v1.5.2 - Use certificate serial number for rate limiting

Vitexus · Vitexus · commit 1d063aa7c3dd · 2025-11-21T20:04:48.000+01:00
- Renamed getCertificateFingerprint() to getCertificateSerialNumber()

- Now uses decimal serial number from certificate for client identification

- Updated both ApiClient.php and template to preserve changes
diff --git a/.openapi-generator/templates/ApiClient.mustache b/.openapi-generator/templates/ApiClient.mustache
@@ -253,7 +253,7 @@ class ApiClient extends \GuzzleHttp\Client
      *
      * @return string SHA1 fingerprint of the certificate in lowercase hex format
      */
-    public function getCertificateFingerprint(): string
+    public function getCertificateSerialNumber(): string
     {
         if ($this->certFingerprint !== null) {
             return $this->certFingerprint;
@@ -312,7 +312,7 @@ class ApiClient extends \GuzzleHttp\Client
      */
     public function send(\Psr\Http\Message\RequestInterface $request, array $options = []): \Psr\Http\Message\ResponseInterface
     {
-        $certFingerprint = $this->getCertificateFingerprint();
+        $certFingerprint = $this->getCertificateSerialNumber();
 
         $this->rateLimiter->checkBeforeRequest($certFingerprint);
 
@@ -351,7 +351,7 @@ class ApiClient extends \GuzzleHttp\Client
             $remainingSecond = (int) $response->getHeaderLine('x-ratelimit-remaining-second');
             $remainingDay = (int) $response->getHeaderLine('x-ratelimit-remaining-day');
             $timestamp = time();
-            $certFingerprint = $this->getCertificateFingerprint();
+            $certFingerprint = $this->getCertificateSerialNumber();
             $this->rateLimiter->handleRateLimits($certFingerprint, $remainingSecond, $remainingDay, $timestamp);
         }
     }
diff --git a/debian/changelog b/debian/changelog
@@ -1,3 +1,12 @@
+php-vitexsoftware-rbczpremiumapi (1.5.2) unstable; urgency=medium
+
+  * Use certificate serial number instead of SHA1 fingerprint for rate limiting
+    - Renamed getCertificateFingerprint() to getCertificateSerialNumber()
+    - Now uses decimal serial number from certificate for client identification
+    - Updated both ApiClient.php and template to preserve changes
+
+ -- vitex <info@vitexsoftware.cz>  Thu, 21 Nov 2025 19:02:00 +0100
+
 php-vitexsoftware-rbczpremiumapi (1.5.1) unstable; urgency=medium
 
   * Fix rate limiting to use certificate fingerprint instead of X-IBM-Client-Id
diff --git a/lib/ApiClient.php b/lib/ApiClient.php
@@ -244,16 +244,16 @@ public static function getxRequestId()
     }
 
     /**
-     * Calculate and return the SHA1 fingerprint of the certificate used for mTLS.
+     * Get the decimal serial number of the certificate used for mTLS.
      *
-     * This fingerprint is used as the client identifier for rate limiting,
+     * This serial number is used as the client identifier for rate limiting,
      * as rate limits in the API are tied to the certificate, not to X-IBM-Client-Id.
      *
      * @throws \Exception if unable to read or parse the certificate
      *
-     * @return string SHA1 fingerprint of the certificate in lowercase hex format
+     * @return string Decimal serial number of the certificate
      */
-    public function getCertificateFingerprint(): string
+    public function getCertificateSerialNumber(): string
     {
         if ($this->certFingerprint !== null) {
             return $this->certFingerprint;
@@ -285,13 +285,14 @@ public function getCertificateFingerprint(): string
             throw new \Exception('Unable to read X509 certificate: '.openssl_error_string());
         }
 
-        $fingerprint = openssl_x509_fingerprint($certResource, 'sha1');
+        $certData = openssl_x509_parse($certResource);
 
-        if ($fingerprint === false) {
-            throw new \Exception('Unable to calculate certificate fingerprint: '.openssl_error_string());
+        if ($certData === false || !isset($certData['serialNumber'])) {
+            throw new \Exception('Unable to parse certificate data: '.openssl_error_string());
         }
 
-        $this->certFingerprint = strtolower($fingerprint);
+        // serialNumber from openssl_x509_parse is already in decimal format
+        $this->certFingerprint = $certData['serialNumber'];
 
         return $this->certFingerprint;
     }
@@ -300,7 +301,7 @@ public function getCertificateFingerprint(): string
      * Send an HTTP request while enforcing and updating client rate limits.
      *
      * Rate limits are enforced per certificate (not per X-IBM-Client-Id).
-     * The certificate fingerprint is used as the client identifier.
+     * The certificate serial number is used as the client identifier.
      *
      * @param \Psr\Http\Message\RequestInterface $request the HTTP request to send
      * @param array                              $options Request options to apply to the transfer. See \GuzzleHttp\RequestOptions.
@@ -312,7 +313,7 @@ public function getCertificateFingerprint(): string
      */
     public function send(\Psr\Http\Message\RequestInterface $request, array $options = []): \Psr\Http\Message\ResponseInterface
     {
-        $certFingerprint = $this->getCertificateFingerprint();
+        $certFingerprint = $this->getCertificateSerialNumber();
 
         $this->rateLimiter->checkBeforeRequest($certFingerprint);
 
@@ -341,7 +342,7 @@ public function send(\Psr\Http\Message\RequestInterface $request, array $options
     /**
      * Update rate limits from API response headers.
      *
-     * Uses the certificate fingerprint as the client identifier for storing rate limits.
+     * Uses the certificate serial number as the client identifier for storing rate limits.
      *
      * @param \Psr\Http\Message\ResponseInterface $response the HTTP response containing rate limit headers
      */
@@ -351,7 +352,7 @@ private function updateRateLimitsFromResponse(\Psr\Http\Message\ResponseInterfac
             $remainingSecond = (int) $response->getHeaderLine('x-ratelimit-remaining-second');
             $remainingDay = (int) $response->getHeaderLine('x-ratelimit-remaining-day');
             $timestamp = time();
-            $certFingerprint = $this->getCertificateFingerprint();
+            $certFingerprint = $this->getCertificateSerialNumber();
             $this->rateLimiter->handleRateLimits($certFingerprint, $remainingSecond, $remainingDay, $timestamp);
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -253,7 +253,7 @@ class ApiClient extends \GuzzleHttp\Client`
`253`	`253`	`*`
`254`	`254`	`* @return string SHA1 fingerprint of the certificate in lowercase hex format`
`255`	`255`	`*/`
`256`		`- public function getCertificateFingerprint(): string`
	`256`	`+ public function getCertificateSerialNumber(): string`
`257`	`257`	`{`
`258`	`258`	`if ($this->certFingerprint !== null) {`
`259`	`259`	`return $this->certFingerprint;`
`@@ -312,7 +312,7 @@ class ApiClient extends \GuzzleHttp\Client`
`312`	`312`	`*/`
`313`	`313`	`public function send(\Psr\Http\Message\RequestInterface $request, array $options = []): \Psr\Http\Message\ResponseInterface`
`314`	`314`	`{`
`315`		`- $certFingerprint = $this->getCertificateFingerprint();`
	`315`	`+ $certFingerprint = $this->getCertificateSerialNumber();`
`316`	`316`
`317`	`317`	`$this->rateLimiter->checkBeforeRequest($certFingerprint);`
`318`	`318`
`@@ -351,7 +351,7 @@ class ApiClient extends \GuzzleHttp\Client`
`351`	`351`	`$remainingSecond = (int) $response->getHeaderLine('x-ratelimit-remaining-second');`
`352`	`352`	`$remainingDay = (int) $response->getHeaderLine('x-ratelimit-remaining-day');`
`353`	`353`	`$timestamp = time();`
`354`		`- $certFingerprint = $this->getCertificateFingerprint();`
	`354`	`+ $certFingerprint = $this->getCertificateSerialNumber();`
`355`	`355`	`$this->rateLimiter->handleRateLimits($certFingerprint, $remainingSecond, $remainingDay, $timestamp);`
`356`	`356`	`}`
`357`	`357`	`}`
Original file line number	Diff line number	Diff line change
`@@ -244,16 +244,16 @@ public static function getxRequestId()`
`244`	`244`	`}`
`245`	`245`
`246`	`246`	`/**`
`247`		`- * Calculate and return the SHA1 fingerprint of the certificate used for mTLS.`
	`247`	`+ * Get the decimal serial number of the certificate used for mTLS.`
`248`	`248`	`*`
`249`		`- * This fingerprint is used as the client identifier for rate limiting,`
	`249`	`+ * This serial number is used as the client identifier for rate limiting,`
`250`	`250`	`* as rate limits in the API are tied to the certificate, not to X-IBM-Client-Id.`
`251`	`251`	`*`
`252`	`252`	`* @throws \Exception if unable to read or parse the certificate`
`253`	`253`	`*`
`254`		`- * @return string SHA1 fingerprint of the certificate in lowercase hex format`
	`254`	`+ * @return string Decimal serial number of the certificate`
`255`	`255`	`*/`
`256`		`- public function getCertificateFingerprint(): string`
	`256`	`+ public function getCertificateSerialNumber(): string`
`257`	`257`	`{`
`258`	`258`	`if ($this->certFingerprint !== null) {`
`259`	`259`	`return $this->certFingerprint;`
`@@ -285,13 +285,14 @@ public function getCertificateFingerprint(): string`
`285`	`285`	`throw new \Exception('Unable to read X509 certificate: '.openssl_error_string());`
`286`	`286`	`}`
`287`	`287`
`288`		`- $fingerprint = openssl_x509_fingerprint($certResource, 'sha1');`
	`288`	`+ $certData = openssl_x509_parse($certResource);`
`289`	`289`
`290`		`- if ($fingerprint === false) {`
`291`		`- throw new \Exception('Unable to calculate certificate fingerprint: '.openssl_error_string());`
	`290`	`+ if ($certData === false \|\| !isset($certData['serialNumber'])) {`
	`291`	`+ throw new \Exception('Unable to parse certificate data: '.openssl_error_string());`
`292`	`292`	`}`
`293`	`293`
`294`		`- $this->certFingerprint = strtolower($fingerprint);`
	`294`	`+ // serialNumber from openssl_x509_parse is already in decimal format`
	`295`	`+ $this->certFingerprint = $certData['serialNumber'];`
`295`	`296`
`296`	`297`	`return $this->certFingerprint;`
`297`	`298`	`}`
`@@ -300,7 +301,7 @@ public function getCertificateFingerprint(): string`
`300`	`301`	`* Send an HTTP request while enforcing and updating client rate limits.`
`301`	`302`	`*`
`302`	`303`	`* Rate limits are enforced per certificate (not per X-IBM-Client-Id).`
`303`		`- * The certificate fingerprint is used as the client identifier.`
	`304`	`+ * The certificate serial number is used as the client identifier.`
`304`	`305`	`*`
`305`	`306`	`* @param \Psr\Http\Message\RequestInterface $request the HTTP request to send`
`306`	`307`	`* @param array $options Request options to apply to the transfer. See \GuzzleHttp\RequestOptions.`
`@@ -312,7 +313,7 @@ public function getCertificateFingerprint(): string`
`312`	`313`	`*/`
`313`	`314`	`public function send(\Psr\Http\Message\RequestInterface $request, array $options = []): \Psr\Http\Message\ResponseInterface`
`314`	`315`	`{`
`315`		`- $certFingerprint = $this->getCertificateFingerprint();`
	`316`	`+ $certFingerprint = $this->getCertificateSerialNumber();`
`316`	`317`
`317`	`318`	`$this->rateLimiter->checkBeforeRequest($certFingerprint);`
`318`	`319`
`@@ -341,7 +342,7 @@ public function send(\Psr\Http\Message\RequestInterface $request, array $options`
`341`	`342`	`/**`
`342`	`343`	`* Update rate limits from API response headers.`
`343`	`344`	`*`
`344`		`- * Uses the certificate fingerprint as the client identifier for storing rate limits.`
	`345`	`+ * Uses the certificate serial number as the client identifier for storing rate limits.`
`345`	`346`	`*`
`346`	`347`	`* @param \Psr\Http\Message\ResponseInterface $response the HTTP response containing rate limit headers`
`347`	`348`	`*/`
`@@ -351,7 +352,7 @@ private function updateRateLimitsFromResponse(\Psr\Http\Message\ResponseInterfac`
`351`	`352`	`$remainingSecond = (int) $response->getHeaderLine('x-ratelimit-remaining-second');`
`352`	`353`	`$remainingDay = (int) $response->getHeaderLine('x-ratelimit-remaining-day');`
`353`	`354`	`$timestamp = time();`
`354`		`- $certFingerprint = $this->getCertificateFingerprint();`
	`355`	`+ $certFingerprint = $this->getCertificateSerialNumber();`
`355`	`356`	`$this->rateLimiter->handleRateLimits($certFingerprint, $remainingSecond, $remainingDay, $timestamp);`
`356`	`357`	`}`
`357`	`358`	`}`