From 458f1a80fdfb01474e6bc17fafda6f00f5429006 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Tue, 20 Aug 2024 16:47:35 -0500
Subject: [PATCH] Update sub CA tests
The latest NSS requires the client to have the full cert chain in order to validate a cert, so most of the sub CA tests have been updated to install the sub CA signing cert in addition to the root CA signing cert. For some reason the sub CA tests with HSM still work without these changes. That will be investigated separately later.
---
 .github/workflows/ipa-subca-test.yml | 5 +++++
 .github/workflows/subca-basic-test.yml | 5 +++++
 .github/workflows/subca-clone-hsm-test.yml | 1 +
 .github/workflows/subca-clone-test.yml | 10 ++++++++++
 .github/workflows/subca-cmc-test.yml | 11 ++++++++++-
 .github/workflows/subca-external-test.yml | 5 +++++
 .github/workflows/subca-hsm-test.yml | 1 +
 7 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ipa-subca-test.yml b/.github/workflows/ipa-subca-test.yml
index 438d54e1ce2..808cb7f82c4 100644
--- a/.github/workflows/ipa-subca-test.yml
+++ b/.github/workflows/ipa-subca-test.yml
@@ -96,11 +96,16 @@ jobs:
 docker exec ipa pki nss-cert-import \
 --cert root-ca_signing.crt \
 --trust CT,C,C \
+ root-ca_signing
+
+ docker exec ipa pki nss-cert-import \
+ --cert ipa.crt \
 ca_signing
 docker exec ipa pki pkcs12-import \
 --pkcs12 /root/ca-agent.p12 \
 --pkcs12-password Secret.123
+
 docker exec ipa pki -n ipa-ca-agent ca-user-show admin
 - name: Check lightweight CAs
diff --git a/.github/workflows/subca-basic-test.yml b/.github/workflows/subca-basic-test.yml
index 8accb955898..4b9e9fbd4be 100644
--- a/.github/workflows/subca-basic-test.yml
+++ b/.github/workflows/subca-basic-test.yml
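Review bot: In the ipa-subca-test.yml hunk the new `pki nss-cert-import --cert ipa.crt ca_signing` call passes no `--trust`, and nothing in the step says that this is deliberate. Leaving the flags off is the right shape for an intermediate, since the root stays the only trust anchor and the sub CA cert merely completes the chain, but a later editor could copy `--trust CT,C,C` down from the command above, after which the sub CA cert would validate on its own even if its chain to the root were broken. A shell comment above the second import, for example `# no --trust: sub CA cert only completes the chain to root-ca_signing`, would pin the intent. The same applies to the matching imports in subca-basic-test.yml, subca-clone-test.yml (both hunks), subca-cmc-test.yml and subca-external-test.yml. The step's `run:` block starts outside this hunk.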
@@ -172,11 +172,16 @@ jobs:
 docker exec subordinate pki nss-cert-import \
 --cert $SHARED/root-ca_signing.crt \
 --trust CT,C,C \
+ root-ca_signing
+
+ docker exec subordinate pki nss-cert-import \
+ --cert ca_signing.crt \
 ca_signing
 docker exec subordinate pki pkcs12-import \
 --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
 --pkcs12-password Secret.123
+
 docker exec subordinate pki -n caadmin --ignore-banner ca-user-show caadmin
 - name: Check cert requests in subordinate CA
diff --git a/.github/workflows/subca-clone-hsm-test.yml b/.github/workflows/subca-clone-hsm-test.yml
index a62cf72c68d..1013a175247 100644
--- a/.github/workflows/subca-clone-hsm-test.yml
+++ b/.github/workflows/subca-clone-hsm-test.yml
@@ -283,6 +283,7 @@ jobs:
 docker exec primary-subca pki pkcs12-import \
 --pkcs12 $SHARED/caadmin.p12 \
 --pkcs12-password Secret.123
+
 docker exec primary-subca pki -n caadmin ca-user-show caadmin
 - name: Set up secondary DS container
diff --git a/.github/workflows/subca-clone-test.yml b/.github/workflows/subca-clone-test.yml
index 86d7ba1dff2..7a71ccbca44 100644
--- a/.github/workflows/subca-clone-test.yml
+++ b/.github/workflows/subca-clone-test.yml
@@ -116,9 +116,14 @@ jobs:
 --trust CT,C,C \
 root-ca_signing
+ docker exec primary-subca pki nss-cert-import \
+ --cert $SHARED/subca_signing.crt \
+ ca_signing
+
 docker exec primary-subca pki pkcs12-import \
 --pkcs12 $SHARED/caadmin.p12 \
 --pkcs12-password Secret.123
+
 docker exec primary-subca pki -n caadmin ca-user-show caadmin
 - name: Export primary sub-CA certs
@@ -246,9 +251,14 @@ jobs:
 --trust CT,C,C \
 root-ca_signing
+ docker exec secondary-subca pki nss-cert-import \
+ --cert $SHARED/subca_signing.crt \
+ ca_signing
+
 docker exec secondary-subca pki pkcs12-import \
 --pkcs12 $SHARED/caadmin.p12 \
 --pkcs12-password Secret.123
+
 docker exec secondary-subca pki -n caadmin ca-user-show caadmin
 - name: Check users in primary sub-CA and secondary sub-CA
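Review bot: In the subca-basic-test.yml hunk the sub CA cert is read from a bare `ca_signing.crt`, while the root cert one command earlier comes from `$SHARED/root-ca_signing.crt`, so the second import depends on the working directory of `docker exec` and on an export step that is not visible in this hunk. If an earlier step writes that file into the container's default directory this works, but the dependency is implicit and a change to the container's working directory would break it with a misleading "file not found" rather than a trust error. Exporting the cert under `$SHARED` and importing it with `--cert $SHARED/ca_signing.crt \`, as subca-clone-test.yml does with `$SHARED/subca_signing.crt`, would make the source explicit. subca-cmc-test.yml has the same mix of `$SHARED/` and relative paths. The enclosing step begins outside the hunk.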
diff --git a/.github/workflows/subca-cmc-test.yml b/.github/workflows/subca-cmc-test.yml
index 7f1711310b3..f67c147c841 100644
--- a/.github/workflows/subca-cmc-test.yml
+++ b/.github/workflows/subca-cmc-test.yml
@@ -187,10 +187,19 @@ jobs:
 - name: Verify subordinate CA admin cert
 run: |
- docker exec subordinate pki client-cert-import ca_signing --ca-cert $SHARED/ca_signing.p7b
+ docker exec subordinate pki nss-cert-import \
+ --cert $SHARED/root-ca_signing.crt \
+ --trust CT,C,C \
+ root-ca_signing
+
+ docker exec subordinate pki nss-cert-import \
+ --cert ca_signing.crt \
+ ca_signing
+
 docker exec subordinate pki pkcs12-import \
 --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
 --pkcs12-password Secret.123
+
 docker exec subordinate pki -n caadmin ca-user-show caadmin
 - name: Check cert requests in subordinate CA
diff --git a/.github/workflows/subca-external-test.yml b/.github/workflows/subca-external-test.yml
index 6d58655f18a..1c34c71f1b6 100644
--- a/.github/workflows/subca-external-test.yml
+++ b/.github/workflows/subca-external-test.yml
@@ -117,11 +117,16 @@ jobs:
 docker exec pki pki nss-cert-import \
 --cert root-ca_signing.crt \
 --trust CT,C,C \
+ root-ca_signing
+
+ docker exec pki pki nss-cert-import \
+ --cert ca_signing.crt \
 ca_signing
 docker exec pki pki pkcs12-import \
 --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
 --pkcs12-password Secret.123
+
 docker exec pki pki -n caadmin ca-user-show caadmin
 - name: Check cert requests in CA
diff --git a/.github/workflows/subca-hsm-test.yml b/.github/workflows/subca-hsm-test.yml
index 86bb3d6fcff..71b2b33cbd1 100644
--- a/.github/workflows/subca-hsm-test.yml
+++ b/.github/workflows/subca-hsm-test.yml
@@ -272,6 +272,7 @@ jobs:
 docker exec pki pki pkcs12-import \
 --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
 --pkcs12-password Secret.123
+
 docker exec pki pki -n caadmin ca-user-show caadmin
 - name: Check CA certs and requests
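Review bot: The newly added `--trust CT,C,C \` in the subca-cmc-test.yml hunk marks the root as a trusted issuer for TLS server and client certs, S/MIME and object signing, while the commands visible in this step only need the client database to validate the sub CA's TLS server certificate. It matches the flags the other sub CA workflows already use, so keeping it for consistency is defensible, but test workflows tend to be copied into real NSS databases and the broad flags travel with them. If no later step in the job relies on the extra bits, `--trust C,, \` should be enough here; otherwise a comment such as `# CT,C,C mirrors the other sub CA workflows; this client only needs SSL 'C'` would record why the wider trust is granted. Whether anything later in the job needs the client-issuer or S/MIME trust cannot be told from this hunk, so that should be confirmed before narrowing.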