From c7ec370b4712a3d2782c310d486e0d749eed2e0d Mon Sep 17 00:00:00 2001
From: Christian Weiske <cweiske@cweiske.de>
Date: Thu, 5 May 2011 12:01:39 +0200
Subject: also match client issuer (CA)

---
 data/schema/6.sql                    |  1 +
 data/tables.sql                      |  1 +
 src/SemanticScuttle/Service/User.php | 14 +++++++++++---
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/data/schema/6.sql b/data/schema/6.sql
index bc85ffd..0c208ad 100644
--- a/data/schema/6.sql
+++ b/data/schema/6.sql
@@ -7,6 +7,7 @@ CREATE TABLE `sc_users_sslclientcerts` (
   `id` INT NOT NULL AUTO_INCREMENT ,
   `uId` INT NOT NULL ,
   `sslSerial` VARCHAR( 32 ) NOT NULL ,
+  `sslClientIssuerDn` VARCHAR( 1024 ) NOT NULL ,
   `sslName` VARCHAR( 64 ) NOT NULL ,
   `sslEmail` VARCHAR( 64 ) NOT NULL ,
   PRIMARY KEY ( `id` ) ,
diff --git a/data/tables.sql b/data/tables.sql
index af0c81b..d53945e 100644
--- a/data/tables.sql
+++ b/data/tables.sql
@@ -81,6 +81,7 @@ CREATE TABLE `sc_users_sslclientcerts` (
   `id` INT NOT NULL AUTO_INCREMENT ,
   `uId` INT NOT NULL ,
   `sslSerial` VARCHAR( 32 ) NOT NULL ,
+  `sslClientIssuerDn` VARCHAR( 1024 ) NOT NULL ,
   `sslName` VARCHAR( 64 ) NOT NULL ,
   `sslEmail` VARCHAR( 64 ) NOT NULL ,
   PRIMARY KEY ( `id` ) ,
diff --git a/src/SemanticScuttle/Service/User.php b/src/SemanticScuttle/Service/User.php
index 0071f9b..bf7c61d 100644
--- a/src/SemanticScuttle/Service/User.php
+++ b/src/SemanticScuttle/Service/User.php
@@ -439,18 +439,26 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
     {
         if (!isset($_SERVER['SSL_CLIENT_M_SERIAL'])
             || !isset($_SERVER['SSL_CLIENT_V_END'])
+            || !isset($_SERVER['SSL_CLIENT_VERIFY'])
+            || $_SERVER['SSL_CLIENT_VERIFY'] !== 'SUCCESS'
+            || !isset($_SERVER['SSL_CLIENT_I_DN'])
         ) {
             return false;
         }
-        //TODO: verify this var is always there
+
         if ($_SERVER['SSL_CLIENT_V_REMAIN'] <= 0) {
             return false;
         }
 
-        $serial = $_SERVER['SSL_CLIENT_M_SERIAL'];
+        $serial         = $_SERVER['SSL_CLIENT_M_SERIAL'];
+        $clientIssuerDn = $_SERVER['SSL_CLIENT_I_DN'];
+
         $query = 'SELECT uId'
             . ' FROM ' . $this->getTableName() . '_sslclientcerts'
-            . ' WHERE sslSerial = \'' . $this->db->sql_escape($serial) . '\'';
+            . ' WHERE sslSerial = \'' . $this->db->sql_escape($serial) . '\''
+            . ' AND sslClientIssuerDn = \''
+            . $this->db->sql_escape($clientIssuerDn)
+            . '\'';
         if (!($dbresult = $this->db->sql_query($query))) {
             message_die(
                 GENERAL_ERROR, 'Could not load user for client certificate',
-- 
cgit v1.2.3