Commit 581a51fe authored by Gary Wong's avatar Gary Wong

When parsing certificates, use any UUID in subjectAltName by preference.

That's where the GPO want UUIDs to go.  (And it's where we put them now,
though we didn't before.)  We still look for UUIDs in other places, because
we're not ready to break backward compatibility with old certificates yet.
parent 58c4a727
......@@ -439,12 +439,13 @@ sub LoadFromArray($@)
chomp($DN);
#
# The text output is next. Look for the URL in the extensions. Stop
# when we get to the certificate line.
# The text output is next. Look for the URN, URL and UUID in the
# extensions. Stop when we get to the certificate line.
#
my ($alturi,$accessuri);
my $altname = 0;
my $accessinfo = 0;
my $uuid = undef;
while (@certlines) {
my $line = shift(@certlines);
last
......@@ -455,8 +456,12 @@ sub LoadFromArray($@)
} elsif( $line =~ /^\s+Authority Information Access:\s*$/ ) {
$accessinfo = 1;
} elsif( $altname ) {
m'^\s*URI:(urn:publicid:[-!#$%()*+,./0-9:;=?@A-Z_a-z~]+)\s*$' and $alturi = $1
foreach split( /, /, $line );
foreach ( split( /, /, $line ) ) {
m'^\s*URI:(urn:publicid:[-!#$%()*+,./0-9:;=?@A-Z_a-z~]+)\s*$'
and $alturi = $1;
m'^\s*URI:urn:uuid:([-\w]+)\s*$'
and $uuid = $1;
}
$altname = 0;
} elsif( $accessinfo ) {
m'^\s*[0-9.]+ - URI:([-!#$%()*+,./0-9:;=?@A-Z_a-z~]+)\s*$'
......@@ -485,21 +490,27 @@ sub LoadFromArray($@)
pop(@certlines);
my $cert = join("", @certlines);
# Dig out the uuid.
# Unfortunately, for historical reasons, there are a whole bunch
# of places the UUID might be stored (and we continue to store UUIDs
# in multiple places ourselves, to maintain backward compatibility).
# The GPO want UUIDs in a subjectAltName extension (which would have
# been found above), so we use that one if it exists. If it doesn't,
# we'll have to dig...
#
# The uuid that PLC puts in the certificate is not associated with the
# underlying object, so it is not useful to us. We end up generating
# one below.
#
my $uuid;
if ($DN =~ /\/CN=([-\w]*)/) {
$uuid = $1;
}
else {
print STDERR "Could not find uuid in 'DN'\n";
return undef;
if( !defined( $uuid ) ) {
if ($DN =~ /\/CN=([-\w]*)/) {
$uuid = $1;
}
else {
print STDERR "Could not find uuid in 'DN'\n";
return undef;
}
}
# GENI AM: CN might not be a UUID, so check it.
# If it is not a UUID, make one up.
if ($uuid !~ /^\w+\-\w+\-\w+\-\w+\-\w+$/) {
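Review bot: The new `m'^\s*URI:urn:uuid:([-\w]+)\s*$' and $uuid = $1;` in the second hunk accepts any run of word characters and hyphens, and because a defined `$uuid` now suppresses the CN fallback in the third hunk (`if( !defined( $uuid ) )`), a malformed subjectAltName value shadows a CN that might hold a usable UUID and, if the later format check rejects it, ends with a made-up UUID rather than the CN's. Tightening the capture so that only a well-formed value sets `$uuid` keeps the fallback reachable: `m'^\s*URI:urn:uuid:([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\s*$' and $uuid = $1;`. The existing check `$uuid !~ /^\w+\-\w+\-\w+\-\w+\-\w+$/` is looser than the RFC 4122 layout as well, so the same pattern could replace it, though that part of the hunk is truncated here. If several `urn:uuid:` entries appear in one subjectAltName, the last one silently wins; a short comment stating that, or keeping the first match, would make the choice explicit. LoadFromArray begins before the first hunk and continues past the last.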