[libvirt] [PATCH] tools: relax x509 Subject regexes to allow numbers and more
The virt-pki-validate tool is extracting components in the x509 certificate Subject field. Unfortunately the regex it is is using is far too strict, and so truncating valid data. It needs to consider ',' as a field separator, and if that's not there take all data until the EOL. With the broken regex: $ echo " Subject: O=Test,CN=guestHyp1ver" | sed 's+.*CN=\(.[a-zA-Z \._-]*\).*+\1+' guestHyp And with the fixed regex $ echo "Subject: O=Test,CN=guestHyp1ver" | sed 's+.*CN=\([^,]*\).*+\1+' guestHyp1ver Reported-by: Kashyap Chamarthy <kchamart@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- tools/virt-pki-validate.in | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in index b04680ddef..c3fadbba64 100755 --- a/tools/virt-pki-validate.in +++ b/tools/virt-pki-validate.in @@ -201,14 +201,14 @@ then echo Client certificate $LIBVIRT/clientcert.pem should be world readable echo "as root do: chown root:root $LIBVIRT/clientcert.pem ; chmod 644 $LIBVIRT/clientcert.pem" else - S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*O=\([a-zA-Z \._-]*\).*+\1+'` + S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*O=\([^,]*\).*+\1+'` if [ "$ORG" != "$S_ORG" ] then echo The CA certificate and the client certificate do not match echo CA organization: $ORG echo Client organization: $S_ORG fi - CLIENT=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*CN=\(.[a-zA-Z \._-]*\).*+\1+'` + CLIENT=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*CN=\(.[^,]*\).*+\1+'` echo Found client certificate $LIBVIRT/clientcert.pem for $CLIENT if [ ! -e "$LIBVIRTP/clientkey.pem" ] then @@ -248,14 +248,14 @@ then echo Server certificate $LIBVIRT/servercert.pem should be world readable echo "as root do: chown root:root $LIBVIRT/servercert.pem ; chmod 644 $LIBVIRT/servercert.pem" else - S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" | grep Subject: | sed 's+.*O=\([a-zA-Z\. _-]*\).*+\1+'` + S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" | grep Subject: | sed 's+.*O=\([^,]*\).*+\1+'` if [ "$ORG" != "$S_ORG" ] then echo The CA certificate and the server certificate do not match echo CA organization: $ORG echo Server organization: $S_ORG fi - S_HOST=`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" | grep Subject: | sed 's+.*CN=\(.[a-zA-Z \._-]*\).*+\1+'` + S_HOST=`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" | grep Subject: | sed 's+.*CN=\([^,]*\).*+\1+'` if test "$S_HOST" != "`hostname -s`" && test "$S_HOST" != "`hostname`" then echo The server certificate does not seem to match the host name -- 2.19.2
On Mon, Dec 10, 2018 at 04:53:27PM +0000, Daniel P. Berrangé wrote:
The virt-pki-validate tool is extracting components in the x509 certificate Subject field. Unfortunately the regex it is is using is far too strict, and so truncating valid data. It needs to consider ',' as a field separator, and if that's not there take all data until the EOL.
With the broken regex:
$ echo " Subject: O=Test,CN=guestHyp1ver" | sed 's+.*CN=\(.[a-zA-Z \._-]*\).*+\1+' guestHyp
And with the fixed regex
$ echo "Subject: O=Test,CN=guestHyp1ver" | sed 's+.*CN=\([^,]*\).*+\1+' guestHyp1ver
Reported-by: Kashyap Chamarthy <kchamart@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- tools/virt-pki-validate.in | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions
diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in index b04680ddef..c3fadbba64 100755 --- a/tools/virt-pki-validate.in +++ b/tools/virt-pki-validate.in @@ -201,14 +201,14 @@ then echo Client certificate $LIBVIRT/clientcert.pem should be world readable echo "as root do: chown root:root $LIBVIRT/clientcert.pem ; chmod 644 $LIBVIRT/clientcert.pem" else - S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*O=\([a-zA-Z \._-]*\).*+\1+'` + S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*O=\([^,]*\).*+\1+'`
So, besides ',' any input is accepted. Works for me in my scenario. Thanks for the quick patch! FWIW: Reviewed-by: Kashyap Chamarthy <kchamart@redhat.com> [...] -- /kashyap
On Mon, Dec 10, 2018 at 04:53:27PM +0000, Daniel P. Berrangé wrote:
The virt-pki-validate tool is extracting components in the x509 certificate Subject field. Unfortunately the regex it is is using is far too strict, and so truncating valid data. It needs to consider ',' as a field separator, and if that's not there take all data until the EOL.
[...]
--- tools/virt-pki-validate.in | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in index b04680ddef..c3fadbba64 100755 --- a/tools/virt-pki-validate.in +++ b/tools/virt-pki-validate.in @@ -201,14 +201,14 @@ then echo Client certificate $LIBVIRT/clientcert.pem should be world readable echo "as root do: chown root:root $LIBVIRT/clientcert.pem ; chmod 644 $LIBVIRT/clientcert.pem" else - S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*O=\([a-zA-Z \._-]*\).*+\1+'` + S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*O=\([^,]*\).*+\1+'`
Unrelated to this patch, nit-pick: s/S_ORG/C_ORG/ here? Because we use 'S_ORG' further below in the script for server certificate. [...] -- /kashyap
On Tue, Dec 11, 2018 at 10:04:34AM +0100, Kashyap Chamarthy wrote:
On Mon, Dec 10, 2018 at 04:53:27PM +0000, Daniel P. Berrangé wrote:
The virt-pki-validate tool is extracting components in the x509 certificate Subject field. Unfortunately the regex it is is using is far too strict, and so truncating valid data. It needs to consider ',' as a field separator, and if that's not there take all data until the EOL.
[...]
--- tools/virt-pki-validate.in | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in index b04680ddef..c3fadbba64 100755 --- a/tools/virt-pki-validate.in +++ b/tools/virt-pki-validate.in @@ -201,14 +201,14 @@ then echo Client certificate $LIBVIRT/clientcert.pem should be world readable echo "as root do: chown root:root $LIBVIRT/clientcert.pem ; chmod 644 $LIBVIRT/clientcert.pem" else - S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*O=\([a-zA-Z \._-]*\).*+\1+'` + S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*O=\([^,]*\).*+\1+'`
Unrelated to this patch, nit-pick: s/S_ORG/C_ORG/ here? Because we use 'S_ORG' further below in the script for server certificate.
Yes, that's a harmless mistake but i'll push a trivial patch to rename it. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
participants (2)
-
Daniel P. Berrangé -
Kashyap Chamarthy