Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

openssl-master fips: Failure: test_ed25519_not_approved_on_fips(OpenSSL::TestPKey): OpenSSL::PKey::PKeyError expected but nothing was raised. #787

Closed
junaruga opened this issue Aug 15, 2024 · 5 comments · Fixed by #789
Closed

openssl-master fips: Failure: test_ed25519_not_approved_on_fips(OpenSSL::TestPKey): OpenSSL::PKey::PKeyError expected but nothing was raised. #787

junaruga opened this issue Aug 15, 2024 · 5 comments · Fixed by #789

Comments

@junaruga
Copy link
Member

This openssl-master fips specific failure was found on #786 (comment).

The following failure happened with OpenSSL master openssl/openssl@02b8b7b.

https://github.com/ruby/openssl/actions/runs/10405700727/job/28817053622?pr=786#step:11:103

1) Failure: test_ed25519_not_approved_on_fips(OpenSSL::TestPKey): OpenSSL::PKey::PKeyError expected but nothing was raised.
/home/runner/work/openssl/openssl/vendor/bundle/ruby/3.0.0/gems/test-unit-ruby-core-1.0.6/lib/core_assertions.rb:462:in `assert_raise'
/home/runner/work/openssl/openssl/test/openssl/test_pkey.rb:174:in `test_ed25519_not_approved_on_fips'
     171:     MC4CAQAwBQYDK2VwBCIEIEzNCJso/5banbbDRuwRTg9bijGfNaumJNqM9u1PuKb7
     172:     -----END PRIVATE KEY-----
     173:     EOF
  => 174:     assert_raise(OpenSSL::PKey::PKeyError) do
     175:       OpenSSL::PKey.read(priv_pem)
     176:     end
     177:   end
@junaruga junaruga mentioned this issue Aug 15, 2024
Merged
@junaruga
Copy link
Member Author

The last succeeded commit is openssl/openssl@20bf3fe according to the https://github.com/ruby/openssl/actions/runs/10261548837/job/28389492262#step:4:41

@rhenium
Copy link
Member

rhenium commented Aug 15, 2024

There is an openssl/openssl issue/discussion: openssl/openssl#22054

According to the page, FIPS 140-3 currently allows Ed25519 and disallows X25519. But current releases of OpenSSL 3.x work the other way around?

FIPS 140 seems like a moving target, so I lean towards not checking what is "not available" in the FIPS mode.

@junaruga
Copy link
Member Author

I found the openssl/openssl@5f04124 causing this failure by git bisect.

@junaruga
Copy link
Member Author

There is an openssl/openssl issue/discussion: openssl/openssl#22054

According to the page, FIPS 140-3 currently allows Ed25519 and disallows X25519. But current releases of OpenSSL 3.x work the other way around?

FIPS 140 seems like a moving target, so I lean towards not checking what is "not available" in the FIPS mode.

Yes, in my understanding, FIPS 140 is a moving target. The comment openssl/openssl#24799 (comment) is about the topic as a reference.

I would agree on your opinion "I lean towards not checking what is "not available" in the FIPS mode.". Because we want to keep our tests stable. Let me send a PR about it.

@junaruga junaruga mentioned this issue Aug 16, 2024
Merged
@junaruga
Copy link
Member Author

I sent the PR #789.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Remove test_ed25519_not_approved_on_fips. junaruga/ruby-openssl
2 participants
@junaruga @rhenium