parallel.test-crypto-rsa-dsa fails with Missing expected exception

[richardlau]

Test

test-crypto-rsa-dsa

Platform

Linux x64

Console output

08:08:54 not ok 758 parallel/test-crypto-rsa-dsa
08:08:54   ---
08:08:54   duration_ms: 245.73400
08:08:54   severity: fail
08:08:54   exitcode: 1
08:08:54   stack: |-
08:08:54     node:assert:126
08:08:54       throw new AssertionError(obj);
08:08:54       ^
08:08:54     
08:08:54     AssertionError [ERR_ASSERTION]: Missing expected exception.
08:08:54         at test_rsa (/home/iojs/build/workspace/node-test-commit-linux-containered/test/parallel/test-crypto-rsa-dsa.js:226:12)
08:08:54         at Object.<anonymous> (/home/iojs/build/workspace/node-test-commit-linux-containered/test/parallel/test-crypto-rsa-dsa.js:258:1)
08:08:54         at Module._compile (node:internal/modules/cjs/loader:1476:14)
08:08:54         at Module._extensions..js (node:internal/modules/cjs/loader:1555:10)
08:08:54         at Module.load (node:internal/modules/cjs/loader:1288:32)
08:08:54         at Module._load (node:internal/modules/cjs/loader:1104:12)
08:08:54         at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:187:14)
08:08:54         at node:internal/main/run_main_module:28:49 {
08:08:54       generatedMessage: false,
08:08:54       code: 'ERR_ASSERTION',
08:08:54       actual: undefined,
08:08:54       expected: { code: 'ERR_INVALID_ARG_VALUE' },
08:08:54       operator: 'throws'
08:08:54     }
08:08:54     
08:08:54     Node.js v22.0.0-pre
08:08:54   ...

Build links

• https://ci.nodejs.org/job/node-test-commit-linux-containered/42650/nodes=ubi81_sharedlibs_openssl111fips_x64/consoleFull

Additional information

Looks like this test is constantly failing on test-ibm-ubi81_container-x64-1 since yesterday.

[richardlau]

The stack is pointing at the test added in 54cd268 for https://hackerone.com/reports/2269177.

IIRC ubi81_sharedlibs_openssl111fips_x64 builds against the system OpenSSL (i.e. the one in UBI 8). The container was recently redeployed -- I'm wondering if that has picked up a patched system OpenSSL that the test case doesn't pass with.

cc @mhdawson

[richardlau]

The code does a runtime check for whether the OpenSSL implementation supports implicit rejection and conditionally throws an exception based on the check:

node/src/crypto/crypto_cipher.cc

Lines 1081 to 1095 in f098b7a

	int rsa_pkcs1_implicit_rejection =
	EVP_PKEY_CTX_ctrl_str(ctx.get(), "rsa_pkcs1_implicit_rejection", "1");
	// From the doc -2 means that the option is not supported.
	// The default for the option is enabled and if it has been
	// specifically disabled we want to respect that so we will
	// not throw an error if the option is supported regardless
	// of how it is set. The call to set the value
	// will not affect what is used since a different context is
	// used in the call if the option is supported
	if (rsa_pkcs1_implicit_rejection <= 0) {
	return THROW_ERR_INVALID_ARG_VALUE(
	env,
	"RSA_PKCS1_PADDING is no longer supported for private decryption,"
	" this can be reverted with --security-revert=CVE-2024-PEND");
	}

However the test looks to be always expecting the exception. It may not be easy for the test to do the feature detection without native code.

[richardlau]

@mhdawson Thoughts? Perhaps as a short term fix we can skip the test if built with a dynamically linked OpenSSL?

I presume we'd expect to have to update the test in the future when we update the statically linked OpenSSL to a version that supports the implicit rejection.

[targos]

This is a similar problem to #52196

[targos]

I also rebuilt test-digitalocean-ubi81_container-x64-1 (and all other containers on that host) today.

[richardlau]

I had a quick discussion with @mhdawson who is going to look at if there's a way for the test to detect if the underlying OpenSSL implementation supports implicit rejections.

As a temporary fix to unblock the CI, I've opened #52542 to skip that part of the test if Node.js has been dynamically linked against OpenSSL.