diff --git a/.github/workflows/ca-ecc-test.yml b/.github/workflows/ca-ecc-test.yml
index c1fde5bf172..4e592b955d8 100644
--- a/.github/workflows/ca-ecc-test.yml
+++ b/.github/workflows/ca-ecc-test.yml
@@ -50,7 +50,7 @@ jobs:
 - name: Connect PKI container to network
 run: docker network connect example pki --alias pki.example.com
- - name: Install CA
+ - name: Install CA with SHA512withEC
 run: |
 docker exec pki pkispawn \
 -f /usr/share/pki/server/examples/installation/ca-ecc.cfg \
@@ -63,6 +63,7 @@ jobs:
 - name: Check system cert keys
 run: |
+ # all keys should be "ec"
 echo Secret.123 > password.txt
 docker exec pki certutil -K -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt | tee output
 echo "ec" > expected
@@ -84,33 +85,103 @@ jobs:
 - name: Check CA signing cert
 run: |
+ # inspect cert with certutil
+ docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n ca_signing | tee output
+
+ # signing algorithm should be "X9.62 ECDSA signature with SHA512"
+ echo "X9.62 ECDSA signature with SHA512" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
+
+ # inspect cert with openssl
 docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
- docker exec pki openssl x509 -text -noout -in ca_signing.crt
+ docker exec pki openssl x509 -text -noout -in ca_signing.crt | tee output
+
+ # signing algorithm should be "ecdsa-with-SHA512"
+ echo "ecdsa-with-SHA512" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
 - name: Check CA OCSP signing cert
 run: |
+ # inspect cert with certutil
+ docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n ca_ocsp_signing | tee output
+
+ # signing algorithm should be "X9.62 ECDSA signature with SHA512"
+ echo "X9.62 ECDSA signature with SHA512" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
+
+ # inspect cert with openssl
 docker exec pki pki-server cert-export ca_ocsp_signing --cert-file ca_ocsp_signing.crt
- docker exec pki openssl x509 -text -noout -in ca_ocsp_signing.crt
+ docker exec pki openssl x509 -text -noout -in ca_ocsp_signing.crt | tee output
+
+ # signing algorithm should be "ecdsa-with-SHA512"
+ echo "ecdsa-with-SHA512" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
 - name: Check CA audit signing cert
 run: |
+ # inspect cert with certutil
+ docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n ca_audit_signing | tee output
+
+ # signing algorithm should be "X9.62 ECDSA signature with SHA512"
+ echo "X9.62 ECDSA signature with SHA512" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
+
+ # inspect cert with openssl
 docker exec pki pki-server cert-export ca_audit_signing --cert-file ca_audit_signing.crt
- docker exec pki openssl x509 -text -noout -in ca_audit_signing.crt
+ docker exec pki openssl x509 -text -noout -in ca_audit_signing.crt | tee output
+
+ # signing algorithm should be "ecdsa-with-SHA512"
+ echo "ecdsa-with-SHA512" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
 - name: Check subsystem cert
 run: |
+ # inspect cert with certutil
+ docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n subsystem | tee output
+
+ # signing algorithm should be "X9.62 ECDSA signature with SHA512"
+ echo "X9.62 ECDSA signature with SHA512" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
+
+ # inspect cert with openssl
 docker exec pki pki-server cert-export subsystem --cert-file subsystem.crt
- docker exec pki openssl x509 -text -noout -in subsystem.crt
+ docker exec pki openssl x509 -text -noout -in subsystem.crt | tee output
+
+ # signing algorithm should be "ecdsa-with-SHA512"
+ echo "ecdsa-with-SHA512" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
 - name: Check SSL server cert
 run: |
+ # inspect cert with certutil
+ docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n sslserver | tee output
+
+ # signing algorithm should be "X9.62 ECDSA signature with SHA512"
+ echo "X9.62 ECDSA signature with SHA512" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
+
+ # inspect cert with openssl
 docker exec pki pki-server cert-export sslserver --cert-file sslserver.crt
- docker exec pki openssl x509 -text -noout -in sslserver.crt
+ docker exec pki openssl x509 -text -noout -in sslserver.crt | tee output
+
+ # signing algorithm should be "ecdsa-with-SHA512"
+ echo "ecdsa-with-SHA512" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
 - name: Run PKI healthcheck
 run: docker exec pki pki-healthcheck --failures-only
- - name: Verify CA admin
+ - name: Check authenticating as CA admin user
 run: |
 docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
 docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt
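Review bot: The `| uniq` after each sed extraction is load-bearing but undocumented: certutil -L and openssl x509 -text each print `Signature Algorithm:` twice (inside the TBS data and again for the outer signature), the sed emits both values adjacently, and uniq folds them only when they agree — so `diff expected actual` also fails on a TBS/outer mismatch, which is stricter than the first-match-only `;q` sed that ca-rsa-pss-test.yml replaces in this same commit. A comment above each sed, `# the algorithm is listed twice (TBS and outer signature); uniq folds them when they agree`, would keep a later edit from dropping uniq as redundant. Separately, unless these steps set `shell: bash` (not visible in the hunk), GitHub's default `bash -e` runs without pipefail, so a failing `docker exec ... | tee output` exits 0 and the problem only surfaces later as a diff against an empty `actual`; a `set -o pipefail` as the first line of each `run: |` block reports the real failure at the command that caused it. The same two points apply to the later hunk of this file and to the corresponding hunks in ca-rsa-pss-test.yml and ca-rsa-test.yml.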
@@ -121,11 +192,42 @@ jobs:
 - name: Check CA admin cert
 run: |
- docker exec pki openssl x509 -text -noout -in /root/.dogtag/pki-tomcat/ca_admin.cert
+ # inspect cert with certutil
+ docker exec pki certutil -L -d /root/.dogtag/nssdb -n caadmin | tee output
+
+ # signing algorithm should be "X9.62 ECDSA signature with SHA512"
+ echo "X9.62 ECDSA signature with SHA512" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
- - name: Check cert requests in CA
+ # inspect cert with openssl
+ docker exec pki openssl x509 -text -noout -in /root/.dogtag/pki-tomcat/ca_admin.cert | tee output
+
+ # signing algorithm should be "ecdsa-with-SHA512"
+ echo "ecdsa-with-SHA512" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
+
+ - name: Check issuing SSL server cert
 run: |
- docker exec pki pki -n caadmin ca-cert-request-find
+ # issue cert
+ docker exec pki /usr/share/pki/tests/ca/bin/sslserver-create.sh
+
+ # inspect cert with certutil
+ docker exec pki certutil -L -d /root/.dogtag/nssdb -n sslserver | tee output
+
+ # signing algorithm should be "X9.62 ECDSA signature with SHA512"
+ echo "X9.62 ECDSA signature with SHA512" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
+
+ # inspect cert with openssl
+ docker exec pki openssl x509 -text -noout -in sslserver.crt | tee output
+
+ # signing algorithm should be "ecdsa-with-SHA512"
+ echo "ecdsa-with-SHA512" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
 - name: Gather artifacts
 if: always()
diff --git a/.github/workflows/ca-rsa-pss-test.yml b/.github/workflows/ca-rsa-pss-test.yml
index bcbfba49b55..4ed023fb42d 100644
--- a/.github/workflows/ca-rsa-pss-test.yml
+++ b/.github/workflows/ca-rsa-pss-test.yml
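Review bot: The new `Check issuing SSL server cert` step verifies only the signature algorithm of the issued cert and never that it chains to this CA; since `Check authenticating as CA admin user` already exported `ca_signing.crt` into the same container working directory, one extra line after the openssl inspection, `docker exec pki openssl verify -CAfile ca_signing.crt sslserver.crt`, should pin the issuer as well. The step also relies on `sslserver-create.sh` leaving `sslserver.crt` in the `docker exec` working directory, which is implicit; a comment such as `# sslserver-create.sh writes sslserver.crt to the container cwd` would make that dependency visible. The same step is added unchanged to ca-rsa-pss-test.yml and ca-rsa-test.yml in this commit, so both points apply there too.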
@@ -50,7 +50,7 @@ jobs:
 - name: Connect PKI container to network
 run: docker network connect example pki --alias pki.example.com
- - name: Install CA
+ - name: Install CA with SHA512withRSA/PSS
 run: |
 docker exec pki pkispawn \
 -f /usr/share/pki/server/examples/installation/ca.cfg \
@@ -74,6 +74,7 @@ jobs:
 - name: Check system cert keys
 run: |
+ # all keys should be "rsa"
 echo Secret.123 > password.txt
 docker exec pki certutil -K -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt | tee output
 echo "rsa" > expected
@@ -95,53 +96,103 @@ jobs:
 - name: Check CA signing cert
 run: |
+ # inspect cert with certutil
+ docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n ca_signing | tee output
+
+ # signing algorithm should be "PKCS #1 RSA-PSS Signature"
+ echo "PKCS #1 RSA-PSS Signature" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
+
+ # inspect cert with openssl
 docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
 docker exec pki openssl x509 -text -noout -in ca_signing.crt | tee output
+ # signing algorithm should be "rsassaPss"
 echo "rsassaPss" > expected
- sed -n "/^\s*Signature Algorithm:/ {s/^.*:\s*\(\S*\)\s*$/\1/p;q}" output > actual
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
 diff expected actual
 - name: Check CA OCSP signing cert
 run: |
+ # inspect cert with certutil
+ docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n ca_ocsp_signing | tee output
+
+ # signing algorithm should be "PKCS #1 RSA-PSS Signature"
+ echo "PKCS #1 RSA-PSS Signature" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
+
+ # inspect cert with openssl
 docker exec pki pki-server cert-export ca_ocsp_signing --cert-file ca_ocsp_signing.crt
 docker exec pki openssl x509 -text -noout -in ca_ocsp_signing.crt | tee output
+ # signing algorithm should be "rsassaPss"
 echo "rsassaPss" > expected
- sed -n "/^\s*Signature Algorithm:/ {s/^.*:\s*\(\S*\)\s*$/\1/p;q}" output > actual
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
 diff expected actual
 - name: Check CA audit signing cert
 run: |
+ # inspect cert with certutil
+ docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n ca_audit_signing | tee output
+
+ # signing algorithm should be "PKCS #1 RSA-PSS Signature"
+ echo "PKCS #1 RSA-PSS Signature" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
+
+ # inspect cert with openssl
 docker exec pki pki-server cert-export ca_audit_signing --cert-file ca_audit_signing.crt
 docker exec pki openssl x509 -text -noout -in ca_audit_signing.crt | tee output
+ # signing algorithm should be "rsassaPss"
 echo "rsassaPss" > expected
- sed -n "/^\s*Signature Algorithm:/ {s/^.*:\s*\(\S*\)\s*$/\1/p;q}" output > actual
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
 diff expected actual
 - name: Check subsystem cert
 run: |
+ # inspect cert with certutil
+ docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n subsystem | tee output
+
+ # signing algorithm should be "PKCS #1 RSA-PSS Signature"
+ echo "PKCS #1 RSA-PSS Signature" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
+
+ # inspect cert with openssl
 docker exec pki pki-server cert-export subsystem --cert-file subsystem.crt
 docker exec pki openssl x509 -text -noout -in subsystem.crt | tee output
+ # signing algorithm should be "rsassaPss"
 echo "rsassaPss" > expected
- sed -n "/^\s*Signature Algorithm:/ {s/^.*:\s*\(\S*\)\s*$/\1/p;q}" output > actual
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
 diff expected actual
 - name: Check SSL server cert
 run: |
+ # inspect cert with certutil
+ docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n sslserver | tee output
+
+ # signing algorithm should be "PKCS #1 RSA-PSS Signature"
+ echo "PKCS #1 RSA-PSS Signature" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
+
+ # inspect cert with openssl
 docker exec pki pki-server cert-export sslserver --cert-file sslserver.crt
 docker exec pki openssl x509 -text -noout -in sslserver.crt | tee output
+ # signing algorithm should be "rsassaPss"
 echo "rsassaPss" > expected
- sed -n "/^\s*Signature Algorithm:/ {s/^.*:\s*\(\S*\)\s*$/\1/p;q}" output > actual
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
 diff expected actual
 - name: Run PKI healthcheck
 run: docker exec pki pki-healthcheck --failures-only
- - name: Verify CA admin
+ - name: Check authenticating as CA admin user
 run: |
 docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
 docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt
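Review bot: Style: the certutil/openssl signature-algorithm check is now pasted verbatim into every cert step of this file and again into ca-ecc-test.yml and ca-rsa-test.yml, varying only in the nickname and the two expected strings — the `;q` → `uniq` sed change in this hunk had to be replicated by hand in five places, which is exactly how such copies drift. A small helper under tests/ca/bin/ taking the NSS database, nickname and expected certutil/openssl strings as arguments would reduce each step to one or two lines. If the duplication is kept, the behaviour change deserves a comment where the sed is replaced: the removed sed stopped at the first `Signature Algorithm:` line, whereas the new one extracts every occurrence and, via uniq, requires them all to agree, e.g. `# all Signature Algorithm lines must match (uniq folds duplicates)`.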
@@ -152,15 +203,42 @@ jobs:
 - name: Check CA admin cert
 run: |
+ # inspect cert with certutil
+ docker exec pki certutil -L -d /root/.dogtag/nssdb -n caadmin | tee output
+
+ # signing algorithm should be "PKCS #1 RSA-PSS Signature"
+ echo "PKCS #1 RSA-PSS Signature" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
+
+ # inspect cert with openssl
 docker exec pki openssl x509 -text -noout -in /root/.dogtag/pki-tomcat/ca_admin.cert | tee output
+ # signing algorithm should be "rsassaPss"
 echo "rsassaPss" > expected
- sed -n "/^\s*Signature Algorithm:/ {s/^.*:\s*\(\S*\)\s*$/\1/p;q}" output > actual
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
 diff expected actual
- - name: Check cert requests in CA
+ - name: Check issuing SSL server cert
 run: |
- docker exec pki pki -n caadmin ca-cert-request-find
+ # issue cert
+ docker exec pki /usr/share/pki/tests/ca/bin/sslserver-create.sh
+
+ # inspect cert with certutil
+ docker exec pki certutil -L -d /root/.dogtag/nssdb -n sslserver | tee output
+
+ # signing algorithm should be "PKCS #1 RSA-PSS Signature"
+ echo "PKCS #1 RSA-PSS Signature" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
+
+ # inspect cert with openssl
+ docker exec pki openssl x509 -text -noout -in sslserver.crt | tee output
+
+ # signing algorithm should be "rsassaPss"
+ echo "rsassaPss" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
 - name: Gather artifacts
 if: always()
diff --git a/.github/workflows/ca-rsa-test.yml b/.github/workflows/ca-rsa-test.yml
new file mode 100644
index 00000000000..16067d4dc79
--- /dev/null
+++ b/.github/workflows/ca-rsa-test.yml
@@ -0,0 +1,258 @@
+name: CA with RSA
+
+on:
+ workflow_call:
+ inputs:
+ db-image:
+ required: false
+ type: string
+
+jobs:
+ test:
+ name: Test
+ runs-on: ubuntu-latest
+ env:
+ SHARED: /tmp/workdir/pki
+ steps:
+ - name: Clone repository
+ uses: actions/checkout@v3
+
+ - name: Retrieve PKI images
+ uses: actions/cache@v3
+ with:
+ key: pki-images-${{ github.sha }}
+ path: pki-images.tar
+
+ - name: Load PKI images
+ run: docker load --input pki-images.tar
+
+ - name: Create network
+ run: docker network create example
+
+ - name: Set up DS container
+ run: |
+ tests/bin/ds-container-create.sh ds
+ env:
+ IMAGE: ${{ inputs.db-image }}
+ HOSTNAME: ds.example.com
+ PASSWORD: Secret.123
+
+ - name: Connect DS container to network
+ run: docker network connect example ds --alias ds.example.com
+
+ - name: Set up PKI container
+ run: |
+ tests/bin/runner-init.sh pki
+ env:
+ HOSTNAME: pki.example.com
+
+ - name: Connect PKI container to network
+ run: docker network connect example pki --alias pki.example.com
+
+ - name: Install CA with SHA384withRSA
+ run: |
+ docker exec pki pkispawn \
+ -f /usr/share/pki/server/examples/installation/ca.cfg \
+ -s CA \
+ -D pki_ds_url=ldap://ds.example.com:3389 \
+ -D pki_ca_signing_key_algorithm=SHA384withRSA \
+ -D pki_ca_signing_signing_algorithm=SHA384withRSA \
+ -D pki_ocsp_signing_key_algorithm=SHA384withRSA \
+ -D pki_ocsp_signing_signing_algorithm=SHA384withRSA \
+ -D pki_audit_signing_key_algorithm=SHA384withRSA \
+ -D pki_audit_signing_signing_algorithm=SHA384withRSA \
+ -D pki_subsystem_key_algorithm=SHA384withRSA \
+ -D pki_subsystem_signing_algorithm=SHA384withRSA \
+ -D pki_sslserver_key_algorithm=SHA384withRSA \
+ -D pki_sslserver_signing_algorithm=SHA384withRSA \
+ -D pki_admin_key_algorithm=SHA384withRSA \
+ -D pki_cert_id_generator=random \
+ -D pki_request_id_generator=random \
+ -D pki_enable_access_log=False \
+ -v
+
+ - name: Check system certs keys
+ run: |
+ # all keys should be "rsa"
+ echo Secret.123 > password.txt
+ docker exec pki certutil -K -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt | tee output
+ echo "rsa" > expected
+
+ grep ca_signing output | sed -n 's/<.*>\s\(\S\+\)\s.*/\1/p' > actual
+ diff expected actual
+
+ grep ca_ocsp_signing output | sed -n 's/<.*>\s\(\S\+\)\s.*/\1/p' > actual
+ diff expected actual
+
+ grep ca_audit_signing output | sed -n 's/<.*>\s\(\S\+\)\s.*/\1/p' > actual
+ diff expected actual
+
+ grep subsystem output | sed -n 's/<.*>\s\(\S\+\)\s.*/\1/p' > actual
+ diff expected actual
+
+ grep sslserver output | sed -n 's/<.*>\s\(\S\+\)\s.*/\1/p' > actual
+ diff expected actual
+
+ - name: Check CA signing cert
+ run: |
+ # inspect cert with certutil
+ docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n ca_signing | tee output
+
+ # signing algorithm should be "PKCS #1 SHA-384 With RSA Encryption"
+ echo "PKCS #1 SHA-384 With RSA Encryption" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
+
+ # inspect cert with openssl
+ docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
+ docker exec pki openssl x509 -text -noout -in ca_signing.crt | tee output
+
+ # signing algorithm should be "sha384WithRSAEncryption"
+ echo "sha384WithRSAEncryption" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
+
+ - name: Check CA OCSP signing cert
+ run: |
+ # inspect cert with certutil
+ docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n ca_ocsp_signing | tee output
+
+ # signing algorithm should be "PKCS #1 SHA-384 With RSA Encryption"
+ echo "PKCS #1 SHA-384 With RSA Encryption" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
+
+ # inspect cert with openssl
+ docker exec pki pki-server cert-export ca_ocsp_signing --cert-file ca_ocsp_signing.crt
+ docker exec pki openssl x509 -text -noout -in ca_ocsp_signing.crt | tee output
+
+ # signing algorithm should be "sha384WithRSAEncryption"
+ echo "sha384WithRSAEncryption" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
+
+ - name: Check CA audit signing cert
+ run: |
+ # inspect cert with certutil
+ docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n ca_audit_signing | tee output
+
+ # signing algorithm should be "PKCS #1 SHA-384 With RSA Encryption"
+ echo "PKCS #1 SHA-384 With RSA Encryption" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
+
+ # inspect cert with openssl
+ docker exec pki pki-server cert-export ca_audit_signing --cert-file ca_audit_signing.crt
+ docker exec pki openssl x509 -text -noout -in ca_audit_signing.crt | tee output
+
+ # signing algorithm should be "sha384WithRSAEncryption"
+ echo "sha384WithRSAEncryption" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
+
+ - name: Check subsystem cert
+ run: |
+ # inspect cert with certutil
+ docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n subsystem | tee output
+
+ # signing algorithm should be "PKCS #1 SHA-384 With RSA Encryption"
+ echo "PKCS #1 SHA-384 With RSA Encryption" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
+
+ # inspect cert with openssl
+ docker exec pki pki-server cert-export subsystem --cert-file subsystem.crt
+ docker exec pki openssl x509 -text -noout -in subsystem.crt | tee output
+
+ # signing algorithm should be "sha384WithRSAEncryption"
+ echo "sha384WithRSAEncryption" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
+
+ - name: Check SSL server cert
+ run: |
+ # inspect cert with certutil
+ docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n sslserver | tee output
+
+ # signing algorithm should be "PKCS #1 SHA-384 With RSA Encryption"
+ echo "PKCS #1 SHA-384 With RSA Encryption" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
+
+ # inspect cert with openssl
+ docker exec pki pki-server cert-export sslserver --cert-file sslserver.crt
+ docker exec pki openssl x509 -text -noout -in sslserver.crt | tee output
+
+ # signing algorithm should be "sha384WithRSAEncryption"
+ echo "sha384WithRSAEncryption" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
+
+ - name: Run PKI healthcheck
+ run: docker exec pki pki-healthcheck --failures-only
+
+ - name: Check authenticating as CA admin user
+ run: |
+ docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
+ docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt
+ docker exec pki pki pkcs12-import \
+ --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
+ --pkcs12-password Secret.123
+ docker exec pki pki -n caadmin ca-user-show caadmin
+
+ - name: Check CA admin cert
+ run: |
+ # inspect cert with certutil
+ docker exec pki certutil -L -d /root/.dogtag/nssdb -n caadmin | tee output
+
+ # signing algorithm should be "PKCS #1 SHA-384 With RSA Encryption"
+ echo "PKCS #1 SHA-384 With RSA Encryption" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
+
+ # inspect cert with openssl
+ docker exec pki openssl x509 -text -noout -in /root/.dogtag/pki-tomcat/ca_admin.cert | tee output
+
+ # signing algorithm should be "sha384WithRSAEncryption"
+ echo "sha384WithRSAEncryption" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
+
+ - name: Check issuing SSL server cert
+ run: |
+ # issue cert
+ docker exec pki /usr/share/pki/tests/ca/bin/sslserver-create.sh
+
+ # inspect cert with certutil
+ docker exec pki certutil -L -d /root/.dogtag/nssdb -n sslserver | tee output
+
+ # signing algorithm should be "PKCS #1 SHA-384 With RSA Encryption"
+ echo "PKCS #1 SHA-384 With RSA Encryption" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
+
+ # inspect cert with openssl
+ docker exec pki openssl x509 -text -noout -in sslserver.crt | tee output
+
+ # signing algorithm should be "sha384WithRSAEncryption"
+ echo "sha384WithRSAEncryption" > expected
+ sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+ diff expected actual
+
+ - name: Gather artifacts
+ if: always()
+ run: |
+ tests/bin/ds-artifacts-save.sh --output=/tmp/artifacts/pki ds
+ tests/bin/pki-artifacts-save.sh pki
+ continue-on-error: true
+
+ - name: Remove CA
+ run: docker exec pki pkidestroy -i pki-tomcat -s CA -v
+
+ - name: Upload artifacts
+ if: always()
+ uses: actions/upload-artifact@v3
+ with:
+ name: ca-rsa
+ path: |
+ /tmp/artifacts/pki
diff --git a/.github/workflows/ca-tests.yml b/.github/workflows/ca-tests.yml
index ca14b4673c0..ca9c3c5c30c 100644
--- a/.github/workflows/ca-tests.yml
+++ b/.github/workflows/ca-tests.yml
@@ -28,6 +28,13 @@ jobs:
 with:
 db-image: ${{ needs.init.outputs.db-image }}
+ ca-rsa-test:
+ name: CA with RSA
+ needs: [init, build]
+ uses: ./.github/workflows/ca-rsa-test.yml
+ with:
+ db-image: ${{ needs.init.outputs.db-image }}
+
 ca-rsa-pss-test:
 name: CA with RSA/PSS
 needs: [init, build]
diff --git a/tests/ca/bin/sslserver-create.sh b/tests/ca/bin/sslserver-create.sh
new file mode 100755
index 00000000000..4a43febfdc8
--- /dev/null
+++ b/tests/ca/bin/sslserver-create.sh
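Review bot: The step name `Check system certs keys` in the new ca-rsa-test.yml differs from `Check system cert keys` used by ca-ecc-test.yml and ca-rsa-pss-test.yml in this same diff; rename it to `- name: Check system cert keys` so the three jobs read alike in the Actions UI. The `grep <nickname> output` checks in that step rely on each nickname matching exactly one `certutil -K` line, which holds for these five names but is an unstated assumption; a comment such as `# each nickname must match exactly one key line` makes it explicit. The new workflow also references actions by floating tag (`actions/checkout@v3`, `actions/cache@v3`, `actions/upload-artifact@v3`); where project policy allows, a new workflow file is the natural place to pin these to full commit SHAs (tag kept in a trailing comment), since a moved tag silently changes what runs against the cached build images.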
@@ -0,0 +1,25 @@
+#!/bin/bash -ex
+
+# https://github.com/dogtagpki/pki/wiki/Generating-SSL-Server-CSR-with-PKI-NSS
+# https://github.com/dogtagpki/pki/wiki/Issuing-SSL-Server-Certificate-with-PKI-CA
+
+# submit a cert request and capture the request ID
+pki nss-cert-request \
+ --subject "CN=$HOSTNAME" \
+ --ext /usr/share/pki/server/certs/sslserver.conf \
+ --csr sslserver.csr
+
+pki ca-cert-request-submit --profile caServerCert --csr-file sslserver.csr | tee /tmp/output
+
+sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" /tmp/output > /tmp/request_id
+REQUEST_ID=$(cat /tmp/request_id)
+
+# approve the cert request and capture the cert ID
+pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee /tmp/output
+
+sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" /tmp/output > /tmp/cert_id
+CERT_ID=$(cat /tmp/cert_id)
+
+pki ca-cert-export $CERT_ID --output-file sslserver.crt
+
+pki nss-cert-import sslserver --cert sslserver.crt
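Review bot: Neither ID captured from `/tmp/output` is validated before use: if `ca-cert-request-submit` or `ca-cert-request-approve` fails or prints no matching line, `REQUEST_ID`/`CERT_ID` are empty and the following `pki -n caadmin ca-cert-request-approve $REQUEST_ID --force` and `pki ca-cert-export $CERT_ID` run with the argument silently dropped, so the failure surfaces far from its cause. The `| tee /tmp/output` pipelines also hide a non-zero status from `-e`, so add `set -o pipefail` after the shebang, guard each capture with `: "${REQUEST_ID:?no Request ID in output}"` and `: "${CERT_ID:?no Certificate ID in output}"`, and quote the variables where they are expanded. The fixed `/tmp/output`, `/tmp/request_id` and `/tmp/cert_id` paths are predictable shared names; inside the throwaway test container this is harmless, but `mktemp` would make the script safe to reuse on a multi-user host.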