Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

test: generate des rsa_cert.pfx #28471

Closed
wants to merge 1 commit into from
Closed

Conversation

everett1992
Copy link
Contributor

My node distribution uses a shared openssl library with some ciphers
disabled, including RC2.

These tests (which use rsa_cert.pfx) fail with unknown cipher:

  • parallel/test-crypto-binary-default
  • parallel/test-https-pfx
  • parallel/test-crypto

This is a regression from 12.4.0

The other fixture .pfx's use the -descert option, I don't know if
rsa_cert.pfx was generated without -descert intentionally or not but
none of the tests reference RC2, and the tests pass with a des cert.

I'm not an ssl/crypto expert, so I would appreciate any insight.

Old key:

openssl pkcs12 -info -in test/fixtures/keys/rsa_cert.pfx -noout -passin
pass:sample
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

New

openssl pkcs12 -info -in test/fixtures/keys/rsa_cert.pfx -noout -passin
pass:sample
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • commit message follows commit guidelines

@nodejs-github-bot nodejs-github-bot added the test Issues and PRs related to the tests. label Jun 28, 2019
My node distribution uses a shared openssl library with some ciphers
disabled, including RC2.

These tests (which use `rsa_cert.pfx`) fail with `unknown cipher`:
 - parallel/test-crypto-binary-default
 - parallel/test-https-pfx
 - parallel/test-crypto

The other fixture .pfx's use the `-descert` option, I don't know if
rsa_cert.pfx was generated without `-descert` intentionally or not but
none of the tests reference RC2, and the tests pass with a des cert.

I'm not an ssl/crypto expert, so I would appreciate any insight.

Old key:
```
openssl pkcs12 -info -in test/fixtures/keys/rsa_cert.pfx -noout -passin
pass:sample
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
```

New
```
openssl pkcs12 -info -in test/fixtures/keys/rsa_cert.pfx -noout -passin
pass:sample
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
```
@nodejs-github-bot
Copy link
Collaborator

Copy link
Member

@bnoordhuis bnoordhuis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the pull request. The reason for RC2 is simply because that's openssl pkcs12's default.

@bnoordhuis bnoordhuis added the crypto Issues and PRs related to the crypto subsystem. label Jun 30, 2019
@everett1992
Copy link
Contributor Author

None of the failing checks look related to my change. Am I expected to fix them in order to merge this PR?

@Trott
Copy link
Member

Trott commented Jul 1, 2019

None of the failing checks look related to my change. Am I expected to fix them in order to merge this PR?

No, not if they are clearly unrelated.

@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

@BridgeAR BridgeAR added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Jul 4, 2019
@Trott
Copy link
Member

Trott commented Jul 6, 2019

Landed in 6aafee1.

Thanks for the contribution! 🎉

@Trott Trott closed this Jul 6, 2019
Trott pushed a commit to Trott/io.js that referenced this pull request Jul 6, 2019
My node distribution uses a shared openssl library with some ciphers
disabled, including RC2.

These tests (which use `rsa_cert.pfx`) fail with `unknown cipher`:
 - parallel/test-crypto-binary-default
 - parallel/test-https-pfx
 - parallel/test-crypto

The other fixture .pfx's use the `-descert` option, I don't know if
rsa_cert.pfx was generated without `-descert` intentionally or not but
none of the tests reference RC2, and the tests pass with a des cert.

I'm not an ssl/crypto expert, so I would appreciate any insight.

Old key:
```
openssl pkcs12 -info -in test/fixtures/keys/rsa_cert.pfx -noout -passin
pass:sample
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
```

New
```
openssl pkcs12 -info -in test/fixtures/keys/rsa_cert.pfx -noout -passin
pass:sample
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
```

PR-URL: nodejs#28471
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
targos pushed a commit that referenced this pull request Jul 20, 2019
My node distribution uses a shared openssl library with some ciphers
disabled, including RC2.

These tests (which use `rsa_cert.pfx`) fail with `unknown cipher`:
 - parallel/test-crypto-binary-default
 - parallel/test-https-pfx
 - parallel/test-crypto

The other fixture .pfx's use the `-descert` option, I don't know if
rsa_cert.pfx was generated without `-descert` intentionally or not but
none of the tests reference RC2, and the tests pass with a des cert.

I'm not an ssl/crypto expert, so I would appreciate any insight.

Old key:
```
openssl pkcs12 -info -in test/fixtures/keys/rsa_cert.pfx -noout -passin
pass:sample
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
```

New
```
openssl pkcs12 -info -in test/fixtures/keys/rsa_cert.pfx -noout -passin
pass:sample
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
```

PR-URL: #28471
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
This was referenced Jul 23, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
author ready PRs that have at least one approval, no pending requests for changes, and a CI started. crypto Issues and PRs related to the crypto subsystem. test Issues and PRs related to the tests.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants