#!/usr/bin/perl

# auth-eid-check -- a sample OpenVPN tls-verify script
#  Based on the sample OpenVPN tls-verify script
#  changed by Christophe Vandeplas
#
# Return 0 if cn matches the common name component of
# X509_NAME_oneline, 1 otherwise.
#
# For example in OpenVPN, you could use the directive:
#
#   auth-eid-check "./auth-eid-check"
#
die "usage: auth-eid-check certificate_depth X509_NAME_oneline" if (@ARGV != 2);

# Parse out arguments:
#   cn    -- The common name which the client is required to have,
#            taken from the argument to the tls-verify directive
#            in the OpenVPN config file.
#   depth -- The current certificate chain depth.  In a typical
#            bi-level chain, the root certificate will be at level
#            1 and the client certificate will be at level 0.
#            This script will be called separately for each level.
#   x509  -- the X509 subject string as extracted by OpenVPN from
#            the client's provided certificate.
($depth, $x509) = @ARGV;

$cn="83021811535";
if ($depth == 0) {
    # If depth is zero, we know that this is the final
    # certificate in the chain (i.e. the client certificate),
    # and the one we are interested in examining.
    # If so, parse out the common name substring in
    # the X509 subject string.

    if ($x509 =~ /\/serialNumber=([^\/]+)/) {
	# Accept the connection if the X509 common name
	# string matches the passed cn argument.
	if ($cn eq $1) {
            #print "TLS-VERIFY: OK - $1";
	    exit 0;
	}
    }

    # Authentication failed -- Either we could not parse
    # the X509 subject string, or the common name in the
    # subject string didn't match the passed cn argument.
    #print "TLS-VERIFY: EE - $1";
    exit 1;
}

# If depth is nonzero, tell OpenVPN to continue processing
# the certificate chain.
exit 0;