[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] Fix virt-pki-validate's determination of CN



On Thu, 2010-04-29 at 15:56 -0600, Eric Blake wrote:
> From: Dustin Kirkland <kirkland canonical com>
> 
> Ubuntu's gntls package generates an Issuer line that looks like this:
>         Issuer: C=US,ST=NY,L=Rochester,O=example.com,CN=example.com CA,EMAIL=hostmaster example com
> 
> While Red Hat's looks like this
> Issuer: CN=Red Hat Emerging Technologies
> 
> Note the leading whitespace, and the additional fields in the former.
> 
> This patch updates the regular expression to:
>  * trim leading characters before "Issuer:"
>  * trim anything between Issuer: and CN=
>  * trim anything after the next ,
> 
> I've tested this against the certool output of both RH and Ubuntu
> generated certs.
> 
> Signed-off-by: Dustin Kirkland <kirkland canonical com>
> Signed-off-by: Eric Blake <eblake redhat com>
> ---
>  tools/virt-pki-validate.in |    7 ++++++-
>  1 files changed, 6 insertions(+), 1 deletions(-)
> 
> diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in
> index f77521d..207fa76 100755
> --- a/tools/virt-pki-validate.in
> +++ b/tools/virt-pki-validate.in
> @@ -130,7 +130,12 @@ then
>      echo "as root do: chmod 644 $CA/cacert.pem"
>      exit 1
>  fi
> -ORG=`$CERTOOL -i --infile $CA/cacert.pem | sed -n '/Issuer/ s+Issuer: CN=++p'`
> +sed_get_org='/Issuer:/ {
> +  s/.*Issuer:.*CN=//
> +  s/,.*//
> +  p
> +}'
> +ORG=`$CERTOOL -i --infile $CA/cacert.pem | sed -n "$sed_get_org"`
>  if [ "$ORG" = "" ]
>  then
>      echo the CA certificate $CA/cacert.pem does not define the organization

Thanks, Eric.  I've tested this and it still works works as expected for
me against the two different cert formats.

Tested-by: Dustin Kirkland <kirkland canonical com>

Attachment: signature.asc
Description: This is a digitally signed message part


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]