diff --git a/.github/workflows/artifact_validation.yaml b/.github/workflows/artifact_validation.yaml
index 36419b70..3a19befc 100644
--- a/.github/workflows/artifact_validation.yaml
+++ b/.github/workflows/artifact_validation.yaml
@@ -24,10 +24,23 @@ jobs:
 with:
 name: Compatibility_oqs_csv
 path: ./output/
+ bc_validation:
+ runs-on: ubuntu-latest
+ container: bcdocker2000/bc_hackathon_pqc
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: Test artifacts with BC
+ run: ./src/test_certs_r3_with_bc.sh
+ - name: Save artifacts
+ uses: actions/upload-artifact@v4
+ with:
+ name: Compatibility_bc_csv
+ path: ./output/
 build_results_html:
 runs-on: ubuntu-latest
 container: ubuntu:latest
- needs: oqs_validation
+ needs: [oqs_validation, bc_validation]
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
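Review bot: The new `bc_validation` job runs in `container: bcdocker2000/bc_hackathon_pqc` with neither a tag nor a digest, so every run pulls whatever that repository's `latest` is at the moment, and both the verifier the script depends on (`verify_r3.sh`, which as far as this diff shows is resolved from the container's PATH) and the results that end up published come from an image this repository does not control. Pin it to an immutable reference, `container: bcdocker2000/bc_hackathon_pqc@sha256:<image-digest>` (placeholder for the digest of the reviewed image), and bump the digest deliberately; otherwise a change to the image silently changes the published compatibility matrix and a given run cannot be reproduced. A one-line comment above the `container:` key recording which image version the results were validated against would also help readers of the matrix.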
@@ -41,17 +54,20 @@ jobs:
 python-version: '3.x'
 - name: Install python requirements
 run: python -m pip install -r src/requirements.txt
- - name: Overwrite manually uploaded OQS results with automated results
+ - name: Get OQS results from previous job
 uses: actions/download-artifact@v4
 with:
 name: Compatibility_oqs_csv
 path: output/
- # - name: Overwrite manually-uploaded OQS results CSVs
- # run: cp ./output/certs/* ./providers/oqs-provider/compatMatrices/artifacts_certs_r3
+ - name: Get BC results from previous job
+ uses: actions/download-artifact@v4
+ with:
+ name: Compatibility_bc_csv
+ path: output/
 - name: Build compat matrix
 run: ./src/rebuild_results_certs_r3.sh
 - name: Copy output files
- run: mv ./docs/pqc_hackathon_results_certs_r3.html ./docs/pqc_hackathon_results_certs_r3_automated_tests.html ./docs/pqc_hackathon_results_cms_v1.html ./output/certs/oqs_certs.log ./docs/gh-pages
+ run: mv ./docs/pqc_hackathon_results_certs_r3.html ./docs/pqc_hackathon_results_certs_r3_automated_tests.html ./docs/pqc_hackathon_results_cms_v1.html ./output/certs/oqs_certs.log ./output/certs/bc_certs.log ./docs/gh-pages
 - name: Archive Compatibility Matrix For Download
 uses: actions/upload-pages-artifact@v3
 with:
diff --git a/docs/gh-pages/index.html b/docs/gh-pages/index.html
index 0683e3c3..e7776552 100644
--- a/docs/gh-pages/index.html
+++ b/docs/gh-pages/index.html
@@ -14,5 +14,6 @@
 <p>Logs from the most recent run can be found here:</p>
 <p>(check the logs to see why your certs failed)</p>
 <p><a href="oqs_certs.log">oqs_certs.log</a></p>
+ <p><a href="bc_certs.log">bc_certs.log</a></p>
 </body>
 </html>
diff --git a/src/test_certs_r3_with_bc.sh b/src/test_certs_r3_with_bc.sh
new file mode 100755
index 00000000..c1eb1c06
--- /dev/null
+++ b/src/test_certs_r3_with_bc.sh
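Review bot: Both download steps extract into the same `output/` directory, and as far as I can tell download-artifact@v4 overwrites same-named files in an existing directory without any error, so the published matrix would silently carry one job's file if the OQS and BC scripts ever emit a file of the same name (the BC script added in this diff writes `<provider>_bc.csv` and `bc_certs.log`, which look distinct from the OQS names, but nothing checks that). A comment on the second download step, `# Merged into output/ next to the OQS artifact; file names from the two jobs must not collide`, or separate target directories would make the assumption visible. Note also that the `Copy output files` step now fails the whole publish if `./output/certs/bc_certs.log` is absent, for instance when `bc_validation` uploaded nothing; if that hard dependency is intended, a comment saying so would save the next person a debugging round.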
@@ -0,0 +1,82 @@
+#!/bin/bash
+
+certszipr3="artifacts_certs_r3.zip"
+cmszipr1="artifacts_cms_v1.zip"
+inputdir="./providers"
+outputdir="./output/certs"
+logfile=$outputdir/bc_certs.log
+
+# Start the results CSV file
+mkdir -p $outputdir
+printf "Build time: %s\n\n" "$(date)" > $logfile
+
+alreadyTestedOIDs=";"
+
+# Requires an input: the TA file to test
+test_ta () {
+ tafile=$1
+ resultsfile=$2
+
+ tafileBasename=$(basename $tafile)
+
+ # strip off the file suffix to get the OID name
+ if [[ $(expr match "$tafileBasename" ".*_ta\.pem$") != 0 ]]; then
+ oid=${tafileBasename%_ta.pem}
+ elif [[ $(expr match "$tafileBasename" ".*_ta\.der$") != 0 ]]; then
+ oid=${tafileBasename%_ta.der}
+ elif [[ $(expr match "$tafileBasename" ".*_ta\.der\.pem$") != 0 ]]; then
+ oid=${tafileBasename%_ta.der.pem}
+ else # It's some other filename
+ printf "ERROR: file name is not in the expected format: %s\n" $tafileBasename
+ return
+ fi
+
+ # some artifacts submit multiple copies of the same cert as .pem, .der, etc. Just skip the second one
+ if [[ $(expr match "$alreadyTestedOIDs" ".*\;$oid\;.*") != 0 ]]; then
+ printf "\nWarning: %s has been submitted multiple times by this provider. Skipping\n" $oid
+ return
+ fi
+
+ alreadyTestedOIDs=${alreadyTestedOIDs}$oid";"
+
+ printf "\nTesting %s\n" $tafile
+ printf "\nTesting %s\n" $tafile >> $logfile
+
+ # The actual openssl command that is the heart of this script
+ ossl_output=$(verify_r3.sh $(pwd)/$tafile 2>&1)
+ ossl_status=$?
+
+ # log it to file and to stdout
+ echo "$ossl_output" >> $logfile
+ echo "$ossl_output"
+
+
+ # test for an error and print a link in the results CSV file
+ if [[ $ossl_status -ne 0 ]]; then
+ echo "Certificate Validation Result: FAIL"
+ echo $oid,N >> $resultsfile
+ else
+ echo "Certificate Validation Result: SUCCESS"
+ echo $oid,Y >> $resultsfile
+ fi
+}
+
+# First, recurse into any provider dir
+for providerdir in $(ls -d $inputdir/*/); do
+ provider=$(basename $providerdir)
+
+ # process certs
+ zip=${providerdir}$certszipr3
+ unzipdir=${providerdir}"artifacts_certs_r3"
+ printf "Unziping %s to %s\n" $zip $unzipdir
+ unzip -o $zip -d $unzipdir
+
+ resultsfile=${outputdir}/${provider}_bc.csv
+ echo "key_algorithm_oid,test_result" > $resultsfile # CSV header row
+
+ alreadyTestedOIDs=";" # for a guard to skip testing the same cert multiple times
+ # test each TA file
+ for tafile in $(find $unzipdir \( -iname "*_ta.pem" -o -iname "*_ta.der" -o -iname "*_ta.der.pem" \)); do
+ test_ta "$tafile" "$resultsfile"
+ done
+done
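Review bot: File names that come out of the contributor-supplied zip are expanded unquoted, at `for tafile in $(find ...)` and at `verify_r3.sh $(pwd)/$tafile`, so a name containing whitespace or glob characters is word-split and glob-expanded before it reaches the verifier, which at best mis-reports that artifact as failed and at worst hands `verify_r3.sh` extra arguments it never meant to receive. The loop should consume NUL-delimited `find` output and every path should be quoted; `for providerdir in $(ls -d $inputdir/*/)` has the same shape and can be a plain glob, even though provider directories come from the repository itself. The `$oid`-based `echo` lines and `basename $tafile` are unquoted too but lower risk, since `oid` is only derived after the suffix check. `verify_r3.sh` is resolved from PATH inside the container, so the script cannot run outside it; a header comment stating that requirement would help the next maintainer.
```shell
# The actual openssl command that is the heart of this script
ossl_output=$(verify_r3.sh "$(pwd)/$tafile" 2>&1)
# … unchanged: status capture, logging and CSV result line …

for providerdir in "$inputdir"/*/; do
  # … unchanged: unzip step and CSV header row …
  alreadyTestedOIDs=";"  # for a guard to skip testing the same cert multiple times
  # test each TA file; NUL-delimited so names with spaces or globs stay one argument
  while IFS= read -r -d '' tafile; do
    test_ta "$tafile" "$resultsfile"
  done < <(find "$unzipdir" \( -iname "*_ta.pem" -o -iname "*_ta.der" -o -iname "*_ta.der.pem" \) -print0)
done
```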