From ecf8619430f78b8b2beeb57c239cc78f6e3907bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 10 Dec 2018 16:50:10 +0000
Subject: [PATCH] tools: relax x509 Subject regexes to allow numbers and more
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The virt-pki-validate tool is extracting components in the x509
certificate Subject field. Unfortunately the regex it is is using is far
too strict, and so truncating valid data. It needs to consider ',' as a
field separator, and if that's not there take all data until the EOL.

With the broken regex:

$ echo "  Subject: O=Test,CN=guestHyp1ver"  | sed 's+.*CN=\(.[a-zA-Z \._-]*\).*+\1+'
guestHyp

And with the fixed regex

$ echo "Subject: O=Test,CN=guestHyp1ver"  | sed 's+.*CN=\([^,]*\).*+\1+'
guestHyp1ver

Reported-by: Kashyap Chamarthy <kchamart@redhat.com>
Reviewed-by: Kashyap Chamarthy <kchamart@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 tools/virt-pki-validate.in | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in
index b04680ddef..c3fadbba64 100755
--- a/tools/virt-pki-validate.in
+++ b/tools/virt-pki-validate.in
@@ -201,14 +201,14 @@ then
         echo Client certificate $LIBVIRT/clientcert.pem should be world readable
         echo "as root do: chown root:root $LIBVIRT/clientcert.pem ; chmod 644 $LIBVIRT/clientcert.pem"
     else
-        S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*O=\([a-zA-Z \._-]*\).*+\1+'`
+        S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*O=\([^,]*\).*+\1+'`
         if [ "$ORG" != "$S_ORG" ]
         then
             echo The CA certificate and the client certificate do not match
             echo CA organization: $ORG
             echo Client organization: $S_ORG
         fi
-        CLIENT=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*CN=\(.[a-zA-Z \._-]*\).*+\1+'`
+        CLIENT=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*CN=\(.[^,]*\).*+\1+'`
         echo Found client certificate $LIBVIRT/clientcert.pem for $CLIENT
         if [ ! -e "$LIBVIRTP/clientkey.pem" ]
         then
@@ -248,14 +248,14 @@ then
         echo Server certificate $LIBVIRT/servercert.pem should be world readable
         echo "as root do: chown root:root $LIBVIRT/servercert.pem ; chmod 644 $LIBVIRT/servercert.pem"
     else
-        S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" | grep Subject: | sed 's+.*O=\([a-zA-Z\. _-]*\).*+\1+'`
+        S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" | grep Subject: | sed 's+.*O=\([^,]*\).*+\1+'`
         if [ "$ORG" != "$S_ORG" ]
         then
             echo The CA certificate and the server certificate do not match
             echo CA organization: $ORG
             echo Server organization: $S_ORG
         fi
-        S_HOST=`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" | grep Subject: | sed 's+.*CN=\(.[a-zA-Z \._-]*\).*+\1+'`
+        S_HOST=`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" | grep Subject: | sed 's+.*CN=\([^,]*\).*+\1+'`
         if test "$S_HOST" != "`hostname -s`" && test "$S_HOST" != "`hostname`"
         then
             echo The server certificate does not seem to match the host name
-- 
GitLab