diff options
| author | Tim Bielawa <tbielawa@redhat.com> | 2017-06-23 11:20:06 -0400 |
|---|---|---|
| committer | Tim Bielawa <tbielawa@redhat.com> | 2017-06-23 11:20:06 -0400 |
| commit | b45b2ff5412b29ae995027cdd1982a1dec0066d7 (patch) | |
| tree | 9d15736ebcb07287b4c2b5e64112bcef688be8b3 /roles/openshift_certificate_expiry | |
| parent | 272288b9d7a771f72af1e6b9c3fbb68a1030b6a3 (diff) | |
| download | openshift-b45b2ff5412b29ae995027cdd1982a1dec0066d7.tar.gz openshift-b45b2ff5412b29ae995027cdd1982a1dec0066d7.tar.bz2 openshift-b45b2ff5412b29ae995027cdd1982a1dec0066d7.tar.xz openshift-b45b2ff5412b29ae995027cdd1982a1dec0066d7.zip | |
Fix parsing certs with very large serial numbers
Certificates with large serial numbers (such as those from commercial
vendors) previously failed to parse due to absent logic in the
FakeOpenSSLCertificate parser. This would cause the module to abort
and break any other roles depending on the cert expiry checking
results.
* Identifies large serials in HEX format for decimal conversion
* Update unit tests to parse a large serial
Diffstat (limited to 'roles/openshift_certificate_expiry')
| -rw-r--r-- | roles/openshift_certificate_expiry/library/openshift_cert_expiry.py | 21 | ||||
| -rw-r--r-- | roles/openshift_certificate_expiry/test/conftest.py | 5 |
2 files changed, 23 insertions, 3 deletions
diff --git a/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py b/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py index 0242f5b43..44a8fa29b 100644 --- a/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py +++ b/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py @@ -104,6 +104,7 @@ platforms missing the Python OpenSSL library. self.extensions = [] PARSING_ALT_NAMES = False + PARSING_HEX_SERIAL = False for line in self.cert_string.split('\n'): l = line.strip() if PARSING_ALT_NAMES: @@ -114,10 +115,26 @@ platforms missing the Python OpenSSL library. PARSING_ALT_NAMES = False continue + if PARSING_HEX_SERIAL: + # Hex serials arrive colon-delimited + serial_raw = l.replace(':', '') + # Convert to decimal + self.serial = int('0x' + serial_raw, base=16) + PARSING_HEX_SERIAL = False + continue + # parse out the bits that we can if l.startswith('Serial Number:'): - # Serial Number: 11 (0xb) - # => 11 + # Decimal format: + # Serial Number: 11 (0xb) + # => 11 + # Hex Format (large serials): + # Serial Number: + # 0a:de:eb:24:04:75:ab:56:39:14:e9:5a:22:e2:85:bf + # => 14449739080294792594019643629255165375 + if l.endswith(':'): + PARSING_HEX_SERIAL = True + continue self.serial = int(l.split()[-2]) elif l.startswith('Not After :'): diff --git a/roles/openshift_certificate_expiry/test/conftest.py b/roles/openshift_certificate_expiry/test/conftest.py index 4ca35ecbc..df948fff0 100644 --- a/roles/openshift_certificate_expiry/test/conftest.py +++ b/roles/openshift_certificate_expiry/test/conftest.py @@ -23,7 +23,10 @@ VALID_CERTIFICATE_PARAMS = [ { 'short_name': 'combined', 'cn': 'combined.example.com', - 'serial': 6, + # Verify that HUGE serials parse correctly. + # Frobs PARSING_HEX_SERIAL in _parse_cert + # See https://bugzilla.redhat.com/show_bug.cgi?id=1464240 + 'serial': 14449739080294792594019643629255165375, 'uses': b'clientAuth, serverAuth', 'dns': ['etcd'], 'ip': ['10.0.0.2', '192.168.0.2'] |