Fix OpenSSL::PKey.read that cannot parse PKey in the FIPS mode. #615

Merged: 3 commits, Jun 1, 2023

Commits on Jun 1, 2023

  1. Workaround: Fix OpenSSL::PKey.read that cannot parse PKey in the FIPS…

    … mode.
    
    This commit is a workaround to avoid the error below that the
    `OpenSSL::PKey.read` fails with the OpenSSL 3.0 FIPS mode.
    
    ```
    $ openssl genrsa -out key.pem 4096
    
    $ ruby -e "require 'openssl'; OpenSSL::PKey.read(File.read('key.pem'))"
    -e:1:in `read': Could not parse PKey (OpenSSL::PKey::PKeyError)
      from -e:1:in `<main>'
    ```
    
    The root cause is on the OpenSSL side. The `OSSL_DECODER_CTX_set_selection`
    doesn't apply the selection value properly if there are multiple providers, and
    a provider (e.g. "base" provider) handles the decoder implementation, and
    another provider (e.g. "fips" provider) handles the keys.
    
    The workaround is to create an `OSSL_DECODER_CTX` variable each time without using
    the `OSSL_DECODER_CTX_set_selection`.
    junaruga committed Jun 1, 2023
    5ff4a31
  2. Drop a common logic disabling the FIPS mode in the tests.

    We want to run the unit tests in the FIPS mode too.
    junaruga committed Jun 1, 2023
    ab92baf
  3. CI: Add the test/openssl/test_pkey.rb on the FIPS mode case.

    It's to test the `OpenSSL::PKey.read` in the `test/openssl/test_pkey.rb`.
    
    I added the pending status to the following tests failing on the FIPS mode
    case in the `test/openssl/test_pkey.rb`.
    
    * `test_ed25519`
    * `test_x25519`
    * `test_compare?`
    junaruga committed Jun 1, 2023
    8149cdf
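
A round-trip check for the failure described in the first commit message, written as an added example (it is not part of this pull request or of the project's test suite). It runs `OpenSSL::PKey.read` over the private and public PEM and DER encodings of one key and reports which ones fail to parse, alongside the current FIPS mode state. The method names `pkey_read_roundtrip` and `run_check` are hypothetical, and the sample key is generated in-process.

```ruby
require "openssl"

# Added example: parse one key back through OpenSSL::PKey.read in each common
# encoding and record the outcome per encoding.
# Returns a Hash of encoding name => :ok, :mismatch, or an error string.
def pkey_read_roundtrip(key)
  pub = key.public_key
  encodings = {
    "private PEM" => [key.to_pem, key.to_der],
    "private DER" => [key.to_der, key.to_der],
    "public PEM"  => [pub.to_pem, pub.to_der],
    "public DER"  => [pub.to_der, pub.to_der],
  }

  encodings.to_h do |name, (encoded, expected_der)|
    outcome =
      begin
        parsed = OpenSSL::PKey.read(encoded)
        # A parse that silently yields a different key is also a failure.
        parsed.to_der == expected_der ? :ok : :mismatch
      rescue OpenSSL::PKey::PKeyError => e
        # This is the "Could not parse PKey" path from the commit message.
        "error: #{e.message}"
      end
    [name, outcome]
  end
end

# Generates a constructed sample RSA key and runs the round trip, reporting
# whether the linked OpenSSL is currently in FIPS mode.
def run_check
  key = OpenSSL::PKey::RSA.new(2048)
  { fips_mode: OpenSSL.fips_mode, results: pkey_read_roundtrip(key) }
end

if $PROGRAM_NAME == __FILE__
  report = run_check
  puts "FIPS mode: #{report[:fips_mode]}"
  report[:results].each { |name, outcome| puts format("%-12s %s", name, outcome) }
  exit(report[:results].values.all? { |o| o == :ok } ? 0 : 1)
end
```

Running this under both the default and the FIPS provider configuration shows whether a given build of the `openssl` gem parses keys in both modes.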