Bug2246422-(refinement of)ServerSideKeygen static SKID #4546
name: Tools Tests | |
on: [push, pull_request] | |
jobs: | |
init: | |
name: Initialization | |
uses: ./.github/workflows/init.yml | |
secrets: inherit | |
build: | |
name: Waiting for build | |
needs: init | |
runs-on: ubuntu-latest | |
steps: | |
- name: Wait for build | |
uses: lewagon/[email protected] | |
with: | |
ref: ${{ github.ref }} | |
check-name: 'Building PKI' | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
wait-interval: 30 | |
if: github.event_name == 'push' | |
- name: Wait for build | |
uses: lewagon/[email protected] | |
with: | |
ref: ${{ github.event.pull_request.head.sha }} | |
check-name: 'Building PKI' | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
wait-interval: 30 | |
if: github.event_name == 'pull_request' | |
PKICertImport-test: | |
name: Testing PKICertImport | |
needs: [init, build] | |
runs-on: ubuntu-latest | |
env: | |
PKIDIR: /tmp/workdir/pki | |
steps: | |
- name: Clone repository | |
uses: actions/checkout@v3 | |
- name: Retrieve pki-runner image | |
uses: actions/cache@v3 | |
with: | |
key: pki-runner-${{ github.sha }} | |
path: pki-runner.tar | |
- name: Load runner image | |
run: docker load --input pki-runner.tar | |
- name: Run container | |
run: | | |
IMAGE=pki-runner \ | |
NAME=pki \ | |
HOSTNAME=pki.example.com \ | |
tests/bin/runner-init.sh | |
- name: Run PKICertImport test | |
run: docker exec pki bash ${PKIDIR}/base/util/src/test/shell/test_PKICertImport.bash | |
# https://github.com/dogtagpki/pki/wiki/PKI-NSS-CLI | |
pki-nss-rsa-test: | |
name: Testing PKI NSS CLI with RSA | |
needs: [init, build] | |
runs-on: ubuntu-latest | |
env: | |
PKIDIR: /tmp/workdir/pki | |
steps: | |
- name: Clone repository | |
uses: actions/checkout@v3 | |
- name: Retrieve pki-runner image | |
uses: actions/cache@v3 | |
with: | |
key: pki-runner-${{ github.sha }} | |
path: pki-runner.tar | |
- name: Load runner image | |
run: docker load --input pki-runner.tar | |
- name: Run container | |
run: | | |
IMAGE=pki-runner \ | |
NAME=pki \ | |
HOSTNAME=pki.example.com \ | |
tests/bin/runner-init.sh | |
# https://github.com/dogtagpki/pki/wiki/Generating-CA-Signing-CSR-with-PKI-NSS | |
- name: Create CA signing cert request with new RSA key | |
run: | | |
docker exec pki pki nss-cert-request \ | |
--key-type RSA \ | |
--subject "CN=Certificate Authority" \ | |
--ext /usr/share/pki/server/certs/ca_signing.conf \ | |
--csr ca_signing.csr | |
docker exec pki openssl req -text -noout -in ca_signing.csr | |
# https://github.com/dogtagpki/pki/wiki/Issuing-CA-Signing-Certificate-with-PKI-NSS | |
- name: Issue self-signed CA signing cert | |
run: | | |
docker exec pki pki nss-cert-issue \ | |
--csr ca_signing.csr \ | |
--ext /usr/share/pki/server/certs/ca_signing.conf \ | |
--cert ca_signing.crt | |
docker exec pki openssl x509 -text -noout -in ca_signing.crt | |
- name: Import CA signing cert | |
run: | | |
docker exec pki pki nss-cert-import \ | |
--cert ca_signing.crt \ | |
--trust CT,C,C \ | |
ca_signing | |
# verify trust flags | |
docker exec pki certutil -L -d /root/.dogtag/nssdb | tee output | |
sed -n 's/^ca_signing\s*\(\S\+\)\s*$/\1/p' output > actual | |
echo "CTu,Cu,Cu" > expected | |
diff actual expected | |
# verify key type | |
docker exec pki certutil -K -d /root/.dogtag/nssdb | tee output | |
sed -n 's/^<.*>\s\+\(\S\+\)\s\+\S\+\s\+NSS Certificate DB:ca_signing$/\1/p' output > actual | |
echo rsa > expected | |
diff actual expected | |
# https://github.com/dogtagpki/pki/wiki/Generating-SSL-Server-CSR-with-PKI-NSS | |
- name: Create SSL server cert request with new RSA key | |
run: | | |
docker exec pki pki nss-cert-request \ | |
--key-type RSA \ | |
--subject "CN=pki.example.com" \ | |
--ext /usr/share/pki/server/certs/sslserver.conf \ | |
--csr sslserver.csr | |
docker exec pki openssl req -text -noout -in sslserver.csr | |
# https://github.com/dogtagpki/pki/wiki/Issuing-SSL-Server-Certificate-with-PKI-NSS | |
- name: Issue SSL server cert | |
run: | | |
docker exec pki pki nss-cert-issue \ | |
--issuer ca_signing \ | |
--csr sslserver.csr \ | |
--ext /usr/share/pki/server/certs/sslserver.conf \ | |
--cert sslserver.crt | |
docker exec pki openssl x509 -text -noout -in sslserver.crt | |
- name: Import SSL server cert | |
run: | | |
docker exec pki pki nss-cert-import \ | |
--cert sslserver.crt \ | |
sslserver | |
# verify trust flags | |
docker exec pki certutil -L -d /root/.dogtag/nssdb | tee output | |
sed -n 's/^sslserver\s*\(\S\+\)\s*$/\1/p' output > actual | |
echo "u,u,u" > expected | |
diff actual expected | |
# verify key type | |
docker exec pki certutil -K -d /root/.dogtag/nssdb | tee output | |
sed -n 's/^<.*>\s\+\(\S\+\)\s\+\S\+\s\+NSS Certificate DB:sslserver$/\1/p' output > actual | |
echo rsa > expected | |
diff actual expected | |
# get key ID | |
docker exec pki certutil -K -d /root/.dogtag/nssdb | tee output | |
sed -n 's/^<.*>\s\+\S\+\s\+\(\S\+\)\s\+NSS Certificate DB:sslserver$/\1/p' output > sslserver_key_id | |
- name: Delete SSL server cert | |
run: | | |
docker exec pki certutil -D -d /root/.dogtag/nssdb -n sslserver | |
docker exec pki certutil -L -d /root/.dogtag/nssdb | |
docker exec pki certutil -K -d /root/.dogtag/nssdb | |
- name: Create new SSL server cert request with existing RSA key | |
run: | | |
docker exec pki pki nss-cert-request \ | |
--key-id `cat sslserver_key_id` \ | |
--subject "CN=pki.example.com" \ | |
--ext /usr/share/pki/server/certs/sslserver.conf \ | |
--csr new_sslserver.csr | |
docker exec pki openssl req -text -noout -in new_sslserver.csr | |
- name: Issue new SSL server cert | |
run: | | |
docker exec pki pki nss-cert-issue \ | |
--issuer ca_signing \ | |
--csr new_sslserver.csr \ | |
--ext /usr/share/pki/server/certs/sslserver.conf \ | |
--cert new_sslserver.crt | |
docker exec pki openssl x509 -text -noout -in new_sslserver.crt | |
- name: Import new SSL server cert | |
run: | | |
docker exec pki pki nss-cert-import \ | |
--cert new_sslserver.crt \ | |
new_sslserver | |
# verify trust flags | |
docker exec pki certutil -L -d /root/.dogtag/nssdb | tee output | |
sed -n 's/^new_sslserver\s*\(\S\+\)\s*$/\1/p' output > actual | |
echo "u,u,u" > expected | |
diff actual expected | |
# verify key type | |
docker exec pki certutil -K -d /root/.dogtag/nssdb | tee output | |
sed -n 's/^<.*>\s\+\(\S\+\)\s\+\S\+\s\+NSS Certificate DB:new_sslserver$/\1/p' output > actual | |
echo rsa > expected | |
diff actual expected | |
# verify key ID | |
docker exec pki certutil -K -d /root/.dogtag/nssdb | tee output | |
sed -n 's/^<.*>\s\+\S\+\s\+\(\S\+\)\s\+NSS Certificate DB:new_sslserver$/\1/p' output > new_sslserver_key_id | |
diff sslserver_key_id new_sslserver_key_id | |
# https://github.com/dogtagpki/pki/wiki/PKI-NSS-CLI | |
pki-nss-ecc-test: | |
name: Testing PKI NSS CLI with ECC | |
needs: [init, build] | |
runs-on: ubuntu-latest | |
env: | |
PKIDIR: /tmp/workdir/pki | |
steps: | |
- name: Clone repository | |
uses: actions/checkout@v3 | |
- name: Retrieve pki-runner image | |
uses: actions/cache@v3 | |
with: | |
key: pki-runner-${{ github.sha }} | |
path: pki-runner.tar | |
- name: Load runner image | |
run: docker load --input pki-runner.tar | |
- name: Run container | |
run: | | |
IMAGE=pki-runner \ | |
NAME=pki \ | |
HOSTNAME=pki.example.com \ | |
tests/bin/runner-init.sh | |
# https://github.com/dogtagpki/pki/wiki/Generating-CA-Signing-CSR-with-PKI-NSS | |
- name: Create CA signing cert request with new EC key | |
run: | | |
docker exec pki pki nss-cert-request \ | |
--key-type EC \ | |
--curve nistp256 \ | |
--subject "CN=Certificate Authority" \ | |
--ext /usr/share/pki/server/certs/ca_signing.conf \ | |
--csr ca_signing.csr | |
docker exec pki openssl req -text -noout -in ca_signing.csr | |
# https://github.com/dogtagpki/pki/wiki/Issuing-CA-Signing-Certificate-with-PKI-NSS | |
- name: Issue self-signed CA signing cert | |
run: | | |
docker exec pki pki nss-cert-issue \ | |
--csr ca_signing.csr \ | |
--ext /usr/share/pki/server/certs/ca_signing.conf \ | |
--cert ca_signing.crt | |
docker exec pki openssl x509 -text -noout -in ca_signing.crt | |
- name: Import CA signing cert | |
run: | | |
docker exec pki pki nss-cert-import \ | |
--cert ca_signing.crt \ | |
--trust CT,C,C \ | |
ca_signing | |
# verify trust flags | |
docker exec pki certutil -L -d /root/.dogtag/nssdb | tee output | |
sed -n 's/^ca_signing\s*\(\S\+\)\s*$/\1/p' output > actual | |
echo "CTu,Cu,Cu" > expected | |
diff actual expected | |
# verify key type | |
docker exec pki certutil -K -d /root/.dogtag/nssdb | tee output | |
sed -n 's/^<.*>\s\+\(\S\+\)\s\+\S\+\s\+NSS Certificate DB:ca_signing$/\1/p' output > actual | |
echo ec > expected | |
diff actual expected | |
# https://github.com/dogtagpki/pki/wiki/Generating-SSL-Server-CSR-with-PKI-NSS | |
- name: Create SSL server cert request with new EC key | |
run: | | |
docker exec pki pki nss-cert-request \ | |
--key-type EC \ | |
--curve nistp256 \ | |
--subject "CN=pki.example.com" \ | |
--ext /usr/share/pki/server/certs/sslserver.conf \ | |
--csr sslserver.csr | |
docker exec pki openssl req -text -noout -in sslserver.csr | |
# https://github.com/dogtagpki/pki/wiki/Issuing-SSL-Server-Certificate-with-PKI-NSS | |
- name: Issue SSL server cert | |
run: | | |
docker exec pki pki nss-cert-issue \ | |
--issuer ca_signing \ | |
--csr sslserver.csr \ | |
--ext /usr/share/pki/server/certs/sslserver.conf \ | |
--cert sslserver.crt | |
docker exec pki openssl x509 -text -noout -in sslserver.crt | |
- name: Import SSL server cert | |
run: | | |
docker exec pki pki nss-cert-import \ | |
--cert sslserver.crt \ | |
sslserver | |
# verify trust flags | |
docker exec pki certutil -L -d /root/.dogtag/nssdb | tee output | |
sed -n 's/^sslserver\s*\(\S\+\)\s*$/\1/p' output > actual | |
echo "u,u,u" > expected | |
diff actual expected | |
# verify key type | |
docker exec pki certutil -K -d /root/.dogtag/nssdb | tee output | |
sed -n 's/^<.*>\s\+\(\S\+\)\s\+\S\+\s\+NSS Certificate DB:sslserver$/\1/p' output > actual | |
echo ec > expected | |
diff actual expected | |
# get key ID | |
docker exec pki certutil -K -d /root/.dogtag/nssdb | tee output | |
sed -n 's/^<.*>\s\+\S\+\s\+\(\S\+\)\s\+NSS Certificate DB:sslserver$/\1/p' output > sslserver_key_id | |
- name: Delete SSL server cert | |
run: | | |
docker exec pki certutil -D -d /root/.dogtag/nssdb -n sslserver | |
docker exec pki certutil -L -d /root/.dogtag/nssdb | |
docker exec pki certutil -K -d /root/.dogtag/nssdb | |
- name: Create new SSL server cert request with existing EC key | |
run: | | |
docker exec pki pki nss-cert-request \ | |
--key-id `cat sslserver_key_id` \ | |
--subject "CN=pki.example.com" \ | |
--ext /usr/share/pki/server/certs/sslserver.conf \ | |
--csr new_sslserver.csr | |
docker exec pki openssl req -text -noout -in new_sslserver.csr | |
- name: Issue new SSL server cert | |
run: | | |
docker exec pki pki nss-cert-issue \ | |
--issuer ca_signing \ | |
--csr new_sslserver.csr \ | |
--ext /usr/share/pki/server/certs/sslserver.conf \ | |
--cert new_sslserver.crt | |
docker exec pki openssl x509 -text -noout -in new_sslserver.crt | |
- name: Import new SSL server cert | |
run: | | |
docker exec pki pki nss-cert-import \ | |
--cert new_sslserver.crt \ | |
new_sslserver | |
# verify trust flags | |
docker exec pki certutil -L -d /root/.dogtag/nssdb | tee output | |
sed -n 's/^new_sslserver\s*\(\S\+\)\s*$/\1/p' output > actual | |
echo "u,u,u" > expected | |
diff actual expected | |
# verify key type | |
docker exec pki certutil -K -d /root/.dogtag/nssdb | tee output | |
sed -n 's/^<.*>\s\+\(\S\+\)\s\+\S\+\s\+NSS Certificate DB:new_sslserver$/\1/p' output > actual | |
echo ec > expected | |
diff actual expected | |
# verify key ID | |
docker exec pki certutil -K -d /root/.dogtag/nssdb | tee output | |
sed -n 's/^<.*>\s\+\S\+\s\+\(\S\+\)\s\+NSS Certificate DB:new_sslserver$/\1/p' output > new_sslserver_key_id | |
diff sslserver_key_id new_sslserver_key_id | |
# https://github.com/dogtagpki/pki/wiki/PKI-NSS-CLI | |
pki-nss-hsm-test: | |
name: Testing PKI NSS CLI with HSM | |
needs: [init, build] | |
runs-on: ubuntu-latest | |
env: | |
PKIDIR: /tmp/workdir/pki | |
steps: | |
- name: Clone repository | |
uses: actions/checkout@v3 | |
- name: Retrieve pki-runner image | |
uses: actions/cache@v3 | |
with: | |
key: pki-runner-${{ github.sha }} | |
path: pki-runner.tar | |
- name: Load runner image | |
run: docker load --input pki-runner.tar | |
- name: Run container | |
run: | | |
IMAGE=pki-runner \ | |
NAME=pki \ | |
HOSTNAME=pki.example.com \ | |
tests/bin/runner-init.sh | |
- name: Create HSM token | |
run: | | |
docker exec pki dnf install -y softhsm | |
docker exec pki softhsm2-util --init-token \ | |
--label HSM \ | |
--so-pin Secret.123 \ | |
--pin Secret.123 \ | |
--free | |
docker exec pki softhsm2-util --show-slots | |
# https://github.com/dogtagpki/pki/wiki/Generating-CA-Signing-CSR-with-PKI-NSS | |
- name: Generate CA signing cert request with key in HSM | |
run: | | |
echo "internal=" > password.conf | |
echo "hardware-HSM=Secret.123" >> password.conf | |
docker exec pki pki \ | |
--token HSM \ | |
-f ${PKIDIR}/password.conf \ | |
nss-cert-request \ | |
--subject "CN=Certificate Authority" \ | |
--ext /usr/share/pki/server/certs/ca_signing.conf \ | |
--csr ca_signing.csr | |
docker exec pki openssl req -text -noout -in ca_signing.csr | |
# https://github.com/dogtagpki/pki/wiki/Issuing-CA-Signing-Certificate-with-PKI-NSS | |
- name: Issue self-signed CA signing cert | |
run: | | |
docker exec pki pki \ | |
--token HSM \ | |
-f ${PKIDIR}/password.conf \ | |
nss-cert-issue \ | |
--csr ca_signing.csr \ | |
--ext /usr/share/pki/server/certs/ca_signing.conf \ | |
--cert ca_signing.crt | |
docker exec pki openssl x509 -text -noout -in ca_signing.crt | |
- name: Import CA signing cert into internal token and HSM | |
run: | | |
docker exec pki pki \ | |
--token HSM \ | |
-f ${PKIDIR}/password.conf \ | |
nss-cert-import \ | |
--cert ca_signing.crt \ | |
--trust CT,C,C \ | |
ca_signing | |
- name: Verify CA signing cert trust flags in internal token | |
run: | | |
docker exec pki certutil -L -d /root/.dogtag/nssdb | tee output | |
sed -n 's/^ca_signing\s*\(\S\+\)\s*$/\1/p' output > actual | |
echo "CT,C,C" > expected | |
diff actual expected | |
- name: Verify CA signing cert trust flags in HSM | |
run: | | |
echo "Secret.123" > password.txt | |
docker exec pki certutil \ | |
-L \ | |
-d /root/.dogtag/nssdb \ | |
-h HSM \ | |
-f ${PKIDIR}/password.txt | tee output | |
sed -n 's/^HSM:ca_signing\s*\(\S\+\)\s*$/\1/p' output > actual | |
echo "CTu,Cu,Cu" > expected | |
diff actual expected | |
- name: Remove HSM token | |
run: docker exec pki softhsm2-util --delete-token --token HSM | |
# docs/user/tools/Using-PKI-PKCS7-CLI.adoc | |
pki-pkcs7-test: | |
name: Testing PKI PKCS7 CLI | |
needs: [init, build] | |
runs-on: ubuntu-latest | |
env: | |
PKIDIR: /tmp/workdir/pki | |
steps: | |
- name: Clone repository | |
uses: actions/checkout@v3 | |
- name: Retrieve pki-runner image | |
uses: actions/cache@v3 | |
with: | |
key: pki-runner-${{ github.sha }} | |
path: pki-runner.tar | |
- name: Load runner image | |
run: docker load --input pki-runner.tar | |
- name: Run container | |
run: | | |
IMAGE=pki-runner \ | |
NAME=pki \ | |
HOSTNAME=pki.example.com \ | |
tests/bin/runner-init.sh | |
- name: Generate CA signing cert request | |
run: | | |
docker exec pki pki nss-cert-request \ | |
--subject "CN=Certificate Authority" \ | |
--ext /usr/share/pki/server/certs/ca_signing.conf \ | |
--csr ca_signing.csr | |
- name: Issue self-signed CA signing cert | |
run: | | |
docker exec pki pki nss-cert-issue \ | |
--csr ca_signing.csr \ | |
--ext /usr/share/pki/server/certs/ca_signing.conf \ | |
--cert ca_signing.crt | |
- name: Import CA signing cert | |
run: | | |
docker exec pki pki nss-cert-import \ | |
--cert ca_signing.crt \ | |
--trust CT,C,C \ | |
ca_signing | |
- name: Generate SSL server cert request | |
run: | | |
docker exec pki pki nss-cert-request \ | |
--subject "CN=localhost.localdomain" \ | |
--ext /usr/share/pki/server/certs/sslserver.conf \ | |
--csr sslserver.csr | |
- name: Issue SSL server cert signed by CA signing cert | |
run: | | |
docker exec pki pki nss-cert-issue \ | |
--issuer ca_signing \ | |
--csr sslserver.csr \ | |
--ext /usr/share/pki/server/certs/ca_signing.conf \ | |
--cert sslserver.crt | |
- name: Import SSL server cert | |
run: docker exec pki pki nss-cert-import sslserver --cert sslserver.crt | |
- name: "Export SSL server cert chain into PKCS #7 chain" | |
run: | | |
docker exec pki pki pkcs7-export sslserver --pkcs7 cert_chain.p7b | |
docker exec pki pki pkcs7-cert-find --pkcs7 cert_chain.p7b | |
- name: Convert cert chain into separate PEM certificates | |
run: | | |
docker exec pki pki pkcs7-cert-export --pkcs7 cert_chain.p7b --output-prefix cert- --output-suffix .pem | |
docker exec pki cat cert-0.pem | |
docker exec pki cat cert-1.pem | |
- name: "Merge PEM certificates into a PKCS #7 chain" | |
run: | | |
docker exec pki rm -f cert_chain.p7b | |
docker exec pki pki pkcs7-cert-import --pkcs7 cert_chain.p7b --input-file cert-0.pem | |
docker exec pki pki pkcs7-cert-import --pkcs7 cert_chain.p7b --input-file cert-1.pem --append | |
docker exec pki pki pkcs7-cert-find --pkcs7 cert_chain.p7b | |
- name: Remove certs from NSS database | |
run: | | |
docker exec pki certutil -D -d /root/.dogtag/nssdb -n sslserver | |
docker exec pki certutil -D -d /root/.dogtag/nssdb -n ca_signing | |
docker exec pki certutil -L -d /root/.dogtag/nssdb | |
- name: "Import PKCS #7 chain into NSS database" | |
run: | | |
docker exec pki pki pkcs7-import sslserver --pkcs7 cert_chain.p7b | |
docker exec pki certutil -L -d /root/.dogtag/nssdb | |
- name: Verify CA signing cert trust flags | |
run: | | |
docker exec pki certutil -L -d /root/.dogtag/nssdb | tee output | |
sed -n 's/^Certificate Authority *\(\S\+\)/\1/p' output > actual | |
echo "CTu,Cu,Cu" > expected | |
diff actual expected | |
- name: Verify SSL server cert trust flags | |
run: | | |
docker exec pki certutil -L -d /root/.dogtag/nssdb | tee output | |
sed -n 's/^sslserver *\(\S\+\)/\1/p' output > actual | |
echo "u,u,u" > expected | |
diff actual expected | |
- name: "Convert PKCS #7 chain into a series of PEM certificates" | |
run: | | |
docker exec pki pki pkcs7-cert-export --pkcs7 cert_chain.p7b --output-file cert_chain.pem | |
docker exec pki cat cert_chain.pem | |
- name: Remove certs from NSS database | |
run: | | |
docker exec pki certutil -D -d /root/.dogtag/nssdb -n sslserver | |
docker exec pki certutil -D -d /root/.dogtag/nssdb -n "Certificate Authority" | |
docker exec pki certutil -L -d /root/.dogtag/nssdb | |
- name: Import PEM certificates into NSS database | |
run: | | |
docker exec pki rm -f cert_chain.p7b | |
docker exec pki pki pkcs7-cert-import --pkcs7 cert_chain.p7b --input-file cert_chain.pem | |
docker exec pki pki pkcs7-import sslserver --pkcs7 cert_chain.p7b | |
docker exec pki certutil -L -d /root/.dogtag/nssdb | |
- name: Verify CA signing cert trust flags | |
run: | | |
docker exec pki certutil -L -d /root/.dogtag/nssdb | tee output | |
sed -n 's/^Certificate Authority *\(\S\+\)/\1/p' output > actual | |
echo "CTu,Cu,Cu" > expected | |
diff actual expected | |
- name: Verify SSL server cert trust flags | |
run: | | |
docker exec pki certutil -L -d /root/.dogtag/nssdb | tee output | |
sed -n 's/^sslserver *\(\S\+\)/\1/p' output > actual | |
echo "u,u,u" > expected | |
diff actual expected | |
update-version-test: | |
name: Update Version | |
uses: ./.github/workflows/update-version-test.yml |
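Review bot: In the pki-pkcs7-test job, the "Issue SSL server cert signed by CA signing cert" step passes `--ext /usr/share/pki/server/certs/ca_signing.conf` for the server certificate, while every other SSL server issuance in this file (the RSA and ECC jobs) uses `--ext /usr/share/pki/server/certs/sslserver.conf`; this reads like a copy-paste slip that presumably stamps CA-profile extensions onto a leaf cert, and the later trust-flag checks in that job would not catch it. The line should read `--ext /usr/share/pki/server/certs/sslserver.conf \`. Separately, the third-party wait-on-check action in the build job is referenced by a mutable version tag and is handed `secrets.GITHUB_TOKEN`, yet the workflow declares no top-level `permissions:` block, so the token carries the repository default scope; pinning that action to a commit SHA and adding a top-level `permissions:` block with `contents: read` and `checks: read` would keep it least-privilege. The action reference is mangled in this rendering, so confirm the exact ref against the file itself.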