@@ -404,12 +404,12 @@ The library uses a hierarchical flag system:
404404#### Flag Inheritance Rules
405405
4064061 . ** Signing Authority** :
407- - To sign non-CA certificates: signer must have ` CA ` flag
408- - To sign CA-level certificates: signer must have ` INTERMEDIATE_CA ` flag
407+ - To sign non-CA certificates: signer must have ` CA ` flag
408+ - To sign CA-level certificates: signer must have ` INTERMEDIATE_CA ` flag
409409
4104102 . ** End-Entity Inheritance** :
411- - Certificate's end-entity flags must be a subset of signer's end-entity flags
412- - Example: If signer has ` FLAG_1 | FLAG_2 ` , certificate can have ` FLAG_1 ` , ` FLAG_2 ` , or both, but not ` FLAG_3 `
411+ - Certificate's end-entity flags must be a subset of signer's end-entity flags
412+ - Example: If signer has ` FLAG_1 | FLAG_2 ` , certificate can have ` FLAG_1 ` , ` FLAG_2 ` , or both, but not ` FLAG_3 `
413413
414414#### Certificate Chains
415415
@@ -704,7 +704,6 @@ public function has(CertificateFlag $flag): bool;
704704public function hasRootCA(): bool;
705705public function hasIntermediateCA(): bool;
706706public function hasCA(): bool;
707- public function hasEndEntityFlag1(): bool; // through hasEndEntityFlag8()
708707public function isCA(): bool;
709708public function getEndEntityFlags(): CertificateFlagsCollection;
710709public function getCAFlags(): CertificateFlagsCollection;
@@ -861,10 +860,10 @@ function validateCertificateForPurpose(Certificate $cert, string $purpose): bool
861860 $flags = $cert->flags;
862861
863862 return match ($purpose) {
864- 'document-signing' => $flags->hasEndEntityFlag1( ),
865- 'code-signing' => $flags->hasEndEntityFlag2( ),
866- 'email-encryption' => $flags->hasEndEntityFlag3( ),
867- 'server-auth' => $flags->hasEndEntityFlag4( ),
863+ 'document-signing' => $flags->has(CertificateFlag::END_ENTITY_FLAG_1 ),
864+ 'code-signing' => $flags->has(CertificateFlag::END_ENTITY_FLAG_2 ),
865+ 'email-encryption' => $flags->has(CertificateFlag::END_ENTITY_FLAG_3 ),
866+ 'server-auth' => $flags->has(CertificateFlag::END_ENTITY_FLAG_4 ),
868867 default => false
869868 };
870869}
@@ -977,29 +976,29 @@ foreach ($result->errors as $error) {
977976#### Common Error Types
978977
9799781 . ** Structure Errors** :
980- - Invalid binary format
981- - Missing required fields
982- - Invalid lengths
979+ - Invalid binary format
980+ - Missing required fields
981+ - Invalid lengths
983982
9849832 . ** Cryptographic Errors** :
985- - Invalid signatures
986- - KeyId mismatch with public key
987- - Signature verification failure
984+ - Invalid signatures
985+ - KeyId mismatch with public key
986+ - Signature verification failure
988987
9899883 . ** Authority Errors** :
990- - Insufficient signing authority
991- - Missing CA flags
992- - Invalid flag combinations
989+ - Insufficient signing authority
990+ - Missing CA flags
991+ - Invalid flag combinations
993992
9949934 . ** Inheritance Errors** :
995- - End-entity flags not subset of signer
996- - Duplicate KeyIds in chain
997- - Invalid certificate hierarchy
994+ - End-entity flags not subset of signer
995+ - Duplicate KeyIds in chain
996+ - Invalid certificate hierarchy
998997
9999985 . ** Trust Errors** :
1000- - Root CA not in trust store
1001- - Chain doesn't terminate in root CA
1002- - Self-signing validation failure
999+ - Root CA not in trust store
1000+ - Chain doesn't terminate in root CA
1001+ - Self-signing validation failure
10031002
10041003#### Exception Handling
10051004
@@ -1258,28 +1257,28 @@ The following structure applies to `AlgVer = 0x01` (Ed25519 v1 — fixed sizes,
12581257
12591258#### Roles and combinations
12601259- ** Root CA (` 0x0001 ` )**
1261- - ** Must be self‑signed.**
1262- - May also carry ` INTERMEDIATE_CA (0x0002) ` and/or ` CA (0x0004) ` .
1263- - The ability to sign depends on the presence of ` INTERMEDIATE_CA ` and/or ` CA ` flags (see signing rules below), not on ` ROOT_CA ` alone.
1260+ - ** Must be self‑signed.**
1261+ - May also carry ` INTERMEDIATE_CA (0x0002) ` and/or ` CA (0x0004) ` .
1262+ - The ability to sign depends on the presence of ` INTERMEDIATE_CA ` and/or ` CA ` flags (see signing rules below), not on ` ROOT_CA ` alone.
12641263
12651264- ** Intermediate CA (` 0x0002 ` )**
1266- - This flag ** alone** grants authority to sign CA-level certificates.
1267- - When combined with ` CA ` , allows signing of both CA-level and non-CA certificates.
1265+ - This flag ** alone** grants authority to sign CA-level certificates.
1266+ - When combined with ` CA ` , allows signing of both CA-level and non-CA certificates.
12681267
12691268- ** CA (` 0x0004 ` )**
1270- - Required to sign non-CA certificates.
1271- - Without ` INTERMEDIATE_CA ` , may sign only non‑CA certificates (no ` ROOT_CA ` , ` INTERMEDIATE_CA ` , or ` CA ` flags on the subject).
1269+ - Required to sign non-CA certificates.
1270+ - Without ` INTERMEDIATE_CA ` , may sign only non‑CA certificates (no ` ROOT_CA ` , ` INTERMEDIATE_CA ` , or ` CA ` flags on the subject).
12721271
12731272- ** Combined ` INTERMEDIATE_CA | CA ` **
1274- - Authorized to sign both CA‑level certificates (because of ` INTERMEDIATE_CA ` ) and non‑CA certificates (because of ` CA ` ).
1273+ - Authorized to sign both CA‑level certificates (because of ` INTERMEDIATE_CA ` ) and non‑CA certificates (because of ` CA ` ).
12751274
12761275- ** No CA flags**
1277- - Cannot sign any certificates.
1276+ - Cannot sign any certificates.
12781277
12791278#### End‑entity flags (non‑CA) inheritance
12801279- End‑entity flags are the non‑CA bits (e.g., flags 0x0100 through 0x8000).
12811280- A subject’s end‑entity flags must be a subset of its issuer’s end‑entity flags:
1282- - ` Subject.EndEntityFlags ⊆ Issuer.EndEntityFlags ` .
1281+ - ` Subject.EndEntityFlags ⊆ Issuer.EndEntityFlags ` .
12831282
12841283#### Signing rules matrix
12851284- To sign ** non-CA** certificates, the issuer must have ` CA ` .
0 commit comments