From c7ec370b4712a3d2782c310d486e0d749eed2e0d Mon Sep 17 00:00:00 2001 From: Christian Weiske Date: Thu, 5 May 2011 12:01:39 +0200 Subject: [PATCH] also match client issuer (CA) --- data/schema/6.sql | 1 + data/tables.sql | 1 + src/SemanticScuttle/Service/User.php | 14 +++++++++++--- 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/data/schema/6.sql b/data/schema/6.sql index bc85ffd..0c208ad 100644 --- a/data/schema/6.sql +++ b/data/schema/6.sql @@ -7,6 +7,7 @@ CREATE TABLE `sc_users_sslclientcerts` ( `id` INT NOT NULL AUTO_INCREMENT , `uId` INT NOT NULL , `sslSerial` VARCHAR( 32 ) NOT NULL , + `sslClientIssuerDn` VARCHAR( 1024 ) NOT NULL , `sslName` VARCHAR( 64 ) NOT NULL , `sslEmail` VARCHAR( 64 ) NOT NULL , PRIMARY KEY ( `id` ) , diff --git a/data/tables.sql b/data/tables.sql index af0c81b..d53945e 100644 --- a/data/tables.sql +++ b/data/tables.sql @@ -81,6 +81,7 @@ CREATE TABLE `sc_users_sslclientcerts` ( `id` INT NOT NULL AUTO_INCREMENT , `uId` INT NOT NULL , `sslSerial` VARCHAR( 32 ) NOT NULL , + `sslClientIssuerDn` VARCHAR( 1024 ) NOT NULL , `sslName` VARCHAR( 64 ) NOT NULL , `sslEmail` VARCHAR( 64 ) NOT NULL , PRIMARY KEY ( `id` ) , diff --git a/src/SemanticScuttle/Service/User.php b/src/SemanticScuttle/Service/User.php index 0071f9b..bf7c61d 100644 --- a/src/SemanticScuttle/Service/User.php +++ b/src/SemanticScuttle/Service/User.php @@ -439,18 +439,26 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService { if (!isset($_SERVER['SSL_CLIENT_M_SERIAL']) || !isset($_SERVER['SSL_CLIENT_V_END']) + || !isset($_SERVER['SSL_CLIENT_VERIFY']) + || $_SERVER['SSL_CLIENT_VERIFY'] !== 'SUCCESS' + || !isset($_SERVER['SSL_CLIENT_I_DN']) ) { return false; } - //TODO: verify this var is always there + if ($_SERVER['SSL_CLIENT_V_REMAIN'] <= 0) { return false; } - $serial = $_SERVER['SSL_CLIENT_M_SERIAL']; + $serial = $_SERVER['SSL_CLIENT_M_SERIAL']; + $clientIssuerDn = $_SERVER['SSL_CLIENT_I_DN']; + $query = 'SELECT uId' . ' FROM ' . $this->getTableName() . '_sslclientcerts' - . ' WHERE sslSerial = \'' . $this->db->sql_escape($serial) . '\''; + . ' WHERE sslSerial = \'' . $this->db->sql_escape($serial) . '\'' + . ' AND sslClientIssuerDn = \'' + . $this->db->sql_escape($clientIssuerDn) + . '\''; if (!($dbresult = $this->db->sql_query($query))) { message_die( GENERAL_ERROR, 'Could not load user for client certificate',