From: Martin Bosslet
Date: 2011-06-26T08:14:02+09:00
Subject: [ruby-core:37354] [Ruby 1.9 - Bug #3862][Feedback] Bugs in the OpenSSL extension on sparc64

Issue #3862 has been updated by Martin Bosslet.

Status changed from Assigned to Feedback

Jeremy Evans wrote:
> =begin
> The OpenSSL extension has some bugs on sparc64, either in the code or in the test suite. Here are the errors that are received when running the 1.9.2 test suite on sparc64 on OpenBSD:
>
> 8) Failure:
> test_create_by_factory(OpenSSL::TestX509Extension)
> [/usr/ports/pobj/ruby-1.9.2-p0/ruby-1.9.2-p0/test/openssl/test_x509ext.rb:41]:
> <"0\x12\x06\x03U\x1D\x13\x01\x01\x00\x04\b0\x06\x01\x01\x00\x02\x01\x02"> expected but was
> <"0\x12\x06\x03U\x1D\x13\x01\x01\xFF\x04\b0\x06\x01\x01\xFF\x02\x01\x02">.

The former encoding is that of @basic_constraints in test_x509ext.rb. It is defined as

    @basic_constraints_value = OpenSSL::ASN1::Sequence([
      OpenSSL::ASN1::Boolean(true),   # CA
      OpenSSL::ASN1::Integer(2)       # pathlen
    ])
    @basic_constraints = OpenSSL::ASN1::Sequence([
      OpenSSL::ASN1::ObjectId("basicConstraints"),
      OpenSSL::ASN1::Boolean(true),
      OpenSSL::ASN1::OctetString(@basic_constraints_value.to_der),
    ])

Something must have gone wrong, either parsing OpenSSL::ASN1::Boolean(true) or encoding it again during #to_der because the encoding should be "\x01\x01\xFF" instead of "\x01\x01\x00".

> 9) Failure:
> test_new(OpenSSL::TestX509Extension)
> [/usr/ports/pobj/ruby-1.9.2-p0/ruby-1.9.2-p0/test/openssl/test_x509ext.rb:29]:
> expected but was
> .

Same cause as in 8), where "true" was expected the actual value is "false". Could have happened either in OpenSSL::X509::Extension#initialize or in @basic_constraints.to_der.

> 10) Failure:
> test_attr(OpenSSL::TestX509Request)
> [/usr/ports/pobj/ruby-1.9.2-p0/ruby-1.9.2-p0/test/openssl/test_x509req.rb:94]:
> <[["keyUsage", "Digital Signature, Key Encipherment", true],
> ["subjectAltName", "email:gotoyuzo@ruby-lang.org", false]]> expected
> but was
> <[["keyUsage", "Digital Signature, Key Encipherment", false],
> ["subjectAltName", "email:gotoyuzo@ruby-lang.org", false]]>.
>

It again seems that decoding an ASN.1 boolean "true" was wrongly decoded as "false" in the end. But I can't tell whether this happened when encoding the attributes after creating them with OpenSSL::X509::ExtensionFactory#create_extension or when decoding them via OpenSSL::ASN1.decode.

> 7) Failure:
> test_decode(OpenSSL::TestASN1)
> [/usr/ports/pobj/ruby-1.9.2-p0/ruby-1.9.2-p0/test/openssl/test_asn1.rb:195]:
> <"\x8F\\\xA8\f|\xD7JV\x92\b`\xE9\xC1\xC5\x90\xEB\xB0\x9E!\x86\xD5\x8F\xAC\x7Fa\x1E<$\xD8_\xC9\x98\xABv\xC2[\x15\x97\xD6\xCAX\xAA\xB7\x12`QK\x02c\xFE\xCF;(\x89Zm\xED0V
> +rQ\xED\x17/\xA8\xB2d\xABN\xDC\x1F\v\xC6\f\x10w\xA7\xFEd\xE1\xFA\x1E\x8C\xDB\xED\x97\xD0\xE1\xE6\xDDo\xFD\xFD\xFC~\xFE\xDF\xA8x{\x1C\xA4\x13\xF8E\x02\xB4\x1Ev\xF8\xDF
> +\xC3\x14$~\xD4\xE3t\xB2\xAF\"\xF1?f\xB0yL"> expected but was
> <"\x9E*\xC8zH\xF0\xB8\xAA\xF4<\xFD\x81ud\xE6\x19\x87I\xAB\x8Du\xB9\xE0u\x94t\x87\x06\xDFb\xC2\x98\xBB9p\x88w\x84R3'\xBE\x84_\xD3\xF7\xDB\xDA\xE2\xD5\xD7\xE0?\x16#\x99
> +\xF1\xE8\x80I\x90\xCDic\r\x8A2\x8A\xA3\xC9\xB9\x92n\x04\n\x9C\xF5C\x95\xE0/\x8D\r{\xB3\xB0\xE0j\xCA\xE4\xDF\xC9\x88\x05\x88\xCE\x82\xB1\xE7\x13:}\xF7\x19\xCAG3\xAD\x
> +9F\xBC\xA7\xAD\xD3,\xE9\xD00\xDF\xA9P\x1F\x14\xA7l\x9B\xB3\x87m">.
>

My bet would be that this is also related to the obvious problems with ASN.1 booleans. The values being compared here are signatures on the DER encoding of a certificate. I assume that the encoding was already different due to the boolean problems and so the resulting signature would also be different.

It would help if I knew the exact OpenSSL version used that raised these failures. Could this be related to r29075? Here is what it says in the change log:

    * backport r29071 from ruby_1_8;

    * ext/openssl/ossl_asn1.c (obj_to_asn1bool): fixed ASN1::Boolean
      encoding issue for OpenSSL 1.0.0 compatibility.
      ASN1::Boolean.new(false).to_der wrongly generated "\1\1\377" which
      means 'true'. ASN1_TYPE_set of OpenSSL <= 0.9.8 treats value 0x100
      as 'false' but OpenSSL >= 1.0.0 treats it as 'true'. ruby-ossl was
      using 0x100 for 'false' for backward compatibility. Just use 0x0
      for the case OpenSSL >= OpenSSL 0.9.7.

----------------------------------------
Bug #3862: Bugs in the OpenSSL extension on sparc64
http://redmine.ruby-lang.org/issues/3862

Author: Jeremy Evans
Status: Feedback
Priority: Low
Assignee: Martin Bosslet
Category: lib
Target version:
ruby -v: -

=begin
The OpenSSL extension has some bugs on sparc64, either in the code or in the test suite. Here are the errors that are received when running the 1.9.2 test suite on sparc64 on OpenBSD:

7) Failure:
test_decode(OpenSSL::TestASN1)
[/usr/ports/pobj/ruby-1.9.2-p0/ruby-1.9.2-p0/test/openssl/test_asn1.rb:195]:
<"\x8F\\\xA8\f|\xD7JV\x92\b`\xE9\xC1\xC5\x90\xEB\xB0\x9E!\x86\xD5\x8F\xAC\x7Fa\x1E<$\xD8_\xC9\x98\xABv\xC2[\x15\x97\xD6\xCAX\xAA\xB7\x12`QK\x02c\xFE\xCF;(\x89Zm\xED0V
+rQ\xED\x17/\xA8\xB2d\xABN\xDC\x1F\v\xC6\f\x10w\xA7\xFEd\xE1\xFA\x1E\x8C\xDB\xED\x97\xD0\xE1\xE6\xDDo\xFD\xFD\xFC~\xFE\xDF\xA8x{\x1C\xA4\x13\xF8E\x02\xB4\x1Ev\xF8\xDF
+\xC3\x14$~\xD4\xE3t\xB2\xAF\"\xF1?f\xB0yL"> expected but was
<"\x9E*\xC8zH\xF0\xB8\xAA\xF4<\xFD\x81ud\xE6\x19\x87I\xAB\x8Du\xB9\xE0u\x94t\x87\x06\xDFb\xC2\x98\xBB9p\x88w\x84R3'\xBE\x84_\xD3\xF7\xDB\xDA\xE2\xD5\xD7\xE0?\x16#\x99
+\xF1\xE8\x80I\x90\xCDic\r\x8A2\x8A\xA3\xC9\xB9\x92n\x04\n\x9C\xF5C\x95\xE0/\x8D\r{\xB3\xB0\xE0j\xCA\xE4\xDF\xC9\x88\x05\x88\xCE\x82\xB1\xE7\x13:}\xF7\x19\xCAG3\xAD\x
+9F\xBC\xA7\xAD\xD3,\xE9\xD00\xDF\xA9P\x1F\x14\xA7l\x9B\xB3\x87m">.

8) Failure:
test_create_by_factory(OpenSSL::TestX509Extension)
[/usr/ports/pobj/ruby-1.9.2-p0/ruby-1.9.2-p0/test/openssl/test_x509ext.rb:41]:
<"0\x12\x06\x03U\x1D\x13\x01\x01\x00\x04\b0\x06\x01\x01\x00\x02\x01\x02"> expected but was
<"0\x12\x06\x03U\x1D\x13\x01\x01\xFF\x04\b0\x06\x01\x01\xFF\x02\x01\x02">.

9) Failure:
test_new(OpenSSL::TestX509Extension)
[/usr/ports/pobj/ruby-1.9.2-p0/ruby-1.9.2-p0/test/openssl/test_x509ext.rb:29]:
expected but was
.

10) Failure:
test_attr(OpenSSL::TestX509Request)
[/usr/ports/pobj/ruby-1.9.2-p0/ruby-1.9.2-p0/test/openssl/test_x509req.rb:94]:
<[["keyUsage", "Digital Signature, Key Encipherment", true],
["subjectAltName", "email:gotoyuzo@ruby-lang.org", false]]> expected
but was
<[["keyUsage", "Digital Signature, Key Encipherment", false],
["subjectAltName", "email:gotoyuzo@ruby-lang.org", false]]>.

I spoke to Aaron Patterson about this and he wasn't sure if this is a bug in the test suite that should be made platform dependent, or if it was a bug in the code.
=end

--
http://redmine.ruby-lang.org
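
A platform self-check for the ASN.1 boolean handling discussed in failures 8 and 9, as an added example that is not part of the original message or of the Ruby test suite. It round-trips both boolean values, rebuilds the basicConstraints structure quoted above, and reads the critical and CA flags out of the two byte strings from failure 8. The constant and method names are hypothetical; the byte strings are copied from the report.

```ruby
require 'openssl'

# DER of the basicConstraints extension, copied from failure 8 of the report.
# The \xFF form is what a correct encoder emits for Boolean(true).
EXT_TRUE  = "0\x12\x06\x03U\x1D\x13\x01\x01\xFF\x04\b0\x06\x01\x01\xFF\x02\x01\x02".b
EXT_FALSE = "0\x12\x06\x03U\x1D\x13\x01\x01\x00\x04\b0\x06\x01\x01\x00\x02\x01\x02".b

# Round-trip both boolean values through the extension's encoder and decoder.
# DER requires 0xFF for true and 0x00 for false.
def boolean_roundtrip_ok?
  { true => "\x01\x01\xFF".b, false => "\x01\x01\x00".b }.all? do |val, der|
    OpenSSL::ASN1::Boolean.new(val).to_der == der &&
      OpenSSL::ASN1.decode(der).value == val
  end
end

# Rebuild the structure from test_x509ext.rb as quoted in the message and
# return its DER encoding.
def build_basic_constraints
  inner = OpenSSL::ASN1::Sequence([
    OpenSSL::ASN1::Boolean(true),   # CA
    OpenSSL::ASN1::Integer(2)       # pathlen
  ])
  OpenSSL::ASN1::Sequence([
    OpenSSL::ASN1::ObjectId("basicConstraints"),
    OpenSSL::ASN1::Boolean(true),   # critical
    OpenSSL::ASN1::OctetString(inner.to_der)
  ]).to_der
end

# Decode extension DER and return [critical, ca, pathlen].
def read_basic_constraints(der)
  _oid, critical, octets = OpenSSL::ASN1.decode(der).value
  ca, pathlen = OpenSSL::ASN1.decode(octets.value).value
  [critical.value, ca.value, pathlen.value.to_i]
end
```

On a build where `build_basic_constraints` returns the `\x00` form, a certificate meant to carry a critical CA constraint would be emitted with both flags cleared, which is why the signature comparison in failure 7 also diverges.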