secdev / scapy

Scapy: the Python-based interactive packet manipulation program & library.
https://scapy.net
GNU General Public License v2.0

The "PrivKey class : resign cert" test seems to be failing on Fedora Rawhide #4470

Closed evverx closed 1 month ago

evverx commented 1 month ago

Brief description

The test fails with

######
## PrivKey/Pubkey test signatures
######

###(023)=[failed] PrivKey class : resign cert

>>> correct_sha1_sig = c_tosign.signatureValue
>>> c_tosign.x509Cert.signatureValue.val = 512*'0'
>>> 
>>> c_resigned = pkey_sign.resignCert(c_tosign)
>>> assert pkey_sign.verifyCert(c_resigned)
>>> assert raw(c_resigned.signatureValue) == correct_sha1_sig
Traceback (most recent call last):
  File "<input>", line 2, in <module>
AssertionError

https://download.copr.fedorainfracloud.org/results/packit/evverx-scapy-2/fedora-rawhide-i386/07751439-scapy/builder-live.log.gz

(As far as I can see, it started failing a couple of days ago, so given that Fedora Rawhide is kind of unstable, it can be a glitch that can fix itself in a week or so.)

Scapy version

f199f916c89a0fbe0fbb836e3f580d1e6a70c955

Python version

Python 3.13.0~b3-2.fc41

Operating system

Fedora Rawhide

Additional environment information

No response

How to reproduce

It should be enough to trigger Packit with the master branch.

Actual result

No response

Expected result

No response

Related resources

No response

evverx commented 1 month ago

I've just triggered Packit and it seems that the test started failing on all the architectures on Fedora Rawhide: https://copr.fedorainfracloud.org/coprs/packit/evverx-scapy-2/build/7766512/.

I reproduced it locally.

>>> correct_sha1_sig
b'\x9b\r%O!\x15\x1f\xc6\x1f\xca\xd6\xd5K\xd0\x16\xad2u\xc1hC\x19\xff\xbd\x8cq\xc4\x8d\x7f\xce"\xaeb\x8bB\xac\xdf\xc5\xb2\xc9\xb8C\xed\xc3\x105\xf9\x19\n\x02#\xae\xebk,s\x7f\x9b\xfc\'\xf5\xa0\xf1\xcb\xdb\xee\xb9\xb5\xaf\xad\xc6\xea\x86\xea\xfc\xd9\x86[Vyo\x12*\x84\x13&?P\xba\x82im\x97\xed@\xb6+\xfd\x8d\x03-x\xa0^\x9b\nR\xd7\xf0\xb0j\xdco\xe5s\xa1\x949:\r\xea.\x0e\xb8\xa7\x81\xf7\x1co%\xa0q\xb1R\x1d\x9dE\xbd"\xa7\xac\x1d\xabjW\x8c\x88\x84}\x7f~XjX\xce;.1\xcfk\xfb\x88\x19\xba2\x86_)\xe5\xbbwiV\xd7\x17\t\xbf5\xea\xac9S\xc3q\x0b\x01ua\xa5t#z\x96\x82\xc4\xed\xbe\x1e$8c\x1d\xbb.G`\xb7j\x89\x96s!\x96\xd6dq4\x95\x08\xd0d9\x10pyV\xfc\xb8\x99\xccJ\x1bP\xccc\x11\xbf\xacg\xff\x10y>\xc4\xf2W\xa4\x84\xc8\xba\x06\xe2\xb2\x96\xe6\xb8'

>>> raw(c_resigned.signatureValue)
b'\xd1PD\xf0z\xb9<\xec\x80\x9d\xff\xde\xb9\x13\xdc\xea\x1d\xf1\xec\x82\x9c\xa9\x00{\xaa\xaaI<%h\x82n\xc6\x84\n\x98\xa6b\x99\xd9t\xcc\x86\x92\xf43\xbd\xde\x15I\x1a\xcb\xcc\x14\x8e\xa7\xe7Y\x85\x17*_\xc9\x83\x9a\x9c\x1c\x8b\xfd\x02j[BW3`Q\xc2\x1e\xa4\xc8nu4\x1f\x90\xda\x04\xe7\xd5\x9e\x9f\x03\x12\x92\xc7\xddN \xf4+r\xf9\x00\x05\xac}\x833\xae\xb5\xadh\x9a{\x1dlz\x8eF1kzk%\xe4\xa0s\x0b\x81X\xd8\x04\x05\xb8!\xca\x01\xe4\x92\xf9\xa7\xdb/\xdd\x10\x9c\x94\x0c\xe4\xb2\xa4\x927#\xd4\x8b\xfbT\xbbGPg\xf5SA\\.W=^F<t8\x1aDVH\xf2J(\x9f\xd0\xab\xaa\xef\xcb\x166\x9fNl\x93\xb7\x1bE\xd2@\xd5\x08\xea\xc3\xbaa]qx\xcd\x87-\x13\x0b\xc2\xc4\x80\xf0`\xd1\x92\xa52Ua\xeeg\xd0\xab\xf3\xb1r\x96\xf7\xea\x96`+\xba\x02\x1b\xbc\xb0\xd9\xcaC\xaahP\xa3\xf1Q\x04i=\xf2\x91'

>>> c_resigned.show2()
###[ X509_Cert ]###
  \tbsCertificate\
   |###[ X509_TBSCertificate ]###
   |  version   = 'v3' 0x2 <ASN1_INTEGER[2]>
   |  serialNumber= 0xb9100596bbac2445 <ASN1_INTEGER[13335164641595892805]>
   |  \signature \
   |   |###[ X509_AlgorithmIdentifier ]###
   |   |  algorithm = <ASN1_OID['sha1-with-rsa-signature']>
   |   |  parameters= <ASN1_NULL[0]>
   |  \issuer    \
   |   |###[ X509_RDN ]###
   |   |  \rdn       \
   |   |   |###[ X509_AttributeTypeAndValue ]###
   |   |   |  type      = <ASN1_OID['commonName']>
   |   |   |  value     = <ASN1_UTF8_STRING[b'secdev.org']>
   |  \validity  \
   |   |###[ X509_Validity ]###
   |   |  not_before= 2018-02-27 16:56:22 UTC <ASN1_UTC_TIME['180227165622Z']>
   |   |  not_after = 2028-02-25 16:56:22 UTC <ASN1_UTC_TIME['280225165622Z']>
   |  \subject   \
   |   |###[ X509_RDN ]###
   |   |  \rdn       \
   |   |   |###[ X509_AttributeTypeAndValue ]###
   |   |   |  type      = <ASN1_OID['commonName']>
   |   |   |  value     = <ASN1_UTF8_STRING[b'secdev.org']>
   |  \subjectPublicKeyInfo\
   |   |###[ X509_SubjectPublicKeyInfo ]###
   |   |  \signatureAlgorithm\
   |   |   |###[ X509_AlgorithmIdentifier ]###
   |   |   |  algorithm = <ASN1_OID['rsaEncryption']>
   |   |   |  parameters= <ASN1_NULL[0]>
   |   |  \subjectPublicKey\
   |   |   |###[ RSAPublicKey ]###
   |   |   |  modulus   = 0xd4bf0a69c7...f748545eb1 <ASN1_INTEGER[2685672632...3604718257]>
   |   |   |  publicExponent= 0x10001 <ASN1_INTEGER[65537]>
   |  issuerUniqueID= None
   |  subjectUniqueID= None
   |  \extensions\
   |   |###[ X509_Extension ]###
   |   |  extnID    = <ASN1_OID['subjectKeyIdentifier']>
   |   |  critical  = None
   |   |  \extnValue \
   |   |   |###[ X509_ExtSubjectKeyIdentifier ]###
   |   |   |  keyIdentifier= <ASN1_STRING[b'\x7f\xdf$\x18\xeaL\tPEt|Eo\xc0\xda/\xabO{\xef']>
   |   |###[ X509_Extension ]###
   |   |  extnID    = <ASN1_OID['authorityKeyIdentifier']>
   |   |  critical  = None
   |   |  \extnValue \
   |   |   |###[ X509_ExtAuthorityKeyIdentifier ]###
   |   |   |  keyIdentifier= <ASN1_STRING[b'\x7f\xdf$\x18\xeaL\tPEt|Eo\xc0\xda/\xabO{\xef']>
   |   |   |  authorityCertIssuer= None 
   |   |   |  authorityCertSerialNumber= None
   |   |###[ X509_Extension ]###
   |   |  extnID    = <ASN1_OID['basicConstraints']>
   |   |  critical  = None
   |   |  \extnValue \
   |   |   |###[ X509_ExtBasicConstraints ]###
   |   |   |  cA        = True <ASN1_BOOLEAN[-1]>
   |   |   |  pathLenConstraint= None
  \signatureAlgorithm\
   |###[ X509_AlgorithmIdentifier ]###
   |  algorithm = <ASN1_OID['sha1-with-rsa-signature']>
   |  parameters= <ASN1_NULL[0]>
  signatureValue= <_Raw_ASN1_BIT_STRING[1101000101...1010010001]=b'\xd1PD\xf0z\xb9<\xec\x80\x9d...hP\xa3\xf1Q\x04i=\xf2\x91' (0 unused bit)>

gpotter2 commented 1 month ago

Thanks for the report. Do you think that this could be related to #4463 ? Do we have a simple way of testing that?

evverx commented 1 month ago

I don't think it's related. I rolled back scapy to https://github.com/secdev/scapy/releases/tag/v2.6.0rc1 to exclude the recent PRs and the test failed. I should have mentioned that, sorry! My guess would be that it has something to do with either the python prerelease or cryptography (or both).

evverx commented 1 month ago

I tracked it down. openssl was updated on Fedora Rawhide along with changes like https://src.fedoraproject.org/rpms/openssl/c/e9284f5bee9b3a6ebf87a4a40de5ec48747836b4?branch=rawhide. The packit script didn't set up OPENSSL_CONF using .config/ci/openssl.py properly and it fell apart. The test passes with the following patch applied:

diff --git a/.packit.yml b/.packit.yml
index 7636390f..9d4839cc 100644
--- a/.packit.yml
+++ b/.packit.yml
@@ -17,7 +17,7 @@ actions:
     - "git clone https://src.fedoraproject.org/rpms/scapy .packit_rpm --depth=1"
     # Drop the "sources" file so rebase-helper doesn't think we're a dist-git
     - "rm -fv .packit_rpm/sources"
-    - "sed -i '/^# check$/a%check\\n./test/run_tests -c test/configs/linux.utsc -K scanner' .packit_rpm/scapy.spec"
+    - "sed -i '/^# check$/a%check\\nOPENSSL_CONF=$(python3 ./.config/ci/openssl.py) ./test/run_tests -c test/configs/linux.utsc -K scanner' .packit_rpm/scapy.spec"
     - "sed -i '/^BuildArch/aBuildRequires: can-utils' .packit_rpm/scapy.spec"
     - "sed -i '/^BuildArch/aBuildRequires: libpcap' .packit_rpm/scapy.spec"
     - "sed -i '/^BuildArch/aBuildRequires: openssl' .packit_rpm/scapy.spec"
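Review bot: on the `+` line, `OPENSSL_CONF=$(python3 ./.config/ci/openssl.py)` discards the exit status of the helper: if the script is missing from the build tree or fails, the substitution yields an empty OPENSSL_CONF and `./test/run_tests` silently runs under the distro default policy, which is exactly the condition this fix is meant to avoid. Consider emitting the assignment as its own line in %check (for example `export OPENSSL_CONF=$(python3 ./.config/ci/openssl.py)` followed by `test -s "$OPENSSL_CONF"`) ahead of the `./test/run_tests` command, so a failing helper fails the build instead of reproducing the SHA-1 mismatch. The quoting itself looks right: the single quotes around the sed script and the `\\n` escaping match the existing `-` line, so the `$(...)` reaches the spec unexpanded and is only evaluated when %check runs.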

I'll send it tomorrow.
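A diagnostic added here (not from the issue or the scapy repository) that a packager can run in the build environment to tell whether the system OpenSSL policy, or the config selected by OPENSSL_CONF, is what makes the SHA-1 RSA resign fail; the function names, the throwaway key and the placeholder to-be-signed bytes are constructed for this example, and the config path argument is assumed to be the file printed by .config/ci/openssl.py.

```shell
#!/bin/sh
# Added diagnostic, not part of the scapy issue or repository.
# Checks whether the OpenSSL in PATH will still produce an RSA/SHA-1
# (sha1-with-rsa-signature) signature, optionally under the config file
# given as $1 (e.g. the one printed by .config/ci/openssl.py), so a
# packager can tell a policy-blocked signature from a real scapy bug.
# Prints exactly one word: allowed | blocked | no-openssl

sha1_rsa_sign_status() {
    cfg="${1:-}"
    command -v openssl >/dev/null 2>&1 || { echo no-openssl; return 0; }
    workdir=$(mktemp -d) || { echo no-openssl; return 0; }
    # Throwaway 2048-bit RSA key, generated here and deleted below.
    if ! _ossl "$cfg" genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$workdir/key.pem" >/dev/null 2>&1; then
        rm -rf "$workdir"; echo no-openssl; return 0   # no usable openssl
    fi
    # Constructed stand-in for the to-be-signed certificate bytes.
    printf 'constructed-tbs-bytes' > "$workdir/tbs"
    if _ossl "$cfg" dgst -sha1 -sign "$workdir/key.pem" -out "$workdir/sig" \
            "$workdir/tbs" >/dev/null 2>&1 && [ -s "$workdir/sig" ]; then
        result=allowed   # policy lets SHA-1/RSA signing through
    else
        result=blocked   # the distro policy (or $cfg) refuses SHA-1 signatures
    fi
    rm -rf "$workdir"
    echo "$result"
}

# Runs openssl with OPENSSL_CONF set only when a config path was supplied,
# so the default policy is exercised otherwise.
_ossl() {
    ossl_cfg="$1"; shift
    if [ -n "$ossl_cfg" ]; then
        OPENSSL_CONF="$ossl_cfg" openssl "$@"
    else
        openssl "$@"
    fi
}

# Compare the default policy with a candidate config in one go, e.g.
#   compare_policies "$(python3 ./.config/ci/openssl.py)"
compare_policies() {
    printf 'default: %s\nwith %s: %s\n' \
        "$(sha1_rsa_sign_status)" "${1:-<none>}" "$(sha1_rsa_sign_status "${1:-}")"
}
```

If the default run prints `blocked` and the run with the CI config prints `allowed`, the failure is the policy change, not the certificate code.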