Skip to content

unable to sign with external OpenSSL engine after usage of crypto.hash #52307

New issue
New issue
Open
Open
unable to sign with external OpenSSL engine after usage of crypto.hash#52307
Labels
cryptoIssues and PRs related to the crypto subsystem.opensslIssues and PRs related to the OpenSSL dependency.
@GauriSpears

Description

@GauriSpears
GauriSpears
opened on Apr 1, 2024

Version

v21.7.1

Platform

Linux debgis 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64 GNU/Linux

Subsystem

crypto

What steps will reproduce the bug?

  1. Install gost-engine for OpenSSL 3.x from here: https://github.com/gost-engine/engine
    For Debian I use this script:
ENGINE_PATH=$(openssl version -a | grep -Po '(?<=ENGINESDIR: ")[^"]*')
rm -rf "/usr/local/src/engine" \
  && cd /usr/local/src \
  && git clone https://github.com/gost-engine/engine \
  && cd engine \
  && git submodule update --init \
  && mkdir -p build \
  && cd build \
  && cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_C_FLAGS='-I/usr/local/ssl/include -L/usr/local/ssl/lib' \
   -DOPENSSL_ROOT_DIR=/usr/local/ssl  -DOPENSSL_INCLUDE_DIR=/usr/local/ssl/include -DOPENSSL_LIBRARIES=/usr/local/ssl/lib -DOPENSSL_ENGINES_DIR=${ENGINE_PATH} .. \
  && cmake --build . --config Release \
  && cmake --build . --target install --config Release
  1. Run the code:
const crypto = require('crypto');
const fs = require('fs');
//on some systems engine is successfully loaded by name, but on others you have to specify full path
try{
  crypto.setEngine('gost');
} catch(err){
  //look for engine path in "openssl version -a"
  const child_process = require('child_process');
  let Epath = child_process.execSync('openssl version -a').toString().match(/(?<=ENGINESDIR: ")[^"]*/);
  if (Epath==null) logger.info('ENGINESDIR not found in openssl version -a');
  Epath=Epath[0];
  crypto.setEngine(Epath+'/gost.so');
}

//without this string everything is OK
const hash=crypto.createHash('md_gost12_256');

const sign = crypto.createSign('md_gost12_256');
sign.update('this is test string');
const privateKey = fs.readFileSync('/home/key.pem'); //Just a private key, if you don't know how to generate one, I can provide it to you.
const SignatureValueT = sign.sign(privateKey,'base64');

How often does it reproduce? Is there a required condition?

Always

What is the expected behavior? Why is that the expected behavior?

Signature should be calculated without any errors.

What do you see instead?

node:internal/crypto/sig:128
  const ret = this[kHandle].sign(data, format, type, passphrase, rsaPadding,
                            ^

Error: error:0308010C:digital envelope routines::unsupported
    at Sign.sign (node:internal/crypto/sig:128:29)
    at Object.<anonymous> (/home/GKU-data/test/hashtest.js:21:30)
    at Module._compile (node:internal/modules/cjs/loader:1368:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1426:10)
    at Module.load (node:internal/modules/cjs/loader:1205:32)
    at Module._load (node:internal/modules/cjs/loader:1021:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:142:12)
    at node:internal/main/run_main_module:28:49 {
  library: 'digital envelope routines',
  reason: 'unsupported',
  code: 'ERR_OSSL_EVP_UNSUPPORTED'
}

Additional information

It looks like it's caused by #51044 or #51034
The given code works fine on v21.6.2 and before but breaks on v21.7.0 and v21.7.1.

Metadata

Metadata

Assignees

No one assigned

    Labels

    cryptoIssues and PRs related to the crypto subsystem.opensslIssues and PRs related to the OpenSSL dependency.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions