Ben Reser <ben_at_reser.org> writes:
> I think we should get this merged to trunk.
> The original email asking to start this merge happened back in August here:
> Since that email the checksum formatting code was removed and there have been
> some API changes to make the API more capable of fully representing the
> certificates. As well as quite a few bug fixes.
> You can get a diff with:
> svn diff ^/subversion/trunk@1655188 ^/subversion/branches/svn-auth-x509
> Per the decision in Berlin 2013, I'm asking for a vote to bring this branch
> into trunk. This is currently holding up 1.9 branch, so I'd like to get this
> on trunk.
> There are some further fixes I'd like to make but I'm going to hold off on
> doing that for now and do so on trunk.
Here are a couple of findings I would like to share.
I took the certificates from a regression suite in  and fed them to the new
X509 parser, svn_x509_parse_cert(). The parser currently fails to parse 20 of
the test certificates, mostly with an SVN_ERR_ASN1_LENGTH_MISMATCH.
Please see the attached fails log. I think that the only expected failure is
the last one, google.pem_cert.p7b, which happens with a deliberately broken
PEM certificate stored in a file with a .p7b extension. Other failures look
quite unexpected to me. Failing certificates are a bit special — for instance,
one of them has the EKU set to Code Signing (1.3.6.1.5.5.7.3.3), and the other
ones are using 768-bit RSA, but I would not say this is a reason for the parser
to break on them. Other existing parsers, like the one provided within the
CryptoAPI, do not error out when parsing them.
I might be missing something, because I did not examine the root cause of this
behavior. Also, I did not review the branch itself, so, no comments on merging
it to trunk.
Received on 2015-01-28 15:56:34 CET