y2038: some tests are failing if system date is set to 2040 #9370

Closed
@kanavin

To test the readiness of the Yocto stack for Y2038 we run qemu virtual machines with RTC set to some day in 2040. This causes some tests to fail on both 32-bit and 64-bit systems: the reason is that test certificates seem to set their expiry date to earlier than that or so.

I would propose to set the expiry date to far enough in the future that it won't have to be tweaked in our lifetimes: this way real Y2038 issues in python-cryptography (or in things it depends on) can be exposed and fixed (it's well possible there are none, but that needs confirmation too).

Failure observed (this is one of several similar failures, all of them in test_pkcs7 and relying on _load_cert_key()).


self = <tests.hazmat.primitives.test_pkcs7.TestPKCS7Builder object at 0x7f94f0863610>, backend = <OpenSSLBackend(version: OpenSSL 3.1.1 30 May 2023, FIPS: False, Legacy: True)>

    def test_smime_sign_detached(self, backend):
        data = b"hello world"
        cert, key = _load_cert_key()
        options = [pkcs7.PKCS7Options.DetachedSignature]
        builder = (
            pkcs7.PKCS7SignatureBuilder()
            .set_data(data)
            .add_signer(cert, key, hashes.SHA256())
        )
    
        sig = builder.sign(serialization.Encoding.SMIME, options)
        sig_binary = builder.sign(serialization.Encoding.DER, options)
        assert b"text/plain" not in sig
        # We don't have a generic ASN.1 parser available to us so we instead
        # will assert on specific byte sequences being present based on the
        # parameters chosen above.
        assert b"sha-256" in sig
        # Detached signature means that the signed data is *not* embedded into
        # the PKCS7 structure itself, but is present in the SMIME serialization
        # as a separate section before the PKCS7 data. So we should expect to
        # have data in sig but not in sig_binary
        assert data in sig
        # Parse the message to get the signed data, which is the
        # first payload in the message
        message = email.parser.BytesParser().parsebytes(sig)
        signed_data = message.get_payload()[0].get_payload().encode()
>       _pkcs7_verify(
            serialization.Encoding.SMIME,
            sig,
            signed_data,
            [cert],
            options,
            backend,
        )

tests/hazmat/primitives/test_pkcs7.py:307: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
tests/hazmat/primitives/test_pkcs7.py:142: in _pkcs7_verify
    backend.openssl_assert(res == 1)
../../python3.11/site-packages/cryptography/hazmat/backends/openssl/backend.py:173: in openssl_assert
    return binding._openssl_assert(self._lib, ok, errors=errors)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

lib = <module 'lib'>, ok = False, errors = [<OpenSSLError(code=276824181, lib=33, reason=117, reason_text=certificate verify error)>]

    def _openssl_assert(
        lib,
        ok: bool,
        errors: typing.Optional[typing.List[openssl.OpenSSLError]] = None,
    ) -> None:
        if not ok:
            if errors is None:
                errors = openssl.capture_error_stack()
    
>           raise InternalError(
                "Unknown OpenSSL error. This error is commonly encountered when "
                "another library is not cleaning up the OpenSSL error stack. If "
                "you are using cryptography with another library that uses "
                "OpenSSL try disabling it before reporting a bug. Otherwise "
                "please file an issue at https://github.com/pyca/cryptography/"
                "issues with information on how to reproduce "
                "this. ({!r})".format(errors),
                errors,
            )
E           cryptography.exceptions.InternalError: Unknown OpenSSL error. This error is commonly encountered when another library is not cleaning up the OpenSSL error stack. If you are using cryptography with a)

../../python3.11/site-packages/cryptography/hazmat/bindings/openssl/binding.py:29: InternalError
FAIL: tests/hazmat/primitives/test_pkcs7.py:TestPKCS7Builder.test_smime_sign_detached
