Ben Reser <b...@reser.org> writes:

> I think we should get this merged to trunk.
>
> The original email asking to start this merge happened back in August here:
> https://mail-archives.apache.org/mod_mbox/subversion-dev/201408.mbox/%3C53E1C1D7.2040005%40reser.org%3E
>
> Since that email the checksum formatting code was removed and there have been
> some API changes to make the API more capable of fully representing the
> certificates. As well as quite a few bug fixes.
>
> You can get a diff with:
> svn diff ^/subversion/trunk@1655188 ^/subversion/branches/svn-auth-x509
>
> Per the decision in Berlin 2013, I'm asking for a vote to bring this branch
> into trunk. This is currently holding up the 1.9 branch, so I'd like to get this
> on trunk.
>
> There are some further fixes I'd like to make but I'm going to hold off on
> doing that for now and do so on trunk.
Here are a couple of findings I would like to share.

I took the certificates from a regression suite in [1] and fed them to the new
X509 parser, svn_x509_parse_cert(). The parser currently fails to parse 20 of
the test certificates, mostly with an SVN_ERR_ASN1_LENGTH_MISMATCH. Please see
the attached fails log.

I think that the only expected failure is the last one, google.pem_cert.p7b,
which happens with a deliberately broken PEM certificate stored in a file with
a .p7b extension. Other failures look quite unexpected to me. Failing
certificates are a bit special — for instance, one of them has the EKU set to
Code Signing (1.3.6.1.5.5.7.3.3), and the other ones are using 768-bit RSA,
but I would not say this is a reason for the parser to break on them. Other
existing parsers, like the one provided within the CryptoAPI [2], do not error
out when parsing them.

I might be missing something, because I did not examine the root cause of this
behavior. Also, I did not review the branch itself, so, no comments on merging
it to trunk.

[1] http://src.chromium.org/svn/trunk/src/net/data/ssl/certificates
[2] https://msdn.microsoft.com/en-us/library/windows/desktop/aa376033

Regards,
Evgeny Kotkov
multivalue_rdn.pem - FAIL
..\..\..\subversion\libsvn_subr\x509parse.c:1118, ..\..\..\subversion\libsvn_subr\x509parse.c:318: (apr_err=SVN_ERR_X509_CERT_INVALID_NAME) E240011: Found invalid name in certificate
..\..\..\subversion\libsvn_subr\x509parse.c:317: (apr_err=SVN_ERR_ASN1_LENGTH_MISMATCH) E240003: ASN1 length mismatch

2048-rsa-ee-by-prime256v1-ecdsa-intermediate.pem - FAIL
..\..\..\subversion\libsvn_subr\x509parse.c:1173: (apr_err=SVN_ERR_X509_CERT_INVALID_FORMAT) E240007: Invalid certificate format
..\..\..\subversion\libsvn_subr\x509parse.c:1172: (apr_err=SVN_ERR_ASN1_LENGTH_MISMATCH) E240003: ASN1 length mismatch

prime256v1-ecdsa-ee-by-prime256v1-ecdsa-intermediate.pem - FAIL
..\..\..\subversion\libsvn_subr\x509parse.c:1173: (apr_err=SVN_ERR_X509_CERT_INVALID_FORMAT) E240007: Invalid certificate format
..\..\..\subversion\libsvn_subr\x509parse.c:1172: (apr_err=SVN_ERR_ASN1_LENGTH_MISMATCH) E240003: ASN1 length mismatch

crit-codeSigning-chain.pem - FAIL
..\..\..\subversion\libsvn_subr\x509parse.c:1173: (apr_err=SVN_ERR_X509_CERT_INVALID_FORMAT) E240007: Invalid certificate format
..\..\..\subversion\libsvn_subr\x509parse.c:1172: (apr_err=SVN_ERR_ASN1_LENGTH_MISMATCH) E240003: ASN1 length mismatch

768-rsa-ee-by-768-rsa-intermediate.pem - FAIL
..\..\..\subversion\libsvn_subr\x509parse.c:1173: (apr_err=SVN_ERR_X509_CERT_INVALID_FORMAT) E240007: Invalid certificate format
..\..\..\subversion\libsvn_subr\x509parse.c:1172: (apr_err=SVN_ERR_ASN1_LENGTH_MISMATCH) E240003: ASN1 length mismatch

1024-rsa-ee-by-1024-rsa-intermediate.pem - FAIL
..\..\..\subversion\libsvn_subr\x509parse.c:1173: (apr_err=SVN_ERR_X509_CERT_INVALID_FORMAT) E240007: Invalid certificate format
..\..\..\subversion\libsvn_subr\x509parse.c:1172: (apr_err=SVN_ERR_ASN1_LENGTH_MISMATCH) E240003: ASN1 length mismatch

1024-rsa-ee-by-2048-rsa-intermediate.pem - FAIL
..\..\..\subversion\libsvn_subr\x509parse.c:1173: (apr_err=SVN_ERR_X509_CERT_INVALID_FORMAT) E240007: Invalid certificate format
..\..\..\subversion\libsvn_subr\x509parse.c:1172: (apr_err=SVN_ERR_ASN1_LENGTH_MISMATCH) E240003: ASN1 length mismatch

prime256v1-ecdsa-ee-by-768-rsa-intermediate.pem - FAIL
..\..\..\subversion\libsvn_subr\x509parse.c:1173: (apr_err=SVN_ERR_X509_CERT_INVALID_FORMAT) E240007: Invalid certificate format
..\..\..\subversion\libsvn_subr\x509parse.c:1172: (apr_err=SVN_ERR_ASN1_LENGTH_MISMATCH) E240003: ASN1 length mismatch

768-rsa-ee-by-prime256v1-ecdsa-intermediate.pem - FAIL
..\..\..\subversion\libsvn_subr\x509parse.c:1173: (apr_err=SVN_ERR_X509_CERT_INVALID_FORMAT) E240007: Invalid certificate format
..\..\..\subversion\libsvn_subr\x509parse.c:1172: (apr_err=SVN_ERR_ASN1_LENGTH_MISMATCH) E240003: ASN1 length mismatch

2048-rsa-ee-by-1024-rsa-intermediate.pem - FAIL
..\..\..\subversion\libsvn_subr\x509parse.c:1173: (apr_err=SVN_ERR_X509_CERT_INVALID_FORMAT) E240007: Invalid certificate format
..\..\..\subversion\libsvn_subr\x509parse.c:1172: (apr_err=SVN_ERR_ASN1_LENGTH_MISMATCH) E240003: ASN1 length mismatch

2048-rsa-ee-by-2048-rsa-intermediate.pem - FAIL
..\..\..\subversion\libsvn_subr\x509parse.c:1173: (apr_err=SVN_ERR_X509_CERT_INVALID_FORMAT) E240007: Invalid certificate format
..\..\..\subversion\libsvn_subr\x509parse.c:1172: (apr_err=SVN_ERR_ASN1_LENGTH_MISMATCH) E240003: ASN1 length mismatch

prime256v1-ecdsa-ee-by-1024-rsa-intermediate.pem - FAIL
..\..\..\subversion\libsvn_subr\x509parse.c:1173: (apr_err=SVN_ERR_X509_CERT_INVALID_FORMAT) E240007: Invalid certificate format
..\..\..\subversion\libsvn_subr\x509parse.c:1172: (apr_err=SVN_ERR_ASN1_LENGTH_MISMATCH) E240003: ASN1 length mismatch

prime256v1-ecdsa-ee-by-2048-rsa-intermediate.pem - FAIL
..\..\..\subversion\libsvn_subr\x509parse.c:1173: (apr_err=SVN_ERR_X509_CERT_INVALID_FORMAT) E240007: Invalid certificate format
..\..\..\subversion\libsvn_subr\x509parse.c:1172: (apr_err=SVN_ERR_ASN1_LENGTH_MISMATCH) E240003: ASN1 length mismatch

1024-rsa-ee-by-768-rsa-intermediate.pem - FAIL
..\..\..\subversion\libsvn_subr\x509parse.c:1173: (apr_err=SVN_ERR_X509_CERT_INVALID_FORMAT) E240007: Invalid certificate format
..\..\..\subversion\libsvn_subr\x509parse.c:1172: (apr_err=SVN_ERR_ASN1_LENGTH_MISMATCH) E240003: ASN1 length mismatch

768-rsa-ee-by-1024-rsa-intermediate.pem - FAIL
..\..\..\subversion\libsvn_subr\x509parse.c:1173: (apr_err=SVN_ERR_X509_CERT_INVALID_FORMAT) E240007: Invalid certificate format
..\..\..\subversion\libsvn_subr\x509parse.c:1172: (apr_err=SVN_ERR_ASN1_LENGTH_MISMATCH) E240003: ASN1 length mismatch

768-rsa-ee-by-2048-rsa-intermediate.pem - FAIL
..\..\..\subversion\libsvn_subr\x509parse.c:1173: (apr_err=SVN_ERR_X509_CERT_INVALID_FORMAT) E240007: Invalid certificate format
..\..\..\subversion\libsvn_subr\x509parse.c:1172: (apr_err=SVN_ERR_ASN1_LENGTH_MISMATCH) E240003: ASN1 length mismatch

2048-rsa-ee-by-768-rsa-intermediate.pem - FAIL
..\..\..\subversion\libsvn_subr\x509parse.c:1173: (apr_err=SVN_ERR_X509_CERT_INVALID_FORMAT) E240007: Invalid certificate format
..\..\..\subversion\libsvn_subr\x509parse.c:1172: (apr_err=SVN_ERR_ASN1_LENGTH_MISMATCH) E240003: ASN1 length mismatch

non-crit-codeSigning-chain.pem - FAIL
..\..\..\subversion\libsvn_subr\x509parse.c:1173: (apr_err=SVN_ERR_X509_CERT_INVALID_FORMAT) E240007: Invalid certificate format
..\..\..\subversion\libsvn_subr\x509parse.c:1172: (apr_err=SVN_ERR_ASN1_LENGTH_MISMATCH) E240003: ASN1 length mismatch

1024-rsa-ee-by-prime256v1-ecdsa-intermediate.pem - FAIL
..\..\..\subversion\libsvn_subr\x509parse.c:1173: (apr_err=SVN_ERR_X509_CERT_INVALID_FORMAT) E240007: Invalid certificate format
..\..\..\subversion\libsvn_subr\x509parse.c:1172: (apr_err=SVN_ERR_ASN1_LENGTH_MISMATCH) E240003: ASN1 length mismatch

google.pem_cert.p7b - FAIL
..\..\..\subversion\libsvn_subr\x509parse.c:1091: (apr_err=SVN_ERR_X509_CERT_INVALID_FORMAT) E240007: Invalid certificate format
..\..\..\subversion\libsvn_subr\x509parse.c:114: (apr_err=SVN_ERR_ASN1_UNEXPECTED_TAG) E240001: Unexpected ASN1 tag
-----BEGIN CERTIFICATE-----
MIIDTDCCAjQCAgDsMA0GCSqGSIb3DQEBBQUAMCAxHjAcBgNVBAMMFTIwNDggUlNB
IFRlc3QgUm9vdCBDQTAeFw0xMzAxMjMyMzUxMDVaFw0yMzAxMjEyMzUxMDVaMGAx
CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3Vu
dGFpbiBWaWV3MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD2qoTHe0DamF56TtpVv/Xo
Vjg3K6ZnR+HJefrTGaFQ+RERJtHQkZQ19YSTUomAZkcv9+TBFbiEI9AyYHMF0AWM
JRH9XZAZRW7h0Rw0UeuEax0WItujZP71riaqa1hJFkWoekGoG/xTLR5zgS38XMMA
IsrcJjtS34ENb6pwEtgS9djHeglQZBbvXIHte4GAWN3lHfKrekddBdKtlujPaEZ3
dp1hTrFEWJYASDE6UybgKYuCpdbfLARbhcCZ/3eMPGNE8KJCqNQUUq7472AUgqM2
r5qmJ+5VkDkNcjwOasl/E1CTiDWIkVmnoXN/JSv94JXmIeOSN9WlYOvrrfLLjEBD
AgMBAAGjVTBTMA8GA1UdEQQIMAaHBH8AAAEwDAYDVR0TAQH/BAIwADAdBgNVHQ4E
FgQU8c9WYIYie1/jAH7Yc6LyxB2p60MwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJ
KoZIhvcNAQEFBQADggEBAJNwLkjpGVUi6MQYnCrLTzzliAiojoxJ1T5qvHfXjSID
eJofAUOF5uzT7JAFR6Mj6ATkbXrvRa+xbBd84T6+EL3BBRKYxzyHSZ55MMqKRJXO
AL6BJg6Eg6sWkfMzMO8JUD5Le/hbbJBH+VX2TMu+UC3xwZbAwk8s7suLqtbC3SiJ
vLPR3NHswP6/uXsKq6qWzgiJ2MdQXbAW6pAV8CDT5rs7GIcScbe4Vuuchb6CfFNL
iCIIWWPudUJ8EGnpTP6wd1KBF/NCtWDlKhsDIaDfu6shRmv7eHasgOzDnVinJ6+K
sGChx4z549b5G+hEZz+8Q+Yy4dnKKXggjEVCDHY5wsA=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICsDCCAhmgAwIBAgIJAO9sL1fZ/VoPMA0GCSqGSIb3DQEBBQUAMHExbzAJBgNV
BAYTAlVTMA8GA1UECgwIQ2hyb21pdW0wFgYKCZImiZPyLGQBGRYIQ2hyb21pdW0w
GgYDVQQDDBNNdWx0aXZhbHVlIFJETiBUZXN0MB0GA1UECwwWQ2hyb21pdW0gbmV0
X3VuaXR0ZXN0czAeFw0xMTEyMDIwMzQ3MzlaFw0xMjAxMDEwMzQ3MzlaMHExbzAJ
BgNVBAYTAlVTMA8GA1UECgwIQ2hyb21pdW0wFgYKCZImiZPyLGQBGRYIQ2hyb21p
dW0wGgYDVQQDDBNNdWx0aXZhbHVlIFJETiBUZXN0MB0GA1UECwwWQ2hyb21pdW0g
bmV0X3VuaXR0ZXN0czCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAnSMQ7YeC
sOuk+0n128F7TfDtG/X48sG10oTe65SC8N6LBLfo7YYiQZlWVHEzjsFpaiv0dx4k
cIFbVghXAky/r5qgM1XiAGuzzFw7R27cBTC9DPlRwHArP3CiEKO3iz8i+qu9x0il
/9N70LcSSAu/kGLxikDbHRoM9d2SKhy2LGsCAwEAAaNQME4wHQYDVR0OBBYEFI1e
cfoqc7qfjmMyHF2rh9CrR6u3MB8GA1UdIwQYMBaAFI1ecfoqc7qfjmMyHF2rh9Cr
R6u3MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAGKwN01A47nxVHOkw
wFdbT8t9FFkY3pIg5meoqO3aATNaSEzkZoUljWtWgWfzr+n4ElwZBxeYv9cPurVk
a+wXygzWzsOzCUMKBI/aS8ijRervyvh6LpGojPGn1HttnXNLmhy+BLECs7cq6f0Z
hvImrEWhD5uZGlOxaZk+bFEjQHA=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBxzCCAVECAgDsMA0GCSqGSIb3DQEBBQUAMCcxJTAjBgNVBAMMHDc2OCByc2Eg
VGVzdCBpbnRlcm1lZGlhdGUgQ0EwHhcNMTExMjEyMjI0NzUzWhcNMjExMjA5MjI0
NzUzWjBgMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UE
BwwNTW91bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTESMBAGA1UEAwwJMTI3
LjAuMC4xMHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJyIS5u+tBObBO4fMTke8jp
q9O4zvWf9sIlOQjEoMipMEPU4/rxI1eak1HsAH2hhSItz3W3xGD34OltrEXl6xWl
J1z2qT2He4LcWjllA4vuMlX3KlL6qAdeMd7XAnS8AQIDAQABoxMwETAPBgNVHREE
CDAGhwR/AAABMA0GCSqGSIb3DQEBBQUAA2EAcGouErg+SWr0W8FXVLj9Wwog0cdx
NS9hOmQln5/yiNAQ9gilDxmxuu6iIf/aytEeQVSK5MJLU6rcX0aqZhNvPmXF8wXq
o3z86Ymzmo3B6ZhhMxxeZOOq4iUD+3BYm4GZ
-----END CERTIFICATE-----
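Most of the failures in the log above are SVN_ERR_ASN1_LENGTH_MISMATCH, the error a DER reader raises when a length field disagrees with the bytes actually present. The following is an added example, not code from Subversion's x509parse.c or the svn-auth-x509 branch, of a minimal DER tag-length-value reader in C that enforces the invariants behind that error: a length must not overrun the enclosing element, the children of a constructed element must fill it exactly, and (DER-specific) lengths must be definite and minimally encoded. The function and enum names are this example's own, and the byte strings are constructed for it rather than taken from the chromium suite; it goes slightly beyond the log by also exercising a legitimate long-form length, the case a parser most often gets wrong.

```c
/* Added example, not Subversion's x509parse.c: a minimal DER tag-length-value
 * reader that enforces the invariants behind an "ASN1 length mismatch".
 * All sample inputs are constructed, not taken from the chromium suite. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum der_status {
    DER_OK = 0,
    DER_ERR_UNEXPECTED_TAG,   /* outer element is not a SEQUENCE */
    DER_ERR_INVALID_LENGTH,   /* indefinite or non-minimal length encoding */
    DER_ERR_LENGTH_MISMATCH   /* length field disagrees with the bytes present */
};

struct der_tlv {
    uint8_t tag;
    const uint8_t *value;     /* first content byte */
    const uint8_t *end;       /* first byte after the element */
};

/* Decode one TLV from [p, end). DER requires definite, minimal lengths. */
static enum der_status der_read_tlv(const uint8_t *p, const uint8_t *end,
                                    struct der_tlv *out)
{
    size_t len = 0;
    if (end - p < 2)
        return DER_ERR_LENGTH_MISMATCH;    /* no room for tag + length */
    out->tag = *p++;
    uint8_t first = *p++;
    if (first < 0x80) {
        len = first;                       /* short form */
    } else {
        size_t nbytes = first & 0x7f;      /* long form: count of length bytes */
        if (nbytes == 0 || nbytes > sizeof(size_t))
            return DER_ERR_INVALID_LENGTH; /* 0x80 = indefinite, not DER */
        if ((size_t)(end - p) < nbytes)
            return DER_ERR_LENGTH_MISMATCH;
        if (nbytes > 1 && p[0] == 0)
            return DER_ERR_INVALID_LENGTH; /* leading zero byte: not minimal */
        for (size_t i = 0; i < nbytes; i++)
            len = (len << 8) | *p++;
        if (len < 0x80)
            return DER_ERR_INVALID_LENGTH; /* short form would have sufficed */
    }
    if ((size_t)(end - p) < len)
        return DER_ERR_LENGTH_MISMATCH;    /* content overruns the enclosing element */
    out->value = p; out->end = p + len;
    return DER_OK;
}

/* Parse buf[0..n) as a top-level SEQUENCE (the outer shape of a Certificate).
 * Returns the number of children, or -status on failure: the element must fill
 * the buffer exactly, and its children must fill the element exactly. */
static long parse_outer_sequence(const uint8_t *buf, size_t n)
{
    struct der_tlv outer, child = { 0, NULL, NULL };
    enum der_status st = der_read_tlv(buf, buf + n, &outer);
    long children = 0;
    if (st != DER_OK)
        return -(long)st;
    if (outer.tag != 0x30)
        return -(long)DER_ERR_UNEXPECTED_TAG;
    if (outer.end != buf + n)
        return -(long)DER_ERR_LENGTH_MISMATCH;   /* trailing bytes after the element */
    for (const uint8_t *p = outer.value; p < outer.end; p = child.end) {
        if ((st = der_read_tlv(p, outer.end, &child)) != DER_OK)
            return -(long)st;                    /* a child overran its parent */
        children++;
    }
    return children;
}

/* Constructed samples. */
static const uint8_t SAMPLE_GOOD[] =          /* SEQUENCE { INTEGER 1, INTEGER 2 } */
    { 0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02 };
static const uint8_t SAMPLE_TRUNCATED[] =     /* outer claims 6 bytes, 5 follow */
    { 0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01 };
static const uint8_t SAMPLE_INNER_OVERRUN[] = /* second INTEGER claims 3 bytes */
    { 0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x03, 0x02 };
static const uint8_t SAMPLE_TRAILING[] =      /* valid SEQUENCE plus a stray byte */
    { 0x30, 0x03, 0x02, 0x01, 0x01, 0x00 };
static const uint8_t SAMPLE_SET[] =           /* SET where a SEQUENCE is required */
    { 0x31, 0x03, 0x02, 0x01, 0x01 };
static const uint8_t SAMPLE_NONMINIMAL[] =    /* 0x81 0x03 where 0x03 would do */
    { 0x30, 0x81, 0x03, 0x02, 0x01, 0x01 };

/* A legitimate long-form length: 65 NULLs = 130 content bytes, encoded 0x81 0x82. */
static long long_form_children(void)
{
    uint8_t buf[3 + 130] = { 0x30, 0x81, 0x82 };   /* remaining bytes are zero */
    for (size_t i = 0; i < 65; i++)
        buf[3 + 2 * i] = 0x05;                      /* NULL: tag 05, length 00 */
    return parse_outer_sequence(buf, sizeof buf);
}

int main(void)
{
    printf("good: %ld children\n", parse_outer_sequence(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("truncated: %ld (-DER_ERR_LENGTH_MISMATCH)\n",
           parse_outer_sequence(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("long form: %ld children\n", long_form_children());
    return 0;
}
```

One thing the example makes visible that the log does not: an overrun deep inside the structure (SAMPLE_INNER_OVERRUN) produces the same length-mismatch status as an outright truncated buffer (SAMPLE_TRUNCATED) or a stray trailing byte (SAMPLE_TRAILING), so a bare status says little about which element tripped the check. That is why the paired entries above, an x509parse.c:1172 ASN1 error wrapped by an x509parse.c:1173 "Invalid certificate format" error, are worth reading together: the wrapping error at least identifies the layer that failed, and a parser that also reported the byte offset would make such a fails log far quicker to diagnose.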