TestVerify go test certificate expiration #19

Open
sarcasticadmin opened this issue Mar 27, 2024 · 0 comments


sarcasticadmin commented Mar 27, 2024

Description

TestVerify go test fails currently off master (6106ac9):

$ go test -v -run TestVerify ./fetcher
=== RUN   TestVerify
t=2024-03-27T19:23:42+0000 lvl=eror msg="Signature verification failed: verifyTopologySignature" err="unable to validate certificate chain: exit status 1"
--- FAIL: TestVerify (0.03s)
FAIL
FAIL    github.com/netsec-ethz/bootstrapper/fetcher     0.032s
FAIL

If you incorporate the more verbose output from #18, it explains the error in more detail (certificate expiration):

$ go test -v ./fetcher
=== RUN   TestVerify
t=2024-03-27T19:22:11+0000 lvl=eror msg="Signature verification failed: verifyTopologySignature" err="unable to validate certificate chain: Error: verification failed: chain did not verify against any selected TRC {errors=[verifying chain {trc_base=1; trc_serial=1}: x509: certificate has expired or is not yet valid: current time 2024-03-27T19:22:11Z is after 2024-02-15T14:44:03Z]}\n exit status 1"
--- FAIL: TestVerify (0.02s)
=== RUN   TestExtractSignerInfo
--- PASS: TestExtractSignerInfo (0.01s)
=== RUN   TestWipeInsecureSymlinks
--- PASS: TestWipeInsecureSymlinks (0.00s)
FAIL
FAIL    github.com/netsec-ethz/bootstrapper/fetcher     0.037s
FAIL

This can also be verified if you look at the temporary files generated for the test:

$ cd /tmp/bootstrapper-cppki-tests_<uuid>
$ scion-pki certificate verify --trc certs/ISD17-B1-S1.trc bootstrapper/verify-1711563260/as_cert_chain.pem
Error: verification failed: chain did not verify against any selected TRC {errors=[verifying chain {trc_base=1; trc_serial=1}: x509: certificate has expired or is not yet valid: current time 2024-03-27T19:26:49Z is after 2024-02-15T14:44:03Z]}

And I can confirm the TRC is valid but the AS cert chain is not:

TRC:

$ scion-pki trc inspect ./certs/ISD17-B1-S1.trc
version: 1
id:
  isd: 17
  base_number: 1
  serial_number: 1
validity:
  not_before: 2023-02-15T14:43:58Z
  not_after: 2025-02-14T14:43:57Z
no_trust_reset: false
voting_quorum: 1
core_ases:
- ffaa:0:1101
authoritative_ases:
- ffaa:0:1101
description: SCIONLab TRC for ISD 17
certificates:
- type: sensitive-voting
  common_name: 17-ffaa:0:1101 Sensitive Voting Certificate
  isd_as: 17-ffaa:0:1101
  serial_number: 1B 8D 11 31 D9 60 CF F1 62 07 23 97 1E 55 39 60 E6 A0 EE 6B
  validity:
    not_before: 2023-02-15T14:43:58Z
    not_after: 2025-02-14T14:43:58Z
  index: 0
- type: regular-voting
  common_name: 17-ffaa:0:1101 Regular Voting Certificate
  isd_as: 17-ffaa:0:1101
  serial_number: 79 C9 07 75 EB 64 EB 1F 76 82 D4 B4 EF 87 69 83 0A 47 55 FF
  validity:
    not_before: 2023-02-15T14:43:58Z
    not_after: 2025-02-14T14:43:58Z
  index: 1
- type: cp-root
  common_name: 17-ffaa:0:1101 High Security Root Certificate
  isd_as: 17-ffaa:0:1101
  serial_number: 41 12 C5 43 AA 60 A0 33 BC 8C 0F 5A 28 31 4A 5C EF 18 8A FF
  validity:
    not_before: 2023-02-15T14:43:58Z
    not_after: 2025-02-14T14:43:58Z
  index: 2
signatures:
- common_name: 17-ffaa:0:1101 Regular Voting Certificate
  isd_as: 17-ffaa:0:1101
  serial_number: 79 C9 07 75 EB 64 EB 1F 76 82 D4 B4 EF 87 69 83 0A 47 55 FF
  signing_time: 2023-02-15T14:43:59Z
- common_name: 17-ffaa:0:1101 Sensitive Voting Certificate
  isd_as: 17-ffaa:0:1101
  serial_number: 1B 8D 11 31 D9 60 CF F1 62 07 23 97 1E 55 39 60 E6 A0 EE 6B
  signing_time: 2023-02-15T14:43:59Z

AS cert chain:

$ scion-pki certificate inspect bootstrapper/verify-1711563260/as_cert_chain.pem 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 683721132898883334608280617416430018731715877094 (0x77c31daf26b06d6cf03135102ca1256440d058e6)
    Signature Algorithm: ECDSA-SHA512
        Issuer: C=CH,ST=ZH,L=Zürich,O=Netsec,OU=Netsec,CN=17-ffaa:0:1101 Secure CA Certificate,UnknownOID=1.3.6.1.4.1.55324.1.2.1
        Validity
            Not Before: Feb 15 14:44:03 2023 UTC
            Not After : Feb 15 14:44:03 2024 UTC
        Subject: C=CH,ST=ZH,L=Zürich,O=Netsec,OU=Netsec,CN=17-ffaa:1:1 AS Certificate,UnknownOID=1.3.6.1.4.1.55324.1.2.1
        Subject Public Key Info:
            Public Key Algorithm: ECDSA
                Public-Key: (256 bit)
                X:
                    80:05:14:eb:74:f7:80:ca:a0:84:e4:1e:c9:12:c5:
                    76:7c:df:3d:95:b5:cb:ac:54:27:4d:6e:49:50:8d:
                    50:60
                Y:
                    c0:ba:7e:06:e4:f1:47:03:09:d1:f5:91:a4:56:a4:
                    02:1c:e6:2b:a2:5f:11:4c:37:83:45:e2:e0:92:78:
                    3a:77
                Curve: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Subject Key Identifier:
                D4:9B:0C:E9:87:9E:9E:9E:48:62:18:33:28:51:7B:CA:A0:5C:69:CF
            X509v3 Authority Key Identifier:
                keyid:5B:08:CD:06:EF:6C:B3:6F:F5:6E:BD:1C:1F:3E:DB:6A:0B:2A:48:CA
            X509v3 Extended Key Usage:
                Server Authentication, Client Authentication, Time Stamping
    Signature Algorithm: ECDSA-SHA512
         30:46:02:21:00:b6:22:c9:8d:ca:b0:b4:6d:fb:fd:c1:89:4b:
         aa:38:3a:8a:b1:75:b1:61:b5:48:da:79:b1:a6:3a:96:4e:87:
         5d:02:21:00:96:0c:4a:e4:ba:67:23:44:21:e7:28:75:3c:0a:
         0c:e0:8e:fb:54:d3:a7:4d:43:9b:40:05:c8:ce:04:55:f8:ac
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 58819176891451386468343669332218926409222400689 (0xa4d8b0963c9987f874e7cde8c7db7b9fa772ab1)
    Signature Algorithm: ECDSA-SHA512
        Issuer: C=CH,ST=ZH,L=Zürich,O=Netsec,OU=Netsec,CN=17-ffaa:0:1101 High Security Root Certificate,UnknownOID=1.3.6.1.4.1.55324.1.2.1
        Validity
            Not Before: Feb 15 14:43:58 2023 UTC
            Not After : Feb 14 14:43:58 2025 UTC
        Subject: C=CH,ST=ZH,L=Zürich,O=Netsec,OU=Netsec,CN=17-ffaa:0:1101 Secure CA Certificate,UnknownOID=1.3.6.1.4.1.55324.1.2.1
        Subject Public Key Info:
            Public Key Algorithm: ECDSA
                Public-Key: (256 bit)
                X:
                    81:39:4b:bb:6a:c8:14:4c:9e:11:d2:a7:98:9b:be:
                    ec:9b:84:d5:c7:78:28:ef:ae:98:c3:a7:c2:b5:83:
                    c9:b4
                Y:
                    b6:b2:f1:d6:89:16:45:60:d1:68:52:14:3e:69:2c:
                    31:6c:ee:d8:04:e4:fb:b7:9f:38:b9:16:48:c1:1b:
                    10:69
                Curve: P-256
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                5B:08:CD:06:EF:6C:B3:6F:F5:6E:BD:1C:1F:3E:DB:6A:0B:2A:48:CA
            X509v3 Authority Key Identifier:
                keyid:F0:C9:71:F6:3C:76:08:0A:14:FA:B5:43:81:C3:5F:FD:A6:6C:DD:FF
    Signature Algorithm: ECDSA-SHA512
         30:46:02:21:00:a9:13:c0:92:69:d1:70:e3:c6:e0:21:d4:ed:
         a4:c4:b5:d7:a6:c7:79:5d:74:ee:2e:06:ac:64:dc:4e:7b:c8:
         5b:02:21:00:96:b2:40:71:5b:cc:29:7a:ed:95:86:23:7d:40:
         cd:50:03:45:8d:c5:52:e6:cd:6c:e8:0d:3c:25:02:9c:b2:dc

Expected Behavior

  • Certificate verification passes
  • Omit or mock datetime during verification
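As an added example of the second expected-behaviour item (not the bootstrapper's own code), this builds a constructed chain with the dates of the expired fixture above, using deterministic Ed25519 test keys instead of the fixture's ECDSA keys, and verifies it at a fixed instant through x509.VerifyOptions.CurrentTime rather than wall-clock time. The function names issue, buildChain and verifyAt and the seeds are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue has signer sign tmpl under parent and parses the resulting DER back.
func issue(tmpl, parent *x509.Certificate, pub any, signer ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildChain constructs a throwaway fixture (not the project's real one): a CA that outlives
// the leaf by a year, and a leaf "AS certificate" valid only within [notBefore, notAfter].
func buildChain(notBefore, notAfter time.Time) (leaf, ca *x509.Certificate, err error) {
	// Deterministic fixture keys from constructed seeds: fine for a test, never for real use.
	caKey := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	leafKey := ed25519.NewKeyFromSeed(append([]byte{1}, make([]byte, ed25519.SeedSize-1)...))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test Secure CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: notBefore, NotAfter: notAfter.AddDate(1, 0, 0),
	}
	if ca, err = issue(caTmpl, caTmpl, caKey.Public(), caKey); err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "test AS Certificate"},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	leaf, err = issue(leafTmpl, ca, leafKey.Public(), caKey)
	return leaf, ca, err
}

// verifyAt validates leaf against ca at a fixed instant. A zero CurrentTime makes Go use
// time.Now(), which is what lets a checked-in fixture silently expire under the test.
func verifyAt(leaf, ca *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
```

The project's TestVerify shells out to scion-pki (hence "exit status 1") rather than calling crypto/x509 directly, so this only shows the principle; the CA is deliberately given a year more than the leaf so that, as in the issue, only the leaf is expired.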