[Swan-dev] match_certs_id()

D. Hugh Redelmeier hugh at mimosa.com
Fri Feb 8 03:43:52 UTC 2019


| From: Paul Wouters <paul at nohats.ca>

| On Thu, 7 Feb 2019, D. Hugh Redelmeier wrote:
| 
| > | > testing/pluto/nss-cert-chain-01-ikev2/OUTPUT/east.pluto.log:1758:"nss-cert-chain"
| > | > #1: EXPECTATION FAILED: cert->next == NULL (in match_certs_id() at
| > | > x509.c:779)
| > |
| > | This does indicate that certificate chains are passed to the function.
| > | Perhaps we are not guaranteed the order of the chain of certificates,
| > | and we still haven't figured out which is the EE cert and which is the
| > | intermediary root CA ?
| >
| > There are 29 instances of this in the test run.
| >
| > What should be happening?
| 
| What is currently happening?
| 
| > This is a matter of design and not conjecture.  But the design isn't
| > recorded.  It needs to be.
| 
| We could rename match_certs_id() to matchid_from_certbundle()  ?

So: I changed match_certs_id to loop over the whole list.  If any cert
matched, a match was declared.  But the whole list was processed.

ID_FROMCERT processing wasn't really affected because the first match
would replace it.

So: what would be new?  If the match of the first element failed,
perhaps a match against a cert further down the chain would succeed.
Without knowing the structure of the list, it isn't clear.

Here are some results.  It sure looks as if the only cert of interest
is the first.  So I'll delete the looping code (it was never
committed) and add some comments.

testing/pluto/nss-cert-chain-01/OUTPUT/west.console.diff
 002 "nss-cert-chain" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east_chain_endcert.testing.libreswan.org, E=east_chain_endcert at testing.libreswan.org'
 002 "nss-cert-chain" #1: certificate verified OK: E=east_chain_endcert at testing.libreswan.org,CN=east_chain_endcert.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
+003 "nss-cert-chain" #1: ID_DER_ASN1_DN 'E=east_chain_int_2 at testing.libreswan.org,CN=east_chain_int_2.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' does not match expected 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east_chain_endcert.testing.libreswan.org, E=east_chain_endcert at testing.libreswan.org'
+003 "nss-cert-chain" #1: ID_DER_ASN1_DN 'E=east_chain_int_1 at testing.libreswan.org,CN=east_chain_int_1.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' does not match expected 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east_chain_endcert.testing.libreswan.org, E=east_chain_endcert at testing.libreswan.org'
 003 "nss-cert-chain" #1: Authenticated using RSA

testing/pluto/nss-cert-chain-03/OUTPUT/west.console.diff
 002 "nss-cert-chain" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east_chain_endcert.testing.libreswan.org, E=east_chain_endcert at testing.libreswan.org'
 002 "nss-cert-chain" #1: certificate verified OK: E=east_chain_endcert at testing.libreswan.org,CN=east_chain_endcert.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
+003 "nss-cert-chain" #1: ID_DER_ASN1_DN 'E=east_chain_int_2 at testing.libreswan.org,CN=east_chain_int_2.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' does not match expected 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east_chain_endcert.testing.libreswan.org, E=east_chain_endcert at testing.libreswan.org'
 003 "nss-cert-chain" #1: Authenticated using RSA

testing/pluto/nss-cert-chain-01-ikev2/OUTPUT/west.console.diff
 134 "nss-cert-chain" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
 002 "nss-cert-chain" #2: certificate verified OK: E=east_chain_endcert at testing.libreswan.org,CN=east_chain_endcert.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
+003 "nss-cert-chain" #2: ID_DER_ASN1_DN 'E=east_chain_int_2 at testing.libreswan.org,CN=east_chain_int_2.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' does not match expected 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east_chain_endcert.testing.libreswan.org, E=east_chain_endcert at testing.libreswan.org'
+003 "nss-cert-chain" #2: ID_DER_ASN1_DN 'E=east_chain_int_1 at testing.libreswan.org,CN=east_chain_int_1.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' does not match expected 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east_chain_endcert.testing.libreswan.org, E=east_chain_endcert at testing.libreswan.org'
 002 "nss-cert-chain" #2: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east_chain_endcert.testing.libreswan.org, E=east_chain_endcert at testing.libreswan.org'
 003 "nss-cert-chain" #2: Authenticated using RSA

testing/pluto/nss-cert-chain-03-ikev2/OUTPUT/west.console.diff
 134 "nss-cert-chain" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
 002 "nss-cert-chain" #2: certificate verified OK: E=east_chain_endcert at testing.libreswan.org,CN=east_chain_endcert.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
+003 "nss-cert-chain" #2: ID_DER_ASN1_DN 'E=east_chain_int_2 at testing.libreswan.org,CN=east_chain_int_2.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' does not match expected 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east_chain_endcert.testing.libreswan.org, E=east_chain_endcert at testing.libreswan.org'
 002 "nss-cert-chain" #2: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east_chain_endcert.testing.libreswan.org, E=east_chain_endcert at testing.libreswan.org'
 003 "nss-cert-chain" #2: Authenticated using RSA

testing/pluto/nss-cert-ocsp-01-chain/OUTPUT/west.console.diff
 002 "nss-cert-ocsp" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east_chain_endcert.testing.libreswan.org, E=east_chain_endcert at testing.libreswan.org'
 002 "nss-cert-ocsp" #1: certificate verified OK: E=east_chain_endcert at testing.libreswan.org,CN=east_chain_endcert.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
+003 "nss-cert-ocsp" #1: ID_DER_ASN1_DN 'E=east_chain_int_2 at testing.libreswan.org,CN=east_chain_int_2.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' does not match expected 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east_chain_endcert.testing.libreswan.org, E=east_chain_endcert at testing.libreswan.org'
+003 "nss-cert-ocsp" #1: ID_DER_ASN1_DN 'E=east_chain_int_1 at testing.libreswan.org,CN=east_chain_int_1.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' does not match expected 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east_chain_endcert.testing.libreswan.org, E=east_chain_endcert at testing.libreswan.org'
 003 "nss-cert-ocsp" #1: Authenticated using RSA
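The two matching strategies discussed above, as an added example that is not code from this post or from libreswan. It models the peer's certificate bundle as a toy linked list (`struct cert`, an assumption; the real `cert->next` list carries NSS certificates) holding only the CN of each subject, with a constructed chain in the same order the test output shows (end-entity first, then the two intermediates). `match_first_cert_only()` is the behaviour the post settles on; `match_any_cert_in_chain()` is the experimental loop that was never committed. The returned `mismatches_logged` count corresponds to the spurious "does not match expected" lines in the diffs, and the second scenario shows why looping is a hazard: the loop would accept a peer ID that equals an intermediate CA's DN, binding the connection's identity to a cert that is not the peer's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for one certificate in the bundle the peer sent.
 * Only the subject (CN) is modelled; "next" links the chain in the
 * order received: end-entity cert first, then the intermediates.
 * This is an assumption for the example, not libreswan's cert type. */
struct cert {
	const char *subject_dn;
	const struct cert *next;
};

/* Constructed chain mirroring the DNs in the test output (CN only). */
#define END_DN   "CN=east_chain_endcert.testing.libreswan.org"
#define INT_2_DN "CN=east_chain_int_2.testing.libreswan.org"
#define INT_1_DN "CN=east_chain_int_1.testing.libreswan.org"

static const struct cert int_1 = { INT_1_DN, NULL };
static const struct cert int_2 = { INT_2_DN, &int_1 };
static const struct cert end_cert = { END_DN, &int_2 };
const struct cert *const east_chain = &end_cert;

struct match_result {
	bool matched;          /* was the expected peer ID satisfied? */
	int mismatches_logged; /* "does not match expected" lines emitted */
};

static bool id_matches(const struct cert *c, const char *expected_id)
{
	return strcmp(c->subject_dn, expected_id) == 0;
}

/* Strategy kept by the post: only the first (end-entity) cert counts. */
struct match_result match_first_cert_only(const struct cert *chain,
					  const char *expected_id)
{
	struct match_result r = { false, 0 };
	if (chain == NULL)
		return r;
	if (id_matches(chain, expected_id)) {
		r.matched = true;
	} else {
		r.mismatches_logged = 1;
	}
	return r;
}

/* Experimental loop from the post: any cert in the list may match,
 * and the whole list is always processed. */
struct match_result match_any_cert_in_chain(const struct cert *chain,
					    const char *expected_id)
{
	struct match_result r = { false, 0 };
	for (const struct cert *c = chain; c != NULL; c = c->next) {
		if (id_matches(c, expected_id))
			r.matched = true; /* keep going: whole list processed */
		else
			r.mismatches_logged++;
	}
	return r;
}

static void report(const char *label, struct match_result r)
{
	printf("%s: matched=%d mismatches_logged=%d\n",
	       label, r.matched, r.mismatches_logged);
}

int main(void)
{
	/* Expected ID is the end-entity DN, as in the test output. */
	report("first-only, EE id ", match_first_cert_only(east_chain, END_DN));
	report("loop,       EE id ", match_any_cert_in_chain(east_chain, END_DN));
	/* Expected ID equals an intermediate CA's DN: only the loop accepts it. */
	report("first-only, int_2 ", match_first_cert_only(east_chain, INT_2_DN));
	report("loop,       int_2 ", match_any_cert_in_chain(east_chain, INT_2_DN));
	return 0;
}
```

With the end-entity DN as expected ID, both strategies match, but the loop also emits the two extra mismatch lines seen in the `+003` diffs for `int_2` and `int_1`. With an intermediate's DN as expected ID, first-only correctly fails while the loop reports a match.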
