
Commit f0c6dd6

committed
Add x509 interop CI workflow
- Build PKIX-SSH and run wolfSSHd against the PKIX-SSH ssh/sftp clients using x509 user certs.
- Opens (or comments on) a GitHub issue when the scheduled weekly run fails; manual `workflow_dispatch` runs do not post an issue.
1 parent b217806 commit f0c6dd6

1 file changed

Lines changed: 251 additions & 0 deletions


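--- /dev/null
+++ b/.github/workflows/x509-interop.yml
@@ -0,0 +1,251 @@
+name: wolfSSH x509 Interop Test
+
+on:
+  schedule:
+    # Weekly: Mondays at 06:00 UTC
+    - cron: '0 6 * * 1'
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  WOLFSSL_REF: v5.9.1-stable
+  PKIXSSH_VERSION: 14.4
+
+jobs:
+  build_wolfssl:
+    name: Build wolfSSL
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Checking cache for wolfSSL
+        uses: actions/cache@v5
+        id: cache-wolfssl
+        with:
+          path: build-dir/
+          key: wolfssh-x509-interop-wolfssl-${{ env.WOLFSSL_REF }}-ubuntu-latest
+          lookup-only: true
+
+      - name: Checkout, build, and install wolfSSL
+        if: steps.cache-wolfssl.outputs.cache-hit != 'true'
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          repository: wolfssl/wolfssl
+          ref: ${{ env.WOLFSSL_REF }}
+          path: wolfssl
+          configure: --enable-ssh --enable-keygen --enable-ed25519 --enable-curve25519
+          check: false
+          install: true
+
+  build_pkixssh:
+    name: Build PKIX-SSH
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checking cache for PKIX-SSH
+        uses: actions/cache@v5
+        id: cache-pkixssh
+        with:
+          path: build-dir/
+          key: wolfssh-x509-interop-pkixssh-${{ env.PKIXSSH_VERSION }}-ubuntu-latest
+          lookup-only: true
+
+      - name: Install build dependencies
+        if: steps.cache-pkixssh.outputs.cache-hit != 'true'
+        run: |
+          sudo apt-get -y update
+          sudo apt-get -y install libssl-dev zlib1g-dev
+
+      - name: Download, build, and install PKIX-SSH
+        if: steps.cache-pkixssh.outputs.cache-hit != 'true'
+        run: |
+          curl -L -o pkixssh.tar.gz \
+            "https://roumenpetrov.info/secsh/src/pkixssh-${PKIXSSH_VERSION}.tar.gz"
+          echo "3d3b34a3e60dcc69995aeea25a9dafb9a3abbb72a413ef0654b64f7103aa4928 pkixssh.tar.gz" \
+            | sha256sum -c -
+          tar xzf pkixssh.tar.gz
+          sudo mkdir -p /var/empty
+          cd pkixssh-${PKIXSSH_VERSION}
+          ./configure \
+            --prefix=$PWD/../build-dir/ \
+            --with-privsep-path=/var/empty \
+            --with-privsep-user=nobody \
+            --disable-strip
+          make
+          make install
+
+  x509_interop:
+    name: Run x509 interop test
+    needs: [build_wolfssl, build_pkixssh]
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Restore wolfSSL cache
+        uses: actions/cache@v5
+        with:
+          path: build-dir/
+          key: wolfssh-x509-interop-wolfssl-${{ env.WOLFSSL_REF }}-ubuntu-latest
+          fail-on-cache-miss: true
+
+      - name: Restore PKIX-SSH cache
+        uses: actions/cache@v5
+        with:
+          path: build-dir/
+          key: wolfssh-x509-interop-pkixssh-${{ env.PKIXSSH_VERSION }}-ubuntu-latest
+          fail-on-cache-miss: true
+
+      - name: Install test dependencies
+        run: |
+          sudo apt-get -y update
+          sudo apt-get -y install netcat-traditional
+
+      - uses: actions/checkout@v6
+        with:
+          path: wolfssh/
+
+      - name: autogen
+        working-directory: ./wolfssh/
+        run: ./autogen.sh
+
+      - name: configure
+        working-directory: ./wolfssh/
+        run: |
+          ./configure --enable-all --enable-certs \
+            LDFLAGS="-L${{ github.workspace }}/build-dir/lib" \
+            CPPFLAGS="-I${{ github.workspace }}/build-dir/include -DWOLFSSH_NO_FPKI"
+
+      - name: make
+        working-directory: ./wolfssh/
+        run: make
+
+      - name: Create test user fred
+        run: |
+          sudo useradd -m fred
+
+      - name: Prepare client cert in PKIX-SSH format
+        working-directory: ./wolfssh/
+        run: |
+          chmod 600 ./keys/fred-key.pem
+          cat ./keys/fred-cert.pem >> ./keys/fred-key.pem
+          ../build-dir/bin/ssh-keygen -y -f ./keys/fred-key.pem \
+            > ./keys/fred-key.pem.pub
+
+      - name: Write PKIX-SSH client config
+        working-directory: ./wolfssh/
+        run: |
+          echo "CACertificateFile $PWD/keys/ca-cert-ecc.pem" \
+            > ssh-pkixssh-config
+
+      - name: Write wolfSSHd config
+        working-directory: ./wolfssh/
+        run: |
+          rm -f sshd_config
+          cat > sshd_config <<EOT
+          Port 22222
+          Protocol 2
+          LoginGraceTime 600
+          PermitRootLogin yes
+          PasswordAuthentication yes
+          PermitEmptyPasswords no
+
+          TrustedUserCAKeys $PWD/keys/ca-cert-ecc.pem
+          HostKey $PWD/keys/server-key.pem
+          HostCertificate $PWD/keys/server-cert.pem
+          EOT
+
+      - name: Start wolfSSHd
+        working-directory: ./wolfssh/
+        run: |
+          sudo ./apps/wolfsshd/wolfsshd -f sshd_config -d \
+            -E $PWD/wolfsshd-log.txt &
+          for i in $(seq 1 20); do
+            if nc -z 127.0.0.1 22222; then
+              echo "wolfSSHd is up"
+              exit 0
+            fi
+            sleep 0.5
+          done
+          echo "wolfSSHd failed to start"
+          cat wolfsshd-log.txt || true
+          exit 1
+
+      - name: Test PKIX-SSH client exit
+        working-directory: ./wolfssh/
+        run: |
+          ../build-dir/bin/ssh -o StrictHostKeyChecking=accept-new \
+            -o PreferredAuthentications=publickey \
+            -p 22222 -F ssh-pkixssh-config \
+            -i ./keys/fred-key.pem fred@127.0.0.1 exit
+
+      - name: Test PKIX-SSH client ls command
+        working-directory: ./wolfssh/
+        run: |
+          ../build-dir/bin/ssh -o StrictHostKeyChecking=accept-new \
+            -p 22222 -F ssh-pkixssh-config \
+            -i ./keys/fred-key.pem fred@127.0.0.1 ls
+
+      - name: Test PKIX-SSH sftp interop
+        working-directory: ./wolfssh/
+        run: |
+          ../build-dir/bin/sftp -o StrictHostKeyChecking=accept-new \
+            -P 22222 -F ssh-pkixssh-config \
+            -S ../build-dir/bin/ssh \
+            -i ./keys/fred-key.pem \
+            fred@127.0.0.1 <<EOF
+          exit
+          EOF
+
+      - name: Show wolfSSHd log on failure
+        if: failure()
+        working-directory: ./wolfssh/
+        run: cat wolfsshd-log.txt || true
+
+      - name: Stop wolfSSHd
+        if: always()
+        run: sudo pkill wolfsshd || true
+
+  notify_failure:
+    name: Open issue on scheduled failure
+    needs: [build_wolfssl, build_pkixssh, x509_interop]
+    if: failure() && github.event_name == 'schedule'
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      issues: write
+    steps:
+      - uses: actions/github-script@v7
+        with:
+          script: |
+            const label = 'x509-interop-failure';
+            const runUrl = `${context.serverUrl}/${context.repo.owner}/` +
+              `${context.repo.repo}/actions/runs/${context.runId}`;
+            const body = [
+              'The weekly x509 interop workflow failed.',
+              '',
+              `Run: ${runUrl}`,
+              `Commit: ${context.sha}`,
+            ].join('\n');
+            const existing = await github.rest.issues.listForRepo({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              state: 'open',
+              labels: label,
+            });
+            if (existing.data.length > 0) {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: existing.data[0].number,
+                body: body,
+              });
+            } else {
+              await github.rest.issues.create({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                title: 'Weekly x509 interop test failed',
+                body: body,
+                labels: [label],
+              });
+            }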
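Review bot: The workflow has no top-level `permissions:` block and every `uses:` references a mutable tag (`actions/cache@v5`, `actions/checkout@v6`, `actions/github-script@v7`, `wolfSSL/actions-build-autotools-project@v1`), so the three build/test jobs run with whatever default GITHUB_TOKEN scope the repository grants, and a moved tag upstream silently changes the code that builds and caches the `build-dir/` binaries the interop job later executes; add `permissions:` / `  contents: read` at workflow level (the `notify_failure` job already requests `issues: write` for itself) and pin each action to a full commit SHA with the tag kept in a trailing comment. The generated `sshd_config` also sets `PermitRootLogin yes` and `PasswordAuthentication yes` while the steps only exercise certificate-based public-key auth for `fred`, and the daemon listens on port 22222 with no `ListenAddress`; `PermitRootLogin no` and `PasswordAuthentication no` would confine the test daemon to the one auth path under test (whether wolfSSHd honours a `ListenAddress` directive is not visible from this file). With `-o StrictHostKeyChecking=accept-new` on every client invocation, the first connection accepts whatever host key the server presents, so as far as I can tell a regression in validating `server-cert.pem` against `ca-cert-ecc.pem` would not fail this run — worth a comment on the test steps stating that host-certificate validation is deliberately not asserted, or switching to a mode that rejects an unverified host key. The tarball download is done right: the sha256 is checked before `tar xzf`, so the `curl -L` redirect-following is harmless.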
