Skip to content

Tests: test for loading "store:..." keys. #16

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
May 26, 2025
Merged

Tests: test for loading "store:..." keys. #16

merged 2 commits into from
May 26, 2025

Conversation

bavshin-f5
Copy link
Member

@bavshin-f5 bavshin-f5 commented Jan 9, 2025
edited
Loading

@bavshin-f5 bavshin-f5 mentioned this pull request Jan 9, 2025
Merged
@pluknet
Copy link
Contributor

pluknet commented May 19, 2025
edited
Loading

How this is supposed to work? I get:

Could not open file or uri for loading private key from pkcs11:token=NginxZero;object=nx_key_0
002041D7E0390000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:/usr/src/crypto/openssl/crypto/store/store_register.c:237:scheme=file
002041D7E0390000:error:80000002:system library:file_open:No such file or directory:/usr/src/crypto/openssl/providers/implementations/storemgmt/file_store.c:267:calling stat(pkcs11:token=NginxZero;object=nx_key_0)
002041D7E0390000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:/usr/src/crypto/openssl/crypto/store/store_register.c:237:scheme=pkcs11
002041D7E0390000:error:1608010C:STORE routines:inner_loader_fetch:unsupported:/usr/src/crypto/openssl/crypto/store/store_meth.c:383:No store loader found. For standard store loaders you need at least one of the default or base providers available. Did you forget to load them? Info: Global default library context, Scheme (pkcs11 : 0), Properties (<null>)

P.S.
Nevermind, it turns out missing pkcs11-provider in both openssl cli and OpenSSL library used by nginx.

It makes sense to record these dependencies in the test to make it work,
similar to https://mailman.nginx.org/pipermail/nginx-devel/2014-October/006151.html

@pluknet pluknet self-requested a review May 20, 2025 14:41
@bavshin-f5 bavshin-f5 force-pushed the ssl-provider-keys branch from adff61f to b8b69c8 Compare May 21, 2025 17:50
@bavshin-f5 bavshin-f5 marked this pull request as ready for review May 22, 2025 22:17
pluknet
pluknet reviewed May 23, 2025
View reviewed changes
ssl_provider_keys.t Outdated
Comment on lines 9 to 12
# Test prerequisites:
# * OpenSSL >= 3
# * softhsm2
# * pkcs11-provider (https://github.com/latchset/pkcs11-provider)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding a descriptive error message for "missing pkcs11-provider" and using proper test prerequisites made this block excessive.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We still have to clarify which pkcs11 provider is required for this test (there are two now, see https://github.com/OpenSC/libp11/releases/tag/libp11-0.4.14).
But I found a better location for the link and removed this block.

ssl_provider_keys.t Outdated
Comment on lines 33 to 29
plan(skip_all => 'may not work, leaves coredump')
unless $ENV{TEST_NGINX_UNSAFE};
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any reason to mark this test unsafe similar to ssl_engine_keys.t ?
If not, I'd rather remove it. (Running through the sandbox should give some initial evidence.)

Speaking about ssl_engine_keys.t, I feel desire to stop marking it unsafe, in particular, since recent changes in a5e6efa, which made it more flexible.
In addition, using engines had stability issues, which seems to fixed now, some details are given in 6fd0486.
Last time I looked (maybe ~ 1 year ago), this test passed on all test builders.

Copy link
Member Author

@bavshin-f5 bavshin-f5 May 23, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As comments in the pkcs11-provider tests suggest, SOFTHSMv2 still can crash on deinitialization.

It makes sense to remove the unsafe mark from ssl_provider_keys.t, as we explicitly address that with pkcs11-module-quirks = no-deinit, but I'd be wary of making the change to ssl_engine_keys.t without confirming that init = 1 workaround does the same.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It appears that we need to skip these tests when running against nginx built with sanitizers:

tests/ssl_provider_keys.t .............
==81209==You are trying to dlopen a /lib64/libsofthsm2.so shared library with RTLD_DEEPBIND flag which is incompatible with sanitizer runtime (see https://github.com/google/sanitizers/issues/611 for details). If you want to run /lib64/libsofthsm2.so library under sanitizers please remove RTLD_DEEPBIND from dlopen flags.
Can't start nginx at lib/Test/Nginx.pm line 408.

ssl_provider_keys.t Outdated

my $d = $t->testdir();

$t->write_file('openssl.conf', <<EOF);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would write "openssl.conf" using idiom from ssl_engine_keys.t.

In addition to further reducing diffs, this would make it possible to run tests on FreeBSD,
by optionally adding module = /usr/local/lib/ossl-modules/pkcs11.so
(path taken following security/openssl-oqsprovider).
Although, FreeBSD ports don't deliver pkcs11-provider right now, this may change in future.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FreeBSD choose a rather odd approach here. The default system-wide OpenSSL

  • searches for providers in /usr/lib/ossl-modules
  • removes the modulesdir=/usr/lib/ossl-modules from the libcrypto.pc
    pkcs11-provider specifically requires this variable during build.

I suspect that providers on FreeBSD are meant to be built and used with OpenSSL from ports located at /usr/local, and that also takes care of the search path.

Your suggestion does not conflict with that though, so applied.

ssl_provider_keys.t Outdated
my $t = Test::Nginx->new()->has(qw/http proxy http_ssl openssl:3/)
->has_daemon('openssl')->has_daemon('softhsm2-util');

plan(skip_all => "not yet") unless $t->has_version('1.29.0');
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have $t->try_run() for this, to run tests that depend on new nginx syntax. Any reason to avoid using it?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I want to be able to distinguish missing OSSL_STORE support from failing to load a key from the store. $t->try_run() will skip in both cases, as you can confirm by writing an incorrect pin.

@bavshin-f5 bavshin-f5 force-pushed the ssl-provider-keys branch from 6c2084b to c7849ad Compare May 23, 2025 16:54
@bavshin-f5 bavshin-f5 force-pushed the ssl-provider-keys branch 3 times, most recently from 15ce88b to a10b864 Compare May 26, 2025 15:07
@bavshin-f5 bavshin-f5 force-pushed the ssl-provider-keys branch from a10b864 to 8a85d59 Compare May 26, 2025 16:08
@pluknet pluknet merged commit a3d5580 into nginx:master May 26, 2025
@bavshin-f5 bavshin-f5 deleted the ssl-provider-keys branch May 26, 2025 17:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pluknet pluknet pluknet approved these changes

Assignees

@bavshin-f5 bavshin-f5

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@bavshin-f5 @pluknet