also match client issuer (CA)

data/schema/6.sql

@@ -7,6 +7,7 @@ CREATE TABLE `sc_users_sslclientcerts` (
   `id` INT NOT NULL AUTO_INCREMENT ,
   `uId` INT NOT NULL ,
   `sslSerial` VARCHAR( 32 ) NOT NULL ,
+  `sslClientIssuerDn` VARCHAR( 1024 ) NOT NULL ,
   `sslName` VARCHAR( 64 ) NOT NULL ,
   `sslEmail` VARCHAR( 64 ) NOT NULL ,
   PRIMARY KEY ( `id` ) ,

data/tables.sql

@@ -81,6 +81,7 @@ CREATE TABLE `sc_users_sslclientcerts` (
   `id` INT NOT NULL AUTO_INCREMENT ,
   `uId` INT NOT NULL ,
   `sslSerial` VARCHAR( 32 ) NOT NULL ,
+  `sslClientIssuerDn` VARCHAR( 1024 ) NOT NULL ,
   `sslName` VARCHAR( 64 ) NOT NULL ,
   `sslEmail` VARCHAR( 64 ) NOT NULL ,
   PRIMARY KEY ( `id` ) ,

src/SemanticScuttle/Service/User.php

@@ -439,18 +439,26 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
     {
         if (!isset($_SERVER['SSL_CLIENT_M_SERIAL'])
             || !isset($_SERVER['SSL_CLIENT_V_END'])
+            || !isset($_SERVER['SSL_CLIENT_VERIFY'])
+            || $_SERVER['SSL_CLIENT_VERIFY'] !== 'SUCCESS'
+            || !isset($_SERVER['SSL_CLIENT_I_DN'])
         ) {
             return false;
         }
-        //TODO: verify this var is always there
+
         if ($_SERVER['SSL_CLIENT_V_REMAIN'] <= 0) {
             return false;
         }
 
-        $serial = $_SERVER['SSL_CLIENT_M_SERIAL'];
+        $serial         = $_SERVER['SSL_CLIENT_M_SERIAL'];
+        $clientIssuerDn = $_SERVER['SSL_CLIENT_I_DN'];
+
         $query = 'SELECT uId'
             . ' FROM ' . $this->getTableName() . '_sslclientcerts'
-            . ' WHERE sslSerial = \'' . $this->db->sql_escape($serial) . '\'';
+            . ' WHERE sslSerial = \'' . $this->db->sql_escape($serial) . '\''
+            . ' AND sslClientIssuerDn = \''
+            . $this->db->sql_escape($clientIssuerDn)
+            . '\'';
         if (!($dbresult = $this->db->sql_query($query))) {
             message_die(
                 GENERAL_ERROR, 'Could not load user for client certificate',