
[libvirt] [PATCH] Fix virt-pki-validate's determination of CN

Fix virt-pki-validate's determination of CN

This patch is a follow-up to:
    "portability fixes to tools/virt-pki-validate.in"
addressing Eric Blake's concerns about the regular expression.

Ubuntu's gnutls package generates an Issuer line that looks like this:
        Issuer: C=US,ST=NY,L=Rochester,O=example.com,CN=example.com CA,EMAIL=hostmaster example com

While Red Hat's looks like this:
Issuer: CN=Red Hat Emerging Technologies

Note the leading whitespace, and the additional fields in the former.

This patch updates the regular expression to:
 * trim leading characters before "Issuer:"
 * trim anything between Issuer: and CN=
 * trim anything after the next ,

I've tested this against the certtool output of both RH and Ubuntu
generated certs.

I know that Eric dislikes the leading grep.  My apologies.  I spent more
time than I care to admit trying to get sed to select that one line, and
then run two regexes against it.  Feel free to correct this patch and
educate me, if you have a better way.  Thanks!

Signed-off-by: Dustin Kirkland <kirkland canonical com>

diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in
index f77521d..c44aa9d 100755
--- a/tools/virt-pki-validate.in
+++ b/tools/virt-pki-validate.in
@@ -130,7 +130,7 @@ then
     echo "as root do: chmod 644 $CA/cacert.pem"
     exit 1
-ORG=`$CERTOOL -i --infile $CA/cacert.pem | sed -n '/Issuer/ s+Issuer: CN=++p'`
+ORG=`$CERTOOL -i --infile $CA/cacert.pem | grep "Issuer:" | sed -e 's/^.*Issuer:.*CN=//' -e 's/,.*$//'`
 if [ "$ORG" = "" ]
     echo the CA certificate $CA/cacert.pem does not define the organization
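
Review bot: on the new ORG= line, replacing `sed -n '... p'` with plain `sed -e` means every line that grep passes is printed whether or not the CN= substitution matched, so an Issuer line with no CN= field leaves ORG set to the partly trimmed "Issuer: ..." text, and the `[ "$ORG" = "" ]` test that follows no longer catches a CA certificate without a CN. The unanchored `grep "Issuer:"` also passes every line that contains that string, so ORG can come out multi-line. A single expression that prints only on a successful match keeps the old failure behaviour and drops the grep: `sed -n 's/^.*Issuer:.*CN=\([^,]*\).*$/\1/p'`. It would also help to note in a comment that `.*CN=` is greedy and picks the last CN= on the line, and that a CN value which itself contains a comma is cut at that comma.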
