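---
# Build NSS (with the wolfSSL OSP patch set) and wolfPKCS11, register the
# module in an NSS database, then push TLS traffic through NSS's ssltap proxy
# and collect the PKCS#11 / NSPR debug logs.
#
# Supply-chain notes for maintainers:
#   * NSPR_VERSION is a Mercurial *branch* and NSS_VERSION a *tag*; neither is
#     immutable, and the cache keys below are derived from these names only,
#     so a cache hit freezes whatever was fetched first. Pin to changeset IDs
#     (hg) / commit SHAs (git) if reproducibility matters.
#   * The wolfSSL/osp patch set is cloned from its default branch, unpinned.
#   * Third-party actions are referenced by major tag; pinning each to a
#     full-length commit SHA is the usual hardening.
name: wolfPKCS11 NSS SSLTap Test

on:  # yamllint disable-line rule:truthy
  push:
    branches: ['master', 'main', 'nss']
  pull_request:
    branches: ['*']
  workflow_dispatch:

# Least privilege: the job only reads the repository and uploads artifacts.
permissions:
  contents: read

defaults:
  run:
    # Explicit bash gives `-eo pipefail`, so a failing producer in a pipeline
    # fails the step instead of being masked by the consumer.
    shell: bash

env:
  NSPR_VERSION: NSPR_4_36_BRANCH
  NSS_VERSION: NSS_3_112_RTM
  WOLFSSL_VERSION: v5.8.4-stable
  # NSS/NSPR debug tracing. all:5 is extremely verbose; the logs are only
  # uploaded on failure (last step) and kept for 5 days.
  NSS_DEBUG_PKCS11_MODULE: wolfPKCS11
  NSPR_LOG_MODULES: all:5
  NSPR_LOG_FILE: /logs/nss.log
  NSS_OUTPUT_FILE: /logs/stats.log
  NSS_STRICT_NOFORK: "1"
  NSS_DEBUG: all

jobs:
  nss-ssltap-test:
    runs-on: ubuntu-22.04
    # A cold NSS debug build plus wolfSSL takes a while; cap the job so a
    # wedged build does not run for the 6-hour default. Raise if needed.
    timeout-minutes: 120
    steps:
      - name: Checkout wolfPKCS11
        uses: actions/checkout@v4
        with:
          path: wolfpkcs11

      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            build-essential \
            mercurial \
            git \
            python3 \
            python3-pip \
            python-is-python3 \
            zlib1g-dev \
            libssl-dev \
            wget \
            curl \
            netcat-openbsd \
            openssl \
            automake \
            libtool \
            tcpdump \
            net-tools \
            gyp \
            ninja-build \
            pkg-config \
            libnss3-tools \
            opensc

      - name: Create working directories
        run: |
          mkdir -p /opt/wolfssl /opt/wolfpkcs11 /opt/certs /opt/test
          sudo mkdir -p /etc/pki/nssdb
          # NSPR_LOG_FILE / NSS_OUTPUT_FILE live under /logs. Hand the directory
          # to the runner user instead of making it world-writable (0777).
          sudo mkdir -p /logs
          sudo chown "$(id -u):$(id -g)" /logs

      - name: Cache NSPR
        id: cache-nspr
        uses: actions/cache@v4
        with:
          path: /tmp/src/nspr
          # NSPR_VERSION is a branch name: this key never changes when the
          # branch moves, so the cached checkout is whatever was fetched first.
          key: nspr-${{ env.NSPR_VERSION }}

      - name: Clone and build NSPR
        if: steps.cache-nspr.outputs.cache-hit != 'true'
        run: |
          mkdir -p /tmp/src
          cd /tmp/src
          # Workflow env is exported to the shell; use "$VAR" rather than
          # ${{ }} interpolation so values are never spliced into script text.
          # Only the clone happens here; NSS's build.sh is expected to build
          # NSPR from ../nspr (verify in the NSS build log).
          hg clone https://hg.mozilla.org/projects/nspr -r "$NSPR_VERSION"

      - name: Cache NSS source and patches
        id: cache-nss-source
        uses: actions/cache@v4
        with:
          path: |
            /tmp/src/nss
            /tmp/src/osp
          # "-latest" is a constant, so a hit freezes the unpinned osp clone.
          key: nss-source-${{ env.NSS_VERSION }}-latest

      - name: Clone NSS and apply wolfSSL patches
        if: steps.cache-nss-source.outputs.cache-hit != 'true'
        run: |
          mkdir -p /tmp/src
          cd /tmp/src
          # Defensive cleanup to avoid 'destination ... is not empty' errors
          rm -rf nss osp
          # Official Mozilla NSS at the requested tag
          hg clone https://hg.mozilla.org/projects/nss -r "$NSS_VERSION"
          # wolfSSL OSP repository carries the NSS patches (default branch, unpinned)
          git clone https://github.com/wolfSSL/osp.git
          cd nss
          if [ ! -d ../osp/nss ]; then
            echo "No patches found in wolfSSL/osp/nss directory"
            exit 0
          fi
          echo "Applying wolfSSL patches..."
          rejected=0
          for patch in ../osp/nss/*.patch; do
            [ -f "$patch" ] || continue
            name=$(basename "$patch")
            echo "Applying patch: $name"
            # Apply once. --forward skips hunks that are already present rather
            # than prompting; rejects go to /tmp/<patch>.rej. (Re-running the
            # same patch after a partial apply only produces "previously
            # applied" noise, so there is no retry.)
            if ! patch -p1 --forward --reject-file="/tmp/${name}.rej" < "$patch"; then
              echo "::warning::wolfSSL NSS patch ${name} did not apply cleanly (see /tmp/${name}.rej)"
              if [ -f "/tmp/${name}.rej" ]; then
                cat "/tmp/${name}.rej"
              fi
              rejected=$((rejected + 1))
            fi
          done
          # A partially patched NSS may never touch wolfPKCS11, which would make
          # the rest of this job pass vacuously; keep the count visible.
          echo "wolfSSL patches with rejected hunks: $rejected"

      - name: Cache NSS build artifacts
        id: cache-nss-build
        uses: actions/cache@v4
        with:
          path: /tmp/src/dist
          key: nss-build-${{ env.NSS_VERSION }}-latest

      - name: Build NSS
        if: steps.cache-nss-build.outputs.cache-hit != 'true'
        run: |
          cd /tmp/src/nss
          # 64-bit debug (non-optimised) build; warnings are not errors so the
          # patched tree builds on the runner's toolchain.
          export USE_64=1
          export NSS_ENABLE_WERROR=0
          export BUILD_OPT=0
          ./build.sh -v

      - name: Copy NSS headers and libraries
        run: |
          sudo mkdir -p /usr/local/include/nss /usr/local/include/nspr /usr/local/lib
          # Public NSS headers
          sudo cp -r /tmp/src/dist/public/nss/* /usr/local/include/nss/
          # Everything under dist/Debug (lib/, bin/ — presumably where ssltap
          # and tstclnt come from — include/) into /usr/local
          sudo cp -r /tmp/src/dist/Debug/* /usr/local/
          # NSPR shared objects
          sudo find /tmp/src/nspr/Debug -name "*.so" -exec cp {} /usr/local/lib/ \;
          sudo ldconfig

      - name: Cache wolfSSL
        id: cache-wolfssl
        uses: actions/cache@v4
        with:
          path: /tmp/wolfssl
          key: wolfssl-${{ env.WOLFSSL_VERSION }}

      - name: Clone and build wolfSSL
        if: steps.cache-wolfssl.outputs.cache-hit != 'true'
        run: |
          cd /tmp
          git clone https://github.com/wolfSSL/wolfssl.git --branch "$WOLFSSL_VERSION" --depth 1
          cd wolfssl
          ./autogen.sh
          # Test-only relaxations: --with-eccminsz=192 and -DRSA_MIN_SIZE=1024
          # lower the minimum accepted key sizes. Do not copy into a
          # production configure line.
          ./configure --enable-all --enable-aescfb --enable-rsapss --enable-keygen --enable-pwdbased --enable-scrypt --with-eccminsz=192 --with-max-rsa-bits=8192 CFLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT -DRSA_MIN_SIZE=1024 -DWOLFSSL_PSS_LONG_SALT"
          make

      - name: Install wolfSSL
        run: |
          cd /tmp/wolfssl
          sudo make install
          sudo ldconfig

      - name: Build wolfPKCS11 with NSS support
        run: |
          cd wolfpkcs11
          ./autogen.sh
          ./configure --enable-debug --enable-nss --enable-aesecb --enable-aesctr --enable-aesccm --enable-aescmac --enable-aeskeywrap CFLAGS="-D_GNU_SOURCE"
          make
          sudo make install
          sudo ldconfig

      - name: Verify wolfPKCS11 installation
        run: |
          # Both shared objects must be where later steps hard-code them.
          for lib in libwolfpkcs11.so libwolfssl.so; do
            if [ -f "/usr/local/lib/$lib" ]; then
              echo "✓ $lib found at /usr/local/lib/$lib"
              ls -la "/usr/local/lib/$lib"
            else
              echo "✗ ERROR: $lib not found"
              find /usr -name "$lib" 2>/dev/null || true
              exit 1
            fi
          done
          ldd /usr/local/lib/libwolfpkcs11.so || echo "Failed to run ldd on libwolfpkcs11.so"

      - name: Generate test certificates using wolfPKCS11
        run: |
          cd /opt/certs
          export LD_LIBRARY_PATH=/usr/local/lib:$LD_LIBRARY_PATH
          export NSS_DEFAULT_DB_TYPE=sql
          # Fresh, passwordless NSS database for the test
          mkdir -p testdb
          certutil -N -d sql:testdb --empty-password
          echo "Testing wolfPKCS11 integration with NSS..."
          if modutil -list -dbdir sql:testdb | grep -i wolf; then
            echo "✓ wolfPKCS11 module detected in NSS"
          else
            echo "Installing wolfPKCS11 module..."
            # -force: non-interactive (modutil otherwise prompts before writing)
            modutil -force -add "wolfPKCS11" -libfile /usr/local/lib/libwolfpkcs11.so -dbdir sql:testdb
            modutil -list -dbdir sql:testdb
          fi
          # NOTE(review): -add only registers the module. NSS keeps routing
          # TLS crypto through softoken unless wolfPKCS11 is also made the
          # default provider for the relevant mechanisms (modutil -default).
          # Confirm from the NSPR/PKCS#11 log that wolfPKCS11 is actually on
          # the code path of the connections below.
          #
          # Self-signed server certificate for the OpenSSL test server.
          # digitalSignature is required for (EC)DHE / TLS 1.3 handshakes,
          # where the server signs; keyEncipherment alone only covers RSA kx.
          cat > openssl.conf << 'EOF'
          [req]
          distinguished_name = req_distinguished_name
          req_extensions = v3_req
          prompt = no
          [req_distinguished_name]
          C = US
          ST = TestState
          L = TestCity
          O = TestOrg
          CN = localhost
          [v3_req]
          keyUsage = digitalSignature, keyEncipherment, dataEncipherment
          extendedKeyUsage = serverAuth
          subjectAltName = @alt_names
          [alt_names]
          DNS.1 = localhost
          DNS.2 = testserver
          IP.1 = 127.0.0.1
          EOF
          openssl req -x509 -newkey rsa:2048 -keyout server.key -out server.crt -days 365 -nodes \
            -config openssl.conf -extensions v3_req
          echo "=== Generated Certificate Info ==="
          openssl x509 -in server.crt -text -noout | grep -A5 "Subject:"
          echo "Certificate and key files:"
          ls -la server.*

      - name: Run NSS SSLTap Test with wolfPKCS11
        run: |
          export LD_LIBRARY_PATH=/usr/local/lib:$LD_LIBRARY_PATH
          export NSS_DEFAULT_DB_TYPE=sql
          CERT=/opt/certs/server.crt
          KEY=/opt/certs/server.key

          # wait_for_port PORT MAX_SECONDS — poll for a listening TCP port
          # instead of a fixed sleep. grep reads all of netstat's output
          # (no -q) so pipefail never sees a SIGPIPE from netstat.
          wait_for_port() {
            local i
            for ((i = 0; i < $2; i++)); do
              if netstat -tuln | grep ":$1 " >/dev/null; then
                return 0
              fi
              sleep 1
            done
            return 1
          }

          SERVER_PID=
          SSLTAP_PID=
          # Tear down background processes on every exit path (set -e included).
          cleanup() {
            for pid in $SSLTAP_PID $SERVER_PID; do
              kill "$pid" 2>/dev/null || true
            done
          }
          trap cleanup EXIT

          echo "=== Starting SSL Server ==="
          echo "Starting OpenSSL s_server on port 4433..."
          openssl s_server -accept 4433 -cert "$CERT" -key "$KEY" -www -naccept 10 > /tmp/ssl_server.log 2>&1 &
          SERVER_PID=$!
          if ! wait_for_port 4433 15 || ! kill -0 "$SERVER_PID" 2>/dev/null; then
            echo "✗ OpenSSL s_server failed to start"
            cat /tmp/ssl_server.log 2>/dev/null || echo "No log file"
            exit 1
          fi
          echo "✓ OpenSSL s_server listening on 4433 (PID: $SERVER_PID)"
          echo

          echo "=== Testing Basic SSL Connection ==="
          # Trust the self-signed test cert explicitly and require a clean
          # verification result, rather than ignoring the chain.
          timeout 10s openssl s_client -connect localhost:4433 -servername localhost \
            -CAfile "$CERT" -brief </dev/null > /tmp/basic_test.log 2>&1 || true
          if grep "Protocol.*TLS" /tmp/basic_test.log >/dev/null \
             && grep "Verification: OK" /tmp/basic_test.log >/dev/null \
             && ! grep "Cipher.*NONE" /tmp/basic_test.log >/dev/null; then
            echo "✓ Basic SSL connection successful (certificate verified)"
          else
            echo "✗ Basic SSL connection failed"
            echo "Connection log:"
            head -20 /tmp/basic_test.log
            exit 1
          fi
          echo

          # ssltap is an NSS TLS proxy/decoder: -l keeps accepting connections,
          # -s decodes SSL, traffic on 1924 is forwarded to localhost:4433.
          # Whether it initialises NSS with the module DB (and so loads
          # wolfPKCS11) is not established here — check /tmp/nss_ssltap.log.
          echo "=== Starting ssltap proxy (1924 -> localhost:4433) ==="
          export NSPR_LOG_FILE=/tmp/nss_ssltap.log
          ssltap -l -s localhost:4433 > /tmp/ssltap_output.log 2>&1 &
          SSLTAP_PID=$!
          if ! wait_for_port 1924 15 || ! kill -0 "$SSLTAP_PID" 2>/dev/null; then
            echo "✗ ssltap failed to start / port 1924 not listening"
            cat /tmp/ssltap_output.log 2>/dev/null || echo "No ssltap log"
            exit 1
          fi
          echo "✓ ssltap started (PID: $SSLTAP_PID), proxy port 1924 listening"
          echo

          echo "=== Generating SSL Traffic through ssltap ==="
          CLIENT_OK=0
          if command -v tstclnt >/dev/null 2>&1; then
            echo "Testing with NSS tstclnt through ssltap proxy..."
            # -o overrides server-cert verification errors; -d points at the DB
            # in which wolfPKCS11 was registered. Best effort: result is
            # reported below but does not decide the outcome.
            timeout 10s tstclnt -h localhost -p 1924 -d sql:/opt/certs/testdb -o -n testcert \
              > /tmp/tstclnt_test.log 2>&1 </dev/null || echo "tstclnt exited non-zero (best effort)"
          else
            echo "tstclnt not available, skipping NSS client test"
          fi
          echo "Testing with curl through ssltap proxy..."
          # Verify the server certificate (self-signed → it is its own trust
          # anchor; SAN must cover localhost) instead of disabling checks (-k).
          timeout 10s curl -v --max-time 5 --cacert "$CERT" https://localhost:1924/ \
            > /tmp/curl_test.log 2>&1 || echo "curl exited non-zero"
          if grep "SSL connection using" /tmp/curl_test.log >/dev/null; then
            echo "✓ curl SSL connection through ssltap successful"
            grep "SSL connection using" /tmp/curl_test.log
            CLIENT_OK=1
          else
            echo "✗ curl SSL connection through ssltap failed"
            head -40 /tmp/curl_test.log
          fi
          if [ -f /tmp/tstclnt_test.log ] && grep "connected" /tmp/tstclnt_test.log >/dev/null; then
            echo "✓ NSS tstclnt connection successful"
          fi
          # Give ssltap time to flush the decoded traffic
          sleep 2
          echo

          echo "=== Testing wolfPKCS11 PKCS#11 Operations ==="
          cd /opt/certs/testdb
          echo "Listing PKCS#11 modules..."
          modutil -list -dbdir sql:. > /tmp/pkcs11_modules.log 2>&1 || true
          echo "Listing wolfPKCS11 slots..."
          timeout 30s pkcs11-tool --module /usr/local/lib/libwolfpkcs11.so --list-slots \
            > /tmp/pkcs11_slots.log 2>&1 || echo "pkcs11-tool list-slots exited non-zero (best effort)"
          echo

          echo "=== Stopping Services ==="
          cleanup
          sleep 2
          echo

          echo "=== Test Results ==="
          echo "SSLTap captured output:"
          echo "----------------------------------------"
          if [ -s /tmp/ssltap_output.log ]; then
            cat /tmp/ssltap_output.log
          else
            echo "No ssltap output captured (may depend on ssltap version/options)"
          fi
          echo
          echo "NSS PKCS#11 Module List:"
          echo "----------------------------------------"
          [ -f /tmp/pkcs11_modules.log ] && cat /tmp/pkcs11_modules.log
          echo
          echo "PKCS#11 Slots (wolfPKCS11):"
          echo "----------------------------------------"
          [ -f /tmp/pkcs11_slots.log ] && cat /tmp/pkcs11_slots.log
          echo
          echo "SSL Server log (last 20 lines):"
          echo "----------------------------------------"
          [ -f /tmp/ssl_server.log ] && tail -20 /tmp/ssl_server.log || echo "No server log available"
          echo
          echo "NSS debugging log (last 50 lines):"
          echo "----------------------------------------"
          [ -f /tmp/nss_ssltap.log ] && tail -50 /tmp/nss_ssltap.log
          echo

          # The step previously declared success unconditionally; a run where
          # nothing got through the proxy is a failed test, not a pass.
          if [ "$CLIENT_OK" -ne 1 ]; then
            echo "✗ No TLS connection was established through ssltap — failing"
            exit 1
          fi
          echo "✅ wolfPKCS11 NSS SSLTap Test Completed Successfully!"

      - name: Finalize Test Results
        timeout-minutes: 5
        run: |
          echo "========================================"
          echo "✅ All tests completed!"
          echo "wolfPKCS11 integrated with NSS SSLTap"
          echo "========================================"

      - name: Upload test logs
        if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: wolfpkcs11-nss-ssltap-test-logs
          path: |
            /tmp/*.log
            /logs/*.log
            /opt/certs/testdb/*.log
          if-no-files-found: ignore
          retention-days: 5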