Skip to content
This repository was archived by the owner on Feb 28, 2023. It is now read-only.

Comments

dist: Replace openssl with pure Rust libraries for cert generation#67

Merged
drahnr merged 8 commits intomasterfrom
igor-remove-openssl
May 4, 2021
Merged

dist: Replace openssl with pure Rust libraries for cert generation#67
drahnr merged 8 commits intomasterfrom
igor-remove-openssl

Conversation

@Xanewok
Copy link
Contributor

@Xanewok Xanewok commented May 1, 2021

Last change split from https://github.com/paritytech/sccache/tree/legacy-rebased. This also includes an extra commit which upgrades rsa to 0.4 (see commit for rationale; we can skip that commit for now).

Ideally this is something that we'd like to upstream (see mozilla/sccache#879 for previous attempt).

@Xanewok Xanewok requested a review from drahnr May 1, 2021 23:31
@Xanewok Xanewok mentioned this pull request May 1, 2021
Closed
@drahnr drahnr mentioned this pull request May 2, 2021
Merged
@Xanewok Xanewok force-pushed the igor-remove-openssl branch from 0c80440 to 67e9c90 Compare May 2, 2021 13:18
Xanewok
Xanewok commented May 2, 2021
View reviewed changes
Copy link
Contributor Author

@Xanewok Xanewok left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm in the process of debugging the dist test failures and so I looked closely at the certificate generation process, trying to get the old and new certificate to be bit perfect to rule it out as a potential cause.
It seems that, to achieve backwards compat, we first sign the certificate but later replace its extensions with select few that we used with the openssl code. I'm not 110% sure this is the direct cause of the test failure but it looks like something we need to address before this lands as this looks incorrect.

@drahnr drahnr force-pushed the igor-remove-openssl branch 4 times, most recently from 62c7544 to 85485ad Compare May 3, 2021 13:42
@Xanewok Xanewok force-pushed the igor-remove-openssl branch from 60e6156 to 0c5b885 Compare May 3, 2021 21:35
@Xanewok
Copy link
Contributor Author

Xanewok commented May 3, 2021

Timeouts are gone, now we actually fail to connect due to SSL/cert error 🙃

error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1924: (unable to get local issuer certificate), caused by: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1924: (unable to get local issuer certificate), caused by: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1924:

@Xanewok
Copy link
Contributor Author

Xanewok commented May 3, 2021

Dist tests are finally green now 🎉

@Xanewok Xanewok changed the title Replace openssl with pure Rust libraries dist: Replace openssl with pure Rust libraries for cert generation May 3, 2021
@drahnr
Copy link
Contributor

drahnr commented May 4, 2021
edited
Loading

The only downside with introducing rsa to v0.4 is, we now have two versions in the dependency graph: v0.4 and v0.3. That's ok for now, but as soon as we can, we should unify to one version.

drahnr and others added 8 commits May 4, 2021 09:53
@drahnr
feat/rustls: replace openssl with rsa, ring, picky
339a7ea
@Xanewok @drahnr
Use rsa 0.4
603e769 
This removes the extra rsa-* dependencies at the cost of introducing
rand 0.8, which other libraries (incl. picky) has not migrated to yet
at the time of writing.
@drahnr
fix/picky: do not change extensions of cert after calling build
0f73af3 
This effectively invalidates the signature, and hence the certifacte
is rightfully rejected by the dist tests.
@drahnr
chore/util: add timeit macro
55ffcb2
@Xanewok @drahnr
Persist dumped certs if create_cert_and_sk test fails
f8896f5
@Xanewok @drahnr
Always optimize num-bigint-dig
08c2833 
Co-authored-by: Bernhard Schuster <[email protected]>
@Xanewok @drahnr
dist: Use default key usage in cert generation
b750d3e 
By default, the digital signature and data encipherment key usage are
enabled by default, whereas we only specified the former here.
Our existing web server (`rouille` with `openssl` backend) is not happy,
so don't specify anything different ourselves and rely on the default.
@Xanewok @drahnr
dist: Don't explicitly state how to gen key ID for cert AKIs
7a1e672 
We distribute self-signed certificates so according to RFC 5280 the
authority key identifier (AKI) can be safely be omitted (and also
openssl omits this), but since picky includes it unconditionally,
let's just stick to a default not to give an impression that we rely
on this specific key ID generation method.
@drahnr drahnr force-pushed the igor-remove-openssl branch from a84b0ef to 7a1e672 Compare May 4, 2021 08:03
@drahnr drahnr merged commit a703461 into master May 4, 2021
@drahnr drahnr deleted the igor-remove-openssl branch May 4, 2021 11:05
@Xanewok
Copy link
Contributor Author

Xanewok commented May 4, 2021

Should we update our upstream PR with what the fixed/refreshed version from here?

@drahnr
Copy link
Contributor

drahnr commented May 4, 2021

We probably should eventually, but that's not a pressing thing imho.

This was referenced May 7, 2021
Merged
Merged
@Xanewok Xanewok mentioned this pull request Jul 11, 2021
Open
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

1 more reviewer

@drahnr drahnr drahnr approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Xanewok @drahnr