Restore certificate check compatibility w/ RC2-40-CBC encrypted PKS#12 #1745

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merged

per1234 merged 1 commit into main from per1234/fix-check-certificates

Dec 7, 2022

Merged

Restore certificate check compatibility w/ RC2-40-CBC encrypted PKS#12 #1745

per1234 merged 1 commit into main from per1234/fix-check-certificates

Dec 7, 2022

Conversation

per1234

Copy link

Contributor

@per1234 per1234 commented Dec 7, 2022

Motivation

The "Check Certificates" GitHub Actions workflow uses OpenSSL to check for problems with the project's signing certificates.

Certificates exported to PKS #12 archive files using older tools may have been encrypted using the "RC2-40-CBC" algorithm.

Due to the availability of more secure modern alternatives, default support for RC2-40-CBC encryption was dropped in OpenSSL 3.x.

The macOS signing certificate uses this RC2-40-CBC encryption.

The "Check Certificates" GitHub Actions workflow runs on the ubuntu-latest runner. Previously, this runner used Ubuntu 20.04. This has now changed to Ubuntu 22.04. With the operating system update came an OpenSSL update from 1.1.1f to 3.0.2. This caused the workflow runs to fail on the macOS certificate job:

https://github.com/arduino/arduino-ide/actions/runs/3637803834/jobs/6139239158#step:5:16

Error outputting keys and certificates
80FBB0C5087F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

Change description

Even though no longer done by default, OpenSSL still supports RC2-40-CBC encryption via its "legacy" provider. So compatibility with the certificate is restored by adding the -legacy flag to the openssl pkcs12 commands.

Other information

Passing "Check Certificates" workflow run from the commit proposed in this PR:

https://github.com/arduino/arduino-ide/actions/runs/3638084494

Identical change applied to the Arduino CLI repository to fix the same bug: arduino/arduino-cli#2002

Reviewer checklist

PR addresses a single concern.
The PR has no duplicates (please search among the Pull Requests before creating one)
PR title and description are properly filled.
Docs have been added / updated (for bug fixes / features)

@per1234


 Restore certificate check compatibility w/ RC2-40-CBC encrypted PKS#12

The "Check Certificates" GitHub Actions workflow uses OpenSSL to check for problems with the project's signing
certificates.
Certificates exported to PKS#12 archive files using older tools may have been encrypted using the "RC2-40-CBC"
algorithm.
Due to the availability of more secure modern alternatives, default support for RC2-40-CBC encryption was dropped in
OpenSSL 3.x.
The macOS signing certificate uses this RC2-40-CBC encryption.
The "Check Certificates" GitHub Actions workflow runs on the `ubuntu-latest` runner. Previously, this runner used Ubuntu
20.04. This has now changed to Ubuntu 22.04. With the operating system update came an OpenSSL update from 1.1.1f to
3.0.2. This caused the workflow runs to fail on the macOS certificate job:
Error outputting keys and certificates
80FBB0C5087F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
Even though no longer done by default, OpenSSL still supports RC2-40-CBC encryption via its "legacy" provider. So
compatibility with the certificate is restored by adding the `-legacy` flag to the `openssl pkcs12` commands.