Making certificate check more robust

Some operators may have externally managed certificates that do not conform to the originally expected certificate pattern of ---BEGIN CERTIFICATE----- foo -----END CERTIFICATE----- and may instead include additional information on the subject/issuer. In these cases the current regex will fail to load certs that can be parsed with the existing cfssl command. Addressing this by tightening up the regex prior to trying to obtain certificate information. Change-Id: Ief9993632718caa46b52761b49a97621f134ca53 Signed-off-by: Alexander Hughes <Alexander.Hughes@pm.me>
2020-12-29 15:21:45 -05:00 · 2020-12-29 15:21:45 -05:00 · 452734fb72
parent 8ad13a330e
commit 452734fb72
1 changed files with 3 additions and 2 deletions
--- a/pegleg/engine/secrets.py
+++ b/pegleg/engine/secrets.py
@ -301,8 +301,9 @@ def check_cert_expiry(site_name, duration=60):
                    if result['schema'] in cert_schemas:
                        text = result['data']
                        header_pattern = '-----BEGIN CERTIFICATE-----'
-                        find_pattern = r'%s.*?(?=%s|$)' % (
-                            header_pattern, header_pattern)
+                        footer_pattern = '-----END CERTIFICATE-----'
+                        find_pattern = r'%s.*?%s' % (
+                            header_pattern, footer_pattern)
                        certs = re.findall(find_pattern, text, re.DOTALL)
                        for cert in certs:
                            cert_info = pki_util.check_expiry(cert)