From 8019375d9bbb2ecd1581e85d46632ddb3dd18f5a Mon Sep 17 00:00:00 2001 From: Asha Akkiangady Date: Tue, 31 Mar 2015 17:01:38 -0400 Subject: Created new scep tests for CA and SUBCA. --- .../legacy/ca-tests/scep_tests/scep-enroll.sh | 106 +++++++++++++++++---- .../subca-tests/scep_tests/subca-scep-enroll.sh | 105 ++++++++++++++++---- tests/dogtag/shared/rhcs-shared.sh | 4 +- 3 files changed, 179 insertions(+), 36 deletions(-) (limited to 'tests/dogtag') diff --git a/tests/dogtag/acceptance/legacy/ca-tests/scep_tests/scep-enroll.sh b/tests/dogtag/acceptance/legacy/ca-tests/scep_tests/scep-enroll.sh index 01eec386b..f3eac02b6 100644 --- a/tests/dogtag/acceptance/legacy/ca-tests/scep_tests/scep-enroll.sh +++ b/tests/dogtag/acceptance/legacy/ca-tests/scep_tests/scep-enroll.sh @@ -42,7 +42,7 @@ run_pki-legacy-ca-scep_tests() local subsystemType=$1 local csRole=$2 - rlPhaseStartSetup "Create temporary directory" + rlPhaseStartSetup "Create temporary directory and enable scep" rlRun "TmpDir=\`mktemp -d\`" 0 "Creating tmp directory" rlRun "pushd $TmpDir" rlPhaseEnd 
@@ -67,13 +67,13 @@ run_pki-legacy-ca-scep_tests() local search_string="ca.scep.enable=false" local replace_string="ca.scep.enable=true" + local scep_location="ftp://wiki.idm.lab.bos.redhat.com/dirsec/images-mp1/packages/scep_software/sscep/rhel7-x86_64_modified" + local scep_enroll_pin="netscape" + local scep_password="netscape" + local scep_host_ip=$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/') + local scep_enroll_url="http://$ca_host:$ca_unsecure_port/ca/cgi-bin/pkiclient.exe" - rlPhaseStartTest "pki_ca_scep_tests-001: Perform scep enrollment with CA using sha512 fingerprint" - local scep_enroll_url="http://$ca_host:$ca_unsecure_port/ca/cgi-bin/pkiclient.exe" - local scep_location="ftp://wiki.idm.lab.bos.redhat.com/dirsec/images-mp1/packages/scep_software/sscep/rhel7-x86_64_modified" - local scep_enroll_pin="netscape" - local scep_password="netscape" - local scep_host_ip=$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/') + rlPhaseStartTest "pki_ca_scep_tests-001: Perform scep enrollment with the CA using sha512 fingerprint" #Turn on scep replace_string_in_a_file $ca_config_file $search_string $replace_string 
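Review bot: `local scep_host_ip=$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/')` hides the pipeline's exit status behind `local` and assumes the first UP interface has an `inet` line exactly two lines below its header; on a host whose first UP interface is IPv6-only or carries several addresses, the UID written to flatfile.txt will not match the address the CA sees and every enrollment fails with an unhelpful auth error. Splitting the declaration (`local scep_host_ip; scep_host_ip=$(...) || rlFail "could not determine host IP"`) and selecting the address explicitly, e.g. `ip -o -4 addr show scope global | awk '{print $4}' | cut -d/ -f1 | head -n1`, makes the choice deterministic; on a multi-homed host pick the interface that actually reaches $ca_host. The same block is hoisted identically in the subca-scep-enroll.sh hunk at @@ -71,13 +71,13 @@. run_pki-legacy-ca-scep_tests continues outside the hunk.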
@@ -116,16 +116,17 @@ ca_file_loc_EOF rlAssertGrep "certificate written as $TmpDir/cert.crt" "$TmpDir/scep_enroll.out" rlAssertGrep "-----BEGIN CERTIFICATE-----" "$TmpDir/cert.crt" rlAssertGrep "-----END CERTIFICATE-----" "$TmpDir/cert.crt" + + #Verify certificate is created with sha512 signing algorithm + rlRun "cp $TmpDir/cert.crt $TmpDir/cert.crt.mod" + rlRun "sed '/^-----BEGIN CERTIFICATE-----/d' $TmpDir/cert.crt.mod > $TmpDir/cert.crt.mod.1" + rlRun "sed '/^-----END CERTIFICATE-----/d' $TmpDir/cert.crt.mod.1 > $TmpDir/cert.crt.mod.2" + rlRun "PrettyPrintCert $TmpDir/cert.crt.mod.2 $TmpDir/cert.crt.pretty" + rlAssertGrep "Signature Algorithm: SHA512withRSA" "$TmpDir/cert.crt.pretty" rlPhaseEnd - rlPhaseStartTest "pki_ca_scep_tests-002: Perform scep enrollment with CA using sha256 fingerprint" - local scep_enroll_url="http://$ca_host:$ca_unsecure_port/ca/cgi-bin/pkiclient.exe" - local scep_location="ftp://wiki.idm.lab.bos.redhat.com/dirsec/images-mp1/packages/scep_software/sscep/rhel7-x86_64_modified" - local scep_enroll_pin="netscape" - local scep_password="netscape" - local scep_host_ip=$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/') - + rlPhaseStartTest "pki_ca_scep_tests-002: Perform scep enrollment using sha256 fingerprint BZ1199692" #Turn on scep replace_string_in_a_file $ca_config_file $search_string $replace_string if [ $? -eq 0 ] ; then 
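Review bot: The new signature-algorithm check copies cert.crt and strips the PEM armor through three intermediate files (`cert.crt.mod`, `.mod.1`, `.mod.2`) where a single sed pass does the same: `rlRun "sed -e '/^-----BEGIN CERTIFICATE-----/d' -e '/^-----END CERTIFICATE-----/d' $TmpDir/cert.crt > $TmpDir/cert.crt.body"` followed by `rlRun "PrettyPrintCert $TmpDir/cert.crt.body $TmpDir/cert.crt.pretty"`. A one-line comment saying why the armor is removed (`# PrettyPrintCert appears to take the bare base64 body rather than a PEM file -- confirm`) would help, since that is the only reason for the preprocessing and PrettyPrintCert's input format is not visible here. The same five-line sequence recurs for cert.crt2 and cert.crt3 in the later hunks of this file and in all three subca-scep-enroll.sh hunks.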
@@ -160,10 +161,14 @@ ca_file_loc_EOF #Copy sscep.conf file rlRun "wget $scep_location/sscep.conf -O $TmpDir/sscep.conf" - local orig_fingerprint="FingerPrint sha512" - local replace_fingerprint="FingerPrint $digest" - replace_string_in_a_file $TmpDir/sscep.conf $orig_fingerprint $replace_fingerprint - + local orig_fingerprint="FingerPrint\tsha512" + local replace_fingerprint="FingerPrint\t$digest" + replace_string_in_a_file $TmpDir/sscep.conf "$orig_fingerprint" "$replace_fingerprint" + + local orig_sigalgorithm="SigAlgorithm\tsha512" + local replace_sigalgorithm="SigAlgorithm\t$digest" + replace_string_in_a_file $TmpDir/sscep.conf "$orig_sigalgorithm" "$replace_sigalgorithm" + #do scep enrollment rlRun "scep_do_enroll_with_sscep $scep_enroll_pin $scep_enroll_url $scep_host_ip $TmpDir $digest" 
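Review bot: `local orig_fingerprint="FingerPrint\tsha512"` stores a literal backslash-t, not a tab, so whether it matches the tab-separated line in the downloaded sscep.conf depends entirely on replace_string_in_a_file (defined outside this hunk) handing the string to a sed that understands `\t`; any other implementation leaves the file unchanged and the enrollment silently continues with the sha512 fingerprint. A bash ANSI-C string removes that dependency: `local orig_fingerprint=$'FingerPrint\tsha512'` and `local replace_fingerprint=$'FingerPrint\t'"$digest"`, likewise for the SigAlgorithm pair. Consider also asserting the edit took effect before enrolling, e.g. `rlAssertGrep "SigAlgorithm.$digest" "$TmpDir/sscep.conf"`, so a failed substitution is reported where it happens rather than as a wrong-algorithm certificate later. The identical change appears in the subca-scep-enroll.sh hunk at @@ -162,9 +163,72 @@.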
@@ -171,7 +176,72 @@ ca_file_loc_EOF rlAssertGrep "certificate written as $TmpDir/cert.crt" "$TmpDir/scep_enroll.out" rlAssertGrep "-----BEGIN CERTIFICATE-----" "$TmpDir/cert.crt" rlAssertGrep "-----END CERTIFICATE-----" "$TmpDir/cert.crt" + rlRun "cp $TmpDir/cert.crt $TmpDir/cert.crt2.mod" + rlRun "sed '/^-----BEGIN CERTIFICATE-----/d' $TmpDir/cert.crt2.mod > $TmpDir/cert.crt2.mod.1" + rlRun "sed '/^-----END CERTIFICATE-----/d' $TmpDir/cert.crt2.mod.1 > $TmpDir/cert.crt2.mod.2" + rlRun "PrettyPrintCert $TmpDir/cert.crt2.mod.2 $TmpDir/cert.crt2.pretty" + rlAssertGrep "Signature Algorithm: SHA256withRSA" "$TmpDir/cert.crt2.pretty" + rlLog "BZ1199692 - https://bugzilla.redhat.com/show_bug.cgi?id=1199692" rlPhaseEnd + + rlPhaseStartTest "pki_ca_scep_tests-003: Perform scep enrollment using sha1 fingerprint BZ1199692" + #Turn on scep + replace_string_in_a_file $ca_config_file $search_string $replace_string + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $ca_config_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + rlRun "wget $scep_location/sscep -O $TmpDir/sscep" + #delete extisting sscep from /usr/bin if any + rlLog "Delete existing sscep from /usr/bin = rm -rf /usr/bin/sscep" + rlRun "rm -rf /usr/bin/sscep" + #Move sscep to /usr/bin + rlRun "mv $TmpDir/sscep /usr/bin" + rlRun "chmod +x /usr/bin/sscep" + #Get mkrequest + rlRun "wget $scep_location/mkrequest -O $TmpDir/mkrequest" + rlRun "mv $TmpDir/mkrequest /usr/bin" + rlRun "chmod +x /usr/bin/mkrequest" + + #Add a flatfile auth to the CA instance conf dir + local ca_file_loc="/var/lib/pki/$tomcat_name/ca/conf/flatfile.txt" + cat > $ca_file_loc << ca_file_loc_EOF +UID:$scep_host_ip +PWD:$scep_password +ca_file_loc_EOF + #Restart CA + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + + local digest="sha1" + + #Copy sscep.conf file + rlRun "wget $scep_location/sscep.conf -O $TmpDir/sscep.conf" + local orig_fingerprint="FingerPrint\tsha512" + local 
replace_fingerprint="FingerPrint\t$digest" + replace_string_in_a_file $TmpDir/sscep.conf "$orig_fingerprint" "$replace_fingerprint" + + local orig_sigalgorithm="SigAlgorithm\tsha512" + local replace_sigalgorithm="SigAlgorithm\t$digest" + replace_string_in_a_file $TmpDir/sscep.conf "$orig_sigalgorithm" "$replace_sigalgorithm" + + #do scep enrollment + rlRun "scep_do_enroll_with_sscep $scep_enroll_pin $scep_enroll_url $scep_host_ip $TmpDir $digest" + + rlAssertGrep "pkistatus: SUCCESS" "$TmpDir/scep_enroll.out" + rlAssertGrep "certificate written as $TmpDir/cert.crt" "$TmpDir/scep_enroll.out" + rlAssertGrep "-----BEGIN CERTIFICATE-----" "$TmpDir/cert.crt" + rlAssertGrep "-----END CERTIFICATE-----" "$TmpDir/cert.crt" + rlRun "cp $TmpDir/cert.crt $TmpDir/cert.crt3.mod" + rlRun "sed '/^-----BEGIN CERTIFICATE-----/d' $TmpDir/cert.crt3.mod > $TmpDir/cert.crt3.mod.1" + rlRun "sed '/^-----END CERTIFICATE-----/d' $TmpDir/cert.crt3.mod.1 > $TmpDir/cert.crt3.mod.2" + rlRun "PrettyPrintCert $TmpDir/cert.crt3.mod.2 $TmpDir/cert.crt3.pretty" + rlAssertGrep "Signature Algorithm: SHA1withRSA" "$TmpDir/cert.crt3.pretty" + rlLog "BZ1199692 - https://bugzilla.redhat.com/show_bug.cgi?id=1199692" + rlPhaseEnd + rlPhaseStartTest "pki_ca_scep_tests_cleanup: delete temporary directory and turn off sscep " #Delete temporary directory rlRun "popd" diff --git a/tests/dogtag/acceptance/legacy/subca-tests/scep_tests/subca-scep-enroll.sh b/tests/dogtag/acceptance/legacy/subca-tests/scep_tests/subca-scep-enroll.sh index 8c9c76af1..d2605d440 100644 --- a/tests/dogtag/acceptance/legacy/subca-tests/scep_tests/subca-scep-enroll.sh +++ b/tests/dogtag/acceptance/legacy/subca-tests/scep_tests/subca-scep-enroll.sh 
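Review bot: The new pki_ca_scep_tests-003 phase repeats the whole of 002 — SCEP enable, restart, sscep/mkrequest download into /usr/bin, flatfile.txt write, second restart, sscep.conf edit, enrollment and PEM stripping — with only `digest` and the `cert.crt3` suffix changed, which is roughly sixty duplicated lines per digest, and the subca-scep-enroll.sh hunk at @@ -162,9 +163,72 @@ does the same. Folding the digest-dependent tail into a helper that takes the digest, the expected signature algorithm and the output suffix (sketched below; the environment setup would then run once) keeps the three phases to a few lines each and makes the expected-algorithm string impossible to copy wrong. Separately, `rlRun "wget $scep_location/sscep -O $TmpDir/sscep"` followed by `mv` into /usr/bin and `chmod +x` installs a binary fetched over plain FTP with no integrity check before it is executed as root; an `rlRun "echo '<EXPECTED_SHA256>  $TmpDir/sscep' | sha256sum -c"` (constructed; record the digest from the lab copy) before the move would pin it. The enclosing function continues outside the hunk.
```shell
# Enroll once with the given digest and assert the issued certificate's
# signature algorithm. Reads the caller's scep_* locals and TmpDir through
# bash dynamic scoping; the sscep/mkrequest install and flatfile setup are
# expected to have run already.
scep_enroll_and_verify() {
  local digest=$1 expected_sigalg=$2 suffix=$3
  rlRun "wget $scep_location/sscep.conf -O $TmpDir/sscep.conf"
  replace_string_in_a_file "$TmpDir/sscep.conf" "FingerPrint\tsha512" "FingerPrint\t$digest"
  replace_string_in_a_file "$TmpDir/sscep.conf" "SigAlgorithm\tsha512" "SigAlgorithm\t$digest"
  rlRun "scep_do_enroll_with_sscep $scep_enroll_pin $scep_enroll_url $scep_host_ip $TmpDir $digest"
  rlAssertGrep "pkistatus: SUCCESS" "$TmpDir/scep_enroll.out"
  rlAssertGrep "certificate written as $TmpDir/cert.crt" "$TmpDir/scep_enroll.out"
  rlAssertGrep "-----BEGIN CERTIFICATE-----" "$TmpDir/cert.crt"
  rlAssertGrep "-----END CERTIFICATE-----" "$TmpDir/cert.crt"
  rlRun "sed -e '/^-----BEGIN CERTIFICATE-----/d' -e '/^-----END CERTIFICATE-----/d' $TmpDir/cert.crt > $TmpDir/cert.crt$suffix.body"
  rlRun "PrettyPrintCert $TmpDir/cert.crt$suffix.body $TmpDir/cert.crt$suffix.pretty"
  rlAssertGrep "Signature Algorithm: $expected_sigalg" "$TmpDir/cert.crt$suffix.pretty"
}
# … unchanged: SCEP enable, sscep/mkrequest install, flatfile auth, restart …
scep_enroll_and_verify sha1 SHA1withRSA 3
```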
@@ -71,13 +71,13 @@ run_pki-legacy-subca-scep_tests() local search_string="ca.scep.enable=false" local replace_string="ca.scep.enable=true" + local scep_enroll_url="http://$ca_host:$ca_unsecure_port/ca/cgi-bin/pkiclient.exe" + local scep_location="ftp://wiki.idm.lab.bos.redhat.com/dirsec/images-mp1/packages/scep_software/sscep/rhel7-x86_64_modified" + local scep_enroll_pin="netscape" + local scep_password="netscape" + local scep_host_ip=$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/') + rlPhaseStartTest "pki_subca_scep_tests-001: Perform scep enrollment with the SUBCA using sha512 fingerprint" - local scep_enroll_url="http://$ca_host:$ca_unsecure_port/ca/cgi-bin/pkiclient.exe" - local scep_location="ftp://wiki.idm.lab.bos.redhat.com/dirsec/images-mp1/packages/scep_software/sscep/rhel7-x86_64_modified" - local scep_enroll_pin="netscape" - local scep_password="netscape" - local scep_host_ip=$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/') - #Turn on scep replace_string_in_a_file $ca_config_file $search_string $replace_string if [ $? -eq 0 ] ; then @@ -108,7 +108,7 @@ ca_file_loc_EOF rhcs_stop_instance $tomcat_name rhcs_start_instance $tomcat_name - local digest=sha512 + local digest="sha512" #Copy sscep.conf file rlRun "wget $scep_location/sscep.conf -O $TmpDir/sscep.conf" 
@@ -119,15 +119,16 @@ ca_file_loc_EOF rlAssertGrep "certificate written as $TmpDir/cert.crt" "$TmpDir/scep_enroll.out" rlAssertGrep "-----BEGIN CERTIFICATE-----" "$TmpDir/cert.crt" rlAssertGrep "-----END CERTIFICATE-----" "$TmpDir/cert.crt" + + #Verify certificate is created with sha512 signing algorithm + rlRun "cp $TmpDir/cert.crt $TmpDir/cert.crt.mod" + rlRun "sed '/^-----BEGIN CERTIFICATE-----/d' $TmpDir/cert.crt.mod > $TmpDir/cert.crt.mod.1" + rlRun "sed '/^-----END CERTIFICATE-----/d' $TmpDir/cert.crt.mod.1 > $TmpDir/cert.crt.mod.2" + rlRun "PrettyPrintCert $TmpDir/cert.crt.mod.2 $TmpDir/cert.crt.pretty" + rlAssertGrep "Signature Algorithm: SHA512withRSA" "$TmpDir/cert.crt.pretty" rlPhaseEnd rlPhaseStartTest "pki_subca_scep_tests-002: Perform scep enrollment with the SUBCA using sha256 fingerprint" - local scep_enroll_url="http://$ca_host:$ca_unsecure_port/ca/cgi-bin/pkiclient.exe" - local scep_location="ftp://wiki.idm.lab.bos.redhat.com/dirsec/images-mp1/packages/scep_software/sscep/rhel7-x86_64_modified" - local scep_enroll_pin="netscape" - local scep_password="netscape" - local scep_host_ip=$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/') - #Turn on scep replace_string_in_a_file $ca_config_file $search_string $replace_string if [ $? -eq 0 ] ; then 
@@ -162,9 +163,72 @@ ca_file_loc_EOF #Copy sscep.conf file rlRun "wget $scep_location/sscep.conf -O $TmpDir/sscep.conf" - local orig_fingerprint="FingerPrint sha512" - local replace_fingerprint="FingerPrint $digest" - replace_string_in_a_file $TmpDir/sscep.conf $orig_fingerprint $replace_fingerprint + local orig_fingerprint="FingerPrint\tsha512" + local replace_fingerprint="FingerPrint\t$digest" + replace_string_in_a_file $TmpDir/sscep.conf "$orig_fingerprint" "$replace_fingerprint" + + local orig_sigalgorithm="SigAlgorithm\tsha512" + local replace_sigalgorithm="SigAlgorithm\t$digest" + replace_string_in_a_file $TmpDir/sscep.conf "$orig_sigalgorithm" "$replace_sigalgorithm" + + #do scep enrollment + rlRun "scep_do_enroll_with_sscep $scep_enroll_pin $scep_enroll_url $scep_host_ip $TmpDir $digest" + + rlAssertGrep "pkistatus: SUCCESS" "$TmpDir/scep_enroll.out" + rlAssertGrep "certificate written as $TmpDir/cert.crt" "$TmpDir/scep_enroll.out" + rlAssertGrep "-----BEGIN CERTIFICATE-----" "$TmpDir/cert.crt" + rlAssertGrep "-----END CERTIFICATE-----" "$TmpDir/cert.crt" + rlRun "cp $TmpDir/cert.crt $TmpDir/cert.crt2.mod" + rlRun "sed '/^-----BEGIN CERTIFICATE-----/d' $TmpDir/cert.crt2.mod > $TmpDir/cert.crt2.mod.1" + rlRun "sed '/^-----END CERTIFICATE-----/d' $TmpDir/cert.crt2.mod.1 > $TmpDir/cert.crt2.mod.2" + rlRun "PrettyPrintCert $TmpDir/cert.crt2.mod.2 $TmpDir/cert.crt2.pretty" + rlAssertGrep "Signature Algorithm: SHA256withRSA" "$TmpDir/cert.crt2.pretty" + rlLog "BZ1199692 - https://bugzilla.redhat.com/show_bug.cgi?id=1199692" + rlPhaseEnd + + + rlPhaseStartTest "pki_subca_scep_tests-003: Perform scep enrollment with the SUBCA using sha1 fingerprint" + #Turn on scep + replace_string_in_a_file $ca_config_file $search_string $replace_string + if [ $? 
-eq 0 ] ; then + chown pkiuser:pkiuser $ca_config_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + rlRun "wget $scep_location/sscep -O $TmpDir/sscep" + #delete extisting sscep from /usr/bin if any + rlLog "Delete existing sscep from /usr/bin = rm -rf /usr/bin/sscep" + rlRun "rm -rf /usr/bin/sscep" + #Move sscep to /usr/bin + rlRun "mv $TmpDir/sscep /usr/bin" + rlRun "chmod +x /usr/bin/sscep" + #Get mkrequest + rlRun "wget $scep_location/mkrequest -O $TmpDir/mkrequest" + rlRun "mv $TmpDir/mkrequest /usr/bin" + rlRun "chmod +x /usr/bin/mkrequest" + + #Add a flatfile auth to the SUBCA instance conf dir + local ca_file_loc="/var/lib/pki/$tomcat_name/ca/conf/flatfile.txt" + cat > $ca_file_loc << ca_file_loc_EOF +UID:$scep_host_ip +PWD:$scep_password +ca_file_loc_EOF + #Restart SUBCA + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + + local digest=sha1 + + #Copy sscep.conf file + rlRun "wget $scep_location/sscep.conf -O $TmpDir/sscep.conf" + local orig_fingerprint="FingerPrint\tsha512" + local replace_fingerprint="FingerPrint\t$digest" + replace_string_in_a_file $TmpDir/sscep.conf "$orig_fingerprint" "$replace_fingerprint" + + local orig_sigalgorithm="SigAlgorithm\tsha512" + local replace_sigalgorithm="SigAlgorithm\t$digest" + replace_string_in_a_file $TmpDir/sscep.conf "$orig_sigalgorithm" "$replace_sigalgorithm" #do scep enrollment rlRun "scep_do_enroll_with_sscep $scep_enroll_pin $scep_enroll_url $scep_host_ip $TmpDir $digest" 
@@ -173,9 +237,18 @@ ca_file_loc_EOF rlAssertGrep "certificate written as $TmpDir/cert.crt" "$TmpDir/scep_enroll.out" rlAssertGrep "-----BEGIN CERTIFICATE-----" "$TmpDir/cert.crt" rlAssertGrep "-----END CERTIFICATE-----" "$TmpDir/cert.crt" + rlRun "cp $TmpDir/cert.crt $TmpDir/cert.crt3.mod" + rlRun "sed '/^-----BEGIN CERTIFICATE-----/d' $TmpDir/cert.crt3.mod > $TmpDir/cert.crt3.mod.1" + rlRun "sed '/^-----END CERTIFICATE-----/d' $TmpDir/cert.crt3.mod.1 > $TmpDir/cert.crt3.mod.2" + rlRun "PrettyPrintCert $TmpDir/cert.crt3.mod.2 $TmpDir/cert.crt3.pretty" + rlAssertGrep "Signature Algorithm: SHA256withRSA" "$TmpDir/cert.crt3.pretty" + rlLog "BZ1199692 - https://bugzilla.redhat.com/show_bug.cgi?id=1199692" rlPhaseEnd + rlPhaseStartTest "pki_subca_scep_tests_cleanup: delete temporary directory and turn off sscep " + #Delete temporary directory + rlRun "popd" rlPhaseStartTest "pki_subca_scep_tests_cleanup: delete temporary directory and turn off sscep " #Delete temporary directory rlRun "popd" diff --git a/tests/dogtag/shared/rhcs-shared.sh b/tests/dogtag/shared/rhcs-shared.sh index e12631908..a1398d450 100755 --- a/tests/dogtag/shared/rhcs-shared.sh +++ b/tests/dogtag/shared/rhcs-shared.sh 
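Review bot: `rlAssertGrep "Signature Algorithm: SHA256withRSA" "$TmpDir/cert.crt3.pretty"` checks the wrong algorithm for pki_subca_scep_tests-003, which sets `local digest=sha1` in the preceding hunk; the CA counterpart asserts `SHA1withRSA` for cert.crt3, so as written this phase fails against a CA that honours the requested digest and can only pass when the digest is ignored — the opposite of what the test should prove. Change it to `rlAssertGrep "Signature Algorithm: SHA1withRSA" "$TmpDir/cert.crt3.pretty"`. The three added lines `rlPhaseStartTest "pki_subca_scep_tests_cleanup: ..."`, `#Delete temporary directory` and `rlRun "popd"` duplicate the existing cleanup lines that immediately follow, so the cleanup phase is opened twice without an rlPhaseEnd between and popd runs a second time on an empty directory stack; drop the added three lines.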
@@ -368,8 +368,8 @@ scep_do_enroll_with_sscep() rlRun "/usr/bin/sscep getca -c $temp_dir/ca.crt -u $scep_enroll_url > $temp_dir/getca_out" #submit enrollment request - rlLog "/usr/bin/sscep enroll -f $temp_dir/sscep.conf -c $temp_dir/ca.crt -k $temp_dir/local.key -r $temp_dir/local.csr -l $temp_dir/cert.crt -u $scep_enroll_url" - rlRun "/usr/bin/sscep enroll -f $temp_dir/sscep.conf -c $temp_dir/ca.crt -k $temp_dir/local.key -r $temp_dir/local.csr -l $temp_dir/cert.crt -u $scep_enroll_url > $temp_dir/scep_enroll.out" + rlLog "/usr/bin/sscep enroll -f $temp_dir/sscep.conf -c $temp_dir/ca.crt -k $temp_dir/local.key -r $temp_dir/local.csr -S $digest -l $temp_dir/cert.crt -u $scep_enroll_url" + rlRun "/usr/bin/sscep enroll -f $temp_dir/sscep.conf -c $temp_dir/ca.crt -k $temp_dir/local.key -r $temp_dir/local.csr -S $digest -l $temp_dir/cert.crt -u $scep_enroll_url > $temp_dir/scep_enroll.out" if [ $? -ne 0 ] ; then rc=1 fi -- cgit
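Review bot: The added `-S $digest` on both the rlLog and rlRun lines relies on `digest` being set inside scep_do_enroll_with_sscep, but the parameter handling at the top of the function is outside this hunk; callers now pass the digest as a fifth positional argument, so unless a `local digest=$5` was added the option only works because bash's dynamic scoping exposes the caller's `local digest`, and an empty value would produce `-S -l ...` and a confusing sscep usage error. Please confirm the assignment exists, preferably as `local digest=${5:?scep_do_enroll_with_sscep: digest argument required}`, and mention the new argument in the function's header comment. The rlLog line duplicates the rlRun command string verbatim; building the argument string once in a variable and logging that would keep the two from drifting apart again.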