RubyGems compatibility with FIPS #365

Closed
voxik opened this Issue Sep 4, 2012 · 1 comment

Contributor

voxik commented Sep 4, 2012

I can observe several test suite failures when running Ruby's test suite in FIPS mode (related to https://bugs.ruby-lang.org/issues/6946). Could you please consider fixing these issues? Thank you.

./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems "./test/runner.rb" --ruby="./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems"  -v 'test/rubygems/test_gem_commands_cert_command.rb'
Run options: "--ruby=./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems" -v

# Running tests:

TestGemCommandsCertCommand#test_execute_add = 0.03 s = .
TestGemCommandsCertCommand#test_execute_list = 0.02 s = .
TestGemCommandsCertCommand#test_execute_remove = 0.02 s = .
TestGemCommandsCertCommand#test_execute_build = 0.42 s = .
TestGemCommandsCertCommand#test_execute_private_key = 0.09 s = F
TestGemCommandsCertCommand#test_execute_sign = 0.03 s = .
TestGemCommandsCertCommand#test_execute_certificate = 0.02 s = .


Finished tests in 0.632391s, 11.0691 tests/s, 34.7886 assertions/s.

  1) Failure:
test_execute_private_key(TestGemCommandsCertCommand) [/home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_commands_cert_command.rb:96]:
--- expected
+++ actual
@@ -1,28 +1,29 @@
-"-----BEGIN RSA PRIVATE KEY-----
------END RSA PRIVATE KEY-----
+"-----BEGIN PRIVATE KEY-----
+-----END PRIVATE KEY-----
 "


7 tests, 22 assertions, 1 failures, 0 errors, 0 skips

ruby -v: ruby 2.0.0dev (2012-09-03 trunk 36887) [x86_64-linux]
make: *** [yes-test-all] Error 1
./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems "./test/runner.rb" --ruby="./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems"  -v 'test/rubygems/test_gem_validator.rb'
Run options: "--ruby=./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems" -v

# Running tests:

TestGemValidator#test_verify_gem_file_empty = 0.03 s = .
TestGemValidator#test_verify_gem_empty = 0.01 s = .
TestGemValidator#test_verify_gem_no_sum = 0.01 s = .
TestGemValidator#test_verify_gem_file = md5_dgst.c(78): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode!
make: *** [yes-test-all] Aborted (core dumped)
./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems "./test/runner.rb" --ruby="./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems"  -v 'test/rubygems/test_gem_security.rb'
Run options: "--ruby=./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems" -v

# Running tests:

TestGemSecurity#test_class_build_self_signed_cert = 0.02 s = E
TestGemSecurity#test_class_email_to_name = 0.01 s = .
TestGemSecurity#test_class_build_cert = 0.01 s = E
TestGemSecurity#test_class_sign_cert = 0.01 s = E


Finished tests in 0.067462s, 59.2926 tests/s, 59.2926 assertions/s.

  1) Error:
test_class_build_self_signed_cert(TestGemSecurity):
OpenSSL::PKey::RSAError: key too short
    /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/rubygems/security.rb:711:in `initialize'
    /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/rubygems/security.rb:711:in `new'
    /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/rubygems/security.rb:711:in `build_self_signed_cert'
    /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_security.rb:58:in `test_class_build_self_signed_cert'

  2) Error:
test_class_build_cert(TestGemSecurity):
OpenSSL::PKey::RSAError: key too short
    /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_security.rb:19:in `initialize'
    /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_security.rb:19:in `new'
    /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_security.rb:19:in `test_class_build_cert'

  3) Error:
test_class_sign_cert(TestGemSecurity):
OpenSSL::PKey::RSAError: key too short
    /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_security.rb:72:in `initialize'
    /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_security.rb:72:in `new'
    /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_security.rb:72:in `test_class_sign_cert'

4 tests, 4 assertions, 0 failures, 3 errors, 0 skips

ruby -v: ruby 2.0.0dev (2012-09-03 trunk 36887) [x86_64-linux]
make: *** [yes-test-all] Error 3
./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems "./test/runner.rb" --ruby="./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems"  -v 'test/rubygems/test_gem_remote_fetcher.rb'
/home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_remote_fetcher.rb:859:in `initialize': BN lib (OpenSSL::PKey::DHError)
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_remote_fetcher.rb:859:in `new'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_remote_fetcher.rb:859:in `singleton class'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_remote_fetcher.rb:847:in `<class:TestGemRemoteFetcher>'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_remote_fetcher.rb:25:in `<top (required)>'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/test/unit.rb:243:in `require'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/test/unit.rb:243:in `block in non_options'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/test/unit.rb:237:in `each'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/test/unit.rb:237:in `non_options'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/test/unit.rb:52:in `process_args'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/minitest/unit.rb:956:in `_run'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/minitest/unit.rb:949:in `run'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/test/unit.rb:21:in `run'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/test/unit.rb:767:in `run'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/test/unit.rb:820:in `run'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/test/unit.rb:824:in `run'
    from ./test/runner.rb:25:in `<main>'
make: *** [yes-test-all] Error 1
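
An added example (not part of the issue and not RubyGems code) for the `test_execute_private_key` failure in the output above: the expected PEM is labelled `RSA PRIVATE KEY` and the actual one `PRIVATE KEY`, so a string comparison fails on the encoding alone. It assumes the FIPS-mode output is a PKCS#8 wrapping of the same key; all helper names are hypothetical.

```ruby
require "openssl"

# Hypothetical helpers for illustration; none of these exist in RubyGems.

# PEM-armor a DER blob under the given label.
def armor(label, der)
  "-----BEGIN #{label}-----\n#{[der].pack('m')}-----END #{label}-----\n"
end

# Traditional PKCS#1 encoding: the label on the "expected" side of the assertion.
def pkcs1_pem(rsa)
  armor("RSA PRIVATE KEY", rsa.to_der)
end

# PKCS#8 PrivateKeyInfo wrapping the same RSAPrivateKey structure:
# the label on the "actual" side of the assertion.
def pkcs8_pem(rsa)
  alg = OpenSSL::ASN1::Sequence.new([
    OpenSSL::ASN1::ObjectId.new("rsaEncryption"),
    OpenSSL::ASN1::Null.new(nil)
  ])
  info = OpenSSL::ASN1::Sequence.new([
    OpenSSL::ASN1::Integer.new(0),              # PrivateKeyInfo version
    alg,
    OpenSSL::ASN1::OctetString.new(rsa.to_der)  # embedded PKCS#1 key
  ])
  armor("PRIVATE KEY", info.to_der)
end

# Extract the armor label from the first line of a PEM string.
def pem_label(pem)
  pem[/\A-----BEGIN ([A-Z0-9 ]+)-----$/, 1]
end

# Compare key material rather than PEM text, so the check does not
# depend on which container format the OpenSSL build writes.
def same_rsa_key?(pem_a, pem_b)
  a, b = [pem_a, pem_b].map { |pem| OpenSSL::PKey.read(pem) }
  return false unless a.is_a?(OpenSSL::PKey::RSA) && b.is_a?(OpenSSL::PKey::RSA)
  %w[n e d].all? { |field| a.public_send(field) == b.public_send(field) }
end

# Constructed sample key, generated at load time (2048 bits is an assumed size).
KEY = OpenSSL::PKey::RSA.new(2048)
```
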

voxik added a commit to voxik/rubygems that referenced this issue Sep 4, 2012

Drop check --verify option.
This option has not been useful for ages. Moreover, the test suite of the old
paths for the validation uses MD5, which is prohibited in FIPS mode
(#365).

@ghost ghost assigned drbrain Nov 28, 2012

@drbrain drbrain closed this in b3d629f Dec 8, 2012

Owner

drbrain commented Dec 8, 2012

I don't have a 32 bit 1.8.7 to test this on (1.8.7 only has a 32 bit range for Time), but since the certificates are all generated the same way there should be no issue there.
