Add pki nss-cert-del #4599

Merged
merged 1 commit into from
Nov 2, 2023
Merged
3 changes: 1 addition & 2 deletions .github/workflows/ca-renewal-system-certs-test.yml
Expand Up @@ -395,8 +395,7 @@ jobs:
docker exec pki pki ca-cert-export $CERT_ID --output-file caadmin.crt

# delete current cert
# TODO: add pki nss-cert-del command
docker exec pki certutil -D -d /root/.dogtag/nssdb -n caadmin
docker exec pki pki nss-cert-del caadmin

# install new cert
docker exec pki pki nss-cert-import caadmin --cert caadmin.crt
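Review bot: The `# delete current cert` comment no longer says why the key is left in place, which is the property the replacement depends on: `pki nss-cert-del caadmin` removes only the certificate unless `--remove-key` is given (the pki-nss-ecc-test.yml changes in this PR verify the orphaned key), and the `nss-cert-import caadmin --cert caadmin.crt` that follows presumably re-pairs the renewed cert with that key. I'd extend the comment to `# delete current cert only; the key stays (no --remove-key) so the renewed cert re-pairs with it`. The step also has no listing or assertion between the delete and the import, unlike the other workflows touched here; a `docker exec pki certutil -L -d /root/.dogtag/nssdb` after the delete would at least make a failed removal visible in the log. The enclosing step starts before this hunk.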
39 changes: 35 additions & 4 deletions .github/workflows/pki-nss-ecc-test.yml
Expand Up @@ -142,11 +142,24 @@ jobs:
sed -n 's/\s*Type:\s*\(\S\+\)\s*$/\L\1/p' output > actual
diff actual expected

- name: Delete SSL server cert
- name: Delete SSL server cert but keep the key
run: |
docker exec pki certutil -D -d /root/.dogtag/nssdb -n sslserver
docker exec pki certutil -L -d /root/.dogtag/nssdb
docker exec pki certutil -K -d /root/.dogtag/nssdb
docker exec pki pki nss-cert-del sslserver

docker exec pki certutil -L -d /root/.dogtag/nssdb | tee output

# SSL server cert should not exist
echo "ca_signing CTu,Cu,Cu" > expected
sed -n -e '1,4d' -e 's/^\(.*\S\)\s\+\(\S\+\)\s*$/\1 \2/p' output > actual
diff expected actual

docker exec pki certutil -K -d /root/.dogtag/nssdb | tee output

# SSL server key should exist but orphaned
echo "(orphan)" > expected
echo "NSS Certificate DB:ca_signing" >> expected
sed -n 's/^<.*>\s\+\S\+\s\+\S\+\s\+\(.*\)$/\1/p' output | sort > actual
diff expected actual

- name: Create new SSL server cert request with existing EC key
run: |
Expand Down Expand Up @@ -201,3 +214,21 @@ jobs:
docker exec pki certutil -K -d /root/.dogtag/nssdb | tee output
sed -n 's/^<.*>\s\+\S\+\s\+\(\S\+\)\s\+NSS Certificate DB:new_sslserver$/\1/p' output > new_sslserver_key_id
diff sslserver_key_id new_sslserver_key_id

- name: Delete SSL server cert and key
run: |
docker exec pki pki nss-cert-del new_sslserver --remove-key

docker exec pki certutil -L -d /root/.dogtag/nssdb | tee output

# SSL server cert should not exist
echo "ca_signing CTu,Cu,Cu" > expected
sed -n -e '1,4d' -e 's/^\(.*\S\)\s\+\(\S\+\)\s*$/\1 \2/p' output > actual
diff expected actual

docker exec pki certutil -K -d /root/.dogtag/nssdb | tee output

# SSL server key should not exist
echo "NSS Certificate DB:ca_signing" > expected
sed -n 's/^<.*>\s\+\S\+\s\+\S\+\s\+\(.*\)$/\1/p' output | sort > actual
diff expected actual
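Review bot: The `--remove-key` path at `docker exec pki pki nss-cert-del new_sslserver --remove-key` is exercised only on the success case; nothing in this step checks what `pki nss-cert-del` does for a nickname that no longer exists (for example running the same command a second time), so the error behaviour of the new command is untested. If the command is meant to fail on an unknown nickname, a line such as `if docker exec pki pki nss-cert-del new_sslserver --remove-key; then exit 1; fi` after the existing checks would pin that down. The verification blocks after each delete (certutil -L, `sed -n -e '1,4d' …`, `diff expected actual`, then the certutil -K variant) appear verbatim in the earlier hunk of this file and in pki-nss-rsa-test.yml; a small shared script would keep the workflows from drifting. The `1,4d` also assumes certutil -L always prints a four-line header, which deserves a comment such as `# skip the 4-line certutil -L header`.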
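--- a/.github/workflows/pki-nss-hsm-test.yml
+++ b/.github/workflows/pki-nss-hsm-test.yml
@@ -254,5 +254,209 @@ jobs:
 sed -n 's/\s*Type:\s*\(\S\+\)\s*$/\L\1/p' output > actual
 diff actual expected
 
+# get key ID
+sed -n 's/\s*Key ID:\s*\(\S\+\)\s*$/\L\1/p' output > sslserver_key_id
+
+- name: Delete SSL server cert but keep the key
+run: |
+# delete cert from internal token
+docker exec pki pki \
+nss-cert-del \
+sslserver
+
+# delete cert from HSM
+docker exec pki pki \
+-f $SHARED/password.conf \
+nss-cert-del \
+HSM:sslserver
+
+- name: Verify SSL server cert in internal token
+run: |
+docker exec pki certutil -L -d /root/.dogtag/nssdb | tee output
+
+# SSL server cert should not exist
+echo "ca_signing CT,C,C" > expected
+sed -n -e '1,4d' -e 's/^\(.*\S\)\s\+\(\S\+\)\s*$/\1 \2/p' output > actual
+diff expected actual
+
+docker exec pki certutil -K -d /root/.dogtag/nssdb | tee output
+
+# SSL server key should not exist
+echo -n > expected
+sed -n 's/^<.*>\s\+\S\+\s\+\S\+\s\+\(.*\)$/\1/p' output | sort > actual
+diff expected actual
+
+- name: Verify SSL server cert in HSM
+run: |
+docker exec pki certutil -L \
+-d /root/.dogtag/nssdb \
+-h HSM \
+-f $SHARED/password.txt | tee output
+
+# SSL server cert should not exist
+echo "HSM:ca_signing CTu,Cu,Cu" > expected
+sed -n -e '1,4d' -e 's/^\(.*\S\)\s\+\(\S\+\)\s*$/\1 \2/p' output > actual
+diff expected actual
+
+docker exec pki certutil -K \
+-d /root/.dogtag/nssdb \
+-h HSM \
+-f $SHARED/password.txt | tee output
+
+# SSL server key should exist but orphaned
+echo "(orphan)" > expected
+echo "HSM:ca_signing" >> expected
+sed -n 's/^<.*>\s\+\S\+\s\+\S\+\s\+\(.*\)$/\1/p' output | sort > actual
+diff expected actual
+
+- name: Create new SSL server cert request with existing key in HSM
+run: |
+docker exec pki pki \
+--token HSM \
+-f $SHARED/password.conf \
+nss-cert-request \
+--key-id $(cat sslserver_key_id) \
+--subject "CN=pki.example.com" \
+--ext /usr/share/pki/server/certs/sslserver.conf \
+--csr new_sslserver.csr
+docker exec pki openssl req -text -noout -in new_sslserver.csr
+
+docker exec pki certutil -K -d /root/.dogtag/nssdb || true
+
+docker exec pki certutil -K \
+-d /root/.dogtag/nssdb \
+-f $SHARED/password.txt \
+-h HSM
+
+- name: Issue new SSL server cert
+run: |
+docker exec pki pki \
+--token HSM \
+-f $SHARED/password.conf \
+nss-cert-issue \
+--issuer HSM:ca_signing \
+--csr new_sslserver.csr \
+--ext /usr/share/pki/server/certs/sslserver.conf \
+--cert new_sslserver.crt
+docker exec pki openssl x509 -text -noout -in new_sslserver.crt
+
+- name: Import new SSL server cert into internal token and HSM
+run: |
+docker exec pki pki \
+--token HSM \
+-f $SHARED/password.conf \
+nss-cert-import \
+--cert new_sslserver.crt \
+new_sslserver
+
+- name: Verify SSL server cert in internal token
+run: |
+# verify trust flags
+echo ",," > expected
+
+docker exec pki certutil -L -d /root/.dogtag/nssdb | tee output
+sed -n 's/^new_sslserver\s*\(\S\+\)\s*$/\1/p' output > actual
+diff actual expected
+
+docker exec pki pki nss-cert-show new_sslserver | tee output
+sed -n 's/\s*Trust Flags:\s*\(\S\+\)\s*$/\1/p' output > actual
+diff actual expected
+
+# verify key not in internal token
+docker exec pki pki \
+-f $SHARED/password.conf \
+nss-key-find \
+--nickname new_sslserver | tee actual
+echo -n > expected
+diff actual expected
+
+- name: Verify SSL server cert in HSM
+run: |
+# verify trust flags
+echo "u,u,u" > expected
+
+docker exec pki certutil -L \
+-d /root/.dogtag/nssdb \
+-h HSM \
+-f $SHARED/password.txt | tee output
+sed -n 's/^HSM:new_sslserver\s*\(\S\+\)\s*$/\1/p' output > actual
+diff actual expected
+
+docker exec pki pki \
+--token HSM \
+-f $SHARED/password.conf \
+nss-cert-show \
+HSM:new_sslserver | tee output
+sed -n 's/\s*Trust Flags:\s*\(\S\+\)\s*$/\1/p' output > actual
+diff actual expected
+
+# verify key type
+echo rsa > expected
+
+docker exec pki pki \
+--token HSM \
+-f $SHARED/password.conf \
+nss-key-find \
+--nickname HSM:new_sslserver | tee output
+sed -n 's/\s*Type:\s*\(\S\+\)\s*$/\L\1/p' output > actual
+diff actual expected
+
+# get key ID
+sed -n 's/\s*Key ID:\s*\(\S\+\)\s*$/\L\1/p' output > new_sslserver_key_id
+diff sslserver_key_id new_sslserver_key_id
+
+- name: Delete SSL server cert and key from internal token and HSM
+run: |
+# delete cert from internal token
+docker exec pki pki \
+nss-cert-del \
+new_sslserver \
+--remove-key
+
+# delete cert from HSM
+docker exec pki pki \
+-f $SHARED/password.conf \
+nss-cert-del \
+HSM:new_sslserver \
+--remove-key
+
+- name: Verify SSL server cert in internal token
+run: |
+docker exec pki certutil -L -d /root/.dogtag/nssdb | tee output
+
+# SSL server cert should not exist
+echo "ca_signing CT,C,C" > expected
+sed -n -e '1,4d' -e 's/^\(.*\S\)\s\+\(\S\+\)\s*$/\1 \2/p' output > actual
+diff expected actual
+
+docker exec pki certutil -K -d /root/.dogtag/nssdb | tee output
+
+# SSL server key should not exist
+echo -n > expected
+sed -n 's/^<.*>\s\+\S\+\s\+\S\+\s\+\(.*\)$/\1/p' output | sort > actual
+diff expected actual
+
+- name: Verify SSL server cert in HSM
+run: |
+docker exec pki certutil -L \
+-d /root/.dogtag/nssdb \
+-h HSM \
+-f $SHARED/password.txt | tee output
+
+# SSL server cert should not exist
+echo "HSM:ca_signing CTu,Cu,Cu" > expected
+sed -n -e '1,4d' -e 's/^\(.*\S\)\s\+\(\S\+\)\s*$/\1 \2/p' output > actual
+diff expected actual
+
+docker exec pki certutil -K \
+-d /root/.dogtag/nssdb \
+-h HSM \
+-f $SHARED/password.txt | tee output
+
+# SSL server key should not exist
+echo "HSM:ca_signing" > expected
+sed -n 's/^<.*>\s\+\S\+\s\+\S\+\s\+\(.*\)$/\1/p' output | sort > actual
+diff expected actual
+
 - name: Remove HSM token
 run: docker exec pki softhsm2-util --delete-token --token HSM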
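Review bot: The `docker exec pki certutil -K -d /root/.dogtag/nssdb || true` in the "Create new SSL server cert request with existing key in HSM" step suppresses the exit status with no explanation, while the same call in the preceding verify step is piped through `tee` and therefore never fails the job either way. That earlier step already established that the internal token holds no keys, so the `|| true` is presumably there because certutil -K exits non-zero on an empty key list; I'd state that: `# internal token holds no keys (see previous step); certutil -K presumably exits non-zero on an empty list`. Separately, three steps are named "Verify SSL server cert in internal token" and three "Verify SSL server cert in HSM"; distinct names ("… after delete", "… after import", "… after delete with key") would make a failing check easier to locate in the job log. Quoting the key id as `--key-id "$(cat sslserver_key_id)" \` would also turn an empty sslserver_key_id file into a clear argument error instead of letting `--key-id` swallow `--subject` as its value.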
39 changes: 35 additions & 4 deletions .github/workflows/pki-nss-rsa-test.yml
Expand Up @@ -142,11 +142,24 @@ jobs:
sed -n 's/\s*Type:\s*\(\S\+\)\s*$/\L\1/p' output > actual
diff actual expected

- name: Delete SSL server cert
- name: Delete SSL server cert but keep the key
run: |
docker exec pki certutil -D -d /root/.dogtag/nssdb -n sslserver
docker exec pki certutil -L -d /root/.dogtag/nssdb
docker exec pki certutil -K -d /root/.dogtag/nssdb
docker exec pki pki nss-cert-del sslserver

docker exec pki certutil -L -d /root/.dogtag/nssdb | tee output

# SSL server cert should not exist
echo "ca_signing CTu,Cu,Cu" > expected
sed -n -e '1,4d' -e 's/^\(.*\S\)\s\+\(\S\+\)\s*$/\1 \2/p' output > actual
diff expected actual

docker exec pki certutil -K -d /root/.dogtag/nssdb | tee output

# SSL server key should exist but orphaned
echo "(orphan)" > expected
echo "NSS Certificate DB:ca_signing" >> expected
sed -n 's/^<.*>\s\+\S\+\s\+\S\+\s\+\(.*\)$/\1/p' output | sort > actual
diff expected actual

- name: Create new SSL server cert request with existing RSA key
run: |
Expand Down Expand Up @@ -200,3 +213,21 @@ jobs:
docker exec pki pki nss-key-find --nickname new_sslserver | tee output
sed -n 's/\s*Type:\s*\(\S\+\)\s*$/\L\1/p' output > actual
diff actual expected

- name: Delete SSL server cert and key
run: |
docker exec pki pki nss-cert-del new_sslserver --remove-key

docker exec pki certutil -L -d /root/.dogtag/nssdb | tee output

# SSL server cert should not exist
echo "ca_signing CTu,Cu,Cu" > expected
sed -n -e '1,4d' -e 's/^\(.*\S\)\s\+\(\S\+\)\s*$/\1 \2/p' output > actual
diff expected actual

docker exec pki certutil -K -d /root/.dogtag/nssdb | tee output

# SSL server key should not exist
echo "NSS Certificate DB:ca_signing" > expected
sed -n 's/^<.*>\s\+\S\+\s\+\S\+\s\+\(.*\)$/\1/p' output | sort > actual
diff expected actual
8 changes: 4 additions & 4 deletions .github/workflows/pki-pkcs7-test.yml
Expand Up @@ -98,8 +98,8 @@ jobs:

- name: Remove certs from NSS database
run: |
docker exec pki certutil -D -d /root/.dogtag/nssdb -n sslserver
docker exec pki certutil -D -d /root/.dogtag/nssdb -n ca_signing
docker exec pki pki nss-cert-del sslserver
docker exec pki pki nss-cert-del ca_signing
docker exec pki certutil -L -d /root/.dogtag/nssdb

- name: "Import PKCS #7 chain into NSS database"
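Review bot: After the two `pki nss-cert-del` calls, `docker exec pki certutil -L -d /root/.dogtag/nssdb` only prints the listing; nothing asserts that sslserver and ca_signing are actually gone, so a deletion that silently fails would not fail the job, whereas the ECC and RSA workflows in this PR diff the listing against an expected file. Assuming certutil -L keeps its usual four-line header on an empty database, I'd replace that line with `docker exec pki certutil -L -d /root/.dogtag/nssdb | tee output`, `sed -n -e '1,4d' -e 's/^\(.*\S\)\s\+\(\S\+\)\s*$/\1 \2/p' output > actual` and `diff /dev/null actual`. The same applies to the second hunk of this file, where `"Certificate Authority"` is deleted instead of ca_signing.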
Expand Down Expand Up @@ -130,8 +130,8 @@ jobs:

- name: Remove certs from NSS database
run: |
docker exec pki certutil -D -d /root/.dogtag/nssdb -n sslserver
docker exec pki certutil -D -d /root/.dogtag/nssdb -n "Certificate Authority"
docker exec pki pki nss-cert-del sslserver
docker exec pki pki nss-cert-del "Certificate Authority"
docker exec pki certutil -L -d /root/.dogtag/nssdb

- name: Import PEM certificates into NSS database