1+ name : wolfPKCS11 NSS cmsutil Debian Package Test
2+
3+ on :
4+ push :
5+ branches : [ main, master, nss ]
6+ pull_request :
7+ branches : [ main, master, nss ]
8+ workflow_dispatch :
9+
10+ env :
11+ WOLFSSL_VERSION : v5.8.0-stable
12+ NSS_DEBUG_PKCS11_MODULE : wolfPKCS11
13+ NSPR_LOG_MODULES : all:5
14+ NSPR_LOG_FILE : /logs/nss.log
15+ NSS_OUTPUT_FILE : /logs/stats.log
16+ NSS_STRICT_NOFORK : 1
17+ NSS_DEBUG : all
18+
19+ jobs :
20+ nss-cmsutil-debian-test :
21+ runs-on : ubuntu-latest
22+ container :
23+ image : debian:bookworm
24+
25+ steps :
26+ - name : Checkout repository
27+ uses : actions/checkout@v4
28+
29+ - name : Install system dependencies
30+ run : |
31+ apt-get update
32+ DEBIAN_FRONTEND=noninteractive apt-get install -y \
33+ build-essential \
34+ automake \
35+ libtool \
36+ git \
37+ pkg-config \
38+ wget \
39+ ca-certificates \
40+ devscripts \
41+ dpkg-dev \
42+ fakeroot \
43+ lintian \
44+ dh-make \
45+ debhelper \
46+ dh-autoreconf \
47+ libnss3-dev \
48+ libnss3-tools \
49+ openssl \
50+ patch \
51+ curl \
52+ gnupg2 \
53+ software-properties-common
54+
55+ - name : Setup Debian source repositories
56+ run : |
57+ # Add source repositories for apt-get source
58+ echo "deb-src http://deb.debian.org/debian bookworm main" >> /etc/apt/sources.list
59+ echo "deb-src http://deb.debian.org/debian-security bookworm-security main" >> /etc/apt/sources.list
60+ echo "deb-src http://deb.debian.org/debian bookworm-updates main" >> /etc/apt/sources.list
61+ apt-get update
62+
63+ - name : Build wolfSSL Debian package
64+ run : |
65+ cd /tmp
66+ git clone https://github.com/wolfSSL/wolfssl.git --branch ${{ env.WOLFSSL_VERSION }} --depth 1
67+ cd wolfssl
68+
69+ # Configure wolfSSL for PKCS#11 compatibility
70+ ./autogen.sh
71+ ./configure --enable-aescfb --enable-cryptocb --enable-rsapss --enable-keygen --enable-pwdbased --enable-scrypt --enable-cmac --enable-aesctr --enable-aesccm --enable-md5 C_EXTRA_FLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT -DHAVE_AES_ECB -D_GNU_SOURCE"
72+
73+ # Build Debian package
74+ make deb
75+
76+ # Install wolfSSL packages
77+ dpkg -i *.deb || true
78+ apt-get install -f -y
79+ ldconfig
80+
81+ - name : Build wolfPKCS11 Debian package
82+ run : |
83+ # Build wolfPKCS11
84+ ./autogen.sh
85+ ./configure --enable-debug --enable-nss --enable-aesecb --enable-aesctr --enable-aesccm --enable-aescmac CFLAGS="-D_GNU_SOURCE"
86+ make
87+
88+ # Build Debian package
89+ make deb
90+
91+ # Install wolfPKCS11 packages
92+ dpkg -i *.deb || true
93+ apt-get install -f -y
94+ ldconfig
95+
96+ - name : Get NSS Debian sources and apply wolfPKCS11 patch
97+ run : |
98+ mkdir -p /tmp/nss-build
99+ cd /tmp/nss-build
100+
101+ # Get NSS Debian source package
102+ apt-get source libnss3
103+
104+ # Find the NSS source directory
105+ NSS_DIR=$(find . -maxdepth 1 -type d -name "nss-*" | head -1)
106+ echo "Found NSS directory: $NSS_DIR"
107+
108+ if [ -z "$NSS_DIR" ]; then
109+ echo "Error: NSS source directory not found"
110+ exit 1
111+ fi
112+
113+ cd "$NSS_DIR"
114+
115+ # Apply the wolfPKCS11 NSS patch
116+ echo "Applying wolfPKCS11 NSS Debian patch..."
117+ patch -p1 < ${{ github.workspace }}/.github/workflows/wolfpkcs11-nss-debian.patch
118+
119+ echo "Patch applied successfully"
120+
121+ - name : Build NSS Debian package with wolfPKCS11 support
122+ run : |
123+ cd /tmp/nss-build
124+ NSS_DIR=$(find . -maxdepth 1 -type d -name "nss-*" | head -1)
125+ cd "$NSS_DIR"
126+
127+ # Install build dependencies
128+ apt-get build-dep -y libnss3
129+
130+ # Build the NSS packages
131+ echo "Building NSS Debian packages..."
132+ dpkg-buildpackage -us -uc -b
133+
134+ # Install the built NSS packages
135+ cd ..
136+ echo "Installing NSS packages..."
137+ dpkg -i libnss3_*.deb libnss3-dev_*.deb libnss3-tools_*.deb || true
138+ apt-get install -f -y
139+ ldconfig
140+
141+ - name : Verify package installations
142+ run : |
143+ echo "=== Installed Package Versions ==="
144+ dpkg -l | grep -E "(wolfssl|wolfpkcs11|libnss3)"
145+ echo
146+
147+ echo "=== Library Dependencies ==="
148+ ldd /usr/lib/*/libwolfpkcs11.so* || echo "wolfPKCS11 library not found"
149+ ldd /usr/lib/*/libnss3.so* || echo "NSS library not found"
150+ echo
151+
152+ echo "=== Available NSS Tools ==="
153+ which certutil cmsutil || echo "NSS tools not found in PATH"
154+ certutil --version || echo "certutil not working"
155+
156+ - name : Configure NSS database and wolfPKCS11
157+ run : |
158+ mkdir -p /nss-test/nssdb
159+ chmod -R 777 /nss-test
160+ mkdir -p /logs
161+
162+ # Configure NSS to use wolfPKCS11 from installed package
163+ cat > /nss-test/pkcs11.txt << 'EOF'
164+ library=/usr/lib/libwolfpkcs11.so
165+ name=wolfPKCS11
166+ NSS=Flags=internal,critical,fips cipherOrder=100 slotParams={0x00000001=[slotFlags=ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] }
167+ EOF
168+
169+ # Initialize NSS database
170+ certutil -N -d /nss-test/nssdb/ --empty-password
171+
172+ echo "NSS database initialized successfully"
173+
174+ - name : Run NSS cmsutil tests with installed packages
175+ run : |
176+ cd /nss-test
177+ set -e
178+
179+ echo "=== NSS cmsutil Test Script (Using Installed Packages) ==="
180+ echo "NSS Database location: /nss-test/nssdb"
181+ echo "wolfPKCS11 library: /usr/lib/libwolfpkcs11.so"
182+ echo
183+
184+ # Create test data
185+ echo "1. Creating test data file:"
186+ echo "This is test data for CMS signing and encryption" > test-data.txt
187+ cat test-data.txt
188+ echo
189+
190+ # Generate a test certificate and key
191+ echo "2. Generating CA and user certificates:"
192+
193+ # Step 1: Create a CA certificate using OpenSSL
194+ echo " Creating CA certificate..."
195+ cat > ca-openssl.conf << 'CAEOF'
196+ [req]
197+ distinguished_name = req_distinguished_name
198+ req_extensions = v3_ca
199+ prompt = no
200+
201+ [req_distinguished_name]
202+ CN = Test CA
203+ O = NSS Test CA
204+ C = US
205+
206+ [v3_ca]
207+ keyUsage = critical, keyCertSign, cRLSign
208+ basicConstraints = critical, CA:true
209+ subjectKeyIdentifier = hash
210+ authorityKeyIdentifier = keyid:always,issuer
211+ CAEOF
212+
213+ # Create CA certificate and key
214+ openssl req -x509 -newkey rsa:2048 -keyout ca-key.pem -out ca-cert.pem -days 365 -nodes \
215+ -config ca-openssl.conf -extensions v3_ca
216+
217+ # Import CA certificate into NSS database
218+ certutil -A -n "TestCA" -i ca-cert.pem -t "CT,C,C" -d /nss-test/nssdb
219+
220+ # Step 2: Generate user certificate and key pair directly in NSS
221+ echo " Generating user certificate and key pair in NSS database..."
222+
223+ # Create random seed for key generation
224+ dd if=/dev/urandom of=noise.bin bs=20 count=1 2>/dev/null
225+
226+ # Generate certificate request with key pair (creates DER format)
227+ printf '\n\n' | certutil -R -s "CN=Test User,O=NSS Test,C=US" \
228+ -o user-req.der -d /nss-test/nssdb -z noise.bin
229+
230+ # Convert DER format certificate request to PEM format for OpenSSL
231+ openssl req -in user-req.der -inform DER -out user-req.pem -outform PEM
232+
233+ # Sign the certificate request with CA
234+ echo " Signing user certificate with CA..."
235+ cat > signing.conf << 'SIGNEOF'
236+ [v3_user_sign]
237+ keyUsage = critical, digitalSignature, keyEncipherment
238+ extendedKeyUsage = critical, emailProtection
239+ basicConstraints = critical, CA:false
240+ subjectKeyIdentifier = hash
241+ authorityKeyIdentifier = keyid:always,issuer:always
242+ subjectAltName = email:test@example.com
243+ SIGNEOF
244+
245+ openssl x509 -req -in user-req.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial \
246+ -out user-cert.pem -days 365 -extensions v3_user_sign -extfile signing.conf
247+
248+ # Import the signed certificate back into NSS database
249+ echo " Importing signed user certificate..."
250+ certutil -A -n "testcert" -i user-cert.pem -t "u,u,u" -d /nss-test/nssdb
251+
252+ echo " ✓ CA and user certificates created successfully"
253+
254+ echo "3. Listing certificates in NSS database:"
255+ certutil -L -d /nss-test/nssdb
256+ echo
257+ echo "Private keys in NSS database:"
258+ certutil -K -d /nss-test/nssdb
259+ echo
260+ echo "Certificate details:"
261+ if certutil -L -n "testcert" -d /nss-test/nssdb >/dev/null 2>&1; then
262+ echo "User certificate 'testcert':"
263+ certutil -L -n "testcert" -d /nss-test/nssdb
264+ echo
265+ fi
266+ if certutil -L -n "TestCA" -d /nss-test/nssdb >/dev/null 2>&1; then
267+ echo "CA certificate 'TestCA':"
268+ certutil -L -n "TestCA" -d /nss-test/nssdb
269+ fi
270+
271+ echo "4. Testing CMS operations with installed cmsutil:"
272+
273+ # Verify cmsutil is from installed NSS package
274+ echo " Using cmsutil from: $(which cmsutil)"
275+ cmsutil -V || echo "cmsutil version command not supported"
276+
277+ # Test CMS signing with additional options to handle trust
278+ echo " a) Signing data with CMS:"
279+ cmsutil -S -N "testcert" -i test-data.txt -o signed-data.p7s -d /nss-test/nssdb -p "" -G
280+
281+ if [ -f signed-data.p7s ]; then
282+ echo " ✓ CMS signing successful - created signed-data.p7s"
283+ ls -la signed-data.p7s
284+ else
285+ echo " ✗ CMS signing failed"
286+ fi
287+
288+ # Test CMS verification
289+ echo " b) Verifying CMS signature:"
290+ openssl smime -verify -in signed-data.p7s -CAfile ca-cert.pem -inform DER -noverify 2>/dev/null && echo " ✓ OpenSSL verification successful"
291+
292+ # Test CMS encryption (envelope)
293+ echo " c) Creating CMS encrypted envelope:"
294+ cmsutil -E -r "testcert" -i test-data.txt -o encrypted-data.p7e -d /nss-test/nssdb
295+ if [ -f encrypted-data.p7e ]; then
296+ echo " ✓ CMS encryption successful - created encrypted-data.p7e"
297+ ls -la encrypted-data.p7e
298+ else
299+ echo " ✗ CMS encryption failed"
300+ fi
301+
302+ # Test CMS decryption
303+ echo " d) Decrypting CMS envelope:"
304+ cmsutil -D -i encrypted-data.p7e -o decrypted-data.txt -d /nss-test/nssdb -p ""
305+ if [ -f decrypted-data.txt ]; then
306+ echo " ✓ CMS decryption successful"
307+ echo " Original data:"
308+ cat test-data.txt
309+ echo " Decrypted data:"
310+ cat decrypted-data.txt
311+ echo " Data match:" $(cmp -s test-data.txt decrypted-data.txt && echo "YES" || echo "NO")
312+ else
313+ echo " ✗ CMS decryption failed"
314+ fi
315+
316+ echo
317+ echo "=== Package-based cmsutil Test Complete ==="
318+ echo "Files created:"
319+ ls -la *.p7s *.p7e *.txt *.pem 2>/dev/null || echo "No files found"
320+
321+ echo
322+ echo "=== Package Information ==="
323+ echo "Installed wolfSSL packages:"
324+ dpkg -l | grep wolfssl || echo "No wolfSSL packages found"
325+ echo "Installed wolfPKCS11 packages:"
326+ dpkg -l | grep wolfpkcs11 || echo "No wolfPKCS11 packages found"
327+ echo "Installed NSS packages:"
328+ dpkg -l | grep libnss3 || echo "No NSS packages found"
329+
330+ # Create tar archive with all test artifacts
331+ mkdir -p /tmp/artifacts
332+ cp -r /logs /tmp/artifacts/ 2>/dev/null || true
333+ cp -r /nss-test /tmp/artifacts/ 2>/dev/null || true
334+ tar -czf /tmp/nss-cmsutil-debian-test-artifacts.tar.gz -C /tmp/artifacts . 2>/dev/null || true
335+
336+ - name : Upload test artifacts
337+ if : always()
338+ uses : actions/upload-artifact@v4
339+ with :
340+ name : nss-cmsutil-debian-test-artifacts
341+ path : /tmp/nss-cmsutil-debian-test-artifacts.tar.gz
342+ retention-days : 5
343+
344+ - name : Upload built packages
345+ if : always()
346+ uses : actions/upload-artifact@v4
347+ with :
348+ name : debian-packages
349+ path : |
350+ /tmp/wolfssl/*.deb
351+ *.deb
352+ /tmp/nss-build/*.deb
353+ retention-days : 5
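Review bot: The "Run NSS cmsutil tests" step never turns a failed check into a failed job: the `openssl smime -verify … && echo " ✓ …"` list in the verification sub-step and the `cmp -s … && echo "YES" || echo "NO"` in the decryption sub-step only print, and under `set -e` a false left-hand side of `&&` does not abort, so a bad signature or a plaintext mismatch still leaves the run green. Replacing the match line with `if ! cmp -s test-data.txt decrypted-data.txt; then echo " ✗ Decrypted data differs"; exit 1; fi` and, since the CA is already supplied via `-CAfile`, dropping `-noverify` and the `2>/dev/null` from the openssl call would make the step assert what it reports. It also looks like the wolfPKCS11 module configuration is written to /nss-test/pkcs11.txt while the database is initialised at /nss-test/nssdb/, and NSS reads pkcs11.txt from the database directory, so the run may be exercising the default softoken rather than wolfPKCS11 — worth confirming from `modutil -list -dbdir /nss-test/nssdb` in the job log. Separately, the workflow declares no top-level `permissions:` block, so the GITHUB_TOKEN carries the repository's default scopes; these steps need only `permissions:` / `  contents: read`, and pinning `actions/checkout@v4` and `actions/upload-artifact@v4` to full commit SHAs would complete the least-privilege setup.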