Skip to content

Commit d83f0c2

Browse files
authored
Fix
1 parent a4feaf0 commit d83f0c2

1 file changed

Lines changed: 33 additions & 34 deletions

File tree

content/3.libraries/100.php/cert-chain.md

Lines changed: 33 additions & 34 deletions
Original file line numberDiff line numberDiff line change
@@ -404,12 +404,12 @@ The library uses a hierarchical flag system:
404404
#### Flag Inheritance Rules
405405

406406
1. **Signing Authority**:
407-
- To sign non-CA certificates: signer must have `CA` flag
408-
- To sign CA-level certificates: signer must have `INTERMEDIATE_CA` flag
407+
- To sign non-CA certificates: signer must have `CA` flag
408+
- To sign CA-level certificates: signer must have `INTERMEDIATE_CA` flag
409409

410410
2. **End-Entity Inheritance**:
411-
- Certificate's end-entity flags must be a subset of signer's end-entity flags
412-
- Example: If signer has `FLAG_1 | FLAG_2`, certificate can have `FLAG_1`, `FLAG_2`, or both, but not `FLAG_3`
411+
- Certificate's end-entity flags must be a subset of signer's end-entity flags
412+
- Example: If signer has `FLAG_1 | FLAG_2`, certificate can have `FLAG_1`, `FLAG_2`, or both, but not `FLAG_3`
413413

414414
#### Certificate Chains
415415

@@ -704,7 +704,6 @@ public function has(CertificateFlag $flag): bool;
704704
public function hasRootCA(): bool;
705705
public function hasIntermediateCA(): bool;
706706
public function hasCA(): bool;
707-
public function hasEndEntityFlag1(): bool; // through hasEndEntityFlag8()
708707
public function isCA(): bool;
709708
public function getEndEntityFlags(): CertificateFlagsCollection;
710709
public function getCAFlags(): CertificateFlagsCollection;
@@ -861,10 +860,10 @@ function validateCertificateForPurpose(Certificate $cert, string $purpose): bool
861860
$flags = $cert->flags;
862861

863862
return match ($purpose) {
864-
'document-signing' => $flags->hasEndEntityFlag1(),
865-
'code-signing' => $flags->hasEndEntityFlag2(),
866-
'email-encryption' => $flags->hasEndEntityFlag3(),
867-
'server-auth' => $flags->hasEndEntityFlag4(),
863+
'document-signing' => $flags->has(CertificateFlag::END_ENTITY_FLAG_1),
864+
'code-signing' => $flags->has(CertificateFlag::END_ENTITY_FLAG_2),
865+
'email-encryption' => $flags->has(CertificateFlag::END_ENTITY_FLAG_3),
866+
'server-auth' => $flags->has(CertificateFlag::END_ENTITY_FLAG_4),
868867
default => false
869868
};
870869
}
@@ -977,29 +976,29 @@ foreach ($result->errors as $error) {
977976
#### Common Error Types
978977

979978
1. **Structure Errors**:
980-
- Invalid binary format
981-
- Missing required fields
982-
- Invalid lengths
979+
- Invalid binary format
980+
- Missing required fields
981+
- Invalid lengths
983982

984983
2. **Cryptographic Errors**:
985-
- Invalid signatures
986-
- KeyId mismatch with public key
987-
- Signature verification failure
984+
- Invalid signatures
985+
- KeyId mismatch with public key
986+
- Signature verification failure
988987

989988
3. **Authority Errors**:
990-
- Insufficient signing authority
991-
- Missing CA flags
992-
- Invalid flag combinations
989+
- Insufficient signing authority
990+
- Missing CA flags
991+
- Invalid flag combinations
993992

994993
4. **Inheritance Errors**:
995-
- End-entity flags not subset of signer
996-
- Duplicate KeyIds in chain
997-
- Invalid certificate hierarchy
994+
- End-entity flags not subset of signer
995+
- Duplicate KeyIds in chain
996+
- Invalid certificate hierarchy
998997

999998
5. **Trust Errors**:
1000-
- Root CA not in trust store
1001-
- Chain doesn't terminate in root CA
1002-
- Self-signing validation failure
999+
- Root CA not in trust store
1000+
- Chain doesn't terminate in root CA
1001+
- Self-signing validation failure
10031002

10041003
#### Exception Handling
10051004

@@ -1258,28 +1257,28 @@ The following structure applies to `AlgVer = 0x01` (Ed25519 v1 — fixed sizes,
12581257

12591258
#### Roles and combinations
12601259
- **Root CA (`0x0001`)**
1261-
- **Must be self‑signed.**
1262-
- May also carry `INTERMEDIATE_CA (0x0002)` and/or `CA (0x0004)`.
1263-
- The ability to sign depends on the presence of `INTERMEDIATE_CA` and/or `CA` flags (see signing rules below), not on `ROOT_CA` alone.
1260+
- **Must be self‑signed.**
1261+
- May also carry `INTERMEDIATE_CA (0x0002)` and/or `CA (0x0004)`.
1262+
- The ability to sign depends on the presence of `INTERMEDIATE_CA` and/or `CA` flags (see signing rules below), not on `ROOT_CA` alone.
12641263

12651264
- **Intermediate CA (`0x0002`)**
1266-
- This flag **alone** grants authority to sign CA-level certificates.
1267-
- When combined with `CA`, allows signing of both CA-level and non-CA certificates.
1265+
- This flag **alone** grants authority to sign CA-level certificates.
1266+
- When combined with `CA`, allows signing of both CA-level and non-CA certificates.
12681267

12691268
- **CA (`0x0004`)**
1270-
- Required to sign non-CA certificates.
1271-
- Without `INTERMEDIATE_CA`, may sign only non‑CA certificates (no `ROOT_CA`, `INTERMEDIATE_CA`, or `CA` flags on the subject).
1269+
- Required to sign non-CA certificates.
1270+
- Without `INTERMEDIATE_CA`, may sign only non‑CA certificates (no `ROOT_CA`, `INTERMEDIATE_CA`, or `CA` flags on the subject).
12721271

12731272
- **Combined `INTERMEDIATE_CA | CA`**
1274-
- Authorized to sign both CA‑level certificates (because of `INTERMEDIATE_CA`) and non‑CA certificates (because of `CA`).
1273+
- Authorized to sign both CA‑level certificates (because of `INTERMEDIATE_CA`) and non‑CA certificates (because of `CA`).
12751274

12761275
- **No CA flags**
1277-
- Cannot sign any certificates.
1276+
- Cannot sign any certificates.
12781277

12791278
#### End‑entity flags (non‑CA) inheritance
12801279
- End‑entity flags are the non‑CA bits (e.g., flags 0x0100 through 0x8000).
12811280
- A subject’s end‑entity flags must be a subset of its issuer’s end‑entity flags:
1282-
- `Subject.EndEntityFlags ⊆ Issuer.EndEntityFlags`.
1281+
- `Subject.EndEntityFlags ⊆ Issuer.EndEntityFlags`.
12831282

12841283
#### Signing rules matrix
12851284
- To sign **non-CA** certificates, the issuer must have `CA`.

0 commit comments

Comments
 (0)