| From: Paul Wouters <p...@nohats.ca>
|
| On Thu, 7 Feb 2019, D. Hugh Redelmeier wrote:
|
| > | > testing/pluto/nss-cert-chain-01-ikev2/OUTPUT/east.pluto.log:1758:"nss-cert-chain" #1: EXPECTATION FAILED: cert->next == NULL (in match_certs_id() at x509.c:779)
| > |
| > | This does indicate that certificate chains are passed to the function.
| > | Perhaps we are not guaranteed the order of the chain of certificates,
| > | and we still haven't figured out which is the EE cert and which is the
| > | intermediary root CA?
| >
| > There are 29 instances of this in the test run.
| >
| > What should be happening?
|
| What is currently happening?
|
| > This is a matter of design and not conjecture. But the design isn't
| > recorded. It needs to be.
|
| We could rename match_certs_id() to matchid_from_certbundle() ?
So: I changed match_certs_id to loop over the whole list. If any cert matched, a match was declared. But the whole list was processed. ID_FROMCERT processing wasn't really affected because the first match would replace it.

So: what would be new? If the match of the first element failed, perhaps a match against a cert further down the chain would succeed. Without knowing the structure of the list, it isn't clear.

Here are some results. It sure looks as if the only cert of interest is the first. So I'll delete the looping code (it was never committed) and add some comments.

testing/pluto/nss-cert-chain-01/OUTPUT/west.console.diff

 002 "nss-cert-chain" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east_chain_endcert.testing.libreswan.org, E=east_chain_endc...@testing.libreswan.org'
 002 "nss-cert-chain" #1: certificate verified OK: E=east_chain_endc...@testing.libreswan.org,CN=east_chain_endcert.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
+003 "nss-cert-chain" #1: ID_DER_ASN1_DN 'E=east_chain_in...@testing.libreswan.org,CN=east_chain_int_2.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' does not match expected 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east_chain_endcert.testing.libreswan.org, E=east_chain_endc...@testing.libreswan.org'
+003 "nss-cert-chain" #1: ID_DER_ASN1_DN 'E=east_chain_in...@testing.libreswan.org,CN=east_chain_int_1.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' does not match expected 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east_chain_endcert.testing.libreswan.org, E=east_chain_endc...@testing.libreswan.org'
 003 "nss-cert-chain" #1: Authenticated using RSA

testing/pluto/nss-cert-chain-03/OUTPUT/west.console.diff

 002 "nss-cert-chain" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east_chain_endcert.testing.libreswan.org, E=east_chain_endc...@testing.libreswan.org'
 002 "nss-cert-chain" #1: certificate verified OK: E=east_chain_endc...@testing.libreswan.org,CN=east_chain_endcert.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
+003 "nss-cert-chain" #1: ID_DER_ASN1_DN 'E=east_chain_in...@testing.libreswan.org,CN=east_chain_int_2.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' does not match expected 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east_chain_endcert.testing.libreswan.org, E=east_chain_endc...@testing.libreswan.org'
 003 "nss-cert-chain" #1: Authenticated using RSA

testing/pluto/nss-cert-chain-01-ikev2/OUTPUT/west.console.diff

 134 "nss-cert-chain" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
 002 "nss-cert-chain" #2: certificate verified OK: E=east_chain_endc...@testing.libreswan.org,CN=east_chain_endcert.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
+003 "nss-cert-chain" #2: ID_DER_ASN1_DN 'E=east_chain_in...@testing.libreswan.org,CN=east_chain_int_2.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' does not match expected 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east_chain_endcert.testing.libreswan.org, E=east_chain_endc...@testing.libreswan.org'
+003 "nss-cert-chain" #2: ID_DER_ASN1_DN 'E=east_chain_in...@testing.libreswan.org,CN=east_chain_int_1.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' does not match expected 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east_chain_endcert.testing.libreswan.org, E=east_chain_endc...@testing.libreswan.org'
 002 "nss-cert-chain" #2: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east_chain_endcert.testing.libreswan.org, E=east_chain_endc...@testing.libreswan.org'
 003 "nss-cert-chain" #2: Authenticated using RSA

testing/pluto/nss-cert-chain-03-ikev2/OUTPUT/west.console.diff

 134 "nss-cert-chain" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
 002 "nss-cert-chain" #2: certificate verified OK: E=east_chain_endc...@testing.libreswan.org,CN=east_chain_endcert.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
+003 "nss-cert-chain" #2: ID_DER_ASN1_DN 'E=east_chain_in...@testing.libreswan.org,CN=east_chain_int_2.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' does not match expected 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east_chain_endcert.testing.libreswan.org, E=east_chain_endc...@testing.libreswan.org'
 002 "nss-cert-chain" #2: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east_chain_endcert.testing.libreswan.org, E=east_chain_endc...@testing.libreswan.org'
 003 "nss-cert-chain" #2: Authenticated using RSA

testing/pluto/nss-cert-ocsp-01-chain/OUTPUT/west.console.diff

 002 "nss-cert-ocsp" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east_chain_endcert.testing.libreswan.org, E=east_chain_endc...@testing.libreswan.org'
 002 "nss-cert-ocsp" #1: certificate verified OK: E=east_chain_endc...@testing.libreswan.org,CN=east_chain_endcert.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
+003 "nss-cert-ocsp" #1: ID_DER_ASN1_DN 'E=east_chain_in...@testing.libreswan.org,CN=east_chain_int_2.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' does not match expected 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east_chain_endcert.testing.libreswan.org, E=east_chain_endc...@testing.libreswan.org'
+003 "nss-cert-ocsp" #1: ID_DER_ASN1_DN 'E=east_chain_in...@testing.libreswan.org,CN=east_chain_int_1.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' does not match expected 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east_chain_endcert.testing.libreswan.org, E=east_chain_endc...@testing.libreswan.org'
 003 "nss-cert-ocsp" #1: Authenticated using RSA

_______________________________________________
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev
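Editor's note: the two behaviours Hugh compares above (compare only the head of the bundle, versus loop over every cert and accept a match on any of them) and Paul's question about whether the list order is guaranteed, as an added example that is not Libreswan's code and does not use the NSS API. The struct cert list, the link_certs/build_* helpers, find_ee and chain_is_ee_first are stand-ins written for this example; the DNs are trimmed from the test logs above, and CA_DN is an assumed issuer name that does not appear in them. The mismatch counts reproduce what the +003 lines show: two extra lines for the two intermediates in chain-01, one for the single intermediate in chain-03. The example also goes one step beyond the thread: find_ee locates the end-entity cert by issuer links without trusting list order, which is the check to add if the order ever turns out not to be guaranteed, and the any-match loop is shown to "match" when the expected ID names an intermediate, which is why comparing only the EE cert is the sounder design.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* DNs trimmed from the test output above; CA_DN is an assumed issuer name. */
#define EE_DN   "CN=east_chain_endcert.testing.libreswan.org"
#define INT2_DN "CN=east_chain_int_2.testing.libreswan.org"
#define INT1_DN "CN=east_chain_int_1.testing.libreswan.org"
#define CA_DN   "CN=east_chain_ca.testing.libreswan.org"

/* Stand-in for the linked NSS cert bundle that match_certs_id() walks. */
struct cert {
	const char *subject;
	const char *issuer;
	struct cert *next;
};

static struct cert *link_certs(struct cert *arr, size_t n)
{
	for (size_t i = 0; i < n; i++)
		arr[i].next = (i + 1 < n) ? &arr[i + 1] : NULL;
	return arr;
}

/* EE first, then the intermediates: the order the test logs show. */
struct cert *build_sample_chain(void)
{
	static struct cert c[] = { { EE_DN, INT2_DN, NULL },
				   { INT2_DN, INT1_DN, NULL },
				   { INT1_DN, CA_DN, NULL } };
	return link_certs(c, 3);
}

/* The same certs CA-first, to exercise the "is order guaranteed?" question. */
struct cert *build_ca_first_chain(void)
{
	static struct cert c[] = { { INT1_DN, CA_DN, NULL },
				   { INT2_DN, INT1_DN, NULL },
				   { EE_DN, INT2_DN, NULL } };
	return link_certs(c, 3);
}

/* Committed behaviour: only the head of the bundle is compared. */
bool match_id_ee_only(const struct cert *head, const char *expected)
{
	return head != NULL && strcmp(head->subject, expected) == 0;
}

/* The uncommitted experiment: walk the whole list, declare a match if any
 * cert matched.  Returns -1 if nothing matched, otherwise the number of
 * "does not match expected" lines the loop logged for the other certs. */
int match_id_any(const struct cert *head, const char *expected)
{
	bool matched = false;
	int mismatch_lines = 0;
	for (const struct cert *c = head; c != NULL; c = c->next) {
		if (strcmp(c->subject, expected) == 0)
			matched = true;
		else
			mismatch_lines++;
	}
	return matched ? mismatch_lines : -1;
}

/* Locate the EE without trusting list order: the one cert that no other
 * cert in the bundle names as issuer.  NULL unless exactly one exists. */
const struct cert *find_ee(const struct cert *head)
{
	const struct cert *ee = NULL;
	for (const struct cert *c = head; c != NULL; c = c->next) {
		bool is_issuer = false;
		for (const struct cert *d = head; d != NULL && !is_issuer; d = d->next)
			is_issuer = (d != c && strcmp(d->issuer, c->subject) == 0);
		if (!is_issuer) {
			if (ee != NULL)
				return NULL; /* two leaves: not a single chain */
			ee = c;
		}
	}
	return ee;
}

/* True when the head is the EE and each cert is issued by the next one. */
bool chain_is_ee_first(const struct cert *head)
{
	if (head == NULL || find_ee(head) != head)
		return false;
	for (const struct cert *c = head; c->next != NULL; c = c->next)
		if (strcmp(c->issuer, c->next->subject) != 0)
			return false;
	return true;
}

int main(void)
{
	struct cert *chain = build_sample_chain();
	printf("EE-first %d, head-only match %d, any-match mismatch lines %d\n",
	       chain_is_ee_first(chain), match_id_ee_only(chain, EE_DN),
	       match_id_any(chain, EE_DN));
	printf("any-match on an intermediate DN: %d\n", match_id_any(chain, INT2_DN));
	printf("EE in CA-first bundle: %s\n", find_ee(build_ca_first_chain())->subject);
	return 0;
}
```

Design note: the any-match loop accepts a bundle whenever some cert's subject equals the expected ID, so it would also accept INT2_DN as the peer ID even though the intermediate's key is not the one that authenticated the exchange; comparing only the EE cert ties the ID check to the key that was actually used. If the list order is in doubt, find_ee() answers it from the issuer links rather than from position, and chain_is_ee_first() is the assertion to put where the original EXPECTATION FAILED fired.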