4 changes: 4 additions & 0 deletions wolfProvider/stunnel/README.md
@@ -1,6 +1,10 @@
For version 5.67 testing with WPFF support, use the patch `stunnel-WPFF-5.67-wolfprov.patch`
This patch adds support for testing stunnel with `WOLFPROV_FORCE_FAIL=1`
environment variable, which is used to simulate provider failures during
testing. It is only needed if you are testing wolfProvider with
`WOLFPROV_FORCE_FAIL=1`.
The patch includes modifications to certificate generation and session
resumption tests to properly handle this test mode.

For version 5.67 testing with FIPS support, use the patch `stunnel-FIPS-5.67-wolfprov.patch`
Note: use either the WPFF or FIPS patch not both.
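--- a/wolfProvider/stunnel/stunnel-FIPS-5.67-wolfprov.patch
+++ b/wolfProvider/stunnel/stunnel-FIPS-5.67-wolfprov.patch
@@ -0,0 +1,129 @@
+diff --git a/tests/certs/maketestcert.sh b/tests/certs/maketestcert.sh
+index 3c4f8b5..f53cfda 100755
+--- a/tests/certs/maketestcert.sh
++++ b/tests/certs/maketestcert.sh
+@@ -7,6 +7,17 @@ cd $(dirname "$0")
+script_path=$(pwd)
+cd "${result_path}"
+
++# Set wolfProvider paths with dynamic user detection
++CURRENT_USER=$(whoami)
++WOLFPROV_PATH="/home/${CURRENT_USER}/wolfProvider/wolfprov-install"
++WOLFPROV_LIB="$WOLFPROV_PATH/lib"
++OPENSSL_PATH="/home/${CURRENT_USER}/wolfProvider/openssl-install"
++
++# Set environment variables
++export LD_LIBRARY_PATH="$WOLFPROV_LIB:$OPENSSL_PATH/lib64:$LD_LIBRARY_PATH"
++export OPENSSL_CONF="/home/${CURRENT_USER}/wolfProvider/provider-fips.conf"
++export OPENSSL_MODULES="$WOLFPROV_LIB"
++
+mkdir "tmp/"
+
+# create new psk secrets
+@@ -30,8 +41,7 @@ gen_psk 2
+
+# OpenSSL settings
+TEMP_LD_LIBRARY_PATH=$LD_LIBRARY_PATH
+-LD_LIBRARY_PATH=""
+-OPENSSL=openssl
++OPENSSL="$OPENSSL_PATH/bin/openssl"
+CONF="${script_path}/openssltest.cnf"
+
+mkdir "demoCA/"
+@@ -40,57 +50,57 @@ touch "demoCA/index.txt.attr"
+echo 1000 > "demoCA/serial"
+
+# generate a self-signed certificate
+-$OPENSSL req -config $CONF -new -x509 -days $ddays -keyout tmp/stunnel.pem -out tmp/stunnel.pem \
++$OPENSSL req -provider-path $WOLFPROV_LIB -provider libwolfprov -config $CONF -new -x509 -days $ddays -keyout tmp/stunnel.pem -out tmp/stunnel.pem \
+-subj "/C=PL/ST=Mazovia Province/L=Warsaw/O=Stunnel Developers/OU=Provisional CA/CN=localhost/[email protected]" \
+1>&2 2>> "maketestcert.log"
+
+# generate root CA certificate
+-$OPENSSL genrsa -out demoCA/CA.key 1>&2 2>> "maketestcert.log"
+-$OPENSSL req -config $CONF -new -x509 -days $ddays -key demoCA/CA.key -out tmp/CACert.pem \
++$OPENSSL genpkey -provider-path $WOLFPROV_LIB -provider libwolfprov -algorithm RSA -out demoCA/CA.key -pkeyopt rsa_keygen_bits:2048 1>&2 2>> "maketestcert.log"
++$OPENSSL req -provider-path $WOLFPROV_LIB -provider libwolfprov -config $CONF -new -x509 -days $ddays -key demoCA/CA.key -out tmp/CACert.pem \
+-subj "/C=PL/O=Stunnel Developers/OU=Root CA/CN=CA/[email protected]" \
+1>&2 2>> "maketestcert.log"
+
+# generate a certificate to revoke
+-$OPENSSL genrsa -out demoCA/revoked.key 1>&2 2>> "maketestcert.log"
+-$OPENSSL req -config $CONF -new -key demoCA/revoked.key -out demoCA/revoked.csr \
++$OPENSSL genpkey -provider-path $WOLFPROV_LIB -provider libwolfprov -algorithm RSA -out demoCA/revoked.key -pkeyopt rsa_keygen_bits:2048 1>&2 2>> "maketestcert.log"
++$OPENSSL req -provider-path $WOLFPROV_LIB -provider libwolfprov -config $CONF -new -key demoCA/revoked.key -out demoCA/revoked.csr \
+-subj "/C=PL/O=Stunnel Developers/OU=revoked/CN=revoked/[email protected]" \
+1>&2 2>> "maketestcert.log"
+
+-$OPENSSL ca -config $CONF -batch -days $ddays -in demoCA/revoked.csr -out demoCA/revoked.cer 1>&2 2>> "maketestcert.log"
++$OPENSSL ca -provider-path $WOLFPROV_LIB -provider libwolfprov -config $CONF -batch -days $ddays -in demoCA/revoked.csr -out demoCA/revoked.cer 1>&2 2>> "maketestcert.log"
+
+-$OPENSSL x509 -in demoCA/revoked.cer -out tmp/revoked_cert.pem 1>&2 2>> "maketestcert.log"
++$OPENSSL x509 -provider-path $WOLFPROV_LIB -provider libwolfprov -in demoCA/revoked.cer -out tmp/revoked_cert.pem 1>&2 2>> "maketestcert.log"
+cat demoCA/revoked.key >> tmp/revoked_cert.pem 2>> "maketestcert.log"
+
+# revoke above certificate and generate CRL file
+-$OPENSSL ca -config $CONF -revoke demoCA/1000.pem 1>&2 2>> "maketestcert.log"
+-$OPENSSL ca -config $CONF -gencrl -crldays $ddays -out tmp/CACertCRL.pem 1>&2 2>> "maketestcert.log"
++$OPENSSL ca -provider-path $WOLFPROV_LIB -provider libwolfprov -config $CONF -revoke demoCA/1000.pem 1>&2 2>> "maketestcert.log"
++$OPENSSL ca -provider-path $WOLFPROV_LIB -provider libwolfprov -config $CONF -gencrl -crldays $ddays -out tmp/CACertCRL.pem 1>&2 2>> "maketestcert.log"
+
+# generate a client certificate
+-$OPENSSL genrsa -out demoCA/client.key 1>&2 2>> "maketestcert.log"
+-$OPENSSL req -config $CONF -new -key demoCA/client.key -out demoCA/client.csr \
++$OPENSSL genpkey -provider-path $WOLFPROV_LIB -provider libwolfprov -algorithm RSA -out demoCA/client.key -pkeyopt rsa_keygen_bits:2048 1>&2 2>> "maketestcert.log"
++$OPENSSL req -provider-path $WOLFPROV_LIB -provider libwolfprov -config $CONF -new -key demoCA/client.key -out demoCA/client.csr \
+-subj "/C=PL/O=Stunnel Developers/OU=client/CN=client/[email protected]" \
+1>&2 2>> "maketestcert.log"
+
+-$OPENSSL ca -config $CONF -batch -days $ddays -in demoCA/client.csr -out demoCA/client.cer 1>&2 2>> "maketestcert.log"
++$OPENSSL ca -provider-path $WOLFPROV_LIB -provider libwolfprov -config $CONF -batch -days $ddays -in demoCA/client.csr -out demoCA/client.cer 1>&2 2>> "maketestcert.log"
+
+-$OPENSSL x509 -in demoCA/client.cer -out tmp/client_cert.pem 1>&2 2>> "maketestcert.log"
++$OPENSSL x509 -provider-path $WOLFPROV_LIB -provider libwolfprov -in demoCA/client.cer -out tmp/client_cert.pem 1>&2 2>> "maketestcert.log"
+cat tmp/client_cert.pem > tmp/PeerCerts.pem 2>> "maketestcert.log"
+cat demoCA/client.key >> tmp/client_cert.pem 2>> "maketestcert.log"
+
+# generate a server certificate
+-$OPENSSL genrsa -out demoCA/server.key 1>&2 2>> "maketestcert.log"
+-$OPENSSL req -config $CONF -new -key demoCA/server.key -out demoCA/server.csr \
++$OPENSSL genpkey -provider-path $WOLFPROV_LIB -provider libwolfprov -algorithm RSA -out demoCA/server.key -pkeyopt rsa_keygen_bits:2048 1>&2 2>> "maketestcert.log"
++$OPENSSL req -provider-path $WOLFPROV_LIB -provider libwolfprov -config $CONF -new -key demoCA/server.key -out demoCA/server.csr \
+-subj "/C=PL/O=Stunnel Developers/OU=server/CN=server/[email protected]" \
+1>&2 2>> "maketestcert.log"
+
+-$OPENSSL ca -config $CONF -batch -days $ddays -in demoCA/server.csr -out demoCA/server.cer 1>&2 2>> "maketestcert.log"
++$OPENSSL ca -provider-path $WOLFPROV_LIB -provider libwolfprov -config $CONF -batch -days $ddays -in demoCA/server.csr -out demoCA/server.cer 1>&2 2>> "maketestcert.log"
+
+-$OPENSSL x509 -in demoCA/server.cer -out tmp/server_cert.pem 1>&2 2>> "maketestcert.log"
++$OPENSSL x509 -provider-path $WOLFPROV_LIB -provider libwolfprov -in demoCA/server.cer -out tmp/server_cert.pem 1>&2 2>> "maketestcert.log"
+cat tmp/server_cert.pem >> tmp/PeerCerts.pem 2>> "maketestcert.log"
+cat demoCA/server.key >> tmp/server_cert.pem 2>> "maketestcert.log"
+
+# create a PKCS#12 file with a server certificate
+-$OPENSSL pkcs12 -export -certpbe pbeWithSHA1And3-KeyTripleDES-CBC -in tmp/server_cert.pem -out tmp/server_cert.p12 -passout pass: 1>&2 2>> "maketestcert.log"
++$OPENSSL pkcs12 -provider-path $WOLFPROV_LIB -provider libwolfprov -export -in tmp/server_cert.pem -out tmp/server_cert.p12 -inkey demoCA/server.key -name server -macalg sha1 -keypbe pbeWithSHA1And3-KeyTripleDES-CBC -certpbe pbeWithSHA1And3-KeyTripleDES-CBC -passout pass: 1>&2 2>> "maketestcert.log"
+
+# copy new files
+if [ -s tmp/stunnel.pem ] && [ -s tmp/CACert.pem ] && [ -s tmp/CACertCRL.pem ] && \
+diff --git a/tests/maketest.py b/tests/maketest.py
+index 8443dbc..19f0bcc 100644
+--- a/tests/maketest.py
++++ b/tests/maketest.py
+@@ -1620,11 +1620,15 @@ def parse_args() -> Config:
+"(default: INFO)",
+)
+args = parser.parse_args()
++ # Detect current user for dynamic paths
++ current_user = os.environ.get("USER", "user")
+utf8_env = dict(os.environ)
+utf8_env.update({
+"LC_ALL": "C.UTF-8",
+"LANGUAGE": "",
+- "LD_LIBRARY_PATH": args.libs})
++ "LD_LIBRARY_PATH": args.libs,
++ "OPENSSL_CONF": f"/home/{current_user}/wolfProvider/provider-fips.conf",
++ "OPENSSL_MODULES": f"/home/{current_user}/wolfProvider/wolfprov-install/lib"})
+if not os.path.isdir(args.logs):
+os.mkdir(args.logs)
+with os.scandir(args.logs) as entries: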
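Review bot: `export LD_LIBRARY_PATH="$WOLFPROV_LIB:$OPENSSL_PATH/lib64:$LD_LIBRARY_PATH"` in the maketestcert.sh hunk leaves a trailing colon whenever LD_LIBRARY_PATH was unset, and the dynamic loader treats that empty element as the current directory, so every openssl invocation after `cd "${result_path}"` would also search the working tree for shared objects; the colon should be conditional, `export LD_LIBRARY_PATH="$WOLFPROV_LIB:$OPENSSL_PATH/lib64${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"`. The `/home/${CURRENT_USER}/...` layout built from `whoami` (and from `USER` in the maketest.py hunk) breaks under sudo or on hosts whose home directories are not under /home; deriving it from `$HOME`, or letting an override such as `WOLFPROV_PATH="${WOLFPROV_PATH:-$HOME/wolfProvider/wolfprov-install}"` win, would be more robust and would also let CI point at a different install tree. The surviving `TEMP_LD_LIBRARY_PATH=$LD_LIBRARY_PATH` suggests the script restores the variable somewhere outside this hunk, so it is worth confirming that the provider search path set here is still in effect when stunnel itself is launched. For a patch named FIPS, the pkcs12 line's `-macalg sha1` and `-keypbe pbeWithSHA1And3-KeyTripleDES-CBC` select algorithms a FIPS-mode provider may refuse; if they are intentionally served by a non-FIPS provider for the legacy test fixture, a one-line comment above that command saying so would save the next reader a debugging session.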