Merge ~cjwatson/lp-signing:escape-common-name into lp-signing:master

Proposed by Colin Watson
Status: Merged
Approved by: Colin Watson
Approved revision: 57b939f69e11f1b5e1f1d3e0344a93b8f6c7d7fe
Merge reported by: Otto Co-Pilot
Merged at revision: not available
Proposed branch: ~cjwatson/lp-signing:escape-common-name
Merge into: lp-signing:master
Diff against target: 118 lines (+13/-11)
2 files modified
lp_signing/model/key.py (+3/-1)
lp_signing/model/tests/test_key.py (+10/-10)
Reviewer Review Type Date Requested Status
Thiago F. Pappacena (community) Approve
Review via email: mp+382598@code.launchpad.net

Commit message

Escape common names in openssl req -subj

Description of the change

req(1ssl) says, for -subj:

  The arg must be formatted as "/type0=value0/type1=value1/type2=...". Keyword characters may be escaped by \ (backslash), and whitespace is retained.

Accordingly, escape any "/" and "=" characters in the common name when building the -subj argument.

Thiago F. Pappacena (pappacena) wrote :

LGTM

review: Approve

Preview Diff

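diff --git a/lp_signing/model/key.py b/lp_signing/model/key.py
index 84ddc46..451b3b2 100644
--- a/lp_signing/model/key.py
+++ b/lp_signing/model/key.py
@@ -12,6 +12,7 @@ from contextlib import contextmanager
 import json
 import logging
 from pathlib import Path
+import re
 import shutil
 import subprocess
 from subprocess import CalledProcessError
@@ -251,9 +252,10 @@ class Key(Storm):
  """
  key = tmp / f"{key_type.name.lower()}.key"
  cert = tmp / f"{key_type.name.lower()}.crt"
+ common_name_esc = re.sub(r'([/=])', r'\\\1', common_name)
  _log_subprocess_run([
  "openssl", "req", "-new", "-x509", "-newkey", "rsa:2048",
- "-subj", f"/CN={common_name}/", "-keyout", str(key),
+ "-subj", f"/CN={common_name_esc}/", "-keyout", str(key),
  "-out", str(cert), "-days", "3650", "-nodes", "-sha256",
  ], check=True)
  return key.read_bytes(), cert.read_bytes()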
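Review bot: The character class in `re.sub(r'([/=])', r'\\\1', common_name)` leaves the backslash itself unescaped, although the req(1ssl) text quoted in the description makes `\` the escape character for -subj. A common name that contains or ends in a backslash would then change how the following `/` or `=` is parsed, so the certificate subject may no longer be a single CN with the intended value. Consider `common_name_esc = re.sub(r'([/=\\])', r'\\\1', common_name)`, and check whether `+` also needs escaping on the OpenSSL versions in use, since some versions read it as a multi-valued RDN separator. The enclosing method starts before this hunk, so where common_name comes from and whether it is validated earlier is not visible here.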
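diff --git a/lp_signing/model/tests/test_key.py b/lp_signing/model/tests/test_key.py
index 48bc737..8b7d1f1 100644
--- a/lp_signing/model/tests/test_key.py
+++ b/lp_signing/model/tests/test_key.py
@@ -104,7 +104,7 @@ class TestKey(TestCase):
  fingerprint = factory.generate_fingerprint()
  fake_openssl = FakeOpenSSL(private_key, public_key, fingerprint)
  self.processes_fixture.add(fake_openssl)
- key = Key.generate(KeyType.UEFI, "PPA signing-owner testing")
+ key = Key.generate(KeyType.UEFI, "~signing-owner/ubuntu/testing")
  now = get_transaction_timestamp(store)
  self.assertThat(key, MatchesStructure.byEquality(
  key_type=KeyType.UEFI,
@@ -117,7 +117,7 @@ class TestKey(TestCase):
  key, Key.getByTypeAndFingerprint(KeyType.UEFI, fingerprint))
  req_args = [
  "openssl", "req", "-new", "-x509", "-newkey", "rsa:2048",
- "-subj", "/CN=PPA signing-owner testing UEFI/",
+ "-subj", r"/CN=~signing-owner\/ubuntu\/testing UEFI/",
  "-keyout", EndsWith("uefi.key"), "-out", EndsWith("uefi.crt"),
  "-days", "3650", "-nodes", "-sha256",
  ]
@@ -141,7 +141,7 @@ class TestKey(TestCase):
  fingerprint = factory.generate_fingerprint()
  fake_openssl = FakeOpenSSL(private_key, public_key, fingerprint)
  self.processes_fixture.add(fake_openssl)
- key = Key.generate(KeyType.KMOD, "PPA signing-owner testing")
+ key = Key.generate(KeyType.KMOD, "~signing-owner/ubuntu/testing")
  now = get_transaction_timestamp(store)
  self.assertThat(key, MatchesStructure.byEquality(
  key_type=KeyType.KMOD,
@@ -154,7 +154,7 @@ class TestKey(TestCase):
  key, Key.getByTypeAndFingerprint(KeyType.KMOD, fingerprint))
  self.assertIn("[ req ]", fake_openssl.keygen_text)
  self.assertThat(fake_openssl.keygen_text, MatchesRegex(
- r".*\bCN\s*=\s*PPA signing-owner testing\b", flags=re.S))
+ r".*\bCN\s*=\s*~signing-owner/ubuntu/testing\b", flags=re.S))
  self.assertThat(fake_openssl.keygen_text, MatchesRegex(
  r".*\bextendedKeyUsage\s*=\s*"
  r"codeSigning,1.3.6.1.4.1.2312.16.1.2\s*\b", flags=re.S))
@@ -190,7 +190,7 @@ class TestKey(TestCase):
  fingerprint = factory.generate_fingerprint()
  fake_openssl = FakeOpenSSL(private_key, public_key, fingerprint)
  self.processes_fixture.add(fake_openssl)
- key = Key.generate(KeyType.OPAL, "PPA signing-owner testing")
+ key = Key.generate(KeyType.OPAL, "~signing-owner/ubuntu/testing")
  now = get_transaction_timestamp(store)
  self.assertThat(key, MatchesStructure.byEquality(
  key_type=KeyType.OPAL,
@@ -203,7 +203,7 @@ class TestKey(TestCase):
  key, Key.getByTypeAndFingerprint(KeyType.OPAL, fingerprint))
  self.assertIn("[ req ]", fake_openssl.keygen_text)
  self.assertThat(fake_openssl.keygen_text, MatchesRegex(
- r".*\bCN\s*=\s*PPA signing-owner testing\b", flags=re.S))
+ r".*\bCN\s*=\s*~signing-owner/ubuntu/testing\b", flags=re.S))
  self.assertNotIn("extendedKeyUsage", fake_openssl.keygen_text)
  req_args = [
  "openssl", "req", "-new", "-nodes", "-utf8", "-sha512",
@@ -237,7 +237,7 @@ class TestKey(TestCase):
  fingerprint = factory.generate_fingerprint()
  fake_openssl = FakeOpenSSL(private_key, public_key, fingerprint)
  self.processes_fixture.add(fake_openssl)
- key = Key.generate(KeyType.SIPL, "PPA signing-owner testing")
+ key = Key.generate(KeyType.SIPL, "~signing-owner/ubuntu/testing")
  now = get_transaction_timestamp(store)
  self.assertThat(key, MatchesStructure.byEquality(
  key_type=KeyType.SIPL,
@@ -250,7 +250,7 @@ class TestKey(TestCase):
  key, Key.getByTypeAndFingerprint(KeyType.SIPL, fingerprint))
  self.assertIn("[ req ]", fake_openssl.keygen_text)
  self.assertThat(fake_openssl.keygen_text, MatchesRegex(
- r".*\bCN\s*=\s*PPA signing-owner testing\b", flags=re.S))
+ r".*\bCN\s*=\s*~signing-owner/ubuntu/testing\b", flags=re.S))
  self.assertNotIn("extendedKeyUsage", fake_openssl.keygen_text)
  req_args = [
  "openssl", "req", "-new", "-nodes", "-utf8", "-sha512",
@@ -284,7 +284,7 @@ class TestKey(TestCase):
  fingerprint = factory.generate_fingerprint()
  fake_openssl = FakeOpenSSL(private_key, public_key, fingerprint)
  self.processes_fixture.add(fake_openssl)
- key = Key.generate(KeyType.FIT, "PPA signing-owner testing")
+ key = Key.generate(KeyType.FIT, "~signing-owner/ubuntu/testing")
  now = get_transaction_timestamp(store)
  self.assertThat(key, MatchesStructure.byEquality(
  key_type=KeyType.FIT,
@@ -297,7 +297,7 @@ class TestKey(TestCase):
  key, Key.getByTypeAndFingerprint(KeyType.FIT, fingerprint))
  req_args = [
  "openssl", "req", "-new", "-x509", "-newkey", "rsa:2048",
- "-subj", "/CN=PPA signing-owner testing FIT/",
+ "-subj", r"/CN=~signing-owner\/ubuntu\/testing FIT/",
  "-keyout", EndsWith("fit.key"), "-out", EndsWith("fit.crt"),
  "-days", "3650", "-nodes", "-sha256",
  ]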
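Review bot: The updated expectations exercise only `/` in the common name, so the `=` branch of the new escaping is never checked, and neither is the behaviour for a name containing a backslash. A case with a constructed name, for example `Key.generate(KeyType.UEFI, "a=b/c")` expecting `r"/CN=a\=b\/c UEFI/"`, would pin both escaped characters in the -subj argument. The KMOD, OPAL and SIPL assertions show the common name written unescaped into the generated config text (`CN\s*=\s*~signing-owner/ubuntu/testing`); that path is not part of this diff, so it is worth confirming separately that it handles characters special to the OpenSSL config syntax.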
