From 6ba26cba2b4a7c2cbc11338000a31079a699d94e Mon Sep 17 00:00:00 2001 From: John Crispin Date: Wed, 6 Aug 2025 16:23:57 +0200 Subject: [PATCH] est_client: add a function to validate that the CN is correct cloud_discovery will not start if the CN does not match the devices serial. an error will be written to syslog --- Wed Aug 6 14:23:23 2025 user.notice root: ERROR Wed Aug 6 14:23:23 2025 user.notice root: ERROR Wed Aug 6 14:23:23 2025 user.notice root: ERROR Wed Aug 6 14:23:23 2025 user.notice root: The certificate used has a CN that does not match the serial of the device Wed Aug 6 14:23:23 2025 user.notice root: ERROR Wed Aug 6 14:23:23 2025 user.notice root: ERROR Wed Aug 6 14:23:23 2025 user.notice root: ERROR --- Signed-off-by: John Crispin
---
 .../files/etc/init.d/cloud_discover | 13 +++++++++++++
 .../cloud_discovery/files/usr/bin/est_client | 18 ++++++++++++++++++
 2 files changed, 31 insertions(+)
diff --git a/feeds/tip/cloud_discovery/files/etc/init.d/cloud_discover b/feeds/tip/cloud_discovery/files/etc/init.d/cloud_discover
index 77ddb05cb..e9828b22f 100755
--- a/feeds/tip/cloud_discovery/files/etc/init.d/cloud_discover
+++ b/feeds/tip/cloud_discovery/files/etc/init.d/cloud_discover
@@ -22,6 +22,19 @@ start_service() {
 [ "$valid" == "true" ] || /usr/share/ucentral/ucentral.uc /etc/ucentral/ucentral.cfg.0000000001 > /dev/null
+ est_client check
+ [ $? -eq 1 ] && {
+ logger ERROR
+ logger ERROR
+ logger ERROR
+ logger The certificate used has a CN that does not match the serial of the device
+ echo The certificate used has a CN that does not match the serial of the device
+ logger ERROR
+ logger ERROR
+ logger ERROR
+ return
+ }
+
 procd_open_instance
 procd_set_param command "$PROG"
 procd_set_param respawn
diff --git a/feeds/tip/cloud_discovery/files/usr/bin/est_client b/feeds/tip/cloud_discovery/files/usr/bin/est_client
index a2a740475..61eff4e50 100755
--- a/feeds/tip/cloud_discovery/files/usr/bin/est_client
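Review bot: The bare `return` that ends the added mismatch block hands start_service the exit status of the preceding `logger`, normally 0, so procd records a successful start even though no instance was opened; it should be `return 1`. The guard `[ $? -eq 1 ]` is also fail-open: only a status of exactly 1 refuses the start, so if `est_client` is absent, aborts with a runtime error, or exits with any other code, cloud_discover starts with an unverified certificate — `est_client check || { …; return 1; }` treats every failure as a refusal while still letting the no-certificate case (which the new check_cert maps to 0) through. The six `logger ERROR` banner lines land in syslog as user.notice, as the commit message shows; a single tagged, prioritised entry, `logger -p daemon.err -t cloud_discover "certificate CN does not match the device serial"`, is easier to alert on. start_service begins before this hunk and its end lies outside it.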
+++ b/feeds/tip/cloud_discovery/files/usr/bin/est_client
@@ -4,6 +4,7 @@ import { ulog_open, ulog, ULOG_SYSLOG, ULOG_STDIO, LOG_DAEMON, LOG_INFO } from 'log';
 import * as fs from 'fs';
+import * as libuci from 'uci';
 let store_operational_pem = false;
 let store_operational_ca = false;
@@ -166,6 +167,20 @@ function fwtool() {
 return 0;
 }
+function check_cert() {
+ if (!fs.stat('/etc/ucentral/cert.pem'))
+ return 0;
+ let pipe = fs.popen("openssl x509 -in /etc/ucentral/cert.pem -noout -subject -nameopt multiline | grep commonName | awk '{ print $3 }'");
+ let cn = pipe.read("all");
+ pipe.close();
+ if (!cn)
+ return 0;
+ cn = lc(trim(cn));
+ let uci = libuci.cursor();
+ let serial = uci.get('ucentral', 'config', 'serial');
+ return cn != serial;
+}
+
 switch(ARGV[0]) {
 case 'enroll':
 let ret = simpleenroll();
@@ -187,4 +202,7 @@ case 'reenroll':
 case 'fwtool':
 exit(fwtool());
+
+case 'check':
+ exit(check_cert());
 }
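Review bot: check_cert fails open at `if (!cn) return 0;`: an empty pipeline result — openssl not installed, an unreadable or non-PEM `cert.pem`, or a subject line that `grep commonName | awk '{ print $3 }'` does not match — is reported as a matching certificate, so the only path that can refuse a start is a successfully parsed CN that differs. A parse failure should be a distinct non-zero result, e.g. `if (!cn) return 2;`, with the caller treating any non-zero status as a refusal; the `fs.stat` early return for a missing certificate may be intentional (device not yet enrolled) but deserves a comment saying so. The comparison lower-cases only the CN while the uci serial is compared verbatim, so a serial stored in upper-case hex would never match — normalise both sides, `let serial = lc(trim(uci.get('ucentral', 'config', 'serial')));`, and return an explicit integer, `return cn != serial ? 1 : 0;`, rather than relying on boolean coercion at the exit() call. `fs.popen` returning null on failure is not handled either, which would make `pipe.read` throw, and whether that surfaces as a non-zero process status depends on the ucode runtime and is worth pinning down. Note this is only a CN-to-serial consistency check, not a validity check of cert.pem (expiry, chain); if those are enforced elsewhere, a one-line comment pointing there would help the next reader.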
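Review bot: `exit(check_cert());` passes the boolean produced by `return cn != serial;` straight to exit(), so the process status the init script tests for (`$? -eq 1`) depends on ucode coercing `true` to 1, and nothing documents that 0 also covers "no certificate present" and "CN could not be read". Pin the contract here with `exit(check_cert() ? 1 : 0);` or by having check_cert return integers, and add a comment above the case stating the exit-code meaning, e.g. `// exit 1 when the certificate CN does not match the uci serial, 0 otherwise`. The enclosing switch begins before this hunk.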