TestVerify go test certificate expiration #19

Open
sarcasticadmin opened this issue Mar 27, 2024 · 0 comments


sarcasticadmin commented Mar 27, 2024

Description

TestVerify go test fails currently off master (6106ac9):

$ go test -v -run TestVerify ./fetcher
=== RUN   TestVerify
t=2024-03-27T19:23:42+0000 lvl=eror msg="Signature verification failed: verifyTopologySignature" err="unable to validate certificate chain: exit status 1"
--- FAIL: TestVerify (0.03s)
FAIL
FAIL    github.com/netsec-ethz/bootstrapper/fetcher     0.032s
FAIL

If you incorporate the more verbose output from #18 it explains the error in more detail (certificate expiration):

$ go test -v ./fetcher
=== RUN   TestVerify
t=2024-03-27T19:22:11+0000 lvl=eror msg="Signature verification failed: verifyTopologySignature" err="unable to validate certificate chain: Error: verification failed: chain did not verify against any selected TRC {errors=[verifying chain {trc_base=1; trc_serial=1}: x509: certificate has expired or is not yet valid: current time 2024-03-27T19:22:11Z is after 2024-02-15T14:44:03Z]}\n exit status 1"
--- FAIL: TestVerify (0.02s)
=== RUN   TestExtractSignerInfo
--- PASS: TestExtractSignerInfo (0.01s)
=== RUN   TestWipeInsecureSymlinks
--- PASS: TestWipeInsecureSymlinks (0.00s)
FAIL
FAIL    github.com/netsec-ethz/bootstrapper/fetcher     0.037s
FAIL

This can also be verified if you look at the temporary files generated for the test:

$ cd /tmp/bootstrapper-cppki-tests_<uuid>
$ scion-pki certificate verify --trc certs/ISD17-B1-S1.trc bootstrapper/verify-1711563260/as_cert_chain.pem
Error: verification failed: chain did not verify against any selected TRC {errors=[verifying chain {trc_base=1; trc_serial=1}: x509: certificate has expired or is not yet valid: current time 2024-03-27T19:26:49Z is after 2024-02-15T14:44:03Z]}

And I can confirm the TRC is valid but the AS cert chain is not:

TRC:

$ scion-pki trc inspect ./certs/ISD17-B1-S1.trc
version: 1
id:
  isd: 17
  base_number: 1
  serial_number: 1
validity:
  not_before: 2023-02-15T14:43:58Z
  not_after: 2025-02-14T14:43:57Z
no_trust_reset: false
voting_quorum: 1
core_ases:
- ffaa:0:1101
authoritative_ases:
- ffaa:0:1101
description: SCIONLab TRC for ISD 17
certificates:
- type: sensitive-voting
  common_name: 17-ffaa:0:1101 Sensitive Voting Certificate
  isd_as: 17-ffaa:0:1101
  serial_number: 1B 8D 11 31 D9 60 CF F1 62 07 23 97 1E 55 39 60 E6 A0 EE 6B
  validity:
    not_before: 2023-02-15T14:43:58Z
    not_after: 2025-02-14T14:43:58Z
  index: 0
- type: regular-voting
  common_name: 17-ffaa:0:1101 Regular Voting Certificate
  isd_as: 17-ffaa:0:1101
  serial_number: 79 C9 07 75 EB 64 EB 1F 76 82 D4 B4 EF 87 69 83 0A 47 55 FF
  validity:
    not_before: 2023-02-15T14:43:58Z
    not_after: 2025-02-14T14:43:58Z
  index: 1
- type: cp-root
  common_name: 17-ffaa:0:1101 High Security Root Certificate
  isd_as: 17-ffaa:0:1101
  serial_number: 41 12 C5 43 AA 60 A0 33 BC 8C 0F 5A 28 31 4A 5C EF 18 8A FF
  validity:
    not_before: 2023-02-15T14:43:58Z
    not_after: 2025-02-14T14:43:58Z
  index: 2
signatures:
- common_name: 17-ffaa:0:1101 Regular Voting Certificate
  isd_as: 17-ffaa:0:1101
  serial_number: 79 C9 07 75 EB 64 EB 1F 76 82 D4 B4 EF 87 69 83 0A 47 55 FF
  signing_time: 2023-02-15T14:43:59Z
- common_name: 17-ffaa:0:1101 Sensitive Voting Certificate
  isd_as: 17-ffaa:0:1101
  serial_number: 1B 8D 11 31 D9 60 CF F1 62 07 23 97 1E 55 39 60 E6 A0 EE 6B
  signing_time: 2023-02-15T14:43:59Z

AS cert chain:

$ scion-pki certificate inspect bootstrapper/verify-1711563260/as_cert_chain.pem 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 683721132898883334608280617416430018731715877094 (0x77c31daf26b06d6cf03135102ca1256440d058e6)
    Signature Algorithm: ECDSA-SHA512
        Issuer: C=CH,ST=ZH,L=Zürich,O=Netsec,OU=Netsec,CN=17-ffaa:0:1101 Secure CA Certificate,UnknownOID=1.3.6.1.4.1.55324.1.2.1
        Validity
            Not Before: Feb 15 14:44:03 2023 UTC
            Not After : Feb 15 14:44:03 2024 UTC
        Subject: C=CH,ST=ZH,L=Zürich,O=Netsec,OU=Netsec,CN=17-ffaa:1:1 AS Certificate,UnknownOID=1.3.6.1.4.1.55324.1.2.1
        Subject Public Key Info:
            Public Key Algorithm: ECDSA
                Public-Key: (256 bit)
                X:
                    80:05:14:eb:74:f7:80:ca:a0:84:e4:1e:c9:12:c5:
                    76:7c:df:3d:95:b5:cb:ac:54:27:4d:6e:49:50:8d:
                    50:60
                Y:
                    c0:ba:7e:06:e4:f1:47:03:09:d1:f5:91:a4:56:a4:
                    02:1c:e6:2b:a2:5f:11:4c:37:83:45:e2:e0:92:78:
                    3a:77
                Curve: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Subject Key Identifier:
                D4:9B:0C:E9:87:9E:9E:9E:48:62:18:33:28:51:7B:CA:A0:5C:69:CF
            X509v3 Authority Key Identifier:
                keyid:5B:08:CD:06:EF:6C:B3:6F:F5:6E:BD:1C:1F:3E:DB:6A:0B:2A:48:CA
            X509v3 Extended Key Usage:
                Server Authentication, Client Authentication, Time Stamping
    Signature Algorithm: ECDSA-SHA512
         30:46:02:21:00:b6:22:c9:8d:ca:b0:b4:6d:fb:fd:c1:89:4b:
         aa:38:3a:8a:b1:75:b1:61:b5:48:da:79:b1:a6:3a:96:4e:87:
         5d:02:21:00:96:0c:4a:e4:ba:67:23:44:21:e7:28:75:3c:0a:
         0c:e0:8e:fb:54:d3:a7:4d:43:9b:40:05:c8:ce:04:55:f8:ac
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 58819176891451386468343669332218926409222400689 (0xa4d8b0963c9987f874e7cde8c7db7b9fa772ab1)
    Signature Algorithm: ECDSA-SHA512
        Issuer: C=CH,ST=ZH,L=Zürich,O=Netsec,OU=Netsec,CN=17-ffaa:0:1101 High Security Root Certificate,UnknownOID=1.3.6.1.4.1.55324.1.2.1
        Validity
            Not Before: Feb 15 14:43:58 2023 UTC
            Not After : Feb 14 14:43:58 2025 UTC
        Subject: C=CH,ST=ZH,L=Zürich,O=Netsec,OU=Netsec,CN=17-ffaa:0:1101 Secure CA Certificate,UnknownOID=1.3.6.1.4.1.55324.1.2.1
        Subject Public Key Info:
            Public Key Algorithm: ECDSA
                Public-Key: (256 bit)
                X:
                    81:39:4b:bb:6a:c8:14:4c:9e:11:d2:a7:98:9b:be:
                    ec:9b:84:d5:c7:78:28:ef:ae:98:c3:a7:c2:b5:83:
                    c9:b4
                Y:
                    b6:b2:f1:d6:89:16:45:60:d1:68:52:14:3e:69:2c:
                    31:6c:ee:d8:04:e4:fb:b7:9f:38:b9:16:48:c1:1b:
                    10:69
                Curve: P-256
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                5B:08:CD:06:EF:6C:B3:6F:F5:6E:BD:1C:1F:3E:DB:6A:0B:2A:48:CA
            X509v3 Authority Key Identifier:
                keyid:F0:C9:71:F6:3C:76:08:0A:14:FA:B5:43:81:C3:5F:FD:A6:6C:DD:FF
    Signature Algorithm: ECDSA-SHA512
         30:46:02:21:00:a9:13:c0:92:69:d1:70:e3:c6:e0:21:d4:ed:
         a4:c4:b5:d7:a6:c7:79:5d:74:ee:2e:06:ac:64:dc:4e:7b:c8:
         5b:02:21:00:96:b2:40:71:5b:cc:29:7a:ed:95:86:23:7d:40:
         cd:50:03:45:8d:c5:52:e6:cd:6c:e8:0d:3c:25:02:9c:b2:dc

Expected Behavior

  • Certificate verification passes
  • Omit or mock datetime during verification
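The second expected-behaviour bullet, pinning the verification time instead of reading the wall clock, is what Go's crypto/x509 exposes as VerifyOptions.CurrentTime. The following is an added example, not code from the bootstrapper repository and not the scion-pki verifier the test shells out to: it builds a constructed two-certificate chain (ECDSA P-256, validity windows copied from the issue's inspect output, hypothetical subject names) and verifies it once at a date inside the AS certificate's validity and once at the issue's failing date, 2024-03-27T19:22:11Z. The helper names buildChain, verifyAt and isExpiredError are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Validity windows taken from the issue's inspect output. The certificates
// themselves are generated below, so this is constructed test data, not the
// SCIONLab chain.
var (
	caNotBefore   = time.Date(2023, 2, 15, 14, 43, 58, 0, time.UTC)
	caNotAfter    = time.Date(2025, 2, 14, 14, 43, 58, 0, time.UTC)
	leafNotBefore = time.Date(2023, 2, 15, 14, 44, 3, 0, time.UTC)
	leafNotAfter  = time.Date(2024, 2, 15, 14, 44, 3, 0, time.UTC)
)

// buildChain generates a self-signed CA and an end-entity ("AS") certificate
// signed by it, mirroring the key usages seen in the issue's chain.
func buildChain() (leaf, ca *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Secure CA Certificate"}, // hypothetical name
		NotBefore:             caNotBefore,
		NotAfter:              caNotAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true, // pathlen:0 as in the issue's CA certificate
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Example AS Certificate"}, // hypothetical name
		NotBefore:    leafNotBefore,
		NotAfter:     leafNotAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{
			x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageTimeStamping,
		},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if leaf, err = x509.ParseCertificate(leafDER); err != nil {
		return nil, nil, err
	}
	return leaf, ca, nil
}

// verifyAt validates leaf against ca as if the clock read now. CurrentTime is
// the knob a test should pin; left zero, Verify uses time.Now() and a fixture
// like the one in the issue starts failing the day the leaf expires.
func verifyAt(leaf, ca *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// isExpiredError reports whether err is Go's "expired or is not yet valid"
// failure, the same condition scion-pki reported in the issue.
func isExpiredError(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

func main() {
	leaf, ca, err := buildChain()
	if err != nil {
		panic(err)
	}
	for _, now := range []time.Time{
		time.Date(2023, 6, 1, 0, 0, 0, 0, time.UTC),        // inside the AS cert's validity
		time.Date(2024, 3, 27, 19, 22, 11, 0, time.UTC),    // the failing run in the issue
	} {
		fmt.Printf("verify at %s: %v\n", now.Format(time.RFC3339), verifyAt(leaf, ca, now))
	}
}
```

The same chain passes at the first date and fails with the expiry reason at the second; a test that injects the clock this way stays green regardless of when it runs, while production code keeps the real clock. Whether the bootstrapper can apply the same idea depends on whether its scion-pki invocation accepts a verification time, which the issue does not show.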