wolfsshd: bind FPKI certificate UPN realm to AuthorizedUPNDomains #1160
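---
# CI job: exercise wolfSSH against a TPM-resident key on two TPM simulators.
# Matrix: host key type (rsa / ecc) x simulator (ibmswtpm2 / fwtpm).
name: TPM SSH Test

on:
  push:
    branches: [ 'master', 'main', 'release/**' ]
  pull_request:
    branches: [ '*' ]
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: this job only clones repositories and
# uploads artifacts, so read access to repository contents is all it needs.
# (upload-artifact uses the runtime token, not GITHUB_TOKEN.)
permissions:
  contents: read

jobs:
  test-tpm-ssh:
    runs-on: ubuntu-latest
    timeout-minutes: 20
    strategy:
      fail-fast: false
      matrix:
        keytype: [ rsa, ecc ]
        sim: [ ibmswtpm2, fwtpm ]
    steps:
      # NOTE(review): every `uses:` below is referenced by a major-version tag.
      # For supply-chain hardening, pin each one to a full commit SHA (keep the
      # tag in a trailing comment) so a moved tag cannot change what runs here.
      - uses: actions/checkout@v6
        with:
          path: wolfssh

      # wolfSSL and wolfTPM are taken from their default branches. Add a `ref:`
      # if this job must track a fixed dependency version instead of HEAD.
      - name: Clone wolfSSL
        uses: actions/checkout@v6
        with:
          repository: wolfSSL/wolfssl
          path: wolfssl

      - name: Clone wolfTPM
        uses: actions/checkout@v6
        with:
          repository: wolfSSL/wolftpm
          path: wolftpm

      - name: Install Dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y libtool automake autoconf
          sudo apt-get install -y build-essential git autoconf-archive \
            libcmocka-dev libssl-dev uthash-dev libglib2.0-dev \
            tpm2-tools openssh-client sshpass

      # wolfSSL is built with wolfTPM + wolfSSH support; WC_RSA_NO_PADDING is
      # required so the TPM-backed RSA path can operate on raw (unpadded) data.
      - name: Build wolfSSL
        run: |
          cd wolfssl
          ./autogen.sh
          ./configure --enable-wolftpm --enable-wolfssh --enable-keygen \
            CFLAGS="-DWC_RSA_NO_PADDING"
          make
          sudo make install
          sudo ldconfig

      # The wolfTPM client library uses the SWTPM TCP transport (port 2321) for
      # both simulators. The fwTPM build additionally produces fwtpm_server.
      - name: Build wolfTPM (fwTPM)
        if: matrix.sim == 'fwtpm'
        run: |
          cd wolftpm
          ./autogen.sh
          ./configure --enable-fwtpm --enable-swtpm
          make
          sudo make install
          sudo ldconfig

      - name: Start fwTPM simulator
        if: matrix.sim == 'fwtpm'
        run: |
          cd wolftpm
          ./src/fwtpm/fwtpm_server &
          echo "fwtpm_server started with PID: $!"
          # Give the simulator a moment to bind its TCP port before use.
          sleep 2

      - name: Build wolfTPM (SWTPM)
        if: matrix.sim == 'ibmswtpm2'
        run: |
          cd wolftpm
          ./autogen.sh
          ./configure --enable-swtpm
          make
          sudo make install
          sudo ldconfig

      - name: Start ibmswtpm2 simulator
        if: matrix.sim == 'ibmswtpm2'
        run: |
          # NOTE(review): this clones, builds and runs the simulator from its
          # default branch. Pin a tag or commit (`git clone --branch <tag>`) so
          # the simulator under test cannot change underneath the job.
          git clone https://github.com/kgoldman/ibmswtpm2
          cd ibmswtpm2/src
          make
          ./tpm_server &
          echo "tpm_server started with PID: $!"
          sleep 2

      - name: Build wolfSSH
        run: |
          cd wolfssh
          ./autogen.sh
          ./configure --enable-tpm
          make
          sudo make install
          sudo ldconfig

      # Server host key held by the TPM: the echoserver is given the wolfTPM
      # key blob (-G), not a plaintext PEM, so the private key is intended to
      # stay TPM-resident. See wolfTPM's examples/keygen for the flag meanings.
      - name: Test TPM host key (${{ matrix.keytype }})
        run: |
          cd wolftpm
          ./examples/keygen/keygen hostkey.bin -${{ matrix.keytype }} -t -eh
          cd ../wolfssh
          ./examples/echoserver/echoserver -1 -p 22222 \
            -G ../wolftpm/hostkey.bin &
          echo "Echoserver (TPM ${{ matrix.keytype }} host key) PID: $!"
          sleep 2
          # Force the client to negotiate the host-key algorithm that matches
          # the TPM key type, so the TPM-backed signature path is what is tested.
          if [ "${{ matrix.keytype }}" = "ecc" ]; then
            HKA=ecdsa-sha2-nistp256
          else
            HKA=rsa-sha2-256
          fi
          # jill/upthehill is a test account accepted by the echoserver example
          # (presumably hard-coded there; confirm), not a deployment secret.
          # Host-key checking is disabled because the host key is generated
          # fresh on every run and the peer is loopback; a stronger test would
          # compare the fingerprint in ssh_out.txt with the key just generated.
          timeout 20 sshpass -p upthehill ssh -v -p 22222 \
            -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
            -o PreferredAuthentications=password -o PubkeyAuthentication=no \
            -o HostKeyAlgorithms=$HKA \
            jill@localhost exit > ssh_out.txt 2>&1 || true
          echo "----- ssh output -----"
          cat ssh_out.txt
          # The step's bash runs with -e, so a failed grep fails the step: the
          # pass criterion is that key exchange with the TPM-held key completed
          # and authentication succeeded.
          grep -q "Authenticated to localhost" ssh_out.txt

      # Client public-key authentication with a TPM-resident key (RSA only).
      # The public half is exported as PEM, converted to OpenSSH format and
      # installed as the server's authorized key (-s); the client signs with
      # the TPM key blob (-i) under the key auth value given with -K.
      - name: Test TPM client public-key auth
        if: matrix.keytype == 'rsa'
        run: |
          cd wolftpm
          ./examples/keygen/keygen keyblob.bin -rsa -t -pem -eh
          ssh-keygen -f key.pem -i -m PKCS8 > ../wolfssh/key.ssh
          cd ../wolfssh
          ./examples/echoserver/echoserver -1 -s key.ssh &
          echo "Echoserver (authorized TPM client key) PID: $!"
          sleep 2
          timeout 20 ./examples/client/client -i ../wolftpm/keyblob.bin \
            -u hansel -K ThisIsMyKeyAuth

      - name: Archive test artifacts
        if: always()
        uses: actions/upload-artifact@v7
        with:
          name: test-artifacts-${{ matrix.keytype }}-${{ matrix.sim }}
          # hostkey.bin is a wolfTPM key blob; its private portion is expected
          # to be wrapped by the simulator's primary key and unusable without
          # that simulator state -- confirm before relying on it, and keep the
          # retention short regardless.
          retention-days: 7
          path: |
            wolftpm/hostkey.bin
            wolfssh/ssh_out.txt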