parameters:

Parameter Type Description
$ip string

_decodeNameConstraintIP

Decodes an IP address in a name constraints extension

public _decodeNameConstraintIP(string $ip): array

Takes in a base64 encoded "blob" and returns a human readable IP address / mask

Parameters:

Parameter Type Description
$ip string

_encodeIP

Encodes an IP address

public _encodeIP(string|array $ip): string

Takes a human readable IP address into a base64-encoded "blob"

Parameters:

Parameter Type Description
$ip string|array

_translateDNProp

"Normalizes" a Distinguished Name property

public _translateDNProp(string $propName): mixed

Parameters:

Parameter Type Description
$propName string

setDNProp

Set a Distinguished Name property

public setDNProp(string $propName, mixed $propValue, string $type = 'utf8String'): bool

Parameters:

Parameter Type Description
$propName string
$propValue mixed
$type string optional

removeDNProp

Remove Distinguished Name properties

public removeDNProp(string $propName): mixed

Parameters:

Parameter Type Description
$propName string

getDNProp

Get Distinguished Name properties

public getDNProp(string $propName, array $dn = null, bool $withType = false): mixed

Parameters:

Parameter Type Description
$propName string
$dn array optional
$withType bool optional

setDN

Set a Distinguished Name

public setDN(mixed $dn, bool $merge = false, string $type = 'utf8String'): bool

Parameters:

Parameter Type Description
$dn mixed
$merge bool optional
$type string optional

getDN

Get the Distinguished Name for a certificates subject

public getDN(mixed $format = self::DN_ARRAY, array $dn = null): bool

Parameters:

Parameter Type Description
$format mixed optional
$dn array optional

getIssuerDN

Get the Distinguished Name for a certificate/crl issuer

public getIssuerDN(int $format = self::DN_ARRAY): mixed

Parameters:

Parameter Type Description
$format int optional

getSubjectDN

Get the Distinguished Name for a certificate/csr subject Alias of getDN()

public getSubjectDN(int $format = self::DN_ARRAY): mixed

Parameters:

Parameter Type Description
$format int optional

getIssuerDNProp

Get an individual Distinguished Name property for a certificate/crl issuer

public getIssuerDNProp(string $propName, bool $withType = false): mixed

Parameters:

Parameter Type Description
$propName string
$withType bool optional

getSubjectDNProp

Get an individual Distinguished Name property for a certificate/csr subject

public getSubjectDNProp(string $propName, bool $withType = false): mixed

Parameters:

Parameter Type Description
$propName string
$withType bool optional

getChain

Get the certificate chain for the current cert

public getChain(): mixed

setPublicKey

Set public key

public setPublicKey(object $key): bool

Key needs to be a \phpseclib\Crypt\RSA object

Parameters:

Parameter Type Description
$key object

setPrivateKey

Set private key

public setPrivateKey(object $key): mixed

Key needs to be a \phpseclib\Crypt\RSA object

Parameters:

Parameter Type Description
$key object

setChallenge

Set challenge

public setChallenge(string $challenge): mixed

Used for SPKAC CSR's

Parameters:

Parameter Type Description
$challenge string

getPublicKey

Gets the public key

public getPublicKey(): mixed

Returns a \phpseclib\Crypt\RSA object or a false.

loadCSR

Load a Certificate Signing Request

public loadCSR(string|array $csr, int $mode = self::FORMAT_AUTO_DETECT): mixed

Parameters:

Parameter Type Description
$csr string|array
$mode int

saveCSR

Save CSR request

public saveCSR(array $csr, int $format = self::FORMAT_PEM): string

Parameters:

Parameter Type Description
$csr array
$format int optional

loadSPKAC

Load a SPKAC CSR

public loadSPKAC(string|array $spkac): mixed

SPKAC's are produced by the HTML5 keygen element:

https://developer.mozilla.org/en-US/docs/HTML/Element/keygen

Parameters:

Parameter Type Description
$spkac string|array

saveSPKAC

Save a SPKAC CSR request

public saveSPKAC(string|array $spkac, int $format = self::FORMAT_PEM): string

Parameters:

Parameter Type Description
$spkac string|array
$format int optional

loadCRL

Load a Certificate Revocation List

public loadCRL(string $crl, int $mode = self::FORMAT_AUTO_DETECT): mixed

Parameters:

Parameter Type Description
$crl string
$mode int

saveCRL

Save Certificate Revocation List.

public saveCRL(array $crl, int $format = self::FORMAT_PEM): string

Parameters:

Parameter Type Description
$crl array
$format int optional

_timeField

Helper function to build a time field according to RFC 3280 section - 4.1.2.5 Validity - 5.1.2.4 This Update - 5.1.2.5 Next Update - 5.1.2.6 Revoked Certificates by choosing utcTime iff year of date given is before 2050 and generalTime else.

public _timeField(string $date): array

Parameters:

Parameter Type Description
$date string in format date('D, d M Y H:i:s O')

sign

Sign an X.509 certificate

public sign(\phpseclib\File\X509 $issuer, \phpseclib\File\X509 $subject, string $signatureAlgorithm = 'sha1WithRSAEncryption'): mixed

$issuer's private key needs to be loaded. $subject can be either an existing X.509 cert (if you want to resign it), a CSR or something with the DN and public key explicitly set.

Parameters:

Parameter Type Description
$issuer \phpseclib\File\X509
$subject \phpseclib\File\X509
$signatureAlgorithm string optional

signCSR

Sign a CSR

public signCSR(mixed $signatureAlgorithm = 'sha1WithRSAEncryption'): mixed

Parameters:

Parameter Type Description
$signatureAlgorithm mixed

signSPKAC

Sign a SPKAC

public signSPKAC(mixed $signatureAlgorithm = 'sha1WithRSAEncryption'): mixed

Parameters:

Parameter Type Description
$signatureAlgorithm mixed

signCRL

Sign a CRL

public signCRL(\phpseclib\File\X509 $issuer, \phpseclib\File\X509 $crl, string $signatureAlgorithm = 'sha1WithRSAEncryption'): mixed

$issuer's private key needs to be loaded.

Parameters:

Parameter Type Description
$issuer \phpseclib\File\X509
$crl \phpseclib\File\X509
$signatureAlgorithm string optional

_sign

X.509 certificate signing helper function.

public _sign(\phpseclib\File\X509 $key, string $signatureAlgorithm): mixed

Parameters:

Parameter Type Description
$key \phpseclib\File\X509
$signatureAlgorithm string

setStartDate

Set certificate start date

public setStartDate(string $date): mixed

Parameters:

Parameter Type Description
$date string

setEndDate

Set certificate end date

public setEndDate(string $date): mixed

Parameters:

Parameter Type Description
$date string

setSerialNumber

Set Serial Number

public setSerialNumber(string $serial, int $base = -256): mixed

Parameters:

Parameter Type Description
$serial string
$base int optional

makeCA

Turns the certificate into a certificate authority

public makeCA(): mixed

_isSubArrayValid

Check for validity of subarray

public _isSubArrayValid(array $root, string $path): bool

This is intended for use in conjunction with _subArrayUnchecked(), implementing the checks included in _subArray() but without copying a potentially large array by passing its reference by-value to is_array().

Parameters:

Parameter Type Description
$root array
$path string

_subArrayUnchecked

Get a reference to a subarray

public _subArrayUnchecked(array& $root, string $path, bool $create = false): array|false

This variant of _subArray() does no is_array() checking, so $root should be checked with _isSubArrayValid() first.

This is here for performance reasons: Passing a reference (i.e. $root) by-value (i.e. to is_array()) creates a copy. If $root is an especially large array, this is expensive.

Parameters:

Parameter Type Description
$root array
$path string absolute path with / as component separator
$create bool optional

_subArray

Get a reference to a subarray

public _subArray(array& $root, string $path, bool $create = false): array|false

Parameters:

Parameter Type Description
$root array
$path string absolute path with / as component separator
$create bool optional

_extensions

Get a reference to an extension subarray

public _extensions(array& $root, string $path = null, bool $create = false): array|false

Parameters:

Parameter Type Description
$root array
$path string optional absolute path with / as component separator
$create bool optional

_removeExtension

Remove an Extension

public _removeExtension(string $id, string $path = null): bool

Parameters:

Parameter Type Description
$id string
$path string optional

_getExtension

Get an Extension

public _getExtension(string $id, array $cert = null, string $path = null): mixed

Returns the extension if it exists and false if not

Parameters:

Parameter Type Description
$id string
$cert array optional
$path string optional

_getExtensions

Returns a list of all extensions in use

public _getExtensions(array $cert = null, string $path = null): array

Parameters:

Parameter Type Description
$cert array optional
$path string optional

_setExtension

Set an Extension

public _setExtension(string $id, mixed $value, bool $critical = false, bool $replace = true, string $path = null): bool

Parameters:

Parameter Type Description
$id string
$value mixed
$critical bool optional
$replace bool optional
$path string optional

removeExtension

Remove a certificate, CSR or CRL Extension

public removeExtension(string $id): bool

Parameters:

Parameter Type Description
$id string

getExtension

Get a certificate, CSR or CRL Extension

public getExtension(string $id, array $cert = null): mixed

Returns the extension if it exists and false if not

Parameters:

Parameter Type Description
$id string
$cert array optional

getExtensions

Returns a list of all extensions in use in certificate, CSR or CRL

public getExtensions(array $cert = null): array

Parameters:

Parameter Type Description
$cert array optional

setExtension

Set a certificate, CSR or CRL Extension

public setExtension(string $id, mixed $value, bool $critical = false, bool $replace = true): bool

Parameters:

Parameter Type Description
$id string
$value mixed
$critical bool optional
$replace bool optional

removeAttribute

Remove a CSR attribute.

public removeAttribute(string $id, int $disposition = self::ATTR_ALL): bool

Parameters:

Parameter Type Description
$id string
$disposition int optional

getAttribute

Get a CSR attribute

public getAttribute(string $id, int $disposition = self::ATTR_ALL, array $csr = null): mixed

Returns the attribute if it exists and false if not

Parameters:

Parameter Type Description
$id string
$disposition int optional
$csr array optional

getAttributes

Returns a list of all CSR attributes in use

public getAttributes(array $csr = null): array

Parameters:

Parameter Type Description
$csr array optional

setAttribute

Set a CSR attribute

public setAttribute(string $id, mixed $value, bool $disposition = self::ATTR_ALL): bool

Parameters:

Parameter Type Description
$id string
$value mixed
$disposition bool optional

setKeyIdentifier

Sets the subject key identifier

public setKeyIdentifier(string $value): mixed

This is used by the id-ce-authorityKeyIdentifier and the id-ce-subjectKeyIdentifier extensions.

Parameters:

Parameter Type Description
$value string

computeKeyIdentifier

Compute a public key identifier.

public computeKeyIdentifier(mixed $key = null, int $method = 1): string

Although key identifiers may be set to any unique value, this function computes key identifiers from public key according to the two recommended methods (4.2.1.2 RFC 3280). Highly polymorphic: try to accept all possible forms of key: - Key object - \phpseclib\File\X509 object with public or private key defined - Certificate or CSR array - \phpseclib\File\ASN1\Element object - PEM or DER string

Parameters:

Parameter Type Description
$key mixed optional
$method int optional

Return Value:

binary key identifier

_formatSubjectPublicKey

Format a public key as appropriate

public _formatSubjectPublicKey(): array

setDomain

Set the domain name's which the cert is to be valid for

public setDomain(): array

setIPAddress

Set the IP Addresses's which the cert is to be valid for

public setIPAddress(): mixed

_dnsName

Helper function to build domain array

public _dnsName(string $domain): array

Parameters:

Parameter Type Description
$domain string

_iPAddress

Helper function to build IP Address array

public _iPAddress(string $address): array

(IPv6 is not currently supported)

Parameters:

Parameter Type Description
$address string

_revokedCertificate

Get the index of a revoked certificate.

public _revokedCertificate(array& $rclist, string $serial, bool $create = false): int|false

Parameters:

Parameter Type Description
$rclist array
$serial string
$create bool optional

revoke

Revoke a certificate.

public revoke(string $serial, string $date = null): bool

Parameters:

Parameter Type Description
$serial string
$date string optional

unrevoke

Unrevoke a certificate.

public unrevoke(string $serial): bool

Parameters:

Parameter Type Description
$serial string

getRevoked

Get a revoked certificate.

public getRevoked(string $serial): mixed

Parameters:

Parameter Type Description
$serial string

listRevoked

List revoked certificates

public listRevoked(array $crl = null): array

Parameters:

Parameter Type Description
$crl array optional

removeRevokedCertificateExtension

Remove a Revoked Certificate Extension

public removeRevokedCertificateExtension(string $serial, string $id): bool

Parameters:

Parameter Type Description
$serial string
$id string

getRevokedCertificateExtension

Get a Revoked Certificate Extension

public getRevokedCertificateExtension(string $serial, string $id, array $crl = null): mixed

Returns the extension if it exists and false if not

Parameters:

Parameter Type Description
$serial string
$id string
$crl array optional

getRevokedCertificateExtensions

Returns a list of all extensions in use for a given revoked certificate

public getRevokedCertificateExtensions(string $serial, array $crl = null): array

Parameters:

Parameter Type Description
$serial string
$crl array optional

setRevokedCertificateExtension

Set a Revoked Certificate Extension

public setRevokedCertificateExtension(string $serial, string $id, mixed $value, bool $critical = false, bool $replace = true): bool

Parameters:

Parameter Type Description
$serial string
$id string
$value mixed
$critical bool optional
$replace bool optional

_extractBER

Extract raw BER from Base64 encoding

public _extractBER(string $str): string

Parameters:

Parameter Type Description
$str string

getOID

Returns the OID corresponding to a name

public getOID(mixed $name): string

What's returned in the associative array returned by loadX509() (or load*()) is either a name or an OID if no OID to name mapping is available. The problem with this is that what may be an unmapped OID in one version of phpseclib may not be unmapped in the next version, so apps that are looking at this OID may not be able to work from version to version.

This method will return the OID if a name is passed to it and if no mapping is avialable it'll assume that what's being passed to it already is an OID and return that instead. A few examples.

getOID('2.16.840.1.101.3.4.2.1') == '2.16.840.1.101.3.4.2.1' getOID('id-sha256') == '2.16.840.1.101.3.4.2.1' getOID('zzz') == 'zzz'

Parameters:

Parameter Type Description
$name mixed

Automatically generated on 2025-03-18