static authn_status authn_ldap_check_certificate(request_rec *r,const char *username)

{

    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap check_certificate: user %s",

                  getpid(), username);

    /* short-circuit this error early so that we don't get a misleading error later */

    if (username == NULL || username == "") {

        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,

                      "[%" APR_PID_T_FMT "] auth_ldap authenticate: no certificate specified", getpid());

        return AUTH_GENERAL_ERROR;

    }

    /* To borrow check_password we have to supply a placeholder password */

    authn_status result = authn_ldap_check_password(r, username, "password");

    return result;

}

    static const char * const aszPre[]={ "mod_ssl.c", NULL };

APACHE_MODULE(auth_cert, X.509 certificate authentication, , , most)

    /* Given an X.509 certificate, expected to return AUTH_GRANTED

     * if the provider authenticates the certificate */

    authn_status (*check_certificate)(request_rec *r, const char *certificate);

/* Licensed to the Apache Software Foundation (ASF) under one or more

 * contributor license agreements.  See the NOTICE file distributed with

 * this work for additional information regarding copyright ownership.

 * The ASF licenses this file to You under the Apache License, Version 2.0

 * (the "License"); you may not use this file except in compliance with

 * the License.  You may obtain a copy of the License at

 *

 *     http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

#include "apr_strings.h"

#define APR_WANT_STRFUNC        /* for strcasecmp */

#include "apr_want.h"

#include "ap_config.h"

#include "httpd.h"

#include "http_config.h"

#include "http_core.h"

#include "http_log.h"

#include "http_protocol.h"

#include "http_request.h"

#include "ap_provider.h"

#include "mod_auth.h"

#include "mod_ssl.h"

typedef struct {

    authn_provider_list *providers;

    char *dir;

    int authoritative;

} auth_cert_config_rec;

static void *create_auth_cert_dir_config(apr_pool_t *p, char *d)

{

    auth_cert_config_rec *conf = apr_pcalloc(p, sizeof(*conf));

    conf->dir = d;

    /* Any failures are fatal. */

    conf->authoritative = 1;

    return conf;

}

static const char *add_authn_provider(cmd_parms *cmd, void *config,

                                      const char *arg)

{

    auth_cert_config_rec *conf = (auth_cert_config_rec*)config;

    authn_provider_list *newp;

    newp = apr_pcalloc(cmd->pool, sizeof(authn_provider_list));

    newp->provider_name = apr_pstrdup(cmd->pool, arg);

    /* lookup and cache the actual provider now */

    newp->provider = ap_lookup_provider(AUTHN_PROVIDER_GROUP,

                                        newp->provider_name, "0");

    if (newp->provider == NULL) {

        /* by the time they use it, the provider should be loaded and

           registered with us. */

        return apr_psprintf(cmd->pool,

                            "Unknown Authn provider: %s",

                            newp->provider_name);

    }

    if (!newp->provider->check_certificate) {

        /* if it doesn't provide the appropriate function, reject it */

        return apr_psprintf(cmd->pool,

                            "The '%s' Authn provider doesn't support "

                            "Certificate Authentication", newp->provider_name);

    }

    /* Add it to the list now. */

    if (!conf->providers) {

        conf->providers = newp;

    }

    else {

        authn_provider_list *last = conf->providers;

        while (last->next) {

            last = last->next;

        }

        last->next = newp;

    }

    return NULL;

}

static const command_rec auth_cert_cmds[] =

{

    AP_INIT_ITERATE("AuthCertificateProvider", add_authn_provider, NULL, OR_AUTHCFG,

                    "specify the auth providers for a directory or location"),

    AP_INIT_FLAG("AuthCertificateAuthoritative", ap_set_flag_slot,

                 (void *)APR_OFFSETOF(auth_cert_config_rec, authoritative),

                 OR_AUTHCFG,

                 "Set to 'Off' to allow access control to be passed along to "

                 "lower modules if the UserID is not known to this module"),

    {NULL}

};

static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *ssl_svl_func = NULL;

module AP_MODULE_DECLARE_DATA auth_cert_module;

/* These functions return 0 if client is OK, and proper error status

 * if not... either HTTP_UNAUTHORIZED, if we made a check, and it failed, or

 * HTTP_INTERNAL_SERVER_ERROR, if things are so totally confused that we

 * couldn't figure out how to tell if the client is authorized or not.

 *

 * If they return DECLINED, and all other modules also decline, that's

 * treated by the server core as a configuration error, logged and

 * reported as such.

 */

/* Determine user ID, and check if it really is that user, for HTTP

 */

static int authenticate_cert_user(request_rec *r)

{

    auth_cert_config_rec *conf = ap_get_module_config(r->per_dir_config,

                                                       &auth_cert_module);

    const char *username, *current_auth;

    const char *verstatus;

    authn_status auth_result;

    authn_provider_list *current_provider;

    /* Are we configured to be Certificate auth? */

    current_auth = ap_auth_type(r);

    if (!current_auth || strcasecmp(current_auth, "Certificate")) {

        return DECLINED;

    }

    /* We need an authentication realm. */

    if (!ap_auth_name(r)) {

        ap_log_rerror(APLOG_MARK, APLOG_ERR,

                      0, r, "need AuthName: %s", r->uri);

        return HTTP_INTERNAL_SERVER_ERROR;

    }

    r->ap_auth_type = (char*)current_auth;

    verstatus = ssl_svl_func(r->pool,r->server,r->connection,r,"SSL_CLIENT_VERIFY");

    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,

                              "Client certificate status is: %s", verstatus);

    switch (verstatus[0]) {

        case 'G': // ENEROUS

            ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,

                              "Client certificate is not from a trusted CA");

            break;

        case 'S': // UCCESS

            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,

                              "Client certificate accepted.");

            break;

        case 'N': // ONE

            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,

                          "Client certificate not provided");

            return HTTP_INTERNAL_SERVER_ERROR;

        case 'F': // AILED

            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Authentication "

                          "aborted; certificate verification %s",

                          verstatus);

            return HTTP_UNAUTHORIZED;

        default: // Only possible if another return is defined by mod_ssl.c

            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Unexpected return "

                          "code from certificate verification %s",

                          verstatus);

            return HTTP_INTERNAL_SERVER_ERROR;

    }

    /*

     * At this point we know we have a certificate.

     */

    username = ssl_svl_func(r->pool,r->server,r->connection,r,"SSL_CLIENT_S_DN");

    r->user = (char *) username;

    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,

              "user %s: attempting certificate authentication for \"%s\": ",

              username, r->uri);

    current_provider = conf->providers;

    do {

        const authn_provider *provider;

        /* For now, if a provider isn't set, we'll be nice and use the file

         * provider.

         */

        if (!current_provider) {

            provider = ap_lookup_provider(AUTHN_PROVIDER_GROUP,

                                          AUTHN_DEFAULT_PROVIDER, "0");

            if (!provider || !provider->check_certificate) {

                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,

                              "No Authn provider configured");

                auth_result = AUTH_GENERAL_ERROR;

                break;

            }

            apr_table_setn(r->notes, AUTHN_PROVIDER_NAME_NOTE, AUTHN_DEFAULT_PROVIDER);

        }

        else {

            provider = current_provider->provider;

            apr_table_setn(r->notes, AUTHN_PROVIDER_NAME_NOTE, current_provider->provider_name);

        }

        auth_result = provider->check_certificate(r, r->user);

        apr_table_unset(r->notes, AUTHN_PROVIDER_NAME_NOTE);

        /* Something occured. Stop checking. */

        if (auth_result != AUTH_USER_NOT_FOUND) {

            break;

        }

        /* If we're not really configured for providers, stop now. */

        if (!conf->providers) {

            break;

        }

        current_provider = current_provider->next;

    } while (current_provider);

    if (auth_result != AUTH_GRANTED) {

        int return_code;

        /* If we're not authoritative, then any error is ignored. */

        if (!(conf->authoritative) && auth_result != AUTH_DENIED) {

            return DECLINED;

        }

        switch (auth_result) {

        case AUTH_DENIED:

            /* Currently we are not passing a user name with the certificate.

             * This may change eventually, in which case we could see a denial

             * where the requested user is found, but there is no corresponding

             * certificate in its attributes.  Until then AUTH_DENIED 

             * and AUTH_USER_NOT_FOUND are really identical results.

             */

            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,

                      "user %s: authentication failure for \"%s\": "

                      "Certificate Mismatch",

                      r->user, r->uri);

            return_code = HTTP_UNAUTHORIZED;

            break;

        case AUTH_USER_NOT_FOUND:

            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,

                      "user %s not found: %s", r->user, r->uri);

            return_code = HTTP_UNAUTHORIZED;

            break;

        case AUTH_GENERAL_ERROR:

        default:

            /* We'll assume that the module has already said what its error

             * was in the logs.

             */

            return_code = HTTP_INTERNAL_SERVER_ERROR;

            break;

        }

        return return_code;

    }

    return OK;

}

static int auth_cert_post_config(apr_pool_t *pconf, apr_pool_t *plog,

                                apr_pool_t *ptemp, server_rec *s)

{

    ssl_svl_func = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);

    return OK;

}

static void register_hooks(apr_pool_t *p)

{

    static const char * const aszPre[]={ "mod_ssl.c",NULL };

    ap_hook_check_user_id(authenticate_cert_user, aszPre, NULL, APR_HOOK_MIDDLE);

    ap_hook_post_config(auth_cert_post_config, NULL, NULL, APR_HOOK_MIDDLE);

}

module AP_MODULE_DECLARE_DATA auth_cert_module =

{

    STANDARD20_MODULE_STUFF,

    create_auth_cert_dir_config,  /* dir config creater */

    NULL,                          /* dir merger --- default is to override */

    NULL,                          /* server config */

    NULL,                          /* merge server config */

    auth_cert_cmds,               /* command apr_table_t */

    register_hooks                 /* register hooks */

};