Re: [PATCH] tools: relax x509 Subject regexes to allow numbers and more

On Mon, Dec 10, 2018 at 04:53:27PM +0000, Daniel P. Berrangé wrote:
> The virt-pki-validate tool is extracting components in the x509
> certificate Subject field. Unfortunately the regex it is using is far
> too strict, and so truncating valid data. It needs to consider ',' as a
> field separator, and if that's not there take all data until the EOL.
> 
> With the broken regex:
> 
> $ echo "  Subject: O=Test,CN=guestHyp1ver"  | sed 's+.*CN=\(.[a-zA-Z \._-]*\).*+\1+'
> guestHyp
> 
> And with the fixed regex:
> 
> $ echo "Subject: O=Test,CN=guestHyp1ver"  | sed 's+.*CN=\([^,]*\).*+\1+'
> guestHyp1ver
> 
> Reported-by: Kashyap Chamarthy <kchamart@xxxxxxxxxx>
> Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
> ---
>  tools/virt-pki-validate.in | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions
>
> diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in
> index b04680ddef..c3fadbba64 100755
> --- a/tools/virt-pki-validate.in
> +++ b/tools/virt-pki-validate.in
> @@ -201,14 +201,14 @@ then
>          echo Client certificate $LIBVIRT/clientcert.pem should be world readable
>          echo "as root do: chown root:root $LIBVIRT/clientcert.pem ; chmod 644 $LIBVIRT/clientcert.pem"
>      else
> -        S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*O=\([a-zA-Z \._-]*\).*+\1+'`
> +        S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*O=\([^,]*\).*+\1+'`
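
Review bot: In the new `S_ORG` line, `[^,]*` stops at the first comma of any kind, so an Organization value that itself contains a comma is still cut short, and the greedy leading `.*` makes the match start at the last `O=` on the Subject line, even when that text sits inside another attribute's value. Consider requiring a separator before the attribute name and printing only on a match, for example `sed -n 's+.*[ ,]O=\([^,]*\).*+\1+p'`, so that a Subject with no O= field yields an empty `S_ORG` instead of the whole unmodified line. A comment above the assignment saying that commas inside values are not handled would document the remaining limit.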

So, besides ',' any input is accepted.  Works for me in my scenario.

Thanks for the quick patch!

FWIW: Reviewed-by: Kashyap Chamarthy <kchamart@xxxxxxxxxx>

[...]

-- 
/kashyap

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list