Inconsistent chain validation on Windows / Linux which results to 2 failed unit tests on Linux #293
Comments
dbalikhin
changed the title
|
If it helps, I used WSL2 for debugging on Linux under Win (https://docs.microsoft.com/en-us/visualstudio/test/remote-testing?view=vs-2022#:~:text=Remote%20testing%20enables%20developers%20to,Windows%20or%20Linux%20operating%20systems.) The pure Linux runner fails the tests as well. |
|
Yep, you're 100% correct, I can confirm locally. Will figure it out and fix. |
|
Based on dotnet/runtime#55423, this definitely is known/expected behavior. With the |
|
Under the covers, this is almost exactly like #284. I think it makes sense to change the terminology from root to trust anchor and have this work from that perspective. |
|
The above only applies to the TestValidateTrustChainSubAnchor test. The issue with the TestInvalidU2FAttestationASync test is actually a completely different issue entirely, it looks quite a bit like dotnet/runtime#31569 in fact. Authenticator cert: Trust anchor: Both certutil and openssl are happy with this chain: |
|
I'm relatively new to this topic, but what is the actual impact of failed ValidateTrustChainSubAnchor on Linux? |
|
The way the spec works during registration with attestation, the server looks at a local cache of trusted metadata containing information about various aspects of authenticators, including things like if they are FIDO certified, are there known vulnerabilities in the product, trust anchor certificates and lots of other stuff. That local cache can be populated from the FIDO MDS repository, or managed manually by the server operator. If an authenticator shows up with a known AAGUID and that AAGUID has metadata that indicates that an attestation should look a certain way, a conformant server should only accept registrations that have properties that match what is expected. In this case, it's ensuring that the authenticator attestation certificate was signed by an entity that ties back to one of the trust anchors. It could be that an authenticator shows up with BLE transport, but the metadata shows it is only capable of USB, for example. Enterprise may care about things like this, but general consumers will not, which is what @abergs was getting at in #291 (comment). |
|
@aseigler Should we skip these two tests for now so we can have a clean CI build again? |
I love that we have tests for linux, but I too think we need to disable them (or fix them, but that's not straight forward) to get back to a green CI build. I'd welcome a PR for that @iamcarbon. I don't think @aseigler disagrees :) |
|
Yeah, I agree we should skip those tests for now until I/we figure out a way to make them work. |
It works on Windows, but on Linux there is a different behavior that seems actually normal, see below.
Failed tests:
Fido2Tests.TestInvalidU2FAttestationASync() line 624
Message:
Fido2NetLib.Fido2VerificationException : Invalid certificate chain
From:
fido2-net-lib/Src/Fido2/CryptoUtils.cs
Lines 107 to 118 in db931bd
What happens in ValidateTrustChain:
We disable revocation flag and allow unknown CA
On Windows we will get success + Status Untrusted Root (A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.) which is expected.
On Linux we will get success + Status Partial Chain (Unable to find local issuer)
This one will succeed on Windows but fail on Linux. The required item won't be added to CustomTrustStore on Linux, because "chain.ChainElements[^1].Certificate" doesn't contain it.
So we will have something like this:
..
}
Any ideas on how to handle PartialChain on Linux then?
PartialChain result returned by OpenSSL (which is used under the hood on Linux).
Related discussions:
dotnet/runtime#49615 (comment)
dotnet/runtime#49615
dotnet/dotnet-api-docs#6660
dotnet/runtime#29164
dotnet/runtime#28314
The text was updated successfully, but these errors were encountered: