crypto/x509: Trust setting not inherited on darwin #30471

Open
vdobler opened this Issue Feb 28, 2019 · 5 comments

vdobler commented Feb 28, 2019

What version of Go are you using (go version)?

$ go version
go version go1.12 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/m/Library/Caches/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/m/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/go"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/m/go/src/git.intern.migros.net/devops-api-mobile/ch.migros.lottery/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/f6/vr81k40j5y35bpj039w1hwfdrvg106/T/go-build545405925=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

$ go build

What did you expect to see?

Nothing (a successful build).

What did you see instead?

go: git.intern.migros.net/package7path@v1.3.0: unrecognized import path "git.intern.migros.net/package/path" (https fetch: Get https://git.intern.migros.net/package/path?go-get=1: x509: certificate signed by unknown authority)
go: error loading module requirements

More details

This is basically just issue #24652 but with Go 1.12

The same fix (mark root CA as "Always Trust") as described in #24652 (comment) makes the problem go away.

Curl and browsers do accept the certificate. E.g.

$ curl -v "https://git.intern.migros.net/package/path?go-get=1"
*   Trying 164.xxx.xxx.xxx...
* TCP_NODELAY set
* Connected to git.intern.migros.net (164.xxx.xxx.xxx) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: git.intern.migros.net
* Server certificate: Migros System CA 2
* Server certificate: Migros Root CA 2
> GET /package/path?go-get=1 HTTP/1.1
> Host: git.intern.migros.net
> User-Agent: curl/7.54.0
> Accept: */*

But running TestSystemRoots yields:

$ GODEBUG=x509roots=1 ../bin/go test -v -run TestSystemRoots crypto/x509
=== RUN   TestSystemRoots
crypto/x509: 6 certs have a trust policy
crypto/x509: verify-cert approved CN=Migros User CA 2,O=Migros,C=CH
crypto/x509: verify-cert approved CN=QuoVadis Swiss Advanced CA G2,O=QuoVadis Trustlink Switzerland Ltd.,C=CH
crypto/x509: verify-cert approved CN=webproxy.dc.migros.ch,OU=Informatik,O=Migros,L=Zuerich,ST=Zuerich,C=CH
crypto/x509: verify-cert approved CN=Migros Root CA 2,O=Migros,C=CH
crypto/x509: verify-cert approved CN=Migros Root CA 2,O=Migros,C=CH
crypto/x509: verify-cert approved CN=Migros User CA 2,O=Migros,C=CH
crypto/x509: verify-cert rejected CN=dlv-cert: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert approved CN=QuoVadis Swiss Advanced CA G2,O=QuoVadis Trustlink Switzerland Ltd.,C=CH
crypto/x509: verify-cert approved CN=Migros Root CA 2,O=Migros,C=CH
crypto/x509: verify-cert approved CN=macman.migros.net,OU=Migros Genossenschafts Bund,O=Migros Genossenschafts Bund,L=Zuerich,ST=Zueich,C=CH
crypto/x509: verify-cert approved CN=Migros User CA 2,O=Migros,C=CH
crypto/x509: verify-cert approved CN=QuoVadis Swiss Advanced CA G2,O=QuoVadis Trustlink Switzerland Ltd.,C=CH
crypto/x509: verify-cert approved CN=macman.migros.net,OU=Migros Genossenschafts Bund,O=Migros Genossenschafts Bund,L=Zuerich,ST=Zueich,C=CH
crypto/x509: ran security verify-cert 13 times
Number of trusted certs = 2
Cert 0: Migros Root CA 2
   Number of trust settings : 4
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : autodiscover.migros.net
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : autodiscover.migros.net
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 2:
      Policy OID            : Apple X509 Basic
      Policy String         : autodiscover.migros.net
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 3:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 1: macman.migros.net
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Number of trusted certs = 5
Cert 0: Migros User CA 2
   Number of trust settings : 1
   Trust Setting 0:
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 1: QuoVadis Swiss Advanced CA G2
   Number of trust settings : 1
   Trust Setting 0:
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 2: webproxy.dc.migros.ch
   Number of trust settings : 0
Cert 3: dlv-cert
   Number of trust settings : 0
Cert 4: Migros Root CA 2
   Number of trust settings : 0
--- FAIL: TestSystemRoots (0.31s)
    root_darwin_test.go:35:     cgo sys roots: 56.90889ms
    root_darwin_test.go:36: non-cgo sys roots: 150.793582ms
    root_darwin_test.go:77: certificate only present in non-cgo pool: CN=Migros User CA 2,O=Migros,C=CH (verify error: x509: certificate signed by unknown authority)
    root_darwin_test.go:79: signed certificate only present in non-cgo pool (acceptable): CN=QuoVadis Swiss Advanced CA G2,O=QuoVadis Trustlink Switzerland Ltd.,C=CH
    root_darwin_test.go:77: certificate only present in non-cgo pool: CN=Migros Root CA 2,O=Migros,C=CH (verify error: x509: certificate signed by unknown authority)
    root_darwin_test.go:79: signed certificate only present in non-cgo pool (acceptable): CN=macman.migros.net,OU=Migros Genossenschafts Bund,O=Migros Genossenschafts Bund,L=Zuerich,ST=Zueich,C=CH
    root_darwin_test.go:79: signed certificate only present in non-cgo pool (acceptable): CN=Developer ID Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
    root_darwin_test.go:99: off-EKU certificate only present in cgo pool (acceptable): CN=dlv-cert
FAIL
crypto/x509: kSecTrustSettingsResultInvalid = 0
crypto/x509: kSecTrustSettingsResultTrustRoot = 1
crypto/x509: kSecTrustSettingsResultTrustAsRoot = 2
crypto/x509: kSecTrustSettingsResultDeny = 3
crypto/x509: kSecTrustSettingsResultUnspecified = 4
crypto/x509: Migros User CA 2 returned 4
crypto/x509: QuoVadis Swiss Advanced CA G2 returned 4
crypto/x509: webproxy.dc.migros.ch returned 1
crypto/x509: dlv-cert returned 1
crypto/x509: Migros Root CA 2 returned 4
crypto/x509: Migros Root CA 2 returned 4
crypto/x509: macman.migros.net returned 4
FAIL	crypto/x509	0.317s

vdobler commented Feb 28, 2019

@FiloSottile In #24652 you requested to be tagged if the problem is not completely solved in Go 1.12.


SteelPhase commented Feb 28, 2019

I've run into the same issue, and while I can't share the output of the test in question, I can confirm that marking the intermediate CA as Always Trusted resolves the issue for me. I would hope that this would be fixed in a Go 1.12.x release.


FiloSottile commented Mar 1, 2019

Thank you for the report. Is this a regression or was it broken in Go 1.11 as well?


SteelPhase commented Mar 1, 2019

This was working for me in Go 1.11. I installed my company's root CA and two intermediate CAs in the system keychain. At the time when I did this, it was required because Go didn't check the login keychain. That specific detail appears to have changed, but I'm not 100% sure that was introduced in Go 1.12. I only had the root CA marked as Always Trusted.

After running into this issue today, I cleaned up the certs in my system keychain, and moved them to the login keychain. I tested this in both locations. When only the root CA is marked Always Trusted, go doesn't trust either of the intermediate certs. When all 3 certs are marked Always Trusted, go has no trust issues with the certificates.

As an additional note, the output of GODEBUG=x509roots=1 go test -v -run TestSystemRoots crypto/x509 didn't change based on Always Trusted settings, and I assume that is a red herring.

I can confirm that a script that relies on the certificate being trusted works correctly when I change the intermediate CA it depends on to Always Trusted.


SteelPhase commented Mar 1, 2019

I'm going to include this tidbit just because it's slightly related.

I'm on macOS Mojave 10.14.3, and it appears security handles pointing login.keychain to login.keychain-db internally. I shasum'd the output of the commands with the different paths below and it's the same value.

keychains = append(keychains,
	filepath.Join(home, "/Library/Keychains/login.keychain"),
	// Fresh installs of Sierra use a slightly different path for the login keychain
	filepath.Join(home, "/Library/Keychains/login.keychain-db"),
)

steel@computer:src$ls -la ~/Library/Keychains/
drwxr-xr-x  11 steel  000000000     352 Feb 28 19:36 .
drwx------@ 75 steel  000000000    2400 Feb 11 10:21 ..
-rw-r--r--@  1 steel  000000000    6148 Jan  7 15:33 .DS_Store
-rw-r--r--@  1 steel  000000000  736696 Feb 28 19:36 login.keychain-db
-rw-------   1 steel  000000000   30740 Feb 12 11:13 metadata.keychain-db
steel@computer:src$security find-certificate -a ~/Library/Keychains/login.keychain | shasum
a2b9a124e87200b0663f8b45df45c39584663bd9  -
steel@computer:src$security find-certificate -a ~/Library/Keychains/login.keychain-db | shasum
a2b9a124e87200b0663f8b45df45c39584663bd9  -