est_client: add a function to validate that the CN is correct

cloud_discovery will not start if the CN does not match the devices serial. an error will be written to syslog --- Wed Aug 6 14:23:23 2025 user.notice root: ERROR Wed Aug 6 14:23:23 2025 user.notice root: ERROR Wed Aug 6 14:23:23 2025 user.notice root: ERROR Wed Aug 6 14:23:23 2025 user.notice root: The certificate used has a CN that does not match the serial of the device Wed Aug 6 14:23:23 2025 user.notice root: ERROR Wed Aug 6 14:23:23 2025 user.notice root: ERROR Wed Aug 6 14:23:23 2025 user.notice root: ERROR --- Signed-off-by: John Crispin <john@phrozen.org>
2025-10-28 17:12:22 +00:00 · 2025-08-06 16:23:57 +02:00
parent b5b276bfcc
commit 6ba26cba2b
2 changed files with 31 additions and 0 deletions
--- a/feeds/tip/cloud_discovery/files/etc/init.d/cloud_discover
+++ b/feeds/tip/cloud_discovery/files/etc/init.d/cloud_discover
@@ -22,6 +22,19 @@ start_service() {
 	[ "$valid" == "true" ] || 
 		/usr/share/ucentral/ucentral.uc /etc/ucentral/ucentral.cfg.0000000001 > /dev/null

+	est_client check
+	[ $? -eq 1 ] && {
+		logger ERROR
+		logger ERROR
+		logger ERROR
+		logger The certificate used has a CN that does not match the serial of the device
+		echo The certificate used has a CN that does not match the serial of the device
+		logger ERROR
+		logger ERROR
+		logger ERROR
+		return
+	}
+
 	procd_open_instance
 	procd_set_param command "$PROG"
 	procd_set_param respawn
--- a/feeds/tip/cloud_discovery/files/usr/bin/est_client
+++ b/feeds/tip/cloud_discovery/files/usr/bin/est_client
@@ -4,6 +4,7 @@

 import { ulog_open, ulog, ULOG_SYSLOG, ULOG_STDIO, LOG_DAEMON, LOG_INFO } from 'log';
 import * as fs from 'fs';
+import * as libuci from 'uci';

 let store_operational_pem = false;
 let store_operational_ca = false;
@@ -166,6 +167,20 @@ function fwtool() {
 	return 0;
 }

+function check_cert() {
+	if (!fs.stat('/etc/ucentral/cert.pem'))
+		return 0;
+	let pipe = fs.popen("openssl x509 -in /etc/ucentral/cert.pem  -noout -subject -nameopt multiline | grep commonName | awk '{ print $3 }'");
+	let cn = pipe.read("all");
+	pipe.close();
+	if (!cn)
+		return 0;
+	cn = lc(trim(cn));
+	let uci = libuci.cursor();
+	let serial = uci.get('ucentral', 'config', 'serial');
+	return cn != serial;
+}
+
 switch(ARGV[0]) {
 case 'enroll':
 	let ret = simpleenroll();
@@ -187,4 +202,7 @@ case 'reenroll':

 case 'fwtool':
 	exit(fwtool());
+
+case 'check':
+	exit(check_cert());
 }