Re: [VOTE} Merge svn-auth-x509 branch to trunk?

From: Evgeny Kotkov <evgeny.kotkov_at_visualsvn.com>
Date: Wed, 28 Jan 2015 17:55:40 +0300

Ben Reser <ben_at_reser.org> writes:

> I think we should get this merged to trunk.
> The original email asking to start this merge happened back in August here:
> https://mail-archives.apache.org/mod_mbox/subversion-dev/201408.mbox/%3C53E1C1D7.2040005%40reser.org%3E
> Since that email the checksum formatting code was removed and there have been
> some API changes to make the API more capable of fully representing the
> certificates. As well as quite a few bug fixes.
> You can get a diff with:
> svn diff ^/subversion/trunk@1655188 ^/subversion/branches/svn-auth-x509
> Per the decision in Berlin 2013, I'm asking for a vote to bring this branch
> into trunk. This is currently holding up 1.9 branch, so I'd like to get this
> on trunk.
> There are some further fixes I'd like to make but I'm going to hold off on
> doing that for now and do so on trunk.

Here are a couple of findings I would like to share.

I took the certificates from a regression suite in [1] and fed them to the new
X509 parser, svn_x509_parse_cert(). The parser currently fails to parse 20 of
the test certificates, mostly with an SVN_ERR_ASN1_LENGTH_MISMATCH.

Please see the attached fails log. I think that the only expected failure is
the last one, google.pem_cert.p7b, which happens with a deliberately broken
PEM certificate stored in a file with a .p7b extension. Other failures look
quite unexpected to me. Failing certificates are a bit special — for instance,
one of them has the EKU set to Code Signing (, and the other
ones are using 768-bit RSA, but I would not say this is a reason for the parser
to break on them. Other existing parsers, like the one provided within the
CryptoAPI [2], do not error out when parsing them.

I might be missing something, because I did not examine the root cause of this
behavior. Also, I did not review the branch itself, so, no comments on merging
it to trunk.

[1] http://src.chromium.org/svn/trunk/src/net/data/ssl/certificates
[2] https://msdn.microsoft.com/en-us/library/windows/desktop/aa376033

Evgeny Kotkov

Received on 2015-01-28 15:56:34 CET

This is an archived mail posted to the Subversion Dev mailing list.
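
For readers triaging failures like the ones reported in the mail above, this sketch shows the kind of structural check behind a length-mismatch error in an ASN.1 DER parser. It is an added example, not code from Subversion or from the mail, and it makes no claim about the root cause of the reported failures; `der_get_len`, `der_check` and the `DER_*` codes are hypothetical names, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdio.h>

enum { DER_OK = 0, DER_TRUNCATED = -1, DER_LENGTH_MISMATCH = -2, DER_UNSUPPORTED = -3 };

/* Decode the length field at *p (bounded by end) and advance *p past it. */
static int der_get_len(const unsigned char **p, const unsigned char *end, size_t *len)
{
    size_t n;
    if (*p >= end) return DER_TRUNCATED;
    n = *(*p)++;
    if (n < 0x80) { *len = n; return DER_OK; }          /* short form: 0..127 */
    n &= 0x7f;                                          /* long form: n length octets */
    if (n == 0 || n > sizeof(size_t)) return DER_UNSUPPORTED; /* indefinite or huge */
    if ((size_t)(end - *p) < n) return DER_TRUNCATED;
    for (*len = 0; n > 0; n--) *len = (*len << 8) | *(*p)++;
    return DER_OK;
}

/* Walk every element in [p, end), recursing into constructed ones (tag bit 0x20).
   A child whose declared length runs past its parent is a length mismatch. */
int der_check(const unsigned char *p, const unsigned char *end, int depth)
{
    if (depth > 16) return DER_UNSUPPORTED;             /* bound the recursion */
    while (p < end) {
        unsigned char tag = *p++;
        size_t len;
        int rc;
        if ((tag & 0x1f) == 0x1f) return DER_UNSUPPORTED; /* multi-byte tag numbers */
        if ((rc = der_get_len(&p, end, &len)) != DER_OK) return rc;
        if (len > (size_t)(end - p)) return DER_LENGTH_MISMATCH;
        if ((tag & 0x20) && (rc = der_check(p, p + len, depth + 1)) != DER_OK) return rc;
        p += len;
    }
    return DER_OK;
}

/* Constructed sample: SEQUENCE { INTEGER 5, OCTET STRING aa }. */
static const unsigned char sample_ok[]  = { 0x30, 0x06, 0x02, 0x01, 0x05, 0x04, 0x01, 0xaa };
/* Same bytes, but the OCTET STRING claims 2 bytes where the SEQUENCE leaves 1. */
static const unsigned char sample_bad[] = { 0x30, 0x06, 0x02, 0x01, 0x05, 0x04, 0x02, 0xaa };

int main(void)
{
    printf("ok=%d bad=%d\n", der_check(sample_ok, sample_ok + sizeof sample_ok, 0),
           der_check(sample_bad, sample_bad + sizeof sample_bad, 0));
    return 0;
}
```

Running a walker like this over a failing certificate separates "the file's declared lengths are inconsistent" from "the parser rejected a well-formed structure", which is the first question to settle when a parser reports a length mismatch.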