Some X509 tests fail #169

Closed
kistlin opened this issue Jan 28, 2025 · 10 comments

kistlin commented Jan 28, 2025

wolfssl 5.7.6
wolfclu 0.1.7

wolfssl built with

./autogen.sh
./configure --prefix=/usr --enable-all

I also tried to compile wolfssl with --enable-asn=original, but it didn't look like it changed anything.

similar to #127

PASS: tests/rand/rand-test.sh
ERROR: tests/x509/x509-req-test.sh
PASS: tests/pkcs/pkcs7-test.sh
ERROR: tests/x509/x509-ca-test.sh
PASS: tests/pkey/pkey-test.sh
PASS: tests/pkey/ecparam-test.sh
PASS: tests/server/server-test.sh
PASS: tests/pkcs/pkcs12-test.sh
PASS: tests/hash/hash-test.sh
PASS: tests/x509/CRL-verify-test.sh
PASS: tests/client/client-test.sh
PASS: tests/pkey/rsa-test.sh
PASS: tests/x509/x509-verify-test.sh
PASS: tests/dsa/dsa-test.sh
PASS: tests/dh/dh-test.sh
PASS: tests/encrypt/enc-test.sh
PASS: tests/genkey_sign_ver/genkey-sign-ver-test.sh
ERROR: tests/x509/x509-process-test.sh
PASS: tests/dgst/dgst-test.sh
PASS: tests/bench/bench-test.sh
============================================================================
Testsuite summary for wolfclu 0.1.7
============================================================================
# TOTAL: 20
# PASS:  17
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 3
============================================================================
See ./test-suite.log for debugging.
Some test(s) failed.  Please report this to http://www.wolfssl.com,
together with the test-suite.log file (gzipped) and your system
information.  Thanks.
============================================================================
ERROR: tests/x509/x509-ca-test.sh
=================================

grep: warning: stray \ before -
./wolfssl ca
	-in CSR file input
	-out file to output to
	-keyfile file to read private key from
	-cert file to read CA from
	-extensions section in config file to parse extensions from
	-md type of hash i.e sha256
	-inform type PEM/DER of CSR input
	-config file to read configuration from
	-days number of days for certificate to be valid
	-selfsign sign with key associated with cert
./wolfssl ca
	-in CSR file input
	-out file to output to
	-keyfile file to read private key from
	-cert file to read CA from
	-extensions section in config file to parse extensions from
	-md type of hash i.e sha256
	-inform type PEM/DER of CSR input
	-config file to read configuration from
	-days number of days for certificate to be valid
	-selfsign sign with key associated with cert
Unable to open config file ca-example.conf
Unable to create a signer struct
Error returned: -1.
Issue creating structure to use
Error ./src/x509.c:5343: ASN parsing error, invalid input (-140)
Error returned: -1.
Issue creating structure to use
Error ./src/x509.c:5343: ASN parsing error, invalid input (-140)
Error returned: -1.
Fail on ./wolfssl ca -config ca.conf -in tmp-ca.csr -out test_ca.pem -md sha256 -selfsign -keyfile ./certs/server-key.pem
ERROR tests/x509/x509-ca-test.sh (exit status: 99)

ERROR: tests/x509/x509-process-test.sh
======================================

grep: warning: stray \ before -
TEST 1: VALID
TEST 1.a
testing: ./wolfssl -x509 -inform pem -outform pem -in certs/ca-cert.pem -out test.pem
Checking certificate test.pem's signature.
Verified OK

TEST 1.b

TEST 1.c
testing: ./wolfssl -x509 -inform pem -outform der -in certs/ca-cert.pem -out test.der
Checking certificate test.der's signature.
Verified OK

TEST 1.d
testing: ./wolfssl -x509 -inform der -outform pem -in certs/ca-cert.der

TEST 1.e
testing: ./wolfssl -x509 -inform der -outform der -in certs/ca-cert.der -out test.der
Checking certificate test.der's signature.
Verified OK

TEST 1.f
testing: ./wolfssl -x509 -inform der -text -noout -in certs/ca-cert.der

TEST 1.g
testing: ./wolfssl -x509 -inform der -pubkey -noout -in certs/ca-cert.der

TEST 1.h
testing: ./wolfssl -x509 -inform der -outform pem -in certs/ca-cert.der -out test.pem
Checking certificate test.pem's signature.
Verified OK

TEST 1.i
testing: ./wolfssl -x509 -in combined.pem -out process_x509.pem
testing: ./wolfssl -x509 -in process_x509.pem -text
testing: ./wolfssl -x509 -in ./certs/ca-cert.pem -text

TEST 2: INVALID INPUT
TEST 2.a
testing: ./wolfssl -x509 -inform pem -inform der
ERROR: argument found twice: "-inform"
Error returned: -1.
TEST 2.b
testing: ./wolfssl -x509 -outform pem -outform der
ERROR: argument found twice: "-outform"
Error returned: -1.
TEST 2.c
testing: ./wolfssl -x509 -inform -inform
ERROR: argument found twice: "-inform"
Error returned: -1.
TEST 2.d
testing: ./wolfssl -x509 -outform -outform
ERROR: argument found twice: "-outform"
Error returned: -1.
TEST 2.e
testing: ./wolfssl -x509 -inform pem -inform der -inform
ERROR: argument found twice: "-inform"
Error returned: -1.
TEST 2.f
testing: ./wolfssl -x509 -outform pem -outform der -outform
ERROR: argument found twice: "-outform"
Error returned: -1.
TEST 2.g
testing: ./wolfssl -x509 -inform pem -outform der -inform
ERROR: argument found twice: "-inform"
Error returned: -1.
TEST 2.h
testing: ./wolfssl -x509 -outform pem -inform der -outform
ERROR: argument found twice: "-outform"
Error returned: -1.
TEST 2.i
testing: ./wolfssl -x509 -inform
Usage: -inform [PEM/DER/RAW]
missing inform required argument
Error returned: -1.
TEST 2.j
testing: ./wolfssl -x509 -outform
Usage: -outform [PEM/DER/RAW]
missing outform required argument
Error returned: -1.
TEST 2.k
testing: ./wolfssl -x509 -outform pem -outform der -noout
ERROR: argument found twice: "-outform"
Error returned: -1.
TEST 2.l
testing: ./wolfssl -x509 -outform -outform -noout
ERROR: argument found twice: "-outform"
Error returned: -1.
TEST 2.m
testing: ./wolfssl -x509 -outform pem -outform der -outform -noout
ERROR: argument found twice: "-outform"
Error returned: -1.
TEST 2.n
testing: ./wolfssl -x509 -inform pem -outform der -inform -noout
ERROR: argument found twice: "-inform"
Error returned: -1.
TEST 2.o
testing: ./wolfssl -x509 -outform pem -inform der -outform -noout
ERROR: argument found twice: "-outform"
Error returned: -1.
TEST 2.p
testing: ./wolfssl -x509 -outform -noout
Usage: -outform [PEM/DER/RAW]
"-noout" is not a valid output format
Error returned: -1.
TEST3: VALID INPUT FILES
TEST 3.a
testing: ./wolfssl -x509 -inform der -in certs/ca-cert.der -outform pem -out tmp.pem
RESULT: 0
RESULT OF DIFF: 0

TEST 3.b
testing: ./wolfssl -x509 -inform pem -outform der -in certs/ca-cert.pem -out x509_tmp.der
RESULT: 0
RESULT OF DIFF: 0

TEST 3.c
testing: ./wolfssl -x509 -in certs/server-cert.pem -subject -noout
TEST 3.d
testing: ./wolfssl -x509 -in certs/server-cert.pem -issuer -noout
TEST 3.e
testing: ./wolfssl -x509 -in certs/ca-cert.pem -serial -noout
TEST 3.f
testing: ./wolfssl -x509 -in certs/server-cert.pem -serial -noout
TEST 3.g
testing: ./wolfssl -x509 -in certs/server-cert.pem -dates -noout
TEST 3.h
testing: ./wolfssl -x509 -in certs/server-cert.pem -email -noout
TEST 3.i
testing: ./wolfssl -x509 -in certs/server-cert.pem -fingerprint -noout
TEST 3.j
testing: ./wolfssl -x509 -in certs/server-cert.pem -purpose -noout
TEST 3.k
testing: ./wolfssl -x509 -in certs/server-cert.pem -hash -noout
TEST 3.l
testing: ./wolfssl -x509 -in x509-process-tmp.cert -email -noout
unable to parse input file
Error wolfcrypt/src/asn.c:23967: ASN parsing error, invalid input (-140)
Error returned: -1.
Failed when expected to pass
ERROR tests/x509/x509-process-test.sh (exit status: 99)

ERROR: tests/x509/x509-req-test.sh
==================================

grep: warning: stray \ before -
unable to parse input file
Error wolfcrypt/src/asn.c:23967: ASN parsing error, invalid input (-140)
Error returned: -1.
found unexpected result
Got      : 
Expected :         Subject: O=wolfSSL, C=US, ST=WA, L=Seattle, CN=wolfSSL, OU=org-unit
ERROR tests/x509/x509-req-test.sh (exit status: 99)
@embhorn embhorn self-assigned this Jan 28, 2025
embhorn commented Jan 28, 2025

Hi @kistlin

I was not able to reproduce this with the latest code. I did find a build error, fixed in #170

Could you please try again with the latest code from GitHub?

Thanks,
@embhorn

kistlin commented Jan 28, 2025

Hello @embhorn, strangely enough I saw the build error #170 when I was building wolfssl with CMake, but not with autogen/configure.

What is the preferred build system?

But using the latest changes in wolfCLU didn't help (and wolfssl with autogen/configure). I still have the same tests failing.

I'm on Arch and gcc in case it would matter.

gcc (GCC) 14.2.1 20240910
Copyright (C) 2024 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

And just to be clear on the steps
wolfssl (with or without --enable-wolfclu)

./autogen.sh
./configure --prefix=/usr --enable-all --enable-wolfclu
make -j8
make install

wolfCLU

./autogen.sh
./configure
make -j8
make check

embhorn commented Jan 28, 2025

We did just release with a new lib tag. Can you check the wolfSSL lib being linked using:
ldconfig -v | grep libwolfssl

embhorn commented Jan 28, 2025

Also try updating the linker cache before building wolfCLU using sudo ldconfig

kistlin commented Jan 28, 2025

To give more context on my side.
I try to package wolfCLU on Arch. For that I'm pulling wolfssl from https://github.com/wolfSSL/wolfssl/archive/refs/tags/v5.7.6-stable.tar.gz.
Build it with steps mentioned earlier.
Once the package is built, I install it with pacman, the package manager from Arch.
After that I try to package wolfCLU and as part of the check after building, the unit tests are run.
The binary produced links against the one installed on the system.

ldd ./src/wolfCLU-0.1.7-stable/wolfssl
        linux-vdso.so.1 (0x00007ffed315e000)
        libwolfssl.so.43 => /usr/lib/libwolfssl.so.43 (0x00007fc6e9800000)
        libc.so.6 => /usr/lib/libc.so.6 (0x00007fc6e960f000)
        libm.so.6 => /usr/lib/libm.so.6 (0x00007fc6e9df1000)
        /lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007fc6e9f78000)

I can see the same shared library in the build output of wolfssl

│       ├── lib                                               
│       │   ├── libwolfssl.so -> libwolfssl.so.43.0.0         
│       │   ├── libwolfssl.so.43 -> libwolfssl.so.43.0.0      
│       │   ├── libwolfssl.so.43.0.0                          

sudo ldconfig didn't change anything.
"We did just release with a new lib tag": do you mean wolfssl? Should I pull something newer?

$ ./src/wolfCLU-0.1.7-stable/wolfssl version      
You are using version 0.1.7 of the wolfssl Command Line Utility.                
Linked to wolfSSL version 5.7.6                                                 

$ echo $?                                         
0                                                                                                                                                               

Forget the previous comment :). I called with --version instead of version.

kistlin commented Jan 28, 2025

When for example
ca -config ca.conf -in tmp-ca.csr -out test_ca.pem -md sha256 -selfsign -keyfile ./certs/server-key.pem is passed to wolfssl it goes into wolfSSL_PEM_read_bio_X509_REQ.

    if (ret == WOLFCLU_SUCCESS) {
        if (inForm == PEM_FORM) {
            wolfSSL_PEM_read_bio_X509_REQ(reqIn, &x509, NULL, NULL);
        }
        else {
            wolfSSL_d2i_X509_REQ_bio(reqIn, &x509);
        }
        if (x509 == NULL) {
            wolfCLU_LogError("Issue creating structure to use");
            ret = WOLFCLU_FATAL_ERROR;
        }

There x509 is NULL. So I would assume it has to be a problem within the wolfssl library, that I compiled.

embhorn commented Jan 28, 2025

Since you are using a prefix to install wolfSSL, you should also point wolfCLU to that location using ./configure --with-wolfssl=/usr

The wolfCLU you are building is likely picking up another wolfSSL installation.
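
One way to script the linkage check discussed in the comments above, as an added example that is not part of the original thread or of wolfCLU. The function names `resolved_wolfssl` and `check_wolfssl_prefix` are hypothetical, and the sample `ldd` output is constructed to show a binary that resolves libwolfssl outside the expected prefix.

```shell
#!/bin/sh
# Constructed sample: `ldd` output for a wolfCLU binary (addresses are made up).
SAMPLE_LDD='        linux-vdso.so.1 (0x00007ffc00000000)
        libwolfssl.so.43 => /usr/local/lib/libwolfssl.so.43 (0x00007f0000000000)
        libc.so.6 => /usr/lib/libc.so.6 (0x00007f0000200000)'

# resolved_wolfssl (hypothetical helper): read `ldd` output on stdin and print
# "<soname> <path>" for every libwolfssl entry the loader resolved to a file.
# Entries reported as "not found" have no absolute path and are skipped.
resolved_wolfssl() {
    awk '$1 ~ /^libwolfssl\.so/ && $2 == "=>" && $3 ~ /^\// { print $1, $3 }'
}

# check_wolfssl_prefix PREFIX (hypothetical helper): read `ldd` output on stdin.
#   returns 0 if libwolfssl resolves under PREFIX/lib or PREFIX/lib64
#   returns 1 if it resolves somewhere else (a different installation)
#   returns 2 if no libwolfssl entry resolved (static link or "not found")
check_wolfssl_prefix() {
    prefix=${1%/}
    entries=$(resolved_wolfssl)
    [ -n "$entries" ] || return 2
    status=0
    while read -r soname path; do
        case "$path" in
            "$prefix"/lib/*|"$prefix"/lib64/*) ;;
            *) echo "mismatch: $soname -> $path (expected under $prefix)" >&2
               status=1 ;;
        esac
    done <<EOF
$entries
EOF
    return $status
}

# Demo on the constructed sample; on a real build, pipe in the actual output:
#   ldd ./wolfssl | check_wolfssl_prefix /usr
printf '%s\n' "$SAMPLE_LDD" | check_wolfssl_prefix /usr || echo "exit status: $?"
```

A result of 0 only rules out a second installation being picked up at load time; it says nothing about whether the two releases are compatible with each other.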

kistlin commented Jan 29, 2025

Linking against something else is highly unlikely.

What I did now is a quick comparison.
Ubuntu 20.04 wolfssl v5.7.6-stable wolfCLU v0.1.7-stable: doesn't work - unit tests fail as mentioned
Ubuntu 24.04 (with gcc-13 and gcc-14) wolfssl v5.7.6-stable wolfCLU v0.1.7-stable: doesn't work - unit tests fail as mentioned
Ubuntu 20.04 wolfssl master wolfCLU v0.1.7-stable: would work but shows the issue in #170
Ubuntu 20.04 wolfssl master wolfCLU master: works
Ubuntu 24.04 (with gcc-13 and gcc-14) wolfssl master wolfCLU master: works

So for me it looks like an incompatibility between the stable versions.

embhorn commented Jan 29, 2025

"Ubuntu 20.04 wolfssl master wolfCLU master: works"

Excellent! That means going forward the issue you observed is resolved.

Are you okay with closing this issue or do you have further questions?

kistlin commented Jan 29, 2025

Yes ok.

@kistlin kistlin closed this as completed Jan 29, 2025