crypto/x509: TestSystemVerify/EKULeafValid fails on LUCI #60925

heschi · 2023-06-21T20:18:53Z

The test is failing on 1.20 and master:

=== RUN   TestSystemVerify/EKULeafValid
    verify_test.go:525: Got 2 matches instead of 1 for expected chain [CORPORATIVO FICTICIO ACTIVO EAEko Herri Administrazioen CA - CA AAPP Vascas (2) IZENPE S.A.]
    verify_test.go:528: 	 matched /IZENPE/Ziurtagiri korporatiboa-Certificado corporativo,Condiciones de uso en www.izenpe.com nola erabili jakiteko/CORPORATIVO FICTICIO ACTIVO -> ES/IZENPE S.A./AZZ Ziurtagiri publikoa - Certificado publico SCA/EAEko Herri Administrazioen CA - CA AAPP Vascas (2) -> ES/IZENPE S.A.//Izenpe.com
    verify_test.go:528: 	 matched /IZENPE/Ziurtagiri korporatiboa-Certificado corporativo,Condiciones de uso en www.izenpe.com nola erabili jakiteko/CORPORATIVO FICTICIO ACTIVO -> ES/IZENPE S.A./AZZ Ziurtagiri publikoa - Certificado publico SCA/EAEko Herri Administrazioen CA - CA AAPP Vascas (2) -> ES/IZENPE S.A.//Izenpe.com
--- FAIL: TestSystemVerify/EKULeafValid (0.00s)

https://ci.chromium.org/ui/p/golang/builders/ci/gotip-windows-amd64/b8777650789528565057/test-results

cc @golang/security @rolandshoemaker

The text was updated successfully, but these errors were encountered:

rolandshoemaker · 2023-06-21T21:12:19Z

I assume Izenpe re-issued one of their roots, resulting in a pair of valid chains, instead of just one.

We can probably bandaid this, but it's an inherent problem with how TestSystemVerify works. Once #52108 lands we'll be able to just remove these semi-broken tests entirely.

heschi · 2023-06-21T21:25:38Z

I'd appreciate a bandaid :(

rolandshoemaker · 2023-06-21T21:25:57Z

I will bandaid :)

gopherbot · 2023-06-21T21:54:27Z

Change https://go.dev/cl/505035 mentions this issue: crypto/x509: tolerate multiple matching chains in testVerify

heschi · 2023-06-22T18:17:58Z

@gopherbot please backport to 1.20.

gopherbot · 2023-06-22T18:18:30Z

Backport issue(s) opened: #60947 (for 1.20).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

gopherbot · 2023-06-22T18:21:02Z

Change https://go.dev/cl/505275 mentions this issue: [release-branch.go1.20] crypto/x509: tolerate multiple matching chains in testVerify

…s in testVerify Due to the semantics of roots, a root store may contain two valid roots that have the same subject (but different SPKIs) at the asme time. As such in testVerify it is possible that when we verify a certificate we may get two chains that has the same stringified representation. Rather than doing something fancy to include keys (which is just overly complicated), tolerate multiple matches. Updates #60925 Fixes #60947 Change-Id: I5f51f7635801762865a536bcb20ec75f217a36ea Reviewed-on: https://go-review.googlesource.com/c/go/+/505035 Reviewed-by: Heschi Kreinick <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Auto-Submit: Roland Shoemaker <[email protected]> TryBot-Result: Gopher Robot <[email protected]> (cherry picked from commit 2031366) Reviewed-on: https://go-review.googlesource.com/c/go/+/505275 Run-TryBot: Heschi Kreinick <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Auto-Submit: Heschi Kreinick <[email protected]>

Due to the semantics of roots, a root store may contain two valid roots that have the same subject (but different SPKIs) at the asme time. As such in testVerify it is possible that when we verify a certificate we may get two chains that has the same stringified representation. Rather than doing something fancy to include keys (which is just overly complicated), tolerate multiple matches. Fixes golang#60925 Change-Id: I5f51f7635801762865a536bcb20ec75f217a36ea Reviewed-on: https://go-review.googlesource.com/c/go/+/505035 Reviewed-by: Heschi Kreinick <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Auto-Submit: Roland Shoemaker <[email protected]> TryBot-Result: Gopher Robot <[email protected]>

heschi added the NeedsFix The path to resolution is known, but the work has not been done. label Jun 21, 2023

heschi added this to the Go1.22 milestone Jun 21, 2023

gopherbot closed this as completed in 2031366 Jun 22, 2023

gopherbot mentioned this issue Jun 22, 2023

crypto/x509: TestSystemVerify/EKULeafValid fails on LUCI [1.20 backport] #60947

Closed

dmitshur modified the milestones: Go1.22, Go1.21 Jun 22, 2023

dmitshur added the Testing An issue that has been verified to require only test changes, not just a test failure. label Jun 22, 2023

golang locked and limited conversation to collaborators Jun 21, 2024

gopherbot added the FrozenDueToAge label Jun 21, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

crypto/x509: TestSystemVerify/EKULeafValid fails on LUCI #60925

crypto/x509: TestSystemVerify/EKULeafValid fails on LUCI #60925

heschi commented Jun 21, 2023

rolandshoemaker commented Jun 21, 2023

heschi commented Jun 21, 2023

rolandshoemaker commented Jun 21, 2023

gopherbot commented Jun 21, 2023

heschi commented Jun 22, 2023

gopherbot commented Jun 22, 2023

gopherbot commented Jun 22, 2023

crypto/x509: TestSystemVerify/EKULeafValid fails on LUCI #60925

crypto/x509: TestSystemVerify/EKULeafValid fails on LUCI #60925

Comments

heschi commented Jun 21, 2023

rolandshoemaker commented Jun 21, 2023

heschi commented Jun 21, 2023

rolandshoemaker commented Jun 21, 2023

gopherbot commented Jun 21, 2023

heschi commented Jun 22, 2023

gopherbot commented Jun 22, 2023

gopherbot commented Jun 22, 2023