d3/df9/X509userCert_8php_source.html

 <?php

 class sspmod_authX509_Auth_Source_X509userCert extends SimpleSAML_Auth_Source
 {

     private $x509attributes = array('UID' => 'uid');


     private $ldapusercert = array('userCertificate;binary');


     private $ldapcf;


     public function __construct($info, &$config)
     {
         assert(is_array($info));
         assert(is_array($config));

         if (isset($config['authX509:x509attributes'])) {
             $this->x509attributes = $config['authX509:x509attributes'];
         }

         if (array_key_exists('authX509:ldapusercert', $config)) {
             $this->ldapusercert = $config['authX509:ldapusercert'];
         }

         parent::__construct($info, $config);

         $this->ldapcf = new sspmod_ldap_ConfigHelper(
             $config,
             'Authentication source ' . var_export($this->authId, true)
         );

         return;
     }


     public function authFailed(&$state)
     {
         $config = SimpleSAML_Configuration::getInstance();

         $t = new SimpleSAML_XHTML_Template($config, 'authX509:X509error.php');
         $t->data['errorcode'] = $state['authX509.error'];
         $t->data['errorcodes'] = SimpleSAML\Error\ErrorCodes::getAllErrorCodeMessages();

         $t->show();
         exit();
     }


     public function authenticate(&$state)
     {
         assert(is_array($state));
         $ldapcf = $this->ldapcf;

         if (!isset($_SERVER['SSL_CLIENT_CERT']) ||
             ($_SERVER['SSL_CLIENT_CERT'] == '')) {
             $state['authX509.error'] = "NOCERT";
             $this->authFailed($state);

             assert(false); // should never be reached
             return;
         }

         $client_cert = $_SERVER['SSL_CLIENT_CERT'];
         $client_cert_data = openssl_x509_parse($client_cert);
         if ($client_cert_data === false) {
             SimpleSAML\Logger::error('authX509: invalid cert');
             $state['authX509.error'] = "INVALIDCERT";
             $this->authFailed($state);

             assert(false); // should never be reached
             return;
         }

         $dn = null;
         foreach ($this->x509attributes as $x509_attr => $ldap_attr) {
             // value is scalar
             if (array_key_exists($x509_attr, $client_cert_data['subject'])) {
                 $value = $client_cert_data['subject'][$x509_attr];
                 SimpleSAML\Logger::info('authX509: cert '. $x509_attr.' = '.$value);
                 $dn = $ldapcf->searchfordn($ldap_attr, $value, true);
                 if ($dn !== null) {
                     break;
                 }
             }
         }

         if ($dn === null) {
             SimpleSAML\Logger::error('authX509: cert has no matching user in LDAP.');
             $state['authX509.error'] = "UNKNOWNCERT";
             $this->authFailed($state);

             assert(false); // should never be reached
             return;
         }

         if ($this->ldapusercert === null) { // do not check for certificate match
             $attributes = $ldapcf->getAttributes($dn);
             assert(is_array($attributes));
             $state['Attributes'] = $attributes;
             $this->authSuccesful($state);

             assert(false); // should never be reached
             return;
         }

         $ldap_certs = $ldapcf->getAttributes($dn, $this->ldapusercert);
         if ($ldap_certs === false) {
             SimpleSAML\Logger::error('authX509: no certificate found in LDAP for dn='.$dn);
             $state['authX509.error'] = "UNKNOWNCERT";
             $this->authFailed($state);

             assert(false); // should never be reached
             return;
         }


         $merged_ldapcerts = array();
         foreach ($this->ldapusercert as $attr) {
             $merged_ldapcerts = array_merge($merged_ldapcerts, $ldap_certs[$attr]);
         }
         $ldap_certs = $merged_ldapcerts;

         foreach ($ldap_certs as $ldap_cert) {
             $pem = \SimpleSAML\Utils\Crypto::der2pem($ldap_cert);
             $ldap_cert_data = openssl_x509_parse($pem);
             if ($ldap_cert_data === false) {
                 SimpleSAML\Logger::error('authX509: cert in LDAP is invalid for dn='.$dn);
                 continue;
             }

             if ($ldap_cert_data === $client_cert_data) {
                 $attributes = $ldapcf->getAttributes($dn);
                 assert(is_array($attributes));
                 $state['Attributes'] = $attributes;
                 $this->authSuccesful($state);

                 assert(false); // should never be reached
                 return;
             }
         }

         SimpleSAML\Logger::error('authX509: no matching cert in LDAP for dn='.$dn);
         $state['authX509.error'] = "UNKNOWNCERT";
         $this->authFailed($state);

         assert(false); // should never be reached
         return;
     }


     public function authSuccesful(&$state)
     {
         SimpleSAML_Auth_Source::completeAuth($state);

         assert(false); // should never be reached
         return;
     }
 }
$_SERVER
if((!isset($_SERVER['DOCUMENT_ROOT'])) OR(empty($_SERVER['DOCUMENT_ROOT']))) $_SERVER['DOCUMENT_ROOT']
Definition: tcpdf_autoconfig.php:54

$config
$config
Definition: bootstrap.php:15

SimpleSAML_Auth_Source

SimpleSAML\Utils\Crypto\der2pem
static der2pem($der, $type='CERTIFICATE')
Convert data from DER to PEM encoding.
Definition: Crypto.php:160

sspmod_authX509_Auth_Source_X509userCert\authenticate
authenticate(&$state)
Validate certificate and login.
Definition: X509userCert.php:90

sspmod_ldap_ConfigHelper
Definition: ConfigHelper.php:11

sspmod_authX509_Auth_Source_X509userCert\$ldapcf
$ldapcf
LDAPConfigHelper object.
Definition: X509userCert.php:27

sspmod_authX509_Auth_Source_X509userCert
Definition: X509userCert.php:9

SimpleSAML\Error\ErrorCodes\getAllErrorCodeMessages
static getAllErrorCodeMessages()
Get a map of both errorcode titles and descriptions.
Definition: ErrorCodes.php:135

$state
if(!array_key_exists('stateid', $_REQUEST)) $state
Handle linkback() response from LinkedIn.
Definition: linkback.php:10

SimpleSAML\Logger\info
static info($string)
Definition: Logger.php:199

sspmod_authX509_Auth_Source_X509userCert\__construct
__construct($info, &$config)
Constructor for this authentication source.
Definition: X509userCert.php:38

sspmod_authX509_Auth_Source_X509userCert\$ldapusercert
$ldapusercert
LDAP attribute containing the user certificate.
Definition: X509userCert.php:21

SimpleSAML\Logger\error
static error($string)
Definition: Logger.php:166

sspmod_authX509_Auth_Source_X509userCert\authFailed
authFailed(&$state)
Finish a failed authentication.
Definition: X509userCert.php:69

$attributes
if(array_key_exists('yes', $_REQUEST)) $attributes
Definition: getconsent.php:85

$t
$t
Definition: authorize_403.php:14

sspmod_authX509_Auth_Source_X509userCert\$x509attributes
$x509attributes
x509 attributes to use from the certificate for searching the user in the LDAP directory.
Definition: X509userCert.php:15

exit
exit
Definition: backend.php:16

SimpleSAML_XHTML_Template
Definition: Template.php:14

php

SimpleSAML_Auth_Source\completeAuth
static completeAuth(&$state)
Complete authentication.
Definition: Source.php:136

$info
$info
Definition: index.php:5

sspmod_authX509_Auth_Source_X509userCert\authSuccesful
authSuccesful(&$state)
Finish a successful authentication.
Definition: X509userCert.php:199

SimpleSAML_Configuration\getInstance
static getInstance($instancename='simplesaml')
Get a configuration file by its instance name.
Definition: Configuration.php:325