diff options
| author | Parménides GV <parmegv@sdf.org> | 2014-04-08 12:04:17 +0200 |
|---|---|---|
| committer | Parménides GV <parmegv@sdf.org> | 2014-04-08 12:04:17 +0200 |
| commit | 3c3421afd8f74a3aa8d1011de07a8c18f9549210 (patch) | |
| tree | 49d52344661c23d7268b8ea69466a1cfef04bf8b /bitmask_android/openvpn/sample/sample-scripts/verify-cn | |
| parent | 5fc5d37330d3535a0f421632694d1e7918fc22d7 (diff) | |
Rename app->bitmask_android
This way, gradle commands generate apks correctly named.
Diffstat (limited to 'bitmask_android/openvpn/sample/sample-scripts/verify-cn')
| -rwxr-xr-x | bitmask_android/openvpn/sample/sample-scripts/verify-cn | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/bitmask_android/openvpn/sample/sample-scripts/verify-cn b/bitmask_android/openvpn/sample/sample-scripts/verify-cn new file mode 100755 index 00000000..6e747ef1 --- /dev/null +++ b/bitmask_android/openvpn/sample/sample-scripts/verify-cn @@ -0,0 +1,64 @@ +#!/usr/bin/perl + +# verify-cn -- a sample OpenVPN tls-verify script +# +# Return 0 if cn matches the common name component of +# subject, 1 otherwise. +# +# For example in OpenVPN, you could use the directive: +# +# tls-verify "./verify-cn /etc/openvpn/allowed_clients" +# +# This would cause the connection to be dropped unless +# the client common name is listed on a line in the +# allowed_clients file. + +die "usage: verify-cn cnfile certificate_depth subject" if (@ARGV != 3); + +# Parse out arguments: +# cnfile -- The file containing the list of common names, one per +# line, which the client is required to have, +# taken from the argument to the tls-verify directive +# in the OpenVPN config file. +# The file can have blank lines and comment lines that begin +# with the # character. +# depth -- The current certificate chain depth. In a typical +# bi-level chain, the root certificate will be at level +# 1 and the client certificate will be at level 0. +# This script will be called separately for each level. +# x509 -- the X509 subject string as extracted by OpenVPN from +# the client's provided certificate. +($cnfile, $depth, $x509) = @ARGV; + +if ($depth == 0) { + # If depth is zero, we know that this is the final + # certificate in the chain (i.e. the client certificate), + # and the one we are interested in examining. + # If so, parse out the common name substring in + # the X509 subject string. + + if ($x509 =~ / CN=([^,]+)/) { + $cn = $1; + # Accept the connection if the X509 common name + # string matches the passed cn argument. + open(FH, '<', $cnfile) or exit 1; # can't open, nobody authenticates! + while (defined($line = <FH>)) { + if ($line !~ /^[[:space:]]*(#|$)/o) { + chop($line); + if ($line eq $cn) { + exit 0; + } + } + } + close(FH); + } + + # Authentication failed -- Either we could not parse + # the X509 subject string, or the common name in the + # subject string didn't match the passed cn argument. + exit 1; +} + +# If depth is nonzero, tell OpenVPN to continue processing +# the certificate chain. +exit 0; |