Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

mix deps.compile jose error since 1.10 release #82

Closed
ed-vazquez opened this issue Jan 4, 2020 · 13 comments
Closed

mix deps.compile jose error since 1.10 release #82

ed-vazquez opened this issue Jan 4, 2020 · 13 comments

Comments

@ed-vazquez
Copy link

ed-vazquez commented Jan 4, 2020
edited
Loading

mix.deps get and compile failing for version 1.10
Issue did not occur using 1.8

Compiling 105 files (.erl)
src/jwk/jose_jwk_pem.erl:82: undefined macro 'id-aes256-CBC'
src/jwk/jose_jwk_pem.erl:20: function to_binary/3 undefined
src/jwk/jose_jwk_der.erl:58: undefined macro 'id-aes256-CBC'
src/jwk/jose_jwk_der.erl:18: function to_binary/3 undefined

I am unsure if related to external factors.

using
Erlang/OTP 22 [erts-10.4.4] [source] [64-bit] [smp:12:12] [ds:12:12:10] [async-threads:1] [hipe]
Elixir 1.9.0 (compiled with Erlang/OTP 22)
@pedrorossato
Copy link

I`m with the same error here. Waiting for help.

@mazz
Copy link

mazz commented Jan 5, 2020
edited
Loading

Getting the same issue. I have an umbrella app and in the "root" mix.exs I put:
{:jose, "~> 1.9", override: true}
which seemed to get me up-and-running.
** UPDATE **
Sorry, I misspoke. The above does not help.

However, after running mix deps.get I manually edited the mix.lock file from:

"jose": {:hex, :jose, "1.10.0", "4167c5f6d06ffaebffd15cdb8da61a108445ef5e85ab8f5a7ad926fdf3ada154", [:mix, :rebar3], [{:base64url, "~> 0.0.1", [hex: :base64url, repo: "hexpm", optional: false]}], "hexpm"},

to:

"jose": {:hex, :jose, "1.9.0", "4167c5f6d06ffaebffd15cdb8da61a108445ef5e85ab8f5a7ad926fdf3ada154", [:mix, :rebar3], [{:base64url, "~> 0.0.1", [hex: :base64url, repo: "hexpm", optional: false]}], "hexpm"},

@FrancisMurilloDigix
Copy link

@mazz Have you tried just {:jose, "~> 1.9.0", override: true}, the ~> will look for the next minor version available instead of just the build/patch number by adding the extra .0? Have the same problem and the fix above works for now.

@markupguy
Copy link

markupguy commented Jan 6, 2020
edited
Loading

Getting the same with a fresh Phoenix install. I added Guardian which has the jose dependancy. Unfortunately none of the above fixes have worked for me thus far.

Edit: Looks like hand editing the mix.lock to 1.9.0 does the trick as per @mazz

@ed-vazquez
Copy link
Author

ed-vazquez commented Jan 6, 2020 via email

@victorolinasc
Copy link
Contributor

Passing {:jose, "~> 1.9.0", override: true} or {:jose, "== 1.9.0"} and running:

mix deps.unlock jose
mix deps.get jose
mix deps.compile jose

Works :)

@mazz
Copy link

mazz commented Jan 6, 2020

@FrancisMurilloDigix

Will try the .0 thanks

@mazz Have you tried just {:jose, "~> 1.9.0", override: true}, the ~> will look for the next minor version available instead of just the build/patch number by adding the extra .0? Have the same problem and the fix above works for now.

@tonight-halfmoon
Copy link

tonight-halfmoon commented Jan 7, 2020
edited
Loading

it requires: elixir 1.9.4 and Erlang to be as younger as/than 22.1

@potatosalad
Copy link
Owner

Really odd, I haven't been able to reproduce this behavior locally with either of the following setups:

  1. Erlang/OTP 22.1.8, Elixir 1.9.0
  2. Erlang/OTP 22.2.1, Elixir 1.9.4

This sounds like it's a minimum OTP version number problem where OTP 22.1 might be the new minimum requirement in order to support the new cryptographic operations (specifically, the switch from default PEM encryption from DES3 to AES-256-CBC).

erts-10.4.4 would mean OTP-22.0.{5,6,7}, so I'll do some more tests with that version and report back.

@potatosalad
Copy link
Owner

It looks as though there was a moderate change between crypto-4.5 and crypto-4.6 as well as public_key-1.6 and public-key-1.7 (see the version table) which corresponds with OTP-22.0 and OTP-22.1.

I'll see if I can get a compatibility fix put together for a version 1.10.1 release.

@potatosalad
Copy link
Owner

To make things even more confusing, OTP-21.3.8.11 works fine.

So, somewhere between OTP-21 and OTP-22, some of the public key macros appear to have been messed up.

@mazz
Copy link

mazz commented Jan 8, 2020

From memory, I am using otp 22.0.7/elixir 1.9.1 if that helps. I installed elixir 1.10-rc0 and plan to upgrade to latest otp.

It looks as though there was a moderate change between crypto-4.5 and crypto-4.6 as well as public_key-1.6 and public-key-1.7 (see the version table) which corresponds with OTP-22.0 and OTP-22.1.

I'll see if I can get a compatibility fix put together for a version 1.10.1 release.

potatosalad added a commit that referenced this issue Jan 8, 2020
@potatosalad
WIP - public_key PEM/DER PKCS-8 compatibility layer for issue #82
ae03cdb
potatosalad added a commit that referenced this issue Jan 8, 2020
@potatosalad
WIP - ensure the EC curve parameters aren't dropped on PKCS-8 convers…
571a7be 
…ion (see issue #82)
potatosalad added a commit that referenced this issue Jan 8, 2020
@potatosalad
Version 1.10.1 (2020-01-08)
c7aad59 
* Fixes
  * Add PEM/DER compatibility layer for PKCS-8 incompatibilities with various versions of OTP, `crypto`, and `public_key`; see #82
@potatosalad
Copy link
Owner

The compilation error should no longer occur as of jose version 1.10.1.

There are some slight differences between the way PEM and DER formats will be generated between OTP 20, 21, and 22, but hopefully the compatibility layer I added will help smooth things over during the transition.

Thanks to everyone who reported this!

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Mar 23, 2020
@alarixnia
erlang-jose: Update to 1.10.1
f9f5ea0 
# Changelog

## 1.10.1 (2020-01-08)

* Fixes
  * Add PEM/DER compatibility layer for PKCS-8 incompatibilities with various versions of OTP, `crypto`, and `public_key`; see [#82](potatosalad/erlang-jose#82)

## 1.10.0 (2020-01-03)

* Enhancements
  * Remove [base64url](https://github.com/dvv/base64url) dependency and include embedded version.
  * Add support for `C20P` and `XC20P` encryption based on [draft-amringer-jose-chacha](https://tools.ietf.org/html/draft-amringer-jose-chacha-01) (ChaCha20/Poly1305 and XChaCha20/Poly1305).
  * Add support for ECDH-ES keywrapping for AES-GCM, ChaCha20/Poly1305, and XChaCha20/Poly1305.
  * Add support for PBES2 keywrapping for AES-GCM, ChaCha20/Poly1305, and XChaCha20/Poly1305.
  * Add support for `ECDH-1PU` encryption based on [draft-madden-jose-ecdh-1pu](https://tools.ietf.org/html/draft-madden-jose-ecdh-1pu-02).
  * Add support for reading/writing DER format (or PKCS8 format).

* Fixes
  * Fix PSS salt length (thanks to [@ntrepid8](https://github.com/ntrepid8), see [#65](potatosalad/erlang-jose#65))
  * Speed up and stabilize tests on CI environment.

## 1.9.0 (2018-12-31)

* Enhancements
  * Add support for [Jason](https://github.com/michalmuskala/jason) JSON encoding and decoding.
  * Add support for Poison 4.x and lexical ordering.
  * Use `public_key` over `cutkey` for RSA key generation if available.
  * Drop support for older versions of OTP (19+ now required).
  * Relicense library under MIT license.

* Fixes
  * Add macro so the application compiles without warnings after `erlang:get_stacktrace/0` has been deprecated.
  * Extra sanity check for RSA padding modes when falling back.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@potatosalad @victorolinasc @mazz @ed-vazquez @tonight-halfmoon @markupguy @pedrorossato @FrancisMurilloDigix