[Swan-dev] commit 9bc2e4e7f61 broke self-signed certs
Andrew Cagney
andrew.cagney at gmail.com
Tue Nov 12 19:51:34 UTC 2019
On Mon, 11 Nov 2019 at 20:51, Paul Wouters <paul at nohats.ca> wrote:
>
> On Sun, 10 Nov 2019, Andrew Cagney wrote:
>
> > BTW, just a sanity check. Have you tried the "fixed test" on the code
> > prior to commit 9bc... (i.e., with all the SKIP cruft?).
>
> It also fails there.
But at some point it must have worked :-/
> >> It looks like it is checking that there's a root ca, and when there
> >> isn't barf. A correctly set up and installed self signed cert should
> >> have been returned?
>
> These are actually not self-signed certs. These are "hardcoded" certs in
> leftcert= and rightcert=
as in ...
conn westnet-eastnet-x509
ikev2=no
also=westnet
also=eastnet
left=192.1.2.45
leftcert=west
leftid=%fromcert
right=192.1.2.23
rightid=%fromcert
rightcert=east
> >>> Removing the hunk fixed my issue. Is there a problem later in the code
> >>> that assumes root_certs != NULL ?
> >>>>> introduced this code:
> >>>>>
> >>>>> if (!pexpect(root_certs != NULL) || CERT_LIST_EMPTY(root_certs)) {
> >>>>> libreswan_log("No Certificate Authority in NSS Certificate DB! Certificate payloads discarded.");
> >>>>> return NULL;
> >>>>> }
>
> I still think this check should go away.
After checking that there are root certs, the code:
- creates a list of certs sent over the wire
- feeds this untrusted list + the root into CERT_PKIXVerifyCert() with:
{
.type = cert_pi_trustAnchors,
.value = { .pointer = { .chain = trustcl } }
},
{
.type = cert_pi_useOnlyTrustAnchors,
.value = { .scalar = { .b = PR_TRUE } }
},
so if there's no root, or the only root is wrong, how can this pass?
See lib/certdb/certt.h
More information about the Swan-dev
mailing list