Nico Huber | ee52fbc | 2023-06-24 11:52:57 +0000 | [diff] [blame] | 1 | <?php |
| 2 | /* |
| 3 | * SimpleID |
| 4 | * |
| 5 | * Copyright (C) Kelvin Mo 2012 |
| 6 | * |
| 7 | * This program is free software; you can redistribute it and/or |
| 8 | * modify it under the terms of the GNU General Public |
| 9 | * License as published by the Free Software Foundation; either |
| 10 | * version 2 of the License, or (at your option) any later version. |
| 11 | * |
| 12 | * This program is distributed in the hope that it will be useful, |
| 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
| 15 | * General Public License for more details. |
| 16 | * |
| 17 | * You should have received a copy of the GNU General Public |
| 18 | * License along with this program; if not, write to the Free |
| 19 | * Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. |
| 20 | * |
| 21 | * $Id$ |
| 22 | */ |
| 23 | |
| 24 | /** |
| 25 | * Authentication using a SSL client certificate. |
| 26 | * |
| 27 | * @package simpleid |
| 28 | * @subpackage extensions |
| 29 | * @filesource |
| 30 | */ |
| 31 | |
| 32 | |
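/**
 * Attempt to login using a SSL client certificate.
 *
 * Note that the web server must be set up to request a SSL client certificate
 * and pass the certificate's details to PHP.
 *
 * The certificate is identified by its serial number and issuer DN combined
 * (separated by a semicolon), because a serial number is only unique within a
 * single issuer.
 *
 * @return mixed the result of {@link user_load()} for the user linked to the
 * certificate, or NULL if no acceptable certificate was presented or no user is
 * linked to it
 */
function certauth_user_auto_login() {
    if (!_certauth_has_client_cert()) return NULL;

    $serial = isset($_SERVER['SSL_CLIENT_M_SERIAL']) ? trim($_SERVER['SSL_CLIENT_M_SERIAL']) : '';
    $issuer = isset($_SERVER['SSL_CLIENT_I_DN']) ? trim($_SERVER['SSL_CLIENT_I_DN']) : '';

    // An empty serial number or issuer would produce an ambiguous lookup key
    // (e.g. ";CN=Issuer"), so refuse to look it up at all.
    if (($serial === '') || ($issuer === '')) {
        log_warn('Client SSL certificate presented without a serial number or issuer.');
        return NULL;
    }

    $cert = $serial . ';' . $issuer;
    log_debug('Client SSL certificate: ' . $cert);

    $uid = store_get_uid_from_cert($cert);

    // Strict checks for the "not found" values instead of a loose != NULL
    // comparison, whose result depends on PHP's type juggling rules.
    if (($uid === NULL) || ($uid === false) || ($uid === '')) {
        log_warn('Client SSL certificate presented, but no user with that certificate exists.');
        return NULL;
    }

    log_debug('Client SSL certificate accepted for ' . $uid);
    return user_load($uid);
}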
| 54 | |
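/**
 * Determines whether the user agent supplied a valid certificate identifying the
 * user.
 *
 * A valid certificate is supplied if all of the following occurs:
 *
 * - the connection is done using HTTPS (i.e. {@link is_https()} is true)
 * - the web server has been set up to request a certificate from the user agent
 * - the web server has been set up to pass the certificate details to PHP
 * - the web server reports that it verified the certificate (SSL_CLIENT_VERIFY
 *   is 'SUCCESS'); chain validation and any revocation checking are performed by
 *   the web server, not by this function
 * - the certificate has not expired (SSL_CLIENT_V_REMAIN is a non-negative
 *   number and SSL_CLIENT_V_END is present)
 * - the certificate contains a non-empty serial number and issuer DN
 *
 * The SSL_CLIENT_* entries must be populated by the TLS endpoint itself (for
 * example mod_ssl with StdEnvVars enabled). They are only trustworthy if they
 * cannot be derived from request headers, which any client can set.
 *
 * @return bool true if the user agent has supplied a valid SSL certificate
 */
function _certauth_has_client_cert() {
    // False if we are not on HTTPS - a client certificate is only meaningful
    // on a TLS connection
    if (!is_https()) return false;

    // False if the web server did not verify the certificate
    if (!isset($_SERVER['SSL_CLIENT_VERIFY']) || ($_SERVER['SSL_CLIENT_VERIFY'] !== 'SUCCESS')) return false;

    // False if certificate is expired or has no expiry date.  The remaining
    // validity is compared numerically; a non-numeric value is treated as
    // unknown and rejected rather than left to loose string/int comparison.
    if (!isset($_SERVER['SSL_CLIENT_V_REMAIN'])) return false;
    $remain = trim((string) $_SERVER['SSL_CLIENT_V_REMAIN']);
    if (!is_numeric($remain) || ((int) $remain < 0)) return false;
    if (!isset($_SERVER['SSL_CLIENT_V_END'])) return false;

    // False if no serial number.  The serial number and issuer together form
    // the key used to look up the user, so both must be present and non-empty.
    if (!isset($_SERVER['SSL_CLIENT_M_SERIAL']) || (trim($_SERVER['SSL_CLIENT_M_SERIAL']) === '')) return false;

    // False if no issuer
    if (!isset($_SERVER['SSL_CLIENT_I_DN']) || (trim($_SERVER['SSL_CLIENT_I_DN']) === '')) return false;

    return true;
}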
| 88 | ?> |