.github/workflows/ocsp-crl-direct-test.yml

name: OCSP with direct CRL publishing

on: workflow_call

env:
  DB_IMAGE: ${{ vars.DB_IMAGE || 'quay.io/389ds/dirsrv' }}

jobs:
  # https://github.com/dogtagpki/pki/wiki/Installing-Standalone-OCSP
  # https://github.com/dogtagpki/pki/wiki/Publishing-CRL-to-OCSP-Responder
  test:
    name: Test
    runs-on: ubuntu-latest
    env:
      SHARED: /tmp/workdir/pki
    steps:
      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get -y install libxml2-utils

      - name: Clone repository
        uses: actions/checkout@v3

      - name: Retrieve PKI images
        uses: actions/cache@v3
        with:
          key: pki-images-${{ github.sha }}
          path: pki-images.tar

      - name: Load PKI images
        run: docker load --input pki-images.tar

      - name: Create network
        run: docker network create example

      - name: Set up CA DS container
        run: |
          tests/bin/ds-container-create.sh cads
        env:
          IMAGE: ${{ env.DB_IMAGE }}
          HOSTNAME: cads.example.com
          PASSWORD: Secret.123

      - name: Connect CA DS container to network
        run: docker network connect example cads --alias cads.example.com

      - name: Set up CA container
        run: |
          tests/bin/runner-init.sh ca
        env:
          HOSTNAME: ca.example.com

      - name: Connect CA container to network
        run: docker network connect example ca --alias ca.example.com

      - name: Install CA in CA container
        run: |
          docker exec ca pkispawn \
              -f /usr/share/pki/server/examples/installation/ca.cfg \
              -s CA \
              -D pki_ds_url=ldap://cads.example.com:3389 \
              -v

      - name: Install CA admin cert in CA container
        run: |
          docker exec ca pki-server cert-export ca_signing --cert-file ${SHARED}/ca_signing.crt
          docker exec ca pki client-cert-import ca_signing --ca-cert ${SHARED}/ca_signing.crt
          docker exec ca pki pkcs12-import \
              --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
              --pkcs12-password Secret.123

      - name: Set up OCSP DS container
        run: |
          tests/bin/ds-container-create.sh ocspds
        env:
          IMAGE: ${{ env.DB_IMAGE }}
          HOSTNAME: ocspds.example.com
          PASSWORD: Secret.123

      - name: Connect OCSP DS container to network
        run: docker network connect example ocspds --alias ocspds.example.com

      - name: Set up OCSP container
        run: |
          tests/bin/runner-init.sh ocsp
        env:
          HOSTNAME: ocsp.example.com

      - name: Connect OCSP container to network
        run: docker network connect example ocsp --alias ocsp.example.com

      - name: Install OCSP in OCSP container (step 1)
        run: |
          docker exec ocsp pkispawn \
              -f /usr/share/pki/server/examples/installation/ocsp-standalone-step1.cfg \
              -s OCSP \
              -D pki_cert_chain_path=${SHARED}/ca_signing.crt \
              -D pki_ds_url=ldap://ocspds.example.com:3389 \
              -D pki_ocsp_signing_csr_path=${SHARED}/ocsp_signing.csr \
              -D pki_subsystem_csr_path=${SHARED}/subsystem.csr \
              -D pki_sslserver_csr_path=${SHARED}/sslserver.csr \
              -D pki_audit_signing_csr_path=${SHARED}/ocsp_audit_signing.csr \
              -D pki_admin_csr_path=${SHARED}/ocsp_admin.csr \
              -v

      - name: Issue OCSP signing cert
        run: |
          docker exec ca openssl req -text -noout -in ${SHARED}/ocsp_signing.csr
          docker exec ca pki ca-cert-request-submit --profile caOCSPCert --csr-file ${SHARED}/ocsp_signing.csr | tee output
          REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
          docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
          CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
          docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/ocsp_signing.crt
          docker exec ca openssl x509 -text -noout -in ${SHARED}/ocsp_signing.crt

      - name: Issue subsystem cert
        run: |
          docker exec ca openssl req -text -noout -in ${SHARED}/subsystem.csr
          docker exec ca pki ca-cert-request-submit --profile caSubsystemCert --csr-file ${SHARED}/subsystem.csr | tee output
          REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
          docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
          CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
          docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/subsystem.crt
          docker exec ca openssl x509 -text -noout -in ${SHARED}/subsystem.crt

      - name: Issue SSL server cert
        run: |
          docker exec ca openssl req -text -noout -in ${SHARED}/sslserver.csr
          docker exec ca pki ca-cert-request-submit --profile caServerCert --csr-file ${SHARED}/sslserver.csr | tee output
          REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
          docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
          CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
          docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/sslserver.crt
          docker exec ca openssl x509 -text -noout -in ${SHARED}/sslserver.crt

      - name: Issue OCSP audit signing cert
        run: |
          docker exec ca openssl req -text -noout -in ${SHARED}/ocsp_audit_signing.csr
          docker exec ca pki ca-cert-request-submit --profile caAuditSigningCert --csr-file ${SHARED}/ocsp_audit_signing.csr | tee output
          REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
          docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
          CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
          docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/ocsp_audit_signing.crt
          docker exec ca openssl x509 -text -noout -in ${SHARED}/ocsp_audit_signing.crt

      - name: Issue OCSP admin cert
        run: |
          docker exec ca openssl req -text -noout -in ${SHARED}/ocsp_admin.csr
          docker exec ca pki ca-cert-request-submit --profile AdminCert --csr-file ${SHARED}/ocsp_admin.csr | tee output
          REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
          docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
          CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
          docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/ocsp_admin.crt
          docker exec ca openssl x509 -text -noout -in ${SHARED}/ocsp_admin.crt

      - name: Install OCSP in OCSP container (step 2)
        run: |
          docker exec ocsp pkispawn \
              -f /usr/share/pki/server/examples/installation/ocsp-standalone-step2.cfg \
              -s OCSP \
              -D pki_cert_chain_path=${SHARED}/ca_signing.crt \
              -D pki_ds_url=ldap://ocspds.example.com:3389 \
              -D pki_ocsp_signing_csr_path=${SHARED}/ocsp_signing.csr \
              -D pki_subsystem_csr_path=${SHARED}/subsystem.csr \
              -D pki_sslserver_csr_path=${SHARED}/sslserver.csr \
              -D pki_audit_signing_csr_path=${SHARED}/ocsp_audit_signing.csr \
              -D pki_admin_csr_path=${SHARED}/ocsp_admin.csr \
              -D pki_ocsp_signing_cert_path=${SHARED}/ocsp_signing.crt \
              -D pki_subsystem_cert_path=${SHARED}/subsystem.crt \
              -D pki_sslserver_cert_path=${SHARED}/sslserver.crt \
              -D pki_audit_signing_cert_path=${SHARED}/ocsp_audit_signing.crt \
              -D pki_admin_cert_path=${SHARED}/ocsp_admin.crt \
              -v

          docker exec ocsp pki-server cert-find

      # TODO: Fix DogtagOCSPConnectivityCheck to work without CA
      # - name: Run PKI healthcheck
      #   run: docker exec ocsp pki-healthcheck --failures-only

      - name: Install OCSP admin cert in OCSP container
        run: |
          docker exec ocsp pki client-cert-import ca_signing --ca-cert ${SHARED}/ca_signing.crt
          docker exec ocsp pki pkcs12-import \
              --pkcs12 /root/.dogtag/pki-tomcat/ocsp_admin_cert.p12 \
              --pkcs12-password Secret.123
          docker exec ocsp pki -n ocspadmin ocsp-user-show ocspadmin

      - name: Create CA user in OCSP
        run: |
          # export CA subsystem cert
          docker exec ca pki-server cert-export subsystem --cert-file ${SHARED}/subsystem.crt

          # create CA user with CA subsystem cert
          docker exec ocsp pki-server ocsp-user-add CA --full-name "CA" --type agentType
          docker exec ocsp pki-server ocsp-user-cert-add CA --cert ${SHARED}/subsystem.crt
          docker exec ocsp pki-server ocsp-group-member-add "Trusted Managers" CA

      - name: Create CRL issuing point in OCSP
        run: |
          # convert CA signing cert into PKCS #7 chain
          docker exec ocsp pki pkcs7-cert-import --pkcs7 ca_signing.p7 --input-file ${SHARED}/ca_signing.crt
          docker exec ocsp pki pkcs7-cert-find --pkcs7 ca_signing.p7

          # create CRL issuing point with the PKCS #7 chain
          docker exec ocsp pki-server ocsp-crl-issuingpoint-add --cert-chain ca_signing.p7

      - name: Configure OCSP publishing in CA
        run: |
          # configure OCSP publisher
          docker exec ca pki-server ca-config-set ca.publish.publisher.instance.OCSPPublisher.enableClientAuth true
          docker exec ca pki-server ca-config-set ca.publish.publisher.instance.OCSPPublisher.host ocsp.example.com
          docker exec ca pki-server ca-config-set ca.publish.publisher.instance.OCSPPublisher.nickName subsystem
          docker exec ca pki-server ca-config-set ca.publish.publisher.instance.OCSPPublisher.path /ocsp/agent/ocsp/addCRL
          docker exec ca pki-server ca-config-set ca.publish.publisher.instance.OCSPPublisher.pluginName OCSPPublisher
          docker exec ca pki-server ca-config-set ca.publish.publisher.instance.OCSPPublisher.port 8443

          # configure CRL publishing rule
          docker exec ca pki-server ca-config-set ca.publish.rule.instance.OCSPRule.enable true
          docker exec ca pki-server ca-config-set ca.publish.rule.instance.OCSPRule.mapper NoMap
          docker exec ca pki-server ca-config-set ca.publish.rule.instance.OCSPRule.pluginName Rule
          docker exec ca pki-server ca-config-set ca.publish.rule.instance.OCSPRule.publisher OCSPPublisher
          docker exec ca pki-server ca-config-set ca.publish.rule.instance.OCSPRule.type crl

          # enable CRL publishing
          docker exec ca pki-server ca-config-set ca.publish.enable true

          # set buffer size to 0 so that revocation will take effect immediately
          docker exec ca pki-server ca-config-set auths.revocationChecking.bufferSize 0

          # update CRL immediately after each cert revocation
          docker exec ca pki-server ca-crl-ip-mod -D alwaysUpdate=true MasterCRL

          # restart CA subsystem
          docker exec ca pki-server ca-redeploy --wait

      - name: Check OCSP responder with no CRLs
        run: |
          # create CA agent and its cert
          docker exec ca /usr/share/pki/tests/ca/bin/ca-agent-create.sh
          docker exec ca /usr/share/pki/tests/ca/bin/ca-agent-cert-create.sh

          # get cert serial number
          docker exec ca pki nss-cert-show caagent | tee output
          CERT_ID=$(sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p" output)

          # check cert status using OCSPClient
          docker exec ocsp OCSPClient \
              -d /root/.dogtag/nssdb \
              -h ocsp.example.com \
              -p 8080 \
              -t /ocsp/ee/ocsp \
              -c ca_signing \
              --serial $CERT_ID \
              > >(tee stdout) 2> >(tee stderr >&2) || true

          # the responder should fail
          sed -n "s/^SEVERE:\s*\(\S*\)/\1/p" stderr > actual
          echo "InvalidBERException: Incorrect tag: expected [UNIVERSAL 16], found [UNIVERSAL 28]" > expected
          diff expected actual

          # check cert status using OpenSSL
          docker exec ocsp openssl ocsp \
              -url http://ocsp.example.com:8080/ocsp/ee/ocsp \
              -CAfile ${SHARED}/ca_signing.crt \
              -issuer ${SHARED}/ca_signing.crt \
              -serial $CERT_ID \
              > >(tee stdout) 2> >(tee stderr >&2) || true

          # remove the random parts of stderr so it can be compared
          sed -i "s/^[^:]*:error:/error:/g" stderr

          # remove file names and line numbers so it can be compared
          sed -i "s/^\([^:]*:[^:]*:[^:]*:[^:]*:[^:]*:\)[^:]*:[^:]*:/\1/" stderr

          # the responder should fail
          echo "Error querying OCSP responder" > expected
          echo "error:1E800076:HTTP routines:OSSL_HTTP_REQ_CTX_nbio:unexpected content type:expected=application/ocsp-response, actual=text/html" >> expected
          echo "error:1E800067:HTTP routines:OSSL_HTTP_REQ_CTX_exchange:error receiving:server=http://ocsp.example.com:8080" >> expected

          diff expected stderr

      - name: Check OCSP responder with initial CRL
        run: |
          # get cert serial number
          docker exec ca pki nss-cert-show caagent | tee output
          CERT_ID=$(sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p" output)

          # https://github.com/dogtagpki/pki/wiki/UpdateCRL-Service
          docker exec ca curl \
              --cert-type P12 \
              --cert /root/.dogtag/pki-tomcat/ca_admin_cert.p12:Secret.123 \
              -sk \
              -d "xml=true" \
              https://ca.example.com:8443/ca/agent/ca/updateCRL \
              | xmllint --format -

          # wait for CRL update
          sleep 10

          # check cert status using OCSPClient
          docker exec ocsp OCSPClient \
              -d /root/.dogtag/nssdb \
              -h ocsp.example.com \
              -p 8080 \
              -t /ocsp/ee/ocsp \
              -c ca_signing \
              --serial $CERT_ID | tee output

          # the status should be good
          sed -n "s/^CertStatus=\(.*\)$/\1/p" output > actual
          echo Good > expected
          diff expected actual

          # check cert status using OpenSSL
          docker exec ocsp openssl ocsp \
              -url http://ocsp.example.com:8080/ocsp/ee/ocsp \
              -CAfile ${SHARED}/ca_signing.crt \
              -issuer ${SHARED}/ca_signing.crt \
              -serial $CERT_ID | tee output

          # the status should be good
          sed -n "s/^$CERT_ID:\s*\(\S*\)$/\1/p" output > actual
          echo good > expected
          diff expected actual

      - name: Check OCSP responder with revoked cert
        run: |
          # revoke CA agent cert
          docker exec ca /usr/share/pki/tests/ca/bin/ca-agent-cert-revoke.sh

          # https://github.com/dogtagpki/pki/wiki/UpdateCRL-Service
          docker exec ca curl \
              --cert-type P12 \
              --cert /root/.dogtag/pki-tomcat/ca_admin_cert.p12:Secret.123 \
              -sk \
              -d "xml=true" \
              https://ca.example.com:8443/ca/agent/ca/updateCRL \
              | xmllint --format -

          # wait for CRL update
          sleep 10

          # get cert serial number
          docker exec ca pki nss-cert-show caagent | tee output
          CERT_ID=$(sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p" output)

          # check cert status using OCSPClient
          docker exec ocsp OCSPClient \
              -d /root/.dogtag/nssdb \
              -h ocsp.example.com \
              -p 8080 \
              -t /ocsp/ee/ocsp \
              -c ca_signing \
              --serial $CERT_ID | tee output

          # the status should be revoked
          sed -n "s/^CertStatus=\(.*\)$/\1/p" output > actual
          echo Revoked > expected
          diff expected actual

          # check cert status using OpenSSL
          docker exec ocsp openssl ocsp \
              -url http://ocsp.example.com:8080/ocsp/ee/ocsp \
              -CAfile ${SHARED}/ca_signing.crt \
              -issuer ${SHARED}/ca_signing.crt \
              -serial $CERT_ID | tee output

          # the status should be revoked
          sed -n "s/^$CERT_ID:\s*\(\S*\)$/\1/p" output > actual
          echo revoked > expected
          diff expected actual

      - name: Check OCSP responder with unrevoked cert
        run: |
          # unrevoke CA agent cert
          docker exec ca /usr/share/pki/tests/ca/bin/ca-agent-cert-unrevoke.sh

          # https://github.com/dogtagpki/pki/wiki/UpdateCRL-Service
          docker exec ca curl \
              --cert-type P12 \
              --cert /root/.dogtag/pki-tomcat/ca_admin_cert.p12:Secret.123 \
              -sk \
              -d "xml=true" \
              https://ca.example.com:8443/ca/agent/ca/updateCRL \
              | xmllint --format -

          # wait for CRL update
          sleep 10

          # get cert serial number
          docker exec ca pki nss-cert-show caagent | tee output
          CERT_ID=$(sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p" output)

          # check cert status using OCSPClient
          docker exec ocsp OCSPClient \
              -d /root/.dogtag/nssdb \
              -h ocsp.example.com \
              -p 8080 \
              -t /ocsp/ee/ocsp \
              -c ca_signing \
              --serial $CERT_ID | tee output

          # the status should be good
          sed -n "s/^CertStatus=\(.*\)$/\1/p" output > actual
          echo Good > expected
          diff expected actual

          # check cert status using OpenSSL
          docker exec ocsp openssl ocsp \
              -url http://ocsp.example.com:8080/ocsp/ee/ocsp \
              -CAfile ${SHARED}/ca_signing.crt \
              -issuer ${SHARED}/ca_signing.crt \
              -serial $CERT_ID | tee output

          # the status should be good
          sed -n "s/^$CERT_ID:\s*\(\S*\)$/\1/p" output > actual
          echo good > expected
          diff expected actual

      - name: Gather artifacts from CA containers
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh --output=/tmp/artifacts/pki cads
          tests/bin/pki-artifacts-save.sh ca
        continue-on-error: true

      - name: Gather artifacts from OCSP containers
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh --output=/tmp/artifacts/pki ocspds
          tests/bin/pki-artifacts-save.sh ocsp
        continue-on-error: true

      - name: Remove OCSP from OCSP container
        run: docker exec ocsp pkidestroy -i pki-tomcat -s OCSP -v

      - name: Remove CA from CA container
        run: docker exec ca pkidestroy -i pki-tomcat -s CA -v

      - name: Upload artifacts from CA containers
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: ocsp-crl-direct-ca
          path: |
            /tmp/artifacts/ca

      - name: Upload artifacts from OCSP containers
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: ocsp-crl-direct-ocsp
          path: |
            /tmp/artifacts/ocsp