chore: reanable intermediate validation in DER and change download re… #4
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Certificate Validation and PIN Verification | |
| on: | |
| push: | |
| branches: [ poc/ci-certificate-check ] | |
| jobs: | |
| validate-certificates: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v3 | |
| - name: Download and unzip certificates | |
| run: | | |
| mkdir -p ./certs | |
| echo "Directory ./certs created" | |
| curl -L -o ./certs/certificate.zip https://github.com/HathorNetwork/hathor-wallet-mobile/archive/refs/tags/v1.zip | |
| echo "Certificates downloaded to ./certs/certificate.zip file" | |
| unzip -j ./certs/certificate.zip -d ./certs | |
| echo "Certificates unzipped to ./certs directory" | |
| rm ./certs/certificate.zip | |
| echo "Zip file ./certs/certificate.zip removed" | |
| - name: Validate intermediate certificates in PEM | |
| run: | | |
| for cert in ./certs/hathor-network-trust*.pem; do | |
| openssl verify -CAfile ./certs/hathor-network-root-ca-1.pem $cert || { | |
| echo "Error: Intermediate certificate signature do not match with root certificate" | |
| exit 1 | |
| } | |
| done | |
| - name: Validate intermediate certificates in DER | |
| run: | | |
| for cert in ./certs/hathor-network-trust*.der; do | |
| openssl verify -CAfile ./certs/hathor-network-root-ca-1.der $cert || { | |
| echo "Error: Intermediate certificate signature do not match with root certificate" | |
| exit 1 | |
| } | |
| done | |
| - name: Compare root certificates | |
| run: | | |
| # Check existence of the downloaed certificates in PEM encoding | |
| if [ ! -f ./certs/hathor-network-root-ca-1.pem ]; then | |
| echo "Error: ./certs/hathor-network-root-ca-1.pem does not exist" | |
| exit 1 | |
| fi | |
| if [ ! -f ./certs/hathor-network-root-ca-2.pem ]; then | |
| echo "Error: ./certs/hathor-network-root-ca-2.pem does not exist" | |
| exit 1 | |
| fi | |
| # Check existence of the downloaed certificates in DER encoding | |
| if [ ! -f ./certs/hathor-network-root-ca-1.der ]; then | |
| echo "Error: ./certs/hathor-network-root-ca-1.der does not exist" | |
| exit 1 | |
| fi | |
| if [ ! -f ./certs/hathor-network-root-ca-2.der ]; then | |
| echo "Error: ./certs/hathor-network-root-ca-2.der does not exist" | |
| exit 1 | |
| fi | |
| # Check existence of installed certificates for iOS | |
| if [ ! -f ./ios/hathor-network-root-ca-1.der ]; then | |
| echo "Error: ./ios/hathor-network-root-ca-1.der does not exist" | |
| exit 1 | |
| fi | |
| if [ ! -f ./ios/hathor-network-root-ca-2.der ]; then | |
| echo "Error: ./ios/hathor-network-root-ca-2.der does not exist" | |
| exit 1 | |
| fi | |
| # Check existence of installed certificates for Android | |
| if [ ! -f ./android/hathor-network-root-ca-1.pem ]; then | |
| echo "Error: ./android/hathor-network-root-ca-1.pem does not exist" | |
| exit 1 | |
| fi | |
| if [ ! -f ./android/hathor-network-root-ca-2.pem ]; then | |
| echo "Error: ./android/hathor-network-root-ca-2.pem does not exist" | |
| exit 1 | |
| fi | |
| # Check equality between the certificates | |
| diff -q ./certs/hathor-network-root-ca-1.pem ./android/app/src/main/res/raw/hathor-network-root-ca-1.pem || { | |
| echo "Error: hathor-network-root-ca-1.pem do not match on Android" | |
| exit 1 | |
| } | |
| diff -q ./certs/hathor-network-root-ca-2.pem ./android/app/src/main/res/raw/hathor-network-root-ca-2.pem || { | |
| echo "Error: hathor-network-root-ca-2.pem do not match on Android" | |
| exit 1 | |
| } | |
| diff -q ./certs/hathor-network-root-ca-1.der ./ios/hathor-network-root-ca-1.der || { | |
| echo "Error: hathor-network-root-ca-1.der do not match on iOS" | |
| exit 1 | |
| } | |
| diff -q ./certs/hathor-network-root-ca-2.der ./ios/hathor-network-root-ca-2.der || { | |
| echo "Error: hathor-network-root-ca-2.der do not match on iOS" | |
| exit 1 | |
| } | |
| - name: Generate PINs and verify Android manifest | |
| run: | | |
| for cert in ./certs/intermediate/*.pem; do | |
| PIN=$(openssl x509 -in $cert -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64) | |
| grep -q "$PIN" ./android/app/src/main/AndroidManifest.xml || { | |
| echo "Error: PIN $PIN not found in AndroidManifest.xml" | |
| exit 1 | |
| } | |
| done | |
| - name: Generate PINs and verify iOS Info.plist | |
| run: | | |
| for cert in ./certs/intermediate/*.pem; do | |
| PIN=$(openssl x509 -in $cert -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64) | |
| grep -q "$PIN" ./ios/HathorNetwork/Info.plist || { | |
| echo "Error: PIN $PIN not found in Info.plist" | |
| } | |
| done |