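/**
 * Authenticate the current request by its mod_ssl client certificate.
 *
 * The PEM client certificate is read from $_SERVER, a username is resolved for it
 * through the configured callback class (or the standard callback when that class
 * does not exist), and the certificate is checked with its own isValid(). A valid
 * X509 certificate is recorded in the addressbook and yields a SUCCESS result;
 * an invalid one yields FAILURE_CREDENTIAL_INVALID with the certificate's status
 * errors; every other case yields the generic FAILURE result.
 *
 * @return Zend_Auth_Result
 */
public function authenticate()
{
    if (self::hasModSsl()) {
        // Fix to support reverseProxy without SSLProxyEngine: mod_ssl exposes the
        // certificate as SSL_CLIENT_CERT, a proxy may forward it as a request header
        // instead. NOTE(review): every $_SERVER['HTTP_*'] entry is copied from a
        // request header, so the header fallback is only trustworthy when the proxy
        // always sets/overwrites that header and the backend cannot be reached
        // without going through the proxy.
        if (!empty($_SERVER['SSL_CLIENT_CERT'])) {
            $clientCert = $_SERVER['SSL_CLIENT_CERT'];
        } elseif (isset($_SERVER['HTTP_SSL_CLIENT_CERT'])) {
            $clientCert = $_SERVER['HTTP_SSL_CLIENT_CERT'];
        } else {
            $clientCert = null;
        }

        // Without any certificate there is nothing to authenticate (the former
        // code raised an undefined-index notice here and passed null on).
        if ($clientCert === null || $clientCert === '') {
            return new Zend_Auth_Result(Zend_Auth_Result::FAILURE, 'Unknown User', array('Unknown Authentication Error'));
        }

        // get Identity
        $certificate = Custom_Auth_ModSsl_Certificate_Factory::buildCertificate($clientCert);
        $config = Tinebase_Config::getInstance()->get('modssl');

        // The callback class name comes from the 'modssl' configuration; fall back
        // to the standard callback when it does not name a loadable class.
        if (class_exists($config->username_callback)) {
            $callback = new $config->username_callback($certificate);
        } else {
            // fallback to default
            $callback = new Custom_Auth_ModSsl_UsernameCallback_Standard($certificate);
        }

        $this->setIdentity($callback->getUsername());
        $this->setCredential(null);

        if ($certificate instanceof Custom_Auth_ModSsl_Certificate_X509) {
            $statusErrors = $certificate->getStatusErrors();

            if (!$certificate->isValid()) {
                // one '#'-terminated entry per status error, for the log line
                $lines = '';
                foreach ($statusErrors as $line) {
                    $lines .= $line . '#';
                }
                if (Tinebase_Core::isLogLevel(Zend_Log::ERR)) {
                    Tinebase_Core::getLogger()->err(__METHOD__ . '::' . __LINE__ . ' ModSsl authentication for ' . $this->_identity . ' failed: ' . $lines);
                }
                return new Zend_Auth_Result(Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID, $this->_identity, $statusErrors);
            }

            $messages = array('Authentication Successfull');

            // If certificate is valid store it in database
            $controller = Addressbook_Controller_Certificate::getInstance();
            try {
                $controller->create(new Addressbook_Model_Certificate($certificate));
            } catch (Tinebase_Exception_Duplicate $e) {
                // Fail silently if certificate already exists
            }

            return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $this->_identity, $messages);
        }
    }

    return new Zend_Auth_Result(Zend_Auth_Result::FAILURE, 'Unknown User', array('Unknown Authentication Error'));
}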
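/**
 * Verify the integrity of a signed (S/MIME) message.
 *
 * The raw message is written to a temporary file and checked with
 * openssl_pkcs7_verify() against the CA file from the 'modssl' configuration.
 * The signer certificate (extracted by OpenSSL, or pulled from the message as a
 * fallback) is then checked for validity and compared with the sender address;
 * a valid certificate is recorded in the addressbook.
 *
 * @param string $rawHeaders raw MIME headers of the message
 * @param string $rawBody    raw MIME body of the message
 * @param string $fromEmail  sender address, compared with the signer certificate's email
 * @param string $smime      S/MIME content type of the message (Expressomail_Smime::TYPE_* value)
 * @return array with keys
 *     'success'     bool
 *     'msgs'        array of status / error messages
 *     'certificate' array  signer certificate (toArray()), when one could be obtained
 *     'content'     string verified content, or the raw message for encrypted data
 *     'ret_type'    string type reported by verify_p7m(), when any
 */
public static function verify($rawHeaders, $rawBody, $fromEmail, $smime)
{
    if (empty($rawHeaders) || empty($rawBody)) {
        return array('success' => false, 'msgs' => array("Empty message"));
    }

    $return = array();
    $path = Tinebase_Core::getTempDir();
    $translate = Tinebase_Translation::getTranslation('Expressomail');
    $msg = $rawHeaders . $rawBody;
    $ret_type = null;

    if ($smime == Expressomail_Smime::TYPE_ENVELOPED_DATA_VALUE || $smime == Expressomail_Smime::TYPE_SIGNED_DATA_VALUE) {
        $ret_type = self::verify_p7m($rawBody);
        // Encrypted Message ?? Nothing can be verified here; return the raw msg
        // so that other processing can deal with it.
        if ($ret_type == 'cipher') {
            $return['success'] = false;
            $return['msgs'] = array("Encrypted Message.");
            $return['ret_type'] = $ret_type;
            $return['content'] = $msg;
            return $return;
        }
    }

    $config = Tinebase_Config::getInstance()->get('modssl');

    // creates temporary files; every name is registered in $temporary_files for cleanup
    $temporary_files = array();
    $msgTempFile = self::generateTempFilename($temporary_files, $path);
    if (!self::writeTo($msgTempFile, $msg)) {
        // Bug fix: previously verification went on with a missing/partial message
        // file and this error was overwritten by the verification result.
        $return['success'] = false;
        $return['msgs'] = array("Coudn't write temporary files!");
        if ($ret_type) {
            $return['ret_type'] = $ret_type;
        }
        self::removeTempFiles($temporary_files);
        return $return;
    }
    $certificateTempFile = self::generateTempFilename($temporary_files, $path);
    $contentTempFile = self::generateTempFilename($temporary_files, $path);

    // do verification; OpenSSL writes the signer certificate to $certificateTempFile
    // and the verified content to $contentTempFile
    $result = openssl_pkcs7_verify($msgTempFile, 0, $certificateTempFile, array($config->casfile), $config->casfile, $contentTempFile);

    $aux_certificate = is_file($certificateTempFile) ? file_get_contents($certificateTempFile) : '';
    if ($aux_certificate !== false && $aux_certificate !== '') {
        // E-mail validation is unskipable, we always verify chain and crls
        $certificate = Custom_Auth_ModSsl_Certificate_Factory::buildCertificate($aux_certificate, TRUE);
    } else {
        // try get certificate from message (other way) ....
        $certificate = self::pullCertificateFromMessage($msgTempFile);
    }

    if ($result === -1 || !$result) {
        // error on openssl_pkcs7_verify() call
        $return['success'] = false;
        $return['msgs'] = self::getOpensslErrors();
        if ($certificate) {
            $return['certificate'] = $certificate->toArray();
        }
    } elseif (!$certificate) {
        // Bug fix: the signature checked out but no signer certificate could be
        // obtained; without it neither the sender address nor the certificate
        // status can be checked (the former code dereferenced null here).
        $return['success'] = false;
        $return['msgs'] = array('Signer certificate not found');
    } else {
        $mailMismatch = $fromEmail !== $certificate->getEmail();
        if ($certificate->isValid()) {
            if (!$mailMismatch) {
                $return['success'] = true;
                $return['msgs'] = array('Message Verification Successful');
            }
            // If certificate is valid store it in database. Note that this happens
            // even when the sender address does not match the certificate.
            $controller = Addressbook_Controller_Certificate::getInstance();
            try {
                $controller->create(new Addressbook_Model_Certificate($certificate));
            } catch (Tinebase_Exception_Duplicate $e) {
                // Fail silently if certificate already exists
            }
        } else {
            $return['success'] = false;
            $return['msgs'] = $certificate->getStatusErrors();
            if ($mailMismatch) {
                $return['msgs'][] = $translate->_('Sender\'s email is different from Digital Certificate\'s email');
            }
        }
        $return['certificate'] = $certificate->toArray();
    }

    if (is_file($contentTempFile)) {
        // get original msg
        $return['content'] = file_get_contents($contentTempFile);
    }
    if ($ret_type) {
        $return['ret_type'] = $ret_type;
    }

    self::removeTempFiles($temporary_files);

    return $return;
}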