10:53 a.m.
The virt-pki-validate tool is extracting components in the x509
certificate Subject field. Unfortunately the regex it is is using is far
too strict, and so truncating valid data. It needs to consider ',' as a
field separator, and if that's not there take all data until the EOL.
With the broken regex:
$ echo " Subject: O=Test,CN=guestHyp1ver" | sed 's+.*CN=\(.[a-zA-Z
\._-]*\).*+\1+'
guestHyp
And with the fixed regex
$ echo "Subject: O=Test,CN=guestHyp1ver" | sed
's+.*CN=\([^,]*\).*+\1+'
guestHyp1ver
Reported-by: Kashyap Chamarthy <kchamart(a)redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
tools/virt-pki-validate.in | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in
index b04680ddef..c3fadbba64 100755
--- a/tools/virt-pki-validate.in
+++ b/tools/virt-pki-validate.in
@@ -201,14 +201,14 @@ then
echo Client certificate $LIBVIRT/clientcert.pem should be world readable
echo "as root do: chown root:root $LIBVIRT/clientcert.pem ; chmod 644
$LIBVIRT/clientcert.pem"
else
- S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" |
grep Subject: | sed 's+.*O=\([a-zA-Z \._-]*\).*+\1+'`
+ S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" |
grep Subject: | sed 's+.*O=\([^,]*\).*+\1+'`
if [ "$ORG" != "$S_ORG" ]
then
echo The CA certificate and the client certificate do not match
echo CA organization: $ORG
echo Client organization: $S_ORG
fi
- CLIENT=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" |
grep Subject: | sed 's+.*CN=\(.[a-zA-Z \._-]*\).*+\1+'`
+ CLIENT=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" |
grep Subject: | sed 's+.*CN=\(.[^,]*\).*+\1+'`
echo Found client certificate $LIBVIRT/clientcert.pem for $CLIENT
if [ ! -e "$LIBVIRTP/clientkey.pem" ]
then
@@ -248,14 +248,14 @@ then
echo Server certificate $LIBVIRT/servercert.pem should be world readable
echo "as root do: chown root:root $LIBVIRT/servercert.pem ; chmod 644
$LIBVIRT/servercert.pem"
else
- S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" |
grep Subject: | sed 's+.*O=\([a-zA-Z\. _-]*\).*+\1+'`
+ S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" |
grep Subject: | sed 's+.*O=\([^,]*\).*+\1+'`
if [ "$ORG" != "$S_ORG" ]
then
echo The CA certificate and the server certificate do not match
echo CA organization: $ORG
echo Server organization: $S_ORG
fi
- S_HOST=`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" |
grep Subject: | sed 's+.*CN=\(.[a-zA-Z \._-]*\).*+\1+'`
+ S_HOST=`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" |
grep Subject: | sed 's+.*CN=\([^,]*\).*+\1+'`
if test "$S_HOST" != "`hostname -s`" && test
"$S_HOST" != "`hostname`"
then
echo The server certificate does not seem to match the host name
--
2.19.2
2:39 a.m.
On Mon, Dec 10, 2018 at 04:53:27PM +0000, Daniel P. Berrangé wrote:
The virt-pki-validate tool is extracting components in the x509
certificate Subject field. Unfortunately the regex it is is using is far
too strict, and so truncating valid data. It needs to consider ',' as a
field separator, and if that's not there take all data until the EOL.
With the broken regex:
$ echo " Subject: O=Test,CN=guestHyp1ver" | sed 's+.*CN=\(.[a-zA-Z
\._-]*\).*+\1+'
guestHyp
And with the fixed regex
$ echo "Subject: O=Test,CN=guestHyp1ver" | sed
's+.*CN=\([^,]*\).*+\1+'
guestHyp1ver
Reported-by: Kashyap Chamarthy <kchamart(a)redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
tools/virt-pki-validate.in | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions
diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in
index b04680ddef..c3fadbba64 100755
--- a/tools/virt-pki-validate.in
+++ b/tools/virt-pki-validate.in
@@ -201,14 +201,14 @@ then
echo Client certificate $LIBVIRT/clientcert.pem should be world readable
echo "as root do: chown root:root $LIBVIRT/clientcert.pem ; chmod 644
$LIBVIRT/clientcert.pem"
else
- S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" |
grep Subject: | sed 's+.*O=\([a-zA-Z \._-]*\).*+\1+'`
+ S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" |
grep Subject: | sed 's+.*O=\([^,]*\).*+\1+'`
So, besides ',' any input is accepted. Works for me in my scenario.
Thanks for the quick patch!
FWIW: Reviewed-by: Kashyap Chamarthy <kchamart(a)redhat.com>
[...]
--
/kashyap
3:04 a.m.
On Mon, Dec 10, 2018 at 04:53:27PM +0000, Daniel P. Berrangé wrote:
The virt-pki-validate tool is extracting components in the x509
certificate Subject field. Unfortunately the regex it is is using is far
too strict, and so truncating valid data. It needs to consider ',' as a
field separator, and if that's not there take all data until the EOL.
[...]
---
tools/virt-pki-validate.in | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in
index b04680ddef..c3fadbba64 100755
--- a/tools/virt-pki-validate.in
+++ b/tools/virt-pki-validate.in
@@ -201,14 +201,14 @@ then
echo Client certificate $LIBVIRT/clientcert.pem should be world readable
echo "as root do: chown root:root $LIBVIRT/clientcert.pem ; chmod 644
$LIBVIRT/clientcert.pem"
else
- S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" |
grep Subject: | sed 's+.*O=\([a-zA-Z \._-]*\).*+\1+'`
+ S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" |
grep Subject: | sed 's+.*O=\([^,]*\).*+\1+'`
Unrelated to this patch, nit-pick: s/S_ORG/C_ORG/ here? Because we use
'S_ORG' further below in the script for server certificate.
[...]
--
/kashyap
8:59 a.m.
On Tue, Dec 11, 2018 at 10:04:34AM +0100, Kashyap Chamarthy wrote:
On Mon, Dec 10, 2018 at 04:53:27PM +0000, Daniel P. Berrangé wrote:
> The virt-pki-validate tool is extracting components in the x509
> certificate Subject field. Unfortunately the regex it is is using is far
> too strict, and so truncating valid data. It needs to consider ',' as a
> field separator, and if that's not there take all data until the EOL.
[...]
> ---
> tools/virt-pki-validate.in | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in
> index b04680ddef..c3fadbba64 100755
> --- a/tools/virt-pki-validate.in
> +++ b/tools/virt-pki-validate.in
> @@ -201,14 +201,14 @@ then
> echo Client certificate $LIBVIRT/clientcert.pem should be world readable
> echo "as root do: chown root:root $LIBVIRT/clientcert.pem ; chmod 644
$LIBVIRT/clientcert.pem"
> else
> - S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem"
| grep Subject: | sed 's+.*O=\([a-zA-Z \._-]*\).*+\1+'`
> + S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem"
| grep Subject: | sed 's+.*O=\([^,]*\).*+\1+'`
Unrelated to this patch, nit-pick: s/S_ORG/C_ORG/ here? Because we use
'S_ORG' further below in the script for server certificate.
Yes, that's a harmless mistake but i'll push a trivial patch to rename
it.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
2176
days inactive
2177
days old
3 comments
2 participants
participants (2)
-
Daniel P. Berrangé -
Kashyap Chamarthy