Bug 916603
| Summary: | virnettlscontexttest fails in Rawhide | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Richard W.M. Jones <rjones> |
| Component: | libvirt | Assignee: | Libvirt Maintainers <libvirt-maint> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | berrange, clalancette, crobinso, eblake, itamar, jforbes, jorton, jyang, laine, libvirt-maint, tmraz, veillard |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-04-01 14:32:48 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Attachments: | |||
|
Description
Richard W.M. Jones
2013-02-28 12:58:54 UTC
Reassigning to gnutls, based on: https://www.redhat.com/archives/libvir-list/2013-February/msg01675.html "In that test case we're creating a CA cert which has the key-usage policy set to "digital signature" instead of "key signing". However we also set the flag "non-critical" so a failing key usage policy check should still result in a pass from cert validation. Sounds like gnutls3 isn't liking this." Can you attach the CA cert you're creating? Created attachment 704143 [details]
The CA certificate (notice bogus key usage, but marked non-critical)
Created attachment 704144 [details]
The server cert which should validate
Here is the test itself: http://libvirt.org/git/?p=libvirt.git;a=blob;f=tests/virnettlscontexttest.c;hb=HEAD Created attachment 704145 [details]
Fixed: The CA certificate (notice bogus key usage, but marked non-critical)
Created attachment 704146 [details]
Fixed: The server cert which should validate
Created attachment 704147 [details]
A test case to demo what libvirt does
On my Fedora 18 system this results in:
# gcc -Wall -o tlsvalid tlsvalid.c `pkg-config --cflags --libs gnutls`
# ./tlsvalid cacert5.pem servercert.pem
Certificate is ok
I've not tested this demo program on F19, but I believe it should fail in the same way as the libvirt test case fails
The output of Dan's program on Fedora Rawhide (x86-64): $ ./tlsvalid cacert5.pem servercert.pem Failed validation The certificate is not trusted. I think this is not a bug and compliant with RFC 3280.
Citing it: (n) If a key usage extension is present, verify that the
keyCertSign bit is set.
...
If check (a), (k), (l), (n) or (o) fails, the procedure terminates,
returning a failure indication and an appropriate reason.
There is nowhere stated that when Key usage without keyCertSign bit can be ignored when it is marked non-critical.
Hmm, so this could be due to a misunderstanding of the effect of 'critical' vs 'non-critical'. On closer inspection of the RFC, it appears that this flag is only to have effect when a TLS impl does not support the extension in question. If the extension is marked 'critical' then lack of support should be a fatal error, if it is marked 'non-critical' then lack of support means the extension can be ignored. This does, however, raise the question of why gnutls 2.x successfully validates this certificate - it seems like this could be a bug in that version of gnutls ? Yes, sure, this is a bug in older gnutls versions but one that is pretty harmless and so it does not warrant fixing it there. Also changing this on already deployed systems is not good exactly because of the reasons like this bug. Fixed in upstream libvirt
commit 0204d6d7a0519377b2e6bc296b00328cd748f55d
Author: Daniel P. Berrange <berrange>
Date: Mon Mar 4 17:27:38 2013 +0000
Fix TLS tests with gnutls 3
When given a CA cert with basic constraints to set non-critical,
and key usage of 'key signing', this should be rejected. Version
of GNUTLS < 3 do not rejecte it though, so we never noticed the
test case was broken
Signed-off-by: Daniel P. Berrange <berrange>
This was in libvirt 1.0.3 |