
Error: SSL_CTX_use_certificate, reason: "ee key too small" #69

Open

jainvikas8 opened this issue Sep 12, 2024 · 2 comments
Comments

jainvikas8 commented Sep 12, 2024

We have this setup on an x86 Ubuntu 20 LTS machine:
Container: OpenSSL + parsec openssl provider + parsec tool
Host: Parsec service (1.4.1) with Mbed Crypto provider

The ping from parsec-tool and `openssl list -providers` were working.
The certificates and Parsec keys were created within the container:

Dockerfile:

```dockerfile
FROM rust:1.78.0-slim-bookworm

ARG PARSEC_TOOL_SRC_REF="561c4163030b6fbebdd489a9cf8d92a88b71d09a"

ENV DEBIAN_FRONTEND=noninteractive

# OpenSSL CLI plus the headers the provider and parsec-tool build against
RUN apt-get update \
    && apt-get install --no-install-recommends --yes \
    clang \
    git \
    libssl-dev \
    openssl \
    pkg-config

RUN apt-get autoremove --yes

WORKDIR /tmp

COPY openssl.cnf /tmp

# Provider built from the 0.1.0 tag (debug build)
RUN git clone --branch 0.1.0 https://github.com/parallaxsecond/parsec-openssl-provider.git && \
    cd parsec-openssl-provider/parsec-openssl-provider-shared && \
    cargo build

# parsec-tool pinned to PARSEC_TOOL_SRC_REF, with patch-crate applied before the build
RUN git clone --branch main https://github.com/parallaxsecond/parsec-tool.git && \
    cd parsec-tool && \
    git checkout ${PARSEC_TOOL_SRC_REF} && \
    cargo install patch-crate --locked && \
    cargo patch-crate && \
    cargo build && \
    cp /tmp/parsec-tool/target/debug/parsec-tool /usr/bin/parsec-tool

ENV PARSEC_SERVICE_ENDPOINT="unix:/tmp/parsec.sock"

ENV OPENSSL_CONF="/tmp/openssl.cnf"
```

It inconsistently fails on 2 tests:

```text
called `Result::unwrap()` on an `Err` value: ErrorStack([Error { code: 50331762, library: "digital envelope routines", function: "X509_PUBKEY_get0", reason: "decode error", file: "../crypto/x509/x_pubkey.c", line: 458 }, Error { code: 167772559, library: "SSL routines", function: "SSL_CTX_use_certificate", reason: "ee key too small", file: "../ssl/ssl_rsa.c", line: 221 }])

test test_client_with_mismatched_rsa_key_and_certificate ... FAILED
test test_handshake_client_authentication_rsa ... FAILED
```

when we run the parsec openssl provider e2e tests: `cargo test --test "handshake"`

Please find the attached log file:
parsec-openssl-provider.log
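An added diagnostic for the error stack quoted above; this is editor's example code, not code from the issue, from OpenSSL or from the Parsec projects. It applies OpenSSL 3.x's ERR_GET_LIB / ERR_GET_REASON bit packing to the two numeric codes in the ErrorStack (the library and reason tables are the small subset needed for those codes, copied from err.h, evperr.h and sslerr.h), and it models the leaf-key check that SSL_CTX_use_certificate runs against the configured security level. The point it makes: when X509_get0_pubkey() cannot decode the certificate's public key (the first error, EVP "decode error"), OpenSSL has no security bits to compare, treats them as -1, and reports SSL_R_EE_KEY_TOO_SMALL as a consequence, so the second error does not by itself mean the key is short. The step table for RSA security bits is a simplification (OpenSSL 3 interpolates between the steps).

```python
"""Decode OpenSSL 3.x packed error codes and model the leaf-key size check.

Added example; not code from the issue or the Parsec projects. Constants are the
subset of OpenSSL's err.h / evperr.h / sslerr.h needed for the codes quoted above.
"""

# Layout of a packed 3.x error code: [sys flag:1][lib:8][rflags:5][reason:18]
ERR_SYSTEM_FLAG = 1 << 31            # set when the code wraps an errno value
ERR_SYSTEM_MASK = 0x7FFFFFFF
ERR_LIB_OFFSET, ERR_LIB_MASK = 23, 0xFF
ERR_RFLAGS_OFFSET = 18
ERR_REASON_MASK = 0x7FFFFF
ERR_RFLAG_FATAL = 0x1 << ERR_RFLAGS_OFFSET
ERR_LIB_SYS = 2

LIB_NAMES = {                        # ERR_lib_error_string() subset
    2: "system library",
    4: "rsa routines",
    6: "digital envelope routines",  # ERR_LIB_EVP
    11: "x509 certificate routines",
    20: "SSL routines",              # ERR_LIB_SSL
    57: "provider routines",
}
REASON_NAMES = {                     # ERR_reason_error_string() subset
    (6, 114): "decode error",        # EVP_R_DECODE_ERROR
    (20, 399): "ee key too small",   # SSL_R_EE_KEY_TOO_SMALL
}


def err_get_lib(code: int) -> int:
    """ERR_GET_LIB(): errno-backed errors always belong to ERR_LIB_SYS."""
    if code & ERR_SYSTEM_FLAG:
        return ERR_LIB_SYS
    return (code >> ERR_LIB_OFFSET) & ERR_LIB_MASK


def err_get_reason(code: int) -> int:
    """ERR_GET_REASON(): the errno itself for system errors, else the low 23 bits."""
    if code & ERR_SYSTEM_FLAG:
        return code & ERR_SYSTEM_MASK
    return code & ERR_REASON_MASK


def decode_error(code: int) -> dict:
    """Expand one packed code into the fields the Rust openssl crate prints."""
    lib, reason = err_get_lib(code), err_get_reason(code)
    return {
        "code": f"{code:#010x}",
        "lib": lib,
        "library": LIB_NAMES.get(lib, f"lib {lib}"),
        "reason": reason,
        "reason_str": REASON_NAMES.get((lib, reason), f"reason {reason}"),
        "fatal": bool(code & ERR_RFLAG_FATAL),
    }


# ssl_security_default_callback(): minimum security bits per security level.
LEVEL_MIN_SECBITS = {0: 0, 1: 80, 2: 112, 3: 128, 4: 192, 5: 256}
# RSA modulus size -> security bits at the NIST step sizes (simplification:
# OpenSSL 3 interpolates for sizes between these steps).
RSA_SECBITS_STEPS = ((15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80))


def rsa_security_bits(modulus_bits: int) -> int:
    for min_modulus, secbits in RSA_SECBITS_STEPS:
        if modulus_bits >= min_modulus:
            return secbits
    return 0


def check_ee_key(modulus_bits, level: int) -> str:
    """Model of ssl_security_cert_key() for op SSL_SECOP_EE_KEY.

    modulus_bits is None when X509_get0_pubkey() fails (the "decode error"
    above): secbits then stays at -1, which is below every level's minimum,
    so SSL_R_EE_KEY_TOO_SMALL is raised although no key size was measured.
    """
    if level <= 0:                   # level 0 skips the end-entity key check
        return "ok"
    secbits = -1 if modulus_bits is None else rsa_security_bits(modulus_bits)
    if secbits < LEVEL_MIN_SECBITS[level]:
        return "ee key too small"
    return "ok"


if __name__ == "__main__":
    for code in (50331762, 167772559):   # the two codes from the ErrorStack above
        print(decode_error(code))
    # Debian's default is SECLEVEL=2: a decode failure and a 1024-bit key both fail
    print(check_ee_key(None, 2), check_ee_key(1024, 2), check_ee_key(2048, 2))
```

The same decoding is available from the CLI in the container with `openssl errstr 0xA00018F` (and `openssl errstr 0x3000072`), which prints the library and reason strings; the useful follow-up in this setup is to dump the certificate the test loads (`openssl x509 -in <cert> -noout -text`) and confirm whether its SubjectPublicKeyInfo decodes at all before looking at key sizes.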

@jainvikas8 (Author)

Further, if we use rust:1.80-slim-bookworm, then `cargo install patch-crate` is required in the Docker container.

Further, another test fails:

`test_handshake_client_authentication_ecdsa`

@jainvikas8 (Author)

Further, using the same container on an ARM64 machine:
Container: OpenSSL + parsec openssl provider + parsec tool
Host: Parsec service (1.4.1) with Trusted Services provider

We see the failure of:

```text
---- test_handshake_client_authentication_ecdsa stdout ----
thread '<unnamed>' panicked at parsec-openssl-provider-shared/e2e_tests/src/lib.rs:107:47:
called `Result::unwrap()` on an `Err` value: Failure(MidHandshakeSslStream { stream: SslStream { stream: TcpStream { addr: 127.0.0.1:35073, peer: 127.0.0.1:40098, fd: 5 }, ssl: Ssl { state: "error", verify_result: X509VerifyResult { code: 0, error: "ok" } )
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
thread 'test_handshake_client_authentication_ecdsa' panicked at parsec-openssl-provider-shared/e2e_tests/src/lib.rs:173:45:
called `Result::unwrap()` on an `Err` value: Failure(MidHandshakeSslStream { stream: SslStream { stream: TcpStream { addr: 127.0.0.1:40098, peer: 127.0.0.1:35073, fd: 4 }, ssl: Ssl { state: "error", verify_result: X509VerifyResult { code: 0, error: "ok" } )

---- test_handshake_client_authentication_rsa stdout ----
thread '<unnamed>' panicked at parsec-openssl-provider-shared/e2e_tests/src/lib.rs:107:47:
called `Result::unwrap()` on an `Err` value: Failure(MidHandshakeSslStream { stream: SslStream { stream: TcpStream { addr: 127.0.0.1:39935, peer: 127.0.0.1:42170, fd: 5 }, ssl: Ssl { state: "error", verify_result: X509VerifyResult { code: 0, error: "ok" } )
thread 'test_handshake_client_authentication_rsa' panicked at parsec-openssl-provider-shared/e2e_tests/src/lib.rs:173:45:
called `Result::unwrap()` on an `Err` value: Failure(MidHandshakeSslStream { stream: SslStream { stream: TcpStream { addr: 127.0.0.1:42170, peer: 127.0.0.1:39935, fd: 4 }, ssl: Ssl { state: "error", verify_result: X509VerifyResult { code: 0, error: "ok" } )

failures:
  test_handshake_client_authentication_ecdsa
  test_handshake_client_authentication_rsa

test result: FAILED. 9 passed; 2 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.47s
```
