Re: macOS (Big Sur, Apple Silicon) 'make check' fails in test-crypto-tlscredsx509

["Daniel P. Berrangé" <berrange@redhat.com>]

On Tue, Jan 26, 2021 at 04:41:13PM +0000, Peter Maydell wrote:
> On Tue, 26 Jan 2021 at 16:37, Daniel P. Berrangé <berrange@redhat.com> wrote:
> >
> > On Tue, Jan 26, 2021 at 04:32:08PM +0000, Peter Maydell wrote:
> > > ** (tests/test-crypto-tlscredsx509:35180): CRITICAL **: 16:23:34.590:
> > > Failed to sign certificate ASN1 parser: Value is not valid.
> > > ERROR test-crypto-tlscredsx509 - Bail out! FATAL-CRITICAL: Failed to
> > > sign certificate ASN1 parser: Value is not valid.
> > > make: *** [run-test-70] Error 1
> > >
> > >
> > > Does this failure ring any bells for anybody?
> >
> > Not seen it before.
> >
> > Is this using a gnutls from homebrew, or one that apple
> > ship themselves ?  Any idea what version it is ?
> 
> Homebrew gnutls, 3.6.15.

On further investigation it seems the error comes from libtasn1,
but unfortunately there are 100's of scenarios it could arise
so difficult one to debug.

In the test_tls_generate_cert method in QEMU tests/crypto-tls-x509-helpers.c

There are conditional lines like

    if (req->country) {

    if (req->altname1) {
    ...etc...

I guess one, or more of those, is writing data that libtasn1 is not happy
with.

Some one with easy access to this apple silicon will likely need to start
by incrementally disabling each of those conditionals eg.  if (req->country
&& 0)

until we find out which one (might be more than one) make the 

   Failed to sign certificate ASN1 parser: Value is not valid.

error message go away. NB, once that ASN1 error goes away, the QEMU test
suite will likely give its own error because the certs will no longer
have the data it is expecting. 

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|