Add Xmlsec to our CI (#2333)

smittals2 · web-flow · commit 3fdc0f6880d0 · 2025-05-05T18:01:20.000-07:00
### Issues:
`2909`

### Description of changes: 
Add xmlsec to our CI 

### Call-outs:
2 callouts regarding the patch file: 
1) we lower the overall percentage of tests required to succeed with
openSSL. Xmlsec verifies the percentage of tests that passed as an
additional check. Skipped tests can skew this (and we skip a bunch
because of missing features like ossl_store).
2) 10 tests are commented out in the Xmlsec test suite. These 10 tests
all have certs that use MD5 digests. AWS-LC rejects these certs by
default. OS level patching of OpenSSL adds support for
OPENSSL_ENABLE_MD5_VERIFY to allow validating these certs. We don't
support this in AWS-LC. I have verified that these 10 tests pass if we
were to start accepting md5 digests.


### Testing:
How is this change tested (unit tests, fuzz tests, etc.)? Are there any
testing steps to be verified by the reviewer?

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
diff --git a/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml b/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml
@@ -400,7 +400,17 @@ batch:
         image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-22.04_gcc-12x_integration_latest
         variables:
           AWS_LC_CI_TARGET: "tests/ci/integration/run_openvpn_integration.sh master"
-          
+
+    - identifier: xmlsec_integration_x86_64
+      buildspec: tests/ci/codebuild/common/run_ipv6_target.yml
+      env:
+        type: LINUX_CONTAINER
+        privileged-mode: true
+        compute-type: BUILD_GENERAL1_MEDIUM
+        image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-22.04_gcc-12x_integration_latest
+        variables:
+          AWS_LC_CI_TARGET: "tests/ci/integration/run_xmlsec_integration.sh"
+
     - identifier: python_main_integration_x86_64
       buildspec: tests/ci/codebuild/common/run_ipv6_target.yml
       env:
diff --git a/tests/ci/integration/run_xmlsec_integration.sh b/tests/ci/integration/run_xmlsec_integration.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+set -exu
+
+source tests/ci/common_posix_setup.sh
+
+# Set up environment.
+
+# SYS_ROOT
+#  - SRC_ROOT(aws-lc)
+#    - SCRATCH_FOLDER
+#      - XMLSEC_SRC_FOLDER
+#      - AWS_LC_BUILD_FOLDER
+#      - AWS_LC_INSTALL_FOLDER
+
+# Assumes script is executed from the root of aws-lc directory
+SCRATCH_FOLDER="${SRC_ROOT}/XMLSEC_BUILD_ROOT"
+XMLSEC_SRC_FOLDER="${SCRATCH_FOLDER}/xmlsec"
+XMLSEC_SRC_FOLDER_BUILD_PREFIX="${XMLSEC_SRC_FOLDER}/build/install"
+XMLSEC_SRC_FOLDER_BUILD_EPREFIX="${XMLSEC_SRC_FOLDER}/build/exec-install"
+XMLSEC_PATCH_FOLDER="${SRC_ROOT}/tests/ci/integration/xmlsec_patch"
+
+AWS_LC_BUILD_FOLDER="${SCRATCH_FOLDER}/aws-lc-build"
+AWS_LC_INSTALL_FOLDER="${SCRATCH_FOLDER}/aws-lc-install"
+
+mkdir -p ${SCRATCH_FOLDER}
+rm -rf "${SCRATCH_FOLDER:?}"/*
+cd ${SCRATCH_FOLDER}
+
+function xmlsec_build() {
+
+  export OPENSSL_CFLAGS="-I${AWS_LC_INSTALL_FOLDER}/include"
+  export OPENSSL_LIBS="-L${AWS_LC_INSTALL_FOLDER}/lib -lssl -lcrypto"
+  export LD_FLAGS="-Wl,-rpath=${AWS_LC_INSTALL_FOLDER}/lib"
+
+  ./autogen.sh --prefix="$XMLSEC_SRC_FOLDER_BUILD_PREFIX" \
+              --exec-prefix="$XMLSEC_SRC_FOLDER_BUILD_EPREFIX"
+
+  make -j install
+
+  local xmlsec_executable="${XMLSEC_SRC_FOLDER}/build/exec-install/lib/libxmlsec1-openssl.so"
+  ldd ${xmlsec_executable} \
+    | grep "${AWS_LC_INSTALL_FOLDER}/lib/libcrypto.so" || exit 1
+}
+
+function xmlsec_patch() {
+  patchfile="${XMLSEC_PATCH_FOLDER}/xmlsec_master.patch"
+  echo "Apply patch $patchfile..."
+  patch -p1 --quiet -i "$patchfile"
+}
+
+function xmlsec_run_tests() {
+  make check XMLSEC_TEST_IGNORE_PERCENT_SUCCESS=y
+}
+
+git clone https://github.com/lsh123/xmlsec.git ${XMLSEC_SRC_FOLDER}
+mkdir -p ${AWS_LC_BUILD_FOLDER} ${AWS_LC_INSTALL_FOLDER}
+ls
+
+aws_lc_build "$SRC_ROOT" "$AWS_LC_BUILD_FOLDER" "$AWS_LC_INSTALL_FOLDER" -DCMAKE_INSTALL_LIBDIR=lib  -DBUILD_TESTING=OFF -DBUILD_TOOL=OFF -DCMAKE_BUILD_TYPE=Debug -DBUILD_SHARED_LIBS=1
+
+# Build xmlsec from source.
+apt update -y
+apt install -y libtool libtool-bin libltdl-dev
+export LD_LIBRARY_PATH="${AWS_LC_INSTALL_FOLDER}/lib"
+pushd ${XMLSEC_SRC_FOLDER}
+xmlsec_patch
+xmlsec_build
+xmlsec_run_tests
diff --git a/tests/ci/integration/xmlsec_patch/xmlsec_master.patch b/tests/ci/integration/xmlsec_patch/xmlsec_master.patch
@@ -0,0 +1,282 @@
+diff --git a/configure.ac b/configure.ac
+index 7fd22877..9f8c4156 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -825,7 +825,7 @@ if test "z$OPENSSL_FOUND" = "zyes" ; then
+             #include <openssl/opensslv.h>
+             #include <openssl/crypto.h>
+             #if OPENSSL_VERSION_NUMBER >= 0x10100010L
+-            #ifdef OPENSSL_IS_BORINGSSL
++            #if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+             greater-than-minvers
+             #endif
+             #endif
+diff --git a/src/openssl/app.c b/src/openssl/app.c
+index bad1f849..03d07d8d 100644
+--- a/src/openssl/app.c
++++ b/src/openssl/app.c
+@@ -50,7 +50,7 @@
+ #include <openssl/engine.h>
+ #endif /* !defined(OPENSSL_NO_ENGINE) && (!defined(XMLSEC_OPENSSL_API_300) || defined(XMLSEC_OPENSSL3_ENGINES)) */
+
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ #include <openssl/ui.h>
+ #endif /* OPENSSL_IS_BORINGSSL */
+
+@@ -150,11 +150,11 @@ xmlSecOpenSSLAppInit(const char* config) {
+     opts |= OPENSSL_INIT_ADD_ALL_DIGESTS;
+     opts |= OPENSSL_INIT_LOAD_CONFIG;
+
+-#if !defined(OPENSSL_IS_BORINGSSL)
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+     opts |= OPENSSL_INIT_ASYNC;
+ #endif /* !defined(OPENSSL_IS_BORINGSSL) */
+
+-#if !defined(OPENSSL_IS_BORINGSSL) && !defined(XMLSEC_OPENSSL_API_300)
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(XMLSEC_OPENSSL_API_300) && !defined(OPENSSL_IS_AWSLC)
+     opts |= OPENSSL_INIT_ENGINE_ALL_BUILTIN;
+ #endif /* !defined(OPENSSL_IS_BORINGSSL) && !defined(XMLSEC_OPENSSL_API_300) */
+
+diff --git a/src/openssl/crypto.c b/src/openssl/crypto.c
+index d9e8423c..c63e812c 100644
+--- a/src/openssl/crypto.c
++++ b/src/openssl/crypto.c
+@@ -46,7 +46,7 @@ static void             xmlSecOpenSSLErrorsShutdown             (void);
+ static xmlSecCryptoDLFunctionsPtr gXmlSecOpenSSLFunctions = NULL;
+ static xmlChar* gXmlSecOpenSSLTrustedCertsFolder = NULL;
+
+-#if !defined(XMLSEC_OPENSSL_API_300) && !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_NO_ERR)
++#if !defined(XMLSEC_OPENSSL_API_300) && !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) && !defined(OPENSSL_NO_ERR)
+
+ #define XMLSEC_OPENSSL_ERRORS_FUNCTION                  0
+
+@@ -566,7 +566,7 @@ void
+ xmlSecOpenSSLErrorsDefaultCallback(const char* file, int line, const char* func,
+                                 const char* errorObject, const char* errorSubject,
+                                 int reason, const char* msg) {
+-#if !defined(XMLSEC_OPENSSL_API_300) && !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_NO_ERR)
++#if !defined(XMLSEC_OPENSSL_API_300) && !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) && !defined(OPENSSL_NO_ERR)
+     ERR_put_error(gXmlSecOpenSSLErrorsLib,
+                 XMLSEC_OPENSSL_ERRORS_FUNCTION,
+                 reason, file, line);
+@@ -579,7 +579,7 @@ xmlSecOpenSSLErrorsDefaultCallback(const char* file, int line, const char* func,
+
+ static int
+ xmlSecOpenSSLErrorsInit(void) {
+-#if !defined(XMLSEC_OPENSSL_API_300) && !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_NO_ERR)
++#if !defined(XMLSEC_OPENSSL_API_300) && !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) && !defined(OPENSSL_NO_ERR)
+     xmlSecSize pos;
+
+     /* get XMLSec library id */
+@@ -620,7 +620,7 @@ xmlSecOpenSSLErrorsShutdown(void) {
+     /* remove callback */
+     xmlSecErrorsSetCallback(NULL);
+
+-#if !defined(XMLSEC_OPENSSL_API_300) && !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_NO_ERR)
++#if !defined(XMLSEC_OPENSSL_API_300) && !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) && !defined(OPENSSL_NO_ERR)
+     /* unload xmlsec strings from OpenSSL */
+     ERR_unload_strings(gXmlSecOpenSSLErrorsLib, xmlSecOpenSSLStrLib);
+     ERR_unload_strings(gXmlSecOpenSSLErrorsLib, xmlSecOpenSSLStrDefReason);
+diff --git a/src/openssl/openssl_compat.h b/src/openssl/openssl_compat.h
+index 968c7eee..92ff1027 100644
+--- a/src/openssl/openssl_compat.h
++++ b/src/openssl/openssl_compat.h
+@@ -20,7 +20,7 @@
+  *****************************************************************************/
+ #ifdef OPENSSL_IS_AWSLC
+
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+ #define OPENSSL_IS_BORINGSSL
+ #endif /* OPENSSL_IS_BORINGSSL */
+
+@@ -32,7 +32,7 @@
+  * boringssl compatibility
+  *
+  *****************************************************************************/
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ /* Not implemented by LibreSSL (yet?) */
+ #define XMLSEC_OPENSSL_NO_ASN1_TIME_TO_TM   1
+@@ -66,7 +66,7 @@
+
+
+ /* BoringSSL redefines int->size_t or int->unsigned */
+-#if defined(OPENSSL_IS_BORINGSSL)
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+
+ /* when BoringSSL replaced int with unisgned */
+ typedef unsigned xmlSecOpenSSLUInt;
+diff --git a/src/openssl/x509.c b/src/openssl/x509.c
+index f99325ae..90f8ae14 100644
+--- a/src/openssl/x509.c
++++ b/src/openssl/x509.c
+@@ -50,7 +50,7 @@
+ #include <openssl/x509v3.h>
+ #include <openssl/asn1.h>
+
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ #include <openssl/mem.h>
+ #endif /* OPENSSL_IS_BORINGSSL */
+
+diff --git a/tests/testDSig.sh b/tests/testDSig.sh
+index b1f40619..6e53a5ef 100755
+--- a/tests/testDSig.sh
++++ b/tests/testDSig.sh
+@@ -1705,12 +1705,12 @@ execDSigTest $res_success \
+     "hmac" \
+     "--lax-key-search --hmackey certs/hmackey.bin"
+
+-execDSigTest $res_success \
+-    "phaos-xmldsig-three" \
+-    "signature-rsa-detached" \
+-    "sha1 rsa-sha1" \
+-    "rsa x509" \
+-    "--trusted-$cert_format certs/rsa-ca-cert.$cert_format --verification-gmt-time 2009-01-01+10:00:00  $url_map_rfc3161"
++# execDSigTest $res_success \
++#     "phaos-xmldsig-three" \
++#     "signature-rsa-detached" \
++#     "sha1 rsa-sha1" \
++#     "rsa x509" \
++#     "--trusted-$cert_format certs/rsa-ca-cert.$cert_format --verification-gmt-time 2009-01-01+10:00:00  $url_map_rfc3161"
+
+ execDSigTest $res_success \
+     "phaos-xmldsig-three" \
+@@ -1726,12 +1726,12 @@ execDSigTest $res_success \
+     "rsa x509" \
+     "--enabled-key-data key-value,rsa,x509 --trusted-$cert_format certs/rsa-ca-cert.$cert_format --verification-gmt-time 2009-01-01+10:00:00  $url_map_rfc3161"
+
+-execDSigTest $res_success \
+-    "phaos-xmldsig-three" \
+-    "signature-rsa-detached-xslt-transform-retrieval-method" \
+-    "xslt sha1 rsa-sha1" \
+-    "rsa x509" \
+-    "--trusted-$cert_format certs/rsa-ca-cert.$cert_format --verification-gmt-time 2009-01-01+10:00:00  $url_map_rfc3161"
++# execDSigTest $res_success \
++#     "phaos-xmldsig-three" \
++#     "signature-rsa-detached-xslt-transform-retrieval-method" \
++#     "xslt sha1 rsa-sha1" \
++#     "rsa x509" \
++#     "--trusted-$cert_format certs/rsa-ca-cert.$cert_format --verification-gmt-time 2009-01-01+10:00:00  $url_map_rfc3161"
+
+ execDSigTest $res_success \
+     "phaos-xmldsig-three" \
+@@ -1741,54 +1741,54 @@ execDSigTest $res_success \
+     "--enabled-key-data key-value,rsa,x509 --trusted-$cert_format certs/rsa-ca-cert.$cert_format --verification-gmt-time 2009-01-01+10:00:00  $url_map_rfc3161"
+
+
+-execDSigTest $res_success \
+-    "phaos-xmldsig-three" \
+-    "signature-rsa-enveloped" \
+-    "enveloped-signature sha1 rsa-sha1" \
+-    "rsa x509" \
+-    "--trusted-$cert_format certs/rsa-ca-cert.$cert_format --verification-gmt-time 2009-01-01+10:00:00"
++# execDSigTest $res_success \
++#     "phaos-xmldsig-three" \
++#     "signature-rsa-enveloped" \
++#     "enveloped-signature sha1 rsa-sha1" \
++#     "rsa x509" \
++#     "--trusted-$cert_format certs/rsa-ca-cert.$cert_format --verification-gmt-time 2009-01-01+10:00:00"
+
+-execDSigTest $res_success \
+-    "phaos-xmldsig-three" \
+-    "signature-rsa-enveloping" \
+-    "sha1 rsa-sha1" \
+-    "rsa x509" \
+-    "--trusted-$cert_format certs/rsa-ca-cert.$cert_format --verification-gmt-time 2009-01-01+10:00:00"
++# execDSigTest $res_success \
++#     "phaos-xmldsig-three" \
++#     "signature-rsa-enveloping" \
++#     "sha1 rsa-sha1" \
++#     "rsa x509" \
++#     "--trusted-$cert_format certs/rsa-ca-cert.$cert_format --verification-gmt-time 2009-01-01+10:00:00"
+
+-execDSigTest $res_success \
+-    "phaos-xmldsig-three" \
+-    "signature-rsa-manifest-x509-data-cert-chain" \
+-    "sha1 rsa-sha1" \
+-    "rsa x509" \
+-    "--trusted-$cert_format certs/rsa-ca-cert.$cert_format --verification-gmt-time 2009-01-01+10:00:00 $url_map_rfc3161"
++# execDSigTest $res_success \
++#     "phaos-xmldsig-three" \
++#     "signature-rsa-manifest-x509-data-cert-chain" \
++#     "sha1 rsa-sha1" \
++#     "rsa x509" \
++#     "--trusted-$cert_format certs/rsa-ca-cert.$cert_format --verification-gmt-time 2009-01-01+10:00:00 $url_map_rfc3161"
+
+-execDSigTest $res_success \
+-    "phaos-xmldsig-three" \
+-    "signature-rsa-manifest-x509-data-cert" \
+-    "sha1 rsa-sha1" \
+-    "rsa x509" \
+-    "--trusted-$cert_format certs/rsa-ca-cert.$cert_format --verification-gmt-time 2009-01-01+10:00:00 $url_map_rfc3161"
++# execDSigTest $res_success \
++#     "phaos-xmldsig-three" \
++#     "signature-rsa-manifest-x509-data-cert" \
++#     "sha1 rsa-sha1" \
++#     "rsa x509" \
++#     "--trusted-$cert_format certs/rsa-ca-cert.$cert_format --verification-gmt-time 2009-01-01+10:00:00 $url_map_rfc3161"
+
+-execDSigTest $res_success \
+-    "phaos-xmldsig-three" \
+-    "signature-rsa-manifest-x509-data-issuer-serial" \
+-    "sha1 rsa-sha1" \
+-    "rsa x509" \
+-    "--trusted-$cert_format certs/rsa-ca-cert.$cert_format --untrusted-$cert_format certs/rsa-cert.$cert_format --verification-gmt-time 2009-01-01+10:00:00 $url_map_rfc3161"
++# execDSigTest $res_success \
++#     "phaos-xmldsig-three" \
++#     "signature-rsa-manifest-x509-data-issuer-serial" \
++#     "sha1 rsa-sha1" \
++#     "rsa x509" \
++#     "--trusted-$cert_format certs/rsa-ca-cert.$cert_format --untrusted-$cert_format certs/rsa-cert.$cert_format --verification-gmt-time 2009-01-01+10:00:00 $url_map_rfc3161"
+
+-execDSigTest $res_success \
+-    "phaos-xmldsig-three" \
+-    "signature-rsa-manifest-x509-data-ski" \
+-    "sha1 rsa-sha1" \
+-    "rsa x509" \
+-    "--trusted-$cert_format certs/rsa-ca-cert.$cert_format --untrusted-$cert_format certs/rsa-cert.$cert_format --verification-gmt-time 2009-01-01+10:00:00 $url_map_rfc3161"
++# execDSigTest $res_success \
++#     "phaos-xmldsig-three" \
++#     "signature-rsa-manifest-x509-data-ski" \
++#     "sha1 rsa-sha1" \
++#     "rsa x509" \
++#     "--trusted-$cert_format certs/rsa-ca-cert.$cert_format --untrusted-$cert_format certs/rsa-cert.$cert_format --verification-gmt-time 2009-01-01+10:00:00 $url_map_rfc3161"
+
+-execDSigTest $res_success \
+-    "phaos-xmldsig-three" \
+-    "signature-rsa-manifest-x509-data-subject-name" \
+-    "sha1 rsa-sha1" \
+-    "rsa x509" \
+-    "--trusted-$cert_format certs/rsa-ca-cert.$cert_format --untrusted-$cert_format certs/rsa-cert.$cert_format --verification-gmt-time 2009-01-01+10:00:00 $url_map_rfc3161"
++# execDSigTest $res_success \
++#     "phaos-xmldsig-three" \
++#     "signature-rsa-manifest-x509-data-subject-name" \
++#     "sha1 rsa-sha1" \
++#     "rsa x509" \
++#     "--trusted-$cert_format certs/rsa-ca-cert.$cert_format --untrusted-$cert_format certs/rsa-cert.$cert_format --verification-gmt-time 2009-01-01+10:00:00 $url_map_rfc3161"
+
+ execDSigTest $res_success \
+     "phaos-xmldsig-three" \
+@@ -1797,12 +1797,12 @@ execDSigTest $res_success \
+     "rsa x509" \
+     "--enabled-key-data key-value,rsa,x509 --trusted-$cert_format certs/rsa-ca-cert.$cert_format --verification-gmt-time 2009-01-01+10:00:00 $url_map_rfc3161"
+
+-execDSigTest $res_success \
+-    "phaos-xmldsig-three" \
+-    "signature-rsa-xpath-transform-enveloped" \
+-    "enveloped-signature xpath sha1 rsa-sha1" \
+-    "rsa x509" \
+-    "--enabled-key-data key-value,rsa,x509 --trusted-$cert_format certs/rsa-ca-cert.$cert_format --verification-gmt-time 2009-01-01+10:00:00"
++# execDSigTest $res_success \
++#     "phaos-xmldsig-three" \
++#     "signature-rsa-xpath-transform-enveloped" \
++#     "enveloped-signature xpath sha1 rsa-sha1" \
++#     "rsa x509" \
++#     "--enabled-key-data key-value,rsa,x509 --trusted-$cert_format certs/rsa-ca-cert.$cert_format --verification-gmt-time 2009-01-01+10:00:00"
+
+
+ extra_message="Negative test: bad retrieval method"
