Add test for CA with RSA algorithm
A new test has been added to install CA with a non-default RSA
algorithm and verify that the system certs and admin cert use the
same algorithm. The test will also issue an SSL server cert
and verify that the cert uses the same algorithm.

The tests for CA with ECC and RSA/PSS algorithms have also
been updated to perform the same validation.
edewata committed Aug 1, 2023
1 parent 09c3c0b commit 12d3d64
Showing 5 changed files with 490 additions and 20 deletions.
122 changes: 112 additions & 10 deletions .github/workflows/ca-ecc-test.yml
Expand Up @@ -50,7 +50,7 @@ jobs:
- name: Connect PKI container to network
run: docker network connect example pki --alias pki.example.com

- name: Install CA
- name: Install CA with SHA512withEC
run: |
docker exec pki pkispawn \
-f /usr/share/pki/server/examples/installation/ca-ecc.cfg \
Expand All @@ -63,6 +63,7 @@ jobs:
- name: Check system cert keys
run: |
# all keys should be "ec"
echo Secret.123 > password.txt
docker exec pki certutil -K -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt | tee output
echo "ec" > expected
Expand All @@ -84,33 +85,103 @@ jobs:
- name: Check CA signing cert
run: |
# inspect cert with certutil
docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n ca_signing | tee output
# signing algorithm should be "X9.62 ECDSA signature with SHA512"
echo "X9.62 ECDSA signature with SHA512" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# inspect cert with openssl
docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
docker exec pki openssl x509 -text -noout -in ca_signing.crt
docker exec pki openssl x509 -text -noout -in ca_signing.crt | tee output
# signing algorithm should be "ecdsa-with-SHA512"
echo "ecdsa-with-SHA512" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
- name: Check CA OCSP signing cert
run: |
# inspect cert with certutil
docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n ca_ocsp_signing | tee output
# signing algorithm should be "X9.62 ECDSA signature with SHA512"
echo "X9.62 ECDSA signature with SHA512" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# inspect cert with openssl
docker exec pki pki-server cert-export ca_ocsp_signing --cert-file ca_ocsp_signing.crt
docker exec pki openssl x509 -text -noout -in ca_ocsp_signing.crt
docker exec pki openssl x509 -text -noout -in ca_ocsp_signing.crt | tee output
# signing algorithm should be "ecdsa-with-SHA512"
echo "ecdsa-with-SHA512" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
- name: Check CA audit signing cert
run: |
# inspect cert with certutil
docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n ca_audit_signing | tee output
# signing algorithm should be "X9.62 ECDSA signature with SHA512"
echo "X9.62 ECDSA signature with SHA512" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# inspect cert with openssl
docker exec pki pki-server cert-export ca_audit_signing --cert-file ca_audit_signing.crt
docker exec pki openssl x509 -text -noout -in ca_audit_signing.crt
docker exec pki openssl x509 -text -noout -in ca_audit_signing.crt | tee output
# signing algorithm should be "ecdsa-with-SHA512"
echo "ecdsa-with-SHA512" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
- name: Check subsystem cert
run: |
# inspect cert with certutil
docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n subsystem | tee output
# signing algorithm should be "X9.62 ECDSA signature with SHA512"
echo "X9.62 ECDSA signature with SHA512" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# inspect cert with openssl
docker exec pki pki-server cert-export subsystem --cert-file subsystem.crt
docker exec pki openssl x509 -text -noout -in subsystem.crt
docker exec pki openssl x509 -text -noout -in subsystem.crt | tee output
# signing algorithm should be "ecdsa-with-SHA512"
echo "ecdsa-with-SHA512" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
- name: Check SSL server cert
run: |
# inspect cert with certutil
docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n sslserver | tee output
# signing algorithm should be "X9.62 ECDSA signature with SHA512"
echo "X9.62 ECDSA signature with SHA512" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# inspect cert with openssl
docker exec pki pki-server cert-export sslserver --cert-file sslserver.crt
docker exec pki openssl x509 -text -noout -in sslserver.crt
docker exec pki openssl x509 -text -noout -in sslserver.crt | tee output
# signing algorithm should be "ecdsa-with-SHA512"
echo "ecdsa-with-SHA512" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
- name: Run PKI healthcheck
run: docker exec pki pki-healthcheck --failures-only

- name: Verify CA admin
- name: Check authenticating as CA admin user
run: |
docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt
Expand All @@ -121,11 +192,42 @@ jobs:
- name: Check CA admin cert
run: |
docker exec pki openssl x509 -text -noout -in /root/.dogtag/pki-tomcat/ca_admin.cert
# inspect cert with certutil
docker exec pki certutil -L -d /root/.dogtag/nssdb -n caadmin | tee output
# signing algorithm should be "X9.62 ECDSA signature with SHA512"
echo "X9.62 ECDSA signature with SHA512" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
- name: Check cert requests in CA
# inspect cert with openssl
docker exec pki openssl x509 -text -noout -in /root/.dogtag/pki-tomcat/ca_admin.cert | tee output
# signing algorithm should be "ecdsa-with-SHA512"
echo "ecdsa-with-SHA512" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
- name: Check issuing SSL server cert
run: |
docker exec pki pki -n caadmin ca-cert-request-find
# issue cert
docker exec pki /usr/share/pki/tests/ca/bin/sslserver-create.sh
# inspect cert with certutil
docker exec pki certutil -L -d /root/.dogtag/nssdb -n sslserver | tee output
# signing algorithm should be "X9.62 ECDSA signature with SHA512"
echo "X9.62 ECDSA signature with SHA512" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# inspect cert with openssl
docker exec pki openssl x509 -text -noout -in sslserver.crt | tee output
# signing algorithm should be "ecdsa-with-SHA512"
echo "ecdsa-with-SHA512" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
- name: Gather artifacts
if: always()
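Review bot: The openssl check in `Check issuing SSL server cert` reads `sslserver.crt` without exporting it first, while the earlier `Check SSL server cert` step already wrote the system cert to that same filename with `pki-server cert-export sslserver --cert-file sslserver.crt`. Whether `sslserver-create.sh` overwrites that file is not visible here; if it writes somewhere else, the step re-inspects the system cert and passes without ever checking the newly issued one, which is exactly the case this step was added to cover. Removing the stale file before issuing makes that failure loud: add `docker exec pki rm -f sslserver.crt` on the line before the `sslserver-create.sh` call. The same pattern appears in the last hunk of .github/workflows/ca-rsa-pss-test.yml.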
98 changes: 88 additions & 10 deletions .github/workflows/ca-rsa-pss-test.yml
Expand Up @@ -50,7 +50,7 @@ jobs:
- name: Connect PKI container to network
run: docker network connect example pki --alias pki.example.com

- name: Install CA
- name: Install CA with SHA512withRSA/PSS
run: |
docker exec pki pkispawn \
-f /usr/share/pki/server/examples/installation/ca.cfg \
Expand All @@ -74,6 +74,7 @@ jobs:
- name: Check system cert keys
run: |
# all keys should be "rsa"
echo Secret.123 > password.txt
docker exec pki certutil -K -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt | tee output
echo "rsa" > expected
Expand All @@ -95,53 +96,103 @@ jobs:
- name: Check CA signing cert
run: |
# inspect cert with certutil
docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n ca_signing | tee output
# signing algorithm should be "PKCS #1 RSA-PSS Signature"
echo "PKCS #1 RSA-PSS Signature" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# inspect cert with openssl
docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
docker exec pki openssl x509 -text -noout -in ca_signing.crt | tee output
# signing algorithm should be "rsassaPss"
echo "rsassaPss" > expected
sed -n "/^\s*Signature Algorithm:/ {s/^.*:\s*\(\S*\)\s*$/\1/p;q}" output > actual
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
- name: Check CA OCSP signing cert
run: |
# inspect cert with certutil
docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n ca_ocsp_signing | tee output
# signing algorithm should be "PKCS #1 RSA-PSS Signature"
echo "PKCS #1 RSA-PSS Signature" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# inspect cert with openssl
docker exec pki pki-server cert-export ca_ocsp_signing --cert-file ca_ocsp_signing.crt
docker exec pki openssl x509 -text -noout -in ca_ocsp_signing.crt | tee output
# signing algorithm should be "rsassaPss"
echo "rsassaPss" > expected
sed -n "/^\s*Signature Algorithm:/ {s/^.*:\s*\(\S*\)\s*$/\1/p;q}" output > actual
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
- name: Check CA audit signing cert
run: |
# inspect cert with certutil
docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n ca_audit_signing | tee output
# signing algorithm should be "PKCS #1 RSA-PSS Signature"
echo "PKCS #1 RSA-PSS Signature" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# inspect cert with openssl
docker exec pki pki-server cert-export ca_audit_signing --cert-file ca_audit_signing.crt
docker exec pki openssl x509 -text -noout -in ca_audit_signing.crt | tee output
# signing algorithm should be "rsassaPss"
echo "rsassaPss" > expected
sed -n "/^\s*Signature Algorithm:/ {s/^.*:\s*\(\S*\)\s*$/\1/p;q}" output > actual
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
- name: Check subsystem cert
run: |
# inspect cert with certutil
docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n subsystem | tee output
# signing algorithm should be "PKCS #1 RSA-PSS Signature"
echo "PKCS #1 RSA-PSS Signature" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# inspect cert with openssl
docker exec pki pki-server cert-export subsystem --cert-file subsystem.crt
docker exec pki openssl x509 -text -noout -in subsystem.crt | tee output
# signing algorithm should be "rsassaPss"
echo "rsassaPss" > expected
sed -n "/^\s*Signature Algorithm:/ {s/^.*:\s*\(\S*\)\s*$/\1/p;q}" output > actual
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
- name: Check SSL server cert
run: |
# inspect cert with certutil
docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n sslserver | tee output
# signing algorithm should be "PKCS #1 RSA-PSS Signature"
echo "PKCS #1 RSA-PSS Signature" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# inspect cert with openssl
docker exec pki pki-server cert-export sslserver --cert-file sslserver.crt
docker exec pki openssl x509 -text -noout -in sslserver.crt | tee output
# signing algorithm should be "rsassaPss"
echo "rsassaPss" > expected
sed -n "/^\s*Signature Algorithm:/ {s/^.*:\s*\(\S*\)\s*$/\1/p;q}" output > actual
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
- name: Run PKI healthcheck
run: docker exec pki pki-healthcheck --failures-only

- name: Verify CA admin
- name: Check authenticating as CA admin user
run: |
docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt
Expand All @@ -152,15 +203,42 @@ jobs:
- name: Check CA admin cert
run: |
# inspect cert with certutil
docker exec pki certutil -L -d /root/.dogtag/nssdb -n caadmin | tee output
# signing algorithm should be "PKCS #1 RSA-PSS Signature"
echo "PKCS #1 RSA-PSS Signature" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# inspect cert with openssl
docker exec pki openssl x509 -text -noout -in /root/.dogtag/pki-tomcat/ca_admin.cert | tee output
# signing algorithm should be "rsassaPss"
echo "rsassaPss" > expected
sed -n "/^\s*Signature Algorithm:/ {s/^.*:\s*\(\S*\)\s*$/\1/p;q}" output > actual
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
- name: Check cert requests in CA
- name: Check issuing SSL server cert
run: |
docker exec pki pki -n caadmin ca-cert-request-find
# issue cert
docker exec pki /usr/share/pki/tests/ca/bin/sslserver-create.sh
# inspect cert with certutil
docker exec pki certutil -L -d /root/.dogtag/nssdb -n sslserver | tee output
# signing algorithm should be "PKCS #1 RSA-PSS Signature"
echo "PKCS #1 RSA-PSS Signature" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
# inspect cert with openssl
docker exec pki openssl x509 -text -noout -in sslserver.crt | tee output
# signing algorithm should be "rsassaPss"
echo "rsassaPss" > expected
sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
diff expected actual
- name: Gather artifacts
if: always()
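Review bot: `echo Secret.123 > password.txt` in `Check system cert keys` hard-codes the NSS database password as a literal that has to match whatever `pkispawn` was given in the install step above (the config file is not visible here), so a mismatch only surfaces as a certutil failure several steps later. The file is also written in cleartext into the shared workspace and none of the visible steps remove it, so it may be swept up by whatever `Gather artifacts` collects; the same line exists in .github/workflows/ca-ecc-test.yml. Consider defining the password once, e.g. a job-level `env` value used by both the install and this step, and deleting the file before artifacts are gathered with `rm -f password.txt`.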
