Bug
Resolution: Unresolved
rhel-8.9.0
rhel-sst-idm-ipa
ssg_idm
What were you trying to do that didn't work?
I was trying to ship an update for python3 in RHEL 8.9 and 8.10 and the gating failed in 8.10 but passed in 8.9. You can see the failed test (waived) here: https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/57603036?focus=baseos-ci.brew-build.tier1.functional
CI uses tests from python-cryptography SRPM and one of them failed:
========================================================================================== FAILURES ==========================================================================================
_______________________________________________________________________ TestRSADecryption.test_decrypt_invalid_decrypt _______________________________________________________________________
self = <tests.hazmat.primitives.test_rsa.TestRSADecryption object at 0x7fe47733f940>, backend = <cryptography.hazmat.backends.openssl.backend.Backend object at 0x7fe47996feb8>
    @pytest.mark.supported(
        only_if=lambda backend: backend.rsa_padding_supported(
            padding.PKCS1v15()
        ),
        skip_message="Does not support PKCS1v1.5.",
    )
    def test_decrypt_invalid_decrypt(self, backend):
        private_key = RSA_KEY_512.private_key(backend)
        with pytest.raises(ValueError):
>           private_key.decrypt(b"\x00" * 64, padding.PKCS1v15())
E           Failed: DID NOT RAISE <class 'ValueError'>
tests/hazmat/primitives/test_rsa.py:1484: Failed
Please provide the package NVR for which bug is seen:
The test works fine with openssl-1.1.1k-9.el8_7.x86_64 (installed by default in 1minutetip machine running on RHEL 8.9) but fails with openssl-1.1.1k-12.el8_9.x86_64 (installed in 1minutetip with RHEL 8.10)
From the changelog, this looks suspicious:
- Thu Nov 30 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-12
- Backport implicit rejection mechanism for RSA PKCS#1 v1.5 to RHEL-8 series
(a proper fix for CVE-2020-25659)
Resolves: RHEL-17696
How reproducible:
Always.
Install latest python3-cryptography (+ vectors), python3-pytest, unpack python-cryptography SRPM and run the test.
Steps to reproduce
- Install latest python3-cryptography (+ vectors), python3-pytest
- update openssl, if you don't have the latest version mentioned above
- unpack python-cryptography SRPM
- run the tests
Expected results
tests pass
Actual results
the mentioned test fails
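
What the failing assertion observes, as an added example that is not part of the original report and is not OpenSSL's or python-cryptography's code: a simplified model of RSA PKCS#1 v1.5 decryption with and without implicit rejection. The toy key (two Mersenne primes), the function names and the HMAC-based derivation of the synthetic message are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed toy key built from two Mersenne primes: insecure, illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent
K = (N.bit_length() + 7) // 8       # modulus length in bytes


def encrypt(msg: bytes) -> bytes:
    """PKCS#1 v1.5 encryption block: 00 02 <non-zero random PS> 00 <msg>."""
    ps = bytes(b % 255 + 1 for b in os.urandom(K - 3 - len(msg)))
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")


def _unpad(em: bytes):
    """Return the message, or None when the PKCS#1 v1.5 padding is invalid."""
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or sep < 10:   # PS must be at least 8 bytes
        return None
    return em[sep + 1:]


def decrypt(ct: bytes, implicit_rejection: bool) -> bytes:
    """Model only the caller-visible result; this code is not constant-time."""
    em = pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big")
    msg = _unpad(em)
    if msg is not None:
        return msg
    if not implicit_rejection:
        raise ValueError("Decryption failed")   # what the test expects
    # Implicit rejection (simplified): no error; return a synthetic message that
    # depends only on the private key and the ciphertext, so it is repeatable.
    kdk = hashlib.sha256(D.to_bytes(K, "big")).digest()
    stream = hmac.new(kdk, ct, hashlib.sha256).digest()
    return stream[1:1 + stream[0] % 32]


if __name__ == "__main__":
    bad = b"\x00" * K   # same shape as the test's all-zero ciphertext
    print(decrypt(bad, implicit_rejection=True).hex())
```

With implicit rejection enabled, an invalid ciphertext is indistinguishable to the caller from a valid one carrying random data, so a test that only checks for `ValueError` cannot pass on both builds.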