
Commit a064ebe

committed
Add test for KRA with ECC
A new test has been added to validate installing KRA with ECC certs (except for the storage and transport certs, which stay RSA) and then archiving ECC keys using CRMFPopClient and pki client-cert-request.
1 parent 7f48f40 commit a064ebe


3 files changed

+449
-0
lines changed


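--- a/.github/workflows/kra-ecc-test.yml
+++ b/.github/workflows/kra-ecc-test.yml
@@ -0,0 +1,394 @@
+name: KRA with ECC
+# docs/installation/kra/Installing_KRA_with_ECC.md
+
+on: workflow_call
+
+env:
+  DB_IMAGE: ${{ vars.DB_IMAGE || 'quay.io/389ds/dirsrv' }}
+
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    env:
+      SHARED: /tmp/workdir/pki
+    steps:
+      - name: Clone repository
+        uses: actions/checkout@v3
+
+      - name: Retrieve PKI images
+        uses: actions/cache@v3
+        with:
+          key: pki-images-${{ github.sha }}
+          path: pki-images.tar
+
+      - name: Load PKI images
+        run: docker load --input pki-images.tar
+
+      - name: Create network
+        run: docker network create example
+
+      - name: Set up DS container
+        run: |
+          tests/bin/ds-container-create.sh ds
+        env:
+          IMAGE: ${{ env.DB_IMAGE }}
+          HOSTNAME: ds.example.com
+          PASSWORD: Secret.123
+
+      - name: Connect DS container to network
+        run: docker network connect example ds --alias ds.example.com
+
+      - name: Set up PKI container
+        run: |
+          tests/bin/runner-init.sh pki
+        env:
+          HOSTNAME: pki.example.com
+
+      - name: Connect PKI container to network
+        run: docker network connect example pki --alias pki.example.com
+
+      - name: Install CA
+        run: |
+          docker exec pki pkispawn \
+              -f /usr/share/pki/server/examples/installation/ca-ecc.cfg \
+              -s CA \
+              -D pki_ds_url=ldap://ds.example.com:3389 \
+              -v
+
+      - name: Install KRA
+        run: |
+          docker exec pki pkispawn \
+              -f /usr/share/pki/server/examples/installation/kra-ecc.cfg \
+              -s KRA \
+              -D pki_ds_url=ldap://ds.example.com:3389 \
+              -v
+
+      - name: Check KRA storage cert
+        run: |
+          docker exec pki openssl req -text -noout \
+              -in /etc/pki/pki-tomcat/certs/kra_storage.csr
+
+          docker exec pki pki-server cert-export kra_storage \
+              --cert-file kra_storage.crt
+          docker exec pki openssl x509 -text -noout -in kra_storage.crt | tee output
+
+          # public key algorithm should be "rsaEncryption"
+          echo "rsaEncryption" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Public Key Algorithm:\s*\(.*\)$/\1/p" output > actual
+          diff expected actual
+
+          # signing algorithm should be "ecdsa-with-SHA512"
+          echo "ecdsa-with-SHA512" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+          diff expected actual
+
+          # default signing algorithm should not exist
+          echo "ERROR: No such parameter: kra.storage.defaultSigningAlgorithm" > expected
+          docker exec pki pki-server kra-config-show kra.storage.defaultSigningAlgorithm \
+              > >(tee stdout) 2> >(tee stderr >&2) || true
+          diff expected stderr
+
+      - name: Check KRA transport cert
+        run: |
+          docker exec pki openssl req -text -noout \
+              -in /etc/pki/pki-tomcat/certs/kra_transport.csr
+
+          docker exec pki pki-server cert-export kra_transport \
+              --cert-file kra_transport.crt
+          docker exec pki openssl x509 -text -noout -in kra_transport.crt | tee output
+
+          # public key algorithm should be "rsaEncryption"
+          echo "rsaEncryption" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Public Key Algorithm:\s*\(.*\)$/\1/p" output > actual
+          diff expected actual
+
+          # signing algorithm should be "ecdsa-with-SHA512"
+          echo "ecdsa-with-SHA512" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+          diff expected actual
+
+          # default signing algorithm should not exist
+          echo "ERROR: No such parameter: kra.transport.defaultSigningAlgorithm" > expected
+          docker exec pki pki-server kra-config-show kra.transport.defaultSigningAlgorithm \
+              > >(tee stdout) 2> >(tee stderr >&2) || true
+          diff expected stderr
+
+      - name: Check KRA audit signing cert
+        run: |
+          docker exec pki openssl req -text -noout \
+              -in /etc/pki/pki-tomcat/certs/kra_audit_signing.csr
+
+          docker exec pki pki-server cert-export kra_audit_signing \
+              --cert-file kra_audit_signing.crt
+          docker exec pki openssl x509 -text -noout -in kra_audit_signing.crt | tee output
+
+          # public key algorithm should be "id-ecPublicKey"
+          echo "id-ecPublicKey" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Public Key Algorithm:\s*\(.*\)$/\1/p" output > actual
+          diff expected actual
+
+          # signing algorithm should be "ecdsa-with-SHA512"
+          echo "ecdsa-with-SHA512" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+          diff expected actual
+
+          # default signing algorithm should be "SHA384withEC"
+          echo "SHA384withEC" > expected
+          docker exec pki pki-server kra-config-show kra.audit_signing.defaultSigningAlgorithm | tee actual
+          diff expected actual
+
+      - name: Check subsystem cert
+        run: |
+          docker exec pki openssl req -text -noout \
+              -in /etc/pki/pki-tomcat/certs/subsystem.csr
+
+          docker exec pki pki-server cert-export subsystem \
+              --cert-file subsystem.crt
+          docker exec pki openssl x509 -text -noout -in subsystem.crt | tee output
+
+          # public key algorithm should be "id-ecPublicKey"
+          echo "id-ecPublicKey" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Public Key Algorithm:\s*\(.*\)$/\1/p" output > actual
+          diff expected actual
+
+          # signing algorithm should be "ecdsa-with-SHA512"
+          echo "ecdsa-with-SHA512" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+          diff expected actual
+
+          # default signing algorithm should not exist
+          echo "ERROR: No such parameter: kra.subsystem.defaultSigningAlgorithm" > expected
+          docker exec pki pki-server kra-config-show kra.subsystem.defaultSigningAlgorithm \
+              > >(tee stdout) 2> >(tee stderr >&2) || true
+          diff expected stderr
+
+      - name: Check SSL server cert
+        run: |
+          docker exec pki openssl req -text -noout \
+              -in /etc/pki/pki-tomcat/certs/sslserver.csr
+
+          docker exec pki pki-server cert-export sslserver \
+              --cert-file sslserver.crt
+          docker exec pki openssl x509 -text -noout -in sslserver.crt | tee output
+
+          # public key algorithm should be "id-ecPublicKey"
+          echo "id-ecPublicKey" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Public Key Algorithm:\s*\(.*\)$/\1/p" output > actual
+          diff expected actual
+
+          # signing algorithm should be "ecdsa-with-SHA512"
+          echo "ecdsa-with-SHA512" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+          diff expected actual
+
+          # default signing algorithm should not exist
+          echo "ERROR: No such parameter: kra.sslserver.defaultSigningAlgorithm" > expected
+          docker exec pki pki-server kra-config-show kra.sslserver.defaultSigningAlgorithm \
+              > >(tee stdout) 2> >(tee stderr >&2) || true
+          diff expected stderr
+
+      - name: Check KRA admin cert
+        run: |
+          docker exec pki openssl x509 -text -noout \
+              -in /root/.dogtag/pki-tomcat/ca_admin.cert | tee output
+
+          # public key algorithm should be "id-ecPublicKey"
+          echo "id-ecPublicKey" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Public Key Algorithm:\s*\(.*\)$/\1/p" output > actual
+          diff expected actual
+
+          # signing algorithm should be "ecdsa-with-SHA512"
+          echo "ecdsa-with-SHA512" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+          diff expected actual
+
+      - name: Run PKI healthcheck
+        run: docker exec pki pki-healthcheck --failures-only
+
+      - name: Check KRA admin
+        run: |
+          docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
+          docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt
+          docker exec pki pki pkcs12-import \
+              --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
+              --pkcs12-password Secret.123
+          docker exec pki pki -n caadmin kra-user-show kraadmin
+
+      - name: Enable caECUserCert profile
+        run: |
+          docker exec pki pki-server ca-profile-mod --enable true caECUserCert
+          docker exec pki pki-server restart --wait
+
+      - name: Check key archival with CRMFPopClient
+        run: |
+          # generate key and cert request
+          docker exec pki CRMFPopClient \
+              -d /root/.dogtag/nssdb \
+              -p "" \
+              -m pki.example.com:8080 \
+              -f caECUserCert \
+              -a ec \
+              -t false \
+              -n UID=testuser1 \
+              -u testuser1 \
+              -r testuser1 \
+              -b kra_transport.crt | tee output
+
+          REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)\s*$/\1/p" output)
+          echo "Request ID: $REQUEST_ID"
+
+          # issue cert
+          docker exec pki pki \
+              -u caadmin \
+              -w Secret.123 \
+              ca-cert-request-approve \
+              --force \
+              $REQUEST_ID | tee output
+
+          CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)\s*$/\1/p" output)
+          echo "Cert ID: $CERT_ID"
+
+          # import cert
+          docker exec pki pki ca-cert-export --output-file testuser1.crt $CERT_ID
+          docker exec pki pki nss-cert-import --cert testuser1.crt testuser1
+          docker exec pki pki nss-cert-show testuser1 | tee output
+
+          # verify that the cert matches the key (trust flags must be u,u,u)
+          sed -n "s/^\s*Trust Flags:\s*\(\S*\)\s*$/\1/p" output > actual
+          echo "u,u,u" > expected
+          diff expected actual
+
+          docker exec pki pki \
+              -u kraadmin \
+              -w Secret.123 \
+              kra-key-find --owner UID=testuser1 | tee output
+
+          HEX_KEY_ID=$(sed -n "s/^\s*Key ID:\s*\(\S*\)$/\1/p" output)
+          echo "Key ID: $HEX_KEY_ID"
+
+          DEC_KEY_ID=$(python -c "print(int('$HEX_KEY_ID', 16))")
+          echo "Dec Key ID: $DEC_KEY_ID"
+
+          # get key record
+          docker exec pki ldapsearch \
+              -H ldap://ds.example.com:3389 \
+              -x \
+              -D "cn=Directory Manager" \
+              -w Secret.123 \
+              -b "cn=$DEC_KEY_ID,ou=keyRepository,ou=kra,dc=kra,dc=pki,dc=example,dc=com" \
+              -o ldif_wrap=no \
+              -LLL | tee output
+
+          # encryption mode should be "false" by default
+          echo "false" > expected
+          sed -n 's/^metaInfo: payloadEncrypted:\(.*\)$/\1/p' output > actual
+          diff expected actual
+
+          # key wrap algorithm should be "AES KeyWrap/Padding" by default
+          echo "AES KeyWrap/Padding" > expected
+          sed -n 's/^metaInfo: payloadWrapAlgorithm:\(.*\)$/\1/p' output > actual
+          diff expected actual
+
+      - name: Check key archival with pki client-cert-request
+        run: |
+          # generate key and cert request
+          docker exec pki pki \
+              -U http://pki.example.com:8080 \
+              client-cert-request \
+              --profile caECUserCert \
+              --type crmf \
+              --algorithm ec \
+              --permanent \
+              --transport kra_transport.crt \
+              UID=testuser2 | tee output
+
+          REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)\s*$/\1/p" output)
+          echo "Request ID: $REQUEST_ID"
+
+          # issue cert
+          docker exec pki pki \
+              -u caadmin \
+              -w Secret.123 \
+              ca-cert-request-approve \
+              --force \
+              $REQUEST_ID | tee output
+
+          CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)\s*$/\1/p" output)
+          echo "Cert ID: $CERT_ID"
+
+          # import cert
+          docker exec pki pki ca-cert-export --output-file testuser2.crt $CERT_ID
+          docker exec pki pki nss-cert-import --cert testuser2.crt testuser2
+          docker exec pki pki nss-cert-show testuser2 | tee output
+
+          # verify that the cert matches the key (trust flags must be u,u,u)
+          sed -n "s/^\s*Trust Flags:\s*\(\S*\)\s*$/\1/p" output > actual
+          echo "u,u,u" > expected
+          diff expected actual
+
+          docker exec pki pki \
+              -u kraadmin \
+              -w Secret.123 \
+              kra-key-find --owner UID=testuser2 | tee output
+
+          HEX_KEY_ID=$(sed -n "s/^\s*Key ID:\s*\(\S*\)$/\1/p" output)
+          echo "Key ID: $HEX_KEY_ID"
+
+          DEC_KEY_ID=$(python -c "print(int('$HEX_KEY_ID', 16))")
+          echo "Dec Key ID: $DEC_KEY_ID"
+
+          # get key record
+          docker exec pki ldapsearch \
+              -H ldap://ds.example.com:3389 \
+              -x \
+              -D "cn=Directory Manager" \
+              -w Secret.123 \
+              -b "cn=$DEC_KEY_ID,ou=keyRepository,ou=kra,dc=kra,dc=pki,dc=example,dc=com" \
+              -o ldif_wrap=no \
+              -LLL | tee output
+
+          # encryption mode should be "false" by default
+          echo "false" > expected
+          sed -n 's/^metaInfo: payloadEncrypted:\(.*\)$/\1/p' output > actual
+          diff expected actual
+
+          # key wrap algorithm should be "AES KeyWrap/Padding" by default
+          echo "AES KeyWrap/Padding" > expected
+          sed -n 's/^metaInfo: payloadWrapAlgorithm:\(.*\)$/\1/p' output > actual
+          diff expected actual
+
+      - name: Check PKI server systemd journal
+        if: always()
+        run: |
+          docker exec pki journalctl -x --no-pager -u [email protected]
+
+      - name: Check CA debug log
+        if: always()
+        run: |
+          docker exec pki find /var/log/pki/pki-tomcat/ca -name "debug.*" -exec cat {} \;
+
+      - name: Check KRA debug log
+        if: always()
+        run: |
+          docker exec pki find /var/log/pki/pki-tomcat/kra -name "debug.*" -exec cat {} \;
+
+      - name: Gather artifacts
+        if: always()
+        run: |
+          tests/bin/ds-artifacts-save.sh ds
+          tests/bin/pki-artifacts-save.sh pki
+        continue-on-error: true
+
+      - name: Remove KRA
+        run: docker exec pki pkidestroy -i pki-tomcat -s KRA -v
+
+      - name: Remove CA
+        run: docker exec pki pkidestroy -i pki-tomcat -s CA -v
+
+      - name: Upload artifacts
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          name: kra-ecc
+          path: /tmp/artifacts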
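Review bot: Both "Check key archival" steps only assert that a key record exists in LDAP with `payloadEncrypted: false` and the expected wrap algorithm; nothing checks that the archived key is actually an EC key, which is the property this test exists to prove. After each `kra-key-find`, assert the algorithm from its output (confirm the exact field label the CLI prints), e.g. `echo "EC" > expected`, `sed -n "s/^\s*Algorithm:\s*\(\S*\)\s*$/\1/p" output > actual`, `diff expected actual`. The `Key ID` extraction on those steps also omits the trailing `\s*$` that every other extraction uses, so any trailing whitespace would leave `HEX_KEY_ID` empty and the `python -c` conversion would then fail with an unhelpful error rather than a clear assertion. Minor: the two archival steps are near-duplicates apart from the client tool and user name, and could share a helper under tests/bin like the setup steps already do.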
