Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix ECDSA endorsements test for OpenSSL v3 #6600

Closed
maxtropets opened this issue Oct 29, 2024 · 1 comment · Fixed by #6621
Closed

Fix ECDSA endorsements test for OpenSSL v3 #6600

maxtropets opened this issue Oct 29, 2024 · 1 comment · Fixed by #6621
Assignees
Labels

Comments

@maxtropets
Copy link
Collaborator

maxtropets commented Oct 29, 2024

On Azure Linux

ninja && ./tests.sh -VV -R endorsements_test

...

18: /workspace/src/node/test/endorsements.cpp:54: FATAL ERROR: REQUIRE_THROWS_WITH_AS( ccf::verify_uvm_endorsements(endorsement, uvm_measurement), "UVM endorsements did did:x509:0:sha256:VFsRLNBh5Zy1HRtVl2IIXAl0lUs-xobEbskZ3XRDpCY::subject:CN:Test%20Leaf%20%28DO%20NOT%20TRUST%29, feed ConfAKS-AMD-UVM-Test, svn 0 do not match any of the known UVM roots of trust", std::logic_error ) threw a DIFFERENT exception! (contents: "certificate chain verification failed: Missing Subject Key Identifier (depth: 1)")

There's missing X509v3 Subject Key Identifier, details below:

Details

Checked ECDSA certs chain in the test, one of them:

-----BEGIN CERTIFICATE-----
MIIBiTCCAQ8CFCFHH9DIbmmTMz2p+XNuX0L0HFDuMAoGCCqGSM49BAMCMC4xLDAq
BgNVBAMMI1Rlc3QgSW50ZXJtZWRpYXRlIENBIChETyBOT1QgVFJVU1QpMB4XDTI0
MDQyNjE4MDE1MVoXDTI1MDQyNjE4MDE1MVowIzEhMB8GA1UEAwwYVGVzdCBMZWFm
IChETyBOT1QgVFJVU1QpMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAElCp7v/uiSnjY
dymZXlYRQRxljnbBtvwLbr+lXXhiTG/kdgh5pHKjOl+7xvWTkJmJG0J8EMqRDylr
KW7gP12C/fTrwcESOUdVy0h+ju1KyxNSUuiGeen9Z0GEA+pOh2OlMAoGCCqGSM49
BAMCA2gAMGUCMD8MBexV5IyyX8yk2/CSgZaNVj2Su2FUGhYTOWqNcRXJ5gd7AHmG
qCH2tE0Bmc0FSwIxAKDYxpBL9vGy/xy9RQKjxO3LPBstuaTvihdjei9cH9RSV20p
8ZuMbs1wcxi+ECdu1w==
-----END CERTIFICATE-----

Tried openssl decode

root [ /workspace ]# openssl x509 --text
Warning: Reading certificate from stdin since no -in or -new option is given
-----BEGIN CERTIFICATE-----
MIIBiTCCAQ8CFCFHH9DIbmmTMz2p+XNuX0L0HFDuMAoGCCqGSM49BAMCMC4xLDAq
BgNVBAMMI1Rlc3QgSW50ZXJtZWRpYXRlIENBIChETyBOT1QgVFJVU1QpMB4XDTI0
MDQyNjE4MDE1MVoXDTI1MDQyNjE4MDE1MVowIzEhMB8GA1UEAwwYVGVzdCBMZWFm
IChETyBOT1QgVFJVU1QpMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAElCp7v/uiSnjY
dymZXlYRQRxljnbBtvwLbr+lXXhiTG/kdgh5pHKjOl+7xvWTkJmJG0J8EMqRDylr
KW7gP12C/fTrwcESOUdVy0h+ju1KyxNSUuiGeen9Z0GEA+pOh2OlMAoGCCqGSM49
BAMCA2gAMGUCMD8MBexV5IyyX8yk2/CSgZaNVj2Su2FUGhYTOWqNcRXJ5gd7AHmG
qCH2tE0Bmc0FSwIxAKDYxpBL9vGy/xy9RQKjxO3LPBstuaTvihdjei9cH9RSV20p
8ZuMbs1wcxi+ECdu1w==
-----END CERTIFICATE-----
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            21:47:1f:d0:c8:6e:69:93:33:3d:a9:f9:73:6e:5f:42:f4:1c:50:ee
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=Test Intermediate CA (DO NOT TRUST)
        Validity
            Not Before: Apr 26 18:01:51 2024 GMT
            Not After : Apr 26 18:01:51 2025 GMT
        Subject: CN=Test Leaf (DO NOT TRUST)
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:94:2a:7b:bf:fb:a2:4a:78:d8:77:29:99:5e:56:
                    11:41:1c:65:8e:76:c1:b6:fc:0b:6e:bf:a5:5d:78:
                    62:4c:6f:e4:76:08:79:a4:72:a3:3a:5f:bb:c6:f5:
                    93:90:99:89:1b:42:7c:10:ca:91:0f:29:6b:29:6e:
                    e0:3f:5d:82:fd:f4:eb:c1:c1:12:39:47:55:cb:48:
                    7e:8e:ed:4a:cb:13:52:52:e8:86:79:e9:fd:67:41:
                    84:03:ea:4e:87:63:a5
                ASN1 OID: secp384r1
                NIST CURVE: P-384
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:65:02:30:3f:0c:05:ec:55:e4:8c:b2:5f:cc:a4:db:f0:92:
        81:96:8d:56:3d:92:bb:61:54:1a:16:13:39:6a:8d:71:15:c9:
        e6:07:7b:00:79:86:a8:21:f6:b4:4d:01:99:cd:05:4b:02:31:
        00:a0:d8:c6:90:4b:f6:f1:b2:ff:1c:bd:45:02:a3:c4:ed:cb:
        3c:1b:2d:b9:a4:ef:8a:17:63:7a:2f:5c:1f:d4:52:57:6d:29:
        f1:9b:8c:6e:cd:70:73:18:be:10:27:6e:d7
-----BEGIN CERTIFICATE-----
MIIBiTCCAQ8CFCFHH9DIbmmTMz2p+XNuX0L0HFDuMAoGCCqGSM49BAMCMC4xLDAq
BgNVBAMMI1Rlc3QgSW50ZXJtZWRpYXRlIENBIChETyBOT1QgVFJVU1QpMB4XDTI0
MDQyNjE4MDE1MVoXDTI1MDQyNjE4MDE1MVowIzEhMB8GA1UEAwwYVGVzdCBMZWFm
IChETyBOT1QgVFJVU1QpMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAElCp7v/uiSnjY
dymZXlYRQRxljnbBtvwLbr+lXXhiTG/kdgh5pHKjOl+7xvWTkJmJG0J8EMqRDylr
KW7gP12C/fTrwcESOUdVy0h+ju1KyxNSUuiGeen9Z0GEA+pOh2OlMAoGCCqGSM49
BAMCA2gAMGUCMD8MBexV5IyyX8yk2/CSgZaNVj2Su2FUGhYTOWqNcRXJ5gd7AHmG
qCH2tE0Bmc0FSwIxAKDYxpBL9vGy/xy9RQKjxO3LPBstuaTvihdjei9cH9RSV20p
8ZuMbs1wcxi+ECdu1w==
-----END CERTIFICATE-----

Indeed, there's missing X509v3 Subject Key Identifier, which is present in RSA certs for another test, for instance:

root [ /workspace ]# openssl x509 --text
Warning: Reading certificate from stdin since no -in or -new option is given
-----BEGIN CERTIFICATE-----
MIIFrzCCA5egAwIBAgIQaCjVTH5c2r1DOa4MwVoqNTANBgkqhkiG9w0BAQwFADBf
MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTAw
LgYDVQQDEydNaWNyb3NvZnQgU3VwcGx5IENoYWluIFJTQSBSb290IENBIDIwMjIw
HhcNMjIwMjE3MDAxMjM2WhcNNDcwMjE3MDAyMTA5WjBfMQswCQYDVQQGEwJVUzEe
MBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTAwLgYDVQQDEydNaWNyb3Nv
ZnQgU3VwcGx5IENoYWluIFJTQSBSb290IENBIDIwMjIwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQCeJQFmGR9kNMGdOSNiHXGLVuol0psf7ycBgr932JQz
gxhIm1Cee5ZkwtDDX0X/MpzoFxe9eO11mF86BggrHDebRkqQCrCvRpI+M4kq+rjn
MmPzI8du0hT7Jlju/gaEVPrBHzeq29TsViq/Sb3M6wLtxk78rBm1EjVpFYkXTaNo
6mweKZoJ8856IcYJ0RnqjzBGaTtoBCt8ii3WY13qbdY5nr0GPlvuLxFbKGunUqRo
Xkyk6q7OI79MNnHagUVQjsqGzv9Tw7hDsyTuB3qitPrHCh17xlI1MewIH4SAklv4
sdo51snn5YkEflF/9OZqZEdJ6vjspvagQ1P+2sMjJNgl2hMsKrc/lN53HEx4HGr5
mo/rahV3d61JhM4QQMeZSA/Vlh6AnHOhOKEDb9NNINC1Q+T3LngPTve8v2XabZAL
W7/e6icnmWT4OXxzPdYh0u7W81MRLlXD3OrxKVfeUaF4c5ALL/XJdTbrjdJtjnld
uho4/98ZAajSyNHW8uuK9S7RzJMTm5yQeGVjeQTE8Z6fjDrzZAz+mB2T4o9WpWNT
I7hucxZFGrb3ew/NpDL/Wv6WjeGHeNtwg6gkhWkgwm0SDeV59ipZz9ar54HmoLGI
LQiMC7HP12w2r575A2fZQXOpq0W4cWBYGNQWLGW60QXeksVQEBGQzkfM+6+/I8Cf
BQIDAQABo2cwZTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV
HQ4EFgQUC7NoO6/ar+5wpXbZIffMRBYH0PgwEAYJKwYBBAGCNxUBBAMCAQAwEQYD
VR0gBAowCDAGBgRVHSAAMA0GCSqGSIb3DQEBDAUAA4ICAQBIxzf//8FoV9eLQ2ZG
OiZrL+j63mihj0fxPTSVetpVMfSV0jhfLLqPpY1RMWqJVWhsK0JkaoUkoFEDx93R
cljtbB6M2JHF50kRnRl6N1ged0T7wgiYQsRN45uKDs9ARU8bgHBZjJOB6A/VyCaV
qfcfdwa4yu+c++hm2uU54NLSYsOn1LYYmiebJlBKcpfVs1sqpP1fL37mYqMnZgz6
2RnMER0xqAFSCOZUDJljK+rYhNS0CBbvvkpbiFj0Bhag63pd4cdE1rsvVVYl8J4M
5A8S28B/r1ZdxokOcalWEuS5nKhkHrVHlZKu0HDIk318WljxBfFKuGxyGKmuH1eZ
JnRm9R0P313w5zdbX7rwtO/kYwd+HzIYaalwWpL5eZxY1H6/cl1TRituo5lg1oWM
ZncWdq/ixRhb4l0INtZmNxdl8C7PoeW85o0NZbRWU12fyK9OblHPiL6S6jD7LOd1
P0JgxHHnl59zx5/K0bhsI+pQKB0OQ8z1qRtA66aY5eUPxZIvpZbH1/o8GO4dG2ED
/YbnJEEzvdjztmB88xyCA9Vgr9/0IKTkgQYiWsyFM31k+OS4v4AX1PshP2Ou54+3
F0Tsci41yQvQgR3pcgMJQdnfCUjmzbeyHGAlGVLzPRJJ7Z2UIo5xKPjBB1Rz3TgI
tIWPFGyqAK9Aq7WHzrY5XHP5kA==
-----END CERTIFICATE-----
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            68:28:d5:4c:7e:5c:da:bd:43:39:ae:0c:c1:5a:2a:35

        ...

        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                0B:B3:68:3B:AF:DA:AF:EE:70:A5:76:D9:21:F7:CC:44:16:07:D0:F8
            1.3.6.1.4.1.311.21.1:

             ...

            X509v3 Certificate Policies:
                Policy: X509v3 Any Policy
    Signature Algorithm: sha384WithRSAEncryption
   ...

@achamayou
Copy link
Member

That looks like a check that openssl 1.1 did not enforce, and 3.x does, according to https://x509-limbo.com/testcases/rfc5280/#rfc5280skiroot-missing-ski

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants