[libvirt] [PATCH] Fix virt-pki-validate's determination of CN

Dustin Kirkland kirkland at canonical.com
Thu Apr 29 21:20:50 UTC 2010


Fix virt-pki-validate's determination of CN

This patch is a follow-up to:
    cb06a9bfe529e64b15773cb86781ae14c09f8216
    "portability fixes to tools/virt-pki-validate.in"
addressing Eric Blake's concerns about the regular expression.

Ubuntu's gnutls package generates an Issuer line that looks like this:
        Issuer: C=US,ST=NY,L=Rochester,O=example.com,CN=example.com CA,EMAIL=hostmaster at example.com

While Red Hat's looks like this:
Issuer: CN=Red Hat Emerging Technologies

Note the leading whitespace, and the additional fields in the former.

This patch updates the regular expression to:
 * trim leading characters before "Issuer:"
 * trim anything between Issuer: and CN=
 * trim anything after the next ,

I've tested this against the certool output of both RH and Ubuntu
generated certs.

I know that Eric dislikes the leading grep.  My apologies.  I spent more
time than I care to admit trying to get sed to select that one line, and
then run two regexes against it.  Feel free to correct this patch and
educate me, if you have a better way.  Thanks!

Signed-off-by: Dustin Kirkland <kirkland at canonical.com>

diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in
index f77521d..c44aa9d 100755
--- a/tools/virt-pki-validate.in
+++ b/tools/virt-pki-validate.in
@@ -130,7 +130,7 @@ then
     echo "as root do: chmod 644 $CA/cacert.pem"
     exit 1
 fi
-ORG=`$CERTOOL -i --infile $CA/cacert.pem | sed -n '/Issuer/ s+Issuer: CN=++p'`
+ORG=`$CERTOOL -i --infile $CA/cacert.pem | grep "Issuer:" | sed -e 's/^.*Issuer:.*CN=//' -e 's/,.*$//'`
 if [ "$ORG" = "" ]
 then
     echo the CA certificate $CA/cacert.pem does not define the organization
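
Review bot: On the added `ORG=` line, a CA certificate whose Issuer has no CN= now yields a non-empty ORG, so the `[ "$ORG" = "" ]` check that follows no longer catches it. The first expression leaves the line unchanged when CN= is absent, and the second then only strips from the first comma onward, leaving text such as "Issuer: C=US"; the removed `sed -n ... p` form printed nothing in that case. Printing only on a successful match would keep the empty check meaningful and also remove the need for the leading grep, for example `sed -n 's/^.*Issuer:.*CN=\([^,]*\).*$/\1/p'`. Also, `.*CN=` is greedy, so an Issuer line containing more than one CN= takes the last one, and a CN value that itself contains a comma is truncated; a short comment stating those limits would help.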
