diff --git a/.github/workflows/bundler.yml b/.github/workflows/bundler.yml index 3221dbb..3a29402 100644 --- a/.github/workflows/bundler.yml +++ b/.github/workflows/bundler.yml @@ -7,8 +7,8 @@ on: branches: [main] jobs: - pqc-single-https-reverse-proxy-ruby-openssl: - name: PQC single HTTPS TLS reverse proxy (Ruby OpenSSL) + https-direct: + name: HTTPS direct (WEBrick) runs-on: ubuntu-latest strategy: fail-fast: false @@ -28,6 +28,30 @@ jobs: - uses: ./.github/actions/setup-openssl + - name: Setup + run: ../rubygems/script/setup.sh + + - name: Run HTTPS server and client + run: | + ../rubygems/script/run_https_server.rb & + sleep 3 + script/run_client.sh + + https-reverse-proxy-ruby-openssl: + name: HTTPS TLS reverse proxy (Ruby OpenSSL) + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + ruby-version: ['4.0', 'head'] + defaults: + run: + working-directory: bundler + steps: + - uses: actions/checkout@v4 + - *setup-ruby + - uses: ./.github/actions/setup-openssl + - name: Setup run: ../rubygems/script/setup.sh 
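Review bot: The new `https-direct` and `https-reverse-proxy-ruby-openssl` jobs reference `actions/checkout@v4` by a mutable tag, and the same pattern is repeated in every job added later in this file. A tag can be moved or re-pointed by whoever controls the action repository, so pin each third-party action to its full 40-character commit SHA and keep the tag in a trailing comment (`- uses: actions/checkout@<full-sha> # v4`), then let Dependabot or Renovate bump the SHA. The `Run HTTPS server and client` step also assumes WEBrick is listening after `sleep 3`; when it is not, the client fails with a connection error that hides the server's own failure, so a bounded readiness probe on the listening port would make the job deterministic. The `*setup-ruby` alias used by the new job refers to an anchor defined outside this hunk, so I could not check what it expands to.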
@@ -36,13 +60,93 @@ jobs: if: matrix.ruby-version == 'head' run: git clone https://github.com/ruby/rubygems-server.git ~/git/ruby/rubygems-server + - name: Run HTTP server, TLS proxy, and client + run: | + ../rubygems/script/run_http_server.sh & + sleep 2 + ../rubygems/script/run_https_reverse_proxy.rb & + sleep 2 + script/run_client.sh + + https-reverse-proxy-nginx: + name: HTTPS TLS reverse proxy (Nginx) + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + ruby-version: ['4.0', 'head'] + defaults: + run: + working-directory: bundler + steps: + - uses: actions/checkout@v4 + - *setup-ruby + - uses: ./.github/actions/setup-openssl + + - name: Setup + run: ../rubygems/script/setup_nginx.sh + + - *clone-rubygems-server + + - name: Run HTTP server, Nginx TLS proxy, and client + run: | + ../rubygems/script/run_http_server.sh & + sleep 2 + ../rubygems/script/run_https_reverse_proxy_nginx.sh & + sleep 2 + script/run_client.sh + + pqc-single-https-direct: + name: PQC single HTTPS direct (WEBrick) + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + ruby-version: ['4.0', 'head'] + defaults: + run: + working-directory: bundler + steps: + - uses: actions/checkout@v4 + - *setup-ruby + - uses: ./.github/actions/setup-openssl + + - name: Setup + run: ../rubygems/script/setup.sh + + - name: Run PQC single HTTPS server and client + run: | + ../rubygems/script/run_https_server.rb -s & + sleep 3 + script/run_client.sh -s + + pqc-single-https-reverse-proxy-ruby-openssl: + name: PQC single HTTPS TLS reverse proxy (Ruby OpenSSL) + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + ruby-version: ['4.0', 'head'] + defaults: + run: + working-directory: bundler + steps: + - uses: actions/checkout@v4 + - *setup-ruby + - uses: ./.github/actions/setup-openssl + + - name: Setup + run: ../rubygems/script/setup.sh + + - *clone-rubygems-server + - name: Run HTTP server, PQC single TLS proxy, and client run: | ../rubygems/script/run_http_server.sh & 
sleep 2 ../rubygems/script/run_https_reverse_proxy.rb -s & sleep 2 - script/run_client.sh + script/run_client.sh -s pqc-single-https-reverse-proxy-nginx: name: PQC single HTTPS TLS reverse proxy (Nginx) 
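Review bot: Every new `run` step in this hunk starts the backend and the TLS proxy with `&` and then relies on fixed `sleep 2`/`sleep 3` delays before `script/run_client.sh`; on a slow runner the client connects before the proxy listens and the job fails with a misleading connection error, while a proxy that crashed at startup is never reported because the background process's exit status is discarded. Replace the second sleep with a bounded probe of the proxy port (18443 is `PORT_HTTPS` in `bundler/script/run_client.sh`) and fail the step explicitly when the port never opens; the first `sleep 2` can stay until the backend's port is known here. The same change applies to the Nginx and PQC-single jobs added in this hunk.

```yaml
      - name: Run HTTP server, TLS proxy, and client
        run: |
          ../rubygems/script/run_http_server.sh &
          sleep 2
          ../rubygems/script/run_https_reverse_proxy.rb &
          # Wait until the proxy actually listens instead of guessing with sleep.
          for _ in $(seq 1 30); do
            (exec 3<>/dev/tcp/localhost/18443) 2>/dev/null && break
            sleep 1
          done
          (exec 3<>/dev/tcp/localhost/18443) 2>/dev/null || { echo "proxy did not start"; exit 1; }
          script/run_client.sh
```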
@@ -70,4 +174,84 @@ jobs: sleep 2 ../rubygems/script/run_https_reverse_proxy_nginx.sh -s & sleep 2 - script/run_client.sh + script/run_client.sh -s + + pqc-dual-https-direct: + name: PQC dual HTTPS direct (WEBrick) + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + ruby-version: ['4.0', 'head'] + defaults: + run: + working-directory: bundler + steps: + - uses: actions/checkout@v4 + - *setup-ruby + - uses: ./.github/actions/setup-openssl + + - name: Setup + run: ../rubygems/script/setup.sh + + - name: Run PQC dual HTTPS server and client + run: | + ../rubygems/script/run_https_server.rb -d & + sleep 3 + script/run_client.sh -d + + pqc-dual-https-reverse-proxy-ruby-openssl: + name: PQC dual HTTPS TLS reverse proxy (Ruby OpenSSL) + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + ruby-version: ['4.0', 'head'] + defaults: + run: + working-directory: bundler + steps: + - uses: actions/checkout@v4 + - *setup-ruby + - uses: ./.github/actions/setup-openssl + + - name: Setup + run: ../rubygems/script/setup.sh + + - *clone-rubygems-server + + - name: Run HTTP server, PQC dual TLS proxy, and client + run: | + ../rubygems/script/run_http_server.sh & + sleep 2 + ../rubygems/script/run_https_reverse_proxy.rb -d & + sleep 2 + script/run_client.sh -d + + pqc-dual-https-reverse-proxy-nginx: + name: PQC dual HTTPS TLS reverse proxy (Nginx) + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + ruby-version: ['4.0', 'head'] + defaults: + run: + working-directory: bundler + steps: + - uses: actions/checkout@v4 + - *setup-ruby + - uses: ./.github/actions/setup-openssl + + - name: Setup + run: ../rubygems/script/setup_nginx.sh + + - *clone-rubygems-server + + - name: Run HTTP server, PQC dual Nginx TLS proxy, and client + run: | + ../rubygems/script/run_http_server.sh & + sleep 2 + ../rubygems/script/run_https_reverse_proxy_nginx.sh -d & + sleep 2 + script/run_client.sh -d 
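Review bot: The three `pqc-dual-*` jobs added here are copies of the `https-*` and `pqc-single-*` jobs except for the `-d` flag and the job names, which leaves nine jobs to keep in sync whenever a step changes (action pinning, the sleeps, the Ruby versions). A `mode` dimension in the matrix, e.g. `mode: ['', '-s', '-d']` with `run: script/run_client.sh ${{ matrix.mode }}`, collapses each trio into one job while keeping the three topologies (direct, Ruby proxy, Nginx proxy) separate. Interpolating `${{ }}` into `run` is a command-injection vector when the value comes from an event payload, but matrix values are literals authored in this file, so the expansion is safe here; keep it that way rather than deriving the flag from a workflow input. The `pqc-single-https-reverse-proxy-nginx` job whose client line gains `-s` at the top of the hunk starts outside the hunk.

```yaml
  https-direct:
    name: HTTPS direct (WEBrick) ${{ matrix.mode }}
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        ruby-version: ['4.0', 'head']
        mode: ['', '-s', '-d']
    steps:
      # … unchanged: checkout, setup-ruby, setup-openssl, Setup …
      - name: Run HTTPS server and client
        run: |
          ../rubygems/script/run_https_server.rb ${{ matrix.mode }} &
          sleep 3
          script/run_client.sh ${{ matrix.mode }}
```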
diff --git a/bundler/script/run_client.sh b/bundler/script/run_client.sh index a5fcadf..e72b362 100755 --- a/bundler/script/run_client.sh +++ b/bundler/script/run_client.sh @@ -2,6 +2,36 @@ set -eu -o pipefail +usage() { + echo "Usage: $(basename "${0}") [OPTIONS]" + echo " -d, --pqc-dual PQC dual (ML-DSA-65 + RSA) mode" + echo " -s, --pqc-single PQC single cert mode" + exit 1 +} + +PQC_DUAL=false +PQC_SINGLE=false + +while [[ "${#}" -gt 0 ]]; do + case "${1}" in + -d|--pqc-dual) + PQC_DUAL=true + shift + ;; + -s|--pqc-single) + PQC_SINGLE=true + shift + ;; + -h|--help) + usage + ;; + *) + echo "Unknown option: ${1}" + usage + ;; + esac +done + set -x TOP_DIR="$(cd "$(dirname "${0}")/.." && pwd)" 
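Review bot: The option parser accepts `-d` and `-s` together and then silently runs the dual-mode path (the `if` chain later in the file tests `PQC_DUAL` first), so a mistyped invocation tests the wrong configuration instead of failing; reject the combination right after the `while` loop. `-h` currently exits 1 through `usage`, and all usage text goes to stdout, which confuses callers that capture the script's output; give `usage` an exit-code argument and write the text to stderr. The rest of the script (`set -x`, `TOP_DIR`) continues past this hunk.

```shell
usage() {
  echo "Usage: $(basename "${0}") [OPTIONS]" >&2
  echo "  -d, --pqc-dual     PQC dual (ML-DSA-65 + RSA) mode" >&2
  echo "  -s, --pqc-single   PQC single cert mode" >&2
  exit "${1:-1}"
}

# … unchanged: PQC_DUAL/PQC_SINGLE defaults and the while/case loop (use `usage 0` for -h) …

if [[ "${PQC_DUAL}" = true && "${PQC_SINGLE}" = true ]]; then
  echo "Options -d and -s are mutually exclusive" >&2
  usage
fi
```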
@@ -9,55 +39,154 @@ SSL_DIR="$(cd "${TOP_DIR}/../rubygems/client/ssl" && pwd)" PORT_HTTPS=18443 PORT_HTTPS_NON_PQC=18444 -rm -rf "${TOP_DIR}/tmp" -mkdir -p "${TOP_DIR}/tmp" +# Generate OpenSSL config files for controlling client signature algorithms. +generate_openssl_conf() { + local conf_file="${1}" + local sigalgs="${2}" -echo "Mode: PQC (single), non-PQC (single)" + cat > "${conf_file}" << EOF +openssl_conf = openssl_init -pushd "${TOP_DIR}/tmp" +[openssl_init] +ssl_conf = ssl_sect + +[ssl_sect] +system_default = system_default_sect + +[system_default_sect] +SignatureAlgorithms = ${sigalgs} +EOF +} + +generate_openssl_conf "${SSL_DIR}/mldsa65-client.cnf" "mldsa65" +generate_openssl_conf "${SSL_DIR}/rsa-client.cnf" "rsa_pss_rsae_sha256" -echo "=== Test 1: PQC (single) ML-DSA-65 connection" \ - "to port ${PORT_HTTPS} ===" -# FIXME: The `bundle config set ssl_ca_cert` command doesn't work. -# https://bundler.io/man/bundle-config.1.html - ssl_ca_cert -# bundle config set --local ssl_ca_cert "${SSL_DIR}/mldsa65-1.crt" -export SSL_CERT_FILE="${SSL_DIR}/mldsa65-1.crt" -bundle config set --local \ - mirror.https://localhost:${PORT_HTTPS_NON_PQC} \ - https://localhost:${PORT_HTTPS} -bundle config set --local path vendor/bundle -bundle config list -cp -p "${TOP_DIR}/client/Gemfile.1" Gemfile -bundle install -cp -p "${TOP_DIR}/client/Gemfile.2" Gemfile -bundle update --all -bundle list -bundle info hello-pqc - -popd - -# Reset for second test rm -rf "${TOP_DIR}/tmp" mkdir -p "${TOP_DIR}/tmp" -bundle config unset --local \ - mirror.https://localhost:${PORT_HTTPS_NON_PQC} pushd "${TOP_DIR}/tmp" -echo "=== Test 2: non-PQC (single) RSA connection" \ - "to port ${PORT_HTTPS_NON_PQC} ===" -# FIXME: The `bundle config set ssl_ca_cert` command doesn't work. 
-# bundle config set --local ssl_ca_cert "${SSL_DIR}/rsa-1.crt" -export SSL_CERT_FILE="${SSL_DIR}/rsa-1.crt" -bundle config set --local path vendor/bundle -bundle config list -cp -p "${TOP_DIR}/client/Gemfile.1" Gemfile -bundle install -cp -p "${TOP_DIR}/client/Gemfile.2" Gemfile -bundle update --all -bundle list -bundle info hello-pqc - -popd +if [[ "${PQC_DUAL}" = true ]]; then + echo "Mode: PQC, non-PQC (dual)" + + echo "=== Test 1: PQC (dual) ML-DSA-65 connection" \ + "to port ${PORT_HTTPS}" \ + "(equivalent to ctx.sigalgs = 'mldsa65') ===" + # FIXME: The `bundle config set ssl_ca_cert` command doesn't work. + # https://bundler.io/man/bundle-config.1.html - ssl_ca_cert + # bundle config set --local ssl_ca_cert "${SSL_DIR}/mldsa65-1.crt" + export SSL_CERT_FILE="${SSL_DIR}/mldsa65-1.crt" + export OPENSSL_CONF="${SSL_DIR}/mldsa65-client.cnf" + bundle config set --local \ + mirror.https://localhost:${PORT_HTTPS_NON_PQC} \ + https://localhost:${PORT_HTTPS} + bundle config set --local path vendor/bundle + bundle config list + cp -p "${TOP_DIR}/client/Gemfile.1" Gemfile + bundle install + cp -p "${TOP_DIR}/client/Gemfile.2" Gemfile + bundle update --all + bundle list + bundle info hello-pqc + + popd + + # Reset for second test + rm -rf "${TOP_DIR}/tmp" + mkdir -p "${TOP_DIR}/tmp" + bundle config unset --local \ + mirror.https://localhost:${PORT_HTTPS_NON_PQC} + + pushd "${TOP_DIR}/tmp" + + echo "=== Test 2: PQC (dual) RSA connection" \ + "to port ${PORT_HTTPS}" \ + "(equivalent to ctx.sigalgs = 'rsa_pss_rsae_sha256') ===" + # FIXME: The `bundle config set ssl_ca_cert` command doesn't work. 
+ # https://bundler.io/man/bundle-config.1.html - ssl_ca_cert + # bundle config set --local ssl_ca_cert "${SSL_DIR}/rsa-1.crt" + export SSL_CERT_FILE="${SSL_DIR}/rsa-1.crt" + export OPENSSL_CONF="${SSL_DIR}/rsa-client.cnf" + bundle config set --local \ + mirror.https://localhost:${PORT_HTTPS_NON_PQC} \ + https://localhost:${PORT_HTTPS} + bundle config set --local path vendor/bundle + bundle config list + cp -p "${TOP_DIR}/client/Gemfile.1" Gemfile + bundle install + cp -p "${TOP_DIR}/client/Gemfile.2" Gemfile + bundle update --all + bundle list + bundle info hello-pqc + + popd +elif [[ "${PQC_SINGLE}" = true ]]; then + echo "Mode: PQC (single), non-PQC (single)" + + echo "=== Test 1: PQC (single) ML-DSA-65 connection" \ + "to port ${PORT_HTTPS} ===" + # FIXME: The `bundle config set ssl_ca_cert` command doesn't work. + # https://bundler.io/man/bundle-config.1.html - ssl_ca_cert + # bundle config set --local ssl_ca_cert "${SSL_DIR}/mldsa65-1.crt" + export SSL_CERT_FILE="${SSL_DIR}/mldsa65-1.crt" + bundle config set --local \ + mirror.https://localhost:${PORT_HTTPS_NON_PQC} \ + https://localhost:${PORT_HTTPS} + bundle config set --local path vendor/bundle + bundle config list + cp -p "${TOP_DIR}/client/Gemfile.1" Gemfile + bundle install + cp -p "${TOP_DIR}/client/Gemfile.2" Gemfile + bundle update --all + bundle list + bundle info hello-pqc + + popd + + # Reset for second test + rm -rf "${TOP_DIR}/tmp" + mkdir -p "${TOP_DIR}/tmp" + bundle config unset --local \ + mirror.https://localhost:${PORT_HTTPS_NON_PQC} + + pushd "${TOP_DIR}/tmp" + + echo "=== Test 2: non-PQC (single) RSA connection" \ + "to port ${PORT_HTTPS_NON_PQC} ===" + # FIXME: The `bundle config set ssl_ca_cert` command doesn't work. 
+ # https://bundler.io/man/bundle-config.1.html - ssl_ca_cert + # bundle config set --local ssl_ca_cert "${SSL_DIR}/rsa-1.crt" + export SSL_CERT_FILE="${SSL_DIR}/rsa-1.crt" + bundle config set --local path vendor/bundle + bundle config list + cp -p "${TOP_DIR}/client/Gemfile.1" Gemfile + bundle install + cp -p "${TOP_DIR}/client/Gemfile.2" Gemfile + bundle update --all + bundle list + bundle info hello-pqc + + popd +else + echo "Mode: non-PQC" + + # FIXME: The `bundle config set ssl_ca_cert` command doesn't work. + # https://bundler.io/man/bundle-config.1.html - ssl_ca_cert + # bundle config set --local ssl_ca_cert "${SSL_DIR}/rsa-1.crt" + export SSL_CERT_FILE="${SSL_DIR}/rsa-1.crt" + bundle config set --local \ + mirror.https://localhost:${PORT_HTTPS_NON_PQC} \ + https://localhost:${PORT_HTTPS} + bundle config set --local path vendor/bundle + bundle config list + cp -p "${TOP_DIR}/client/Gemfile.1" Gemfile + bundle install + cp -p "${TOP_DIR}/client/Gemfile.2" Gemfile + bundle update --all + bundle list + bundle info hello-pqc + + popd +fi echo "OK: All tests passed."
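Review bot: `generate_openssl_conf` writes `mldsa65-client.cnf` and `rsa-client.cnf` into `${SSL_DIR}`, which `cd`s into the existing `rubygems/client/ssl` directory of the working tree, and nothing removes them afterwards, so the generated files sit next to the CA certificates and will be committed unless a `.gitignore` rule I cannot see covers them. Generate them in a `mktemp -d` directory that an `EXIT` trap removes and point `OPENSSL_CONF` there instead. `SignatureAlgorithms` under `system_default_sect` applies to every OpenSSL context in the `bundle` process, which is the intent, so keep `OPENSSL_CONF` exported only in the dual-mode branch as the hunk already does. The three per-mode test bodies are otherwise identical apart from the cert, conf and port and would read better as one function taking those three arguments, but that can be a follow-up.

```shell
# Generated client configs live outside the checked-in ssl/ directory and are
# removed when the script exits, whatever the outcome.
CONF_DIR="$(mktemp -d)"
trap 'rm -rf "${CONF_DIR}"' EXIT

generate_openssl_conf "${CONF_DIR}/mldsa65-client.cnf" "mldsa65"
generate_openssl_conf "${CONF_DIR}/rsa-client.cnf" "rsa_pss_rsae_sha256"

# … unchanged: tmp reset, pushd, dual-mode Test 1 setup …
  export OPENSSL_CONF="${CONF_DIR}/mldsa65-client.cnf"
# … unchanged: dual-mode Test 2 setup …
  export OPENSSL_CONF="${CONF_DIR}/rsa-client.cnf"
```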