[libvirt] [PATCH] Fix virt-pki-validate's determination of CN

Eric Blake eblake at redhat.com
Thu Apr 29 21:40:20 UTC 2010


On 04/29/2010 03:20 PM, Dustin Kirkland wrote:
> Fix virt-pki-validate's determination of CN
> 
> This patch is a follow-up to:
>     cb06a9bfe529e64b15773cb86781ae14c09f8216
>     "portability fixes to tools/virt-pki-validate.in"
> addressing Eric Blake's concerns about the regular expression.
> 
> Ubuntu's gnutls package generates an Issuer line that looks like this:
>         Issuer: C=US,ST=NY,L=Rochester,O=example.com,CN=example.com CA,EMAIL=hostmaster at example.com
> 
> While Red Hat's looks like this
> Issuer: CN=Red Hat Emerging Technologies

Thanks for the details - that extra bit of information in the commit log
makes it much easier to justify the new sed expression.

> I know that Eric dislikes the leading grep.  My apologies.  I spent more
> time than I care to admit trying to get sed to select that one line, and
> then run two regexes against it.  Feel free to correct this patch and
> educate me, if you have a better way.  Thanks!

I'd be glad to help out - open source is all about sharing experience
and learning from others.  We're after sed's grouping command, {}.  For
maximum portability, POSIX 2001 says that the { and } must be on lines
of their own (I think POSIX 2008 tried to relax that, but at least
busybox took POSIX 2001 at their word and rejects one-liner groups even
though the POSIX wording appears to be a mistake since historical Unix
sed always supported one-liner groups).  But since multi-line commands
interrupt the flow of a shell pipeline command, it becomes easier to do
it in two stages.  Also, .* is greedy, so you can simplify ^.* or .*$ to
the shorter .* and get the same result.

sed_find_issuer='/Issuer:/ {
  s/.*Issuer:.*CN=//
  s/,.*//
  p
}'
ORG=`$CERTOOL -i --infile $CA/cacert.pem | sed -n "$sed_find_issuer"`

I wrote the above with minimal testing (basically, I got "example.com
CA" from your Ubuntu example, and "Red Hat Emerging Technologies" from
your Red Hat example), so I would appreciate if you could try it as
well.  I'll also reply to this message with the above in actual patch form.

-- 
Eric Blake   eblake at redhat.com    +1-801-349-2682
Libvirt virtualization library http://libvirt.org
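
The grouped sed script from this message, run over constructed certtool-style input (an added example, not part of the original post or of libvirt's script). The function and sample names are hypothetical, and the third sample assumes a CN that contains a backslash-escaped comma.

```shell
#!/bin/sh
# Added example: names below are hypothetical, inputs are constructed.

# Grouped script from the message: act only on the Issuer line, drop
# everything through "CN=", drop from the next comma on, then print.
sed_find_issuer='/Issuer:/ {
  s/.*Issuer:.*CN=//
  s/,.*//
  p
}'

# Read certtool-style text on stdin and print the issuer CN.
extract_issuer_cn() {
  sed -n "$sed_find_issuer"
}

# Constructed sample in the Ubuntu layout quoted in the thread; the
# Subject line shows that non-Issuer lines are never printed.
sample_ubuntu() {
  cat <<'EOF'
X.509 Certificate Information:
        Issuer: C=US,ST=NY,L=Rochester,O=example.com,CN=example.com CA,EMAIL=hostmaster@example.com
        Subject: C=US,O=example.com,CN=server.example.com
EOF
}

# Constructed sample in the Red Hat layout quoted in the thread.
sample_redhat() {
  cat <<'EOF'
X.509 Certificate Information:
Issuer: CN=Red Hat Emerging Technologies
        Subject: CN=server.example.com
EOF
}

# Constructed edge case (assumption: the CN holds an escaped comma).
# s/,.*// cuts at the first comma, so the CN comes back truncated.
sample_comma_in_cn() {
  cat <<'EOF'
        Issuer: O=Example,CN=Example\, Inc. CA
EOF
}

echo "ubuntu: $(sample_ubuntu | extract_issuer_cn)"
echo "redhat: $(sample_redhat | extract_issuer_cn)"
echo "comma:  $(sample_comma_in_cn | extract_issuer_cn)"
```

The third case is the one to watch when the extracted value feeds a later comparison: a CN with an embedded comma is cut short, so the check would compare against a prefix of the real name.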
