From cd30548016cdd32486c130661276d8d394e071cf Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Tue, 8 Oct 2024 10:00:40 -0500 Subject: [PATCH] Add test for sequential serial number gaps The test for CA with sequential serial numbers has been updated to perform additional enrollments and check the request IDs and cert serial numbers. Ideally the numbers should be contiguous, but currently the cert serial numbers sometimes have gaps. This issue will be fixed separately later. --- .github/workflows/ca-sequential-test.yml | 841 ++++++++++++++++++++--- 1 file changed, 759 insertions(+), 82 deletions(-) diff --git a/.github/workflows/ca-sequential-test.yml b/.github/workflows/ca-sequential-test.yml index 985ce44a2d3..33e51ebece2 100644 --- a/.github/workflows/ca-sequential-test.yml +++ b/.github/workflows/ca-sequential-test.yml @@ -85,20 +85,22 @@ jobs: run: | docker exec pki pki-server ca-cert-request-find | tee output - grep "Request ID:" output | wc -l > actual + sed -n "s/^ *Request ID: *\(.*\)$/\1/p" output > actual # there should be 6 requests - echo "6" > expected + seq 1 6 > expected + diff expected actual - name: Check certs run: | docker exec pki pki-server ca-cert-find | tee output - grep "Serial Number:" output | wc -l > actual + sed -n "s/^ *Serial Number: *\(.*\)$/\1/p" output > actual # there should be 6 certs - echo "6" > expected + seq 1 6 | while read n; do printf "0x%x\n" $n; done > expected + diff expected actual - name: Check request range config 
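Review bot: The expected-serial generator `seq 1 6 | while read n; do printf "0x%x\n" $n; done > expected` in the new Check certs step can be a single command, since printf reuses its format for every argument: `printf '0x%x\n' $(seq 1 6) > expected`; if the loop is kept, it should use `read -r` and quote `"$n"`. The same construct recurs in the Check certs steps of @@ -436, @@ -618 and @@ -954 and in the new steps of @@ -1164, so one shared shape would keep them consistent. The sed extraction patterns are written in double quotes even though they contain `$` and backslashes; single quotes, `sed -n 's/^ *Request ID: *\(.*\)$/\1/p' output > actual`, rule out accidental expansion and match the form the same patch already uses for the `dn:` extraction in the ldapsearch loops.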
@@ -436,20 +438,22 @@ jobs: run: | docker exec pki pki-server ca-cert-request-find | tee output - grep "Request ID:" output | wc -l > actual + sed -n "s/^ *Request ID: *\(.*\)$/\1/p" output > actual # there should be 16 requests - echo "16" > expected + seq 1 16 > expected + diff expected actual - name: Check certs run: | docker exec pki pki-server ca-cert-find | tee output - grep "Serial Number:" output | wc -l > actual + sed -n "s/^ *Serial Number: *\(.*\)$/\1/p" output > actual # there should be 16 certs - echo "16" > expected + seq 1 16 | while read n; do printf "0x%x\n" $n; done > expected + diff expected actual - name: Check request range config @@ -590,13 +594,13 @@ jobs: diff /dev/null output #################################################################################################### - # Enroll a cert when range is exhausted + # Enroll a cert when cert range is exhausted # # This will create one request but fails to create another cert. # For some reason requests can switch to a new range automatically, # but certs cannot. - - name: Enroll a cert when range is exhausted + - name: Enroll a cert when cert range is exhausted run: | docker exec pki pki \ -n caadmin \ @@ -618,20 +622,22 @@ jobs: run: | docker exec pki pki-server ca-cert-request-find | tee output - grep "Request ID:" output | wc -l > actual + sed -n "s/^ *Request ID: *\(.*\)$/\1/p" output > actual # there should be 17 requests - echo "17" > expected + seq 1 17 > expected + diff expected actual - name: Check certs run: | docker exec pki pki-server ca-cert-find | tee output - grep "Serial Number:" output | wc -l > actual + sed -n "s/^ *Serial Number: *\(.*\)$/\1/p" output > actual # there should be 16 certs - echo "16" > expected + seq 1 16 | while read n; do printf "0x%x\n" $n; done > expected + diff expected actual - name: Check request range config 
@@ -792,7 +798,7 @@ jobs: -e dbs.requestLowWaterMark \ | tee actual - # request range should be 11 - 20 decimal (total: 10, remaining: 3) + # request range should be the same cat > expected << EOF dbs.beginRequestNumber=11 dbs.endRequestNumber=20 @@ -814,7 +820,7 @@ jobs: -e dbs.serialLowWaterMark \ | tee actual - # cert range should be 1 - 10 hex (total: 16, remaining: 0) + # cert range should be the same cat > expected << EOF dbs.beginSerialNumber=1 dbs.endSerialNumber=10 
@@ -954,41 +960,44 @@ jobs: diff expected actual #################################################################################################### - # Enroll a cert after updating serial numbers + # Enroll 13 additional certs # - # This should create one request and one cert. For certs, - # it should switch to a new range. For requests, there - # should be no changes. + # This will create 13 requests and 13 certs. Both requests and certs + # will switch to the new ranges allocated earlier. - - name: Enroll a cert after updating serial numbers + - name: Enroll 13 additional certs run: | - docker exec pki pki \ - -n caadmin \ - ca-cert-issue \ - --profile caUserCert \ - --csr-file testuser.csr \ - --output-file testuser.crt + for i in $(seq 1 13); do + docker exec pki pki \ + -n caadmin \ + ca-cert-issue \ + --profile caUserCert \ + --csr-file testuser.csr \ + --output-file testuser.crt - docker exec pki openssl x509 -in testuser.crt -text -noout + docker exec pki openssl x509 -in testuser.crt -serial -noout + done - name: Check requests run: | docker exec pki pki-server ca-cert-request-find | tee output - grep "Request ID:" output | wc -l > actual + sed -n "s/^ *Request ID: *\(.*\)$/\1/p" output > actual + + # there should be 30 requests (17 existing + 13 new) + seq 1 30 > expected - # there should be 18 requests - echo "18" > expected diff expected actual - name: Check certs run: | docker exec pki pki-server ca-cert-find | tee output - grep "Serial Number:" output | wc -l > actual + sed -n "s/^ *Serial Number: *\(.*\)$/\1/p" output > actual + + # there should be 29 certs (16 existing + 13 new) + seq 1 29 | while read n; do printf "0x%x\n" $n; done > expected - # there should be 17 certs - echo "17" > expected diff expected actual - name: Check request range config 
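Review bot: `for i in $(seq 1 13); do` in the new "Enroll 13 additional certs" step forks a process for a literal range and never reads `i`; assuming the step runs under the default bash shell, `for _ in {1..13}; do` expresses the same loop without the subprocess. The same loop shape appears again in "Enroll 10 additional certs" in @@ -1164. The per-iteration `openssl x509 -serial -noout` output is only printed, which is fine here because the following Check certs step pins the full serial list, but a short comment such as `# serial printed for the log only; the list is verified in the next step` would make that intent explicit.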
@@ -1002,10 +1011,10 @@ jobs: -e dbs.requestLowWaterMark \ | tee actual - # request range should be 11 - 20 decimal (total: 10, remaining: 2) + # request range should be 21 - 30 decimal (total: 10, remaining: 0) cat > expected << EOF - dbs.beginRequestNumber=11 - dbs.endRequestNumber=20 + dbs.beginRequestNumber=21 + dbs.endRequestNumber=30 dbs.requestCloneTransferNumber=5 dbs.requestIncrement=10 dbs.requestLowWaterMark=5 @@ -1024,7 +1033,7 @@ jobs: -e dbs.serialLowWaterMark \ | tee actual - # cert range should be 11 - 20 hex (total: 16, remaining: 15) + # cert range should be 11 - 20 hex (total: 16, remaining: 3) cat > expected << EOF dbs.beginSerialNumber=11 dbs.endSerialNumber=20 
@@ -1164,75 +1173,743 @@ jobs: diff expected actual #################################################################################################### - # Enroll a cert with RSNv3 + # Enroll a cert when request range is exhausted # - # This should create a request and a cert. The cert - # should be issued with a non-sequential serial number. - - - name: Switch to RSNv3 - run: | - # switch cert request ID generator to RSNv3 - docker exec pki pki-server ca-config-unset dbs.beginRequestNumber - docker exec pki pki-server ca-config-unset dbs.endRequestNumber - docker exec pki pki-server ca-config-unset dbs.requestIncrement - docker exec pki pki-server ca-config-unset dbs.requestLowWaterMark - docker exec pki pki-server ca-config-unset dbs.requestCloneTransferNumber - docker exec pki pki-server ca-config-unset dbs.requestRangeDN - - docker exec pki pki-server ca-config-set dbs.request.id.generator random - - # switch cert ID generator to RSNv3 - docker exec pki pki-server ca-config-unset dbs.beginSerialNumber - docker exec pki pki-server ca-config-unset dbs.endSerialNumber - docker exec pki pki-server ca-config-unset dbs.serialIncrement - docker exec pki pki-server ca-config-unset dbs.serialLowWaterMark - docker exec pki pki-server ca-config-unset dbs.serialCloneTransferNumber - docker exec pki pki-server ca-config-unset dbs.serialRangeDN - - docker exec pki pki-server ca-config-set dbs.cert.id.generator random - - # restart CA subsystem - docker exec pki pki-server ca-redeploy --wait + # This will fail to create a request so no cert will be created either. 
- - name: Enroll a cert with RSNv3 + - name: Enroll a cert when request range is exhausted run: | docker exec pki pki \ -n caadmin \ ca-cert-issue \ --profile caUserCert \ --csr-file testuser.csr \ - --output-file testuser.crt - - docker exec pki openssl x509 -in testuser.crt -serial -noout | tee output - - # serial number should not be 12 hex (18 decimal) - echo "serial=12" >> expected + --output-file testuser.crt \ + > >(tee stdout) 2> >(tee stderr >&2) || true - rc=0 - diff expected output || rc=$? + cat > expected << EOF + PKIException: Unable to create enrollment request: Unable to create enrollment request: All serial numbers are used. The max serial number is 0x31 + EOF - [ $rc -ne 0 ] + diff expected stderr - name: Check requests run: | docker exec pki pki-server ca-cert-request-find | tee output - grep "Request ID:" output | wc -l > actual + sed -n "s/^ *Request ID: *\(.*\)$/\1/p" output > actual + + # requests should be the same + seq 1 30 > expected - # there should be 19 requests - echo "19" > expected diff expected actual - name: Check certs run: | docker exec pki pki-server ca-cert-find | tee output - grep "Serial Number:" output | wc -l > actual + sed -n "s/^ *Serial Number: *\(.*\)$/\1/p" output > actual + + # certs should be the same + seq 1 29 | while read n; do printf "0x%x\n" $n; done > expected + + diff expected actual + + - name: Check request range config + run: | + docker exec pki pki-server ca-config-find \ + | grep \ + -e dbs.beginRequestNumber \ + -e dbs.endRequestNumber \ + -e dbs.requestCloneTransferNumber \ + -e dbs.requestIncrement \ + -e dbs.requestLowWaterMark \ + | tee actual + + # request range should be the same + cat > expected << EOF + dbs.beginRequestNumber=21 + dbs.endRequestNumber=30 + dbs.requestCloneTransferNumber=5 + dbs.requestIncrement=10 + dbs.requestLowWaterMark=5 + EOF + + diff expected actual + + - name: Check cert range config + run: | + docker exec pki pki-server ca-config-find \ + | grep \ + -e 
dbs.beginSerialNumber \ + -e dbs.endSerialNumber \ + -e dbs.serialCloneTransferNumber \ + -e dbs.serialIncrement \ + -e dbs.serialLowWaterMark \ + | tee actual + + # cert range should be the same + cat > expected << EOF + dbs.beginSerialNumber=11 + dbs.endSerialNumber=20 + dbs.serialCloneTransferNumber=8 + dbs.serialIncrement=10 + dbs.serialLowWaterMark=8 + EOF + + diff expected actual + + - name: Check request repository + run: | + docker exec ds ldapsearch \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -b ou=ca,ou=requests,dc=ca,dc=pki,dc=example,dc=com \ + -s base \ + -o ldif_wrap=no \ + -LLL | tee output + + grep \ + -e serialno: \ + -e nextRange: \ + output \ + | sort > actual + + # request nextRange should be the same + cat > expected << EOF + nextRange: 31 + serialno: 010 + EOF + + diff expected actual + + - name: Check cert repository + run: | + docker exec ds ldapsearch \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -b ou=certificateRepository,ou=ca,dc=ca,dc=pki,dc=example,dc=com \ + -s base \ + -o ldif_wrap=no \ + -LLL | tee output + + grep \ + -e serialno: \ + -e nextRange: \ + output \ + | sort > actual + + # cert nextRange should be the same + cat > expected << EOF + nextRange: 27 + serialno: 011 + EOF + + diff expected actual + + - name: Check request range objects + run: | + docker exec ds ldapsearch \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -b ou=requests,ou=ranges,dc=ca,dc=pki,dc=example,dc=com \ + -s one \ + -o ldif_wrap=no \ + -LLL | tee output + + rm -f actual + + for DN in $(sed -n 's/^dn: *\(.*\)$/\1/p' output) + do + docker exec ds ldapsearch \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -b $DN \ + -s base \ + -o ldif_wrap=no \ + -LLL \ + | grep \ + -e SecurePort: \ + -e beginRange: \ + -e endRange: \ + -e host: \ + | sort >> actual + + echo >> actual + done + + # request range 
objects should be the same + cat > expected << EOF + SecurePort: 8443 + beginRange: 11 + endRange: 20 + host: pki.example.com + + SecurePort: 8443 + beginRange: 21 + endRange: 30 + host: pki.example.com + + EOF + + diff expected actual + + - name: Check cert range objects + run: | + docker exec ds ldapsearch \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -b ou=certificateRepository,ou=ranges,dc=ca,dc=pki,dc=example,dc=com \ + -s one \ + -o ldif_wrap=no \ + -LLL | tee output + + grep \ + -e SecurePort: \ + -e beginRange: \ + -e endRange: \ + -e host: \ + output \ + | sort > actual + + # cert range objects should be the same + cat > expected << EOF + SecurePort: 8443 + beginRange: 11 + endRange: 26 + host: pki.example.com + EOF - # there should be 18 certs - echo "18" > expected diff expected actual + #################################################################################################### + # Update serial numbers again + # + # This will allocate new ranges for requests and certs since + # the remaining numbers in their ranges are below the minimum. 
+ + - name: Update serial numbers again + run: | + docker exec pki pki -n caadmin ca-job-start serialNumberUpdate + + - name: Check request range config + run: | + docker exec pki pki-server ca-config-find \ + | grep \ + -e dbs.beginRequestNumber \ + -e dbs.endRequestNumber \ + -e dbs.requestCloneTransferNumber \ + -e dbs.requestIncrement \ + -e dbs.requestLowWaterMark \ + | tee actual + + # request range should be the same + cat > expected << EOF + dbs.beginRequestNumber=21 + dbs.endRequestNumber=30 + dbs.requestCloneTransferNumber=5 + dbs.requestIncrement=10 + dbs.requestLowWaterMark=5 + EOF + + diff expected actual + + - name: Check cert range config + run: | + docker exec pki pki-server ca-config-find \ + | grep \ + -e dbs.beginSerialNumber \ + -e dbs.endSerialNumber \ + -e dbs.serialCloneTransferNumber \ + -e dbs.serialIncrement \ + -e dbs.serialLowWaterMark \ + | tee actual + + # cert range should be the same + cat > expected << EOF + dbs.beginSerialNumber=11 + dbs.endSerialNumber=20 + dbs.serialCloneTransferNumber=8 + dbs.serialIncrement=10 + dbs.serialLowWaterMark=8 + EOF + + diff expected actual + + - name: Check request repository + run: | + docker exec ds ldapsearch \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -b ou=ca,ou=requests,dc=ca,dc=pki,dc=example,dc=com \ + -s base \ + -o ldif_wrap=no \ + -LLL | tee output + + grep \ + -e serialno: \ + -e nextRange: \ + output \ + | sort > actual + + # request nextRange should be incremented by 10 decimal to 41 decimal + cat > expected << EOF + nextRange: 41 + serialno: 010 + EOF + + diff expected actual + + - name: Check cert repository + run: | + docker exec ds ldapsearch \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -b ou=certificateRepository,ou=ca,dc=ca,dc=pki,dc=example,dc=com \ + -s base \ + -o ldif_wrap=no \ + -LLL | tee output + + grep \ + -e serialno: \ + -e nextRange: \ + output \ + | sort > actual + + # cert nextRange 
should be incremented by 10 hex (16 decimal) to 43 decimal + cat > expected << EOF + nextRange: 43 + serialno: 011 + EOF + + diff expected actual + + - name: Check request range objects + run: | + docker exec ds ldapsearch \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -b ou=requests,ou=ranges,dc=ca,dc=pki,dc=example,dc=com \ + -s one \ + -o ldif_wrap=no \ + -LLL | tee output + + rm -f actual + + for DN in $(sed -n 's/^dn: *\(.*\)$/\1/p' output) + do + docker exec ds ldapsearch \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -b $DN \ + -s base \ + -o ldif_wrap=no \ + -LLL \ + | grep \ + -e SecurePort: \ + -e beginRange: \ + -e endRange: \ + -e host: \ + | sort >> actual + + echo >> actual + done + + # new request range should be 31 - 40 decimal (total: 10) + cat > expected << EOF + SecurePort: 8443 + beginRange: 11 + endRange: 20 + host: pki.example.com + + SecurePort: 8443 + beginRange: 21 + endRange: 30 + host: pki.example.com + + SecurePort: 8443 + beginRange: 31 + endRange: 40 + host: pki.example.com + + EOF + + diff expected actual + + - name: Check cert range objects + run: | + docker exec ds ldapsearch \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -b ou=certificateRepository,ou=ranges,dc=ca,dc=pki,dc=example,dc=com \ + -s one \ + -o ldif_wrap=no \ + -LLL | tee output + + rm -f actual + + for DN in $(sed -n 's/^dn: *\(.*\)$/\1/p' output) + do + docker exec ds ldapsearch \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -b $DN \ + -s base \ + -o ldif_wrap=no \ + -LLL \ + | grep \ + -e SecurePort: \ + -e beginRange: \ + -e endRange: \ + -e host: \ + | sort >> actual + + echo >> actual + done + + # new cert range should be 27 - 42 decimal (total: 16) + cat > expected << EOF + SecurePort: 8443 + beginRange: 11 + endRange: 26 + host: pki.example.com + + SecurePort: 8443 + beginRange: 27 + endRange: 42 + host: 
pki.example.com + + EOF + + diff expected actual + + #################################################################################################### + # Enroll 10 additional certs + # + # This will create 10 requests and 10 certs. + # Both requests and certs will switch to new ranges. + + - name: Enroll 10 additional certs + run: | + for i in $(seq 1 10); do + docker exec pki pki \ + -n caadmin \ + ca-cert-issue \ + --profile caUserCert \ + --csr-file testuser.csr \ + --output-file testuser.crt + + docker exec pki openssl x509 -in testuser.crt -serial -noout + done + + - name: Check requests + run: | + docker exec pki pki-server ca-cert-request-find | tee output + + sed -n "s/^ *Request ID: *\(.*\)$/\1/p" output > actual + + # there should be 40 requests (30 existing + 10 new) + seq 1 40 > expected + + diff expected actual + + - name: Check certs + run: | + docker exec pki pki-server ca-cert-find | tee output + + sed -n "s/^ *Serial Number: *\(.*\)$/\1/p" output > actual + + # there should be 39 certs (29 existing + 10 new) + # but due to a bug the serial numbers have a gap + + # seq 1 39 | while read n; do printf "0x%x\n" $n; done > expected + seq 1 32 | while read n; do printf "0x%x\n" $n; done > expected + seq 39 45 | while read n; do printf "0x%x\n" $n; done >> expected + + diff expected actual + + - name: Check request range config + run: | + docker exec pki pki-server ca-config-find \ + | grep \ + -e dbs.beginRequestNumber \ + -e dbs.endRequestNumber \ + -e dbs.requestCloneTransferNumber \ + -e dbs.requestIncrement \ + -e dbs.requestLowWaterMark \ + | tee actual + + # request range should be 31 - 40 decimal (total: 10, remaining: 0) + cat > expected << EOF + dbs.beginRequestNumber=31 + dbs.endRequestNumber=40 + dbs.requestCloneTransferNumber=5 + dbs.requestIncrement=10 + dbs.requestLowWaterMark=5 + EOF + + diff expected actual + + - name: Check cert range config + run: | + docker exec pki pki-server ca-config-find \ + | grep \ + -e dbs.beginSerialNumber 
\ + -e dbs.endSerialNumber \ + -e dbs.serialCloneTransferNumber \ + -e dbs.serialIncrement \ + -e dbs.serialLowWaterMark \ + | tee actual + + # cert range should be 21 - 30 hex (total: 16, remaining: 0) + cat > expected << EOF + dbs.beginSerialNumber=27 + dbs.endSerialNumber=36 + dbs.serialCloneTransferNumber=8 + dbs.serialIncrement=10 + dbs.serialLowWaterMark=8 + EOF + + diff expected actual + + - name: Check request repository + run: | + docker exec ds ldapsearch \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -b ou=ca,ou=requests,dc=ca,dc=pki,dc=example,dc=com \ + -s base \ + -o ldif_wrap=no \ + -LLL | tee output + + grep \ + -e serialno: \ + -e nextRange: \ + output \ + | sort > actual + + # request nextRange should be the same + cat > expected << EOF + nextRange: 41 + serialno: 010 + EOF + + diff expected actual + + - name: Check cert repository + run: | + docker exec ds ldapsearch \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -b ou=certificateRepository,ou=ca,dc=ca,dc=pki,dc=example,dc=com \ + -s base \ + -o ldif_wrap=no \ + -LLL | tee output + + grep \ + -e serialno: \ + -e nextRange: \ + output \ + | sort > actual + + # cert nextRange should be the same + cat > expected << EOF + nextRange: 43 + serialno: 011 + EOF + + diff expected actual + + - name: Check request range objects + run: | + docker exec ds ldapsearch \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -b ou=requests,ou=ranges,dc=ca,dc=pki,dc=example,dc=com \ + -s one \ + -o ldif_wrap=no \ + -LLL | tee output + + rm -f actual + + for DN in $(sed -n 's/^dn: *\(.*\)$/\1/p' output) + do + docker exec ds ldapsearch \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -b $DN \ + -s base \ + -o ldif_wrap=no \ + -LLL \ + | grep \ + -e SecurePort: \ + -e beginRange: \ + -e endRange: \ + -e host: \ + | sort >> actual + + echo >> actual + done + + # request 
range objects should be the same + cat > expected << EOF + SecurePort: 8443 + beginRange: 11 + endRange: 20 + host: pki.example.com + + SecurePort: 8443 + beginRange: 21 + endRange: 30 + host: pki.example.com + + SecurePort: 8443 + beginRange: 31 + endRange: 40 + host: pki.example.com + + EOF + + diff expected actual + + - name: Check cert range objects + run: | + docker exec ds ldapsearch \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -b ou=certificateRepository,ou=ranges,dc=ca,dc=pki,dc=example,dc=com \ + -s one \ + -o ldif_wrap=no \ + -LLL | tee output + + rm -f actual + + for DN in $(sed -n 's/^dn: *\(.*\)$/\1/p' output) + do + docker exec ds ldapsearch \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -b $DN \ + -s base \ + -o ldif_wrap=no \ + -LLL \ + | grep \ + -e SecurePort: \ + -e beginRange: \ + -e endRange: \ + -e host: \ + | sort >> actual + + echo >> actual + done + + # cert range should be the same + cat > expected << EOF + SecurePort: 8443 + beginRange: 11 + endRange: 26 + host: pki.example.com + + SecurePort: 8443 + beginRange: 27 + endRange: 42 + host: pki.example.com + + EOF + + diff expected actual + + #################################################################################################### + # Enroll a cert with RSNv3 + # + # This should create a request and a cert. The cert + # should be issued with a non-sequential serial number. 
+ + - name: Switch to RSNv3 + run: | + # switch cert request ID generator to RSNv3 + docker exec pki pki-server ca-config-unset dbs.beginRequestNumber + docker exec pki pki-server ca-config-unset dbs.endRequestNumber + docker exec pki pki-server ca-config-unset dbs.requestIncrement + docker exec pki pki-server ca-config-unset dbs.requestLowWaterMark + docker exec pki pki-server ca-config-unset dbs.requestCloneTransferNumber + docker exec pki pki-server ca-config-unset dbs.requestRangeDN + + docker exec pki pki-server ca-config-set dbs.request.id.generator random + + # switch cert ID generator to RSNv3 + docker exec pki pki-server ca-config-unset dbs.beginSerialNumber + docker exec pki pki-server ca-config-unset dbs.endSerialNumber + docker exec pki pki-server ca-config-unset dbs.serialIncrement + docker exec pki pki-server ca-config-unset dbs.serialLowWaterMark + docker exec pki pki-server ca-config-unset dbs.serialCloneTransferNumber + docker exec pki pki-server ca-config-unset dbs.serialRangeDN + + docker exec pki pki-server ca-config-set dbs.cert.id.generator random + + # restart CA subsystem + docker exec pki pki-server ca-redeploy --wait + + - name: Enroll a cert with RSNv3 + run: | + docker exec pki pki \ + -n caadmin \ + ca-cert-issue \ + --profile caUserCert \ + --csr-file testuser.csr \ + --output-file testuser.crt + + docker exec pki openssl x509 -in testuser.crt -serial -noout + + - name: Check requests + run: | + docker exec pki pki-server ca-cert-request-find | tee output + sed -n "s/^ *Request ID: *\(.*\)$/\1/p" output > list + + # there should be 40 requests with sequential request ID + seq 1 40 > expected + head -n 40 list > actual + diff expected actual + + # there should be one request with random request ID (longer than 2 chars) + REQUEST_ID=$(tail -n 1 list) + [ ${#REQUEST_ID} -gt 2 ] + + - name: Check certs + run: | + docker exec pki pki-server ca-cert-find | tee output + sed -n "s/^ *Serial Number: *\(.*\)$/\1/p" output > list + + # there 
should be 39 certs with sequential serial numbers + # but due to a bug the serial numbers have a gap + + # seq 1 39 | while read n; do printf "0x%x\n" $n; done > expected + seq 1 32 | while read n; do printf "0x%x\n" $n; done > expected + seq 39 45 | while read n; do printf "0x%x\n" $n; done >> expected + head -n 39 list > actual + diff expected actual + + # there should be one cert with random serial number (longer than 4 chars) + SERIAL_NUMBER=$(tail -n 1 list) + [ ${#SERIAL_NUMBER} -gt 4 ] + #################################################################################################### # Cleanup
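Review bot: In "Enroll a cert when request range is exhausted" the redirections `> >(tee stdout) 2> >(tee stderr >&2)` start tee asynchronously and the shell does not wait for process substitutions, so `diff expected stderr` can run before tee has finished writing the file and the step can fail or pass spuriously; capture to plain files instead, `--output-file testuser.crt > stdout 2> stderr || true`, followed by `cat stdout; cat stderr >&2` before the diff. The "Check request range objects" steps iterate with `for DN in $(sed -n 's/^dn: *\(.*\)$/\1/p' output)` and pass `-b $DN` unquoted, which word-splits any DN containing a space; `while IFS= read -r DN; do ... -b "$DN" ...; done < <(sed -n 's/^dn: *\(.*\)$/\1/p' output)` avoids that, and because a one-level LDAP search does not guarantee entry order, the expected 11-20 / 21-30 / 31-40 sequence may flake unless the DN list is sorted first (the first "Check cert range objects" step sidesteps this by sorting all attributes together, so the two steps are also inconsistent with each other). In the "Check cert range config" step after "Enroll 10 additional certs", the comment `# cert range should be 21 - 30 hex (total: 16, remaining: 0)` does not match the expected `dbs.beginSerialNumber=27` / `dbs.endSerialNumber=36`; it looks like the decimal range 27-42 recorded in the range object was written into the config as hex (0x27 is 39, exactly where the serial list resumes after the gap), so the comment should state the values actually expected and point at the known gap noted in Check certs. The final RSNv3 "Check requests"/"Check certs" steps take `head -n 40`/`tail -n 1` of the list without asserting the total count, so an extra or missing entry would go unnoticed; a `[ "$(wc -l < list)" -eq 41 ]` (and 40 for certs) guard would close that.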