Fix wrong translations

And simplify revocation descriptions

Remove PublicKeyMismatch as this redundant with
PrivateKeyMismatch (was CertificateMismatch)

Resources/translations/validators+intl-icu.en.xliff

@@ -3,95 +3,102 @@
     <file source-language="en" datatype="plaintext" original="file.ext">
         <body>
             <trans-unit id="1">
-                <source>Unable to process PEM X.509 data of private key "{name}". Only PEM encoded X.509 files are supported.</source>
-                <target>Unable to process PEM X.509 data of private key "{name}". Only PEM encoded X.509 files are supported.</target>
+                <source>Unable to process certificate "{name}". Only PEM encoded X.509 files are supported.</source>
+                <target>Unable to process certificate "{name}". Only PEM encoded X.509 files are supported.</target>
             </trans-unit>
             <trans-unit id="2">
-                <source>The certificate public-key does not match with the private-key "public-key" data.</source>
-                <target>The certificate public-key does not match with the private-key "public-key" data.</target>
+                <source>Unable to process certificate. Only PEM encoded X.509 files are supported.</source>
+                <target>Unable to process certificate. Only PEM encoded X.509 files are supported.</target>
             </trans-unit>
             <trans-unit id="3">
-                <source>The certificate does not match with the provided private-key.</source>
-                <target>The certificate does not match with the provided private-key.</target>
+                <source>Unable to process private key. Only PEM encoded X.509 files are supported.</source>
+                <target>Unable to process private key. Only PEM encoded X.509 files are supported.</target>
             </trans-unit>
             <trans-unit id="4">
-                <source>This certificate was signed using the weak "{provided}" algorithm. Expected at least algorithm "{expected}".".</source>
-                <target>This certificate was signed using the weak "{provided}" algorithm. Expected at least algorithm "{expected}".".</target>
+                <source>The certificate does not match with the provided private-key.</source>
+                <target>The certificate does not match with the provided private-key.</target>
             </trans-unit>
             <trans-unit id="5">
-                <source>The private-key bits-size {provided} is too low. Expected at least {expected} bits.</source>
-                <target>The private-key bits-size {provided} is too low. Expected at least {expected} bits.</target>
+                <source>The certificate was signed using the weak "{provided}" algorithm. Expected at least algorithm "{expected}".".</source>
+                <target>The certificate was signed using the weak "{provided}" algorithm. Expected at least algorithm "{expected}".".</target>
             </trans-unit>
             <trans-unit id="6">
-                <source>The certificate with serial-number "{serial}" was marked as revoked on { revoked_on, date, short } with ({reason_code}) {reason}.</source>
-                <target>The certificate with serial-number "{serial}" was marked as revoked on { revoked_on, date, short } with ({reason_code}) {reason}.</target>
+                <source>The private-key bits-size {provided} is too low. Expected at least {expected} bits.</source>
+                <target>The private-key bits-size {provided} is too low. Expected at least {expected} bits.</target>
             </trans-unit>
             <trans-unit id="7">
-                <source>The certificate with common-name "{common_name}" contains a CA extension. Expected a leaf certificate.</source>
-                <target>The certificate with common-name "{common_name}" contains a CA extension. Expected a leaf certificate.</target>
+                <source>The certificate with serial-number "{serial}" was marked as revoked on { revoked_on, date, short } with reason: ({reason_code}) {reason}.</source>
+                <target>The certificate with serial-number "{serial}" was marked as revoked on { revoked_on, date, short } with reason: ({reason_code}) {reason}.</target>
             </trans-unit>
             <trans-unit id="8">
-                <source>This certificate has expired on { expired_on, date, short }.</source>
-                <target>This certificate has expired on { expired_on, date, short }.</target>
+                <source>The certificate with common-name "{common_name}" contains a CA extension. Expected a leaf certificate.</source>
+                <target>The certificate with common-name "{common_name}" contains a CA extension. Expected a leaf certificate.</target>
             </trans-unit>
             <trans-unit id="9">
-                <source>This certificate should support host pattern "{required_pattern}". But only the following patterns are {supported}</source>
-                <target>This certificate should support host pattern "{required_pattern}". But only the following patterns are {supported}</target>
+                <source>Certificate with common-name "{common_name}" does not contain required CA extension.</source>
+                <target>Certificate with common-name "{common_name}" does not contain required CA extension.</target>
             </trans-unit>
             <trans-unit id="10">
-                <source>This certificate does not support the {required_purpose}</source>
-                <target>This certificate does not support the {required_purpose}</target>
+                <source>The certificate has expired on { expired_on, date, short }.</source>
+                <target>The certificate has expired on { expired_on, date, short }.</target>
             </trans-unit>
             <trans-unit id="11">
+                <source>The certificate should support host pattern "{required_pattern}". But only the following patterns are supported: {supported}.</source>
+                <target>The certificate should support host pattern "{required_pattern}". But only the following patterns are supported: {supported}.</target>
+            </trans-unit>
+            <trans-unit id="12">
+                <source>The certificate does not support the purpose: {required_purpose}.</source>
+                <target>The certificate does not support the purpose: {required_purpose}.</target>
+            </trans-unit>
+            <trans-unit id="13">
                 <source>The certificate host "{provided}" contains an invalid global-wildcard pattern.</source>
                 <target>The certificate host "{provided}" contains an invalid global-wildcard pattern.</target>
             </trans-unit>
-            <trans-unit id="12">
+            <trans-unit id="14">
                 <source>The certificate host "{provided}" contains an invalid public-suffix wildcard pattern "{suffix_pattern}".</source>
                 <target>The certificate host "{provided}" contains an invalid public-suffix wildcard pattern "{suffix_pattern}".</target>
             </trans-unit>
-            <trans-unit id="13">
+            <trans-unit id="15">
                 <source>Unable to resolve the CA of certificate "{name}", issued by {parent}.</source>
                 <target>Unable to resolve the CA of certificate "{name}", issued by {parent}.</target>
             </trans-unit>
+            <trans-unit id="16">
+                <source>Too many CAs were provided. A maximum of 4 is accepted.</source>
+                <target>Too many CAs were provided. A maximum of 4 is accepted.</target>
+            </trans-unit>
 
             <!-- Revocation reason -->
-            <trans-unit id="14">
-                <source>unspecified (no specific reason was given).</source>
-                <target>unspecified (no specific reason was given).</target>
-            </trans-unit>
-            <trans-unit id="15">
-                <source>the private key associated with the certificate has been compromised.</source>
-                <target>the private key associated with the certificate has been compromised.</target>
+            <trans-unit id="revoke-1">
+                <source>no specific reason was given</source>
+                <target>no specific reason was given</target>
             </trans-unit>
-            <trans-unit id="16">
-                <source>the CAs private key is has been compromised and is in the possession of an unauthorized individual. When a CAs private key is revoked, this results in all certificates issued by the CA that are signed using the private key associated with the revoked certificate being considered revoked.</source>
-                <target>the CAs private key is has been compromised and is in the possession of an unauthorized individual. When a CAs private key is revoked, this results in all certificates issued by the CA that are signed using the private key associated with the revoked certificate being considered revoked.</target>
+            <trans-unit id="revoke-2">
+                <source>the private key associated with the certificate has been compromised</source>
+                <target>the private key associated with the certificate has been compromised</target>
             </trans-unit>
-            <trans-unit id="17">
-                <source>the user has terminated their relationship with the organization indicated in the Distinguished Name attribute of the certificate. This revocation code is typically used when an individual is terminated or has resigned from an organization.</source>
-                <target>the user has terminated their relationship with the organization indicated in the Distinguished Name attribute of the certificate. This revocation code is typically used when an individual is terminated or has resigned from an organization.</target>
+            <trans-unit id="revoke-3">
+                <source>the CA's private key is has been compromised and is in the possession of an unauthorized individual</source>
+                <target>the CA's private key is has been compromised and is in the possession of an unauthorized individual</target>
             </trans-unit>
-            <trans-unit id="18">
-                <source>a replacement certificate has been issued to a user.</source>
-                <target>a replacement certificate has been issued to a user.</target>
+            <trans-unit id="revoke-4">
+                <source>the user has terminated their relationship with the organization indicated in the Distinguished Name attribute of the certificate</source>
+                <target>the user has terminated their relationship with the organization indicated in the Distinguished Name attribute of the certificate</target>
             </trans-unit>
-            <trans-unit id="19">
-                <source>the CA is decommissioned, no longer to be used.</source>
-                <target>the CA is decommissioned, no longer to be used.</target>
+            <trans-unit id="revoke-5">
+                <source>a replacement certificate has been issued to a user</source>
+                <target>a replacement certificate has been issued to a user</target>
             </trans-unit>
-            <trans-unit id="20">
-                <source>the certificate (public-key or attribute certificate) was revoked because a privilege contained within that certificate has been withdrawn.</source>
-                <target>the certificate (public-key or attribute certificate) was revoked because a privilege contained within that certificate has been withdrawn.</target>
+            <trans-unit id="revoke-6">
+                <source>the CA is decommissioned, no longer to be used</source>
+                <target>the CA is decommissioned, no longer to be used</target>
             </trans-unit>
-            <trans-unit id="21">
-                <source>it is known or suspected that aspects of the AA validated in the attribute certificate have been compromised.</source>
-                <target>it is known or suspected that aspects of the AA validated in the attribute certificate have been compromised.</target>
+            <trans-unit id="revoke-7">
+                <source>the certificate (public-key or attribute certificate) was revoked because a privilege contained within that certificate has been withdrawn</source>
+                <target>the certificate (public-key or attribute certificate) was revoked because a privilege contained within that certificate has been withdrawn</target>
             </trans-unit>
-
-            <trans-unit id="22">
-                <source>Too many CAs were provided. A maximum of 4 is accepted.</source>
-                <target>Too many CAs were provided. A maximum of 4 is accepted.</target>
+            <trans-unit id="revoke-8">
+                <source>it is known or suspected that aspects of the AA validated in the attribute certificate have been compromised</source>
+                <target>it is known or suspected that aspects of the AA validated in the attribute certificate have been compromised</target>
             </trans-unit>
         </body>
     </file>

UPGRADE.md

@@ -1,6 +1,13 @@
 UPGRADE
 =======
 
+
+## Upgrade FROM 0.2.1 to 0.2.2
+
+* Translation ids have changed to fix some mismatches.
+* The `PublicKeyMismatch` violation was removed
+* 
+
 ## Upgrade FROM 0.1.0 to 0.2.0
 
 * The `CertificateValidator` now expects a `\Pdp\PublicSuffixList` instance 

composer.json

@@ -32,6 +32,7 @@
         "rollerscapes/standards": "^1.0",
         "rollerworks/pdb-symfony-bridge": "^1.0",
         "symfony/clock": "^6.3",
+        "symfony/config": "^6.4 || ^7.0",
         "symfony/error-handler": "^6.3",
         "symfony/http-client": "^6.3",
         "symfony/phpunit-bridge": "^6.3 || ^7.0",

docs/index.md

@@ -129,12 +129,12 @@ final class EmailFieldRequired extends Violation
 {
     public function __construct()
     {
-        parent::__construct('This certificate should contains an emails extension.');
+        parent::__construct('The certificate should contains an emails extension.');
     }
 
     public function getTranslatorMsg(): string
     {
-        return 'This certificate should contains an emails extension.';
+        return 'The certificate should contains an emails extension.';
     }
 }
 

src/KeyValidator.php

@@ -14,9 +14,8 @@
 namespace Rollerworks\Component\X509Validator;
 
 use ParagonIE\HiddenString\HiddenString;
-use Rollerworks\Component\X509Validator\Violation\CertificateMismatch;
 use Rollerworks\Component\X509Validator\Violation\KeyBitsTooLow;
-use Rollerworks\Component\X509Validator\Violation\PublicKeyMismatch;
+use Rollerworks\Component\X509Validator\Violation\PrivateKeyMismatch;
 use Rollerworks\Component\X509Validator\Violation\UnprocessableKey;
 use Rollerworks\Component\X509Validator\Violation\UnprocessablePEM;
 
@@ -31,14 +30,14 @@ class KeyValidator
      * matches with the public key of the certificate. And Then performs
      * an additional check to ensure the key was not tempered with.
      *
-     * @param HiddenString|string $privateKey  Private-key as PEM X509. Use HiddenString to prevent leaking
-     *                                         sensitive information
+     * @param HiddenString|string $privateKey  Private-key as PEM X509.
+     *                                         Use HiddenString to prevent leaking sensitive information
      * @param string              $certificate Certificate as PEM X509 format string
      *
-     * @throws UnprocessablePEM    when the data cannot be parsed or processed
-     * @throws PublicKeyMismatch   when the public-keys don't match
-     * @throws CertificateMismatch when the private doesn't match the certificate
-     * @throws KeyBitsTooLow       when the private bits count is less than $minimumBitCount
+     * @throws UnprocessablePEM   when the certificate cannot be parsed or processed
+     * @throws UnprocessableKey   when the private-key cannot be parsed or processed
+     * @throws PrivateKeyMismatch when the private doesn't match the certificate
+     * @throws KeyBitsTooLow      when the private bits count is less than $minimumBitCount
      */
     public function validate(HiddenString | string $privateKey, string $certificate, int $minimumBitCount = self::MINIMUM_BIT_COUNT): void
     {
@@ -64,7 +63,7 @@ public function validate(HiddenString | string $privateKey, string $certificate,
             }
 
             if (! @openssl_x509_check_private_key($certR, $privateR)) {
-                throw new PublicKeyMismatch();
+                throw new PrivateKeyMismatch();
             }
 
             // Note: technically it's rather difficult to replace the public-key
@@ -81,7 +80,7 @@ public function validate(HiddenString | string $privateKey, string $certificate,
             }
 
             if (! @openssl_private_decrypt($encrypted, $decrypted, $privateR, \OPENSSL_PKCS1_OAEP_PADDING) || $decrypted !== $original) {
-                throw new CertificateMismatch();
+                throw new PrivateKeyMismatch();
             }
 
             $details = @openssl_pkey_get_details($privateR);

src/Violation.php

@@ -37,6 +37,6 @@ public function __debugInfo(): array
 
     public function trans(TranslatorInterface $translator, string $locale = null): string
     {
-        return $translator->trans($this->getMessage(), $this->getParameters(), 'validators', $locale);
+        return $translator->trans($this->getTranslatorMsg(), $this->getParameters(), 'validators', $locale);
     }
 }

src/Violation/CertificateHasExpired.php

@@ -28,7 +28,7 @@ public function __construct(\DateTimeInterface $expiredOn)
 
     public function getTranslatorMsg(): string
     {
-        return 'This certificate has expired on { expired_on, date, short }.';
+        return 'The certificate has expired on { expired_on, date, short }.';
     }
 
     public function getParameters(): array

src/Violation/CertificateIsRevoked.php

@@ -47,16 +47,16 @@ final class CertificateIsRevoked extends Violation
     ];
 
     private const TRANSLATOR_ID = [
-        'unspecified' => 'unspecified (no specific reason was given).',
-        'keyCompromise' => 'the private key associated with the certificate has been compromised.',
-        'cACompromise' => 'the CA\'s private key is has been compromised and is in the possession of an unauthorized individual. When a CA\'s private key is revoked, this results in all certificates issued by the CA that are signed using the private key associated with the revoked certificate being considered revoked.',
-        'affiliationChanged' => 'the user has terminated their relationship with the organization indicated in the Distinguished Name attribute of the certificate. This revocation code is typically used when an individual is terminated or has resigned from an organization.',
-        'superseded' => 'a replacement certificate has been issued to a user.',
-        'cessationOfOperation' => 'the CA is decommissioned, no longer to be used.',
+        'unspecified' => 'no specific reason was given',
+        'keyCompromise' => 'the private key associated with the certificate has been compromised',
+        'cACompromise' => 'the CA\'s private key is has been compromised and is in the possession of an unauthorized individual',
+        'affiliationChanged' => 'the user has terminated their relationship with the organization indicated in the Distinguished Name attribute of the certificate',
+        'superseded' => 'a replacement certificate has been issued to a user',
+        'cessationOfOperation' => 'the CA is decommissioned, no longer to be used',
         'certificateHold' => 'the certificate is currently on hold, try again later',
         'removeFromCRL' => 'certificate revocation is removed', // This might possible not be an error
-        'privilegeWithdrawn' => 'the certificate (public-key or attribute certificate) was revoked because a privilege contained within that certificate has been withdrawn.',
-        'aACompromise' => 'it is known or suspected that aspects of the AA validated in the attribute certificate have been compromised.',
+        'privilegeWithdrawn' => 'the certificate (public-key or attribute certificate) was revoked because a privilege contained within that certificate has been withdrawn',
+        'aACompromise' => 'it is known or suspected that aspects of the AA validated in the attribute certificate have been compromised',
     ];
 
     private readonly ?\DateTimeInterface $revokedOn;