more test debug diagnostic output

JacobBarthelmeh · JacobBarthelmeh · commit 62528d9853f8 · 2026-02-02T10:46:36.000-07:00
diff --git a/.github/workflows/windows-cert-store-test.yml b/.github/workflows/windows-cert-store-test.yml
@@ -1061,6 +1061,102 @@ jobs:
         Remove-Item $batchPath -ErrorAction SilentlyContinue
         Remove-Item $outputFile -ErrorAction SilentlyContinue
 
+    - name: Test wolfsshd config loading as LocalSystem
+      if: matrix.server_key_source == 'store'
+      working-directory: ${{ github.workspace }}\wolfssh
+      shell: pwsh
+      run: |
+        # Try to get more info by testing if wolfsshd can at least parse the config
+        # We'll create a small test that verifies LocalSystem can read all config-referenced files
+        Write-Host "=== Testing config file access as LocalSystem ==="
+
+        $configPath = (Resolve-Path "sshd_config_test").Path
+        $outputFile = "$env:TEMP\localsystem-config-test-output.txt"
+
+        # Create a PowerShell script to test file access as SYSTEM
+        $testScript = @'
+        $ErrorActionPreference = "Continue"
+        $configPath = $args[0]
+        $outputPath = $args[1]
+
+        $results = @()
+        $results += "Testing config access as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
+        $results += ""
+
+        # Test config file
+        $results += "Config file: $configPath"
+        if (Test-Path $configPath) {
+          $results += "  Exists: YES"
+          try {
+            $content = Get-Content $configPath -Raw
+            $results += "  Readable: YES"
+            $results += "  Content:"
+            $content -split "`n" | ForEach-Object { $results += "    $_" }
+            $results += ""
+
+            # Extract and test TrustedUserCAKeys
+            if ($content -match "TrustedUserCAKeys\s+([^\r\n]+)") {
+              $caPath = $matches[1].Trim()
+              $results += "TrustedUserCAKeys: $caPath"
+              if (Test-Path $caPath) {
+                $results += "  Exists: YES"
+                try {
+                  $caContent = Get-Content $caPath -Raw
+                  $results += "  Readable: YES ($($caContent.Length) bytes)"
+                } catch {
+                  $results += "  Readable: NO - $_"
+                }
+              } else {
+                $results += "  Exists: NO"
+              }
+            }
+          } catch {
+            $results += "  Readable: NO - $_"
+          }
+        } else {
+          $results += "  Exists: NO"
+        }
+
+        $results | Out-File -FilePath $outputPath -Encoding UTF8
+        '@
+
+        $scriptPath = "$env:TEMP\test-config-access.ps1"
+        $testScript | Out-File -FilePath $scriptPath -Encoding UTF8
+
+        # Create scheduled task to run as SYSTEM
+        $taskName = "WolfSSH-ConfigAccessTest"
+        $action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ExecutionPolicy Bypass -File `"$scriptPath`" `"$configPath`" `"$outputFile`""
+        $principal = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY\SYSTEM" -LogonType ServiceAccount -RunLevel Highest
+        $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
+
+        Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
+        Register-ScheduledTask -TaskName $taskName -Action $action -Principal $principal -Settings $settings | Out-Null
+        Start-ScheduledTask -TaskName $taskName
+
+        # Wait for completion
+        $timeout = 30
+        $elapsed = 0
+        while ($elapsed -lt $timeout) {
+          Start-Sleep -Seconds 1
+          $elapsed++
+          $task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
+          if ($task.State -eq "Ready") { break }
+        }
+
+        # Show results
+        if (Test-Path $outputFile) {
+          Write-Host "=== LocalSystem config access test results ==="
+          Get-Content $outputFile
+          Write-Host "=== End results ==="
+        } else {
+          Write-Host "WARNING: No output file generated"
+        }
+
+        # Cleanup
+        Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
+        Remove-Item $scriptPath -ErrorAction SilentlyContinue
+        Remove-Item $outputFile -ErrorAction SilentlyContinue
+
     - name: Start wolfSSHd as Windows service
       working-directory: ${{ github.workspace }}\wolfssh
       shell: pwsh
@@ -1070,14 +1166,14 @@ jobs:
             Write-Host "ERROR: wolfsshd.exe not found at $sshdPath"
             exit 1
         }
-        
+
         # Get absolute path for service
         $sshdPathFull = (Resolve-Path $sshdPath).Path
         $configPathFull = (Resolve-Path "sshd_config_test").Path
-        
+
         # Service name
         $serviceName = "wolfsshd"
-        
+
         # Remove service if it already exists
         $existingService = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
         if ($existingService) {
@@ -1089,7 +1185,45 @@ jobs:
             sc.exe delete $serviceName | Out-Null
             Start-Sleep -Seconds 2
         }
-        
+
+        # Show config file content for debugging
+        Write-Host "=== Config file content ==="
+        Get-Content $configPathFull
+        Write-Host "=== End config ==="
+
+        # Verify all files referenced in config are accessible
+        Write-Host "=== Verifying config file references ==="
+        $configContent = Get-Content $configPathFull -Raw
+
+        # Check TrustedUserCAKeys
+        if ($configContent -match "TrustedUserCAKeys\s+([^\r\n]+)") {
+          $caPath = $matches[1].Trim()
+          Write-Host "TrustedUserCAKeys: $caPath"
+          if (Test-Path $caPath) {
+            Write-Host "  File exists: YES"
+            $acl = Get-Acl $caPath
+            $systemAccess = $acl.Access | Where-Object { $_.IdentityReference -like "*SYSTEM*" }
+            if ($systemAccess) {
+              Write-Host "  SYSTEM access: $($systemAccess.FileSystemRights)"
+            } else {
+              Write-Host "  WARNING: No explicit SYSTEM access (may inherit)"
+            }
+          } else {
+            Write-Host "  ERROR: File not found!"
+          }
+        }
+
+        # Check HostKeyStoreSubject
+        if ($configContent -match "HostKeyStoreSubject\s+([^\r\n]+)") {
+          $subject = $matches[1].Trim()
+          Write-Host "HostKeyStoreSubject: '$subject'"
+          Write-Host "  Length: $($subject.Length) chars"
+          # Show hex dump for debugging
+          $bytes = [System.Text.Encoding]::UTF8.GetBytes($subject)
+          $hex = ($bytes | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
+          Write-Host "  UTF-8 hex: $hex"
+        }
+
         # Pre-service checks
         $sshdDir = Split-Path -Parent $sshdPathFull
         $dllPath = Join-Path $sshdDir "wolfssl.dll"
