[ssh_x509] x509 tests fail on Mac OSX (pkixssh8.6)

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Wed Dec 23 22:33:07 EET 2015

ssh_x509 at roumenpetrov.info wrote:
> On Sun, Dec 6, 2015 at 3:14 AM,<ssh_x509 at roumenpetrov.info>  wrote:
>> Hello ,
>> ssh_x509 at roumenpetrov.info  wrote:
>>> Hello,
>>> I was testing pkixssh8.6 on Mac OSX (on 10.10/Yosemite and 10.11/El
>>> Capitan), and noticed that the X509 specific tests fail on both.
>> I would like to know is specific test fail or if tests for a public key
>> algorithm fail.
> * against CACertificatePath:
> =======================================================================
> Begin test with base key_file testid_rsa ...
>    - autorization by x509 Subject against CA key rsa_sha1
>    * rsa_sha1
> failed
> Permission denied (publickey).

The list of regression tests is described in the environment variable 
If the variable is not set then the default defined in 
A specific test could be run, for example:
$ SSH_X509TESTS="agent blob_auth" make check-certs
will run the test with keys from the agent first and then a test with an X.509 
certificate of the public key encoded in the authorized keys file.

So let's see the default:

So "* against CACertificatePath:" is actually dn_auth_path, i.e. the third test fails and the first two tests pass.

The certificate validation process uses a store of "trusted X.509 certificates" to build the certificate chain to the root certificate.
Test dn_auth_file means that the authorized keys file contains the distinguished name of the client certificate and the "store" is a file with all
X.509 certificates (CA, issuer, etc.).
The failed test is the one where a directory is used for the store. In this case each certificate is stored in a separate file with name <HASH>.<NUM>.
See http://roumenpetrov.info.localhost/domino_CA/#dca2ssl .

If the other tests pass you could use your custom-built secure shell, but without the option CACertificatePath. CACertificateFile is enough. Maybe OS X has a system "certificate bundle".

The test may fail if the hash is calculated with a different digest. OpenSSL before version 1 used MD5. Then the hash was switched to SHA-1. It seems to me libressl 2.2.4 uses SHA-1 as well. This means that one possible reason for the failure is an "old" openssl in PATH.

The OPENSSL environment variable could be used to set the openssl binary. For instance:
OPENSSL=/opt/test/myssl/bin/openssl SSH_X509TESTS=agent make check-certs

You point out that <SOURCEDIR>/tests/CA/verify.sh passes on 10.10.
What about running OPENSSL="path to custom build openssl binary" ..../verify.sh?

The script runs the openssl verify command first with the -CAfile argument, then with -CApath.
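The hashed-directory layout and the -CAfile/-CApath check discussed above, as an added example (not code from the mailing list post or from pkixssh's own test suite). It assumes an openssl binary in PATH or given via the OPENSSL environment variable, builds a throwaway test CA and client certificate (constructed data), writes the CA certificate into a CApath directory under its subject-name hash, and then runs openssl verify both ways. The function names and the WORK directory are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes `openssl` in PATH or
# a custom binary in $OPENSSL (the same convention the pkixssh tests use).
OPENSSL="${OPENSSL:-openssl}"
WORK="${WORK:-$(mktemp -d)}"

# Constructed test PKI: a self-signed CA and one client certificate it issued.
make_test_pki() {
    "$OPENSSL" req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    "$OPENSSL" req -newkey rsa:2048 -nodes -subj "/CN=test-client" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    "$OPENSSL" x509 -req -in "$WORK/client.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 1 -out "$WORK/client.pem" 2>/dev/null
}

# Populate a CApath directory. Each trusted certificate is stored as
# <HASH>.<NUM>, where HASH is the subject-name hash that openssl computes
# (SHA-1 based since OpenSSL 1.0.0; MD5 based before that).
build_capath() {
    dir="$WORK/capath"
    mkdir -p "$dir"
    hash=$("$OPENSSL" x509 -noout -subject_hash -in "$WORK/ca.pem")
    cp "$WORK/ca.pem" "$dir/$hash.0"
    # Also add the pre-1.0 (MD5) name, if this openssl can compute it, so an
    # "old" openssl in PATH still finds the CA in the same directory.
    oldhash=$("$OPENSSL" x509 -noout -subject_hash_old -in "$WORK/ca.pem" 2>/dev/null) \
        && ln -sf "$hash.0" "$dir/$oldhash.0"
    echo "$hash"
}

# A CApath directory with the right certificate under the wrong file name:
# the lookup is by hash, so this store does not find the issuer.
build_bad_capath() {
    mkdir -p "$WORK/capath_bad"
    cp "$WORK/ca.pem" "$WORK/capath_bad/not-a-hash.0"
}

# The two lookups verify.sh performs: trusted store as a file, then as a directory.
verify_with_file() {
    "$OPENSSL" verify -CAfile "$WORK/ca.pem" "$WORK/client.pem" >/dev/null 2>&1
}
verify_with_path() {
    "$OPENSSL" verify -CApath "$WORK/capath" "$WORK/client.pem" >/dev/null 2>&1
}
verify_with_bad_path() {
    "$OPENSSL" verify -CApath "$WORK/capath_bad" "$WORK/client.pem" >/dev/null 2>&1
}

run_demo() {
    make_test_pki
    build_bad_capath
    hash=$(build_capath)
    echo "CA stored in CApath as: $hash.0"
    verify_with_file && echo "-CAfile: OK"
    verify_with_path && echo "-CApath: OK"
    verify_with_bad_path || echo "-CApath with misnamed file: FAILED (as expected)"
}

run_demo
```

If the -CAfile run passes and the -CApath run fails, compare the file name in the directory with the output of `openssl x509 -noout -subject_hash` (and `-subject_hash_old`) from the openssl actually found in PATH; a mismatch points at the digest difference mentioned above. OpenSSL 1.1.0 and later can also populate such a directory with `openssl rehash <dir>`, and older releases ship the `c_rehash` script for the same purpose.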

