Merge pull request #4573 from tbielawa/cert-hex-serial-parse

Fix parsing certs with very large serial numbers
author: Scott Dodson <sdodson@redhat.com> 2017-06-23 13:15:12 -0400
committer: GitHub <noreply@github.com> 2017-06-23 13:15:12 -0400
commit: d75a3c6c0f45589cb98ea933a1f19a44d99b723f (patch)
tree: 9d15736ebcb07287b4c2b5e64112bcef688be8b3 /roles
parent: 272288b9d7a771f72af1e6b9c3fbb68a1030b6a3 (diff)
parent: b45b2ff5412b29ae995027cdd1982a1dec0066d7 (diff)
download: openshift-d75a3c6c0f45589cb98ea933a1f19a44d99b723f.tar.gz
openshift-d75a3c6c0f45589cb98ea933a1f19a44d99b723f.tar.bz2
openshift-d75a3c6c0f45589cb98ea933a1f19a44d99b723f.tar.xz
openshift-d75a3c6c0f45589cb98ea933a1f19a44d99b723f.zip
2 files changed, 23 insertions, 3 deletions
diff --git a/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py b/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
index 0242f5b43..44a8fa29b 100644
--- a/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
+++ b/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
@@ -104,6 +104,7 @@ platforms missing the Python OpenSSL library.
         self.extensions = []
 
         PARSING_ALT_NAMES = False
+        PARSING_HEX_SERIAL = False
         for line in self.cert_string.split('\n'):
             l = line.strip()
             if PARSING_ALT_NAMES:
@@ -114,10 +115,26 @@ platforms missing the Python OpenSSL library.
                 PARSING_ALT_NAMES = False
                 continue
 
+            if PARSING_HEX_SERIAL:
+                # Hex serials arrive colon-delimited
+                serial_raw = l.replace(':', '')
+                # Convert to decimal
+                self.serial = int('0x' + serial_raw, base=16)
+                PARSING_HEX_SERIAL = False
+                continue
+
             # parse out the bits that we can
             if l.startswith('Serial Number:'):
-                # Serial Number: 11 (0xb)
-                # => 11
+                # Decimal format:
+                #   Serial Number: 11 (0xb)
+                #   => 11
+                # Hex Format (large serials):
+                #   Serial Number:
+                #       0a:de:eb:24:04:75:ab:56:39:14:e9:5a:22:e2:85:bf
+                #   => 14449739080294792594019643629255165375
+                if l.endswith(':'):
+                    PARSING_HEX_SERIAL = True
+                    continue
                 self.serial = int(l.split()[-2])
 
             elif l.startswith('Not After :'):
diff --git a/roles/openshift_certificate_expiry/test/conftest.py b/roles/openshift_certificate_expiry/test/conftest.py
index 4ca35ecbc..df948fff0 100644
--- a/roles/openshift_certificate_expiry/test/conftest.py
+++ b/roles/openshift_certificate_expiry/test/conftest.py
@@ -23,7 +23,10 @@ VALID_CERTIFICATE_PARAMS = [
     {
         'short_name': 'combined',
         'cn': 'combined.example.com',
-        'serial': 6,
+        # Verify that HUGE serials parse correctly.
+        # Frobs PARSING_HEX_SERIAL in _parse_cert
+        # See https://bugzilla.redhat.com/show_bug.cgi?id=1464240
+        'serial': 14449739080294792594019643629255165375,
         'uses': b'clientAuth, serverAuth',
         'dns': ['etcd'],
         'ip': ['10.0.0.2', '192.168.0.2']
author	Scott Dodson <sdodson@redhat.com>	2017-06-23 13:15:12 -0400
committer	GitHub <noreply@github.com>	2017-06-23 13:15:12 -0400
commit	d75a3c6c0f45589cb98ea933a1f19a44d99b723f (patch)
tree	9d15736ebcb07287b4c2b5e64112bcef688be8b3 /roles
parent	272288b9d7a771f72af1e6b9c3fbb68a1030b6a3 (diff)
parent	b45b2ff5412b29ae995027cdd1982a1dec0066d7 (diff)
download	openshift-d75a3c6c0f45589cb98ea933a1f19a44d99b723f.tar.gz openshift-d75a3c6c0f45589cb98ea933a1f19a44d99b723f.tar.bz2 openshift-d75a3c6c0f45589cb98ea933a1f19a44d99b723f.tar.xz openshift-d75a3c6c0f45589cb98ea933a1f19a44d99b723f.zip