#!/usr/bin/perl
# verify-cn -- a sample OpenVPN tls-verify script
#
# Return 0 if cn matches the common name component of
# X509_NAME_oneline, 1 otherwise.
#
# For example in OpenVPN, you could use the directive:
#
# tls-verify "./verify-cn /etc/openvpn/allowed_clients"
#
# This would cause the connection to be dropped unless
# the client common name is listed on a line in the
# allowed_clients file.
die "usage: verify-cn cnfile certificate_depth X509_NAME_oneline" if (@ARGV != 3);
# Parse out arguments:
# cnfile -- The file containing the list of common names, one per
# line, which the client is required to have,
# taken from the argument to the tls-verify directive
# in the OpenVPN config file.
# The file can have blank lines and comment lines that begin
# with the # character.
# depth -- The current certificate chain depth. In a typical
# bi-level chain, the root certificate will be at level
# 1 and the client certificate will be at level 0.
# This script will be called separately for each level.
# x509 -- the X509 subject string as extracted by OpenVPN from
# the client's provided certificate.
($cnfile, $depth, $x509) = @ARGV;
if ($depth == 0) {
# If depth is zero, we know that this is the final
# certificate in the chain (i.e. the client certificate),
# and the one we are interested in examining.
# If so, parse out the common name substring in
# the X509 subject string.
if ($x509 =~ /\/CN=([^\/]+)/) {
$cn = $1;
# Accept the connection if the X509 common name
# string matches the passed cn argument.
open(FH, '<', $cnfile) or exit 1; # can't open, nobody authenticates!
while (defined($line = <FH>)) {
if ($line !~ /^[[:space:]]*(#|$)/o) {
chop($line);
if ($line eq $cn) {
exit 0;
}
}
}
close(FH);
}
# Authentication failed -- Either we could not parse
# the X509 subject string, or the common name in the
# subject string didn't match the passed cn argument.
exit 1;
}
# If depth is nonzero, tell OpenVPN to continue processing
# the certificate chain.
exit 0;