Intersystem authz-authn using x509 certificate PKI with PHP
Why Certificates?
For the GB2 Final Grade Submission Enterprise Service, the motivation comes from the realization that the target endpoint for grade submissions may be a service used by many different systems throughout the Campus/Enterprise. Using PKI can simplify managing access to that endpoint service for both the client and the service provider administrators. So by using x509 PKI for authz/authn, Gradebook2 should 'play well' in even the largest Campus infrastructures.
Apache and PHP Service End Point
UC Davis' Final Grade Submission Enterprise Service is created using PHP and fronted by Apache. In order to interact with the x509 certificates, the openssl extension [1] for PHP should be installed.
Apache
We need the Apache server to challenge the client when the client sends a request to a specific URL on the server. In our case, this will likely be the actual POST of data for grades. Since there will not be an actual directory at the URL target location in the file system, we can't use an .htaccess file, and a directive in the config file will be needed. Which directive is still unclear: Directory?
The following will require the client to provide a certificate to the application.
SSLVerifyClient require
SSLRequireSSL
SSLVerifyDepth 1
PHP
In PHP, the openssl extension can be used to parse (among other things) the certificate supplied:
$cert = openssl_x509_parse($_SERVER['SSL_CLIENT_CERT']);
The result is an array of size 12 (I haven't verified this). There is no need to validate the cert since Apache already did that, so we would probably want to use the element under the 'subject' key:
["subject"]=>
array(6) {
  ["C"]=> string(2) "US"
  ["ST"]=> string(10) "California"
  ["O"]=> string(30) "University of California Davis"
  ["OU"]=> string(6) "IET-IR"
  ["CN"]=> string(21) "smartsite.ucdavis.edu"
  ["L"]=> string(5) "Davis"
}
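As an added example (not code from the Gradebook2 project or the original page), this is how the parsed subject can drive the authz decision in the PHP endpoint: Apache has already authenticated the certificate chain, and PHP only has to decide whether that subject is a system allowed to submit grades. It assumes Apache is configured with SSLOptions +ExportCertData (otherwise SSL_CLIENT_CERT is empty) and uses a constructed allowlist of expected client subjects.

```php
<?php
// Added example, not part of the original page. Authorize the calling system by
// the subject of the client certificate that Apache validated via
// "SSLVerifyClient require". Assumes "SSLOptions +ExportCertData" so that
// $_SERVER['SSL_CLIENT_CERT'] holds the PEM certificate.

// Hypothetical allowlist (constructed values): subject CN => required O.
const AUTHORIZED_CLIENTS = [
    'smartsite.ucdavis.edu' => 'University of California Davis',
];

/**
 * Returns the authorized client CN, or null when the request must be rejected.
 * Only the array normally found in $_SERVER is consulted, so it is easy to test.
 */
function authorizeClient(array $server): ?string
{
    // Defense in depth: mod_ssl sets SSL_CLIENT_VERIFY to SUCCESS only when the
    // chain checked out against SSLCACertificateFile within SSLVerifyDepth.
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        return null;
    }
    if (empty($server['SSL_CLIENT_CERT'])) {
        return null;
    }

    $cert = openssl_x509_parse($server['SSL_CLIENT_CERT']);
    if ($cert === false || !isset($cert['subject']['CN'])) {
        return null;
    }

    // A certificate with several CN attributes parses to an array; refuse it
    // rather than guess which one to match.
    $cn  = $cert['subject']['CN'];
    $org = $cert['subject']['O'] ?? '';
    if (!is_string($cn) || !is_string($org)) {
        return null;
    }

    // Authorization: the subject must be one of the systems we expect, and the
    // organization must match so a same-named CN from another O is refused.
    if (!array_key_exists($cn, AUTHORIZED_CLIENTS) || AUTHORIZED_CLIENTS[$cn] !== $org) {
        return null;
    }
    return $cn;
}

$client = authorizeClient($_SERVER);
if ($client === null) {
    http_response_code(403);
    exit('client certificate not authorized');
}
// $client now identifies the submitting system for the grade POST.
```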
Links
http://www.php.net/manual/en/book.openssl.php