lsh123 / xmlsec

XML Security Library

xmlsec - openssl 3.0.0alpha10 - unit test check-crypto-openssl fails #309

Closed Thomas-Barbier-1A closed 3 years ago

Thomas-Barbier-1A commented 3 years ago

Hello,

I am trying to compile xmlsec 1.2.31 with openssl 3.0.0 alpha10 and I have openssl-related tests failing: Makefile:1184: recipe for target 'check-crypto-openssl' failed

It seems that all openssl tests fail at "Create new signature" or "Verify existing signature".

Here is an example of error during unit test:

    /remote/tmp/rnd-aqg/ospack/dev/tbarbier/open-source-pack/xmlsec/BUILD/xmlsec1-1.2.31/apps/xmlsec1 sign --crypto openssl --crypto-config /tmp/xmlsec-crypto-config --pkcs12:key2 /remote/tmp/rnd-aqg/ospack/dev/tbarbier/open-source-pack/xmlsec/BUILD/xmlsec1-1.2.31/tests/keys/rsakey.p12 --pwd secret123 --url-map:http://www.w3.org/TR/xml-stylesheet /remote/tmp/rnd-aqg/ospack/dev/tbarbier/open-source-pack/xmlsec/BUILD/xmlsec1-1.2.31/tests/external-data/xml-stylesheet-2018 --output /tmp/testDSig.sh.20210108_164235-39076.tmp /remote/tmp/rnd-aqg/ospack/dev/tbarbier/open-source-pack/xmlsec/BUILD/xmlsec1-1.2.31/tests/aleksey-xmldsig-01/signature-two-keynames.tmpl
    func=xmlSecOpenSSLEvpKeyAdopt:file=evp.c:line=351:obj=unknown:subj=pKey != NULL:error=100:assertion:
    func=xmlSecOpenSSLAppPkcs12LoadBIO:file=app.c:line=639:obj=unknown:subj=xmlSecOpenSSLEvpKeyAdopt:error=1:xmlsec library function failed:
    func=xmlSecOpenSSLAppKeyLoadBIO:file=app.c:line=314:obj=unknown:subj=xmlSecOpenSSLAppPkcs12LoadBIO:error=1:xmlsec library function failed:
    func=xmlSecOpenSSLAppKeyLoad:file=app.c:line=175:obj=unknown:subj=xmlSecOpenSSLAppKeyLoadBIO:error=1:xmlsec library function failed:filename=/remote/tmp/rnd-aqg/ospack/dev/tbarbier/open-source-pack/xmlsec/BUILD/xmlsec1-1.2.31/tests/keys/rsakey.p12
    Error: xmlSecCryptoAppKeyLoad failed: filename=/remote/tmp/rnd-aqg/ospack/dev/tbarbier/open-source-pack/xmlsec/BUILD/xmlsec1-1.2.31/tests/keys/rsakey.p12
    Error: failed to load pkcs12 key from "/remote/tmp/rnd-aqg/ospack/dev/tbarbier/open-source-pack/xmlsec/BUILD/xmlsec1-1.2.31/tests/keys/rsakey.p12".
    Error: keys manager creation failed

It is unclear to me if the command generated by the test is bogus or if it is an internal error due to OpenSSL API changes.

Here is a reproducer (simplified command taken from unit tests):

    tar -xzvf reproducer.tar.gz
    xmlsec1 \
        sign \
        --crypto openssl \
        --crypto-config /tmp/xmlsec-crypto-config \
        --pkcs12:key2 ./tests/keys/rsakey.p12 \
        --pwd secret123 \
        --url-map:http://www.w3.org/TR/xml-stylesheet \
        ./tests/external-data/xml-stylesheet-2018 \
        --output ./testDSig.sh.20210108_164235-39076.tmp \
        ./tests/aleksey-xmldsig-01/signature-two-keynames.tmpl

    func=xmlSecOpenSSLEvpKeyAdopt:file=evp.c:line=351:obj=unknown:subj=pKey != NULL:error=100:assertion:
    func=xmlSecOpenSSLAppPkcs12LoadBIO:file=app.c:line=639:obj=unknown:subj=xmlSecOpenSSLEvpKeyAdopt:error=1:xmlsec library function failed:
    func=xmlSecOpenSSLAppKeyLoadBIO:file=app.c:line=314:obj=unknown:subj=xmlSecOpenSSLAppPkcs12LoadBIO:error=1:xmlsec library function failed:
    func=xmlSecOpenSSLAppKeyLoad:file=app.c:line=175:obj=unknown:subj=xmlSecOpenSSLAppKeyLoadBIO:error=1:xmlsec library function failed:filename=./tests/keys/rsakey.p12
    Error: xmlSecCryptoAppKeyLoad failed: filename=./tests/keys/rsakey.p12
    Error: failed to load pkcs12 key from "./tests/keys/rsakey.p12".
    Error: keys manager creation failed
    Unknown command
    Usage: xmlsec [] []

Do you have any hint of what the issue could be?

Cheers,
Thomas

reproducer.tar.gz

lsh123 commented 3 years ago

Probably API changes in OpenSSL 3.0.0 --- need to look and fix whatever they broke. I didn't try to compile against it yet; I usually wait for the stable release. However, I love patches :)

petrovr commented 3 years ago

Does the above command pass with an absolute name?

If I remember well, openssl master (future 3.0) switched the utilities to use the STORE2 API for loads. Unfortunately, the stable release supports only absolute paths. Dunno for master. This is the reason to ask to test with an absolute name.

Thomas-Barbier-1A commented 3 years ago

I just tried with an absolute path instead of a relative path and I have the same error:

xmlsec1 \
    sign \
    --crypto openssl \
    --crypto-config /tmp/xmlsec-crypto-config \
    --pkcs12:key2 ${PWD}/tests/keys/rsakey.p12 \
    --pwd secret123 \
    --url-map:http://www.w3.org/TR/xml-stylesheet \
    ${PWD}/tests/external-data/xml-stylesheet-2018 \
    --output ${PWD}/testDSig.sh.20210108_164235-39076.tmp \
    ${PWD}/tests/aleksey-xmldsig-01/signature-two-keynames.tmpl

I also checked the commands run by the unit tests and they seem to all use absolute paths as well.

stac47 commented 3 years ago

Hello,

The error comes from the fact that OpenSSL v3 comes with the concept of "providers". In fact, old deprecated algorithms have been transferred into a module that is loaded at runtime. This module is called the "legacy" provider.

In this test case, rsakey.p12 uses RC2-40-CBC, which is no longer provided by default. So make sure your OpenSSL v3 configuration files enable the legacy provider. As mentioned at https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers, this can be done with the following openssl.cnf file:

   openssl_conf = openssl_init

   [openssl_init]
   providers = provider_sect

   [provider_sect]
   default = default_sect
   legacy = legacy_sect

   [default_sect]
   activate = 1

   [legacy_sect]
   activate = 1

With this configured, the whole xmlsec test suite works.

Regards
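The RC2-40-CBC point above, as an added example that is not from the xmlsec project or any commenter: a stdlib-only Python checker that walks a PKCS#12 file's DER, reports which RFC 7292 PBE algorithms it uses, and says whether any of them is only implemented by OpenSSL 3's legacy provider (RC2 and RC4) rather than the default one (3DES). It only recognises the six pkcs-12PbeIds, and it builds its own constructed PFX skeleton as input instead of reading tests/keys/rsakey.p12.

```python
"""Detect PKCS#12 PBE algorithms that OpenSSL 3 only serves from the legacy provider."""
# RFC 7292 Appendix C pkcs-12PbeIds 1..6; in OpenSSL 3 RC2/RC4 are legacy-provider only, 3DES is default
PBE_NAMES = dict(zip(["1.2.840.113549.1.12.1.%d" % i for i in range(1, 7)], [
    "pbeWithSHAAnd128BitRC4", "pbeWithSHAAnd40BitRC4", "pbeWithSHAAnd3-KeyTripleDES-CBC",
    "pbeWithSHAAnd2-KeyTripleDES-CBC", "pbeWithSHAAnd128BitRC2-CBC", "pbeWithSHAAnd40BitRC2-CBC"]))
def _read_tlv(buf, pos):  # one DER element (single-byte tags) -> (tag, content, end) or None
    if pos + 2 > len(buf):
        return None
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the size
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return None if pos + length > len(buf) else (tag, buf[pos:pos + length], pos + length)

def _decode_oid(raw):  # first byte packs two arcs; the rest are base-128 with a continuation bit
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def collect_oids(buf):
    """List every OID in buf, descending into constructed tags and into OCTET STRINGs that
    wrap a whole DER SEQUENCE (PKCS#12 nests AuthenticatedSafe that way inside ContentInfo)."""
    oids, pos = [], 0
    while (tlv := _read_tlv(buf, pos)) is not None:
        tag, content, pos = tlv
        if tag == 0x06:
            oids.append(_decode_oid(content))
        elif tag & 0x20 or (tag == 0x04 and (inner := _read_tlv(content, 0)) is not None
                            and inner[0] == 0x30 and inner[2] == len(content)):
            oids.extend(collect_oids(content))
    return oids

def pkcs12_pbe_report(p12_der):
    """Return ([(pbe_name, provider), ...], needs_legacy) for a DER-encoded PFX blob."""
    names = [PBE_NAMES[o] for o in collect_oids(p12_der) if o in PBE_NAMES]
    found = [(n, "default" if "TripleDES" in n else "legacy") for n in names]
    return found, any(p == "legacy" for _, p in found)

def _der(tag, content):  # minimal DER encoder, short-form lengths only (the sample is < 128 bytes)
    return bytes([tag, len(content)]) + content
OID_DATA, OID_ENCDATA = bytes.fromhex("2a864886f70d010701"), bytes.fromhex("2a864886f70d010706")
OID_RC2_40, OID_3DES = bytes.fromhex("2a864886f70d010c0106"), bytes.fromhex("2a864886f70d010c0103")
def build_sample_pfx(pbe_oid=OID_RC2_40):  # constructed PFX skeleton: RFC 7292 nesting, dummy salt/ciphertext
    alg = _der(0x30, _der(0x06, pbe_oid) + _der(0x30, _der(0x04, b"\0" * 8) + _der(0x02, b"\x08\x00")))
    enc = _der(0x30, _der(0x02, b"\0") + _der(0x30, _der(0x06, OID_DATA) + alg + _der(0x80, b"\0" * 16)))
    safe = _der(0x04, _der(0x30, _der(0x30, _der(0x06, OID_ENCDATA) + _der(0xA0, enc))))
    return _der(0x30, _der(0x02, b"\x03") + _der(0x30, _der(0x06, OID_DATA) + _der(0xA0, safe)))
```

To check a real file, pass `open(path, "rb").read()` to `pkcs12_pbe_report`; a result with `needs_legacy` true is a file that will fail to load until the legacy provider is activated as in the openssl.cnf above.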

lsh123 commented 3 years ago

Thank you for detailed explanation!