[libvirt] [PATCH] tools: relax x509 Subject regexes to allow numbers and more

Daniel P. Berrangé berrange at redhat.com
Tue Dec 11 14:59:34 UTC 2018


On Tue, Dec 11, 2018 at 10:04:34AM +0100, Kashyap Chamarthy wrote:
> On Mon, Dec 10, 2018 at 04:53:27PM +0000, Daniel P. Berrangé wrote:
> > The virt-pki-validate tool is extracting components in the x509
> > certificate Subject field. Unfortunately the regex it is is using is far
> > too strict, and so truncating valid data. It needs to consider ',' as a
> > field separator, and if that's not there take all data until the EOL.
> 
> [...]
> 
> > ---
> >  tools/virt-pki-validate.in | 8 ++++----
> >  1 file changed, 4 insertions(+), 4 deletions(-)
> > 
> > diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in
> > index b04680ddef..c3fadbba64 100755
> > --- a/tools/virt-pki-validate.in
> > +++ b/tools/virt-pki-validate.in
> > @@ -201,14 +201,14 @@ then
> >          echo Client certificate $LIBVIRT/clientcert.pem should be world readable
> >          echo "as root do: chown root:root $LIBVIRT/clientcert.pem ; chmod 644 $LIBVIRT/clientcert.pem"
> >      else
> > -        S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*O=\([a-zA-Z \._-]*\).*+\1+'`
> > +        S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*O=\([^,]*\).*+\1+'`
> 
> Unrelated to this patch, nit-pick: s/S_ORG/C_ORG/ here?  Because we use
> 'S_ORG' further below in the script for server certificate.

Yes, that's a harmless mistake but i'll push a trivial patch to rename
it.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|




More information about the libvir-list mailing list