[verify-cn] Mise à jour du script pour accepter plusieurs CN
This commit is contained in:
Valentin Samir
parent
42829db9eb
commit
89adc33b29
1 changed files with 27 additions and 15 deletions
|
|
@ -7,24 +7,28 @@
|
||||||
#
|
#
|
||||||
# For example in OpenVPN, you could use the directive:
|
# For example in OpenVPN, you could use the directive:
|
||||||
#
|
#
|
||||||
# tls-verify "./verify-cn Test-Client"
|
# tls-verify "./verify-cn /etc/openvpn/allowed_clients"
|
||||||
#
|
#
|
||||||
# This would cause the connection to be dropped unless
|
# This would cause the connection to be dropped unless
|
||||||
# the client common name is "Test-Client"
|
# the client common name is listed on a line in the
|
||||||
|
# allowed_clients file.
|
||||||
|
|
||||||
die "usage: verify-cn cn certificate_depth X509_NAME_oneline" if (@ARGV != 3);
|
die "usage: verify-cn cnfile certificate_depth X509_NAME_oneline" if (@ARGV != 3);
|
||||||
|
|
||||||
# Parse out arguments:
|
# Parse out arguments:
|
||||||
# cn -- The common name which the client is required to have,
|
# cnfile -- The file containing the list of common names, one per
|
||||||
# taken from the argument to the tls-verify directive
|
# line, which the client is required to have,
|
||||||
# in the OpenVPN config file.
|
# taken from the argument to the tls-verify directive
|
||||||
# depth -- The current certificate chain depth. In a typical
|
# in the OpenVPN config file.
|
||||||
# bi-level chain, the root certificate will be at level
|
# The file can have blank lines and comment lines that begin
|
||||||
# 1 and the client certificate will be at level 0.
|
# with the # character.
|
||||||
# This script will be called separately for each level.
|
# depth -- The current certificate chain depth. In a typical
|
||||||
# x509 -- the X509 subject string as extracted by OpenVPN from
|
# bi-level chain, the root certificate will be at level
|
||||||
# the client's provided certificate.
|
# 1 and the client certificate will be at level 0.
|
||||||
($cn, $depth, $x509) = @ARGV;
|
# This script will be called separately for each level.
|
||||||
|
# x509 -- the X509 subject string as extracted by OpenVPN from
|
||||||
|
# the client's provided certificate.
|
||||||
|
($cnfile, $depth, $x509) = @ARGV;
|
||||||
|
|
||||||
if ($depth == 0) {
|
if ($depth == 0) {
|
||||||
# If depth is zero, we know that this is the final
|
# If depth is zero, we know that this is the final
|
||||||
|
|
@ -34,11 +38,19 @@ if ($depth == 0) {
|
||||||
# the X509 subject string.
|
# the X509 subject string.
|
||||||
|
|
||||||
if ($x509 =~ /\/CN=([^\/]+)/) {
|
if ($x509 =~ /\/CN=([^\/]+)/) {
|
||||||
|
$cn = $1;
|
||||||
# Accept the connection if the X509 common name
|
# Accept the connection if the X509 common name
|
||||||
# string matches the passed cn argument.
|
# string matches the passed cn argument.
|
||||||
if ($cn eq $1) {
|
open(FH, '<', $cnfile) or exit 1; # can't open, nobody authenticates!
|
||||||
exit 0;
|
while (defined($line = <FH>)) {
|
||||||
|
if ($line !~ /^[[:space:]]*(#|$)/o) {
|
||||||
|
chop($line);
|
||||||
|
if ($line eq $cn) {
|
||||||
|
exit 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
close(FH);
|
||||||
}
|
}
|
||||||
|
|
||||||
# Authentication failed -- Either we could not parse
|
# Authentication failed -- Either we could not parse
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue