[verify-cn] Mise à jour du script pour accepter plusieurs CN
This commit is contained in:
Valentin Samir
parent
42829db9eb
commit
89adc33b29
1 changed files with 27 additions and 15 deletions
|
|
@ -7,24 +7,28 @@
|
|||
#
|
||||
# For example in OpenVPN, you could use the directive:
|
||||
#
|
||||
# tls-verify "./verify-cn Test-Client"
|
||||
# tls-verify "./verify-cn /etc/openvpn/allowed_clients"
|
||||
#
|
||||
# This would cause the connection to be dropped unless
|
||||
# the client common name is "Test-Client"
|
||||
# the client common name is listed on a line in the
|
||||
# allowed_clients file.
|
||||
|
||||
die "usage: verify-cn cn certificate_depth X509_NAME_oneline" if (@ARGV != 3);
|
||||
die "usage: verify-cn cnfile certificate_depth X509_NAME_oneline" if (@ARGV != 3);
|
||||
|
||||
# Parse out arguments:
|
||||
# cn -- The common name which the client is required to have,
|
||||
# taken from the argument to the tls-verify directive
|
||||
# in the OpenVPN config file.
|
||||
# depth -- The current certificate chain depth. In a typical
|
||||
# bi-level chain, the root certificate will be at level
|
||||
# 1 and the client certificate will be at level 0.
|
||||
# This script will be called separately for each level.
|
||||
# x509 -- the X509 subject string as extracted by OpenVPN from
|
||||
# the client's provided certificate.
|
||||
($cn, $depth, $x509) = @ARGV;
|
||||
# cnfile -- The file containing the list of common names, one per
|
||||
# line, which the client is required to have,
|
||||
# taken from the argument to the tls-verify directive
|
||||
# in the OpenVPN config file.
|
||||
# The file can have blank lines and comment lines that begin
|
||||
# with the # character.
|
||||
# depth -- The current certificate chain depth. In a typical
|
||||
# bi-level chain, the root certificate will be at level
|
||||
# 1 and the client certificate will be at level 0.
|
||||
# This script will be called separately for each level.
|
||||
# x509 -- the X509 subject string as extracted by OpenVPN from
|
||||
# the client's provided certificate.
|
||||
($cnfile, $depth, $x509) = @ARGV;
|
||||
|
||||
if ($depth == 0) {
|
||||
# If depth is zero, we know that this is the final
|
||||
|
|
@ -34,11 +38,19 @@ if ($depth == 0) {
|
|||
# the X509 subject string.
|
||||
|
||||
if ($x509 =~ /\/CN=([^\/]+)/) {
|
||||
$cn = $1;
|
||||
# Accept the connection if the X509 common name
|
||||
# string matches the passed cn argument.
|
||||
if ($cn eq $1) {
|
||||
exit 0;
|
||||
open(FH, '<', $cnfile) or exit 1; # can't open, nobody authenticates!
|
||||
while (defined($line = <FH>)) {
|
||||
if ($line !~ /^[[:space:]]*(#|$)/o) {
|
||||
chop($line);
|
||||
if ($line eq $cn) {
|
||||
exit 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
close(FH);
|
||||
}
|
||||
|
||||
# Authentication failed -- Either we could not parse
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue