Skip to content

test: fix flaky key pair generation test#22980

Closed
tniessen wants to merge 1 commit intonodejs:masterfrom
tniessen:test-fix-flaky-keygen
Closed

test: fix flaky key pair generation test#22980
tniessen wants to merge 1 commit intonodejs:masterfrom
tniessen:test-fix-flaky-keygen

Conversation

@tniessen
Copy link
Member

@tniessen tniessen commented Sep 20, 2018
edited
Loading

There is a very small chance (about 0.4%) that OpenSSL will successfully decrypt a key without the correct passphrase and will then fail while parsing its ASN.1 structure. In those rare cases, the error message will be different.

Fixes: #22978

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • commit message follows commit guidelines

@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Sep 20, 2018

@tniessen build started: https://ci.nodejs.org/blue/organizations/jenkins/node-test-pull-request-lite-pipeline/detail/node-test-pull-request-lite-pipeline/950/pipeline

@nodejs-github-bot nodejs-github-bot added the test Issues and PRs related to the tests. label Sep 20, 2018
@tniessen
Copy link
Member Author

tniessen commented Sep 20, 2018

Suggesting to fast-track, please add 👍 here to approve.

@tniessen tniessen added the fast-track PRs that do not need to wait for 48 hours to land. label Sep 20, 2018
@tniessen tniessen mentioned this pull request Sep 20, 2018
Closed
@addaleax
Copy link
Member

addaleax commented Sep 20, 2018

CI: https://ci.nodejs.org/job/node-test-pull-request/17344/

@addaleax addaleax added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Sep 20, 2018
@Trott
Copy link
Member

Trott commented Sep 20, 2018

Would it make sense to repeat the encryption/decryption when that happens rather than allow the test to pass? (Not blocking. Just a suggestion. Like, if the decryption fails 100% of the time, we want the test to fail. That sort of thing.)

@tniessen
Copy link
Member Author

tniessen commented Sep 20, 2018

@Trott Short answer: No.

Longer answer: We expect the signing / decryption operation using the generated private key to fail since the private key was encrypted with a custom passphrase.
We don't give the passphrase to OpenSSL, so OpenSSL will attempt to decrypt the private key without a password. When that happens, there are two possible outcomes:

  1. OpenSSL detects that the decrypted message has an invalid padding (that's how people usually distinguish between "correctly decrypted" and "incorrectly decrypted") and throws the bad decrypt error, or
  2. the padding is valid by chance (said 0.4%). The default padding is valid if the last n bytes of the decrypted plaintext have a value of n (for 1 <= n <= 16). So in those cases where the padding is considered correct by OpenSSL, it invokes the ASN1 parser which attempts to parse the (supposedly decrypted) private key. The parser fails, however, because the private key was not decrypted correctly, thus resulting in the asn1 encoding routines error.

Both results meet our expectations, but one is much more likely than the other.

@tniessen
Copy link
Member Author

tniessen commented Sep 20, 2018

Thanks for reviewing! Landed in bad670c.

@tniessen tniessen closed this Sep 20, 2018
tniessen added a commit that referenced this pull request Sep 20, 2018
@tniessen
test: fix flaky key pair generation test
bad670c 
There is a very small chance (about 0.4%) that OpenSSL will
successfully decrypt a key without the correct passphrase and will
then fail while parsing its ASN.1 structure. In those rare cases,
the error message will be different.

PR-URL: #22980
Fixes: #22978
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rich Trott <rtrott@gmail.com>
targos pushed a commit that referenced this pull request Sep 21, 2018
@tniessen @targos
test: fix flaky key pair generation test
83278b2 
There is a very small chance (about 0.4%) that OpenSSL will
successfully decrypt a key without the correct passphrase and will
then fail while parsing its ASN.1 structure. In those rare cases,
the error message will be different.

PR-URL: #22980
Fixes: #22978
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rich Trott <rtrott@gmail.com>
@joyeecheung joyeecheung mentioned this pull request Sep 26, 2018
Closed
@targos targos mentioned this pull request Oct 7, 2018
Merged
This was referenced Oct 10, 2018
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
@tniessen tniessen removed the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Jan 14, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Trott Trott Trott approved these changes

@addaleax addaleax addaleax approved these changes

Assignees

No one assigned

Labels

fast-track PRs that do not need to wait for 48 hours to land. test Issues and PRs related to the tests.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Investigate flaky parallel/test-crypto-keygen

4 participants

@tniessen @nodejs-github-bot @addaleax @Trott