Kezdőlap Felfedezés Súgó
Bejelentkezés
SoftwareDesign
/
csu3_am335x
8
0
Másolás 0
Fájlok Problémák 0 Beolvasztási kérések 0 Wiki
Branch: master
Branch-ok Tag-ek
csu3_am335x
/
EVSE
/
GPL
/
openvpn-2.4.9
/
sample
/
sample-scripts
/
verify-cn

verify-cn 2.1 KB
Állandó hivatkozás Előzmények Nyers

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364 
  1. #!/usr/bin/perl
    2. 

  2. 

  3. # verify-cn -- a sample OpenVPN tls-verify script
    4. 

  4. #
    5. 

  5. # Return 0 if cn matches the common name component of
    6. 

  6. # subject, 1 otherwise.
    7. 

  7. #
    8. 

  8. # For example in OpenVPN, you could use the directive:
    9. 

  9. #
    10. 

  10. #   tls-verify "./verify-cn /etc/openvpn/allowed_clients"
    11. 

  11. #
    12. 

  12. # This would cause the connection to be dropped unless
    13. 

  13. # the client common name is listed on a line in the
    14. 

  14. # allowed_clients file.
    15. 

  15. 

  16. die "usage: verify-cn cnfile certificate_depth subject" if (@ARGV != 3);
    17. 

  17. 

  18. # Parse out arguments:
    19. 

  19. #   cnfile -- The file containing the list of common names, one per
    20. 

  20. #             line, which the client is required to have,
    21. 

  21. #             taken from the argument to the tls-verify directive
    22. 

  22. #             in the OpenVPN config file.
    23. 

  23. #             The file can have blank lines and comment lines that begin
    24. 

  24. #             with the # character.
    25. 

  25. #   depth  -- The current certificate chain depth.  In a typical
    26. 

  26. #             bi-level chain, the root certificate will be at level
    27. 

  27. #             1 and the client certificate will be at level 0.
    28. 

  28. #             This script will be called separately for each level.
    29. 

  29. #   x509   -- the X509 subject string as extracted by OpenVPN from
    30. 

  30. #             the client's provided certificate.
    31. 

  31. ($cnfile, $depth, $x509) = @ARGV;
    32. 

  32. 

  33. if ($depth == 0) {
    34. 

  34.     # If depth is zero, we know that this is the final
    35. 

  35.     # certificate in the chain (i.e. the client certificate),
    36. 

  36.     # and the one we are interested in examining.
    37. 

  37.     # If so, parse out the common name substring in
    38. 

  38.     # the X509 subject string.
    39. 

  39. 

  40.     if ($x509 =~ / CN=([^,]+)/) {
    41. 

  41.         $cn = $1;
    42. 

  42. 	# Accept the connection if the X509 common name
    43. 

  43. 	# string matches the passed cn argument.
    44. 

  44. 	open(FH, '<', $cnfile) or exit 1; # can't open, nobody authenticates!
    45. 

  45.         while (defined($line = <FH>)) {
    46. 

  46. 	    if ($line !~ /^[[:space:]]*(#|$)/o) {
    47. 

  47. 		chop($line);
    48. 

  48. 		if ($line eq $cn) {
    49. 

  49. 		    exit 0;
    50. 

  50. 		}
    51. 

  51. 	    }
    52. 

  52. 	}
    53. 

  53. 	close(FH);
    54. 

  54.     }
    55. 

  55. 

  56.     # Authentication failed -- Either we could not parse
    57. 

  57.     # the X509 subject string, or the common name in the
    58. 

  58.     # subject string didn't match the passed cn argument.
    59. 

  59.     exit 1;
    60. 

  60. }
    61. 

  61. 

  62. # If depth is nonzero, tell OpenVPN to continue processing
    63. 

  63. # the certificate chain.
    64. 

  64. exit 0;
    65.