An example X509\CollectionInterface implementation that uses PDO under the hood.
During development, two additional interfaces were implemented in SetaPDF and are used in this
project to get the best performance: X509\Collection\FindBySubjectKeyIdentifierInterface
and X509\Collection\FindByKeyHashInterface.
This implementation shows how you can use a database as a source of e.g. trusted certificates
for the ValidationRelatedInfo\Collector class.
For testing we use a snapshot of the EUTL (created by tl-create). Please make sure that you implement your own update mechanism to keep the list up-to-date!
The implementation is technically independent of the database backend. It only requires a table with the following columns, types and indexes:
| Column | Type | Index / PK | Info |
|---|---|---|---|
| tlVersion | varchar(400) | PK (version + digest) | A trust list version identification |
| digest | char(20) | PK (version + digest) | The hash (SHA-1) of the certificate |
| keyHash | char(20) | Index | The hash (SHA-1) of the public key |
| subject | varchar(400) | Index | Longest subject in the EUTL is currently 274 bytes long. |
| issuer | varchar(400) | Index | Longest issuer in the EUTL is currently 244 bytes long. |
| validFrom | uint(11) | | A unix timestamp |
| validTo | uint(11) | | A unix timestamp |
| serialNumber | varchar(42) | | Hexadecimal string |
| subjectKeyIdentifier | varchar(64) | Index | Hexadecimal string |
| certificate | varchar(6000) | | The PEM encoded certificate (largest certificate in the EUTL is 4381 bytes). |
We use SQLite for testing purposes. You can find the script that creates the table and fills it with the certificates of the EUTL here.
Just create an instance of the PdoCollection class and pass it to e.g. the trusted
certificates' collection:

```php
$path = 'sqlite:path/to/db.sqlite';
$dbh = new PDO($path);
// The second argument selects the trust list version (tlVersion column) to query
$collection = new PdoCollection($dbh, '<VERSION-IDENTIFIER>');
$collector = new ValidationRelatedInfo\Collector();
$collector->getTrustedCertificates()->add($collection);
// ...
```

Please note that this class is only an example implementation and we build it in the
setasign\SetaPDF2\Demos\Signer\X509\Collection namespace to show that it is only a
demonstration. You should create your own implementation in your own namespace.
For demonstration purposes we added demos that rely on an SQLite database.
You have to execute the script /examples/create-tbl.php to create the SQLite
database in the /assets folder and import all certificates of the EUTL dump
into it. The script will also write a timestamp into the file
/assets/version.data which is later used by all examples as its trust list
version identification.
Then you can simply execute any other script in the /examples folder.
As such collection instances are mostly used internally by the SetaPDF-Signer component, the
subject and issuer strings are generated internally by the DistinguishedName::getAsString()
method, based on an underlying ASN.1 structure.
This method uses the static DistinguishedName::$separator property to separate the
individual parts of the name. This static property has to be kept in sync with how the
data was stored in the database; otherwise lookups by subject or issuer will not match.
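As an added example (not part of the project or of SetaPDF), the following script builds the table described above in an in-memory SQLite database, stores one constructed self-signed certificate and looks it up by keyHash, which is the query a FindByKeyHashInterface implementation has to issue. It assumes that digest is the SHA-1 of the DER certificate and keyHash the SHA-1 of the DER SubjectPublicKeyInfo, both stored as raw 20-byte strings; the table name `certificates` and the index names are also assumptions.

```php
<?php
// Added demo, not project code. Assumptions (not confirmed by the README): digest = SHA-1
// of the DER certificate, keyHash = SHA-1 of the DER SubjectPublicKeyInfo, raw bytes.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE certificates (
    tlVersion VARCHAR(400) NOT NULL, digest CHAR(20) NOT NULL, keyHash CHAR(20) NOT NULL,
    subject VARCHAR(400) NOT NULL, issuer VARCHAR(400) NOT NULL,
    validFrom INTEGER NOT NULL, validTo INTEGER NOT NULL, serialNumber VARCHAR(42) NOT NULL,
    subjectKeyIdentifier VARCHAR(64), certificate VARCHAR(6000) NOT NULL,
    PRIMARY KEY (tlVersion, digest))');
foreach (['keyHash', 'subject', 'issuer', 'subjectKeyIdentifier'] as $col) {
    $dbh->exec("CREATE INDEX idx_$col ON certificates ($col)");
}

// Constructed test data: a throw-away self-signed certificate generated at runtime.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$dn = ['countryName' => 'DE', 'organizationName' => 'Demo TSP', 'commonName' => 'Demo Root CA'];
$csr = openssl_csr_new($dn, $key, ['digest_alg' => 'sha256']);
$x509 = openssl_csr_sign($csr, null, $key, 365, ['digest_alg' => 'sha256']);
openssl_x509_export($x509, $pem);
$info = openssl_x509_parse($x509);

// Strip the PEM armor to obtain the DER certificate and the DER SubjectPublicKeyInfo.
$pemToDer = fn(string $p) => base64_decode(preg_replace('/-----[^-]+-----|\s/', '', $p));
$der  = $pemToDer($pem);
$spki = $pemToDer(openssl_pkey_get_details(openssl_pkey_get_public($x509))['key']);
$ski = isset($info['extensions']['subjectKeyIdentifier'])
    ? str_replace(':', '', $info['extensions']['subjectKeyIdentifier']) : null;

// subject/issuer use OpenSSL's "/C=.../CN=..." form here. With SetaPDF-Signer the stored
// strings must come from DistinguishedName::getAsString() with the same $separator,
// otherwise lookups by subject or issuer will never match.
$dbh->prepare('INSERT INTO certificates VALUES (?,?,?,?,?,?,?,?,?,?)')->execute([
    'demo-version', sha1($der, true), sha1($spki, true), $info['name'], $info['name'],
    $info['validFrom_time_t'], $info['validTo_time_t'], $info['serialNumberHex'], $ski, $pem,
]);

// The lookup a FindByKeyHashInterface implementation issues: always scoped to one
// trust list version, so an outdated snapshot can never be mixed with a newer one.
$sel = $dbh->prepare('SELECT certificate FROM certificates WHERE tlVersion = ? AND keyHash = ?');
$sel->execute(['demo-version', sha1($spki, true)]);
$row = $sel->fetch(PDO::FETCH_ASSOC);
echo ($row && $row['certificate'] === $pem) ? "found by keyHash\n" : "not found\n";
```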