lp-signing

Merge ~cjwatson/lp-signing:escape-common-name into lp-signing:master

Proposed by Colin Watson on 2020-04-20

Status:	Merged
Approved by:	Colin Watson on 2020-04-20
Approved revision:	57b939f69e11f1b5e1f1d3e0344a93b8f6c7d7fe
Merge reported by:	Otto Co-Pilot
Merged at revision:	not available
Proposed branch:	~cjwatson/lp-signing:escape-common-name
Merge into:	lp-signing:master
Diff against target:	118 lines (+13/-11) 2 files modified lp_signing/model/key.py (+3/-1) lp_signing/model/tests/test_key.py (+10/-10)
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Thiago F. Pappacena (community)		2020-04-20	Approve on 2020-04-20
Review via email: mp+382598@code.launchpad.net

Commit message

Escape common names in openssl req -subj

Description of the change

req(1ssl) says, for -subj:

The arg must be formatted as "/type0=value0/type1=value1/type2=...". Keyword characters may be escaped by \ (backslash), and whitespace is retained.

Accordingly, escape any "/" and "=" characters in the common name when building the -subj argument.

Revision history for this message

Thiago F. Pappacena (pappacena) wrote on 2020-04-20:

LGTM

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Canonical Launchpad Engineering

Colin Watson

1	diff --git a/lp_signing/model/key.py b/lp_signing/model/key.py
2	index 84ddc46..451b3b2 100644
3	--- a/lp_signing/model/key.py
4	+++ b/lp_signing/model/key.py
5	@@ -12,6 +12,7 @@ from contextlib import contextmanager
6	import json
7	import logging
8	from pathlib import Path
9	+import re
10	import shutil
11	import subprocess
12	from subprocess import CalledProcessError
13	@@ -251,9 +252,10 @@ class Key(Storm):
14	"""
15	key = tmp / f"{key_type.name.lower()}.key"
16	cert = tmp / f"{key_type.name.lower()}.crt"
17	+ common_name_esc = re.sub(r'([/=])', r'\\\1', common_name)
18	_log_subprocess_run([
19	"openssl", "req", "-new", "-x509", "-newkey", "rsa:2048",
20	- "-subj", f"/CN={common_name}/", "-keyout", str(key),
21	+ "-subj", f"/CN={common_name_esc}/", "-keyout", str(key),
22	"-out", str(cert), "-days", "3650", "-nodes", "-sha256",
23	], check=True)
24	return key.read_bytes(), cert.read_bytes()
25	diff --git a/lp_signing/model/tests/test_key.py b/lp_signing/model/tests/test_key.py
26	index 48bc737..8b7d1f1 100644
27	--- a/lp_signing/model/tests/test_key.py
28	+++ b/lp_signing/model/tests/test_key.py
29	@@ -104,7 +104,7 @@ class TestKey(TestCase):
30	fingerprint = factory.generate_fingerprint()
31	fake_openssl = FakeOpenSSL(private_key, public_key, fingerprint)
32	self.processes_fixture.add(fake_openssl)
33	- key = Key.generate(KeyType.UEFI, "PPA signing-owner testing")
34	+ key = Key.generate(KeyType.UEFI, "~signing-owner/ubuntu/testing")
35	now = get_transaction_timestamp(store)
36	self.assertThat(key, MatchesStructure.byEquality(
37	key_type=KeyType.UEFI,
38	@@ -117,7 +117,7 @@ class TestKey(TestCase):
39	key, Key.getByTypeAndFingerprint(KeyType.UEFI, fingerprint))
40	req_args = [
41	"openssl", "req", "-new", "-x509", "-newkey", "rsa:2048",
42	- "-subj", "/CN=PPA signing-owner testing UEFI/",
43	+ "-subj", r"/CN=~signing-owner\/ubuntu\/testing UEFI/",
44	"-keyout", EndsWith("uefi.key"), "-out", EndsWith("uefi.crt"),
45	"-days", "3650", "-nodes", "-sha256",
46	]
47	@@ -141,7 +141,7 @@ class TestKey(TestCase):
48	fingerprint = factory.generate_fingerprint()
49	fake_openssl = FakeOpenSSL(private_key, public_key, fingerprint)
50	self.processes_fixture.add(fake_openssl)
51	- key = Key.generate(KeyType.KMOD, "PPA signing-owner testing")
52	+ key = Key.generate(KeyType.KMOD, "~signing-owner/ubuntu/testing")
53	now = get_transaction_timestamp(store)
54	self.assertThat(key, MatchesStructure.byEquality(
55	key_type=KeyType.KMOD,
56	@@ -154,7 +154,7 @@ class TestKey(TestCase):
57	key, Key.getByTypeAndFingerprint(KeyType.KMOD, fingerprint))
58	self.assertIn("[ req ]", fake_openssl.keygen_text)
59	self.assertThat(fake_openssl.keygen_text, MatchesRegex(
60	- r".\bCN\s=\s*PPA signing-owner testing\b", flags=re.S))
61	+ r".\bCN\s=\s*~signing-owner/ubuntu/testing\b", flags=re.S))
62	self.assertThat(fake_openssl.keygen_text, MatchesRegex(
63	r".\bextendedKeyUsage\s=\s*"
64	r"codeSigning,1.3.6.1.4.1.2312.16.1.2\s*\b", flags=re.S))
65	@@ -190,7 +190,7 @@ class TestKey(TestCase):
66	fingerprint = factory.generate_fingerprint()
67	fake_openssl = FakeOpenSSL(private_key, public_key, fingerprint)
68	self.processes_fixture.add(fake_openssl)
69	- key = Key.generate(KeyType.OPAL, "PPA signing-owner testing")
70	+ key = Key.generate(KeyType.OPAL, "~signing-owner/ubuntu/testing")
71	now = get_transaction_timestamp(store)
72	self.assertThat(key, MatchesStructure.byEquality(
73	key_type=KeyType.OPAL,
74	@@ -203,7 +203,7 @@ class TestKey(TestCase):
75	key, Key.getByTypeAndFingerprint(KeyType.OPAL, fingerprint))
76	self.assertIn("[ req ]", fake_openssl.keygen_text)
77	self.assertThat(fake_openssl.keygen_text, MatchesRegex(
78	- r".\bCN\s=\s*PPA signing-owner testing\b", flags=re.S))
79	+ r".\bCN\s=\s*~signing-owner/ubuntu/testing\b", flags=re.S))
80	self.assertNotIn("extendedKeyUsage", fake_openssl.keygen_text)
81	req_args = [
82	"openssl", "req", "-new", "-nodes", "-utf8", "-sha512",
83	@@ -237,7 +237,7 @@ class TestKey(TestCase):
84	fingerprint = factory.generate_fingerprint()
85	fake_openssl = FakeOpenSSL(private_key, public_key, fingerprint)
86	self.processes_fixture.add(fake_openssl)
87	- key = Key.generate(KeyType.SIPL, "PPA signing-owner testing")
88	+ key = Key.generate(KeyType.SIPL, "~signing-owner/ubuntu/testing")
89	now = get_transaction_timestamp(store)
90	self.assertThat(key, MatchesStructure.byEquality(
91	key_type=KeyType.SIPL,
92	@@ -250,7 +250,7 @@ class TestKey(TestCase):
93	key, Key.getByTypeAndFingerprint(KeyType.SIPL, fingerprint))
94	self.assertIn("[ req ]", fake_openssl.keygen_text)
95	self.assertThat(fake_openssl.keygen_text, MatchesRegex(
96	- r".\bCN\s=\s*PPA signing-owner testing\b", flags=re.S))
97	+ r".\bCN\s=\s*~signing-owner/ubuntu/testing\b", flags=re.S))
98	self.assertNotIn("extendedKeyUsage", fake_openssl.keygen_text)
99	req_args = [
100	"openssl", "req", "-new", "-nodes", "-utf8", "-sha512",
101	@@ -284,7 +284,7 @@ class TestKey(TestCase):
102	fingerprint = factory.generate_fingerprint()
103	fake_openssl = FakeOpenSSL(private_key, public_key, fingerprint)
104	self.processes_fixture.add(fake_openssl)
105	- key = Key.generate(KeyType.FIT, "PPA signing-owner testing")
106	+ key = Key.generate(KeyType.FIT, "~signing-owner/ubuntu/testing")
107	now = get_transaction_timestamp(store)
108	self.assertThat(key, MatchesStructure.byEquality(
109	key_type=KeyType.FIT,
110	@@ -297,7 +297,7 @@ class TestKey(TestCase):
111	key, Key.getByTypeAndFingerprint(KeyType.FIT, fingerprint))
112	req_args = [
113	"openssl", "req", "-new", "-x509", "-newkey", "rsa:2048",
114	- "-subj", "/CN=PPA signing-owner testing FIT/",
115	+ "-subj", r"/CN=~signing-owner\/ubuntu\/testing FIT/",
116	"-keyout", EndsWith("fit.key"), "-out", EndsWith("fit.crt"),
117	"-days", "3650", "-nodes", "-sha256",
118	]