Merge branch 'master' of github.com:IETF-Hackathon/pqc-certificates
ounsworth committed Aug 29, 2024
2 parents 442758c + b00fd78 commit 0c35cfa
Showing 3 changed files with 104 additions and 5 deletions.
26 changes: 21 additions & 5 deletions .github/workflows/artifact_validation.yaml
Expand Up @@ -24,10 +24,23 @@ jobs:
with:
name: Compatibility_oqs_csv
path: ./output/
bc_validation:
runs-on: ubuntu-latest
container: bcdocker2000/bc_hackathon_pqc
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Test artifacts with BC
run: ./src/test_certs_r3_with_bc.sh
- name: Save artifacts
uses: actions/upload-artifact@v4
with:
name: Compatibility_bc_csv
path: ./output/
build_results_html:
runs-on: ubuntu-latest
container: ubuntu:latest
needs: oqs_validation
needs: [oqs_validation, bc_validation]
steps:
- name: Checkout code
uses: actions/checkout@v4
Expand All @@ -41,17 +54,20 @@ jobs:
python-version: '3.x'
- name: Install python requirements
run: python -m pip install -r src/requirements.txt
- name: Overwrite manually uploaded OQS results with automated results
- name: Get OQS results from previous job
uses: actions/download-artifact@v4
with:
name: Compatibility_oqs_csv
path: output/
# - name: Overwrite manually-uploaded OQS results CSVs
# run: cp ./output/certs/* ./providers/oqs-provider/compatMatrices/artifacts_certs_r3
- name: Get BC results from previous job
uses: actions/download-artifact@v4
with:
name: Compatibility_bc_csv
path: output/
- name: Build compat matrix
run: ./src/rebuild_results_certs_r3.sh
- name: Copy output files
run: mv ./docs/pqc_hackathon_results_certs_r3.html ./docs/pqc_hackathon_results_certs_r3_automated_tests.html ./docs/pqc_hackathon_results_cms_v1.html ./output/certs/oqs_certs.log ./docs/gh-pages
run: mv ./docs/pqc_hackathon_results_certs_r3.html ./docs/pqc_hackathon_results_certs_r3_automated_tests.html ./docs/pqc_hackathon_results_cms_v1.html ./output/certs/oqs_certs.log ./output/certs/bc_certs.log ./docs/gh-pages
- name: Archive Compatibility Matrix For Download
uses: actions/upload-pages-artifact@v3
with:
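Review bot: The new `bc_validation` job's `container: bcdocker2000/bc_hackathon_pqc` carries no tag or digest, so every run pulls whatever that image's default tag points to at the time, and the published `bc_certs.log` and `*_bc.csv` results then depend on an image this repository does not control and cannot reproduce later. Pinning it by digest, `container: bcdocker2000/bc_hackathon_pqc@sha256:<IMAGE_DIGEST_PLACEHOLDER>`, and bumping deliberately keeps the validation reproducible; at minimum a comment above the line should say which image version the results were last verified against. The `verify_r3.sh` that `./src/test_certs_r3_with_bc.sh` invokes is not among the files in this commit and is presumably supplied by that image, which is one more reason the reference should be explicit.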
1 change: 1 addition & 0 deletions docs/gh-pages/index.html
Expand Up @@ -14,5 +14,6 @@
<p>Logs from the most recent run can be found here:</p>
<p>(check the logs to see why your certs failed)</p>
<p><a href="oqs_certs.log">oqs_certs.log</a></p>
<p><a href="bc_certs.log">bc_certs.log</a></p>
</body>
</html>
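--- /dev/null
+++ b/src/test_certs_r3_with_bc.sh
@@ -0,0 +1,82 @@
+#!/bin/bash
+
+certszipr3="artifacts_certs_r3.zip"
+cmszipr1="artifacts_cms_v1.zip"
+inputdir="./providers"
+outputdir="./output/certs"
+logfile=$outputdir/bc_certs.log
+
+# Start the results CSV file
+mkdir -p $outputdir
+printf "Build time: %s\n\n" "$(date)" > $logfile
+
+alreadyTestedOIDs=";"
+
+# Requires an input: the TA file to test
+test_ta () {
+tafile=$1
+resultsfile=$2
+
+tafileBasename=$(basename $tafile)
+
+# strip off the file suffix to get the OID name
+if [[ $(expr match "$tafileBasename" ".*_ta\.pem$") != 0 ]]; then
+oid=${tafileBasename%_ta.pem}
+elif [[ $(expr match "$tafileBasename" ".*_ta\.der$") != 0 ]]; then
+oid=${tafileBasename%_ta.der}
+elif [[ $(expr match "$tafileBasename" ".*_ta\.der\.pem$") != 0 ]]; then
+oid=${tafileBasename%_ta.der.pem}
+else # It's some other filename
+printf "ERROR: file name is not in the expected format: %s\n" $tafileBasename
+return
+fi
+
+# some artifacts submit multiple copies of the same cert as .pem, .der, etc. Just skip the second one
+if [[ $(expr match "$alreadyTestedOIDs" ".*\;$oid\;.*") != 0 ]]; then
+printf "\nWarning: %s has been submitted multiple times by this provider. Skipping\n" $oid
+return
+fi
+
+alreadyTestedOIDs=${alreadyTestedOIDs}$oid";"
+
+printf "\nTesting %s\n" $tafile
+printf "\nTesting %s\n" $tafile >> $logfile
+
+# The actual openssl command that is the heart of this script
+ossl_output=$(verify_r3.sh $(pwd)/$tafile 2>&1)
+ossl_status=$?
+
+# log it to file and to stdout
+echo "$ossl_output" >> $logfile
+echo "$ossl_output"
+
+
+# test for an error and print a link in the results CSV file
+if [[ $ossl_status -ne 0 ]]; then
+echo "Certificate Validation Result: FAIL"
+echo $oid,N >> $resultsfile
+else
+echo "Certificate Validation Result: SUCCESS"
+echo $oid,Y >> $resultsfile
+fi
+}
+
+# First, recurse into any provider dir
+for providerdir in $(ls -d $inputdir/*/); do
+provider=$(basename $providerdir)
+
+# process certs
+zip=${providerdir}$certszipr3
+unzipdir=${providerdir}"artifacts_certs_r3"
+printf "Unziping %s to %s\n" $zip $unzipdir
+unzip -o $zip -d $unzipdir
+
+resultsfile=${outputdir}/${provider}_bc.csv
+echo "key_algorithm_oid,test_result" > $resultsfile # CSV header row
+
+alreadyTestedOIDs=";" # for a guard to skip testing the same cert multiple times
+# test each TA file
+for tafile in $(find $unzipdir \( -iname "*_ta.pem" -o -iname "*_ta.der" -o -iname "*_ta.der.pem" \)); do
+test_ta "$tafile" "$resultsfile"
+done
+done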
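Review bot: Almost every expansion in this new script is unquoted and both loops iterate over command substitutions (`for providerdir in $(ls -d $inputdir/*/)` and `for tafile in $(find …)`), so any submitted artifact whose path contains whitespace or glob characters is split into several bogus `test_ta` calls instead of being tested once, and the rows written to the provider's CSV are misattributed. The provider loop can become `for providerdir in "$inputdir"/*/; do` and the TA loop `while IFS= read -r -d '' tafile; do test_ta "$tafile" "$resultsfile"; done < <(find "$unzipdir" \( -iname "*_ta.pem" -o -iname "*_ta.der" -o -iname "*_ta.der.pem" \) -print0)`, using process substitution rather than a pipe because `test_ta` updates the global `alreadyTestedOIDs` guard and a piped `while` would discard that assignment in its subshell. The same quoting is needed for `$logfile`, `$resultsfile`, `$oid` and `$tafile` inside `test_ta`, and the duplicate check can stop interpolating `$oid` into an `expr` regex with `[[ "$alreadyTestedOIDs" == *";$oid;"* ]]`. `cmszipr1` is assigned but never read, and since nothing here checks that `unzip` or `verify_r3.sh` exist, a header comment such as `# verify_r3.sh is resolved from PATH; presumably provided by the bc_hackathon_pqc container image` would tell the next reader where the script expects to run.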

0 comments on commit 0c35cfa
