Re: macOS (Big Sur, Apple Silicon) 'make check' fails in test-crypto-tlscredsx509

[Daniel P . Berrangé]

On Wed, Jan 27, 2021 at 05:44:59PM +0100, Stefan Weil wrote:
> Am 27.01.21 um 13:17 schrieb Daniel P. Berrangé:
> 
> > On Tue, Jan 26, 2021 at 04:41:13PM +0000, Peter Maydell wrote:
> > > On Tue, 26 Jan 2021 at 16:37, Daniel P. Berrangé <berrange@redhat.com> 
> > > wrote:
> > > > On Tue, Jan 26, 2021 at 04:32:08PM +0000, Peter Maydell wrote:
> > > > > ** (tests/test-crypto-tlscredsx509:35180): CRITICAL **: 16:23:34.590:
> > > > > Failed to sign certificate ASN1 parser: Value is not valid.
> > > > > ERROR test-crypto-tlscredsx509 - Bail out! FATAL-CRITICAL: Failed to
> > > > > sign certificate ASN1 parser: Value is not valid.
> > > > > make: *** [run-test-70] Error 1
> > > > > 
> > > > > 
> > > > > Does this failure ring any bells for anybody?
> > > > Not seen it before.
> > > > 
> > > > Is this using a gnutls from homebrew, or one that apple
> > > > ship themselves ?  Any idea what version it is ?
> > > Homebrew gnutls, 3.6.15.
> > On further investigation it seems the error comes from libtasn1,
> > but unfortunately there are 100's of scenarios it could arise
> > so difficult one to debug.
> > 
> > In the test_tls_generate_cert method in QEMU tests/crypto-tls-x509-helpers.c
> > 
> > There are conditional lines like
> > 
> >      if (req->country) {
> > 
> >      if (req->altname1) {
> >      ...etc...
> > 
> > I guess one, or more of those, is writing data that libtasn1 is not happy
> > with.
> > 
> > Some one with easy access to this apple silicon will likely need to start
> > by incrementally disabling each of those conditionals eg.  if (req->country
> > && 0)
> > 
> > until we find out which one (might be more than one) make the
> > 
> >     Failed to sign certificate ASN1 parser: Value is not valid.
> > 
> > error message go away. NB, once that ASN1 error goes away, the QEMU test
> > suite will likely give its own error because the certs will no longer
> > have the data it is expecting.
> > 
> > Regards,
> > Daniel
> 
> 
> I could debug into gnutls_x509_crt_sign2. gnutls_x509_crt_privkey_sign seems
> to fail.
> 
> Disabling the conditionals mentioned above did not help.

In $QEMU.git/crypto/init.c can you uncomment  the "#define DEBUG_GNUTLS"
line and then re-build and re-run the test case.

There's a bunch of debug logs in code paths from gnutls_x509_crt_privkey_sign
that might give us useful info.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|