The virt-pki-validate tool is extracting components in the x509
certificate Subject field. Unfortunately the regex it is using is far
too strict, and so truncating valid data. It needs to consider ',' as a
field separator, and if that's not there take all data until the EOL.
With the broken regex:
$ echo " Subject: O=Test,CN=guestHyp1ver" | sed 's+.*CN=\(.[a-zA-Z \._-]*\).*+\1+'
guestHyp
And with the fixed regex
$ echo "Subject: O=Test,CN=guestHyp1ver" | sed 's+.*CN=\([^,]*\).*+\1+'
guestHyp1ver
Reported-by: Kashyap Chamarthy <kchamart@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
tools/virt-pki-validate.in | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in
index b04680ddef..c3fadbba64 100755
--- a/tools/virt-pki-validate.in
+++ b/tools/virt-pki-validate.in
@@ -201,14 +201,14 @@ then
echo Client certificate $LIBVIRT/clientcert.pem should be world readable
echo "as root do: chown root:root $LIBVIRT/clientcert.pem ; chmod 644 $LIBVIRT/clientcert.pem"
else
- S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*O=\([a-zA-Z \._-]*\).*+\1+'`
+ S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*O=\([^,]*\).*+\1+'`
if [ "$ORG" != "$S_ORG" ]
then
echo The CA certificate and the client certificate do not match
echo CA organization: $ORG
echo Client organization: $S_ORG
fi
- CLIENT=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*CN=\(.[a-zA-Z \._-]*\).*+\1+'`
+ CLIENT=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*CN=\(.[^,]*\).*+\1+'`
echo Found client certificate $LIBVIRT/clientcert.pem for $CLIENT
if [ ! -e "$LIBVIRTP/clientkey.pem" ]
then
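Review bot: The CLIENT assignment in this hunk still has the leading . inside the capture group, \(.[^,]*\), while the S_ORG line above it, both lines in the second hunk and the commit message all use \([^,]*\). That . matches any single character, so for a Subject with an empty CN followed by another attribute it would consume the ',' and pull the next attribute into $CLIENT. Dropping the . would make this line match the S_HOST expression.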
@@ -248,14 +248,14 @@ then
echo Server certificate $LIBVIRT/servercert.pem should be world readable
echo "as root do: chown root:root $LIBVIRT/servercert.pem ; chmod 644 $LIBVIRT/servercert.pem"
else
- S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" | grep Subject: | sed 's+.*O=\([a-zA-Z\. _-]*\).*+\1+'`
+ S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" | grep Subject: | sed 's+.*O=\([^,]*\).*+\1+'`
if [ "$ORG" != "$S_ORG" ]
then
echo The CA certificate and the server certificate do not match
echo CA organization: $ORG
echo Server organization: $S_ORG
fi
- S_HOST=`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" | grep Subject: | sed 's+.*CN=\(.[a-zA-Z \._-]*\).*+\1+'`
+ S_HOST=`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" | grep Subject: | sed 's+.*CN=\([^,]*\).*+\1+'`
if test "$S_HOST" != "`hostname -s`" && test "$S_HOST" != "`hostname`"
then
echo The server certificate does not seem to match the host name
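Review bot: Both sed calls in this hunk print their input unchanged when the substitution does not match, so a Subject line with no O= or no CN= leaves the whole "Subject: ..." text in S_ORG or S_HOST, and the comparisons that follow then report a mismatch against that line rather than a missing attribute. Consider sed -n with the p flag on the substitution (s+...+\1+p) so an absent attribute gives an empty value, and check for the empty value before comparing.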
--
2.19.2
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
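Added example (not part of the posted patch or of virt-pki-validate): the pre-patch and post-patch CN expressions from the commit message, run over constructed Subject lines. The dn_attr helper is hypothetical; it assumes the same "Subject: A=x,B=y" line shape and uses sed -n with the p flag so that a missing attribute yields an empty string.

```shell
#!/bin/sh
# All Subject lines below are constructed sample input.

# Pre-patch CN expression: after the first character, the value may only
# contain letters, space, '\', '.', '_' and '-', so a digit ends the capture.
cn_old() { printf '%s\n' "$1" | sed 's+.*CN=\(.[a-zA-Z \._-]*\).*+\1+'; }

# Post-patch CN expression: everything up to the next ',' or end of line.
cn_new() { printf '%s\n' "$1" | sed 's+.*CN=\([^,]*\).*+\1+'; }

# Hypothetical helper (not in virt-pki-validate): same capture as the patch,
# but -n plus the p flag prints only when the substitution matched, so an
# absent attribute gives "" instead of the untouched input line.
# $1 = attribute name (CN, O), $2 = Subject line.
dn_attr() { printf '%s\n' "$2" | sed -n "s+.*$1=\([^,]*\).*+\1+p"; }

show() {
    printf 'line       : [%s]\n' "$1"
    printf '  cn_old   : [%s]\n' "$(cn_old "$1")"
    printf '  cn_new   : [%s]\n' "$(cn_new "$1")"
    printf '  dn_attr  : CN=[%s] O=[%s]\n' \
        "$(dn_attr CN "$1")" "$(dn_attr O "$1")"
}

show " Subject: O=Test,CN=guestHyp1ver"        # digit inside the CN
show "Subject: CN=host-01.example.org,O=Test"  # CN first, digits and dots
show "Subject: O=Test"                         # no CN at all
```

For the last line, cn_new returns the whole Subject line because sed found nothing to substitute, while dn_attr returns an empty string that a caller can test for.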
On Mon, Dec 10, 2018 at 04:53:27PM +0000, Daniel P. Berrangé wrote:
> The virt-pki-validate tool is extracting components in the x509
> certificate Subject field. Unfortunately the regex it is using is far
> too strict, and so truncating valid data. It needs to consider ',' as a
> field separator, and if that's not there take all data until the EOL.
>
> With the broken regex:
>
> $ echo " Subject: O=Test,CN=guestHyp1ver" | sed 's+.*CN=\(.[a-zA-Z \._-]*\).*+\1+'
> guestHyp
>
> And with the fixed regex
>
> $ echo "Subject: O=Test,CN=guestHyp1ver" | sed 's+.*CN=\([^,]*\).*+\1+'
> guestHyp1ver
>
> Reported-by: Kashyap Chamarthy <kchamart@redhat.com>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
> tools/virt-pki-validate.in | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions
>
> diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in
> index b04680ddef..c3fadbba64 100755
> --- a/tools/virt-pki-validate.in
> +++ b/tools/virt-pki-validate.in
> @@ -201,14 +201,14 @@ then
> echo Client certificate $LIBVIRT/clientcert.pem should be world readable
> echo "as root do: chown root:root $LIBVIRT/clientcert.pem ; chmod 644 $LIBVIRT/clientcert.pem"
> else
> - S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*O=\([a-zA-Z \._-]*\).*+\1+'`
> + S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*O=\([^,]*\).*+\1+'`

So, besides ',' any input is accepted. Works for me in my scenario.
Thanks for the quick patch! FWIW:

Reviewed-by: Kashyap Chamarthy <kchamart@redhat.com>

[...]

--
/kashyap
On Mon, Dec 10, 2018 at 04:53:27PM +0000, Daniel P. Berrangé wrote:
> The virt-pki-validate tool is extracting components in the x509
> certificate Subject field. Unfortunately the regex it is using is far
> too strict, and so truncating valid data. It needs to consider ',' as a
> field separator, and if that's not there take all data until the EOL.

[...]

> ---
> tools/virt-pki-validate.in | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in
> index b04680ddef..c3fadbba64 100755
> --- a/tools/virt-pki-validate.in
> +++ b/tools/virt-pki-validate.in
> @@ -201,14 +201,14 @@ then
> echo Client certificate $LIBVIRT/clientcert.pem should be world readable
> echo "as root do: chown root:root $LIBVIRT/clientcert.pem ; chmod 644 $LIBVIRT/clientcert.pem"
> else
> - S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*O=\([a-zA-Z \._-]*\).*+\1+'`
> + S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*O=\([^,]*\).*+\1+'`

Unrelated to this patch, nit-pick: s/S_ORG/C_ORG/ here? Because we use
'S_ORG' further below in the script for server certificate.

[...]

--
/kashyap
On Tue, Dec 11, 2018 at 10:04:34AM +0100, Kashyap Chamarthy wrote:
> On Mon, Dec 10, 2018 at 04:53:27PM +0000, Daniel P. Berrangé wrote:
> > The virt-pki-validate tool is extracting components in the x509
> > certificate Subject field. Unfortunately the regex it is using is far
> > too strict, and so truncating valid data. It needs to consider ',' as a
> > field separator, and if that's not there take all data until the EOL.
>
> [...]
>
> > ---
> > tools/virt-pki-validate.in | 8 ++++----
> > 1 file changed, 4 insertions(+), 4 deletions(-)
> >
> > diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in
> > index b04680ddef..c3fadbba64 100755
> > --- a/tools/virt-pki-validate.in
> > +++ b/tools/virt-pki-validate.in
> > @@ -201,14 +201,14 @@ then
> > echo Client certificate $LIBVIRT/clientcert.pem should be world readable
> > echo "as root do: chown root:root $LIBVIRT/clientcert.pem ; chmod 644 $LIBVIRT/clientcert.pem"
> > else
> > - S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*O=\([a-zA-Z \._-]*\).*+\1+'`
> > + S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*O=\([^,]*\).*+\1+'`
>
> Unrelated to this patch, nit-pick: s/S_ORG/C_ORG/ here? Because we use
> 'S_ORG' further below in the script for server certificate.

Yes, that's a harmless mistake but I'll push a trivial patch to rename it.

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|