parallaxsecond / parsec-openssl-provider

Parsec OpenSSL Provider
Apache License 2.0

Error: SSL_CTX_use_certificate, reason: "ee key too small" #69

Open jainvikas8 opened 1 week ago

jainvikas8 commented 1 week ago

We have this setup on an x86 Ubuntu 20 LTS machine:
Container: OpenSSL + parsec openssl provider + parsec tool
Host: Parsec service (1.4.1) with Mbed Crypto provider

Both the ping from parsec-tool and openssl list -providers were working. The certificates and Parsec keys were created within the container:

Dockerfile:

FROM rust:1.78.0-slim-bookworm

ARG PARSEC_TOOL_SRC_REF="561c4163030b6fbebdd489a9cf8d92a88b71d09a"

ENV DEBIAN_FRONTEND=noninteractive

# Build dependencies for the provider and parsec-tool, plus the openssl CLI
RUN apt-get update \
    && apt-get install --no-install-recommends --yes \
    clang \
    git \
    libssl-dev \
    openssl \
    pkg-config

RUN apt-get autoremove

WORKDIR /tmp

COPY openssl.cnf /tmp

# Build the provider shared library from the 0.1.0 tag
RUN git clone --branch 0.1.0 https://github.com/parallaxsecond/parsec-openssl-provider.git && \
    cd parsec-openssl-provider/parsec-openssl-provider-shared && \
    cargo build

# Build parsec-tool at the pinned commit and install the binary
# (the original ended this RUN with a dangling "&& \", which breaks the shell command)
RUN git clone --branch main https://github.com/parallaxsecond/parsec-tool.git && \
    cd parsec-tool && \
    git checkout ${PARSEC_TOOL_SRC_REF} && \
    cargo install patch-crate --locked && \
    cargo patch-crate && \
    cargo build && \
    cp /tmp/parsec-tool/target/debug/parsec-tool /usr/bin/parsec-tool

ENV PARSEC_SERVICE_ENDPOINT="unix:/tmp/parsec.sock"

ENV OPENSSL_CONF="/tmp/openssl.cnf"

It fails inconsistently on 2 tests:

called `Result::unwrap()` on an `Err` value: ErrorStack([Error { code: 50331762, library: "digital envelope routines", function: "X509_PUBKEY_get0", reason: "decode error", file: "../crypto/x509/x_pubkey.c", line: 458 }, Error { code: 167772559, library: "SSL routines", function: "SSL_CTX_use_certificate", reason: "ee key too small", file: "../ssl/ssl_rsa.c", line: 221 }])

test test_client_with_mismatched_rsa_key_and_certificate ... FAILED
test test_handshake_client_authentication_rsa ... FAILED

when we run the parsec openssl provider e2e tests (cargo test --test "handshake").

Please find the attached log file: parsec-openssl-provider.log
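A diagnostic check for the error stack above, added here as an example (it is not part of this issue or of the parsec-openssl-provider project). OpenSSL's SSL_CTX_use_certificate rejects an end-entity certificate whose public key has fewer security bits than the configured SECLEVEL demands; a public key that fails to decode (the "decode error" from X509_PUBKEY_get0 in the stack) yields zero security bits and is rejected with the same "ee key too small" reason. The script reproduces that decision for a PEM certificate using only the openssl CLI. The RSA bits-to-security-bits mapping is a simplified version of OpenSSL's estimate (exact at the standard sizes, an assumption in between), and the default SECLEVEL of 2 matches Debian bookworm's OpenSSL 3 default.

```shell
#!/bin/sh
# Added diagnostic, not from the issue or the parsec-openssl-provider project:
# mirror OpenSSL's "ee key too small" check for a PEM certificate file.

# Minimum security bits OpenSSL demands at each SECLEVEL (0 disables the check).
seclevel_min_bits() {
    case "$1" in
        0) echo 0 ;;
        1) echo 80 ;;
        2) echo 112 ;;
        3) echo 128 ;;
        4) echo 192 ;;
        5) echo 256 ;;
        *) echo "unknown SECLEVEL $1" >&2; return 1 ;;
    esac
}

# Security bits for an RSA modulus of the given size. Exact at the standard
# sizes OpenSSL documents; the step thresholds in between are an assumption.
rsa_security_bits() {
    bits=$1
    if [ "$bits" -ge 15360 ]; then echo 256
    elif [ "$bits" -ge 7680 ]; then echo 192
    elif [ "$bits" -ge 3072 ]; then echo 128
    elif [ "$bits" -ge 2048 ]; then echo 112
    elif [ "$bits" -ge 1024 ]; then echo 80
    else echo 0
    fi
}

# Print the security bits of the public key carried by a PEM certificate.
# Prints 0 when the certificate or its public key does not decode, which is
# the path that turns a decode error into "ee key too small".
cert_security_bits() {
    cert=$1
    pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || { echo 0; return 0; }
    info=$(printf '%s\n' "$pub" | openssl pkey -pubin -text -noout 2>/dev/null) || { echo 0; return 0; }
    keybits=$(printf '%s\n' "$info" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$keybits" ] || { echo 0; return 0; }
    case "$info" in
        *Modulus:*) rsa_security_bits "$keybits" ;;     # RSA key
        *)          echo $((keybits / 2)) ;;            # EC key: half the curve size
    esac
}

# Succeed if the certificate's key is acceptable at SECLEVEL $2 (default 2).
check_ee_key() {
    cert=$1
    level=${2:-2}
    have=$(cert_security_bits "$cert")
    need=$(seclevel_min_bits "$level") || return 1
    if [ "$have" -ge "$need" ]; then
        echo "$cert: $have security bits, accepted at SECLEVEL=$level"
        return 0
    fi
    echo "$cert: $have security bits, below the $need required at SECLEVEL=$level (ee key too small)"
    return 1
}
```

Run it as check_ee_key /path/to/cert.pem 2 against the certificate the test hands to SSL_CTX_use_certificate. A result of 0 security bits for a certificate whose key is known to be large enough points at the public key not decoding through the provider rather than at the key size itself, which is the case the error stack above suggests.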

jainvikas8 commented 1 week ago

Further, if we use rust:1.80-slim-bookworm, then cargo install patch-crate is required in the Docker container.

Further, another test fails:

test_handshake_client_authentication_ecdsa

jainvikas8 commented 3 days ago

Further, using the same container on an ARM64 machine:
Container: OpenSSL + parsec openssl provider + parsec tool
Host: Parsec service (1.4.1) with Trusted Services provider

We see the failure of:

---- test_handshake_client_authentication_ecdsa stdout ----
thread '<unnamed>' panicked at parsec-openssl-provider-shared/e2e_tests/src/lib.rs:107:47:
called `Result::unwrap()` on an `Err` value: Failure(MidHandshakeSslStream { stream: SslStream { stream: TcpStream { addr: 127.0.0.1:35073, peer: 127.0.0.1:40098, fd: 5 }, ssl: Ssl { state: "error", verify_result: X509VerifyResult { code: 0, error: "ok" } )
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
thread 'test_handshake_client_authentication_ecdsa' panicked at parsec-openssl-provider-shared/e2e_tests/src/lib.rs:173:45:
called `Result::unwrap()` on an `Err` value: Failure(MidHandshakeSslStream { stream: SslStream { stream: TcpStream { addr: 127.0.0.1:40098, peer: 127.0.0.1:35073, fd: 4 }, ssl: Ssl { state: "error", verify_result: X509VerifyResult { code: 0, error: "ok" } )

---- test_handshake_client_authentication_rsa stdout ----
thread '<unnamed>' panicked at parsec-openssl-provider-shared/e2e_tests/src/lib.rs:107:47:
called `Result::unwrap()` on an `Err` value: Failure(MidHandshakeSslStream { stream: SslStream { stream: TcpStream { addr: 127.0.0.1:39935, peer: 127.0.0.1:42170, fd: 5 }, ssl: Ssl { state: "error", verify_result: X509VerifyResult { code: 0, error: "ok" } )
thread 'test_handshake_client_authentication_rsa' panicked at parsec-openssl-provider-shared/e2e_tests/src/lib.rs:173:45:
called `Result::unwrap()` on an `Err` value: Failure(MidHandshakeSslStream { stream: SslStream { stream: TcpStream { addr: 127.0.0.1:42170, peer: 127.0.0.1:39935, fd: 4 }, ssl: Ssl { state: "error", verify_result: X509VerifyResult { code: 0, error: "ok" } )

failures:
  test_handshake_client_authentication_ecdsa
  test_handshake_client_authentication_rsa
test result: FAILED. 9 passed; 2 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.47s