[libvirt] [PATCH] tools: relax x509 Subject regexes to allow numbers and more
Daniel P. Berrangé
berrange at redhat.com
Tue Dec 11 14:59:34 UTC 2018
On Tue, Dec 11, 2018 at 10:04:34AM +0100, Kashyap Chamarthy wrote:
> On Mon, Dec 10, 2018 at 04:53:27PM +0000, Daniel P. Berrangé wrote:
> > The virt-pki-validate tool is extracting components in the x509
> > certificate Subject field. Unfortunately the regex it is using is far
> > too strict, and so truncating valid data. It needs to consider ',' as a
> > field separator, and if that's not there take all data until the EOL.
>
> [...]
>
> > ---
> > tools/virt-pki-validate.in | 8 ++++----
> > 1 file changed, 4 insertions(+), 4 deletions(-)
> >
> > diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in
> > index b04680ddef..c3fadbba64 100755
> > --- a/tools/virt-pki-validate.in
> > +++ b/tools/virt-pki-validate.in
> > @@ -201,14 +201,14 @@ then
> > echo Client certificate $LIBVIRT/clientcert.pem should be world readable
> > echo "as root do: chown root:root $LIBVIRT/clientcert.pem ; chmod 644 $LIBVIRT/clientcert.pem"
> > else
> > - S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*O=\([a-zA-Z \._-]*\).*+\1+'`
> > + S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*O=\([^,]*\).*+\1+'`
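Review bot: the relaxed class `[^,]*` in the added S_ORG line ends the match at the first comma, so an organization value that itself contains a comma (written `\,` if the Subject is printed in escaped string form) would still be truncated, just at a different character than before. The leading `.*` is also greedy, so the capture binds to the last `O=` on the Subject line, and with the class now accepting almost any character that can be an `O=` sequence inside another attribute's value. Consider requiring a separator before the attribute name (for example `[ ,]O=` rather than a bare `O=`) and adding a short comment in the script stating that values containing commas are not supported.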
>
> Unrelated to this patch, nit-pick: s/S_ORG/C_ORG/ here? Because we use
> 'S_ORG' further below in the script for server certificate.
Yes, that's a harmless mistake but I'll push a trivial patch to rename
it.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
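The effect of the regex change discussed in this thread, as an added example that is not part of the original mail or of libvirt: the function names `extract_old` and `extract_new` are hypothetical wrappers around the two sed expressions from the hunk, and the Subject lines are constructed sample data rather than real certtool output. The last sample assumes a comma inside a value is printed in escaped form.

```shell
#!/bin/sh
# Added illustration; sample Subject lines are constructed, not real certtool output.

# Expression removed by the patch: the O= value may only contain
# letters, space, '.', '_' and '-', so anything else ends the capture.
extract_old() {
    printf '%s\n' "$1" | grep Subject: | sed 's+.*O=\([a-zA-Z \._-]*\).*+\1+'
}

# Expression added by the patch: the O= value runs to the next ','
# or, if there is none, to the end of the line.
extract_new() {
    printf '%s\n' "$1" | grep Subject: | sed 's+.*O=\([^,]*\).*+\1+'
}

# O= is the last field and contains a digit.
subj_last='Subject: CN=client1.example.org,O=Acme2 Labs'
# O= is followed by another field and contains '&'.
subj_first='Subject: O=R&D Group,CN=server1.example.org'
# Assumed escaped-comma form: the new expression still stops at the comma.
subj_escaped='Subject: CN=client2.example.org,O=Example\, Inc.'

for s in "$subj_last" "$subj_first" "$subj_escaped"; do
    printf 'input: %s\n  old: [%s]\n  new: [%s]\n' \
        "$s" "$(extract_old "$s")" "$(extract_new "$s")"
done
```
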