Add NSS cmsutil and ssltap tests #1
| name: NSS SSLTap Test | |
| on: | |
| push: | |
| branches: [ 'master', 'main', 'nss' ] | |
| pull_request: | |
| branches: [ '*' ] | |
| workflow_dispatch: | |
| env: | |
| NSPR_VERSION: NSPR_4_36_BRANCH | |
| NSS_VERSION: NSS_3_112_RTM | |
| WOLFSSL_VERSION: v5.8.0-stable | |
| jobs: | |
| nss-ssltap-test: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Checkout wolfPKCS11 | |
| uses: actions/checkout@v4 | |
| with: | |
| path: wolfpkcs11 | |
| - name: Install dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y \ | |
| build-essential \ | |
| mercurial \ | |
| git \ | |
| python3 \ | |
| python3-pip \ | |
| python-is-python3 \ | |
| zlib1g-dev \ | |
| libssl-dev \ | |
| wget \ | |
| curl \ | |
| netcat-openbsd \ | |
| openssl \ | |
| automake \ | |
| libtool \ | |
| tcpdump \ | |
| net-tools \ | |
| gyp \ | |
| ninja-build | |
| - name: Create working directories | |
| run: | | |
| mkdir -p /opt/wolfssl | |
| mkdir -p /opt/wolfpkcs11 | |
| mkdir -p /opt/certs | |
| mkdir -p /opt/test | |
| sudo mkdir -p /etc/pki/nssdb | |
| sudo mkdir -p /logs | |
| sudo chmod 777 /logs | |
| - name: Cache NSPR | |
| id: cache-nspr | |
| uses: actions/cache@v4 | |
| with: | |
| path: /tmp/src/nspr | |
| key: nspr-${{ env.NSPR_VERSION }} | |
| - name: Clone and build NSPR | |
| if: steps.cache-nspr.outputs.cache-hit != 'true' | |
| run: | | |
| mkdir -p /tmp/src | |
| cd /tmp/src | |
| hg clone https://hg.mozilla.org/projects/nspr -r ${{ env.NSPR_VERSION }} | |
| - name: Cache NSS source and patches | |
| id: cache-nss-source | |
| uses: actions/cache@v4 | |
| with: | |
| path: | | |
| /tmp/src/nss | |
| /tmp/src/osp | |
| key: nss-source-${{ env.NSS_VERSION }}-latest | |
| - name: Cache NSS build artifacts | |
| id: cache-nss-build | |
| uses: actions/cache@v4 | |
| with: | |
| path: /tmp/src/dist | |
| key: nss-build-${{ env.NSS_VERSION }}-latest | |
| if: steps.cache-nss-build.outputs.cache-hit != 'true' | |
| run: | | |
| cd /tmp/src/nss | |
| # Set NSS build environment | |
| export USE_64=1 | |
| export NSS_ENABLE_WERROR=0 | |
| export BUILD_OPT=0 | |
| # Build NSS with debug mode enabled | |
| ./build.sh -v | |
| - name: Copy NSS headers and libraries | |
| run: | | |
| # Create directories for headers | |
| sudo mkdir -p /usr/local/include/nss | |
| sudo mkdir -p /usr/local/include/nspr | |
| sudo mkdir -p /usr/local/lib | |
| # Copy NSS headers from dist directory | |
| sudo cp -r /tmp/src/dist/public/nss/* /usr/local/include/nss/ | |
| # Copy NSPR headers from dist directory | |
| sudo cp -r /tmp/src/dist/Debug/include/nspr/* /usr/local/include/nspr/ | |
| # Copy NSS and NSPR libraries | |
| sudo find /tmp/src/dist/Debug -name "*.so" -exec cp {} /usr/local/lib/ \; | |
| sudo find /tmp/src/nspr/Debug -name "*.so" -exec cp {} /usr/local/lib/ \; | |
| # Update library cache | |
| sudo ldconfig | |
| - name: Cache wolfSSL | |
| id: cache-wolfssl | |
| uses: actions/cache@v4 | |
| with: | |
| path: /opt/wolfssl/wolfssl | |
| key: wolfssl-${{ env.WOLFSSL_VERSION }}-${{ runner.os }} | |
| - name: Build wolfSSL | |
| run: | | |
| cd /opt/wolfssl | |
| if [ "${{ steps.cache-wolfssl.outputs.cache-hit }}" != "true" ]; then | |
| git clone https://github.com/wolfSSL/wolfssl.git | |
| cd wolfssl | |
| git checkout ${{ env.WOLFSSL_VERSION }} | |
| ./autogen.sh | |
| ./configure --enable-aescfb --enable-cryptocb --enable-rsapss --enable-keygen --enable-pwdbased --enable-scrypt --enable-cmac --enable-aesctr --enable-aesccm C_EXTRA_FLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT -DHAVE_AES_ECB -D_GNU_SOURCE" | |
| make -j$(nproc) | |
| else | |
| cd wolfssl | |
| fi | |
| sudo make install | |
| sudo ldconfig | |
| - name: Build wolfPKCS11 with NSS support | |
| run: | | |
| cd /opt/wolfpkcs11 | |
| cp -r $GITHUB_WORKSPACE/wolfpkcs11 ./ | |
| cd wolfpkcs11 | |
| ./autogen.sh | |
| ./configure --enable-debug --enable-nss --enable-aesecb --enable-aesctr --enable-aesccm --enable-aescmac CFLAGS="-D_GNU_SOURCE" | |
| make -j$(nproc) | |
| sudo make install | |
| sudo ldconfig | |
| - name: Configure NSS to use wolfPKCS11 | |
| run: | | |
| sudo bash -c 'echo "library=/usr/local/lib/libwolfpkcs11.so" > /etc/pki/nssdb/pkcs11.txt' | |
| sudo bash -c 'echo "name=wolfPKCS11" >> /etc/pki/nssdb/pkcs11.txt' | |
| sudo bash -c 'echo "NSS=Flags=internal,critical,fips cipherOrder=100 slotParams={0x00000001=[slotFlags=ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] }" >> /etc/pki/nssdb/pkcs11.txt' | |
| - name: Verify NSS build and find ssltap | |
| run: | | |
| find /opt -name "ssltap" -type f -executable 2>/dev/null | head -1 || (echo "ERROR: NSS build failed - ssltap not found" && exit 1) | |
| NSS_BIN_DIR=$(find /opt -name "ssltap" -type f -executable -exec dirname {} \; | head -1) | |
| echo "NSS_BIN_DIR=$NSS_BIN_DIR" >> $GITHUB_ENV | |
| echo "PATH=$NSS_BIN_DIR:$PATH" >> $GITHUB_ENV | |
| - name: Generate test certificates | |
| run: | | |
| cd /opt/certs | |
| cat > openssl.conf << 'EOF' | |
| [req] | |
| distinguished_name = req_distinguished_name | |
| req_extensions = v3_req | |
| prompt = no | |
| [req_distinguished_name] | |
| C = US | |
| ST = TestState | |
| L = TestCity | |
| O = TestOrg | |
| CN = localhost | |
| [v3_req] | |
| keyUsage = keyEncipherment, dataEncipherment | |
| extendedKeyUsage = serverAuth | |
| subjectAltName = @alt_names | |
| [alt_names] | |
| DNS.1 = localhost | |
| DNS.2 = testserver | |
| IP.1 = 127.0.0.1 | |
| EOF | |
| openssl req -x509 -newkey rsa:2048 -keyout server.key -out server.crt -days 365 -nodes \ | |
| -config openssl.conf -extensions v3_req | |
| echo "=== Generated Certificate Info ===" | |
| openssl x509 -in server.crt -text -noout | grep -A5 "Subject:" | |
| echo "Certificate and key files:" | |
| ls -la server.* | |
| - name: Create ssltap test script | |
| run: | | |
| cd /opt/test | |
| cat > test_ssltap.sh << 'EOF' | |
| #!/bin/bash | |
| set -e | |
| # Start OpenSSL s_server with proper parameters for persistent connections | |
| echo "=== Starting SSL Server ===" | |
| echo "Starting OpenSSL s_server on port 4433..." | |
| openssl s_server -accept 4433 -cert /opt/certs/server.crt -key /opt/certs/server.key -www -naccept 10 > /tmp/ssl_server.log 2>&1 & | |
| SERVER_PID=$! | |
| # Wait for server to start | |
| sleep 3 | |
| # Check if server is running | |
| if kill -0 $SERVER_PID 2>/dev/null; then | |
| echo "✓ OpenSSL s_server started successfully (PID: $SERVER_PID)" | |
| else | |
| echo "✗ OpenSSL s_server failed to start" | |
| echo "Server log:" | |
| cat /tmp/ssl_server.log 2>/dev/null || echo "No log file" | |
| exit 1 | |
| fi | |
| # Check if port is listening | |
| if netstat -tuln | grep -q ":4433 "; then | |
| echo "✓ Port 4433 is listening" | |
| else | |
| echo "✗ Port 4433 is not listening" | |
| netstat -tuln | grep 4433 || echo "No processes on port 4433" | |
| fi | |
| echo | |
| # Test basic SSL connection first | |
| echo "=== Testing Basic SSL Connection ===" | |
| echo "Verifying SSL server is working before starting ssltap..." | |
| timeout 10s openssl s_client -connect localhost:4433 -servername localhost -brief > /tmp/basic_test.log 2>&1 || echo "Basic connection test completed" | |
| if grep -q "Protocol.*TLS" /tmp/basic_test.log && ! grep -q "Cipher.*NONE" /tmp/basic_test.log; then | |
| echo "✓ Basic SSL connection successful" | |
| else | |
| echo "✗ Basic SSL connection failed" | |
| echo "Connection log:" | |
| head -20 /tmp/basic_test.log | |
| kill $SERVER_PID 2>/dev/null || true | |
| exit 1 | |
| fi | |
| echo | |
| # Start ssltap to capture SSL traffic (it acts as a proxy) | |
| echo "Starting ssltap as proxy - clients connect to port 1924, forwards to localhost:4433..." | |
| ssltap -l -s localhost:4433 > /tmp/ssltap_output.log 2>&1 & | |
| SSLTAP_PID=$! | |
| # Wait for ssltap to initialize | |
| sleep 3 | |
| if kill -0 $SSLTAP_PID 2>/dev/null; then | |
| echo "✓ ssltap started successfully (PID: $SSLTAP_PID)" | |
| else | |
| echo "✗ ssltap failed to start" | |
| cat /tmp/ssltap_output.log 2>/dev/null || echo "No ssltap log" | |
| kill $SERVER_PID 2>/dev/null || true | |
| exit 1 | |
| fi | |
| # Check if ssltap port 1924 is listening | |
| if netstat -tuln | grep -q ":1924 "; then | |
| echo "✓ ssltap proxy port 1924 is listening" | |
| else | |
| echo "✗ ssltap proxy port 1924 is not listening" | |
| netstat -tuln | grep 1924 || echo "No processes on port 1924" | |
| exit 1 | |
| fi | |
| echo | |
| # Generate SSL traffic for ssltap to capture | |
| echo "=== Generating SSL Traffic ===" | |
| echo "Creating SSL connections through ssltap proxy (port 1924)..." | |
| # Test with curl | |
| echo "Testing with curl through ssltap proxy..." | |
| timeout 10s curl -k -v --max-time 5 https://localhost:1924/ > /tmp/curl_test.log 2>&1 || echo "curl test completed" | |
| # Give ssltap time to process all traffic | |
| sleep 1 | |
| echo | |
| # Stop services and show results | |
| echo "=== Stopping Services ===" | |
| # Stop ssltap | |
| if kill -0 $SSLTAP_PID 2>/dev/null; then | |
| kill $SSLTAP_PID | |
| echo "✓ Stopped ssltap" | |
| fi | |
| # Stop OpenSSL server | |
| if kill -0 $SERVER_PID 2>/dev/null; then | |
| kill $SERVER_PID | |
| echo "✓ Stopped OpenSSL s_server" | |
| fi | |
| sleep 2 | |
| echo | |
| # Display results | |
| echo "=== Test Results ===" | |
| echo "✅ SSLTap Test Completed Successfully!" | |
| echo | |
| echo "SSLTap captured output:" | |
| echo "----------------------------------------" | |
| if [ -f /tmp/ssltap_output.log ] && [ -s /tmp/ssltap_output.log ]; then | |
| cat /tmp/ssltap_output.log | |
| else | |
| echo "No ssltap output captured (this may be normal depending on ssltap version)" | |
| echo "ssltap was monitoring during the SSL connections shown below" | |
| fi | |
| echo | |
| echo "SSL Server log (last 20 lines):" | |
| echo "----------------------------------------" | |
| if [ -f /tmp/ssl_server.log ]; then | |
| tail -20 /tmp/ssl_server.log | |
| else | |
| echo "No server log available" | |
| fi | |
| echo | |
| echo "Sample client connection results:" | |
| echo "----------------------------------------" | |
| echo "curl test result:" | |
| if grep -q "SSL connection using" /tmp/curl_test.log; then | |
| echo " ✓ curl SSL connection successful" | |
| grep "SSL connection using" /tmp/curl_test.log | |
| else | |
| echo " ✗ curl SSL connection failed" | |
| fi | |
| EOF | |
| chmod +x test_ssltap.sh | |
| - name: Set environment variables for NSS | |
| run: | | |
| echo "NSS_DEBUG_PKCS11_MODULE=wolfPKCS11" >> $GITHUB_ENV | |
| echo "NSPR_LOG_MODULES=all:5" >> $GITHUB_ENV | |
| echo "NSPR_LOG_FILE=/logs/nss.log" >> $GITHUB_ENV | |
| echo "NSS_OUTPUT_FILE=/logs/stats.log" >> $GITHUB_ENV | |
| echo "NSS_STRICT_NOFORK=1" >> $GITHUB_ENV | |
| echo "NSS_DEBUG=all" >> $GITHUB_ENV | |
| echo "LD_LIBRARY_PATH=/usr/local/lib:$LD_LIBRARY_PATH" >> $GITHUB_ENV | |
| - name: Run NSS SSLTap Test | |
| timeout-minutes: 10 | |
| run: | | |
| cd /opt/test | |
| echo "========================================" | |
| echo "NSS SSLTap Test Suite" | |
| echo "========================================" | |
| echo | |
| ./test_ssltap.sh | |
| echo | |
| echo "========================================" | |
| echo "✅ All tests completed!" | |
| echo "SSLTap is working with OpenSSL s_server" | |
| echo "========================================" | |
| - name: Upload test logs | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: nss-ssltap-test-logs | |
| path: | | |
| /tmp/*.log | |
| /logs/*.log | |
| retention-days: 5 |
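Review bot: The guard in the "Verify NSS build and find ssltap" step, `find /opt -name "ssltap" ... | head -1 || (echo "ERROR: ..." && exit 1)`, never fires, because `||` tests the exit status of `head`, which is 0 even when `find` printed nothing; the step then writes an empty `NSS_BIN_DIR` and a `PATH` starting with `:` into `$GITHUB_ENV`, and the missing binary only surfaces later when `test_ssltap.sh` runs. The search root also looks wrong: the NSS build writes to `/tmp/src/dist` and the copy step only moves `.so` files into `/usr/local/lib`, so `/opt` is unlikely to hold the binary (confirm where `build.sh` places it). I would replace the first two lines with `SSLTAP=$(find /tmp/src/dist /opt -name ssltap -type f -executable -print -quit 2>/dev/null)`, `[ -n "$SSLTAP" ] || { echo "ERROR: NSS build failed - ssltap not found"; exit 1; }` and `NSS_BIN_DIR=$(dirname "$SSLTAP")`. Related: `test_ssltap.sh` echoes `✅ SSLTap Test Completed Successfully!` before it checks whether `/tmp/ssltap_output.log` has content or whether the curl connection succeeded, so the job stays green even when nothing was captured — those checks should `exit 1` on failure. Finally, `git checkout ${{ env.WOLFSSL_VERSION }}` resolves a mutable tag; pinning the commit hash (`git checkout <WOLFSSL_COMMIT_SHA>`, value to be filled in) keeps the dependency build reproducible and not silently re-targetable.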