Implement PublicKeyComponents::build_encrypting_key #1111
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: tests | |
on: | |
push: | |
branches: | |
- '*' | |
- '!generate/aws-lc-*' | |
pull_request: | |
branches: | |
- '*' | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref_name }} | |
cancel-in-progress: true | |
env: | |
RUST_BACKTRACE: 1 | |
# We can pin the version if nightly is too unstable. | |
# Otherwise, we test against the latest version. | |
RUST_NIGHTLY_TOOLCHAIN: nightly | |
jobs: | |
aws-lc-rs-test: | |
if: github.repository_owner == 'aws' | |
name: aws-lc-rs tests | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
rust: [ stable ] | |
os: [ ubuntu-latest, macos-13, macos-14-xlarge ] | |
args: | |
- --all-targets --features unstable | |
- --release --all-targets --features unstable | |
- --no-default-features --features non-fips,unstable | |
- --no-default-features --features non-fips,ring-io,unstable | |
- --no-default-features --features non-fips,ring-sig-verify,unstable | |
- --no-default-features --features non-fips,alloc,unstable | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
submodules: 'recursive' | |
- uses: dtolnay/rust-toolchain@master | |
id: toolchain | |
with: | |
toolchain: ${{ matrix.rust }} | |
- name: Set Rust toolchain override | |
run: rustup override set ${{ steps.toolchain.outputs.name }} | |
- name: Run cargo test | |
working-directory: ./aws-lc-rs | |
run: cargo test ${{ matrix.args }} | |
- name: Run extra tests | |
working-directory: ./aws-lc-rs-testing | |
run: cargo test --all-targets | |
aws-lc-rs-1804-gcc: | |
if: github.repository_owner == 'aws' | |
name: GCC ${{ matrix.gcc_version }} - CMake ${{ matrix.cmake }} - FIPS ${{ matrix.fips }} | |
runs-on: ubuntu-20.04 | |
container: | |
image: ubuntu:18.04 | |
env: | |
AWS_LC_SYS_CMAKE_BUILDER: ${{ matrix.cmake }} | |
strategy: | |
fail-fast: false | |
matrix: | |
cmake: [ '0', '1' ] | |
gcc_version: [ '4.8', '5', '6' ] | |
fips: [ '0', '1' ] | |
steps: | |
- run: | | |
apt-get update | |
apt-get install -y ca-certificates | |
apt-get install -y cmake curl sudo | |
apt-get install -y --no-install-recommends gpg-agent software-properties-common | |
apt-add-repository --yes ppa:git-core/ppa | |
add-apt-repository --yes ppa:longsleep/golang-backports | |
apt-get update | |
apt-get install -y build-essential git golang-go | |
curl -L -O -J https://github.com/PowerShell/PowerShell/releases/download/v7.2.23/powershell_7.2.23-1.deb_amd64.deb | |
dpkg -i powershell_7.2.23-1.deb_amd64.deb | |
apt-get install -f | |
rm powershell_7.2.23-1.deb_amd64.deb | |
- name: Checkout | |
run: | | |
git config --global --add safe.directory '*' | |
git clone --recursive ${{ github.server_url }}/${{ github.repository }}.git . | |
git fetch origin ${{ github.sha }} | |
git checkout --recurse-submodules -b ci-job ${{ github.sha }} | |
- uses: dtolnay/rust-toolchain@master | |
id: toolchain | |
with: | |
toolchain: stable | |
- name: Set up GCC | |
uses: egor-tensin/setup-gcc@v1.3 | |
with: | |
version: ${{ matrix.gcc_version }} | |
platform: x64 | |
- name: Run cargo test (debug) | |
run: cargo test -p aws-lc-rs --all-targets --no-default-features --features ${{ (matrix.fips == '0' && 'unstable,aws-lc-sys') || 'unstable,fips' }} | |
- name: Run cargo test (release) | |
run: cargo test -p aws-lc-rs --release --all-targets --no-default-features --features ${{ (matrix.fips == '0' && 'unstable,aws-lc-sys') || 'unstable,fips' }} | |
aws-lc-rs-2004-gcc: | |
if: github.repository_owner == 'aws' | |
name: GCC ${{ matrix.gcc_version }} - CMake ${{ matrix.cmake }} - FIPS ${{ matrix.fips }} | |
runs-on: ubuntu-20.04 | |
env: | |
AWS_LC_SYS_CMAKE_BUILDER: ${{ matrix.cmake }} | |
strategy: | |
fail-fast: false | |
matrix: | |
cmake: [ '0', '1' ] | |
gcc_version: [ '7', '8' ] | |
fips: [ '0', '1' ] | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
submodules: 'recursive' | |
- uses: dtolnay/rust-toolchain@master | |
id: toolchain | |
with: | |
toolchain: stable | |
- name: Set up GCC | |
uses: egor-tensin/setup-gcc@v1.3 | |
with: | |
version: ${{ matrix.gcc_version }} | |
platform: x64 | |
- if: matrix.fips == '1' | |
uses: actions/setup-go@v4 | |
with: | |
go-version: '>=1.18' | |
- name: Run cargo test (debug) | |
run: cargo test -p aws-lc-rs --all-targets --no-default-features --features ${{ (matrix.fips == '0' && 'unstable,aws-lc-sys') || 'unstable,fips' }} | |
- name: Run cargo test (release) | |
run: cargo test -p aws-lc-rs --release --all-targets --no-default-features --features ${{ (matrix.fips == '0' && 'unstable,aws-lc-sys') || 'unstable,fips' }} | |
# The steps below verify that we're successfully using `-ffile-prefix-map` | |
# to remove build environment paths from the resulting library. | |
- if: ${{ matrix.gcc_version == '8' }} | |
name: Verify paths found in debug build | |
run: | | |
DEBUG_LIBCRYPTO=$(find ./target/debug -name "libaws_lc_*_crypto.a") | |
if strings ${DEBUG_LIBCRYPTO} | grep runner; then | |
exit 0; # SUCCESS | |
else | |
exit 1; # FAIL - we expected to find "runner" (i.e., a path) | |
fi | |
# TODO: Due to the nature of the FIPS build (e.g., its dynamic generation of | |
# assembly files and its custom compilation commands within CMake), not all | |
# source paths are stripped from the resulting binary. | |
- if: ${{ matrix.gcc_version == '8' && matrix.fips == '0' }} | |
name: Verify paths not found in release build | |
run: | | |
RELEASE_LIBCRYPTO=$(find ./target/release -name "libaws_lc_*_crypto.a") | |
if strings ${RELEASE_LIBCRYPTO} | grep runner; then | |
exit 1; # FAIL - we did not expect to find "runner" (i.e., a path) | |
else | |
exit 0; # SUCCESS | |
fi | |
aws-lc-rs-c-std-test: | |
if: github.repository_owner == 'aws' | |
name: C-std ${{ matrix.os }} - ${{ matrix.c_std }} - Force CMake ${{ matrix.cmake }} | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
rust: [ stable ] | |
os: [ ubuntu-latest, macos-13, macos-14-xlarge, windows-latest ] | |
c_std: [ "11", "99" ] | |
cmake: [ '0', '1' ] | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
submodules: 'recursive' | |
- uses: dtolnay/rust-toolchain@master | |
id: toolchain | |
with: | |
toolchain: stable | |
- run: | | |
echo 'export AWS_LC_SYS_CMAKE_BUILDER=${{ matrix.cmake }}' >> "$GITHUB_ENV" | |
- name: Run cargo test | |
working-directory: ./aws-lc-rs | |
env: | |
AWS_LC_SYS_PREBUILT_NASM: 1 | |
AWS_LC_SYS_C_STD: ${{ matrix.c_std }} | |
run: cargo test --all-targets --features unstable | |
bindgen-test: | |
if: github.repository_owner == 'aws' | |
name: aws-lc-rs bindgen-tests | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
rust: [ stable ] | |
os: [ ubuntu-latest, macos-13, macos-14-xlarge ] | |
args: | |
- --no-default-features --features aws-lc-sys,bindgen,unstable | |
- --release --all-targets --features bindgen,unstable | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
submodules: 'recursive' | |
- if: ${{ startsWith(matrix.os, 'macos-') }} | |
run: | | |
brew install llvm | |
echo 'export PATH="/opt/homebrew/opt/llvm/bin:$PATH"' >> "$GITHUB_ENV" | |
echo 'export LIBCLANG_PATH=/opt/homebrew/opt/llvm' >> "$GITHUB_ENV" | |
- uses: dtolnay/rust-toolchain@master | |
id: toolchain | |
with: | |
toolchain: ${{ matrix.rust }} | |
- name: Set Rust toolchain override | |
run: rustup override set ${{ steps.toolchain.outputs.name }} | |
- name: Run cargo test | |
working-directory: ./aws-lc-rs | |
run: cargo test ${{ matrix.args }} | |
windows-test: | |
if: github.repository_owner == 'aws' | |
name: aws-lc-rs windows-tests | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
rust: [ stable ] | |
os: [ windows-2019, windows-2022 ] | |
args: | |
- --all-targets --features unstable | |
- --all-targets --features bindgen,unstable | |
- --release --all-targets --features unstable | |
- --no-default-features --features non-fips,unstable | |
- --no-default-features --features non-fips,ring-io,unstable | |
- --no-default-features --features non-fips,ring-sig-verify,unstable | |
- --no-default-features --features non-fips,alloc,unstable | |
env: | |
AWS_LC_SYS_PREBUILT_NASM: 1 | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
submodules: 'recursive' | |
- uses: dtolnay/rust-toolchain@master | |
id: toolchain | |
with: | |
toolchain: ${{ matrix.rust }} | |
- name: Set Rust toolchain override | |
run: rustup override set ${{ steps.toolchain.outputs.name }} | |
- name: Run cargo test | |
working-directory: ./aws-lc-rs | |
run: cargo test ${{ matrix.args }} | |
aws-lc-rs-coverage: | |
name: aws-ls-rs coverage | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
submodules: 'recursive' | |
lfs: true | |
- uses: dtolnay/rust-toolchain@master | |
id: toolchain | |
with: | |
toolchain: ${{ env.RUST_NIGHTLY_TOOLCHAIN }} | |
components: llvm-tools-preview | |
- name: Set Rust toolchain override | |
run: rustup override set ${{ steps.toolchain.outputs.name }} | |
- name: Install cargo-llvm-cov | |
run: cargo install cargo-llvm-cov | |
- name: Run coverage | |
run: cargo llvm-cov -p aws-lc-rs --features unstable --no-fail-fast --ignore-filename-regex "aws-lc-(fips-)?sys/.*" --codecov --output-path ./codecov.json | |
- name: Run FIPS coverage | |
run: cargo llvm-cov -p aws-lc-rs --features unstable,fips --no-fail-fast --ignore-filename-regex "aws-lc-(fips-)?sys/.*" --codecov --output-path ./codecov-fips.json | |
- name: Upload coverage reports to Codecov | |
env: | |
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
uses: codecov/codecov-action@v4 | |
with: | |
files: ./codecov.json,./codecov-fips.json | |
verbose: true | |
fail_ci_if_error: true | |
aws-lc-rs-asan: | |
if: github.repository_owner == 'aws' | |
name: aws-lc-rs asan | |
strategy: | |
matrix: | |
args: | |
- | |
- --release | |
features: | |
- --features asan | |
- --no-default-features --features fips,asan | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
submodules: 'recursive' | |
- uses: dtolnay/rust-toolchain@master | |
id: toolchain | |
with: | |
toolchain: ${{ env.RUST_NIGHTLY_TOOLCHAIN }} | |
- name: Set Rust toolchain override | |
run: rustup override set ${{ steps.toolchain.outputs.name }} | |
- name: Run address sanitizers | |
env: | |
ASAN_OPTIONS: detect_leaks=1 | |
RUSTFLAGS: -Zsanitizer=address | |
RUSTDOCFLAGS: -Zsanitizer=address | |
working-directory: ./aws-lc-rs | |
run: cargo test ${{ matrix.args }} --lib --bins --tests --examples --target x86_64-unknown-linux-gnu --features asan | |
build-env-static-test: | |
if: github.repository_owner == 'aws' | |
name: aws-lc-rs build-env-static-test | |
runs-on: ${{ matrix.os }} | |
env: | |
AWS_LC_SYS_STATIC: ${{ matrix.static }} | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ ubuntu-latest, macos-13, macos-14-xlarge ] | |
static: [ 0, 1 ] | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
submodules: 'recursive' | |
- uses: dtolnay/rust-toolchain@stable | |
- name: Run cargo test | |
# Doc-tests fail to link with dynamic build | |
# See: https://github.com/rust-lang/cargo/issues/8531 | |
run: cargo test -p aws-lc-rs --tests | |
build-prebuild-nasm-test: | |
if: github.repository_owner == 'aws' | |
name: prebuilt-nasm usage | |
runs-on: windows-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
target: | |
- 'x86_64-pc-windows-msvc' | |
- 'x86_64-pc-windows-gnu' | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
submodules: 'recursive' | |
- uses: dtolnay/rust-toolchain@stable | |
- name: Verify NASM not available | |
shell: bash | |
run: | | |
if nasm --version; then | |
exit 1 | |
else | |
exit 0; | |
fi | |
- name: Run cargo test w/ prebuilt-nasm feature | |
shell: bash | |
run: cargo test --tests -p aws-lc-rs --release --no-default-features --features aws-lc-sys,prebuilt-nasm | |
- name: Run cargo test w/ AWS_LC_SYS_PREBUILT_NASM=1 | |
shell: bash | |
run: AWS_LC_SYS_PREBUILT_NASM=1 cargo test --tests -p aws-lc-rs --release --no-default-features --features aws-lc-sys | |
build-env-nasm-test: | |
if: github.repository_owner == 'aws' | |
name: prebuilt NASM verification | |
runs-on: windows-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
target: | |
- 'x86_64-pc-windows-msvc' | |
- 'x86_64-pc-windows-gnu' | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
submodules: 'recursive' | |
- uses: dtolnay/rust-toolchain@stable | |
- name: Install NASM | |
uses: ilammy/setup-nasm@v1 | |
- name: Remove NASM artifacts | |
shell: bash | |
run: | | |
cargo clean | |
rm ./aws-lc-sys/builder/prebuilt-nasm/* | |
- name: Run cargo test | |
shell: bash | |
run: AWS_LC_SYS_PREBUILT_NASM=0 cargo test --tests -p aws-lc-rs --release --no-default-features --features aws-lc-sys | |
- name: Collect NASM outputs | |
shell: bash | |
run: ./scripts/build/collect_nasm_obj.sh | |
- name: Flag any NASM changes | |
shell: bash | |
run: | | |
git add . | |
git diff --cached --exit-code HEAD -- aws-lc-sys/builder/prebuilt-nasm/*.txt | |
build-env-external-bindgen-test: | |
if: github.repository_owner == 'aws' | |
name: aws-lc-rs FIPS - External bindgen test | |
runs-on: ${{ matrix.os }} | |
env: | |
AWS_LC_SYS_EXTERNAL_BINDGEN: 1 | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ ubuntu-latest, macos-13, macos-14-xlarge, windows-latest ] | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
submodules: 'recursive' | |
- uses: dtolnay/rust-toolchain@stable | |
- if: ${{ matrix.os == 'windows-latest' }} | |
uses: ilammy/setup-nasm@v1 | |
- name: Install bindgen-cli | |
run: cargo install --locked bindgen-cli | |
- name: Remove bindings | |
run: | | |
rm ./aws-lc-sys/src/x86_64* | |
rm ./aws-lc-sys/src/aarch64* | |
- name: Run cargo test | |
run: cargo test --tests -p aws-lc-rs --no-default-features --features aws-lc-sys | |
build-env-fips-static-test: | |
if: github.repository_owner == 'aws' | |
name: aws-lc-rs build-env-fips-static-test | |
runs-on: ${{ matrix.os }} | |
env: | |
AWS_LC_FIPS_SYS_STATIC: ${{ matrix.static }} | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ ubuntu-latest, macos-13, macos-14-xlarge ] | |
static: [ 0, 1 ] | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
submodules: 'recursive' | |
- uses: dtolnay/rust-toolchain@stable | |
- uses: actions/setup-go@v4 | |
with: | |
go-version: '>=1.18' | |
- name: Run cargo test | |
if: ${{ matrix.os == 'ubuntu-latest' || matrix.static != 1 }} | |
# Doc-tests fail to link with dynamic build | |
# See: https://github.com/rust-lang/cargo/issues/8531 | |
run: cargo test -p aws-lc-rs --tests --no-default-features --features fips | |
build-env-no-asm-test: | |
if: github.repository_owner == 'aws' | |
name: build-env-no-asm-test | |
runs-on: ${{ matrix.os }} | |
env: | |
AWS_LC_SYS_NO_ASM: 1 | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ ubuntu-latest, macos-13, macos-14-xlarge, windows-latest ] | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
submodules: 'recursive' | |
- uses: dtolnay/rust-toolchain@stable | |
- name: Run cargo test | |
run: cargo test -p aws-lc-rs | |
- name: Release build | |
if: ${{ matrix.os != 'windows-latest' }} | |
run: | | |
if cargo build -p aws-lc-rs --release; then | |
exit 1 | |
else | |
exit 0 | |
fi | |
- name: Release build | |
if: ${{ matrix.os == 'windows-latest' }} | |
shell: pwsh | |
run: | | |
if (cargo build -p aws-lc-rs --release) { | |
exit 1 | |
} else { | |
exit 0 | |
} | |
build-env-fips-no-asm-test: | |
if: github.repository_owner == 'aws' | |
name: aws-lc-rs build-env-fips-no-asm-test | |
runs-on: ${{ matrix.os }} | |
env: | |
AWS_LC_FIPS_SYS_NO_ASM: 1 | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ ubuntu-latest, macos-13, macos-14-xlarge, windows-latest ] | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
submodules: 'recursive' | |
- uses: dtolnay/rust-toolchain@stable | |
- uses: actions/setup-go@v4 | |
with: | |
go-version: '>=1.18' | |
- uses: seanmiddleditch/gha-setup-ninja@v5 | |
- name: Run cargo test | |
run: cargo test -p aws-lc-rs --tests --no-default-features --features fips | |
- name: Release build | |
if: ${{ matrix.os != 'windows-latest' }} | |
run: | | |
if cargo build -p aws-lc-rs --release --no-default-features --features fips; then | |
exit 1 | |
else | |
exit 0 | |
fi | |
- name: Release build | |
if: ${{ matrix.os == 'windows-latest' }} | |
shell: pwsh | |
run: | | |
if (cargo build -p aws-lc-rs --release --no-default-features --features fips) { | |
exit 1 | |
} else { | |
exit 0 | |
} | |
build-env-fips-external-bindgen-test: | |
if: github.repository_owner == 'aws' | |
name: aws-lc-rs FIPS - External bindgen test | |
runs-on: ${{ matrix.os }} | |
env: | |
AWS_LC_FIPS_SYS_EXTERNAL_BINDGEN: 1 | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ ubuntu-latest, macos-13, macos-14-xlarge, windows-latest ] | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
submodules: 'recursive' | |
- if: ${{ matrix.os == 'windows-latest' }} | |
uses: ilammy/setup-nasm@v1 | |
- if: ${{ matrix.os == 'windows-latest' }} | |
uses: seanmiddleditch/gha-setup-ninja@v5 | |
- uses: dtolnay/rust-toolchain@stable | |
- uses: actions/setup-go@v4 | |
with: | |
go-version: '>=1.18' | |
- name: Install bindgen-cli | |
run: cargo install --locked bindgen-cli | |
- name: Remove bindings | |
run: | | |
rm ./aws-lc-fips-sys/src/x86_64* | |
rm ./aws-lc-fips-sys/src/aarch64* | |
- name: Run cargo test | |
run: cargo test --tests -p aws-lc-rs --no-default-features --features fips | |
careful: | |
if: github.repository_owner == 'aws' | |
name: Run carefully | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
os: | |
- ubuntu-latest | |
- macos-13 | |
- macos-14-xlarge | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
submodules: 'recursive' | |
lfs: true | |
- uses: dtolnay/rust-toolchain@master | |
id: toolchain | |
with: | |
toolchain: ${{ env.RUST_NIGHTLY_TOOLCHAIN }} | |
components: 'rust-src' | |
- if: ${{ startsWith(matrix.os, 'macos-') }} | |
run: | | |
brew install llvm | |
echo 'export PATH="/opt/homebrew/opt/llvm/bin:$PATH"' | |
echo 'export LIBCLANG_PATH=/opt/homebrew/opt/llvm' >> "$GITHUB_ENV" | |
- name: Set Rust toolchain override | |
run: rustup override set ${{ steps.toolchain.outputs.name }} | |
- name: Install cargo-careful | |
run: cargo install --locked cargo-careful | |
- uses: actions/setup-go@v4 | |
with: | |
go-version: '>=1.18' | |
- name: Run tests | |
working-directory: ./aws-lc-rs | |
run: cargo careful test | |
- name: Run tests w/ FIPS | |
working-directory: ./aws-lc-rs | |
# Rust doc tests dislike dynamic linking | |
run: cargo careful test --tests --features fips,bindgen | |
clang-19-bindgen: | |
if: github.repository_owner == 'aws' | |
name: Clang 19.1 + bindgen tests | |
runs-on: macos-14-xlarge | |
env: | |
LIBCLANG_PATH: /opt/homebrew/opt/llvm/lib | |
LLVM_CONFIG_PATH: /opt/homebrew/opt/llvm/llvm-config | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
submodules: 'recursive' | |
- uses: actions/setup-go@v4 | |
with: | |
go-version: '>=1.18' | |
- uses: dtolnay/rust-toolchain@master | |
id: toolchain | |
with: | |
toolchain: stable | |
- run: | | |
brew update | |
brew uninstall --force llvm | |
brew install llvm@19 | |
echo 'export PATH="/opt/homebrew/opt/llvm/bin:$PATH"' >> "$GITHUB_ENV" | |
- name: aws-lc-sys bindgen build | |
working-directory: ./aws-lc-sys | |
run: cargo test --features bindgen | |
- name: aws-lc-fips-sys bindgen build | |
working-directory: ./aws-lc-fips-sys | |
run: cargo test --features bindgen |