Do not support OpenSSL 3

Bug #1965184 reported by Lucas Kanashiro
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
ruby-json-jwt (Ubuntu) | Fix Released | Undecided | Lucas Kanashiro |
Jammy | Fix Released | Undecided | Michał Małoszewski |
Kinetic | Fix Released | Undecided | Lucas Kanashiro |
ruby-openid-connect (Ubuntu) | Invalid | Undecided | Unassigned |
Jammy | Invalid | Undecided | Unassigned |
Kinetic | Invalid | Undecided | Unassigned |

Bug Description

[Impact]

The ruby-json-jwt package build, as well as autopkgtest, does not work properly because of OpenSSL 3, and users could encounter some failure messages. The code that provides the changes enables support for OpenSSL 3.

The situation before the patch was applied was really unfortunate for users who were not able to fully use the library with the default version of OpenSSL in jammy.

Backport upstream fix to Jammy
Link to the commit: https://github.com/nov/json-jwt/commit/d6c823326e15d03761fa9f17ff0869ff1b2ddbe1

[Test Plan]

** Reproduction **

Message:

  OpenSSL::PKey::PKeyError:
       rsa#set_key= is incompatible with OpenSSL 3.0
     # /usr/share/rubygems-integration/all/gems/json-jwt-1.13.0/lib/json/jwk.rb:106:in `set_key'
     # /usr/share/rubygems-integration/all/gems/json-jwt-1.13.0/lib/json/jwk.rb:106:in `to_rsa_key'
     # /usr/share/rubygems-integration/all/gems/json-jwt-1.13.0/lib/json/jwk.rb:43:in `to_key'
     # /usr/share/rubygems-integration/all/gems/openid_connect-1.2.0/lib/openid_connect/discovery/provider/config/response.rb:91:in `collect'
     # /usr/share/rubygems-integration/all/gems/openid_connect-1.2.0/lib/openid_connect/discovery/provider/config/response.rb:91:in `public_keys'
     # ./spec/openid_connect/discovery/provider/config/response_spec.rb:100:in `block (4 levels) in <top (required)>'
     # ./spec/helpers/webmock_helper.rb:10:in `mock_json'
     # ./spec/openid_connect/discovery/provider/config/response_spec.rb:99:in `block (3 levels) in <top (required)>'

Make a container for testing:

First option:
$ lxc launch images:ubuntu/jammy jammy-test
$ lxc shell jammy-test

Then simply build the package.
Use: ‘dpkg-buildpackage’ command which will generate the package.
Full command with proper flags: dpkg-buildpackage -S -nc -d -us -uc

You shouldn’t notice failures.

** Verification **

Follow the reproduction steps above to ensure that the messages no longer appear.

[Where problems could occur]

Any code change might change the behavior of the package in a specific situation and cause other errors.
Users that rely on the library API related to OpenSSL might encounter errors.

--- original report ---
ruby-openid-connect/1.2.0-2 does not support OpenSSL 3, which leads us to the following test failures during build/autopkgtest time:

Failures:

  1) OpenIDConnect::Discovery::Provider::Config::Response#public_keys
     Failure/Error: instance.public_keys

     OpenSSL::PKey::PKeyError:
       rsa#set_key= is incompatible with OpenSSL 3.0
     # /usr/share/rubygems-integration/all/gems/json-jwt-1.13.0/lib/json/jwk.rb:106:in `set_key'
     # /usr/share/rubygems-integration/all/gems/json-jwt-1.13.0/lib/json/jwk.rb:106:in `to_rsa_key'
     # /usr/share/rubygems-integration/all/gems/json-jwt-1.13.0/lib/json/jwk.rb:43:in `to_key'
     # /usr/share/rubygems-integration/all/gems/openid_connect-1.2.0/lib/openid_connect/discovery/provider/config/response.rb:91:in `collect'
     # /usr/share/rubygems-integration/all/gems/openid_connect-1.2.0/lib/openid_connect/discovery/provider/config/response.rb:91:in `public_keys'
     # ./spec/openid_connect/discovery/provider/config/response_spec.rb:100:in `block (4 levels) in <top (required)>'
     # ./spec/helpers/webmock_helper.rb:10:in `mock_json'
     # ./spec/openid_connect/discovery/provider/config/response_spec.rb:99:in `block (3 levels) in <top (required)>'

  2) OpenIDConnect::ResponseObject::IdToken.decode when self-issued when valid when key == :self_issued is expected not to raise Exception
     Failure/Error:
       expect do
         klass.decode self_issued, :self_issued
       end.not_to raise_error

       expected no Exception, got #<OpenSSL::PKey::PKeyError: rsa#set_key= is incompatible with OpenSSL 3.0> with backtrace:
         # /usr/share/rubygems-integration/all/gems/json-jwt-1.13.0/lib/json/jwk.rb:106:in `set_key'
         # /usr/share/rubygems-integration/all/gems/json-jwt-1.13.0/lib/json/jwk.rb:106:in `to_rsa_key'
         # /usr/share/rubygems-integration/all/gems/json-jwt-1.13.0/lib/json/jwk.rb:43:in `to_key'
         # /usr/share/rubygems-integration/all/gems/json-jwt-1.13.0/lib/json/jose.rb:27:in `with_jwk_support'
         # /usr/share/rubygems-integration/all/gems/json-jwt-1.13.0/lib/json/jws.rb:124:in `valid?'
         # /usr/share/rubygems-integration/all/gems/json-jwt-1.13.0/lib/json/jws.rb:26:in `verify!'
         # /usr/share/rubygems-integration/all/gems/openid_connect-1.2.0/lib/openid_connect/response_object/id_token.rb:79:in `decode_self_issued'
         # /usr/share/rubygems-integration/all/gems/openid_connect-1.2.0/lib/openid_connect/response_object/id_token.rb:68:in `decode'
         # ./spec/openid_connect/response_object/id_token_spec.rb:263:in `block (7 levels) in <top (required)>'
         # ./spec/openid_connect/response_object/id_token_spec.rb:262:in `block (6 levels) in <top (required)>'
     # ./spec/openid_connect/response_object/id_token_spec.rb:262:in `block (6 levels) in <top (required)>'

Finished in 32.37 seconds (files took 0.73441 seconds to load)
234 examples, 2 failures, 2 pending
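
The failing frame in both traces is json-jwt's `to_rsa_key` calling `set_key` on an RSA object, which OpenSSL 3.0 rejects because key objects cannot be modified after creation. As an added example (not part of the original report, and not the upstream patch), the code below rebuilds an RSA public key from JWK `n`/`e` by DER-encoding the values and parsing the result; the helper names and the generated test key are assumptions made for illustration.

```ruby
require 'openssl'
require 'base64'

# JWK members "n" and "e" are unpadded base64url big-endian integers.
def b64url_to_bn(value)
  OpenSSL::BN.new(Base64.urlsafe_decode64(value), 2)
end

def bn_to_b64url(bn)
  Base64.urlsafe_encode64(bn.to_s(2), padding: false)
end

# Hypothetical helper: build the key as a SubjectPublicKeyInfo DER blob and
# let OpenSSL parse it, so no setter is ever called on an existing key.
def rsa_public_key_from_jwk(jwk)
  raise ArgumentError, 'not an RSA JWK' unless jwk['kty'] == 'RSA'
  raise ArgumentError, 'missing n or e' unless jwk['n'] && jwk['e']

  rsa_public_key = OpenSSL::ASN1::Sequence([
    OpenSSL::ASN1::Integer(b64url_to_bn(jwk['n'])),
    OpenSSL::ASN1::Integer(b64url_to_bn(jwk['e']))
  ])
  spki = OpenSSL::ASN1::Sequence([
    OpenSSL::ASN1::Sequence([
      OpenSSL::ASN1::ObjectId('rsaEncryption'),
      OpenSSL::ASN1::Null(nil)
    ]),
    OpenSSL::ASN1::BitString(rsa_public_key.to_der)
  ])
  OpenSSL::PKey::RSA.new(spki.to_der)
end

# Constructed round trip: generate a key, publish it as a JWK, rebuild the
# public half from the JWK alone, and verify a signature with it.
def demo_round_trip
  signer = OpenSSL::PKey::RSA.new(2048)
  jwk = { 'kty' => 'RSA',
          'n' => bn_to_b64url(signer.n),
          'e' => bn_to_b64url(signer.e) }
  verifier = rsa_public_key_from_jwk(jwk)
  data = 'constructed.signing-input'
  signature = signer.sign(OpenSSL::Digest.new('SHA256'), data)
  verifier.verify(OpenSSL::Digest.new('SHA256'), signature, data)
end

puts "verified with rebuilt key: #{demo_round_trip}" if $PROGRAM_NAME == __FILE__
```
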

Lucas Kanashiro (lucaskanashiro) wrote :

Actually, this is an issue with ruby-json-jwt, and not ruby-openid-connect itself which only depends on it.

tags: added: transition-openssl3-jj update-excuse
Lucas Kanashiro (lucaskanashiro) wrote :
Lucas Kanashiro (lucaskanashiro) wrote :

A PR adding support for OpenSSL 3 was submitted here: https://github.com/nov/json-jwt/pull/101

Changed in ruby-json-jwt (Ubuntu):
assignee: nobody → Lucas Kanashiro (lucaskanashiro)
status: New → In Progress
Changed in ruby-json-jwt (Ubuntu Jammy):
status: New → Triaged
Lucas Kanashiro (lucaskanashiro) wrote :

The fix was finally merged and released by upstream in version 1.14.0:

https://github.com/nov/json-jwt/commit/d6c823326e15d03761fa9f17ff0869ff1b2ddbe1

Version 1.14.0-1 was already uploaded to Debian unstable and it will fix this issue in kinetic once it is synced.

tags: added: server-todo
Lucas Kanashiro (lucaskanashiro) wrote :

The commit mentioned in #4 needs to be backported to Jammy; it should cleanly apply to the version in there.

Michał Małoszewski (michal-maloszewski99) wrote :

Start with that one from today.
ETA, Thursday 14.07.2022

Changed in ruby-json-jwt (Ubuntu Jammy):
assignee: nobody → Michał Małoszewski (michal-maloszewski99)
Lucas Kanashiro (lucaskanashiro) wrote :

Version 1.14.0-1 already landed in kinetic:

 ruby-json-jwt | 1.14.0-1 | kinetic/universe | source, all

Changed in ruby-json-jwt (Ubuntu Kinetic):
status: In Progress → Fix Released
Michał Małoszewski (michal-maloszewski99) wrote :

MP waits for approval from Lucas

description: updated
Michał Małoszewski (michal-maloszewski99) wrote :

Waiting for sponsorship

description: updated
description: updated
Michał Małoszewski (michal-maloszewski99) wrote :

Changed status just to track bugs properly, even though it has been sponsored.

Changed in ruby-json-jwt (Ubuntu Jammy):
status: Triaged → In Progress
Robie Basak (racb) wrote :

Since the goal here is to fix the package for users, in the test plan could we please ensure that the package actually works?

If instead you think this is adequately covered by the existing automated tests, then that's fine, but in that case please state that. Thanks!

Changed in ruby-json-jwt (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-jammy
Robie Basak (racb) wrote : Please test proposed package

Hello Lucas, or anyone else affected,

Accepted ruby-json-jwt into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ruby-json-jwt/1.13.0-1ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Lucas Kanashiro (lucaskanashiro) wrote :

I believe the upstream test suite is enough to cover the most common use cases for this library. Since all of them passed in this build [1], I trust this is ready to be landed.

[1] https://launchpadlibrarian.net/621252215/buildlog_ubuntu-jammy-amd64.ruby-json-jwt_1.13.0-1ubuntu0.1_BUILDING.txt.gz

tags: added: verification-done verification-done-jammy
removed: verification-needed verification-needed-jammy
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ruby-json-jwt - 1.13.0-1ubuntu0.1

---------------
ruby-json-jwt (1.13.0-1ubuntu0.1) jammy; urgency=medium

  * d/p/002-openssl3-support.patch: Backport upstream patch to comply with
    OpenSSL 3 API changes. It fixes a FTBFS and autopkgtest failure
    (LP: #1965184).

 -- Michal Maloszewski <email address hidden> Wed, 13 Jul 2022 15:21:02 +0200

Changed in ruby-json-jwt (Ubuntu Jammy):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for ruby-json-jwt has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Christian Ehrhardt (paelzer) wrote :

Actually only in jwt, openid is invalid (no need to change)

Changed in ruby-openid-connect (Ubuntu):
status: New → Invalid
Changed in ruby-openid-connect (Ubuntu Jammy):
status: New → Invalid
Changed in ruby-openid-connect (Ubuntu Kinetic):
status: New → Invalid
tags: removed: server-todo