After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 754129 - Add test for out-of-order certificate chain handling
Add test for out-of-order certificate chain handling
Status: RESOLVED FIXED
Product: glib
Classification: Platform
Component: network
2.44.x
Other Linux
: Normal enhancement
: ---
Assigned To: gtkdev
gtkdev
Depends on: 683266
Blocks: 750457
 
 
Reported: 2015-08-26 15:49 UTC by Michael Catanzaro
Modified: 2015-08-29 22:35 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
WIP not working don't push: attempt to add certificate chain tests (78.03 KB, patch)
2015-08-28 18:04 UTC, Michael Catanzaro
none Details | Review
WIP not working don't push: attempt to add certificate chain tests (78.16 KB, patch)
2015-08-28 18:09 UTC, Michael Catanzaro
none Details | Review
WIP not working don't push: attempt to add certificate chain tests (78.31 KB, patch)
2015-08-29 01:16 UTC, Michael Catanzaro
none Details | Review
fixup: use the right server key in the chain files (1.31 KB, patch)
2015-08-29 15:02 UTC, Dan Winship
none Details | Review
fixup: the code assumes the server cert's commonName is "server.example.com" (938 bytes, patch)
2015-08-29 15:02 UTC, Dan Winship
none Details | Review
Add test for out-of-order certificate chain handling (78.38 KB, patch)
2015-08-29 16:17 UTC, Michael Catanzaro
none Details | Review
Add tests for client certificate chain handling (68.28 KB, patch)
2015-08-29 18:15 UTC, Michael Catanzaro
committed Details | Review

Description Michael Catanzaro 2015-08-26 15:49:51 UTC
Add tests for the functionality implemented in bug #683266 and bug #750457.
Comment 1 Michael Catanzaro 2015-08-28 18:04:56 UTC
Created attachment 310216 [details] [review]
WIP not working don't push: attempt to add certificate chain tests

They fail because only one certificate is sent. I'm still debugging this. I'm posting it here just because I've written a patch similar to this and lost my copy at least twice before today, and I don't want to lose it again. :)

To run the tests you'll need to remove the GMainLoop I run for manual testing with gnutls-cli in start_async_server_and_connect_to_it(), and uncomment the tests in main(). If you don't, you can connect to the server to see what's going on like so:

$ gnutls-cli -V 127.0.0.1 -p 57257
Comment 2 Michael Catanzaro 2015-08-28 18:09:02 UTC
Created attachment 310217 [details] [review]
WIP not working don't push: attempt to add certificate chain tests

Just kidding, the port is decided randomly. This patch prints the port to connect to if you run with G_MESSAGES_DEBUG=all in your environment.

Next step: figure out why only one certificate is sent.
Comment 3 Michael Catanzaro 2015-08-29 01:16:52 UTC
Created attachment 310226 [details] [review]
WIP not working don't push: attempt to add certificate chain tests

In bug #754264 I fixed the problem with parse_and_create_certificate_list() that was causing only one certificate to be sent, and copied the fix into this patch. Now the GTlsCertificate is being generated correctly and properly sent to the client. By uncommenting the test call to g_main_loop_run() in start_async_server_and_connect_to_it(), you can verify with gnutls-cli that all certificates are now being sent.

The test is still broken though. The client rejects the connection with the following error:

GnuTLS error: Public key signature verification has failed.

Further investigation required (and help welcome ;)
Comment 4 Dan Winship 2015-08-29 15:02:04 UTC
Created attachment 310264 [details] [review]
fixup: use the right server key in the chain files
Comment 5 Dan Winship 2015-08-29 15:02:08 UTC
Created attachment 310265 [details] [review]
fixup: the code assumes the server cert's commonName is "server.example.com"
Comment 6 Dan Winship 2015-08-29 15:03:49 UTC
At this point (after regenerating the certs) it gets an "Unacceptable TLS certificate" because G_TLS_CERTIFICATE_UNKNOWN_CA. I didn't investigate why yet.
Comment 7 Michael Catanzaro 2015-08-29 16:11:06 UTC
(In reply to Dan Winship from comment #6)
> At this point (after regenerating the certs) it gets an "Unacceptable TLS
> certificate" because G_TLS_CERTIFICATE_UNKNOWN_CA. I didn't investigate why
> yet.

That's strange, because now all the tests pass for me (after regenerating the certificates and replacing the first certificate in ca-roots.pem and ca-roots-bad.pem).
Comment 8 Michael Catanzaro 2015-08-29 16:17:15 UTC
Created attachment 310268 [details] [review]
Add test for out-of-order certificate chain handling

Made possible by help from Dan Winship.

This passes for me, but fails if 0e08f17396287d00a69bbbcbec3b364b98cbcace is reverted, so seems good. It doesn't test the new behavior in bug #750457, but it's an important first step.
Comment 9 Dan Winship 2015-08-29 16:30:40 UTC
(In reply to Michael Catanzaro from comment #7)
> That's strange, because now all the tests pass for me (after regenerating
> the certificates and replacing the first certificate in ca-roots.pem and
> ca-roots-bad.pem).

Yeah, I missed that last step... I really ought to automate that.


Need to do something about the huge amount of cut+pasting though. It's only needed for one test...

Instead of reading the chain from a single file, you could do:

  intermediate = g_tls_certificate_new_from_file("intermediate-ca.pem")

  cert_data = g_file_get_data("ca.pem")
  ca = g_object_new (cert_type,
                     "issuer", intermediate,
                     "certificate-pem", cert_data,
                     NULL)

  cert_data = g_file_get_data("server-intermediate.pem")
  key_data = g_file_get_data("server-intermediate-key.pem")
  server_cert = g_object_new (cert_type,
                              "issuer", ca,
                              "certificate-pem", cert_data,
                              "private-key-pem", key_data,
                              NULL)

and now you have a Server -> CA -> Intermediate chain
Comment 10 Michael Catanzaro 2015-08-29 18:15:13 UTC
Created attachment 310276 [details] [review]
Add tests for client certificate chain handling

OK, removed the huge copypaste, and replaced it with more tests. :)
Comment 11 Dan Winship 2015-08-29 21:54:49 UTC
Comment on attachment 310276 [details] [review]
Add tests for client certificate chain handling

yay
Comment 12 Michael Catanzaro 2015-08-29 22:35:28 UTC
Attachment 310276 [details] pushed as 01631a0 - Add tests for client certificate chain handling