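#!/usr/bin/perl

# verify-cn -- a sample OpenVPN tls-verify script
#
# Return 0 if cn matches the common name component of
# X509_NAME_oneline, 1 otherwise.
#
# For example in OpenVPN, you could use the directive:
#
# tls-verify "./verify-cn /etc/openvpn/allowed_clients"
#
# This would cause the connection to be dropped unless
# the client common name is listed on a line in the
# allowed_clients file.

use strict;
use warnings;

# extract_common_name -- return the first CN component of an
# X509_NAME_oneline subject string, i.e. the text following "/CN="
# up to the next "/". Returns nothing (undef in scalar context) when
# the subject carries no CN component, so the caller can treat
# "no CN" and "CN not listed" alike.
sub extract_common_name {
    my ($x509) = @_;
    return unless defined $x509;
    if ($x509 =~ m{/CN=([^/]+)}) {
        return $1;
    }
    return;
}

# cn_is_allowed -- return true when $cn appears, byte for byte, as a
# line of $cnfile. Blank lines (whitespace only) and lines whose first
# non-blank character is "#" are ignored. The comparison is exact: a
# line with trailing whitespace or a carriage return will not match.
# Returns false when the file cannot be opened: an unreadable
# allow-list must not let anybody through.
sub cn_is_allowed {
    my ($cnfile, $cn) = @_;
    return 0 unless defined $cn && length $cn;

    open(my $fh, '<', $cnfile) or return 0;   # can't open, nobody authenticates!
    my $allowed = 0;
    while (defined(my $line = <$fh>)) {
        next if $line =~ /^[[:space:]]*(?:#|$)/;
        # chomp rather than chop: a final line with no trailing newline
        # would otherwise lose its last character and never match.
        chomp $line;
        if ($line eq $cn) {
            $allowed = 1;
            last;
        }
    }
    close($fh);
    return $allowed;
}

# main -- parse the arguments OpenVPN passes to a tls-verify script and
# turn the checks above into the process exit status.
#
# cnfile -- The file containing the list of common names, one per
# line, which the client is required to have,
# taken from the argument to the tls-verify directive
# in the OpenVPN config file.
# The file can have blank lines and comment lines that begin
# with the # character.
# depth -- The current certificate chain depth. In a typical
# bi-level chain, the root certificate will be at level
# 1 and the client certificate will be at level 0.
# This script will be called separately for each level.
# x509 -- the X509 subject string as extracted by OpenVPN from
# the client's provided certificate.
sub main {
    die "usage: verify-cn cnfile certificate_depth X509_NAME_oneline" if (@ARGV != 3);
    my ($cnfile, $depth, $x509) = @ARGV;

    # Only depth 0 -- the final certificate in the chain, i.e. the
    # client certificate -- is examined. For any other level, tell
    # OpenVPN to continue processing the certificate chain.
    exit 0 if $depth != 0;

    # Accept the connection if the X509 common name is listed.
    my $cn = extract_common_name($x509);
    exit 0 if cn_is_allowed($cnfile, $cn);

    # Authentication failed -- Either we could not parse
    # the X509 subject string, or the common name in the
    # subject string is not listed in cnfile.
    exit 1;
}

# Run as a script; when loaded with require/do (e.g. by a test) only
# the subroutines are defined.
main() unless caller;

1;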