On Thu, 2010-04-29 at 15:56 -0600, Eric Blake wrote:
> From: Dustin Kirkland <kirkland@xxxxxxxxxxxxx>
>
> Ubuntu's gnutls package generates an Issuer line that looks like this:
> Issuer: C=US,ST=NY,L=Rochester,O=example.com,CN=example.com CA,EMAIL=hostmaster@xxxxxxxxxxx
>
> While Red Hat's looks like this
> Issuer: CN=Red Hat Emerging Technologies
>
> Note the leading whitespace, and the additional fields in the former.
>
> This patch updates the regular expression to:
> * trim leading characters before "Issuer:"
> * trim anything between Issuer: and CN=
> * trim anything after the next ,
>
> I've tested this against the certool output of both RH and Ubuntu
> generated certs.
>
> Signed-off-by: Dustin Kirkland <kirkland@xxxxxxxxxxxxx>
> Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
> --- > tools/virt-pki-validate.in | 7 ++++++- > 1 files changed, 6 insertions(+), 1 deletions(-) > > diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in > index f77521d..207fa76 100755 > --- a/tools/virt-pki-validate.in > +++ b/tools/virt-pki-validate.in > @@ -130,7 +130,12 @@ then > echo "as root do: chmod 644 $CA/cacert.pem" > exit 1 > fi > -ORG=`$CERTOOL -i --infile $CA/cacert.pem | sed -n '/Issuer/ s+Issuer: CN=++p'` > +sed_get_org='/Issuer:/ { > + s/.*Issuer:.*CN=// > + s/,.*// > + p > +}' > +ORG=`$CERTOOL -i --infile $CA/cacert.pem | sed -n "$sed_get_org"` > if [ "$ORG" = "" ] > then > echo the CA certificate $CA/cacert.pem does not define the organization

Thanks, Eric. I've tested this and it still works as expected for me against the two different cert formats.

Tested-by: Dustin Kirkland <kirkland@xxxxxxxxxxxxx>
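
Review bot: The `p` in the new `sed_get_org` block runs for every line matching `/Issuer:/`, whether or not `s/.*Issuer:.*CN=//` matched, so an Issuer line with no CN= now yields a non-empty ORG (the line cut at its first comma) and the `if [ "$ORG" = "" ]` check that reports a missing organization no longer fires; the old `s+Issuer: CN=++p` printed only on a successful substitution. Narrowing the address to `/Issuer:.*CN=/` keeps that behaviour. Two smaller points in the same block: `.*CN=` is greedy, so if "CN=" occurs more than once on the line everything up to the last occurrence is dropped, and `s/,.*//` truncates a CN value that itself contains a comma; a comment in the script stating both assumptions would help.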