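---
# Reusable workflow (invoked via `workflow_call`) that exercises the
# `pki nss-*` CLI: key creation and lookup for AES, RSA and EC, then a
# cert request / issue / import / show round trip, first in the software
# NSS database and then against an ephemeral SoftHSM token.
name: Testing PKI tools

on: workflow_call  # yamllint disable-line rule:truthy

env:
  # Registry namespace for the dist images; defaults to the upstream project.
  NAMESPACE: ${{ vars.REGISTRY_NAMESPACE || 'dogtagpki' }}

jobs:
  test:
    name: Test
    runs-on: ubuntu-latest
    defaults:
      run:
        # An explicit `bash` shell makes GitHub run steps with `-o pipefail`,
        # so a failing `pki ... | tee output` fails the step instead of being
        # masked by tee's zero exit status.
        shell: bash
    env:
      # Path used inside the pki container; later steps read
      # $SHARED/password.conf there, so runner-init.sh presumably mounts the
      # workspace at this path — confirm against tests/bin/runner-init.sh.
      SHARED: /tmp/workdir/pki

    steps:
      - name: Clone repository
        # NOTE(review): tag-pinned; pin to a commit SHA if the project wants
        # stronger supply-chain guarantees for third-party actions.
        uses: actions/checkout@v4

      - name: Retrieve JSS images
        uses: actions/cache@v4
        with:
          key: jss-images-${{ github.sha }}
          path: jss-images.tar
          # A miss is a real error here (the next step needs the tarball);
          # fail with a clear message rather than a "file not found" from docker.
          fail-on-cache-miss: true

      - name: Load JSS images
        run: docker load --input jss-images.tar

      - name: Set up JSS container
        run: |
          tests/bin/runner-init.sh pki
        env:
          HOSTNAME: pki.example.com

      # The dist images are pulled by the floating `latest` tag, so results
      # may vary between runs; pin a digest if reproducibility matters.
      - name: Import LDAP SDK packages
        run: |
          docker create --name=ldapjdk-dist quay.io/$NAMESPACE/ldapjdk-dist:latest
          docker cp ldapjdk-dist:/root/RPMS/. /tmp/RPMS/
          docker rm -f ldapjdk-dist

      - name: Import PKI packages
        run: |
          docker create --name=pki-dist quay.io/$NAMESPACE/pki-dist:latest
          docker cp pki-dist:/root/RPMS/. /tmp/RPMS/
          docker rm -f pki-dist

      - name: Install packages
        run: |
          docker cp /tmp/RPMS/. pki:/root/RPMS/
          docker exec pki bash -c "dnf localinstall -y /root/RPMS/*"

      - name: Create HSM token
        run: |
          # Test-only PIN for the ephemeral SoftHSM token; the token is
          # deleted in the last step of this job.
          docker exec pki dnf install -y softhsm
          docker exec pki softhsm2-util --init-token \
              --label HSM \
              --so-pin Secret.HSM \
              --pin Secret.HSM \
              --free
          docker exec pki softhsm2-util --show-slots

          # create password.conf: empty password for the internal NSS DB,
          # the PIN for the HSM token. Written to the workspace so the HSM
          # step can read it as $SHARED/password.conf inside the container
          # (assumes the workspace is mounted at $SHARED — TODO confirm).
          echo "internal=" > password.conf
          echo "hardware-HSM=Secret.HSM" >> password.conf

      - name: Check PKI CLI with AES
        run: |
          # create key
          docker exec pki pki nss-key-create --key-type AES aes

          # find key with nickname
          docker exec pki pki nss-key-show --key-nickname aes | tee output

          # check key type
          sed -n 's/\s*Type:\s*\(\S\+\)\s*$/\1/p' output > actual
          echo "AES" > expected
          diff expected actual

          # check key algorithm
          sed -n 's/\s*Algorithm:\s*\(\S\+\)\s*$/\1/p' output > actual
          echo "AES" > expected
          diff expected actual

      - name: Check PKI CLI with RSA
        run: |
          # create key
          docker exec pki pki nss-key-create --key-type RSA | tee output

          # get key ID; fail early with a clear message instead of passing an
          # empty --key-id to the following commands
          KEY_ID=$(sed -n 's/^\s*Key ID:\s*\(\S\+\)\s*$/\1/p' output)
          [ -n "$KEY_ID" ] || { echo "Key ID not found in output" >&2; exit 1; }

          # find key with key ID
          docker exec pki pki nss-key-show --key-id "$KEY_ID" | tee output

          # check key type
          sed -n 's/\s*Type:\s*\(\S\+\)\s*$/\1/p' output > actual
          echo "RSA" > expected
          diff expected actual

          # check key algorithm
          sed -n 's/\s*Algorithm:\s*\(\S\+\)\s*$/\1/p' output > actual
          echo "RSA" > expected
          diff expected actual

          # create cert request
          docker exec pki pki nss-cert-request \
              --key-id "$KEY_ID" \
              --subject "CN=Certificate Authority" \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --csr rsa.csr

          # issue cert (self-signed CA profile from ca_signing.conf)
          docker exec pki pki nss-cert-issue \
              --csr rsa.csr \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --cert rsa.crt

          # import cert with CA trust flags
          docker exec pki pki nss-cert-import \
              --cert rsa.crt \
              --trust CT,C,C \
              rsa

          # find cert with nickname
          docker exec pki pki nss-cert-show rsa

          # find cert with cert binaries
          docker exec pki pki nss-cert-show --cert-file rsa.crt

      - name: Check PKI CLI with ECC
        run: |
          # create key
          docker exec pki pki nss-key-create --key-type EC | tee output

          # get key ID; fail early with a clear message instead of passing an
          # empty --key-id to the following commands
          KEY_ID=$(sed -n 's/^\s*Key ID:\s*\(\S\+\)\s*$/\1/p' output)
          [ -n "$KEY_ID" ] || { echo "Key ID not found in output" >&2; exit 1; }

          # find key with key ID
          docker exec pki pki nss-key-show --key-id "$KEY_ID" | tee output

          # check key type
          sed -n 's/\s*Type:\s*\(\S\+\)\s*$/\1/p' output > actual
          echo "EC" > expected
          diff expected actual

          # check key algorithm
          sed -n 's/\s*Algorithm:\s*\(\S\+\)\s*$/\1/p' output > actual
          echo "EC" > expected
          diff expected actual

          # create cert request
          docker exec pki pki nss-cert-request \
              --key-id "$KEY_ID" \
              --subject "CN=Certificate Authority" \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --csr ecc.csr

          # issue cert (self-signed CA profile from ca_signing.conf)
          docker exec pki pki nss-cert-issue \
              --csr ecc.csr \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --cert ecc.crt

          # import cert with CA trust flags
          docker exec pki pki nss-cert-import \
              --cert ecc.crt \
              --trust CT,C,C \
              ecc

          # find cert with nickname
          docker exec pki pki nss-cert-show ecc

          # find cert with cert binaries
          docker exec pki pki nss-cert-show --cert-file ecc.crt

      - name: Check PKI CLI with HSM
        run: |
          # create key on the HSM token; -f supplies the token PIN
          docker exec pki pki \
              --token HSM \
              -f "$SHARED/password.conf" \
              nss-key-create \
              --key-type RSA | tee output

          # get key ID; fail early with a clear message instead of passing an
          # empty --key-id to the following commands
          KEY_ID=$(sed -n 's/^\s*Key ID:\s*\(\S\+\)\s*$/\1/p' output)
          [ -n "$KEY_ID" ] || { echo "Key ID not found in output" >&2; exit 1; }

          # find key with key ID
          docker exec pki pki \
              --token HSM \
              -f "$SHARED/password.conf" \
              nss-key-show \
              --key-id "$KEY_ID" | tee output

          # check key type
          sed -n 's/\s*Type:\s*\(\S\+\)\s*$/\1/p' output > actual
          echo "RSA" > expected
          diff expected actual

          # check key algorithm
          sed -n 's/\s*Algorithm:\s*\(\S\+\)\s*$/\1/p' output > actual
          echo "RSA" > expected
          diff expected actual

          # create cert request
          docker exec pki pki \
              --token HSM \
              -f "$SHARED/password.conf" \
              nss-cert-request \
              --key-id "$KEY_ID" \
              --subject "CN=Certificate Authority" \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --csr hsm.csr

          # issue cert (self-signed CA profile from ca_signing.conf)
          docker exec pki pki \
              --token HSM \
              -f "$SHARED/password.conf" \
              nss-cert-issue \
              --csr hsm.csr \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --cert hsm.crt

          # import cert with CA trust flags
          docker exec pki pki \
              --token HSM \
              -f "$SHARED/password.conf" \
              nss-cert-import \
              --cert hsm.crt \
              --trust CT,C,C \
              hsm

          # find cert with nickname (no --token: lookup via the internal DB)
          docker exec pki pki nss-cert-show hsm

          # find cert with cert binaries
          docker exec pki pki nss-cert-show --cert-file hsm.crt

          # find cert in HSM with nickname
          docker exec pki pki \
              --token HSM \
              -f "$SHARED/password.conf" \
              nss-cert-show \
              HSM:hsm

          # find cert in HSM with cert binaries
          docker exec pki pki \
              --token HSM \
              -f "$SHARED/password.conf" \
              nss-cert-show \
              --cert-file hsm.crt

      - name: Remove HSM token
        run: docker exec pki softhsm2-util --delete-token --token HSM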