scottk/wlan-ap
1
0
Fork 0
mirror of https://github.com/Telecominfraproject/wlan-ap.git synced 2025-10-30 18:07:52 +00:00
Code Issues Packages Projects Releases 10 Wiki Activity

est_client: add a function to validate that the CN is correct

Browse Source 
cloud_discovery will not start if the CN does not match the devices serial.
an error will be written to syslog

---
Wed Aug  6 14:23:23 2025 user.notice root: ERROR
Wed Aug  6 14:23:23 2025 user.notice root: ERROR
Wed Aug  6 14:23:23 2025 user.notice root: ERROR
Wed Aug  6 14:23:23 2025 user.notice root: The certificate used has a CN that does not match the serial of the device
Wed Aug  6 14:23:23 2025 user.notice root: ERROR
Wed Aug  6 14:23:23 2025 user.notice root: ERROR
Wed Aug  6 14:23:23 2025 user.notice root: ERROR
---

Signed-off-by: John Crispin <john@phrozen.org>
This commit is contained in:
John Crispin
2025-08-06 16:23:57 +02:00
parent b5b276bfcc
commit 6ba26cba2b
2 changed files with 31 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
feeds/tip/cloud_discovery/files/etc/init.d/cloud_discover
View File

@@ -22,6 +22,19 @@ start_service() {
[ "$valid" == "true" ] || [ "$valid" == "true" ] ||
/usr/share/ucentral/ucentral.uc /etc/ucentral/ucentral.cfg.0000000001 > /dev/null /usr/share/ucentral/ucentral.uc /etc/ucentral/ucentral.cfg.0000000001 > /dev/null
est_client check
[ $? -eq 1 ] && {
logger ERROR
logger ERROR
logger ERROR
logger The certificate used has a CN that does not match the serial of the device
echo The certificate used has a CN that does not match the serial of the device
logger ERROR
logger ERROR
logger ERROR
return
}
procd_open_instance procd_open_instance
procd_set_param command "$PROG" procd_set_param command "$PROG"
procd_set_param respawn procd_set_param respawn

18
feeds/tip/cloud_discovery/files/usr/bin/est_client
View File

@@ -4,6 +4,7 @@
import { ulog_open, ulog, ULOG_SYSLOG, ULOG_STDIO, LOG_DAEMON, LOG_INFO } from 'log'; import { ulog_open, ulog, ULOG_SYSLOG, ULOG_STDIO, LOG_DAEMON, LOG_INFO } from 'log';
import * as fs from 'fs'; import * as fs from 'fs';
import * as libuci from 'uci';
let store_operational_pem = false; let store_operational_pem = false;
let store_operational_ca = false; let store_operational_ca = false;
@@ -166,6 +167,20 @@ function fwtool() {
return 0; return 0;
} }
function check_cert() {
if (!fs.stat('/etc/ucentral/cert.pem'))
return 0;
let pipe = fs.popen("openssl x509 -in /etc/ucentral/cert.pem -noout -subject -nameopt multiline | grep commonName | awk '{ print $3 }'");
let cn = pipe.read("all");
pipe.close();
if (!cn)
return 0;
cn = lc(trim(cn));
let uci = libuci.cursor();
let serial = uci.get('ucentral', 'config', 'serial');
return cn != serial;
}
switch(ARGV[0]) { switch(ARGV[0]) {
case 'enroll': case 'enroll':
let ret = simpleenroll(); let ret = simpleenroll();
@@ -187,4 +202,7 @@ case 'reenroll':
case 'fwtool': case 'fwtool':
exit(fwtool()); exit(fwtool());
case 'check':
exit(check_cert());
} }