webauthn
webauthn/metadata/metadata_test broken
The webauthn/metadata/metadata_test tests are failing due to `Get "https://fidoalliance.co.nz/mds/pki/MDSROOT.crt": dial tcp: lookup fidoalliance.co.nz: no such host`, which is correct since this URL is unreachable. I tried running the tests with the new URLs (below) and now I am running into an error saying the CRL path is invalid.
```go
func getMetdataTOCSigningTrustAnchor(c http.Client) ([]byte, error) {
	rooturl := ""
	if Conformance {
		rooturl = "https://mds.certinfra.fidoalliance.org/pki/MDSROOT.crt"
	} else {
		rooturl = "https://valid.r3.roots.globalsign.com/"
	}
	return downloadBytes(rooturl, c)
}
```
Error with CRL path invalid (below). Indeed this URL is unreachable too, but looking at the code I can't tell where it is coming from. Could you please help @nicksteele @aseigler, thank you!
```
2021/07/20 14:44:58 [WARNING] failed to fetch CRL: Get "https://fidoalliance.co.nz/mds/crl/MDSROOT.crl": dial tcp: lookup fidoalliance.co.nz: no such host
2021/07/20 14:44:58 [WARNING] error checking revocation via CRL
err Certificate revocation list is unavailable tt.wantErr <nil>
--- FAIL: TestMetadataTOCParsing
```
Hey @aseigler, any ideas on the issue? Thanks!
@nicksteele, do you have any insights into the reported issue? Thank you!
@aseigler @kylelady @nicksteele I noticed the CRL in the JWTs in /testdata is unreachable (crl: https://fidoalliance.co.nz/mds/crl/MDSROOT.crl). I believe the valid one is https://mds.certinfra.fidoalliance.org/crl/MDSROOT.crl. Would you be able to help fix the JWTs? The metadata tests are broken on tot. Thank you!
The metadata tests probably need to be completely overhauled. Lots of changes occurred in them since the tests were initially implemented; I am not surprised they are all broken now.
I'll chime in to say that I hit the same issue with metadata tests failing when the certificate can't be downloaded, although in my case I'm working on packaging this library for use in Debian. (Builds in Debian typically don't have network access.) For now I've commented out those tests, but it would be great if the whole test suite for this library could be run!
Also, current code actually crashes, since in this failure case metadata/metadata_test.go:56 tries to dereference tt.wantErr, which is nil:
```
--- FAIL: TestMetadataTOCParsing (0.00s)
    --- FAIL: TestMetadataTOCParsing/success (0.00s)
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
	panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x677729]

goroutine 7 [running]:
testing.tRunner.func1.2({0x6a9580, 0x922ef0})
	/usr/lib/go-1.17/src/testing/testing.go:1209 +0x24e
testing.tRunner.func1()
	/usr/lib/go-1.17/src/testing/testing.go:1212 +0x218
panic({0x6a9580, 0x922ef0})
	/usr/lib/go-1.17/src/runtime/panic.go:1038 +0x215
github.com/duo-labs/webauthn/metadata.TestMetadataTOCParsing.func1(0xc0000af1e0)
	/build/golang-github-duo-labs-webauthn-0.0~git20210727.9f1b88e/_build/src/github.com/duo-labs/webauthn/metadata/metadata_test.go:56 +0x109
testing.tRunner(0xc0000af1e0, 0xc00000e240)
	/usr/lib/go-1.17/src/testing/testing.go:1259 +0x102
created by testing.(*T).Run
	/usr/lib/go-1.17/src/testing/testing.go:1306 +0x35a
FAIL	github.com/duo-labs/webauthn/metadata	0.010s
```
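The two failures reported in this thread (tests that need the network to fetch the trust anchor and CRL, and a panic when `tt.wantErr` is nil) can both be avoided in the test harness. The sketch below is an added example, not code from the webauthn project: `fixtureTransport`, `errorsMatch` and the body of `downloadBytes` are hypothetical, and the certificate bytes are constructed placeholders.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
)

const rootURL = "https://mds.certinfra.fidoalliance.org/pki/MDSROOT.crt" // quoted in the thread
const crlURL = "https://mds.certinfra.fidoalliance.org/crl/MDSROOT.crl"  // quoted in the thread

// fixtureTransport (hypothetical) answers requests from memory: no DNS lookup, no socket.
type fixtureTransport map[string][]byte

func (f fixtureTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	body, ok := f[r.URL.String()]
	if !ok {
		return nil, fmt.Errorf("no fixture for %s", r.URL) // fail closed, never dial out
	}
	return &http.Response{StatusCode: http.StatusOK, Status: "200 OK",
		Header: http.Header{}, Body: io.NopCloser(bytes.NewReader(body)), Request: r}, nil
}

// downloadBytes is a hypothetical stand-in for the helper called in the thread.
func downloadBytes(url string, c http.Client) ([]byte, error) {
	resp, err := c.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("fetch %s: %s", url, resp.Status)
	}
	return io.ReadAll(resp.Body)
}

// errorsMatch compares a test's got/want errors without dereferencing a nil want.
func errorsMatch(got, want error) bool {
	if got == nil || want == nil {
		return got == nil && want == nil
	}
	return got.Error() == want.Error()
}

func main() {
	c := http.Client{Transport: fixtureTransport{rootURL: []byte("constructed root cert")}}
	b, err := downloadBytes(rootURL, c)
	fmt.Println(string(b), err, errorsMatch(err, nil))
}
```

Because the client is injected, the same transport can serve a checked-in CRL fixture for `crlURL`, which lets the suite run in network-isolated builds such as the Debian packaging case described above.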