|
| 1 | +name: Python Cryptography Tests |
| 2 | +on: |
| 3 | + push: |
| 4 | + branches: [ 'master', 'main', 'release/**' ] |
| 5 | + pull_request: |
| 6 | + branches: [ '*' ] |
| 7 | + |
| 8 | +concurrency: |
| 9 | + group: ${{ github.workflow }}-${{ github.ref }} |
| 10 | + cancel-in-progress: true |
| 11 | + |
| 12 | +jobs: |
| 13 | + build_wolfprovider: |
| 14 | + uses: ./.github/workflows/build-wolfprovider.yml |
| 15 | + with: |
| 16 | + wolfssl_ref: ${{ matrix.wolfssl_ref }} |
| 17 | + openssl_ref: ${{ matrix.openssl_ref }} |
| 18 | + strategy: |
| 19 | + matrix: |
| 20 | + wolfssl_ref: [ 'master', 'v5.8.0-stable' ] |
| 21 | + openssl_ref: [ 'openssl-3.5.0' ] |
| 22 | + |
| 23 | + test_cryptography: |
| 24 | + runs-on: ubuntu-22.04 |
| 25 | + needs: build_wolfprovider |
| 26 | + timeout-minutes: 30 |
| 27 | + strategy: |
| 28 | + matrix: |
| 29 | + cryptography_ref: [ 'main', '38.0.4' ] |
| 30 | + wolfssl_ref: [ 'master', 'v5.8.0-stable' ] |
| 31 | + openssl_ref: [ 'openssl-3.5.0' ] |
| 32 | + force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ] |
| 33 | + exclude: |
| 34 | + - cryptography_ref: 'main' |
| 35 | + force_fail: 'WOLFPROV_FORCE_FAIL=1' |
| 36 | + steps: |
| 37 | + - name: Checkout wolfProvider |
| 38 | + uses: actions/checkout@v4 |
| 39 | + with: |
| 40 | + fetch-depth: 1 |
| 41 | + |
| 42 | + - name: Retrieving wolfProvider from cache |
| 43 | + uses: actions/cache/restore@v4 |
| 44 | + id: wolfprov-cache-restore |
| 45 | + with: |
| 46 | + path: | |
| 47 | + wolfssl-install |
| 48 | + wolfprov-install |
| 49 | + openssl-install/lib64 |
| 50 | + openssl-install/include |
| 51 | + openssl-install/bin |
| 52 | + key: wolfprov-${{ matrix.wolfssl_ref }}-${{ matrix.openssl_ref }}-${{ github.sha }} |
| 53 | + fail-on-cache-miss: true |
| 54 | + |
| 55 | + - name: Install Python cryptography dependencies |
| 56 | + run: | |
| 57 | + sudo apt-get update |
| 58 | + sudo apt-get install -y python3 python3-pip python3-venv python3-dev build-essential libffi-dev pkg-config |
| 59 | +
|
| 60 | + - name: Checkout Python cryptography |
| 61 | + uses: actions/checkout@v4 |
| 62 | + with: |
| 63 | + repository: pyca/cryptography |
| 64 | + path: cryptography_repo |
| 65 | + ref: ${{ matrix.cryptography_ref }} |
| 66 | + fetch-depth: 1 |
| 67 | + |
| 68 | + - name: Apply wolfProvider patch for cryptography 38.0.4 |
| 69 | + if: matrix.cryptography_ref == '38.0.4' |
| 70 | + working-directory: cryptography_repo |
| 71 | + run: | |
| 72 | + patch -p1 < $GITHUB_WORKSPACE/osp/wolfProvider/python-cryptography/python-cryptography-38.0.4-wolfprov.patch |
| 73 | +
|
| 74 | + - name: Setup Python environment |
| 75 | + working-directory: cryptography_repo |
| 76 | + run: | |
| 77 | + python3 -m venv venv |
| 78 | + source venv/bin/activate |
| 79 | + pip install -e . |
| 80 | + pip install -e .[test] |
| 81 | + pip install pytest pytest-cov |
| 82 | + #disable non-standard key size RSA tests |
| 83 | + perl -i -0777 -pe 's/def _check_fips_key_length\(backend, private_key\):\s*if \(\s*backend\._fips_enabled\s*and\s*private_key\.key_size\s*<\s*backend\._fips_rsa_min_key_size\s*\):\s*pytest\.skip\(f"Key size not FIPS compliant: \{private_key\.key_size\}"\)/def _check_fips_key_length(backend, private_key):\n min_key_size = 2048\n if private_key.key_size < min_key_size:\n pytest.skip(f"Key size not compliant: {private_key.key_size} < {min_key_size}")/g' tests/hazmat/primitives/test_rsa.py |
| 84 | +
|
| 85 | + - name: Run cryptography tests |
| 86 | + working-directory: cryptography_repo |
| 87 | + run: | |
| 88 | + echo "Setting environment variables..." |
| 89 | + source $GITHUB_WORKSPACE/scripts/env-setup |
| 90 | + export ${{ matrix.force_fail }} |
| 91 | + source venv/bin/activate |
| 92 | +
|
| 93 | + set -o pipefail |
| 94 | +
|
| 95 | + python -m pytest --disable-warnings -m "not skip_fips" \ |
| 96 | + --ignore=tests/hazmat/primitives/test_ed25519.py \ |
| 97 | + --ignore=tests/hazmat/primitives/test_ed448.py \ |
| 98 | + --ignore=tests/hazmat/primitives/test_x25519.py \ |
| 99 | + --ignore=tests/hazmat/primitives/test_x448.py \ |
| 100 | + --ignore=tests/conftest.py \ |
| 101 | + --ignore=tests/hazmat/primitives/test_pkcs12.py \ |
| 102 | + -k "not (test_vector_version or test_build_cert_with_rsa_key_too_small or test_rsa_key_too_small or test_sign_rsa_key_too_small or SHA1 or sha1 or test_gcm_min_max_iv)" \ |
| 103 | + | tee cryptography-test.log |
| 104 | +
|
| 105 | + TEST_EXIT_CODE=$? |
| 106 | +
|
| 107 | + if [ $TEST_EXIT_CODE -eq 0 ]; then |
| 108 | + TEST_RESULT=0 |
| 109 | + else |
| 110 | + TEST_RESULT=1 |
| 111 | + fi |
| 112 | +
|
| 113 | + $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} cryptography |
0 commit comments