Make library a bit more generic

Author: kduma

CLAUDE.md

@@ -45,13 +45,19 @@ The system implements a hierarchical certificate authority model using flags (`s
 - `ROOT_CA` (0x0001): Self-signed root certificate authorities
 - `INTERMEDIATE_CA` (0x0002): Enables signing of CA-level certificates when combined with `CA`
 - `CA` (0x0004): Required to sign any certificate; alone it can sign only end-entity (non-CA) certificates
-- `DOCUMENT_SIGNER` (0x0100): Can sign documents
-- `TEMPLATE_SIGNER` (0x0200): Can sign templates
+- `END_ENTITY_FLAG_1` (0x0100): Generic end-entity capability 1
+- `END_ENTITY_FLAG_2` (0x0200): Generic end-entity capability 2
+- `END_ENTITY_FLAG_3` (0x0400): Generic end-entity capability 3
+- `END_ENTITY_FLAG_4` (0x0800): Generic end-entity capability 4
+- `END_ENTITY_FLAG_5` (0x1000): Generic end-entity capability 5
+- `END_ENTITY_FLAG_6` (0x2000): Generic end-entity capability 6
+- `END_ENTITY_FLAG_7` (0x4000): Generic end-entity capability 7
+- `END_ENTITY_FLAG_8` (0x8000): Generic end-entity capability 8
 
 **Key Validation Rules:**
 - Signers must have `CA` to issue any certificates
 - Signing a certificate with CA-level flags additionally requires `INTERMEDIATE_CA`
-- End-entity flags (`DOCUMENT_SIGNER`, `TEMPLATE_SIGNER`) must be a subset of the signer's flags
+- End-entity flags (END_ENTITY_FLAG_1 through END_ENTITY_FLAG_8) must be a subset of the signer's flags
 - `ROOT_CA` certificates must be self-signed
 
 ### Directory Structure

SPECIFICATION.md

@@ -44,8 +44,14 @@ The following structure applies to `AlgVer = 0x01` (Ed25519 v1 — fixed sizes,
 - `0x0001` — **Root CA**
 - `0x0002` — **Intermediate CA**
 - `0x0004` — **CA**
-- `0x0100` — **Document Signer**
-- `0x0200` — **Template Signer**
+- `0x0100` — **End Entity Flag 1**
+- `0x0200` — **End Entity Flag 2**
+- `0x0400` — **End Entity Flag 3**
+- `0x0800` — **End Entity Flag 4**
+- `0x1000` — **End Entity Flag 5**
+- `0x2000` — **End Entity Flag 6**
+- `0x4000` — **End Entity Flag 7**
+- `0x8000` — **End Entity Flag 8**
 - Other bits **reserved** (must be `0` on encode; ignore on decode).
 - Implementations **must not** modify the `Flags` field when re‑emitting a certificate. Any reserved bits present in input data
   **must be preserved** exactly to avoid altering signed bytes.
@@ -75,7 +81,7 @@ The following structure applies to `AlgVer = 0x01` (Ed25519 v1 — fixed sizes,
   - Cannot sign any certificates.
 
 ### End‑entity flags (non‑CA) inheritance
-- End‑entity flags are the non‑CA bits (e.g., `DOCUMENT_SIGNER (0x0100)`, `TEMPLATE_SIGNER (0x0200)`).
+- End‑entity flags are the non‑CA bits (e.g., flags 0x0100 through 0x8000).
 - A subject’s end‑entity flags must be a subset of its issuer’s end‑entity flags:
   - `Subject.EndEntityFlags ⊆ Issuer.EndEntityFlags`.
 
@@ -100,14 +106,14 @@ Notes:
 ### End‑Entity Inheritance Matrix
 Only illustrates the subset rule for end‑entity flags. CA‑level signing capability (issuer must have `CA` for non‑CA subjects, `INTERMEDIATE_CA` for CA‑level subjects) still applies separately.
 
-Legend: Document = `0x0100`, Template = `0x0200`.
+Legend: Flag1 = `0x0100`, Flag2 = `0x0200`, etc.
 
-| Issuer end‑entity flags | Subject: None | Subject: Document | Subject: Template | Subject: Document+Template |
-|------------------------:|:-------------:|:-----------------:|:-----------------:|:-------------------------:|
-| None                    | ✓             | ✗                 | ✗                 | ✗                         |
-| Document                | ✓             | ✓                 | ✗                 | ✗                         |
-| Template                | ✓             | ✗                 | ✓                 | ✗                         |
-| Document+Template       | ✓             | ✓                 | ✓                 | ✓                         |
+| Issuer end‑entity flags | Subject: None | Subject: Flag1 | Subject: Flag2 | Subject: Flag1+Flag2 |
+|------------------------:|:-------------:|:--------------:|:--------------:|:--------------------:|
+| None                    | ✓             | ✗              | ✗              | ✗                    |
+| Flag1                   | ✓             | ✓              | ✗              | ✗                    |
+| Flag2                   | ✓             | ✗              | ✓              | ✗                    |
+| Flag1+Flag2             | ✓             | ✓              | ✓              | ✓                    |
 
 Reminder: This matrix validates only the end‑entity subset requirement. The issuer must still have the appropriate CA‑level flag to sign the subject at all (see the Signing rules matrix above).
 
@@ -126,7 +132,7 @@ Notes
 5. For each child/parent pair (issuer = parent):
     - For non-CA children: Issuer must have `CA`.
     - For CA-level children (has any of `ROOT_CA`, `INTERMEDIATE_CA`, `CA`): issuer must have `INTERMEDIATE_CA`.
-    - End‑entity inheritance: For each end‑entity bit (`0x0100`, `0x0200`), if child has it, issuer must also have it (`Child.EndEntity ⊆ Issuer.EndEntity`).
+    - End‑entity inheritance: For each end‑entity bit (0x0100 through 0x8000), if child has it, issuer must also have it (`Child.EndEntity ⊆ Issuer.EndEntity`).
 6. A certificate with `ROOT_CA` must be self‑signed and present in the trust store.
 
 ---

examples.php

@@ -43,8 +43,8 @@
         CertificateFlag::ROOT_CA,
         CertificateFlag::CA,
         CertificateFlag::INTERMEDIATE_CA,
-        CertificateFlag::DOCUMENT_SIGNER,
-        CertificateFlag::TEMPLATE_SIGNER
+        CertificateFlag::END_ENTITY_FLAG_1,
+        CertificateFlag::END_ENTITY_FLAG_2
     ]),
     signatures: []
 );
@@ -60,7 +60,7 @@
         CertificateFlag::ROOT_CA,
         CertificateFlag::CA,
         CertificateFlag::INTERMEDIATE_CA,
-        CertificateFlag::DOCUMENT_SIGNER,
+        CertificateFlag::END_ENTITY_FLAG_1,
     ]),
     signatures: []
 );
@@ -74,8 +74,8 @@
     ],
     flags: CertificateFlagsCollection::fromList([
         CertificateFlag::INTERMEDIATE_CA,
-        CertificateFlag::DOCUMENT_SIGNER,
-        CertificateFlag::TEMPLATE_SIGNER
+        CertificateFlag::END_ENTITY_FLAG_1,
+        CertificateFlag::END_ENTITY_FLAG_2
     ]),
     signatures: []
 );
@@ -89,8 +89,8 @@
     ],
     flags: CertificateFlagsCollection::fromList([
         CertificateFlag::INTERMEDIATE_CA,
-        CertificateFlag::DOCUMENT_SIGNER,
-        CertificateFlag::TEMPLATE_SIGNER
+        CertificateFlag::END_ENTITY_FLAG_1,
+        CertificateFlag::END_ENTITY_FLAG_2
     ]),
     signatures: []
 );
@@ -104,8 +104,8 @@
     ],
     flags: CertificateFlagsCollection::fromList([
         CertificateFlag::INTERMEDIATE_CA,
-        CertificateFlag::DOCUMENT_SIGNER,
-        CertificateFlag::TEMPLATE_SIGNER
+        CertificateFlag::END_ENTITY_FLAG_1,
+        CertificateFlag::END_ENTITY_FLAG_2
     ]),
     signatures: []
 );
@@ -119,8 +119,8 @@
     ],
     flags: CertificateFlagsCollection::fromList([
         CertificateFlag::INTERMEDIATE_CA,
-        CertificateFlag::DOCUMENT_SIGNER,
-        CertificateFlag::TEMPLATE_SIGNER
+        CertificateFlag::END_ENTITY_FLAG_1,
+        CertificateFlag::END_ENTITY_FLAG_2
     ]),
     signatures: []
 );
@@ -134,8 +134,8 @@
     ],
     flags: CertificateFlagsCollection::fromList([
         CertificateFlag::CA,
-        CertificateFlag::DOCUMENT_SIGNER,
-        CertificateFlag::TEMPLATE_SIGNER
+        CertificateFlag::END_ENTITY_FLAG_1,
+        CertificateFlag::END_ENTITY_FLAG_2
     ]),
     signatures: []
 );
@@ -149,8 +149,8 @@
     ],
     flags: CertificateFlagsCollection::fromList([
         CertificateFlag::INTERMEDIATE_CA,
-        CertificateFlag::DOCUMENT_SIGNER,
-        CertificateFlag::TEMPLATE_SIGNER
+        CertificateFlag::END_ENTITY_FLAG_1,
+        CertificateFlag::END_ENTITY_FLAG_2
     ]),
     signatures: []
 );

src/DTO/CertificateFlag.php

@@ -7,17 +7,29 @@ enum CertificateFlag: int
     case ROOT_CA = 0x0001;
     case INTERMEDIATE_CA = 0x0002;
     case CA = 0x0004;
-    case DOCUMENT_SIGNER = 0x0100;
-    case TEMPLATE_SIGNER = 0x0200;
+    case END_ENTITY_FLAG_1 = 0x0100;
+    case END_ENTITY_FLAG_2 = 0x0200;
+    case END_ENTITY_FLAG_3 = 0x0400;
+    case END_ENTITY_FLAG_4 = 0x0800;
+    case END_ENTITY_FLAG_5 = 0x1000;
+    case END_ENTITY_FLAG_6 = 0x2000;
+    case END_ENTITY_FLAG_7 = 0x4000;
+    case END_ENTITY_FLAG_8 = 0x8000;
 
     public function toString(): string
     {
         return match ($this) {
             self::ROOT_CA => 'Root CA',
             self::INTERMEDIATE_CA => 'Intermediate CA',
             self::CA => 'CA',
-            self::DOCUMENT_SIGNER => 'Document Signer',
-            self::TEMPLATE_SIGNER => 'Template Signer',
+            self::END_ENTITY_FLAG_1 => 'End Entity Flag 1',
+            self::END_ENTITY_FLAG_2 => 'End Entity Flag 2',
+            self::END_ENTITY_FLAG_3 => 'End Entity Flag 3',
+            self::END_ENTITY_FLAG_4 => 'End Entity Flag 4',
+            self::END_ENTITY_FLAG_5 => 'End Entity Flag 5',
+            self::END_ENTITY_FLAG_6 => 'End Entity Flag 6',
+            self::END_ENTITY_FLAG_7 => 'End Entity Flag 7',
+            self::END_ENTITY_FLAG_8 => 'End Entity Flag 8',
         };
     }
 

src/DTO/CertificateFlagsCollection.php

@@ -25,8 +25,14 @@ private function __construct(public readonly int $value)
     public static function EndEntityFlags(): self
     {
         return self::fromList([
-            CertificateFlag::DOCUMENT_SIGNER,
-            CertificateFlag::TEMPLATE_SIGNER,
+            CertificateFlag::END_ENTITY_FLAG_1,
+            CertificateFlag::END_ENTITY_FLAG_2,
+            CertificateFlag::END_ENTITY_FLAG_3,
+            CertificateFlag::END_ENTITY_FLAG_4,
+            CertificateFlag::END_ENTITY_FLAG_5,
+            CertificateFlag::END_ENTITY_FLAG_6,
+            CertificateFlag::END_ENTITY_FLAG_7,
+            CertificateFlag::END_ENTITY_FLAG_8,
         ]);
     }
 
@@ -77,16 +83,6 @@ public function hasCA(): bool
         return $this->has(CertificateFlag::CA);
     }
 
-    public function hasDocumentSigner(): bool
-    {
-        return $this->has(CertificateFlag::DOCUMENT_SIGNER);
-    }
-
-    public function hasTemplateSigner(): bool
-    {
-        return $this->has(CertificateFlag::TEMPLATE_SIGNER);
-    }
-
     public function isCA(): bool
     {
         return $this->hasRootCA() || $this->hasIntermediateCA() || $this->hasCA();

tests/DTO/CertificateFlagTest.php

@@ -14,17 +14,29 @@ public function testToString()
         $this->assertEquals('Root CA', CertificateFlag::ROOT_CA->toString());
         $this->assertEquals('Intermediate CA', CertificateFlag::INTERMEDIATE_CA->toString());
         $this->assertEquals('CA', CertificateFlag::CA->toString());
-        $this->assertEquals('Document Signer', CertificateFlag::DOCUMENT_SIGNER->toString());
-        $this->assertEquals('Template Signer', CertificateFlag::TEMPLATE_SIGNER->toString());
+        $this->assertEquals('End Entity Flag 1', CertificateFlag::END_ENTITY_FLAG_1->toString());
+        $this->assertEquals('End Entity Flag 2', CertificateFlag::END_ENTITY_FLAG_2->toString());
+        $this->assertEquals('End Entity Flag 3', CertificateFlag::END_ENTITY_FLAG_3->toString());
+        $this->assertEquals('End Entity Flag 4', CertificateFlag::END_ENTITY_FLAG_4->toString());
+        $this->assertEquals('End Entity Flag 5', CertificateFlag::END_ENTITY_FLAG_5->toString());
+        $this->assertEquals('End Entity Flag 6', CertificateFlag::END_ENTITY_FLAG_6->toString());
+        $this->assertEquals('End Entity Flag 7', CertificateFlag::END_ENTITY_FLAG_7->toString());
+        $this->assertEquals('End Entity Flag 8', CertificateFlag::END_ENTITY_FLAG_8->toString());
     }
 
     public function testFromByte()
     {
         $this->assertEquals(CertificateFlag::ROOT_CA, CertificateFlag::fromByte(0x0001));
         $this->assertEquals(CertificateFlag::INTERMEDIATE_CA, CertificateFlag::fromByte(0x0002));
         $this->assertEquals(CertificateFlag::CA, CertificateFlag::fromByte(0x0004));
-        $this->assertEquals(CertificateFlag::DOCUMENT_SIGNER, CertificateFlag::fromByte(0x0100));
-        $this->assertEquals(CertificateFlag::TEMPLATE_SIGNER, CertificateFlag::fromByte(0x0200));
+        $this->assertEquals(CertificateFlag::END_ENTITY_FLAG_1, CertificateFlag::fromByte(0x0100));
+        $this->assertEquals(CertificateFlag::END_ENTITY_FLAG_2, CertificateFlag::fromByte(0x0200));
+        $this->assertEquals(CertificateFlag::END_ENTITY_FLAG_3, CertificateFlag::fromByte(0x0400));
+        $this->assertEquals(CertificateFlag::END_ENTITY_FLAG_4, CertificateFlag::fromByte(0x0800));
+        $this->assertEquals(CertificateFlag::END_ENTITY_FLAG_5, CertificateFlag::fromByte(0x1000));
+        $this->assertEquals(CertificateFlag::END_ENTITY_FLAG_6, CertificateFlag::fromByte(0x2000));
+        $this->assertEquals(CertificateFlag::END_ENTITY_FLAG_7, CertificateFlag::fromByte(0x4000));
+        $this->assertEquals(CertificateFlag::END_ENTITY_FLAG_8, CertificateFlag::fromByte(0x8000));
 
         try {
             CertificateFlag::fromByte(0xFFFF);