[libvirt] [PATCH] tools: relax x509 Subject regexes to allow numbers and more
Kashyap Chamarthy
kchamart at redhat.com
Tue Dec 11 09:04:34 UTC 2018
On Mon, Dec 10, 2018 at 04:53:27PM +0000, Daniel P. Berrangé wrote:
> The virt-pki-validate tool is extracting components in the x509
> certificate Subject field. Unfortunately the regex it is is using is far
> too strict, and so truncating valid data. It needs to consider ',' as a
> field separator, and if that's not there take all data until the EOL.
[...]
> ---
> tools/virt-pki-validate.in | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in
> index b04680ddef..c3fadbba64 100755
> --- a/tools/virt-pki-validate.in
> +++ b/tools/virt-pki-validate.in
> @@ -201,14 +201,14 @@ then
> echo Client certificate $LIBVIRT/clientcert.pem should be world readable
> echo "as root do: chown root:root $LIBVIRT/clientcert.pem ; chmod 644 $LIBVIRT/clientcert.pem"
> else
> - S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*O=\([a-zA-Z \._-]*\).*+\1+'`
> + S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*O=\([^,]*\).*+\1+'`
Unrelated to this patch, nit-pick: s/S_ORG/C_ORG/ here? Because we use
'S_ORG' further below in the script for server certificate.
[...]
--
/kashyap
More information about the libvir-list
mailing list