
OCSP responder to serve status check for itself using latest CRL #4168


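---
# Tools Tests
#
# Exercises the PKI command-line tools inside the pki-runner container image
# that the "Building PKI" workflow produces: PKICertImport, the `pki nss-*`
# CLI with RSA keys, EC keys and a SoftHSM token, and the `pki pkcs7-*` CLI.
# Every test job restores the image from the actions cache (keyed on the
# commit SHA), loads it into docker and starts a container named "pki" via
# tests/bin/runner-init.sh before running its checks.
#
# NOTE(review): no `permissions:` block is declared, so each job gets the
# repository's default GITHUB_TOKEN permissions. A top-level
# `permissions: contents: read` (plus whatever the wait-on-check step needs,
# presumably `checks: read`) would follow least privilege, but the reusable
# init.yml is called with `secrets: inherit` and its requirements are not
# visible here — confirm them before restricting.
name: Tools Tests

on: [push, pull_request]

jobs:
  init:
    name: Initialization
    uses: ./.github/workflows/init.yml
    secrets: inherit

  # Blocks until the "Building PKI" check for this commit has completed, so the
  # pki-runner image is in the cache before the test jobs try to restore it.
  build:
    name: Waiting for build
    needs: init
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the action reference on the `uses:` lines below was
      # garbled in the page capture ("[email protected]" is not a valid
      # owner/repo@ref); restore the intended tag. Prefer pinning third-party
      # actions to a full commit SHA (`owner/repo@<sha>  # vX.Y.Z`): a mutable
      # tag can be moved to different code after it has been reviewed, and this
      # step receives the GITHUB_TOKEN.
      - name: Wait for build
        uses: lewagon/[email protected]
        with:
          ref: ${{ github.ref }}
          check-name: 'Building PKI'
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          wait-interval: 30
        if: github.event_name == 'push'

      # On pull requests the build check runs against the PR head commit, so
      # wait on that SHA rather than github.ref.
      - name: Wait for build
        uses: lewagon/[email protected]
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          check-name: 'Building PKI'
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          wait-interval: 30
        if: github.event_name == 'pull_request'

  PKICertImport-test:
    name: Testing PKICertImport
    needs: [init, build]
    runs-on: ubuntu-latest
    env:
      # Path of the repository checkout as seen inside the container; the
      # test script is addressed through it below.
      PKIDIR: /tmp/workdir/pki
    steps:
      - name: Clone repository
        uses: actions/checkout@v3

      # The image tarball is produced by the build workflow and shared through
      # the actions cache; the exact key (no restore-keys) ensures a test never
      # runs against an image built from a different commit.
      - name: Retrieve pki-runner image
        uses: actions/cache@v3
        with:
          key: pki-runner-${{ github.sha }}
          path: pki-runner.tar

      - name: Load runner image
        run: docker load --input pki-runner.tar

      - name: Run container
        run: |
          IMAGE=pki-runner \
          NAME=pki \
          HOSTNAME=pki.example.com \
          tests/bin/runner-init.sh

      - name: Run PKICertImport test
        run: docker exec pki bash ${PKIDIR}/base/util/src/test/shell/test_PKICertImport.bash

  # https://github.com/dogtagpki/pki/wiki/PKI-NSS-CLI
  #
  # Creates a self-signed CA and an SSL server cert with RSA keys, then
  # re-issues the server cert against the existing key (by key ID) and checks
  # trust flags, key type and key ID with certutil.
  pki-nss-rsa-test:
    name: Testing PKI NSS CLI with RSA
    needs: [init, build]
    runs-on: ubuntu-latest
    env:
      PKIDIR: /tmp/workdir/pki
    steps:
      - name: Clone repository
        uses: actions/checkout@v3

      - name: Retrieve pki-runner image
        uses: actions/cache@v3
        with:
          key: pki-runner-${{ github.sha }}
          path: pki-runner.tar

      - name: Load runner image
        run: docker load --input pki-runner.tar

      - name: Run container
        run: |
          IMAGE=pki-runner \
          NAME=pki \
          HOSTNAME=pki.example.com \
          tests/bin/runner-init.sh

      # https://github.com/dogtagpki/pki/wiki/Generating-CA-Signing-CSR-with-PKI-NSS
      - name: Create CA signing cert request with new RSA key
        run: |
          docker exec pki pki nss-cert-request \
              --key-type RSA \
              --subject "CN=Certificate Authority" \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --csr ca_signing.csr
          docker exec pki openssl req -text -noout -in ca_signing.csr

      # https://github.com/dogtagpki/pki/wiki/Issuing-CA-Signing-Certificate-with-PKI-NSS
      - name: Issue self-signed CA signing cert
        run: |
          docker exec pki pki nss-cert-issue \
              --csr ca_signing.csr \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --cert ca_signing.crt
          docker exec pki openssl x509 -text -noout -in ca_signing.crt

      - name: Import CA signing cert
        run: |
          docker exec pki pki nss-cert-import \
              --cert ca_signing.crt \
              --trust CT,C,C \
              ca_signing

          # verify trust flags: the "u" in each field is expected because the
          # private key lives in the same (internal) token
          docker exec pki certutil -L -d /root/.dogtag/nssdb | tee output
          sed -n 's/^ca_signing\s*\(\S\+\)\s*$/\1/p' output > actual
          echo "CTu,Cu,Cu" > expected
          diff actual expected

          # verify key type
          docker exec pki certutil -K -d /root/.dogtag/nssdb | tee output
          sed -n 's/^<.*>\s\+\(\S\+\)\s\+\S\+\s\+NSS Certificate DB:ca_signing$/\1/p' output > actual
          echo rsa > expected
          diff actual expected

      # https://github.com/dogtagpki/pki/wiki/Generating-SSL-Server-CSR-with-PKI-NSS
      - name: Create SSL server cert request with new RSA key
        run: |
          docker exec pki pki nss-cert-request \
              --key-type RSA \
              --subject "CN=pki.example.com" \
              --ext /usr/share/pki/server/certs/sslserver.conf \
              --csr sslserver.csr
          docker exec pki openssl req -text -noout -in sslserver.csr

      # https://github.com/dogtagpki/pki/wiki/Issuing-SSL-Server-Certificate-with-PKI-NSS
      - name: Issue SSL server cert
        run: |
          docker exec pki pki nss-cert-issue \
              --issuer ca_signing \
              --csr sslserver.csr \
              --ext /usr/share/pki/server/certs/sslserver.conf \
              --cert sslserver.crt
          docker exec pki openssl x509 -text -noout -in sslserver.crt

      - name: Import SSL server cert
        run: |
          docker exec pki pki nss-cert-import \
              --cert sslserver.crt \
              sslserver

          # verify trust flags (no explicit --trust, so only "u" is expected)
          docker exec pki certutil -L -d /root/.dogtag/nssdb | tee output
          sed -n 's/^sslserver\s*\(\S\+\)\s*$/\1/p' output > actual
          echo "u,u,u" > expected
          diff actual expected

          # verify key type
          docker exec pki certutil -K -d /root/.dogtag/nssdb | tee output
          sed -n 's/^<.*>\s\+\(\S\+\)\s\+\S\+\s\+NSS Certificate DB:sslserver$/\1/p' output > actual
          echo rsa > expected
          diff actual expected

          # get key ID; reused below to request a new cert on the same key
          docker exec pki certutil -K -d /root/.dogtag/nssdb | tee output
          sed -n 's/^<.*>\s\+\S\+\s\+\(\S\+\)\s\+NSS Certificate DB:sslserver$/\1/p' output > sslserver_key_id

      # Deleting the cert leaves the key in the database (certutil -D removes
      # the certificate only), which the next request relies on.
      - name: Delete SSL server cert
        run: |
          docker exec pki certutil -D -d /root/.dogtag/nssdb -n sslserver
          docker exec pki certutil -L -d /root/.dogtag/nssdb
          docker exec pki certutil -K -d /root/.dogtag/nssdb

      - name: Create new SSL server cert request with existing RSA key
        run: |
          docker exec pki pki nss-cert-request \
              --key-id `cat sslserver_key_id` \
              --subject "CN=pki.example.com" \
              --ext /usr/share/pki/server/certs/sslserver.conf \
              --csr new_sslserver.csr
          docker exec pki openssl req -text -noout -in new_sslserver.csr

      - name: Issue new SSL server cert
        run: |
          docker exec pki pki nss-cert-issue \
              --issuer ca_signing \
              --csr new_sslserver.csr \
              --ext /usr/share/pki/server/certs/sslserver.conf \
              --cert new_sslserver.crt
          docker exec pki openssl x509 -text -noout -in new_sslserver.crt

      - name: Import new SSL server cert
        run: |
          docker exec pki pki nss-cert-import \
              --cert new_sslserver.crt \
              new_sslserver

          # verify trust flags
          docker exec pki certutil -L -d /root/.dogtag/nssdb | tee output
          sed -n 's/^new_sslserver\s*\(\S\+\)\s*$/\1/p' output > actual
          echo "u,u,u" > expected
          diff actual expected

          # verify key type
          docker exec pki certutil -K -d /root/.dogtag/nssdb | tee output
          sed -n 's/^<.*>\s\+\(\S\+\)\s\+\S\+\s\+NSS Certificate DB:new_sslserver$/\1/p' output > actual
          echo rsa > expected
          diff actual expected

          # verify key ID: the new cert must be bound to the original key
          docker exec pki certutil -K -d /root/.dogtag/nssdb | tee output
          sed -n 's/^<.*>\s\+\S\+\s\+\(\S\+\)\s\+NSS Certificate DB:new_sslserver$/\1/p' output > new_sslserver_key_id
          diff sslserver_key_id new_sslserver_key_id

  # https://github.com/dogtagpki/pki/wiki/PKI-NSS-CLI
  #
  # Same flow as pki-nss-rsa-test with EC (nistp256) keys.
  pki-nss-ecc-test:
    name: Testing PKI NSS CLI with ECC
    needs: [init, build]
    runs-on: ubuntu-latest
    env:
      PKIDIR: /tmp/workdir/pki
    steps:
      - name: Clone repository
        uses: actions/checkout@v3

      - name: Retrieve pki-runner image
        uses: actions/cache@v3
        with:
          key: pki-runner-${{ github.sha }}
          path: pki-runner.tar

      - name: Load runner image
        run: docker load --input pki-runner.tar

      - name: Run container
        run: |
          IMAGE=pki-runner \
          NAME=pki \
          HOSTNAME=pki.example.com \
          tests/bin/runner-init.sh

      # https://github.com/dogtagpki/pki/wiki/Generating-CA-Signing-CSR-with-PKI-NSS
      - name: Create CA signing cert request with new EC key
        run: |
          docker exec pki pki nss-cert-request \
              --key-type EC \
              --curve nistp256 \
              --subject "CN=Certificate Authority" \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --csr ca_signing.csr
          docker exec pki openssl req -text -noout -in ca_signing.csr

      # https://github.com/dogtagpki/pki/wiki/Issuing-CA-Signing-Certificate-with-PKI-NSS
      - name: Issue self-signed CA signing cert
        run: |
          docker exec pki pki nss-cert-issue \
              --csr ca_signing.csr \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --cert ca_signing.crt
          docker exec pki openssl x509 -text -noout -in ca_signing.crt

      - name: Import CA signing cert
        run: |
          docker exec pki pki nss-cert-import \
              --cert ca_signing.crt \
              --trust CT,C,C \
              ca_signing

          # verify trust flags
          docker exec pki certutil -L -d /root/.dogtag/nssdb | tee output
          sed -n 's/^ca_signing\s*\(\S\+\)\s*$/\1/p' output > actual
          echo "CTu,Cu,Cu" > expected
          diff actual expected

          # verify key type
          docker exec pki certutil -K -d /root/.dogtag/nssdb | tee output
          sed -n 's/^<.*>\s\+\(\S\+\)\s\+\S\+\s\+NSS Certificate DB:ca_signing$/\1/p' output > actual
          echo ec > expected
          diff actual expected

      # https://github.com/dogtagpki/pki/wiki/Generating-SSL-Server-CSR-with-PKI-NSS
      - name: Create SSL server cert request with new EC key
        run: |
          docker exec pki pki nss-cert-request \
              --key-type EC \
              --curve nistp256 \
              --subject "CN=pki.example.com" \
              --ext /usr/share/pki/server/certs/sslserver.conf \
              --csr sslserver.csr
          docker exec pki openssl req -text -noout -in sslserver.csr

      # https://github.com/dogtagpki/pki/wiki/Issuing-SSL-Server-Certificate-with-PKI-NSS
      - name: Issue SSL server cert
        run: |
          docker exec pki pki nss-cert-issue \
              --issuer ca_signing \
              --csr sslserver.csr \
              --ext /usr/share/pki/server/certs/sslserver.conf \
              --cert sslserver.crt
          docker exec pki openssl x509 -text -noout -in sslserver.crt

      - name: Import SSL server cert
        run: |
          docker exec pki pki nss-cert-import \
              --cert sslserver.crt \
              sslserver

          # verify trust flags
          docker exec pki certutil -L -d /root/.dogtag/nssdb | tee output
          sed -n 's/^sslserver\s*\(\S\+\)\s*$/\1/p' output > actual
          echo "u,u,u" > expected
          diff actual expected

          # verify key type
          docker exec pki certutil -K -d /root/.dogtag/nssdb | tee output
          sed -n 's/^<.*>\s\+\(\S\+\)\s\+\S\+\s\+NSS Certificate DB:sslserver$/\1/p' output > actual
          echo ec > expected
          diff actual expected

          # get key ID; reused below to request a new cert on the same key
          docker exec pki certutil -K -d /root/.dogtag/nssdb | tee output
          sed -n 's/^<.*>\s\+\S\+\s\+\(\S\+\)\s\+NSS Certificate DB:sslserver$/\1/p' output > sslserver_key_id

      # Deleting the cert leaves the key in the database (certutil -D removes
      # the certificate only), which the next request relies on.
      - name: Delete SSL server cert
        run: |
          docker exec pki certutil -D -d /root/.dogtag/nssdb -n sslserver
          docker exec pki certutil -L -d /root/.dogtag/nssdb
          docker exec pki certutil -K -d /root/.dogtag/nssdb

      - name: Create new SSL server cert request with existing EC key
        run: |
          docker exec pki pki nss-cert-request \
              --key-id `cat sslserver_key_id` \
              --subject "CN=pki.example.com" \
              --ext /usr/share/pki/server/certs/sslserver.conf \
              --csr new_sslserver.csr
          docker exec pki openssl req -text -noout -in new_sslserver.csr

      - name: Issue new SSL server cert
        run: |
          docker exec pki pki nss-cert-issue \
              --issuer ca_signing \
              --csr new_sslserver.csr \
              --ext /usr/share/pki/server/certs/sslserver.conf \
              --cert new_sslserver.crt
          docker exec pki openssl x509 -text -noout -in new_sslserver.crt

      - name: Import new SSL server cert
        run: |
          docker exec pki pki nss-cert-import \
              --cert new_sslserver.crt \
              new_sslserver

          # verify trust flags
          docker exec pki certutil -L -d /root/.dogtag/nssdb | tee output
          sed -n 's/^new_sslserver\s*\(\S\+\)\s*$/\1/p' output > actual
          echo "u,u,u" > expected
          diff actual expected

          # verify key type
          docker exec pki certutil -K -d /root/.dogtag/nssdb | tee output
          sed -n 's/^<.*>\s\+\(\S\+\)\s\+\S\+\s\+NSS Certificate DB:new_sslserver$/\1/p' output > actual
          echo ec > expected
          diff actual expected

          # verify key ID: the new cert must be bound to the original key
          docker exec pki certutil -K -d /root/.dogtag/nssdb | tee output
          sed -n 's/^<.*>\s\+\S\+\s\+\(\S\+\)\s\+NSS Certificate DB:new_sslserver$/\1/p' output > new_sslserver_key_id
          diff sslserver_key_id new_sslserver_key_id

  # https://github.com/dogtagpki/pki/wiki/PKI-NSS-CLI
  #
  # Generates the CA signing key in a SoftHSM token and checks that the cert is
  # imported into both the internal token and the HSM with the right trust.
  pki-nss-hsm-test:
    name: Testing PKI NSS CLI with HSM
    needs: [init, build]
    runs-on: ubuntu-latest
    env:
      PKIDIR: /tmp/workdir/pki
    steps:
      - name: Clone repository
        uses: actions/checkout@v3

      - name: Retrieve pki-runner image
        uses: actions/cache@v3
        with:
          key: pki-runner-${{ github.sha }}
          path: pki-runner.tar

      - name: Load runner image
        run: docker load --input pki-runner.tar

      - name: Run container
        run: |
          IMAGE=pki-runner \
          NAME=pki \
          HOSTNAME=pki.example.com \
          tests/bin/runner-init.sh

      # The SO PIN and user PIN are throwaway values for a token that exists
      # only for the lifetime of this job (it is deleted in the last step).
      # Do not copy this pattern for a real HSM.
      - name: Create HSM token
        run: |
          docker exec pki dnf install -y softhsm
          docker exec pki softhsm2-util --init-token \
              --label HSM \
              --so-pin Secret.123 \
              --pin Secret.123 \
              --free
          docker exec pki softhsm2-util --show-slots

      # https://github.com/dogtagpki/pki/wiki/Generating-CA-Signing-CSR-with-PKI-NSS
      # password.conf is written in the checkout on the runner and read inside
      # the container through ${PKIDIR}, so runner-init.sh is presumably
      # mounting the checkout there (not visible in this file).
      - name: Generate CA signing cert request with key in HSM
        run: |
          echo "internal=" > password.conf
          echo "hardware-HSM=Secret.123" >> password.conf
          docker exec pki pki \
              --token HSM \
              -f ${PKIDIR}/password.conf \
              nss-cert-request \
              --subject "CN=Certificate Authority" \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --csr ca_signing.csr
          docker exec pki openssl req -text -noout -in ca_signing.csr

      # https://github.com/dogtagpki/pki/wiki/Issuing-CA-Signing-Certificate-with-PKI-NSS
      - name: Issue self-signed CA signing cert
        run: |
          docker exec pki pki \
              --token HSM \
              -f ${PKIDIR}/password.conf \
              nss-cert-issue \
              --csr ca_signing.csr \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --cert ca_signing.crt
          docker exec pki openssl x509 -text -noout -in ca_signing.crt

      - name: Import CA signing cert into internal token and HSM
        run: |
          docker exec pki pki \
              --token HSM \
              -f ${PKIDIR}/password.conf \
              nss-cert-import \
              --cert ca_signing.crt \
              --trust CT,C,C \
              ca_signing

      # No "u" flag here: the private key is in the HSM, not the internal token.
      - name: Verify CA signing cert trust flags in internal token
        run: |
          docker exec pki certutil -L -d /root/.dogtag/nssdb | tee output
          sed -n 's/^ca_signing\s*\(\S\+\)\s*$/\1/p' output > actual
          echo "CT,C,C" > expected
          diff actual expected

      - name: Verify CA signing cert trust flags in HSM
        run: |
          echo "Secret.123" > password.txt
          docker exec pki certutil \
              -L \
              -d /root/.dogtag/nssdb \
              -h HSM \
              -f ${PKIDIR}/password.txt | tee output
          sed -n 's/^HSM:ca_signing\s*\(\S\+\)\s*$/\1/p' output > actual
          echo "CTu,Cu,Cu" > expected
          diff actual expected

      - name: Remove HSM token
        run: docker exec pki softhsm2-util --delete-token --token HSM

  # docs/user/tools/Using-PKI-PKCS7-CLI.adoc
  #
  # Builds a two-cert chain (CA + SSL server), round-trips it through PKCS #7
  # and PEM with the pkcs7-* commands, and checks the trust flags survive
  # re-import into the NSS database.
  pki-pkcs7-test:
    name: Testing PKI PKCS7 CLI
    needs: [init, build]
    runs-on: ubuntu-latest
    env:
      PKIDIR: /tmp/workdir/pki
    steps:
      - name: Clone repository
        uses: actions/checkout@v3

      - name: Retrieve pki-runner image
        uses: actions/cache@v3
        with:
          key: pki-runner-${{ github.sha }}
          path: pki-runner.tar

      - name: Load runner image
        run: docker load --input pki-runner.tar

      - name: Run container
        run: |
          IMAGE=pki-runner \
          NAME=pki \
          HOSTNAME=pki.example.com \
          tests/bin/runner-init.sh

      - name: Generate CA signing cert request
        run: |
          docker exec pki pki nss-cert-request \
              --subject "CN=Certificate Authority" \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --csr ca_signing.csr

      - name: Issue self-signed CA signing cert
        run: |
          docker exec pki pki nss-cert-issue \
              --csr ca_signing.csr \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --cert ca_signing.crt

      - name: Import CA signing cert
        run: |
          docker exec pki pki nss-cert-import \
              --cert ca_signing.crt \
              --trust CT,C,C \
              ca_signing

      - name: Generate SSL server cert request
        run: |
          docker exec pki pki nss-cert-request \
              --subject "CN=localhost.localdomain" \
              --ext /usr/share/pki/server/certs/sslserver.conf \
              --csr sslserver.csr

      # Issue the leaf with the SSL server extension profile. The original
      # step passed ca_signing.conf here, which applies the CA signing
      # extension profile to a server leaf; the CSR above and the RSA/ECC
      # jobs both use sslserver.conf for this cert.
      - name: Issue SSL server cert signed by CA signing cert
        run: |
          docker exec pki pki nss-cert-issue \
              --issuer ca_signing \
              --csr sslserver.csr \
              --ext /usr/share/pki/server/certs/sslserver.conf \
              --cert sslserver.crt

      - name: Import SSL server cert
        run: docker exec pki pki nss-cert-import sslserver --cert sslserver.crt

      - name: "Export SSL server cert chain into PKCS #7 chain"
        run: |
          docker exec pki pki pkcs7-export sslserver --pkcs7 cert_chain.p7b
          docker exec pki pki pkcs7-cert-find --pkcs7 cert_chain.p7b

      - name: Convert cert chain into separate PEM certificates
        run: |
          docker exec pki pki pkcs7-cert-export --pkcs7 cert_chain.p7b --output-prefix cert- --output-suffix .pem
          docker exec pki cat cert-0.pem
          docker exec pki cat cert-1.pem

      - name: "Merge PEM certificates into a PKCS #7 chain"
        run: |
          docker exec pki rm -f cert_chain.p7b
          docker exec pki pki pkcs7-cert-import --pkcs7 cert_chain.p7b --input-file cert-0.pem
          docker exec pki pki pkcs7-cert-import --pkcs7 cert_chain.p7b --input-file cert-1.pem --append
          docker exec pki pki pkcs7-cert-find --pkcs7 cert_chain.p7b

      - name: Remove certs from NSS database
        run: |
          docker exec pki certutil -D -d /root/.dogtag/nssdb -n sslserver
          docker exec pki certutil -D -d /root/.dogtag/nssdb -n ca_signing
          docker exec pki certutil -L -d /root/.dogtag/nssdb

      - name: "Import PKCS #7 chain into NSS database"
        run: |
          docker exec pki pki pkcs7-import sslserver --pkcs7 cert_chain.p7b
          docker exec pki certutil -L -d /root/.dogtag/nssdb

      # After pkcs7-import the CA cert is listed under its subject CN
      # ("Certificate Authority") rather than the original "ca_signing"
      # nickname, so the pattern and the later certutil -D use that name.
      - name: Verify CA signing cert trust flags
        run: |
          docker exec pki certutil -L -d /root/.dogtag/nssdb | tee output
          sed -n 's/^Certificate Authority *\(\S\+\)/\1/p' output > actual
          echo "CTu,Cu,Cu" > expected
          diff actual expected

      - name: Verify SSL server cert trust flags
        run: |
          docker exec pki certutil -L -d /root/.dogtag/nssdb | tee output
          sed -n 's/^sslserver *\(\S\+\)/\1/p' output > actual
          echo "u,u,u" > expected
          diff actual expected

      - name: "Convert PKCS #7 chain into a series of PEM certificates"
        run: |
          docker exec pki pki pkcs7-cert-export --pkcs7 cert_chain.p7b --output-file cert_chain.pem
          docker exec pki cat cert_chain.pem

      - name: Remove certs from NSS database
        run: |
          docker exec pki certutil -D -d /root/.dogtag/nssdb -n sslserver
          docker exec pki certutil -D -d /root/.dogtag/nssdb -n "Certificate Authority"
          docker exec pki certutil -L -d /root/.dogtag/nssdb

      - name: Import PEM certificates into NSS database
        run: |
          docker exec pki rm -f cert_chain.p7b
          docker exec pki pki pkcs7-cert-import --pkcs7 cert_chain.p7b --input-file cert_chain.pem
          docker exec pki pki pkcs7-import sslserver --pkcs7 cert_chain.p7b
          docker exec pki certutil -L -d /root/.dogtag/nssdb

      - name: Verify CA signing cert trust flags
        run: |
          docker exec pki certutil -L -d /root/.dogtag/nssdb | tee output
          sed -n 's/^Certificate Authority *\(\S\+\)/\1/p' output > actual
          echo "CTu,Cu,Cu" > expected
          diff actual expected

      - name: Verify SSL server cert trust flags
        run: |
          docker exec pki certutil -L -d /root/.dogtag/nssdb | tee output
          sed -n 's/^sslserver *\(\S\+\)/\1/p' output > actual
          echo "u,u,u" > expected
          diff actual expected

  update-version-test:
    name: Update Version
    uses: ./.github/workflows/update-version-test.yml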