authorNiranjan Mallapadi <mrniranjan@redhat.com>2015-03-09 17:02:40 +0530
committerNiranjan Mallapadi <mrniranjan@redhat.com>2015-03-09 17:03:19 +0530
commit22ab9648aa88af7d75f5bdd4490ce9444ee6dd67 (patch)
treeecdc19bc15015f3b978a28a2def531a3ef9a9164 /tests
parent84610884fa52ad47599d2e78eaecb339f081b1ee (diff)
Adding legacy ipa-tests and ca-clone tests
Diffstat (limited to 'tests')
-rwxr-xr-xtests/dogtag/Makefile2
-rwxr-xr-xtests/dogtag/acceptance/legacy/clone_ca_tests/clone_tests.sh2016
-rwxr-xr-xtests/dogtag/acceptance/legacy/ipa-tests/ipa_backend_plugin.sh1633
-rwxr-xr-xtests/dogtag/runtest.sh12
4 files changed, 3663 insertions, 0 deletions
diff --git a/tests/dogtag/Makefile b/tests/dogtag/Makefile
index b9db34784..a2af21a74 100755
--- a/tests/dogtag/Makefile
+++ b/tests/dogtag/Makefile
@@ -291,6 +291,8 @@ build: $(BUILT_FILES)
chmod a+x ./acceptance/legacy/tks-tests/internaldb/tks-ad-internaldb.sh
chmod a+x ./acceptance/legacy/tks-tests/logs/tks-ad-logs.sh
chmod a+x ./acceptance/legacy/tks-tests/usergroups/tks-ad-usergroups.sh
+ chmod a+x ./acceptance/legacy/ipa-tests/ipa_backend_plugin.sh
+ chmod a+x ./acceptance/legacy/clone_ca_tests/clone_tests.sh
# bug verifications
chmod a+x ./acceptance/bugzilla/tomcatjss-bugs/bug-1058366.sh
chmod a+x ./acceptance/bugzilla/tomcatjss-bugs/bug-1084224.sh
diff --git a/tests/dogtag/acceptance/legacy/clone_ca_tests/clone_tests.sh b/tests/dogtag/acceptance/legacy/clone_ca_tests/clone_tests.sh
new file mode 100755
index 000000000..dd3971c9d
--- /dev/null
+++ b/tests/dogtag/acceptance/legacy/clone_ca_tests/clone_tests.sh
@@ -0,0 +1,2016 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/rhcs/acceptance/legacy/clone_ca_tests/clone_tests.sh
+# Description: CA Clone tests
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Author: Niranjan Mallapadi <mniranja@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include rhts environment
+. /usr/bin/rhts-environment.sh
+. /usr/share/beakerlib/beakerlib.sh
+. /opt/rhqa_pki/rhcs-shared.sh
+. /opt/rhqa_pki/pki-cert-cli-lib.sh
+. /opt/rhqa_pki/env.sh
+
+# Include tests
+. ./acceptance/quickinstall/rhds-install.sh
+
+clone_legacy_ca_tests()
+{
+ local cs_Type=$1
+ local cs_Role=$2
+
+ # Creating Temporary Directory for clone ca tests
+ rlPhaseStartSetup "Create Temporary Directory"
+ rlRun "TmpDir=\`mktemp -d\`" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ rlPhaseEnd
+
+ #local variables
+ get_topo_stack $cs_Role $TmpDir/topo_file
+ local CA_INST=$(cat $TmpDir/topo_file | grep MY_CA | cut -d= -f2)
+ local tomcat_name=$(eval echo \$${CA_INST}_TOMCAT_INSTANCE_NAME)
+ local CA_agentV=$CA_INST\_agentV
+ local CA_auditV=$CA_INST\_auditV
+ local CA_operatorV=$CA_INST\_operatorV
+ local CA_adminV=$CA_INST\_adminV
+ local CA_agentR=$CA_INST\_agentR
+ local CA_adminR=$CA_INST\_adminR
+ local CA_adminE=$CA_INST\_adminE
+ local CA_agentE=$CA_INST\_agentE
+ local invalid_serialNumber=$RANDOM
+ local invalid_hex_serialNumber=0x$(echo "ibase=16;$invalid_serialNumber"|bc)
+ local TEMP_NSS_DB="$TmpDir/nssdb"
+ local TEMP_NSS_DB_PWD="Secret123"
+ local target_port=$(eval echo \$${CA_INST}_UNSECURE_PORT)
+ local masterca_secure_port=$(eval echo \$${CA_INST}_SECURE_PORT)
+ local tmp_ca_host=$(eval echo \$${cs_Role})
+ local target_host=$(eval echo \$${cs_Role})
+ local cert_show_out="$TmpDir/cert_show.out"
+ local root_ca_ldap_port=$(eval echo \$${CA_INST}_LDAP_PORT)
+ local root_ca_admin_user=$(eval echo \$${CA_INST}_ADMIN_USER)
+ local root_ca_security_domain_password=$(eval echo \$${CA_INST}_SECURITY_DOMAIN_PASSWORD)
+ local root_ca_security_domain=$(eval echo \$${CA_INST}_DOMAIN)
+ local root_ca_db_suffix=$(eval echo \$${CA_INST}_DB_SUFFIX)
+ local root_ca_ldap_instance_name=$(eval echo \$${CA_INST}_LDAP_INSTANCE_NAME)
+
+ rlPhaseStartSetup "Preparation to Master CA before clones are configured"
+
+ #"In the CS.cfg file for the master CA, enable the master CA to monitor replication database changes by adding the ca.listenToCloneModifications parameter:"
+ rlLog "Enable the master CA to monitor replication database changes"
+ CURRENT_MASTERCA_CONFIG_FILE=$ROOTCA_SERVER_ROOT/conf/CS.cfg
+ BACKUP_MASTERCA_CONFIG_FILE=$ROOTCA_SERVER_ROOT/conf/CS.cfg.backupfile
+
+ rlLog "Stop $tomcat_name instance"
+ rhcs_stop_instance $tomcat_name
+
+ rlLog "Take backup of existing CS.cfg"
+ rlRun "/usr/bin/cp $CURRENT_MASTERCA_CONFIG_FILE $BACKUP_MASTERCA_CONFIG_FILE" 0 "Backup current cs.cfg"
+
+ search_string1="ca.listenToCloneModifications"
+ replace_string1="ca.listenToCloneModifications=true"
+
+ check_val_exists1=$(cat $CURRENT_MASTERCA_CONFIG_FILE | grep $search_string1)
+ if [ "$check_val_exists1" == "" ]; then
+ rlLog "Append $replace_string1 value to $tomcat_name CS.cfg"
+ echo "$replace_string1" >> $CURRENT_MASTERCA_CONFIG_FILE
+
+ elif [ "$check_val_exists1" == "ca.listenToCloneModifications=true" ]; then
+ rlLog "Master is already configured to track clone modifications"
+ else
+ rlLog "Replace $search_string1 with $replace_string1"
+ rlRun "sed -i s/"$search_string1"/"$replace_string1"/ $CURRENT_MASTERCA_CONFIG_FILE" 0
+ RETVAL=$?
+ if [ $RETVAL != 0 ]; then
+ rlLog "Could not modify value of $search_string1"
+ return 1
+ fi
+ fi
+ rlLog "Start $tomcat_name instance"
+ rhcs_start_instance $tomcat_name
+ rlLog "Disable nonce"
+ disable_ca_nonce $tomcat_name
+ rlPhaseEnd
+
+ rlPhaseStartSetup "clone_ca_tests: Setup clonecatest-tp1"
+ local clone_ca1_ldap_port=1839
+ local clone_ca1_http_port=29444
+ local clone_ca1_https_port=29443
+ local clone_ca1_ajp_port=29449
+ local clone_ca1_tomcat_port=29445
+ local clone_ca1_instance_name="clonecatest-tp1"
+ local clone_ca1_server_root=/var/lib/$clone_ca1_instance_name/ca
+ local clone_ca1_admin_cert_nickname="clonecatest-tp1-admin"
+ local clone_ca1_install_info=$TmpDir/$clone_ca1_instance_name-install.info
+ local clone_ca1_install_cfg=$TmpDir/$clone_ca1_instance_name-install.inf
+ local clone_ca1_instance_out=$TmpDir/$clone_ca1_instance_name-create.out
+ local clone_ca1_admin_cert_location=$TmpDir/$clone_ca1_instance_name/clone_ca1_admin_cert.p12
+
+ rhcs_install_prep_disableFirewall
+
+ for i in {$clone_ca1_ldap_port $clone_ca1_http_port $clone_ca1_https_port $clone_ca1_ajp_port $clone_ca1_tomcat_port}
+ do
+ netstat -plant | cut -d" " -f4 | cut -d":" -f2 | grep -v grep | grep $i
+ RETVAL=$?
+ if [ $RETVAL == 0 ];then
+ echo -e "\nThere are some process which are using those ports"
+ rlFail "Ports already in use installation Failed"
+ fi
+ done
+
+ rlLog "Creating LDAP server Instance to Sub CA instace $SUBCA_INSTANCE_NAME"
+ rhcs_install_set_ldap_vars
+ rlRun "rhds_install $clone_ca1_ldap_port $clone_ca1_instance_name \"$LDAP_ROOTDN\" $LDAP_ROOTDNPWD $LDAP_BASEDN" 0 "Installing RHDS instance for CLONE CA install"
+
+ rlLog "Creating CLONE CA Instance"
+ echo -e "[DEFAULT]" >> $clone_ca1_install_cfg
+ echo -e "pki_instance_name=$clone_ca1_instance_name" >> $clone_ca1_install_cfg
+ echo -e "pki_https_port=$clone_ca1_https_port" >> $clone_ca1_install_cfg
+ echo -e "pki_http_port=$clone_ca1_http_port" >> $clone_ca1_install_cfg
+ echo -e "pki_ajp_port=$clone_ca1_ajp_port" >> $clone_ca1_install_cfg
+ echo -e "pki_tomcat_server_port=$clone_ca1_tomcat_port" >> $clone_ca1_install_cfg
+ echo -e "pki_user=pkiuser" >> $clone_ca1_install_cfg
+ echo -e "pki_group=pkiuser" >> $clone_ca1_install_cfg
+ echo -e "pki_audit_group=pkiaudit" >> $clone_ca1_install_cfg
+ echo -e "pki_token_name=Internal" >> $clone_ca1_install_cfg
+ echo -e "pki_token_password=Secret123" >> $clone_ca1_install_cfg
+ echo -e "pki_client_pkcs12_password=Secret123" >> $clone_ca1_install_cfg
+ echo -e "pki_admin_password=Secret123" >> $clone_ca1_install_cfg
+ echo -e "pki_ds_password=Secret123" >> $clone_ca1_install_cfg
+ echo -e "pki_clone=True" >> $clone_ca1_install_cfg
+ echo -e "pki_clone_pkcs12_password=Secret123" >> $clone_ca1_install_cfg
+ echo -e "pki_clone_pkcs12_path=$CLIENT_PKCS12_DIR/ca_backup_keys.p12" >> $clone_ca1_install_cfg
+ echo -e "pki_clone_replication_master_port=$root_ca_ldap_port" >> $clone_ca1_install_cfg
+ echo -e "pki_clone_replication_clone_port=$clone_ca1_ldap_port" >> $clone_ca1_install_cfg
+ echo -e "pki_clone_repicate_schema=$REPLICATE_SCHEMA" >> $clone_ca1_install_cfg
+ echo -e "pki_clone_replication_security=$REPLICATION_SEC" >> $clone_ca1_install_cfg
+ echo -e "pki_clone_uri=https://$(eval echo \$${cs_Role}):$masterca_secure_port" >> $clone_ca1_install_cfg
+ echo -e "pki_client_database_dir=/tmp/dummydir1" >> $clone_ca1_install_cfg
+ echo -e "pki_client_database_password=Secret123" >> $clone_ca1_install_cfg
+ echo -e "pki_client_dir=$TmpDir/$clone_ca1_instance_name" >> $clone_ca1_install_cfg
+ echo -e "[CA]" >> $clone_ca1_install_cfg
+ echo -e "pki_admin_name=caadmin" >> $clone_ca1_install_cfg
+ echo -e "pki_admin_uid=caadmin" >> $clone_ca1_install_cfg
+ echo -e "pki_admin_email=root@localhost" >> $clone_ca1_install_cfg
+ echo -e "pki_admin_dualkey=True" >> $clone_ca1_install_cfg
+ echo -e "pki_admin_key_size=2048" >> $clone_ca1_install_cfg
+ echo -e "pki_admin_key_type=rsa" >> $clone_ca1_install_cfg
+ echo -e "pki_admin_subject_dn=CN=$clone_ca1_admin_cert_nickname,O=redhat" >> $clone_ca1_install_cfg
+ echo -e "pki_admin_nickname=$clone_ca1_admin_cert_nickname" >> $clone_ca1_install_cfg
+ echo -e "pki_ssl_server_key_type=rsa" >> $clone_ca1_install_cfg
+ echo -e "pki_ssl_server_key_size=2048" >> $clone_ca1_install_cfg
+ echo -e "pki_ssl_server_key_algorithm=SHA512withRSA" >> $clone_ca1_install_cfg
+ echo -e "pki_ssl_server_signing_algorithm=SHA512withRSA" >> $clone_ca1_install_cfg
+ echo -e "pki_ssl_server_token=Internal" >> $clone_ca1_install_cfg
+ echo -e "pki_ssl_server_nickname=Server-Cert cert-pki-$clone_ca1_instance_name" >> $clone_ca1_install_cfg
+ echo -e "pki_ssl_server_subject_dn=cn=$(hostname),O=redhat" >> $clone_ca1_install_cfg
+ echo -e "pki_client_admin_cert_p12=$clone_ca1_admin_cert_location" >> $clone_ca1_install_cfg
+ echo -e "pki_security_domain_hostname=$(eval echo \$${cs_Role})" >> $clone_ca1_install_cfg
+ echo -e "pki_security_domain_https_port=$masterca_secure_port" >> $clone_ca1_install_cfg
+ echo -e "pki_security_domain_user=$root_ca_admin_user" >> $clone_ca1_install_cfg
+ echo -e "pki_security_domain_password=$root_ca_security_domain_password" >> $clone_ca1_install_cfg
+ echo -e "pki_security_domain_name=$root_ca_security_domain" >> $clone_ca1_install_cfg
+ echo -e "pki_ds_hostname=$(hostname)" >> $clone_ca1_install_cfg
+ echo -e "pki_ds_ldap_port=$clone_ca1_ldap_port" >> $clone_ca1_install_cfg
+ echo -e "pki_ds_bind_dn=cn=Directory Manager" >> $clone_ca1_install_cfg
+ echo -e "pki_ds_password=Secret123" >> $clone_ca1_install_cfg
+ echo -e "pki_ds_secure_connection=False" >> $clone_ca1_install_cfg
+ echo -e "pki_ds_remove_data=True" >> $clone_ca1_install_cfg
+ echo -e "pki_ds_base_dn=$root_ca_db_suffix" >> $clone_ca1_install_cfg
+ echo -e "pki_ds_database=$root_ca_ldap_instance_name" >> $clone_ca1_install_cfg
+
+ rlLog "EXECUTING: pkispawn -s CA -f $clone_ca1_install_cfg -v"
+ rlRun "pkispawn -s CA -f $clone_ca1_install_cfg -v > $clone_ca1_install_info 2>&1"
+ exp_message1="Administrator's username: caadmin"
+ rlAssertGrep "$exp_message1" "$clone_ca1_install_info"
+
+ # Edit the CS.cfg file for the clone. Certain parameters must be added to the clone configuration to disable caching
+ # and generating CRLs
+
+ CURRENT_CLONECA1_CONFIG_FILE=/var/lib/pki/$clone_ca1_instance_name/ca/conf/CS.cfg
+ BACKUP_CLONECA1_CONFIG_FILE=/var/lib/pki/$clone_ca1_instance_name/ca/conf/CS.cfg.backup
+ rlLog "Stop $clone_ca1_instance_name instance"
+ rhcs_stop_instance $clone_ca1_instance_name
+
+ rlLog "Take backup of existing CS.cfg"
+ rlRun "/usr/bin/cp $CURRENT_CLONECA1_CONFIG_FILE $BACKUP_CLONECA1_CONFIG_FILE" 0 "Backup current cs.cfg"
+
+ search_string1="ca.crl.MasterCRL.enableCRLUpdates=true"
+ replace_string1="ca.crl.MasterCRL.enableCRLUpdates=false"
+ search_string2="ca.crl.MasterCRL.enableCRLCache=true"
+ replace_string2="ca.crl.MasterCRL.enableCRLCache=false"
+ search_string3="master.ca.agent.host="
+ replace_string3="master.ca.agent.host=$tmp_ca_host"
+ search_string4="master.ca.agent.port="
+ replace_string4="master.ca.agent.port=$masterca_secure_port"
+
+ check_val_exists1=$(cat $CURRENT_CLONECA1_CONFIG_FILE | grep $search_string1)
+ if [ "$check_val_exists1" == "" ]; then
+ rlLog "Append $replace_string1 value to $clone_ca1_instance_name CS.cfg"
+ echo "$replace_string1" >> $CURRENT_CLONECA1_CONFIG_FILE
+ else
+ rlLog "Replace $search_string1 with $replace_string1"
+ rlRun "sed -i s/"$search_string1"/"$replace_string1"/ $CURRENT_CLONECA1_CONFIG_FILE" 0
+ RETVAL=$?
+ if [ $RETVAL != 0 ]; then
+ rlLog "Could not modify value of $search_string1"
+ return 1
+ fi
+ fi
+ check_val_exists2=$(cat $CURRENT_CLONECA1_CONFIG_FILE | grep $search_string2)
+ if [ "$check_val_exists2" == "" ]; then
+ rlLog "Append $replace_string2 value to $clone_ca1_instance_name CS.cfg"
+ echo "$replace_string2" >> $CURRENT_CLONECA1_CONFIG_FILE
+ else
+ rlLog "Replace $search_string2 with $replace_string2"
+ rlRun "sed -i s/"$search_string2"/"$replace_string2"/ $CURRENT_CLONECA1_CONFIG_FILE" 0
+ RETVAL=$?
+ if [ $RETVAL != 0 ]; then
+ rlLog "Could not modify value of $search_string2"
+ return 1
+ fi
+ fi
+ check_val_exists3=$(cat $CURRENT_CLONECA1_CONFIG_FILE | grep $search_string3)
+ if [ "$check_val_exists3" == "" ]; then
+ rlLog "Append $replace_string3 value to $clone_ca1_instance_name CS.cfg"
+ echo "$replace_string3" >> $CURRENT_CLONECA1_CONFIG_FILE
+ else
+ rlLog "Replace $search_string3 with $replace_string3"
+ rlRun "sed -i s/"$search_string3"/"$replace_string3"/ $CURRENT_CLONECA1_CONFIG_FILE" 0
+ RETVAL=$?
+ if [ $RETVAL != 0 ]; then
+ rlLog "Could not modify value of $search_string3"
+ return 1
+ fi
+ fi
+ check_val_exists4=$(cat $CURRENT_CLONECA1_CONFIG_FILE | grep $search_string4)
+ if [ "$check_val_exists4" == "" ]; then
+ rlLog "Append $replace_string4 value to $clone_ca1_instance_name CS.cfg"
+ echo "$replace_string4" >> $CURRENT_CLONECA1_CONFIG_FILE
+ else
+ rlLog "Replace $search_string4 with $replace_string4"
+ rlRun "sed -i s/"$search_string4"/"$replace_string4"/ $CURRENT_CLONECA1_CONFIG_FILE" 0
+ RETVAL=$?
+ if [ $RETVAL != 0 ]; then
+ rlLog "Could not modify value of $search_string4"
+ return 1
+ fi
+ fi
+ rlLog "Start $clone_ca1_instance_name instance"
+ rhcs_start_instance $clone_ca1_instance_name
+
+ rlLog "Disable Nonce"
+ disable_ca_nonce $clone_ca1_instance_name
+ rlPhaseEnd
+
+ rlPhaseStartTest "clone_ca_test-001: Enroll cert on master and search requestid and serialNumber on clone"
+ # (1) user cert enrollment using master CA instance.
+ # (2) Search for the requestId in Clone CA's agent page.
+ # (3) approve this request id using master CA.
+ # (4) Search for the serial number in Clone CA's agent page
+ # (1) user cert enrollment using master CA instance.
+ local admin_out=$TmpDir/admin.out
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=1024
+ local profile=caUserCert
+ local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4"
+ local userid="fooUser-$RANDOM"
+ local usercn="$userid"
+ local phone="1234"
+ local usermail="$userid@example.org"
+ local test_out=ca-$profile-test.txt
+ rlRun "export SSL_DIR=$CERTDB_DIR"
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"$usercn\" \
+ subject_uid:$userid \
+ subject_email:$usermail \
+ subject_ou:IDM \
+ subject_organization:RedHat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/cert-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/cert-subject.out" 0 "Create $request_type request for $profile"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/cert-subject.out | grep Request_DN | cut -d ":" -f2)
+ rlLog "cert_requestdn=cert_requestdn"
+ rlRun "cat $TEMP_NSS_DB/cert-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/cert-encoded-request.pem"
+ rlLog "curl --basic \
+ --dump-header $admin_out \
+ -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/cert-encoded-request.pem)\" \
+ -k \"https://$tmp_ca_host:$masterca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $admin_out \
+ -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/cert-encoded-request.pem)\" \
+ -k \"https://$tmp_ca_host:$masterca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out"
+ local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}')
+ rlLog "request_id=$request_id"
+ # (2) Search for the requestId in Clone CA's agent page
+ rlLog "View certificate request details in clone CA's agent page"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id\" -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/profileReview\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id\" -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/profileReview\" > $TmpDir/$test_out"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertGrep "defList.defVal=\"RSA - 1.2.840.113549.1.1.1\"" "$TmpDir/$test_out"
+ rlAssertGrep "defList.defVal=\"$cert_ext_exKeyUsageOIDs\"" "$TmpDir/$test_out"
+ rlAssertGrep "inputList.inputVal=\"$useid\"" "$TmpDir/$test_out"
+ rlAssertGrep "inputList.inputVal=\"$usercn\"" "$TmpDir/$test_out"
+ rlAssertGrep "inputList.inputVal=\"$usermail\"" "$TmpDir/$test_out"
+ rlAssertGrep "profileName=\"Manual User Dual-Use Certificate Enrollment\"" "$TmpDir/$test_out"
+ # (3) approve this request id using master CA.
+ rlLog "Approve $request_id using $CA_agentV"
+ local Second=`date +'%S' -d now`
+ local Minute=`date +'%M' -d now`
+ local Hour=`date +'%H' -d now`
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local Year=`date +'%Y' -d now`
+ local start_year=$Year
+ let end_year=$Year+1
+ local end_day="1"
+ local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second"
+ local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn&notBefore=$notBefore&notAfter=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/profileProcess\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn&notBefore=$notBefore&notAfter=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Submit Certificare request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}')
+ rlLog "serial_number=$serial_number"
+ rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert"
+ # (4) Search for the serial number in Clone CA's agent page
+ rlLog "serial_number=$serial_number"
+ local profile_request="/ca/ee/ca/displayBySerial"
+ local request_info="serialNumber=$serial_number"
+ local sslget_output=$TEMP_NSS_DB/sslget.out
+ rlRun "/usr/bin/sslget -d $CERTDB_DIR -p $CERTDB_DIR_PASSWORD -n \"$CA_agentV\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$clone_ca1_https_port\" > $sslget_output 2>&1" 0 "Verify certificate from clone CA"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ local base64=$(cat -v $sslget_output | grep header.pkcs7ChainBase64 | awk -F \" '{print $2}')
+ if [ $base64 == "" ]; then
+ rlFail "sslget failed to get certificate details"
+ else
+ rlPass "sslget was successful in getting certificate details"
+ rlLog "Certificate Base64: $base64"
+ fi
+ rlPhaseEnd
+
+ rlPhaseStartTest "clone_ca_test-002: Enroll cert on clone and search requestid and serialNumber on master"
+ # (1) user cert enrollment using clone CA instance.
+ # (2) Search for the requestId in Master CA's agent page.
+ # (3) approve this request id using clone CA.
+ # (4) Search for the serial number in Master CA's agent page
+
+ # (1) user cert enrollment using clone CA instance.
+ local admin_out=$TmpDir/admin.out
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=1024
+ local profile=caUserCert
+ local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4"
+ local userid="fooUser-$RANDOM"
+ local usercn="$userid"
+ local phone="1234"
+ local usermail="$userid@example.org"
+ local test_out=ca-$profile-test.txt
+ rlRun "export SSL_DIR=$CERTDB_DIR"
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"$usercn\" \
+ subject_uid:$userid \
+ subject_email:$usermail \
+ subject_ou:IDM \
+ subject_organization:RedHat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/cert-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/cert-subject.out" 0 "Create $request_type request for $profile"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/cert-subject.out | grep Request_DN | cut -d ":" -f2)
+ rlLog "cert_requestdn=cert_requestdn"
+ rlRun "cat $TEMP_NSS_DB/cert-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/cert-encoded-request.pem"
+ rlLog "curl --basic \
+ --dump-header $admin_out \
+ -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/cert-encoded-request.pem)\" \
+ -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $admin_out \
+ -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/cert-encoded-request.pem)\" \
+ -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out"
+ local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}')
+ rlLog "request_id=$request_id"
+ # (2) Search for the requestId in Master CA's Agent Page
+ rlLog "View certificate request details in clone CA's agent page"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id\" -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/profileReview\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id\" -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/profileReview\" > $TmpDir/$test_out"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertGrep "defList.defVal=\"RSA - 1.2.840.113549.1.1.1\"" "$TmpDir/$test_out"
+ rlAssertGrep "defList.defVal=\"$cert_ext_exKeyUsageOIDs\"" "$TmpDir/$test_out"
+ rlAssertGrep "inputList.inputVal=\"$useid\"" "$TmpDir/$test_out"
+ rlAssertGrep "inputList.inputVal=\"$usercn\"" "$TmpDir/$test_out"
+ rlAssertGrep "inputList.inputVal=\"$usermail\"" "$TmpDir/$test_out"
+ rlAssertGrep "profileName=\"Manual User Dual-Use Certificate Enrollment\"" "$TmpDir/$test_out"
+ # (3) approve this request id using Clone CA.
+ rlLog "Approve $request_id using $CA_agentV"
+ local Second=`date +'%S' -d now`
+ local Minute=`date +'%M' -d now`
+ local Hour=`date +'%H' -d now`
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local Year=`date +'%Y' -d now`
+ local start_year=$Year
+ let end_year=$Year+1
+ local end_day="1"
+ local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second"
+ local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn&notBefore=$notBefore&notAfter=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/profileProcess\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn&notBefore=$notBefore&notAfter=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Submit Certificare request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}')
+ rlLog "serial_number=$serial_number"
+ rlLog "sleep 10"
+ rlRun "sleep 10"
+ rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert"
+ # (4) Search for the serial number in Master CA's agent page
+ rlLog "serial_number=$serial_number"
+ local profile_request="/ca/ee/ca/displayBySerial"
+ local request_info="serialNumber=$serial_number"
+ local sslget_output=$TEMP_NSS_DB/sslget.out
+ rlRun "/usr/bin/sslget -d $CERTDB_DIR -p $CERTDB_DIR_PASSWORD -n \"$CA_agentV\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$masterca_secure_port\" > $sslget_output 2>&1" 0 "Verify certificate from clone CA"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ local base64=$(cat -v $sslget_output | grep header.pkcs7ChainBase64 | awk -F \" '{print $2}')
+ if [ $base64 == "" ]; then
+ rlFail "sslget failed to get certificate details"
+ else
+ rlPass "sslget was successful in getting certificate details"
+ rlLog "Certificate Base64: $base64"
+ fi
+ rlPhaseEnd
+
+
+ rlPhaseStartTest "clone_ca_test-003: Enroll cert on Master CA, Reject it on clone CA, and search request id on clone"
+ # (1) user cert enrollment using master CA instance.
+ # (2) Search for the requestId in Clone CA's agent page.
+ # (3) Reject this request id using master CA.
+ # (4) Search for the requestId in Clone CA's agent page
+
+ # (1) user cert enrollment using Master CA instance.
+ local admin_out=$TmpDir/admin.out
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=1024
+ local profile=caUserCert
+ local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4"
+ local userid="fooUser-$RANDOM"
+ local usercn="$userid"
+ local phone="1234"
+ local usermail="$userid@example.org"
+ local test_out=ca-$profile-test.txt
+ rlRun "export SSL_DIR=$CERTDB_DIR"
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"$usercn\" \
+ subject_uid:$userid \
+ subject_email:$usermail \
+ subject_ou:IDM \
+ subject_organization:RedHat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/cert-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/cert-subject.out" 0 "Create $request_type request for $profile"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/cert-subject.out | grep Request_DN | cut -d ":" -f2)
+ rlLog "cert_requestdn=cert_requestdn"
+ rlRun "cat $TEMP_NSS_DB/cert-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/cert-encoded-request.pem"
+ rlLog "curl --basic \
+ --dump-header $admin_out \
+ -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/cert-encoded-request.pem)\" \
+ -k \"https://$tmp_ca_host:$masterca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $admin_out \
+ -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/cert-encoded-request.pem)\" \
+ -k \"https://$tmp_ca_host:$masterca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out"
+ local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}')
+ rlLog "request_id=$request_id"
+ # (2) Search for the requestId in Master Clone's Agent Page
+ rlLog "View certificate request details in clone CA's agent page"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id\" -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/profileReview\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id\" -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/profileReview\" > $TmpDir/$test_out"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertGrep "defList.defVal=\"RSA - 1.2.840.113549.1.1.1\"" "$TmpDir/$test_out"
+ rlAssertGrep "defList.defVal=\"$cert_ext_exKeyUsageOIDs\"" "$TmpDir/$test_out"
+ rlAssertGrep "inputList.inputVal=\"$userid\"" "$TmpDir/$test_out"
+ rlAssertGrep "inputList.inputVal=\"$usercn\"" "$TmpDir/$test_out"
+ rlAssertGrep "inputList.inputVal=\"$usermail\"" "$TmpDir/$test_out"
+ rlAssertGrep "profileName=\"Manual User Dual-Use Certificate Enrollment\"" "$TmpDir/$test_out"
+ # (3) Reject this request id using Master CA.
+ rlLog "Approve $request_id using $CA_agentV"
+ local Second=`date +'%S' -d now`
+ local Minute=`date +'%M' -d now`
+ local Hour=`date +'%H' -d now`
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local Year=`date +'%Y' -d now`
+ local start_year=$Year
+ let end_year=$Year+1
+ local end_day="1"
+ local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second"
+ local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=reject&submit=submit&name=$cert_requestdn&notBefore=$notBefore&notAfter=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/profileProcess\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=reject&submit=submit&name=$cert_requestdn&notBefore=$notBefore&notAfter=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Submit Certificare request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertGrep "requestType=\"enrollment\"" "$TmpDir/$test_out"
+ rlAssertGrep "profileId=\"caUserCert\"" "$TmpDir/$test_out"
+ rlAssertGrep "requestId=\"$request_id\"" "$TmpDir/$test_out"
+ rlAssertGrep "errorCode=\"0\"" "$TmpDir/$test_out"
+ rlAssertGrep "requestStatus=\"rejected\"" "$TmpDir/$test_out"
+ # (4) Search for the Request Id in clone CA's agent page
+ rlLog "View certificate request details in clone CA's agent page"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id\" -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/profileReview\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id\" -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/profileReview\" > $TmpDir/$test_out"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertGrep "defList.defVal=\"RSA - 1.2.840.113549.1.1.1\"" "$TmpDir/$test_out"
+ rlAssertGrep "defList.defVal=\"$cert_ext_exKeyUsageOIDs\"" "$TmpDir/$test_out"
+ rlAssertGrep "inputList.inputVal=\"$userid\"" "$TmpDir/$test_out"
+ rlAssertGrep "inputList.inputVal=\"$usercn\"" "$TmpDir/$test_out"
+ rlAssertGrep "inputList.inputVal=\"$usermail\"" "$TmpDir/$test_out"
+ rlAssertGrep "profileName=\"Manual User Dual-Use Certificate Enrollment\"" "$TmpDir/$test_out"
+ rlPhaseEnd
+
+ rlPhaseStartTest "clone_ca_test-004: Enroll cert on Clone CA, Reject it on clone CA, and search request id on Master"
+ # (1) user cert enrollment using clone CA instance.
+ # (2) Search for the requestId in master CA's agent page.
+ # (3) Reject this request id using clone CA.
+ # (4) Search for the requestId in master CA's agent page
+
+ # (1) user cert enrollment using Clone CA instance.
+ local admin_out=$TmpDir/admin.out
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=1024
+ local profile=caUserCert
+ local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4"
+ local userid="fooUser-$RANDOM"
+ local usercn="$userid"
+ local phone="1234"
+ local usermail="$userid@example.org"
+ local test_out=ca-$profile-test.txt
+ rlRun "export SSL_DIR=$CERTDB_DIR"
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"$usercn\" \
+ subject_uid:$userid \
+ subject_email:$usermail \
+ subject_ou:IDM \
+ subject_organization:RedHat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/cert-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/cert-subject.out" 0 "Create $request_type request for $profile"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/cert-subject.out | grep Request_DN | cut -d ":" -f2)
+ rlLog "cert_requestdn=cert_requestdn"
+ rlRun "cat $TEMP_NSS_DB/cert-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/cert-encoded-request.pem"
+ rlLog "curl --basic \
+ --dump-header $admin_out \
+ -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/cert-encoded-request.pem)\" \
+ -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $admin_out \
+ -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/cert-encoded-request.pem)\" \
+ -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out"
+ local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}')
+ rlLog "request_id=$request_id"
+ rlLog "sleep 10"
+ rlRun "sleep 10"
+ # (2) Search for the requestId in clone CA Agent Page
+ rlLog "View certificate request details in clone CA's agent page"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id\" -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/profileReview\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id\" -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/profileReview\" > $TmpDir/$test_out"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertGrep "defList.defVal=\"RSA - 1.2.840.113549.1.1.1\"" "$TmpDir/$test_out"
+ rlAssertGrep "defList.defVal=\"$cert_ext_exKeyUsageOIDs\"" "$TmpDir/$test_out"
+ rlAssertGrep "inputList.inputVal=\"$userid\"" "$TmpDir/$test_out"
+ rlAssertGrep "inputList.inputVal=\"$usercn\"" "$TmpDir/$test_out"
+ rlAssertGrep "inputList.inputVal=\"$usermail\"" "$TmpDir/$test_out"
+ rlAssertGrep "profileName=\"Manual User Dual-Use Certificate Enrollment\"" "$TmpDir/$test_out"
+ rlLog "sleep 10"
+ rlRun "sleep 10"
+ # (3) Reject this request id on Clone CA.
+ rlLog "Approve $request_id using $CA_agentV"
+ local Second=`date +'%S' -d now`
+ local Minute=`date +'%M' -d now`
+ local Hour=`date +'%H' -d now`
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local Year=`date +'%Y' -d now`
+ local start_year=$Year
+ let end_year=$Year+1
+ local end_day="1"
+ local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second"
+ local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=reject&submit=submit&name=$cert_requestdn&notBefore=$notBefore&notAfter=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/profileProcess\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=reject&submit=submit&name=$cert_requestdn&notBefore=$notBefore&notAfter=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Submit Certificare request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertGrep "requestType=\"enrollment\"" "$TmpDir/$test_out"
+ rlAssertGrep "profileId=\"caUserCert\"" "$TmpDir/$test_out"
+ rlAssertGrep "requestId=\"$request_id\"" "$TmpDir/$test_out"
+ rlAssertGrep "errorCode=\"0\"" "$TmpDir/$test_out"
+ rlAssertGrep "requestStatus=\"rejected\"" "$TmpDir/$test_out"
+ # (4) Search for the Request Id in Master CA agent page
+ rlLog "View certificate request details in clone CA's agent page"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id\" -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/profileReview\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id\" -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/profileReview\" > $TmpDir/$test_out"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertGrep "defList.defVal=\"RSA - 1.2.840.113549.1.1.1\"" "$TmpDir/$test_out"
+ rlAssertGrep "defList.defVal=\"$cert_ext_exKeyUsageOIDs\"" "$TmpDir/$test_out"
+ rlAssertGrep "inputList.inputVal=\"$userid\"" "$TmpDir/$test_out"
+ rlAssertGrep "inputList.inputVal=\"$usercn\"" "$TmpDir/$test_out"
+ rlAssertGrep "inputList.inputVal=\"$usermail\"" "$TmpDir/$test_out"
+ rlAssertGrep "profileName=\"Manual User Dual-Use Certificate Enrollment\"" "$TmpDir/$test_out"
+ rlPhaseEnd
+
+
+ rlPhaseStartTest "clone_ca_test-005: Enroll cert on Master CA, Cancel it on Master CA, and search request id on clone"
+ # (1) user cert enrollment using master CA instance.
+ # (2) Search for the requestId in Clone CA's agent page.
+ # (3) Cancel this request id using master CA.
+ # (4) Search for the requestId in Clone CA's agent page
+
+ # (1) user cert enrollment using Master CA instance.
+ local admin_out=$TmpDir/admin.out
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=1024
+ local profile=caUserCert
+ local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4"
+ local userid="fooUser-$RANDOM"
+ local usercn="$userid"
+ local phone="1234"
+ local usermail="$userid@example.org"
+ local test_out=ca-$profile-test.txt
+ rlRun "export SSL_DIR=$CERTDB_DIR"
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"$usercn\" \
+ subject_uid:$userid \
+ subject_email:$usermail \
+ subject_ou:IDM \
+ subject_organization:RedHat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/cert-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/cert-subject.out" 0 "Create $request_type request for $profile"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/cert-subject.out | grep Request_DN | cut -d ":" -f2)
+ rlLog "cert_requestdn=cert_requestdn"
+ rlRun "cat $TEMP_NSS_DB/cert-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/cert-encoded-request.pem"
+ rlLog "curl --basic \
+ --dump-header $admin_out \
+ -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/cert-encoded-request.pem)\" \
+ -k \"https://$tmp_ca_host:$masterca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $admin_out \
+ -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/cert-encoded-request.pem)\" \
+ -k \"https://$tmp_ca_host:$masterca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out"
+ local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}')
+ rlLog "request_id=$request_id"
+ # (2) Search for the requestId in Master Clone's Agent Page
+ rlLog "View certificate request details in clone CA's agent page"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id\" -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/profileReview\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id\" -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/profileReview\" > $TmpDir/$test_out"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertGrep "defList.defVal=\"RSA - 1.2.840.113549.1.1.1\"" "$TmpDir/$test_out"
+ rlAssertGrep "defList.defVal=\"$cert_ext_exKeyUsageOIDs\"" "$TmpDir/$test_out"
+ rlAssertGrep "inputList.inputVal=\"$userid\"" "$TmpDir/$test_out"
+ rlAssertGrep "inputList.inputVal=\"$usercn\"" "$TmpDir/$test_out"
+ rlAssertGrep "inputList.inputVal=\"$usermail\"" "$TmpDir/$test_out"
+ rlAssertGrep "profileName=\"Manual User Dual-Use Certificate Enrollment\"" "$TmpDir/$test_out"
+ # (3) Cancel this request id using Master CA.
+ rlLog "Approve $request_id using $CA_agentV"
+ local Second=`date +'%S' -d now`
+ local Minute=`date +'%M' -d now`
+ local Hour=`date +'%H' -d now`
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local Year=`date +'%Y' -d now`
+ local start_year=$Year
+ let end_year=$Year+1
+ local end_day="1"
+ local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second"
+ local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=cancel&submit=submit&name=$cert_requestdn&notBefore=$notBefore&notAfter=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/profileProcess\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=cancel&submit=submit&name=$cert_requestdn&notBefore=$notBefore&notAfter=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Submit Certificare request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertGrep "requestType=\"enrollment\"" "$TmpDir/$test_out"
+ rlAssertGrep "profileId=\"caUserCert\"" "$TmpDir/$test_out"
+ rlAssertGrep "requestId=\"$request_id\"" "$TmpDir/$test_out"
+ rlAssertGrep "errorCode=\"0\"" "$TmpDir/$test_out"
+ rlAssertGrep "requestStatus=\"canceled\"" "$TmpDir/$test_out"
+ # (4) Search for the Request Id in clone CA's agent page
+ rlLog "View certificate request details in clone CA's agent page"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id\" -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/profileReview\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id\" -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/profileReview\" > $TmpDir/$test_out"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertGrep "defList.defVal=\"RSA - 1.2.840.113549.1.1.1\"" "$TmpDir/$test_out"
+ rlAssertGrep "defList.defVal=\"$cert_ext_exKeyUsageOIDs\"" "$TmpDir/$test_out"
+ rlAssertGrep "inputList.inputVal=\"$userid\"" "$TmpDir/$test_out"
+ rlAssertGrep "inputList.inputVal=\"$usercn\"" "$TmpDir/$test_out"
+ rlAssertGrep "inputList.inputVal=\"$usermail\"" "$TmpDir/$test_out"
+ rlAssertGrep "profileName=\"Manual User Dual-Use Certificate Enrollment\"" "$TmpDir/$test_out"
+ rlPhaseEnd
+
+ rlPhaseStartTest "clone_ca_test-006: Enroll cert on Clone CA, Cancel it on clone CA, and search request id on Master"
+ # (1) user cert enrollment using clone CA instance.
+ # (2) Search for the requestId in master CA's agent page.
+ # (3) Reject this request id using clone CA.
+ # (4) Search for the requestId in master CA's agent page
+
+ # (1) user cert enrollment using Clone CA instance.
+ local admin_out=$TmpDir/admin.out
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=1024
+ local profile=caUserCert
+ local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4"
+ local userid="fooUser-$RANDOM"
+ local usercn="$userid"
+ local phone="1234"
+ local usermail="$userid@example.org"
+ local test_out=ca-$profile-test.txt
+ rlRun "export SSL_DIR=$CERTDB_DIR"
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"$usercn\" \
+ subject_uid:$userid \
+ subject_email:$usermail \
+ subject_ou:IDM \
+ subject_organization:RedHat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/cert-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/cert-subject.out" 0 "Create $request_type request for $profile"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/cert-subject.out | grep Request_DN | cut -d ":" -f2)
+ rlLog "cert_requestdn=cert_requestdn"
+ rlRun "cat $TEMP_NSS_DB/cert-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/cert-encoded-request.pem"
+ rlLog "curl --basic \
+ --dump-header $admin_out \
+ -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/cert-encoded-request.pem)\" \
+ -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $admin_out \
+ -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/cert-encoded-request.pem)\" \
+ -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out"
+ local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}')
+ rlLog "request_id=$request_id"
+ # (2) Search for the requestId in master CA Agent Page
+ rlLog "View certificate request details in Master CA's agent page"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id\" -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/profileReview\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id\" -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/profileReview\" > $TmpDir/$test_out"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertGrep "defList.defVal=\"RSA - 1.2.840.113549.1.1.1\"" "$TmpDir/$test_out"
+ rlAssertGrep "defList.defVal=\"$cert_ext_exKeyUsageOIDs\"" "$TmpDir/$test_out"
+ rlAssertGrep "inputList.inputVal=\"$userid\"" "$TmpDir/$test_out"
+ rlAssertGrep "inputList.inputVal=\"$usercn\"" "$TmpDir/$test_out"
+ rlAssertGrep "inputList.inputVal=\"$usermail\"" "$TmpDir/$test_out"
+ rlAssertGrep "profileName=\"Manual User Dual-Use Certificate Enrollment\"" "$TmpDir/$test_out"
+ rlLog "sleep 10"
+ rlRun "sleep 10"
+ # (3) Cancel this request id on Clone CA.
+ rlLog "Approve $request_id using $CA_agentV"
+ local Second=`date +'%S' -d now`
+ local Minute=`date +'%M' -d now`
+ local Hour=`date +'%H' -d now`
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local Year=`date +'%Y' -d now`
+ local start_year=$Year
+ let end_year=$Year+1
+ local end_day="1"
+ local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second"
+ local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=cancel&submit=submit&name=$cert_requestdn&notBefore=$notBefore&notAfter=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/profileProcess\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=cancel&submit=submit&name=$cert_requestdn&notBefore=$notBefore&notAfter=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Submit Certificare request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertGrep "requestType=\"enrollment\"" "$TmpDir/$test_out"
+ rlAssertGrep "profileId=\"caUserCert\"" "$TmpDir/$test_out"
+ rlAssertGrep "requestId=\"$request_id\"" "$TmpDir/$test_out"
+ rlAssertGrep "errorCode=\"0\"" "$TmpDir/$test_out"
+ rlAssertGrep "requestStatus=\"canceled\"" "$TmpDir/$test_out"
+ # (4) Search for the Request Id in Master CA agent page
+ rlLog "sleep 10"
+ rlRun "sleep 10"
+ rlLog "View certificate request details in Master CA's agent page"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id\" -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/profileReview\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id\" -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/profileReview\" > $TmpDir/$test_out"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertGrep "defList.defVal=\"RSA - 1.2.840.113549.1.1.1\"" "$TmpDir/$test_out"
+ rlAssertGrep "defList.defVal=\"$cert_ext_exKeyUsageOIDs\"" "$TmpDir/$test_out"
+ rlAssertGrep "inputList.inputVal=\"$userid\"" "$TmpDir/$test_out"
+ rlAssertGrep "inputList.inputVal=\"$usercn\"" "$TmpDir/$test_out"
+ rlAssertGrep "inputList.inputVal=\"$usermail\"" "$TmpDir/$test_out"
+ rlAssertGrep "profileName=\"Manual User Dual-Use Certificate Enrollment\"" "$TmpDir/$test_out"
+ rlPhaseEnd
+
+ rlPhaseStartTest "clone_ca_test-007: Enroll cert on Master CA, approve, Revoke the cert on Master CA and search cert on clone, status should be revoked"
+ # (1) user cert enrollment using master CA instance.
+ # (2) approve this request id using master CA.
+ # (3) Revoke this certificate from master CA.
+ # (4) Search for this certificate from clone CA, status should be revoked.
+
+ # (1) user cert enrollment using master CA instance.
+ local admin_out=$TmpDir/admin.out
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=1024
+ local profile=caUserCert
+ local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4"
+ local userid="fooUser-$RANDOM"
+ local usercn="$userid"
+ local phone="1234"
+ local usermail="$userid@example.org"
+ local test_out=ca-$profile-test.txt
+ rlRun "export SSL_DIR=$CERTDB_DIR"
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"$usercn\" \
+ subject_uid:$userid \
+ subject_email:$usermail \
+ subject_ou:IDM \
+ subject_organization:RedHat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/cert-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/cert-subject.out" 0 "Create $request_type request for $profile"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/cert-subject.out | grep Request_DN | cut -d ":" -f2)
+ rlLog "cert_requestdn=cert_requestdn"
+ rlRun "cat $TEMP_NSS_DB/cert-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/cert-encoded-request.pem"
+ rlLog "curl --basic \
+ --dump-header $admin_out \
+ -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/cert-encoded-request.pem)\" \
+ -k \"https://$tmp_ca_host:$masterca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $admin_out \
+ -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/cert-encoded-request.pem)\" \
+ -k \"https://$tmp_ca_host:$masterca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out"
+ local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}')
+ rlLog "request_id=$request_id"
+ # (2) approve this request id using master CA.
+ rlLog "Approve $request_id using $CA_agentV"
+ local Second=`date +'%S' -d now`
+ local Minute=`date +'%M' -d now`
+ local Hour=`date +'%H' -d now`
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local Year=`date +'%Y' -d now`
+ local start_year=$Year
+ let end_year=$Year+1
+ local end_day="1"
+ local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second"
+ local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn&notBefore=$notBefore&notAfter=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/profileProcess\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn&notBefore=$notBefore&notAfter=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Submit Certificare request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}')
+ rlRun "curl --basic --dump-header $admin_out -d \"op=displayBySerial&serialNumber=$serial_number\" -k https://$tmp_ca_host:$masterca_secure_port/ca/ee/ca/displayBySerial 1> $TmpDir/cert.out"
+ local certificate_base64=$(cat -v $TmpDir/cert.out | grep "header.certChainBase64 = "|awk -F \" '{print $2}' | sed '/^$/d' | sed 's/^\\n//'|sed -e 's/^/-----BEGIN CERTIFICATE-----/' | sed 's/$/-----END CERTIFICATE-----/' | sed 's/\\r\\n//g')
+ rlLog "serial_number=$serial_number"
+ rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert"
+ # (3) Revoke this certificate from master CA
+ local STRIP_HEX=$(echo $serial_number | cut -dx -f2)
+ local serial=$STRIP_HEX
+ local CONV_UPP_VAL=${STRIP_HEX^^}
+ local CONV_LOW_VAL=${STRIP_HEX,,}
+ serial_number_array+=(0x$CONV_LOW_VAL)
+ local decimal_serial_number=$(echo "ibase=16;$CONV_UPP_VAL"|bc)
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local revocationReason="0"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"$serial=on&day=0&month=$Month&year=0&revocationReason=$revocationReason&csrRequestorComments=&submit=Submit&op=doRevoke&templateType=RevocationSuccess&serialNumber=$serial&revokeAll=(|(certRecordId=$decimal_serial_number))&totalRecordCount=1&verifiedRecordCount=1&invalidityDate=0\" -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/doRevoke\" > $TmpDir/$test_out" 0 "Revoke cert with serial Number $serial_number"
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"$serial=on&day=0&month=$Month&year=0&revocationReason=$revocationReason&csrRequestorComments=&submit=Submit&op=doRevoke&templateType=RevocationSuccess&serialNumber=$serial&revokeAll=(|(certRecordId=$decimal_serial_number))&totalRecordCount=1&verifiedRecordCount=1&invalidityDate=0\" -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/doRevoke\" > $TmpDir/$test_out" 0 "Revoke cert with serial Number $serial_number"
+ rlAssertGrep "header.revoked = \"yes\"" "$TmpDir/$test_out"
+ rlAssertGrep "header.error = null" "$TmpDir/$test_out"
+ # (4) Search for the serial number in Clone CA
+ rlLog "Sleep for 10 seconds for clone to get synced"
+ rlRun "sleep 10"
+ rlRun "set_newjavapath \":./:/usr/lib/java/jss4.jar:/usr/share/java/pki/pki-nsutil.jar:/usr/share/java/pki/pki-cmsutil.jar:/usr/share/java/apache-commons-codec.jar:/opt/rhqa_pki/jars/pki-qe-tools.jar:\"" 0 "Setting Java CLASSPATH"
+ rlRun "source /opt/rhqa_pki/env.sh" 0 "Set Environment Variables"
+ rlLog "Executing java -cp"
+ rlLog "java -cp $CLASSPATH ca_ee_ocspRequest -ca_hostname $tmp_ca_host -ca_ee_port $clone_ca1_http_port -client_certdb_dir $CERTDB_DIR -client_certdb_pwd $CERTDB_DIR_PASSWORD -ca_cert_nickname $(eval echo \$${CA_INST}_SIGNING_NICKNAME) -serial_number $decimal_serial_number -debug true > $TmpDir/$test_out 2>&1"
+ rlRun "java -cp $CLASSPATH ca_ee_ocspRequest -ca_hostname $tmp_ca_host -ca_ee_port $clone_ca1_http_port -client_certdb_dir $CERTDB_DIR -client_certdb_pwd $CERTDB_DIR_PASSWORD -ca_cert_nickname $(eval echo \$${CA_INST}_SIGNING_NICKNAME) -serial_number $decimal_serial_number -debug true > $TmpDir/$test_out 2>&1"
+ rlAssertGrep "RESPONSE STATUS: HTTP/1.1 200 OK" "$TmpDir/$test_out"
+ rlAssertGrep "RESPONSE HEADER: Content-Type: application/ocsp-response" "$TmpDir/$test_out"
+ rlAssertGrep "CertStatus=Revoked" "$TmpDir/$test_out"
+ rlAssertGrep "SerialNumber=$decimal_serial_number" "$TmpDir/$test_out"
+ rlAssertGrep "SUCCESS" "$TmpDir/$test_out"
+ rlPhaseEnd
+
+
+ rlPhaseStartTest "clone_ca_test-008: Enroll cert on Clone CA, approve, Revoke the cert on clone CA and search cert on master, status should be revoked"
+ # (1) user cert enrollment using clone CA .
+ # (2) approve this request id using clone CA.
+ # (3) Revoke this certificate from clone CA.
+ # (4) Search for this certificate from Master CA, status should be revoked.
+
+ # (1) user cert enrollment using clone CA.
+ local admin_out=$TmpDir/admin.out
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=1024
+ local profile=caUserCert
+ local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4"
+ local userid="fooUser-$RANDOM"
+ local usercn="$userid"
+ local phone="1234"
+ local usermail="$userid@example.org"
+ local test_out=ca-$profile-test.txt
+ rlRun "export SSL_DIR=$CERTDB_DIR"
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"$usercn\" \
+ subject_uid:$userid \
+ subject_email:$usermail \
+ subject_ou:IDM \
+ subject_organization:RedHat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/cert-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/cert-subject.out" 0 "Create $request_type request for $profile"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/cert-subject.out | grep Request_DN | cut -d ":" -f2)
+ rlLog "cert_requestdn=cert_requestdn"
+ rlRun "cat $TEMP_NSS_DB/cert-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/cert-encoded-request.pem"
+ rlLog "curl --basic \
+ --dump-header $admin_out \
+ -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/cert-encoded-request.pem)\" \
+ -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $admin_out \
+ -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/cert-encoded-request.pem)\" \
+ -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out"
+ local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}')
+ rlLog "request_id=$request_id"
+ # (2) approve this request id using clone CA.
+ rlLog "Approve $request_id using $CA_agentV"
+ local Second=`date +'%S' -d now`
+ local Minute=`date +'%M' -d now`
+ local Hour=`date +'%H' -d now`
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local Year=`date +'%Y' -d now`
+ local start_year=$Year
+ let end_year=$Year+1
+ local end_day="1"
+ local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second"
+ local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn&notBefore=$notBefore&notAfter=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/profileProcess\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn&notBefore=$notBefore&notAfter=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Submit Certificare request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}')
+ rlRun "curl --basic --dump-header $admin_out -d \"op=displayBySerial&serialNumber=$serial_number\" -k https://$tmp_ca_host:$clone_ca1_https_port/ca/ee/ca/displayBySerial 1> $TmpDir/cert.out"
+ local certificate_base64=$(cat -v $TmpDir/cert.out | grep "header.certChainBase64 = "|awk -F \" '{print $2}' | sed '/^$/d' | sed 's/^\\n//'|sed -e 's/^/-----BEGIN CERTIFICATE-----/' | sed 's/$/-----END CERTIFICATE-----/' | sed 's/\\r\\n//g')
+ rlLog "serial_number=$serial_number"
+ if [ "$serial_number" == "" ]; then
+ rlFail "Certificate request did not approve"
+ fi
+ # (3) Revoke this certificate from clone CA
+ local STRIP_HEX=$(echo $serial_number | cut -dx -f2)
+ local serial=$STRIP_HEX
+ local CONV_UPP_VAL=${STRIP_HEX^^}
+ local CONV_LOW_VAL=${STRIP_HEX,,}
+ serial_number_array+=(0x$CONV_LOW_VAL)
+ local decimal_serial_number=$(echo "ibase=16;$CONV_UPP_VAL"|bc)
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local revocationReason="0"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"$serial=on&day=0&month=$Month&year=0&revocationReason=$revocationReason&csrRequestorComments=&submit=Submit&op=doRevoke&templateType=RevocationSuccess&serialNumber=$serial&revokeAll=(|(certRecordId=$decimal_serial_number))&totalRecordCount=1&verifiedRecordCount=1&invalidityDate=0\" -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/doRevoke\" > $TmpDir/$test_out" 0 "Revoke cert with serial Number $serial_number"
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"$serial=on&day=0&month=$Month&year=0&revocationReason=$revocationReason&csrRequestorComments=&submit=Submit&op=doRevoke&templateType=RevocationSuccess&serialNumber=$serial&revokeAll=(|(certRecordId=$decimal_serial_number))&totalRecordCount=1&verifiedRecordCount=1&invalidityDate=0\" -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/doRevoke\" > $TmpDir/$test_out" 0 "Revoke cert with serial Number $serial_number"
+ rlAssertGrep "header.revoked = \"yes\"" "$TmpDir/$test_out"
+ rlAssertGrep "header.error = null" "$TmpDir/$test_out"
+ # (4) Search for the serial number in Master CA
+ rlLog "Sleep for 10 seconds for clone to get synced"
+ rlRun "sleep 10"
+ rlRun "set_newjavapath \":./:/usr/lib/java/jss4.jar:/usr/share/java/pki/pki-nsutil.jar:/usr/share/java/pki/pki-cmsutil.jar:/usr/share/java/apache-commons-codec.jar:/opt/rhqa_pki/jars/pki-qe-tools.jar:\"" 0 "Setting Java CLASSPATH"
+ rlRun "source /opt/rhqa_pki/env.sh" 0 "Set Environment Variables"
+ rlLog "Executing java -cp"
+ rlLog "java -cp $CLASSPATH ca_ee_ocspRequest -ca_hostname $tmp_ca_host -ca_ee_port $target_port -client_certdb_dir $CERTDB_DIR -client_certdb_pwd $CERTDB_DIR_PASSWORD -ca_cert_nickname $(eval echo \$${CA_INST}_SIGNING_NICKNAME) -serial_number $decimal_serial_number -debug true > $TmpDir/$test_out 2>&1"
+ rlRun "java -cp $CLASSPATH ca_ee_ocspRequest -ca_hostname $tmp_ca_host -ca_ee_port $target_port -client_certdb_dir $CERTDB_DIR -client_certdb_pwd $CERTDB_DIR_PASSWORD -ca_cert_nickname $(eval echo \$${CA_INST}_SIGNING_NICKNAME) -serial_number $decimal_serial_number -debug true > $TmpDir/$test_out 2>&1"
+ rlAssertGrep "RESPONSE STATUS: HTTP/1.1 200 OK" "$TmpDir/$test_out"
+ rlAssertGrep "RESPONSE HEADER: Content-Type: application/ocsp-response" "$TmpDir/$test_out"
+ rlAssertGrep "CertStatus=Revoked" "$TmpDir/$test_out"
+ rlAssertGrep "SerialNumber=$decimal_serial_number" "$TmpDir/$test_out"
+ rlAssertGrep "SUCCESS" "$TmpDir/$test_out"
+ rlPhaseEnd
+
+ rlPhaseStartTest "clone_ca_test-009: Enroll cert on Master CA, approve, and take cert on Hold, take cert of hold from clone CA, status from master ca should be valid"
+ # (1) user cert enrollment using master CA instance.
+ # (2) approve this request id using master CA.
+ # (3) Take cert on hold from master CA.
+ # (4) Search for this certificate from clone CA, status should be revoked.
+ # (5) Take cert off hold from clone CA.
+ # (6) Search for this certificate from master CA, status should be valid
+ # (1) user cert enrollment using master CA instance.
+ local admin_out=$TmpDir/admin.out
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=1024
+ local profile=caUserCert
+ local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4"
+ local userid="fooUser-$RANDOM"
+ local usercn="$userid"
+ local phone="1234"
+ local usermail="$userid@example.org"
+ local test_out=ca-$profile-test.txt
+ rlRun "export SSL_DIR=$CERTDB_DIR"
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"$usercn\" \
+ subject_uid:$userid \
+ subject_email:$usermail \
+ subject_ou:IDM \
+ subject_organization:RedHat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/cert-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/cert-subject.out" 0 "Create $request_type request for $profile"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/cert-subject.out | grep Request_DN | cut -d ":" -f2)
+ rlLog "cert_requestdn=cert_requestdn"
+ rlRun "cat $TEMP_NSS_DB/cert-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/cert-encoded-request.pem"
+ rlLog "curl --basic \
+ --dump-header $admin_out \
+ -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/cert-encoded-request.pem)\" \
+ -k \"https://$tmp_ca_host:$masterca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $admin_out \
+ -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/cert-encoded-request.pem)\" \
+ -k \"https://$tmp_ca_host:$masterca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out"
+ local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}')
+ rlLog "request_id=$request_id"
+ # (2) approve this request id using master CA.
+ rlLog "Approve $request_id using $CA_agentV"
+ local Second=`date +'%S' -d now`
+ local Minute=`date +'%M' -d now`
+ local Hour=`date +'%H' -d now`
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local Year=`date +'%Y' -d now`
+ local start_year=$Year
+ let end_year=$Year+1
+ local end_day="1"
+ local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second"
+ local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn&notBefore=$notBefore&notAfter=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/profileProcess\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn&notBefore=$notBefore&notAfter=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Submit Certificare request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}')
+ rlRun "curl --basic --dump-header $admin_out -d \"op=displayBySerial&serialNumber=$serial_number\" -k https://$tmp_ca_host:$masterca_secure_port/ca/ee/ca/displayBySerial 1> $TmpDir/cert.out"
+ local certificate_base64=$(cat -v $TmpDir/cert.out | grep "header.certChainBase64 = "|awk -F \" '{print $2}' | sed '/^$/d' | sed 's/^\\n//'|sed -e 's/^/-----BEGIN CERTIFICATE-----/' | sed 's/$/-----END CERTIFICATE-----/' | sed 's/\\r\\n//g')
+ rlLog "serial_number=$serial_number"
+ rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert"
+ # (3) Revoke this certificate from master CA
+ local STRIP_HEX=$(echo $serial_number | cut -dx -f2)
+ local serial=$STRIP_HEX
+ local CONV_UPP_VAL=${STRIP_HEX^^}
+ local CONV_LOW_VAL=${STRIP_HEX,,}
+ serial_number_array+=(0x$CONV_LOW_VAL)
+ local decimal_serial_number=$(echo "ibase=16;$CONV_UPP_VAL"|bc)
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local revocationReason="6"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"$serial=on&day=0&month=$Month&year=0&revocationReason=$revocationReason&csrRequestorComments=&submit=Submit&op=doRevoke&templateType=RevocationSuccess&serialNumber=$serial&revokeAll=(|(certRecordId=$decimal_serial_number))&totalRecordCount=1&verifiedRecordCount=1&invalidityDate=0\" -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/doRevoke\" > $TmpDir/$test_out" 0 "Revoke cert with serial Number $serial_number"
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"$serial=on&day=0&month=$Month&year=0&revocationReason=$revocationReason&csrRequestorComments=&submit=Submit&op=doRevoke&templateType=RevocationSuccess&serialNumber=$serial&revokeAll=(|(certRecordId=$decimal_serial_number))&totalRecordCount=1&verifiedRecordCount=1&invalidityDate=0\" -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/doRevoke\" > $TmpDir/$test_out" 0 "Revoke cert with serial Number $serial_number"
+ rlAssertGrep "header.revoked = \"yes\"" "$TmpDir/$test_out"
+ rlAssertGrep "header.error = null" "$TmpDir/$test_out"
+ # (4) Search for this certificate from clone CA, status should be revoked.
+ rlLog "Sleep for 10 seconds for clone to get synced"
+ rlRun "sleep 10"
+ rlRun "set_newjavapath \":./:/usr/lib/java/jss4.jar:/usr/share/java/pki/pki-nsutil.jar:/usr/share/java/pki/pki-cmsutil.jar:/usr/share/java/apache-commons-codec.jar:/opt/rhqa_pki/jars/pki-qe-tools.jar:\"" 0 "Setting Java CLASSPATH"
+ rlRun "source /opt/rhqa_pki/env.sh" 0 "Set Environment Variables"
+ rlLog "Executing java -cp"
+ rlLog "java -cp $CLASSPATH ca_ee_ocspRequest -ca_hostname $tmp_ca_host -ca_ee_port $clone_ca1_http_port -client_certdb_dir $CERTDB_DIR -client_certdb_pwd $CERTDB_DIR_PASSWORD -ca_cert_nickname $(eval echo \$${CA_INST}_SIGNING_NICKNAME) -serial_number $decimal_serial_number -debug true > $TmpDir/$test_out 2>&1"
+ rlRun "java -cp $CLASSPATH ca_ee_ocspRequest -ca_hostname $tmp_ca_host -ca_ee_port $clone_ca1_http_port -client_certdb_dir $CERTDB_DIR -client_certdb_pwd $CERTDB_DIR_PASSWORD -ca_cert_nickname $(eval echo \$${CA_INST}_SIGNING_NICKNAME) -serial_number $decimal_serial_number -debug true > $TmpDir/$test_out 2>&1"
+ rlAssertGrep "RESPONSE STATUS: HTTP/1.1 200 OK" "$TmpDir/$test_out"
+ rlAssertGrep "RESPONSE HEADER: Content-Type: application/ocsp-response" "$TmpDir/$test_out"
+ rlAssertGrep "CertStatus=Revoked" "$TmpDir/$test_out"
+ rlAssertGrep "SerialNumber=$decimal_serial_number" "$TmpDir/$test_out"
+ rlAssertGrep "SUCCESS" "$TmpDir/$test_out"
+ #(5) Take cert off hold from clone CA
+ local profile_request="/ca/agent/ca/doUnrevoke"
+ local request_info="serialNumber=$serial_number"
+ rlLog "/usr/bin/sslget -d $CERTDB_DIR -p $CERTDB_DIR_PASSWORD -n \"$CA_agentV\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$clone_ca1_https_port\" > $sslget_output 2>&1" 0 "Un Revoke Certificate"
+ rlRun "/usr/bin/sslget -d $CERTDB_DIR -p $CERTDB_DIR_PASSWORD -n \"$CA_agentV\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$clone_ca1_https_port\" > $sslget_output 2>&1" 0 "Un Revoke Certificate"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ rlAssertGrep "header.unrevoked = \"yes\"" "$sslget_output"
+ rlAssertGrep "header.serialNumber = \"$serial_number\"" "$sslget_output"
+ # (6) Search for this certificate from master CA, status should be valid
+ rlLog "Sleep for 10 seconds for master to get synced"
+ rlRun "sleep 10"
+ rlRun "set_newjavapath \":./:/usr/lib/java/jss4.jar:/usr/share/java/pki/pki-nsutil.jar:/usr/share/java/pki/pki-cmsutil.jar:/usr/share/java/apache-commons-codec.jar:/opt/rhqa_pki/jars/pki-qe-tools.jar:\"" 0 "Setting Java CLASSPATH"
+ rlRun "source /opt/rhqa_pki/env.sh" 0 "Set Environment Variables"
+ rlLog "Executing java -cp"
+ rlLog "java -cp $CLASSPATH ca_ee_ocspRequest -ca_hostname $tmp_ca_host -ca_ee_port $target_port -client_certdb_dir $CERTDB_DIR -client_certdb_pwd $CERTDB_DIR_PASSWORD -ca_cert_nickname $(eval echo \$${CA_INST}_SIGNING_NICKNAME) -serial_number $decimal_serial_number -debug true > $TmpDir/$test_out 2>&1"
+ rlRun "java -cp $CLASSPATH ca_ee_ocspRequest -ca_hostname $tmp_ca_host -ca_ee_port $target_port -client_certdb_dir $CERTDB_DIR -client_certdb_pwd $CERTDB_DIR_PASSWORD -ca_cert_nickname $(eval echo \$${CA_INST}_SIGNING_NICKNAME) -serial_number $decimal_serial_number -debug true > $TmpDir/$test_out 2>&1"
+ rlAssertGrep "RESPONSE STATUS: HTTP/1.1 200 OK" "$TmpDir/$test_out"
+ rlAssertGrep "RESPONSE HEADER: Content-Type: application/ocsp-response" "$TmpDir/$test_out"
+ rlAssertGrep "CertStatus=Good" "$TmpDir/$test_out"
+ rlAssertGrep "SerialNumber=$decimal_serial_number" "$TmpDir/$test_out"
+ rlAssertGrep "SUCCESS" "$TmpDir/$test_out"
+ rlPhaseEnd
+
+ rlPhaseStartTest "clone_ca_test-0011: Enroll cert on clone CA, approve, and take cert on Hold, take cert of hold from master CA, status from master and clone ca should be valid"
+ # (1) user cert enrollment using clone CA.
+ # (2) approve this request id using clone CA.
+ # (3) Take cert on hold from clone CA.
+ # (4) Search for this certificate from master CA, status should be revoked.
+ # (5) Take cert off hold from master CA.
+ # (6) Search for this certificate from clone CA, status should be valid
+
+ # (1) user cert enrollment using clone CA.
+ local admin_out=$TmpDir/admin.out
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=1024
+ local profile=caUserCert
+ local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4"
+ local userid="fooUser-$RANDOM"
+ local usercn="$userid"
+ local phone="1234"
+ local usermail="$userid@example.org"
+ local test_out=ca-$profile-test.txt
+ rlRun "export SSL_DIR=$CERTDB_DIR"
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"$usercn\" \
+ subject_uid:$userid \
+ subject_email:$usermail \
+ subject_ou:IDM \
+ subject_organization:RedHat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/cert-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/cert-subject.out" 0 "Create $request_type request for $profile"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/cert-subject.out | grep Request_DN | cut -d ":" -f2)
+ rlLog "cert_requestdn=cert_requestdn"
+ rlRun "cat $TEMP_NSS_DB/cert-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/cert-encoded-request.pem"
+ rlLog "curl --basic \
+ --dump-header $admin_out \
+ -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/cert-encoded-request.pem)\" \
+ -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $admin_out \
+ -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/cert-encoded-request.pem)\" \
+ -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out"
+ local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}')
+ rlLog "request_id=$request_id"
+ # (2) approve this request id using clone CA.
+ rlLog "Approve $request_id using $CA_agentV"
+ local Second=`date +'%S' -d now`
+ local Minute=`date +'%M' -d now`
+ local Hour=`date +'%H' -d now`
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local Year=`date +'%Y' -d now`
+ local start_year=$Year
+ let end_year=$Year+1
+ local end_day="1"
+ local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second"
+ local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn&notBefore=$notBefore&notAfter=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/profileProcess\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn&notBefore=$notBefore&notAfter=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Submit Certificare request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}')
+ rlRun "curl --basic --dump-header $admin_out -d \"op=displayBySerial&serialNumber=$serial_number\" -k https://$tmp_ca_host:$clone_ca1_https_port/ca/ee/ca/displayBySerial 1> $TmpDir/cert.out"
+ local certificate_base64=$(cat -v $TmpDir/cert.out | grep "header.certChainBase64 = "|awk -F \" '{print $2}' | sed '/^$/d' | sed 's/^\\n//'|sed -e 's/^/-----BEGIN CERTIFICATE-----/' | sed 's/$/-----END CERTIFICATE-----/' | sed 's/\\r\\n//g')
+ rlLog "serial_number=$serial_number"
+ rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert"
+ # (3) Revoke this certificate from clone CA
+ local STRIP_HEX=$(echo $serial_number | cut -dx -f2)
+ local serial=$STRIP_HEX
+ local CONV_UPP_VAL=${STRIP_HEX^^}
+ local CONV_LOW_VAL=${STRIP_HEX,,}
+ serial_number_array+=(0x$CONV_LOW_VAL)
+ local decimal_serial_number=$(echo "ibase=16;$CONV_UPP_VAL"|bc)
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local revocationReason="6"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"$serial=on&day=0&month=$Month&year=0&revocationReason=$revocationReason&csrRequestorComments=&submit=Submit&op=doRevoke&templateType=RevocationSuccess&serialNumber=$serial&revokeAll=(|(certRecordId=$decimal_serial_number))&totalRecordCount=1&verifiedRecordCount=1&invalidityDate=0\" -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/doRevoke\" > $TmpDir/$test_out" 0 "Revoke cert with serial Number $serial_number"
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"$serial=on&day=0&month=$Month&year=0&revocationReason=$revocationReason&csrRequestorComments=&submit=Submit&op=doRevoke&templateType=RevocationSuccess&serialNumber=$serial&revokeAll=(|(certRecordId=$decimal_serial_number))&totalRecordCount=1&verifiedRecordCount=1&invalidityDate=0\" -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/doRevoke\" > $TmpDir/$test_out" 0 "Revoke cert with serial Number $serial_number"
+ rlAssertGrep "header.revoked = \"yes\"" "$TmpDir/$test_out"
+ rlAssertGrep "header.error = null" "$TmpDir/$test_out"
+ # (4) Search for this certificate from master CA, status should be revoked
+ rlLog "Sleep for 10 seconds for clone to get synced"
+ rlRun "sleep 10"
+ rlRun "set_newjavapath \":./:/usr/lib/java/jss4.jar:/usr/share/java/pki/pki-nsutil.jar:/usr/share/java/pki/pki-cmsutil.jar:/usr/share/java/apache-commons-codec.jar:/opt/rhqa_pki/jars/pki-qe-tools.jar:\"" 0 "Setting Java CLASSPATH"
+ rlRun "source /opt/rhqa_pki/env.sh" 0 "Set Environment Variables"
+ rlLog "Executing java -cp"
+ rlLog "java -cp $CLASSPATH ca_ee_ocspRequest -ca_hostname $tmp_ca_host -ca_ee_port $masterca_secure_port -client_certdb_dir $CERTDB_DIR -client_certdb_pwd $CERTDB_DIR_PASSWORD -ca_cert_nickname $(eval echo \$${CA_INST}_SIGNING_NICKNAME) -serial_number $decimal_serial_number -debug true > $TmpDir/$test_out 2>&1"
+ rlRun "java -cp $CLASSPATH ca_ee_ocspRequest -ca_hostname $tmp_ca_host -ca_ee_port $masterca_secure_port -client_certdb_dir $CERTDB_DIR -client_certdb_pwd $CERTDB_DIR_PASSWORD -ca_cert_nickname $(eval echo \$${CA_INST}_SIGNING_NICKNAME) -serial_number $decimal_serial_number -debug true > $TmpDir/$test_out 2>&1"
+ rlAssertGrep "RESPONSE STATUS: HTTP/1.1 200 OK" "$TmpDir/$test_out"
+ rlAssertGrep "RESPONSE HEADER: Content-Type: application/ocsp-response" "$TmpDir/$test_out"
+ rlAssertGrep "CertStatus=Revoked" "$TmpDir/$test_out"
+ rlAssertGrep "SerialNumber=$decimal_serial_number" "$TmpDir/$test_out"
+ rlAssertGrep "SUCCESS" "$TmpDir/$test_out"
+ #(5) Take cert off hold from master CA.
+ local profile_request="/ca/agent/ca/doUnrevoke"
+ local request_info="serialNumber=$serial_number"
+ rlLog "/usr/bin/sslget -d $CERTDB_DIR -p $CERTDB_DIR_PASSWORD -n \"$CA_agentV\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$clone_ca1_https_port\" > $sslget_output 2>&1" 0 "Un Revoke Certificate"
+ rlRun "/usr/bin/sslget -d $CERTDB_DIR -p $CERTDB_DIR_PASSWORD -n \"$CA_agentV\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$clone_ca1_https_port\" > $sslget_output 2>&1" 0 "Un Revoke Certificate"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ rlAssertGrep "header.unrevoked = \"yes\"" "$sslget_output"
+ rlAssertGrep "header.serialNumber = \"$serial_number\"" "$sslget_output"
+ # (6) Search for this certificate from clone CA, status should be valid
+ rlLog "Sleep for 10 seconds for master to get synced"
+ rlRun "sleep 10"
+ rlRun "set_newjavapath \":./:/usr/lib/java/jss4.jar:/usr/share/java/pki/pki-nsutil.jar:/usr/share/java/pki/pki-cmsutil.jar:/usr/share/java/apache-commons-codec.jar:/opt/rhqa_pki/jars/pki-qe-tools.jar:\"" 0 "Setting Java CLASSPATH"
+ rlRun "source /opt/rhqa_pki/env.sh" 0 "Set Environment Variables"
+ rlLog "Executing java -cp"
+ rlLog "java -cp $CLASSPATH ca_ee_ocspRequest -ca_hostname $tmp_ca_host -ca_ee_port $clone_ca1_http_port -client_certdb_dir $CERTDB_DIR -client_certdb_pwd $CERTDB_DIR_PASSWORD -ca_cert_nickname $(eval echo \$${CA_INST}_SIGNING_NICKNAME) -serial_number $decimal_serial_number -debug true > $TmpDir/$test_out 2>&1"
+ rlRun "java -cp $CLASSPATH ca_ee_ocspRequest -ca_hostname $tmp_ca_host -ca_ee_port $clone_ca1_http_port -client_certdb_dir $CERTDB_DIR -client_certdb_pwd $CERTDB_DIR_PASSWORD -ca_cert_nickname $(eval echo \$${CA_INST}_SIGNING_NICKNAME) -serial_number $decimal_serial_number -debug true > $TmpDir/$test_out 2>&1"
+ rlAssertGrep "RESPONSE STATUS: HTTP/1.1 200 OK" "$TmpDir/$test_out"
+ rlAssertGrep "RESPONSE HEADER: Content-Type: application/ocsp-response" "$TmpDir/$test_out"
+ rlAssertGrep "CertStatus=Good" "$TmpDir/$test_out"
+ rlAssertGrep "SerialNumber=$decimal_serial_number" "$TmpDir/$test_out"
+ rlAssertGrep "SUCCESS" "$TmpDir/$test_out"
+ rlPhaseEnd
+
+ rlPhaseStartTest "clone_ca_test-0011: Verify CA clone displays updated CRL on clone CA with enrollment and revokcation on Master CA"
+ # (1) user cert enrollment using master CA instance.
+ # (2) approve this request id using master CA
+ # (3) Revoke this cert from master CA.
+ # (4) Update RevocationList in master CA.
+ # (5) Display RevocationList in clone CA, should have the revoked cert.
+ # (6) Display RevocationList in master CA, should have the revoked cert.
+
+ # (1) user cert enrollment using master CA instance
+ local admin_out=$TmpDir/admin.out
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=1024
+ local profile=caUserCert
+ local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4"
+ local userid="fooUser-$RANDOM"
+ local usercn="$userid"
+ local phone="1234"
+ local usermail="$userid@example.org"
+ local test_out=ca-$profile-test.txt
+ rlRun "export SSL_DIR=$CERTDB_DIR"
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"$usercn\" \
+ subject_uid:$userid \
+ subject_email:$usermail \
+ subject_ou:IDM \
+ subject_organization:RedHat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/cert-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/cert-subject.out" 0 "Create $request_type request for $profile"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/cert-subject.out | grep Request_DN | cut -d ":" -f2)
+ rlLog "cert_requestdn=cert_requestdn"
+ rlRun "cat $TEMP_NSS_DB/cert-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/cert-encoded-request.pem"
+ rlLog "curl --basic \
+ --dump-header $admin_out \
+ -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/cert-encoded-request.pem)\" \
+ -k \"https://$tmp_ca_host:$masterca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $admin_out \
+ -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/cert-encoded-request.pem)\" \
+ -k \"https://$tmp_ca_host:$masterca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out"
+ local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}')
+ rlLog "request_id=$request_id"
+ # (2) approve this request id using master CA.
+ rlLog "Approve $request_id using $CA_agentV"
+ local Second=`date +'%S' -d now`
+ local Minute=`date +'%M' -d now`
+ local Hour=`date +'%H' -d now`
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local Year=`date +'%Y' -d now`
+ local start_year=$Year
+ let end_year=$Year+1
+ local end_day="1"
+ local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second"
+ local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn&notBefore=$notBefore&notAfter=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/profileProcess\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn&notBefore=$notBefore&notAfter=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Submit Certificare request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}')
+ rlRun "curl --basic --dump-header $admin_out -d \"op=displayBySerial&serialNumber=$serial_number\" -k https://$tmp_ca_host:$masterca_secure_port/ca/ee/ca/displayBySerial 1> $TmpDir/cert.out"
+ local certificate_base64=$(cat -v $TmpDir/cert.out | grep "header.certChainBase64 = "|awk -F \" '{print $2}' | sed '/^$/d' | sed 's/^\\n//'|sed -e 's/^/-----BEGIN CERTIFICATE-----/' | sed 's/$/-----END CERTIFICATE-----/' | sed 's/\\r\\n//g')
+ rlLog "serial_number=$serial_number"
+ rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert"
+ # (3) Revoke this cert from master CA
+ local STRIP_HEX=$(echo $serial_number | cut -dx -f2)
+ local serial=$STRIP_HEX
+ local CONV_UPP_VAL=${STRIP_HEX^^}
+ local CONV_LOW_VAL=${STRIP_HEX,,}
+ serial_number_array+=(0x$CONV_LOW_VAL)
+ local decimal_serial_number=$(echo "ibase=16;$CONV_UPP_VAL"|bc)
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local revocationReason="6"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"$serial=on&day=0&month=$Month&year=0&revocationReason=$revocationReason&csrRequestorComments=&submit=Submit&op=doRevoke&templateType=RevocationSuccess&serialNumber=$serial&revokeAll=(|(certRecordId=$decimal_serial_number))&totalRecordCount=1&verifiedRecordCount=1&invalidityDate=0\" -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/doRevoke\" > $TmpDir/$test_out" 0 "Revoke cert with serial Number $serial_number"
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"$serial=on&day=0&month=$Month&year=0&revocationReason=$revocationReason&csrRequestorComments=&submit=Submit&op=doRevoke&templateType=RevocationSuccess&serialNumber=$serial&revokeAll=(|(certRecordId=$decimal_serial_number))&totalRecordCount=1&verifiedRecordCount=1&invalidityDate=0\" -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/doRevoke\" > $TmpDir/$test_out" 0 "Revoke cert with serial Number $serial_number"
+ rlAssertGrep "header.revoked = \"yes\"" "$TmpDir/$test_out"
+ rlAssertGrep "header.error = null" "$TmpDir/$test_out"
+ # (4) Update RevocationList in master CA.
+ local crlIssuingPoint="MasterCRL"
+ local signatureAlgorithm="SHA512withRSA"
+ local test_out=updatecrl.out
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $CA_agentV:$CERTDB_DIR_PASSWORD -d \"crlIssuingPoint=$crlIssuingPoint&signatureAlgorithm=$signatureAlgorithm\" -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/updateCRL\" > $TmpDir/$test_out" 0 "Update CRL"
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $CA_agentV:$CERTDB_DIR_PASSWORD -d \"crlIssuingPoint=$crlIssuingPoint&signatureAlgorithm=$signatureAlgorithm\" -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/updateCRL\" > $TmpDir/$test_out" 0 "Update CRL"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertGrep "header.crlIssuingPoint = \"$crlIssuingPoint\"" "$TmpDir/$test_out"
+ rlAssertGrep "header.crlUpdate = \"Scheduled\"" "$TmpDir/$test_out"
+ #(5) Display RevocationList in clone CA, should have the revoked cert
+ rlLog "Display Entire CRL"
+ local crlIssuingPoint='MasterCRL'
+ local crlDisplayType='entireCRL'
+ local pageStart='1'
+ local pageSize='50'
+ local test_out=$crlDisplayType
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"crlIssuingPoint=$crlIssuingPoint&crlDisplayType=$crlDisplayType&pageStart=$pageStart&pageSize=$pageSize\" -k \"https://$tmp_ca_host:$masterca_ecure_port/ca/agent/ca/displayCRL\" > $TmpDir/$test_out"
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"crlIssuingPoint=$crlIssuingPoint&crlDisplayType=$crlDisplayType&pageStart=$pageStart&pageSize=$pageSize\" -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/displayCRL\" > $TmpDir/$test_out" 0 "Display cached CRL"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertGrep "header.crlIssuingPoint = \"$crlIssuingPoint\"" "$TmpDir/$test_out"
+ rlAssertGrep "header.crlDisplayType = \"$crlDisplayType\"" "$TmpDir/$test_out"
+ rlAssertGrep "Serial Number: $serial_number" "$TmpDir/$test_out"
+ #Update RevocationList in clone CA.
+ local crlIssuingPoint="MasterCRL"
+ local signatureAlgorithm="SHA512withRSA"
+ local test_out=updatecrl.out
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $CA_agentV:$CERTDB_DIR_PASSWORD -d \"crlIssuingPoint=$crlIssuingPoint&signatureAlgorithm=$signatureAlgorithm\" -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/updateCRL\" > $TmpDir/$test_out" 0 "Update CRL"
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $CA_agentV:$CERTDB_DIR_PASSWORD -d \"crlIssuingPoint=$crlIssuingPoint&signatureAlgorithm=$signatureAlgorithm\" -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/updateCRL\" > $TmpDir/$test_out" 0 "Update CRL"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertGrep "header.crlIssuingPoint = \"$crlIssuingPoint\"" "$TmpDir/$test_out"
+ #(6) Display RevocationList in master CA, should have the revoked cert
+ rlLog "Display Entire CRL"
+ local crlIssuingPoint='MasterCRL'
+ local crlDisplayType='entireCRL'
+ local pageStart='1'
+ local pageSize='50'
+ local test_out=$crlDisplayType
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"crlIssuingPoint=$crlIssuingPoint&crlDisplayType=$crlDisplayType&pageStart=$pageStart&pageSize=$pageSize\" -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/displayCRL\" > $TmpDir/$test_out"
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"crlIssuingPoint=$crlIssuingPoint&crlDisplayType=$crlDisplayType&pageStart=$pageStart&pageSize=$pageSize\" -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/displayCRL\" > $TmpDir/$test_out" 0 "Display cached CRL"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertGrep "header.crlIssuingPoint = \"$crlIssuingPoint\"" "$TmpDir/$test_out"
+ rlAssertGrep "header.crlDisplayType = \"$crlDisplayType\"" "$TmpDir/$test_out"
+ rlAssertGrep "Serial Number: $serial_number" "$TmpDir/$test_out"
+ rlPhaseEnd
+
+ rlPhaseStartTest "clone_ca_test-0012: Verify CA clone displays updated CRL on Master CA with enrollment and revokcation on Clone CA"
+ # (1) user cert enrollment using clone CA.
+ # (2) approve this request id using clone CA
+ # (3) Revoke this cert from clone CA.
+ # (4) Update RevocationList in clone CA.
+ # (5) Display RevocationList in master CA, should have the revoked cert.
+ # (6) Display RevocationList in clone CA, should have the revoked cert.
+
+ # (1) user cert enrollment using clone CA
+ local admin_out=$TmpDir/admin.out
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=1024
+ local profile=caUserCert
+ local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4"
+ local userid="fooUser-$RANDOM"
+ local usercn="$userid"
+ local phone="1234"
+ local usermail="$userid@example.org"
+ local test_out=ca-$profile-test.txt
+ rlRun "export SSL_DIR=$CERTDB_DIR"
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"$usercn\" \
+ subject_uid:$userid \
+ subject_email:$usermail \
+ subject_ou:IDM \
+ subject_organization:RedHat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/cert-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/cert-subject.out" 0 "Create $request_type request for $profile"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/cert-subject.out | grep Request_DN | cut -d ":" -f2)
+ rlLog "cert_requestdn=cert_requestdn"
+ rlRun "cat $TEMP_NSS_DB/cert-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/cert-encoded-request.pem"
+ rlLog "curl --basic \
+ --dump-header $admin_out \
+ -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/cert-encoded-request.pem)\" \
+ -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $admin_out \
+ -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/cert-encoded-request.pem)\" \
+ -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out"
+ local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}')
+ rlLog "request_id=$request_id"
+ # (2) approve this request id using clone CA.
+ rlLog "Approve $request_id using $CA_agentV"
+ local Second=`date +'%S' -d now`
+ local Minute=`date +'%M' -d now`
+ local Hour=`date +'%H' -d now`
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local Year=`date +'%Y' -d now`
+ local start_year=$Year
+ let end_year=$Year+1
+ local end_day="1"
+ local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second"
+ local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn&notBefore=$notBefore&notAfter=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/profileProcess\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn&notBefore=$notBefore&notAfter=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Submit Certificare request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}')
+ rlRun "curl --basic --dump-header $admin_out -d \"op=displayBySerial&serialNumber=$serial_number\" -k https://$tmp_ca_host:$masterca_secure_port/ca/ee/ca/displayBySerial 1> $TmpDir/cert.out"
+ local certificate_base64=$(cat -v $TmpDir/cert.out | grep "header.certChainBase64 = "|awk -F \" '{print $2}' | sed '/^$/d' | sed 's/^\\n//'|sed -e 's/^/-----BEGIN CERTIFICATE-----/' | sed 's/$/-----END CERTIFICATE-----/' | sed 's/\\r\\n//g')
+ rlLog "serial_number=$serial_number"
+ rlLog "sleep 10 seconds for master to get updated"
+ rlRun "sleep 10"
+ rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert"
+ # (3) Revoke this cert from clone CA
+ local STRIP_HEX=$(echo $serial_number | cut -dx -f2)
+ local serial=$STRIP_HEX
+ local CONV_UPP_VAL=${STRIP_HEX^^}
+ local CONV_LOW_VAL=${STRIP_HEX,,}
+ serial_number_array+=(0x$CONV_LOW_VAL)
+ local decimal_serial_number=$(echo "ibase=16;$CONV_UPP_VAL"|bc)
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local revocationReason="6"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"$serial=on&day=0&month=$Month&year=0&revocationReason=$revocationReason&csrRequestorComments=&submit=Submit&op=doRevoke&templateType=RevocationSuccess&serialNumber=$serial&revokeAll=(|(certRecordId=$decimal_serial_number))&totalRecordCount=1&verifiedRecordCount=1&invalidityDate=0\" -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/doRevoke\" > $TmpDir/$test_out" 0 "Revoke cert with serial Number $serial_number"
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"$serial=on&day=0&month=$Month&year=0&revocationReason=$revocationReason&csrRequestorComments=&submit=Submit&op=doRevoke&templateType=RevocationSuccess&serialNumber=$serial&revokeAll=(|(certRecordId=$decimal_serial_number))&totalRecordCount=1&verifiedRecordCount=1&invalidityDate=0\" -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/doRevoke\" > $TmpDir/$test_out" 0 "Revoke cert with serial Number $serial_number"
+ rlAssertGrep "header.revoked = \"yes\"" "$TmpDir/$test_out"
+ rlAssertGrep "header.error = null" "$TmpDir/$test_out"
+ rlLog "Sleep for 10 seconds"
+ rlRun "sleep 10"
+ # (4) Update RevocationList in clone CA.
+ local crlIssuingPoint="MasterCRL"
+ local signatureAlgorithm="SHA512withRSA"
+ local test_out=updatecrl.out
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $CA_agentV:$CERTDB_DIR_PASSWORD -d \"crlIssuingPoint=$crlIssuingPoint&signatureAlgorithm=$signatureAlgorithm\" -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/updateCRL\" > $TmpDir/$test_out" 0 "Update CRL"
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $CA_agentV:$CERTDB_DIR_PASSWORD -d \"crlIssuingPoint=$crlIssuingPoint&signatureAlgorithm=$signatureAlgorithm\" -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/updateCRL\" > $TmpDir/$test_out" 0 "Update CRL"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertGrep "header.crlIssuingPoint = \"$crlIssuingPoint\"" "$TmpDir/$test_out"
+ rlLog "sleep for 10s for master to get updated"
+ rlRun "sleep 10"
+ #(5) Display RevocationList in clone CA, should have the revoked cert
+ rlLog "Display Entire CRL"
+ local crlIssuingPoint='MasterCRL'
+ local crlDisplayType='entireCRL'
+ local pageStart='1'
+ local pageSize='150'
+ local test_out=$crlDisplayType
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"crlIssuingPoint=$crlIssuingPoint&crlDisplayType=$crlDisplayType&pageStart=$pageStart&pageSize=$pageSize\" -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/displayCRL\" > $TmpDir/$test_out"
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"crlIssuingPoint=$crlIssuingPoint&crlDisplayType=$crlDisplayType&pageStart=$pageStart&pageSize=$pageSize\" -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/displayCRL\" > $TmpDir/$test_out" 0 "Display cached CRL"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertGrep "header.crlIssuingPoint = \"$crlIssuingPoint\"" "$TmpDir/$test_out"
+ rlAssertGrep "header.crlDisplayType = \"$crlDisplayType\"" "$TmpDir/$test_out"
+ rlAssertGrep "$serial_number" "$TmpDir/$test_out"
+ #Update RevocationList in master CA.
+ local crlIssuingPoint="MasterCRL"
+ local signatureAlgorithm="SHA512withRSA"
+ local test_out=updatecrl.out
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $CA_agentV:$CERTDB_DIR_PASSWORD -d \"crlIssuingPoint=$crlIssuingPoint&signatureAlgorithm=$signatureAlgorithm\" -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/updateCRL\" > $TmpDir/$test_out" 0 "Update CRL"
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $CA_agentV:$CERTDB_DIR_PASSWORD -d \"crlIssuingPoint=$crlIssuingPoint&signatureAlgorithm=$signatureAlgorithm\" -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/updateCRL\" > $TmpDir/$test_out" 0 "Update CRL"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertGrep "header.crlIssuingPoint = \"$crlIssuingPoint\"" "$TmpDir/$test_out"
+ rlAssertGrep "header.crlUpdate = \"Scheduled\"" "$TmpDir/$test_out"
+ rlLog "Sleep for 10 seconds"
+ rlRun "sleep 10"
+ #(6) Display RevocationList in master CA, should have the revoked cert
+ rlLog "Display Entire CRL"
+ local crlIssuingPoint='MasterCRL'
+ local crlDisplayType='entireCRL'
+ local pageStart='1'
+ local pageSize='150'
+ local test_out=$crlDisplayType
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"crlIssuingPoint=$crlIssuingPoint&crlDisplayType=$crlDisplayType&pageStart=$pageStart&pageSize=$pageSize\" -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/displayCRL\" > $TmpDir/$test_out"
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"crlIssuingPoint=$crlIssuingPoint&crlDisplayType=$crlDisplayType&pageStart=$pageStart&pageSize=$pageSize\" -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/displayCRL\" > $TmpDir/$test_out" 0 "Display cached CRL"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertGrep "header.crlIssuingPoint = \"$crlIssuingPoint\"" "$TmpDir/$test_out"
+ rlAssertGrep "header.crlDisplayType = \"$crlDisplayType\"" "$TmpDir/$test_out"
+ rlAssertGrep "$serial_number" "$TmpDir/$test_out"
+ rlPhaseEnd
+
+ rlPhaseStartTest "clone_ca_test-0013: Shutdown Clone instance. Master CA instance should work just fine"
+ # (1) Shutdown Clone instance.
+ # (2) user cert enrollment using master CA instance.
+ # (3) approve this request id using master CA.
+
+ # (1) Shutdown Clone instance.
+ rlLog "Shutdown clone instance $clone_ca1_instance_name"
+ rhcs_stop_instance $clone_ca1_instance_name
+
+ # (1) user cert enrollment using master CA instance
+ local admin_out=$TmpDir/admin.out
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=1024
+ local profile=caUserCert
+ local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4"
+ local userid="fooUser-$RANDOM"
+ local usercn="$userid"
+ local phone="1234"
+ local usermail="$userid@example.org"
+ local test_out=ca-$profile-test.txt
+ rlRun "export SSL_DIR=$CERTDB_DIR"
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"$usercn\" \
+ subject_uid:$userid \
+ subject_email:$usermail \
+ subject_ou:IDM \
+ subject_organization:RedHat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/cert-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/cert-subject.out" 0 "Create $request_type request for $profile"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/cert-subject.out | grep Request_DN | cut -d ":" -f2)
+ rlLog "cert_requestdn=cert_requestdn"
+ rlRun "cat $TEMP_NSS_DB/cert-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/cert-encoded-request.pem"
+ rlLog "curl --basic \
+ --dump-header $admin_out \
+ -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/cert-encoded-request.pem)\" \
+ -k \"https://$tmp_ca_host:$masterca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $admin_out \
+ -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/cert-encoded-request.pem)\" \
+ -k \"https://$tmp_ca_host:$masterca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out"
+ local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}')
+ rlLog "request_id=$request_id"
+ # (2) approve this request id using master CA.
+ rlLog "Approve $request_id using $CA_agentV"
+ local Second=`date +'%S' -d now`
+ local Minute=`date +'%M' -d now`
+ local Hour=`date +'%H' -d now`
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local Year=`date +'%Y' -d now`
+ local start_year=$Year
+ let end_year=$Year+1
+ local end_day="1"
+ local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second"
+ local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn&notBefore=$notBefore&notAfter=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/profileProcess\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn&notBefore=$notBefore&notAfter=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$tmp_ca_host:$masterca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Submit Certificare request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}')
+ rlRun "curl --basic --dump-header $admin_out -d \"op=displayBySerial&serialNumber=$serial_number\" -k https://$tmp_ca_host:$masterca_secure_port/ca/ee/ca/displayBySerial 1> $TmpDir/cert.out"
+ local certificate_base64=$(cat -v $TmpDir/cert.out | grep "header.certChainBase64 = "|awk -F \" '{print $2}' | sed '/^$/d' | sed 's/^\\n//'|sed -e 's/^/-----BEGIN CERTIFICATE-----/' | sed 's/$/-----END CERTIFICATE-----/' | sed 's/\\r\\n//g')
+ rlLog "serial_number=$serial_number"
+ rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert"
+
+ rlLog "Start clone instance $clone_ca1_instance_name"
+ rhcs_start_instance $clone_ca1_instance_name
+ rlPhaseEnd
+
+ rlPhaseStartTest "clone_ca_test-0013: Shutdown Master CA instance. Clone CA instance should work just fine"
+ # (1) Shutdown master CA instance.
+ # (2) user cert enrollment using clone CA instance.
+ # (3) approve this request id using clone CA.
+
+ # (1) Shutdown Master CA instance.
+ rlLog "Shutdown Master CA instance $tomcat_name"
+ rhcs_stop_instance $tomcat_name
+
+ # (1) user cert enrollment using clone CA
+ local admin_out=$TmpDir/admin.out
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=1024
+ local profile=caUserCert
+ local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4"
+ local userid="fooUser-$RANDOM"
+ local usercn="$userid"
+ local phone="1234"
+ local usermail="$userid@example.org"
+ local test_out=ca-$profile-test.txt
+ rlRun "export SSL_DIR=$CERTDB_DIR"
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"$usercn\" \
+ subject_uid:$userid \
+ subject_email:$usermail \
+ subject_ou:IDM \
+ subject_organization:RedHat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/cert-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/cert-subject.out" 0 "Create $request_type request for $profile"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/cert-subject.out | grep Request_DN | cut -d ":" -f2)
+ rlLog "cert_requestdn=cert_requestdn"
+ rlRun "cat $TEMP_NSS_DB/cert-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/cert-encoded-request.pem"
+ rlLog "curl --basic \
+ --dump-header $admin_out \
+ -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/cert-encoded-request.pem)\" \
+ -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $admin_out \
+ -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/cert-encoded-request.pem)\" \
+ -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out"
+ local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}')
+ rlLog "request_id=$request_id"
+ # (2) approve this request id using clone CA.
+ rlLog "Approve $request_id using $CA_agentV"
+ local Second=`date +'%S' -d now`
+ local Minute=`date +'%M' -d now`
+ local Hour=`date +'%H' -d now`
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local Year=`date +'%Y' -d now`
+ local start_year=$Year
+ let end_year=$Year+1
+ local end_day="1"
+ local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second"
+ local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn&notBefore=$notBefore&notAfter=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/profileProcess\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $admin_out \
+ -E $CA_agentV:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn&notBefore=$notBefore&notAfter=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$tmp_ca_host:$clone_ca1_https_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Submit Certificare request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}')
+ rlRun "curl --basic --dump-header $admin_out -d \"op=displayBySerial&serialNumber=$serial_number\" -k https://$tmp_ca_host:$clone_ca1_https_port/ca/ee/ca/displayBySerial 1> $TmpDir/cert.out"
+ local certificate_base64=$(cat -v $TmpDir/cert.out | grep "header.certChainBase64 = "|awk -F \" '{print $2}' | sed '/^$/d' | sed 's/^\\n//'|sed -e 's/^/-----BEGIN CERTIFICATE-----/' | sed 's/$/-----END CERTIFICATE-----/' | sed 's/\\r\\n//g')
+ rlLog "serial_number=$serial_number"
+ rlLog "sleep 10 seconds for master to get updated"
+ rlRun "sleep 10"
+ STRIP_HEX=$(echo $serial_number | cut -dx -f2)
+ CONV_LOW_VAL=${STRIP_HEX,,}
+ rlRun "pki -h $tmp_ca_host -p $clone_ca1_http_port cert-show $serial_number > $cert_show_out" 0 "Executing pki cert-show $serial_number"
+ rlAssertGrep "Serial Number: 0x$CONV_LOW_VAL" "$cert_show_out"
+ rlAssertGrep "Issuer: CN=PKI $CA_INST Signing Cert,O=redhat" "$cert_show_out"
+ rlAssertGrep "Subject: $request_dn" "$cert_show_out"
+ rlAssertGrep "Status: VALID" "$cert_show_out"
+
+ # (1) Start Master CA instance.
+ rlLog "Start Master CA instance $tomcat_name"
+ rhcs_start_instance $tomcat_name
+ rlPhaseEnd
+
+ rlPhaseStartSetup "clone_ca_tests cleanup"
+ rlLog "Destroy pki instance $clone_ca1_instance_name"
+ rlRun "pkidestroy -s CA -i $clone_ca1_instance_name > $TmpDir/clone-ca1-uninstall.out 2>&1" 0
+ rlAssertGrep "Uninstallation complete" "$TmpDir/clone-ca1-uninstall.out"
+ rlLog "Remove DS instance"
+ rlRun "remove-ds.pl -i slapd-$clone_ca1_instance_name > $TmpDir/ds-clone1-uninstall.out 2>&1"
+ rlAssertGrep "Instance slapd-$clone_ca1_instance_name removed" "$TmpDir/ds-clone1-uninstall.out"
+ rlPhaseEnd
+
+ rlPhaseStartSetup "Deleting Temporary Directory"
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+}
+verify_cert()
+{
+ local serial_number=$1
+ local request_dn=$2
+ STRIP_HEX=$(echo $serial_number | cut -dx -f2)
+ CONV_LOW_VAL=${STRIP_HEX,,}
+ rlRun "pki -h $tmp_ca_host -p $target_port cert-show $serial_number > $cert_show_out" 0 "Executing pki cert-show $serial_number"
+ rlAssertGrep "Serial Number: 0x$CONV_LOW_VAL" "$cert_show_out"
+ rlAssertGrep "Issuer: CN=PKI $CA_INST Signing Cert,O=redhat" "$cert_show_out"
+ rlAssertGrep "Subject: $request_dn" "$cert_show_out"
+ rlAssertGrep "Status: VALID" "$cert_show_out"
+}
diff --git a/tests/dogtag/acceptance/legacy/ipa-tests/ipa_backend_plugin.sh b/tests/dogtag/acceptance/legacy/ipa-tests/ipa_backend_plugin.sh
new file mode 100755
index 000000000..70091fc2b
--- /dev/null
+++ b/tests/dogtag/acceptance/legacy/ipa-tests/ipa_backend_plugin.sh
@@ -0,0 +1,1633 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/rhcs/acceptance/legacy/ipa-tests/ipa_backend_plugin.sh
+# Description: IPA Backend Plugin
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Author: Niranjan Mallapadi <mniranja@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include rhts environment
+. /usr/bin/rhts-environment.sh
+. /usr/share/beakerlib/beakerlib.sh
+. /opt/rhqa_pki/rhcs-shared.sh
+. /opt/rhqa_pki/pki-cert-cli-lib.sh
+. /opt/rhqa_pki/env.sh
+
+# Include tests
+. ./acceptance/quickinstall/rhds-install.sh
+
+run_ipa_backend_plugin()
+{
+ local cs_Type=$1
+ local cs_Role=$2
+
+ # Creating Temporary Directory for ca-admin-acl tests
+ rlPhaseStartSetup "Create Temporary Directory"
+ rlRun "TmpDir=\`mktemp -d\`" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ rlPhaseEnd
+
+ #local variables
+ get_topo_stack $cs_Role $TmpDir/topo_file
+ local CA_INST=$(cat $TmpDir/topo_file | grep MY_CA | cut -d= -f2)
+ local CA_agentV_user=$CA_INST\_agentV
+ local CA_auditV_user=$CA_INST\_auditV
+ local CA_operatorV_user=$CA_INST\_operatorV
+ local CA_adminV_user=$CA_INST\_adminV
+ local CA_agentR_user=$CA_INST\_agentR
+ local CA_adminR_user=$CA_INST\_adminR
+ local CA_adminE_user=$CA_INST\_adminE
+ local CA_agentE_user=$CA_INST\_agentE
+ local invalid_serialNumber=$RANDOM
+ local invalid_hex_serialNumber=0x$(echo "ibase=16;$invalid_serialNumber"|bc)
+ local pkcs10_reqstatus
+ local pkcs10_requestid
+ local rand=$(openssl rand -base64 50 | perl -p -e 's/\n//')
+ local sub_ca_ldap_port=1839
+ local sub_ca_http_port=15080
+ local sub_ca_https_port=15443
+ local sub_ca_ajp_port=15009
+ local sub_ca_tomcat_port=15005
+ local subca_instance_name=pki-example-$RANDOM
+ local SUBCA_SERVER_ROOT=/var/lib/pki/$subca_instance_name/ca
+ local admin_cert_nickname="PKI Administrator for example.org"
+ local TEMP_NSS_DB="$TmpDir/nssdb"
+ local TEMP_NSS_DB_PWD="Secret123"
+ local exp="$TmpDir/expfile.out"
+ local expout="$TmpDir/exp_out"
+ local cert_info="$TmpDir/cert_info"
+ local target_port=$(eval echo \$${CA_INST}_UNSECURE_PORT)
+ local target_https_port=$(eval echo \$${CA_INST}_SECURE_PORT)
+ local tmp_ca_host=$(eval echo \$${cs_Role})
+ local target_host=$(eval echo \$${cs_Role})
+
+ rlPhaseStartSetup "Setup a Subordinate CA for pki cert-revoke"
+ local install_info=$TmpDir/install_info
+ rlLog "Setting up a Subordinate CA instance $subca_instance_name"
+ rlRun "rhcs_install_ipaca $subca_instance_name \
+ $sub_ca_ldap_port \
+ $sub_ca_http_port \
+ $sub_ca_https_port \
+ $sub_ca_ajp_port \
+ $sub_ca_tomcat_port \
+ $TmpDir $TmpDir/nssdb $install_info \
+ $CA_INST \
+ $target_host \
+ $target_port \
+ $target_https_port"
+ rlLog "Add CA Cert to $TEMP_NSS_DB"
+ rlRun "install_and_trust_CA_cert $SUBCA_SERVER_ROOT \"$TEMP_NSS_DB\""
+ local subca_serialNumber=$(pki -h $target_host -p $target_port cert-find --name "SubCA-$subca_instance_name" --matchExactly | grep "Serial Number" | awk -F": " '{print $2}')
+ local STRIP_HEX_PKCS10=$(echo $subca_serialNumber | cut -dx -f2)
+ local CONV_UPP_VAL_PKCS10=${STRIP_HEX_PKCS10^^}
+ local subca_decimal_serialNumber=$(echo "ibase=16;$CONV_UPP_VAL_PKCS10"|bc)
+ rlPhaseEnd
+
+ rlPhaseStartSetup "Preparation steps to generate Certificate request"
+ rlLog "In create_cert"
+ rlLog "Get the cert in a output file"
+ rlRun "pki -h $target_host -p $target_port cert-show 0x1 --encoded --output $TEMP_NSS_DB/ca_cert.pem 1> $TEMP_NSS_DB/ca-cert-show.out"
+ rlAssertGrep "Certificate \"0x1\"" "$TEMP_NSS_DB/ca-cert-show.out"
+ rlRun "pki -d $TEMP_NSS_DB \
+ -h $target_host \
+ -p $target_port \
+ -c $TEMP_NSS_DB_PWD \
+ -n \"casigningcert\" client-cert-import \
+ --ca-cert $TEMP_NSS_DB/ca_cert.pem 1> $TEMP_NSS_DB/pki-ca-cert.out"
+ rlAssertGrep "Imported certificate \"casigningcert\"" "$TEMP_NSS_DB/pki-ca-cert.out"
+ rlLog "Step-2: ipa certificate request for creating sslget client cert"
+ rlLog "Generating temporary certificate"
+ local ipa_cn="IPA-Subsystem-Certificate"
+ rlRun "generate_new_cert \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_pwd:$TEMP_NSS_DB_PWD \
+ myreq_type:pkcs10 \
+ algo:rsa \
+ key_size:2048 \
+ subject_cn:$ipa_cn \
+ subject_uid: \
+ subject_email: \
+ subject_ou:pki-ipa \
+ subject_o:redhat \
+ subject_c: \
+ archive:false \
+ req_profile:caServerCert \
+ target_host:$target_host \
+ protocol: \
+ port:$sub_ca_http_port \
+ cert_db_dir:$TEMP_NSS_DB \
+ cert_db_pwd:$TEMP_NSS_DB_PWD \
+ certdb_nick:\"$admin_cert_nickname\" \
+ cert_info:$cert_info"
+ local cert_serialNumber=$(cat $cert_info| grep cert_serialNumber | cut -d- -f2)
+ rlLog "cert_serialNumber=$cert_serialNumber"
+ rlRun "pki -h $target_host -p $sub_ca_http_port cert-show $cert_serialNumber --encoded --output $TEMP_NSS_DB/$ipa_cn\.pem 1> $TEMP_NSS_DB/cert-show.out"
+ rlAssertGrep "Certificate \"$cert_serialNumber\"" "$TEMP_NSS_DB/cert-show.out"
+ rlRun "pki -d $TEMP_NSS_DB \
+ -h $target_host \
+ -p $sub_ca_http_port \
+ -c $TEMP_NSS_DB_PWD \
+ -n $ipa_cn client-cert-import \
+ --cert $TEMP_NSS_DB/$ipa_cn\.pem 1> $TEMP_NSS_DB/pki-cert.out"
+ rlAssertGrep "Imported certificate \"$ipa_cn\"" "$TEMP_NSS_DB/pki-cert.out"
+ rlLog "Step-3: Generate freeIPA1 user and Import $ipa_cn cert"
+ local test_agent_user="freeIPA1"
+ local agent_user_fullName="free IPA1 Admin User"
+ local test_agent_pwd="Secret123"
+ rlLog "Create user with Admin Privileges only"
+ rlRun "pki -d $TEMP_NSS_DB \
+ -c $TEMP_NSS_DB_PWD \
+ -h $target_host \
+ -p $sub_ca_http_port \
+ -n \"$admin_cert_nickname\" \
+ user-add $test_agent_user \
+ --fullName \"$agent_user_fullName\" \
+ --password $test_agent_pwd" 0 "Create $agent_user_fullName"
+ rlLog "Add user to Certificate Manager Agents Group"
+ rlRun "pki -d $TEMP_NSS_DB \
+ -c $TEMP_NSS_DB_PWD \
+ -h $target_host \
+ -p $sub_ca_http_port \
+ -n \"$admin_cert_nickname\" \
+ group-member-add \"Certificate Manager Agents\" $test_agent_user" 0 "Add $agent_user_fullName to Certificate Manager Agents"
+ rlRun "pki -d $TEMP_NSS_DB \
+ -c $TEMP_NSS_DB_PWD \
+ -h $target_host \
+ -p $sub_ca_http_port \
+ -n \"$admin_cert_nickname\" \
+ group-member-add \"Registration Manager Agents\" $test_agent_user" 0 "Add $agent_user_fullName to Registration Manager Agents"
+ rlRun "pki -d $TEMP_NSS_DB \
+ -c $TEMP_NSS_DB_PWD \
+ -h $target_host \
+ -p $sub_ca_http_port \
+ -n \"$admin_cert_nickname\" \
+ user-cert-add $test_agent_user --input $TEMP_NSS_DB/$ipa_cn\.pem > $TEMP_NSS_DB/cert-add.out" 0 "Import cert to $test_agent_user user"
+ rlLog "Disable nonce"
+ disable_ca_nonce $subca_instance_name
+ rlPhaseEnd
+
+ rlPhaseStartTest "ipa_legacy_test-001: test is for requesting a ipa certificate"
+ echo $TEMP_NSS_DB_PWD >> $TEMP_NSS_DB/certdb_pwd_file
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=2048
+ local ipa_profile="caIPAserviceCert"
+ local sslget_output=$TEMP_NSS_DB/sslget1.out
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"IPA-Cert-$RANDOM\" \
+ subject_uid: \
+ subject_email: \
+ subject_ou:pki-ipa \
+ subject_organization:redhat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/freeipa1-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/freeipa1-subject.out" 0 "Create $request_type request"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/freeipa1-subject.out | grep Request_DN | cut -d ":" -f2)
+ local encoded_request=$(cat $TEMP_NSS_DB/freeipa1-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());')
+ local profile_request="/ca/ee/ca/profileSubmit"
+ local request_info="profileId=caIPAserviceCert&cert_request_type=pkcs10&xmlOutput=true&cert_request="
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ local serialNo=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/serialno")
+ local RequestId=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/Id")
+ local base64=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/b64")
+ rlLog "serialNo: $serialNo"
+ rlLog "RequestID: $RequestId"
+ if [ "$serialNo" == "" ]; then
+ rlFail "Serial Number not found"
+ else
+ rlPass "Certificate request successfull approved"
+ fi
+ if [ "$RequestId" == "" ]; then
+
+ rlFail "Requestid Number not found"
+ else
+ rlPass "Certificate Request successfull Submitted"
+ fi
+ rlPhaseEnd
+
+
+ rlPhaseStartTest "ipa_legacy_test-002: This test is for requesting a ipa certificate when request signing cert is not provided."
+ local profile_request="/ca/ee/ca/profileSubmit"
+ local request_info="profileId=caIPAserviceCert&cert_request_type=pkcs10&xmlOutput=true&cert_request="
+ local encoded_request=""
+ local sslget_output=$TEMP_NSS_DB/sslget2.out
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget with no cert request"
+ local error=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Error")
+ if [ "$error" == "Invalid Request" ]; then
+ rlPass "Invalid Request"
+ else
+ rlFail "sslget failed with not a valid error"
+ fi
+ rlPhaseEnd
+
+ rlPhaseStartTest "ipa_legacy_test-003: This test is for requesting a ipa certificate when an invalid cert request is provided"
+ local profile_request="/ca/ee/ca/profileSubmit"
+ local request_info="profileId=caIPAserviceCert&cert_request_type=pkcs10&xmlOutput=true&cert_request="
+ local encoded_request="$rand"
+ local sslget_output=$TEMP_NSS_DB/sslget3.out
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget with no cert request"
+ local error=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Error")
+ if [ "$error" == "Invalid Request" ]; then
+ rlPass "sslget failed with eror: $error"
+ else
+ rlFail "sslget failed with not a valid error"
+ fi
+ rlPhaseEnd
+
+ rlPhaseStartTest "ipa_legacy_test-004: This test is for requesting a ipa certificate when request type is crmf"
+ local ipa_cn="IPA-Subsystem-Certificate"
+ local request_type=crmf
+ local request_key_type=rsa
+ local request_key_size=2048
+ local ipa_profile="caIPAserviceCert"
+ local sslget_output=$TEMP_NSS_DB/sslget4.out
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"IPA-Cert-$RANDOM\" \
+ subject_uid: \
+ subject_email: \
+ subject_ou:pki-ipa \
+ subject_organization:redhat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/freeipa2-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/freeipa2-subject.out" 0 "Create $request_type request"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/freeipa2-subject.out | grep Request_DN | cut -d ":" -f2)
+ local encoded_request=$(cat $TEMP_NSS_DB/freeipa2-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());')
+ local profile_request="/ca/ee/ca/profileSubmit"
+ local request_info="profileId=caIPAserviceCert&cert_request_type=crmf&xmlOutput=true&cert_request="
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ local serialNo=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/serialno")
+ local RequestId=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/Id")
+ local base64=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/b64")
+ if [ "$serialNo" == "" ]; then
+ rlFail "Serial Number not found"
+ else
+ rlPass "Certificate request successfull approved"
+ fi
+ if [ "$RequestId" == "" ]; then
+
+ rlFail "Requestid Number not found"
+ else
+ rlPass "Certificate Request successfull Submitted"
+ fi
+ rlPhaseEnd
+
+ rlPhaseStartTest "ipa_legacy_test-005: This test is for requesting a ipa certificate when request type is not provided"
+ local ipa_cn="IPA-Subsystem-Certificate"
+ local request_type=crmf
+ local request_key_type=rsa
+ local request_key_size=2048
+ local ipa_profile="caIPAserviceCert"
+ local sslget_output=$TEMP_NSS_DB/sslget5.out
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"IPA-Cert-$RANDOM\" \
+ subject_uid: \
+ subject_email: \
+ subject_ou:pki-ipa \
+ subject_organization:redhat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/freeipa3-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/freeipa3-subject.out" 0 "Create $request_type request"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/freeipa3-subject.out | grep Request_DN | cut -d ":" -f2)
+ local encoded_request=$(cat $TEMP_NSS_DB/freeipa3-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());')
+ local profile_request="/ca/ee/ca/profileSubmit"
+ local request_info="profileId=caIPAserviceCert&cert_request_type=&xmlOutput=true&cert_request="
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ local error=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Error")
+ if [ "$error" == "Unknown Certificate Request Type " ]; then
+ rlPass "ssl get failed with error: $error"
+ else
+ rlFail "sslget failed with not a valid error"
+ fi
+ rlPhaseEnd
+
+ rlPhaseStartTest "ipa_legacy_test-006: This test is for requesting a ipa certificate when xmloutput set to false"
+ local ipa_cn="IPA-Subsystem-Certificate"
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=2048
+ local ipa_profile="caIPAserviceCert"
+ local sslget_output=$TEMP_NSS_DB/sslget6.out
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"IPA-Cert-$RANDOM\" \
+ subject_uid: \
+ subject_email: \
+ subject_ou:pki-ipa \
+ subject_organization:redhat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/freeipa4-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/freeipa4-subject.out" 0 "Create $request_type request"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/freeipa4-subject.out | grep Request_DN | cut -d ":" -f2)
+ local encoded_request=$(cat $TEMP_NSS_DB/freeipa4-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());')
+ local profile_request="/ca/ee/ca/profileSubmit"
+ local request_info="profileId=caIPAserviceCert&cert_request_type=pkcs10&xmlOutput=false&cert_request="
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ requestid=$(cat -v $sslget_output | grep requestList.requestId | awk -F\" '{print $2}')
+ cert_b64=$(cat -v $sslget_output | grep outputList.outputVal | grep "BEGIN CERTIFICATE" | awk -F \" '{print $2}')
+ if [ $requestid == "" ]; then
+ rlFail "Request not submitted"
+ else
+ rlPass "Request successfull submitted, requestid: $requestid"
+ fi
+ if [ $cert_b64 == "" ]; then
+ rlFail "Request not approved"
+ else
+ rlPass "Request approved Successfully"
+ fi
+ rlPhaseEnd
+
+ rlPhaseStartTest "ipa_legacy_test-007: This test is for requesting a ipa certificate when xmloutput does not have any value"
+ local ipa_cn="IPA-Subsystem-Certificate"
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=2048
+ local ipa_profile="caIPAserviceCert"
+ local sslget_output=$TEMP_NSS_DB/sslget7.out
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"IPA-Cert-$RANDOM\" \
+ subject_uid: \
+ subject_email: \
+ subject_ou:pki-ipa \
+ subject_organization:redhat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/freeipa5-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/freeipa5-subject.out" 0 "Create $request_type request"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/freeipa5-subject.out | grep Request_DN | cut -d ":" -f2)
+ local encoded_request=$(cat $TEMP_NSS_DB/freeipa5-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());')
+ local profile_request="/ca/ee/ca/profileSubmit"
+ local request_info="profileId=caIPAserviceCert&cert_request_type=pkcs10&xmlOutput=&cert_request="
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ requestid=$(cat -v $sslget_output | grep requestList.requestId | awk -F\" '{print $2}')
+ cert_b64=$(cat -v $sslget_output | grep outputList.outputVal | grep "BEGIN CERTIFICATE" | awk -F \" '{print $2}')
+ if [ $requestid == "" ]; then
+ rlFail "Request not submitted"
+ else
+ rlPass "Request successfull submitted, requestid: $requestid"
+ fi
+ if [ $cert_b64 == "" ]; then
+ rlFail "Request not approved"
+ else
+ rlPass "Request approved Successfully"
+ fi
+ rlPhaseEnd
+
+ rlPhaseStartTest "ipa_legacy_test-008: This test is to get certificate when serial number is provided"
+ local ipa_cn="IPA-Subsystem-Certificate"
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=2048
+ local ipa_profile="caIPAserviceCert"
+ local sslget_output=$TEMP_NSS_DB/sslget8-0.out
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"IPA-Cert-$RANDOM\" \
+ subject_uid: \
+ subject_email: \
+ subject_ou:pki-ipa \
+ subject_organization:redhat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/freeipa6-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/freeipa6-subject.out" 0 "Create $request_type request"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/freeipa6-subject.out | grep Request_DN | cut -d ":" -f2)
+ local encoded_request=$(cat $TEMP_NSS_DB/freeipa6-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());')
+ local profile_request="/ca/ee/ca/profileSubmit"
+ local request_info="profileId=caIPAserviceCert&cert_request_type=pkcs10&xmlOutput=true&cert_request="
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ local serial_number=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/serialno")
+ local RequestId=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/Id")
+ local base64=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/b64")
+ rlLog "serialNo: $serialNo"
+ rlLog "RequestID: $RequestId"
+ if [ "$serialNo" == "" ]; then
+ rlFail "Serial Number not found"
+ else
+ rlPass "Certificate request successfull approved, requestid: $RequestId"
+ fi
+ if [ "$RequestId" == "" ]; then
+
+ rlFail "Requestid Number not found"
+ else
+ rlPass "Certificate Request successfull Submitted"
+ fi
+ local profile_request="/ca/ee/ca/displayBySerial"
+ local request_info="serialNumber=0x$serial_number"
+ local sslget_output=$TEMP_NSS_DB/sslget8-1.out
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ local base64=$(cat -v $sslget_output | grep header.certChainBase64 | awk -F \" '{print $2}')
+ if [ $base64 == "" ]; then
+ rlFail "sslget failed to get certificate details"
+ else
+ rlPass "sslget was successful in getting certificate details"
+ rlLog "Certificate Base64: $base64"
+ fi
+ rlPhaseEnd
+
+ rlPhaseStartTest "ipa_legacy_test-009: This test is to get certificate when serial number provided does not exist in cs"
+ local ipa_cn="IPA-Subsystem-Certificate"
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=2048
+ local ipa_profile="caIPAserviceCert"
+ local sslget_output=$TEMP_NSS_DB/sslget9-0.out
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"IPA-Cert-$RANDOM\" \
+ subject_uid: \
+ subject_email: \
+ subject_ou:pki-ipa \
+ subject_organization:redhat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/freeipa7-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/freeipa7-subject.out" 0 "Create $request_type request"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/freeipa7-subject.out | grep Request_DN | cut -d ":" -f2)
+ local encoded_request=$(cat $TEMP_NSS_DB/freeipa7-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());')
+ local profile_request="/ca/ee/ca/profileSubmit"
+ local request_info="profileId=caIPAserviceCert&cert_request_type=pkcs10&xmlOutput=true&cert_request="
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ local serial_number=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/serialno")
+ local RequestId=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/Id")
+ local base64=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/b64")
+ rlLog "serialNo: $serialNo"
+ rlLog "RequestID: $RequestId"
+ if [ "$serialNo" == "" ]; then
+ rlFail "Serial Number not found"
+ else
+ rlPass "Certificate request successfull approved, requestid: $RequestId"
+ fi
+ if [ "$RequestId" == "" ]; then
+
+ rlFail "Requestid Number not found"
+ else
+ rlPass "Certificate Request successfull Submitted"
+ fi
+ local serial_number=$RANDOM$RANDOM
+ local profile_request="/ca/ee/ca/displayBySerial"
+ local request_info="serialNumber=0x$serial_number"
+ local sslget_output=$TEMP_NSS_DB/sslget9-1.out
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ rlAssertGrep "fixed.unexpectedError = \"Certificate serial number 0x$serial_number not found\"" "$sslget_output"
+ rlPhaseEnd
+
+ rlPhaseStartTest "ipa_legacy_test-0010: This test is to get certificate when serial number is not provided"
+ local serial_number=""
+ local profile_request="/ca/ee/ca/displayBySerial"
+ local request_info="serialNumber=$serial_number"
+ local sslget_output=$TEMP_NSS_DB/sslget10.out
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ rlAssertGrep "fixed.errorDetails = \"Certificate Serial number is not set or invalid.\"" "$sslget_output"
+ rlPhaseEnd
+
+ rlPhaseStartTest "ipa_legacy_test-0011: This test is to get certificate when certificate is not created through ipa."
+ rlLog "Generate Cert approved by $admin_cert_nickname"
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=1024
+ local profile=caUserCert
+ local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4"
+ local userid="fooUser"
+ local usercn="fooUser"
+ local phone="1234"
+ local admin_out="$TmpDir/admin.out"
+ local usermail="fooUser@example.org"
+ local test_out=ca-$profile-test.txt
+ rlRun "export SSL_DIR=$TEMP_NSS_DB"
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"$usercn\" \
+ subject_uid:$userid \
+ subject_email:$usermail \
+ subject_ou:IDM \
+ subject_organization:RedHat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/user-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/user-subject.out" 0 "Create $request_type request for $profile"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/user-subject.out | grep Request_DN | cut -d ":" -f2)
+ rlLog "cert_requestdn=$cert_requestdn"
+ rlRun "cat $TEMP_NSS_DB/user-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/user-encoded-request.pem"
+ rlLog "curl --basic \
+ --dump-header $admin_out \
+ -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/user-encoded-request.pem)\" \
+ -k \"https://$target_host:$sub_ca_https_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $admin_out \
+ -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/user-encoded-request.pem)\" \
+ -k \"https://$target_host:$sub_ca_https_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out"
+ local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}')
+ rlLog "request_id=$request_id"
+ rlLog "Approve $request_id using $valid_agent_cert"
+ local Second=`date +'%S' -d now`
+ local Minute=`date +'%M' -d now`
+ local Hour=`date +'%H' -d now`
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local Year=`date +'%Y' -d now`
+ local start_year=$Year
+ let end_year=$Year+1
+ local end_day="1"
+ local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second"
+ local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second"
+ rlLog "curl --cacert $TEMP_NSS_DB/ca_cert.pem \
+ --dump-header $admin_out \
+ -E \"$admin_cert_nickname\":$TEMP_NSS_DB_PWD \
+ -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn&notBefore=$notBefore&notAfter=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$target_host:$sub_ca_https_port/ca/agent/ca/profileProcess\""
+ rlRun "curl --cacert $TEMP_NSS_DB/ca_cert.pem \
+ --dump-header $admin_out \
+ -E \"$admin_cert_nickname\":$TEMP_NSS_DB_PWD \
+ -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn&notBefore=$notBefore&notAfter=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$target_host:$sub_ca_https_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Submit Certificare request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}')
+ rlLog "serial_number=$serial_number"
+ local profile_request="/ca/ee/ca/displayBySerial"
+ local request_info="serialNumber=$serial_number"
+ local sslget_output=$TEMP_NSS_DB/sslget8-1.out
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ local base64=$(cat -v $sslget_output | grep header.certChainBase64 | awk -F \" '{print $2}')
+ if [ $base64 == "" ]; then
+ rlFail "sslget failed to get certificate details"
+ else
+ rlPass "sslget was successful in getting certificate details"
+ rlLog "Certificate Base64: $base64"
+ fi
+ rlPhaseEnd
+
+ rlPhaseStartTest "ipa_legacy_test-0012: This test is for get certificate request on a revoked ipa certificate"
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=2048
+ local sslget_output=$TEMP_NSS_DB/sslget12-1.out
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"IPA-Cert-$RANDOM\" \
+ subject_uid: \
+ subject_email: \
+ subject_ou:pki-ipa \
+ subject_organization:redhat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/freeipa12-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/freeipa12-subject.out" 0 "Create $request_type request"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/freeipa12-subject.out | grep Request_DN | cut -d ":" -f2)
+ local encoded_request=$(cat $TEMP_NSS_DB/freeipa12-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());')
+ local profile_request="/ca/ee/ca/profileSubmit"
+ local request_info="profileId=caIPAserviceCert&cert_request_type=pkcs10&xmlOutput=true&cert_request="
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ local serial_number=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/serialno")
+ local RequestId=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/Id")
+ local base64=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/b64")
+ rlLog "serialNo: $serialNo"
+ rlLog "RequestID: $RequestId"
+ if [ "$serial_number" == "" ]; then
+ rlFail "Serial Number not found"
+ else
+ rlPass "Certificate request successfull approved"
+ fi
+ if [ "$RequestId" == "" ]; then
+
+ rlFail "Requestid Number not found"
+ else
+ rlPass "Certificate Request successfull Submitted"
+ fi
+ rlLog "Revoke ipa certificate"
+ local sslget_output=$TEMP_NSS_DB/sslget12-2.out
+ local profile_request="/ca/agent/ca/doRevoke"
+ local revocation_reason=0
+ local request_info="op=revoke&revocationReason=$revocation_reason&revokeAll=(certRecordId%3D0x$serial_number)&totalRecordCount=1"
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Revoke Certificate $serial_number"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Revoke Certificate $serial_number"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ rlAssertGrep "header.error = null" "$sslget_output"
+ rlAssertGrep "header.revoked = \"yes\"" "$sslget_output"
+ local profile_request="/ca/ee/ca/displayBySerial"
+ local request_info="serialNumber=0x$serial_number"
+ local sslget_output=$TEMP_NSS_DB/sslget12-3.out
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ local base64=$(cat -v $sslget_output | grep header.certChainBase64 | awk -F \" '{print $2}')
+ if [ "$base64" == "" ]; then
+ rlFail "sslget failed to get certificate details"
+ else
+ rlPass "sslget was successful in getting certificate details"
+ rlLog "Certificate Base64: $base64"
+ fi
+ rlPhaseEnd
+
+ rlPhaseStartTest "ipa_legacy_test-0013: This test is to check certificate request status"
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=2048
+ local sslget_output=$TEMP_NSS_DB/sslget13-1.out
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"IPA-Cert-$RANDOM\" \
+ subject_uid: \
+ subject_email: \
+ subject_ou:pki-ipa \
+ subject_organization:redhat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/freeipa13-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/freeipa13-subject.out" 0 "Create $request_type request"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/freeipa13-subject.out | grep Request_DN | cut -d ":" -f2)
+ local encoded_request=$(cat $TEMP_NSS_DB/freeipa13-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());')
+ local profile_request="/ca/ee/ca/profileSubmit"
+ local request_info="profileId=caIPAserviceCert&cert_request_type=pkcs10&xmlOutput=true&cert_request="
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ local serial_number=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/serialno")
+ local RequestId=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/Id")
+ local base64=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/b64")
+ rlLog "serialNo: $serialNo"
+ rlLog "RequestID: $RequestId"
+ if [ "$serialNo" == "" ]; then
+ rlFail "Serial Number not found"
+ else
+ rlPass "Certificate request successfull approved"
+ fi
+ if [ "$RequestId" == "" ]; then
+
+ rlFail "Requestid Number not found"
+ else
+ rlPass "Certificate Request successfull Submitted"
+ fi
+ local sslget_output=$TEMP_NSS_DB/sslget13-2.out
+ local profile_request="/ca/ee/ca/checkRequest"
+ local request_info="requestId=$RequestId"
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Get details of request"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Get details of request"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ rlAssertGrep "header.requestId = \"$RequestId\"" "$sslget_output"
+ rlAssertGrep "header.status = \"complete\"" "$sslget_output"
+ rlAssertGrep "record.serialNumber=\"$serial_number\"" "$sslget_output"
+ rlPhaseEnd
+
+
+ rlPhaseStartTest "ipa_legacy_test-0014: This test is for check certificate status request on a revoked ipa certificate"
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=2048
+ local sslget_output=$TEMP_NSS_DB/sslget14-1.out
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"IPA-Cert-$RANDOM\" \
+ subject_uid: \
+ subject_email: \
+ subject_ou:pki-ipa \
+ subject_organization:redhat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/freeipa14-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/freeipa14-subject.out" 0 "Create $request_type request"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/freeipa14-subject.out | grep Request_DN | cut -d ":" -f2)
+ local encoded_request=$(cat $TEMP_NSS_DB/freeipa14-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());')
+ local profile_request="/ca/ee/ca/profileSubmit"
+ local request_info="profileId=caIPAserviceCert&cert_request_type=pkcs10&xmlOutput=true&cert_request="
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ local serial_number=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/serialno")
+ local RequestId=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/Id")
+ local base64=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/b64")
+ rlLog "serialNo: $serialNo"
+ rlLog "RequestID: $RequestId"
+ if [ "$serial_number" == "" ]; then
+ rlFail "Serial Number not found"
+ else
+ rlPass "Certificate request successfull approved"
+ fi
+ if [ "$RequestId" == "" ]; then
+
+ rlFail "Requestid Number not found"
+ else
+ rlPass "Certificate Request successfull Submitted"
+ fi
+ rlLog "Revoke ipa certificate"
+ local sslget_output=$TEMP_NSS_DB/sslget14-2.out
+ local profile_request="/ca/agent/ca/doRevoke"
+ local revocation_reason=0
+ local request_info="op=revoke&revocationReason=$revocation_reason&revokeAll=(certRecordId%3D0x$serial_number)&totalRecordCount=1"
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Revoke Certificate $serial_number"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Revoke Certificate $serial_number"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ rlAssertGrep "header.error = null" "$sslget_output"
+ rlAssertGrep "header.revoked = \"yes\"" "$sslget_output"
+ local profile_request="/ca/ee/ca/displayBySerial"
+ local request_info="serialNumber=0x$serial_number"
+ local sslget_output=$TEMP_NSS_DB/sslget14-3.out
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ local base64=$(cat -v $sslget_output | grep header.certChainBase64 | awk -F \" '{print $2}')
+ if [ "$base64" == "" ]; then
+ rlFail "sslget failed to get certificate details"
+ else
+ rlPass "sslget was successful in getting certificate details"
+ rlLog "Certificate Base64: $base64"
+ fi
+ local sslget_output=$TEMP_NSS_DB/sslget14-4.out
+ local profile_request="/ca/ee/ca/checkRequest"
+ local request_info="requestId=$RequestId"
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Get details of request"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Get details of request"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ rlAssertGrep "header.requestId = \"$RequestId\"" "$sslget_output"
+ rlAssertGrep "header.status = \"complete\"" "$sslget_output"
+ rlAssertGrep "record.serialNumber=\"$serial_number\"" "$sslget_output"
+ rlPhaseEnd
+
+
+ rlPhaseStartTest "ipa_legacy_test-0015: This test is to check certificate request status when request id provided does not exist"
+ local RequestId=999999999
+ local sslget_output=$TEMP_NSS_DB/sslget15.out
+ local profile_request="/ca/ee/ca/checkRequest"
+ local request_info="requestId=$RequestId"
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Get details of request"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Get details of request"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ rlAssertGrep "fixed.unexpectedError = \"Request ID $RequestId was not found in the request queue.\"" "$sslget_output"
+ rlPhaseEnd
+
+ rlPhaseStartTest "ipa_legacy_test-0016: This test is to check certificate request status when request id provided are junk characters"
+ local RequestId="jëmbëdhãøàe-ré1ürkçå"
+ local sslget_output=$TEMP_NSS_DB/sslget16.out
+ local profile_request="/ca/ee/ca/checkRequest"
+ local request_info="requestId=$RequestId"
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Get details of request"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Get details of request"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ rlAssertGrep "fixed.unexpectedError = \"Invalid number format: $RequestId\"" "$sslget_output"
+ rlPhaseEnd
+
+ rlPhaseStartTest "ipa_legacy_test-0016: This test is for revoking an ipa certificate with reason 0-unspecified"
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=2048
+ local sslget_output=$TEMP_NSS_DB/sslget16-1.out
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"IPA-Cert-$RANDOM\" \
+ subject_uid: \
+ subject_email: \
+ subject_ou:pki-ipa \
+ subject_organization:redhat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/freeipa16-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/freeipa16-subject.out" 0 "Create $request_type request"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/freeipa16-subject.out | grep Request_DN | cut -d ":" -f2)
+ local encoded_request=$(cat $TEMP_NSS_DB/freeipa16-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());')
+ local profile_request="/ca/ee/ca/profileSubmit"
+ local request_info="profileId=caIPAserviceCert&cert_request_type=pkcs10&xmlOutput=true&cert_request="
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ local serial_number=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/serialno")
+ local RequestId=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/Id")
+ local base64=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/b64")
+ rlLog "serialNo: $serialNo"
+ rlLog "RequestID: $RequestId"
+ if [ "$serialNo" == "" ]; then
+ rlFail "Serial Number not found"
+ else
+ rlPass "Certificate request successfull approved"
+ fi
+ if [ "$RequestId" == "" ]; then
+
+ rlFail "Requestid Number not found"
+ else
+ rlPass "Certificate Request successfull Submitted"
+ fi
+ rlLog "Revoke ipa certificate"
+ local sslget_output=$TEMP_NSS_DB/sslget16-2.out
+ local profile_request="/ca/agent/ca/doRevoke"
+ local revocation_reason=0
+ local request_info="op=revoke&revocationReason=$revocation_reason&revokeAll=(certRecordId%3D0x$serial_number)&totalRecordCount=1"
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Revoke Certificate $serial_number"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Revoke Certificate $serial_number"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ rlAssertGrep "header.error = null" "$sslget_output"
+ rlAssertGrep "header.revoked = \"yes\"" "$sslget_output"
+ rlPhaseEnd
+
+ rlPhaseStartTest "ipa_legacy_test-0017: This test is for revoking an ipa certificate with reason 1-Key compromise"
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=2048
+ local sslget_output=$TEMP_NSS_DB/sslget17-1.out
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"IPA-Cert-$RANDOM\" \
+ subject_uid: \
+ subject_email: \
+ subject_ou:pki-ipa \
+ subject_organization:redhat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/freeipa17-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/freeipa17-subject.out" 0 "Create $request_type request"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/freeipa17-subject.out | grep Request_DN | cut -d ":" -f2)
+ local encoded_request=$(cat $TEMP_NSS_DB/freeipa17-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());')
+ local profile_request="/ca/ee/ca/profileSubmit"
+ local request_info="profileId=caIPAserviceCert&cert_request_type=pkcs10&xmlOutput=true&cert_request="
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ local serial_number=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/serialno")
+ local RequestId=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/Id")
+ local base64=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/b64")
+ rlLog "serialNo: $serialNo"
+ rlLog "RequestID: $RequestId"
+ if [ "$serialNo" == "" ]; then
+ rlFail "Serial Number not found"
+ else
+ rlPass "Certificate request successfull approved"
+ fi
+ if [ "$RequestId" == "" ]; then
+
+ rlFail "Requestid Number not found"
+ else
+ rlPass "Certificate Request successfull Submitted"
+ fi
+ rlLog "Revoke ipa certificate"
+ local sslget_output=$TEMP_NSS_DB/sslget17-2.out
+ local profile_request="/ca/agent/ca/doRevoke"
+ local revocation_reason=1
+ local request_info="op=revoke&revocationReason=$revocation_reason&revokeAll=(certRecordId%3D0x$serial_number)&totalRecordCount=1"
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Revoke Certificate $serial_number"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Revoke Certificate $serial_number"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ rlAssertGrep "header.error = null" "$sslget_output"
+ rlAssertGrep "header.revoked = \"yes\"" "$sslget_output"
+ rlPhaseEnd
+
+ rlPhaseStartTest "ipa_legacy_test-0018: This test is for revoking an ipa certificate with reason 2-ca compromise"
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=2048
+ local sslget_output=$TEMP_NSS_DB/sslget18-1.out
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"IPA-Cert-$RANDOM\" \
+ subject_uid: \
+ subject_email: \
+ subject_ou:pki-ipa \
+ subject_organization:redhat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/freeipa18-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/freeipa18-subject.out" 0 "Create $request_type request"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/freeipa18-subject.out | grep Request_DN | cut -d ":" -f2)
+ local encoded_request=$(cat $TEMP_NSS_DB/freeipa18-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());')
+ local profile_request="/ca/ee/ca/profileSubmit"
+ local request_info="profileId=caIPAserviceCert&cert_request_type=pkcs10&xmlOutput=true&cert_request="
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ local serial_number=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/serialno")
+ local RequestId=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/Id")
+ local base64=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/b64")
+ rlLog "serialNo: $serialNo"
+ rlLog "RequestID: $RequestId"
+ if [ "$serialNo" == "" ]; then
+ rlFail "Serial Number not found"
+ else
+ rlPass "Certificate request successfull approved"
+ fi
+ if [ "$RequestId" == "" ]; then
+
+ rlFail "Requestid Number not found"
+ else
+ rlPass "Certificate Request successfull Submitted"
+ fi
+ rlLog "Revoke ipa certificate"
+ local sslget_output=$TEMP_NSS_DB/sslget18-2.out
+ local profile_request="/ca/agent/ca/doRevoke"
+ local revocation_reason=2
+ local request_info="op=revoke&revocationReason=$revocation_reason&revokeAll=(certRecordId%3D0x$serial_number)&totalRecordCount=1"
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Revoke Certificate $serial_number"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Revoke Certificate $serial_number"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ rlAssertGrep "header.error = null" "$sslget_output"
+ rlAssertGrep "header.revoked = \"yes\"" "$sslget_output"
+ rlPhaseEnd
+
+ rlPhaseStartTest "ipa_legacy_test-0019: This test is for revoking an ipa certificate with reason 3-affiliation changed"
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=2048
+ local sslget_output=$TEMP_NSS_DB/sslget19-1.out
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"IPA-Cert-$RANDOM\" \
+ subject_uid: \
+ subject_email: \
+ subject_ou:pki-ipa \
+ subject_organization:redhat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/freeipa19-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/freeipa19-subject.out" 0 "Create $request_type request"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/freeipa19-subject.out | grep Request_DN | cut -d ":" -f2)
+ local encoded_request=$(cat $TEMP_NSS_DB/freeipa19-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());')
+ local profile_request="/ca/ee/ca/profileSubmit"
+ local request_info="profileId=caIPAserviceCert&cert_request_type=pkcs10&xmlOutput=true&cert_request="
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ local serial_number=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/serialno")
+ local RequestId=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/Id")
+ local base64=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/b64")
+ rlLog "serialNo: $serialNo"
+ rlLog "RequestID: $RequestId"
+ if [ "$serialNo" == "" ]; then
+ rlFail "Serial Number not found"
+ else
+ rlPass "Certificate request successfull approved"
+ fi
+ if [ "$RequestId" == "" ]; then
+
+ rlFail "Requestid Number not found"
+ else
+ rlPass "Certificate Request successfull Submitted"
+ fi
+ rlLog "Revoke ipa certificate"
+ local sslget_output=$TEMP_NSS_DB/sslget19-2.out
+ local profile_request="/ca/agent/ca/doRevoke"
+ local revocation_reason=3
+ local request_info="op=revoke&revocationReason=$revocation_reason&revokeAll=(certRecordId%3D0x$serial_number)&totalRecordCount=1"
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Revoke Certificate $serial_number"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Revoke Certificate $serial_number"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ rlAssertGrep "header.error = null" "$sslget_output"
+ rlAssertGrep "header.revoked = \"yes\"" "$sslget_output"
+ rlPhaseEnd
+
+ rlPhaseStartTest "ipa_legacy_test-0020: This test is for revoking an ipa certificate with reason 4-superseded."
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=2048
+ local sslget_output=$TEMP_NSS_DB/sslget20-1.out
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"IPA-Cert-$RANDOM\" \
+ subject_uid: \
+ subject_email: \
+ subject_ou:pki-ipa \
+ subject_organization:redhat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/freeipa20-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/freeipa20-subject.out" 0 "Create $request_type request"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/freeipa20-subject.out | grep Request_DN | cut -d ":" -f2)
+ local encoded_request=$(cat $TEMP_NSS_DB/freeipa20-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());')
+ local profile_request="/ca/ee/ca/profileSubmit"
+ local request_info="profileId=caIPAserviceCert&cert_request_type=pkcs10&xmlOutput=true&cert_request="
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ local serial_number=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/serialno")
+ local RequestId=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/Id")
+ local base64=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/b64")
+ rlLog "serialNo: $serialNo"
+ rlLog "RequestID: $RequestId"
+ if [ "$serialNo" == "" ]; then
+ rlFail "Serial Number not found"
+ else
+ rlPass "Certificate request successfull approved"
+ fi
+ if [ "$RequestId" == "" ]; then
+
+ rlFail "Requestid Number not found"
+ else
+ rlPass "Certificate Request successfull Submitted"
+ fi
+ rlLog "Revoke ipa certificate"
+ local sslget_output=$TEMP_NSS_DB/sslget20-2.out
+ local profile_request="/ca/agent/ca/doRevoke"
+ local revocation_reason=4
+ local request_info="op=revoke&revocationReason=$revocation_reason&revokeAll=(certRecordId%3D0x$serial_number)&totalRecordCount=1"
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Revoke Certificate $serial_number"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Revoke Certificate $serial_number"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ rlAssertGrep "header.error = null" "$sslget_output"
+ rlAssertGrep "header.revoked = \"yes\"" "$sslget_output"
+ rlPhaseEnd
+
+ rlPhaseStartTest "ipa_legacy_test-0021: This test is for revoking an ipa certificate with reason 5-cessation of operation"
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=2048
+ local sslget_output=$TEMP_NSS_DB/sslget21-1.out
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"IPA-Cert-$RANDOM\" \
+ subject_uid: \
+ subject_email: \
+ subject_ou:pki-ipa \
+ subject_organization:redhat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/freeipa21-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/freeipa21-subject.out" 0 "Create $request_type request"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/freeipa21-subject.out | grep Request_DN | cut -d ":" -f2)
+ local encoded_request=$(cat $TEMP_NSS_DB/freeipa21-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());')
+ local profile_request="/ca/ee/ca/profileSubmit"
+ local request_info="profileId=caIPAserviceCert&cert_request_type=pkcs10&xmlOutput=true&cert_request="
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ local serial_number=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/serialno")
+ local RequestId=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/Id")
+ local base64=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/b64")
+ rlLog "serialNo: $serialNo"
+ rlLog "RequestID: $RequestId"
+ if [ "$serialNo" == "" ]; then
+ rlFail "Serial Number not found"
+ else
+ rlPass "Certificate request successfull approved"
+ fi
+ if [ "$RequestId" == "" ]; then
+
+ rlFail "Requestid Number not found"
+ else
+ rlPass "Certificate Request successfull Submitted"
+ fi
+ rlLog "Revoke ipa certificate"
+ local sslget_output=$TEMP_NSS_DB/sslget21-2.out
+ local profile_request="/ca/agent/ca/doRevoke"
+ local revocation_reason=5
+ local request_info="op=revoke&revocationReason=$revocation_reason&revokeAll=(certRecordId%3D0x$serial_number)&totalRecordCount=1"
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Revoke Certificate $serial_number"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Revoke Certificate $serial_number"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ rlAssertGrep "header.error = null" "$sslget_output"
+ rlAssertGrep "header.revoked = \"yes\"" "$sslget_output"
+ rlPhaseEnd
+
+ rlPhaseStartTest "ipa_legacy_test-0022: This test is for revoking an ipa certificate with reason 6-certificate hold"
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=2048
+ local sslget_output=$TEMP_NSS_DB/sslget22-1.out
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"IPA-Cert-$RANDOM\" \
+ subject_uid: \
+ subject_email: \
+ subject_ou:pki-ipa \
+ subject_organization:redhat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/freeipa22-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/freeipa22-subject.out" 0 "Create $request_type request"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/freeipa22-subject.out | grep Request_DN | cut -d ":" -f2)
+ local encoded_request=$(cat $TEMP_NSS_DB/freeipa22-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());')
+ local profile_request="/ca/ee/ca/profileSubmit"
+ local request_info="profileId=caIPAserviceCert&cert_request_type=pkcs10&xmlOutput=true&cert_request="
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ local serial_number=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/serialno")
+ local RequestId=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/Id")
+ local base64=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/b64")
+ rlLog "serialNo: $serialNo"
+ rlLog "RequestID: $RequestId"
+ if [ "$serialNo" == "" ]; then
+ rlFail "Serial Number not found"
+ else
+ rlPass "Certificate request successfull approved"
+ fi
+ if [ "$RequestId" == "" ]; then
+
+ rlFail "Requestid Number not found"
+ else
+ rlPass "Certificate Request successfull Submitted"
+ fi
+ rlLog "Revoke ipa certificate"
+ local sslget_output=$TEMP_NSS_DB/sslget22-2.out
+ local profile_request="/ca/agent/ca/doRevoke"
+ local revocation_reason=6
+ local request_info="op=revoke&revocationReason=$revocation_reason&revokeAll=(certRecordId%3D0x$serial_number)&totalRecordCount=1"
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Revoke Certificate $serial_number"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Revoke Certificate $serial_number"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ rlAssertGrep "header.error = null" "$sslget_output"
+ rlAssertGrep "header.revoked = \"yes\"" "$sslget_output"
+ rlPhaseEnd
+
+
+ rlPhaseStartTest "ipa_legacy_test-0023: This test is for revoking an ipa certificate when serial number does not exist in cs db"
+ local serial_number="0xEEEEEEEEE"
+ local sslget_output=$TEMP_NSS_DB/sslget23.out
+ local profile_request="/ca/agent/ca/doRevoke"
+ local revocation_reason=0
+ local request_info="op=revoke&revocationReason=$revocation_reason&revokeAll=(certRecordId%3D0x$serial_number)&totalRecordCount=1"
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Revoke Certificate $serial_number"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Revoke Certificate $serial_number"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ rlAssertGrep "fixed.errorDetails = \"Attempt to revoke non-existent certificate(s).\"" "$sslget_output"
+ rlPhaseEnd
+
+ rlPhaseStartTest "ipa_legacy_test-0024: This test is for revoking an ipa certificate when serial number is not provided"
+ local serial_number=""
+ local sslget_output=$TEMP_NSS_DB/sslget24.out
+ local profile_request="/ca/agent/ca/doRevoke"
+ local revocation_reason=0
+ local request_info="op=revoke&revocationReason=$revocation_reason&revokeAll=(certRecordId%3D0x$serial_number)&totalRecordCount=1"
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Revoke Certificate $serial_number"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Revoke Certificate $serial_number"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ rlAssertGrep "fixed.errorDetails = \"Attempt to revoke non-existent certificate(s).\"" "$sslget_output"
+ rlPhaseEnd
+
+ rlPhaseStartTest "ipa_legacy_test-0025: This test is for revoking an ipa certificate when serial number has junk characters"
+ local serial_number="jëmbëdhãøàe-ré1ürkçå"
+ local sslget_output=$TEMP_NSS_DB/sslget25.out
+ local profile_request="/ca/agent/ca/doRevoke"
+ local revocation_reason=0
+ local request_info="op=revoke&revocationReason=$revocation_reason&revokeAll=(certRecordId%3D0x$serial_number)&totalRecordCount=1"
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Revoke Certificate $serial_number"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Revoke Certificate $serial_number"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ rlAssertGrep "fixed.errorDetails = \"Attempt to revoke non-existent certificate(s).\"" "$sslget_output"
+ rlPhaseEnd
+
+ rlPhaseStartTest "ipa_legacy_test-0026: This test is for revoking an ipa certificate with reason 0-unspecified"
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=2048
+ local sslget_output=$TEMP_NSS_DB/sslget26-1.out
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"IPA-Cert-$RANDOM\" \
+ subject_uid: \
+ subject_email: \
+ subject_ou:pki-ipa \
+ subject_organization:redhat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/freeipa26-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/freeipa26-subject.out" 0 "Create $request_type request"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/freeipa26-subject.out | grep Request_DN | cut -d ":" -f2)
+ local encoded_request=$(cat $TEMP_NSS_DB/freeipa26-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());')
+ local profile_request="/ca/ee/ca/profileSubmit"
+ local request_info="profileId=caIPAserviceCert&cert_request_type=pkcs10&xmlOutput=true&cert_request="
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ local serial_number=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/serialno")
+ local RequestId=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/Id")
+ local base64=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/b64")
+ rlLog "serialNo: $serialNo"
+ rlLog "RequestID: $RequestId"
+ if [ "$serialNo" == "" ]; then
+ rlFail "Serial Number not found"
+ else
+ rlPass "Certificate request successfull approved"
+ fi
+ if [ "$RequestId" == "" ]; then
+
+ rlFail "Requestid Number not found"
+ else
+ rlPass "Certificate Request successfull Submitted"
+ fi
+ rlLog "Revoke ipa certificate"
+ local sslget_output=$TEMP_NSS_DB/sslget26-2.out
+ local profile_request="/ca/agent/ca/doRevoke"
+ local revocation_reason=""
+ local request_info="op=revoke&revocationReason=$revocation_reason&revokeAll=(certRecordId%3D0x$serial_number)&totalRecordCount=1"
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Revoke Certificate $serial_number"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Revoke Certificate $serial_number"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ rlAssertGrep "fixed.errorDetails = \"Invalid number format.\"" "$sslget_output"
+ rlPhaseEnd
+
+ rlPhaseStartTest "ipa_legacy_test-0027: This test is for revoke an ipa certificate with reason certificate hold and unrevoke the certificate."
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=2048
+ local sslget_output=$TEMP_NSS_DB/sslget27-1.out
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"IPA-Cert-$RANDOM\" \
+ subject_uid: \
+ subject_email: \
+ subject_ou:pki-ipa \
+ subject_organization:redhat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/freeipa27-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/freeipa27-subject.out" 0 "Create $request_type request"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/freeipa27-subject.out | grep Request_DN | cut -d ":" -f2)
+ local encoded_request=$(cat $TEMP_NSS_DB/freeipa27-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());')
+ local profile_request="/ca/ee/ca/profileSubmit"
+ local request_info="profileId=caIPAserviceCert&cert_request_type=pkcs10&xmlOutput=true&cert_request="
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ local serial_number=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/serialno")
+ local RequestId=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/Id")
+ local base64=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/b64")
+ rlLog "serialNo: $serialNo"
+ rlLog "RequestID: $RequestId"
+ if [ "$serialNo" == "" ]; then
+ rlFail "Serial Number not found"
+ else
+ rlPass "Certificate request successfull approved"
+ fi
+ if [ "$RequestId" == "" ]; then
+
+ rlFail "Requestid Number not found"
+ else
+ rlPass "Certificate Request successfull Submitted"
+ fi
+ rlLog "Revoke ipa certificate"
+ local sslget_output=$TEMP_NSS_DB/sslget27-2.out
+ local profile_request="/ca/agent/ca/doRevoke"
+ local revocation_reason=6
+ local request_info="op=revoke&revocationReason=$revocation_reason&revokeAll=(certRecordId%3D0x$serial_number)&totalRecordCount=1"
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Revoke Certificate $serial_number"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Revoke Certificate $serial_number"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ rlAssertGrep "header.error = null" "$sslget_output"
+ rlAssertGrep "header.revoked = \"yes\"" "$sslget_output"
+ rlLog "Unrevoke $serial_number Certificate"
+ local sslget_output=$TEMP_NSS_DB/sslget27-3.out
+ local crlIssuingPoint="MasterCRL"
+ local signatureAlgorithm="SHA512withRSA"
+ local test_out=updatecrl.out
+ local admin_out=$TEMP_NSS_DB/admin.out
+ rlRun "export SSL_DIR=$TEMP_NSS_DB"
+ rlLog "curl --cacert $TEMP_NSS_DB/ca_cert.pem --dump-header $admin_out -E \"$ipa_cn\":$TEMP_NSS_DB_PWD -d \"crlIssuingPoint=$crlIssuingPoint&signatureAlgorithm=$signatureAlgorithm\" -k \"https://$target_host:$sub_ca_https_port/ca/agent/ca/updateCRL\" > $TmpDir/$test_out" 0 "Update CRL"
+ rlRun "curl --cacert $TEMP_NSS_DB/ca_cert.pem --dump-header $admin_out -E \"$ipa_cn\":$TEMP_NSS_DB_PWD -d \"crlIssuingPoint=$crlIssuingPoint&signatureAlgorithm=$signatureAlgorithm\" -k \"https://$target_host:$sub_ca_https_port/ca/agent/ca/updateCRL\" > $TmpDir/$test_out" 0 "Update CRL"
+ rlAssertGrep "HTTP/1.1 200 OK" "$admin_out"
+ rlAssertGrep "header.crlIssuingPoint = \"$crlIssuingPoint\"" "$TmpDir/$test_out"
+ rlAssertGrep "header.crlUpdate = \"Scheduled\"" "$TmpDir/$test_out"
+ local profile_request="/ca/agent/ca/doUnrevoke"
+ local request_info="serialNumber=0x$serial_number"
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Un Revoke Certificate"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Un Revoke Certificate"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ rlAssertGrep "header.unrevoked = \"yes\"" "$sslget_output"
+ rlAssertGrep "header.serialNumber = \"$0xserial_number\"" "$sslget_output"
+ rlPhaseEnd
+
+ rlPhaseStartTest "ipa_legacy_test-0028: This test is for revoked cert off hold for an ipa certificate when revoked reason is not 6-certificateHold"
+ local request_type=pkcs10
+ local request_key_type=rsa
+ local request_key_size=2048
+ local sslget_output=$TEMP_NSS_DB/sslget28-1.out
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"IPA-Cert-$RANDOM\" \
+ subject_uid: \
+ subject_email: \
+ subject_ou:pki-ipa \
+ subject_organization:redhat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/freeipa28-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/freeipa28-subject.out" 0 "Create $request_type request"
+ local cert_requestdn=$(cat $TEMP_NSS_DB/freeipa28-subject.out | grep Request_DN | cut -d ":" -f2)
+ local encoded_request=$(cat $TEMP_NSS_DB/freeipa28-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());')
+ local profile_request="/ca/ee/ca/profileSubmit"
+ local request_info="profileId=caIPAserviceCert&cert_request_type=pkcs10&xmlOutput=true&cert_request="
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info$encoded_request\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Submit request using sslget for approval"
+ local serial_number=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/serialno")
+ local RequestId=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/Id")
+ local base64=$(cat $sslget_output | grep ^"<?xml" | xmlstarlet sel -t -v "/XMLResponse/Requests/Request/b64")
+ rlLog "serialNo: $serialNo"
+ rlLog "RequestID: $RequestId"
+ if [ "$serialNo" == "" ]; then
+ rlFail "Serial Number not found"
+ else
+ rlPass "Certificate request successfull approved"
+ fi
+ if [ "$RequestId" == "" ]; then
+
+ rlFail "Requestid Number not found"
+ else
+ rlPass "Certificate Request successfull Submitted"
+ fi
+ rlLog "Revoke ipa certificate"
+ local sslget_output=$TEMP_NSS_DB/sslget28-2.out
+ local profile_request="/ca/agent/ca/doRevoke"
+ local revocation_reason=0
+ local request_info="op=revoke&revocationReason=$revocation_reason&revokeAll=(certRecordId%3D0x$serial_number)&totalRecordCount=1"
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Revoke Certificate $serial_number"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Revoke Certificate $serial_number"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ rlAssertGrep "header.error = null" "$sslget_output"
+ rlAssertGrep "header.revoked = \"yes\"" "$sslget_output"
+ rlLog "Unrevoke $serial_number Certificate"
+ local sslget_output=$TEMP_NSS_DB/sslget28-3.out
+ local profile_request="/ca/agent/ca/doUnrevoke"
+ local request_info="serialNumber=$serial_number"
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Un Revoke Certificate"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Un Revoke Certificate"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ rlAssertGrep "header.unrevoked = \"no\"" "$sslget_output"
+ rlAssertGrep "header.error = \"One or more certificates could not be unrevoked\"" "$sslget_output"
+ rlPhaseEnd
+
+ rlPhaseStartTest "ipa_legacy_test-0029: This test is for revoked cert off hold for an ipa certificate when serial number provided does not exist in cs db."
+ rlLog "Unrevoke Certificate which does not exist"
+ local serial_number="0xEEEEEEE"
+ local sslget_output=$TEMP_NSS_DB/sslget29.out
+ local profile_request="/ca/agent/ca/doUnrevoke"
+ local request_info="serialNumber=$serial_number"
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Un Revoke Certificate"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Un Revoke Certificate"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ rlAssertGrep "fixed.errorDetails = \"Record not found\"" "$sslget_output"
+ rlPhaseEnd
+
+ rlPhaseStartTest "ipa_legacy_test-0030: This test is for revoked cert off hold for an ipa certificate when serial number is not provided."
+ local serial_number=""
+ local sslget_output=$TEMP_NSS_DB/sslget30.out
+ local profile_request="/ca/agent/ca/doUnrevoke"
+ local request_info="serialNumber=$serial_number"
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Un Revoke Certificate"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Un Revoke Certificate"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ rlAssertGrep "fixed.errorDetails = \"Invalid number format\"" "$sslget_output"
+ rlPhaseEnd
+
+ rlPhaseStartTest "ipa_legacy_test-0031: This test is for revoked cert off hold for an ipa certificate when serial number is junk characters."
+ local serial_number="jëmbëdhãøàe-ré1ürkçå"
+ local sslget_output=$TEMP_NSS_DB/sslget31.out
+ local profile_request="/ca/agent/ca/doUnrevoke"
+ local request_info="serialNumber=$serial_number"
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Un Revoke Certificate"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Un Revoke Certificate"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ rlAssertGrep "fixed.errorDetails = \"Invalid number format\"" "$sslget_output"
+ rlPhaseEnd
+
+ rlPhaseStartTest "ipa_legacy_test-0032: This test is to get certificate when serial number is non existent - agent interface"
+ local serial_number="0xEEFFDD"
+ local profile_Request="/ca/agent/ca/displayBySerial"
+ local request_info="serialNumber=$serial_number"
+ rlLog "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Un Revoke Certificate"
+ rlRun "/usr/bin/sslget -d $TEMP_NSS_DB -w $TEMP_NSS_DB/certdb_pwd_file -n \"$ipa_cn\" -e \"$request_info\" -v -r \"$profile_request\" \"$target_host\":\"$sub_ca_https_port\" > $sslget_output 2>&1" 0 "Un Revoke Certificate"
+ rlAssertGrep "TTP/1.1 200 OK" "$sslget_output"
+ rlAssertGrep "fixed.errorDetails = \"Record not found\"" "$sslget_output"
+ rlPhaseEnd
+
+ rlPhaseStartSetup "ipa_legacy_tests cleanup"
+ rlLog "Destroy pki instance $subca_instance_name"
+ rlRun "pkidestroy -s CA -i $subca_instance_name > $TmpDir/ca-uninstall.out 2>&1" 0
+ rlAssertGrep "Uninstallation complete" "$TmpDir/ca-uninstall.out"
+ rlLog "Remove DS instance"
+ rlRun "remove-ds.pl -i slapd-$subca_instance_name > $TmpDir/dsuninstall.out 2>&1"
+ rlAssertGrep "Instance slapd-$subca_instance_name removed" "$TmpDir/dsuninstall.out"
+ rlPhaseEnd
+
+ rlPhaseStartSetup "Deleting Temporary Directory"
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+}
+rhcs_install_ipaca()
+{
+
+ local SUBCA_INSTANCE_NAME=$1
+ local SUBCA_LDAP_PORT=$2
+ local SUBCA_HTTP_PORT=$3
+ local SUBCA_HTTPS_PORT=$4
+ local SUBCA_AJP_PORT=$5
+ local SUBCA_TOMCAT_SERVER_PORT=$6
+ local SUBCA_WORK_DIR=$7
+ local SUBCA_CERTDB_DIR=$8
+ local SUBCA_OUTPUT_FILE=$9
+ local CA_INST=${10}
+ local CA_HOST=${11}
+ local CA_UNSECURE_PORT=${12}
+ local CA_SECURE_PORT=${13}
+ local SUBCA_INSTANCECFG="$SUBCA_WORK_DIR/subca_instance.inf"
+ local SUBCA_INSTANCE_CREATE_OUT="$SUBCA_WORK_DIR/subca_instance_create.out"
+ local SUBCA_ADMIN_CERT_LOCATION=/root/.dogtag/$SUBCA_INSTANCE_NAME/ca_admin_cert.p12
+ local admin_cert_nickname="PKI Administrator for example.org"
+ local CA_ADMIN_PASSWORD=$(eval echo \$${CA_INST}\_ADMIN_PASSWORD)
+ local CA_ADMIN_USER=$(eval echo \$${CA_INST}\_ADMIN_USER)
+ local CA_SECURITY_DOMAIN_PASSWORD=$(eval echo \$${CA_INST}\_SECURITY_DOMAIN_PASSWORD)
+ local CA_CLIENT_PKCS12_PASSWORD=$(eval echo \$${CA_INST}\_CLIENT_PKCS12_PASSWORD)
+ local valid_admin_user_password=$CA_INST\_adminV_password
+
+ rhcs_install_prep_disableFirewall
+
+ for i in {$SUBCA_LDAP_PORT $SUBCA_HTTP_PORT $SUBCA_HTTPS_PORT $SUBCA_AJP_PORT $SUBCA_TOMCAT_SERVER_PORT}
+ do
+ netstat -plant | cut -d" " -f4 | cut -d":" -f2 | grep -v grep | grep $i
+ RETVAL=$?
+ if [ $RETVAL == 0 ];then
+ echo -e "\nThere are some process which are using those ports"
+ rlFail "Ports already in use installation Failed"
+ fi
+ done
+
+ rlLog "Creating LDAP server Instance to Sub CA instace $SUBCA_INSTANCE_NAME"
+ rhcs_install_set_ldap_vars
+ rlRun "rhds_install $SUBCA_LDAP_PORT $SUBCA_INSTANCE_NAME \"$LDAP_ROOTDN\" $LDAP_ROOTDNPWD $LDAP_BASEDN" 0
+ if [ $? != 0 ]; then
+ rlFail "Unable to setup ldap instance"
+ return 1
+ fi
+ echo -e "[DEFAULT]" > $SUBCA_INSTANCECFG
+ echo -e "pki_instance_name = $SUBCA_INSTANCE_NAME" >> $SUBCA_INSTANCECFG
+ echo -e "pki_admin_password = $CA_ADMIN_PASSWORD" >> $SUBCA_INSTANCECFG
+ echo -e "pki_client_pkcs12_password = $CA_CLIENT_PKCS12_PASSWORD" >> $SUBCA_INSTANCECFG
+ echo -e "pki_client_database_password = $CA_CLIENT_PKCS12_PASSWORD" >> $SUBCA_INSTANCECFG
+ echo -e "pki_ds_password= $LDAP_ROOTDNPWD" >> $SUBCA_INSTANCECFG
+ echo -e "pki_security_domain_password = $CA_SECURITY_DOMAIN_PASSWORD" >> $SUBCA_INSTANCECFG
+ echo -e "pki_security_domain_hostname = $CA_HOST" >> $SUBCA_INSTANCECFG
+ echo -e "pki_security_domain_https_port = $CA_SECURE_PORT" >> $SUBCA_INSTANCECFG
+ echo -e "pki_security_domain_user = $CA_ADMIN_USER" >> $SUBCA_INSTANCECFG
+ echo -e "[CA]" >> $SUBCA_INSTANCECFG
+ echo -e "pki_subordinate=True" >> $SUBCA_INSTANCECFG
+ echo -e "pki_issuing_ca=https://$(hostname):$CA_SECURE_PORT" >> $SUBCA_INSTANCECFG
+ echo -e "pki_ca_signing_subject_dn = cn=SubCA-$SUBCA_INSTANCE_NAME,o=%(pki_security_domain_name)s" >> $SUBCA_INSTANCECFG
+ echo -e "pki_http_port = $SUBCA_HTTP_PORT" >> $SUBCA_INSTANCECFG
+ echo -e "pki_https_port = $SUBCA_HTTPS_PORT" >> $SUBCA_INSTANCECFG
+ echo -e "pki_ajp_port = $SUBCA_AJP_PORT" >> $SUBCA_INSTANCECFG
+ echo -e "pki_tomcat_server_port = $SUBCA_TOMCAT_SERVER_PORT" >> $SUBCA_INSTANCECFG
+ echo -e "pki_admin_uid = caadmin" >> $SUBCA_INSTANCECFG
+ echo -e "pki_import_admin_cert = False" >> $SUBCA_INSTANCECFG
+ echo -e "pki_ds_hostname = $CA_HOST" >> $SUBCA_INSTANCECFG
+ echo -e "pki_ds_ldap_port = $SUBCA_LDAP_PORT" >> $SUBCA_INSTANCECFG
+ echo -e "pki_ds_bind_dn = cn=Directory Manager" >> $SUBCA_INSTANCECFG
+ echo -e "pki_ds_password = $LDAP_ROOTDNPWD" >> $SUBCA_INSTANCECFG
+ echo -e "pki_ds_base_dn = o=$SUBCA_INSTANCE_NAME-CA" >> $SUBCA_INSTANCECFG
+ rlLog "Executing: pkispawn -s CA -f $SUBCA_INSTANCECFG -v "
+ rlRun "pkispawn -s CA -f $SUBCA_INSTANCECFG -v > $SUBCA_INSTANCE_CREATE_OUT 2>&1"
+ if [ $? != 0 ]; then
+ rlFail "FAIL Subca instance $SUBCA_INSTANCE_NAME failed"
+ return 1
+ fi
+ exp_message1="Administrator's username: $PKI_SECURITY_DOMAIN_USER"
+ rlAssertGrep "$exp_message1" "$SUBCA_INSTANCE_CREATE_OUT"
+ exp_message1_1="Administrator's PKCS #12 file:"
+ rlAssertGrep "$exp_message1_1" "$SUBCA_INSTANCE_CREATE_OUT"
+ exp_message2="example.org"
+ rlAssertGrep "$exp_message2" "$SUBCA_INSTANCE_CREATE_OUT"
+ exp_message3_1="To check the status of the subsystem:"
+ rlAssertGrep "$exp_message3_1" "$SUBCA_INSTANCE_CREATE_OUT"
+ exp_message3_2="systemctl status pki-tomcatd\@$subca_instance_name.service"
+ rlAssertGrep "$exp_message3_2" "$SUBCA_INSTANCE_CREATE_OUT"
+ exp_message4_1="To restart the subsystem:"
+ rlAssertGrep "$exp_message4_1" "$SUBCA_INSTANCE_CREATE_OUT"
+ exp_message4_2=" systemctl restart pki-tomcatd\@$subca_instance_name.service"
+ rlAssertGrep "$exp_message4_2" "$SUBCA_INSTANCE_CREATE_OUT"
+ exp_message5="The URL for the subsystem is:"
+ rlAssertGrep "$exp_message5" "$SUBCA_INSTANCE_CREATE_OUT"
+ exp_message5_1="https://$(hostname):$SUBCA_HTTPS_PORT/ca"
+ rlAssertGrep "$exp_message5_1" "$SUBCA_INSTANCE_CREATE_OUT"
+
+ echo -e "SUBCA_SERVER_ROOT:/var/lib/pki/$SUBCA_INSTANCE_NAME/ca" >> $SUBCA_OUTPUT_FILE
+ echo -e "SUBCA_CERTDB_DIR:$SUBCA_WORK_DIR/certs_db" >> $SUBCA_OUTPUT_FILE
+ echo -e "SUBCA_LDAP_INSTANCE_NAME:o=$SUBCA_INSTANCE_NAME-CA" >> $SUBCA_OUTPUT_FILE
+ echo -e "SUBCA_ADMIN_USER:$CA_ADMIN_USER" >> $SUBCA_OUTPUT_FILE
+ echo -e "SUBCA_ADMIN_PASSWORD:$CA_ADMIN_PASSWORD" >> $SUBCA_OUTPUT_FILE
+ echo -e "SUBCA_CLIENT_PKCS12_PASSWORD:$CA_CLIENT_PKCS12_PASSWORD" >> $SUBCA_OUTPUT_FILE
+ echo -e "SUBCA_ADMIN_CERT_LOCATION:/root/.dogtag/$SUBCA_INSTANCE_NAME/ca_admin_cert.p12" >> $SUBCA_OUTPUT_FILE
+ echo -e "$CA_CLIENT_PKCS12_PASSWORD" > $SUBCA_WORK_DIR/pwfile
+ rlRun "importP12FileNew $SUBCA_ADMIN_CERT_LOCATION $CA_CLIENT_PKCS12_PASSWORD $SUBCA_CERTDB_DIR $CA_CLIENT_PKCS12_PASSWORD $admin_cert_nickname"
+ return 0
+}
diff --git a/tests/dogtag/runtest.sh b/tests/dogtag/runtest.sh
index 8b434edfb..d613a0973 100755
--- a/tests/dogtag/runtest.sh
+++ b/tests/dogtag/runtest.sh
@@ -224,6 +224,8 @@
. ./acceptance/legacy/tks-tests/logs/tks-ad-logs.sh
. ./acceptance/legacy/tks-tests/internaldb/tks-ad-internaldb.sh
. ./acceptance/legacy/tks-tests/acls/tks-ad-acls.sh
+. ./acceptance/legacy/ipa-tests/ipa_backend_plugin.sh
+. ./acceptance/legacy/clone_ca_tests/clone_tests.sh
. ./acceptance/bugzilla/bug_setup.sh
. ./acceptance/bugzilla/bug_uninstall.sh
. ./acceptance/bugzilla/tomcatjss-bugs/bug-1058366.sh
@@ -1709,6 +1711,16 @@ rlJournalStart
subsystemType=tks
run_admin-tks-internaldb_tests $subsystemType $MYROLE
fi
+ PKI_LEGACY_IPA_UPPERCASE=$(echo $PKI_LEGACY_IPA_TESTS | tr [a-z] [A-Z])
+ if [ "$PKI_LEGACY_IPA_UPPERCASE" = "TRUE" ] || [ "$TEST_ALL_UPPERCASE" = "TRUE" ]; then
+ subsystemType=ca
+ run_ipa_backend_plugin $subsystemType $MYROLE
+ fi
+ PKI_LEGACY_CLONE_CA_TESTS_UPPERCASE=$(echo $PKI_LEGACY_CLONE_CA_TESTS | tr [a-z] [A-Z])
+ if [ "$PKI_LEGACY_CLONE_CA_TESTS_UPPERCASE" = "TRUE" ] || [ "$TEST_ALL_UPERCASE" = "TRUE" ]; then
+ subsystemType=ca
+ clone_legacy_ca_tests $subsystemType $MYROLE
+ fi
rlPhaseEnd
######## DEV UNIT TESTS ############
DEV_JAVA_TESTS_UPPERCASE=$(echo $DEV_JAVA_TESTS | tr [a-z] [A-Z])
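Review bot: The second new guard tests `$TEST_ALL_UPERCASE` (one P), while the guard a few lines above and the rest of the file use `$TEST_ALL_UPPERCASE`, so `clone_legacy_ca_tests` is silently skipped whenever the suite is run with TEST_ALL and only fires when PKI_LEGACY_CLONE_CA_TESTS is set explicitly; the fix is `if [ "$PKI_LEGACY_CLONE_CA_TESTS_UPPERCASE" = "TRUE" ] || [ "$TEST_ALL_UPPERCASE" = "TRUE" ]; then`. The `tr [a-z] [A-Z]` calls in both new assignments leave the bracket patterns unquoted, so a file named e.g. `a` in the working directory would alter the uppercasing; `tr '[a-z]' '[A-Z]'` (or `tr a-z A-Z`) avoids that, although this matches the existing style on the surrounding lines. The enclosing rlPhase/rlJournalStart block starts outside the hunk.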