macOS: subjectKeyIdentifier and authorityKeyIdentifier mismatch crashes chain building #41678
I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.
Changing the debug output to use an allocating version got me the right output:

```c
// Size a buffer for the worst-case UTF-8 encoding, plus the NUL terminator.
CFIndex keyStringLength = CFStringGetLength(keyString);
CFIndex maxEncodedLength = CFStringGetMaximumSizeForEncoding(keyStringLength, kCFStringEncodingUTF8) + 1;
char *printBuffer = malloc(maxEncodedLength);

// Only convert if the allocation succeeded.
if (printBuffer != NULL && CFStringGetCString(keyString, printBuffer, maxEncodedLength, kCFStringEncodingUTF8))
{
    printf("Unknown Chain Status: %s\n", printBuffer);
}
else
{
    printf("Unknown Chain Status. Could not allocate string.");
}

free(printBuffer);
```
All three platforms have different behavior.

Was this from trawling the string table, or did it come up in reality?

Had some spare time during lunch and started looking for more of these in Big Sur. I noticed that IdLinkage was one that applies to 10.15 (and probably 10.14) as well.

This is another "unknown chain status" on macOS chain building. If a leaf and issuing certificate chain to each other but the authority and subject key identifiers do not match, chain building will fail.
A DynamicChainTest to reproduce it:

Unfortunately, the debugging output isn't helpful for this one, for some reason.

I think the chain status string is "IdLinkage" based on my examination of Apple sources.
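
The identifier linkage described in this issue, as an added example that is not part of the original thread or the project's code: a C check that pulls the keyIdentifier out of a leaf's authorityKeyIdentifier and an issuer's subjectKeyIdentifier extension values (RFC 5280 encoding) and compares them before chain building. The function names and sample bytes are assumptions constructed for illustration, and only short-form DER lengths (up to 127 bytes) are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Read one short-form DER TLV from p[0..len). Returns bytes consumed, 0 if malformed/unsupported. */
static size_t der_tlv(const uint8_t *p, size_t len, uint8_t *tag,
                      const uint8_t **val, size_t *vlen)
{
    if (len < 2 || (p[1] & 0x80) || p[1] > len - 2) return 0;
    *tag = p[0]; *val = p + 2; *vlen = p[1];
    return 2 + (size_t)p[1];
}

/* SubjectKeyIdentifier extnValue is a single OCTET STRING (tag 0x04). */
static int ski_key_id(const uint8_t *ext, size_t len, const uint8_t **id, size_t *idlen)
{
    uint8_t tag = 0;
    return len != 0 && der_tlv(ext, len, &tag, id, idlen) == len && tag == 0x04;
}

/* AuthorityKeyIdentifier extnValue is SEQUENCE { [0] keyIdentifier OPTIONAL, ... }. */
static int aki_key_id(const uint8_t *ext, size_t len, const uint8_t **id, size_t *idlen)
{
    uint8_t tag = 0; const uint8_t *seq = NULL; size_t seqlen = 0;
    if (len == 0 || der_tlv(ext, len, &tag, &seq, &seqlen) != len || tag != 0x30) return 0;
    while (seqlen > 0) {
        size_t used = der_tlv(seq, seqlen, &tag, id, idlen);
        if (used == 0) return 0;
        if (tag == 0x80) return 1;          /* [0] IMPLICIT OCTET STRING found */
        seq += used; seqlen -= used;
    }
    return 0;                                /* keyIdentifier field absent */
}

/* 1 = identifiers match, 0 = mismatch, -1 = identifier missing or not parseable. */
int key_ids_linked(const uint8_t *leaf_aki, size_t aki_len,
                   const uint8_t *issuer_ski, size_t ski_len)
{
    const uint8_t *a = NULL, *s = NULL; size_t alen = 0, slen = 0;
    if (!aki_key_id(leaf_aki, aki_len, &a, &alen) ||
        !ski_key_id(issuer_ski, ski_len, &s, &slen)) return -1;
    return alen == slen && memcmp(a, s, alen) == 0;
}

/* Constructed sample extnValue bytes (not taken from real certificates). */
static const uint8_t SKI[]     = {0x04, 0x04, 0xAA, 0xBB, 0xCC, 0xDD};
static const uint8_t AKI_OK[]  = {0x30, 0x06, 0x80, 0x04, 0xAA, 0xBB, 0xCC, 0xDD};
static const uint8_t AKI_BAD[] = {0x30, 0x06, 0x80, 0x04, 0xAA, 0xBB, 0xCC, 0xDE};
```

A result of 0 from `key_ids_linked` flags the mismatch condition this issue describes, so a test harness or issuance pipeline can report it explicitly rather than relying on the platform's chain status string.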