On Tue, 12 Nov 2019 at 21:01, Paul Wouters <[email protected]> wrote: > > On Tue, 12 Nov 2019, Andrew Cagney wrote: > > > as in ... > > > > conn westnet-eastnet-x509 > > ikev2=no > > also=westnet > > also=eastnet > > left=192.1.2.45 > > leftcert=west > > leftid=%fromcert > > right=192.1.2.23 > > rightid=%fromcert > > rightcert=east > > Yes. > > >> I still think this check should go away. > > > > After checking that there are root certs, the code: > > > > - creates a list of certs sent over the wire > > - feeds this untrusted list + the root into CERT_PKIXVerifyCert() with: > > > > { > > .type = cert_pi_trustAnchors, > > .value = { .pointer = { .chain = trustcl } } > > }, > > { > > .type = cert_pi_useOnlyTrustAnchors, > > .value = { .scalar = { .b = PR_TRUE } } > > }, > > > > so if there's no root, or the only root is wrong, how can this pass? > > See lib/certdb/certt.h > > Looking at the logs of x509-pluto-05, the code never calls > verify_end_cert(). I made an ikev2 version of this test, > ikev2-x509-pluto-05 and it too never calls verify_end_cert() > > It does call find_and_verify_certs() which calls get_root_certs()
Right. If there's no root cert, find_and_verify_certs() tosses the cert payload and then both returns NULL and clears BAD. Since BAD is clear the code doesn't treat this as fatal and stumbles on finally using eastcert=east to select and use the local cert. If the message: 003 "westnet-eastnet-x509" #1: Authenticated using RSA with SHA-1 also include the cert used to authenticate this would be clearer. > Changing west to use the cert "road" properly fails: > > loading root certificate cache > "westnet-eastnet-x509" #1: No Certificate Authority in NSS Certificate DB! > Certificate payloads discarded. > "westnet-eastnet-x509" #1: certificate subjectAltName extension does not > match ID_DER_ASN1_DN 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test > Department, CN=east.testing.libreswan.org, [email protected]' > "westnet-eastnet-x509" #1: Peer ID 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, > OU=Test Department, CN=road.testing.libreswan.org, > [email protected]' mismatched on first found connection and > no better connection found > "westnet-eastnet-x509" #1: responding to IKE_AUTH message (ID 1) from > 192.1.2.45:500 with encrypted notification AUTHENTICATION_FAILED > > Paul _______________________________________________ Swan-dev mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan-dev
