Merge pull request #35 from canonical/snap-action

Add a GitHub action to test the content snap
canonical · Sep 21, 2024 · 015c067 · 015c067
2 parents 833cc69 + 3a45446
commit 015c067
Show file tree

Hide file tree

Showing 5 changed files with 550 additions and 1 deletion.
diff --git a/.github/workflows/snaptest.yml b/.github/workflows/snaptest.yml
@@ -0,0 +1,47 @@
+name: Content snap test 
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "**" ]
+
+jobs:
+  build:
+    runs-on: ubuntu-22.04
+    steps:
+    - uses: actions/checkout@v4
+    - name: Install and init lxd
+      run: |
+        sudo lxd init --auto 
+    - name: Install snapcraft
+      run: sudo snap install snapcraft --classic
+    - name: Re-ensure connectivity in LXD containers
+      run: |
+        for ipt in iptables iptables-legacy ip6tables ip6tables-legacy; do \
+          sudo $ipt --flush; \
+          sudo $ipt --flush -t nat; \
+          sudo $ipt --delete-chain; \
+          sudo $ipt --delete-chain -t nat; \
+          sudo $ipt -P FORWARD ACCEPT; \
+          sudo $ipt -P INPUT ACCEPT; \
+          sudo $ipt -P OUTPUT ACCEPT; \
+        done
+        sudo systemctl reload snap.lxd.daemon
+    - name: Build openssl-fips-java snap
+      run: sudo snapcraft
+    - name: Install openssl-fips-java snap
+      run: sudo snap install --dangerous ./openssl-fips-java_0.0.1_amd64.snap
+    - name: Build sample consumer snap
+      run: |
+        cd ${{ github.workspace }}/src/test/consumer-snap
+        sudo snapcraft
+        sudo snap install --dangerous ./kem-test_1.0_amd64.snap 
+        cd ${{ github.workspace }}
+    - name: Connect snaps
+      run: sudo snap connect kem-test:openssl-fips-provider-jar openssl-fips-java:openssl-fips-provider-jar
+    - name: Run kem-test
+      run: kem-test
+
+
+
diff --git a/src/main/native/c/init.c b/src/main/native/c/init.c
@@ -18,6 +18,7 @@
 #include <openssl/crypto.h>
 #include <openssl/err.h>
 #include <stdio.h>
+#include <stdlib.h>
 #include "jni.h"
 
 /* Global libctx handle. Will be initializaed in JNI_OnLoad */
@@ -64,6 +65,11 @@ OSSL_LIB_CTX* load_openssl_base_provider(const char* conf_file_path) {
 }
 
 int JNI_OnLoad(JavaVM* vm, void *reserved) {
-    global_libctx = load_openssl_fips_provider("/usr/local/ssl/openssl.cnf");
+    const char *default_cnf = "/usr/local/ssl/openssl.cnf";
+    char *cnf = getenv("OPENSSL_CUSTOM_CONF");
+    if (cnf == NULL) {
+        cnf = default_cnf;
+    }
+    global_libctx = load_openssl_fips_provider(cnf);
     return JNI_VERSION_21;
 }
diff --git a/src/test/consumer-snap/KEMTest.java b/src/test/consumer-snap/KEMTest.java
@@ -0,0 +1,43 @@
+import java.security.KeyPair;
+import java.security.PublicKey;
+import java.security.PrivateKey;
+import java.util.Arrays;
+import java.security.KeyPairGenerator;
+import javax.crypto.KEM;
+import javax.crypto.KEM.Encapsulated;
+import javax.crypto.KEM.Encapsulator;
+import javax.crypto.KEM.Decapsulator;
+import javax.crypto.SecretKey;
+import java.security.Security;
+
+
+public class KEMTest {
+    public static void main(String[] args) throws Exception {
+        String cname = "com.canonical.openssl.provider.OpenSSLFIPSProvider";
+        Security.addProvider((java.security.Provider) Class.forName(cname).newInstance());
+
+        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
+        kpg.initialize(4096);
+
+        // Alice creates a key pair and shares the public key with Bob
+        KeyPair aliceKeys = kpg.generateKeyPair();
+        PublicKey alicePublicKey = aliceKeys.getPublic();
+        PrivateKey alicePrivateKey = aliceKeys.getPrivate();
+
+        // Bob generates a shared secret and wraps it using Alice's public key
+        KEM bobKem = KEM.getInstance("RSA", "OpenSSLFIPSProvider");
+        Encapsulator encapsulator = bobKem.newEncapsulator(alicePublicKey, null, null);
+        int secretSize = encapsulator.secretSize();
+        KEM.Encapsulated encapsulated = encapsulator.encapsulate(0, secretSize, "AES");
+        SecretKey bobSecret = encapsulated.key();
+
+        // Bob sends the encapsulated secret to Alice
+        // Alice uses her RSA private key to unwrap the shared secret
+        KEM aliceKem = KEM.getInstance("RSA", "OpenSSLFIPSProvider");
+        Decapsulator decapsulator = aliceKem.newDecapsulator(alicePrivateKey, null);
+        byte[] encapsulationBytes = encapsulated.encapsulation();
+        SecretKey aliceSecret = decapsulator.decapsulate(encapsulationBytes, 0, encapsulationBytes.length, "AES");
+
+        System.out.println(aliceSecret.equals(bobSecret));
+    }
+}