RubyGems compatibility with FIPS #365

Closed
voxik opened this Issue · 1 comment

2 participants

@voxik

I can observe several test suite failures when running Ruby's test suite in FIPS mode (related to https://bugs.ruby-lang.org/issues/6946). Could you please consider fixing these issues? Thank you.

./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems "./test/runner.rb" --ruby="./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems"  -v 'test/rubygems/test_gem_commands_cert_command.rb'
Run options: "--ruby=./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems" -v

# Running tests:

TestGemCommandsCertCommand#test_execute_add = 0.03 s = .
TestGemCommandsCertCommand#test_execute_list = 0.02 s = .
TestGemCommandsCertCommand#test_execute_remove = 0.02 s = .
TestGemCommandsCertCommand#test_execute_build = 0.42 s = .
TestGemCommandsCertCommand#test_execute_private_key = 0.09 s = F
TestGemCommandsCertCommand#test_execute_sign = 0.03 s = .
TestGemCommandsCertCommand#test_execute_certificate = 0.02 s = .


Finished tests in 0.632391s, 11.0691 tests/s, 34.7886 assertions/s.

  1) Failure:
test_execute_private_key(TestGemCommandsCertCommand) [/home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_commands_cert_command.rb:96]:
--- expected
+++ actual
@@ -1,28 +1,29 @@
-"-----BEGIN RSA PRIVATE KEY-----
------END RSA PRIVATE KEY-----
+"-----BEGIN PRIVATE KEY-----
+-----END PRIVATE KEY-----
 "


7 tests, 22 assertions, 1 failures, 0 errors, 0 skips

ruby -v: ruby 2.0.0dev (2012-09-03 trunk 36887) [x86_64-linux]
make: *** [yes-test-all] Error 1
./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems "./test/runner.rb" --ruby="./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems"  -v 'test/rubygems/test_gem_validator.rb'
Run options: "--ruby=./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems" -v

# Running tests:

TestGemValidator#test_verify_gem_file_empty = 0.03 s = .
TestGemValidator#test_verify_gem_empty = 0.01 s = .
TestGemValidator#test_verify_gem_no_sum = 0.01 s = .
TestGemValidator#test_verify_gem_file = md5_dgst.c(78): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode!
make: *** [yes-test-all] Aborted (core dumped)
./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems "./test/runner.rb" --ruby="./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems"  -v 'test/rubygems/test_gem_security.rb'
Run options: "--ruby=./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems" -v

# Running tests:

TestGemSecurity#test_class_build_self_signed_cert = 0.02 s = E
TestGemSecurity#test_class_email_to_name = 0.01 s = .
TestGemSecurity#test_class_build_cert = 0.01 s = E
TestGemSecurity#test_class_sign_cert = 0.01 s = E


Finished tests in 0.067462s, 59.2926 tests/s, 59.2926 assertions/s.

  1) Error:
test_class_build_self_signed_cert(TestGemSecurity):
OpenSSL::PKey::RSAError: key too short
    /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/rubygems/security.rb:711:in `initialize'
    /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/rubygems/security.rb:711:in `new'
    /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/rubygems/security.rb:711:in `build_self_signed_cert'
    /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_security.rb:58:in `test_class_build_self_signed_cert'

  2) Error:
test_class_build_cert(TestGemSecurity):
OpenSSL::PKey::RSAError: key too short
    /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_security.rb:19:in `initialize'
    /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_security.rb:19:in `new'
    /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_security.rb:19:in `test_class_build_cert'

  3) Error:
test_class_sign_cert(TestGemSecurity):
OpenSSL::PKey::RSAError: key too short
    /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_security.rb:72:in `initialize'
    /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_security.rb:72:in `new'
    /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_security.rb:72:in `test_class_sign_cert'

4 tests, 4 assertions, 0 failures, 3 errors, 0 skips

ruby -v: ruby 2.0.0dev (2012-09-03 trunk 36887) [x86_64-linux]
make: *** [yes-test-all] Error 3
./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems "./test/runner.rb" --ruby="./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems"  -v 'test/rubygems/test_gem_remote_fetcher.rb'
/home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_remote_fetcher.rb:859:in `initialize': BN lib (OpenSSL::PKey::DHError)
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_remote_fetcher.rb:859:in `new'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_remote_fetcher.rb:859:in `singleton class'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_remote_fetcher.rb:847:in `<class:TestGemRemoteFetcher>'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_remote_fetcher.rb:25:in `<top (required)>'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/test/unit.rb:243:in `require'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/test/unit.rb:243:in `block in non_options'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/test/unit.rb:237:in `each'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/test/unit.rb:237:in `non_options'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/test/unit.rb:52:in `process_args'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/minitest/unit.rb:956:in `_run'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/minitest/unit.rb:949:in `run'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/test/unit.rb:21:in `run'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/test/unit.rb:767:in `run'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/test/unit.rb:820:in `run'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/test/unit.rb:824:in `run'
    from ./test/runner.rb:25:in `<main>'
make: *** [yes-test-all] Error 1
@voxik voxik referenced this issue from a commit in voxik/rubygems
@voxik voxik Drop check --verify option.
This option is not useful for ages. Moreover, the test suite of the old
paths for the validation uses MD5, which is prohibited in FIPS mode
(#365).
0e547d6
@drbrain drbrain was assigned
@drbrain drbrain closed this issue from a commit
@drbrain drbrain Regenerated test certificates for FIPS mode
Previously the test certificates had (broken) 512 bit keys which are too
short for FIPS mode.  The new keys have 2048 bit keys which should last
a good while.  Fixes #365

Updated History.txt for commits since 2.0.0.preview2
b3d629f
@drbrain drbrain closed this in b3d629f
@drbrain
Owner

I don't have a 32 bit 1.8.7 to test this on (1.8.7 only has a 32 bit range for Time), but since the certificates are all generated the same way there should be no issue there.
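
Added example, not part of the issue thread or of RubyGems' own code: a Ruby sketch of a fixture check covering the three failure classes in the log above (RSA keys too short, MD5, and a private key whose PEM container changed). The 2048 bit floor is an assumption taken from the fix commit's key size, and the helper names and the certificate subject are hypothetical.

```ruby
require 'openssl'

MIN_RSA_BITS = 2048          # assumption: floor taken from the regenerated 2048 bit keys
FORBIDDEN_DIGEST = /md5/i    # MD5 is what aborted the validator test in the log

# Build a throwaway self-signed certificate (constructed sample, not a RubyGems fixture).
def build_self_signed(bits, digest = 'SHA256')
  key  = OpenSSL::PKey::RSA.new(bits)
  name = OpenSSL::X509::Name.parse('/CN=fips-fixture-example')
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = name
  cert.issuer     = name
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new(digest))
  [key, cert]
end

# Return the reasons a certificate would be unusable as a fixture in FIPS mode.
def fips_findings(cert)
  findings = []
  pub = cert.public_key
  if pub.is_a?(OpenSSL::PKey::RSA) && pub.n.num_bits < MIN_RSA_BITS
    findings << "RSA key is #{pub.n.num_bits} bits, below #{MIN_RSA_BITS}"
  end
  if cert.signature_algorithm =~ FORBIDDEN_DIGEST
    findings << "signature algorithm #{cert.signature_algorithm} uses MD5"
  end
  findings
end

# Compare two serialized private keys by their RSA parameters, so a change of
# container ("BEGIN RSA PRIVATE KEY" vs the PKCS#8 "BEGIN PRIVATE KEY") does not
# fail an assertion the way the textual comparison in test_execute_private_key did.
def same_key?(a, b)
  ka = OpenSSL::PKey.read(a)
  kb = OpenSSL::PKey.read(b)
  %i[n e d].all? { |f| ka.public_send(f) == kb.public_send(f) }
end
```

Running `fips_findings` over every certificate under the test directory before the suite starts turns the "key too short" errors into a single readable report.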
