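/**
 * Authenticate the current request from the TLS client certificate found in $_SERVER.
 *
 * The username is derived from the certificate through the class named in the 'modssl'
 * configuration (username_callback), falling back to the standard callback. SUCCESS is
 * returned only for an X509 certificate whose isValid() check passes; such a certificate
 * is also stored through Addressbook_Controller_Certificate.
 *
 * @return Zend_Auth_Result
 */
 public function authenticate()
 {
     if (self::hasModSsl()) {
         // SSL_CLIENT_CERT is a server-set variable. HTTP_SSL_CLIENT_CERT is the fallback
         // for a reverse proxy without SSLProxyEngine and is derived from a request header.
         // SECURITY: the header is only trustworthy when the proxy that terminated TLS
         // overwrites it on every request and this backend is reachable only through that
         // proxy; otherwise it carries no proof that the sender holds the private key.
         $clientCert = null;
         if (!empty($_SERVER['SSL_CLIENT_CERT'])) {
             $clientCert = $_SERVER['SSL_CLIENT_CERT'];
         } elseif (!empty($_SERVER['HTTP_SSL_CLIENT_CERT'])) {
             $clientCert = $_SERVER['HTTP_SSL_CLIENT_CERT'];
         }
         if ($clientCert === null) {
             // No certificate was presented: fail closed instead of reading an undefined
             // index and handing null to the certificate factory.
             return new Zend_Auth_Result(Zend_Auth_Result::FAILURE, 'Unknown User', array('Unknown Authentication Error'));
         }

         // get Identity
         $certificate = Custom_Auth_ModSsl_Certificate_Factory::buildCertificate($clientCert);
         $config = Tinebase_Config::getInstance()->get('modssl');

         // The callback class is instantiated by name, so username_callback must only ever
         // come from administrator-controlled configuration.
         $callbackClass = is_object($config) ? $config->username_callback : null;
         if (is_string($callbackClass) && class_exists($callbackClass)) {
             $callback = new $callbackClass($certificate);
         } else {
             // fallback to default
             $callback = new Custom_Auth_ModSsl_UsernameCallback_Standard($certificate);
         }

         // The identity is set before validation; it is only reported as authenticated
         // when the SUCCESS result below is returned.
         $this->setIdentity($callback->getUsername());
         $this->setCredential(null);

         if ($certificate instanceof Custom_Auth_ModSsl_Certificate_X509) {
             if (!$certificate->isValid()) {
                 if (Tinebase_Core::isLogLevel(Zend_Log::ERR)) {
                     // Status errors are joined with a trailing '#' after each entry.
                     $lines = '';
                     foreach ($certificate->getStatusErrors() as $line) {
                         $lines .= $line . '#';
                     }
                     Tinebase_Core::getLogger()->err(__METHOD__ . '::' . __LINE__ . ' ModSsl authentication for ' . $this->_identity . ' failed: ' . $lines);
                 }
                 return new Zend_Auth_Result(Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID, $this->_identity, $certificate->getStatusErrors());
             }

             $messages = array('Authentication Successfull');
             // If certificate is valid store it in database
             $controller = Addressbook_Controller_Certificate::getInstance();
             try {
                 $controller->create(new Addressbook_Model_Certificate($certificate));
             } catch (Tinebase_Exception_Duplicate $e) {
                 // Fail silently if certificate already exists
             }
             return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $this->_identity, $messages);
         }
     }
     // mod_ssl not available, or the factory did not produce an X509 certificate.
     return new Zend_Auth_Result(Zend_Auth_Result::FAILURE, 'Unknown User', array('Unknown Authentication Error'));
 }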
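 /**
  * Verify the integrity of an S/MIME signed message.
  *
  * Headers and body are written to a temporary file and checked with
  * openssl_pkcs7_verify() against the CA file from the 'modssl' configuration. The signer
  * certificate is then validated and its e-mail address compared with $fromEmail.
  *
  * @param string $rawHeaders raw message headers
  * @param string $rawBody    raw message body
  * @param string $fromEmail  sender address compared with the certificate's e-mail
  * @param mixed  $smime      S/MIME type, compared with Expressomail_Smime::TYPE_*_VALUE
  * @return array 'success' (bool) and 'msgs' (array), plus 'certificate', 'content'
  *               and 'ret_type' when available
  */
 public static function verify($rawHeaders, $rawBody, $fromEmail, $smime)
 {
     $return = array();
     $path = Tinebase_Core::getTempDir();
     $translate = Tinebase_Translation::getTranslation('Expressomail');

     if (empty($rawHeaders) || empty($rawBody)) {
         return array('success' => false, 'msgs' => array("Empty message"));
     }

     $msg = $rawHeaders . $rawBody;
     $ret_type = null;
     if ($smime == Expressomail_Smime::TYPE_ENVELOPED_DATA_VALUE || $smime == Expressomail_Smime::TYPE_SIGNED_DATA_VALUE) {
         $ret_type = self::verify_p7m($rawBody);
         // Encrypted message: strict comparison so that a non-string result (0, true) is
         // never mistaken for 'cipher' by PHP's loose string/number juggling.
         if ($ret_type === 'cipher') {
             $return['success'] = false;
             $return['msgs'] = array("Encrypted Message.");
             $return['ret_type'] = $ret_type;
             // return raw msg to others process.
             $return['content'] = $msg;
             return $return;
         }
     }

     // NOTE(review): $config->casfile is used unchecked as the trust anchor below;
     // confirm it is always configured.
     $config = Tinebase_Config::getInstance()->get('modssl');

     // creates temporary files (they hold message content, so every exit path removes them)
     $temporary_files = array();
     $msgTempFile = self::generateTempFilename($temporary_files, $path);
     if (!self::writeTo($msgTempFile, $msg)) {
         // Without the message on disk there is nothing to verify: stop here instead of
         // running the verification on a missing or partial file.
         self::removeTempFiles($temporary_files);
         $return['success'] = false;
         $return['msgs'] = array("Coudn't write temporary files!");
         if ($ret_type) {
             $return['ret_type'] = $ret_type;
         }
         return $return;
     }

     try {
         $certificateTempFile = self::generateTempFilename($temporary_files, $path);
         $contentTempFile = self::generateTempFilename($temporary_files, $path);

         // do verification
         $result = openssl_pkcs7_verify($msgTempFile, 0, $certificateTempFile, array($config->casfile), $config->casfile, $contentTempFile);

         $aux_certificate = is_file($certificateTempFile) ? file_get_contents($certificateTempFile) : '';
         if ($aux_certificate != '') {
             // E-mail validation is unskipable, we always verify chain and crls
             $certificate = Custom_Auth_ModSsl_Certificate_Factory::buildCertificate($aux_certificate, TRUE);
         } else {
             // try get certificate from message (other way) ....
             $certificate = self::pullCertificateFromMessage($msgTempFile);
         }

         if ($result === -1 || !$result) {
             // error on openssl_pkcs7_verify() call
             $return['success'] = false;
             $return['msgs'] = self::getOpensslErrors();
             if ($certificate) {
                 $return['certificate'] = $certificate->toArray();
             }
         } elseif (!$certificate) {
             // The signature checked out but no signer certificate could be recovered, so
             // the signature cannot be bound to a sender: report failure rather than
             // dereferencing an empty value.
             $return['success'] = false;
             $return['msgs'] = array('Signer certificate not found');
         } else {
             $mailMismatch = $fromEmail !== $certificate->getEmail();
             if ($certificate->isValid()) {
                 if ($mailMismatch) {
                     // A valid certificate issued to a different address must not leave
                     // 'success' undefined: the signer is not the claimed sender.
                     $return['success'] = false;
                     $return['msgs'] = array($translate->_('Sender\'s email is different from Digital Certificate\'s email'));
                 } else {
                     $return['success'] = true;
                     $return['msgs'] = array('Message Verification Successful');
                 }
                 // If certificate is valid store it in database
                 $controller = Addressbook_Controller_Certificate::getInstance();
                 try {
                     $controller->create(new Addressbook_Model_Certificate($certificate));
                 } catch (Tinebase_Exception_Duplicate $e) {
                     // Fail silently if certificate already exists
                 }
             } else {
                 $return['success'] = false;
                 $return['msgs'] = $certificate->getStatusErrors();
                 if ($mailMismatch) {
                     $return['msgs'][] = $translate->_('Sender\'s email is different from Digital Certificate\'s email');
                 }
             }
             $return['certificate'] = $certificate->toArray();
         }

         if (is_file($contentTempFile)) {
             // get original msg
             $return['content'] = file_get_contents($contentTempFile);
         }
     } catch (Exception $e) {
         // Do not leave message content behind in the temp directory when a helper throws.
         self::removeTempFiles($temporary_files);
         throw $e;
     }

     if ($ret_type) {
         $return['ret_type'] = $ret_type;
     }
     self::removeTempFiles($temporary_files);
     return $return;
 }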