License validation fails on Fedora 41/RHEL 9 because SHA-1 not trusted by openssl
Describe the bug
Description
Validation of the license.xml signature fails with an exception. I suspect it's the same issue as the one reported on the Unity forums. You use SHA-1 as the hashing algorithm for the license file. SHA-1 is broken and the system's crypto library no longer trusts SHA-1-based signatures.
Expected behavior
License validation works.
Actual behavior
```
Interop+Crypto+OpenSslCryptographicException: error:03000098:digital envelope routines::invalid digest
   at Interop.Crypto.RsaVerifyHash(SafeEvpPKeyHandle pkey, RSASignaturePaddingMode paddingMode, IntPtr digestAlgorithm, ReadOnlySpan`1 hash, ReadOnlySpan`1 signature)
   at System.Security.Cryptography.RSAOpenSsl.VerifyHash(ReadOnlySpan`1 hash, ReadOnlySpan`1 signature, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
   at System.Security.Cryptography.RSACryptoServiceProvider.VerifyHash(Byte[] hash, Byte[] signature, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
   at System.Security.Cryptography.RSAPKCS1SignatureDeformatter.VerifySignature(Byte[] rgbHash, Byte[] rgbSignature)
   at System.Security.Cryptography.Xml.SignedXml.CheckSignature(AsymmetricAlgorithm key)
   at Particular.Licensing.LicenseVerifier.SignedXmlVerifier.TryVerifyXml(String xml, String& failureMessage) in /_1/particular.licensing.sources/6.0.0/contentFiles/cs/net8.0/Particular.Licensing/LicenseVerifier.cs:line 69
   at Particular.Licensing.LicenseVerifier.TryVerify(String licenseText, String& failureMessage) in /_1/particular.licensing.sources/6.0.0/contentFiles/cs/net8.0/Particular.Licensing/LicenseVerifier.cs:line 21
```
Impact
For now, only bleeding-edge workstations in our organization are affected. Developers get nagged with the license screen every time they run one of our applications under the debugger. But we generally stay relatively close to recent OS releases even in production. This issue will hit our production systems sooner or later.
Versions
- NServiceBus 9.2.2
- .NET 8
- Fedora 41 Workstation
- OpenSSL: openssl-libs.x86_64 1:3.2.2-9.fc41
Steps to reproduce
- Use a Fedora 41 system
- Provide signed license.xml
- Run an NServiceBus application
Additional Information
Workarounds
On RHEL/Fedora, the system can be configured to trust SHA1 once again.
```
sudo update-crypto-policies --set DEFAULT:SHA1
```
But this reduces overall system security.
Possible solutions
Change the licenses you generate to no longer rely on SHA-1. The System.Security.Cryptography.Xml surely supports other algorithms out of the box.
Additional information
@chklauser Another workaround that should work would be setting the OPENSSL_ENABLE_SHA1_SIGNATURES=1 environment variable on the endpoint process.
That should limit the scope of change to not be system-wide.
We've reviewed this issue and added it to our backlog. It's eligible to be picked up for a future release, but we can't provide a firm timeline.
I can confirm that OPENSSL_ENABLE_SHA1_SIGNATURES works on Fedora 42.1. Thanks @bording
On my workstation I'm using https://direnv.net/ and have a .env set in my ~/src folder with this envvar.
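To illustrate what the "Possible solutions" section asks for, here is an added example (not NServiceBus or Particular.Licensing code) that signs a constructed license-like XML document with RSA-SHA256 through SignedXml and refuses RSA-SHA1 signatures when verifying, so the check no longer depends on OpenSSL's crypto policy. It assumes the System.Security.Cryptography.Xml package is referenced and uses a placeholder license id.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

static class LicenseXmlSigning
{
    // Constructed sample standing in for license.xml; the id is a placeholder.
    const string LicenseXml =
        "<license id=\"EXAMPLE-LICENSE-ID\"><expiration>2030-01-01</expiration></license>";

    public static string Sign(RSA key)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(LicenseXml);

        var signedXml = new SignedXml(doc) { SigningKey = key };
        // Request RSA-SHA256 explicitly for the signature and SHA-256 for the
        // reference digest; RSA-SHA1 is what OpenSSL's DEFAULT policy rejects.
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;
        var reference = new Reference("") { DigestMethod = SignedXml.XmlDsigSHA256Url };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);

        signedXml.ComputeSignature();
        doc.DocumentElement!.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        return doc.OuterXml;
    }

    public static bool Verify(string signedLicenseXml, RSA publicKey)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(signedLicenseXml);

        var signatures = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (signatures.Count != 1) return false;

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)signatures[0]!);
        // Reject legacy SHA-1 signatures ourselves instead of relying on the platform.
        if (signedXml.SignatureMethod == SignedXml.XmlDsigRSASHA1Url) return false;
        return signedXml.CheckSignature(publicKey);
    }

    public static void Main()
    {
        using var rsa = RSA.Create(3072);
        string signed = Sign(rsa);
        Console.WriteLine(Verify(signed, rsa) ? "valid" : "INVALID");
    }
}
```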