ZP-429 #comment when sending a client certificate, make sure that the...

ZP-429 #comment when sending a client certificate, make sure that the certificate owner is the same as the authentication user #time 20m

git-svn-id: https://z-push.org/svn/z-push/trunk@1693 b7dd7b3b-3a3c-0410-9da9-bee62a6cc5b5

src/config.php

@@ -59,6 +59,10 @@
     // When accessing through a proxy, the "X-Forwarded-For" header contains the original remote IP
     define('USE_X_FORWARDED_FOR_HEADER', false);
 
+    // When using client certificates, we can check if the login sent matches the owner of the certificate.
+    // This setting specifies the owner parameter in the certificate to look at.
+    define("CERTIFICATE_OWNER_PARAMETER", "SSL_CLIENT_S_DN_CN");
+
 /**********************************************************************************
  *  Default FileStateMachine settings
  */

src/lib/request/requestprocessor.php

@@ -73,6 +73,10 @@ abstract class RequestProcessor {
     static public function Authenticate() {
         self::$userIsAuthenticated = false;
 
+        // when a certificate is sent, allow authentication only as the certificate owner
+        if(defined("CERTIFICATE_OWNER_PARAMETER") && isset($_SERVER[CERTIFICATE_OWNER_PARAMETER]) && strtolower($_SERVER[CERTIFICATE_OWNER_PARAMETER]) != strtolower(Request::GetAuthUser()))
+            throw new AuthenticationRequiredException(sprintf("Access denied. Access is allowed only for the certificate owner '%s'", $_SERVER[CERTIFICATE_OWNER_PARAMETER]));
+
         $backend = ZPush::GetBackend();
         if($backend->Logon(Request::GetAuthUser(), Request::GetAuthDomain(), Request::GetAuthPassword()) == false)
             throw new AuthenticationRequiredException("Access denied. Username or password incorrect");