CertificateUtils
in package
X.509 certificate utilities for LTV signature support.
Provides certificate chain extraction from PKCS#7 blobs, PEM/DER conversion, OCSP responder URL extraction, CRL distribution point parsing, and certificate chain ordering.
Uses PHP's OpenSSL extension and inline ASN.1 DER parsing (same pattern as TsaClient).
Table of Contents
Methods
- buildChain() : array<int, string>
- Order certificates from leaf (signer) to root, by matching issuer/subject Distinguished Names.
- derToPem() : string
- Convert a DER-encoded certificate to PEM.
- extractCertsFromPkcs7Der() : array<int, string>
- Extract DER-encoded X.509 certificates from a PKCS#7 SignedData blob.
- getCrlDistributionPointUrls() : array<int, string>
- Extract CRL Distribution Point URLs from a certificate.
- getIssuerKeyHash() : string
- Compute SHA-256 hash of the issuer's public key (DER-encoded, without tag/length).
- getIssuerNameHash() : string
- Compute SHA-256 hash of the issuer's Distinguished Name (DER-encoded).
- getOcspResponderUrl() : string|null
- Extract the OCSP responder URL from a certificate's Authority Information Access (AIA) extension.
- getSerialNumberDer() : string
- Extract the serial number from a certificate as raw DER INTEGER content bytes.
- pemToDer() : string
- Convert a PEM-encoded certificate to DER.
Methods
buildChain()
Order certificates from leaf (signer) to root, by matching issuer/subject Distinguished Names.
public
static buildChain(array<int, string> $derCerts) : array<int, string>
Parameters
- $derCerts : array<int, string>
  Unordered DER-encoded certificates
Return values
array<int, string> — Ordered leaf→root
derToPem()
Convert a DER-encoded certificate to PEM.
public
static derToPem(string $der) : string
Parameters
- $der : string
Return values
string
extractCertsFromPkcs7Der()
Extract DER-encoded X.509 certificates from a PKCS#7 SignedData blob.
public
static extractCertsFromPkcs7Der(string $derPkcs7) : array<int, string>
Parses the ContentInfo > SignedData > certificates [0] IMPLICIT SET structure to extract all embedded certificates.
Parameters
- $derPkcs7 : string
  Raw DER-encoded PKCS#7 SignedData (hex-decoded /Contents value)
Return values
array<int, string> — Array of DER-encoded X.509 certificates
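An added example, not the library's own code: a bounds-checked DER walk along the ContentInfo > SignedData > certificates [0] path described above, where every child length is checked against its parent because the /Contents value is untrusted input. The function names (need, readTlv, enter, extractCerts) are hypothetical, and the sample blob is constructed with placeholder bodies in place of real certificates.

```php
<?php
const OID_SIGNED_DATA = "\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"; // 1.2.840.113549.1.7.2
function need(bool $ok, string $why): void { if (!$ok) throw new RuntimeException($why); }
// Read one TLV at $off that must fit inside [$off, $end); returns [tag, bodyOffset, bodyLength].
function readTlv(string $d, int $off, int $end): array
{
    need($off + 2 <= $end, 'truncated TLV header');
    [$tag, $len, $pos] = [ord($d[$off]), ord($d[$off + 1]), $off + 2];
    if ($len & 0x80) {                                    // long form: next $k bytes hold the length
        $k = $len & 0x7F;                                 // $k === 0 is BER indefinite length, not DER
        need($k >= 1 && $k <= 4 && $pos + $k <= $end, 'bad length encoding');
        for ($len = 0, $i = 0; $i < $k; $i++) $len = ($len << 8) | ord($d[$pos++]);
    }
    need($len <= $end - $pos, 'element overruns its container');
    return [$tag, $pos, $len];
}
function enter(string $d, int $off, int $end, int $tag): array // [bodyStart, bodyEnd] of a TLV with $tag
{
    [$t, $b, $l] = readTlv($d, $off, $end);
    need($t === $tag, sprintf('expected tag 0x%02X at offset %d', $tag, $off));
    return [$b, $b + $l];
}
// Returns the full DER encoding of every certificate in SignedData.certificates.
function extractCerts(string $p7): array
{
    [$p, $end] = enter($p7, 0, strlen($p7), 0x30);        // ContentInfo SEQUENCE
    [$b, $e] = enter($p7, $p, $end, 0x06);                // contentType OID
    need(substr($p7, $b, $e - $b) === OID_SIGNED_DATA, 'contentType is not signedData');
    [$p, $end] = enter($p7, $e, $end, 0xA0);              // content [0] EXPLICIT
    [$p, $end] = enter($p7, $p, $end, 0x30);              // SignedData SEQUENCE
    // Skip version, digestAlgorithms and encapContentInfo, checking each tag.
    foreach ([0x02, 0x31, 0x30] as $tag) [, $p] = enter($p7, $p, $end, $tag);
    $certs = [];
    if ($p < $end && ord($p7[$p]) === 0xA0) {             // certificates [0] IMPLICIT SET (optional)
        [$q, $stop] = enter($p7, $p, $end, 0xA0);
        while ($q < $stop) {
            [$tag, $b, $l] = readTlv($p7, $q, $stop);
            if ($tag === 0x30) $certs[] = substr($p7, $q, $b + $l - $q); // keep header + body
            $q = $b + $l;
        }
    }
    return $certs;
}
// Constructed sample: short-form lengths only, placeholder bodies instead of real certificates.
$tlv = fn(int $tag, string $body): string => chr($tag) . chr(strlen($body)) . $body;
[$certA, $certB] = [$tlv(0x30, 'placeholder-cert-A'), $tlv(0x30, 'placeholder-cert-B')];
$signedData = $tlv(0x30, $tlv(0x02, "\x01") . $tlv(0x31, '')
    . $tlv(0x30, $tlv(0x06, "\x2A\x86\x48\x86\xF7\x0D\x01\x07\x01")) . $tlv(0xA0, $certA . $certB) . $tlv(0x31, ''));
$p7 = $tlv(0x30, $tlv(0x06, OID_SIGNED_DATA) . $tlv(0xA0, $signedData));
var_dump(extractCerts($p7 . "\x00\x00") === [$certA, $certB]); // bytes after the ContentInfo are ignored
try { extractCerts(substr($p7, 0, 40)); } catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```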
getCrlDistributionPointUrls()
Extract CRL Distribution Point URLs from a certificate.
public
static getCrlDistributionPointUrls(string $derOrPemCert) : array<int, string>
Parameters
- $derOrPemCert : string
  DER or PEM certificate
Return values
array<int, string> — HTTP/HTTPS URLs
getIssuerKeyHash()
Compute SHA-256 hash of the issuer's public key (DER-encoded, without tag/length).
public
static getIssuerKeyHash(string $derIssuerCert) : string
Used in OCSP CertID.issuerKeyHash.
Parameters
- $derIssuerCert : string
Return values
string
getIssuerNameHash()
Compute SHA-256 hash of the issuer's Distinguished Name (DER-encoded).
public
static getIssuerNameHash(string $derCert, string $derIssuerCert) : string
Used in OCSP CertID.issuerNameHash.
Parameters
- $derCert : string
- $derIssuerCert : string
Return values
string
getOcspResponderUrl()
Extract the OCSP responder URL from a certificate's Authority Information Access (AIA) extension.
public
static getOcspResponderUrl(string $derOrPemCert) : string|null
Parameters
- $derOrPemCert : string
  DER or PEM certificate
Return values
string|null — OCSP responder URL, or null if not present
getSerialNumberDer()
Extract the serial number from a certificate as raw DER INTEGER content bytes.
public
static getSerialNumberDer(string $derOrPemCert) : string
Parameters
- $derOrPemCert : string
Return values
string
pemToDer()
Convert a PEM-encoded certificate to DER.
public
static pemToDer(string $pem) : string
Parameters
- $pem : string