Make X509 CodeBuild webhook more resilient (#2680)

### Description of changes: 
Mainly reorganizes the project to have the x509-limbo and python
dependency already setup in a docker container (which will stay updates
by our periodic pipeline refreshment). We then use the image and pull in
the AWS-LC source and run the harness within that.

### Testing:
Verified the changes work with the X509 CodeBuild webhook project.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

Author: skmcgrail

tests/ci/codebuild/common/run_x509_limbo_reports_target.yml

@@ -8,10 +8,6 @@ env:
     GOPROXY: https://proxy.golang.org,direct
 
 phases:
-  install:
-    commands:
-      - nohup /usr/bin/dockerd --host=unix:///var/run/docker.sock --host=tcp://127.0.0.1:2375 &
-      - timeout 15 sh -c "until docker info; do echo .; sleep 1; done"
   build:
     commands:
       - "./${AWS_LC_CI_TARGET}"

tests/ci/docker_images/linux-x86/amazonlinux-2023_base/Dockerfile

@@ -33,7 +33,9 @@ RUN set -ex && \
     valgrind \
     # valgrind/memcheck.h is provided by the valgrind-devel package on AL2. see P63119011.
     valgrind-devel \
-    unzip && \
+    unzip \
+    patch \
+    jq && \
     wget https://raw.githubusercontent.com/aws/aws-codebuild-docker-images/master/al/x86_64/standard/5.0/amazon-ssm-agent.json -P /etc/amazon/ssm/ && \
     # Based on https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2-linux.html
     curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && \

tests/ci/docker_images/linux-x86/amazonlinux-2023_x509/Dockerfile

@@ -1,16 +1,13 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0 OR ISC
 
-FROM amazonlinux-2023:clang-15x
+FROM amazonlinux-2023:gcc-11x
 
 SHELL ["/bin/bash", "-c"]
 
 RUN set -ex && \
     dnf -y upgrade --releasever=latest && dnf install -y \
-    docker \
-    openssl-devel \
-    patch \
-    jq && \
+    openssl-devel && \
     dnf clean packages && \
     dnf clean metadata && \
     dnf clean all && \
@@ -21,8 +18,13 @@ RUN curl -fsSL https://pyenv.run | bash
 
 ENV PATH="/root/.pyenv/bin:${PATH}"
 RUN eval "$(pyenv init -)" && \
-    pyenv install 3.13.1
+    pyenv install 3.13.7
 
-ENV PATH="/root/.pyenv/versions/3.13.1/bin:${PATH}"
-ENV CC=clang
-ENV CXX=clang++
+ENV PATH="/root/.pyenv/versions/3.13.7/bin:${PATH}"
+
+RUN git clone https://github.com/C2SP/x509-limbo.git /x509-limbo && \
+    cd /x509-limbo && \
+    python3 -m venv .venv && \
+    source .venv/bin/activate && \
+    pip install -e . && \
+    deactivate

tests/ci/run_x509_limbo.sh

@@ -12,7 +12,7 @@ source tests/ci/common_posix_setup.sh
 
 SCRATCH_DIR="${SYS_ROOT}/scratch"
 X509_CI_DIR="${SRC_ROOT}/tests/ci/x509"
-X509_LIMBO_SRC="${SCRATCH_DIR}/x509-limbo"
+X509_LIMBO_SRC="${X509_LIMBO_SRC:-/x509-limbo}" # Should be by the docker image
 BASE_COMMIT_SRC="${SYS_ROOT}/base-src"
 
 # If BASE_REF is set in the environment we will use that, this provides a mechanism for a user to manually kick off
@@ -23,38 +23,61 @@ BASE_COMMIT_SRC="${SYS_ROOT}/base-src"
 BASE_REF="${BASE_REF:-${CODEBUILD_WEBHOOK_BASE_REF:-${CODEBUILD_WEBHOOK_PREV_COMMIT:?}}}"
 
 function build_reporting_tool() {
-    pushd "${X509_CI_DIR}/limbo-report"
+    pushd "${X509_CI_DIR}/limbo-report" 2>&1 >/dev/null
     make
     mv ./limbo-report "${SCRATCH_DIR}/"
-    popd # "${X509_CI_DIR}/limbo-report"
+    popd 2>&1 >/dev/null # "${X509_CI_DIR}/limbo-report"
 }
 
 function setup_x509_limbo() {
-    git clone https://github.com/C2SP/x509-limbo.git "${X509_LIMBO_SRC}"
-    pushd "${X509_LIMBO_SRC}"
+    pushd "${X509_LIMBO_SRC}" 2>&1 >/dev/null
     patch -p1 -i "${X509_CI_DIR}/x509-limbo.patch"
-    python3 -m venv .venv
-    source .venv/bin/activate
-    pip install -e .
-    popd # "${X509_LIMBO_SRC}"
+    popd 2>&1 >/dev/null # "${X509_LIMBO_SRC}"
+}
+
+function build_aws_lc() {
+    local BUILD_DIR
+    BUILD_DIR=$(mktemp -d)
+    cmake -B "${BUILD_DIR}" -S "${1}" -GNinja \
+        -DBUILD_SHARED_LIBS=1 \
+        -DCMAKE_BUILD_TYPE=Debug \
+        -DCMAKE_INSTALL_PREFIX="${2}"
+    cmake --build "${BUILD_DIR}"
+    cmake --install "${BUILD_DIR}"
+    rm -rf "${BUILD_DIR}"
+}
+
+function build_aws_lc_harness() {
+    local HARNESS_SRC
+    HARNESS_SRC="${X509_LIMBO_SRC}/harness/aws-lc"
+    local PKG_CONFIG_PATH
+    PKG_CONFIG_PATH="${1}/lib64/pkgconfig"
+
+    pushd "${HARNESS_SRC}" 2>&1 >/dev/null
+    PKG_CONFIG_PATH="${PKG_CONFIG_PATH}" make 2>&1 >/dev/null
+
+    local HARNESS 
+    HARNESS="$(mktemp harnessXXX)"
+
+    mv main "${HARNESS}"
+
+    popd 2>&1 >/dev/null # "${HARNESS_SRC}"
+
+    echo "${HARNESS_SRC}/${HARNESS}"
 }
 
 function run_aws_lc_harness() {
-    pushd "${X509_LIMBO_SRC}"
+    pushd "${X509_LIMBO_SRC}" 2>&1 >/dev/null
     set +e
-    AWS_LC_SRC_DIR="${1}" make test-aws-lc
+    make run ARGS="harness --output ./results/aws-lc.json -- ${1}"
     if [ ! -f "${X509_LIMBO_SRC}/results/aws-lc.json" ]; then
-        echo "Failed to run x509-limbo harness for AWS_LC_SRC_DIR=${1}"
+        echo "Failed to run x509-limbo harness: ${1}"
         exit 1
     fi
     set -e
-    popd # "${X509_LIMBO_SRC}"
+    popd 2>&1 >/dev/null # "${X509_LIMBO_SRC}"
 }
 
-# Log Docker hub limit https://docs.docker.com/docker-hub/download-rate-limit/#how-can-i-check-my-current-rate
-TOKEN=$(curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:ratelimitpreview/test:pull" | jq -r .token)
-curl --head -H "Authorization: Bearer $TOKEN" https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest
-
 git worktree add "${BASE_COMMIT_SRC}" "${BASE_REF:?}"
 
 mkdir -p "${SCRATCH_DIR}"
@@ -68,12 +91,16 @@ REPORTS_DIR="${SRC_ROOT}/x509-limbo-reports"
 mkdir -p "${REPORTS_DIR}"
 
 # Build run x509-limbo on current src of event
-run_aws_lc_harness "${SRC_ROOT}"
+build_aws_lc "${SRC_ROOT}" "/opt/aws-lc-after"
+AFTER_HARNESS="$(build_aws_lc_harness "/opt/aws-lc-after")"
+run_aws_lc_harness "${AFTER_HARNESS}"
 "${SCRATCH_DIR}/limbo-report" annotate "${X509_LIMBO_SRC}/limbo.json" "${X509_LIMBO_SRC}/results/aws-lc.json" > "${REPORTS_DIR}/base.json"
 "${SCRATCH_DIR}/limbo-report" annotate -csv "${X509_LIMBO_SRC}/limbo.json" "${X509_LIMBO_SRC}/results/aws-lc.json" > "${REPORTS_DIR}/base.csv"
 
 # Build run x509-limbo on the base src for event
-run_aws_lc_harness "${BASE_COMMIT_SRC}"
+build_aws_lc "${BASE_COMMIT_SRC}" "/opt/aws-lc-before"
+BEFORE_HARNESS="$(build_aws_lc_harness "/opt/aws-lc-before")"
+run_aws_lc_harness "${BEFORE_HARNESS}"
 "${SCRATCH_DIR}/limbo-report" annotate "${X509_LIMBO_SRC}/limbo.json" "${X509_LIMBO_SRC}/results/aws-lc.json" > "${REPORTS_DIR}/changes.json"
 "${SCRATCH_DIR}/limbo-report" annotate -csv "${X509_LIMBO_SRC}/limbo.json" "${X509_LIMBO_SRC}/results/aws-lc.json" > "${REPORTS_DIR}/changes.csv"
 

tests/ci/setup.py

@@ -6,7 +6,7 @@
 
 
 setuptools.setup(
-    name="AWS-LC CI",
+    name="aws-lc-ci",
     version="0.0.1",
 
     description="AWS-LC CI python environment.",

tests/ci/x509/x509-limbo.patch

@@ -1,28 +1,5 @@
-From c9801cd216fa64be8045d948cc9f73a3fad025a2 Mon Sep 17 00:00:00 2001
-From: Sean McGrail <[email protected]>
-Date: Mon, 30 Sep 2024 19:29:48 +0000
-Subject: [PATCH] Support for AWS Libcrypto (AWS-LC)
-
----
- Makefile                         |     7 +-
- harness/aws-lc/.gitignore        |     2 +
- harness/aws-lc/Makefile          |    26 +
- harness/aws-lc/README.md         |    26 +
- harness/aws-lc/aws-lc.dockerfile |    27 +
- harness/aws-lc/date.hpp          |  8234 ++++++++++
- harness/aws-lc/json.hpp          | 24596 +++++++++++++++++++++++++++++
- harness/aws-lc/main.cpp          |   253 +
- 8 files changed, 33170 insertions(+), 1 deletion(-)
- create mode 100644 harness/aws-lc/.gitignore
- create mode 100644 harness/aws-lc/Makefile
- create mode 100644 harness/aws-lc/README.md
- create mode 100644 harness/aws-lc/aws-lc.dockerfile
- create mode 100644 harness/aws-lc/date.hpp
- create mode 100644 harness/aws-lc/json.hpp
- create mode 100644 harness/aws-lc/main.cpp
-
 diff --git a/Makefile b/Makefile
-index b81cf83..416c5c8 100644
+index ff0e109..53b4611 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -110,8 +110,13 @@ test-certvalidator: $(NEEDS_VENV)
@@ -50,7 +27,7 @@ index 0000000..9bc5102
 +results.json
 diff --git a/harness/aws-lc/Makefile b/harness/aws-lc/Makefile
 new file mode 100644
-index 0000000..2305b42
+index 0000000..0090d83
 --- /dev/null
 +++ b/harness/aws-lc/Makefile
 @@ -0,0 +1,26 @@
@@ -32990,10 +32967,10 @@ index 0000000..4d1a37a
 +#endif  // INCLUDE_NLOHMANN_JSON_HPP_
 diff --git a/harness/aws-lc/main.cpp b/harness/aws-lc/main.cpp
 new file mode 100644
-index 0000000..e4e8519
+index 0000000..ba987cf
 --- /dev/null
 +++ b/harness/aws-lc/main.cpp
-@@ -0,0 +1,253 @@
+@@ -0,0 +1,275 @@
 +#include <cstdlib>
 +#include <fstream>
 +#include <iostream>
@@ -33021,6 +32998,7 @@ index 0000000..e4e8519
 +using STACK_OF_X509_ptr = std::unique_ptr<STACK_OF(X509), decltype(&SK_X509_free)>;
 +using X509_STORE_ptr = std::unique_ptr<X509_STORE, decltype(&X509_STORE_free)>;
 +using X509_STORE_CTX_ptr = std::unique_ptr<X509_STORE_CTX, decltype(&X509_STORE_CTX_free)>;
++using X509_CRL_ptr = std::unique_ptr<X509_CRL, decltype(&X509_CRL_free)>;
 +
 +[[noreturn]] void barf(const std::string &msg)
 +{
@@ -33050,6 +33028,19 @@ index 0000000..e4e8519
 +  return X509_ptr(cert, X509_free);
 +}
 +
++X509_CRL_ptr pem_to_crl(const std::string &pem)
++{
++  X509_CRL *crl = nullptr;
++  BIO_ptr crl_bio(BIO_new_mem_buf(pem.data(), pem.length()), BIO_free);
++
++  if (!PEM_read_bio_X509_CRL(crl_bio.get(), &crl, 0, NULL))
++  {
++    barf("failed to parse CRL");
++  }
++
++  return X509_CRL_ptr(crl, X509_CRL_free);
++}
++
 +STACK_OF_X509_ptr x509_stack(const json &certs)
 +{
 +  if (!certs.is_array())
@@ -33127,6 +33118,19 @@ index 0000000..e4e8519
 +    X509_STORE_add_cert(store.get(), cert_x509.get());
 +  }
 +
++  // Add CRLs to the store if present
++  if (testcase.contains("crls") && !testcase["crls"].empty())
++  {
++    for (auto &crl_pem : testcase["crls"])
++    {
++      auto crl = pem_to_crl(crl_pem.template get<std::string>());
++      X509_STORE_add_crl(store.get(), crl.get());
++    }
++
++    // Enable CRL checking
++    X509_STORE_set_flags(store.get(), X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
++  }
++
 +  auto untrusted = x509_stack(testcase["untrusted_intermediates"]);
 +  auto peer_pem = testcase["peer_certificate"].template get<std::string>();
 +  auto peer = pem_to_x509(peer_pem);
@@ -33154,11 +33158,6 @@ index 0000000..e4e8519
 +
 +  auto param = X509_STORE_CTX_get0_param(ctx.get());
 +
-+  // The default authentication level is 1, which corresponds to 80 bits
-+  // of security. Level 2 corresponds to 112 bits and includes RSA 2048,
-+  // which brings the validation logic very slightly closer to the Web PKI.
-+  // X509_VERIFY_PARAM_set_auth_level(param, 2);
-+
 +  if (testcase["expected_peer_name"].is_object())
 +  {
 +    auto peer_name = testcase["expected_peer_name"]["value"].template get<std::string>();
@@ -33247,6 +33246,3 @@ index 0000000..e4e8519
 +
 +  return 0;
 +}
--- 
-2.40.1
-