-
Notifications
You must be signed in to change notification settings - Fork 17
/
Copy pathazure-pipelines.yml
147 lines (143 loc) · 7.48 KB
/
azure-pipelines.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.
# NOTE: define your own Azure DevOps pipeline agents as $(LINUXAGENT) and $(WINAGENT)
trigger:
- main
pool: default
jobs:
- job: 'Ubuntu'
pool:
name: default
demands:
- agent.name -equals $(LINUXAGENT)
steps:
- script: |
echo Install packages
echo Source Path : $(Build.SourcesDirectory)
sudo apt install -y libssl-dev
sudo apt install -y libcurl4-openssl-dev
sudo apt install -y libjson-c-dev
cd src
mkdir build
cd build
cmake ..
make
openssl version -a | grep ENGINESDIR
sudo cp e_akv.so /usr/lib/x86_64-linux-gnu/engines-1.1/e_akv.so
openssl engine -vvv -t e_akv
cp $(Build.SourcesDirectory)/src/build/e_akv.so $(Build.ArtifactStagingDirectory)
displayName: Build and Load test
- script: |
cd $(Build.SourcesDirectory)/samples/openssl
openssl req -new -x509 -config openssl.cnf -engine e_akv -keyform engine -key $AKVKEY -out cert.pem
openssl x509 -pubkey -noout -in cert.pem > publickey.pem
openssl dgst -binary -sha256 -out hash256 readme.md
openssl pkeyutl -engine e_akv -sign -keyform engine -inkey $AKVKEY -in hash256 -out hash256.sig
openssl pkeyutl -verify -pubin -inkey publickey.pem -in hash256 -sigfile hash256.sig -pkeyopt digest:sha256
echo "Unlike RSA, ECC can not perform encryption and decryption directly. See ECIES (Elliptic Curve Integrated Encryption Scheme)."
env:
AKVKEY : $(HSMECCKEY) # HSM ECC KEY
displayName: Openssl ECC Key test
- script: |
echo "make sure the HSM RSA key has keyOps : sign, decrypt, encrypt"
echo "for example: az keyvault key set-attributes --hsm-name ManagedHSMOpenSSLEngine --name myrsakey --ops sign encrypt decrypt"
cd $(Build.SourcesDirectory)/samples/openssl
echo "create self sign cert"
openssl req -new -x509 -config openssl.cnf -engine e_akv -keyform engine -key $AKVKEY -out rsacert.pem
openssl x509 -pubkey -noout -in rsacert.pem > rsapublickey.pem
echo "RSA key Managed HSM test, see https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys-details" > readme.md
date >> readme.md
openssl pkey -engine e_akv -inform engine -in $AKVKEY -pubout -text -out leafpubkey.pem
openssl dgst -binary -sha256 -out hash256 readme.md
echo "RSA sign with pss padding"
openssl pkeyutl -engine e_akv -sign -keyform engine -inkey $AKVKEY -in hash256 -out hash256.sig.pss -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss
openssl pkeyutl -verify -pubin -inkey leafpubkey.pem -in hash256 -sigfile hash256.sig.pss -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss
echo "RSA sign with PKCS padding"
openssl pkeyutl -engine e_akv -sign -keyform engine -inkey $AKVKEY -in hash256 -out hash256.sig -pkeyopt digest:sha256
openssl pkeyutl -verify -pubin -inkey leafpubkey.pem -in hash256 -sigfile hash256.sig -pkeyopt digest:sha256
echo "RSA encrypt/decrypt with pkeyutil RSA1_5"
openssl pkeyutl -encrypt -pubin -inkey leafpubkey.pem -in hash256 -out rsa15.enc
openssl pkeyutl -engine e_akv -decrypt -keyform engine -inkey $AKVKEY -in rsa15.enc -out rsa15.dec
diff rsa15.dec hash256
echo "RSA encrypt/decrypt with rsautl oaep"
openssl rsautl -encrypt -pubin -inkey leafpubkey.pem -in hash256 -out oaep.enc -oaep
openssl rsautl -engine e_akv -decrypt -keyform engine -inkey $AKVKEY -in oaep.enc -out oaep.dec -oaep
diff oaep.dec hash256
echo "pkeyutl is NOT working for -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:SHA1 or -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:SHA256"
echo "The engine will get padding=3 but 3 is RSA_NO_PADDING and HSM REST API does not support no-padding."
echo "see https://superuser.com/questions/943972/what-is-the-difference-between-openssl-pkeyutl-sign-and-openssl-rsautl-sign"
env:
AKVKEY : $(HSMRSAKEY) # HSM RSA KEY
displayName: Openssl RSA Key Test
- task: PublishBuildArtifacts@1
inputs:
PathtoPublish: '$(Build.ArtifactStagingDirectory)'
ArtifactName: 'ubuntu20'
publishLocation: 'Container'
- job: 'Windows_VCPKG'
pool:
name: default
demands:
- agent.name -equals $(WINAGENT)
vmImage:
steps:
# - script: |
# git clone https://github.com/Microsoft/vcpkg.git
# echo done checkout vcpkg
# displayName: initialize vcpkg
# - script: |
# cd vcpkg
# bootstrap-vcpkg.bat -disableMetrics
# displayName: bootstrap
# - script: |
# cd vcpkg
# vcpkg.exe install json-c:x64-windows-static
# vcpkg.exe install curl:x64-windows-static
# vcpkg.exe install openssl:x64-windows
# echo Install gRPC packages
# vcpkg.exe install abseil:x64-windows
# vcpkg.exe install c-ares:x64-windows
# vcpkg.exe install grpc:x64-windows
# vcpkg.exe install protobuf:x64-windows
# vcpkg.exe install re2:x64-windows
# vcpkg.exe install upb:x64-windows
# displayName: Install packages
- task: MSBuild@1
inputs:
solution: 'src/e_akv.vcxproj'
platform: 'x64'
configuration: 'Release'
msbuildArguments: /p:PkgCurl="C:\vcpkg\packages\curl_x64-windows-static" /p:PkgJson="C:\vcpkg\packages\json-c_x64-windows-static" /p:PkgZ="C:\vcpkg\packages\zlib_x64-windows-static" /p:PkgOpenssl="C:\vcpkg\packages\openssl_x64-windows" /p:Configuration=Release;Platform=x64
displayName: MSbuild task
- script: |
openssl version -a
mkdir C:\vcpkg\packages\openssl_x64-windows\lib\engines-1_1\
copy /Y $(Build.SourcesDirectory)\src\x64\Release\e_akv.dll C:\vcpkg\packages\openssl_x64-windows\lib\engines-1_1\e_akv.dll
openssl engine -vvv -t e_akv
displayName: Load test
- script: |
echo "rsa key Managed HSM test" > readme.md
openssl pkey -engine e_akv -inform engine -in $(HSMRSAKEY) -pubout -text -out leafpubkey.pem
openssl dgst -binary -sha256 -out hash256 readme.md
openssl pkeyutl -engine e_akv -sign -keyform engine -inkey $(HSMRSAKEY) -in hash256 -out hash256.sig.pss -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss
openssl pkeyutl -verify -pubin -inkey leafpubkey.pem -in hash256 -sigfile hash256.sig.pss -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss
openssl pkeyutl -engine e_akv -sign -keyform engine -inkey $(HSMRSAKEY) -in hash256 -out hash256.sig -pkeyopt digest:sha256
openssl pkeyutl -verify -pubin -inkey leafpubkey.pem -in hash256 -sigfile hash256.sig -pkeyopt digest:sha256
displayName: RSA Key test
- script: |
cd $(Build.SourcesDirectory)/samples/openssl
openssl req -new -x509 -config openssl.cnf -engine e_akv -keyform engine -key $(HSMECCKEY) -out cert.pem
openssl x509 -pubkey -noout -in cert.pem > publickey.pem
openssl dgst -binary -sha256 -out hash256 readme.md
openssl pkeyutl -engine e_akv -sign -keyform engine -inkey $(HSMECCKEY) -in hash256 -out hash256.sig
openssl pkeyutl -verify -pubin -inkey publickey.pem -in hash256 -sigfile hash256.sig -pkeyopt digest:sha256
echo "Unlike RSA, ECC can not perform encryption and decryption directly. See ECIES (Elliptic Curve Integrated Encryption Scheme)."
displayName: ECC Key test
- script: |
copy /Y $(Build.SourcesDirectory)\src\x64\Release\e_akv.dll $(Build.ArtifactStagingDirectory)
displayName: Copy Output
- task: PublishBuildArtifacts@1
inputs:
PathtoPublish: '$(Build.ArtifactStagingDirectory)'
ArtifactName: 'x64-windows'
publishLocation: 'Container'