When a CA certificate is provided in the settings, we need to verify that any users attempting to log in via certificate have actually had it signed by the CA.

See How to verify CA in PHP openssl for some discussion on this:

Just because the CA's issuer and cert's subject match doesn't mean the CA's public key corresponds to the private key used to do the signing on the cert.

Given that it's not easy to use PHP's built-in signature-verification checking via Openssl, we need to find a simpler way to do this. After reviewing Choosing the Right Cryptography Library for your PHP Project: A Guide, the only one of those I can find that makes it easy to verify signatures on a certificate is phpseclib: Verify a signature.

Comments

colan created an issue. See original summary.

  • colan committed a2f8a93 on issue-2898045 
    Issue #2898045 by colan: Added the CA Signature Verification plugin...

  • colan committed 4d6c57c on 8.x-1.x 
    Issue #2898045 by colan: Added the admin selector for choosing the CA...
  • colan committed 5e78cda on 8.x-1.x
    Issue #2898045 by colan: Defined the interface for CA certificate...
  • colan committed 7012448 on 8.x-1.x
    Issue #2898045 by colan: Implemented the CA signature verification using...
  • colan committed 90fb5ee on 8.x-1.x
    Issue #2898045 by colan: Added the Phpseclib CA signature verification...
  • colan committed a2f8a93 on 8.x-1.x
    Issue #2898045 by colan: Added the CA Signature Verification plugin...
  • colan committed e00f592 on 8.x-1.x
    Issue #2898045 by colan: Merge branch 'issue-2898045' into 8.x-1.x
colan’s picture

colan
he/him
Primary language English
Location Toronto 🇨🇦
CreditAttribution: colan at Colan Schwartz Consulting commented
Status: Active » Fixed

This was implemented as a plug-in so other libraries can be used later if desired. There's now a configuration option to choose the desired one.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.