Jira (PUP-10689) Assess SSL provider spec after upgrade to openssl 1.1.1h

11 views
Skip to first unread message

Gabriel Nagy (Jira)

unread,
Oct 7, 2020, 9:23:03 AM10/7/20
to puppe...@googlegroups.com
Gabriel Nagy created an issue
 
Puppet / Bug PUP-10689
Assess SSL provider spec after upgrade to openssl 1.1.1h
Issue Type: Bug Bug
Assignee: Unassigned
Created: 2020/10/07 6:22 AM
Priority: Normal Normal
Reporter: Gabriel Nagy

After upgrading to openssl 1.1.1h, the following rspec failure can be seen:

 

$ bundle exec rspec ./spec/unit/ssl/ssl_provider_spec.rb
 
Run options: exclude {:broken=>true, :benchmark=>true}
 
.......................................F................................
 
 
 
Failures:
 
 
 
  1) Puppet::SSL::SSLProvider when creating an ssl context with client certs raises if root cert signature is invalid
 
     Failure/Error:
 
       expect {
 
         subject.create_context(**config.merge(cacerts: global_cacerts))
 
       }.to raise_error(Puppet::SSL::CertVerifyError,
 
                        "Invalid signature for certificate 'CN=Test CA'")
 
     
       expected Puppet::SSL::CertVerifyError with "Invalid signature for certificate 'CN=Test CA'" but nothing was raised
 
     # ./spec/unit/ssl/ssl_provider_spec.rb:278:in `block (3 levels) in <top (required)>'
 
     # ./spec/spec_helper.rb:180:in `block (2 levels) in <top (required)>'
 
     # /home/gabi/.rvm/gems/ruby-2.6.3/gems/webmock-3.9.1/lib/webmock/rspec.rb:37:in `block (2 levels) in <top (required)>'
 
 
 
Finished in 0.51384 seconds (files took 1.09 seconds to load)
 
72 examples, 1 failure
 
 
 
Failed examples:
 
 
 
rspec ./spec/unit/ssl/ssl_provider_spec.rb:274 # Puppet::SSL::SSLProvider when creating an ssl context with client certs raises if root cert signature is invalid

We traced this to https://github.com/openssl/openssl/commit/42bb51e59308b3ebc5cc1c35ff4822fba6b52d79, notably the changing of X509_V_FLAG_CHECK_SS_SIGNATURE to no longer check signature of the root CA. Downgrading openssl to 1.1.1g causes the test to pass again.

This currently impacts GitHub Actions Windows runners, as ruby 2.7.2 there comes with openssl 1.1.1h.
Add Comment Add Comment
 
This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)
Atlassian logo

Josh Cooper (Jira)

unread,
Oct 7, 2020, 6:53:05 PM10/7/20
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-10689
 
Re: Assess SSL provider spec after upgrade to openssl 1.1.1h

Strangely if I remove the X509_V_FLAG_CHECK_SS_SIGNATURE from the default set of flags passed to the store, then the test still fails (the signature of the self-signed cert isn't checked). Also the commit summary says:

Upon this request we do the signature verification, but not in case it is a (non-conforming) self-issued
CA certificate with a key usage extension that does not include keyCertSign.

And yet the ca.pem and intermediate.pem cert fixtures both have the keyCertSign key usage extension:

# openssl x509 -in spec/fixtures/ssl/ca.pem -noout -text
 
Certificate:
 
    Data:
 
        Version: 3 (0x2)
 
        Serial Number: 0 (0x0)
 
        Signature Algorithm: sha256WithRSAEncryption
 
        Issuer: CN = Test CA
 
        Validity
 
            Not Before: Jan  1 00:00:00 1970 GMT
 
            Not After : Apr 19 22:31:22 2029 GMT
 
        Subject: CN = Test CA
 
        Subject Public Key Info:
 
            Public Key Algorithm: rsaEncryption
 
                RSA Public-Key: (1024 bit)
 
                Modulus:
 
                    00:d0:b3:d8:3f:2b:c0:45:8c:f0:3d:96:58:2c:5e:
 
                    0e:6a:46:81:ab:10:2f:22:9c:7c:69:f0:61:b7:2d:
 
                    f2:2f:46:97:d5:d9:1b:08:c8:c9:e8:18:a5:d8:89:
 
                    27:a7:80:cb:0a:8e:ee:26:32:89:70:37:2b:bf:6f:
 
                    7e:ee:12:7d:49:c7:0c:19:46:7c:65:99:dc:1f:1a:
 
                    31:af:ab:87:01:b3:68:8a:5b:51:a7:78:ca:cc:1d:
 
                    7c:26:b4:27:5f:67:75:99:7e:9f:16:ed:88:b3:8f:
 
                    77:0f:b3:e8:b3:97:bc:70:8b:ec:62:b9:a2:47:4b:
 
                    ef:dc:af:d4:9f:3d:17:cd:03
 
                Exponent: 65537 (0x10001)
 
        X509v3 extensions:
 
            X509v3 Basic Constraints: critical
 
                CA:TRUE
 
            X509v3 Key Usage: critical
 
                Certificate Sign, CRL Sign
 
...

I created a repro case:

require 'openssl'
 
 
 
puts OpenSSL::OPENSSL_LIBRARY_VERSION
 
 
 
# The signature of the root cert is incorrect
 
root = OpenSSL::X509::Certificate.new(<<PEM)
 
-----BEGIN CERTIFICATE-----
 
MIIB8TCCAZugAwIBAgIBADANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0
 
IENBMB4XDTcwMDEwMTAwMDAwMFoXDTI5MDQxOTIyMzEyMlowEjEQMA4GA1UEAwwH
 
VGVzdCBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0LPYPyvARYzwPZZY
 
LF4OakaBqxAvIpx8afBhty3yL0aX1dkbCMjJ6Bil2Iknp4DLCo7uJjKJcDcrv29+
 
7hJ9SccMGUZ8ZZncHxoxr6uHAbNoiltRp3jKzB18JrQnX2d1mX6fFu2Is493D7Po
 
s5e8cIvsYrmiR0vv3K/Unz0XzQMCAwEAAaOBlzCBlDAPBgNVHRMBAf8EBTADAQH/
 
MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQULCUZoWyz92n9dps6IssMVgEB8TEw
 
MQYJYIZIAYb4QgENBCQWIlB1cHBldCBTZXJ2ZXIgSW50ZXJuYWwgQ2VydGlmaWNh
 
dGUwHwYDVR0jBBgwFoAULCUZoWyz92n9dps6IssMVgEB8TEwDQYJKoZIhvcNAQEL
 
BQADQQAQ63JYl8u+53PoBTkmYryYHE9HFS+0SQDhiiswHzUiAH2FONni4ynkM875
 
frRoMIWnsgCg5D02pKCSiqyrkZou
 
-----END CERTIFICATE-----
 
PEM
 
 
 
intermediate = OpenSSL::X509::Certificate.new(<<PEM)
 
-----BEGIN CERTIFICATE-----
 
MIICPzCCAaigAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0
 
IENBMB4XDTcwMDEwMTAwMDAwMFoXDTI5MDQxOTIyMzEyMlowHzEdMBsGA1UEAwwU
 
VGVzdCBDQSBTdWJhdXRob3JpdHkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
 
AMJKbgfGHIsvv5E+JdxULAIPG29bDlppHd1SP4v0yFbG88VWLLiCZ4EJew1vASZK
 
rkJTlbEyugfUZLx5HxYKkgflr13Ws00JWLGKuizA05uVzKEN5U1AGlAtpEX/BWNi
 
hDVzLA+z9mn9m9NeqBLwxKB3JVnngT3uxSIQdaytzKQfAgMBAAGjgZcwgZQwDwYD
 
VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFCN4LwmBsHvG
 
eR8w/vxeNxT/IKAgMDEGCWCGSAGG+EIBDQQkFiJQdXBwZXQgU2VydmVyIEludGVy
 
bmFsIENlcnRpZmljYXRlMB8GA1UdIwQYMBaAFCwlGaFss/dp/XabOiLLDFYBAfEx
 
MA0GCSqGSIb3DQEBCwUAA4GBAIK61Y3y05h5GgIVoj2zU+d5KAU5qr4tfGpPwmZg
 
hmJBuuvV3m46gUoiM1siMTVhntmc+Fn6k+d+nPnnFWA08io6E5aUyN4ktr8NIKpK
 
m+vBnEm+L2lpAVMKBiod5wJrqNjnlTJ+tXnmQA5yAnQkdes9F411hysq3V6Y2Gfj
 
XCqd
 
-----END CERTIFICATE-----
 
PEM
 
 
 
store = OpenSSL::X509::Store.new
 
store.purpose = OpenSSL::X509::PURPOSE_ANY
 
store.flags = OpenSSL::X509::V_FLAG_CHECK_SS_SIGNATURE
 
store.add_cert(root)
 
 
 
store_context = OpenSSL::X509::StoreContext.new(store, intermediate, [])
 
ok = store_context.verify
 
if ok
 
  puts "OK"
 
else
 
  puts "ERR #{store_context.error_string} #{store_context.current_cert.subject.to_utf8} (#{store_context.error})"
 
end

Using 1.1.1d it prints:

$ ruby cert.rb
 
OpenSSL 1.1.1d  10 Sep 2019
 
ERR certificate signature failure CN=Test CA (7)

Using 1.1.1h it prints:

OpenSSL 1.1.1h  22 Sep 2020
 
OK

This doesn't affect the overall security of puppet, because the certs are self-signed and trusted. Also note openssl 1.1.1h does verify the signature of intermediate certs.

The change in openssl behavior seems like a bug though...

Mihai Buzgau (Jira)

unread,
Oct 21, 2020, 3:56:03 AM10/21/20
to puppe...@googlegroups.com
Mihai Buzgau updated an issue
 
Change By: Mihai Buzgau
Story Points: 2

Bogdan Irimie (Jira)

unread,
Nov 5, 2020, 3:51:05 AM11/5/20
to puppe...@googlegroups.com
Bogdan Irimie updated an issue
Change By: Bogdan Irimie
Sprint:

Bogdan Irimie (Jira)

unread,
Nov 5, 2020, 3:52:05 AM11/5/20
to puppe...@googlegroups.com
Bogdan Irimie updated an issue
Change By: Bogdan Irimie
Sprint: ready for triage

Gabriel Nagy (Jira)

unread,
Dec 16, 2020, 2:23:19 PM12/16/20
to puppe...@googlegroups.com
Gabriel Nagy commented on Bug PUP-10689
 
Re: Assess SSL provider spec after upgrade to openssl 1.1.1h

Josh Cooper you were right, the change was indeed a bug and appears to have been fixed in 1.1.1i. I created a PR to only skip the test if we're running OpenSSL 1.1.1h: https://github.com/puppetlabs/puppet/pull/8460
Reply all
Reply to author
Forward
0 new messages