aboutsummaryrefslogtreecommitdiff
path: root/sample-scripts/verify-cn
diff options
context:
space:
mode:
Diffstat (limited to 'sample-scripts/verify-cn')
-rwxr-xr-xsample-scripts/verify-cn42
1 files changed, 27 insertions, 15 deletions
diff --git a/sample-scripts/verify-cn b/sample-scripts/verify-cn
index 5d56d95..f9fea0f 100755
--- a/sample-scripts/verify-cn
+++ b/sample-scripts/verify-cn
@@ -7,24 +7,28 @@
#
# For example in OpenVPN, you could use the directive:
#
-# tls-verify "./verify-cn Test-Client"
+# tls-verify "./verify-cn /etc/openvpn/allowed_clients"
#
# This would cause the connection to be dropped unless
-# the client common name is "Test-Client"
+# the client common name is listed on a line in the
+# allowed_clients file.
-die "usage: verify-cn cn certificate_depth X509_NAME_oneline" if (@ARGV != 3);
+die "usage: verify-cn cnfile certificate_depth X509_NAME_oneline" if (@ARGV != 3);
# Parse out arguments:
-# cn -- The common name which the client is required to have,
-# taken from the argument to the tls-verify directive
-# in the OpenVPN config file.
-# depth -- The current certificate chain depth. In a typical
-# bi-level chain, the root certificate will be at level
-# 1 and the client certificate will be at level 0.
-# This script will be called separately for each level.
-# x509 -- the X509 subject string as extracted by OpenVPN from
-# the client's provided certificate.
-($cn, $depth, $x509) = @ARGV;
+# cnfile -- The file containing the list of common names, one per
+# line, which the client is required to have,
+# taken from the argument to the tls-verify directive
+# in the OpenVPN config file.
+# The file can have blank lines and comment lines that begin
+# with the # character.
+# depth -- The current certificate chain depth. In a typical
+# bi-level chain, the root certificate will be at level
+# 1 and the client certificate will be at level 0.
+# This script will be called separately for each level.
+# x509 -- the X509 subject string as extracted by OpenVPN from
+# the client's provided certificate.
+($cnfile, $depth, $x509) = @ARGV;
if ($depth == 0) {
# If depth is zero, we know that this is the final
@@ -34,11 +38,19 @@ if ($depth == 0) {
# the X509 subject string.
if ($x509 =~ /\/CN=([^\/]+)/) {
+ $cn = $1;
# Accept the connection if the X509 common name
# string matches the passed cn argument.
- if ($cn eq $1) {
- exit 0;
+ open(FH, '<', $cnfile) or exit 1; # can't open, nobody authenticates!
+ while (defined($line = <FH>)) {
+ if ($line !~ /^[[:space:]]*(#|$)/o) {
+ chop($line);
+ if ($line eq $cn) {
+ exit 0;
+ }
+ }
}
+ close(FH);
}
# Authentication failed -- Either we could not parse