Replace deprecated VeriSign CA with Amazon Root CA 1 + Starfield G2 #831
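# CI workflow: builds wolfSSL from source, then builds and checks wolfMQTT in
# several configurations (`build`), and runs the AWS IoT trust-anchor
# regression in three wolfSSL/wolfMQTT combinations (`aws-ca-regression`).
#
# Both jobs reach external brokers (`make check` external tests, the AWS IoT
# ATS endpoint), so they need outbound network access from the runner.
name: Ubuntu Build Test

on:
  push:
    branches: [ 'master', 'main', 'release/**' ]
  pull_request:
    branches: [ '*' ]

jobs:
  build:
    runs-on: ubuntu-22.04
    timeout-minutes: 5
    steps:
      - name: Install dependencies
        run: |
          # Don't prompt for anything
          export DEBIAN_FRONTEND=noninteractive
          sudo apt-get update
          # Install mosquitto
          sudo apt-get install -y mosquitto bubblewrap
      - name: Setup mosquitto broker
        run: |
          # Disable default broker daemon
          sudo service mosquitto stop
          sleep 1
      # This is some debug info useful if something goes wrong
      - name: Show network status
        run: |
          sudo ifconfig
          sudo route
          sudo netstat -tulpan
      # Third-party actions are pinned to a release tag rather than a moving
      # branch (`@master`) so a change on the action's default branch cannot
      # silently alter what runs in this CI. TODO(review): pin to a full
      # commit SHA (actions/checkout@<commit-sha>) for a stronger guarantee.
      - uses: actions/checkout@v4
        with:
          repository: wolfssl/wolfssl
          path: wolfssl
      - name: wolfssl autogen
        working-directory: ./wolfssl
        run: ./autogen.sh
      - name: wolfssl configure
        working-directory: ./wolfssl
        run: ./configure --enable-enckeys
      - name: wolfssl make
        working-directory: ./wolfssl
        run: make
      - name: wolfssl make install
        working-directory: ./wolfssl
        run: sudo make install
      - uses: actions/checkout@v4
      - name: wolfmqtt autogen
        run: ./autogen.sh
      - name: wolfmqtt configure
        run: ./configure
      - name: wolfmqtt make
        run: make
      # Note: this will run the external tests for this CI only
      - name: wolfmqtt make check
        run: make check
      - name: wolfmqtt configure without TLS
        env:
          WOLFMQTT_NO_EXTERNAL_BROKER_TESTS: 1
        run: ./configure --enable-all --disable-tls
      - name: wolfmqtt make
        run: make
      - name: wolfmqtt make check
        run: make check
      - name: wolfmqtt configure with SN Enabled
        env:
          WOLFMQTT_NO_EXTERNAL_BROKER_TESTS: 1
        run: ./configure --enable-sn
      - name: wolfmqtt make
        run: make
      - name: wolfmqtt make check
        run: make check
      - name: wolfmqtt configure with Non-Block
        env:
          WOLFMQTT_NO_EXTERNAL_BROKER_TESTS: 1
        run: ./configure --enable-nonblock CFLAGS="-DWOLFMQTT_TEST_NONBLOCK"
      - name: wolfmqtt make
        run: make
      - name: wolfmqtt make check
        run: make check
      - name: wolfmqtt configure with Non-Block and Multi-threading
        env:
          WOLFMQTT_NO_EXTERNAL_BROKER_TESTS: 1
        run: ./configure --enable-mt --enable-nonblock CFLAGS="-DWOLFMQTT_TEST_NONBLOCK"
      - name: wolfmqtt make
        run: make
      - name: wolfmqtt make check
        run: make check
      - name: configure with Multi-threading and WOLFMQTT_DYN_PROP
        env:
          WOLFMQTT_NO_EXTERNAL_BROKER_TESTS: 1
        run: ./configure --enable-mt CFLAGS="-DWOLFMQTT_DYN_PROP"
      - name: make
        run: make
      - name: make check
        run: make check
      - name: wolfmqtt configure with Stress
        env:
          WOLFMQTT_NO_EXTERNAL_BROKER_TESTS: 1
        run: ./configure --enable-stress
      - name: wolfmqtt make
        run: make
      - name: wolfmqtt make check
        run: make check
      # capture logs on failure
      - name: Show logs on failure
        if: failure() || cancelled()
        run: |
          # `|| true`: a missing log (e.g. failure before `make check` ran)
          # must not turn this diagnostics step into a second failure.
          cat test-suite.log || true
          cat scripts/*.log || true

  aws-ca-regression:
    # Exercises examples/aws/awsiot.c trust-anchor handling in three
    # configurations. Uses the real AWS IoT ATS endpoint hard-coded in
    # the demo, so this job needs external network access (same as the
    # `build` job's `make check`).
    #
    # case 1: default bundle (Amazon Root CA 1 + Starfield G2), wolfSSL
    #         built WITHOUT WOLFSSL_NO_ASN_STRICT. Strict ASN parsing
    #         drops Starfield G2 (serial=0); the verify callback's
    #         accept-anyway branch keeps the test passing. Expect PASS.
    #
    # case 2: default bundle, wolfSSL built WITH WOLFSSL_NO_ASN_STRICT.
    #         Full bundle loads, chain verifies cleanly, callback
    #         never has to mask an error. Expect PASS.
    #
    # case 3: legacy VeriSign G5 bundle (via
    #         -DWOLFMQTT_AWSIOT_LEGACY_VERISIGN_CA), wolfSSL built WITH
    #         WOLFSSL_NO_ASN_STRICT. The strict callback rejects the
    #         unanchored chain. Expect FAIL.
    runs-on: ubuntu-22.04
    timeout-minutes: 10
    steps:
      - name: Install dependencies
        run: |
          export DEBIAN_FRONTEND=noninteractive
          sudo apt-get update
          sudo apt-get install -y mosquitto bubblewrap
      - name: Setup mosquitto broker
        run: |
          sudo service mosquitto stop
          sleep 1
      # --- case 1: wolfSSL built with DEFAULT strict ASN parsing ---
      # Pinned to a release tag, not `@master`, for the same supply-chain
      # reason as in the `build` job.
      - uses: actions/checkout@v4
        with:
          repository: wolfssl/wolfssl
          path: wolfssl
      - name: wolfssl autogen (strict ASN default)
        working-directory: ./wolfssl
        run: ./autogen.sh
      - name: wolfssl configure (strict ASN default)
        working-directory: ./wolfssl
        run: ./configure --enable-enckeys
      - name: wolfssl make
        working-directory: ./wolfssl
        run: make
      - name: wolfssl make install
        working-directory: ./wolfssl
        run: sudo make install
      - uses: actions/checkout@v4
      - name: wolfmqtt autogen
        run: ./autogen.sh
      - name: case 1 - wolfmqtt configure (default bundle, strict ASN)
        run: ./configure --enable-tls --enable-examples
      - name: case 1 - wolfmqtt make
        run: make
      - name: case 1 - awsiot.test expect PASS
        run: ./scripts/awsiot.test
      # --- cases 2 + 3: wolfSSL rebuilt with WOLFSSL_NO_ASN_STRICT ---
      - name: wolfssl reconfigure with -DWOLFSSL_NO_ASN_STRICT
        working-directory: ./wolfssl
        run: |
          make clean
          ./configure --enable-enckeys CFLAGS=-DWOLFSSL_NO_ASN_STRICT
      - name: wolfssl rebuild
        working-directory: ./wolfssl
        run: make
      - name: wolfssl reinstall
        working-directory: ./wolfssl
        run: sudo make install
      - name: case 2 - wolfmqtt configure (default bundle, WOLFSSL_NO_ASN_STRICT)
        run: |
          make clean
          ./configure --enable-tls --enable-examples
      - name: case 2 - wolfmqtt make
        run: make
      - name: case 2 - awsiot.test expect PASS
        run: ./scripts/awsiot.test
      - name: case 3 - wolfmqtt configure (legacy VeriSign, WOLFSSL_NO_ASN_STRICT)
        run: |
          make clean
          ./configure --enable-tls --enable-examples \
            CPPFLAGS=-DWOLFMQTT_AWSIOT_LEGACY_VERISIGN_CA
      - name: case 3 - wolfmqtt make
        run: make
      - name: case 3 - awsiot.test expect FAIL
        run: |
          # Negative test. Capture the exit status and dump the test logs so
          # the reason for the failure is visible in the job output: an
          # unreachable endpoint or a build problem would also exit non-zero
          # here and would otherwise be indistinguishable from the
          # trust-anchor rejection this case is meant to prove.
          rc=0
          ./scripts/awsiot.test || rc=$?
          if [ "$rc" -eq 0 ]; then
            echo "case 3 unexpectedly PASSED - legacy VeriSign should not verify AWS IoT chain"
            exit 1
          fi
          echo "case 3 FAILED as expected (legacy VeriSign trust anchor rejected)"
          echo "awsiot.test exit status: $rc"
          # TODO(review): once the verify-failure message awsiot.test emits is
          # known, assert on it in the log so a network error cannot satisfy
          # this case.
          cat scripts/*.log || true
      - name: Show logs on failure
        if: failure() || cancelled()
        run: |
          cat test-suite.log || true
          cat scripts/*.log || true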