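name: Build and Test

# "on" looks like a YAML 1.1 boolean to generic parsers; GitHub's loader
# treats it as the trigger key, so no quoting is needed here.
on: [push, pull_request]

# Least privilege for the job token: no step in this workflow writes to the
# repository (checkout only reads), so a read-only GITHUB_TOKEN is enough.
permissions:
  contents: read

# NOTE(review): the actions below are referenced by major-version tag; pinning
# them to a full commit SHA would make the build inputs immutable.
jobs:
  build_debian_derivatives:
    strategy:
      fail-fast: false
      matrix:
        include:
          # upload_for_test is compared as the string 'true' below; exactly one
          # leg per job hands its build tree to the `test` job.
          - environment: "ubuntu:24.10"
            cc: "gcc"
            upload_for_test: "false"
          - environment: "ubuntu:24.10"
            cc: "clang"
            upload_for_test: "false"
          - environment: "ubuntu:24.04"
            cc: "gcc"
            upload_for_test: "false"
          - environment: "ubuntu:24.04"
            cc: "clang"
            upload_for_test: "false"
          - environment: "ubuntu:22.04"
            cc: "gcc"
            upload_for_test: "false"
          - environment: "ubuntu:22.04"
            cc: "clang"
            upload_for_test: "true"
          - environment: "ubuntu:20.04"
            cc: "gcc"
            upload_for_test: "false"
          - environment: "ubuntu:20.04"
            cc: "clang"
            upload_for_test: "false"
          - environment: "debian:12"
            cc: "gcc"
            upload_for_test: "false"
          - environment: "debian:12"
            cc: "clang"
            upload_for_test: "false"
          - environment: "debian:11"
            cc: "gcc"
            upload_for_test: "false"
          - environment: "debian:11"
            cc: "clang"
            upload_for_test: "false"
    name: build on ${{ matrix.environment }} (${{ matrix.cc }}, ${{ matrix.upload_for_test }})
    runs-on: ubuntu-latest
    container: ${{ matrix.environment }}
    steps:
      - name: install dependencies from package management
        env:
          CC: ${{ matrix.cc }}
          DEBIAN_FRONTEND: noninteractive
        run: |
          apt update
          apt install -q -y build-essential \
            cmake pkg-config \
            gengetopt \
            help2man \
            libcurl4-openssl-dev \
            libedit-dev \
            libpcsclite-dev \
            libusb-1.0-0-dev \
            libssl-dev \
            file \
            curl \
            jq
          if [ "$CC" = "clang" ]; then
            apt install -q -y clang llvm lld
          fi
      - name: clone the Yubico/yubihsm-shell repository
        uses: actions/checkout@v4
        with:
          path: yubihsm-shell
      - name: apply environment specific changes to CMakeLists.txt
        working-directory: yubihsm-shell
        # NOTE(review): no matrix entry selects ubuntu:14.04, so this step is
        # currently inert; it is kept so the legacy build can be re-enabled.
        if: ${{ matrix.environment == 'ubuntu:14.04' }}
        run: |
          # ubuntu 14.04 comes with cmake version 2.8, but the project requires 3.5
          # we downgrade that requirement for the ubuntu 14.04 build
          sed -i 's/cmake_minimum_required (VERSION 3.5)/cmake_minimum_required (VERSION 2.8)/' CMakeLists.txt
          # we also remove the following policies which are not supported in the older cmake version
          sed -i 's/cmake_policy(SET CMP0025 NEW)/#cmake_policy(SET CMP0025 NEW)/' CMakeLists.txt
          sed -i 's/cmake_policy(SET CMP0042 NEW)/#cmake_policy(SET CMP0042 NEW)/' CMakeLists.txt
          sed -i 's/cmake_policy(SET CMP0054 NEW)/#cmake_policy(SET CMP0054 NEW)/' CMakeLists.txt
          # append the following flags: -Wno-missing-braces -Wno-missing-field-initializers -Wno-implicit-function-declaration
          sed -i 's/-Wall -Wextra -Werror/-Wall -Wextra -Werror -Wno-missing-braces -Wno-missing-field-initializers -Wno-implicit-function-declaration/' cmake/SecurityFlags.cmake
      - name: apply environment specific changes to CMakeLists.txt
        working-directory: yubihsm-shell
        if: ${{ matrix.environment == 'ubuntu:24.10' }}
        run: |
          # ubuntu 24.10 comes with _FORTIFY_SOURCE already set
          sed -i 's/add_definitions (-D_FORTIFY_SOURCE=2)/add_definitions (-D_FORTIFY_SOURCE=3)/' cmake/SecurityFlags.cmake
          # Set PCSC flags
          sed -i 's/#SET(CMAKE_C_FLAGS/SET(CMAKE_C_FLAGS/' ykhsmauth/CMakeLists.txt
      - name: do build
        working-directory: yubihsm-shell
        env:
          CC: ${{ matrix.cc }}
          VERBOSE: 1
        run: |
          mkdir build
          cd build
          if [ "$CC" = "gcc" ]; then
            cmake -DRELEASE_BUILD=1 -DWITHOUT_YKYH=1 ..
          else
            # clang builds use the llvm binutils and lld so the toolchain is consistent
            cmake -DRELEASE_BUILD=1 -DWITHOUT_YKYH=1 \
              -DCMAKE_AR=/usr/bin/llvm-ar \
              -DCMAKE_RANLIB=/usr/bin/llvm-ranlib \
              -DCMAKE_EXE_LINKER_FLAGS="-fuse-ld=lld" \
              ..
          fi
          cmake --build .
      - name: do static build
        working-directory: yubihsm-shell
        env:
          CC: ${{ matrix.cc }}
          VERBOSE: 1
          BUILD_ENVIRONMENT: ${{ matrix.environment }}
        run: |
          mkdir build-static
          cd build-static
          if [ "$CC" = "gcc" ]; then
            cmake -DENABLE_STATIC=ON -DCMAKE_BUILD_TYPE=Release ..
          else
            cmake -DENABLE_STATIC=ON -DCMAKE_BUILD_TYPE=Release \
              -DCMAKE_AR=/usr/bin/llvm-ar \
              -DCMAKE_RANLIB=/usr/bin/llvm-ranlib \
              -DCMAKE_EXE_LINKER_FLAGS="-fuse-ld=lld" \
              ..
          fi
          cmake --build .
      - name: prepare name for upload-artifact action
        env:
          DOCKER_IMAGE: ${{ matrix.environment }}
          CC: ${{ matrix.cc }}
        run: |
          # Keep only [A-Za-z0-9] of the image name; the test job derives the
          # same name with the same expression to find this artifact.
          ESCAPED_IMAGE=$(echo -n "$DOCKER_IMAGE" | sed -E 's/[^a-zA-Z0-9]//g')
          echo "ARTIFACT_NAME=yubihsm-shell_${ESCAPED_IMAGE}_${CC}" >> "$GITHUB_ENV"
      - name: create compressed tar file
        if: ${{ matrix.upload_for_test == 'true' }}
        run: tar cfz yubihsm-shell.tar.gz yubihsm-shell
      - name: upload artifacts for the test job
        if: ${{ matrix.upload_for_test == 'true' }}
        # v3 of the artifact actions is deprecated; v4 requires a unique artifact
        # name per upload, which ARTIFACT_NAME (image + compiler) already gives.
        uses: actions/upload-artifact@v4
        with:
          name: "${{ env.ARTIFACT_NAME }}"
          path: yubihsm-shell.tar.gz

  build_centos_fedora:
    strategy:
      fail-fast: false
      matrix:
        include:
          # we do not perform clang builds for all environments, only fedora
          - environment: "fedora:40"
            cc: "gcc"
            upload_for_test: "true"
          - environment: "fedora:40"
            cc: "clang"
            upload_for_test: "false"
          - environment: "fedora:41"
            cc: "gcc"
            upload_for_test: "false"
          - environment: "fedora:41"
            cc: "clang"
            upload_for_test: "false"
    name: build on ${{ matrix.environment }} (${{ matrix.cc }}, ${{ matrix.upload_for_test }})
    runs-on: ubuntu-latest
    container: ${{ matrix.environment }}
    steps:
      - name: clone the Yubico/yubihsm-shell repository
        # same major version as the other jobs so checkout behaves identically
        uses: actions/checkout@v4
        with:
          path: yubihsm-shell
      - name: extract platform name
        env:
          DOCKER_IMAGE: ${{ matrix.environment }}
        run: |
          # Remove everything from DOCKER_IMAGE that is not a letter or a number
          PLATFORM=$(echo -n "$DOCKER_IMAGE" | sed -E 's/[^a-zA-Z0-9]//g')
          echo "PLATFORM=$PLATFORM" >> "$GITHUB_ENV"
      - name: install dependencies from package management
        env:
          CC: ${{ matrix.cc }}
          PLATFORM: ${{ env.PLATFORM }}
        run: |
          cd yubihsm-shell/resources/release/linux
          ./install_redhat_dependencies.sh "$PLATFORM"
          if [ "$CC" = "clang" ]; then
            yum install -y clang llvm lld
          fi
      - name: apply environment specific changes to CMakeLists.txt
        working-directory: yubihsm-shell
        # NOTE(review): no matrix entry selects centos:7, so this step is
        # currently inert; it is kept so the legacy build can be re-enabled.
        if: ${{ matrix.environment == 'centos:7' }}
        run: |
          # centos 7 comes with cmake version 2.8, but the project requires 3.5
          # we downgrade that requirement for the centos 7 build
          sed -i 's/cmake_minimum_required (VERSION 3.5)/cmake_minimum_required (VERSION 2.8)/' CMakeLists.txt
          # we also remove the following policies which are not supported in the older cmake version
          sed -i 's/cmake_policy(SET CMP0025 NEW)/#cmake_policy(SET CMP0025 NEW)/' CMakeLists.txt
          sed -i 's/cmake_policy(SET CMP0042 NEW)/#cmake_policy(SET CMP0042 NEW)/' CMakeLists.txt
          sed -i 's/cmake_policy(SET CMP0054 NEW)/#cmake_policy(SET CMP0054 NEW)/' CMakeLists.txt
          # append the following flags: -Wno-missing-braces -Wno-missing-field-initializers -Wno-implicit-function-declaration
          sed -i 's/-Wall -Wextra -Werror/-Wall -Wextra -Werror -Wno-missing-braces -Wno-missing-field-initializers/' cmake/SecurityFlags.cmake
      - name: apply environment specific changes to CMakeLists.txt
        working-directory: yubihsm-shell
        if: ${{ matrix.environment == 'fedora:41' }}
        run: |
          # Set PCSC flags
          sed -i 's/#SET(CMAKE_C_FLAGS/SET(CMAKE_C_FLAGS/' ykhsmauth/CMakeLists.txt
      - name: do build
        working-directory: yubihsm-shell
        env:
          CC: ${{ matrix.cc }}
          VERBOSE: 1
        run: |
          mkdir build
          cd build
          if [ "$CC" = "gcc" ]; then
            cmake -DCMAKE_BUILD_TYPE=Release ..
          else
            cmake -DCMAKE_BUILD_TYPE=Release \
              -DCMAKE_AR=/usr/bin/llvm-ar \
              -DCMAKE_RANLIB=/usr/bin/llvm-ranlib \
              -DCMAKE_EXE_LINKER_FLAGS="-fuse-ld=lld" \
              ..
          fi
          cmake --build .
      - name: do static build
        working-directory: yubihsm-shell
        env:
          CC: ${{ matrix.cc }}
          VERBOSE: 1
          PLATFORM: ${{ env.PLATFORM }}
        run: |
          mkdir build-static
          cd build-static
          if [ "$CC" = "gcc" ]; then
            # lto breaks static builds on centos 7 so we disable it
            # (quoted so an empty PLATFORM is a false comparison, not a syntax error)
            if [ "$PLATFORM" = "centos7" ]; then
              cmake -DENABLE_STATIC=ON -DCMAKE_BUILD_TYPE=Release -DDISABLE_LTO=ON ..
            else
              cmake -DENABLE_STATIC=ON -DCMAKE_BUILD_TYPE=Release ..
            fi
          else
            cmake -DENABLE_STATIC=ON -DCMAKE_BUILD_TYPE=Release \
              -DCMAKE_AR=/usr/bin/llvm-ar \
              -DCMAKE_RANLIB=/usr/bin/llvm-ranlib \
              -DCMAKE_EXE_LINKER_FLAGS="-fuse-ld=lld" \
              ..
          fi
          cmake --build .
      - name: prepare name for upload-artifact action
        env:
          PLATFORM: ${{ env.PLATFORM }}
          CC: ${{ matrix.cc }}
        run: |
          echo "ARTIFACT_NAME=yubihsm-shell_${PLATFORM}_${CC}" >> "$GITHUB_ENV"
      - name: create compressed tar file
        if: ${{ matrix.upload_for_test == 'true' }}
        run: tar cfz yubihsm-shell.tar.gz yubihsm-shell
      - name: upload artifacts for the test job
        if: ${{ matrix.upload_for_test == 'true' }}
        # v3 of the artifact actions is deprecated; the name is unique per leg.
        uses: actions/upload-artifact@v4
        with:
          name: "${{ env.ARTIFACT_NAME }}"
          path: yubihsm-shell.tar.gz

  build_macos:
    name: build on macos
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: macos-latest
          - os: macos-latest-xlarge
    steps:
      - name: install dependencies using brew
        run: brew install gengetopt help2man libedit opensc
      - name: clone the Yubico/yubihsm-shell repository
        uses: actions/checkout@v4
        with:
          path: yubihsm-shell
      - name: do build
        working-directory: yubihsm-shell
        env:
          VERBOSE: 1
        run: |
          mkdir build
          cd build
          cmake -DCMAKE_BUILD_TYPE=Release ..
          cmake --build .
      - name: Test loading PKCS11 module
        working-directory: yubihsm-shell
        run: |
          # No connector is running here; the check only verifies that the module
          # loads and reports its manufacturer.
          echo connector=http://127.0.0.1:12345 > yubihsm_pkcs11.conf
          export YUBIHSM_PKCS11_CONF="$GITHUB_WORKSPACE/yubihsm-shell/yubihsm_pkcs11.conf"
          pkcs11-tool --module build/pkcs11/yubihsm_pkcs11.dylib --show-info | grep Yubico
      - name: do static build
        working-directory: yubihsm-shell
        env:
          VERBOSE: 1
        run: |
          mkdir build-static
          cd build-static
          cmake -DENABLE_STATIC=ON -DCMAKE_BUILD_TYPE=Release ..
          cmake --build .
      - name: check binaries for hardening
        working-directory: yubihsm-shell
        run: |
          ./resources/release/macos/check_hardening.sh "build/src/yubihsm-shell"

  test:
    strategy:
      fail-fast: false
      matrix:
        include:
          # each entry must match an upload_for_test: "true" leg of a build job
          - environment: "ubuntu:22.04"
            cc: "clang"
          - environment: "fedora:40"
            cc: "gcc"
    name: run unit tests
    runs-on: ubuntu-latest
    container: ${{ matrix.environment }}
    needs: [build_debian_derivatives, build_centos_fedora]
    steps:
      - name: install dependencies from package management (debian based)
        env:
          DEBIAN_FRONTEND: noninteractive
        if: ${{ matrix.environment == 'ubuntu:22.04' }}
        run: |
          apt update
          apt install -q -y build-essential cmake python3 python3-pip python3-setuptools curl libedit2 libpcsclite1 libengine-pkcs11-openssl opensc swig openjdk-11-jdk-headless libssl3
      - name: install dependencies from package management (rpm based)
        if: ${{ matrix.environment == 'fedora:40' }}
        run: |
          yum install -y gcc gcc-c++ cmake python3-devel python3-pip python3-setuptools curl libedit gengetopt openssl libcurl pcsc-lite swig java-11-openjdk-headless which
      - name: prepare name for download-artifact action
        env:
          DOCKER_IMAGE: ${{ matrix.environment }}
          CC: ${{ matrix.cc }}
        run: |
          # Must produce the same name the build job used when uploading.
          ESCAPED_IMAGE=$(echo -n "$DOCKER_IMAGE" | sed -E 's/[^a-zA-Z0-9]//g')
          echo "ARTIFACT_NAME=yubihsm-shell_${ESCAPED_IMAGE}_${CC}" >> "$GITHUB_ENV"
      - name: download artifacts from the build job
        # must match the major version used by upload-artifact in the build jobs
        uses: actions/download-artifact@v4
        with:
          name: "${{ env.ARTIFACT_NAME }}"
      - name: decompress yubihsm-shell.tar.gz
        run: tar xfz yubihsm-shell.tar.gz
      - name: prepare ghostunnel
        env:
          TLSPWD: ${{ secrets.TLSKEY }}
          # GODEBUG required for ghostunnel to temporarily enable Common Name matching
          GODEBUG: x509ignoreCN=0
        run: |
          # -f makes an HTTP error fail the download instead of saving the error
          # body as the binary that is executed below.
          # NOTE(review): the download is not integrity-checked; recording the
          # release's digest (placeholder: <GHOSTUNNEL_SHA256>) and verifying it
          # with `sha256sum -c` before chmod would close that gap.
          curl -fsSL -o /tmp/ghostunnel https://github.com/ghostunnel/ghostunnel/releases/download/v1.6.0/ghostunnel-v1.6.0-linux-amd64
          chmod +x /tmp/ghostunnel
          # The passphrase is read from the environment (-pass env:) instead of
          # being passed on the command line (-k), so it does not appear in the
          # container's process list.
          openssl aes-256-cbc \
            -pass env:TLSPWD \
            -md sha256 \
            -in yubihsm-shell/.ci/client-combined.pem.enc \
            -out yubihsm-shell/.ci/client-combined.pem \
            -d
          /tmp/ghostunnel client \
            --listen localhost:12345 \
            --target hsm-connector01.sthlm.in.yubico.org:8443 \
            --keystore yubihsm-shell/.ci/client-combined.pem \
            --cacert yubihsm-shell/.ci/server-crt.pem > /dev/null 2>&1 &
          sleep 3
          DEFAULT_CONNECTOR_URL=$(curl -s http://localhost:12345/dispatcher/request)
          # Brace group, not a subshell, so the step fails regardless of the
          # shell's -e handling; the message goes to stderr.
          test -n "$DEFAULT_CONNECTOR_URL" || { echo "Unable to obtain a connector URL, aborting" >&2; exit 1; }
          echo "DEFAULT_CONNECTOR_URL=$DEFAULT_CONNECTOR_URL" >> "$GITHUB_ENV"
      - name: clone the YubicoLabs/pkcs11test repository
        uses: actions/checkout@v4
        with:
          repository: YubicoLabs/pkcs11test
          path: pkcs11test
      - name: build the pkcs11test binary
        working-directory: pkcs11test
        run: |
          make
          echo "PKCS11TEST_PATH=$(pwd)" >> "$GITHUB_ENV"
      - name: reset the hsm
        working-directory: yubihsm-shell/build/src
        run: |
          ./yubihsm-shell --connector "$DEFAULT_CONNECTOR_URL" -p password -a reset
          sleep 3
      - name: run tests with ctest
        working-directory: yubihsm-shell/build
        env:
          DOCKER_IMAGE: ${{ matrix.environment }}
        run: |
          # NOTE(review): the test matrix only holds ubuntu:22.04 and fedora:40,
          # so the debian:11 and centos:7 branches below are currently inert.
          if [ "$DOCKER_IMAGE" = "debian:11" ]; then
            # we skip the engine tests (for now) since it ships with a broken curl version
            ctest --output-on-failure -E engine
          elif [ "$DOCKER_IMAGE" = "centos:7" ]; then
            # we skip the ecdh_derive tests (for now) since there is an issue with generating secp224r1 keys
            ctest --output-on-failure -E 'ecdh_derive|aes|ecdh_sp800'
          else
            ctest --output-on-failure
          fi
      - name: clone the YubicoLabs/python-pkcs11tester repository
        uses: actions/checkout@v4
        with:
          repository: YubicoLabs/python-pkcs11tester
          path: python-pkcs11tester
      - name: run python-pkcs11tester
        env:
          DOCKER_IMAGE: ${{ matrix.environment }}
        run: |
          if [ "$DOCKER_IMAGE" = "centos:7" ]; then
            # the pypi cryptography package requires an up-to-date version of pip
            # https://github.com/pyca/cryptography/issues/5753
            pip3 install --upgrade pip
          fi
          export YUBIHSM_PKCS11_MODULE="$(pwd)/yubihsm-shell/build/pkcs11/yubihsm_pkcs11.so"
          cd python-pkcs11tester
          echo "connector=$DEFAULT_CONNECTOR_URL" > yubihsm_pkcs11.conf
          python3 -m pip install 'pykcs11' 'cryptography>=1.4.0'
          python3 setup.py test
      - name: cleanup
        if: ${{ always() }}
        run: |
          # Give the connector back to the dispatcher even when a test step failed.
          # The URL is quoted so "?" is not subject to shell globbing.
          if [ -n "$DEFAULT_CONNECTOR_URL" ]; then
            curl -s "http://localhost:12345/dispatcher/release?connector=$DEFAULT_CONNECTOR_URL"
          fi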