PQC Support preparation #418
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: wolfPKCS11 NSS cmsutil Test | |
| on: | |
| push: | |
| branches: [ main, master, nss ] | |
| pull_request: | |
| branches: [ main, master, nss ] | |
| workflow_dispatch: | |
| env: | |
| NSPR_VERSION: NSPR_4_36_BRANCH | |
| NSS_VERSION: NSS_3_112_RTM | |
| WOLFSSL_VERSION: v5.8.4-stable | |
| NSS_DEBUG_PKCS11_MODULE: wolfPKCS11 | |
| NSPR_LOG_MODULES: all:5 | |
| NSPR_LOG_FILE: /logs/nss.log | |
| NSS_OUTPUT_FILE: /logs/stats.log | |
| NSS_STRICT_NOFORK: 1 | |
| NSS_DEBUG: all | |
| jobs: | |
| nss-cmsutil-test: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Install system dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo DEBIAN_FRONTEND=noninteractive apt-get install -y \ | |
| mercurial \ | |
| python3 \ | |
| python-is-python3 \ | |
| python3-pip \ | |
| gyp \ | |
| ninja-build \ | |
| build-essential \ | |
| automake \ | |
| libtool \ | |
| git \ | |
| pkg-config \ | |
| poppler-utils \ | |
| wget \ | |
| enscript \ | |
| ghostscript \ | |
| gdb \ | |
| vim \ | |
| hexedit \ | |
| openssl \ | |
| ca-certificates | |
| - name: Cache NSPR | |
| id: cache-nspr | |
| uses: actions/cache@v4 | |
| with: | |
| path: /tmp/src/nspr | |
| key: nspr-${{ env.NSPR_VERSION }} | |
| - name: Clone and build NSPR | |
| if: steps.cache-nspr.outputs.cache-hit != 'true' | |
| run: | | |
| mkdir -p /tmp/src | |
| cd /tmp/src | |
| hg clone https://hg.mozilla.org/projects/nspr -r ${{ env.NSPR_VERSION }} | |
| - name: Cache NSS source and patches | |
| id: cache-nss-source | |
| uses: actions/cache@v4 | |
| with: | |
| path: | | |
| /tmp/src/nss | |
| /tmp/src/osp | |
| key: nss-source-${{ env.NSS_VERSION }}-latest | |
| - name: Cache NSS build artifacts | |
| id: cache-nss-build | |
| uses: actions/cache@v4 | |
| with: | |
| path: /tmp/src/dist | |
| key: nss-build-${{ env.NSS_VERSION }}-latest | |
| - name: Clone NSS and apply wolfSSL patches | |
| if: steps.cache-nss-source.outputs.cache-hit != 'true' | |
| run: | | |
| mkdir -p /tmp/src | |
| cd /tmp/src | |
| # Clone official Mozilla NSS with specific tag | |
| hg clone https://hg.mozilla.org/projects/nss -r ${{ env.NSS_VERSION }} | |
| # Clone wolfSSL OSP repository for patches | |
| git clone https://github.com/wolfSSL/osp.git | |
| cd nss | |
| # Apply patches from wolfSSL/osp/nss directory | |
| echo "Applying wolfSSL NSS patches..." | |
| if [ -d "../osp/nss" ]; then | |
| for patch in ../osp/nss/*.patch; do | |
| if [ -f "$patch" ]; then | |
| echo "Applying patch: $(basename $patch)" | |
| patch -p1 < "$patch" || { | |
| echo "Warning: Patch $(basename $patch) failed to apply cleanly" | |
| echo "Attempting to apply with --reject-file option..." | |
| patch -p1 --reject-file=/tmp/$(basename $patch).rej < "$patch" || true | |
| } | |
| fi | |
| done | |
| else | |
| echo "No patches found in wolfSSL/osp/nss directory" | |
| fi | |
| - name: Build NSS | |
| if: steps.cache-nss-build.outputs.cache-hit != 'true' | |
| run: | | |
| cd /tmp/src/nss | |
| # Set NSS build environment | |
| export USE_64=1 | |
| export NSS_ENABLE_WERROR=0 | |
| export BUILD_OPT=0 | |
| # Build NSS with debug mode enabled | |
| ./build.sh -v | |
| - name: Copy NSS headers and libraries | |
| run: | | |
| # Create directories for headers | |
| sudo mkdir -p /usr/local/include/nss | |
| sudo mkdir -p /usr/local/include/nspr | |
| sudo mkdir -p /usr/local/lib | |
| # Copy NSS headers from dist directory | |
| sudo cp -r /tmp/src/dist/public/nss/* /usr/local/include/nss/ | |
| # Copy NSS library and headers | |
| sudo cp -r /tmp/src/dist/Debug/* /usr/local/ | |
| # Copy NSS and NSPR libraries | |
| sudo find /tmp/src/nspr/Debug -name "*.so" -exec cp {} /usr/local/lib/ \; | |
| # Update library cache | |
| sudo ldconfig | |
| - name: Cache wolfSSL | |
| id: cache-wolfssl | |
| uses: actions/cache@v4 | |
| with: | |
| path: /tmp/wolfssl | |
| key: wolfssl-${{ env.WOLFSSL_VERSION }} | |
| - name: Clone and build wolfSSL | |
| if: steps.cache-wolfssl.outputs.cache-hit != 'true' | |
| run: | | |
| cd /tmp | |
| git clone https://github.com/wolfSSL/wolfssl.git --branch ${{ env.WOLFSSL_VERSION }} --depth 1 | |
| cd wolfssl | |
| ./autogen.sh | |
| ./configure --enable-aescfb --enable-rsapss --enable-keygen --enable-pwdbased --enable-scrypt --enable-cmac --enable-aesctr --enable-aesccm --enable-md5 C_EXTRA_FLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT -DHAVE_AES_ECB -D_GNU_SOURCE" | |
| make | |
| - name: Install wolfSSL | |
| run: | | |
| cd /tmp/wolfssl | |
| sudo make install | |
| sudo ldconfig | |
| - name: Build wolfPKCS11 | |
| run: | | |
| ./autogen.sh | |
| ./configure --enable-debug --enable-nss --enable-aesecb --enable-aesctr --enable-aesccm --enable-aescmac CFLAGS="-D_GNU_SOURCE" | |
| make | |
| sudo make install | |
| sudo ldconfig | |
| - name: Configure NSS database | |
| run: | | |
| sudo mkdir -p /nss-test/nssdb | |
| sudo chmod -R 777 /nss-test | |
| sudo mkdir -p /logs | |
| # Configure NSS to use wolfPKCS11 | |
| cat > /nss-test/pkcs11.txt << 'EOF' | |
| library=/usr/local/lib/libwolfpkcs11.so | |
| name=wolfPKCS11 | |
| NSS=Flags=internal,critical,fips cipherOrder=100 slotParams={0x00000001=[slotFlags=ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] } | |
| EOF | |
| # Initialize NSS database | |
| certutil -N -d /nss-test/nssdb/ --empty-password | |
| - name: Run NSS cmsutil tests | |
| run: | | |
| cd /nss-test | |
| set -e | |
| echo "=== NSS cmsutil Test Script ===" | |
| echo "NSS Database location: /nss-test/nssdb" | |
| echo | |
| # Create test data | |
| echo "1. Creating test data file:" | |
| echo "This is test data for CMS signing and encryption" > test-data.txt | |
| cat test-data.txt | |
| echo | |
| # Generate a test certificate and key | |
| echo "2. Generating CA and user certificates:" | |
| # Step 1: Create a CA certificate using OpenSSL | |
| echo " Creating CA certificate..." | |
| cat > ca-openssl.conf << 'CAEOF' | |
| [req] | |
| distinguished_name = req_distinguished_name | |
| req_extensions = v3_ca | |
| prompt = no | |
| [req_distinguished_name] | |
| CN = Test CA | |
| O = NSS Test CA | |
| C = US | |
| [v3_ca] | |
| keyUsage = critical, keyCertSign, cRLSign | |
| basicConstraints = critical, CA:true | |
| subjectKeyIdentifier = hash | |
| authorityKeyIdentifier = keyid:always,issuer | |
| CAEOF | |
| # Create CA certificate and key | |
| openssl req -x509 -newkey rsa:2048 -keyout ca-key.pem -out ca-cert.pem -days 365 -nodes \ | |
| -config ca-openssl.conf -extensions v3_ca | |
| # Import CA certificate into NSS database | |
| certutil -A -n "TestCA" -i ca-cert.pem -t "CT,C,C" -d /nss-test/nssdb | |
| # Step 2: Generate user certificate and key pair directly in NSS | |
| echo " Generating user certificate and key pair in NSS database..." | |
| # Create random seed for key generation | |
| dd if=/dev/urandom of=noise.bin bs=20 count=1 2>/dev/null | |
| # Generate certificate request with key pair (creates DER format) | |
| printf '\n\n' | certutil -R -s "CN=Test User,O=NSS Test,C=US" \ | |
| -o user-req.der -d /nss-test/nssdb -z noise.bin | |
| # Convert DER format certificate request to PEM format for OpenSSL | |
| openssl req -in user-req.der -inform DER -out user-req.pem -outform PEM | |
| # Sign the certificate request with CA | |
| echo " Signing user certificate with CA..." | |
| cat > signing.conf << 'SIGNEOF' | |
| [v3_user_sign] | |
| keyUsage = critical, digitalSignature, keyEncipherment | |
| extendedKeyUsage = critical, emailProtection | |
| basicConstraints = critical, CA:false | |
| subjectKeyIdentifier = hash | |
| authorityKeyIdentifier = keyid:always,issuer:always | |
| subjectAltName = email:test@example.com | |
| SIGNEOF | |
| openssl x509 -req -in user-req.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial \ | |
| -out user-cert.pem -days 365 -extensions v3_user_sign -extfile signing.conf | |
| # Import the signed certificate back into NSS database | |
| echo " Importing signed user certificate..." | |
| certutil -A -n "testcert" -i user-cert.pem -t "u,u,u" -d /nss-test/nssdb | |
| echo " ✓ CA and user certificates created successfully" | |
| echo "3. Listing certificates in NSS database:" | |
| certutil -L -d /nss-test/nssdb | |
| echo | |
| echo "Private keys in NSS database:" | |
| certutil -K -d /nss-test/nssdb | |
| echo | |
| echo "Certificate details:" | |
| if certutil -L -n "testcert" -d /nss-test/nssdb >/dev/null 2>&1; then | |
| echo "User certificate 'testcert':" | |
| certutil -L -n "testcert" -d /nss-test/nssdb | |
| echo | |
| fi | |
| if certutil -L -n "TestCA" -d /nss-test/nssdb >/dev/null 2>&1; then | |
| echo "CA certificate 'TestCA':" | |
| certutil -L -n "TestCA" -d /nss-test/nssdb | |
| fi | |
| echo "4. Testing CMS operations with cmsutil:" | |
| # Test CMS signing with additional options to handle trust | |
| echo " a) Signing data with CMS:" | |
| cmsutil -S -N "testcert" -i test-data.txt -o signed-data.p7s -d /nss-test/nssdb -p "" -G | |
| if [ -f signed-data.p7s ]; then | |
| echo " ✓ CMS signing successful - created signed-data.p7s" | |
| ls -la signed-data.p7s | |
| else | |
| echo " ✗ CMS signing failed" | |
| fi | |
| # Test CMS verification | |
| echo " b) Verifying CMS signature:" | |
| openssl smime -verify -in signed-data.p7s -CAfile test-cert.pem -inform DER -noverify 2>/dev/null && echo " ✓ OpenSSL verification successful" | |
| # Test CMS encryption (envelope) | |
| echo " c) Creating CMS encrypted envelope:" | |
| cmsutil -E -r "testcert" -i test-data.txt -o encrypted-data.p7e -d /nss-test/nssdb | |
| if [ -f encrypted-data.p7e ]; then | |
| echo " ✓ CMS encryption successful - created encrypted-data.p7e" | |
| ls -la encrypted-data.p7e | |
| else | |
| echo " ✗ CMS encryption failed" | |
| fi | |
| # Test CMS decryption | |
| echo " d) Decrypting CMS envelope:" | |
| cmsutil -D -i encrypted-data.p7e -o decrypted-data.txt -d /nss-test/nssdb -p "" | |
| if [ -f decrypted-data.txt ]; then | |
| echo " ✓ CMS decryption successful" | |
| echo " Original data:" | |
| cat test-data.txt | |
| echo " Decrypted data:" | |
| cat decrypted-data.txt | |
| echo " Data match:" $(cmp -s test-data.txt decrypted-data.txt && echo "YES" || echo "NO") | |
| else | |
| echo " ✗ CMS decryption failed" | |
| fi | |
| echo | |
| echo "=== cmsutil Test Complete ===" | |
| echo "Files created:" | |
| ls -la *.p7s *.p7e *.txt *.pem *.p12 2>/dev/null || echo "No files found" | |
| # Create tar archive with all test artifacts | |
| sudo mkdir -p /tmp/artifacts | |
| sudo cp -r /logs /tmp/artifacts/ 2>/dev/null || true | |
| sudo cp -r /nss-test /tmp/artifacts/ 2>/dev/null || true | |
| sudo tar -czf /tmp/nss-cmsutil-test-artifacts.tar.gz -C /tmp/artifacts . 2>/dev/null || true | |
| # Fix permissions for artifact upload | |
| sudo chown $USER:$USER /tmp/nss-cmsutil-test-artifacts.tar.gz 2>/dev/null || true | |
| - name: Upload test artifacts | |
| if: failure() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: nss-cmsutil-test-artifacts | |
| path: /tmp/nss-cmsutil-test-artifacts.tar.gz | |
| retention-days: 5 |