[libvirt] [PATCH] tools: relax x509 Subject regexes to allow numbers and more

Monday, 10 December 2018

The virt-pki-validate tool is extracting components in the x509
certificate Subject field. Unfortunately the regex it is is using is far
too strict, and so truncating valid data. It needs to consider ',' as a
field separator, and if that's not there take all data until the EOL.

With the broken regex:

$ echo "  Subject: O=Test,CN=guestHyp1ver"  | sed 's+.*CN=$.[a-zA-Z
\._-]*$.*+\1+'
guestHyp

And with the fixed regex

$ echo "Subject: O=Test,CN=guestHyp1ver"  | sed
's+.*CN=$[^,]*$.*+\1+'
guestHyp1ver

Reported-by: Kashyap Chamarthy <kchamart(a)redhat.com&gt;
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com&gt;
---
 tools/virt-pki-validate.in | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in
index b04680ddef..c3fadbba64 100755
--- a/tools/virt-pki-validate.in
+++ b/tools/virt-pki-validate.in
@@ -201,14 +201,14 @@ then
         echo Client certificate $LIBVIRT/clientcert.pem should be world readable
         echo "as root do: chown root:root $LIBVIRT/clientcert.pem ; chmod 644
$LIBVIRT/clientcert.pem"
     else
-        S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" |
grep Subject: | sed 's+.*O=\([a-zA-Z \._-]*\).*+\1+'`
+        S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" |
grep Subject: | sed 's+.*O=\([^,]*\).*+\1+'`
         if [ "$ORG" != "$S_ORG" ]
         then
             echo The CA certificate and the client certificate do not match
             echo CA organization: $ORG
             echo Client organization: $S_ORG
         fi
-        CLIENT=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" |
grep Subject: | sed 's+.*CN=\(.[a-zA-Z \._-]*\).*+\1+'`
+        CLIENT=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" |
grep Subject: | sed 's+.*CN=\(.[^,]*\).*+\1+'`
         echo Found client certificate $LIBVIRT/clientcert.pem for $CLIENT
         if [ ! -e "$LIBVIRTP/clientkey.pem" ]
         then
@@ -248,14 +248,14 @@ then
         echo Server certificate $LIBVIRT/servercert.pem should be world readable
         echo "as root do: chown root:root $LIBVIRT/servercert.pem ; chmod 644
$LIBVIRT/servercert.pem"
     else
-        S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" |
grep Subject: | sed 's+.*O=\([a-zA-Z\. _-]*\).*+\1+'`
+        S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" |
grep Subject: | sed 's+.*O=\([^,]*\).*+\1+'`
         if [ "$ORG" != "$S_ORG" ]
         then
             echo The CA certificate and the server certificate do not match
             echo CA organization: $ORG
             echo Server organization: $S_ORG
         fi
-        S_HOST=`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" |
grep Subject: | sed 's+.*CN=\(.[a-zA-Z \._-]*\).*+\1+'`
+        S_HOST=`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" |
grep Subject: | sed 's+.*CN=\([^,]*\).*+\1+'`
         if test "$S_HOST" != "`hostname -s`" && test
"$S_HOST" != "`hostname`"
         then
             echo The server certificate does not seem to match the host name
-- 
2.19.2


    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

[libvirt] [PATCH] tools: relax x509 Subject regexes to allow numbers and more