[CI] SamlAuthenticatorTests.testSuccessfullyParseContentFromEncryptedAssertion failure #58651

Closed
dimitris-athanasiou opened this issue Jun 29, 2020 · 4 comments · Fixed by #58668
Labels: :Security/Authentication (Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc)), Team:Security (Meta label for security team), >test-failure (Triaged test failures from CI)

Comments

dimitris-athanasiou (Contributor) commented Jun 29, 2020

Build scan: https://gradle-enterprise.elastic.co/s/yczk6f2jiwbbu

Repro line: ./gradlew ':x-pack:plugin:security:test' --tests "org.elasticsearch.xpack.security.authc.saml.SamlAuthenticatorTests.testSuccessfullyParseContentFromEncryptedAssertion" -Dtests.seed=81B483E734DC92DB -Dtests.security.manager=true -Dtests.locale=de -Dtests.timezone=BET -Druntime.java=11 -Dtests.fips.enabled=true

Reproduces locally?: Yes

Applicable branches: master

Failure history:
The test failed for the first time but we also got a similar failure in https://gradle-enterprise.elastic.co/s/t5ncm7jvhfo3k where the testSigningWhenIdpHasMultipleKeys test failed similarly. I think those 2 are the same issue.

Failure excerpt:

org.bouncycastle.crypto.IllegalKeyException: Attempt to encrypt/decrypt with RSA modulus already used for sign/verify.	
at __randomizedtesting.SeedInfo.seed([81B483E734DC92DB:1848D24F26D988C7]:0)	
at org.bouncycastle.crypto.general.RSA$KeyWrapOperatorFactory$KeyWrapper.<init>(Unknown Source)	
at org.bouncycastle.crypto.general.RSA$KeyWrapOperatorFactory.createKeyWrapper(Unknown Source)	
at org.bouncycastle.crypto.general.RSA$KeyWrapOperatorFactory.createKeyWrapper(Unknown Source)	
at org.bouncycastle.jcajce.provider.BaseSingleBlockCipher.engineInit(Unknown Source)	
at org.bouncycastle.jcajce.provider.BaseSingleBlockCipher.engineInit(Unknown Source)	
at javax.crypto.Cipher.implInit(Cipher.java:839)	
at javax.crypto.Cipher.chooseProvider(Cipher.java:901)	
at javax.crypto.Cipher.init(Cipher.java:1286)	
at javax.crypto.Cipher.init(Cipher.java:1223)	
at org.apache.xml.security.encryption.XMLCipher.encryptKey(XMLCipher.java:1384)	
at org.apache.xml.security.encryption.XMLCipher.encryptKey(XMLCipher.java:1322)	
at org.apache.xml.security.encryption.XMLCipher.encryptKey(XMLCipher.java:1302)	
at org.opensaml.xmlsec.encryption.support.Encrypter.encryptKey(Encrypter.java:362)	
at org.opensaml.xmlsec.encryption.support.Encrypter.encryptKey(Encrypter.java:297)	
at org.opensaml.xmlsec.encryption.support.Encrypter.encryptKey(Encrypter.java:274)	
at org.opensaml.saml.saml2.encryption.Encrypter.encrypt(Encrypter.java:378)	
at org.opensaml.saml.saml2.encryption.Encrypter.encrypt(Encrypter.java:256)	
at org.elasticsearch.xpack.security.authc.saml.SamlAuthenticatorTests.encryptAssertions(SamlAuthenticatorTests.java:1206)	
at org.elasticsearch.xpack.security.authc.saml.SamlAuthenticatorTests.testSuccessfullyParseContentFromEncryptedAssertion(SamlAuthenticatorTests.java:226)	
@dimitris-athanasiou dimitris-athanasiou added >test-failure Triaged test failures from CI :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) labels Jun 29, 2020
elasticmachine (Collaborator) commented Jun 29, 2020

Pinging @elastic/es-security (:Security/Authentication)

@elasticmachine elasticmachine added the Team:Security Meta label for security team label Jun 29, 2020
jkakavas (Member) commented Jun 29, 2020

@ywangd would you mind looking at this? Something in e966155 made it so that the same keypair is used both for encryption and for signing, and this is not allowed in FIPS 140-2, thus these tests are failing.

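The stack trace above shows the BC-FJA provider refusing to initialise an RSA key-wrap cipher with a modulus it has already seen used for signing (`IllegalKeyException: Attempt to encrypt/decrypt with RSA modulus already used for sign/verify`). The fix pattern is to give each role its own key pair. The following is an added illustration, not Elasticsearch's test code or the change in #58668: plain JCA, with hypothetical helper names (`newRsaKeyPair`, `sign`, `wrapKey`, `unwrapKey`) and a constructed placeholder payload. It signs a payload with one RSA key pair and wraps a content-encryption key with a second, unrelated pair, which is the separation a FIPS-approved provider expects.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Added example (not from the Elasticsearch code base): one RSA key pair per
 * cryptographic role, so no single modulus is used for both signing and
 * key wrapping. Under a FIPS provider such as BC-FJA, reusing the signing
 * pair in wrapKey() is what produces the IllegalKeyException in the issue.
 */
public class SeparateKeyRoles {

    // Hypothetical helper: a fresh 2048-bit RSA key pair for a single purpose.
    static KeyPair newRsaKeyPair() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    // Signing role: the signing pair is never handed to a Cipher.
    static byte[] sign(PrivateKey signingKey, byte[] data) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(signingKey);
        sig.update(data);
        return sig.sign();
    }

    static boolean verify(PublicKey signingPub, byte[] data, byte[] signature)
            throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(signingPub);
        sig.update(data);
        return sig.verify(signature);
    }

    // Encryption role: RSA-OAEP key transport of a symmetric content key,
    // using a key pair that is distinct from the signing pair.
    static byte[] wrapKey(PublicKey encryptionPub, SecretKey contentKey)
            throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        cipher.init(Cipher.WRAP_MODE, encryptionPub);
        return cipher.wrap(contentKey);
    }

    static SecretKey unwrapKey(PrivateKey encryptionPriv, byte[] wrapped)
            throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        cipher.init(Cipher.UNWRAP_MODE, encryptionPriv);
        return (SecretKey) cipher.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }

    public static void main(String[] args) throws Exception {
        KeyPair signingPair = newRsaKeyPair();
        KeyPair encryptionPair = newRsaKeyPair(); // separate modulus; never signingPair

        // Constructed placeholder standing in for a SAML assertion.
        byte[] assertion = "<saml:Assertion>example</saml:Assertion>"
                .getBytes(StandardCharsets.UTF_8);

        byte[] signature = sign(signingPair.getPrivate(), assertion);
        System.out.println("signature verifies: "
                + verify(signingPair.getPublic(), assertion, signature));

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey contentKey = kg.generateKey();

        byte[] wrapped = wrapKey(encryptionPair.getPublic(), contentKey);
        SecretKey recovered = unwrapKey(encryptionPair.getPrivate(), wrapped);
        System.out.println("content key round-trips: "
                + Arrays.equals(contentKey.getEncoded(), recovered.getEncoded()));
    }
}
```

With the default JDK providers both roles would also succeed if `signingPair` were passed to `wrapKey`, which is why a test like this only fails once `-Dtests.fips.enabled=true` selects the FIPS provider; running the suite in both modes is what catches the reuse.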
@ywangd ywangd self-assigned this Jun 29, 2020
ywangd (Member) commented Jun 29, 2020

Thanks for the notification @jkakavas. Yes, it's my change. I'll take care of it.

dimitris-athanasiou (Contributor, Author) commented Jun 29, 2020

It does reproduce locally btw, I had forgotten the fips flag.
