Open runfoapp[bot] opened 2 years ago
Tagging subscribers to this area: @dotnet/area-system-security, @vcsjones See info in area-owners.md if you want to be subscribed.
Author: | runfoapp[bot] |
---|---|
Assignees: | - |
Labels: | `area-System.Security` |
Milestone: | - |
Tagging subscribers to 'arch-android': @steveisok, @akoeplinger See info in area-owners.md if you want to be subscribed.
Author: | runfoapp[bot] |
---|---|
Assignees: | - |
Labels: | `area-System.Security`, `blocking-clean-ci`, `os-android`, `untriaged` |
Milestone: | - |
The default RSA provider tests claim that Android supports both RSASSA-PSS and RSA with keys whose exponents are bigger than 32 bits; but this may be the only test that does both.
<test name="System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.BuildEmptyRsaPss(hashName: \"SHA256\")" type="System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests" method="BuildEmptyRsaPss" time="0.0771638" result="Fail">
<failure exception-type="Xunit.Sdk.TrueException">
<message>
<![CDATA[ Certificate's public key verifies the signature\nExpected: True\nActual: False ]]>
</message>
<stack-trace>
<![CDATA[ at System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.<>c__DisplayClass17_0.<BuildEmptyRsaPss>b__0(X509Certificate2 cert, DateTimeOffset now) in /_/src/libraries/System.Security.Cryptography.X509Certificates/tests/CertificateCreation/CrlBuilderTests.cs:line 407 at System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.BuildRsaCertificateAndRun(IEnumerable`1 extensions, Action`2 action, Boolean addSubjectKeyIdentifier, String callerName) in /_/src/libraries/System.Security.Cryptography.X509Certificates/tests/CertificateCreation/CrlBuilderTests.cs:line 1490 at System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.BuildEmptyRsaPss(String hashName) in /_/src/libraries/System.Security.Cryptography.X509Certificates/tests/CertificateCreation/CrlBuilderTests.cs:line 382 at System.Reflection.MethodInvoker.InterpretedInvoke(Object obj, Span`1 args, BindingFlags invokeAttr) ]]>
</stack-trace>
</failure>
</test>
<test name="System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.BuildEmptyRsaPss(hashName: \"SHA384\")" type="System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests" method="BuildEmptyRsaPss" time="0.0057438" result="Fail">
<failure exception-type="Xunit.Sdk.TrueException">
<message>
<![CDATA[ Certificate's public key verifies the signature\nExpected: True\nActual: False ]]>
</message>
<stack-trace>
<![CDATA[ at System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.<>c__DisplayClass17_0.<BuildEmptyRsaPss>b__0(X509Certificate2 cert, DateTimeOffset now) in /_/src/libraries/System.Security.Cryptography.X509Certificates/tests/CertificateCreation/CrlBuilderTests.cs:line 407 at System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.BuildRsaCertificateAndRun(IEnumerable`1 extensions, Action`2 action, Boolean addSubjectKeyIdentifier, String callerName) in /_/src/libraries/System.Security.Cryptography.X509Certificates/tests/CertificateCreation/CrlBuilderTests.cs:line 1490 at System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.BuildEmptyRsaPss(String hashName) in /_/src/libraries/System.Security.Cryptography.X509Certificates/tests/CertificateCreation/CrlBuilderTests.cs:line 382 at System.Reflection.MethodInvoker.InterpretedInvoke(Object obj, Span`1 args, BindingFlags invokeAttr) ]]>
</stack-trace>
</failure>
</test>
<test name="System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.BuildEmptyRsaPss(hashName: \"SHA512\")" type="System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests" method="BuildEmptyRsaPss" time="0.0070822" result="Fail">
<failure exception-type="Xunit.Sdk.TrueException">
<message>
<![CDATA[ Certificate's public key verifies the signature\nExpected: True\nActual: False ]]>
</message>
<stack-trace>
<![CDATA[ at System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.<>c__DisplayClass17_0.<BuildEmptyRsaPss>b__0(X509Certificate2 cert, DateTimeOffset now) in /_/src/libraries/System.Security.Cryptography.X509Certificates/tests/CertificateCreation/CrlBuilderTests.cs:line 407 at System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.BuildRsaCertificateAndRun(IEnumerable`1 extensions, Action`2 action, Boolean addSubjectKeyIdentifier, String callerName) in /_/src/libraries/System.Security.Cryptography.X509Certificates/tests/CertificateCreation/CrlBuilderTests.cs:line 1490 at System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.BuildEmptyRsaPss(String hashName) in /_/src/libraries/System.Security.Cryptography.X509Certificates/tests/CertificateCreation/CrlBuilderTests.cs:line 382 at System.Reflection.MethodInvoker.InterpretedInvoke(Object obj, Span`1 args, BindingFlags invokeAttr) ]]>
</stack-trace>
</failure>
</test>
The only failures are in the CrlBuilderTests.BuildEmptyRsaPss test, and that test is passing everywhere except Android.
Newer tests show that even RSASSA-PKCS1 is failing with big-exponent keys; it looks like RsaVerificationPrimitive is not working how we'd expect. That makes big-exponent encryption also suspect.
Looking at this:
BoringSSL, the cryptographic provider used by conscrypt in Android, does not permit RSA e greater than 33-bits (yes 33 not 32).
I haven't yet figured out why sign appears to work and verify does not, but judging from the commentary it appears the intention is that verifying with a large public exponent is disabled to mitigate DoS.
Probably "you have the private key, you do you", vs "you got this public key from a certificate, oh, they're trolling you".
It'd be nicer if they failed at key import, though.
I got some amount of confirmation from a Google contact saying "Yes, we limit public key operations with an exponent of <= 2^33". So these disabled tests should become either conditional tests, or, where appropriate, don't use a large exponent (I seem to recall a number of the CRL tests using big exponents exclusively).
@vcsjones thanks, we can work to get these enabled.
There are a bunch of cryptography failures on Android in rolling build 1905046. Here is an example of one:
https://helixre107v0xdeko0k025g8.blob.core.windows.net/dotnet-runtime-refs-heads-main-e21ac2efc94b48918e/Microsoft.Extensions.Caching.Memory.Tests/1/console.10ca6335.log?%3Fhelixlogtype%3Dresult