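# CI workflow: builds wolfSSL FIPS Ready with JNI support, builds wolfssljni
# (wolfJSSE) and wolfcryptjni (wolfJCE) against it, then runs the wolfssljni
# test suite and DualProviderFIPSTest on each JDK in the matrix.
name: FIPS Ready Dual Provider Test

on:
  push:
    branches: [ 'master', 'main', 'release/**' ]
  pull_request:
    branches: [ 'master' ]

# Least privilege: the steps below only read repository contents. Without
# this block the job token gets the repository's default permission set.
permissions:
  contents: read

jobs:
  dual-provider-fips-test:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        jdk_version: [ '11', '21' ]
    name: Dual Provider FIPS (JDK ${{ matrix.jdk_version }})
    steps:
      # NOTE(review): the actions in this job are referenced by a mutable
      # major-version tag (@v4). Pinning each one to a full commit SHA would
      # make the executed action code immutable.
      - name: Checkout wolfssljni
        uses: actions/checkout@v4
        with:
          path: wolfssljni
          # No later step runs git against the remote, so do not leave the
          # job token in .git/config while downloaded code is built and run.
          persist-credentials: false

      - name: Setup Java
        uses: actions/setup-java@v4
        with:
          distribution: zulu
          java-version: ${{ matrix.jdk_version }}

      - name: Cache JUnit dependencies
        uses: actions/cache@v4
        id: cache-junit
        with:
          path: junit
          key: junit-jars-v1

      - name: Download junit-4.13.2.jar
        if: steps.cache-junit.outputs.cache-hit != 'true'
        run: |
          wget --directory-prefix="$GITHUB_WORKSPACE/junit" \
            https://repo1.maven.org/maven2/junit/junit/4.13.2/junit-4.13.2.jar
          echo "8e495b634469d64fb8acfa3495a065cbacc8a0fff55ce1e31007be4c16dc57d3 $GITHUB_WORKSPACE/junit/junit-4.13.2.jar" \
            | sha256sum -c -

      - name: Download hamcrest-all-1.3.jar
        if: steps.cache-junit.outputs.cache-hit != 'true'
        run: |
          wget --directory-prefix="$GITHUB_WORKSPACE/junit" \
            https://repo1.maven.org/maven2/org/hamcrest/hamcrest-all/1.3/hamcrest-all-1.3.jar
          echo "4877670629ab96f34f5f90ab283125fcd9acb7e683e66319a68be6eb2cca60de $GITHUB_WORKSPACE/junit/hamcrest-all-1.3.jar" \
            | sha256sum -c -

      # The download steps (and their checksum checks) are skipped on a
      # cache hit, so a restored cache entry would otherwise be put on the
      # test classpath unchecked. Verify the same digests in that case too.
      - name: Verify cached JUnit dependencies
        if: steps.cache-junit.outputs.cache-hit == 'true'
        run: |
          sha256sum -c - <<EOF
          8e495b634469d64fb8acfa3495a065cbacc8a0fff55ce1e31007be4c16dc57d3  $GITHUB_WORKSPACE/junit/junit-4.13.2.jar
          4877670629ab96f34f5f90ab283125fcd9acb7e683e66319a68be6eb2cca60de  $GITHUB_WORKSPACE/junit/hamcrest-all-1.3.jar
          EOF

      # Get latest wolfSSL stable version for FIPS Ready download URL
      - name: Get latest wolfSSL stable version
        id: wolfssl-version
        env:
          GITHUB_TOKEN: ${{ github.token }}
        run: |
          # The default run shell does not set pipefail; enable it so a
          # failed API request is not hidden by the rest of the pipeline.
          set -o pipefail
          LATEST_TAG=$(curl -fsS \
            -H "Authorization: Bearer $GITHUB_TOKEN" \
            "https://api.github.com/repos/wolfSSL/wolfssl/tags?per_page=100" | \
            jq -r '.[].name | select(endswith("-stable"))' | \
            sort -V | tail -n 1)
          if [ -z "$LATEST_TAG" ]; then
            echo "Error: No stable wolfSSL tags found" >&2
            exit 1
          fi
          VERSION=$(echo "$LATEST_TAG" | sed 's/^v//' | sed 's/-stable$//')
          # The tag name comes from another repository and ends up in a
          # cache key and a download URL: accept only a plain token made of
          # letters, digits, '.', '_' and '-'.
          if ! [[ "$VERSION" =~ ^[0-9A-Za-z][0-9A-Za-z._-]*$ ]]; then
            echo "Error: Unexpected wolfSSL version string" >&2
            exit 1
          fi
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
          echo "Latest wolfSSL stable version: $VERSION"

      # Cache only the downloaded zip to avoid reusing stale build
      # artifacts across matrix jobs (JDK 11 vs 21)
      - name: Cache wolfSSL FIPS Ready zip
        uses: actions/cache@v4
        id: cache-fips-ready
        with:
          path: wolfssl-fips-ready.zip
          key: wolfssl-fips-ready-${{ steps.wolfssl-version.outputs.version }}

      - name: Download wolfSSL FIPS Ready
        if: steps.cache-fips-ready.outputs.cache-hit != 'true'
        env:
          # Passed through the environment rather than expanded into the
          # script text, so the value is never parsed as shell syntax.
          VERSION: ${{ steps.wolfssl-version.outputs.version }}
        run: |
          URL="https://www.wolfssl.com/wolfssl-${VERSION}-gplv3-fips-ready.zip"
          echo "Downloading: $URL"
          wget -q "$URL" -O wolfssl-fips-ready.zip

      # No reference digest is compared for this archive (the version is
      # resolved at run time), so its integrity rests on HTTPS and on the
      # cache. Log the digest so runs and cache restores can be compared.
      # NOTE(review): if a checksum or signature is published for the
      # archive, verify it here instead of only recording it.
      - name: Record wolfSSL FIPS Ready zip digest
        run: sha256sum wolfssl-fips-ready.zip

      - name: Extract wolfSSL FIPS Ready
        run: unzip -q wolfssl-fips-ready.zip -d wolfssl-fips-ready

      # Build wolfSSL FIPS Ready with JNI support
      - name: Build wolfSSL FIPS Ready
        working-directory: wolfssl-fips-ready
        run: |
          # Find the extracted directory (name may vary)
          WOLFSSL_DIR=$(find . -maxdepth 1 -type d -name "wolfssl-*" | head -1)
          if [ -z "$WOLFSSL_DIR" ]; then
            echo "Error: No wolfSSL directory found after unzip" >&2
            exit 1
          fi
          cd "$WOLFSSL_DIR"
          ./configure --enable-fips=ready --enable-jni \
            --prefix="$GITHUB_WORKSPACE/build-dir"
          # Build, run fips-hash.sh, then build again before installing
          make
          ./fips-hash.sh
          make
          make install

      - name: Set library paths
        run: |
          echo "LD_LIBRARY_PATH=$GITHUB_WORKSPACE/build-dir/lib:$GITHUB_WORKSPACE/wolfssljni/lib:$GITHUB_WORKSPACE/wolfcryptjni/lib" >> "$GITHUB_ENV"
          echo "JUNIT_HOME=$GITHUB_WORKSPACE/junit" >> "$GITHUB_ENV"

      # Build wolfssljni (wolfJSSE)
      - name: Build wolfssljni JNI library
        working-directory: wolfssljni
        run: ./java.sh "$GITHUB_WORKSPACE/build-dir"

      - name: Build wolfssljni JAR
        working-directory: wolfssljni
        run: ant

      # Clone and build wolfcryptjni (wolfJCE)
      # NOTE(review): no ref is given, so this builds whatever the default
      # branch of wolfSSL/wolfcryptjni points to at run time; confirm that
      # tracking the branch head (rather than a fixed ref) is intended.
      - name: Checkout wolfcryptjni
        uses: actions/checkout@v4
        with:
          repository: wolfSSL/wolfcryptjni
          path: wolfcryptjni
          persist-credentials: false

      - name: Build wolfcryptjni JNI library
        working-directory: wolfcryptjni
        run: |
          cp makefile.linux makefile
          PREFIX="$GITHUB_WORKSPACE/build-dir" make

      - name: Build wolfcryptjni JCE JAR
        working-directory: wolfcryptjni
        run: ant build-jce-release

      # Run standard wolfssljni tests first to verify nothing
      # is broken with the FIPS Ready build
      - name: Run wolfssljni tests (ant test)
        working-directory: wolfssljni
        run: ant test

      # Compile and run the dual provider FIPS test
      - name: Compile DualProviderFIPSTest
        working-directory: wolfssljni
        run: |
          javac -classpath \
            "lib/wolfssl.jar:lib/wolfssl-jsse.jar:$GITHUB_WORKSPACE/wolfcryptjni/lib/wolfcrypt-jni.jar" \
            examples/provider/DualProviderFIPSTest.java

      - name: Run DualProviderFIPSTest
        working-directory: wolfssljni
        run: |
          java -classpath \
            "lib/wolfssl.jar:lib/wolfssl-jsse.jar:$GITHUB_WORKSPACE/wolfcryptjni/lib/wolfcrypt-jni.jar:examples/provider" \
            DualProviderFIPSTest

      # Best effort: print any test reports; never fail this step itself
      - name: Show logs on failure
        if: failure() || cancelled()
        working-directory: wolfssljni
        run: |
          cat build/reports/*.txt 2>/dev/null || true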