From cf27359fb2bc989dbf340125e61270dc99ceefbf Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Tue, 20 Aug 2024 16:47:35 -0500
Subject: [PATCH] Update sub CA tests

The latest NSS requires the client to have the full cert chain in order to validate a cert, so most of the sub CA tests have been updated to install the sub CA signing cert in addition to the root CA signing cert.

For some reason the sub CA tests with HSM still work without these changes. That will be investigated separately later.
---
 .github/workflows/ipa-subca-test.yml | 11 ++++++++++-
 .github/workflows/subca-basic-test.yml | 11 ++++++++++-
 .github/workflows/subca-clone-hsm-test.yml | 1 +
 .github/workflows/subca-clone-test.yml | 12 ++++++++++++
 .github/workflows/subca-cmc-test.yml | 11 ++++++++++-
 .github/workflows/subca-external-test.yml | 11 ++++++++++-
 .github/workflows/subca-hsm-test.yml | 1 +
 7 files changed, 54 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ipa-subca-test.yml b/.github/workflows/ipa-subca-test.yml
index 83653289db7..de81d2c73d2 100644
--- a/.github/workflows/ipa-subca-test.yml
+++ b/.github/workflows/ipa-subca-test.yml
@@ -92,10 +92,19 @@ jobs:
 - name: Check Sub-CA admin
 run: |
- docker exec ipa pki client-cert-import ca_signing --ca-cert root-ca_signing.crt
+ docker exec ipa pki nss-cert-import \
+ --cert root-ca_signing.crt \
+ --trust CT,C,C \
+ root-ca_signing
+
+ docker exec ipa pki nss-cert-import \
+ --cert ipa.crt \
+ ca_signing
+
 docker exec ipa pki pkcs12-import \
 --pkcs12 /root/ca-agent.p12 \
 --pkcs12-password Secret.123
+
 docker exec ipa pki -n ipa-ca-agent ca-user-show admin
 - name: Gather artifacts
diff --git a/.github/workflows/subca-basic-test.yml b/.github/workflows/subca-basic-test.yml
index a2505d9f27c..1963acbace0 100644
--- a/.github/workflows/subca-basic-test.yml
+++ b/.github/workflows/subca-basic-test.yml
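Review bot: The root anchor `root-ca_signing` is imported with `--trust CT,C,C`, which also marks it trusted for e-mail and object signing, while the commands that follow in this step appear to exercise only TLS and the agent's client cert; unless a later step relies on those extra categories, `--trust C,, \` (or `CT,,`) limits the test anchor to the trust the test actually uses. The sub CA cert (`ipa.crt` here) is rightly imported under `ca_signing` with no trust flags, so validation has to chain up to the root rather than stopping at the intermediate; a YAML comment above that call, `# no --trust: the sub CA is an intermediate, trust comes from root-ca_signing`, would keep a later edit from turning it into a second anchor. The same shape, with the same two remarks, appears in the subca-basic, subca-cmc and subca-external hunks.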
@@ -145,10 +145,19 @@ jobs:
 - name: Verify CA admin
 run: |
- docker exec subordinate pki client-cert-import ca_signing --ca-cert ${SHARED}/root-ca_signing.crt
+ docker exec subordinate pki nss-cert-import \
+ --cert $SHARED/root-ca_signing.crt \
+ --trust CT,C,C \
+ root-ca_signing
+
+ docker exec subordinate pki nss-cert-import \
+ --cert ca_signing.crt \
+ ca_signing
+
 docker exec subordinate pki pkcs12-import \
 --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
 --pkcs12-password Secret.123
+
 docker exec subordinate pki -n caadmin --ignore-banner ca-user-show caadmin
 - name: Check cert requests in subordinate CA
diff --git a/.github/workflows/subca-clone-hsm-test.yml b/.github/workflows/subca-clone-hsm-test.yml
index f2e515b0537..4bd433ae6e0 100644
--- a/.github/workflows/subca-clone-hsm-test.yml
+++ b/.github/workflows/subca-clone-hsm-test.yml
@@ -280,6 +280,7 @@ jobs:
 docker exec primary-subca pki pkcs12-import \
 --pkcs12 $SHARED/caadmin.p12 \
 --pkcs12-password Secret.123
+
 docker exec primary-subca pki -n caadmin ca-user-show caadmin
 - name: Set up secondary DS container
diff --git a/.github/workflows/subca-clone-test.yml b/.github/workflows/subca-clone-test.yml
index c2a78206010..6151fb3f7bb 100644
--- a/.github/workflows/subca-clone-test.yml
+++ b/.github/workflows/subca-clone-test.yml
@@ -113,9 +113,15 @@ jobs:
 docker exec primary-subca pki client-cert-import \
 --ca-cert $SHARED/root-ca_signing.crt \
 root-ca_signing
+
+ docker exec primary-subca pki nss-cert-import \
+ --cert $SHARED/subca_signing.crt \
+ ca_signing
+
 docker exec primary-subca pki pkcs12-import \
 --pkcs12 $SHARED/caadmin.p12 \
 --pkcs12-password Secret.123
+
 docker exec primary-subca pki -n caadmin ca-user-show caadmin
 - name: Export primary sub-CA certs
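Review bot: In the subca-clone-test hunk the root anchor is still installed with `client-cert-import --ca-cert` (unchanged context lines at the top of the hunk), while the other workflows in this commit moved the root to `nss-cert-import --cert $SHARED/root-ca_signing.crt --trust CT,C,C root-ca_signing`; the second hunk of the same file (`@@ -241,9 +247,15 @@`) has the same shape. If the two commands do not assign the same trust flags, the clone test validates against a differently-trusted anchor than the rest of the suite, so it is worth switching those three context lines to the same form so the workflows stay comparable. The new `nss-cert-import` of `$SHARED/subca_signing.crt` correctly carries no trust flags; keep it that way when aligning the root import.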
@@ -241,9 +247,15 @@ jobs:
 docker exec secondary-subca pki client-cert-import \
 --ca-cert $SHARED/root-ca_signing.crt \
 root-ca_signing
+
+ docker exec secondary-subca pki nss-cert-import \
+ --cert $SHARED/subca_signing.crt \
+ ca_signing
+
 docker exec secondary-subca pki pkcs12-import \
 --pkcs12 $SHARED/caadmin.p12 \
 --pkcs12-password Secret.123
+
 docker exec secondary-subca pki -n caadmin ca-user-show caadmin
 - name: Check users in primary sub-CA and secondary sub-CA
diff --git a/.github/workflows/subca-cmc-test.yml b/.github/workflows/subca-cmc-test.yml
index 42bc8beb22c..024a0dd0a80 100644
--- a/.github/workflows/subca-cmc-test.yml
+++ b/.github/workflows/subca-cmc-test.yml
@@ -182,10 +182,19 @@ jobs:
 - name: Verify subordinate CA admin cert
 run: |
- docker exec subordinate pki client-cert-import ca_signing --ca-cert $SHARED/ca_signing.p7b
+ docker exec subordinate pki nss-cert-import \
+ --cert $SHARED/root-ca_signing.crt \
+ --trust CT,C,C \
+ root-ca_signing
+
+ docker exec subordinate pki nss-cert-import \
+ --cert ca_signing.crt \
+ ca_signing
+
 docker exec subordinate pki pkcs12-import \
 --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
 --pkcs12-password Secret.123
+
 docker exec subordinate pki -n caadmin ca-user-show caadmin
 - name: Check cert requests in subordinate CA
diff --git a/.github/workflows/subca-external-test.yml b/.github/workflows/subca-external-test.yml
index 501f5193c85..daad0adaeab 100644
--- a/.github/workflows/subca-external-test.yml
+++ b/.github/workflows/subca-external-test.yml
@@ -111,10 +111,19 @@ jobs:
 - name: Verify CA admin
 run: |
- docker exec pki pki client-cert-import ca_signing --ca-cert root-ca_signing.crt
+ docker exec pki pki nss-cert-import \
+ --cert root-ca_signing.crt \
+ --trust CT,C,C \
+ root-ca_signing
+
+ docker exec pki pki nss-cert-import \
+ --cert ca_signing.crt \
+ ca_signing
+
 docker exec pki pki pkcs12-import \
 --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
 --pkcs12-password Secret.123
+
 docker exec pki pki -n caadmin ca-user-show caadmin
 - name: Check cert requests in CA
diff --git a/.github/workflows/subca-hsm-test.yml b/.github/workflows/subca-hsm-test.yml
index 75b03a5d3d2..4ddd3d9f566 100644
--- a/.github/workflows/subca-hsm-test.yml
+++ b/.github/workflows/subca-hsm-test.yml
@@ -267,6 +267,7 @@ jobs:
 docker exec pki pki pkcs12-import \
 --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
 --pkcs12-password Secret.123
+
 docker exec pki pki -n caadmin ca-user-show caadmin
 - name: Check CA certs and requests