crans/scripts
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[verify-cn] Mise à jour du script pour accepter plusieurs CN

Browse source
This commit is contained in:
Valentin Samir 2014-02-10 16:27:21 +01:00
parent 42829db9eb
commit 89adc33b29
1 changed files with 27 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

24
utils/verify-cn
View file

@ -7,24 +7,28 @@
# #
# For example in OpenVPN, you could use the directive: # For example in OpenVPN, you could use the directive:
# #
# tls-verify "./verify-cn Test-Client" # tls-verify "./verify-cn /etc/openvpn/allowed_clients"
# #
# This would cause the connection to be dropped unless # This would cause the connection to be dropped unless
# the client common name is "Test-Client" # the client common name is listed on a line in the
# allowed_clients file.
die "usage: verify-cn cn certificate_depth X509_NAME_oneline" if (@ARGV != 3); die "usage: verify-cn cnfile certificate_depth X509_NAME_oneline" if (@ARGV != 3);
# Parse out arguments: # Parse out arguments:
# cn -- The common name which the client is required to have, # cnfile -- The file containing the list of common names, one per
# line, which the client is required to have,
# taken from the argument to the tls-verify directive # taken from the argument to the tls-verify directive
# in the OpenVPN config file. # in the OpenVPN config file.
# The file can have blank lines and comment lines that begin
# with the # character.
# depth -- The current certificate chain depth. In a typical # depth -- The current certificate chain depth. In a typical
# bi-level chain, the root certificate will be at level # bi-level chain, the root certificate will be at level
# 1 and the client certificate will be at level 0. # 1 and the client certificate will be at level 0.
# This script will be called separately for each level. # This script will be called separately for each level.
# x509 -- the X509 subject string as extracted by OpenVPN from # x509 -- the X509 subject string as extracted by OpenVPN from
# the client's provided certificate. # the client's provided certificate.
($cn, $depth, $x509) = @ARGV; ($cnfile, $depth, $x509) = @ARGV;
if ($depth == 0) { if ($depth == 0) {
# If depth is zero, we know that this is the final # If depth is zero, we know that this is the final
@ -34,12 +38,20 @@ if ($depth == 0) {
# the X509 subject string. # the X509 subject string.
if ($x509 =~ /\/CN=([^\/]+)/) { if ($x509 =~ /\/CN=([^\/]+)/) {
$cn = $1;
# Accept the connection if the X509 common name # Accept the connection if the X509 common name
# string matches the passed cn argument. # string matches the passed cn argument.
if ($cn eq $1) { open(FH, '<', $cnfile) or exit 1; # can't open, nobody authenticates!
while (defined($line = <FH>)) {
if ($line !~ /^[[:space:]]*(#|$)/o) {
chop($line);
if ($line eq $cn) {
exit 0; exit 0;
} }
} }
}
close(FH);
}
# Authentication failed -- Either we could not parse # Authentication failed -- Either we could not parse
# the X509 subject string, or the common name in the # the X509 subject string, or the common name in the