
use DHUK to wrap/unwrap seed value used for token #435


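name: wolfPKCS11 NSS SSLTap Test

on:  # yamllint disable-line rule:truthy
  push:
    branches: [ 'master', 'main', 'nss' ]
  pull_request:
    branches: [ '*' ]
  workflow_dispatch:

# Least-privilege GITHUB_TOKEN: the job only checks out the repository. The
# cache and artifact actions use the runner's runtime token, not GITHUB_TOKEN,
# so read-only contents is sufficient for every step below.
permissions:
  contents: read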
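# Upstream revision names for the sources built in this job; they are also
# used in the cache keys so a bump here invalidates the matching cache.
env:
  NSPR_VERSION: NSPR_4_36_BRANCH
  NSS_VERSION: NSS_3_112_RTM
  WOLFSSL_VERSION: v5.8.0-stable
  # NSS / NSPR debug settings. The log paths live under /logs, which the
  # "Create working directories" step creates.
  NSS_DEBUG_PKCS11_MODULE: wolfPKCS11
  NSPR_LOG_MODULES: "all:5"
  NSPR_LOG_FILE: /logs/nss.log
  NSS_OUTPUT_FILE: /logs/stats.log
  # Quoted: environment values are strings, not YAML integers.
  NSS_STRICT_NOFORK: "1"
  NSS_DEBUG: all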
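jobs:
  nss-ssltap-test:
    runs-on: ubuntu-22.04
    steps:
      # NOTE(review): @v4 tags are mutable; pinning each action to a full
      # commit SHA would make the third-party code run by this job reproducible.
      - name: Checkout wolfPKCS11
        uses: actions/checkout@v4
        with:
          path: wolfpkcs11

      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            build-essential \
            mercurial \
            git \
            python3 \
            python3-pip \
            python-is-python3 \
            zlib1g-dev \
            libssl-dev \
            wget \
            curl \
            netcat-openbsd \
            openssl \
            automake \
            libtool \
            tcpdump \
            net-tools \
            gyp \
            ninja-build \
            pkg-config \
            libnss3-tools \
            opensc

      - name: Create working directories
        run: |
          mkdir -p /opt/wolfssl
          mkdir -p /opt/wolfpkcs11
          mkdir -p /opt/certs
          mkdir -p /opt/test
          sudo mkdir -p /etc/pki/nssdb
          # /logs receives the NSPR/NSS debug output (NSPR_LOG_FILE,
          # NSS_OUTPUT_FILE). Hand it to the runner user rather than making it
          # world-writable.
          sudo mkdir -p /logs
          sudo chown "$(id -u):$(id -g)" /logs

      - name: Cache NSPR
        id: cache-nspr
        uses: actions/cache@v4
        with:
          path: /tmp/src/nspr
          key: nspr-${{ env.NSPR_VERSION }}

      - name: Clone and build NSPR
        if: steps.cache-nspr.outputs.cache-hit != 'true'
        # Workflow-level env vars are already exported to the shell, so the
        # scripts read them as "$VAR" instead of splicing ${{ }} expressions
        # into the script text.
        run: |
          mkdir -p /tmp/src
          cd /tmp/src
          hg clone https://hg.mozilla.org/projects/nspr -r "$NSPR_VERSION"

      - name: Cache NSS source and patches
        id: cache-nss-source
        uses: actions/cache@v4
        with:
          path: |
            /tmp/src/nss
            /tmp/src/osp
          key: nss-source-${{ env.NSS_VERSION }}-latest

      - name: Clone NSS and apply wolfSSL patches
        if: steps.cache-nss-source.outputs.cache-hit != 'true'
        run: |
          mkdir -p /tmp/src
          cd /tmp/src
          # Defensive cleanup to avoid 'destination ... is not empty' errors
          rm -rf nss osp
          # Clone official Mozilla NSS with specific tag
          hg clone https://hg.mozilla.org/projects/nss -r "$NSS_VERSION"
          # Clone wolfSSL OSP repository for patches.
          # NOTE(review): this takes the default-branch head, so the patch set
          # is not pinned and the "-latest" cache key above does not track it;
          # pinning a tag or commit here would make the NSS build reproducible.
          git clone https://github.com/wolfSSL/osp.git
          cd nss
          # Apply wolfSSL patches
          echo "Applying wolfSSL patches..."
          if [ -d "../osp/nss" ]; then
            for patch in ../osp/nss/*.patch; do
              if [ -f "$patch" ]; then
                echo "Applying patch: $(basename "$patch")"
                patch -p1 < "$patch" || {
                  echo "Warning: Patch $(basename "$patch") failed to apply cleanly"
                  echo "Attempting to apply with --reject-file option..."
                  # Best-effort second pass; rejected hunks are kept in /tmp.
                  patch -p1 --reject-file="/tmp/$(basename "$patch").rej" < "$patch" || true
                }
              fi
            done
          else
            echo "No patches found in wolfSSL/osp/nss directory"
          fi

      - name: Cache NSS build artifacts
        id: cache-nss-build
        uses: actions/cache@v4
        with:
          path: /tmp/src/dist
          key: nss-build-${{ env.NSS_VERSION }}-latest

      - name: Build NSS
        if: steps.cache-nss-build.outputs.cache-hit != 'true'
        run: |
          cd /tmp/src/nss
          # Set NSS build environment
          export USE_64=1
          export NSS_ENABLE_WERROR=0
          export BUILD_OPT=0
          # Build NSS with debug mode enabled
          ./build.sh -v

      - name: Copy NSS headers and libraries
        run: |
          # Create directories for headers
          sudo mkdir -p /usr/local/include/nss
          sudo mkdir -p /usr/local/include/nspr
          sudo mkdir -p /usr/local/lib
          # Copy NSS headers from dist directory
          sudo cp -r /tmp/src/dist/public/nss/* /usr/local/include/nss/
          # Copy NSS library and headers
          sudo cp -r /tmp/src/dist/Debug/* /usr/local/
          # Copy NSS and NSPR libraries
          sudo find /tmp/src/nspr/Debug -name "*.so" -exec cp {} /usr/local/lib/ \;
          # Update library cache
          sudo ldconfig

      - name: Cache wolfSSL
        id: cache-wolfssl
        uses: actions/cache@v4
        with:
          path: /tmp/wolfssl
          key: wolfssl-${{ env.WOLFSSL_VERSION }}

      - name: Clone and build wolfSSL
        if: steps.cache-wolfssl.outputs.cache-hit != 'true'
        run: |
          cd /tmp
          git clone https://github.com/wolfSSL/wolfssl.git --branch "$WOLFSSL_VERSION" --depth 1
          cd wolfssl
          ./autogen.sh
          ./configure --enable-all --enable-aescfb --enable-rsapss --enable-keygen --enable-pwdbased --enable-scrypt --with-eccminsz=192 --with-max-rsa-bits=8192 CFLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT -DRSA_MIN_SIZE=1024 -DWOLFSSL_PSS_LONG_SALT"
          make

      - name: Install wolfSSL
        run: |
          cd /tmp/wolfssl
          sudo make install
          sudo ldconfig

      - name: Build wolfPKCS11 with NSS support
        run: |
          cd wolfpkcs11
          ./autogen.sh
          ./configure --enable-debug --enable-nss --enable-aesecb --enable-aesctr --enable-aesccm --enable-aescmac --enable-aeskeywrap CFLAGS="-D_GNU_SOURCE"
          make
          sudo make install
          sudo ldconfig

      - name: Verify wolfPKCS11 installation
        run: |
          echo "Checking wolfPKCS11 library..."
          if [ -f /usr/local/lib/libwolfpkcs11.so ]; then
            echo "✓ wolfPKCS11 library found at /usr/local/lib/libwolfpkcs11.so"
            ls -la /usr/local/lib/libwolfpkcs11.so
            ldd /usr/local/lib/libwolfpkcs11.so || echo "Failed to run ldd on libwolfpkcs11.so"
          else
            echo "✗ ERROR: wolfPKCS11 library not found"
            find /usr -name "libwolfpkcs11.so" 2>/dev/null || true
            exit 1
          fi
          echo "Checking wolfSSL library..."
          if [ -f /usr/local/lib/libwolfssl.so ]; then
            echo "✓ wolfSSL library found at /usr/local/lib/libwolfssl.so"
            ls -la /usr/local/lib/libwolfssl.so
          else
            echo "✗ ERROR: wolfSSL library not found"
            find /usr -name "libwolfssl.so" 2>/dev/null || true
            exit 1
          fi

      - name: Generate test certificates using wolfPKCS11
        run: |
          cd /opt/certs
          export LD_LIBRARY_PATH=/usr/local/lib:$LD_LIBRARY_PATH
          export NSS_DEFAULT_DB_TYPE=sql
          # Initialize a test NSS database
          mkdir -p testdb
          certutil -N -d sql:testdb --empty-password
          # Test if wolfPKCS11 is loaded properly
          echo "Testing wolfPKCS11 integration with NSS..."
          if modutil -list -dbdir sql:testdb | grep -i wolf; then
            echo "✓ wolfPKCS11 module detected in NSS"
          else
            echo "Installing wolfPKCS11 module..."
            modutil -add "wolfPKCS11" -libfile /usr/local/lib/libwolfpkcs11.so -dbdir sql:testdb
            modutil -list -dbdir sql:testdb
          fi
          # Generate a throwaway self-signed server certificate with OpenSSL
          # (test-only key; it is never uploaded as an artifact).
          cat > openssl.conf << 'EOF'
          [req]
          distinguished_name = req_distinguished_name
          req_extensions = v3_req
          prompt = no
          [req_distinguished_name]
          C = US
          ST = TestState
          L = TestCity
          O = TestOrg
          CN = localhost
          [v3_req]
          keyUsage = keyEncipherment, dataEncipherment
          extendedKeyUsage = serverAuth
          subjectAltName = @alt_names
          [alt_names]
          DNS.1 = localhost
          DNS.2 = testserver
          IP.1 = 127.0.0.1
          EOF
          openssl req -x509 -newkey rsa:2048 -keyout server.key -out server.crt -days 365 -nodes \
            -config openssl.conf -extensions v3_req
          echo "=== Generated Certificate Info ==="
          openssl x509 -in server.crt -text -noout | grep -A5 "Subject:"
          echo "Certificate and key files:"
          ls -la server.*

      - name: Run NSS SSLTap Test with wolfPKCS11
        run: |
          set -e
          export LD_LIBRARY_PATH=/usr/local/lib:$LD_LIBRARY_PATH
          export NSS_DEFAULT_DB_TYPE=sql
          SERVER_PID=""
          SSLTAP_PID=""
          # Make sure neither background process outlives the step, whichever
          # exit path is taken: several of the early "exit 1" branches below
          # return without stopping s_server and/or ssltap.
          cleanup() {
            for pid in "$SSLTAP_PID" "$SERVER_PID"; do
              [ -n "$pid" ] && kill "$pid" 2>/dev/null || true
            done
          }
          trap cleanup EXIT
          # Start OpenSSL s_server with proper parameters for persistent connections
          echo "=== Starting SSL Server ==="
          echo "Starting OpenSSL s_server on port 4433..."
          openssl s_server -accept 4433 -cert /opt/certs/server.crt -key /opt/certs/server.key -www -naccept 10 > /tmp/ssl_server.log 2>&1 &
          SERVER_PID=$!
          # Wait for server to start
          sleep 3
          # Check if server is running
          if kill -0 $SERVER_PID 2>/dev/null; then
            echo "✓ OpenSSL s_server started successfully (PID: $SERVER_PID)"
          else
            echo "✗ OpenSSL s_server failed to start"
            echo "Server log:"
            cat /tmp/ssl_server.log 2>/dev/null || echo "No log file"
            exit 1
          fi
          # Check if port is listening
          if netstat -tuln | grep -q ":4433 "; then
            echo "✓ Port 4433 is listening"
          else
            echo "✗ Port 4433 is not listening"
            netstat -tuln | grep 4433 || echo "No processes on port 4433"
          fi
          echo
          # Test basic SSL connection first
          echo "=== Testing Basic SSL Connection ==="
          echo "Verifying SSL server is working before starting ssltap..."
          timeout 10s openssl s_client -connect localhost:4433 -servername localhost -brief > /tmp/basic_test.log 2>&1 || echo "Basic connection test completed"
          if grep -q "Protocol.*TLS" /tmp/basic_test.log && ! grep -q "Cipher.*NONE" /tmp/basic_test.log; then
            echo "✓ Basic SSL connection successful"
          else
            echo "✗ Basic SSL connection failed"
            echo "Connection log:"
            head -20 /tmp/basic_test.log
            kill $SERVER_PID 2>/dev/null || true
            exit 1
          fi
          echo
          # Start ssltap to capture SSL traffic (it acts as a proxy)
          echo "Starting ssltap with wolfPKCS11 loaded - clients connect to port 1924, forwards to localhost:4433..."
          echo "Setting environment for wolfPKCS11 debugging..."
          export NSS_DEBUG_PKCS11_MODULE=wolfPKCS11
          export NSPR_LOG_MODULES=all:5
          export NSPR_LOG_FILE=/tmp/nss_ssltap.log
          ssltap -l -s localhost:4433 > /tmp/ssltap_output.log 2>&1 &
          SSLTAP_PID=$!
          # Wait for ssltap to initialize
          sleep 3
          if kill -0 $SSLTAP_PID 2>/dev/null; then
            echo "✓ ssltap started successfully (PID: $SSLTAP_PID)"
          else
            echo "✗ ssltap failed to start"
            cat /tmp/ssltap_output.log 2>/dev/null || echo "No ssltap log"
            kill $SERVER_PID 2>/dev/null || true
            exit 1
          fi
          # Check if ssltap port 1924 is listening
          if netstat -tuln | grep -q ":1924 "; then
            echo "✓ ssltap proxy port 1924 is listening"
          else
            echo "✗ ssltap proxy port 1924 is not listening"
            netstat -tuln | grep 1924 || echo "No processes on port 1924"
            exit 1
          fi
          echo
          # Generate SSL traffic for ssltap to capture using NSS tools
          echo "=== Generating SSL Traffic with NSS/wolfPKCS11 ==="
          echo "Creating SSL connections through ssltap proxy (port 1924) using NSS tools..."
          # Test with NSS tstclnt (NSS test client)
          echo "Testing with NSS tstclnt through ssltap proxy..."
          if command -v tstclnt >/dev/null 2>&1; then
            timeout 10s tstclnt -h localhost -p 1924 -o -n testcert > /tmp/tstclnt_test.log 2>&1 || echo "tstclnt test completed"
          else
            echo "tstclnt not available, using curl instead..."
          fi
          # Test with curl
          echo "Testing with curl through ssltap proxy..."
          timeout 10s curl -k -v --max-time 5 https://localhost:1924/ > /tmp/curl_test.log 2>&1 || echo "curl test completed"
          # Give ssltap time to process all traffic
          sleep 2
          echo
          # Test wolfPKCS11 functionality through NSS
          echo "=== Testing wolfPKCS11 PKCS#11 Operations ==="
          cd /opt/certs/testdb
          echo "Listing PKCS#11 modules..."
          modutil -list -dbdir sql:. > /tmp/pkcs11_modules.log 2>&1 || true
          echo "Testing key generation with wolfPKCS11..."
          # Try to generate a key using wolfPKCS11 through NSS
          timeout 30s pkcs11-tool --module /usr/local/lib/libwolfpkcs11.so --list-slots > /tmp/pkcs11_slots.log 2>&1 || echo "pkcs11-tool test completed"
          echo
          # Stop services and show results
          echo "=== Stopping Services ==="
          # Stop ssltap
          if kill -0 $SSLTAP_PID 2>/dev/null; then
            kill $SSLTAP_PID
            echo "✓ Stopped ssltap"
          fi
          # Stop OpenSSL server
          if kill -0 $SERVER_PID 2>/dev/null; then
            kill $SERVER_PID
            echo "✓ Stopped OpenSSL s_server"
          fi
          sleep 2
          echo
          # Display results
          echo "=== Test Results ==="
          echo "✅ wolfPKCS11 NSS SSLTap Test Completed Successfully!"
          echo
          echo "SSLTap captured output:"
          echo "----------------------------------------"
          if [ -f /tmp/ssltap_output.log ] && [ -s /tmp/ssltap_output.log ]; then
            cat /tmp/ssltap_output.log
          else
            echo "No ssltap output captured (this may be normal depending on ssltap version)"
            echo "ssltap was monitoring during the SSL connections shown below"
          fi
          echo
          echo "NSS PKCS#11 Module List:"
          echo "----------------------------------------"
          if [ -f /tmp/pkcs11_modules.log ]; then
            cat /tmp/pkcs11_modules.log
          fi
          echo
          echo "PKCS#11 Slots (wolfPKCS11):"
          echo "----------------------------------------"
          if [ -f /tmp/pkcs11_slots.log ]; then
            cat /tmp/pkcs11_slots.log
          fi
          echo
          echo "SSL Server log (last 20 lines):"
          echo "----------------------------------------"
          if [ -f /tmp/ssl_server.log ]; then
            tail -20 /tmp/ssl_server.log
          else
            echo "No server log available"
          fi
          echo
          echo "Sample client connection results:"
          echo "----------------------------------------"
          echo "curl test result:"
          if grep -q "SSL connection using" /tmp/curl_test.log; then
            echo " ✓ curl SSL connection successful"
            grep "SSL connection using" /tmp/curl_test.log
          else
            echo " ✗ curl SSL connection failed"
          fi
          if [ -f /tmp/tstclnt_test.log ] && grep -q "connected" /tmp/tstclnt_test.log; then
            echo " ✓ NSS tstclnt connection successful"
          fi
          echo
          echo "NSS debugging log:"
          echo "----------------------------------------"
          if [ -f /tmp/nss_ssltap.log ]; then
            tail -50 /tmp/nss_ssltap.log
          fi

      - name: Finalize Test Results
        timeout-minutes: 5
        run: |
          echo "========================================"
          echo "✅ All tests completed!"
          echo "wolfPKCS11 integrated with NSS SSLTap"
          echo "========================================"

      # Only the log files are collected; the test key/certificate under
      # /opt/certs are deliberately not part of the artifact.
      - name: Upload test logs
        if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: wolfpkcs11-nss-ssltap-test-logs
          path: |
            /tmp/*.log
            /logs/*.log
            /opt/certs/testdb/*.log
          retention-days: 5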