search

sigp / lighthouse

Ethereum consensus client in Rust
https://lighthouse.sigmaprime.io/
Apache License 2.0
2.97k stars 769 forks source link

Web3Signer integration tests failing on MacOS #6442

Open jimmygchen opened 2 months ago

jimmygchen commented 2 months ago

Description

Our web3signer integration tests consistently fails on MacOS:

---- tests::sepolia_altair_types stdout ----
thread 'tests::sepolia_altair_types' panicked at testing/web3signer_tests/src/lib.rs:258:91:
called `Result::unwrap()` on an `Err` value: InvalidWeb3SignerClientIdentityCertificate(reqwest::Error { kind: Builder, source: Error { code: -25264, message: "MAC verification failed during PKCS12 import (wrong password?)" } })
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

This has been an issue for a while but we never had a chance to fix it.

I digged into this a while ago, and the issue looks like it's related to security-framework (macos Security.Framework bindings used by openssl) - and it seems like this crate is no longer being actively maintained.

Not sure if it's worth fixing it to make it work, or we could just disable these tests on MacOS.

ackintosh commented 3 weeks ago

I have also looked into this, and have raised an issue in security-framework.

https://github.com/kornelski/rust-security-framework/issues/216

ackintosh commented 3 weeks ago

The problem was that the default openssl pkcs12 encoding algorithm is not compatible with the algorithm used by the Apple Security Framework for pkcs.

https://github.com/kornelski/rust-security-framework/issues/216#issuecomment-2466496614

Creating the p12 file with the -legacy option resolves the web3signer test failure on macOS. Our options to achieve this are as follows:

I don't fully understand the web3signer_tests, but it seems that the second option might be preferable since the problem occurs only on macOS?

Update I confirmed that, on Linux, choosing the first option (Overwrite ....) results in the following error:

thread 'tests::sepolia_altair_types' panicked at testing/web3signer_tests/src/lib.rs:257:91:
   called `Result::unwrap()` on an `Err` value: InvalidWeb3SignerClientIdentityCertificate(reqwest::Error { kind: Builder, source: Normal(ErrorStack([Error { code: 50856204, library: "digital envelope routines", function: "inner_evp_generic_fetch", reason: "unsupported", file: "crypto/evp/evp_fetch.c", line: 355, data: "Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()" }])) })

Therefore, we should proceed with creating the lighthouse/key_legacy.p12 file.

ackintosh commented 2 weeks ago

Noticed another problem on macOS. Even if we create lighthouse/key_legacy.p12 specifically for macOS testing, the test fails with the following error message:

upcheck error: reqwest::Error { kind: Request, url: Url { scheme: "https", cannot_be_a_base: false, username: "", password: None, host: Some(Ipv4(127.0.0.1)), port: Some(4251), path: "/upcheck", query: None, fragment: None }, source: hyper::Error(Connect, Error { code: -67843, message: "The certificate was not trusted." }) }

The The certificate was not trusted. error occurs because the certificates for the web3signer test are generated with the -days 36500 option, which violates the security requirements on macOS. Apple requires TLS server certificates to have a validity period of 825 days or fewer.

https://support.apple.com/en-us/103769

TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).