From fffd213c8cba2135afda493d797c41c10354770e Mon Sep 17 00:00:00 2001
From: Othmar Gsenger <otti@anytun.org>
Date: Sat, 12 Apr 2008 11:38:42 +0000
Subject: big svn cleanup

---
 src/openvpn/sample-scripts/verify-cn | 52 ++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100755 src/openvpn/sample-scripts/verify-cn

(limited to 'src/openvpn/sample-scripts/verify-cn')

diff --git a/src/openvpn/sample-scripts/verify-cn b/src/openvpn/sample-scripts/verify-cn
new file mode 100755
index 0000000..5d56d95
--- /dev/null
+++ b/src/openvpn/sample-scripts/verify-cn
@@ -0,0 +1,52 @@
+#!/usr/bin/perl
+
+# verify-cn -- a sample OpenVPN tls-verify script
+#
+# Return 0 if cn matches the common name component of
+# X509_NAME_oneline, 1 otherwise.
+#
+# For example in OpenVPN, you could use the directive:
+#
+#   tls-verify "./verify-cn Test-Client"
+#
+# This would cause the connection to be dropped unless
+# the client common name is "Test-Client"
+
+die "usage: verify-cn cn certificate_depth X509_NAME_oneline" if (@ARGV != 3);
+
+# Parse out arguments:
+#   cn    -- The common name which the client is required to have,
+#            taken from the argument to the tls-verify directive
+#            in the OpenVPN config file.
+#   depth -- The current certificate chain depth.  In a typical
+#            bi-level chain, the root certificate will be at level
+#            1 and the client certificate will be at level 0.
+#            This script will be called separately for each level.
+#   x509  -- the X509 subject string as extracted by OpenVPN from
+#            the client's provided certificate.
+($cn, $depth, $x509) = @ARGV;
+
+if ($depth == 0) {
+    # If depth is zero, we know that this is the final
+    # certificate in the chain (i.e. the client certificate),
+    # and the one we are interested in examining.
+    # If so, parse out the common name substring in
+    # the X509 subject string.
+
+    if ($x509 =~ /\/CN=([^\/]+)/) {
+	# Accept the connection if the X509 common name
+	# string matches the passed cn argument.
+	if ($cn eq $1) {
+	    exit 0;
+	}
+    }
+
+    # Authentication failed -- Either we could not parse
+    # the X509 subject string, or the common name in the
+    # subject string didn't match the passed cn argument.
+    exit 1;
+}
+
+# If depth is nonzero, tell OpenVPN to continue processing
+# the certificate chain.
+exit 0;
-- 
cgit v1.2.3