Add support for RSA-PSS Keys #1490
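---
name: Build

# Runs for pushes to main and for pull requests that target main.
on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]

# Least privilege for GITHUB_TOKEN: the jobs in this workflow only check out
# the repository, build, test and upload log artifacts, so read access to
# repository contents is enough. Without an explicit block the token falls
# back to the repository/organisation default, which can include write
# scopes on push events.
permissions:
  contents: read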
jobs:
  # Linux matrix: 5 distributions x 2 compilers x 2 software tokens, each
  # combination running inside that distribution's container image.
  build:
    name: CI with software token
    runs-on: ubuntu-22.04
    strategy:
      fail-fast: false
      matrix:
        name: [fedora, debian, centos9, centos10, ubuntu]
        compiler: [gcc, clang]
        token: [softokn, softhsm]
        # Attach the container image to each distribution name. All tags are
        # mutable (latest / sid / streamN), so a run tests whatever the
        # distribution currently ships rather than a fixed image.
        include:
          - name: fedora
            container: 'fedora:latest'
          - name: debian
            container: 'debian:sid'
          - name: centos9
            container: 'quay.io/centos/centos:stream9'
          - name: centos10
            container: 'quay.io/centos/centos:stream10'
          - name: ubuntu
            container: 'ubuntu:latest'
    container: ${{ matrix.container }}
    steps:
      # NOTE(review): `${{ matrix.* }}` is substituted into the script text
      # before the shell starts. That is acceptable here because every matrix
      # value is a literal declared above; event-supplied values should be
      # handed to scripts through `env:` instead of being expanded inline.
      - name: Install Dependencies
        run: |
          # CentOS Stream needs the CRB repository for some build packages.
          case "${{ matrix.name }}" in
            centos9|centos10) dnf_opts="--enablerepo=crb" ;;
          esac
          if [ -f /etc/redhat-release ]; then
            # $dnf_opts is left unquoted on purpose: it is empty on Fedora.
            dnf -y install $dnf_opts \
              git ${{ matrix.compiler }} meson which \
              pkgconf-pkg-config openssl-devel openssl \
              diffutils expect valgrind opensc gnutls-utils python3-six
            case "${{ matrix.token }}" in
              softokn)
                dnf -y install nss-softokn nss-tools nss-softokn-devel \
                  nss-devel
                ;;
              softhsm)
                dnf -y install softhsm p11-kit-devel
                ;;
            esac
          elif [ -f /etc/debian_version ]; then
            apt-get -q update
            apt-get -yq install git ${{ matrix.compiler }} meson \
              pkg-config libssl-dev openssl expect \
              valgrind procps opensc gnutls-bin python3-six
            case "${{ matrix.token }}" in
              softokn)
                apt-get -yq install libnss3 libnss3-tools libnss3-dev
                ;;
              softhsm)
                apt-get -yq install softhsm2 p11-kit libp11-kit-dev \
                  p11-kit-modules
                ;;
            esac
          fi

      # On CentOS with the softokn token, publish skiptest=true when the
      # second dot-separated field of the NSS version is below 101. Every
      # later step with a skiptest condition is then skipped for that cell.
      - name: Check NSS version
        id: nss-version-check
        run: |
          case "${{ matrix.name }}" in
            centos9|centos10)
              if [ "${{ matrix.token }}" = "softokn" ]; then
                NSSMINVER=$(nss-config --version nss | cut -d '.' -f 2)
                if [ "$NSSMINVER" -lt 101 ]; then
                  echo "skiptest=true" >> "$GITHUB_OUTPUT"
                fi
              fi
              ;;
          esac

      # NOTE(review): both actions used in this workflow are referenced by a
      # mutable major-version tag (@v4). Pinning each `uses:` to a full commit
      # SHA keeps a retagged release from changing what runs here.
      # NOTE(review): actions/checkout stores the job token in the local git
      # config by default, and the following steps execute build and test
      # code from the checked-out tree. Consider `persist-credentials: false`
      # if the submodule fetch below works without it - confirm first.
      - name: Checkout Repository
        if: steps.nss-version-check.outputs.skiptest != 'true'
        uses: actions/checkout@v4

      - name: Setup
        if: steps.nss-version-check.outputs.skiptest != 'true'
        run: |
          # Tell git to trust the workspace path as seen inside the container
          # (presumably its owner differs from the user running the job).
          git config --global --add safe.directory /__w/pkcs11-provider/pkcs11-provider
          git submodule update --init
          # The explicit-EC test is enabled everywhere except on Red Hat
          # family images.
          meson_opts=""
          if [ ! -f /etc/redhat-release ]; then
            meson_opts="-Denable_explicit_EC_test=true"
          fi
          CC=${{ matrix.compiler }} meson setup builddir $meson_opts

      - name: Build and Test
        if: steps.nss-version-check.outputs.skiptest != 'true'
        run: |
          meson compile -C builddir
          meson test --num-processes 1 -C builddir

      # Keep the logs whenever an earlier step of the job has failed. The
      # uploaded paths include the provider debug log, the test variables and
      # the generated openssl.cnf for the token under test.
      - uses: actions/upload-artifact@v4
        if: failure()
        with:
          name: Test logs ${{ matrix.name }}, ${{ matrix.compiler }}, ${{ matrix.token }}
          path: |
            builddir/meson-logs/
            builddir/tests/${{ matrix.token }}/p11prov-debug.log
            builddir/tests/${{ matrix.token }}/testvars
            builddir/tests/${{ matrix.token }}/openssl.cnf

      # The valgrind pass only runs for the gcc cells of the matrix.
      - name: Run tests with valgrind
        if: steps.nss-version-check.outputs.skiptest != 'true'
        run: |
          if [ "${{ matrix.compiler }}" != "gcc" ]; then
            exit 0
          fi
          meson test --num-processes 1 -C builddir --setup=valgrind

      - uses: actions/upload-artifact@v4
        if: failure()
        with:
          name: Test valgrind logs ${{ matrix.name }}, ${{ matrix.compiler }}, ${{ matrix.token }}
          path: |
            builddir/meson-logs/
            builddir/tests/${{ matrix.token }}/p11prov-debug.log
            builddir/tests/${{ matrix.token }}/testvars
            builddir/tests/${{ matrix.token }}/openssl.cnf

      # Re-run the suite with OPENSSL_FORCE_FIPS_MODE=1 set, restricted to
      # gcc on the two CentOS Stream images.
      - name: Run tests in FIPS Mode (on CentOS + gcc only)
        if: steps.nss-version-check.outputs.skiptest != 'true'
        run: |
          if [ "${{ matrix.compiler }}" != "gcc" ]; then
            exit 0
          fi
          case "${{ matrix.name }}" in
            centos9|centos10)
              OPENSSL_FORCE_FIPS_MODE=1 \
              meson test --num-processes 1 -C builddir
              ;;
          esac

      - uses: actions/upload-artifact@v4
        if: failure()
        with:
          name: Test FIPS Mode logs ${{ matrix.name }}, ${{ matrix.compiler }}, ${{ matrix.token }}
          path: |
            builddir/meson-logs/
            builddir/tests/${{ matrix.token }}/p11prov-debug.log
            builddir/tests/${{ matrix.token }}/testvars
            builddir/tests/${{ matrix.token }}/openssl.cnf

  # macOS job: no container, one runner image, clang, both software tokens.
  build-macos:
    name: CI with software token
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [macos-14]
        token: [softokn, softhsm]
    steps:
      - name: Install Dependencies
        run: |
          brew update
          brew install \
            meson \
            openssl@3 \
            opensc \
            p11-kit \
            six
          case "${{ matrix.token }}" in
            softokn) brew install nss ;;
            softhsm) brew install softhsm ;;
          esac

      # NOTE(review): same tag-pinning remark as for every `uses:` line in
      # this workflow - @v4 is a mutable reference.
      - name: Checkout Repository
        uses: actions/checkout@v4

      - name: Setup
        run: |
          # NOTE(review): this safe.directory entry is the container workspace
          # path used by the Linux job; confirm whether it is needed on a
          # macOS runner at all.
          git config --global --add safe.directory /__w/pkcs11-provider/pkcs11-provider
          git submodule update --init
          # Build against Homebrew's OpenSSL 3: point pkg-config at it and
          # put its binaries first on PATH.
          export PKG_CONFIG_PATH=$(brew --prefix openssl@3)/lib/pkgconfig
          export PATH=$(brew --prefix openssl@3)/bin:$PATH
          CC=clang meson setup builddir

      - name: Build and Test
        run: |
          export PATH=$(brew --prefix openssl@3)/bin:$PATH
          # Use every reported CPU for the build, falling back to 2 jobs if
          # sysctl fails; the tests themselves run one process at a time.
          meson compile -j$(sysctl -n hw.ncpu || echo 2) -C builddir
          meson test --num-processes 1 -C builddir

      - uses: actions/upload-artifact@v4
        if: failure()
        with:
          name: Test logs on macOS-14 with ${{ matrix.token }}
          path: |
            builddir/meson-logs/*
            builddir/tests/*.log
            builddir/tests/${{ matrix.token }}/p11prov-debug.log
            builddir/tests/${{ matrix.token }}/testvars
            builddir/tests/${{ matrix.token }}/openssl.cnf