1. Patchew
  2. Libvirt
  3. View series

[libvirt] [PATCH] fix regex to check CN from server certificate

Tiago M. Vieira posted 1 patch 6 years, 2 months ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/20180126193302.18394-1-tmv@redhat.com
tools/virt-pki-validate.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[libvirt] [PATCH] fix regex to check CN from server certificate
Posted by Tiago M. Vieira 6 years, 2 months ago 
Currently when the script validates the PKI files and
the certificate 'Subject:' field contains RDNs after
the Common Name (CN), these values are also included,
creating a false result that the CN is not correct.

A small change to the sed regex fixes this issue, by
extracting only the value for CN and nothing else. The
regex is replaced with the exact same regex used to
extract the CN value from the client certificate.
---
 tools/virt-pki-validate.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in
index 206637abf..b04680dde 100755
--- a/tools/virt-pki-validate.in
+++ b/tools/virt-pki-validate.in
@@ -255,7 +255,7 @@ then
             echo CA organization: $ORG
             echo Server organization: $S_ORG
         fi
-        S_HOST=`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" | grep Subject: | sed 's+.*CN=\([a-zA-Z\. _-]*\)+\1+'`
+        S_HOST=`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" | grep Subject: | sed 's+.*CN=\(.[a-zA-Z \._-]*\).*+\1+'`
         if test "$S_HOST" != "`hostname -s`" && test "$S_HOST" != "`hostname`"
         then
             echo The server certificate does not seem to match the host name
-- 
2.14.3

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] fix regex to check CN from server certificate
Posted by Andrea Bolognani 6 years, 2 months ago 
On Fri, 2018-01-26 at 14:33 -0500, Tiago M. Vieira wrote:
> Currently when the script validates the PKI files and
> the certificate 'Subject:' field contains RDNs after
> the Common Name (CN), these values are also included,
> creating a false result that the CN is not correct.
> 
> A small change to the sed regex fixes this issue, by
> extracting only the value for CN and nothing else. The
> regex is replaced with the exact same regex used to
> extract the CN value from the client certificate.
> ---
>  tools/virt-pki-validate.in | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in
> index 206637abf..b04680dde 100755
> --- a/tools/virt-pki-validate.in
> +++ b/tools/virt-pki-validate.in
> @@ -255,7 +255,7 @@ then
>              echo CA organization: $ORG
>              echo Server organization: $S_ORG
>          fi
> -        S_HOST=`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" | grep Subject: | sed 's+.*CN=\([a-zA-Z\. _-]*\)+\1+'`
> +        S_HOST=`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" | grep Subject: | sed 's+.*CN=\(.[a-zA-Z \._-]*\).*+\1+'`
>          if test "$S_HOST" != "`hostname -s`" && test "$S_HOST" != "`hostname`"
>          then
>              echo The server certificate does not seem to match the host name

ACK and pushed.

Congratulation on your first contribution to libvirt! :)

-- 
Andrea Bolognani / Red Hat / Virtualization

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Patchew 2.1-devel-0870f84

© 2016 - 2024 Red Hat, Inc.