WWSympa: TLS client authentication: Get email from certificate according to S/MIME #571

Merged
Apr 2, 2019
56 changes: 20 additions & 36 deletions src/cgi/wwsympa.fcgi.in
@@ -1282,48 +1282,32 @@ while ($query = CGI::Fast->new) {

## RSS does not require user authentication
unless ($rss) {
if ( $ENV{'SSL_CLIENT_VERIFY'} eq 'SUCCESS'
if ( $Crypt::OpenSSL::X509::VERSION
and $ENV{SSL_CLIENT_VERIFY}
and $ENV{SSL_CLIENT_VERIFY} eq 'SUCCESS'
and $in{'action'} ne 'sso_login') {
# Do not check client certificate automatically if in sso_login

$log->syslog(
'debug2',
'SSL verified, S_EMAIL = %s, " . " S_DN_Email = %s',
$ENV{'SSL_CLIENT_S_EMAIL'},
$ENV{'SSL_CLIENT_S_DN_Email'}
);
if (($ENV{'SSL_CLIENT_S_EMAIL'})) {
# this is the X509v3 SubjectAlternativeName, and requires
# a patch to mod_ssl -- [email protected]
$param->{'user'}{'email'} = lc($ENV{'SSL_CLIENT_S_EMAIL'});
} elsif ($ENV{SSL_CLIENT_S_DN_Email}) {
$param->{'user'}{'email'} = lc($ENV{'SSL_CLIENT_S_DN_Email'});
} elsif ($ENV{'SSL_CLIENT_S_DN'} =~ /\+MAIL=([^\+\/]+)$/) {
## Compatibility issue with old a-sign.at certs
$param->{'user'}{'email'} = lc($1);
} elsif ($Crypt::OpenSSL::X509::VERSION
and exists($ENV{SSL_CLIENT_CERT})) {
# this is the X509v3 SubjectAlternativeName, and does only
# require "SSLOptions +ExportCertData" without patching
# mod_ssl -- [email protected]
$param->{'user'}{'email'} = lc(
Crypt::OpenSSL::X509->new_from_string(
$ENV{SSL_CLIENT_CERT}
)->email()
);
}
# Get rfc822Name in X.509v3 subjectAltName, otherwise
# emailAddress attribute in subject DN (the first one of either).
# Note: Earlier efforts getting attribute such as MAIL, Email in
# subject DN are no longer supported.
my $x509 = eval {
Crypt::OpenSSL::X509->new_from_string($ENV{SSL_CLIENT_CERT});
};
my $email = Sympa::Tools::Text::canonic_email($x509->email)
if $x509 and Sympa::Tools::Text::valid_email($x509->email);

if ($param->{user}{email}) {
$session->{'email'} = $param->{user}{email};
if ($email) {
$param->{'user'}{'email'} = $email;
$session->{'email'} = $email;
$param->{'auth_method'} = 'smime';
$session->{'auth'} = 'x509';
$param->{'ssl_client_s_dn'} = $ENV{'SSL_CLIENT_S_DN'};
$param->{'ssl_client_v_end'} = $ENV{'SSL_CLIENT_V_END'};
$param->{'ssl_client_i_dn'} = $ENV{'SSL_CLIENT_I_DN'};
$param->{'ssl_client_s_dn'} = $x509->subject;
$param->{'ssl_client_v_end'} = $x509->notAfter;
$param->{'ssl_client_i_dn'} = $x509->issuer;
# Only with Apache+mod_ssl or lighttpd+mod_openssl.
$param->{'ssl_cipher_usekeysize'} =
$ENV{'SSL_CIPHER_USEKEYSIZE'};
$ENV{SSL_CIPHER_USEKEYSIZE};
}

} elsif (($session->{'email'}) && ($session->{'email'} ne 'nobody')) {
$param->{'user'}{'email'} = $session->{'email'};
} elsif ($in{'ticket'} =~ /(S|P)T\-/) {
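Review bot: `my $email = Sympa::Tools::Text::canonic_email($x509->email) if $x509 and ...;` attaches a statement modifier to a `my` declaration, which perlsyn documents as undefined behaviour; since this sits inside the `while ($query = CGI::Fast->new)` loop, `$email` may not be reset between requests when the condition is false. Declare first, then assign conditionally: `my $email;` followed by `$email = Sympa::Tools::Text::canonic_email($x509->email) if $x509 and Sympa::Tools::Text::valid_email($x509->email);`. Two smaller points: the `eval` around `new_from_string` discards `$@` and the old `debug2` syslog is dropped without replacement, so a deployment where `SSL_CLIENT_VERIFY` is `SUCCESS` but `SSL_CLIENT_CERT` is not exported (the removed comment noted this needs `SSLOptions +ExportCertData`) now falls through silently to the session fallback; logging `$@` at `debug2` and keeping the `+ExportCertData` note in the comment would help operators diagnose it. Also, `ssl_client_s_dn`, `ssl_client_i_dn` and `ssl_client_v_end` switch from the mod_ssl-formatted `SSL_CLIENT_S_DN`, `SSL_CLIENT_I_DN` and `SSL_CLIENT_V_END` values to `$x509->subject`, `$x509->issuer` and `$x509->notAfter`, whose string formats can differ; worth confirming that whatever renders these `$param` entries does not depend on the old format.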