On Mon, Dec 10, 2018 at 04:53:27PM +0000, Daniel P. Berrangé wrote:
> The virt-pki-validate tool is extracting components in the x509
> certificate Subject field. Unfortunately the regex it is using is far
> too strict, and so truncating valid data. It needs to consider ',' as a
> field separator, and if that's not there take all data until the EOL.
>
> With the broken regex:
>
> $ echo " Subject: O=Test,CN=guestHyp1ver" | sed 's+.*CN=\(.[a-zA-Z \._-]*\).*+\1+'
> guestHyp
>
> And with the fixed regex
>
> $ echo "Subject: O=Test,CN=guestHyp1ver" | sed 's+.*CN=\([^,]*\).*+\1+'
> guestHyp1ver
>
> Reported-by: Kashyap Chamarthy <kchamart@xxxxxxxxxx>
> Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
> ---
> tools/virt-pki-validate.in | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions
>
> diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in > index b04680ddef..c3fadbba64 100755 > --- a/tools/virt-pki-validate.in > +++ b/tools/virt-pki-validate.in > @@ -201,14 +201,14 @@ then > echo Client certificate $LIBVIRT/clientcert.pem should be world readable > echo "as root do: chown root:root $LIBVIRT/clientcert.pem ; chmod 644 $LIBVIRT/clientcert.pem" > else > - S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*O=\([a-zA-Z \._-]*\).*+\1+'` > + S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*O=\([^,]*\).*+\1+'`

So, besides ',' any input is accepted. Works for me in my scenario.
Thanks for the quick patch!

FWIW:

    Reviewed-by: Kashyap Chamarthy <kchamart@xxxxxxxxxx>

[...]

--
/kashyap
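
Review bot: In the new `S_ORG` line, `[^,]*` ends the capture at the first comma of any kind, so an organization whose value itself contains a comma is still truncated: if certtool prints such a value escaped, as in the constructed Subject `O=Example\, Inc,CN=host`, the result is `Example\` rather than the full name. Consider letting the group consume backslash-escaped characters as well as non-comma characters, or state the limitation in the commit message if it is left as is. The leading `.*O=` is also greedy and not tied to a field boundary, so it selects the last `O=` anywhere on the Subject line, including one that sits inside another attribute's value; requiring a preceding space or comma before `O=` would keep the match on the real O attribute.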