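---
# CI workflow: build NSS (with the wolfSSL OSP patches applied), wolfSSL and
# wolfPKCS11 from source, load wolfPKCS11 into an NSS database as the PKCS#11
# module, then sign and verify a generated PDF with pdfsig.
#
# Fixes relative to the previous revision:
#   * "Set up build environment" had no `run`/`uses` (rejected by the workflow
#     parser) and "Display patch application results" carried two `run` keys
#     (duplicate key, last-wins); the orphaned header-install script now
#     belongs to "Install NSS and NSPR headers and libraries".
#   * The patch loop applies each patch once, non-interactively, with rejects
#     written where the summary step actually looks for them.
#   * GITHUB_TOKEN is restricted to read access (least privilege).
name: wolfPKCS11 NSS PDF Signing Test

# `on` reads as a YAML 1.1 boolean to generic parsers; GitHub's own loader
# treats it as the trigger key, so it stays unquoted.
on:
  push:
    branches: [ '*' ]
  pull_request:
    branches: [ '*' ]
  workflow_dispatch:

# The job only reads the repository; nothing here pushes, comments or
# releases.  (actions/upload-artifact uses the runtime token, not
# GITHUB_TOKEN, so `contents: read` does not affect the artifact upload.)
permissions:
  contents: read

jobs:
  test-nss-pdf-signing:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout wolfPKCS11 repository
        uses: actions/checkout@v4
        with:
          path: wolfpkcs11

      # Build toolchain (gyp/ninja for NSS, autotools for wolfSSL/wolfPKCS11)
      # plus the PDF tooling used later: enscript + ghostscript to produce a
      # PDF, poppler-utils for pdfsig.
      - name: Set up build environment
        run: |
          sudo apt-get update
          sudo DEBIAN_FRONTEND=noninteractive apt-get install -y \
            mercurial \
            python3 \
            python-is-python3 \
            python3-pip \
            gyp \
            ninja-build \
            build-essential \
            automake \
            libtool \
            git \
            pkg-config \
            poppler-utils \
            wget \
            enscript \
            ghostscript \
            gdb \
            vim \
            hexedit

      # Only fetches NSPR; nothing here builds it explicitly.  The NSPR .so
      # files copied later from /tmp/src/nspr/Debug are presumably produced
      # by NSS's build.sh from the sibling ../nspr checkout — confirm.
      # NOTE(review): the NSPR, NSS, osp and wolfSSL clones below all track
      # the tip of their upstream repositories; no revision is pinned, so
      # the inputs of this job change from run to run.
      - name: Clone and build NSPR
        run: |
          mkdir -p /tmp/src
          cd /tmp/src
          hg clone https://hg.mozilla.org/projects/nspr

      # Clone NSS, apply every wolfSSL/osp/nss/*.patch, then build NSS in
      # debug mode.  Patch application is best-effort: a patch that does not
      # apply cleanly leaves /tmp/<patch>.rej for the next step to report,
      # and the build goes ahead regardless.
      - name: Clone NSS and apply wolfSSL patches
        run: |
          cd /tmp/src
          # Clone official Mozilla NSS
          hg clone https://hg.mozilla.org/projects/nss
          # Clone wolfSSL OSP repository for patches
          git clone https://github.com/wolfSSL/osp.git
          cd nss
          # Apply patches from wolfSSL/osp/nss directory
          echo "Applying wolfSSL NSS patches..."
          if [ -d "../osp/nss" ]; then
            for patch in ../osp/nss/*.patch; do
              if [ -f "$patch" ]; then
                name=$(basename "$patch")
                echo "Applying patch: $name"
                # Single non-interactive attempt per patch:
                #   --batch    never prompt (the runner has no tty);
                #   --forward  skip hunks that look already applied instead
                #              of asking whether to reverse them;
                #   --reject-file  put rejects in /tmp, where the
                #              "Display patch application results" step
                #              looks, rather than beside the source files.
                patch -p1 --batch --forward --reject-file="/tmp/$name.rej" < "$patch" || \
                  echo "Warning: Patch $name failed to apply cleanly (see /tmp/$name.rej)"
              fi
            done
          else
            echo "No patches found in wolfSSL/osp/nss directory"
          fi
          # Set NSS build environment
          export USE_64=1
          export NSS_ENABLE_WERROR=0
          export BUILD_OPT=0
          # Build NSS with debug mode enabled
          ./build.sh -v

      # Report which patches exist and dump any reject files.  This step only
      # reports; a rejected patch does not fail the job.
      - name: Display patch application results
        run: |
          echo "=== NSS Patch Application Summary ==="
          if [ -d /tmp/src/osp/nss ]; then
            echo "Available patches in wolfSSL/osp/nss:"
            ls -la /tmp/src/osp/nss/*.patch 2>/dev/null || echo "No .patch files found"
            # Check for any rejected patches
            if ls /tmp/*.rej 2>/dev/null; then
              echo ""
              echo "⚠ Warning: Some patches were rejected:"
              ls -la /tmp/*.rej
              echo ""
              echo "Rejected patch contents:"
              for rej in /tmp/*.rej; do
                echo "--- $(basename "$rej") ---"
                cat "$rej"
                echo ""
              done
            else
              echo "✓ All patches applied successfully (no .rej files found)"
            fi
          else
            echo "No patches directory found at wolfSSL/osp/nss"
          fi

      # Make the freshly built NSS/NSPR headers and shared libraries visible
      # system-wide so wolfPKCS11's --enable-nss build can find them.
      - name: Install NSS and NSPR headers and libraries
        run: |
          # Create directories for headers
          sudo mkdir -p /usr/local/include/nss
          sudo mkdir -p /usr/local/include/nspr
          sudo mkdir -p /usr/local/lib
          # Copy NSS headers from dist directory
          sudo cp -r /tmp/src/dist/public/nss/* /usr/local/include/nss/
          # Copy NSPR headers from dist directory
          sudo cp -r /tmp/src/dist/Debug/include/nspr/* /usr/local/include/nspr/
          # Copy NSS and NSPR libraries
          sudo find /tmp/src/dist/Debug -name "*.so" -exec cp {} /usr/local/lib/ \;
          sudo find /tmp/src/nspr/Debug -name "*.so" -exec cp {} /usr/local/lib/ \;
          # Update library cache
          sudo ldconfig

      # wolfSSL with the crypto features wolfPKCS11 needs (RSA-PSS, key
      # generation, PBKDF/scrypt, AES modes, CMAC) and the crypto-callback
      # hook; installed to /usr/local.
      - name: Clone and build wolfSSL
        run: |
          cd /tmp
          git clone https://github.com/wolfSSL/wolfssl.git
          cd wolfssl
          ./autogen.sh
          ./configure --enable-aescfb --enable-cryptocb --enable-rsapss --enable-keygen --enable-pwdbased --enable-scrypt --enable-cmac --enable-aesctr --enable-aesccm C_EXTRA_FLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT -DHAVE_AES_ECB -D_GNU_SOURCE"
          make -j$(nproc)
          sudo make install
          sudo ldconfig

      # The code under test, built from the checkout in ./wolfpkcs11 with NSS
      # integration and debug output enabled.
      - name: Build wolfPKCS11 with NSS support
        run: |
          cd wolfpkcs11
          ./autogen.sh
          ./configure --enable-debug --enable-nss --enable-aesecb --enable-aesctr --enable-aesccm --enable-aescmac CFLAGS="-D_GNU_SOURCE"
          make -j$(nproc)
          sudo make install
          sudo ldconfig

      # Fail fast if either library did not land in /usr/local/lib; `ldd`
      # output helps diagnose unresolved NSS/NSPR dependencies.
      - name: Verify wolfPKCS11 installation
        run: |
          echo "Checking wolfPKCS11 library..."
          if [ -f /usr/local/lib/libwolfpkcs11.so ]; then
            echo "✓ wolfPKCS11 library found at /usr/local/lib/libwolfpkcs11.so"
            ls -la /usr/local/lib/libwolfpkcs11.so
            ldd /usr/local/lib/libwolfpkcs11.so || echo "Failed to run ldd on libwolfpkcs11.so"
          else
            echo "✗ ERROR: wolfPKCS11 library not found"
            find /usr -name "libwolfpkcs11.so" 2>/dev/null || true
            exit 1
          fi
          echo "Checking wolfSSL library..."
          if [ -f /usr/local/lib/libwolfssl.so ]; then
            echo "✓ wolfSSL library found at /usr/local/lib/libwolfssl.so"
            ls -la /usr/local/lib/libwolfssl.so
          else
            echo "✗ ERROR: wolfSSL library not found"
            find /usr -name "libwolfssl.so" 2>/dev/null || true
            exit 1
          fi

      # pkcs11.txt registers wolfPKCS11 as the internal, critical, FIPS
      # module of the database, so every NSS operation below is routed
      # through it.  The database is created with an empty password.
      - name: Configure NSS database
        run: |
          mkdir -p /tmp/nssdb
          chmod 755 /tmp/nssdb
          # Configure NSS to use wolfPKCS11
          cat > /tmp/nssdb/pkcs11.txt << 'EOF'
          library=/usr/local/lib/libwolfpkcs11.so
          name=wolfPKCS11
          NSS=Flags=internal,critical,fips cipherOrder=100 slotParams={0x00000001=[slotFlags=ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] }
          EOF
          # Initialize NSS database
          /tmp/src/dist/Debug/bin/certutil -N -d /tmp/nssdb/ --empty-password

      # Self-signed RSA-2048 certificate, valid 120 months, trusted for
      # CA/email/object signing ("CT,C,C").  `-z` takes a seed file for the
      # key generation RNG; the step runs in the workspace root, so
      # wolfpkcs11/configure.ac is the checked-out file.
      - name: Generate test certificate
        run: |
          echo "Generating self-signed certificate for PDF signing..."
          /tmp/src/dist/Debug/bin/certutil -d /tmp/nssdb -S -n "PDF Signing Certificate" -s "CN=PDF Signer,O=wolfSSL,C=US" -x -t "CT,C,C" -v 120 -g 2048 -z wolfpkcs11/configure.ac

      # Text -> PostScript (enscript) -> PDF (ps2pdf).  The heredoc is
      # unquoted on purpose so $(date), GITHUB_REF and GITHUB_SHA expand.
      - name: Generate test PDF
        run: |
          cd /tmp
          # Create test content
          cat > test.txt << EOF
          This is a test document for PDF signing with wolfPKCS11 and NSS.
          Generated on $(date)
          Branch: ${GITHUB_REF#refs/heads/}
          Commit: ${GITHUB_SHA:0:8}
          EOF
          echo "Converting text to PDF..."
          enscript -B -o - < test.txt | ps2pdf - test.pdf
          if [ -f test.pdf ]; then
            echo "✓ PDF generation successful!"
            ls -la test.pdf
          else
            echo "✗ PDF generation failed!"
            exit 1
          fi

      # Sign with pdfsig through the NSS database above.  pdfsig's exit
      # status is only reported, not enforced; the step passes or fails on
      # whether signed.pdf was produced.  The NSS/NSPR env vars turn on
      # module-level tracing into /tmp/nss.log and /tmp/stats.log, which
      # the artifact step uploads.
      - name: Test PDF signing with wolfPKCS11
        env:
          NSS_DEBUG_PKCS11_MODULE: "wolfPKCS11"
          NSPR_LOG_MODULES: "all:5"
          NSPR_LOG_FILE: /tmp/nss.log
          NSS_OUTPUT_FILE: /tmp/stats.log
          NSS_STRICT_NOFORK: "1"
          NSS_DEBUG: "all"
        run: |
          cd /tmp
          echo "Signing the PDF file with wolfPKCS11..."
          echo "Note: NSS shutdown warnings are normal and expected"
          # Attempt to sign the PDF
          if pdfsig test.pdf signed.pdf -add-signature -nick "PDF Signing Certificate" -nssdir /tmp/nssdb; then
            echo "✓ PDF signing completed successfully!"
          else
            echo "⚠ PDF signing completed with warnings (this may be normal)"
          fi
          # Check if signed PDF was created
          if [ -f signed.pdf ]; then
            echo "✓ Signed PDF file created successfully"
            ls -la signed.pdf
          else
            echo "✗ Signed PDF file was not created"
            exit 1
          fi

      # Verification is informational: a non-zero pdfsig exit is logged as
      # a warning and does not fail the job.
      - name: Verify PDF signature
        run: |
          cd /tmp
          echo "Verifying the PDF signature..."
          if pdfsig signed.pdf -nssdir /tmp/nssdb; then
            echo "✓ PDF signature verification completed"
          else
            echo "⚠ PDF signature verification completed with warnings"
          fi

      # Keep the PDFs and the NSS/NSPR trace logs for a week, even when an
      # earlier step failed.
      - name: Upload test artifacts
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: pdf-test-artifacts
          path: |
            /tmp/test.pdf
            /tmp/signed.pdf
            /tmp/*.log
          retention-days: 7

      # Human-readable summary; PASSED/FAILED is decided solely by the
      # existence of /tmp/signed.pdf.
      - name: Display test summary
        if: always()
        run: |
          echo "=== wolfPKCS11 NSS PDF Signing Test Summary ==="
          echo "Branch: ${GITHUB_REF#refs/heads/}"
          echo "Commit: ${GITHUB_SHA:0:8}"
          echo ""
          if [ -f /tmp/signed.pdf ]; then
            echo "✓ Test PASSED: PDF was successfully signed using wolfPKCS11 with NSS"
          else
            echo "✗ Test FAILED: PDF signing was not successful"
          fi
          echo ""
          echo "Files created during test:"
          ls -la /tmp/*.pdf 2>/dev/null || echo "No PDF files found"
          echo ""
          if [ -f /tmp/nss.log ]; then
            echo "NSS debug log (last 20 lines):"
            tail -20 /tmp/nss.log
          fi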