Unverified Commit c2536ce6 authored by IKEDA Soji's avatar IKEDA Soji Committed by GitHub

Merge pull request #571 from ikedas/update_tls_auth by ikedas

WWSympa: TLS client authentication: Get email from certificate according to S/MIME
parents 7164bc79 f72d51ac
...@@ -1282,48 +1282,32 @@ while ($query = CGI::Fast->new) { ...@@ -1282,48 +1282,32 @@ while ($query = CGI::Fast->new) {
   
## RSS does not require user authentication ## RSS does not require user authentication
unless ($rss) { unless ($rss) {
if ( $ENV{'SSL_CLIENT_VERIFY'} eq 'SUCCESS' if ( $Crypt::OpenSSL::X509::VERSION
and $ENV{SSL_CLIENT_VERIFY}
and $ENV{SSL_CLIENT_VERIFY} eq 'SUCCESS'
and $in{'action'} ne 'sso_login') { and $in{'action'} ne 'sso_login') {
# Do not check client certificate automatically if in sso_login # Get rfc822Name in X.509v3 subjectAltName, otherwise
# emailAddress attribute in subject DN (the first one of either).
$log->syslog( # Note: Earlier efforts getting attribute such as MAIL, Email in
'debug2', # subject DN are no longer supported.
'SSL verified, S_EMAIL = %s, " . " S_DN_Email = %s', my $x509 = eval {
$ENV{'SSL_CLIENT_S_EMAIL'}, Crypt::OpenSSL::X509->new_from_string($ENV{SSL_CLIENT_CERT});
$ENV{'SSL_CLIENT_S_DN_Email'} };
); my $email = Sympa::Tools::Text::canonic_email($x509->email)
if (($ENV{'SSL_CLIENT_S_EMAIL'})) { if $x509 and Sympa::Tools::Text::valid_email($x509->email);
# this is the X509v3 SubjectAlternativeName, and requires
# a patch to mod_ssl -- cm@coretec.at
$param->{'user'}{'email'} = lc($ENV{'SSL_CLIENT_S_EMAIL'});
} elsif ($ENV{SSL_CLIENT_S_DN_Email}) {
$param->{'user'}{'email'} = lc($ENV{'SSL_CLIENT_S_DN_Email'});
} elsif ($ENV{'SSL_CLIENT_S_DN'} =~ /\+MAIL=([^\+\/]+)$/) {
## Compatibility issue with old a-sign.at certs
$param->{'user'}{'email'} = lc($1);
} elsif ($Crypt::OpenSSL::X509::VERSION
and exists($ENV{SSL_CLIENT_CERT})) {
# this is the X509v3 SubjectAlternativeName, and does only
# require "SSLOptions +ExportCertData" without patching
# mod_ssl -- massar@unix-ag.uni-kl.de
$param->{'user'}{'email'} = lc(
Crypt::OpenSSL::X509->new_from_string(
$ENV{SSL_CLIENT_CERT}
)->email()
);
}
   
if ($param->{user}{email}) { if ($email) {
$session->{'email'} = $param->{user}{email}; $param->{'user'}{'email'} = $email;
$session->{'email'} = $email;
$param->{'auth_method'} = 'smime'; $param->{'auth_method'} = 'smime';
$session->{'auth'} = 'x509'; $session->{'auth'} = 'x509';
$param->{'ssl_client_s_dn'} = $ENV{'SSL_CLIENT_S_DN'}; $param->{'ssl_client_s_dn'} = $x509->subject;
$param->{'ssl_client_v_end'} = $ENV{'SSL_CLIENT_V_END'}; $param->{'ssl_client_v_end'} = $x509->notAfter;
$param->{'ssl_client_i_dn'} = $ENV{'SSL_CLIENT_I_DN'}; $param->{'ssl_client_i_dn'} = $x509->issuer;
# Only with Apache+mod_ssl or lighttpd+mod_openssl.
$param->{'ssl_cipher_usekeysize'} = $param->{'ssl_cipher_usekeysize'} =
$ENV{'SSL_CIPHER_USEKEYSIZE'}; $ENV{SSL_CIPHER_USEKEYSIZE};
} }
} elsif (($session->{'email'}) && ($session->{'email'} ne 'nobody')) { } elsif (($session->{'email'}) && ($session->{'email'} ne 'nobody')) {
$param->{'user'}{'email'} = $session->{'email'}; $param->{'user'}{'email'} = $session->{'email'};
} elsif ($in{'ticket'} =~ /(S|P)T\-/) { } elsif ($in{'ticket'} =~ /(S|P)T\-/) {
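Review bot: `my $email = Sympa::Tools::Text::canonic_email($x509->email) if $x509 and ...;` declares a lexical under a statement modifier, which perlsyn documents as undefined behaviour; in practice, when the modifier is false the pad slot is not cleared at scope exit and `$email` can still hold the value it had the last time this block ran. Since this block sits inside the `while ($query = CGI::Fast->new)` request loop named in the hunk header, a later request that passes `SSL_CLIENT_VERIFY eq 'SUCCESS'` with a certificate that has no valid email could then enter the `if ($email)` branch and be given the previous request's identity via `$session->{'email'}` and `$param->{'auth_method'} = 'smime'`. Separate the declaration from the conditional assignment: `my $email; $email = Sympa::Tools::Text::canonic_email($x509->email) if $x509 and Sympa::Tools::Text::valid_email($x509->email);`. It would also help operators to syslog `$@` when `new_from_string` fails, because a certificate the server verified but Crypt::OpenSSL::X509 cannot parse is currently dropped silently. The enclosing `unless ($rss)` block and the request loop both extend beyond this hunk.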