When a CA certificate is provided in the settings, we need to verify that the certificate presented by any user attempting to log in via certificate was actually signed by that CA, not merely that it names the CA as its issuer.
See How to verify CA in PHP openssl for some discussion on this:
Just because the CA's issuer and cert's subject match doesn't mean the CA's public key corresponds to the private key used to do the signing on the cert.
Given that it's not easy to use PHP's built-in signature verification via OpenSSL, we need to find a simpler way to do this. After reviewing Choosing the Right Cryptography Library for your PHP Project: A Guide, the only one of those libraries I can find that makes it easy to verify the signature on a certificate is phpseclib: Verify a signature.
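The check described above, as an added example (not code from the module or from this issue's author): it verifies that the client certificate's signature was produced with the private key matching the CA's public key, which is the property an issuer/subject name comparison cannot establish. Two paths are shown. The first uses openssl_x509_verify(), which did not exist when this issue was filed but has been part of PHP's OpenSSL extension since PHP 7.4. The second uses phpseclib; the assumed version is phpseclib 3 (namespace phpseclib3\File\X509, installed via Composer). The variables $caPem and $clientPem are assumed to hold PEM strings, for example the CA certificate from the module settings and the client certificate Apache exports in $_SERVER['SSL_CLIENT_CERT'].

```php
<?php
// Added example, not the module's own code. Assumes phpseclib 3 via Composer
// and PEM-encoded input strings (see lead-in). PHP 7.4+ is required only for
// the openssl_x509_verify() path.

declare(strict_types=1);

require_once __DIR__ . '/vendor/autoload.php';

use phpseclib3\File\X509;

/**
 * Naive check that the issue text warns against: a matching issuer DN proves
 * nothing, because anyone can put the CA's DN in a self-signed certificate.
 * Kept only to make the contrast with the real checks below explicit.
 */
function issuerNameMatchesCa(string $clientPem, string $caPem): bool
{
    $client = openssl_x509_parse($clientPem);
    $ca = openssl_x509_parse($caPem);
    if ($client === false || $ca === false) {
        return false;
    }
    return $client['issuer'] === $ca['subject'];
}

/**
 * Real check 1 (PHP >= 7.4): verify the certificate's signature against the
 * CA's public key. Returns true only for an explicit "signature valid" result.
 */
function signedByCaWithOpenssl(string $clientPem, string $caPem): bool
{
    if (!function_exists('openssl_x509_verify')) {
        throw new RuntimeException('openssl_x509_verify() requires PHP 7.4 or newer');
    }
    $ca = openssl_x509_read($caPem);
    $client = openssl_x509_read($clientPem);
    if ($ca === false || $client === false) {
        // Unparsable input is a failed verification, never a pass.
        return false;
    }
    $caKey = openssl_pkey_get_public($ca);
    if ($caKey === false) {
        return false;
    }
    // openssl_x509_verify() returns 1 (valid), 0 (invalid) or -1 (error).
    return openssl_x509_verify($client, $caKey) === 1;
}

/**
 * Real check 2 (any PHP version phpseclib supports): same signature check via
 * phpseclib, plus a validity-period check so an expired or not-yet-valid
 * certificate that was genuinely CA-signed is still rejected.
 */
function signedByCaWithPhpseclib(string $clientPem, string $caPem): bool
{
    $x509 = new X509();
    if ($x509->loadCA($caPem) === false) {
        return false;
    }
    if ($x509->loadX509($clientPem) === false) {
        return false;
    }
    // validateSignature(true) accepts only signatures by a loaded CA. It returns
    // null (not false) when no loaded CA matches the issuer, so compare to true.
    if ($x509->validateSignature(true) !== true) {
        return false;
    }
    return $x509->validateDate() === true;
}

/**
 * Login-time decision: both real checks must agree; the name comparison is
 * deliberately not part of the decision.
 */
function certificateAcceptedForLogin(string $clientPem, string $caPem): bool
{
    return signedByCaWithPhpseclib($clientPem, $caPem)
        && (!function_exists('openssl_x509_verify')
            || signedByCaWithOpenssl($clientPem, $caPem));
}
```

On a deployment where Apache already does mod_ssl client verification with SSLVerifyClient require and SSLCACertificateFile pointing at the same CA, the web server has performed this check before PHP runs; the PHP-side verification matters when the CA is configured only in the module, when the certificate arrives through a proxy header, or when the module must not trust the front end's verification status.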
Comments
Comment #4 by colan:
This was implemented as a plug-in so other libraries can be used later if desired. There's now a configuration option to choose the desired one.