From 452734fb722958e1c9c233a0270d5673d119dc53 Mon Sep 17 00:00:00 2001
From: Alexander Hughes
Date: Tue, 29 Dec 2020 15:21:45 -0500
Subject: [PATCH] Making certificate check more robust
Some operators may have externally managed certificates that do not conform to the originally expected certificate pattern of ---BEGIN CERTIFICATE----- foo -----END CERTIFICATE----- and may instead include additional information on the subject/issuer. In these cases the current regex will fail to load certs that can be parsed with the existing cfssl command. Addressing this by tightening up the regex prior to trying to obtain certificate information.
Change-Id: Ief9993632718caa46b52761b49a97621f134ca53
Signed-off-by: Alexander Hughes
---
pegleg/engine/secrets.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/pegleg/engine/secrets.py b/pegleg/engine/secrets.py
index 5a22181e..bf82db71 100644
--- a/pegleg/engine/secrets.py
+++ b/pegleg/engine/secrets.py
@@ -301,8 +301,9 @@ def check_cert_expiry(site_name, duration=60):
 if result['schema'] in cert_schemas:
 text = result['data']
 header_pattern = '-----BEGIN CERTIFICATE-----'
- find_pattern = r'%s.*?(?=%s|$)' % (
- header_pattern, header_pattern)
+ footer_pattern = '-----END CERTIFICATE-----'
+ find_pattern = r'%s.*?%s' % (
+ header_pattern, footer_pattern)
 certs = re.findall(find_pattern, text, re.DOTALL)
 for cert in certs:
 cert_info = pki_util.check_expiry(cert)
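Review bot: Requiring the footer means a block that carries a BEGIN header but no matching END footer (a truncated or otherwise malformed certificate entry) is now silently dropped by `re.findall`, whereas the old lookahead pattern still handed it to `pki_util.check_expiry`; for an expiry check that silent skip is worth surfacing, since an unreported cert is the failure mode this function exists to catch. A guard after the `re.findall` line such as `if header_pattern in text and not certs:` followed by a warning through whatever logger this module already uses (not visible in the hunk) would make the skip observable. As a point of style, `find_pattern` interpolates the marker strings straight into the regex; `re.escape(header_pattern)` and `re.escape(footer_pattern)` state the intent explicitly, although `-` is not special outside a character class so the current pattern is correct as written. check_cert_expiry starts and continues outside the hunk.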