From: Daniel P. Berrangé
To: libvir-list@redhat.com
Date: Mon, 10 Dec 2018 16:53:27 +0000
Message-Id: <20181210165327.11033-1-berrange@redhat.com>
Subject: [libvirt] [PATCH] tools: relax x509 Subject regexes to allow numbers and more

The virt-pki-validate tool is extracting components in the x509
certificate Subject field. Unfortunately the regex it is using is far
too strict, and so truncating valid data. It needs to consider ',' as a
field separator, and if that's not there take all data until the EOL.

With the broken regex:

  $ echo " Subject: O=Test,CN=guestHyp1ver" | sed 's+.*CN=\(.[a-zA-Z \._-]*\).*+\1+'
  guestHyp

And with the fixed regex

  $ echo "Subject: O=Test,CN=guestHyp1ver" | sed 's+.*CN=\([^,]*\).*+\1+'
  guestHyp1ver

Reported-by: Kashyap Chamarthy
Signed-off-by: Daniel P. Berrangé
---
 tools/virt-pki-validate.in | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in
index b04680ddef..c3fadbba64 100755
--- a/tools/virt-pki-validate.in
+++ b/tools/virt-pki-validate.in
@@ -201,14 +201,14 @@ then echo Client certificate $LIBVIRT/clientcert.pem should be world re= adable echo "as root do: chown root:root $LIBVIRT/clientcert.pem ; chmod = 644 $LIBVIRT/clientcert.pem" else - S_ORG=3D`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep S= ubject: | sed 's+.*O=3D\([a-zA-Z \._-]*\).*+\1+'` + S_ORG=3D`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep S= ubject: | sed 's+.*O=3D\([^,]*\).*+\1+'` if [ "$ORG" !=3D "$S_ORG" ] then echo The CA certificate and the client certificate do not match echo CA organization: $ORG echo Client organization: $S_ORG fi - CLIENT=3D`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep = Subject: | sed 's+.*CN=3D\(.[a-zA-Z \._-]*\).*+\1+'` + CLIENT=3D`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep = Subject: | sed 's+.*CN=3D\(.[^,]*\).*+\1+'` echo Found client certificate $LIBVIRT/clientcert.pem for $CLIENT if [ ! -e "$LIBVIRTP/clientkey.pem" ] then 
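Review bot: the new CLIENT line keeps a stray `.` inside the capture group, `sed 's+.*CN=\(.[^,]*\).*+\1+'`, while the S_ORG line in this same hunk and the S_HOST line in the server hunk use `\([^,]*\)`; the three expressions should be identical, and the extra `.` also means an empty CN (`CN=,O=...`) would swallow the comma and capture the following attribute, so drop it. Unrelated to this change but visible in the trailing context, `if [ ! -e "$LIBVIRTP/clientkey.pem" ]` references $LIBVIRTP, which looks like a typo for $LIBVIRT and would make that existence check test a path under an unset variable.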
@@ -248,14 +248,14 @@ then echo Server certificate $LIBVIRT/servercert.pem should be world re= adable echo "as root do: chown root:root $LIBVIRT/servercert.pem ; chmod = 644 $LIBVIRT/servercert.pem" else - S_ORG=3D`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" | grep S= ubject: | sed 's+.*O=3D\([a-zA-Z\. _-]*\).*+\1+'` + S_ORG=3D`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" | grep S= ubject: | sed 's+.*O=3D\([^,]*\).*+\1+'` if [ "$ORG" !=3D "$S_ORG" ] then echo The CA certificate and the server certificate do not match echo CA organization: $ORG echo Server organization: $S_ORG fi - S_HOST=3D`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" | grep = Subject: | sed 's+.*CN=3D\(.[a-zA-Z \._-]*\).*+\1+'` + S_HOST=3D`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" | grep = Subject: | sed 's+.*CN=3D\([^,]*\).*+\1+'` if test "$S_HOST" !=3D "`hostname -s`" && test "$S_HOST" !=3D "`ho= stname`" then echo The server certificate does not seem to match the host na= me --=20 2.19.2 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
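Review bot: $ORG, which the new S_ORG extraction here is compared against, is read from the CA certificate outside this diff (the diffstat shows only these four lines changing); if that extraction still uses the old `[a-zA-Z\. _-]*` class, an organization name containing a digit will be truncated on the CA side only and "The CA certificate and the server certificate do not match" will be reported for every certificate, so please relax it the same way, or better, move the Subject parsing into one helper used for all three certificates. A comment in the script would also help: `[^,]*` stops at the first comma, so a value with an RFC 4514 escaped comma (`O=Acme\, Inc.`) is still cut short; that is probably acceptable for this tool, but it is a known limit of the new expression.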
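The following script is an added illustration of the regex change described in the commit message; it is example code, not part of the patch or of the virt-pki-validate script. It runs the pre-patch and post-patch sed expressions over constructed certtool-style "Subject:" lines (certtool itself is not invoked), showing the truncation on a CN with a digit, the corrected result, and the one case the new expression still cuts short, a value containing an RFC 4514 escaped comma. The hostnames passed to the match helper are assumed values so the example does not depend on the machine it runs on.

```shell
#!/bin/sh
# Added example: compares the old and new Subject-parsing regexes from the
# libvirt patch on constructed input. Not part of virt-pki-validate.

# Pre-patch CN extraction. The class [a-zA-Z \._-] has no digits, so the
# match ends at the first digit and the remainder of the CN is discarded.
old_cn() {
    printf '%s\n' "$1" | sed 's+.*CN=\(.[a-zA-Z \._-]*\).*+\1+'
}

# Post-patch CN extraction: everything after "CN=" up to the next ',' or,
# when there is no comma, up to end of line.
new_cn() {
    printf '%s\n' "$1" | sed 's+.*CN=\([^,]*\).*+\1+'
}

# Post-patch O extraction, same rule.
new_org() {
    printf '%s\n' "$1" | sed 's+.*O=\([^,]*\).*+\1+'
}

# Mirror of the script's server check: does the CN equal the short or the
# fully qualified hostname? Hostnames are passed in explicitly (assumed
# values) instead of calling hostname(1).
cn_matches_host() {
    # $1: Subject line, $2: short hostname, $3: FQDN
    cn=$(new_cn "$1")
    [ "$cn" = "$2" ] || [ "$cn" = "$3" ]
}

# Constructed sample Subject lines, in the format certtool -i prints.
S1=' Subject: O=Test,CN=guestHyp1ver'
S2=' Subject: CN=kvm-host2.example.com,O=Test'
# Escaped comma inside a value: the new [^,]* still stops there.
S3=' Subject: O=Acme\, Inc.,CN=kvm-host2.example.com'

printf 'old CN (S1): %s\n' "$(old_cn "$S1")"    # guestHyp
printf 'new CN (S1): %s\n' "$(new_cn "$S1")"    # guestHyp1ver
printf 'old CN (S2): %s\n' "$(old_cn "$S2")"    # kvm-host
printf 'new CN (S2): %s\n' "$(new_cn "$S2")"    # kvm-host2.example.com
printf 'new O  (S3): %s\n' "$(new_org "$S3")"   # Acme\   (truncated at the escaped comma)
if cn_matches_host "$S2" kvm-host2 kvm-host2.example.com; then
    printf 'S2 CN matches the assumed hostname\n'
fi
```

Run it with `sh` on any system with a POSIX sed; the output shows that the old class loses everything from the first digit onward, that the new expression returns the full attribute, and that escaped commas remain a gap in the new expression as well.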