blob: 5d56d95a68f05f669fc25294f2ff305ad30774bd (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
|
#!/usr/bin/perl
# verify-cn -- a sample OpenVPN tls-verify script
#
# Return 0 if cn matches the common name component of
# X509_NAME_oneline, 1 otherwise.
#
# For example in OpenVPN, you could use the directive:
#
# tls-verify "./verify-cn Test-Client"
#
# This would cause the connection to be dropped unless
# the client common name is "Test-Client"
die "usage: verify-cn cn certificate_depth X509_NAME_oneline" if (@ARGV != 3);
# Parse out arguments:
# cn -- The common name which the client is required to have,
# taken from the argument to the tls-verify directive
# in the OpenVPN config file.
# depth -- The current certificate chain depth. In a typical
# bi-level chain, the root certificate will be at level
# 1 and the client certificate will be at level 0.
# This script will be called separately for each level.
# x509 -- the X509 subject string as extracted by OpenVPN from
# the client's provided certificate.
($cn, $depth, $x509) = @ARGV;
if ($depth == 0) {
# If depth is zero, we know that this is the final
# certificate in the chain (i.e. the client certificate),
# and the one we are interested in examining.
# If so, parse out the common name substring in
# the X509 subject string.
if ($x509 =~ /\/CN=([^\/]+)/) {
# Accept the connection if the X509 common name
# string matches the passed cn argument.
if ($cn eq $1) {
exit 0;
}
}
# Authentication failed -- Either we could not parse
# the X509 subject string, or the common name in the
# subject string didn't match the passed cn argument.
exit 1;
}
# If depth is nonzero, tell OpenVPN to continue processing
# the certificate chain.
exit 0;
|