X509toolcomparison (aws#1714)

Description: Refactored existing x509 tests Added OpenSSL comparison tests and CI script By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license. --------- Co-authored-by: Samuel Chiang <[email protected]> (cherry picked from commit f723a0c)
samuel40791765 · Aug 14, 2024 · 805d238 · 805d238
1 parent 481bded
commit 805d238
Show file tree

Hide file tree

Showing 6 changed files with 350 additions and 273 deletions.
diff --git a/.github/workflows/opensslcomparison.yml b/.github/workflows/opensslcomparison.yml
@@ -0,0 +1,27 @@
+name: OpenSSL CLI Comparison Tests
+on:
+  push:
+    branches: [ '*' ]
+  pull_request:
+    branches: [ '*' ]
+
+jobs:
+  openssl_comparison_tests:
+    if: github.repository_owner == 'aws'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Install OS Dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get -y --no-install-recommends install \
+            cmake gcc ninja-build golang make autoconf pkg-config openssl
+
+      - name: Make the script executable
+        run: chmod +x ./tests/ci/run_openssl_comparison_tests.sh
+
+      - name: Build AWS-LC & OpenSSL and Run Comparison Tests
+        run: |
+            ./tests/ci/run_openssl_comparison_tests.sh
diff --git a/tests/ci/common_posix_setup.sh b/tests/ci/common_posix_setup.sh
@@ -203,6 +203,19 @@ function sde_getenforce_check {
   fi
 }
 
+function build_openssl {
+    branch=$1
+    echo "building OpenSSL ${branch}"
+    git clone --depth 1 --branch "${branch}" "${openssl_url}" "${scratch_folder}/openssl-${branch}"
+    pushd "${scratch_folder}/openssl-${branch}"
+    mkdir -p "${install_dir}/openssl-${branch}"
+    ./config --prefix="${install_dir}/openssl-${branch}" --openssldir="${install_dir}/openssl-${branch}" -d
+    make "-j${NUM_CPU_THREADS}" > /dev/null
+    make install_sw
+    popd
+    rm -rf "${scratch_folder}/openssl-${branch}"
+}
+
 print_executable_information "cmake" "--version" "CMake version"
 print_executable_information "cmake3" "--version" "CMake version (cmake3 executable)"
 print_executable_information "go" "version" "Go version"

diff --git a/tests/ci/run_benchmark_build_tests.sh b/tests/ci/run_benchmark_build_tests.sh
@@ -52,19 +52,6 @@ function build_aws_lc_branch {
     rm -rf "${scratch_folder}/aws-lc-${branch}"
 }
 
-function build_openssl {
-    branch=$1
-    echo "building OpenSSL ${branch}"
-    git clone --depth 1 --branch "${branch}" "${openssl_url}" "${scratch_folder}/openssl-${branch}"
-    pushd "${scratch_folder}/openssl-${branch}"
-    mkdir -p "${install_dir}/openssl-${branch}"
-    ./config --prefix="${install_dir}/openssl-${branch}" --openssldir="${install_dir}/openssl-${branch}" -d
-    make "-j${NUM_CPU_THREADS}" > /dev/null
-    make install_sw
-    popd
-    rm -rf "${scratch_folder}/openssl-${branch}"
-}
-
 function build_boringssl {
   git clone --depth 1 https://github.com/google/boringssl.git "${scratch_folder}/boringssl"
   pushd "${scratch_folder}/boringssl"

diff --git a/tests/ci/run_openssl_comparison_tests.sh b/tests/ci/run_openssl_comparison_tests.sh
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+set -ex
+
+source tests/ci/common_posix_setup.sh
+
+scratch_folder=${SYS_ROOT}/"openssl-scratch"
+install_dir="${scratch_folder}/libcrypto_install_dir"
+openssl_url='https://github.com/openssl/openssl.git'
+openssl_1_1_1_branch='OpenSSL_1_1_1-stable'
+openssl_1_0_2_branch='OpenSSL_1_0_2-stable'
+openssl_3_1_branch='openssl-3.1'
+openssl_3_2_branch='openssl-3.2'
+openssl_master_branch='master'
+
+mkdir -p "${scratch_folder}"
+rm -rf "${scratch_folder:?}"/*
+
+build_openssl $openssl_1_0_2_branch
+build_openssl $openssl_1_1_1_branch
+build_openssl $openssl_3_1_branch
+build_openssl $openssl_3_2_branch
+build_openssl $openssl_master_branch
+
+run_build -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_C_STANDARD=11 -DENABLE_DILITHIUM=ON
+
+# OpenSSL 3.1.0 on switches from lib folder to lib64 folder
+declare -A openssl_branches=(
+  ["$openssl_1_0_2_branch"]="lib"
+  ["$openssl_1_1_1_branch"]="lib"
+  ["$openssl_3_1_branch"]="lib64"
+  ["$openssl_3_2_branch"]="lib64"
+  ["$openssl_master_branch"]="lib64"
+)
+
+# Run X509 Comparison Tests against all OpenSSL branches
+export AWSLC_TOOL_PATH="${BUILD_ROOT}/tool-openssl/openssl"
+for branch in "${!openssl_branches[@]}"; do
+  export OPENSSL_TOOL_PATH="${install_dir}/openssl-${branch}/bin/openssl"
+  echo "Running X509ComparisonTests against OpenSSL ${branch}"
+  LD_LIBRARY_PATH="${install_dir}/openssl-${branch}/${openssl_branches[$branch]}" "${BUILD_ROOT}/tool-openssl/tool_openssl_test" --gtest_filter=X509ComparisonTest.*
+done
+
diff --git a/tool-openssl/x509.cc b/tool-openssl/x509.cc
@@ -4,9 +4,8 @@
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/rsa.h>
-#include <cstdio>
-#include <ctime>
 #include "internal.h"
+#include <ctime>
 
 static const argument_t kArguments[] = {
   { "-help", kBooleanArgument, "Display option summary" },
@@ -99,10 +98,6 @@ bool X509Tool(const args_list_t &args) {
   }
 
   // Check for mutually exclusive options
-  if (noout && (!out_path.empty() || modulus || dates || parsed_args.count("-checkend"))) {
-    fprintf(stderr, "Error: '-noout' option cannot be used with '-out', '-modulus', '-dates', and '-checkend' options\n");
-    return false;
-  }
   if (req && (dates || parsed_args.count("-checkend"))){
     fprintf(stderr, "Error: '-req' option cannot be used with '-dates' and '-checkend' options\n");
     return false;
@@ -192,7 +187,7 @@ bool X509Tool(const args_list_t &args) {
     }
 
     // Write the signed certificate to output file
-    if (!noout && !out_path.empty()) {
+    if (!out_path.empty()) {
       if (!WriteSignedCertificate(x509.get(), out_path)) {
         return false;
       }
@@ -240,9 +235,16 @@ bool X509Tool(const args_list_t &args) {
           fprintf(stderr, "Error: unable to load modulus\n");
           return false;
         }
-        printf("Modulus=");
-        BN_print_fp(stdout, n);
-        printf("\n");
+        char *hex_modulus = BN_bn2hex(n);
+        if (!hex_modulus) {
+          fprintf(stderr, "Error: unable to convert modulus to hex\n");
+          return false;
+        }
+        for (char *p = hex_modulus; *p; ++p) {
+          *p = toupper(*p);
+        }
+        printf("Modulus=%s\n", hex_modulus);
+        OPENSSL_free(hex_modulus);
       } else {
         fprintf(stderr, "Error: public key is not an RSA key\n");
         return false;
@@ -271,11 +273,18 @@ bool X509Tool(const args_list_t &args) {
       }
     }
 
-    if (!noout && !out_path.empty()) {
+    if (!out_path.empty()) {
       if (!WriteSignedCertificate(x509.get(), out_path)) {
         return false;
       }
     }
+
+    if (!noout && !in_path.empty() && !checkend && parsed_args.count("-out")==0) {
+      bssl::UniquePtr<BIO> bio_out(BIO_new_fp(stdout, BIO_NOCLOSE));
+      if (!PEM_write_bio_X509(bio_out.get(), x509.get())) {
+        return false;
+      }
+    }
   }
   return true;
 }