New legacy id generator #4875

wants to merge 15 commits into
base: master
531 changes: 531 additions & 0 deletions .github/workflows/ca-clone-sequential-test.yml


357 changes: 357 additions & 0 deletions .github/workflows/ca-sequential-test.yml
Expand Up @@ -1143,6 +1143,363 @@ jobs:

diff expected output

####################################################################################################
# Switch cert request ID generator to legacy2 and verify if serials
# have gaps when range is updated
#
# It should work like the legacy but with correct range.
- name: Switch to legacy2
run: |
docker exec pki pki-server stop
docker exec pki pki-server ca-id-generator-update --type request legacy2
docker exec pki pki-server ca-id-generator-update --type cert legacy2
docker exec pki pki-server start --wait


- name: Check request range config
run: |
tests/ca/bin/ca-request-range-config.sh pki | tee output
# request range should be the same
cat > expected << EOF
dbs.beginRequestNumber=31
dbs.endRequestNumber=40
dbs.requestCloneTransferNumber=5
dbs.requestIncrement=10
dbs.requestLowWaterMark=5
EOF

diff expected output

- name: Check cert range config
run: |
tests/ca/bin/ca-cert-range-config.sh pki | tee output

cat > expected << EOF
dbs.beginSerialNumber=0x37
dbs.endSerialNumber=0x54
dbs.serialCloneTransferNumber=0x9
dbs.serialIncrement=0x12
dbs.serialLowWaterMark=0x9
EOF

diff expected output

- name: Check the radix in for the new generator
run: |
docker exec pki pki-server ca-config-show dbs.request.id.radix | tee output
docker exec pki pki-server ca-config-show dbs.cert.id.radix | tee -a output

cat > expected <<EOF
10
16
EOF

diff expected output

- name: Check request repository
run: |
tests/ca/bin/ca-request-next-range.sh ds | tee output

# request nextRange should be incremented by 10 decimal to 41 decimal
cat > expected << EOF
nextRange: 51
EOF

diff expected output

- name: Check cert repository
run: |
tests/ca/bin/ca-cert-next-range.sh ds | tee output

cat > expected << EOF
nextRange: 85
EOF

diff expected output

- name: Check request range objects
run: |
tests/ca/bin/ca-request-range-objects.sh ds | tee output

# new request range should be 31 - 40 decimal (total: 10)
cat > expected << EOF
SecurePort: 8443
beginRange: 11
endRange: 20
host: pki.example.com

SecurePort: 8443
beginRange: 21
endRange: 30
host: pki.example.com

SecurePort: 8443
beginRange: 31
endRange: 40
host: pki.example.com

SecurePort: 8443
beginRange: 41
endRange: 50
host: pki.example.com

EOF

diff expected output

- name: Check cert range objects
run: |
tests/ca/bin/ca-cert-range-objects.sh ds | tee output

# new cert range should be the same but converted to decimal
# first range move from 19-36 (hex) to 25-54 (dec)
# second range move from 37-54 (hex) to 55-84 (dec)
cat > expected << EOF
SecurePort: 8443
beginRange: 25
endRange: 54
host: pki.example.com

SecurePort: 8443
beginRange: 55
endRange: 84
host: pki.example.com

EOF

diff expected output

####################################################################################################
# Enroll additional certs updating the range
#

- name: Enroll additional certs
run: |
# Enroll until request range exhausted
for i in $(seq 1 9); do
docker exec pki pki \
-n caadmin \
ca-cert-issue \
--profile caUserCert \
--csr-file testuser.csr \
--output-file testuser.crt

docker exec pki openssl x509 -in testuser.crt -serial -noout
done
docker exec pki pki -n caadmin ca-job-start serialNumberUpdate
# Enroll until request range exhausted
for i in $(seq 1 10); do
docker exec pki pki \
-n caadmin \
ca-cert-issue \
--profile caUserCert \
--csr-file testuser.csr \
--output-file testuser.crt

docker exec pki openssl x509 -in testuser.crt -serial -noout
done
docker exec pki pki -n caadmin ca-job-start serialNumberUpdate
# Enroll until request range exhausted
for i in $(seq 1 10); do
docker exec pki pki \
-n caadmin \
ca-cert-issue \
--profile caUserCert \
--csr-file testuser.csr \
--output-file testuser.crt

docker exec pki openssl x509 -in testuser.crt -serial -noout
done
docker exec pki pki -n caadmin ca-job-start serialNumberUpdate
# Enroll until request range exhausted
for i in $(seq 1 10); do
docker exec pki pki \
-n caadmin \
ca-cert-issue \
--profile caUserCert \
--csr-file testuser.csr \
--output-file testuser.crt

docker exec pki openssl x509 -in testuser.crt -serial -noout
done
docker exec pki pki -n caadmin ca-job-start serialNumberUpdate
# Enroll until request range exhausted
for i in $(seq 1 10); do
docker exec pki pki \
-n caadmin \
ca-cert-issue \
--profile caUserCert \
--csr-file testuser.csr \
--output-file testuser.crt

docker exec pki openssl x509 -in testuser.crt -serial -noout
done
docker exec pki pki -n caadmin ca-job-start serialNumberUpdate

- name: Check request range config
run: |
tests/ca/bin/ca-request-range-config.sh pki | tee output

cat > expected << EOF
dbs.beginRequestNumber=81
dbs.endRequestNumber=90
dbs.requestCloneTransferNumber=5
dbs.requestIncrement=10
dbs.requestLowWaterMark=5
EOF

diff expected output

- name: Check cert range config
run: |
tests/ca/bin/ca-cert-range-config.sh pki | tee output

cat > expected << EOF
dbs.beginSerialNumber=0x67
dbs.endSerialNumber=0x78
dbs.serialCloneTransferNumber=0x9
dbs.serialIncrement=0x12
dbs.serialLowWaterMark=0x9
EOF

diff expected output

- name: Check request repository
run: |
tests/ca/bin/ca-request-next-range.sh ds | tee output

cat > expected << EOF
nextRange: 101
EOF

diff expected output

- name: Check cert repository
run: |
tests/ca/bin/ca-cert-next-range.sh ds | tee output

cat > expected << EOF
nextRange: 121
EOF

diff expected output

- name: Check request range objects
run: |
tests/ca/bin/ca-request-range-objects.sh ds | tee output

cat > expected << EOF
SecurePort: 8443
beginRange: 11
endRange: 20
host: pki.example.com

SecurePort: 8443
beginRange: 21
endRange: 30
host: pki.example.com

SecurePort: 8443
beginRange: 31
endRange: 40
host: pki.example.com

SecurePort: 8443
beginRange: 41
endRange: 50
host: pki.example.com

SecurePort: 8443
beginRange: 51
endRange: 60
host: pki.example.com

SecurePort: 8443
beginRange: 61
endRange: 70
host: pki.example.com

SecurePort: 8443
beginRange: 71
endRange: 80
host: pki.example.com

SecurePort: 8443
beginRange: 81
endRange: 90
host: pki.example.com

SecurePort: 8443
beginRange: 91
endRange: 100
host: pki.example.com

EOF

diff expected output

- name: Check cert range objects
run: |
tests/ca/bin/ca-cert-range-objects.sh ds | tee output

cat > expected << EOF
SecurePort: 8443
beginRange: 25
endRange: 54
host: pki.example.com

SecurePort: 8443
beginRange: 55
endRange: 84
host: pki.example.com

SecurePort: 8443
beginRange: 85
endRange: 102
host: pki.example.com

SecurePort: 8443
beginRange: 103
endRange: 120
host: pki.example.com

EOF

diff expected output

####################################################################################################
# Checking request no gap should be present after switching to legacy2
#
- name: Check requests
run: |
docker exec pki pki-server ca-cert-request-find | tee output

sed -n "s/^ *Request ID: *\(.*\)$/\1/p" output > actual

# there should be 40 requests (30 existing + 10 new)
seq 1 89 > expected

diff expected actual

####################################################################################################
# Checking certs no gap should be present after switching to legacy2
# so the last gap is between 32 and 39
#
- name: Check certs
run: |
docker exec pki pki-server ca-cert-find | tee output

sed -n "s/^ *Serial Number: *\(.*\)$/\1/p" output > actual

# there should be 39 certs (29 existing + 10 new)
# but due to a bug the serial numbers have a gap

# seq 1 39 | while read n; do printf "0x%x\n" $n; done > expected
seq 9 42 | while read n; do printf "0x%x\n" $n; done > expected
seq 55 108 | while read n; do printf "0x%x\n" $n; done >> expected

diff expected actual

####################################################################################################
# Enroll a cert with RSNv3
#
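Review bot: Several comments in the new steps contradict the values they sit beside, so a reader cannot tell which one the test actually enforces: in "Check request repository" the comment says nextRange should be "incremented by 10 decimal to 41 decimal" while the expected file says `nextRange: 51`; in "Check request range objects" the comment says "new request range should be 31 - 40 decimal (total: 10)" while the expected block lists four ranges from 11 to 50; in "Check requests" the comment says "there should be 40 requests" while the step generates `seq 1 89`; and in "Check certs" the comment says "there should be 39 certs" while the expected serials are 9-42 and 55-108. Since these steps are the reference for what the legacy2 generator is supposed to do to the ranges, each of those comments should restate the number the step asserts (or be dropped), rather than describing an earlier draft. The "Check certs" step also bakes a known defect into CI, with the intended `seq 1 39` line commented out and only `# but due to a bug the serial numbers have a gap` to explain it; that line should name the tracking issue, e.g. `# TODO(<issue-id>): restore "seq 1 39" once the serial gap is fixed`, so the assertion is tightened when the bug is closed instead of silently protecting it. Minor: the two `while read n; do printf "0x%x\n" $n; done` loops should use `read -r` and `"$n"`, and the five near-identical enroll loops in "Enroll additional certs" would be easier to keep in sync as one outer loop over the `seq` counts. The enclosing `jobs:` block starts and ends outside the hunk.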