Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

unable to sign with external OpenSSL engine after usage of crypto.hash #52307

Open
GauriSpears opened this issue Apr 1, 2024 · 1 comment
Open
Labels
crypto Issues and PRs related to the crypto subsystem. openssl Issues and PRs related to the OpenSSL dependency.

Comments

@GauriSpears
Copy link
Contributor

GauriSpears commented Apr 1, 2024

Version

v21.7.1

Platform

Linux debgis 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64 GNU/Linux

Subsystem

crypto

What steps will reproduce the bug?

  1. Install gost-engine for OpenSSL 3.x from here: https://github.com/gost-engine/engine
    For Debian I use this script:
ENGINE_PATH=$(openssl version -a | grep -Po '(?<=ENGINESDIR: ")[^"]*')
rm -rf "/usr/local/src/engine" \
  && cd /usr/local/src \
  && git clone https://github.com/gost-engine/engine \
  && cd engine \
  && git submodule update --init \
  && mkdir -p build \
  && cd build \
  && cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_C_FLAGS='-I/usr/local/ssl/include -L/usr/local/ssl/lib' \
   -DOPENSSL_ROOT_DIR=/usr/local/ssl  -DOPENSSL_INCLUDE_DIR=/usr/local/ssl/include -DOPENSSL_LIBRARIES=/usr/local/ssl/lib -DOPENSSL_ENGINES_DIR=${ENGINE_PATH} .. \
  && cmake --build . --config Release \
  && cmake --build . --target install --config Release
  1. Run the code:
const crypto = require('crypto');
const fs = require('fs');
//on some systems engine is successfully loaded by name, but on others you have to specify full path
try{
  crypto.setEngine('gost');
} catch(err){
  //look for engine path in "openssl version -a"
  const child_process = require('child_process');
  let Epath = child_process.execSync('openssl version -a').toString().match(/(?<=ENGINESDIR: ")[^"]*/);
  if (Epath==null) logger.info('ENGINESDIR not found in openssl version -a');
  Epath=Epath[0];
  crypto.setEngine(Epath+'/gost.so');
}

//without this string everything is OK
const hash=crypto.createHash('md_gost12_256');

const sign = crypto.createSign('md_gost12_256');
sign.update('this is test string');
const privateKey = fs.readFileSync('/home/key.pem'); //Just a private key, if you don't know how to generate one, I can provide it to you.
const SignatureValueT = sign.sign(privateKey,'base64');

How often does it reproduce? Is there a required condition?

Always

What is the expected behavior? Why is that the expected behavior?

Signature should be calculated without any errors.

What do you see instead?

node:internal/crypto/sig:128
  const ret = this[kHandle].sign(data, format, type, passphrase, rsaPadding,
                            ^

Error: error:0308010C:digital envelope routines::unsupported
    at Sign.sign (node:internal/crypto/sig:128:29)
    at Object.<anonymous> (/home/GKU-data/test/hashtest.js:21:30)
    at Module._compile (node:internal/modules/cjs/loader:1368:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1426:10)
    at Module.load (node:internal/modules/cjs/loader:1205:32)
    at Module._load (node:internal/modules/cjs/loader:1021:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:142:12)
    at node:internal/main/run_main_module:28:49 {
  library: 'digital envelope routines',
  reason: 'unsupported',
  code: 'ERR_OSSL_EVP_UNSUPPORTED'
}

Additional information

It looks like it's caused by #51044 or #51034
The given code works fine on v21.6.2 and before but breaks on v21.7.0 and v21.7.1.

@panva
Copy link
Member

panva commented Apr 1, 2024

@joyeecheung

@RedYetiDev RedYetiDev added crypto Issues and PRs related to the crypto subsystem. openssl Issues and PRs related to the OpenSSL dependency. labels Apr 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
crypto Issues and PRs related to the crypto subsystem. openssl Issues and PRs related to the OpenSSL dependency.
Projects
None yet
Development

No branches or pull requests

3 participants