[libvirt] [PATCH] Fix virt-pki-validate's determination of CN
Dustin Kirkland
kirkland at canonical.com
Thu Apr 29 22:16:46 UTC 2010
On Thu, 2010-04-29 at 15:56 -0600, Eric Blake wrote:
> From: Dustin Kirkland <kirkland at canonical.com>
>
> Ubuntu's gntls package generates an Issuer line that looks like this:
> Issuer: C=US,ST=NY,L=Rochester,O=example.com,CN=example.com CA,EMAIL=hostmaster at example.com
>
> While Red Hat's looks like this
> Issuer: CN=Red Hat Emerging Technologies
>
> Note the leading whitespace, and the additional fields in the former.
>
> This patch updates the regular expression to:
> * trim leading characters before "Issuer:"
> * trim anything between Issuer: and CN=
> * trim anything after the next ,
>
> I've tested this against the certool output of both RH and Ubuntu
> generated certs.
>
> Signed-off-by: Dustin Kirkland <kirkland at canonical.com>
> Signed-off-by: Eric Blake <eblake at redhat.com>
> ---
> tools/virt-pki-validate.in | 7 ++++++-
> 1 files changed, 6 insertions(+), 1 deletions(-)
>
> diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in
> index f77521d..207fa76 100755
> --- a/tools/virt-pki-validate.in
> +++ b/tools/virt-pki-validate.in
> @@ -130,7 +130,12 @@ then
> echo "as root do: chmod 644 $CA/cacert.pem"
> exit 1
> fi
> -ORG=`$CERTOOL -i --infile $CA/cacert.pem | sed -n '/Issuer/ s+Issuer: CN=++p'`
> +sed_get_org='/Issuer:/ {
> + s/.*Issuer:.*CN=//
> + s/,.*//
> + p
> +}'
> +ORG=`$CERTOOL -i --infile $CA/cacert.pem | sed -n "$sed_get_org"`
> if [ "$ORG" = "" ]
> then
> echo the CA certificate $CA/cacert.pem does not define the organization
Thanks, Eric. I've tested this and it still works works as expected for
me against the two different cert formats.
Tested-by: Dustin Kirkland <kirkland at canonical.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20100429/5a31940c/attachment-0001.sig>
More information about the libvir-list
mailing list