PROTON-2594: ci: setup environment for PKCS#11 test

Now that all pieces are in place, let's adapt out Github Action workflow, so softhsm2, opensc (for pkcs11-tool) and pkcs11-provider (for OpenSSL integration) are available and amend the ctest step to source scripts/prep-pkcs11_test.sh, so the relevant environment variables are exported. Note that pkcs11-provider is shipped in ubuntu-24.04, but it doesn't work, so we build it from source instead. We still need to use ubuntu-24.04, because otherwise libcrypto would be outdated: >= 3.0.7 is required, but ubuntu-latest is 22.04.5, which ships libcrypto 3.0.2.
apache · Oct 30, 2024 · a747694 · a747694
1 parent 1fa98f4
commit a747694
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 10 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -9,7 +9,7 @@ jobs:
       fail-fast: false
       matrix:
         os:
-        - ubuntu-latest
+        - ubuntu-24.04
         - macOS-13
         - windows-latest
         buildType:
@@ -47,7 +47,7 @@ jobs:
     - name: Install Linux dependencies
       if: runner.os == 'Linux'
       run: |
-        sudo apt install -y swig libpython3-dev libsasl2-dev libjsoncpp-dev
+        sudo apt install -y swig libpython3-dev libsasl2-dev libjsoncpp-dev softhsm2 opensc
     - name: Install Windows dependencies
       if: runner.os == 'Windows'
       run: |
@@ -63,6 +63,10 @@ jobs:
       working-directory: ${{github.workspace}}
       run: sudo sh ./ci/otel.sh
       shell: bash
+    - name: pkcs11-provider build/install
+      if: runner.os == 'Linux'
+      run: sudo sh ./ci/pkcs11-provider.sh
+      shell: bash
     - name: cmake configure
       working-directory: ${{env.BuildDir}}
       run: cmake "${{github.workspace}}" "-DCMAKE_BUILD_TYPE=${BuildType}" "-DCMAKE_INSTALL_PREFIX=${InstallPrefix}" ${{matrix.cmake_extra}}
@@ -88,7 +92,13 @@ jobs:
     - id: ctest
       name: ctest
       working-directory: ${{env.BuildDir}}
-      run: ctest -C ${BuildType} -V -T Test --no-compress-output ${{matrix.ctest_extra}}
+      run: |
+        if [ "$RUNNER_OS" = "Linux" ]; then
+          pushd ${{github.workspace}}
+          . scripts/prep-pkcs11_test.sh
+          popd
+        fi
+        ctest -C ${BuildType} -V -T Test --no-compress-output ${{matrix.ctest_extra}}
       shell: bash
     - name: Upload Test results
       if: always() && (steps.ctest.outcome == 'failure' || steps.ctest.outcome == 'success')

diff --git a/ci/pkcs11-provider.sh b/ci/pkcs11-provider.sh
@@ -0,0 +1,38 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+set -e
+
+# pkcs11-provider dependencies
+
+sudo apt-get install meson
+
+# Clone pkcs11-provider
+
+git clone -b v0.5 https://github.com/latchset/pkcs11-provider
+
+# Build/Install pkcs11-provider
+
+cd pkcs11-provider
+mkdir build
+
+meson setup build .
+meson compile -C build
+meson install -C build
+cd ..
diff --git a/scripts/prep-pkcs11_test.sh b/scripts/prep-pkcs11_test.sh
@@ -19,8 +19,9 @@
 # prep-pkcs11_test.sh - Source to set up environment for pkcs11_test to run
 #                       against a SoftHSM
 
-KEYDIR="$(readlink -f cpp/testdata/certs)"
+set -x
 
+KEYDIR="$(readlink -f cpp/testdata/certs)"
 
 if [ -z "$PKCS11_PROVIDER" ]; then
     export PKCS11_PROVIDER=$(openssl version -m | cut -d'"' -f2)/pkcs11.so
@@ -53,23 +54,27 @@ sed -r "s;@softhsmtokendir@;${softhsmtokendir};g" scripts/softhsm2.conf.in >$SOF
 
 export PKCS11_MODULE_LOAD_BEHAVIOR=late
 
+set -x
+
 softhsm2-util --delete-token --token proton-test 2>/dev/null || true
 softhsm2-util --init-token --free --label proton-test --pin tclientpw --so-pin tclientpw
 
-alias pkcs11-tool="pkcs11-tool --module=$PKCS11_PROVIDER_MODULE --token-label proton-test --pin tclientpw"
+pkcs11_tool () { pkcs11-tool --module=$PKCS11_PROVIDER_MODULE --token-label proton-test --pin tclientpw "$@"; }
 
-pkcs11-tool -l --label tclient --delete-object --type privkey 2>/dev/null || true
+pkcs11_tool --module=$PKCS11_PROVIDER_MODULE --token-label proton-test --pin tclientpw -l --label tclient --delete-object --type privkey 2>/dev/null || true
 
-pkcs11-tool -l --label tclient --id 2222 \
+pkcs11_tool --module=$PKCS11_PROVIDER_MODULE --token-label proton-test --pin tclientpw -l --label tclient --id 2222 \
     --write-object "$KEYDIR/client-certificate.pem" --type cert --usage-sign
-pkcs11-tool -l --label tclient --id 2222 \
+pkcs11_tool --module=$PKCS11_PROVIDER_MODULE --token-label proton-test --pin tclientpw -l --label tclient --id 2222 \
     --write-object "$KEYDIR/client-private-key-no-password.pem" --type privkey --usage-sign
 
-pkcs11-tool -l --label tserver --id 4444 \
+pkcs11_tool --module=$PKCS11_PROVIDER_MODULE --token-label proton-test --pin tclientpw -l --label tserver --id 4444 \
     --write-object "$KEYDIR/server-certificate-lh.pem" --type cert --usage-sign
-pkcs11-tool -l --label tserver --id 4444 \
+pkcs11_tool --module=$PKCS11_PROVIDER_MODULE --token-label proton-test --pin tclientpw -l --label tserver --id 4444 \
     --write-object "$KEYDIR/server-private-key-lh-no-password.pem" --type privkey --usage-sign
 
+set +x
+
 # Workaround for https://github.com/latchset/pkcs11-provider/issues/419
 export PKCS11_MODULE_LOAD_BEHAVIOR=early