[libvirt] [PATCH] Fix virt-pki-validate's determination of CN

Fix virt-pki-validate's determination of CN

This patch is a follow-up to: cb06a9bfe529e64b15773cb86781ae14c09f8216 "portability fixes to tools/virt-pki-validate.in" addressing Eric Blake's concerns about the regular expression.

Ubuntu's gnutls package generates an Issuer line that looks like this:
Issuer: C=US,ST=NY,L=Rochester,O=example.com,CN=example.com CA,EMAIL=hostmaster@example.com

While Red Hat's looks like this:
Issuer: CN=Red Hat Emerging Technologies

Note the leading whitespace, and the additional fields in the former.

This patch updates the regular expression to:
* trim leading characters before "Issuer:"
* trim anything between Issuer: and CN=
* trim anything after the next ,

I've tested this against the certtool output of both RH and Ubuntu generated certs.

I know that Eric dislikes the leading grep. My apologies. I spent more time than I care to admit trying to get sed to select that one line, and then run two regexes against it. Feel free to correct this patch and educate me, if you have a better way. Thanks!

Signed-off-by: Dustin Kirkland <kirkland@canonical.com>

diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in index f77521d..c44aa9d 100755 --- a/tools/virt-pki-validate.in +++ b/tools/virt-pki-validate.in @@ -130,7 +130,7 @@ then echo "as root do: chmod 644 $CA/cacert.pem" exit 1 fi -ORG=`$CERTOOL -i --infile $CA/cacert.pem | sed -n '/Issuer/ s+Issuer: CN=++p'` +ORG=`$CERTOOL -i --infile $CA/cacert.pem | grep "Issuer:" | sed -e 's/^.*Issuer:.*CN=//' -e 's/,.*$//'` if [ "$ORG" = "" ] then echo the CA certificate $CA/cacert.pem does not define the organization
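Review bot: the new ORG line loses the "only print on a successful match" behaviour of the line it replaces. `sed -e 's/^.*Issuer:.*CN=//'` leaves the line untouched when it contains no "CN=", so an Issuer line without a CN (for example `Issuer: C=US,O=example.com`) comes through as `Issuer: C=US` after the comma trim, ORG is non-empty, and the `if [ "$ORG" = "" ]` branch that follows never fires; the removed `s+Issuer: CN=++p` under `-n` printed only when its substitution succeeded. Putting the CN= requirement into the line selection itself, e.g. `sed -n '/Issuer:.*CN=/ ...'`, restores that and also makes the leading `grep "Issuer:"` unnecessary. Two smaller points: `.*CN=` is greedy and so anchors on the last `CN=` in the line, and `s/,.*$//` truncates a CN value that itself contains a comma.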

On 04/29/2010 03:20 PM, Dustin Kirkland wrote:
Fix virt-pki-validate's determination of CN
This patch is a follow-up to: cb06a9bfe529e64b15773cb86781ae14c09f8216 "portability fixes to tools/virt-pki-validate.in" addressing Eric Blake's concerns about the regular expression.
Ubuntu's gnutls package generates an Issuer line that looks like this: Issuer: C=US,ST=NY,L=Rochester,O=example.com,CN=example.com CA,EMAIL=hostmaster@example.com
While Red Hat's looks like this Issuer: CN=Red Hat Emerging Technologies
Thanks for the details - that extra bit of information in the commit log makes it much easier to justify the new sed expression.
I know that Eric dislikes the leading grep. My apologies. I spent more time than I care to admit trying to get sed to select that one line, and then run two regexes against it. Feel free to correct this patch and educate me, if you have a better way. Thanks!
I'd be glad to help out - open source is all about sharing experience and learning from others. We're after sed's grouping command, {}. For maximum portability, POSIX 2001 says that the { and } must be on lines of their own (I think POSIX 2008 tried to relax that, but at least busybox took POSIX 2001 at their word and rejects one-liner groups even though the POSIX wording appears to be a mistake since historical Unix sed always supported one-liner groups). But since multi-line commands interrupt the flow of a shell pipeline command, it becomes easier to do it in two stages. Also, .* is greedy, so you can simplify ^.* or .*$ to the shorter .* and get the same result.

sed_find_issuer='/Issuer:/ {
  s/.*Issuer:.*CN=//
  s/,.*//
  p
}'
ORG=`$CERTOOL -i --infile $CA/cacert.pem | sed -n "$sed_find_issuer"`

I wrote the above with minimal testing (basically, I got "example.com CA" from your Ubuntu example, and "Red Hat Emerging Technologies" from your Red Hat example), so I would appreciate if you could try it as well. I'll also reply to this message with the above in actual patch form.

-- 
Eric Blake eblake@redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org
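The sed grouping command and greedy .* that Eric describes above, worked through in an added shell example that is not part of this thread and not libvirt's virt-pki-validate code. The certtool-style input it parses is constructed here (no real certificates behind it), and the "strict" variant that puts CN= into the sed address is this example's own suggestion, not the script that was pushed; it exists to show what the thread's script returns when an Issuer line has no CN field at all.

```shell
#!/bin/sh
# Added example, not code from the thread or from libvirt: extract the issuer
# CN from certtool-style "Issuer:" lines with a POSIX sed group whose { and }
# sit on their own lines, and show what happens when the Issuer has no CN=.

# Constructed "certtool -i" style output (not real certificates). Leading
# whitespace mimics certtool's indentation; the Subject line also carries a
# CN= and must not be picked up.
SAMPLE_UBUNTU='X.509 Certificate Information:
    Version: 3
    Issuer: C=US,ST=NY,L=Rochester,O=example.com,CN=example.com CA,EMAIL=hostmaster@example.com
    Subject: C=US,ST=NY,L=Rochester,O=example.com,CN=libvirt.example.com'

SAMPLE_REDHAT='X.509 Certificate Information:
    Version: 3
    Issuer: CN=Red Hat Emerging Technologies
    Subject: CN=libvirt.example.com'

# Constructed edge case: an Issuer with no CN field.
SAMPLE_NOCN='X.509 Certificate Information:
    Version: 3
    Issuer: C=US,O=example.com
    Subject: CN=libvirt.example.com'

# The sed script as pushed in the thread: select the Issuer line, drop
# everything up to the last "CN=" (.* is greedy), drop from the next comma
# on, then print. Note that p runs whether or not the first s matched.
sed_get_org='/Issuer:/ {
  s/.*Issuer:.*CN=//
  s/,.*//
  p
}'

# Variant suggested by this example (not the thread's code): require CN= in
# the address, so the group and its p only run for Issuer lines that have
# one. An Issuer without a CN then yields no output at all.
sed_get_org_strict='/Issuer:.*CN=/ {
  s/.*CN=//
  s/,.*//
  p
}'

# issuer_cn TEXT: apply the thread's script to certtool-style TEXT.
issuer_cn() {
    printf '%s\n' "$1" | sed -n "$sed_get_org"
}

# issuer_cn_strict TEXT: same extraction with the CN=-requiring address.
issuer_cn_strict() {
    printf '%s\n' "$1" | sed -n "$sed_get_org_strict"
}

# check_org TEXT: the virt-pki-validate style emptiness test. Returns 0 when
# an issuer CN was found, 1 when the script would report that the CA cert
# "does not define the organization".
check_org() {
    org=$(issuer_cn_strict "$1")
    [ -n "$org" ]
}

# Stand-alone run: show both scripts side by side on all three samples.
show() {
    printf '%-6s thread script: [%s]\n' "$1" "$(issuer_cn "$2")"
    printf '%-6s strict script: [%s]\n' "$1" "$(issuer_cn_strict "$2")"
}
show ubuntu "$SAMPLE_UBUNTU"
show redhat "$SAMPLE_REDHAT"
show nocn   "$SAMPLE_NOCN"
```

Both scripts agree on the two Issuer formats from the thread. On the constructed CN-less Issuer they differ: the thread's script prints the indented "Issuer: C=US" remainder, so a caller testing for an empty string would believe a CN was found, while the strict variant prints nothing and check_org fails as intended.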

From: Dustin Kirkland <kirkland@canonical.com>

Ubuntu's gnutls package generates an Issuer line that looks like this:
Issuer: C=US,ST=NY,L=Rochester,O=example.com,CN=example.com CA,EMAIL=hostmaster@example.com

While Red Hat's looks like this:
Issuer: CN=Red Hat Emerging Technologies

Note the leading whitespace, and the additional fields in the former.

This patch updates the regular expression to:
* trim leading characters before "Issuer:"
* trim anything between Issuer: and CN=
* trim anything after the next ,

I've tested this against the certtool output of both RH and Ubuntu generated certs.

Signed-off-by: Dustin Kirkland <kirkland@canonical.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
---
 tools/virt-pki-validate.in | 7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in index f77521d..207fa76 100755 --- a/tools/virt-pki-validate.in +++ b/tools/virt-pki-validate.in @@ -130,7 +130,12 @@ then echo "as root do: chmod 644 $CA/cacert.pem" exit 1 fi -ORG=`$CERTOOL -i --infile $CA/cacert.pem | sed -n '/Issuer/ s+Issuer: CN=++p'` +sed_get_org='/Issuer:/ { + s/.*Issuer:.*CN=// + s/,.*// + p +}' +ORG=`$CERTOOL -i --infile $CA/cacert.pem | sed -n "$sed_get_org"` if [ "$ORG" = "" ] then echo the CA certificate $CA/cacert.pem does not define the organization -- 1.6.6.1
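Review bot: inside the `sed_get_org` group, `p` runs unconditionally, so an Issuer line with no `CN=` is printed whole (after `s/,.*//` trims it at its first comma), ORG is non-empty, and the `if [ "$ORG" = "" ]` check just below never triggers; the line being removed, `s+Issuer: CN=++p`, printed only when its substitution succeeded. Moving the CN= into the address keeps that behaviour with the same portable group form: `/Issuer:.*CN=/ {` followed by `s/.*CN=//`, `s/,.*//` and `p`. Two smaller points: `s/,.*//` cuts a CN value that itself contains a comma, and the variable and the error text both say "organization" while the value extracted is the issuer's CN, which the commit message could state explicitly.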

On Thu, 2010-04-29 at 15:56 -0600, Eric Blake wrote:
From: Dustin Kirkland <kirkland@canonical.com>
Ubuntu's gnutls package generates an Issuer line that looks like this: Issuer: C=US,ST=NY,L=Rochester,O=example.com,CN=example.com CA,EMAIL=hostmaster@example.com
While Red Hat's looks like this Issuer: CN=Red Hat Emerging Technologies
Note the leading whitespace, and the additional fields in the former.
This patch updates the regular expression to:
* trim leading characters before "Issuer:"
* trim anything between Issuer: and CN=
* trim anything after the next ,
I've tested this against the certtool output of both RH and Ubuntu generated certs.
Signed-off-by: Dustin Kirkland <kirkland@canonical.com> Signed-off-by: Eric Blake <eblake@redhat.com> --- tools/virt-pki-validate.in | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-)
diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in index f77521d..207fa76 100755 --- a/tools/virt-pki-validate.in +++ b/tools/virt-pki-validate.in @@ -130,7 +130,12 @@ then echo "as root do: chmod 644 $CA/cacert.pem" exit 1 fi -ORG=`$CERTOOL -i --infile $CA/cacert.pem | sed -n '/Issuer/ s+Issuer: CN=++p'` +sed_get_org='/Issuer:/ { + s/.*Issuer:.*CN=// + s/,.*// + p +}' +ORG=`$CERTOOL -i --infile $CA/cacert.pem | sed -n "$sed_get_org"` if [ "$ORG" = "" ] then echo the CA certificate $CA/cacert.pem does not define the organization
Thanks, Eric. I've tested this and it still works as expected for me against the two different cert formats. Tested-by: Dustin Kirkland <kirkland@canonical.com>

On 04/29/2010 04:16 PM, Dustin Kirkland wrote:
I've tested this against the certtool output of both RH and Ubuntu generated certs.
Signed-off-by: Dustin Kirkland <kirkland@canonical.com> Signed-off-by: Eric Blake <eblake@redhat.com> --- -ORG=`$CERTOOL -i --infile $CA/cacert.pem | sed -n '/Issuer/ s+Issuer: CN=++p'` +sed_get_org='/Issuer:/ { + s/.*Issuer:.*CN=// + s/,.*// + p +}' +ORG=`$CERTOOL -i --infile $CA/cacert.pem | sed -n "$sed_get_org"` if [ "$ORG" = "" ] then echo the CA certificate $CA/cacert.pem does not define the organization
Thanks, Eric. I've tested this and it still works as expected for me against the two different cert formats.
Given your ACK and my testing, I've gone ahead and pushed this patch. Thanks again for persevering with this issue.