update CI to test against go1.19 #3108

Open
wants to merge 2 commits into
base: master

thaJeztah
Member

- Description for the changelog

@thaJeztah
Member Author

FWIW; I saw some failures locally when running some tests. No problems were found in Moby CI, so it could be just a badly written test, or it's a code-path that's not used in Moby.

thaJeztah force-pushed the bump_go_1.19 branch 2 times, most recently from cf8bd74 to 06da8e6 (December 29, 2022 11:41)
@thaJeztah
Member Author

Same failure in CI;

--- FAIL: TestRenewTLSConfigUpdatesRootOnUnknownAuthError (0.00s)
    config_test.go:645: 
        	Error Trace:	/home/circleci/.go_workspace/src/github.com/docker/swarmkit/ca/config_test.go:645
        	Error:      	Received unexpected error:
        	            	x509: certificate signed by unknown authority
        	            	error while validating signing CA certificate against roots and intermediates
        	            	github.com/moby/swarmkit/v2/ca.newLocalSigner
        	            		/home/circleci/.go_workspace/src/github.com/docker/swarmkit/ca/certificates.go:632
        	            	github.com/moby/swarmkit/v2/ca.NewRootCA
        	            		/home/circleci/.go_workspace/src/github.com/docker/swarmkit/ca/certificates.go:493
        	            	github.com/moby/swarmkit/v2/ca_test.TestRenewTLSConfigUpdatesRootOnUnknownAuthError
        	            		/home/circleci/.go_workspace/src/github.com/docker/swarmkit/ca/config_test.go:644
        	            	testing.tRunner
        	            		/usr/local/go/src/testing/testing.go:1446
        	            	runtime.goexit
        	            		/usr/local/go/src/runtime/asm_amd64.s:1594
        	Test:       	TestRenewTLSConfigUpdatesRootOnUnknownAuthError

@thaJeztah
Member Author

--- FAIL: TestRenewTLSConfigUpdatesRootOnUnknownAuthError (0.01s)
    config_test.go:655: CA0 :
    config_test.go:656: &{Raw:[] RawTBSCertificate:[] RawSubjectPublicKeyInfo:[] RawSubject:[] RawIssuer:[] Signature:[] SignatureAlgorithm:ECDSA-SHA256 PublicKeyAlgorithm:ECDSA PublicKey:0xc000726ba0 Version:3 SerialNumber:+722639006653195417041125068417418380177491413834 Issuer:CN=CA0 Subject:CN=CA0 NotBefore:2023-07-29 07:55:00 +0000 UTC NotAfter:2043-07-24 07:55:00 +0000 UTC KeyUsage:96 Extensions:[{Id:2.5.29.15 Critical:true Value:[3 2 1 6]} {Id:2.5.29.19 Critical:true Value:[48 3 1 1 255]} {Id:2.5.29.14 Critical:false Value:[4 20 151 74 13 27 152 46 44 214 93 233 91 19 63 138 183 86 83 67 187 191]}] ExtraExtensions:[] UnhandledCriticalExtensions:[] ExtKeyUsage:[] UnknownExtKeyUsage:[] BasicConstraintsValid:true IsCA:true MaxPathLen:-1 MaxPathLenZero:false SubjectKeyId:[151 74 13 27 152 46 44 214 93 233 91 19 63 138 183 86 83 67 187 191] AuthorityKeyId:[] OCSPServer:[] IssuingCertificateURL:[] DNSNames:[] EmailAddresses:[] IPAddresses:[] URIs:[] PermittedDNSDomainsCritical:false PermittedDNSDomains:[] ExcludedDNSDomains:[] PermittedIPRanges:[] ExcludedIPRanges:[] PermittedEmailAddresses:[] ExcludedEmailAddresses:[] PermittedURIDomains:[] ExcludedURIDomains:[] CRLDistributionPoints:[] PolicyIdentifiers:[]}
    config_test.go:655: CA1 :
    config_test.go:656: &{Raw:[] RawTBSCertificate:[] RawSubjectPublicKeyInfo:[] RawSubject:[] RawIssuer:[] Signature:[] SignatureAlgorithm:ECDSA-SHA256 PublicKeyAlgorithm:ECDSA PublicKey:0xc000727a20 Version:3 SerialNumber:+533910788463515367693985148197052179646950745500 Issuer:CN=CA1 Subject:CN=CA1 NotBefore:2023-07-29 07:55:00 +0000 UTC NotAfter:2043-07-24 07:55:00 +0000 UTC KeyUsage:96 Extensions:[{Id:2.5.29.15 Critical:true Value:[3 2 1 6]} {Id:2.5.29.19 Critical:true Value:[48 3 1 1 255]} {Id:2.5.29.14 Critical:false Value:[4 20 14 29 207 212 109 172 170 24 0 156 163 117 9 15 108 10 164 169 201 147]}] ExtraExtensions:[] UnhandledCriticalExtensions:[] ExtKeyUsage:[] UnknownExtKeyUsage:[] BasicConstraintsValid:true IsCA:true MaxPathLen:-1 MaxPathLenZero:false SubjectKeyId:[14 29 207 212 109 172 170 24 0 156 163 117 9 15 108 10 164 169 201 147] AuthorityKeyId:[] OCSPServer:[] IssuingCertificateURL:[] DNSNames:[] EmailAddresses:[] IPAddresses:[] URIs:[] PermittedDNSDomainsCritical:false PermittedDNSDomains:[] ExcludedDNSDomains:[] PermittedIPRanges:[] ExcludedIPRanges:[] PermittedEmailAddresses:[] ExcludedEmailAddresses:[] PermittedURIDomains:[] ExcludedURIDomains:[] CRLDistributionPoints:[] PolicyIdentifiers:[]}
    config_test.go:665: Intermediate1 :
    config_test.go:666: &{Raw:[] RawTBSCertificate:[] RawSubjectPublicKeyInfo:[] RawSubject:[] RawIssuer:[] Signature:[] SignatureAlgorithm:ECDSA-SHA256 PublicKeyAlgorithm:ECDSA PublicKey:0xc000424040 Version:3 SerialNumber:+533910788463515367693985148197052179646950745500 Issuer:CN=CA0 Subject:CN=CA1 NotBefore:2023-07-29 07:55:00 +0000 UTC NotAfter:2043-07-24 07:55:00 +0000 UTC KeyUsage:96 Extensions:[{Id:2.5.29.15 Critical:true Value:[3 2 1 6]} {Id:2.5.29.19 Critical:true Value:[48 3 1 1 255]} {Id:2.5.29.14 Critical:false Value:[4 20 14 29 207 212 109 172 170 24 0 156 163 117 9 15 108 10 164 169 201 147]} {Id:2.5.29.35 Critical:false Value:[48 22 128 20 151 74 13 27 152 46 44 214 93 233 91 19 63 138 183 86 83 67 187 191]}] ExtraExtensions:[] UnhandledCriticalExtensions:[] ExtKeyUsage:[] UnknownExtKeyUsage:[] BasicConstraintsValid:true IsCA:true MaxPathLen:-1 MaxPathLenZero:false SubjectKeyId:[14 29 207 212 109 172 170 24 0 156 163 117 9 15 108 10 164 169 201 147] AuthorityKeyId:[151 74 13 27 152 46 44 214 93 233 91 19 63 138 183 86 83 67 187 191] OCSPServer:[] IssuingCertificateURL:[] DNSNames:[] EmailAddresses:[] IPAddresses:[] URIs:[] PermittedDNSDomainsCritical:false PermittedDNSDomains:[] ExcludedDNSDomains:[] PermittedIPRanges:[] ExcludedIPRanges:[] PermittedEmailAddresses:[] ExcludedEmailAddresses:[] PermittedURIDomains:[] ExcludedURIDomains:[] CRLDistributionPoints:[] PolicyIdentifiers:[]}
    config_test.go:668: 
        	Error Trace:	/go/src/github.com/docker/swarmkit/ca/config_test.go:668
        	Error:      	Received unexpected error:
        	            	x509: certificate signed by unknown authority
        	            	error while validating signing CA certificate against roots and intermediates
        	            	github.com/moby/swarmkit/v2/ca.newLocalSigner
        	            		/go/src/github.com/docker/swarmkit/ca/certificates.go:632
        	            	github.com/moby/swarmkit/v2/ca.NewRootCA
        	            		/go/src/github.com/docker/swarmkit/ca/certificates.go:493
        	            	github.com/moby/swarmkit/v2/ca_test.TestRenewTLSConfigUpdatesRootOnUnknownAuthError
        	            		/go/src/github.com/docker/swarmkit/ca/config_test.go:667
        	            	testing.tRunner
        	            		/usr/local/go/src/testing/testing.go:1446
        	            	runtime.goexit
        	            		/usr/local/go/src/runtime/asm_amd64.s:1594
        	Test:       	TestRenewTLSConfigUpdatesRootOnUnknownAuthError

@thaJeztah
Member Author

Suggestion from Cory; try with GODEBUG=x509sha1=1

@corhere
Contributor

corhere commented Nov 30, 2023

> Suggestion from Cory; try with GODEBUG=x509sha1=1

Studying the debug output more closely, and the swarmkit source, I now see that won't do anything.

@corhere
Contributor

corhere commented Nov 30, 2023

https://go.dev/issue/58792 might be related

@thaJeztah
Member Author

That, at a glance, looks very plausible yes (great find!).

@corhere
Contributor

corhere commented Nov 30, 2023

    config_test.go:663: rootCert:
    config_test.go:663:   Subject: CN=CA0
    config_test.go:663:   Issuer:  CN=CA0
    config_test.go:663: ----------------
    config_test.go:664: signCert:
    config_test.go:664:   Subject: CN=CA1
    config_test.go:664:   Issuer:  CN=CA1
    config_test.go:664: ----------------
    config_test.go:665: crossSigneds:
    config_test.go:665:   Subject: CN=CA1
    config_test.go:665:   Issuer:  CN=CA0

NewRootCA() asserts that signCert can chain up to rootCert with crossSigneds as the intermediate. signCert is self-signed, so go#58792 is the reason the test is failing on Go 1.19 and above.

To be clear, the behaviour change in Go is a bugfix, not a regression. The test is broken and always has been.

Also, the cross-signed certs have the same serial number as the template cert. While not the cause of the test failures, it's not kosher either to have more than one cert with the same subject and serial.
