mirleft / ocaml-nocrypto

OCaml cryptographic library
ISC License

jackline giving "async error: Invalid_argument("RSA: key too small")" on server connect #41

Closed deetch closed 9 years ago

deetch commented 9 years ago

Using jackline and ocaml-nocrypto on an amd64 FreeBSD 10.1-RELEASE machine (same as #40). Same result using gcc or clang.

hannesm commented 9 years ago

This also occurs when running the interop-openssl-sserver.sh script...

deetch commented 9 years ago

For what it's worth here's my current opam list:

# Installed packages for 4.02.1:
asn1-combinators      0.1.1  Combinators for expressing ASN.1 grammars in OCaml
base-bigarray          base  Bigarray library distributed with the OCaml compiler
base-bytes             base  Bytes library distributed with the OCaml compiler
base-threads           base  Threads library distributed with the OCaml compiler
base-unix              base  Unix library distributed with the OCaml compiler
camlp4             4.02.1+1  Camlp4 is a system for writing extensible parsers for programming languages
camomile              0.8.5  A comprehensive Unicode library
conf-gmp                  1  Virtual package relying on a GMP lib system installation.
cppo                  1.1.2  Equivalent of the C preprocessor for OCaml programs
cstruct               1.5.0  access C structures via a camlp4 extension
ctypes                0.3.3  Combinators for binding to C libraries without writing any C.
erm_xml                 0.3  XML stream parser
erm_xmpp                0.3  XMPP protocol implementation
hex                   0.1.0  Hexadecimal converter
jackline              0.1.0  XMPP client
lambda-term             1.7  Terminal manipulation library for OCaml
lwt                   2.4.6  A cooperative threads library for OCaml
nocrypto              0.2.2  Small functional-style crypto library.
ocamlfind             1.5.5  A library manager for OCaml
ocplib-endian           0.8  Optimised functions to read and write int16/32/64 from strings and bigarrays, based on new primitives added in version 4.01.
otr                   0.1.0  OTR in pure OCaml
ounit                 2.0.0  Unit testing framework loosely based on HUnit. It is similar to JUnit, and other XUnit testing frameworks
ppx_tools            0.99.2  Tools for authors of ppx rewriters and other syntactic tools
react                 1.2.0  Declarative events and signals for OCaml
sexplib           112.06.00  Library for serializing OCaml values to and from S-expressions
tls                   0.2.1  TLS in pure OCaml
type_conv         112.01.00  Library for building type-driven syntax extensions
x509                  0.2.1  X509 in OCaml
zarith                  1.3  Implements arithmetic and logical operations over arbitrary-precision integers
zed                     1.3  Abstract engine for text edition in OCaml

hannesm commented 9 years ago

I put a patch which exposes more debug data (pubkey and message) at http://berlin.ccc.de/~hannes/nocrypto_debug.diff -- please check out nocrypto (opam source nocrypto), apply the patch, make and make reinstall (or ocamlfind remove nocrypto; make install), followed by opam reinstall jackline, and provide us with the debug data...

deetch commented 9 years ago

async error: Invalid_argument("RSA: key too small, key: ((e 65537)(n 25335342683320577183919474911737681073455869993197408577127477905505889136823498236025717802637624653491131083021236805462247375546778046063291733757218934529769671215216363220849281563674377841630666227142881804251341443655883191422522569747403550514680818294730484604839780271455336532428521805827635516413448640590225935633619305049295581322000180498816829866941965481131181927556707844558144247128614812853300683950277291753414822846914147542500959664253290191152649444316024885786390996214212875732275756345805193860969635676323310336826068310978401847579098309311616016927646225540965197305939740272995918768489)) msg: 25893050418953362407264189151614645495518140151388132676913105691316059592696070755100223485697263423921017922220375347235283252620039362749291847372078239777287004804495260608918676367787867099389927959629888400213150325007118090731798979783703483989712433362858543006462160560098256225939659784135891790895681584606007719440777881960729289714752103767898145205912616700429232454997250374656035759038606606647646409532958585038136146377601609125636023039278419881889429921556981226551734462089046987116217681481432134710639815839461093673298504073040548715371534848984007410770835991790022463761029331117037689076113423046865409819408516272052477035746753208986431883247214188245497971241034836640448309219441308995770857710549730992104220601856952345818846518290352669957006987962402811848115645516598936717152238410850916793075830519834830997714815948749470083769055081151822385594527034804156438439316671478957080251548126236321702138274595742020185159904776178720450339718877451698167303269109664607239359719697426453991628444472133782864550529946662711141477850288418691521079357450725888408177516470526713521832422234088941942217917857996592985320372218346092342688418589178158514 4760893121862324268400831650439934809536841621")

sg2342 commented 9 years ago

https://gist.github.com/sg2342/3aa7eee90c45e09455e5

is the complete log of a successful jackline installation in an (empty -- except pkg) FreeBSD 10.1 amd64 VM

@deetch you have to find out what breaks your setup.

hannesm commented 9 years ago

OK, what happened here? The trust_anchor was set to the server certificate of jabber.ccc.de (2048-bit RSA key)... during X.509 validation the signature on the certificate is verified to have been made by the trust_anchor file... well, the signature was instead made by the cacert certificate (4096-bit RSA), and the exception was thrown from nocrypto/Rsa via X.509 (instead of tls handshake_client, which I assumed all the time)... what we learned: we need better error handling in X.509 (and tls as well ;)

hannesm commented 9 years ago

So we fixed this at various points, and it should not occur anymore (PKCS1.verify does handle the exception; jackline checks for valid CAs at configuration time). And: it now works for @deetch :dancers:
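The root cause described in the two comments above is a PKCS#1 v1.5 verification step being handed a signature that was produced under a different, larger key than the one it was told to verify with. RFC 8017's RSAVP1 requires the signature representative s to satisfy 0 <= s < n; a 4096-bit signature checked against a 2048-bit modulus violates that before any padding is looked at, and a verifier that treats the condition as an internal error rather than a failed verification turns a wrong trust anchor into an uncaught exception. The following is an added example, not code from nocrypto, tls, x509 or jackline, that reproduces the failure mode with toy key sizes (a constructed 1024-bit "CA" key and 512-bit "server" key stand in for the 4096-bit and 2048-bit keys in the thread) and contrasts a verifier that raises with one that returns False. The key generation, the `verify_naive` helper and the reused error string "RSA: key too small" are illustrations of the behaviour, not the library's actual code. It needs only the Python 3.8+ standard library.

```python
# Added example (not code from nocrypto, tls, x509 or jackline): reproduces the
# "key too small" failure mode in a PKCS#1 v1.5 verifier and shows the fix-side
# behaviour of reporting a failed verification instead of raising.
import hashlib
import hmac
import random

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin with rng-chosen bases; good enough for a toy key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c, rng):
            return c


def gen_key(bits, rng, e=65537):
    """Toy RSA key of exactly `bits` bits as {'n', 'e', 'd'}. Demo only."""
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        n, phi = p * q, (p - 1) * (q - 1)
        # e is prime, so gcd(e, phi) == 1 iff e does not divide phi.
        if p != q and n.bit_length() == bits and phi % e:
            return {"n": n, "e": e, "d": pow(e, -1, phi)}


def emsa_pkcs1_v1_5(msg, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) into k bytes (RFC 8017, 9.2)."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    if k < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(key, msg):
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v1_5(msg, k), "big")
    return pow(m, key["d"], key["n"]).to_bytes(k, "big")


def verify_naive(pub, msg, sig):
    """Illustrates the failure mode in the thread (hypothetical, not nocrypto's
    code): the signature is assumed to belong to this key, so a representative
    that does not fit the modulus surfaces as an exception, not as False."""
    k = (pub["n"].bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if s >= pub["n"]:
        raise ValueError("RSA: key too small")
    return pow(s, pub["e"], pub["n"]).to_bytes(k, "big") == emsa_pkcs1_v1_5(msg, k)


def verify(pub, msg, sig):
    """RSASSA-PKCS1-V1_5-VERIFY as a total function: True or False, never raises.
    A signature made under a different (larger) key fails the length and range
    checks before any arithmetic is done."""
    k = (pub["n"].bit_length() + 7) // 8
    if len(sig) != k:
        return False
    s = int.from_bytes(sig, "big")
    if s >= pub["n"]:  # RSAVP1: signature representative out of range
        return False
    try:
        expected = emsa_pkcs1_v1_5(msg, k)
    except ValueError:
        return False
    em = pow(s, pub["e"], pub["n"]).to_bytes(k, "big")
    # Compare the whole encoded message instead of parsing the padding; this
    # sidesteps the lenient-parser class of PKCS#1 v1.5 verification bugs.
    return hmac.compare_digest(em, expected)


def reproduce(seed=1):
    """Model the thread: a server cert (small key) signed by a CA (larger key),
    with a trust anchor that is wrongly the server certificate itself."""
    rng = random.Random(seed)
    ca = gen_key(1024, rng)      # stands in for the 4096-bit CAcert key
    server = gen_key(512, rng)   # stands in for the 2048-bit jabber.ccc.de key
    tbs = b"constructed tbsCertificate bytes for the server certificate"
    sig = sign(ca, tbs)          # the CA signs the server certificate
    out = {}
    try:                         # anchor = server cert: what the bug report hit
        verify_naive(server, tbs, sig)
        out["naive_error"] = None
    except ValueError as exc:
        out["naive_error"] = str(exc)
    out["anchor_is_server_cert"] = verify(server, tbs, sig)
    out["anchor_is_ca"] = verify(ca, tbs, sig)
    out["tampered"] = verify(ca, tbs + b"x", sig)
    # Same byte length as a genuine server signature, but numerically >= n.
    k = (server["n"].bit_length() + 7) // 8
    out["out_of_range"] = verify(server, tbs, (server["n"] + 1).to_bytes(k, "big"))
    return out


if __name__ == "__main__":
    for name, value in reproduce().items():
        print(f"{name}: {value!r}")
```

`reproduce()` returns the naive verifier's exception text for the mis-set anchor, False from the total verifier for the same input (the length check rejects it, and the range check rejects a same-length forgery with s >= n), True only when the issuing CA key is the anchor, and False for a tampered message. The design point matches the fix the thread describes: a verify routine is a predicate over untrusted input, so a wrong key, a wrong length or an out-of-range representative are all just "signature invalid", and the decision about which certificate is an acceptable trust anchor belongs in configuration checking, not in an exception handler around the RSA arithmetic.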