Web3Signer integration tests failing on MacOS #6442

Open
jimmygchen opened this issue Sep 27, 2024 · 3 comments
Comments

@jimmygchen

Description

Our web3signer integration tests consistently fail on MacOS:

---- tests::sepolia_altair_types stdout ----
thread 'tests::sepolia_altair_types' panicked at testing/web3signer_tests/src/lib.rs:258:91:
called `Result::unwrap()` on an `Err` value: InvalidWeb3SignerClientIdentityCertificate(reqwest::Error { kind: Builder, source: Error { code: -25264, message: "MAC verification failed during PKCS12 import (wrong password?)" } })
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

This has been an issue for a while but we never had a chance to fix it.

I dug into this a while ago, and the issue looks like it's related to security-framework (macOS Security.framework bindings used by openssl) - and it seems like this crate is no longer being actively maintained.

Not sure if it's worth fixing it to make it work, or we could just disable these tests on MacOS.

@ackintosh

I have also looked into this, and have raised an issue in security-framework.

kornelski/rust-security-framework#216

@ackintosh

ackintosh commented Nov 11, 2024

The problem was that the default openssl pkcs12 encoding algorithm is not compatible with the algorithm used by the Apple Security Framework for pkcs.

kornelski/rust-security-framework#216 (comment)

Creating the p12 file with the -legacy option resolves the web3signer test failure on macOS. Our options to achieve this are as follows:

  • Overwrite the lighthouse/key.p12 file with one generated using the -legacy option. See the Update below.
  • Create lighthouse/key_legacy.p12 and use it only for macOS testing.

I don't fully understand the web3signer_tests, but it seems that the second option might be preferable since the problem occurs only on macOS?


Update

I confirmed that, on Linux, choosing the first option (Overwrite ....) results in the following error:

thread 'tests::sepolia_altair_types' panicked at testing/web3signer_tests/src/lib.rs:257:91:
called `Result::unwrap()` on an `Err` value: InvalidWeb3SignerClientIdentityCertificate(reqwest::Error { kind: Builder, source: Normal(ErrorStack([Error { code: 50856204, library: "digital envelope routines", function: "inner_evp_generic_fetch", reason: "unsupported", file: "crypto/evp/evp_fetch.c", line: 355, data: "Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()" }])) })

Therefore, we should proceed with creating the lighthouse/key_legacy.p12 file.

@ackintosh

ackintosh commented Nov 13, 2024

Noticed another problem on macOS. Even if we create lighthouse/key_legacy.p12 specifically for macOS testing, the test fails with the following error message:

upcheck error: reqwest::Error { kind: Request, url: Url { scheme: "https", cannot_be_a_base: false, username: "", password: None, host: Some(Ipv4(127.0.0.1)), port: Some(4251), path: "/upcheck", query: None, fragment: None }, source: hyper::Error(Connect, Error { code: -67843, message: "The certificate was not trusted." }) }

The "The certificate was not trusted." error occurs because the certificates for the web3signer test are generated with the -days 36500 option, which violates the security requirements on macOS. Apple requires TLS server certificates to have a validity period of 825 days or fewer.

https://support.apple.com/en-us/103769

TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).
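The two macOS failure modes discussed in this thread (the PKCS#12 encryption algorithm that Security.framework rejects, and the 825-day validity limit) can both be checked with the openssl CLI. The script below is an added example, not code from the Lighthouse repository; the working directory, password and CN are assumptions, and it assumes OpenSSL 3.x has its legacy provider installed (OpenSSL 1.x used the RC2-40 PBE by default, so no flag is needed there).

```shell
#!/bin/sh
# Added example (not Lighthouse code): generate throwaway test material and
# check the two properties this thread identifies as macOS failure modes.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="example-password"   # constructed value for this example only

# "-legacy" exists only in OpenSSL 3.x, whose default PKCS#12 PBE (PBES2/AES,
# SHA-256 MAC) Security.framework fails to import. OpenSSL 1.x already emitted
# the RC2-40 / 3DES PBE that SecPKCS12Import accepts, so it needs no flag.
legacy_flag() {
  case "$(openssl version)" in
    "OpenSSL 3."*) echo "-legacy" ;;
    *) echo "" ;;
  esac
}

# Self-signed test certificate valid for $1 days; key and cert go to $WORK.
gen_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$1" \
    -subj "/CN=web3signer-test" -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    >/dev/null 2>&1
}

# Apple rejects TLS server certs valid for more than 825 days. For a freshly
# issued cert that is the same as "expires within 825 days of now", which
# `x509 -checkend` signals with exit status 1; negate it to get "within limit".
cert_within_apple_limit() {
  ! openssl x509 -in "$1" -noout -checkend $((825 * 86400)) >/dev/null
}

# Bundle key + cert into a PKCS#12 file using the legacy PBE (the thread's
# key_legacy.p12 approach). Output path is $1.
export_legacy_p12() {
  # shellcheck disable=SC2046
  openssl pkcs12 -export $(legacy_flag) -inkey "$WORK/key.pem" \
    -in "$WORK/cert.pem" -out "$1" -passout "pass:$P12_PASS"
}

# Exit 0 if the bundle's certificate bag is encrypted with the RC2-40 PBE
# (the algorithm named in the Linux "unsupported" error above), 1 otherwise.
# `-info` writes the algorithm summary to stderr, hence 2>&1.
p12_uses_legacy_pbe() {
  # shellcheck disable=SC2046
  openssl pkcs12 -info $(legacy_flag) -in "$1" -passin "pass:$P12_PASS" \
    -noout 2>&1 | grep -q "RC2"
}
```

Run `gen_test_cert 36500` to reproduce the thread's too-long certificate, or `gen_test_cert 825` for one that macOS accepts, then `export_legacy_p12 "$WORK/key_legacy.p12"`.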
