I've sent a question to the NSS list. It seems that CERT_PKIXVerifyCert() considers a cert already in the NSS DB to be implicitly valid.

On Tue, 12 Nov 2019 at 22:42, Andrew Cagney <[email protected]> wrote:
>
> On Tue, 12 Nov 2019 at 21:01, Paul Wouters <[email protected]> wrote:
> >
> > On Tue, 12 Nov 2019, Andrew Cagney wrote:
> >
> > > as in ...
> > >
> > > conn westnet-eastnet-x509
> > >     ikev2=no
> > >     also=westnet
> > >     also=eastnet
> > >     left=192.1.2.45
> > >     leftcert=west
> > >     leftid=%fromcert
> > >     right=192.1.2.23
> > >     rightid=%fromcert
> > >     rightcert=east
> >
> > Yes.
> >
> > >> I still think this check should go away.
> > >
> > > After checking that there are root certs, the code:
> > >
> > > - creates a list of certs sent over the wire
> > > - feeds this untrusted list + the root into CERT_PKIXVerifyCert() with:
> > >
> > >     {
> > >         .type = cert_pi_trustAnchors,
> > >         .value = { .pointer = { .chain = trustcl } }
> > >     },
> > >     {
> > >         .type = cert_pi_useOnlyTrustAnchors,
> > >         .value = { .scalar = { .b = PR_TRUE } }
> > >     },
> > >
> > > so if there's no root, or the only root is wrong, how can this pass?
> > > See lib/certdb/certt.h
> >
> > Looking at the logs of x509-pluto-05, the code never calls
> > verify_end_cert(). I made an ikev2 version of this test,
> > ikev2-x509-pluto-05 and it too never calls verify_end_cert()
> >
> > It does call find_and_verify_certs() which calls get_root_certs()
>
> Right. If there's no root cert, find_and_verify_certs() tosses the
> cert payload and then both returns NULL and clears BAD. Since BAD is
> clear the code doesn't treat this as fatal and stumbles on finally
> using eastcert=east to select and use the local cert.
>
> If the message:
>
> 003 "westnet-eastnet-x509" #1: Authenticated using RSA with SHA-1
>
> also include the cert used to authenticate this would be clearer.
>
> > Changing west to use the cert "road" properly fails:
> >
> > loading root certificate cache
> > "westnet-eastnet-x509" #1: No Certificate Authority in NSS Certificate DB!
> > Certificate payloads discarded.
> > "westnet-eastnet-x509" #1: certificate subjectAltName extension does not
> > match ID_DER_ASN1_DN 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test
> > Department, CN=east.testing.libreswan.org,
> > [email protected]'
> > "westnet-eastnet-x509" #1: Peer ID 'C=CA, ST=Ontario, L=Toronto,
> > O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org,
> > [email protected]' mismatched on first found connection and
> > no better connection found
> > "westnet-eastnet-x509" #1: responding to IKE_AUTH message (ID 1) from
> > 192.1.2.45:500 with encrypted notification AUTHENTICATION_FAILED
> >
> > Paul
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
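
The fallback described in this thread, as an added example that is not part of the original messages and is not libreswan's code: a simplified C model of the "returns NULL and clears BAD" contract and what the caller does with it. The `model_*` names, the struct and the shortened DN strings are assumptions, and the peer's signature is assumed to check out against the preloaded cert's key.

```c
/* Simplified model of the control flow described in the thread.
 * Not libreswan source: every model_* name and struct is hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

enum outcome { AUTH_VERIFIED_CHAIN, AUTH_PRELOADED_CERT, AUTH_FAILED };

struct peer_msg {
	const char *id;       /* ID the peer claims (constructed sample DN) */
	const char *cert_dn;  /* subject of the CERT payload, NULL if none sent */
	bool chain_valid;     /* would the chain verify against a trust anchor? */
};

/* Mirrors the described contract: returns the verified DN or NULL;
 * *bad is set only when verification itself was attempted and failed. */
static const char *model_find_and_verify(const struct peer_msg *m,
					 size_t nr_roots, bool *bad)
{
	*bad = false;
	if (nr_roots == 0 || m->cert_dn == NULL)
		return NULL;  /* payload discarded or absent: NULL with bad clear */
	if (!m->chain_valid) {
		*bad = true;  /* only this path is fatal to the caller */
		return NULL;
	}
	return m->cert_dn;
}

/* preloaded_dn models the subject of the cert named by leftcert=/rightcert=. */
enum outcome model_authenticate(const struct peer_msg *m, size_t nr_roots,
				const char *preloaded_dn)
{
	bool bad;
	const char *verified = model_find_and_verify(m, nr_roots, &bad);

	if (bad)
		return AUTH_FAILED;
	if (verified != NULL)
		return strcmp(verified, m->id) == 0 ? AUTH_VERIFIED_CHAIN : AUTH_FAILED;
	/* NULL with bad clear: fall back to the locally configured cert.
	 * No chain was validated on this path; only the ID comparison is
	 * modelled here (signature check assumed to pass). */
	if (preloaded_dn != NULL && strcmp(preloaded_dn, m->id) == 0)
		return AUTH_PRELOADED_CERT;
	return AUTH_FAILED;
}
```

In the model, an empty root store is indistinguishable to the caller from a peer that sent no CERT payload, which is why the "west" case authenticates and the "road" case fails only on the ID mismatch.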
