OU verification script for OpenVPN tls-verify.

verify-ou.pl

#!/usr/bin/perl
## vim: set syn=on ts=4 sw=4 sts=0 et foldmethod=indent:
## purpose: check if value exists in multi-valued ou
## copyright: B1 Systems GmbH <[email protected]>, 2018.
## license: GPLv3+, http://www.gnu.org/licenses/gpl-3.0.html
## author: Tobias Wolter <[email protected]>, 2018.
## version: 1.0

## Source for this is the verify-cn sample from OpenVPN:
## https://github.com/OpenVPN/openvpn/blob/master/sample/sample-scripts/verify-cn
## Original author isn't known.

## For this to work like intended, the OU will need to be formatted like OU=foo,bar,baz.

die "usage: verify-ou search certificate_depth subject" if (@ARGV != 3);

# Parse out arguments:
#   search -- The substing you are searching in the OU
#   depth  -- The current certificate chain depth.  In a typical
#             bi-level chain, the root certificate will be at level
#             1 and the client certificate will be at level 0.
#             This script will be called separately for each level.
#   x509   -- the X509 subject string as extracted by OpenVPN from
#             the client's provided certificate.
($search, $depth, $x509) = @ARGV;

if ($depth == 0) {
    # If depth is zero, we know that this is the final
    # certificate in the chain (i.e. the client certificate),
    # and the one we are interested in examining.
    # If so, parse out the organizational unit substring in
    # the X509 subject string.

    $x509 =~ s{(^/|/$)}{}g;
    %components = split /[\/=]/, $x509;
    @ous = (split /,/, $components{'OU'});
    $components{'OU'} = \@ous;

    if (grep(/$search/, @{$components{'OU'}})) {
      # found
      exit 0
    }

    # Authentication failed -- Either we could not parse
    # the X509 subject string, or the common name in the
    # subject string didn't match the passed cn argument.
    exit 1;
} else {
    # If depth is nonzero, tell OpenVPN to continue processing
    # the certificate chain.
    exit 0;
}