Home Explore Help
Register Sign In
shixiong
/
okd
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Fix parsing certs with very large serial numbers

Certificates with large serial numbers (such as those from commercial
vendors) previously failed to parse due to absent logic in the
FakeOpenSSLCertificate parser. This would cause the module to abort
and break any other roles depending on the cert expiry checking
results.

* Identifies large serials in HEX format for decimal conversion
* Update unit tests to parse a large serial
Tim Bielawa 7 years ago
parent
272288b9d7
commit
b45b2ff541
2 changed files with 23 additions and 3 deletions
Unified View Show Diff Stats
  1. 19 2
      roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
  2. 4 1
      roles/openshift_certificate_expiry/test/conftest.py

+ 19 - 2
roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
View File 

@@ -104,6 +104,7 @@ platforms missing the Python OpenSSL library.
 
         self.extensions = []
 
         self.extensions = []
 
 
 
         PARSING_ALT_NAMES = False
 
         PARSING_ALT_NAMES = False
 
+        PARSING_HEX_SERIAL = False
 
         for line in self.cert_string.split('\n'):
 
         for line in self.cert_string.split('\n'):
 
             l = line.strip()
 
             l = line.strip()
 
             if PARSING_ALT_NAMES:
 
             if PARSING_ALT_NAMES:
 
@@ -114,10 +115,26 @@ platforms missing the Python OpenSSL library.
 
                 PARSING_ALT_NAMES = False
 
                 PARSING_ALT_NAMES = False
 
                 continue
 
                 continue
 
 
 
+            if PARSING_HEX_SERIAL:
 
+                # Hex serials arrive colon-delimited
 
+                serial_raw = l.replace(':', '')
 
+                # Convert to decimal
 
+                self.serial = int('0x' + serial_raw, base=16)
 
+                PARSING_HEX_SERIAL = False
 
+                continue
 
+
 
             # parse out the bits that we can
 
             # parse out the bits that we can
 
             if l.startswith('Serial Number:'):
 
             if l.startswith('Serial Number:'):
 
-                # Serial Number: 11 (0xb)
 
-                # => 11
 
+                # Decimal format:
 
+                #   Serial Number: 11 (0xb)
 
+                #   => 11
 
+                # Hex Format (large serials):
 
+                #   Serial Number:
 
+                #       0a:de:eb:24:04:75:ab:56:39:14:e9:5a:22:e2:85:bf
 
+                #   => 14449739080294792594019643629255165375
 
+                if l.endswith(':'):
 
+                    PARSING_HEX_SERIAL = True
 
+                    continue
 
                 self.serial = int(l.split()[-2])
 
                 self.serial = int(l.split()[-2])
 
 
 
             elif l.startswith('Not After :'):
 
             elif l.startswith('Not After :'):

+ 4 - 1
roles/openshift_certificate_expiry/test/conftest.py
View File 

@@ -23,7 +23,10 @@ VALID_CERTIFICATE_PARAMS = [
 
     {
 
     {
 
         'short_name': 'combined',
 
         'short_name': 'combined',
 
         'cn': 'combined.example.com',
 
         'cn': 'combined.example.com',
 
-        'serial': 6,
 
+        # Verify that HUGE serials parse correctly.
 
+        # Frobs PARSING_HEX_SERIAL in _parse_cert
 
+        # See https://bugzilla.redhat.com/show_bug.cgi?id=1464240
 
+        'serial': 14449739080294792594019643629255165375,
 
         'uses': b'clientAuth, serverAuth',
 
         'uses': b'clientAuth, serverAuth',
 
         'dns': ['etcd'],
 
         'dns': ['etcd'],
 
         'ip': ['10.0.0.2', '192.168.0.2']
 
         'ip': ['10.0.0.2', '192.168.0.2']