Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto/x509: TestSystemVerify/EKULeafValid fails on LUCI #60925

Closed
heschi opened this issue Jun 21, 2023 · 7 comments
Closed

crypto/x509: TestSystemVerify/EKULeafValid fails on LUCI #60925

heschi opened this issue Jun 21, 2023 · 7 comments
Labels
NeedsFix The path to resolution is known, but the work has not been done. Testing An issue that has been verified to require only test changes, not just a test failure.
Milestone
Go1.21

Comments

@heschi
Copy link
Contributor

heschi commented Jun 21, 2023

The test is failing on 1.20 and master:

=== RUN   TestSystemVerify/EKULeafValid
    verify_test.go:525: Got 2 matches instead of 1 for expected chain [CORPORATIVO FICTICIO ACTIVO EAEko Herri Administrazioen CA - CA AAPP Vascas (2) IZENPE S.A.]
    verify_test.go:528: 	 matched /IZENPE/Ziurtagiri korporatiboa-Certificado corporativo,Condiciones de uso en www.izenpe.com nola erabili jakiteko/CORPORATIVO FICTICIO ACTIVO -> ES/IZENPE S.A./AZZ Ziurtagiri publikoa - Certificado publico SCA/EAEko Herri Administrazioen CA - CA AAPP Vascas (2) -> ES/IZENPE S.A.//Izenpe.com
    verify_test.go:528: 	 matched /IZENPE/Ziurtagiri korporatiboa-Certificado corporativo,Condiciones de uso en www.izenpe.com nola erabili jakiteko/CORPORATIVO FICTICIO ACTIVO -> ES/IZENPE S.A./AZZ Ziurtagiri publikoa - Certificado publico SCA/EAEko Herri Administrazioen CA - CA AAPP Vascas (2) -> ES/IZENPE S.A.//Izenpe.com
--- FAIL: TestSystemVerify/EKULeafValid (0.00s)

https://ci.chromium.org/ui/p/golang/builders/ci/gotip-windows-amd64/b8777650789528565057/test-results

cc @golang/security @rolandshoemaker
@heschi heschi added the NeedsFix The path to resolution is known, but the work has not been done. label Jun 21, 2023
@heschi heschi added this to the Go1.22 milestone Jun 21, 2023
@rolandshoemaker
Copy link
Member

I assume Izenpe re-issued one of their roots, resulting in a pair of valid chains, instead of just one.

We can probably bandaid this, but it's an inherent problem with how TestSystemVerify works. Once #52108 lands we'll be able to just remove these semi-broken tests entirely.

@heschi
Copy link
Contributor Author

heschi commented Jun 21, 2023

I'd appreciate a bandaid :(

@rolandshoemaker
Copy link
Member

I will bandaid :)

@gopherbot
Copy link

Change https://go.dev/cl/505035 mentions this issue: crypto/x509: tolerate multiple matching chains in testVerify

@heschi
Copy link
Contributor Author

heschi commented Jun 22, 2023

@gopherbot please backport to 1.20.

@gopherbot
Copy link

Backport issue(s) opened: #60947 (for 1.20).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

@gopherbot gopherbot mentioned this issue Jun 22, 2023
Closed
@gopherbot
Copy link

Change https://go.dev/cl/505275 mentions this issue: [release-branch.go1.20] crypto/x509: tolerate multiple matching chains in testVerify

@dmitshur dmitshur modified the milestones: Go1.22, Go1.21 Jun 22, 2023
@dmitshur dmitshur added the Testing An issue that has been verified to require only test changes, not just a test failure. label Jun 22, 2023
gopherbot pushed a commit that referenced this issue Jun 22, 2023
@rolandshoemaker @gopherbot
[release-branch.go1.20] crypto/x509: tolerate multiple matching chain…
bca8175 
…s in testVerify

Due to the semantics of roots, a root store may contain two valid roots
that have the same subject (but different SPKIs) at the asme time. As
such in testVerify it is possible that when we verify a certificate we
may get two chains that has the same stringified representation.

Rather than doing something fancy to include keys (which is just overly
complicated), tolerate multiple matches.

Updates #60925
Fixes #60947

Change-Id: I5f51f7635801762865a536bcb20ec75f217a36ea
Reviewed-on: https://go-review.googlesource.com/c/go/+/505035
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
(cherry picked from commit 2031366)
Reviewed-on: https://go-review.googlesource.com/c/go/+/505275
Run-TryBot: Heschi Kreinick <heschi@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Heschi Kreinick <heschi@google.com>
bradfitz pushed a commit to tailscale/go that referenced this issue Jul 15, 2023
@rolandshoemaker @bradfitz
crypto/x509: tolerate multiple matching chains in testVerify
e9d2e61 
Due to the semantics of roots, a root store may contain two valid roots
that have the same subject (but different SPKIs) at the asme time. As
such in testVerify it is possible that when we verify a certificate we
may get two chains that has the same stringified representation.

Rather than doing something fancy to include keys (which is just overly
complicated), tolerate multiple matches.

Fixes golang#60925

Change-Id: I5f51f7635801762865a536bcb20ec75f217a36ea
Reviewed-on: https://go-review.googlesource.com/c/go/+/505035
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
NeedsFix The path to resolution is known, but the work has not been done. Testing An issue that has been verified to require only test changes, not just a test failure.
Projects
None yet
Milestone
Go1.21
Development

No branches or pull requests
4 participants
@dmitshur @rolandshoemaker @gopherbot @heschi