-
Notifications
You must be signed in to change notification settings - Fork 217
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support running CCF on Azure Linux #6588
Comments
@maxtropets current is 3.3.2, so that one :) |
Currently removed the Checked OpenSSL source, same NID for 3.1 and 3.3 impl, NID matches.
Needs investigation. |
Tried all other unit tests (crypto test patched with #6591)
|
256k1 is not a NIST standard, which is likely why SymCrypt rejects it - it would be good to confirm and document though |
Figured out it's not explicitly linked, but rather being loaded during runtime
Confirmed dependency chain ccf -> librypto -> libsymcrypt (monolithic lib):
|
Split into smaller sub-issues except UPD: Fixed in #6598 |
Got to the bottom of UVM endorsements test failure, filed a ticket (#6600) So far, all the known issues are filed in sub-issues or solved. Next steps
|
Dumping to not lose, how to run the container + tests
|
Currently running standard e2e tests set (no perf, no ASAN/TSAN, etc) is blocked by
|
Checked it in-depth, key things to mention
As soon as both PEMs represent the same private key, it's to be figured out what metadata encoded makes the difference here |
Example Priv key converted to JWK and back to PEM
The original one
Public key
|
I've also tried a simple python test with sign/verify with both keys (different pems), worked out just well. Learned some RSA docs, seems Will dig up the implementation, but seems like either openssl version bump-up issue or a symcrypt problem. |
Current summary
Tried running local ccf crypto test as follows
That always passes, meaning there's something wrong with creating the key from parameters. Open question - is it possible that PEM->JWK on one openssl version and then JWK->PEM on another openssl version aren't compatible? |
Also, found this online jwk->pem->jwk thing: https://8gwifi.org/jwkconvertfunctions.jsp JWK->PEM there matches the CCF version |
Saving an interesting post here: https://crypto.stackexchange.com/questions/76253/requirements-for-rsa-key-parameters |
Reproduced it in another way, getting a pem from a failed test, then unit-testing as follows
This passes on our current Ubuntu 20.04 with openssl 1.1.1, but fails on Mariner with openssl 3.3 |
Summoning @ad-l for an expertise |
It looks like the difference between the private exponents is caused by different ways of computing d. The 2048bit version uses d=e^-1 mod (p-1)(q-1), the shorter one uses e^-1 mod lcm(p-1)(q-1). Both are valid and some pedantic idiot must have thought that saving 5 bits was worth changing the private key representation. I have to look at the OpenSSL API to see if I can propose a reasonable patch around this |
@ad-l it looks like this change pyca/cryptography#11193 |
Yes that's what's causing your issue here, the use of Carmichael totient in pyca |
@achamayou , @ad-l , are we all OK with relaxing the test constraint
In that case, is to sign/verify some payload the best option or shall we go with something else? UPD: #6716 |
@achamayou yes, as discussed, there are two ways to represent the key but the key is logically the same. Updating the test to check equivalence rather than byte-representation equality makes sense. |
In this issue have to support building and testing CCF on Azure Linux.
The major obstacle so far - openssl.
On Azure Linux, we shall use OpenSSL of (major) version 3. It is to be determined in this ticket which exact version is supported by Azure Linux.
Ticket for reference: #5291
Subtasks to track the progress
./crypto_test
(patched, see discussions in comments)The text was updated successfully, but these errors were encountered: