Fix EC public key auto-derive version check for OpenSSL 4.0.0+ #743
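# CI workflow: builds wolfProvider packages through the reusable build
# workflow, then builds xmlsec against them inside a Debian Bookworm
# container and runs its key and encryption test suites.
#
# NOTE(review): there is no `permissions:` block, so GITHUB_TOKEN gets the
# repository default scopes. The steps visible here only read code and
# artifacts; consider `permissions: { contents: read }` after confirming
# that build-wolfprovider.yml (not shown here) needs nothing more.
name: xmlsec Tests

# START OF COMMON SECTION
on:
  push:
    branches: [ 'master', 'main', 'release/**' ]
  #pull_request:
  #  branches: [ '*' ]

# One run per workflow and ref; a newer push cancels the run in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
# END OF COMMON SECTION

jobs:
  # Produces the Debian packages that test_xmlsec downloads as an artifact.
  build_wolfprovider:
    uses: ./.github/workflows/build-wolfprovider.yml
    with:
      wolfssl_ref: ${{ matrix.wolfssl_ref }}
      openssl_ref: ${{ matrix.openssl_ref }}
      fips_ref: ${{ matrix.fips_ref }}
      replace_default: ${{ matrix.replace_default }}
    strategy:
      matrix:
        wolfssl_ref: [ 'v5.8.4-stable' ]
        openssl_ref: [ 'openssl-3.5.4' ]
        fips_ref: [ 'FIPS', 'non-FIPS' ]
        replace_default: [ true ]

  test_xmlsec:
    runs-on: ubuntu-22.04
    needs: build_wolfprovider
    # Run inside Debian Bookworm to match packaging environment
    # NOTE(review): `debian:bookworm` is a floating tag; pin it by digest
    # (`debian:bookworm@sha256:<digest>`) if reproducible runs matter.
    container:
      image: debian:bookworm
      env:
        DEBIAN_FRONTEND: noninteractive
    # This should be a safe limit for the tests to run.
    timeout-minutes: 20
    strategy:
      matrix:
        xmlsec_ref: [ 'xmlsec-1_2_37' ]
        wolfssl_ref: [ 'v5.8.4-stable' ]
        openssl_ref: [ 'openssl-3.5.4' ]
        fips_ref: [ 'FIPS', 'non-FIPS' ]
        # Each leg runs once normally and once with forced failure, so the
        # result script can check that failures are actually detected.
        force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ]
        replace_default: [ true ]
    env:
      WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages
      OPENSSL_PACKAGES_PATH: /tmp/openssl-packages
      WOLFPROV_PACKAGES_PATH: /tmp/wolfprov-packages
    steps:
      # NOTE(review): `@v4` is a mutable tag. Pinning each action to a full
      # commit SHA (`actions/checkout@<commit-sha>`) keeps a retagged release
      # from changing what runs in this job.
      - name: Checkout wolfProvider
        uses: actions/checkout@v4
        with:
          fetch-depth: 1

      # The artifact name must match what build_wolfprovider uploads for the
      # same FIPS / replace-default / wolfSSL / OpenSSL combination.
      - name: Download packages from build job
        uses: actions/download-artifact@v4
        with:
          name: debian-packages-${{ matrix.fips_ref }}${{ matrix.replace_default && '-replace-default' || '' }}-${{ matrix.wolfssl_ref }}-${{ matrix.openssl_ref }}
          path: /tmp

      # Replaces the distribution's OpenSSL packages with the ones from the
      # build job, hence --allow-downgrades / --allow-change-held-packages.
      - name: Install wolfSSL/OpenSSL/wolfprov packages
        run: |
          apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
            ${{ env.WOLFSSL_PACKAGES_PATH }}/libwolfssl_*.deb
          apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
            ${{ env.OPENSSL_PACKAGES_PATH }}/openssl_*.deb \
            ${{ env.OPENSSL_PACKAGES_PATH }}/libssl3_*.deb \
            ${{ env.OPENSSL_PACKAGES_PATH }}/libssl-dev_*.deb
          apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
            ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb

      - name: Verify wolfProvider is properly installed
        run: |
          $GITHUB_WORKSPACE/scripts/verify-install.sh \
            ${{ matrix.replace_default && '--replace-default' || '' }} \
            ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }}

      - name: Install xmlsec dependencies
        run: |
          apt-get update
          apt-get install -y automake autoconf libtool libtool-bin \
            libltdl-dev libltdl7 libxml2-dev patch build-essential \
            pkg-config

      - name: Download xmlsec
        uses: actions/checkout@v4
        with:
          repository: lsh123/xmlsec
          ref: ${{ matrix.xmlsec_ref }}
          path: xmlsec
          fetch-depth: 1

      # NOTE(review): no `ref:` is given, so this tracks the default branch of
      # wolfSSL/osp. The patch it supplies is applied to xmlsec before the
      # build, so the tested source can change between runs; consider pinning
      # to a tag or commit.
      - name: Checkout OSP
        uses: actions/checkout@v4
        with:
          repository: wolfSSL/osp
          path: osp
          fetch-depth: 1

      # The FIPS check compares the matrix value as a string. The earlier form
      # put the boolean expression result inside `[ ]`, which rendered to
      # `[ true ]` or `[ false ]`; both are non-empty strings, so the test
      # always passed and the FIPS patch was applied on the non-FIPS leg too.
      # TODO confirm the non-FIPS patch file exists in osp, since the else
      # branch was never reached before.
      - name: Apply wolfProvider patch to xmlsec
        run: |
          cd xmlsec
          if [ "${{ matrix.fips_ref }}" = "FIPS" ]; then
            patch -p1 < $GITHUB_WORKSPACE/osp/wolfProvider/xmlsec/xmlsec-FIPS-${{ matrix.xmlsec_ref }}-wolfprov.patch
          else
            patch -p1 < $GITHUB_WORKSPACE/osp/wolfProvider/xmlsec/xmlsec-${{ matrix.xmlsec_ref }}-wolfprov.patch
          fi

      - name: Build xmlsec
        working-directory: xmlsec
        env:
          XMLSEC_REF: ${{ matrix.xmlsec_ref }}
        run: |
          ./autogen.sh --disable-openssl3-engines --disable-dsa --without-nss \
            --without-gnutls --without-gcrypt --disable-xmldsig \
            --disable-crypto-dl --disable-apps-crypto-dl \
            --disable-concatkdf --disable-tmpl-tests
          make -j$(nproc)
          # Remove the bundled openssl3.cnf since we use the default
          rm -f tests/openssl3.cnf

      # pipefail is switched off on purpose: pass/fail is decided from the
      # "TOTAL FAILED: 0" lines in the logs, not from make's exit status.
      # The export is guarded because, on the leg where force_fail is empty,
      # a bare `export` prints every exported variable into the job log.
      - name: Run xmlsec tests
        working-directory: xmlsec
        shell: bash
        run: |
          set +o pipefail # ignore errors from make check
          if [ -n "${{ matrix.force_fail }}" ]; then
            export ${{ matrix.force_fail }}
          fi
          make check-keys | tee xmlsec-keys.log
          make check-enc | tee xmlsec-enc.log
          if grep -q "TOTAL FAILED: 0" xmlsec-enc.log && grep -q "TOTAL FAILED: 0" xmlsec-keys.log; then
            TEST_RESULT=0
          else
            TEST_RESULT=1
          fi
          $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} xmlsec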