Handle errors when signing SSH certificates #2500
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and Test | |
on: [push, pull_request] | |
jobs: | |
build_debian_derivatives: | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- environment: "ubuntu:24.10" | |
cc: "gcc" | |
upload_for_test: "false" | |
- environment: "ubuntu:24.10" | |
cc: "clang" | |
upload_for_test: "false" | |
- environment: "ubuntu:24.04" | |
cc: "gcc" | |
upload_for_test: "false" | |
- environment: "ubuntu:24.04" | |
cc: "clang" | |
upload_for_test: "false" | |
- environment: "ubuntu:22.04" | |
cc: "gcc" | |
upload_for_test: "false" | |
- environment: "ubuntu:22.04" | |
cc: "clang" | |
upload_for_test: "true" | |
- environment: "ubuntu:20.04" | |
cc: "gcc" | |
upload_for_test: "false" | |
- environment: "ubuntu:20.04" | |
cc: "clang" | |
upload_for_test: "false" | |
- environment: "debian:12" | |
cc: "gcc" | |
upload_for_test: "false" | |
- environment: "debian:12" | |
cc: "clang" | |
upload_for_test: "false" | |
- environment: "debian:11" | |
cc: "gcc" | |
upload_for_test: "false" | |
- environment: "debian:11" | |
cc: "clang" | |
upload_for_test: "false" | |
name: build on ${{ matrix.environment }} (${{ matrix.cc }},${{ matrix.upload_for_test}}) | |
runs-on: ubuntu-latest | |
container: ${{ matrix.environment }} | |
steps: | |
- name: install dependencies from package management | |
env: | |
CC: ${{ matrix.cc }} | |
DEBIAN_FRONTEND: noninteractive | |
run: | | |
apt update | |
apt install -q -y build-essential \ | |
cmake pkg-config \ | |
gengetopt \ | |
help2man \ | |
libcurl4-openssl-dev \ | |
libedit-dev \ | |
libpcsclite-dev \ | |
libusb-1.0-0-dev \ | |
libssl-dev \ | |
file \ | |
curl \ | |
jq | |
if [ "$CC" = "clang" ]; then | |
apt install -q -y clang llvm lld | |
fi | |
- name: clone the Yubico/yubihsm-shell repository | |
uses: actions/checkout@v4 | |
with: | |
path: yubihsm-shell | |
- name: apply environment specific changes to CMakeLists.txt | |
working-directory: yubihsm-shell | |
if: ${{ matrix.environment == 'ubuntu:14.04' }} | |
run: | | |
# ubuntu 14.04 comes with cmake version 2.8, but the project requires 3.5 | |
# we downgrade that requirement for the ubuntu 14.04 build | |
sed -i 's/cmake_minimum_required (VERSION 3.5)/cmake_minimum_required (VERSION 2.8)/' CMakeLists.txt | |
# we also remove the following policies which are not supported in the older cmake version | |
sed -i 's/cmake_policy(SET CMP0025 NEW)/#cmake_policy(SET CMP0025 NEW)/' CMakeLists.txt | |
sed -i 's/cmake_policy(SET CMP0042 NEW)/#cmake_policy(SET CMP0042 NEW)/' CMakeLists.txt | |
sed -i 's/cmake_policy(SET CMP0054 NEW)/#cmake_policy(SET CMP0054 NEW)/' CMakeLists.txt | |
# append the following flags: -Wno-missing-braces -Wno-missing-field-initializers -Wno-implicit-function-declaration | |
sed -i 's/-Wall -Wextra -Werror/-Wall -Wextra -Werror -Wno-missing-braces -Wno-missing-field-initializers -Wno-implicit-function-declaration/' cmake/SecurityFlags.cmake | |
- name: apply environment specific changes to CMakeLists.txt | |
working-directory: yubihsm-shell | |
if: ${{ matrix.environment == 'ubuntu:24.10' }} | |
run: | | |
# ubuntu 24.10 comes with _FORTIFY_SOURCE already set | |
sed -i 's/add_definitions (-D_FORTIFY_SOURCE=2)/add_definitions (-D_FORTIFY_SOURCE=3)/' cmake/SecurityFlags.cmake | |
# Set PCSC flags | |
sed -i 's/#SET(CMAKE_C_FLAGS/SET(CMAKE_C_FLAGS/' ykhsmauth/CMakeLists.txt | |
- name: do build | |
working-directory: yubihsm-shell | |
env: | |
CC: ${{ matrix.cc }} | |
VERBOSE: 1 | |
run: | | |
mkdir build | |
cd build | |
if [ "$CC" = "gcc" ]; then | |
cmake -DRELEASE_BUILD=1 -DWITHOUT_YKYH=1 .. | |
else | |
cmake -DRELEASE_BUILD=1 -DWITHOUT_YKYH=1 \ | |
-DCMAKE_AR=/usr/bin/llvm-ar \ | |
-DCMAKE_RANLIB=/usr/bin/llvm-ranlib \ | |
-DCMAKE_EXE_LINKER_FLAGS="-fuse-ld=lld" \ | |
.. | |
fi | |
cmake --build . | |
- name: do static build | |
working-directory: yubihsm-shell | |
env: | |
CC: ${{ matrix.cc }} | |
VERBOSE: 1 | |
BUILD_ENVIRONMENT: ${{ matrix.environment }} | |
run: | | |
mkdir build-static | |
cd build-static | |
if [ "$CC" = "gcc" ]; then | |
cmake -DENABLE_STATIC=ON -DCMAKE_BUILD_TYPE=Release .. | |
else | |
cmake -DENABLE_STATIC=ON -DCMAKE_BUILD_TYPE=Release \ | |
-DCMAKE_AR=/usr/bin/llvm-ar \ | |
-DCMAKE_RANLIB=/usr/bin/llvm-ranlib \ | |
-DCMAKE_EXE_LINKER_FLAGS="-fuse-ld=lld" \ | |
.. | |
fi | |
cmake --build . | |
- name: prepare name for upload-artifact action | |
env: | |
DOCKER_IMAGE: ${{ matrix.environment }} | |
CC: ${{ matrix.cc }} | |
run: | | |
ESCAPED_IMAGE=$(echo -n "$DOCKER_IMAGE" | sed -E 's/[^a-zA-Z0-9]//g') | |
echo "ARTIFACT_NAME=yubihsm-shell_${ESCAPED_IMAGE}_${CC}" >> $GITHUB_ENV | |
- name: create compressed tar file | |
if: ${{ matrix.upload_for_test == 'true' }} | |
run: tar cfz yubihsm-shell.tar.gz yubihsm-shell | |
- name: upload artifacts for the test job | |
if: ${{ matrix.upload_for_test == 'true' }} | |
uses: actions/upload-artifact@v4 | |
with: | |
name: "${{ env.ARTIFACT_NAME }}" | |
path: yubihsm-shell.tar.gz | |
build_centos_fedora: | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
# we do not perform clang builds for all environments, only fedora | |
- environment: "fedora:40" | |
cc: "gcc" | |
upload_for_test: "true" | |
- environment: "fedora:40" | |
cc: "clang" | |
upload_for_test: "false" | |
- environment: "fedora:41" | |
cc: "gcc" | |
upload_for_test: "false" | |
- environment: "fedora:41" | |
cc: "clang" | |
upload_for_test: "false" | |
name: build on ${{ matrix.environment }} (${{ matrix.cc }}, ${{ matrix.upload_for_test }}) | |
runs-on: ubuntu-latest | |
container: ${{ matrix.environment }} | |
steps: | |
- name: clone the Yubico/yubihsm-shell repository | |
uses: actions/checkout@v4 | |
with: | |
path: yubihsm-shell | |
- name: extract platform name | |
env: | |
DOCKER_IMAGE: ${{ matrix.environment }} | |
run: | | |
# Remove everything from DOCKER_IMAGE that is not a letter or a number | |
PLATFORM=$(echo -n "$DOCKER_IMAGE" | sed -E 's/[^a-zA-Z0-9]//g') | |
echo "PLATFORM=$PLATFORM" >> $GITHUB_ENV | |
- name: install dependencies from package management | |
env: | |
CC: ${{ matrix.cc }} | |
PLATFORM: ${{ env.PLATFORM }} | |
run: | | |
cd yubihsm-shell/resources/release/linux | |
./install_redhat_dependencies.sh $PLATFORM | |
if [ "$CC" = "clang" ]; then | |
yum install -y clang llvm lld | |
fi | |
- name: apply environment specific changes to CMakeLists.txt | |
working-directory: yubihsm-shell | |
if: ${{ matrix.environment == 'centos:7' }} | |
run: | | |
# centos 7 comes with cmake version 2.8, but the project requires 3.5 | |
# we downgrade that requirement for the centos 7 build | |
sed -i 's/cmake_minimum_required (VERSION 3.5)/cmake_minimum_required (VERSION 2.8)/' CMakeLists.txt | |
# we also remove the following policies which are not supported in the older cmake version | |
sed -i 's/cmake_policy(SET CMP0025 NEW)/#cmake_policy(SET CMP0025 NEW)/' CMakeLists.txt | |
sed -i 's/cmake_policy(SET CMP0042 NEW)/#cmake_policy(SET CMP0042 NEW)/' CMakeLists.txt | |
sed -i 's/cmake_policy(SET CMP0054 NEW)/#cmake_policy(SET CMP0054 NEW)/' CMakeLists.txt | |
# append the following flags: -Wno-missing-braces -Wno-missing-field-initializers -Wno-implicit-function-declaration | |
sed -i 's/-Wall -Wextra -Werror/-Wall -Wextra -Werror -Wno-missing-braces -Wno-missing-field-initializers/' cmake/SecurityFlags.cmake | |
- name: apply environment specific changes to CMakeLists.txt | |
working-directory: yubihsm-shell | |
if: ${{ matrix.environment == 'fedora:41' }} | |
run: | | |
# Set PCSC flags | |
sed -i 's/#SET(CMAKE_C_FLAGS/SET(CMAKE_C_FLAGS/' ykhsmauth/CMakeLists.txt | |
- name: do build | |
working-directory: yubihsm-shell | |
env: | |
CC: ${{ matrix.cc }} | |
VERBOSE: 1 | |
run: | | |
mkdir build | |
cd build | |
if [ "$CC" = "gcc" ]; then | |
cmake -DCMAKE_BUILD_TYPE=Release .. | |
else | |
cmake -DCMAKE_BUILD_TYPE=Release \ | |
-DCMAKE_AR=/usr/bin/llvm-ar \ | |
-DCMAKE_RANLIB=/usr/bin/llvm-ranlib \ | |
-DCMAKE_EXE_LINKER_FLAGS="-fuse-ld=lld" \ | |
.. | |
fi | |
cmake --build . | |
- name: do static build | |
working-directory: yubihsm-shell | |
env: | |
CC: ${{ matrix.cc }} | |
VERBOSE: 1 | |
PLATFORM: ${{ env.PLATFORM }} | |
run: | | |
mkdir build-static | |
cd build-static | |
if [ "$CC" = "gcc" ]; then | |
# lto breaks static builds on centos 7 so we disable it | |
if [ $PLATFORM = "centos7" ]; then | |
cmake -DENABLE_STATIC=ON -DCMAKE_BUILD_TYPE=Release -DDISABLE_LTO=ON .. | |
else | |
cmake -DENABLE_STATIC=ON -DCMAKE_BUILD_TYPE=Release .. | |
fi | |
else | |
cmake -DENABLE_STATIC=ON -DCMAKE_BUILD_TYPE=Release \ | |
-DCMAKE_AR=/usr/bin/llvm-ar \ | |
-DCMAKE_RANLIB=/usr/bin/llvm-ranlib \ | |
-DCMAKE_EXE_LINKER_FLAGS="-fuse-ld=lld" \ | |
.. | |
fi | |
cmake --build . | |
- name: prepare name for upload-artifact action | |
env: | |
PLATFORM: ${{ env.PLATFORM }} | |
CC: ${{ matrix.cc }} | |
run: | | |
echo "ARTIFACT_NAME=yubihsm-shell_${PLATFORM}_${CC}" >> $GITHUB_ENV | |
- name: create compressed tar file | |
if: ${{ matrix.upload_for_test == 'true' }} | |
run: tar cfz yubihsm-shell.tar.gz yubihsm-shell | |
- name: upload artifacts for the test job | |
if: ${{ matrix.upload_for_test == 'true' }} | |
uses: actions/upload-artifact@v4 | |
with: | |
name: "${{ env.ARTIFACT_NAME }}" | |
path: yubihsm-shell.tar.gz | |
build_macos: | |
name: build on macos | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- os: macos-latest | |
- os: macos-latest-xlarge | |
steps: | |
- name: install dependencies using brew | |
run: brew install gengetopt help2man libedit opensc | |
- name: clone the Yubico/yubihsm-shell repository | |
uses: actions/checkout@v4 | |
with: | |
path: yubihsm-shell | |
- name: do build | |
working-directory: yubihsm-shell | |
env: | |
VERBOSE: 1 | |
run: | | |
mkdir build | |
cd build | |
cmake -DCMAKE_BUILD_TYPE=Release .. | |
cmake --build . | |
- name: Test loading PKCS11 module | |
working-directory: yubihsm-shell | |
run: | | |
echo connector=http://127.0.0.1:12345 > yubihsm_pkcs11.conf | |
export YUBIHSM_PKCS11_CONF=$GITHUB_WORKSPACE/yubihsm-shell/yubihsm_pkcs11.conf | |
pkcs11-tool --module build/pkcs11/yubihsm_pkcs11.dylib --show-info | grep Yubico | |
- name: do static build | |
working-directory: yubihsm-shell | |
env: | |
VERBOSE: 1 | |
run: | | |
mkdir build-static | |
cd build-static | |
cmake -DENABLE_STATIC=ON -DCMAKE_BUILD_TYPE=Release .. | |
cmake --build . | |
- name: check binaries for hardening | |
working-directory: yubihsm-shell | |
run: | | |
./resources/release/macos/check_hardening.sh "build/src/yubihsm-shell" | |
test: | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- environment: "ubuntu:22.04" | |
cc: "clang" | |
- environment: "fedora:40" | |
cc: "gcc" | |
name: run unit tests | |
runs-on: ubuntu-latest | |
container: ${{ matrix.environment }} | |
needs: [build_debian_derivatives, build_centos_fedora] | |
steps: | |
- name: install dependencies from package management (debian based) | |
env: | |
DEBIAN_FRONTEND: noninteractive | |
if: ${{ matrix.environment == 'ubuntu:22.04' }} | |
run: | | |
apt update | |
apt install -q -y build-essential cmake python3 python3-pip python3-setuptools curl libedit2 libpcsclite1 libengine-pkcs11-openssl opensc swig openjdk-11-jdk-headless libssl3 | |
- name: install dependencies from package management (rpm based) | |
if: ${{ matrix.environment == 'fedora:40' }} | |
run: | | |
yum install -y gcc gcc-c++ cmake python3-devel python3-pip python3-setuptools curl libedit gengetopt openssl libcurl pcsc-lite swig java-11-openjdk-headless which | |
- name: prepare name for download-artifact action | |
env: | |
DOCKER_IMAGE: ${{ matrix.environment }} | |
CC: ${{ matrix.cc }} | |
run: | | |
ESCAPED_IMAGE=$(echo -n "$DOCKER_IMAGE" | sed -E 's/[^a-zA-Z0-9]//g') | |
echo "ARTIFACT_NAME=yubihsm-shell_${ESCAPED_IMAGE}_${CC}" >> $GITHUB_ENV | |
- name: download artifacts from the build job | |
uses: actions/download-artifact@v4 | |
with: | |
name: "${{ env.ARTIFACT_NAME }}" | |
- name: decompress yubihsm-shell.tar.gz | |
run: tar xfz yubihsm-shell.tar.gz | |
- name: prepare ghostunnel | |
env: | |
TLSPWD: ${{ secrets.TLSKEY }} | |
# GODEBUG required for ghostunnel to temporarily enable Common Name matching | |
GODEBUG: x509ignoreCN=0 | |
run: | | |
curl -o /tmp/ghostunnel -L https://github.com/ghostunnel/ghostunnel/releases/download/v1.6.0/ghostunnel-v1.6.0-linux-amd64 | |
chmod +x /tmp/ghostunnel | |
openssl aes-256-cbc \ | |
-k "$TLSPWD" \ | |
-md sha256 \ | |
-in yubihsm-shell/.ci/client-combined.pem.enc \ | |
-out yubihsm-shell/.ci/client-combined.pem \ | |
-d | |
/tmp/ghostunnel client \ | |
--listen localhost:12345 \ | |
--target hsm-connector01.sthlm.in.yubico.org:8443 \ | |
--keystore yubihsm-shell/.ci/client-combined.pem \ | |
--cacert yubihsm-shell/.ci/server-crt.pem > /dev/null 2>&1 & | |
sleep 3 | |
DEFAULT_CONNECTOR_URL=$(curl -s http://localhost:12345/dispatcher/request) | |
test -n "$DEFAULT_CONNECTOR_URL" || (echo "Unable to obtain a connector URL, aborting"; exit 1) | |
echo "DEFAULT_CONNECTOR_URL=$DEFAULT_CONNECTOR_URL" >> $GITHUB_ENV | |
- name: clone the YubicoLabs/pkcs11test repository | |
uses: actions/checkout@v4 | |
with: | |
repository: YubicoLabs/pkcs11test | |
path: pkcs11test | |
- name: build the pkcs11test binary | |
working-directory: pkcs11test | |
run: | | |
make | |
echo "PKCS11TEST_PATH=`pwd`" >> $GITHUB_ENV | |
- name: reset the hsm | |
working-directory: yubihsm-shell/build/src | |
run: | | |
./yubihsm-shell --connector "$DEFAULT_CONNECTOR_URL" -p password -a reset | |
sleep 3 | |
- name: run tests with ctest | |
working-directory: yubihsm-shell/build | |
env: | |
DOCKER_IMAGE: ${{ matrix.environment }} | |
run: | | |
if [ $DOCKER_IMAGE = "debian:11" ]; then | |
# we skip the engine tests (for now) since it ships with a broken curl version | |
ctest --output-on-failure -E engine | |
elif [ $DOCKER_IMAGE = "centos:7" ]; then | |
# we skip the ecdh_derive tests (for now) since there is an issue with generating secp224r1 keys | |
ctest --output-on-failure -E ecdh_derive\|aes\|ecdh_sp800 | |
else | |
ctest --output-on-failure | |
fi | |
- name: clone the YubicoLabs/python-pkcs11tester repository | |
uses: actions/checkout@v4 | |
with: | |
repository: YubicoLabs/python-pkcs11tester | |
path: python-pkcs11tester | |
- name: run python-pkcs11tester | |
env: | |
DOCKER_IMAGE: ${{ matrix.environment }} | |
run: | | |
if [ $DOCKER_IMAGE = "centos:7" ]; then | |
# the pypi cryptography package requires an up-to-date version of pip | |
# https://github.com/pyca/cryptography/issues/5753 | |
pip3 install --upgrade pip | |
fi | |
export YUBIHSM_PKCS11_MODULE=`pwd`/yubihsm-shell/build/pkcs11/yubihsm_pkcs11.so | |
cd python-pkcs11tester | |
echo "connector=$DEFAULT_CONNECTOR_URL" > yubihsm_pkcs11.conf | |
python3 -m pip install 'pykcs11' 'cryptography>=1.4.0' | |
python3 setup.py test | |
- name: cleanup | |
if: ${{ always() }} | |
run: | | |
if [ -n "$DEFAULT_CONNECTOR_URL" ]; then | |
curl -s http://localhost:12345/dispatcher/release?connector=$DEFAULT_CONNECTOR_URL | |
fi |