-
Notifications
You must be signed in to change notification settings - Fork 139
189 lines (154 loc) · 6.63 KB
/
ca-profile-caServerCert-test.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
name: CA with caServerCert profile
on: workflow_call
env:
DS_IMAGE: ${{ vars.DS_IMAGE || 'quay.io/389ds/dirsrv' }}
jobs:
test:
name: Test
runs-on: ubuntu-latest
env:
SHARED: /tmp/workdir/pki
steps:
- name: Clone repository
uses: actions/checkout@v4
- name: Retrieve PKI images
uses: actions/cache@v4
with:
key: pki-images-${{ github.sha }}
path: pki-images.tar
- name: Load PKI images
run: docker load --input pki-images.tar
- name: Create network
run: docker network create example
- name: Set up DS container
run: |
tests/bin/ds-create.sh \
--image=${{ env.DS_IMAGE }} \
--hostname=ds.example.com \
--password=Secret.123 \
ds
- name: Connect DS container to network
run: docker network connect example ds --alias ds.example.com
- name: Set up PKI container
run: |
tests/bin/runner-init.sh pki
env:
HOSTNAME: pki.example.com
- name: Connect PKI container to network
run: docker network connect example pki --alias pki.example.com
- name: Install CA
run: |
docker exec pki pkispawn \
-f /usr/share/pki/server/examples/installation/ca.cfg \
-s CA \
-D pki_ds_url=ldap://ds.example.com:3389 \
-v
- name: Configure caServerCert profile
run: |
# allow user-specified SAN extension
docker exec pki sed -i \
-e "s/^\(policyset.serverCertSet.list\)=\(.*\)$/\1=\2,13/" \
-e '$ a policyset.serverCertSet.13.constraint.class_id=noConstraintImpl' \
-e '$ a policyset.serverCertSet.13.constraint.name=No Constraint' \
-e '$ a policyset.serverCertSet.13.default.class_id=userExtensionDefaultImpl' \
-e '$ a policyset.serverCertSet.13.default.name=User supplied extension in CSR' \
-e '$ a policyset.serverCertSet.13.default.params.userExtOID=2.5.29.17' \
/var/lib/pki/pki-tomcat/conf/ca/profiles/ca/caServerCert.cfg
# require unique subject name
docker exec pki sed -i \
-e "s/^\(policyset.serverCertSet.list\)=\(.*\)$/\1=\2,14/" \
-e '$ a policyset.serverCertSet.14.constraint.class_id=uniqueSubjectNameConstraintImpl' \
-e '$ a policyset.serverCertSet.14.constraint.name=Unique Subject Name Constraint' \
-e '$ a policyset.serverCertSet.14.default.class_id=noDefaultImpl' \
-e '$ a policyset.serverCertSet.14.default.name=No Default' \
/var/lib/pki/pki-tomcat/conf/ca/profiles/ca/caServerCert.cfg
# check updated profile
docker exec pki cat /var/lib/pki/pki-tomcat/conf/ca/profiles/ca/caServerCert.cfg
docker exec pki pki-server ca-redeploy --wait
- name: Set up CA admin
run: |
docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
docker exec pki pki nss-cert-import \
--cert ca_signing.crt \
--trust CT,C,C \
ca_signing
docker exec pki pki pkcs12-import \
--pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
--pkcs12-password Secret.123
- name: Create SSL server cert
run: |
# generate cert request
docker exec pki pki \
nss-cert-request \
--subject "CN=server.example.com" \
--ext /usr/share/pki/server/certs/sslserver.conf \
--subjectAltName "critical, DNS:www.example.com" \
--csr sslserver.csr
docker exec pki openssl req -text -noout -in sslserver.csr | tee output
# verify SAN extension in cert request
echo "X509v3 Subject Alternative Name: critical" > expected
echo "DNS:www.example.com" >> expected
sed -En 'N; s/^ *(X509v3 Subject Alternative Name: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
diff actual expected
# issue cert
docker exec pki pki \
-n caadmin \
ca-cert-issue \
--profile caServerCert \
--csr-file sslserver.csr \
--output-file sslserver.crt
docker exec pki openssl x509 -text -noout -in sslserver.crt | tee output
# verfiy SAN extension in cert
echo "X509v3 Subject Alternative Name: critical" > expected
echo "DNS:www.example.com" >> expected
sed -En 'N; s/^ *(X509v3 Subject Alternative Name: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
diff actual expected
- name: Create SSL server cert with same subject name
run: |
# generate cert request
docker exec pki pki \
nss-cert-request \
--subject "CN=server.example.com" \
--ext /usr/share/pki/server/certs/sslserver.conf \
--subjectAltName "critical, DNS:pki.example.com" \
--csr sslserver.csr
docker exec pki openssl req -text -noout -in sslserver.csr | tee output
# verify SAN extension
echo "X509v3 Subject Alternative Name: critical" > expected
echo "DNS:pki.example.com" >> expected
sed -En 'N; s/^ *(X509v3 Subject Alternative Name: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
diff actual expected
# issue cert
docker exec pki pki \
-n caadmin \
ca-cert-issue \
--profile caServerCert \
--csr-file sslserver.csr \
> >(tee stdout) 2> >(tee stderr >&2) || true
# request should be rejected by UniqueSubjectNameConstraint
cat > expected << EOF
ERROR: Request rejected: Subject Name Not Unique CN=server.example.com
EOF
diff expected stderr
- name: Remove CA
run: docker exec pki pkidestroy -s CA -v
- name: Check PKI server systemd journal
if: always()
run: |
docker exec pki journalctl -x --no-pager -u [email protected]
- name: Check CA debug log
if: always()
run: |
docker exec pki find /var/lib/pki/pki-tomcat/logs/ca -name "debug.*" -exec cat {} \;
- name: Gather artifacts
if: always()
run: |
tests/bin/ds-artifacts-save.sh ds
tests/bin/pki-artifacts-save.sh pki
continue-on-error: true
- name: Upload artifacts
if: always()
uses: actions/upload-artifact@v4
with:
name: ca-profile-caServerCert
path: /tmp/artifacts