-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OpenSslX509ChainProcessor: ignore NotSignatureValid on last element. #69668
Conversation
Tagging subscribers to this area: @dotnet/area-system-security, @vcsjones Issue DetailsFixes #65874 (comment). Implements #65874 (comment). Tests still need to be updated.
|
With this change, I see 12 less test failures on RHEL 9 in
There are still 104 test failures remaining due to the sha1 deprecation. Some of these should be skipped, similar to #67998. Updating these tests is for a separate PR(/PRs).
|
For tests, I think we'd like to combine a I'm not sure how to write these tests. I assume I need to create my own root cert, intermediate cert and end certificate using openssl? And then, using @bartonjs @vcsjones does this sound right? any advice on how I can create the certificates? |
We have helpers and some existing tests that are pretty close to this scenario. runtime/src/libraries/System.Security.Cryptography.X509Certificates/tests/DynamicChainTests.cs Line 77 in a0ff92c
Then there are all of the negative tests that Jeremy mentioned, like |
Well, that'd be UntrustedRoot, since it found it (from ExtraStore), but doesn't trust it... PartialChain would be when the root can't be found at all. Otherwise, yeah, what @vcsjones said 😄. |
Yeah, that. |
....Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs
Outdated
Show resolved
Hide resolved
....Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography.X509Certificates/tests/ChainTests.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography.X509Certificates/tests/ChainTests.cs
Outdated
Show resolved
Hide resolved
....Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs
Show resolved
Hide resolved
....Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography.X509Certificates/tests/ChainTests.cs
Outdated
Show resolved
Hide resolved
@bartonjs I've addressed your feedback. ptal. |
Test failure is #69806. |
/backport to release/6.0 |
Started backporting to release/6.0: https://github.com/dotnet/runtime/actions/runs/2391548531 |
@bartonjs backporting to release/6.0 failed, the patch most likely resulted in conflicts: $ git am --3way --ignore-whitespace --keep-non-patch changes.patch
Applying: OpenSslX509ChainProcessor: ignore NotSignatureValid on last element.
Using index info to reconstruct a base tree...
A src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs
Falling back to patching base and 3-way merge...
Auto-merging src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/OpenSslX509ChainProcessor.cs
Applying: Add test
Applying: Test: verify NotSignatureValid is not filtered from end cert.
Applying: PR feedback.
Using index info to reconstruct a base tree...
A src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs
Falling back to patching base and 3-way merge...
Auto-merging src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/OpenSslX509ChainProcessor.cs
CONFLICT (content): Merge conflict in src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/OpenSslX509ChainProcessor.cs
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0004 PR feedback.
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".
Error: The process '/usr/bin/git' failed with exit code 128 Please backport manually! |
Given all of the code shuffling in 7.0 I would pretty much expect every back port to fail in S.S.Cryptography 😔. |
Yeah. I was hoping it'd see backwards through the moves. |
@bartonjs should I create a PR against the 6.0 branch? Or will you look into it? |
Yes, please. I meant to, but keep getting distracted by other things. |
Fixes #65874 (comment).
Implements #65874 (comment).
Tests still need to be updated.
@bartonjs @vcsjones ptal.