From 8a8f1538fa476192874dc0186a1619aaa3758ad8 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Wed, 2 Aug 2023 09:52:24 -0500
Subject: [PATCH] Update tests for CA with non-default algorithms
The tests for CA with non-default algorithms (i.e. RSA, RSA/PSS, ECC) have been modified to check the default signing algorithm params in CS.cfg.
---
 .github/workflows/ca-ecc-test.yml | 25 +++++++++++++++++++++++++
 .github/workflows/ca-rsa-pss-test.yml | 25 +++++++++++++++++++++++++
 .github/workflows/ca-rsa-test.yml | 25 +++++++++++++++++++++++++
 3 files changed, 75 insertions(+)
diff --git a/.github/workflows/ca-ecc-test.yml b/.github/workflows/ca-ecc-test.yml
index 4e592b955d8..72cc60f3cba 100644
--- a/.github/workflows/ca-ecc-test.yml
+++ b/.github/workflows/ca-ecc-test.yml
@@ -102,6 +102,11 @@ jobs: sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual diff expected actual + # default signing algorithm should be "SHA512withEC" + echo "SHA512withEC" > expected + docker exec pki pki-server ca-config-show ca.signing.defaultSigningAlgorithm | tee actual + diff expected actual + - name: Check CA OCSP signing cert run: | # inspect cert with certutil
@@ -121,6 +126,11 @@ jobs: sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual diff expected actual + # default signing algorithm should be "SHA512withEC" + echo "SHA512withEC" > expected + docker exec pki pki-server ca-config-show ca.ocsp_signing.defaultSigningAlgorithm | tee actual + diff expected actual + - name: Check CA audit signing cert run: | # inspect cert with certutil
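Review bot: The expected algorithm string is hard-coded five times per workflow (`echo "SHA512withEC" > expected` in this hunk and in each following hunk of ca-ecc-test.yml, and likewise `SHA512withRSA/PSS` and `SHA384withRSA` in every hunk of ca-rsa-pss-test.yml and ca-rsa-test.yml), so a change to the expected default means five edits per file and a missed one quietly tests the old value. The five CS.cfg checks differ only in the cert nickname, so they could be folded into one step that writes `expected` once and loops over `signing ocsp_signing audit_signing subsystem sslserver`, keeping the `tee actual` / `diff expected actual` pattern the existing steps use. A dedicated step name such as `Check default signing algorithms in CS.cfg` would also make the job log say what failed, since the current checks are appended to steps named after the certificate rather than its config. This assumes each of the five `ca.<nickname>.defaultSigningAlgorithm` keys is present in CS.cfg, which is what the hunks already assume.
```yaml
      # … unchanged: per-cert certutil "Signature Algorithm" checks in the preceding steps …
      - name: Check default signing algorithms in CS.cfg
        run: |
          # same expected value for every cert entry; written once
          echo "SHA512withEC" > expected
          for cert in signing ocsp_signing audit_signing subsystem sslserver; do
              docker exec pki pki-server ca-config-show ca.$cert.defaultSigningAlgorithm | tee actual
              diff expected actual
          done
```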
@@ -140,6 +150,11 @@ jobs: sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual diff expected actual + # default signing algorithm should be "SHA512withEC" + echo "SHA512withEC" > expected + docker exec pki pki-server ca-config-show ca.audit_signing.defaultSigningAlgorithm | tee actual + diff expected actual + - name: Check subsystem cert run: | # inspect cert with certutil
@@ -159,6 +174,11 @@ jobs: sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual diff expected actual + # default signing algorithm should be "SHA512withEC" + echo "SHA512withEC" > expected + docker exec pki pki-server ca-config-show ca.subsystem.defaultSigningAlgorithm | tee actual + diff expected actual + - name: Check SSL server cert run: | # inspect cert with certutil
@@ -178,6 +198,11 @@ jobs: sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual diff expected actual + # default signing algorithm should be "SHA512withEC" + echo "SHA512withEC" > expected + docker exec pki pki-server ca-config-show ca.sslserver.defaultSigningAlgorithm | tee actual + diff expected actual + - name: Run PKI healthcheck run: docker exec pki pki-healthcheck --failures-only
diff --git a/.github/workflows/ca-rsa-pss-test.yml b/.github/workflows/ca-rsa-pss-test.yml
index 4ed023fb42d..07560c59872 100644
--- a/.github/workflows/ca-rsa-pss-test.yml
+++ b/.github/workflows/ca-rsa-pss-test.yml
@@ -113,6 +113,11 @@ jobs: sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual diff expected actual + # default signing algorithm should be "SHA512withRSA/PSS" + echo "SHA512withRSA/PSS" > expected + docker exec pki pki-server ca-config-show ca.signing.defaultSigningAlgorithm | tee actual + diff expected actual + - name: Check CA OCSP signing cert run: | # inspect cert with certutil
@@ -132,6 +137,11 @@ jobs: sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual diff expected actual + # default signing algorithm should be "SHA512withRSA/PSS" + echo "SHA512withRSA/PSS" > expected + docker exec pki pki-server ca-config-show ca.ocsp_signing.defaultSigningAlgorithm | tee actual + diff expected actual + - name: Check CA audit signing cert run: | # inspect cert with certutil
@@ -151,6 +161,11 @@ jobs: sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual diff expected actual + # default signing algorithm should be "SHA512withRSA/PSS" + echo "SHA512withRSA/PSS" > expected + docker exec pki pki-server ca-config-show ca.audit_signing.defaultSigningAlgorithm | tee actual + diff expected actual + - name: Check subsystem cert run: | # inspect cert with certutil
@@ -170,6 +185,11 @@ jobs: sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual diff expected actual + # default signing algorithm should be "SHA512withRSA/PSS" + echo "SHA512withRSA/PSS" > expected + docker exec pki pki-server ca-config-show ca.subsystem.defaultSigningAlgorithm | tee actual + diff expected actual + - name: Check SSL server cert run: | # inspect cert with certutil
@@ -189,6 +209,11 @@ jobs: sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual diff expected actual + # default signing algorithm should be "SHA512withRSA/PSS" + echo "SHA512withRSA/PSS" > expected + docker exec pki pki-server ca-config-show ca.sslserver.defaultSigningAlgorithm | tee actual + diff expected actual + - name: Run PKI healthcheck run: docker exec pki pki-healthcheck --failures-only
diff --git a/.github/workflows/ca-rsa-test.yml b/.github/workflows/ca-rsa-test.yml
index 16067d4dc79..829535359a8 100644
--- a/.github/workflows/ca-rsa-test.yml
+++ b/.github/workflows/ca-rsa-test.yml
@@ -112,6 +112,11 @@ jobs: sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual diff expected actual + # default signing algorithm should be "SHA384withRSA" + echo "SHA384withRSA" > expected + docker exec pki pki-server ca-config-show ca.signing.defaultSigningAlgorithm | tee actual + diff expected actual + - name: Check CA OCSP signing cert run: | # inspect cert with certutil
@@ -131,6 +136,11 @@ jobs: sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual diff expected actual + # default signing algorithm should be "SHA384withRSA" + echo "SHA384withRSA" > expected + docker exec pki pki-server ca-config-show ca.ocsp_signing.defaultSigningAlgorithm | tee actual + diff expected actual + - name: Check CA audit signing cert run: | # inspect cert with certutil
@@ -150,6 +160,11 @@ jobs: sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual diff expected actual + # default signing algorithm should be "SHA384withRSA" + echo "SHA384withRSA" > expected + docker exec pki pki-server ca-config-show ca.audit_signing.defaultSigningAlgorithm | tee actual + diff expected actual + - name: Check subsystem cert run: | # inspect cert with certutil
@@ -169,6 +184,11 @@ jobs: sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual diff expected actual + # default signing algorithm should be "SHA384withRSA" + echo "SHA384withRSA" > expected + docker exec pki pki-server ca-config-show ca.subsystem.defaultSigningAlgorithm | tee actual + diff expected actual + - name: Check SSL server cert run: | # inspect cert with certutil
@@ -188,6 +208,11 @@ jobs: sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual diff expected actual + # default signing algorithm should be "SHA384withRSA" + echo "SHA384withRSA" > expected + docker exec pki pki-server ca-config-show ca.sslserver.defaultSigningAlgorithm | tee actual + diff expected actual + - name: Run PKI healthcheck run: docker exec pki pki-healthcheck --failures-only