RubyGems compatibility with FIPS #365

Closed
voxik opened this Issue · 1 comment

Vít Ondruch

I can observe several test suite failures when running Ruby's test suite in FIPS mode (related to https://bugs.ruby-lang.org/issues/6946). Could you please consider fixing these issues? Thank you.

./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems "./test/runner.rb" --ruby="./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems"  -v 'test/rubygems/test_gem_commands_cert_command.rb'
Run options: "--ruby=./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems" -v

# Running tests:

TestGemCommandsCertCommand#test_execute_add = 0.03 s = .
TestGemCommandsCertCommand#test_execute_list = 0.02 s = .
TestGemCommandsCertCommand#test_execute_remove = 0.02 s = .
TestGemCommandsCertCommand#test_execute_build = 0.42 s = .
TestGemCommandsCertCommand#test_execute_private_key = 0.09 s = F
TestGemCommandsCertCommand#test_execute_sign = 0.03 s = .
TestGemCommandsCertCommand#test_execute_certificate = 0.02 s = .


Finished tests in 0.632391s, 11.0691 tests/s, 34.7886 assertions/s.

  1) Failure:
test_execute_private_key(TestGemCommandsCertCommand) [/home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_commands_cert_command.rb:96]:
--- expected
+++ actual
@@ -1,28 +1,29 @@
-"-----BEGIN RSA PRIVATE KEY-----
------END RSA PRIVATE KEY-----
+"-----BEGIN PRIVATE KEY-----
+-----END PRIVATE KEY-----
 "


7 tests, 22 assertions, 1 failures, 0 errors, 0 skips

ruby -v: ruby 2.0.0dev (2012-09-03 trunk 36887) [x86_64-linux]
make: *** [yes-test-all] Error 1
./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems "./test/runner.rb" --ruby="./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems"  -v 'test/rubygems/test_gem_validator.rb'
Run options: "--ruby=./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems" -v

# Running tests:

TestGemValidator#test_verify_gem_file_empty = 0.03 s = .
TestGemValidator#test_verify_gem_empty = 0.01 s = .
TestGemValidator#test_verify_gem_no_sum = 0.01 s = .
TestGemValidator#test_verify_gem_file = md5_dgst.c(78): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode!
make: *** [yes-test-all] Aborted (core dumped)
./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems "./test/runner.rb" --ruby="./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems"  -v 'test/rubygems/test_gem_security.rb'
Run options: "--ruby=./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems" -v

# Running tests:

TestGemSecurity#test_class_build_self_signed_cert = 0.02 s = E
TestGemSecurity#test_class_email_to_name = 0.01 s = .
TestGemSecurity#test_class_build_cert = 0.01 s = E
TestGemSecurity#test_class_sign_cert = 0.01 s = E


Finished tests in 0.067462s, 59.2926 tests/s, 59.2926 assertions/s.

  1) Error:
test_class_build_self_signed_cert(TestGemSecurity):
OpenSSL::PKey::RSAError: key too short
    /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/rubygems/security.rb:711:in `initialize'
    /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/rubygems/security.rb:711:in `new'
    /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/rubygems/security.rb:711:in `build_self_signed_cert'
    /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_security.rb:58:in `test_class_build_self_signed_cert'

  2) Error:
test_class_build_cert(TestGemSecurity):
OpenSSL::PKey::RSAError: key too short
    /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_security.rb:19:in `initialize'
    /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_security.rb:19:in `new'
    /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_security.rb:19:in `test_class_build_cert'

  3) Error:
test_class_sign_cert(TestGemSecurity):
OpenSSL::PKey::RSAError: key too short
    /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_security.rb:72:in `initialize'
    /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_security.rb:72:in `new'
    /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_security.rb:72:in `test_class_sign_cert'

4 tests, 4 assertions, 0 failures, 3 errors, 0 skips

ruby -v: ruby 2.0.0dev (2012-09-03 trunk 36887) [x86_64-linux]
make: *** [yes-test-all] Error 3
./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems "./test/runner.rb" --ruby="./miniruby -I./lib -I. -I.ext/common  ./tool/runruby.rb --extout=.ext  -- --disable-gems"  -v 'test/rubygems/test_gem_remote_fetcher.rb'
/home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_remote_fetcher.rb:859:in `initialize': BN lib (OpenSSL::PKey::DHError)
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_remote_fetcher.rb:859:in `new'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_remote_fetcher.rb:859:in `singleton class'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_remote_fetcher.rb:847:in `<class:TestGemRemoteFetcher>'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/test/rubygems/test_gem_remote_fetcher.rb:25:in `<top (required)>'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/test/unit.rb:243:in `require'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/test/unit.rb:243:in `block in non_options'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/test/unit.rb:237:in `each'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/test/unit.rb:237:in `non_options'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/test/unit.rb:52:in `process_args'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/minitest/unit.rb:956:in `_run'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/minitest/unit.rb:949:in `run'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/test/unit.rb:21:in `run'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/test/unit.rb:767:in `run'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/test/unit.rb:820:in `run'
    from /home/mockbuild/rpmbuild/BUILD/ruby-2.0.0-r36887/lib/test/unit.rb:824:in `run'
    from ./test/runner.rb:25:in `<main>'
make: *** [yes-test-all] Error 1
Vít Ondruch voxik referenced this issue from a commit in voxik/rubygems
Vít Ondruch voxik Drop check --verify option.
This option has not been useful for ages. Moreover, the test suite of the old
paths for the validation uses MD5, which is prohibited in FIPS mode
(#365).
0e547d6
Eric Hodel drbrain was assigned
Eric Hodel drbrain closed this issue from a commit
Eric Hodel drbrain Regenerated test certificates for FIPS mode
Previously the test certificates had (broken) 512 bit keys which are too
short for FIPS mode.  The new keys have 2048 bit keys which should last
a good while.  Fixes #365

Updated History.txt for commits since 2.0.0.preview2
b3d629f
Eric Hodel drbrain closed this in b3d629f
Eric Hodel
Owner

I don't have a 32 bit 1.8.7 to test this on (1.8.7 only has a 32 bit range for Time), but since the certificates are all generated the same way there should be no issue there.
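
The two certificate-related conditions in this thread (RSA keys rejected as "key too short", and the `RSA PRIVATE KEY` versus `PRIVATE KEY` PEM label mismatch) can be checked ahead of a FIPS-mode run. The following is an added example, not part of the original issue or of RubyGems' code; the 2048-bit floor, the MD5 signature check, the helper names and the generated sample certificates are assumptions of the example.

```ruby
require 'openssl'

# Assumed policy floor for this example: 2048 bits, the size of the
# regenerated test keys described in commit b3d629f.
MIN_RSA_BITS = 2048

# PEM labels and the private-key encoding each one denotes.
PEM_KEY_FORMATS = {
  'RSA PRIVATE KEY'       => :pkcs1,          # traditional form the test expected
  'PRIVATE KEY'           => :pkcs8,          # label seen in the FIPS-mode output
  'ENCRYPTED PRIVATE KEY' => :pkcs8_encrypted
}.freeze

# Classify a private-key PEM by its BEGIN label without parsing the key.
def pem_key_format(pem)
  PEM_KEY_FORMATS.fetch(pem[/-----BEGIN ([A-Z ]+)-----/, 1], :unknown)
end

# Return findings for one PEM certificate; an empty list means nothing flagged.
def cert_findings(cert_pem)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key = cert.public_key
  findings = []
  if key.is_a?(OpenSSL::PKey::RSA) && key.n.num_bits < MIN_RSA_BITS
    findings << "RSA key is #{key.n.num_bits} bits (minimum #{MIN_RSA_BITS})"
  end
  if cert.signature_algorithm =~ /md5/i
    findings << "certificate is signed with #{cert.signature_algorithm}"
  end
  findings
end

# Build a throwaway self-signed certificate (constructed sample input).
def sample_cert_pem(bits)
  key = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=constructed-example')
  cert.public_key = key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  [1024, 2048].each do |bits|
    puts "#{bits}-bit sample: #{cert_findings(sample_cert_pem(bits)).inspect}"
  end
end
```

Run it on a host that is not in FIPS mode, since generating the short sample key is itself refused there.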
