
Commit f0851c0

committed
Add x509 interop CI workflow
- Build PKIX-SSH and run wolfSSHd against the PKIX-SSH ssh/sftp clients using x509 user certs.
1 parent 36496cb commit f0851c0

1 file changed

Lines changed: 205 additions & 0 deletions


.github/workflows/x509-interop.yml

Lines changed: 205 additions & 0 deletions
@@ -0,0 +1,205 @@
1+
name: wolfSSH x509 Interop Test
2+
3+
on:
4+
schedule:
5+
# Weekly: Mondays at 06:00 UTC
6+
- cron: '0 6 * * 1'
7+
workflow_dispatch:
8+
9+
concurrency:
10+
group: ${{ github.workflow }}-${{ github.ref }}
11+
cancel-in-progress: true
12+
13+
env:
14+
WOLFSSL_REF: v5.9.1-stable
15+
PKIXSSH_VERSION: 14.4
16+
17+
jobs:
18+
build_wolfssl:
19+
name: Build wolfSSL
20+
runs-on: ubuntu-latest
21+
timeout-minutes: 5
22+
steps:
23+
- name: Checking cache for wolfSSL
24+
uses: actions/cache@v5
25+
id: cache-wolfssl
26+
with:
27+
path: build-dir/
28+
key: wolfssh-x509-interop-wolfssl-${{ env.WOLFSSL_REF }}-ubuntu-latest
29+
lookup-only: true
30+
31+
- name: Checkout, build, and install wolfSSL
32+
if: steps.cache-wolfssl.outputs.cache-hit != 'true'
33+
uses: wolfSSL/actions-build-autotools-project@v1
34+
with:
35+
repository: wolfssl/wolfssl
36+
ref: ${{ env.WOLFSSL_REF }}
37+
path: wolfssl
38+
configure: --enable-ssh --enable-keygen --enable-ed25519 --enable-curve25519
39+
check: false
40+
install: true
41+
42+
build_pkixssh:
43+
name: Build PKIX-SSH
44+
runs-on: ubuntu-latest
45+
timeout-minutes: 10
46+
steps:
47+
- name: Checking cache for PKIX-SSH
48+
uses: actions/cache@v5
49+
id: cache-pkixssh
50+
with:
51+
path: build-dir/
52+
key: wolfssh-x509-interop-pkixssh-${{ env.PKIXSSH_VERSION }}-ubuntu-latest
53+
lookup-only: true
54+
55+
- name: Install build dependencies
56+
if: steps.cache-pkixssh.outputs.cache-hit != 'true'
57+
run: |
58+
sudo apt-get -y update
59+
sudo apt-get -y install libssl-dev zlib1g-dev
60+
61+
- name: Download, build, and install PKIX-SSH
62+
if: steps.cache-pkixssh.outputs.cache-hit != 'true'
63+
run: |
64+
curl -L -o pkixssh.tar.gz \
65+
"https://roumenpetrov.info/secsh/src/pkixssh-${PKIXSSH_VERSION}.tar.gz"
66+
tar xzf pkixssh.tar.gz
67+
sudo mkdir -p /var/empty
68+
cd pkixssh-${PKIXSSH_VERSION}
69+
./configure \
70+
--prefix=$PWD/../build-dir/ \
71+
--with-privsep-path=/var/empty \
72+
--with-privsep-user=nobody \
73+
--disable-strip
74+
make
75+
make install
76+
77+
x509_interop:
78+
name: Run x509 interop test
79+
needs: [build_wolfssl, build_pkixssh]
80+
runs-on: ubuntu-latest
81+
timeout-minutes: 10
82+
steps:
83+
- name: Restore wolfSSL cache
84+
uses: actions/cache@v5
85+
with:
86+
path: build-dir/
87+
key: wolfssh-x509-interop-wolfssl-${{ env.WOLFSSL_REF }}-ubuntu-latest
88+
fail-on-cache-miss: true
89+
90+
- name: Restore PKIX-SSH cache
91+
uses: actions/cache@v5
92+
with:
93+
path: build-dir/
94+
key: wolfssh-x509-interop-pkixssh-${{ env.PKIXSSH_VERSION }}-ubuntu-latest
95+
fail-on-cache-miss: true
96+
97+
- name: Install test dependencies
98+
run: |
99+
sudo apt-get -y update
100+
sudo apt-get -y install netcat-traditional
101+
102+
- uses: actions/checkout@v6
103+
with:
104+
path: wolfssh/
105+
106+
- name: autogen
107+
working-directory: ./wolfssh/
108+
run: ./autogen.sh
109+
110+
- name: configure
111+
working-directory: ./wolfssh/
112+
run: |
113+
./configure --enable-all --enable-certs \
114+
LDFLAGS="-L${{ github.workspace }}/build-dir/lib" \
115+
CPPFLAGS="-I${{ github.workspace }}/build-dir/include -DWOLFSSH_NO_FPKI"
116+
117+
- name: make
118+
working-directory: ./wolfssh/
119+
run: make
120+
121+
- name: Create test user fred
122+
run: |
123+
sudo useradd -m fred
124+
125+
- name: Prepare client cert in PKIX-SSH format
126+
working-directory: ./wolfssh/
127+
run: |
128+
chmod 600 ./keys/fred-key.pem
129+
cat ./keys/fred-cert.pem >> ./keys/fred-key.pem
130+
../build-dir/bin/ssh-keygen -y -f ./keys/fred-key.pem \
131+
> ./keys/fred-key.pem.pub
132+
133+
- name: Write PKIX-SSH client config
134+
working-directory: ./wolfssh/
135+
run: |
136+
echo "CACertificateFile $PWD/keys/ca-cert-ecc.pem" \
137+
> ssh-pkixssh-config
138+
139+
- name: Write wolfSSHd config
140+
working-directory: ./wolfssh/
141+
run: |
142+
rm -f sshd_config
143+
cat > sshd_config <<EOT
144+
Port 22222
145+
Protocol 2
146+
LoginGraceTime 600
147+
PermitRootLogin yes
148+
PasswordAuthentication yes
149+
PermitEmptyPasswords no
150+
151+
TrustedUserCAKeys $PWD/keys/ca-cert-ecc.pem
152+
HostKey $PWD/keys/server-key.pem
153+
HostCertificate $PWD/keys/server-cert.pem
154+
EOT
155+
156+
- name: Start wolfSSHd
157+
working-directory: ./wolfssh/
158+
run: |
159+
sudo ./apps/wolfsshd/wolfsshd -f sshd_config -d \
160+
-E $PWD/wolfsshd-log.txt &
161+
for i in $(seq 1 20); do
162+
if nc -z 127.0.0.1 22222; then
163+
echo "wolfSSHd is up"
164+
exit 0
165+
fi
166+
sleep 0.5
167+
done
168+
echo "wolfSSHd failed to start"
169+
cat wolfsshd-log.txt || true
170+
exit 1
171+
172+
- name: Test PKIX-SSH client exit
173+
working-directory: ./wolfssh/
174+
run: |
175+
../build-dir/bin/ssh -o StrictHostKeyChecking=accept-new \
176+
-o PreferredAuthentications=publickey \
177+
-p 22222 -F ssh-pkixssh-config \
178+
-i ./keys/fred-key.pem fred@127.0.0.1 exit
179+
180+
- name: Test PKIX-SSH client ls command
181+
working-directory: ./wolfssh/
182+
run: |
183+
../build-dir/bin/ssh -o StrictHostKeyChecking=accept-new \
184+
-p 22222 -F ssh-pkixssh-config \
185+
-i ./keys/fred-key.pem fred@127.0.0.1 ls
186+
187+
- name: Test PKIX-SSH sftp interop
188+
working-directory: ./wolfssh/
189+
run: |
190+
../build-dir/bin/sftp -o StrictHostKeyChecking=accept-new \
191+
-P 22222 -F ssh-pkixssh-config \
192+
-S ../build-dir/bin/ssh \
193+
-i ./keys/fred-key.pem \
194+
fred@127.0.0.1 <<EOF
195+
exit
196+
EOF
197+
198+
- name: Show wolfSSHd log on failure
199+
if: failure()
200+
working-directory: ./wolfssh/
201+
run: cat wolfsshd-log.txt || true
202+
203+
- name: Stop wolfSSHd
204+
if: always()
205+
run: sudo pkill wolfsshd || true
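Review bot: The PKIX-SSH tarball fetched with `curl -L` in the "Download, build, and install PKIX-SSH" step is extracted and built with no integrity check, so whatever the third-party host (or any redirect in the chain) serves becomes the cached ssh/sftp client for every later run of this workflow. Pin the expected digest next to `PKIXSSH_VERSION` and verify it before `tar xzf`, e.g. `echo "<EXPECTED_SHA256>  pkixssh.tar.gz" | sha256sum -c -` (placeholder digest, to be taken from a known-good download), so a changed tarball fails the build instead of silently becoming the test fixture. Separately, the generated sshd_config sets `PermitRootLogin yes` and `PasswordAuthentication yes` on a daemon started under sudo, while the test steps only ever use `PreferredAuthentications=publickey` with the x509 user cert; changing both to `no` limits the daemon to the surface the test actually exercises, and the runner being ephemeral reduces but does not remove the value of that narrowing.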
