From c416878297b365f018983e4d62ba9bcb9404f218 Mon Sep 17 00:00:00 2001 From: Niranjan Mallapadi Date: Tue, 3 Feb 2015 17:51:49 +0530 Subject: Add Legacy drm-logs and some subca tests Sub CA cert-enrollment, profiles and logs are added DRM logs are added Signed-off-by: Niranjan Mallapadi --- tests/dogtag/Makefile | 8 + .../legacy/drm-tests/logs/drm-ad-logs.sh | 194 + .../cert-enrollment/subca-ag-certificates.sh | 337 ++ .../cert-enrollment/subca-ag-requests.sh | 1543 +++++++ .../cert-enrollment/subca-ee-enrollments.sh | 4819 ++++++++++++++++++++ .../cert-enrollment/subca-ee-retrieval.sh | 1032 +++++ .../legacy/subca-tests/logs/subca-ad-logs.sh | 201 + .../subca-tests/profiles/subca-ad-profiles.sh | 1607 +++++++ .../subca-tests/profiles/subca-ag-profiles.sh | 691 +++ tests/dogtag/runtest.sh | 48 + 10 files changed, 10480 insertions(+) create mode 100755 tests/dogtag/acceptance/legacy/drm-tests/logs/drm-ad-logs.sh create mode 100755 tests/dogtag/acceptance/legacy/subca-tests/cert-enrollment/subca-ag-certificates.sh create mode 100755 tests/dogtag/acceptance/legacy/subca-tests/cert-enrollment/subca-ag-requests.sh create mode 100755 tests/dogtag/acceptance/legacy/subca-tests/cert-enrollment/subca-ee-enrollments.sh create mode 100755 tests/dogtag/acceptance/legacy/subca-tests/cert-enrollment/subca-ee-retrieval.sh create mode 100755 tests/dogtag/acceptance/legacy/subca-tests/logs/subca-ad-logs.sh create mode 100755 tests/dogtag/acceptance/legacy/subca-tests/profiles/subca-ad-profiles.sh create mode 100755 tests/dogtag/acceptance/legacy/subca-tests/profiles/subca-ag-profiles.sh (limited to 'tests/dogtag') diff --git a/tests/dogtag/Makefile b/tests/dogtag/Makefile index d7f4faed3..c337ef837 100755 --- a/tests/dogtag/Makefile +++ b/tests/dogtag/Makefile @@ -263,12 +263,20 @@ build: $(BUILT_FILES) chmod a+x ./acceptance/legacy/drm-tests/agent/drm-ag-tests.sh chmod a+x ./acceptance/legacy/drm-tests/internaldb/drm-ad-internaldb.sh chmod a+x ./acceptance/legacy/drm-tests/usergroups/drm-ad-usergroups.sh + chmod a+x ./acceptance/legacy/drm-tests/logs/drm-ad-logs.sh chmod a+x ./acceptance/legacy/subca-tests/acls/subca-ad-acls.sh chmod a+x ./acceptance/legacy/subca-tests/internaldb/subca-ad-internaldb.sh chmod a+x ./acceptance/legacy/subca-tests/authplugin/subca-ad-authplugin.sh chmod a+x ./acceptance/legacy/subca-tests/crlissuingpoint/subca-ad-crlissuingpoints.sh chmod a+x ./acceptance/legacy/subca-tests/publishing/subca-ad-publishing.sh chmod a+x ./acceptance/legacy/subca-tests/crls/subca-ag-crls.sh + chmod a+x ./acceptance/legacy/subca-tests/cert-enrollment/subca-ag-certificates.sh + chmod a+x ./acceptance/legacy/subca-tests/cert-enrollment/subca-ag-requests.sh + chmod a+x ./acceptance/legacy/subca-tests/cert-enrollment/subca-ee-enrollments.sh + chmod a+x ./acceptance/legacy/subca-tests/cert-enrollment/subca-ee-retrieval.sh + chmod a+x ./acceptance/legacy/subca-tests/profiles/subca-ad-profiles.sh + chmod a+x ./acceptance/legacy/subca-tests/profiles/subca-ag-profiles.sh + chmod a+x ./acceptance/legacy/subca-tests/logs/subca-ad-logs.sh # bug verifications chmod a+x ./acceptance/bugzilla/tomcatjss-bugs/bug-1058366.sh chmod a+x ./acceptance/bugzilla/tomcatjss-bugs/bug-1084224.sh diff --git a/tests/dogtag/acceptance/legacy/drm-tests/logs/drm-ad-logs.sh b/tests/dogtag/acceptance/legacy/drm-tests/logs/drm-ad-logs.sh new file mode 100755 index 000000000..136ff26e2 --- /dev/null +++ b/tests/dogtag/acceptance/legacy/drm-tests/logs/drm-ad-logs.sh @@ -0,0 +1,194 @@ +#!/bin/bash +# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/rhcs/acceptance/legacy/drm-tests/drm-ad-logs.sh +# Description: DRM Admin logs tests +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# The following pki key cli commands needs to be tested: +# DRM Admin logs test +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Author: Niranjan Mallapadi +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2013 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include rhts environment +. /usr/bin/rhts-environment.sh +. /usr/share/beakerlib/beakerlib.sh +. /opt/rhqa_pki/rhcs-shared.sh +. /opt/rhqa_pki/pki-cert-cli-lib.sh +. /opt/rhqa_pki/env.sh + +run_admin-kra-log_tests() +{ + local cs_Type=$1 + local cs_Role=$2 + + # Creating Temporary Directory for legacy test + rlPhaseStartSetup "Create Temporary Directory" + rlRun "TmpDir=\`mktemp -d\`" 0 "Creating tmp directory" + rlRun "pushd $TmpDir" + rlPhaseEnd + + # Local Variables + get_topo_stack $cs_Role $TmpDir/topo_file + local CA_INST=$(cat $TmpDir/topo_file | grep MY_CA | cut -d= -f2) + local KRA_INST=$(cat $TmpDir/topo_file | grep MY_KRA | cut -d= -f2) + local tomcat_name=$(eval echo \$${CA_INST}_TOMCAT_INSTANCE_NAME) + local target_unsecure_port=$(eval echo \$${CA_INST}_UNSECURE_PORT) + local target_secure_port=$(eval echo \$${CA_INST}_SECURE_PORT) + local tmp_ca_port=$(eval echo \$${CA_INST}_UNSECURE_PORT) + local tmp_kra_host=$(eval echo \$${cs_Role}) + local tmp_ca_host=$(eval echo \$${cs_Role}) + local valid_ca_agent_cert=$CA_INST\_agentV + local valid_agent=$KRA_INST\_agentV + local valid_agent_pwd=$KRA_INST\_agentV_password + local valid_audit=$KRA_INST\_auditV + local valid_audit_pwd=$KRA_INST\_auditV_password + local valid_operator=$KRA_INST\_operatorV + local valid_operator_pwd=$KRA_INST\_operatorV_password + local valid_admin=$KRA_INST\_adminV + local valid_admin_pwd=$KRA_INST\_adminV_password + local revoked_agent=$KRA_INST\_agentR + local revoked_admin=$KRA_INST\_adminR + local expired_admin=$KRA_INST\_adminE + local expired_agent=$KRA_INST\_agentE + local admin_out="$TmpDir/admin_out" + local TEMP_NSS_DB="$TmpDir/nssdb" + local TEMP_NSS_DB_PWD="redhat" + + + rlPhaseStartTest "pki_console_log-001: DRM Admin Interface - Add a new log file" + rlLog "Create a new log of type system" + local logfile=log$RANDOM + local level=0 + local rolloverinterval=1 + local logtype="system" + local flushinterval=5 + local filename=/tmp/$logfile + local logenable="True" + local signedAuditCertNickname="kraauditsigningcert" + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_admin:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=logRule&RS_ID=$logfile&unselected.events=&level=$level&rolloverInterval=$rolloverinterval&flushInterval=$flushinterval&mandatory.events=&bufferSize=512&maxFileSize=2000&fileName=$filename&enable=$logenable&signedAuditCertNickname=$signedAuditCertNickname&implName=file&type=$logtype&logSigning=true&events=&RULENAME=$logfile\" -k https://$tmp_kra_host:$target_secure_port/kra/log >> $admin_out" 0 "Create $logfile file of type $logtype" + rlLog "List all logs" + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_admin:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=logRule\" -k https://$tmp_kra_host:$target_secure_port/kra/log > $admin_out" 0 "List all logs configured" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$logfile=file:visible" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_log-002: DRM Admin Interface - List all logs" + rlLog "List all logs" + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_admin:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=logRule\" -k https://$tmp_kra_host:$target_secure_port/kra/log > $admin_out" 0 "List all logs configured" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "Transactions=file:visible" "$admin_out" + rlAssertGrep "SignedAudit=file:visible" "$admin_out" + rlAssertGrep "System=file:visible" "$admin_out" + rlAssertGrep "$logfile=file:visible" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_log-003: DRM Admin Interface - Edit log file configuration" + local level=0 + local rolloverinterval=1 + local logtype="system" + local flushinterval=5 + local filename=/tmp/$logfile + local logenable="false" + local maxfilesize=3000 + local buffersize=512 + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_admin:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_MODIFY&OP_SCOPE=logRule&RS_ID=$logfile&level=$level&rolloverInterval=$rolloverinterval&flushInterval=$flushinterval&bufferSize=$buffersize&maxFileSize=$maxfilesize&fileName=$filename&enable=$logenable&implName=file&type=$logtype&RULENAME=$logfile\" -k https://$tmp_kra_host:$target_secure_port/kra/log >> $admin_out" 0 "Modify $logfile file" + rlLog "Changes require restart of CA instance" + rlRun "rhcs_stop_instance $tomcat_name" + rlRun "rhcs_start_instance $tomcat_name" + rlLog "Read $logfile and verify values are updated" + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_admin:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=logRule&RS_ID=$logfile\" -k https://$tmp_kra_host:$target_secure_port/kra/log > $admin_out" 0 "Read $logfile file" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "maxFileSize=$maxfilesize" "$admin_out" + rlAssertGrep "enable=$logenable" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_log-004: DRM Admin Interface - View log file" + rlLog "Read $logfile" + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_admin:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=logRule&RS_ID=$logfile\" -k https://$tmp_kra_host:$target_secure_port/kra/log > $admin_out" 0 "Read $logfile file" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "implName=file" "$admin_out" + rlAssertGrep "type=$logtype" "$admin_out" + rlAssertGrep "enable=$logenable" "$admin_out" + rlAssertGrep "level=Debug" "$admin_out" + rlAssertGrep "bufferSize=$buffersize" "$admin_out" + rlAssertGrep "maxFileSize=$maxfilesize" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_log-005: DRM Admin Interface - Delete log file" + rlLog "Delete log $logfile file" + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_admin:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=logRule&RS_ID=$logfile\" -k https://$tmp_kra_host:$target_secure_port/kra/log > $admin_out" 0 "Read $logfile file" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlLog "List all logs" + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_admin:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=logRule\" -k https://$tmp_kra_host:$target_secure_port/kra/log > $admin_out" 0 "List all logs configured" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "Transactions=file:visible" "$admin_out" + rlAssertGrep "SignedAudit=file:visible" "$admin_out" + rlAssertGrep "System=file:visible" "$admin_out" + rlAssertNotGrep "$logfile=file:visible" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_log-006: DRM Admin Interface - Adding a log file with agent privileges should fail" + local logfile=log$RANDOM + local level=0 + local rolloverinterval=1 + local logtype="system" + local flushinterval=5 + local filename=/tmp/$logfile + local logenable="True" + local signedAuditCertNickname="caauditsigningcert" + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_agent:$valid_agent_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=logRule&RS_ID=$logfile&unselected.events=&level=$level&rolloverInterval=$rolloverinterval&flushInterval=$flushinterval&mandatory.events=&bufferSize=512&maxFileSize=2000&fileName=$filename&enable=$logenable&signedAuditCertNickname=$signedAuditCertNickname&implName=file&type=$logtype&logSigning=true&events=&RULENAME=$logfile\" -k https://$tmp_kra_host:$target_secure_port/kra/log > $admin_out" 0 "Create $logfile file of type $logtype" + rlAssertGrep "You are not authorized to perform this operation" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_log-007: DRM Admin Interface - Adding a log file with audit privileges should fail" + local logfile=log$RANDOM + local level=0 + local rolloverinterval=1 + local logtype="system" + local flushinterval=5 + local filename=/tmp/$logfile + local logenable="True" + local signedAuditCertNickname="caauditsigningcert" + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_audit:$valid_audit_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=logRule&RS_ID=$logfile&unselected.events=&level=$level&rolloverInterval=$rolloverinterval&flushInterval=$flushinterval&mandatory.events=&bufferSize=512&maxFileSize=2000&fileName=$filename&enable=$logenable&signedAuditCertNickname=$signedAuditCertNickname&implName=file&type=$logtype&logSigning=true&events=&RULENAME=$logfile\" -k https://$tmp_kra_host:$target_secure_port/kra/log > $admin_out" 0 "Create $logfile file of type $logtype" + rlAssertGrep "You are not authorized to perform this operation" "$admin_out" + rlPhaseEnd + + rlPhaseStartCleanup "Delete temporary dir" + rlRun "popd" + rlRun "rm -r $TmpDir" 0 "Removing tmp directory" + rlPhaseEnd + + +} diff --git a/tests/dogtag/acceptance/legacy/subca-tests/cert-enrollment/subca-ag-certificates.sh b/tests/dogtag/acceptance/legacy/subca-tests/cert-enrollment/subca-ag-certificates.sh new file mode 100755 index 000000000..53f411a59 --- /dev/null +++ b/tests/dogtag/acceptance/legacy/subca-tests/cert-enrollment/subca-ag-certificates.sh @@ -0,0 +1,337 @@ +#!/bin/bash +# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/rhcs/acceptance/legacy/ca-tests/cert-enrollment/subca-ag-certificates +# Description: Subordiate CA Agent Certificates +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# The following legacy tests is being tested: +# subca-ag-certificates +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Author: Niranjan Mallapadi +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2013 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include rhts environment +. /usr/bin/rhts-environment.sh +. /usr/share/beakerlib/beakerlib.sh +. /opt/rhqa_pki/rhcs-shared.sh +. /opt/rhqa_pki/pki-cert-cli-lib.sh +. /opt/rhqa_pki/pki-auth-plugin-lib.sh +. /opt/rhqa_pki/env.sh + +run_subca-ag-certificates_tests() +{ + + # Creating Temporary Directory + rlPhaseStartSetup "Create Temporary Directory" + rlRun "TmpDir=\`mktemp -d\`" 0 "Creating tmp directory" + rlRun "pushd $TmpDir" + rlRun "export PYTHONPATH=$PYTHONPATH:/opt/rhqa_pki/" + rlPhaseEnd + + # Disable Nonce + rlPhaseStartSetup "Disable Nonce" + local cs_Type=$1 + local cs_Role=$2 + get_topo_stack $cs_Role $TmpDir/topo_file + if [ $cs_Role="MASTER" ]; then + SUBCA_INST=$(cat $TmpDir/topo_file | grep MY_SUBCA | cut -d= -f2) + elif [ $cs_Role="SUBCA2" || $cs_Role="SUBCA1" ]; then + SUBCA_INST=$(cat $TmpDir/topo_file | grep MY_CA | cut -d= -f2) + fi + local tomcat_name=$(eval echo \$${SUBCA_INST}_TOMCAT_INSTANCE_NAME) + rlRun "disable_ca_nonce $tomcat_name" + rlPhaseEnd + + # Local Variables + local target_unsecure_port=$(eval echo \$${SUBCA_INST}_UNSECURE_PORT) + local target_secure_port=$(eval echo \$${SUBCA_INST}_SECURE_PORT) + local tmp_ca_port=$(eval echo \$${SUBCA_INST}_UNSECURE_PORT) + local tmp_ca_host=$(eval echo \$${cs_Role}) + local valid_agent_cert=$SUBCA_INST\_agentV + local valid_audit_cert=$SUBCA_INST\_auditV + local valid_operator_cert=$SUBCA_INST\_operatorV + local valid_admin_cert=$SUBCA_INST\_adminV + local cert_find_info="$TmpDir/cert_find_info" + local revoked_agent_cert=$SUBCA_INST\_agentR + local revoked_admin_cert=$SUBCA_INST\_adminR + local expired_admin_cert=$SUBCA_INST\_adminE + local expired_agent_cert=$SUBCA_INST\_agentE + local admin_out="$TmpDir/admin_out" + local TEMP_NSS_DB="$TmpDir/nssdb" + local TEMP_NSS_DB_PWD="redhat" + local cert_info="$TmpDir/cert_info" + local ca_profile_out="$TmpDir/ca-profile-out" + local cert_out="$TmpDir/cert-show.out" + local cert_show_out="$TmpDir/cert_show.out" + local rand=$RANDOM + local tmp_junk_data=$(openssl rand -base64 50 | perl -p -e 's/\n//') + local SSL_DIR=$CERTDB_DIR + + + + rlPhaseStartTest "pki_subca_ag-certificates-001: CA Agent Page: List Certificates" + local op=listCerts + local queryCertFilter='(|(certStatus=VALID)(certStatus=REVOKED))' + local serialFrom='' + local serialTo='' + local skipNonValid='' + local querySentinelDown='0' + local querySentinelUp='' + local direction='' + local maxCount='10' + local test_out=$op + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"op=$op&queryCertFilter=$queryCertFilter&serialFrom=$serialFrom&serialTo=$serialTo&skipNonValid=$skipNonValid&querySentinelDown=$querySentinelDown&querySentinelUp=$querySentinelUp&direction=$direction&maxCount=$maxCount\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/listCerts\" > $TmpDir/$test_out" 0 "List Certificates" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"op=$op&queryCertFilter=$queryCertFilter&serialFrom=$serialFrom&serialTo=$serialTo&skipNonValid=$skipNonValid&querySentinelDown=$querySentinelDown&querySentinelUp=$querySentinelUp&direction=$direction&maxCount=$maxCount\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/listCerts\" > $TmpDir/$test_out" 0 "List Certificates" + local no_of_records=$(cat $TmpDir/$test_out | grep record.subject= | wc -l) + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertEquals "Verify number of records is $maxCount" $maxCount $no_of_records + rlPhaseEnd + + rlPhaseStartSetup "Generate Cert which will be revoked" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=1024 + local profile=caUserCert + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local userid="fooUser" + local usercn="fooUser" + local phone="1234" + local usermail="fooUser@example.org" + local test_out=ca-$profile-test.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$usercn\" \ + subject_uid:$userid \ + subject_email:$usermail \ + subject_ou:IDM \ + subject_organization:RedHat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "request_id=$request_id" + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Submit Certificare request" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ag-certificates-002: CA Agent Page: Revoke Certificates" + local STRIP_HEX=$(echo $serial_number | cut -dx -f2) + local serial=$STRIP_HEX + local CONV_UPP_VAL=${STRIP_HEX^^} + local decimal_serial_number=$(echo "ibase=16;$CONV_UPP_VAL"|bc) + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local revocationReason="0" + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Revoked cert with serial Number: $serial_number" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"$serial=on&day=0&month=$Month&year=0&revocationReason=$revocationReason&csrRequestorComments=&submit=Submit&op=doRevoke&templateType=RevocationSuccess&serialNumber=$serial&revokeAll=(|(certRecordId=$decimal_serial_number))&totalRecordCount=1&verifiedRecordCount=1&invalidityDate=0\" -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/doRevoke\" > $TmpDir/$test_out" 0 "Revoke cert with serial Number $serial_number" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"$serial=on&day=0&month=$Month&year=0&revocationReason=$revocationReason&csrRequestorComments=&submit=Submit&op=doRevoke&templateType=RevocationSuccess&serialNumber=$serial&revokeAll=(|(certRecordId=$decimal_serial_number))&totalRecordCount=1&verifiedRecordCount=1&invalidityDate=0\" -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/doRevoke\" > $TmpDir/$test_out" 0 "Revoke cert with serial Number $serial_number" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertGrep "header.revoked = \"yes\"" "$TmpDir/$test_out" + rlAssertGrep "header.revoked = \"yes\"" "$TmpDir/$test_out" + rlAssertGrep "header.error = null" "$TmpDir/$test_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ag-certificates-003: CA Agent Page: Display Revocation List(type: Entire CRL)" + rlLog "Display Cached CRL" + rlRun "export SSL_DIR=$CERTDB_DIR" + local crlIssuingPoint='MasterCRL' + local crlDisplayType='cachedCRL' + local pageStart='1' + local pageSize='50' + local test_out=$crlDisplayType + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"crlIssuingPoint=$crlIssuingPoint&crlDisplayType=$crlDisplayType&pageStart=$pageStart&pageSize=$pageSize\" -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/displayCRL\" > $TmpDir/$test_out" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"crlIssuingPoint=$crlIssuingPoint&crlDisplayType=$crlDisplayType&pageStart=$pageStart&pageSize=$pageSize\" -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/displayCRL\" > $TmpDir/$test_out" 0 "Display cached CRL" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertGrep "header.crlIssuingPoint = \"$crlIssuingPoint\"" "$TmpDir/$test_out" + rlAssertGrep "header.crlDisplayType = \"$crlDisplayType\"" "$TmpDir/$test_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ag-certificates-004: CA Agent Page: Display Revocation List(type: Entire CRL)" + rlLog "Display Entire CRL" + rlRun "export SSL_DIR=$CERTDB_DIR" + local crlIssuingPoint='MasterCRL' + local crlDisplayType='entireCRL' + local pageStart='1' + local pageSize='50' + local test_out=$crlDisplayType + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"crlIssuingPoint=$crlIssuingPoint&crlDisplayType=$crlDisplayType&pageStart=$pageStart&pageSize=$pageSize\" -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/displayCRL\" > $TmpDir/$test_out" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"crlIssuingPoint=$crlIssuingPoint&crlDisplayType=$crlDisplayType&pageStart=$pageStart&pageSize=$pageSize\" -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/displayCRL\" > $TmpDir/$test_out" 0 "Display cached CRL" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertGrep "header.crlIssuingPoint = \"$crlIssuingPoint\"" "$TmpDir/$test_out" + rlAssertGrep "header.crlDisplayType = \"$crlDisplayType\"" "$TmpDir/$test_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ag-certificates-005: CA Agent Page: Display Revocation List(type: CRLHeader)" + rlLog "Display CRL Header" + rlRun "export SSL_DIR=$CERTDB_DIR" + local crlIssuingPoint='MasterCRL' + local crlDisplayType='crlHeader' + local pageStart='1' + local pageSize='50' + local test_out=$crlDisplayType + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"crlIssuingPoint=$crlIssuingPoint&crlDisplayType=$crlDisplayType&pageStart=$pageStart&pageSize=$pageSize\" -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/displayCRL\" > $TmpDir/$test_out" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"crlIssuingPoint=$crlIssuingPoint&crlDisplayType=$crlDisplayType&pageStart=$pageStart&pageSize=$pageSize\" -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/displayCRL\" > $TmpDir/$test_out" 0 "Display cached CRL" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertGrep "header.crlIssuingPoint = \"$crlIssuingPoint\"" "$TmpDir/$test_out" + rlAssertGrep "header.crlDisplayType = \"$crlDisplayType\"" "$TmpDir/$test_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ag-certificates-006: CA Agent Page: Display Revocation List(type: Base64 Encoded)" + rlLog "Display Base64 Encoded CRL" + rlRun "export SSL_DIR=$CERTDB_DIR" + local crlIssuingPoint='MasterCRL' + local crlDisplayType='base64Encoded' + local pageStart='1' + local pageSize='50' + local test_out=$crlDisplayType + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"crlIssuingPoint=$crlIssuingPoint&crlDisplayType=$crlDisplayType&pageStart=$pageStart&pageSize=$pageSize\" -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/displayCRL\" > $TmpDir/$test_out" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"crlIssuingPoint=$crlIssuingPoint&crlDisplayType=$crlDisplayType&pageStart=$pageStart&pageSize=$pageSize\" -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/displayCRL\" > $TmpDir/$test_out" 0 "Display cached CRL" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertGrep "header.crlIssuingPoint = \"$crlIssuingPoint\"" "$TmpDir/$test_out" + rlAssertGrep "header.crlDisplayType = \"$crlDisplayType\"" "$TmpDir/$test_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ag-certificates-007: CA Agent Page: Update Revocation List" + rlLog "Update Revocation List" + local crlIssuingPoint=MasterCRL + local signatureAlgorithm='SHA512withRSA' + local test_out=updateCRL + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"crlIssuingPoint=$crlIssuingPoint&signatureAlgorithm=$signatureAlgorithm\" -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/updateCRL\" > $TmpDir/$test_out" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"crlIssuingPoint=$crlIssuingPoint&signatureAlgorithm=$signatureAlgorithm\" -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/updateCRL\" > $TmpDir/$test_out" 0 "Update Revocation List" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertGrep "header.crlIssuingPoint = \"$crlIssuingPoint\"" "$TmpDir/$test_out" + rlAssertGrep "header.crlUpdate = \"Scheduled\"" "$TmpDir/$test_out" + rlPhaseEnd + + rlPhaseStartCleanup "Delete temp dir and enable nonce" + rlRun "popd" + rlRun "rm -r $TmpDir" 0 "Removing tmp directory" + enable_ca_nonce $tomcat_name + rlPhaseEnd + +} +verify_cert() +{ + local serial_number=$1 + local request_dn=$2 + STRIP_HEX=$(echo $serial_number | cut -dx -f2) + CONV_LOW_VAL=${STRIP_HEX,,} + rlRun "pki -h $tmp_ca_host -p $target_unsecure_port cert-show $serial_number > $cert_show_out" 0 "Executing pki cert-show $serial_number" + rlAssertGrep "Serial Number: 0x$CONV_LOW_VAL" "$cert_show_out" + rlAssertGrep "Issuer: CN=PKI $SUBCA_INST Signing Cert,O=redhat" "$cert_show_out" + rlAssertGrep "Subject: $request_dn" "$cert_show_out" + rlAssertGrep "Status: VALID" "$cert_show_out" +} + diff --git a/tests/dogtag/acceptance/legacy/subca-tests/cert-enrollment/subca-ag-requests.sh b/tests/dogtag/acceptance/legacy/subca-tests/cert-enrollment/subca-ag-requests.sh new file mode 100755 index 000000000..b79a5a9b2 --- /dev/null +++ b/tests/dogtag/acceptance/legacy/subca-tests/cert-enrollment/subca-ag-requests.sh @@ -0,0 +1,1543 @@ +#!/bin/bash +# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/rhcs/acceptance/legacy/ca-tests/cert-enrollment/subca-ag-requests +# Description: Subordiate CA Agent Requests +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# The following legacy test is being tested: +# subca-ag-requests +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Author: Niranjan Mallapadi +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2013 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include rhts environment +. /usr/bin/rhts-environment.sh +. /usr/share/beakerlib/beakerlib.sh +. /opt/rhqa_pki/rhcs-shared.sh +. /opt/rhqa_pki/pki-cert-cli-lib.sh +. /opt/rhqa_pki/pki-auth-plugin-lib.sh +. /opt/rhqa_pki/env.sh + +run_subca-ag-requests_tests() +{ + + # Creating Temporary Directory + rlPhaseStartSetup "Create Temporary Directory" + rlRun "TmpDir=\`mktemp -d\`" 0 "Creating tmp directory" + rlRun "pushd $TmpDir" + rlRun "export PYTHONPATH=$PYTHONPATH:/opt/rhqa_pki/" + rlPhaseEnd + + # Disable Nonce + rlPhaseStartSetup "Disable Nonce" + local cs_Type=$1 + local cs_Role=$2 + get_topo_stack $cs_Role $TmpDir/topo_file + if [ $cs_Role="MASTER" ]; then + SUBCA_INST=$(cat $TmpDir/topo_file | grep MY_SUBCA | cut -d= -f2) + elif [ $cs_Role="SUBCA2" || $cs_Role="SUBCA1" ]; then + SUBCA_INST=$(cat $TmpDir/topo_file | grep MY_CA | cut -d= -f2) + fi + local tomcat_name=$(eval echo \$${SUBCA_INST}_TOMCAT_INSTANCE_NAME) + disable_ca_nonce $tomcat_name + rlPhaseEnd + + #local variables + local target_unsecure_port=$(eval echo \$${SUBCA_INST}_UNSECURE_PORT) + local target_secure_port=$(eval echo \$${SUBCA_INST}_SECURE_PORT) + local tmp_ca_agent=$SUBCA_INST\_agentV + local tmp_ca_admin=$SUBCA_INST\_adminV + local tmp_ca_port=$(eval echo \$${SUBCA_INST}_UNSECURE_PORT) + local tmp_ca_host=$(eval echo \$${cs_Role}) + local valid_agent_cert=$SUBCA_INST\_agentV + local valid_audit_cert=$SUBCA_INST\_auditV + local valid_operator_cert=$SUBCA_INST\_operatorV + local valid_admin_cert=$SUBCA_INST\_adminV + local cert_find_info="$TmpDir/cert_find_info" + local revoked_agent_cert=$SUBCA_INST\_agentR + local revoked_admin_cert=$SUBCA_INST\_adminR + local expired_admin_cert=$SUBCA_INST\_adminE + local expired_agent_cert=$SUBCA_INST\_agentE + local admin_out="$TmpDir/admin_out" + local TEMP_NSS_DB="$TmpDir/nssdb" + local TEMP_NSS_DB_PWD="redhat" + local cert_info="$TmpDir/cert_info" + local ca_profile_out="$TmpDir/ca-profile-out" + local cert_out="$TmpDir/cert-show.out" + local cert_show_out="$TmpDir/cert_show.out" + local rand=$RANDOM + local tmp_junk_data=$(openssl rand -base64 50 | perl -p -e 's/\n//') + local SSL_DIR=$CERTDB_DIR + + rlPhaseStartTest "pki_subca_ag-requests-001: CA Agent Page: List Requests try to display 100 requests and their details" + local reqType='enrollment' + local reqState='showWaiting' + local lastEntryOnPage='0' + local direction='first' + local maxCount='100' + local test_out='agent.out' + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"reqType=$reqType&reqState=$reqState&lastEntryOnPage=$lastEntryOnPage&direction=$direction&maxCount=$maxCount\" -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/queryReq\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"reqType=$reqType&reqState=$reqState&lastEntryOnPage=$lastEntryOnPage&direction=$direction&maxCount=$maxCount\" -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/queryReq\" > $TmpDir/$test_out" + rlAssertGrep "record.callerName=\"$valid_agent_cert\"" "$TmpDir/$test_out" + local no_of_records=$(cat $TmpDir/$test_out | grep record.subject | wc -l) + rlAssertGreater "Verify No of records displayed is more than 1" $no_of_records 1 + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlPhaseEnd + + rlPhaseStartSetup "Create certificate request for review" + rlLog "Create a pkcs10 cert request" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=1024 + local profile=caUserCert + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local userid="foo$RANDOM" + local usercn="foo$RANDOM" + local phone="1234" + local usermail="$userid@example.org" + local test_out=ca-$profile-test1.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$usercn\" \ + subject_uid:$userid \ + subject_email:$usermail \ + subject_ou:IDM \ + subject_organization:RedHat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "request_id=$request_id" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ag-requests-002: CA Agent Page: view a particular profile based certificate request" + rlLog "View certificate request details" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id\" -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileReview\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id\" -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileReview\" > $TmpDir/$test_out" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertGrep "defList.defVal=\"RSA - 1.2.840.113549.1.1.1\"" "$TmpDir/$test_out" + rlAssertGrep "defList.defVal=\"$cert_ext_exKeyUsageOIDs\"" "$TmpDir/$test_out" + rlAssertGrep "inputList.inputVal=\"$useid\"" "$TmpDir/$test_out" + rlAssertGrep "inputList.inputVal=\"$usercn\"" "$TmpDir/$test_out" + rlAssertGrep "inputList.inputVal=\"$usermail\"" "$TmpDir/$test_out" + rlAssertGrep "profileName=\"Manual User Dual-Use Certificate Enrollment\"" "$TmpDir/$test_out" + rlAssertGrep "requestStatus=\"pending\"" "$TmpDir/$test_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ag-requests-003: CA Agent Page: Approve Profile request" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=1024 + local profile=caUserCert + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local userid="fooUser$RANDOM" + local usercn="fooUser$RANDOM" + local phone="1234-$RANDOM" + local usermail="$userid@example.org" + local test_out=ca-$profile-test.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$usercn\" \ + subject_uid:$userid \ + subject_email:$usermail \ + subject_ou:IDM \ + subject_organization:RedHat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "request_id=$request_id" + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Submit certificate request" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + local serial_number_without_hex=$(echo $serial_number | cut -dx -f2) + local serial_number_without_hex_lower=${serial_number_without_hex,,} + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ag-requests-004: CA Agent Page: Cancel Certificate request" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=1024 + local profile=caUserCert + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local userid="fooUser$RANDOM" + local usercn="fooUser$RANDOM" + local phone="1234-$RANDOM" + local usermail="$userid@example.org" + local test_out=ca-$profile-test.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$usercn\" \ + subject_uid:$userid \ + subject_email:$usermail \ + subject_ou:IDM \ + subject_organization:RedHat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "request_id=$request_id" + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=cancel&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=cancel&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "cancel certificate request" + rlAssertGrep "requestType=\"enrollment\"" "$TmpDir/$test_out" + rlAssertGrep "profileId=\"caUserCert\"" "$TmpDir/$test_out" + rlAssertGrep "requestId=\"$request_id\"" "$TmpDir/$test_out" + rlAssertGrep "errorCode=\"0\"" "$TmpDir/$test_out" + rlAssertGrep "requestStatus=\"canceled\"" "$TmpDir/$test_out" + rlPhaseEnd + + + rlPhaseStartTest "pki_subca_ag-requests-005: CA Agent Page: Reject Certificate request" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=1024 + local profile=caUserCert + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local userid="fooUser$RANDOM" + local usercn="fooUser$RANDOM" + local phone="1234-$RANDOM" + local usermail="$userid@example.org" + local test_out=ca-$profile-test.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$usercn\" \ + subject_uid:$userid \ + subject_email:$usermail \ + subject_ou:IDM \ + subject_organization:RedHat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "request_id=$request_id" + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + local action=reject + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=$action&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=$action&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "$action certificate request" + rlAssertGrep "requestType=\"enrollment\"" "$TmpDir/$test_out" + rlAssertGrep "profileId=\"caUserCert\"" "$TmpDir/$test_out" + rlAssertGrep "requestId=\"$request_id\"" "$TmpDir/$test_out" + rlAssertGrep "errorCode=\"0\"" "$TmpDir/$test_out" + rlAssertGrep "requestStatus=\"rejected\"" "$TmpDir/$test_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ag-requests-006: CA Agent Page: Assign Certificate request" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=1024 + local profile=caUserCert + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local userid="fooUser$RANDOM" + local usercn="fooUser$RANDOM" + local phone="1234-$RANDOM" + local usermail="$userid@example.org" + local test_out=ca-$profile-test.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$usercn\" \ + subject_uid:$userid \ + subject_email:$usermail \ + subject_ou:IDM \ + subject_organization:RedHat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "request_id=$request_id" + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + local action=assign + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=$action&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=$action&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "$action certificate request" + rlAssertGrep "requestType=\"enrollment\"" "$TmpDir/$test_out" + rlAssertGrep "profileId=\"caUserCert\"" "$TmpDir/$test_out" + rlAssertGrep "requestId=\"$request_id\"" "$TmpDir/$test_out" + rlAssertGrep "errorCode=\"0\"" "$TmpDir/$test_out" + rlAssertGrep "requestStatus=\"pending\"" "$TmpDir/$test_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ag-requests-007: CA Agent Page: UnAssign Certificate request" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=1024 + local profile=caUserCert + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local userid="fooUser$RANDOM" + local usercn="fooUser$RANDOM" + local phone="1234-$RANDOM" + local usermail="$userid@example.org" + local test_out=ca-$profile-test.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$usercn\" \ + subject_uid:$userid \ + subject_email:$usermail \ + subject_ou:IDM \ + subject_organization:RedHat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "request_id=$request_id" + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + local action=unassign + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=$action&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=$action&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "$action certificate request" + rlAssertGrep "requestType=\"enrollment\"" "$TmpDir/$test_out" + rlAssertGrep "profileId=\"caUserCert\"" "$TmpDir/$test_out" + rlAssertGrep "requestId=\"$request_id\"" "$TmpDir/$test_out" + rlAssertGrep "errorCode=\"0\"" "$TmpDir/$test_out" + rlAssertGrep "requestStatus=\"pending\"" "$TmpDir/$test_out" + rlPhaseEnd + + + rlPhaseStartTest "pki_subca_ag-requests-008: CA Agent Page: Validate Certificate request" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=1024 + local profile=caUserCert + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local userid="fooUser$RANDOM" + local usercn="fooUser$RANDOM" + local phone="1234-$RANDOM" + local usermail="$userid@example.org" + local test_out=ca-$profile-test.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$usercn\" \ + subject_uid:$userid \ + subject_email:$usermail \ + subject_ou:IDM \ + subject_organization:RedHat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "request_id=$request_id" + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + local action=validate + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=$action&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=$action&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "$action certificate request" + rlAssertGrep "requestType=\"enrollment\"" "$TmpDir/$test_out" + rlAssertGrep "profileId=\"caUserCert\"" "$TmpDir/$test_out" + rlAssertGrep "requestId=\"$request_id\"" "$TmpDir/$test_out" + rlAssertGrep "errorCode=\"0\"" "$TmpDir/$test_out" + rlAssertGrep "requestStatus=\"pending\"" "$TmpDir/$test_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ag-requests-009: CA Agent Page: Update Certificate request" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=1024 + local profile=caUserCert + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local userid="fooUser$RANDOM" + local usercn="fooUser$RANDOM" + local phone="1234-$RANDOM" + local usermail="$userid@example.org" + local test_out=ca-$profile-test.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$usercn\" \ + subject_uid:$userid \ + subject_email:$usermail \ + subject_ou:IDM \ + subject_organization:RedHat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "request_id=$request_id" + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + local action=update + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=$action&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=$action&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "$action certificate request" + rlAssertGrep "requestType=\"enrollment\"" "$TmpDir/$test_out" + rlAssertGrep "profileId=\"caUserCert\"" "$TmpDir/$test_out" + rlAssertGrep "requestId=\"$request_id\"" "$TmpDir/$test_out" + rlAssertGrep "errorCode=\"0\"" "$TmpDir/$test_out" + rlAssertGrep "requestStatus=\"pending\"" "$TmpDir/$test_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ag-requests-0010: Search certs with serial Number range" + local maxCount=10 + local test_out=srcCerts.txt + local op=srchCerts + local serialNumberRangeInUse="on" + local serialFrom=0 + local serialTo=300 + local queryCertFilter="(&(certRecordId>=$serialFrom)(certRecordId<=$serialTo))" + local statusInUse='' + local cert_status='VALID' + local subjectInUse='' + local eMail='' + local commonName='' + local userID='' + local orgUnit='' + local org='' + local locality='' + local state='' + local country='' + local match='partial' + local revokedBy='' + local revokedByInUse='' + local revokedOnInUse='' + local revokedOnFrom='' + local revokedOnTo='' + local revocationReasonInUse='' + local revocationReason='' + local profileInUse='' + local profile='' + local issuedByInUse='' + local issuedBy='' + local issuedOnInUse='' + local issuedOnFrom='' + local issuedOnTo='' + local basicConstraintsInUse='' + local validNotBeforeInUse='' + local validNotBeforeFrom='' + local validNotBeforeTo='' + local validNotAfterInUse='' + local validNotAfterFrom='' + local validNotAfterTo='' + local validityLengthInUse='' + local validityOp='' + local count='' + local unit="2592000000" + local certTypeInUse='' + local SubordinateEmailCA='' + local SubordinateSSLCA='' + local SecureEmail='' + local SSLClient='' + local SSLServer='' + local maxResults='10' + local timeLimit='5' + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&statusInUse=$statusInUse&status=$cert_status&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedByInUse=$revokedByInUse&revokedOnInUse=$revokedOnInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&profileInUse=$profileInUse&profile=$profile&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&basicConstraintsInUse=$basicConstraintsInUse&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/agent/ca/srchCerts > $TmpDir/$test_out" 0 "Search Certs with serialNumber range starting from $serialFrom to $serialTo with maxCount of $maxResults" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&statusInUse=$statusInUse&status=$cert_status&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedByInUse=$revokedByInUse&revokedOnInUse=$revokedOnInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&profileInUse=$profileInUse&profile=$profile&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&basicConstraintsInUse=$basicConstraintsInUse&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/agent/ca/srchCerts > $TmpDir/$test_out" 0 "Search Certs with serialNumber range starting from $serialFrom to $serialTo with maxCount of $maxResults" + local no_of_records=$(cat $TmpDir/$test_out | grep "record.subject=" | wc -l) + rlAssertEquals "Verify No of records displayed is equal to $maxCount" $no_of_records $maxResults + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ag-requests-0011: Search certs with status VALID" + local maxCount=10 + local test_out=srcCerts.txt + local op=srchCerts + local serialNumberRangeInUse='' + local serialFrom='' + local serialTo='' + local queryCertFilter="(&(certStatus=VALID))" + local statusInUse='on' + local cert_status='VALID' + local subjectInUse='' + local eMail='' + local commonName='' + local userID='' + local orgUnit='' + local org='' + local locality='' + local state='' + local country='' + local match='partial' + local revokedBy='' + local revokedByInUse='' + local revokedOnInUse='' + local revokedOnFrom='' + local revokedOnTo='' + local revocationReasonInUse='' + local revocationReason='' + local profileInUse='' + local profile='' + local issuedByInUse='' + local issuedBy='' + local issuedOnInUse='' + local issuedOnFrom='' + local issuedOnTo='' + local basicConstraintsInUse='' + local validNotBeforeInUse='' + local validNotBeforeFrom='' + local validNotBeforeTo='' + local validNotAfterInUse='' + local validNotAfterFrom='' + local validNotAfterTo='' + local validityLengthInUse='' + local validityOp='' + local count='' + local unit="2592000000" + local certTypeInUse='' + local SubordinateEmailCA='' + local SubordinateSSLCA='' + local SecureEmail='' + local SSLClient='' + local SSLServer='' + local maxResults='1000' + local timeLimit='5' + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&statusInUse=$statusInUse&status=$cert_status&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedByInUse=$revokedByInUse&revokedOnInUse=$revokedOnInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&profileInUse=$profileInUse&profile=$profile&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&basicConstraintsInUse=$basicConstraintsInUse&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/agent/ca/srchCerts > $TmpDir/$test_out" 0 "Search Certs with serialNumber range starting from $serialFrom to $serialTo with maxCount of $maxResults" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&statusInUse=$statusInUse&status=$cert_status&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedByInUse=$revokedByInUse&revokedOnInUse=$revokedOnInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&profileInUse=$profileInUse&profile=$profile&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&basicConstraintsInUse=$basicConstraintsInUse&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/agent/ca/srchCerts > $TmpDir/$test_out" 0 "Search Certs with serialNumber range starting from $serialFrom to $serialTo with maxCount of $maxResults" + local no_of_records=$(cat $TmpDir/$test_out | grep "record.subject=" | wc -l) + rlAssertGreater "Verify No of records displayed is more than $maxCount" $maxResults $no_of_records + rlPhaseEnd + + + rlPhaseStartTest "pki_subca_ag-requests-0012: Search certs with status REVOKED" + local maxCount=10 + local test_out=srcCerts.txt + local op=srchCerts + local serialNumberRangeInUse='' + local serialFrom='' + local serialTo='' + local queryCertFilter="(&(certStatus=REVOKED))" + local statusInUse='on' + local cert_status='REVOKED' + local subjectInUse='' + local eMail='' + local commonName='' + local userID='' + local orgUnit='' + local org='' + local locality='' + local state='' + local country='' + local match='partial' + local revokedBy='' + local revokedByInUse='' + local revokedOnInUse='' + local revokedOnFrom='' + local revokedOnTo='' + local revocationReasonInUse='' + local revocationReason='' + local profileInUse='' + local profile='' + local issuedByInUse='' + local issuedBy='' + local issuedOnInUse='' + local issuedOnFrom='' + local issuedOnTo='' + local basicConstraintsInUse='' + local validNotBeforeInUse='' + local validNotBeforeFrom='' + local validNotBeforeTo='' + local validNotAfterInUse='' + local validNotAfterFrom='' + local validNotAfterTo='' + local validityLengthInUse='' + local validityOp='' + local count='' + local unit="2592000000" + local certTypeInUse='' + local SubordinateEmailCA='' + local SubordinateSSLCA='' + local SecureEmail='' + local SSLClient='' + local SSLServer='' + local maxResults='1000' + local timeLimit='5' + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&statusInUse=$statusInUse&status=$cert_status&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedByInUse=$revokedByInUse&revokedOnInUse=$revokedOnInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&profileInUse=$profileInUse&profile=$profile&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&basicConstraintsInUse=$basicConstraintsInUse&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/agent/ca/srchCerts > $TmpDir/$test_out" 0 "Search Certs with serialNumber range starting from $serialFrom to $serialTo with maxCount of $maxResults" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&statusInUse=$statusInUse&status=$cert_status&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedByInUse=$revokedByInUse&revokedOnInUse=$revokedOnInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&profileInUse=$profileInUse&profile=$profile&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&basicConstraintsInUse=$basicConstraintsInUse&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/agent/ca/srchCerts > $TmpDir/$test_out" 0 "Search Certs with serialNumber range starting from $serialFrom to $serialTo with maxCount of $maxResults" + local no_of_records=$(cat $TmpDir/$test_out | grep "record.subject=" | wc -l) + rlAssertGreater "Verify No of records displayed is more than $maxCount" $maxResults $no_of_records + rlAssertNotGrep "record.revokedOn=null" "$TmpDir/$test_out" + rlPhaseEnd + + + rlPhaseStartSetup "pki_subca_ag-requests-0013: Generate a profile which generates cert with 1 day validity period" + local profile="caUserCert$RANDOM" + local pki_user="pki_foo_bar$RANDOM" + local pki_user_fullName="$pki_user User" + local profilename="$profile Enrollment Profile" + rlRun "python -m PkiLib.pkiprofilecli \ + --new user --profileId "$profile" \ + --profilename=\"$profilename\" \ + --notBefore 1 \ + --notAfter 1 \ + --validfor 1 \ + --maxvalidity 1 \ + --outputfile $TmpDir/$profile\.xml" + rlLog "Add $profile" + rlRun "pki -h $tmp_ca_host \ + -p $tmp_ca_port \ + -d $CERTDB_DIR \ + -c $CERTDB_DIR_PASSWORD \ + -n $valid_admin_cert \ + ca-profile-add $TmpDir/$profile\.xml > $ca_profile_out" + rlAssertGrep "Added profile $profile" "$ca_profile_out" + rlLog "Enable $profile" + rlRun "pki -h $tmp_ca_host \ + -p $tmp_ca_port \ + -d $CERTDB_DIR \ + -c $CERTDB_DIR_PASSWORD \ + -n $valid_agent_cert \ + ca-profile-enable $profile > $ca_profile_out" + rlAssertGrep "Enabled profile \"$profile\"" "$ca_profile_out" + rlRun "generate_new_cert tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_pwd:$TEMP_NSS_DB_PWD \ + myreq_type:pkcs10 \ + algo:rsa \ + key_size:2048 \ + subject_cn:\"$pki_user_fullName\" \ + subject_uid:$pki_user \ + subject_email:$pki_user@example.org \ + subject_ou: \ + subject_o: \ + subject_c: \ + archive:false \ + req_profile:$profile \ + target_host:$tmp_ca_host \ + protocol: \ + port:$tmp_ca_port \ + cert_db_dir:$CERTDB_DIR \ + cert_db_pwd:$CERTDB_DIR_PASSWORD \ + certdb_nick:$valid_agent_cert \ + cert_info:$cert_info" + local cert_serialNumber=$(cat $cert_info| grep cert_serialNumber | cut -d- -f2) + local cert_subject=$(cat $cert_info | grep cert_subject | cut -d- -f2) + local NotAfterDate="$(date +"%a %b %d %I:%M:%S" --date "1 day")" + rlRun "pki -h $tmp_ca_host -p $tmp_ca_port cert-show $cert_serialNumber > $cert_out" + rlAssertGrep "Serial Number: $cert_serialNumber" "$cert_out" + rlAssertGrep "Issuer: CN=PKI $SUBCA_INST Signing Cert,O=redhat" "$cert_out" + rlAssertGrep "Subject: $cert_subject" "$cert_out" + rlAssertGrep "Status: VALID" "$cert_out" + rlRun "pki -h $tmp_ca_host -p $tmp_ca_port cert-show $cert_serialNumber --encoded --output $TEMP_NSS_DB/$pki_user-out.pem 1> $TEMP_NSS_DB/pki-cert-show.out" + rlAssertGrep "Certificate \"$cert_serialNumber\"" "$TEMP_NSS_DB/pki-cert-show.out" + rlRun "pki -h $tmp_ca_host -p $tmp_ca_port cert-show 0x1 --encoded --output $TEMP_NSS_DB/ca_cert.pem 1> $TEMP_NSS_DB/ca-cert-show.out" + rlAssertGrep "Certificate \"0x1\"" "$TEMP_NSS_DB/ca-cert-show.out" + rlLog "Add the $cn cert to $TEMP_NSS_DB NSS DB" + rlRun "pki -d $TEMP_NSS_DB \ + -h $tmp_ca_host \ + -p $tmp_ca_port \ + -c $TEMP_NSS_DB_PWD \ + -n \"$pki_user\" client-cert-import \ + --cert $TEMP_NSS_DB/$pki_user-out.pem 1> $TEMP_NSS_DB/pki-client-cert.out" + rlAssertGrep "Imported certificate \"$pki_user\"" "$TEMP_NSS_DB/pki-client-cert.out" + rlLog "Get CA cert imported to $TEMP_NSS_DB NSS DB" + rlRun "pki -d $TEMP_NSS_DB \ + -h $tmp_ca_host \ + -p $tmp_ca_port \ + -c $TEMP_NSS_DB_PWD \ + -n \"casigningcert\" client-cert-import \ + --ca-cert $TEMP_NSS_DB/ca_cert.pem 1> $TEMP_NSS_DB/pki-ca-cert.out" + rlAssertGrep "Imported certificate \"casigningcert\"" "$TEMP_NSS_DB/pki-ca-cert.out" + local cur_date=$(date) + local end_date=$(certutil -L -d $TEMP_NSS_DB -n $pki_user | grep "Not After" | awk -F ": " '{print $2}') + rlLog "Current Date/Time: $(date)" + rlLog "Current Date/Time: before modifying using chrony $(date)" + rlRun "chronyc -a 'manual on' 1> $TmpDir/chrony.out" 0 "Set chrony to manual mode" + rlAssertGrep "200 OK" "$TmpDir/chrony.out" + rlLog "Move system to $end_date + 1 day ahead" + rlRun "chronyc -a -m 'offline' 'settime $end_date + 1 day' 'makestep' 'manual reset' 1> $TmpDir/chrony.out" + rlRun "date" + rlAssertGrep "200 OK" "$TmpDir/chrony.out" + rlLog "Date after modifying using chrony: $(date)" + rlLog "Restart $tomcat_name service to update cert status" + rlRun "rhcs_stop_instance $tomcat_name" + rlRun "rhcs_start_instance $tomcat_name" + rlRun "sleep 30" + rlRun "pki -h $tmp_ca_host -p $tmp_ca_port cert-show $cert_serialNumber --encoded > $cert_out" + rlAssertGrep "Serial Number: $cert_serialNumber" "$cert_out" + rlAssertGrep "Issuer: CN=PKI $SUBCA_INST Signing Cert,O=redhat" "$cert_out" + rlAssertGrep "Subject: $cert_subject" "$cert_out" + rlAssertGrep "Status: EXPIRED" "$cert_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ag-requests-0014: Search certs with status EXPIRED" + local maxCount=10 + local test_out=srcCerts.txt + local op=srchCerts + local serialNumberRangeInUse='' + local serialFrom='' + local serialTo='' + local queryCertFilter="(&(certStatus=EXPIRED))" + local statusInUse='on' + local cert_status='EXPIRED' + local subjectInUse='' + local eMail='' + local commonName='' + local userID='' + local orgUnit='' + local org='' + local locality='' + local state='' + local country='' + local match='partial' + local revokedBy='' + local revokedByInUse='' + local revokedOnInUse='' + local revokedOnFrom='' + local revokedOnTo='' + local revocationReasonInUse='' + local revocationReason='' + local profileInUse='' + local profile='' + local issuedByInUse='' + local issuedBy='' + local issuedOnInUse='' + local issuedOnFrom='' + local issuedOnTo='' + local basicConstraintsInUse='' + local validNotBeforeInUse='' + local validNotBeforeFrom='' + local validNotBeforeTo='' + local validNotAfterInUse='' + local validNotAfterFrom='' + local validNotAfterTo='' + local validityLengthInUse='' + local validityOp='' + local count='' + local unit="2592000000" + local certTypeInUse='' + local SubordinateEmailCA='' + local SubordinateSSLCA='' + local SecureEmail='' + local SSLClient='' + local SSLServer='' + local maxResults='1000' + local timeLimit='5' + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&statusInUse=$statusInUse&status=$cert_status&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedByInUse=$revokedByInUse&revokedOnInUse=$revokedOnInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&profileInUse=$profileInUse&profile=$profile&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&basicConstraintsInUse=$basicConstraintsInUse&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/agent/ca/srchCerts > $TmpDir/$test_out" 0 "Search Certs with serialNumber range starting from $serialFrom to $serialTo with maxCount of $maxResults" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&statusInUse=$statusInUse&status=$cert_status&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedByInUse=$revokedByInUse&revokedOnInUse=$revokedOnInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&profileInUse=$profileInUse&profile=$profile&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&basicConstraintsInUse=$basicConstraintsInUse&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/agent/ca/srchCerts > $TmpDir/$test_out" 0 "Search Certs with serialNumber range starting from $serialFrom to $serialTo with maxCount of $maxResults" + local no_of_records=$(cat $TmpDir/$test_out | grep "record.subject=" | wc -l) + for i in $(cat $TmpDir/$test_out | grep record.validNotBefore | cut -d"=" -f2 | tr -d "\"" | tr -d ";"); do if [ $i -ge $(date +%s) ]; then result="fail"; fi; done + if [ $result == "fail" ]; then + rlFail "Records contain entries with valid certs" + else + rlPass "Records Contain entries with expired certs" + fi + rlAssertGrep "record.subject=\"$cert_subject\"" "$TmpDir/$test_out" + rlLog "Set the date back to it's original date & time" + rlRun "chronyc -a -m 'settime $cur_date + 10 seconds' 'makestep' 'manual reset' 'online' 1> $TmpDir/chrony.out" + rlAssertGrep "200 OK" "$TmpDir/chrony.out" + rlLog "Current Date/Time after setting system date back using chrony $(date)" + rlRun "date" + rlAssertGrep "200 OK" "$TmpDir/chrony.out" + rlPhaseEnd + + + rlPhaseStartTest "pki_subca_ag-requests-0015: Search certs with subject Name" + local maxCount=1 + local test_out=srcCerts.txt + local op=srchCerts + local serialNumberRangeInUse='' + local serialFrom='' + local serialTo='' + local queryCertFilter="(&(&(|(x509Cert.subject=*CN=$pki_user_fullName,*)(x509Cert.subject=*CN=$pki_user_fullName))))" + local statusInUse='' + local cert_status='VALID' + local subjectInUse='on' + local eMail='' + local commonName='$pki_user_fullName' + local userID='' + local orgUnit='' + local org='' + local locality='' + local state='' + local country='' + local match='partial' + local revokedBy='' + local revokedByInUse='' + local revokedOnInUse='' + local revokedOnFrom='' + local revokedOnTo='' + local revocationReasonInUse='' + local revocationReason='' + local profileInUse='' + local profile='' + local issuedByInUse='' + local issuedBy='' + local issuedOnInUse='' + local issuedOnFrom='' + local issuedOnTo='' + local basicConstraintsInUse='' + local validNotBeforeInUse='' + local validNotBeforeFrom='' + local validNotBeforeTo='' + local validNotAfterInUse='' + local validNotAfterFrom='' + local validNotAfterTo='' + local validityLengthInUse='' + local validityOp='' + local count='' + local unit="2592000000" + local certTypeInUse='' + local SubordinateEmailCA='' + local SubordinateSSLCA='' + local SecureEmail='' + local SSLClient='' + local SSLServer='' + local maxResults='1000' + local timeLimit='5' + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&statusInUse=$statusInUse&status=$cert_status&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedByInUse=$revokedByInUse&revokedOnInUse=$revokedOnInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&profileInUse=$profileInUse&profile=$profile&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&basicConstraintsInUse=$basicConstraintsInUse&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/agent/ca/srchCerts > $TmpDir/$test_out" 0 "Search Certs with serialNumber range starting from $serialFrom to $serialTo with maxCount of $maxResults" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&statusInUse=$statusInUse&status=$cert_status&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedByInUse=$revokedByInUse&revokedOnInUse=$revokedOnInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&profileInUse=$profileInUse&profile=$profile&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&basicConstraintsInUse=$basicConstraintsInUse&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/agent/ca/srchCerts > $TmpDir/$test_out" 0 "Search Certs with serialNumber range starting from $serialFrom to $serialTo with maxCount of $maxResults" + local no_of_records=$(cat $TmpDir/$test_out | grep "record.subject=" | wc -l) + rlAssertEquals "Verify No of records displayed is more than $maxCount" $maxCount $no_of_records + rlAssertGrep "record.subject=\"$cert_subject\"" "$TmpDir/$test_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ag-requests-0016: Search certs with status REVOKED by Agent" + local maxCount=10 + local test_out=srcCerts.txt + local op=srchCerts + local serialNumberRangeInUse='' + local serialFrom='' + local serialTo='' + local queryCertFilter="(&(certRevokedBy=$valid_agent_cert))" + local statusInUse='' + local cert_status='' + local subjectInUse='' + local eMail='' + local commonName='' + local userID='' + local orgUnit='' + local org='' + local locality='' + local state='' + local country='' + local match='partial' + local revokedBy="$valid_agent_cert" + local revokedByInUse='on' + local revokedOnInUse='' + local revokedOnFrom='' + local revokedOnTo='' + local revocationReasonInUse='' + local revocationReason='' + local profileInUse='' + local profile='' + local issuedByInUse='' + local issuedBy='' + local issuedOnInUse='' + local issuedOnFrom='' + local issuedOnTo='' + local basicConstraintsInUse='' + local validNotBeforeInUse='' + local validNotBeforeFrom='' + local validNotBeforeTo='' + local validNotAfterInUse='' + local validNotAfterFrom='' + local validNotAfterTo='' + local validityLengthInUse='' + local validityOp='' + local count='' + local unit="2592000000" + local certTypeInUse='' + local SubordinateEmailCA='' + local SubordinateSSLCA='' + local SecureEmail='' + local SSLClient='' + local SSLServer='' + local maxResults='1000' + local timeLimit='5' + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&statusInUse=$statusInUse&status=$cert_status&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedByInUse=$revokedByInUse&revokedOnInUse=$revokedOnInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&profileInUse=$profileInUse&profile=$profile&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&basicConstraintsInUse=$basicConstraintsInUse&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/agent/ca/srchCerts > $TmpDir/$test_out" 0 "Search Certs with serialNumber range starting from $serialFrom to $serialTo with maxCount of $maxResults" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&statusInUse=$statusInUse&status=$cert_status&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedByInUse=$revokedByInUse&revokedOnInUse=$revokedOnInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&profileInUse=$profileInUse&profile=$profile&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&basicConstraintsInUse=$basicConstraintsInUse&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/agent/ca/srchCerts > $TmpDir/$test_out" 0 "Search Certs with serialNumber range starting from $serialFrom to $serialTo with maxCount of $maxResults" + local no_of_records=$(cat $TmpDir/$test_out | grep "record.subject=" | wc -l) + rlAssertGreater "Verify No of records displayed is more than $maxCount" $no_of_records $maxCount + rlAssertNotGrep "record.revokedOn=null" "$TmpDir/$test_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ag-requests-0017: Search certs with status REVOKED with reason unspecified" + local maxCount=10 + local test_out=srcCerts.txt + local op=srchCerts + local serialNumberRangeInUse='' + local serialFrom='' + local serialTo='' + local queryCertFilter="(&(x509cert.certRevoInfo=0))" + local statusInUse='' + local cert_status='' + local subjectInUse='' + local eMail='' + local commonName='' + local userID='' + local orgUnit='' + local org='' + local locality='' + local state='' + local country='' + local match='partial' + local revokedBy="" + local revokedByInUse='' + local revokedOnInUse='' + local revokedOnFrom='' + local revokedOnTo='' + local revocationReasonInUse='on' + local revocationReason='0' + local profileInUse='' + local profile='' + local issuedByInUse='' + local issuedBy='' + local issuedOnInUse='' + local issuedOnFrom='' + local issuedOnTo='' + local basicConstraintsInUse='' + local validNotBeforeInUse='' + local validNotBeforeFrom='' + local validNotBeforeTo='' + local validNotAfterInUse='' + local validNotAfterFrom='' + local validNotAfterTo='' + local validityLengthInUse='' + local validityOp='' + local count='' + local unit="2592000000" + local certTypeInUse='' + local SubordinateEmailCA='' + local SubordinateSSLCA='' + local SecureEmail='' + local SSLClient='' + local SSLServer='' + local maxResults='1000' + local timeLimit='5' + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&statusInUse=$statusInUse&status=$cert_status&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedByInUse=$revokedByInUse&revokedOnInUse=$revokedOnInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&profileInUse=$profileInUse&profile=$profile&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&basicConstraintsInUse=$basicConstraintsInUse&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/agent/ca/srchCerts > $TmpDir/$test_out" 0 "Search Certs with serialNumber range starting from $serialFrom to $serialTo with maxCount of $maxResults" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&statusInUse=$statusInUse&status=$cert_status&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedByInUse=$revokedByInUse&revokedOnInUse=$revokedOnInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&profileInUse=$profileInUse&profile=$profile&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&basicConstraintsInUse=$basicConstraintsInUse&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/agent/ca/srchCerts > $TmpDir/$test_out" 0 "Search Certs with serialNumber range starting from $serialFrom to $serialTo with maxCount of $maxResults" + local no_of_records=$(cat $TmpDir/$test_out | grep "record.subject=" | wc -l) + rlAssertGreater "Verify No of records displayed is more than $maxCount" $no_of_records $maxCount + rlAssertNotGrep "record.revokedOn=null" "$TmpDir/$test_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ag-requests-0018: Search certs issued by valid agent" + local maxCount=10 + local test_out=srcCerts.txt + local op=srchCerts + local serialNumberRangeInUse='' + local serialFrom='' + local serialTo='' + local queryCertFilter="(&(certIssuedBy=$valid_agent_cert))" + local statusInUse='' + local cert_status='' + local subjectInUse='' + local eMail='' + local commonName='' + local userID='' + local orgUnit='' + local org='' + local locality='' + local state='' + local country='' + local match='partial' + local revokedBy="" + local revokedByInUse='' + local revokedOnInUse='' + local revokedOnFrom='' + local revokedOnTo='' + local revocationReasonInUse='' + local revocationReason='' + local profileInUse='' + local profile='' + local issuedByInUse='on' + local issuedBy="$valid_agent_cert" + local issuedOnInUse='' + local issuedOnFrom='' + local issuedOnTo='' + local basicConstraintsInUse='' + local validNotBeforeInUse='' + local validNotBeforeFrom='' + local validNotBeforeTo='' + local validNotAfterInUse='' + local validNotAfterFrom='' + local validNotAfterTo='' + local validityLengthInUse='' + local validityOp='' + local count='' + local unit="2592000000" + local certTypeInUse='' + local SubordinateEmailCA='' + local SubordinateSSLCA='' + local SecureEmail='' + local SSLClient='' + local SSLServer='' + local maxResults='1000' + local timeLimit='5' + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&statusInUse=$statusInUse&status=$cert_status&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedByInUse=$revokedByInUse&revokedOnInUse=$revokedOnInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&profileInUse=$profileInUse&profile=$profile&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&basicConstraintsInUse=$basicConstraintsInUse&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/agent/ca/srchCerts > $TmpDir/$test_out" 0 "Search Certs with serialNumber range starting from $serialFrom to $serialTo with maxCount of $maxResults" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&statusInUse=$statusInUse&status=$cert_status&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedByInUse=$revokedByInUse&revokedOnInUse=$revokedOnInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&profileInUse=$profileInUse&profile=$profile&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&basicConstraintsInUse=$basicConstraintsInUse&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/agent/ca/srchCerts > $TmpDir/$test_out" 0 "Search Certs with serialNumber range starting from $serialFrom to $serialTo with maxCount of $maxResults" + local no_of_records=$(cat $TmpDir/$test_out | grep "record.subject=" | wc -l) + rlAssertGreater "Verify No of records displayed is more than $maxCount" $no_of_records $maxCount + rlAssertGrep "record.revokedOn=null" "$TmpDir/$test_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ag-requests-0019: Search certs with validity period of 1 day" + local maxCount=1 + local test_out=srcCerts.txt + local op=srchCerts + local serialNumberRangeInUse='' + local serialFrom='' + local serialTo='' + local queryCertFilter="(&(x509cert.duration<=86400000))" + local statusInUse='' + local cert_status='' + local subjectInUse='' + local eMail='' + local commonName='' + local userID='' + local orgUnit='' + local org='' + local locality='' + local state='' + local country='' + local match='partial' + local revokedBy="" + local revokedByInUse='' + local revokedOnInUse='' + local revokedOnFrom='' + local revokedOnTo='' + local revocationReasonInUse='' + local revocationReason='' + local profileInUse='' + local profile='' + local issuedByInUse='' + local issuedBy='' + local issuedOnInUse='' + local issuedOnFrom='' + local issuedOnTo='' + local basicConstraintsInUse='' + local validNotBeforeInUse='' + local validNotBeforeFrom='' + local validNotBeforeTo='' + local validNotAfterInUse='' + local validNotAfterFrom='' + local validNotAfterTo='' + local validityLengthInUse='on' + local validityOp='<=' + local count='1' + local unit="86400000" + local certTypeInUse='' + local SubordinateEmailCA='' + local SubordinateSSLCA='' + local SecureEmail='' + local SSLClient='' + local SSLServer='' + local maxResults='1000' + local timeLimit='5' + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&statusInUse=$statusInUse&status=$cert_status&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedByInUse=$revokedByInUse&revokedOnInUse=$revokedOnInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&profileInUse=$profileInUse&profile=$profile&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&basicConstraintsInUse=$basicConstraintsInUse&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/agent/ca/srchCerts > $TmpDir/$test_out" 0 "Search Certs with serialNumber range starting from $serialFrom to $serialTo with maxCount of $maxCount" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&statusInUse=$statusInUse&status=$cert_status&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedByInUse=$revokedByInUse&revokedOnInUse=$revokedOnInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&profileInUse=$profileInUse&profile=$profile&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&basicConstraintsInUse=$basicConstraintsInUse&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/agent/ca/srchCerts > $TmpDir/$test_out" 0 "Search Certs with serialNumber range starting from $serialFrom to $serialTo with maxCount of $maxCount" + local no_of_records=$(cat $TmpDir/$test_out | grep "record.subject=" | wc -l) + rlAssertGreater "Verify No of records displayed is more than $maxCount" $no_of_records $maxCount + rlAssertGrep "record.revokedOn=null" "$TmpDir/$test_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ag-requests-0020: Search certs with Basic Contraints" + local maxCount=1 + local test_out=srcCerts.txt + local op=srchCerts + local serialNumberRangeInUse='' + local serialFrom='' + local serialTo='' + local queryCertFilter="(&(x509cert.BasicConstraints.isCA=on))" + local statusInUse='' + local cert_status='' + local subjectInUse='' + local eMail='' + local commonName='' + local userID='' + local orgUnit='' + local org='' + local locality='' + local state='' + local country='' + local match='partial' + local revokedBy="" + local revokedByInUse='' + local revokedOnInUse='' + local revokedOnFrom='' + local revokedOnTo='' + local revocationReasonInUse='' + local revocationReason='' + local profileInUse='' + local profile='' + local issuedByInUse='' + local issuedBy='' + local issuedOnInUse='' + local issuedOnFrom='' + local issuedOnTo='' + local basicConstraintsInUse='on' + local validNotBeforeInUse='' + local validNotBeforeFrom='' + local validNotBeforeTo='' + local validNotAfterInUse='' + local validNotAfterFrom='' + local validNotAfterTo='' + local validityLengthInUse='' + local validityOp='' + local count='' + local unit="2592000000" + local certTypeInUse='' + local SubordinateEmailCA='' + local SubordinateSSLCA='' + local SecureEmail='' + local SSLClient='' + local SSLServer='' + local maxResults='1000' + local timeLimit='5' + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&statusInUse=$statusInUse&status=$cert_status&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedByInUse=$revokedByInUse&revokedOnInUse=$revokedOnInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&profileInUse=$profileInUse&profile=$profile&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&basicConstraintsInUse=$basicConstraintsInUse&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/agent/ca/srchCerts > $TmpDir/$test_out" 0 "Search Certs with serialNumber range starting from $serialFrom to $serialTo with maxCount of $maxResults" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&statusInUse=$statusInUse&status=$cert_status&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedByInUse=$revokedByInUse&revokedOnInUse=$revokedOnInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&profileInUse=$profileInUse&profile=$profile&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&basicConstraintsInUse=$basicConstraintsInUse&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/agent/ca/srchCerts > $TmpDir/$test_out" 0 "Search Certs with serialNumber range starting from $serialFrom to $serialTo with maxCount of $maxResults" + local no_of_records=$(cat $TmpDir/$test_out | grep "record.subject=" | wc -l) + rlAssertEquals "Verify No of records displayed is more than $maxCount" $maxCount $no_of_records + rlAssertGrep "record.revokedOn=null" "$TmpDir/$test_out" + rlPhaseEnd + + rlPhaseStartSetup "Generate a profile with Netscape Extensions" + local profile="caUserCert$RANDOM" + local pki_user="pki_foo_bar$RANDOM" + local pki_user_fullName="$pki_user User" + local profilename="$profile Enrollment Profile" + rlLog "Create Profile $profile" + rlRun "python -m PkiLib.pkiprofilecli \ + --new user \ + --profileId $profile \ + --profilename \"$profilename\" \ + --netscapeextensions \"nsCertCritical,nsCertSSLClient,nsCertEmail\" \ + --outputfile $TmpDir/$profile\.xml" + rlLog "Add Profile $profile" + rlRun "pki -h $tmp_ca_host \ + -p $tmp_ca_port \ + -d $CERTDB_DIR \ + -c $CERTDB_DIR_PASSWORD \ + -n $valid_admin_cert \ + ca-profile-add $TmpDir/$profile\.xml > $ca_profile_out" + rlAssertGrep "Added profile $profile" "$ca_profile_out" + rlLog "Enable $profile" + rlRun "pki -h $tmp_ca_host \ + -p $tmp_ca_port \ + -d $CERTDB_DIR \ + -c $CERTDB_DIR_PASSWORD \ + -n $valid_agent_cert \ + ca-profile-enable $profile > $ca_profile_out" + rlLog "Verify by creating a user cert using the profile" + rlRun "generate_new_cert tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_pwd:$TEMP_NSS_DB_PWD \ + myreq_type:pkcs10 \ + algo:rsa \ + key_size:2048 \ + subject_cn:\"$pki_user_fullName\" \ + subject_uid:$pki_user \ + subject_email:$pki_user@example.org \ + subject_ou: \ + subject_o: \ + subject_c: \ + archive:false \ + req_profile:$profile \ + target_host:$tmp_ca_host \ + protocol: \ + port:$tmp_ca_port \ + cert_db_dir:$CERTDB_DIR \ + cert_db_pwd:$CERTDB_DIR_PASSWORD \ + certdb_nick:$valid_agent_cert \ + cert_info:$cert_info" + local cert_serialNumber=$(cat $cert_info| grep cert_serialNumber | cut -d- -f2) + local cert_subject=$(cat $cert_info | grep cert_subject | cut -d- -f2) + rlRun "pki -h $tmp_ca_host -p $tmp_ca_port cert-show $cert_serialNumber --pretty > $cert_out" + rlAssertGrep "Serial Number: $cert_serialNumber" "$cert_out" + rlAssertGrep "Issuer: CN=PKI $SUBCA_INST Signing Cert,O=redhat" "$cert_out" + rlAssertGrep "Subject: $cert_subject" "$cert_out" + rlAssertGrep "Status: VALID" "$cert_out" + rlAssertGrep "Identifier: Netscape Certificate Type - 2.16.840.1.113730.1.1" "$cert_out" + rlAssertGrep "SSL Client" "$cert_out" + rlAssertGrep "Secure Email" "$cert_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ag-requests-0021: Search certs of type SSLCLient" + local maxCount=0 + local test_out=srcCerts.txt + local op=srchCerts + local serialNumberRangeInUse='' + local serialFrom='' + local serialTo='' + local queryCertFilter="(&(x509cert.nsExtension.SSLClient=on))" + local statusInUse='' + local cert_status='' + local subjectInUse='' + local eMail='' + local commonName='' + local userID='' + local orgUnit='' + local org='' + local locality='' + local state='' + local country='' + local match='partial' + local revokedBy="" + local revokedByInUse='' + local revokedOnInUse='' + local revokedOnFrom='' + local revokedOnTo='' + local revocationReasonInUse='' + local revocationReason='' + local profileInUse='' + local profile='' + local issuedByInUse='' + local issuedBy='' + local issuedOnInUse='' + local issuedOnFrom='' + local issuedOnTo='' + local basicConstraintsInUse='' + local validNotBeforeInUse='' + local validNotBeforeFrom='' + local validNotBeforeTo='' + local validNotAfterInUse='' + local validNotAfterFrom='' + local validNotAfterTo='' + local validityLengthInUse='' + local validityOp='' + local count='' + local unit="2592000000" + local certTypeInUse='on' + local SubordinateEmailCA='' + local SubordinateSSLCA='' + local SecureEmail='' + local SSLClient='on' + local SSLServer='' + local maxResults='10' + local timeLimit='5' + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&statusInUse=$statusInUse&status=$cert_status&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedByInUse=$revokedByInUse&revokedOnInUse=$revokedOnInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&profileInUse=$profileInUse&profile=$profile&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&basicConstraintsInUse=$basicConstraintsInUse&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/agent/ca/srchCerts > $TmpDir/$test_out" 0 "Search Certs with serialNumber range starting from $serialFrom to $serialTo with maxCount of $maxResults" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&statusInUse=$statusInUse&status=$cert_status&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedByInUse=$revokedByInUse&revokedOnInUse=$revokedOnInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&profileInUse=$profileInUse&profile=$profile&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&basicConstraintsInUse=$basicConstraintsInUse&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/agent/ca/srchCerts > $TmpDir/$test_out" 0 "Search Certs with serialNumber range starting from $serialFrom to $serialTo with maxCount of $maxResults" + local no_of_records=$(cat $TmpDir/$test_out | grep "record.subject=" | wc -l) + rlAssertGreater "Verify No of records displayed is more than $maxCount" $no_of_records $maxCount + rlAssertGrep "record.revokedOn=null" "$TmpDir/$test_out" + rlAssertGrep "record.subject=\"$cert_subject\"" "$TmpDir/$test_out" + rlPhaseEnd + + rlPhaseStartCleanup "Delete temporary dir and enable nonce" + rlRun "popd" + rlRun "rm -r $TmpDir" 0 "Removing tmp directory" + enable_ca_nonce $tomcat_name + rlPhaseEnd +} +verify_cert() +{ + local serial_number=$1 + local request_dn=$2 + STRIP_HEX=$(echo $serial_number | cut -dx -f2) + CONV_LOW_VAL=${STRIP_HEX,,} + rlRun "pki -h $tmp_ca_host -p $target_unsecure_port cert-show $serial_number > $cert_show_out" 0 "Executing pki cert-show $serial_number" + rlAssertGrep "Serial Number: 0x$CONV_LOW_VAL" "$cert_show_out" + rlAssertGrep "Issuer: CN=PKI $SUBCA_INST Signing Certificate,O=redhat" "$cert_show_out" + rlAssertGrep "Subject: $request_dn" "$cert_show_out" + rlAssertGrep "Status: VALID" "$cert_show_out" +} + diff --git a/tests/dogtag/acceptance/legacy/subca-tests/cert-enrollment/subca-ee-enrollments.sh b/tests/dogtag/acceptance/legacy/subca-tests/cert-enrollment/subca-ee-enrollments.sh new file mode 100755 index 000000000..5b082011f --- /dev/null +++ b/tests/dogtag/acceptance/legacy/subca-tests/cert-enrollment/subca-ee-enrollments.sh @@ -0,0 +1,4819 @@ +#!/bin/bash +# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/rhcs/acceptance/legacy/ca-tests/cert-enrollment/subca-ee-enrollments +# Description: Legacy cert end-entity enrollment tests +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# The following Legacy tests needs to be tested: +# Subordiate CA End Entity Enrollment Tests +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Author: Niranjan Mallapadi +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2013 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include rhts environment +. /usr/bin/rhts-environment.sh +. /usr/share/beakerlib/beakerlib.sh +. /opt/rhqa_pki/rhcs-shared.sh +. /opt/rhqa_pki/pki-cert-cli-lib.sh +. /opt/rhqa_pki/pki-auth-plugin-lib.sh +. /opt/rhqa_pki/env.sh + +run_ee-subca-enrollment_tests() +{ + # Creating Temporary Directory + rlPhaseStartSetup "Create Temporary Directory" + rlRun "TmpDir=\`mktemp -d\`" 0 "Creating tmp directory" + rlRun "pushd $TmpDir" + rlRun "export PYTHONPATH=$PYTHONPATH:/opt/rhqa_pki/" + rlPhaseEnd + + # Disable Nonce + rlPhaseStartSetup "Disable Nonce" + local cs_Type=$1 + local cs_Role=$2 + get_topo_stack $cs_Role $TmpDir/topo_file + if [ $cs_Role="MASTER" ]; then + SUBCA_INST=$(cat $TmpDir/topo_file | grep MY_SUBCA | cut -d= -f2) + elif [ $cs_Role="SUBCA2" || $cs_Role="SUBCA1" ]; then + SUBCA_INST=$(cat $TmpDir/topo_file | grep MY_CA | cut -d= -f2) + fi + local tomcat_name=$(eval echo \$${SUBCA_INST}_TOMCAT_INSTANCE_NAME) + disable_ca_nonce $tomcat_name + rlPhaseEnd + + # Local Variables + local target_unsecure_port=$(eval echo \$${SUBCA_INST}_UNSECURE_PORT) + local target_secure_port=$(eval echo \$${SUBCA_INST}_SECURE_PORT) + local tmp_ca_agent=$SUBCA_INST\_agentV + local tmp_ca_admin=$SUBCA_INST\_adminV + local tmp_ca_port=$(eval echo \$${SUBCA_INST}_UNSECURE_PORT) + local tmp_ca_host=$(eval echo \$${cs_Role}) + local valid_agent_cert=$SUBCA_INST\_agentV + local valid_audit_cert=$SUBCA_INST\_auditV + local valid_operator_cert=$SUBCA_INST\_operatorV + local valid_admin_cert=$SUBCA_INST\_adminV + local cert_find_info="$TmpDir/cert_find_info" + local revoked_agent_cert=$SUBCA_INST\_agentR + local revoked_admin_cert=$SUBCA_INST\_adminR + local expired_admin_cert=$SUBCA_INST\_adminE + local expired_agent_cert=$SUBCA_INST\_agentE + local admin_out="$TmpDir/admin_out" + local TEMP_NSS_DB="$TmpDir/nssdb" + local TEMP_NSS_DB_PWD="redhat" + local cert_info="$TmpDir/cert_info" + local ca_profile_out="$TmpDir/ca-profile-out" + local cert_out="$TmpDir/cert-show.out" + local cert_show_out="$TmpDir/cert_show.out" + local rand=$RANDOM + local tmp_junk_data=$(openssl rand -base64 50 | perl -p -e 's/\n//') + local SSL_DIR=$CERTDB_DIR + + + + rlPhaseStartTest "pki_subca_ee-001: SUBCA Profile Enrollment - AgentFileSigning using CRMF Request of key size 4096" + rlLog "Create a new certificate request of type" + local request_type=crmf + local request_key_type=rsa + local request_key_size=4096 + local filename=SecureFile-$RANDOM + local filelocation=$TmpDir/$filename + local profile="caAgentFileSigning" + local test_out=ca-$profile-1.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Write some random text in $filename" + rlRun "echo "Secret123" > $filelocation" 0 "Create a file with text Secret123" + rlRun "chmod 777 $TmpDir" 0 "Set Directory permissions to 777" + rlRun "chmod 777 $TmpDir/$filename" 0 "Set file permsions to 777" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$filename \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create CRMF request for file signing" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E \"$valid_agent_cert:$CERTDB_DIR_PASSWORD\" \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&file_signing_url=file://$filelocation&file_signing_text=&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + rlAssertNotGrep "Request Rejected" "$TmpDir/$test_out" + rlLog "BUGZILLA: https://bugzilla.redhat.com/show_bug.cgi?id=1175269" + rlPhaseEnd + + + rlPhaseStartTest "pki_subca_ee-002: SUBCA Profile Enrollment - AgentFileSigning using CRMF Request of key size 3072" + rlLog "Create a new certificate request of type" + local request_type=crmf + local request_key_type=rsa + local request_key_size=3072 + local filename=SecureFile-$RANDOM + local filelocation=$TmpDir/$filename + local profile="caAgentFileSigning" + local test_out=ca-$profile-2.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Write some random text in $filename" + rlRun "echo "Secret123" > $filelocation" 0 "Create a file with text Secret123" + rlRun "chmod 777 $TmpDir" 0 "Set Directory permissions to 777" + rlRun "chmod 777 $TmpDir/$filename" 0 "Set file permsions to 777" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$filename \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create CRMF request for file signing" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E \"$valid_agent_cert:$CERTDB_DIR_PASSWORD\" \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&file_signing_url=file://$filelocation&file_signing_text=&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "Serial Number: $serial_number" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + rlAssertNotGrep "Request Rejected" "$TmpDir/$test_out" + rlLog "BUGZILLA: https://bugzilla.redhat.com/show_bug.cgi?id=1175269" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-003: SUBCA Profile Enrollment - AgentFileSigning using CRMF Request of key size 2048" + local request_type=crmf + local request_key_type=rsa + local request_key_size=2048 + local filename=SecureFile-$RANDOM + local filelocation=$TmpDir/$filename + local profile="caAgentFileSigning" + local test_out=ca-$profile-3.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Write some random text in $filename" + rlRun "echo "Secret123" > $filelocation" 0 "Create a file with text Secret123" + rlRun "chmod 777 $TmpDir" 0 "Set Directory permissions to 777" + rlRun "chmod 777 $TmpDir/$filename" 0 "Set file permsions to 777" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$filename \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create CRMF request for file signing" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E \"$valid_agent_cert:$CERTDB_DIR_PASSWORD\" \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&file_signing_url=file://$filelocation&file_signing_text=&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "Serial Number=$serial_number" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + rlAssertNotGrep "Request Rejected" "$TmpDir/$test_out" + rlLog "BUGZILLA: https://bugzilla.redhat.com/show_bug.cgi?id=1175269" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-004: SUBCA Profile Enrollment - AgentFileSigning using CRMF Request of key size 1024" + rlLog "Create a new certificate request of type" + local request_type=crmf + local request_key_type=rsa + local request_key_size=1024 + local filename=SecureFile-$RANDOM + local filelocation=$TmpDir/$filename + local profile="caAgentFileSigning" + local test_out=ca-$profile-4.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Write some random text in $filename" + rlRun "echo "Secret123" > $filelocation" 0 "Create a file with text Secret123" + rlRun "chmod 777 $TmpDir" 0 "Set Directory permissions to 777" + rlRun "chmod 777 $TmpDir/$filename" 0 "Set file permsions to 777" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$filename \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create CRMF request for file signing" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E \"$valid_agent_cert:$CERTDB_DIR_PASSWORD\" \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&file_signing_url=file://$filelocation&file_signing_text=&requestor_name=&requestor_email=&requestor_phone=&profileId=caAgentFileSigning&renewal=false&xmlOutput\" \ + https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "Serial Number=$serial_number" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + rlAssertNotGrep "Request Rejected" "$TmpDir/$test_out" + rlLog "BUGZILLA: https://bugzilla.redhat.com/show_bug.cgi?id=1175269" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-005: SUBCA Profile Enrollment - caSignedLogCert using CRMF Request of key size 4096" + local request_type=crmf + local request_key_type=rsa + local request_key_size=4096 + local profile=caSignedLogCert + local subject="PKI-$RANDOM Audit Signing Certificate" + local test_out=ca-$profile-test1-out.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=false&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlAssertNotGrep "Request Rejected" "$TmpDir/$test_out" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-006: SUBCA Profile Enrollment - caSignedLogCert using CRMF Request of key size 3072" + local request_type=crmf + local request_key_type=rsa + local request_key_size=3072 + local profile=caSignedLogCert + local subject="PKI-$RANDOM Audit Signing Certificate" + local test_out=ca-$profile-test1-out.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=false&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlAssertNotGrep "Request Rejected" "$TmpDir/$test_out" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-007: SUBCA Profile Enrollment - caSignedLogCert using CRMF Request of key size 2048" + local request_type=crmf + local request_key_type=rsa + local request_key_size=2048 + local profile=caSignedLogCert + local subject="PKI-$RANDOM Audit Signing Certificate" + local test_out=ca-$profile-test2-out.txt + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=false&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-008: SUBCA Profile Enrollment - caSignedLogCert using CRMF Request of key size 1024" + local request_type=crmf + local request_key_type=rsa + local request_key_size=1024 + local profile=caSignedLogCert + local subject="PKI-$RANDOM Audit Signing Certificate" + local test_out=ca-$profile-test3-out.txt + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=false&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-009: SUBCA Profile Enrollment - caSignedLogCert using PKCS10 Request of key size 4096" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=4096 + local profile=caSignedLogCert + local subject="PKI-$RANDOM Audit Signing Certificate" + local test_out=ca-$profile-test4-out.txt + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=false&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0010: SUBCA Profile Enrollment - caSignedLogCert using PKCS10 Request of key size 3072" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=3072 + local profile=caSignedLogCert + local subject="PKI-$RANDOM Audit Signing Certificate" + local test_out=ca-$profile-test5-out.txt + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=false&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0011: SUBCA Profile Enrollment - caSignedLogCert using PKCS10 Request of key size 2048" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=2048 + local profile=caSignedLogCert + local subject="PKI-$RANDOM Audit Signing Certificate" + local test_out=ca-$profile-test6-out.txt + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=false&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0012: SUBCA Profile Enrollment - caSignedLogCert using PKCS10 Request of key size 1024" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=1024 + local profile=caSignedLogCert + local subject="PKI-$RANDOM Audit Signing Certificate" + local test_out=ca-$profile-test6-out.txt + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=false&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0013: SUBCA Profile Enrollment - caAgentServerCert using CRMF Request of key size 4096" + local request_type=crmf + local request_key_type=rsa + local request_key_size=4096 + local profile=caAgentServerCert + local subject="Server-$RANDOM-1.example.com" + local test_out=ca-$profile-test1.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out \ + -E \"$valid_agent_cert:$CERTDB_DIR_PASSWORD\" \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" + + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out \ + -E \"$valid_agent_cert:$CERTDB_DIR_PASSWORD\" \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0014: SUBCA Profile Enrollment - caAgentServerCert using CRMF Request of key size 3072" + local request_type=crmf + local request_key_type=rsa + local request_key_size=3072 + local profile=caAgentServerCert + local subject="Server-$RANDOM-1.example.com" + local test_out=ca-$profile-test1.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out \ + -E \"$valid_agent_cert:$CERTDB_DIR_PASSWORD\" \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" + + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out \ + -E \"$valid_agent_cert:$CERTDB_DIR_PASSWORD\" \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0015: SUBCA Profile Enrollment - caAgentServerCert using CRMF Request of key size 2048" + local request_type=crmf + local request_key_type=rsa + local request_key_size=2048 + local profile=caAgentServerCert + local subject="Server-$RANDOM-1.example.com" + local test_out=ca-$profile-test1.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out \ + -E \"$valid_agent_cert:$CERTDB_DIR_PASSWORD\" \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" + + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out \ + -E \"$valid_agent_cert:$CERTDB_DIR_PASSWORD\" \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + + rlPhaseStartTest "pki_subca_ee-0016: SUBCA Profile Enrollment - caAgentServerCert using CRMF Request of key size 1024" + local request_type=crmf + local request_key_type=rsa + local request_key_size=1024 + local profile=caAgentServerCert + local subject="Server-$RANDOM-1.example.com" + local test_out=ca-$profile-test1.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out \ + -E \"$valid_agent_cert:$CERTDB_DIR_PASSWORD\" \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" + + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out \ + -E \"$valid_agent_cert:$CERTDB_DIR_PASSWORD\" \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0017: SUBCA Profile Enrollment - caAgentServerCert using PKCS10 Request of key size 4096" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=4096 + local profile=caAgentServerCert + local subject="Server-$RANDOM-1.example.com" + local test_out=ca-$profile-test1.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out \ + -E \"$valid_agent_cert:$CERTDB_DIR_PASSWORD\" \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" + + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out \ + -E \"$valid_agent_cert:$CERTDB_DIR_PASSWORD\" \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0018: SUBCA Profile Enrollment - caAgentServerCert using PKCS10 Request of key size 3072" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=3072 + local profile=caAgentServerCert + local subject="Server-$RANDOM-1.example.com" + local test_out=ca-$profile-test1.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out \ + -E \"$valid_agent_cert:$CERTDB_DIR_PASSWORD\" \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" + + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out \ + -E \"$valid_agent_cert:$CERTDB_DIR_PASSWORD\" \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0019: SUBCA Profile Enrollment - caAgentServerCert using PKCS10 Request of key size 2048" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=2048 + local profile=caAgentServerCert + local subject="Server-$RANDOM-1.example.com" + local test_out=ca-$profile-test1.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out \ + -E \"$valid_agent_cert:$CERTDB_DIR_PASSWORD\" \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" + + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out \ + -E \"$valid_agent_cert:$CERTDB_DIR_PASSWORD\" \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0020: SUBCA Profile Enrollment - caAgentServerCert using PKCS10 Request of key size 1024" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=1024 + local profile=caAgentServerCert + local subject="Server-$RANDOM-1.example.com" + local test_out=ca-$profile-test1.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out \ + -E \"$valid_agent_cert:$CERTDB_DIR_PASSWORD\" \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" + + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out \ + -E \"$valid_agent_cert:$CERTDB_DIR_PASSWORD\" \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0021: SUBCA Profile Enrollment - caCACert using CRMF Request of key size 4096" + local request_type=crmf + local request_key_type=rsa + local request_key_size=4096 + local profile=caCACert + local subject="PKI-$RANDOM CA Signing Certificate" + local test_out=ca-$profile-test1-out.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&bypassCAnotafter=false&basicConstraintsCritical=true&basicConstraintsIsCA=true&basicConstraintsPathLen=-1&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=false&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=true&keyUsageCrlSign=true&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0022: SUBCA Profile Enrollment - caCACert using CRMF Request of key size 3072" + local request_type=crmf + local request_key_type=rsa + local request_key_size=3072 + local profile=caCACert + local subject="PKI-$RANDOM CA Signing Certificate" + local test_out=ca-$profile-test1-out.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&bypassCAnotafter=false&basicConstraintsCritical=true&basicConstraintsIsCA=true&basicConstraintsPathLen=-1&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=false&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=true&keyUsageCrlSign=true&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0023: SUBCA Profile Enrollment - caCACert using CRMF Request of key size 2048" + local request_type=crmf + local request_key_type=rsa + local request_key_size=2048 + local profile=caCACert + local subject="PKI-$RANDOM CA Signing Certificate" + local test_out=ca-$profile-test2-out.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&bypassCAnotafter=false&basicConstraintsCritical=true&basicConstraintsIsCA=true&basicConstraintsPathLen=-1&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=false&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=true&keyUsageCrlSign=true&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0024: SUBCA Profile Enrollment - caCACert using CRMF Request of key size 1024" + local request_type=crmf + local request_key_type=rsa + local request_key_size=1024 + local profile=caCACert + local subject="PKI-$RANDOM CA Signing Certificate" + local test_out=ca-$profile-test3-out.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&bypassCAnotafter=false&basicConstraintsCritical=true&basicConstraintsIsCA=true&basicConstraintsPathLen=-1&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=false&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=true&keyUsageCrlSign=true&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0025: SUBCA Profile Enrollment - caCACert using PKCS10 Request of key size 4096" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=4096 + local profile=caCACert + local subject="PKI-$RANDOM CA Signing Certificate" + local test_out=ca-$profile-test4-out.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&bypassCAnotafter=false&basicConstraintsCritical=true&basicConstraintsIsCA=true&basicConstraintsPathLen=-1&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=false&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=true&keyUsageCrlSign=true&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0026: SUBCA Profile Enrollment - caCACert using PKCS10 Request of key size 3072" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=3072 + local profile=caCACert + local subject="PKI-$RANDOM CA Signing Certificate" + local test_out=ca-$profile-test4-out.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&bypassCAnotafter=false&basicConstraintsCritical=true&basicConstraintsIsCA=true&basicConstraintsPathLen=-1&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=false&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=true&keyUsageCrlSign=true&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0027: SUBCA Profile Enrollment - caCACert using PKCS10 Request of key size 2048" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=2048 + local profile=caCACert + local subject="PKI-$RANDOM CA Signing Certificate" + local test_out=ca-$profile-test5-out.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&bypassCAnotafter=false&basicConstraintsCritical=true&basicConstraintsIsCA=true&basicConstraintsPathLen=-1&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=false&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=true&keyUsageCrlSign=true&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0028: SUBCA Profile Enrollment - caCACert using pkcs10 Request of key size 1024" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=1024 + local profile=caCACert + local subject="PKI-$RANDOM CA Signing Certificate" + local test_out=ca-$profile-test6-out.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&bypassCAnotafter=false&basicConstraintsCritical=true&basicConstraintsIsCA=true&basicConstraintsPathLen=-1&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=false&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=true&keyUsageCrlSign=true&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + + rlPhaseStartSetup "Enable UidPwdDirAuth Plugin" + local LDAP_PORT=20389 + local INSTANCE_NAME=ldap-$RANDOM + local LDAP_ROOTDN="cn=Directory Manager" + local LDAP_ROOTDNPWD="Secret123" + local LDAP_BASEDN="DC=example,DC=org" + local count=100 + rlRun "rhcs_install_set_ldap_vars" + rlRun "rhds_install $LDAP_PORT $INSTANCE_NAME \"$LDAP_ROOTDN\" $LDAP_ROOTDNPWD $LDAP_BASEDN" 0 + if [ $? != 0 ]; then + rlFail "Unable to setup ldap instance" + return 1 + fi + rlRun "UidPwdDirAuth $cs_Role $SUBCA_INST subcaadmin Secret123 add $tmp_ca_host \"$LDAP_BASEDN\" $LDAP_PORT" + rlLog "Add 100 users to ou=People,$LDAP_BASEDN" + rlRun "create_dir_user $LDAP_BASEDN 100 > $TmpDir/ldapusers.ldif" + rlRun "ldapadd -x -D \"$LDAP_ROOTDN\" -w $LDAP_ROOTDNPWD -h $tmp_ca_host -p $LDAP_PORT -f $TmpDir/ldapusers.ldif > $TmpDir/ldapadd.out" 0 "Add test users for Directory-Authenticated Enrollment" + rlAssertGrep "adding new entry \"cn=idmusers,ou=Groups,$LDAP_BASEDN\"" "$TmpDir/ldapadd.out" + rlPhaseEnd + + + + rlPhaseStartTest "pki_subca_ee-0029: SUBCA Profile Enrollment - caDirUserCert using CRMF Request of key size 4096" + local request_type=crmf + local request_key_type=rsa + local request_key_size=4096 + local profile=caDirUserCert + local userid="idmuser1" + local password="redhat" + local test_out=ca-$profile-test1.txt + local LDAP_BASEDN="DC=example,DC=org" + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$userid \ + subject_uid:$userid \ + subject_email: \ + subject_ou:People \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + #local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + local cert_requestdn="UID=$userid,OU=People,$LDAP_BASEDN" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"uid=$userid&pwd=$password&cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&profileId=$profile&renewal=false&xmlOutput=false\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + rlRun "curl --basic --dump-header $admin_out \ + -d \"uid=$userid&pwd=$password&cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&profileId=$profile&renewal=false&xmlOutput=false\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0030: SUBCA Profile Enrollment - caDirUserCert using CRMF Request of key size 3072" + local request_type=crmf + local request_key_type=rsa + local request_key_size=3072 + local profile=caDirUserCert + local userid="idmuser1" + local password="redhat" + local test_out=ca-$profile-test1.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + #local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + local cert_requestdn="UID=$userid,OU=People,$LDAP_BASEDN" + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"uid=$userid&pwd=$password&cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&profileId=$profile&renewal=false&xmlOutput=false\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + rlRun "curl --basic --dump-header $admin_out \ + -d \"uid=$userid&pwd=$password&cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&profileId=$profile&renewal=false&xmlOutput=false\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0031: SUBCA Profile Enrollment - caDirUserCert using CRMF Request of key size 4096" + local request_type=crmf + local request_key_type=rsa + local request_key_size=4096 + local profile=caDirUserCert + local userid="idmuser2" + local password="redhat" + local test_out=ca-$profile-test2.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + #local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + local cert_requestdn="UID=$userid,OU=People,$LDAP_BASEDN" + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"uid=$userid&pwd=$password&cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&profileId=$profile&renewal=false&xmlOutput=false\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + rlRun "curl --basic --dump-header $admin_out \ + -d \"uid=$userid&pwd=$password&cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&profileId=$profile&renewal=false&xmlOutput=false\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0032: SUBCA Profile Enrollment - caDirUserCert using CRMF Request of key size 2048" + local request_type=crmf + local request_key_type=rsa + local request_key_size=2048 + local profile=caDirUserCert + local userid="idmuser3" + local password="redhat" + local test_out=ca-$profile-test3.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + #local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + local cert_requestdn="UID=$userid,OU=People,$LDAP_BASEDN" + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"uid=$userid&pwd=$password&cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&profileId=$profile&renewal=false&xmlOutput=false\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + rlRun "curl --basic --dump-header $admin_out \ + -d \"uid=$userid&pwd=$password&cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&profileId=$profile&renewal=false&xmlOutput=false\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0033: SUBCA Profile Enrollment - caDirUserCert using CRMF Request of key size 1024" + local request_type=crmf + local request_key_type=rsa + local request_key_size=1024 + local profile=caDirUserCert + local userid="idmuser4" + local password="redhat" + local test_out=ca-$profile-test4.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + #local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + local cert_requestdn="UID=$userid,OU=People,$LDAP_BASEDN" + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"uid=$userid&pwd=$password&cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&profileId=$profile&renewal=false&xmlOutput=false\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + rlRun "curl --basic --dump-header $admin_out \ + -d \"uid=$userid&pwd=$password&cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&profileId=$profile&renewal=false&xmlOutput=false\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0034: SUBCA Profile Enrollment - caDirUserCert using PKCS10 Request of key size 4096" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=4096 + local profile=caDirUserCert + local userid="idmuser5" + local password="redhat" + local test_out=ca-$profile-test5.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + #local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + local cert_requestdn="UID=$userid,OU=People,$LDAP_BASEDN" + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"uid=$userid&pwd=$password&cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&profileId=$profile&renewal=false&xmlOutput=false\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + rlRun "curl --basic --dump-header $admin_out \ + -d \"uid=$userid&pwd=$password&cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&profileId=$profile&renewal=false&xmlOutput=false\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0035: SUBCA Profile Enrollment - caDirUserCert using PKCS10 Request of key size 3072" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=3072 + local profile=caDirUserCert + local userid="idmuser5" + local password="redhat" + local test_out=ca-$profile-test6.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + #local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + local cert_requestdn="UID=$userid,OU=People,$LDAP_BASEDN" + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"uid=$userid&pwd=$password&cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&profileId=$profile&renewal=false&xmlOutput=false\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + rlRun "curl --basic --dump-header $admin_out \ + -d \"uid=$userid&pwd=$password&cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&profileId=$profile&renewal=false&xmlOutput=false\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0036: SUBCA Profile Enrollment - caDirUserCert using PKCS10 Request of key size 2048" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=2048 + local profile=caDirUserCert + local userid="idmuser6" + local password="redhat" + local test_out=ca-$profile-test7.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + #local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + local cert_requestdn="UID=$userid,OU=People,$LDAP_BASEDN" + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"uid=$userid&pwd=$password&cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&profileId=$profile&renewal=false&xmlOutput=false\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + rlRun "curl --basic --dump-header $admin_out \ + -d \"uid=$userid&pwd=$password&cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&profileId=$profile&renewal=false&xmlOutput=false\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0037: SUBCA Profile Enrollment - caDirUserCert using pkcs10 Request of key size 1024" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=1024 + local profile=caDirUserCert + local userid="idmuser7" + local password="redhat" + local test_out=ca-$profile-test8.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + #local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + local cert_requestdn="UID=$userid,OU=People,$LDAP_BASEDN" + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"uid=$userid&pwd=$password&cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&profileId=$profile&renewal=false&xmlOutput=false\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + rlRun "curl --basic --dump-header $admin_out \ + -d \"uid=$userid&pwd=$password&cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&profileId=$profile&renewal=false&xmlOutput=false\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + + rlPhaseStartTest "pki_subca_ee-0038: SUBCA Profile Enrollment - caOCSPCert using CRMF Request of key size 4096" + local request_type=crmf + local request_key_type=rsa + local request_key_size=4096 + local profile=caOCSPCert + local subject="PKI-$RANDOM OCSP Signing Certificate" + local test_out=ca-$profile-test1.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&exKeyUsageCritical=false&exKeyUsageOIDs=1.3.6.1.5.5.7.3.9&ocspNoCheckCritical=false&signingAlg=SHA1withRSA&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0039: SUBCA Profile Enrollment - caOCSPCert using CRMF Request of key size 3072" + local request_type=crmf + local request_key_type=rsa + local request_key_size=3072 + local profile=caOCSPCert + local subject="PKI-$RANDOM OCSP Signing Certificate" + local test_out=ca-$profile-test2.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&exKeyUsageCritical=false&exKeyUsageOIDs=1.3.6.1.5.5.7.3.9&ocspNoCheckCritical=false&signingAlg=SHA1withRSA&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0040: SUBCA Profile Enrollment - caOCSPCert using CRMF Request of key size 2048" + local request_type=crmf + local request_key_type=rsa + local request_key_size=2048 + local profile=caOCSPCert + local subject="PKI-$RANDOM OCSP Signing Certificate" + local test_out=ca-$profile-test3.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&exKeyUsageCritical=false&exKeyUsageOIDs=1.3.6.1.5.5.7.3.9&ocspNoCheckCritical=false&signingAlg=SHA1withRSA&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0041: SUBCA Profile Enrollment - caOCSPCert using CRMF Request of key size 1024" + local request_type=crmf + local request_key_type=rsa + local request_key_size=1024 + local profile=caOCSPCert + local subject="PKI-$RANDOM OCSP Signing Certificate" + local test_out=ca-$profile-test4.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&exKeyUsageCritical=false&exKeyUsageOIDs=1.3.6.1.5.5.7.3.9&ocspNoCheckCritical=false&signingAlg=SHA1withRSA&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0042: SUBCA Profile Enrollment - caOCSPCert using pkcs10 Request of key size 4096" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=4096 + local profile=caOCSPCert + local subject="PKI-$RANDOM OCSP Signing Certificate" + local test_out=ca-$profile-test5.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&exKeyUsageCritical=false&exKeyUsageOIDs=1.3.6.1.5.5.7.3.9&ocspNoCheckCritical=false&signingAlg=SHA1withRSA&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0043: SUBCA Profile Enrollment - caOCSPCert using PKCS10 Request of key size 3072" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=3072 + local profile=caOCSPCert + local subject="PKI-$RANDOM OCSP Signing Certificate" + local test_out=ca-$profile-test6.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&exKeyUsageCritical=false&exKeyUsageOIDs=1.3.6.1.5.5.7.3.9&ocspNoCheckCritical=false&signingAlg=SHA1withRSA&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0044: SUBCA Profile Enrollment - caOCSPCert using PKCS10 Request of key size 2048" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=2048 + local profile=caOCSPCert + local subject="PKI-$RANDOM OCSP Signing Certificate" + local test_out=ca-$profile-test7.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&exKeyUsageCritical=false&exKeyUsageOIDs=1.3.6.1.5.5.7.3.9&ocspNoCheckCritical=false&signingAlg=SHA1withRSA&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0045: SUBCA Profile Enrollment - caOCSPCert using PKCS10 Request of key size 1024" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=1024 + local profile=caOCSPCert + local subject="PKI-$RANDOM OCSP Signing Certificate" + local test_out=ca-$profile-test8.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&exKeyUsageCritical=false&exKeyUsageOIDs=1.3.6.1.5.5.7.3.9&ocspNoCheckCritical=false&signingAlg=SHA1withRSA&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0046: SUBCA Profile Enrollment - caOtherCert using CRMF Request of key size 4096" + local request_type=crmf + local request_key_type=rsa + local request_key_size=4096 + local profile=caOtherCert + local subject="PKI-$RANDOM Certificate" + local test_out=ca-$profile-test1.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2&signingAlg=SHA1withRSA&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0047: SUBCA Profile Enrollment - caOtherCert using CRMF Request of key size 3072" + local request_type=crmf + local request_key_type=rsa + local request_key_size=3072 + local profile=caOtherCert + local subject="PKI-$RANDOM Certificate" + local test_out=ca-$profile-test2.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2&signingAlg=SHA1withRSA&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0048: SUBCA Profile Enrollment - caOtherCert using CRMF Request of key size 2048" + local request_type=crmf + local request_key_type=rsa + local request_key_size=2048 + local profile=caOtherCert + local subject="PKI-$RANDOM Certificate" + local test_out=ca-$profile-test3.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2&signingAlg=SHA1withRSA&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0049: SUBCA Profile Enrollment - caOtherCert using CRMF Request of key size 1024" + local request_type=crmf + local request_key_type=rsa + local request_key_size=1024 + local profile=caOtherCert + local subject="PKI-$RANDOM Certificate" + local test_out=ca-$profile-test4.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2&signingAlg=SHA1withRSA&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0050: SUBCA Profile Enrollment - caOtherCert using PKCS10 Request of key size 4096" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=4096 + local profile=caOtherCert + local subject="PKI-$RANDOM Certificate" + local test_out=ca-$profile-test5.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2&signingAlg=SHA1withRSA&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + + rlPhaseStartTest "pki_subca_ee-0051: SUBCA Profile Enrollment - caOtherCert using PKCS10 Request of key size 3072" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=3072 + local profile=caOtherCert + local subject="PKI-$RANDOM Certificate" + local test_out=ca-$profile-test6.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2&signingAlg=SHA1withRSA&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0052: SUBCA Profile Enrollment - caOtherCert using PKCS10 Request of key size 2048" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=2048 + local profile=caOtherCert + local subject="PKI-$RANDOM Certificate" + local test_out=ca-$profile-test7.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2&signingAlg=SHA1withRSA&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0053: SUBCA Profile Enrollment - caOtherCert using PKCS10 Request of key size 1024" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=1024 + local profile=caOtherCert + local subject="PKI-$RANDOM Certificate" + local test_out=ca-$profile-test8.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2&signingAlg=SHA1withRSA&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0054: SUBCA Profile Enrollment - caTPSCert using CRMF Request of key size 4096" + local request_type=crmf + local request_key_type=rsa + local request_key_size=4096 + local profile=caTPSCert + local subject="PKI-$RANDOM TPS Signing Certificate" + local test_out=ca-$profile-test1.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0055: SUBCA Profile Enrollment - caTPSCert using CRMF Request of key size 3072" + local request_type=crmf + local request_key_type=rsa + local request_key_size=3072 + local profile=caTPSCert + local subject="PKI-$RANDOM TPS Signing Certificate" + local test_out=ca-$profile-test2.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0056: SUBCA Profile Enrollment - caTPSCert using CRMF Request of key size 2048" + local request_type=crmf + local request_key_type=rsa + local request_key_size=2048 + local profile=caTPSCert + local subject="PKI-$RANDOM TPS Signing Certificate" + local test_out=ca-$profile-test3.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0057: SUBCA Profile Enrollment - caTPSCert using CRMF Request of key size 1024" + local request_type=crmf + local request_key_type=rsa + local request_key_size=1024 + local profile=caTPSCert + local subject="PKI-$RANDOM TPS Signing Certificate" + local test_out=ca-$profile-test4.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0058: SUBCA Profile Enrollment - caTPSCert using PKCS10 Request of key size 4096" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=4096 + local profile=caTPSCert + local subject="PKI-$RANDOM TPS Signing Certificate" + local test_out=ca-$profile-test5.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0059: SUBCA Profile Enrollment - caTPSCert using PKCS10 Request of key size 3072" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=3072 + local profile=caTPSCert + local subject="PKI-$RANDOM TPS Signing Certificate" + local test_out=ca-$profile-test6.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0060: SUBCA Profile Enrollment - caTPSCert using PKCS10 Request of key size 2048" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=2048 + local profile=caTPSCert + local subject="PKI-$RANDOM TPS Signing Certificate" + local test_out=ca-$profile-test7.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0061: SUBCA Profile Enrollment - caTPSCert using PKCS10 Request of key size 1024" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=4096 + local profile=caTPSCert + local subject="PKI-$RANDOM TPS Signing Certificate" + local test_out=ca-$profile-test8.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0062: SUBCA Profile Enrollment - caTransportCert using CRMF Request of key size 4096" + local request_type=crmf + local request_key_type=rsa + local request_key_size=4096 + local profile=caTransportCert + local subject="PKI-$RANDOM Transport Certificate" + local test_out=ca-$profile-test1.txt + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0063: SUBCA Profile Enrollment - caTransportCert using CRMF Request of key size 3072" + local request_type=crmf + local request_key_type=rsa + local request_key_size=3072 + local profile=caTransportCert + local subject="PKI-$RANDOM Transport Certificate" + local test_out=ca-$profile-test2.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0064: SUBCA Profile Enrollment - caTransportCert using CRMF Request of key size 2048" + local request_type=crmf + local request_key_type=rsa + local request_key_size=2048 + local profile=caTransportCert + local subject="PKI-$RANDOM Transport Certificate" + local test_out=ca-$profile-test3.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0065: SUBCA Profile Enrollment - caTransportCert using CRMF Request of key size 1024" + local request_type=crmf + local request_key_type=rsa + local request_key_size=1024 + local profile=caTransportCert + local subject="PKI-$RANDOM Transport Certificate" + local test_out=ca-$profile-test4.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0066: SUBCA Profile Enrollment - caTransportCert using PKCS10 Request of key size 4096" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=4096 + local profile=caTransportCert + local subject="PKI-$RANDOM Transport Certificate" + local test_out=ca-$profile-test5.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0067: SUBCA Profile Enrollment - caTransportCert using PKCS10 Request of key size 3072" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=3072 + local profile=caTransportCert + local subject="PKI-$RANDOM Transport Certificate" + local test_out=ca-$profile-test6.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0068: SUBCA Profile Enrollment - caTransportCert using PKCS10 Request of key size 2048" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=2048 + local profile=caTransportCert + local subject="PKI-$RANDOM Transport Certificate" + local test_out=ca-$profile-test7.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0069: SUBCA Profile Enrollment - caTransportCert using PKCS10 Request of key size 1024" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=1024 + local profile=caTransportCert + local subject="PKI-$RANDOM Transport Certificate" + local test_out=ca-$profile-test8.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + + rlPhaseStartTest "pki_subca_ee-0070: SUBCA Profile Enrollment - caServerCert using CRMF Request of key size 4096" + local request_type=crmf + local request_key_type=rsa + local request_key_size=4096 + local profile=caServerCert + local subject="PKI-$RANDOM-1.example.org" + local test_out=ca-$profile-test1.txt + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0071: SUBCA Profile Enrollment - caServerCert using CRMF Request of key size 3072" + local request_type=crmf + local request_key_type=rsa + local request_key_size=3072 + local profile=caServerCert + local subject="PKI-$RANDOM-2.example.org" + local test_out=ca-$profile-test2.txt + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0072: SUBCA Profile Enrollment - caServerCert using CRMF Request of key size 2048" + local request_type=crmf + local request_key_type=rsa + local request_key_size=2048 + local profile=caServerCert + local subject="PKI-$RANDOM-3.example.org" + local test_out=ca-$profile-test3.txt + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0073: SUBCA Profile Enrollment - caServerCert using CRMF Request of key size 1024" + local request_type=crmf + local request_key_type=rsa + local request_key_size=1024 + local profile=caServerCert + local subject="PKI-$RANDOM-4.example.org" + local test_out=ca-$profile-test4.txt + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0074: SUBCA Profile Enrollment - caServerCert using PKCS10 Request of key size 4096" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=4096 + local profile=caServerCert + local subject="PKI-$RANDOM-5.example.org" + local test_out=ca-$profile-test5.txt + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0075: SUBCA Profile Enrollment - caServerCert using PKCS10 Request of key size 3072" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=3072 + local profile=caServerCert + local subject="PKI-$RANDOM-6.example.org" + local test_out=ca-$profile-test6.txt + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0076: SUBCA Profile Enrollment - caServerCert using PKCS10 Request of key size 2048" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=2048 + local profile=caServerCert + local subject="PKI-$RANDOM-7.example.org" + local test_out=ca-$profile-test7.txt + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0077: SUBCA Profile Enrollment - caServerCert using PKCS10 Request of key size 1024" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=1024 + local profile=caServerCert + local subject="PKI-$RANDOM-8.example.org" + local test_out=ca-$profile-test8.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$subject\" \ + subject_uid: \ + subject_email: \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $admin_out \ + -d \"cert_request_type=$request_type&keyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem --dump-header $admin_out -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&signingAlg=SHA1withRSA&authInfoAccessCritical=false&authInfoAccessGeneralNames=&requestNotes=&op=approve&submit=submit\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Approve $request_id" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0078: SUBCA Profile Enrollment - caUserCert using CRMF Request of key size 4096" + local request_type=crmf + local request_key_type=rsa + local request_key_size=4096 + local profile=caUserCert + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local userid="fooUser1" + local usercn="fooUser1" + local phone="1234" + local usermail="fooUser1@example.org" + local test_out=ca-$profile-test1.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$usercn \ + subject_uid:$userid \ + subject_email:$usermail \ + subject_ou:IDM \ + subject_organization:RedHat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Submit Certificare request" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0079: SUBCA Profile Enrollment - caUserCert using CRMF Request of key size 3072" + local request_type=crmf + local request_key_type=rsa + local request_key_size=3072 + local profile=caUserCert + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local userid="fooUser2" + local usercn="fooUser2" + local phone="1234" + local usermail="fooUser2@example.org" + local test_out=ca-$profile-test2.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$usercn \ + subject_uid:$userid \ + subject_email:$usermail \ + subject_ou:IDM \ + subject_organization:RedHat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Submit Certificare request" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0080: SUBCA Profile Enrollment - caUserCert using CRMF Request of key size 2048" + local request_type=crmf + local request_key_type=rsa + local request_key_size=2048 + local profile=caUserCert + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local userid="fooUser3" + local usercn="fooUser3" + local phone="1234" + local usermail="fooUser3@example.org" + local test_out=ca-$profile-test3.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$usercn\" \ + subject_uid:$userid \ + subject_email:$usermail \ + subject_ou:IDM \ + subject_organization:RedHat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Submit Certificare request" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0081: SUBCA Profile Enrollment - caUserCert using CRMF Request of key size 1024" + local request_type=crmf + local request_key_type=rsa + local request_key_size=1024 + local profile=caUserCert + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local userid="fooUser4" + local usercn="fooUser4" + local phone="1234" + local usermail="fooUser4@example.org" + local test_out=ca-$profile-test4.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$usercn\" \ + subject_uid:$userid \ + subject_email:$usermail \ + subject_ou:IDM \ + subject_organization:RedHat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Submit Certificare request" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0082: SUBCA Profile Enrollment - caUserCert using PKCS10 Request of key size 4096" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=4096 + local profile=caUserCert + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local userid="fooUser5" + local usercn="fooUser5" + local phone="1234" + local usermail="fooUser5@example.org" + local test_out=ca-$profile-test5.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$usercn\" \ + subject_uid:$userid \ + subject_email:$usermail \ + subject_ou:IDM \ + subject_organization:RedHat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Submit Certificare request" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0083: SUBCA Profile Enrollment - caUserCert using PKCS10 Request of key size 3072" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=3072 + local profile=caUserCert + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local userid="fooUser6" + local usercn="fooUser6" + local phone="1234" + local usermail="fooUser6@example.org" + local test_out=ca-$profile-test6.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$usercn\" \ + subject_uid:$userid \ + subject_email:$usermail \ + subject_ou:IDM \ + subject_organization:RedHat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Submit Certificare request" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0084: SUBCA Profile Enrollment - caUserCert using PKCS10 Request of key size 2048" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=2048 + local profile=caUserCert + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local userid="fooUser7" + local usercn="fooUser7" + local phone="1234" + local usermail="fooUser7@example.org" + local test_out=ca-$profile-test7.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$usercn\" \ + subject_uid:$userid \ + subject_email:$usermail \ + subject_ou:IDM \ + subject_organization:RedHat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Submit Certificare request" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-0085: SUBCA Profile Enrollment - caUserCert using PKCS10 Request of key size 1024" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=1024 + local profile=caUserCert + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local userid="fooUser8" + local usercn="fooUser8" + local phone="1234" + local usermail="fooUser8@example.org" + local test_out=ca-$profile-test8.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$usercn\" \ + subject_uid:$userid \ + subject_email:$usermail \ + subject_ou:IDM \ + subject_organization:RedHat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Submit Certificare request" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartCleanup "Delete temporary dir and enable nonce" + rlRun "popd" + rlRun "rm -r $TmpDir" 0 "Removing tmp directory" + enable_ca_nonce $tomcat_name + rlPhaseEnd + +} +verify_cert() +{ + local serial_number=$1 + local request_dn=$2 + STRIP_HEX=$(echo $serial_number | cut -dx -f2) + CONV_LOW_VAL=${STRIP_HEX,,} + rlRun "pki -h $tmp_ca_host -p $target_unsecure_port cert-show $serial_number > $cert_show_out" 0 "Executing pki cert-show $serial_number" + rlAssertGrep "Serial Number: 0x$CONV_LOW_VAL" "$cert_show_out" + rlAssertGrep "Issuer: CN=PKI $SUBCA_INST Signing Certificate,O=redhat" "$cert_show_out" + rlAssertGrep "Subject: $request_dn" "$cert_show_out" + rlAssertGrep "Status: VALID" "$cert_show_out" +} + diff --git a/tests/dogtag/acceptance/legacy/subca-tests/cert-enrollment/subca-ee-retrieval.sh b/tests/dogtag/acceptance/legacy/subca-tests/cert-enrollment/subca-ee-retrieval.sh new file mode 100755 index 000000000..2c419664f --- /dev/null +++ b/tests/dogtag/acceptance/legacy/subca-tests/cert-enrollment/subca-ee-retrieval.sh @@ -0,0 +1,1032 @@ +#!/bin/bash +# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/rhcs/acceptance/legacy/ca-tests/cert-enrollment/cert-ee-retrieval +# Description: Legacy cert retrieval tests +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Author: Niranjan Mallapadi +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2013 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include rhts environment +. /usr/bin/rhts-environment.sh +. /usr/share/beakerlib/beakerlib.sh +. /opt/rhqa_pki/rhcs-shared.sh +. /opt/rhqa_pki/pki-cert-cli-lib.sh +. /opt/rhqa_pki/pki-auth-plugin-lib.sh +. /opt/rhqa_pki/env.sh + +run_ee-subca-retrieval_tests() +{ + + # Creating Temporary Directory + rlPhaseStartSetup "Create Temporary Directory" + rlRun "TmpDir=\`mktemp -d\`" 0 "Creating tmp directory" + rlRun "pushd $TmpDir" + rlRun "export PYTHONPATH=$PYTHONPATH:/opt/rhqa_pki/" + rlPhaseEnd + + # Disable Nonce + rlPhaseStartSetup "Disable Nonce" + local cs_Type=$1 + local cs_Role=$2 + get_topo_stack $cs_Role $TmpDir/topo_file + if [ $cs_Role="MASTER" ]; then + SUBCA_INST=$(cat $TmpDir/topo_file | grep MY_SUBCA | cut -d= -f2) + elif [ $cs_Role="SUBCA2" || $cs_Role="SUBCA1" ]; then + SUBCA_INST=$(cat $TmpDir/topo_file | grep MY_CA | cut -d= -f2) + fi + local tomcat_name=$(eval echo \$${SUBCA_INST}_TOMCAT_INSTANCE_NAME) + disable_ca_nonce $tomcat_name + rlPhaseEnd + + # Local Variables + local target_unsecure_port=$(eval echo \$${SUBCA_INST}_UNSECURE_PORT) + local target_secure_port=$(eval echo \$${SUBCA_INST}_SECURE_PORT) + local tmp_ca_agent=$SUBCA_INST\_agentV + local tmp_ca_admin=$SUBCA_INST\_adminV + local tmp_ca_port=$(eval echo \$${SUBCA_INST}_UNSECURE_PORT) + local tmp_ca_host=$(eval echo \$${cs_Role}) + local valid_agent_cert=$SUBCA_INST\_agentV + local valid_audit_cert=$SUBCA_INST\_auditV + local valid_operator_cert=$SUBCA_INST\_operatorV + local valid_admin_cert=$SUBCA_INST\_adminV + local cert_find_info="$TmpDir/cert_find_info" + local admin_out="$TmpDir/admin_out" + local TEMP_NSS_DB="$TmpDir/nssdb" + local TEMP_NSS_DB_PWD="redhat" + local cert_info="$TmpDir/cert_info" + local ca_profile_out="$TmpDir/ca-profile-out" + local cert_out="$TmpDir/cert-show.out" + local cert_show_out="$TmpDir/cert_show.out" + local rand=$RANDOM + local tmp_junk_data=$(openssl rand -base64 50 | perl -p -e 's/\n//') + local SSL_DIR=$CERTDB_DIR + + rlPhaseStartTest "pki_subca_ee-retrieval-001: CA Cert Retrieval - Check Request Status servlet(pending request)" + rlLog "Create a pkcs10 cert request" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=1024 + local profile=caUserCert + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local userid="foo1" + local usercn="foo1" + local phone="1234" + local usermail="foo1@example.org" + local test_out=ca-$profile-test1.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$usercn\" \ + subject_uid:$userid \ + subject_email:$usermail \ + subject_ou:IDM \ + subject_organization:RedHat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "request_id=$request_id" + rlLog "curl --basic --dump-header $admin_out -d \"format=id&requestId=$request_id&submit=Submit\" -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/checkRequest\"" + rlRun "curl --basic --dump-header $admin_out -d \"format=id&requestId=$request_id&submit=Submit\" -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/checkRequest\" >> $TmpDir/$test_out" 0 "Check certificate request status of $request_id" + rlAssertGrep "header.status = \"pending\"" "$TmpDir/$test_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-retrieval-002: CA Cert Retrieval - Check Request Status servlet(completed request)" + local request_id="1" + rlLog "curl --basic --dump-header $admin_out -d \"format=id&requestId=$request_id&submit=Submit\" -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/checkRequest\"" + rlRun "curl --basic --dump-header $admin_out -d \"format=id&requestId=$request_id&submit=Submit\" -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/checkRequest\" > $TmpDir/$test_out" 0 "Check certificate request status of $request_id" + rlAssertGrep "header.status = \"complete\"" "$TmpDir/$test_out" + rlPhaseEnd + + + rlPhaseStartTest "pki_subca_ee-retrieval-003: CA Cert Retrieval - Check Request Status servlet(Negative Value)" + local request_id="-1" + rlLog "curl --basic --dump-header $admin_out -d \"format=id&requestId=$request_id&submit=Submit\" -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/checkRequest\"" + rlRun "curl --basic --dump-header $admin_out -d \"format=id&requestId=$request_id&submit=Submit\" -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/checkRequest\" > $TmpDir/$test_out" 0 "Check certificate request status of $request_id" + rlAssertGrep "Request ID -1 was not found in the request queue" "$TmpDir/$test_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-retrieval-004: CA Cert Retrieval - Check Request Status servlet(Non numerical characters)" + local request_id="abcd" + rlLog "curl --basic --dump-header $admin_out -d \"format=id&requestId=$request_id&submit=Submit\" -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/checkRequest\"" + rlRun "curl --basic --dump-header $admin_out -d \"format=id&requestId=$request_id&submit=Submit\" -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/checkRequest\" > $TmpDir/$test_out" 0 "Check certificate request status of $request_id" + rlAssertGrep "Invalid number format: abcd" "$TmpDir/$test_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-retrieval-004: CA Cert Retrieval - List Certificates(Default values list first 20 records)" + local op=listCerts + local queryCertFilter="(|(certStatus=VALID)(certStatus=REVOKED))" + local serialFrom="" + local serialTo="" + local skipNonValid="on" + local querySentinelDown="0" + local querySentinelUp="" + local direction="begin" + local maxCount="20" + rlLog "curl --basic --dump-header $admin_out -d \"op=$op&queryCertFilter=$queryCertFilter&serialFrom=$serialFrom&serialTo=$serialTo&skipNonValid=$skipNonValid&querySentinelDown=$querySentinelDown&querySentinelUp=$querySentinelUp&direction=$direction&maxCount=$maxCount\" -k https://$tmp_ca_host:$target_secure_port/ca/ee/ca/listCerts" + rlRun "curl --basic --dump-header $admin_out -d \"op=$op&queryCertFilter=$queryCertFilter&serialFrom=$serialFrom&serialTo=$serialTo&skipNonValid=$skipNonValid&querySentinelDown=$querySentinelDown&querySentinelUp=$querySentinelUp&direction=$direction&maxCount=$maxCount\" -k https://$tmp_ca_host:$target_secure_port/ca/ee/ca/listCerts > $TmpDir/$test_out" 0 "List certificate with $queryCertFilter of maxCount $maxCount" + local no_of_records=$(cat $TmpDir/$test_out | grep "record.subject=" | wc -l) + rlAssertEquals "Verify No of records displayed is equal to $maxCount" $no_of_records $maxCount + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-retrieval-005: CA Cert Retrieval - List Certificates from range 0x5 to 0x20" + local op=listCerts + local queryCertFilter="(|(certStatus=VALID)(certStatus=REVOKED))" + local serialFrom="0x5" + local serialTo="0x1c" + local skipNonValid="on" + local querySentinelDown="0x5" + local querySentinelUp="0x5" + local direction="down" + local maxCount="20" + rlLog "curl --basic --dump-header $admin_out -d \"op=$op&queryCertFilter=$queryCertFilter&serialFrom=$serialFrom&serialTo=$serialTo&skipNonValid=$skipNonValid&querySentinelDown=$querySentinelDown&querySentinelUp=$querySentinelUp&direction=$direction&maxCount=$maxCount\" -k https://$tmp_ca_host:$target_secure_port/ca/ee/ca/listCerts" + rlRun "curl --basic --dump-header $admin_out -d \"op=$op&queryCertFilter=$queryCertFilter&serialFrom=$serialFrom&serialTo=$serialTo&skipNonValid=$skipNonValid&querySentinelDown=$querySentinelDown&querySentinelUp=$querySentinelUp&direction=$direction&maxCount=$maxCount\" -k https://$tmp_ca_host:$target_secure_port/ca/ee/ca/listCerts > $TmpDir/$test_out" 0 "List certificate with $queryCertFilter of maxCount $maxCount" + local no_of_records=$(cat $TmpDir/$test_out | grep "record.subject=" | wc -l) + rlAssertEquals "Verify No of records displayed is equal to $maxCount" $no_of_records $maxCount + rlAssertGrep "record.serialNumberDecimal=\"5\"" "$TmpDir/$test_out" + rlAssertNotGrep "record.serialNumber=\"1d\"" "$TmpDir/$test_out" + rlAssertNotGrep "record.serialNumber=\"4\"" "$TmpDir/$test_out" + rlPhaseEnd + + rlPhaseStartSetup "Generate 10 Certs of which 5 will be revoked" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=1024 + local profile=caUserCert + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local userid="fooUser" + local usercn="fooUser" + local phone="1234" + local usermail="fooUser@example.org" + local test_out=ca-$profile-test.txt + local i=1 + local upperlimit=10 + while [ $i -ne $upperlimit ];do + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$usercn-$i\" \ + subject_uid:$userid-$i \ + subject_email:$usermail \ + subject_ou:IDM \ + subject_organization:RedHat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-$i-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-$i-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-$i-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-$i-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-$i-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid-$i&sn_cn=$usercn-$i&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-$i-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid-$i&sn_cn=$usercn-$i&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-$i-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "request_id=$request_id" + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid-$i\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid-$i\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Submit Certificare request" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + if [ $i -le 5 ]; then + local STRIP_HEX=$(echo $serial_number | cut -dx -f2) + local serial=$STRIP_HEX + local CONV_UPP_VAL=${STRIP_HEX^^} + local decimal_serial_number=$(echo "ibase=16;$CONV_UPP_VAL"|bc) + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local revocationReason="0" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"$serial=on&day=0&month=$Month&year=0&revocationReason=$revocationReason&csrRequestorComments=&submit=Submit&op=doRevoke&templateType=RevocationSuccess&serialNumber=$serial&revokeAll=(|(certRecordId=$decimal_serial_number))&totalRecordCount=1&verifiedRecordCount=1&invalidityDate=0\" -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/doRevoke\" > $TmpDir/$test_out" 0 "Revoke cert with serial Number $serial_number" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"$serial=on&day=0&month=$Month&year=0&revocationReason=$revocationReason&csrRequestorComments=&submit=Submit&op=doRevoke&templateType=RevocationSuccess&serialNumber=$serial&revokeAll=(|(certRecordId=$decimal_serial_number))&totalRecordCount=1&verifiedRecordCount=1&invalidityDate=0\" -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/doRevoke\" > $TmpDir/$test_out" 0 "Revoke cert with serial Number $serial_number" + rlAssertGrep "header.revoked = \"yes\"" "$TmpDir/$test_out" + rlAssertGrep "header.error = null" "$TmpDir/$test_out" + fi + let i=$i+1 + done + + rlPhaseStartTest "pki_subca_ee-retrieval-006: CA Cert Retrieval - List only valid certificates" + local op=listCerts + local queryCertFilter="(certStatus=VALID)" + local serialFrom="0" + local serialTo="300" + local skipNonValid="on" + local querySentinelDown="0" + local querySentinelUp="0" + local direction="down" + local maxCount="1000" + local test_out="retrieval.txt" + rlLog "curl --basic --dump-header $admin_out -d \"op=$op&queryCertFilter=$queryCertFilter&serialFrom=$serialFrom&serialTo=$serialTo&skipNonValid=$skipNonValid&querySentinelDown=$querySentinelDown&querySentinelUp=$querySentinelUp&direction=$direction&maxCount=$maxCount\" -k https://$tmp_ca_host:$target_secure_port/ca/ee/ca/listCerts" + rlRun "curl --basic --dump-header $admin_out -d \"op=$op&queryCertFilter=$queryCertFilter&serialFrom=$serialFrom&serialTo=$serialTo&skipNonValid=$skipNonValid&querySentinelDown=$querySentinelDown&querySentinelUp=$querySentinelUp&direction=$direction&maxCount=$maxCount\" -k https://$tmp_ca_host:$target_secure_port/ca/ee/ca/listCerts > $TmpDir/$test_out" 0 "List certificate with $queryCertFilter of maxCount $maxCount" + local no_of_records=$(cat $TmpDir/$test_out | grep "record.subject=" | wc -l) + rlLog "no_of_records=$no_of_records" + rlAssertNotGrep "record.revokedBy=\"$valid_agent_cert\"" "$TmpDir/$test_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-retrieval-007: CA Cert Retrieval - List certs with max count of 10" + local op=listCerts + local queryCertFilter="(certStatus=VALID)" + local serialFrom="0" + local serialTo="20" + local skipNonValid="on" + local querySentinelDown="0" + local querySentinelUp="0" + local direction="down" + local maxCount="10" + local test_out="retrieval.txt" + rlLog "curl --basic --dump-header $admin_out -d \"op=$op&queryCertFilter=$queryCertFilter&serialFrom=$serialFrom&serialTo=$serialTo&skipNonValid=$skipNonValid&querySentinelDown=$querySentinelDown&querySentinelUp=$querySentinelUp&direction=$direction&maxCount=$maxCount\" -k https://$tmp_ca_host:$target_secure_port/ca/ee/ca/listCerts" + rlRun "curl --basic --dump-header $admin_out -d \"op=$op&queryCertFilter=$queryCertFilter&serialFrom=$serialFrom&serialTo=$serialTo&skipNonValid=$skipNonValid&querySentinelDown=$querySentinelDown&querySentinelUp=$querySentinelUp&direction=$direction&maxCount=$maxCount\" -k https://$tmp_ca_host:$target_secure_port/ca/ee/ca/listCerts > $TmpDir/$test_out" 0 "List certificate with $queryCertFilter of maxCount $maxCount" + local no_of_records=$(cat $TmpDir/$test_out | grep "record.subject=" | wc -l) + rlLog "no_of_records=$no_of_records" + local no_of_records=$(cat $TmpDir/$test_out | grep "record.subject=" | wc -l) + rlAssertEquals "Verify No of records displayed is equal to $maxCount" $no_of_records $maxCount + rlPhaseEnd + + + rlPhaseStartTest "pki_subca_ee-retrieval-008: CA Cert Retrieval - Search certs with max count of 10" + local test_out=srcCerts.txt + local op=srchCerts + local serialNumberRangeInUse="on" + local serialFrom=0 + local serialTo=300 + local queryCertFilter="(&(certRecordId>=$serialFrom)(certRecordId<=$serialTo))" + local subjectInUse='' + local eMail='' + local commonName='' + local userID='' + local orgUnit='' + local org='' + local locality='' + local state='' + local country='' + local match='partial' + local revokedBy='' + local revokedOnInUse='' + local revokedOnFrom='' + local revokedOnTo='' + local revocationReasonInUse='' + local revocationReason='' + local issuedByInUse='' + local issuedBy='' + local issuedOnInUse='' + local issuedOnFrom='' + local issuedOnTo='' + local validNotBeforeInUse='' + local validNotBeforeFrom='' + local validNotBeforeTo='' + local validNotAfterInUse='' + local validNotAfterFrom='' + local validNotAfterTo='' + local validityLengthInUse='' + local validityOp='' + local count='' + local unit="2592000000" + local certTypeInUse='' + local SubordinateEmailCA='' + local SubordinateSSLCA='' + local SecureEmail='' + local SSLClient='' + local SSLServer='' + local maxResults='10' + local timeLimit='5' + rlLog "curl --basic --dump-header $admin_out -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedOnInUse=$revokedOnInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/ee/ca/srchCerts > $TmpDir/$test_out" 0 "Search Certs with serialNumber range starting from $serialFrom to $serialTo with maxCount of $maxResults" + rlRun "curl --basic --dump-header $admin_out -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedOnInUse=$revokedOnInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/ee/ca/srchCerts > $TmpDir/$test_out" 0 "Search Certs with serialNumber range starting from $serialFrom to $serialTo with maxCount of $maxResults" + local no_of_records=$(cat $TmpDir/$test_out | grep "record.subject=" | wc -l) + rlAssertEquals "Verify No of records displayed is equal to $maxCount" $no_of_records $maxResults + rlPhaseEnd + + rlPhaseStartSetup "Generate a user cert" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=1024 + local profile=caUserCert + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local userid="fooUser$RANDOM" + local usercn="fooUser$RANDOM" + local phone="1234-$RANDOM" + local usermail="$userid@example.org" + local test_out=ca-$profile-test.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$usercn\" \ + subject_uid:$userid \ + subject_email:$usermail \ + subject_ou:IDM \ + subject_organization:RedHat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "request_id=$request_id" + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Submit Certificare request" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + local serial_number_without_hex=$(echo $serial_number | cut -dx -f2) + local serial_number_without_hex_lower=${serial_number_without_hex,,} + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-retrieval-009: CA Cert Retrieval - Search certs with subject Name matching Email Address(method=exact)" + local test_out=srcCerts.txt + local op=srchCerts + local serialNumberRangeInUse='' + local serialFrom='' + local serialTo='' + local queryCertFilter="(&(&(|(x509Cert.subject=*E=$usermail,*)(x509Cert.subject=*E=$usermail))))" + local subjectInUse='on' + local eMail="$usermail" + local commonName='' + local userID='' + local orgUnit='' + local org='' + local locality='' + local state='' + local country='' + local match='exact' + local revokedBy='' + local revokedOnInUse='' + local revokedOnFrom='' + local revokedOnTo='' + local revocationReasonInUse='' + local revocationReason='' + local issuedByInUse='' + local issuedBy='' + local issuedOnInUse='' + local issuedOnFrom='' + local issuedOnTo='' + local validNotBeforeInUse='' + local validNotBeforeFrom='' + local validNotBeforeTo='' + local validNotAfterInUse='' + local validNotAfterFrom='' + local validNotAfterTo='' + local validityLengthInUse='' + local validityOp='' + local count='' + local unit="2592000000" + local certTypeInUse='' + local SubordinateEmailCA='' + local SubordinateSSLCA='' + local SecureEmail='' + local SSLClient='' + local SSLServer='' + local maxResults='10' + local timeLimit='5' + rlLog "curl --basic --dump-header $admin_out -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedOnInUse=$revokedOnInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/ee/ca/srchCerts > $TmpDir/$test_out" 0 "Search Certificate with subject DN containing $usermail" + rlRun "curl --basic --dump-header $admin_out -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedOnInUse=$revokedOnInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/ee/ca/srchCerts > $TmpDir/$test_out" 0 "Search Certificate with subject DN containing $usermail" + rlAssertGrep "record.subject=\"$cert_requestdn\"" "$TmpDir/$test_out" + local no_of_records=$(cat $TmpDir/$test_out | grep "record.subject=" | wc -l) + rlAssertEquals "Verify No of records displayed is equal to 1" $no_of_records 1 + rlAssertGrep "record.serialNumber=\"$serial_number_without_hex_lower\"" "$TmpDir/$test_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-retrieval-0010: CA Cert Retrieval - Search certs with subject Name matching userID(method=exact)" + local test_out=srcCerts.txt + local op=srchCerts + local serialNumberRangeInUse='' + local serialFrom='' + local serialTo='' + local queryCertFilter="(&(&(|(x509Cert.subject=*UID=$userid,*)(x509Cert.subject=*UID=$userid))))" + local subjectInUse='on' + local eMail='' + local commonName='' + local userID="$userid" + local orgUnit='' + local org='' + local locality='' + local state='' + local country='' + local match='exact' + local revokedBy='' + local revokedOnInUse='' + local revokedOnFrom='' + local revokedOnTo='' + local revocationReasonInUse='' + local revocationReason='' + local issuedByInUse='' + local issuedBy='' + local issuedOnInUse='' + local issuedOnFrom='' + local issuedOnTo='' + local validNotBeforeInUse='' + local validNotBeforeFrom='' + local validNotBeforeTo='' + local validNotAfterInUse='' + local validNotAfterFrom='' + local validNotAfterTo='' + local validityLengthInUse='' + local validityOp='' + local count='' + local unit="2592000000" + local certTypeInUse='' + local SubordinateEmailCA='' + local SubordinateSSLCA='' + local SecureEmail='' + local SSLClient='' + local SSLServer='' + local maxResults='10' + local timeLimit='5' + rlLog "curl --basic --dump-header $admin_out -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedOnInUse=$revokedOnInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/ee/ca/srchCerts > $TmpDir/$test_out" 0 "Search Certificate with subject DN containing $usermail" + rlRun "curl --basic --dump-header $admin_out -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedOnInUse=$revokedOnInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/ee/ca/srchCerts > $TmpDir/$test_out" 0 "Search Certificate with subject DN containing $userid" + local no_of_records=$(cat $TmpDir/$test_out | grep "record.subject=" | wc -l) + rlAssertGrep "record.subject=\"$cert_requestdn\"" "$TmpDir/$test_out" + rlAssertEquals "Verify No of records displayed is equal to 1" $no_of_records 1 + rlAssertGrep "record.serialNumber=\"$serial_number_without_hex_lower\"" "$TmpDir/$test_out" + rlPhaseEnd + + + rlPhaseStartTest "pki_subca_ee-retrieval-0011: CA Cert Retrieval - Search revoked certs with revoked by valid agent" + local test_out=srcCerts.txt + local op=srchCerts + local serialNumberRangeInUse='' + local serialFrom='' + local serialTo='' + local queryCertFilter="(&(certRevokedBy=$valid_agent_cert))" + local subjectInUse='' + local eMail='' + local commonName='' + local userID='' + local orgUnit='' + local org='' + local locality='' + local state='' + local country='' + local match='partial' + local revokedBy="$valid_agent_cert" + local revokedOnInUse='' + local revokedByInUse='on' + local revokedOnFrom='' + local revokedOnTo='' + local revocationReasonInUse='' + local revocationReason='' + local issuedByInUse='' + local issuedBy='' + local issuedOnInUse='' + local issuedOnFrom='' + local issuedOnTo='' + local validNotBeforeInUse='' + local validNotBeforeFrom='' + local validNotBeforeTo='' + local validNotAfterInUse='' + local validNotAfterFrom='' + local validNotAfterTo='' + local validityLengthInUse='' + local validityOp='' + local count='' + local unit="2592000000" + local certTypeInUse='' + local SubordinateEmailCA='' + local SubordinateSSLCA='' + local SecureEmail='' + local SSLClient='' + local SSLServer='' + local maxResults='10' + local timeLimit='5' + rlLog "curl --basic --dump-header $admin_out -d \"op=$op&queryCertFilter=(&(certRevokedBy=ROOTCA_agentV))&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedOnInUse=$revokedOnInUse&revokedByInUse=$revokedByInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/ee/ca/srchCerts > $TmpDir/$test_out" 0 "Search certs revoked by $valid_agent_cert" + rlRun "curl --basic --dump-header $admin_out -d \"op=$op&queryCertFilter=(&(certRevokedBy=ROOTCA_agentV))&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedOnInUse=$revokedOnInUse&revokedByInUse=$revokedByInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/ee/ca/srchCerts > $TmpDir/$test_out" 0 "Search certs revoked by $valid_agent_cert" + local no_of_records=$(cat $TmpDir/$test_out | grep "record.subject=" | wc -l) + rlAssertGrep "record.revokedBy=\"$valid_agent_cert\"" "$TmpDir/$test_out" + rlAssertGreater "Verify No of records displayed is greater than 3" $no_of_records 3 + rlPhaseEnd + + + rlPhaseStartTest "pki_subca_ee-retrieval-0012: CA Cert Retrieval - Search revoked certs with revoked by reason Unspecified" + local op=srchCerts + local serialNumberRangeInUse='' + local serialFrom='' + local serialTo='' + local queryCertFilter="(&(x509cert.certRevoInfo=0))" + local subjectInUse='' + local eMail='' + local commonName='' + local userID='' + local orgUnit='' + local org='' + local locality='' + local state='' + local country='' + local match='partial' + local revokedBy="" + local revokedOnInUse='' + local revokedByInUse='' + local revokedOnFrom='' + local revokedOnTo='' + local revocationReasonInUse='on' + local revocationReason='0' + local issuedByInUse='' + local issuedBy='' + local issuedOnInUse='' + local issuedOnFrom='' + local issuedOnTo='' + local validNotBeforeInUse='' + local validNotBeforeFrom='' + local validNotBeforeTo='' + local validNotAfterInUse='' + local validNotAfterFrom='' + local validNotAfterTo='' + local validityLengthInUse='' + local validityOp='<=' + local count='' + local unit="2592000000" + local certTypeInUse='' + local SubordinateEmailCA='' + local SubordinateSSLCA='' + local SecureEmail='' + local SSLClient='' + local SSLServer='' + local maxResults='10' + local timeLimit='5' + rlLog "curl --basic --dump-header $admin_out -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedOnInUse=$revokedOnInUse&revokedByInUse=$revokedByInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/ee/ca/srchCerts > $TmpDir/$test_out" 0 "Search certs revoked by $valid_agent_cert" + rlRun "curl --basic --dump-header $admin_out -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedOnInUse=$revokedOnInUse&revokedByInUse=$revokedByInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/ee/ca/srchCerts > $TmpDir/$test_out" 0 "Search certs revoked by $valid_agent_cert" + local no_of_records=$(cat $TmpDir/$test_out | grep "record.subject=" | wc -l) + rlAssertGrep "record.revokedBy=\"$valid_agent_cert\"" "$TmpDir/$test_out" + rlAssertGreater "Verify No of records displayed is greater than 3" $no_of_records 3 + rlPhaseEnd + + + + rlPhaseStartSetup "Generate a user cert and revoke with reason Key compromised" + local request_type=pkcs10 + local request_key_type=rsa + local request_key_size=1024 + local profile=caUserCert + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local userid="fooUser$RANDOM" + local usercn="fooUser$RANDOM" + local phone="1234-$RANDOM" + local usermail="$userid@example.org" + local test_out=ca-$profile-test.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$usercn\" \ + subject_uid:$userid \ + subject_email:$usermail \ + subject_ou:IDM \ + subject_organization:RedHat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $admin_out \ + -d \"profileId=$profile&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$usercn&sn_e=$usermail&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$useremail&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/$test_out" 0 "Submit Certificate request to $profile" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertNotGrep "Sorry, your request has been rejected" "$admin_out" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "request_id=$request_id" + rlLog "Approve $request_id using $valid_agent_cert" + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=$cert_requestdn¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/$test_out" 0 "Submit Certificare request" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + local serial_number=$(cat -v $TmpDir/$test_out | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + local serial_number_without_hex=$(echo $serial_number | cut -dx -f2) + local serial_number_without_hex_lower=${serial_number_without_hex,,} + rlLog "serial_number=$serial_number" + rlRun "verify_cert \"$serial_number\" \"$cert_requestdn\"" 0 "Verify cert" + local STRIP_HEX=$(echo $serial_number | cut -dx -f2) + local serial=$STRIP_HEX + local CONV_UPP_VAL=${STRIP_HEX^^} + local decimal_serial_number=$(echo "ibase=16;$CONV_UPP_VAL"|bc) + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local revocationReason="1" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"$serial=on&day=0&month=$Month&year=0&revocationReason=$revocationReason&csrRequestorComments=&submit=Submit&op=doRevoke&templateType=RevocationSuccess&serialNumber=$serial&revokeAll=(|(certRecordId=$decimal_serial_number))&totalRecordCount=1&verifiedRecordCount=1&invalidityDate=0\" -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/doRevoke\" > $TmpDir/$test_out" 0 "Revoke cert with serial Number $serial_number" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $admin_out \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"$serial=on&day=0&month=$Month&year=0&revocationReason=$revocationReason&csrRequestorComments=&submit=Submit&op=doRevoke&templateType=RevocationSuccess&serialNumber=$serial&revokeAll=(|(certRecordId=$decimal_serial_number))&totalRecordCount=1&verifiedRecordCount=1&invalidityDate=0\" -k \"https://$tmp_ca_host:$target_secure_port/ca/agent/ca/doRevoke\" > $TmpDir/$test_out" 0 "Revoke cert with serial Number $serial_number" + rlAssertGrep "header.revoked = \"yes\"" "$TmpDir/$test_out" + rlAssertGrep "header.error = null" "$TmpDir/$test_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-retrieval-0013: CA Cert Retrieval - Search revoked certs with revoked by reason Unspecified & key compromise" + local op=srchCerts + local serialNumberRangeInUse='' + local serialFrom='' + local serialTo='' + local queryCertFilter="(&(|(x509cert.certRevoInfo=0)(x509cert.certRevoInfo=1)))" + local subjectInUse='' + local eMail='' + local commonName='' + local userID='' + local orgUnit='' + local org='' + local locality='' + local state='' + local country='' + local match='partial' + local revokedBy="" + local revokedOnInUse='' + local revokedByInUse='' + local revokedOnFrom='' + local revokedOnTo='' + local revocationReasonInUse='on' + local revocationReason='0,1' + local issuedByInUse='' + local issuedBy='' + local issuedOnInUse='' + local issuedOnFrom='' + local issuedOnTo='' + local validNotBeforeInUse='' + local validNotBeforeFrom='' + local validNotBeforeTo='' + local validNotAfterInUse='' + local validNotAfterFrom='' + local validNotAfterTo='' + local validityLengthInUse='' + local validityOp='<=' + local count='' + local unit="2592000000" + local certTypeInUse='' + local SubordinateEmailCA='' + local SubordinateSSLCA='' + local SecureEmail='' + local SSLClient='' + local SSLServer='' + local maxResults='1000' + local timeLimit='5' + rlLog "curl --basic --dump-header $admin_out -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedOnInUse=$revokedOnInUse&revokedByInUse=$revokedByInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/ee/ca/srchCerts > $TmpDir/$test_out" 0 "Search certs revoked by $valid_agent_cert" + rlRun "curl --basic --dump-header $admin_out -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedOnInUse=$revokedOnInUse&revokedByInUse=$revokedByInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/ee/ca/srchCerts > $TmpDir/$test_out" 0 "Search certs revoked by $valid_agent_cert" + rlAssertGrep "record.revocationReason=0" "$TmpDir/$test_out" + rlAssertGrep "record.revocationReason=1" "$TmpDir/$test_out" + rlAssertNotGrep "record.revocationReason=2" "$TmpDir/$test_out" + rlAssertNotGrep "record.revocationReason=3" "$TmpDir/$test_out" + rlAssertNotGrep "record.revocationReason=4" "$TmpDir/$test_out" + rlAssertNotGrep "record.revocationReason=5" "$TmpDir/$test_out" + rlAssertNotGrep "record.revocationReason=6" "$TmpDir/$test_out" + local no_of_records=$(cat $TmpDir/$test_out | grep "record.subject=" | wc -l) + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-retrieval-0014: CA Cert Retrieval - Search certs issued by Valid agent cert" + local op=srchCerts + local serialNumberRangeInUse='' + local serialFrom='' + local serialTo='' + local queryCertFilter="(&(certIssuedBy=$valid_agent_cert))" + local subjectInUse='' + local eMail='' + local commonName='' + local userID='' + local orgUnit='' + local org='' + local locality='' + local state='' + local country='' + local match='partial' + local revokedBy="" + local revokedOnInUse='' + local revokedByInUse='' + local revokedOnFrom='' + local revokedOnTo='' + local revocationReasonInUse='' + local revocationReason='' + local issuedByInUse='on' + local issuedBy='' + local issuedOnInUse='' + local issuedOnFrom='' + local issuedOnTo='' + local validNotBeforeInUse='' + local validNotBeforeFrom='' + local validNotBeforeTo='' + local validNotAfterInUse='' + local validNotAfterFrom='' + local validNotAfterTo='' + local validityLengthInUse='' + local validityOp='<=' + local count='' + local unit="2592000000" + local certTypeInUse='' + local SubordinateEmailCA='' + local SubordinateSSLCA='' + local SecureEmail='' + local SSLClient='' + local SSLServer='' + local maxResults='1000' + local timeLimit='5' + rlLog "curl --basic --dump-header $admin_out -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedOnInUse=$revokedOnInUse&revokedByInUse=$revokedByInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/ee/ca/srchCerts > $TmpDir/$test_out" 0 "Search certs revoked by $valid_agent_cert" + rlRun "curl --basic --dump-header $admin_out -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedOnInUse=$revokedOnInUse&revokedByInUse=$revokedByInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/ee/ca/srchCerts > $TmpDir/$test_out" 0 "Search certs revoked by $valid_agent_cert" + local no_of_records=$(cat $TmpDir/$test_out | grep "record.issuedBy=\"$valid_agent_cert\"" | wc -l) + rlAssertGrep "record.issuedBy=\"$valid_agent_cert\"" "$TmpDir/$test_out" + rlAssertGreater "Verify No of records displayed is greater than 10" $no_of_records 10 + rlPhaseEnd + + rlPhaseStartSetup "Create custom user profile which is valid for 15 days" + local profile="caUserCert$RANDOM" + local pki_user="pki_foo_bar2" + local pki_user_fullName="pki1 Foo Bar2" + local profilename="$profile Enrollment Profile" + rlRun "python -m PkiLib.pkiprofilecli \ + --new user --profileId "$profile" \ + --profilename=\"$profilename\" \ + --notBefore 5 \ + --notAfter 5 \ + --validfor 15 \ + --maxvalidity 30 \ + --outputfile $TmpDir/$profile\.xml" + rlLog "Add $profile" + rlRun "pki -h $tmp_ca_host \ + -p $tmp_ca_port \ + -d $CERTDB_DIR \ + -c $CERTDB_DIR_PASSWORD \ + -n $valid_admin_cert \ + ca-profile-add $TmpDir/$profile\.xml > $ca_profile_out" + rlAssertGrep "Added profile $profile" "$ca_profile_out" + rlLog "Enable $profile" + rlRun "pki -h $tmp_ca_host \ + -p $tmp_ca_port \ + -d $CERTDB_DIR \ + -c $CERTDB_DIR_PASSWORD \ + -n $valid_agent_cert \ + ca-profile-enable $profile > $ca_profile_out" + rlLog "Verify by creating a user cert using the profile" + rlAssertGrep "Enabled profile \"$profile\"" "$ca_profile_out" + rlRun "generate_new_cert tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_pwd:$TEMP_NSS_DB_PWD \ + myreq_type:pkcs10 \ + algo:rsa \ + key_size:2048 \ + subject_cn:\"$pki_user_fullName\" \ + subject_uid:$pki_user \ + subject_email:$pki_user@example.org \ + subject_ou: \ + subject_o: \ + subject_c: \ + archive:false \ + req_profile:$profile \ + target_host:$tmp_ca_host \ + protocol: \ + port:$tmp_ca_port \ + cert_db_dir:$CERTDB_DIR \ + cert_db_pwd:$CERTDB_DIR_PASSWORD \ + certdb_nick:$valid_agent_cert \ + cert_info:$cert_info" + local cert_serialNumber=$(cat $cert_info| grep cert_serialNumber | cut -d- -f2) + local cert_subject=$(cat $cert_info | grep cert_subject | cut -d- -f2) + local NotAfterDate=$(date +"%A, %B %d, %Y" --date "15 days") + rlRun "pki -h $tmp_ca_host -p $tmp_ca_port cert-show $cert_serialNumber --pretty > $cert_out" + rlAssertGrep "Serial Number: $cert_serialNumber" "$cert_out" + rlAssertGrep "Issuer: CN=PKI $SUBCA_INST Signing Cert,O=redhat" "$cert_out" + rlAssertGrep "Subject: $cert_subject" "$cert_out" + rlAssertGrep "Status: VALID" "$cert_out" + rlAssertGrep "Not After: $NotAfterDate" "$cert_out" + + rlPhaseStartTest "pki_subca_ee-retrieval-0015: CA Cert Retrieval - Search certs with a validity period of 15 days" + local op=srchCerts + local serialNumberRangeInUse='' + local serialFrom='' + local serialTo='' + local queryCertFilter="(&(x509cert.duration<=1296000000))" + local subjectInUse='' + local eMail='' + local commonName='' + local userID='' + local orgUnit='' + local org='' + local locality='' + local state='' + local country='' + local match='partial' + local revokedBy="" + local revokedOnInUse='' + local revokedByInUse='' + local revokedOnFrom='' + local revokedOnTo='' + local revocationReasonInUse='' + local revocationReason='' + local issuedByInUse='' + local issuedBy='' + local issuedOnInUse='' + local issuedOnFrom='' + local issuedOnTo='' + local validNotBeforeInUse='' + local validNotBeforeFrom='' + local validNotBeforeTo='' + local validNotAfterInUse='' + local validNotAfterFrom='' + local validNotAfterTo='' + local validityLengthInUse='on' + local validityOp='<=' + local count='15' + local unit="86400000" + local certTypeInUse='' + local SubordinateEmailCA='' + local SubordinateSSLCA='' + local SecureEmail='' + local SSLClient='' + local SSLServer='' + local maxResults='1000' + local timeLimit='5' + rlLog "curl --basic --dump-header $admin_out -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedOnInUse=$revokedOnInUse&revokedByInUse=$revokedByInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/ee/ca/srchCerts > $TmpDir/$test_out" 0 "Search certs revoked by $valid_agent_cert" + rlRun "curl --basic --dump-header $admin_out -d \"op=$op&queryCertFilter=$queryCertFilter&serialNumberRangeInUse=$serialNumberRangeInUse&serialFrom=$serialFrom&serialTo=$serialTo&subjectInUse=$subjectInUse&eMail=$eMail&commonName=$commonName&userID=$userID&orgUnit=$orgUnit&org=$org&locality=$locality&state=$state&country=$country&match=$match&revokedBy=$revokedBy&revokedOnInUse=$revokedOnInUse&revokedByInUse=$revokedByInUse&revokedOnFrom=$revokedOnFrom&revokedOnTo=$revokedOnTo&revocationReasonInUse=$revocationReasonInUse&revocationReason=$revocationReason&issuedByInUse=$issuedByInUse&issuedBy=$issuedBy&issuedOnInUse=$issuedOnInUse&issuedOnFrom=$issuedOnFrom&issuedOnTo=$issuedOnTo&validNotBeforeInUse=$validNotBeforeInUse&validNotBeforeFrom=$validNotBeforeFrom&validNotBeforeTo=$validNotBeforeTo&validNotAfterInUse=$validNotAfterInUse&validNotAfterFrom=$validNotAfterFrom&validNotAfterTo=$validNotAfterTo&validityLengthInUse=$validityLengthInUse&validityOp=$validityOp&count=$count&unit=$unit&certTypeInUse=$certTypeInUse&SubordinateEmailCA=$SubordinateEmailCA&SubordinateSSLCA=$SubordinateSSLCA&SecureEmail=$SecureEmail&SSLClient=$SSLClient&SSLServer=$SSLServer&maxResults=$maxResults&timeLimit=$timeLimit\" -k https://$tmp_ca_host:$target_secure_port/ca/ee/ca/srchCerts > $TmpDir/$test_out" 0 "Search certs revoked by $valid_agent_cert with a validity period of 15 days" + local no_of_records=$(cat $TmpDir/$test_out | grep "record.issuedBy=\"$valid_agent_cert\"" | wc -l) + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlAssertGrep "record.subject=\"$cert_subject\"" "$TmpDir/$test_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-retrieval-0015: CA Cert Retrieval - Import CA Certificate chain" + local op='download' + local mimetype='application/x-x509-ca-cert' + local test_out=cacert.out + rlLog "curl --basic --dump-header $admin_out -d \"op=$op&mimeType=$mimetype&submit=Submit\" -k https://$tmp_ca_host:$target_secure_port/ca/ee/ca/getCAChain 1> $TmpDir/$test_out" + rlRun "curl --basic --dump-header $admin_out -d \"op=$op&mimeType=$mimetype&submit=Submit\" -k https://$tmp_ca_host:$target_secure_port/ca/ee/ca/getCAChain 1> $TmpDir/$test_out" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-retrieval-0016: CA Cert Retrieval - Download CA certificate in binary format" + local op='downloadBin' + local mimetype='application/x-x509-ca-cert' + local test_out=cacert.out + rlLog "curl --basic --dump-header $admin_out -d \"op=$op&mimeType=$mimetype&submit=Submit\" -k https://$tmp_ca_host:$target_secure_port/ca/ee/ca/getCAChain 1> $TmpDir/$test_out" + rlRun "curl --basic --dump-header $admin_out -d \"op=$op&mimeType=$mimetype&submit=Submit\" -k https://$tmp_ca_host:$target_secure_port/ca/ee/ca/getCAChain 1> $TmpDir/$test_out" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_ee-retrieval-0017: CA Cert Retrieval - Import latest CRL" + local crlIssuingPoint='MasterCRL' + local certSerialNumber='' + local op='importCRL' + local crlDisplayType='cachedCRL' + local pageStart='1' + local pageSize='50' + local submit='Submit' + local test_out='crl.out' + rlLog "curl --basic --dump-header $admin_out -d \"crlIssuingPoint=$crlIssuingPoint&certSerialNumber=$certSerialNumber&op=$op&crlDisplayType=$crlDisplayType&pageStart=$pageStart&pageSize=$pageSize&submit=$submit\" -k https://$tmp_ca_host:$target_secure_port/ca/ee/ca/getCRL 1> $TmpDir/$test_out" + rlRun "curl --basic --dump-header $admin_out -d \"crlIssuingPoint=$crlIssuingPoint&certSerialNumber=$certSerialNumber&op=$op&crlDisplayType=$crlDisplayType&pageStart=$pageStart&pageSize=$pageSize&submit=$submit\" -k https://$tmp_ca_host:$target_secure_port/ca/ee/ca/getCRL 1> $TmpDir/$test_out" + rlAssertGrep "HTTP/1.1 200 OK" "$admin_out" + rlPhaseEnd + + rlPhaseStartCleanup "Delete Temporary Directory and enable nonce" + rlRun "popd" + rlRun "rm -r $TmpDir" 0 "Removing tmp directory" + enable_ca_nonce $tomcat_name + rlPhaseEnd + +} +verify_cert() +{ + local serial_number=$1 + local request_dn=$2 + STRIP_HEX=$(echo $serial_number | cut -dx -f2) + CONV_LOW_VAL=${STRIP_HEX,,} + rlRun "pki -h $tmp_ca_host -p $target_unsecure_port cert-show $serial_number > $cert_show_out" 0 "Executing pki cert-show $serial_number" + rlAssertGrep "Serial Number: 0x$CONV_LOW_VAL" "$cert_show_out" + rlAssertGrep "Issuer: CN=PKI $SUBCA_INST Signing Certificate,O=redhat" "$cert_show_out" + rlAssertGrep "Subject: $request_dn" "$cert_show_out" + rlAssertGrep "Status: VALID" "$cert_show_out" +} diff --git a/tests/dogtag/acceptance/legacy/subca-tests/logs/subca-ad-logs.sh b/tests/dogtag/acceptance/legacy/subca-tests/logs/subca-ad-logs.sh new file mode 100755 index 000000000..9d3303782 --- /dev/null +++ b/tests/dogtag/acceptance/legacy/subca-tests/logs/subca-ad-logs.sh @@ -0,0 +1,201 @@ +#!/bin/bash +# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/rhcs/acceptance/legacy/subca-tests/subca-ad-logs +# Description: Subordinate CA Ad logs +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# The following legacy test needs be tested: +# subca-ad-tests +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Author: Niranjan Mallapadi +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2013 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include rhts environment +. /usr/bin/rhts-environment.sh +. /usr/share/beakerlib/beakerlib.sh +. /opt/rhqa_pki/rhcs-shared.sh +. /opt/rhqa_pki/pki-cert-cli-lib.sh +. /opt/rhqa_pki/env.sh + +run_admin-subca-log_tests() +{ + # Creating Temporary Directory + rlPhaseStartSetup "Create Temporary Directory" + rlRun "TmpDir=\`mktemp -d\`" 0 "Creating tmp directory" + rlRun "pushd $TmpDir" + rlRun "export PYTHONPATH=$PYTHONPATH:/opt/rhqa_pki/" + rlPhaseEnd + + # Local Variables + local cs_Type=$1 + local cs_Role=$2 + get_topo_stack $cs_Role $TmpDir/topo_file + if [ $cs_Role="MASTER" ]; then + SUBCA_INST=$(cat $TmpDir/topo_file | grep MY_SUBCA | cut -d= -f2) + elif [ $cs_Role="SUBCA2" || $cs_Role="SUBCA1" ]; then + SUBCA_INST=$(cat $TmpDir/topo_file | grep MY_CA | cut -d= -f2) + fi + local tomcat_name=$(eval echo \$${SUBCA_INST}_TOMCAT_INSTANCE_NAME) + local target_unsecure_port=$(eval echo \$${SUBCA_INST}_UNSECURE_PORT) + local target_secure_port=$(eval echo \$${SUBCA_INST}_SECURE_PORT) + local tmp_ca_port=$(eval echo \$${SUBCA_INST}_UNSECURE_PORT) + local tmp_ca_host=$(eval echo \$${cs_Role}) + local valid_agent_cert=$SUBCA_INST\_agentV + local valid_audit_cert=$SUBCA_INST\_auditV + local valid_operator_cert=$SUBCA_INST\_operatorV + local valid_admin_cert=$SUBCA_INST\_adminV + local valid_admin_user=$SUBCA_INST\_adminV + local valid_admin_pwd=$SUBCA_INST\_adminV_password + local valid_agent_user=$SUBCA_INST\_agentV + local valid_agent_pwd=$SUBCA_INST\_agentV_password + local valid_audit_user=$SUBCA_INST\_auditV + local valid_audit_pwd=$SUBCA_INST\_auditV_password + local valid_operator_user=$SUBCA_INST\_operatorV + local valid_operator_pwd=$SUBCA_INST\_operatorV_password + local cert_find_info="$TmpDir/cert_find_info" + local PKIDAEMON_STATUS="$TmpDir/pkidaemon-status" + local admin_out="$TmpDir/admin_out" + local TEMP_NSS_DB="$TmpDir/nssdb" + local TEMP_NSS_DB_PWD="redhat" + local cert_info="$TmpDir/cert_info" + local ca_profile_out="$TmpDir/ca-profile-out" + local cert_out="$TmpDir/cert-show.out" + local rand=$RANDOM + local tmp_junk_data=$(openssl rand -base64 50 | perl -p -e 's/\n//') + local SSL_DIR=$CERTDB_DIR + + + rlPhaseStartTest "pki_console_log-001: SUBCA Admin Interface - Add a new log file" + rlLog "Create a new log of type system" + local logfile=log$RANDOM + local level=0 + local rolloverinterval=1 + local logtype="system" + local flushinterval=5 + local filename=/tmp/$logfile + local logenable="True" + local signedAuditCertNickname="caauditsigningcert" + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=logRule&RS_ID=$logfile&unselected.events=&level=$level&rolloverInterval=$rolloverinterval&flushInterval=$flushinterval&mandatory.events=&bufferSize=512&maxFileSize=2000&fileName=$filename&enable=$logenable&signedAuditCertNickname=$signedAuditCertNickname&implName=file&type=$logtype&logSigning=true&events=&RULENAME=$logfile\" -k https://$tmp_ca_host:$target_secure_port/ca/log >> $admin_out" 0 "Create $logfile file of type $logtype" + rlLog "List all logs" + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=logRule\" -k https://$tmp_ca_host:$target_secure_port/ca/log > $admin_out" 0 "List all logs configured" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$logfile=file:visible" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_log-002: SUBCA Admin Interface - List all logs" + rlLog "List all logs" + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=logRule\" -k https://$tmp_ca_host:$target_secure_port/ca/log > $admin_out" 0 "List all logs configured" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "Transactions=file:visible" "$admin_out" + rlAssertGrep "SignedAudit=file:visible" "$admin_out" + rlAssertGrep "System=file:visible" "$admin_out" + rlAssertGrep "$logfile=file:visible" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_log-003: SUBCA Admin Interface - Edit log file configuration" + local level=0 + local rolloverinterval=1 + local logtype="system" + local flushinterval=5 + local filename=/tmp/$logfile + local logenable="false" + local maxfilesize=3000 + local buffersize=512 + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_MODIFY&OP_SCOPE=logRule&RS_ID=$logfile&level=$level&rolloverInterval=$rolloverinterval&flushInterval=$flushinterval&bufferSize=$buffersize&maxFileSize=$maxfilesize&fileName=$filename&enable=$logenable&implName=file&type=$logtype&RULENAME=$logfile\" -k https://$tmp_ca_host:$target_secure_port/ca/log >> $admin_out" 0 "Modify $logfile file" + rlLog "Changes require restart of CA instance" + rlRun "rhcs_stop_instance $tomcat_name" + rlRun "rhcs_start_instance $tomcat_name" + rlLog "Read $logfile and verify values are updated" + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=logRule&RS_ID=$logfile\" -k https://$tmp_ca_host:$target_secure_port/ca/log > $admin_out" 0 "Read $logfile file" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "maxFileSize=$maxfilesize" "$admin_out" + rlAssertGrep "enable=$logenable" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_log-004: SUBCA Admin Interface - View log file" + rlLog "Read $logfile" + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=logRule&RS_ID=$logfile\" -k https://$tmp_ca_host:$target_secure_port/ca/log > $admin_out" 0 "Read $logfile file" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "implName=file" "$admin_out" + rlAssertGrep "type=$logtype" "$admin_out" + rlAssertGrep "enable=$logenable" "$admin_out" + rlAssertGrep "level=Debug" "$admin_out" + rlAssertGrep "bufferSize=$buffersize" "$admin_out" + rlAssertGrep "maxFileSize=$maxfilesize" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_log-005: SUBCA Admin Interface - Delete log file" + rlLog "Delete log $logfile file" + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=logRule&RS_ID=$logfile\" -k https://$tmp_ca_host:$target_secure_port/ca/log > $admin_out" 0 "Read $logfile file" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlLog "List all logs" + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=logRule\" -k https://$tmp_ca_host:$target_secure_port/ca/log > $admin_out" 0 "List all logs configured" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "Transactions=file:visible" "$admin_out" + rlAssertGrep "SignedAudit=file:visible" "$admin_out" + rlAssertGrep "System=file:visible" "$admin_out" + rlAssertNotGrep "$logfile=file:visible" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_log-006: SUBCA Admin Interface - Adding a log file with agent privileges should fail" + local logfile=log$RANDOM + local level=0 + local rolloverinterval=1 + local logtype="system" + local flushinterval=5 + local filename=/tmp/$logfile + local logenable="True" + local signedAuditCertNickname="caauditsigningcert" + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_agent_user:$valid_agent_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=logRule&RS_ID=$logfile&unselected.events=&level=$level&rolloverInterval=$rolloverinterval&flushInterval=$flushinterval&mandatory.events=&bufferSize=512&maxFileSize=2000&fileName=$filename&enable=$logenable&signedAuditCertNickname=$signedAuditCertNickname&implName=file&type=$logtype&logSigning=true&events=&RULENAME=$logfile\" -k https://$tmp_ca_host:$target_secure_port/ca/log > $admin_out" 0 "Create $logfile file of type $logtype" + rlAssertGrep "You are not authorized to perform this operation" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_log-007: SUBCA Admin Interface - Adding a log file with audit privileges should fail" + local logfile=log$RANDOM + local level=0 + local rolloverinterval=1 + local logtype="system" + local flushinterval=5 + local filename=/tmp/$logfile + local logenable="True" + local signedAuditCertNickname="caauditsigningcert" + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_audit_user:$valid_audit_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=logRule&RS_ID=$logfile&unselected.events=&level=$level&rolloverInterval=$rolloverinterval&flushInterval=$flushinterval&mandatory.events=&bufferSize=512&maxFileSize=2000&fileName=$filename&enable=$logenable&signedAuditCertNickname=$signedAuditCertNickname&implName=file&type=$logtype&logSigning=true&events=&RULENAME=$logfile\" -k https://$tmp_ca_host:$target_secure_port/ca/log > $admin_out" 0 "Create $logfile file of type $logtype" + rlAssertGrep "You are not authorized to perform this operation" "$admin_out" + rlPhaseEnd + + rlPhaseStartCleanup "Delete Temporary Directory" + rlRun "popd" + rlRun "rm -r $TmpDir" 0 "Removing tmp directory" + rlPhaseEnd +} diff --git a/tests/dogtag/acceptance/legacy/subca-tests/profiles/subca-ad-profiles.sh b/tests/dogtag/acceptance/legacy/subca-tests/profiles/subca-ad-profiles.sh new file mode 100755 index 000000000..2c70ba911 --- /dev/null +++ b/tests/dogtag/acceptance/legacy/subca-tests/profiles/subca-ad-profiles.sh @@ -0,0 +1,1607 @@ +#!/bin/bash +# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/rhcs/acceptance/cli-tests/pki-ca-profile-cli +# Description: PKI CA PROFILE CLI tests +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# The following pki key cli commands needs to be tested: +# pki ca-profile-add +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Author: Niranjan Mallapadi +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2013 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include rhts environment +. /usr/bin/rhts-environment.sh +. /usr/share/beakerlib/beakerlib.sh +. /opt/rhqa_pki/rhcs-shared.sh +. /opt/rhqa_pki/pki-cert-cli-lib.sh +. /opt/rhqa_pki/env.sh + +run_admin-subca-profile_tests() +{ + # Creating Temporary Directory + rlPhaseStartSetup "Create Temporary Directory" + rlRun "TmpDir=\`mktemp -d\`" 0 "Creating tmp directory" + rlRun "pushd $TmpDir" + rlRun "export PYTHONPATH=$PYTHONPATH:/opt/rhqa_pki/" + rlPhaseEnd + + # Local Variables + local cs_Type=$1 + local cs_Role=$2 + get_topo_stack $cs_Role $TmpDir/topo_file + if [ $cs_Role="MASTER" ]; then + SUBCA_INST=$(cat $TmpDir/topo_file | grep MY_SUBCA | cut -d= -f2) + elif [ $cs_Role="SUBCA2" || $cs_Role="SUBCA1" ]; then + SUBCA_INST=$(cat $TmpDir/topo_file | grep MY_CA | cut -d= -f2) + fi + local tomcat_name=$(eval echo \$${SUBCA_INST}_TOMCAT_INSTANCE_NAME) + local target_unsecure_port=$(eval echo \$${SUBCA_INST}_UNSECURE_PORT) + local target_secure_port=$(eval echo \$${SUBCA_INST}_SECURE_PORT) + local tmp_ca_agent=$SUBCA_INST\_agentV + local tmp_ca_admin=$SUBCA_INST\_adminV + local tmp_ca_port=$(eval echo \$${SUBCA_INST}_UNSECURE_PORT) + local tmp_ca_host=$(eval echo \$${cs_Role}) + local valid_agent_user=$SUBCA_INST\_agentV + local valid_agent_cert=$SUBCA_INST\_agentV + local valid_audit_user=$SUBCA_INST\_auditV + local valid_operator_user=$SUBCA_INST\_operatorV + local valid_admin_user=$SUBCA_INST\_adminV + local valid_admin_cert=$SUBCA_INST\_adminV + local cert_find_info="$TmpDir/cert_find_info" + local valid_admin_pwd=$SUBCA_INST\_adminV_password + local valid_agent_pwd=$SUBCA_INST\_agentV_password + local valid_audit_pwd=$SUBCA_INST\_auditV_password + local valid_operator_pwd=$SUBCA_INST\_operatorV_password + local admin_out="$TmpDir/admin_out" + local TEMP_NSS_DB="$TmpDir/nssdb" + local TEMP_NSS_DB_PWD="redhat" + local cert_info="$TmpDir/cert_info" + local ca_profile_out="$TmpDir/ca-profile-out" + local cert_out="$TmpDir/cert-show.out" + local rand=$RANDOM + local tmp_junk_data=$(openssl rand -base64 50 | perl -p -e 's/\n//') + local SSL_DIR=$CERTDB_DIR + + rlPhaseStartTest "pki_console_profile-001: SUBCA - Admin Interface - list all profiles" + rlLog "List all Profiles" + local default_profiles=(caUserCert caECUserCert caUserSMIMEcapCert caDualCert caECDualCert AdminCert caSignedLogCert caTPSCert caRARouterCert caRouterCert caServerCert caSubsystemCert caStorageCert) + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=rules&\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile >> $admin_out" 0 "List all defaul Profiles" + for i in ${default_profiles[@]}; do + rlAssertGrep "$i" "$admin_out" + done + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-002: SUBCA - Admin Interface - View Profile Details" + local profile="caUserSMIMEcapCert" + rlLog "View Profile Details $profile" + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=policies&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "View details of Profile $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlLog "Verify Policy & Constraints" + rlAssertGrep "SubjectNameDefault:SubjectNameConstraint" "$admin_out" + rlAssertGrep "NoDefault:RenewalGracePeriodConstraint" "$admin_out" + rlAssertGrep "ValidityDefault:ValidityConstraint" "$admin_out" + rlAssertGrep "KeyDefault:KeyConstraint" "$admin_out" + rlAssertGrep "AuthorityKeyIdentifierDefault:NoConstraint" "$admin_out" + rlAssertGrep "AIAExtensionDefault:NoConstraint" "$admin_out" + rlAssertGrep "KeyUsageDefault:KeyUsageExtensionConstraint" "$admin_out" + rlAssertGrep "ExtendedKeyUsageExtensionDefault:NoConstraint" "$admin_out" + rlAssertGrep "SubjectAltNameConstraint:NoConstraint" "$admin_out" + rlAssertGrep "SigningAlg:NoConstraint" "$admin_out" + local scope=profileInput + rlLog "Verify $scope" + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=profileInput&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "View details of Profile $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "KeyGeneration" "$admin_out" + rlAssertGrep "SubjectName" "$admin_out" + rlAssertGrep "RequestorInformation" "$admin_out" + local scope=profileOutput + rlLog "Verify $scope" + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "View details of Profile $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "CertificateOutput" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-003: SUBCA - Admin Interface - Verify Deleting enabled profile fails" + local profile="caUserSMIMEcapCert" + local op_scope=rules + local op_type='OP_DELETE' + rlLog "View Profile Details $profile" + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=$op_type&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "View details of Profile $profile" + rlAssertGrep "Cannot delete enabled profile: $profile" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-004: SUBCA - Admin Interface - Create a new user Profile using caUserCertEnrollImpl with Profile Authencation set to AgentCertAuth" + local profile="caUserCert$RANDOM" + local op_scope=rules + local class=caUserCertEnrollImpl + rlLog "Create new profile $profile" + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=rules&RS_ID=$profile&impl=$class&name=$profile&visible=true&auth=AgentCertAuth&desc=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Create a new profile for user cert enrollment" + rlLog "List all default Profiles" + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=rules&\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile >> $admin_out" 0 "List all default Profiles" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$profile=$profile:visible:disabled" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-005: SUBCA - Admin Interface - Add Authority Info Access Extension Default Policy" + local op_scope=policies + local policy=authInfoAccessExtDefaultImpl + local policyname=AuthorityInfoAccessExtensionDefault + local constraintname=NoConstraint + local constraint=noConstraintImpl + rlLog "Add Policy" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=policies&RS_ID=$profile;set1:p6;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Authority Info Access Extension Default Policy to $profile" 0 "Add Authority Info Access Extension Policy" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p6;$policy;$constraint&authInfoAccessCritical=false&authInfoAccessNumADs=1&authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1&authInfoAccessADLocationType_0=URIName&authInfoAccessADLocation_0=&authInfoAccessADEnable_0=false\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Details" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p6;$policy;$constraint\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" + rlLog "Read all policies of $profile" + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=policies&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-006: SUBCA - Admin Interface - Add Authority key Identifier Extension Default Policy" + local op_scope=policies + local policy=authorityKeyIdentifierExtDefaultImpl + local policyname=AuthorityKeyIdentifierExtensionDefault + local constraintname=NoConstraint + local constraint=noConstraintImpl + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=policies&RS_ID=$profile;set1:p7;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Authority Key Identifier Extension Default Policy to $profile" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p7;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Details" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p7;$policy;$constraint\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-007: SUBCA - Admin Interface - Add Auto request Assignment Default" + local op_scope=policies + local policy=autoAssignDefaultImpl + local policyname=AutoRequestAssignmentDefault + local constraintname=NoConstraint + local constraint=noConstraintImpl + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=policies&RS_ID=$profile;set1:p8;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Authority Info Access Extension Default Policy to $profile" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p8;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Details" 0 + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p8;$policy;$constraint\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + + rlPhaseStartTest "pki_console_profile-008: SUBCA - Admin Interface - Add Basic Constraints Extension Default" + local op_scope=policies + local policy=basicConstraintsExtDefaultImpl + local policyname=BasicConstraintsExtensionDefault + local constraintname=NoConstraint + local constraint=noConstraintImpl + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=policies&RS_ID=$profile;set1:p9;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Basic Constraints Extension to $profile" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p9;$policy;$constraint&basicConstraintsCritical=false&basicConstraintsIsCA=false&basicConstraintsPathLen=-1\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Details" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p9;$policy;$constraint\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-009: SUBCA - Admin Interface - Add Certificate Version Default Policy" + local policy=certificateVersionDefaultImpl + local policyname=CertificateVersionDefault + local constraintname=NoConstraint + local constraint=noConstraintImpl + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p10;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Certificate Version Default Policy to $profile" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p10;$policy;$constraint&basicConstraintsCritical=false&basicConstraintsIsCA=false&basicConstraintsPathLen=-1\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Details" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p10;$policy;$constraint\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0010: SUBCA - Admin Interface - Add CRL Distribution Points Extension Default Policy & add custom CRL Url" + local policy=crlDistributionPointsExtDefaultImpl + local policyname=CRLDistributionPointsExtensionDefault + local constraintname=NoConstraint + local constraint=noConstraintImpl + local op_scope=policies + local crlurl='https://pki2.example.org:30042/crl/Mastercrl.bin' + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p11;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy CRL Distribution Points Extension Default to $profile" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p11;$policy;$constraint&crlDistPointsCritical=false&crlDistPointsNum=1&crlDistPointsPointType_0=URIName&crlDistPointsPointName_0=$crlurl&crlDistPointsReasons_0=&crlDistPointsIssuerType_0=&crlDistPointsIssuerName_0=&crlDistPointsEnable_0=true\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Details" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p11;$policy;$constraint\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0011: SUBCA - Admin Interface - Add Extended Key Usage Extension Default Policy" + local policy=extendedKeyUsageExtDefaultImpl + local policyname=ExtendedKeyUsageExtensionDefault + local constraintname=NoConstraint + local constraint=noConstraintImpl + local op_scope=policies + local crlurl='https://pki2.example.org:30042/crl/Mastercrl.bin' + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p12;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Extended Key Usage Extension Default to $profile" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p12;$policy;$constraint&exKeyUsageCritical=false&exKeyUsageOIDs=1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.4\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Details" 0 + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p12;$policy;$constraint\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0012: SUBCA - Admin Interface - Add Freshest CRL Extension Default" + local policy=freshestCRLExtDefaultImpl + local policyname=FreshestCRLExtensionDefault + local constraintname=NoConstraint + local constraint=noConstraintImpl + local op_scope=policies + local crlurl="https://$tmp_ca_host:$target_secure_port/crl/Mastercrl.bin" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p13;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Freshest CRL Extension to $profile" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p13;$policy;$constraint&freshestCRLCritical=false&freshestCRLPointNum=1&freshestCRLPointType_0=URIName&freshestCRLPointName_0=$crlurl&freshestCRLPointIssuerType_0=&freshestCRLPointIssuerName_0=&freshestCRLPointEnable_0='true'\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Details" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p13;$policy;$constraint\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + + rlPhaseStartTest "pki_console_profile-0013: SUBCA - Admin Interface - Add Key Usage Extension Default" + local policy=keyUsageExtDefaultImpl + local policyname=KeyUsageExtensionDefault + local constraintname=KeyUsageExtensionConstraint + local constraint=keyUsageExtConstraintImpl + rlLog "Delete Existing Key Usage Policy" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=policies&RS_ID=$profile&POLICYID=set1:p5\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Delete Existing Key Usage Policy" + rlLog "Add Key Usage Policy" + local op_scope=policies + local crlurl="https://$tmp_ca_host:$target_secure_port/crl/Mastercrl.bin" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p14;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Key Usage Extension Default to $profile" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p14;$policy;$constraint&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Details" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p14;$policy;$constraint&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0014: SUBCA - Admin Interface - Add Issuer Alternative Name Extension Default" + local policy=issuerAltNameExtDefaultImpl + local policyname=IssuerAlternativeNameExtensionDefault + local constraintname=NoConstraint + local constraint=noConstraintImpl + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p15;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Issuer Alternative Name Extension Default to $profile" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p15;$policy;$constraint&issuerAltNameExtCritical=false&issuerAltExtType=RFC822Name&issuerAltExtPattern=$request.requestor_email\$\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Details" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p15;$policy;$constraint\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0014: SUBCA - Admin Interface - Add Name Constraints Extension Default" + local policy=nameConstraintsExtDefaultImpl + local policyname=IssuerAlternativeNameExtensionDefault + local constraintname=NoConstraint + local constraint=noConstraintImpl + local op_scope=policies + local crlurl="https://$tmp_ca_host:$target_secure_port/crl/Mastercrl.bin" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p15;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Name Constraints Extension Default to $profile" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p15;$policy;$constraint&nameConstraintsCritical=false&nameConstraintsNumPermittedSubtrees=1&nameConstraintsPermittedSubtreeMinValue_0=1&nameConstraintsPermittedSubtreeNameChoice_0=URIName&nameConstraintsPermittedSubtreeNameValue_0=https://$tmp_ca_host:80&nameConstraintsPermittedSubtreeEnable_0=false&nameConstraintsNumExcludedSubtrees=1&nameConstraintsExcludedSubtreeMinValue_0=&nameConstraintsExcludedSubtreeMaxValue_0=&nameConstraintsExcludedSubtreeNameChoice_0=&nameConstraintsExcludedSubtreeNameValue_0=&nameConstraintsExcludedSubtreeEnable_0=false\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Details" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p15;$policy;$constraint\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0015: SUBCA - Admin Interface - Add Netscape Certificate Type Extension Default Policy" + local policy=nsCertTypeExtDefaultImpl + local policyname=NetscapeCertificateTypeExtensionDefault + local constraintname=NoConstraint + local constraint=noConstraintImpl + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p16;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Netscape Certificate Type Extension Default to $profile" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p16;$policy;$constraint&nsCertCritical=true&nsCertSSLClient=true&nsCertSSLServer=true&nsCertEmail=true&nsCertObjectSigning=false&nsCertSSLCA=false&nsCertEmailCA=false&nsCertObjectSigningCA=false\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Details" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p16;$policy;$constraint\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + + rlPhaseStartTest "pki_console_profile-0016: SUBCA - Admin Interface - Add OCSP No check Extension Default Policy" + local policy=ocspNoCheckExtDefaultImpl + local policyname=OCSPNoCheckExtensionDefault + local constraintname=ExtensionConstraint + local constraint=extensionConstraintImpl + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p17;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy OCSP No check Extension Default to $profile" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p17;$policy;$constraint&ocspNoCheckCritical=false\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Details" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p17;$policy;$constraint&extCritical=false&extOID=1.1.1.1.1\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0017: SUBCA - Admin Interface - Add Signing Algorithm Default Policy" + local policy=signingAlgDefaultImpl + local policyname=SigningAlgorithmDefault + local constraintname=SigningAlgorithmConstraint + local constraint=signingAlgConstraintImpl + rlLog "Delete Existing Key Usage Policy" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=policies&RS_ID=$profile&POLICYID=set1:p4\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Delete Existing Signing Algorithm Usage Policy" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p18;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Signing Algorithm Default to $profile" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p18;$policy;$constraint&signingAlg=SHA256withRSA\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Details" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p18;$policy;$constraint&signingAlgsAllowed=SHA1withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0018: SUBCA - Admin Interface - Add OCSP No check Extension Default Policy" + local policy=ocspNoCheckExtDefaultImpl + local policyname=OCSPNoCheckExtensionDefault + local constraintname=ExtensionConstraint + local constraint=extensionConstraintImpl + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p17;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy OCSP No check Extension Default to $profile" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p17;$policy;$constraint&ocspNoCheckCritical=false\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Details" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p17;$policy;$constraint&extCritical=false&extOID=1.1.1.1.1\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0019: SUBCA - Admin Interface - Add signing Algorithm" + local policy=signingAlgDefaultImpl + local policyname=SigningAlgorithmDefault + local constraintname=SigningAlgorithmConstraint + local constraint=noConstraintImpl + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p18;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Signing Algorithm to $profile" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p18;$policy;$constraint&signingAlg=SHA256withRSA\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Details" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p18;$policy;$constraint\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0020: SUBCA - Admin Interface - Add Subject Alternative Name Extension Policy" + local policy=subjectAltNameExtDefaultImpl + local policyname=SubjectAlternativeNameExtensionDefault + local constraintname=NoConstraint + local constraint=noConstraintImpl + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p19;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Subject Alternative Name Extension to $profile" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p19;$policy;$constraint&subjAltNameExtCritical=false&subjAltNameNumGNs=1&subjAltExtType_0=RFC822Name&subjAltExtPattern_0=\$request.requestor_email\$&subjAltExtGNEnable_0=false\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Details" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p19;$policy;$constraint\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0021: SUBCA - Admin Interface - Add Subject Directory Attributes Extension Policy" + local policy=subjectDirAttributesExtDefaultImpl + local policyname=SubjectDirectoryAttributesExtensionDefault + local constraintname=NoConstraint + local constraint=noConstraintImpl + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p20;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Subject Directory Attributes Extension to $profile" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p20;$policy;$constraint&subjDirAttrsCritical=false&subjDirAttrsNum=1&subjDirAttrName_0=email&subjDirAttrPattern_0=\$request.requestor_email\$&subjDirAttrEnable=false\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Details" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p20;$policy;$constraint\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0022: SUBCA - Admin Interface - Add Subject Info Access Extension Policy" + local policy=subjectInfoAccessExtDefaultImpl + local policyname=SubjectInfoAccessExtensionDefault + local constraintname=NoConstraint + local constraint=noConstraintImpl + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p21;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Subject Info access extension default a1to $profile" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p21;$policy;$constraint&subjInfoAccessCritical=false&subjInfoAccessNumADs=1&subjInfoAccessADMethod_0=1.2.3.4.5.6&subjInfoAccessADLocationType_0=URINAME&subjInfoAccessADLocation_0=&subjInfoAccessADEnable_0=false\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Details" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p21;$policy;$constraint\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0023: SUBCA - Admin Interface - Add Subject key Identifier Policy" + local policy=subjectKeyIdentifierExtDefaultImpl + local policyname=SubjectKeyIdentifierDefault + local constraintname=NoConstraint + local constraint=noConstraintImpl + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p22;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Subject key Identifier to $profile" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p22;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Details" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p22;$policy;$constraint\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0024: SUBCA - Admin Interface - Add Subject Name Default Policy" + local policy=subjectNameDefaultImpl + local policyname=SubjectNameDefault + local constraintname=SubjectNameConstraint + local constraint=subjectNameConstraintImpl + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p23;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Subject Info access extension default a1to $profile" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p23;$policy;$constraint&CN=TEST\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Details" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p23;$policy;$constraint&pattern=cn=\*\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0025: SUBCA - Admin Interface - Add Validity Default Policy" + local policy=validityDefaultImpl + local policyname=ValidityDefault + local constraintname=ValidityConstraint + local constraint=validityConstraintImpl + local op_scope=policies + rlLog "Delete Existing Key Usage Policy" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=policies&RS_ID=$profile&POLICYID=set1:p2\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Delete Existing Validity Default usage Policy" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p24;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Validity Default policy $profile" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p24;$policy;$constraint&range=180&startTime=60\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Details" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p24;$policy;$constraint&range=365¬BeforeGracePeriod=0¬BeforeCheck=false¬AfterCheck=false\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0026: SUBCA - Admin Interface - Add Certificate Request Input" + local Input=certReqInputImpl + local op_scope=profileInput + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;i4;$Input\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Certificate Request Input $profile" + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "i4=CertificateRequestInput" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0027: SUBCA - Admin Interface - Add CMC Request Input" + local Input=cmcCertReqInputImpl + local op_scope=profileInput + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;i5;$Input\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add CMC Request Input $profile" + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "i5=CertificateRequestInput" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0028: SUBCA - Admin Interface - Add Dual Key Generation Input" + local Input=dualKeyGenInputImpl + local op_scope=profileInput + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;i6;$Input\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Dual Key Generation Input to $profile" + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "i6=DualKeyGeneration" "$admin_out" + rlPhaseEnd# + + rlPhaseStartTest "pki_console_profile-0029: SUBCA - Admin Interface - Add File Signing Input" + local Input=fileSigningInputImpl + local op_scope=profileInput + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;i7;$Input\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add File Signing Input $profile" + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "i7=FileSigningInput" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0030: SUBCA - Admin Interface - Add Key Generation Input" + local Input=keyGenInputImpl + local op_scope=profileInput + rlLog "Delete Existing Key Generation Input" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=profileInput&RS_ID=$profile&INPUTID=i1\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Delete Existing Validity Default usage Policy" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;i1;$Input\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Key Generation Input to $profile" + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "i1=KeyGeneration" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0031: SUBCA - Admin Interface - Add Subject DN Input" + local Input=subjectDNInputImpl + local op_scope=profileInput + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;i8;$Input\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Subject DN Input to $profile" + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "i8=SubjectName" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0032: SUBCA - Admin Interface - Add Subject Name Input" + local Input=subjectNameInputImpl + local op_scope=profileInput + rlLog "Delete Existing Subject Name Input" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=profileInput&RS_ID=$profile&INPUTID=i2\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Delete Existing Subject Name Input" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;i2;$Input&sn_uid=true&sn_e=true&sn_cn=true&sn_ou3=true&sn_ou2=true&sn_ou1=true&sn_ou=true&sn_o=true&sn_c=true\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Subject Name Input to $profile" + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "i2=SubjectName" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0033: SUBCA - Admin Interface - Add Certificate Output" + local Input=certOutputImpl + local op_scope=profileOutput + rlLog "Delete Existing Certificate Output" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=profileOutput&RS_ID=$profile&OUTPUTID=o1\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Delete Existing Certificate Output" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;o1;$Input\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Certificate Output to $profile" + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "o1=CertificateOutput" "$admin_out" + rlPhaseEnd + + + rlPhaseStartTest "pki_console_profile-0034: SUBCA - Admin Interface - Add CMMF Output" + local Input=cmmfOutputImpl + local op_scope=profileOutput + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;o1;$Input\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Certificate Output to $profile" + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "o1=CertificateOutput" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0035: SUBCA - Admin Interface - Delete an existing Policy from Profile" + local op_scope=policies + rlLog "Read all the existing Policies" + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlLog "Delete signing Algorithm Policy from the profile" + local policyId=$(cat -v $admin_out | grep SigningAlgorithmDefault | awk -F ":" '{print $2}' | awk -F "=" '{print $1}') + rlLog "policyId=$policyId" + rlLog "Delete Existing Key Usage Policy" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=policies&RS_ID=$profile&POLICYID=set1:$policyId\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Delete Existing Validity Default usage Policy" + rlLog "Read all the existing Policies" + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertNotGrep "SigningAlgorithmDefault:SigningAlgorithmConstraint" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0036: SUBCA - Admin Interface - Delete Dual Key Generation Input from Profile" + local op_scope=profileInput + rlLog "Read Existing Certificate Input" + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + local inputId=$(cat -v $admin_out | grep DualKeyGeneration | awk -F "=" '{print $1}') + rlLog "Delete Dual Key Generation Input" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=profileInput&RS_ID=$profile&INPUTID=$inputId\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Delete Existing Dual Key Generation Input" + rlLog "Read Existing Certificate Input to verify Dual Key Generation Input is deleted" + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlAssertNotGrep "DualKeyGeneration" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0037: SUBCA - Admin Interface - Delete Certificate request output from Existing Profile" + local Input=certOutputImpl + local op_scope=profileOutput + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "o1=CertificateOutput" "$admin_out" + rlLog "Delete Existing Certificate Output" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=profileOutput&RS_ID=$profile&OUTPUTID=o1\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Delete Existing Certificate Output" + rlLog "Read Existing Outputs to verify Certificate Output is not present" + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertNotGrep "o1=CertificateOutput" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0038: SUBCA - Admin Interface - Enable Existing Profile" + rlLog "Enable a Disabled profile" + local action=Approve + rlRun "export SSL_DIR=$CERTDB_DIR" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem -E \"$valid_agent_cert:$CERTDB_DIR_PASSWORD\" -d \"profileId=$profile&Approve=$action\" https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileApprove > $admin_out" + rlLog "Verify if $profile is enabled by enabling using pki command" + rlRun "pki -h $tmp_ca_host -p $tmp_ca_port -d $CERTDB_DIR -c $CERTDB_DIR_PASSWORD -n $valid_agent_cert ca-profile-enable $profile > $ca_profile_out 2>&1" 255,1 "Execute pki ca-profile-enable $profile" + rlAssertGrep "BadRequestException: Profile already enabled" "$ca_profile_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0039: SUBCA - Admin Interface - Disable Existing Profile" + rlLog "Disable a Enabled profile" + local action=Disable + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + -E \"$tmp_ca_agent:$CERTDB_DIR_PASSWORD\" \ + -d \"profileId=$profile&Disable=$action\" https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileApprove" + rlLog "Disable profile $profile and verify profile is already disabled" + rlRun "pki -h $tmp_ca_host \ + -p $tmp_ca_port \ + -d $CERTDB_DIR \ + -c $CERTDB_DIR_PASSWORD \ + -n $valid_agent_cert \ + ca-profile-disable $profile > $ca_profile_out 2>&1" \ + 255,1 "Disable already disabled profile $profile" + rlAssertGrep "BadRequestException: Profile already disabled" "$ca_profile_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0040: SUBCA - Admin Interface - Create a new profile as Admin Only user with caEnrollImpl with No Profile Authentication" + local profile="caUserCert$RANDOM" + local op_scope=rules + local op_type='OP_DELETE' + local class=caEnrollImpl + rlLog "Create new profile $profile" + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=rules&RS_ID=$profile&impl=$class&name=$profile&visible=true&auth=&desc=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Create a new profile for user cert enrollment" + rlLog "List all default Profiles" + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=rules&\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile >> $admin_out" 0 "List all default Profiles" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$profile=$profile:visible:disabled" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0041: SUBCA - Admin Interface - Add Key Generation Input " + rlLog "Add Key Generation Input" + local Input=keyGenInputImpl + local op_scope=profileInput + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;i1;$Input\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Key Generation Input to $profile" + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "i1=KeyGeneration" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0042: SUBCA - Admin Interface - Add subject Name Input " + rlLog "Add Subject Name Input" + local Input=subjectNameInputImpl + local op_scope=profileInput + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;i2;$Input&sn_uid=true&sn_e=true&sn_cn=true&sn_ou3=true&sn_ou2=true&sn_ou1=true&sn_ou=true&sn_o=true&sn_c=true\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Subject Name Input to $profile" + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "i2=SubjectName" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0043: SUBCA - Admin Interface - Add Requestor Information Input " + rlLog "Add Requestor Information" + local Input=submitterInfoInputImpl + local op_scope=profileInput + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;i3;$Input\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Subject Name Input to $profile" + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "i3=RequestorInformation" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0044: SUBCA - Admin Interface - Add Certificate Output " + local Input=certOutputImpl + local op_scope=profileOutput + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;o1;$Input\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Certificate Output to $profile" + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "o1=CertificateOutput" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0045: SUBCA - Admin Interface - Add User Supplied Subject Name Input Default Policy" + local policy=userSubjectNameDefaultImpl + local policyname=UserSuppliedSubjectNameDefault + local constraintname=SubjectNameConstraint + local constraint=subjectNameConstraintImpl + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p1;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Subject Info access extension default a1to $profile" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p1;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Details" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p1;$policy;$constraint&pattern=UID=.*\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0046: SUBCA - Admin Interface - Add NoDefault Policy" + local policy=noDefaultImpl + local policyname=NoDefault + local constraintname=RenewalGracePeriodConstraint + local constraint=renewGracePeriodConstraintImpl + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p2;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy NoDefault to $profile" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p2;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Details" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p2;$policy;$constraint&renewal.graceBefore=30&renewal.graceAfter=30\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + #rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0047: SUBCA - Admin Interface - Add Validity Default Policy" + local policy=validityDefaultImpl + local policyname=ValidityDefault + local constraintname=ValidityConstraint + local constraint=validityConstraintImpl + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p3;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Validity Default policy $profile" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p3;$policy;$constraint&range=180&startTime=0\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Details" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p3;$policy;$constraint&range=365¬BeforeGracePeriod=0¬BeforeCheck=false¬AfterCheck=false\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0048: SUBCA - Admin Interface - Add Extended Key Usage Extension Default Policy" + local policy=extendedKeyUsageExtDefaultImpl + local policyname=ExtendedKeyUsageExtensionDefault + local constraintname=NoConstraint + local constraint=noConstraintImpl + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p4;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Add Policy Extended Key Usage Extension Default to $profile" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p4;$policy;$constraint&exKeyUsageCritical=false&exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Add Policy Details" 0 + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p4;$policy;$constraint\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0049: SUBCA - Admin Interface - Add Subject Alternative Name Extension Policy" + local policy=subjectAltNameExtDefaultImpl + local policyname=SubjectAlternativeNameExtensionDefault + local constraintname=NoConstraint + local constraint=noConstraintImpl + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p5;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Subject Alternative Name Extension to $profile" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p5;$policy;$constraint&subjAltNameExtCritical=false&subjAltNameNumGNs=1&subjAltExtType_0=RFC822Name&subjAltExtPattern_0='$request.requestor_email$'&subjAltExtGNEnable_0=false\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Add Policy Details" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p5;$policy;$constraint\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0049: SUBCA - Admin Interface - Add User Key Default Policy(Admin Only)" + local policy=userKeyDefaultImpl + local policyname=UserSuppliedKeyDefault + local constraintname=KeyConstraint + local constraint=keyConstraintImpl + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p6;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Add Policy Userkey Default to $profile" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p6;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Add Policy Details" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p6;$policy;$constraint&keyType=-&keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0050: SUBCA - Admin Interface - Add Authority key Identifier Extension Default Policy" + local op_scope=policies + local policy=authorityKeyIdentifierExtDefaultImpl + local policyname=AuthorityKeyIdentifierExtensionDefault + local constraintname=NoConstraint + local constraint=noConstraintImpl + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=policies&RS_ID=$profile;set1:p7;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Add Policy Authority Key Identifier Extension Default Policy to $profile" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p7;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Add Policy Details" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p7;$policy;$constraint\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0051: SUBCA - Admin Interface - Add Authority Info Access Extension Default Policy" + local op_scope=policies + local policy=authInfoAccessExtDefaultImpl + local policyname=AuthorityInfoAccessExtensionDefault + local constraintname=NoConstraint + local constraint=noConstraintImpl + rlLog "Add Policy" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=policies&RS_ID=$profile;set1:p8;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Add Policy Authority Info Access Extension Default Policy to $profile" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p8;$policy;$constraint&authInfoAccessCritical=false&authInfoAccessNumADs=1&authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1&authInfoAccessADLocationType_0=URIName&authInfoAccessADLocation_0=&authInfoAccessADEnable_0=false\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Add Policy Details" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p8;$policy;$constraint\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Read all policies of $profile" + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=policies&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0052: SUBCA - Admin Interface - Add Key Usage Extension Default" + local policy=keyUsageExtDefaultImpl + local policyname=KeyUsageExtensionDefault + local constraintname=KeyUsageExtensionConstraint + local constraint=keyUsageExtConstraintImpl + rlLog "Add Key Usage Policy" + local op_scope=policies + local crlurl="https://$tmp_ca_host:$target_secure_port/crl/Mastercrl.bin" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p9;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Add Key Usage Extension Default to $profile" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p9;$policy;$constraint&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Add Policy Details" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p9;$policy;$constraint&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0053: SUBCA - Admin Interface - Add Signing Algorithm Default Policy" + local policy=signingAlgDefaultImpl + local policyname=SigningAlgorithmDefault + local constraintname=SigningAlgorithmConstraint + local constraint=signingAlgConstraintImpl + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p10;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Add Policy Signing Algorithm Default to $profile" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p10;$policy;$constraint&signingAlg=SHA256withRSA\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Add Policy Details" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p10;$policy;$constraint&signingAlgsAllowed=SHA1withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_pwd" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0054: SUBCA - Enroll a user certificate with newly created profile" + rlLog "Enable a Disabled profile" + local action=Approve + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + -E \"$valid_agent_cert:$CERTDB_DIR_PASSWORD\" \ + -d \"profileId=$profile&Approve=$action\" https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileApprove > $admin_out 2>&1" + rlLog "Verify $profile is by disabling the profile using pki cli" + rlLog "Verify if $profile is enabled by enabling using pki command" + rlRun "pki -h $tmp_ca_host \ + -p $tmp_ca_port \ + -d $CERTDB_DIR \ + -c $CERTDB_DIR_PASSWORD \ + -n $valid_agent_cert \ + ca-profile-enable $profile > $ca_profile_out 2>&1" 255,1 "Execute pki ca-profile-enable $profile" + rlAssertGrep "BadRequestException: Profile already enabled" "$ca_profile_out" + local temp_user=foo_User_$RANDOM + rlLog "Generate a cert with subject name CN=Foo User_1,UID=$Temp_user,E=$temp_user@example.org,OU=FOO,O=Example.org,C=US" + rlRun "generate_new_cert tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_pwd:$TEMP_NSS_DB_PWD \ + req_type:pkcs10 \ + algo:rsa \ + key_size:1024 \ + subject_cn:\"Foo User_1\" \ + subject_uid:FooUser_1 \ + subject_email:FooUser_1@example.org \ + subject_ou:FOO \ + subject_o:Example.org \ + subject_c:US \ + archive:false \ + req_profile:$profile \ + target_host:$tmp_ca_host \ + protocol: \ + port:$tmp_ca_port \ + cert_db_dir:$CERTDB_DIR \ + cert_db_pwd:$CERTDB_DIR_PASSWORD \ + certdb_nick:\"$valid_agent_cert\" \ + cert_info:$cert_info" + local cert_serialNumber=$(cat $cert_info| grep cert_serialNumber | cut -d- -f2) + local cert_requestdn=$(cat $cert_info | grep cert_requestdn | cut -d- -f2) + rlRun "pki -h $tmp_ca_host -p $tmp_ca_port cert-show $cert_serialNumber > $cert_out" 0 "Executing pki cert-show $cert_serialNumber" + rlAssertGrep "Certificate \"$cert_serialNumber\"" "$cert_out" + rlAssertGrep "Serial Number: $cert_serialNumber" "$cert_out" + rlAssertGrep "Issuer: CN=PKI $SUBCA_INST Signing Certificate,O=redhat" "$cert_out" + rlAssertGrep "Subject: $pkcs10_requestdn" "$cert_out" + rlAssertGrep "Status: VALID" "$cert_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0055: SUB CA Admin Interface - Creating a new profile by user member of Certificate Agents should fail" + local profile="caUserCert$RANDOM" + local op_scope=rules + local class=caEnrollImpl + rlLog "Create new profile $profile" + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_agent_user:$valid_agent_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=rules&RS_ID=$profile&impl=$class&name=$profile&visible=true&auth=&desc=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Create a new profile as $valid_agent_user" + rlAssertGrep "You are not authorized to perform this operation" "$admin_out" + rlPhaseEnd + + rlPhaseStartTest "pki_console_profile-0056: SUB CA Admin Interface - Creating a new profile by user member of Auditors group should fail" + local profile="caUserCert$RANDOM" + local op_scope=rules + local class=caEnrollImpl + rlLog "Create new profile $profile" + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_audit_user:$valid_audit_pwd" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=rules&RS_ID=$profile&impl=$class&name=$profile&visible=true&auth=&desc=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Create a new profile as $valid_audit_user" + rlAssertGrep "You are not authorized to perform this operation" "$admin_out" + rlPhaseEnd + + rlPhaseStartCleanup "Delete temp dir" + rlRun "popd" + rlRun "rm -r $TmpDir" 0 "Removing tmp directory" + rlPhaseEnd + +} diff --git a/tests/dogtag/acceptance/legacy/subca-tests/profiles/subca-ag-profiles.sh b/tests/dogtag/acceptance/legacy/subca-tests/profiles/subca-ag-profiles.sh new file mode 100755 index 000000000..6c02064f6 --- /dev/null +++ b/tests/dogtag/acceptance/legacy/subca-tests/profiles/subca-ag-profiles.sh @@ -0,0 +1,691 @@ +#!/bin/bash +# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/rhcs/acceptance/cli-tests/pki-ca-profile-cli +# Description: PKI CA PROFILE CLI tests +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# The following pki key cli commands needs to be tested: +# pki ca-profile-add +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Author: Niranjan Mallapadi +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2013 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include rhts environment +. /usr/bin/rhts-environment.sh +. /usr/share/beakerlib/beakerlib.sh +. /opt/rhqa_pki/rhcs-shared.sh +. /opt/rhqa_pki/pki-cert-cli-lib.sh +. /opt/rhqa_pki/env.sh + +run_agent-subca-profile_tests() +{ + + # Creating Temporary Directory + rlPhaseStartSetup "Create Temporary Directory" + rlRun "TmpDir=\`mktemp -d\`" 0 "Creating tmp directory" + rlRun "pushd $TmpDir" + rlRun "export PYTHONPATH=$PYTHONPATH:/opt/rhqa_pki/" + rlPhaseEnd + + # Local Variables + local cs_Type=$1 + local cs_Role=$2 + get_topo_stack $cs_Role $TmpDir/topo_file + if [ $cs_Role="MASTER" ]; then + SUBCA_INST=$(cat $TmpDir/topo_file | grep MY_SUBCA | cut -d= -f2) + elif [ $cs_Role="SUBCA2" || $cs_Role="SUBCA1" ]; then + SUBCA_INST=$(cat $TmpDir/topo_file | grep MY_CA | cut -d= -f2) + fi + local tomcat_name=$(eval echo \$${SUBCA_INST}_TOMCAT_INSTANCE_NAME) + local target_unsecure_port=$(eval echo \$${SUBCA_INST}_UNSECURE_PORT) + local target_secure_port=$(eval echo \$${SUBCA_INST}_SECURE_PORT) + local tmp_ca_agent=$SUBCA_INST\_agentV + local tmp_ca_admin=$SUBCA_INST\_adminV + local tmp_ca_port=$(eval echo \$${SUBCA_INST}_UNSECURE_PORT) + local tmp_ca_host=$(eval echo \$${cs_Role}) + local valid_agent_cert=$SUBCA_INST\_agentV + local valid_audit_cert=$SUBCA_INST\_auditV + local valid_operator_cert=$SUBCA_INST\_operatorV + local valid_admin_cert=$SUBCA_INST\_adminV + local cert_find_info="$TmpDir/cert_find_info" + local revoked_agent_cert=$SUBCA_INST\_agentR + local revoked_admin_cert=$SUBCA_INST\_adminR + local expired_admin_cert=$SUBCA_INST\_adminE + local expired_agent_cert=$SUBCA_INST\_agentE + #users + local valid_agent_user=$SUBCA_INST\_agentV + local valid_audit_user=$SUBCA_INST\_auditV + local valid_operator_user=$SUBCA_INST\_operatorV + local valid_admin_user=$SUBCA_INST\_adminV + local admin_out="$TmpDir/admin_out" + local TEMP_NSS_DB="$TmpDir/nssdb" + local TEMP_NSS_DB_PWD="redhat" + local cert_info="$TmpDir/cert_info" + local ca_profile_out="$TmpDir/ca-profile-out" + local cert_out="$TmpDir/cert-show.out" + local rand=$RANDOM + local tmp_junk_data=$(openssl rand -base64 50 | perl -p -e 's/\n//') + local SSL_DIR=$CERTDB_DIR + + rlPhaseStartSetup "CA Admin Interface - Create a new profile as Admin Only user with caEnrollImpl with No Profile Authentication" + local profile="caUserCert$RANDOM" + local op_scope=rules + local class=caEnrollImpl + rlLog "Create new profile $profile" + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=rules&RS_ID=$profile&impl=$class&name=$profile&visible=true&auth=&desc=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Create a new profile for user cert enrollment" + rlLog "List all default Profiles" + rlRun "curl --capath "$CERTDB_DIR" --basic --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=rules&\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile >> $admin_out" 0 "List all default Profiles" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$profile=$profile:visible:disabled" "$admin_out" + rlPhaseEnd + + rlPhaseStartSetup "Admin Interface - Add Key Generation Input " + rlLog "Add Key Generation Input" + local Input=keyGenInputImpl + local op_scope=profileInput + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;i1;$Input\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Key Generation Input to $profile" + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "i1=KeyGeneration" "$admin_out" + rlPhaseEnd + + rlPhaseStartSetup "Admin Interface - Add subject Name Input " + rlLog "Add Subject Name Input" + local Input=subjectNameInputImpl + local op_scope=profileInput + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;i2;$Input&sn_uid=true&sn_e=true&sn_cn=true&sn_ou3=true&sn_ou2=true&sn_ou1=true&sn_ou=true&sn_o=true&sn_c=true\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Subject Name Input to $profile" + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "i2=SubjectName" "$admin_out" + rlPhaseEnd + + rlPhaseStartSetup "Admin Interface - Add Requestor Information Input " + rlLog "Add Requestor Information" + local Input=submitterInfoInputImpl + local op_scope=profileInput + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;i3;$Input\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Subject Name Input to $profile" + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "i3=RequestorInformation" "$admin_out" + rlPhaseEnd + + rlPhaseStartSetup "Admin Interface - Add Certificate Output " + local Input=certOutputImpl + local op_scope=profileOutput + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;o1;$Input\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Certificate Output to $profile" + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "o1=CertificateOutput" "$admin_out" + rlPhaseEnd + + rlPhaseStartSetup "Admin Interface - Add User Supplied Subject Name Input Default Policy" + local policy=userSubjectNameDefaultImpl + local policyname=UserSuppliedSubjectNameDefault + local constraintname=SubjectNameConstraint + local constraint=subjectNameConstraintImpl + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p1;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Subject Info access extension default a1to $profile" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p1;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Details" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p1;$policy;$constraint&pattern=UID=.*\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartSetup "Admin Interface - Add NoDefault Policy" + local policy=noDefaultImpl + local policyname=NoDefault + local constraintname=RenewalGracePeriodConstraint + local constraint=renewGracePeriodConstraintImpl + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p2;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy NoDefault to $profile" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p2;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Details" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p2;$policy;$constraint&renewal.graceBefore=30&renewal.graceAfter=30\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + #rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartSetup "Admin Interface - Add Validity Default Policy" + local policy=validityDefaultImpl + local policyname=ValidityDefault + local constraintname=ValidityConstraint + local constraint=validityConstraintImpl + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p3;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Validity Default policy $profile" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p3;$policy;$constraint&range=180&startTime=0\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Details" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p3;$policy;$constraint&range=365¬BeforeGracePeriod=0¬BeforeCheck=false¬AfterCheck=false\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartSetup "Admin Interface - Add Extended Key Usage Extension Default Policy" + local policy=extendedKeyUsageExtDefaultImpl + local policyname=ExtendedKeyUsageExtensionDefault + local constraintname=NoConstraint + local constraint=noConstraintImpl + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p4;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Add Policy Extended Key Usage Extension Default to $profile" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p4;$policy;$constraint&exKeyUsageCritical=false&exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Add Policy Details" 0 + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p4;$policy;$constraint\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartSetup "Admin Interface - Add Subject Alternative Name Extension Policy" + local policy=subjectAltNameExtDefaultImpl + local policyname=SubjectAlternativeNameExtensionDefault + local constraintname=NoConstraint + local constraint=noConstraintImpl + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p5;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile" 0 "Add Policy Subject Alternative Name Extension to $profile" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p5;$policy;$constraint&subjAltNameExtCritical=false&subjAltNameNumGNs=1&subjAltExtType_0=RFC822Name&subjAltExtPattern_0='$request.requestor_email$'&subjAltExtGNEnable_0=false\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Add Policy Details" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p5;$policy;$constraint\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartSetup "Admin Interface - Add User Key Default Policy(Admin Only)" + local policy=userKeyDefaultImpl + local policyname=UserSuppliedKeyDefault + local constraintname=KeyConstraint + local constraint=keyConstraintImpl + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p6;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Add Policy Userkey Default to $profile" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p6;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Add Policy Details" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p6;$policy;$constraint&keyType=-&keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartSetup "Admin Interface - Add Authority key Identifier Extension Default Policy" + local op_scope=policies + local policy=authorityKeyIdentifierExtDefaultImpl + local policyname=AuthorityKeyIdentifierExtensionDefault + local constraintname=NoConstraint + local constraint=noConstraintImpl + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=policies&RS_ID=$profile;set1:p7;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Add Policy Authority Key Identifier Extension Default Policy to $profile" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p7;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Add Policy Details" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p7;$policy;$constraint\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartSetup "Admin Interface - Add Authority Info Access Extension Default Policy" + local op_scope=policies + local policy=authInfoAccessExtDefaultImpl + local policyname=AuthorityInfoAccessExtensionDefault + local constraintname=NoConstraint + local constraint=noConstraintImpl + rlLog "Add Policy" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=policies&RS_ID=$profile;set1:p8;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Add Policy Authority Info Access Extension Default Policy to $profile" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_user\_password" -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p8;$policy;$constraint&authInfoAccessCritical=false&authInfoAccessNumADs=1&authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1&authInfoAccessADLocationType_0=URIName&authInfoAccessADLocation_0=&authInfoAccessADEnable_0=false\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Add Policy Details" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p8;$policy;$constraint\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Read all policies of $profile" + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=policies&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartSetup "Admin Interface - Add Key Usage Extension Default" + local policy=keyUsageExtDefaultImpl + local policyname=KeyUsageExtensionDefault + local constraintname=KeyUsageExtensionConstraint + local constraint=keyUsageExtConstraintImpl + rlLog "Add Key Usage Policy" + local op_scope=policies + local crlurl="https://$tmp_ca_host:$target_secure_port/crl/Mastercrl.bin" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p9;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Add Key Usage Extension Default to $profile" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p9;$policy;$constraint&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Add Policy Details" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p9;$policy;$constraint&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartSetup "Admin Interface - Add Signing Algorithm Default Policy" + local policy=signingAlgDefaultImpl + local policyname=SigningAlgorithmDefault + local constraintname=SigningAlgorithmConstraint + local constraint=signingAlgConstraintImpl + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p10;$policy;$constraint\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Add Policy Signing Algorithm Default to $profile" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + local op_scope=defaultPolicy + rlLog "Add $policy Details" + rlRun "curl --capath "$CERTDB_DIR" \ + --basic --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p10;$policy;$constraint&signingAlg=SHA256withRSA\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Add Policy Details" + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Add Policy Constraint" + local op_scope=constraintPolicy + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=$op_scope&RS_ID=$profile;set1:p10;$policy;$constraint&signingAlgsAllowed=SHA1withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\" -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 + rlAssertNotGrep "The server encountered an internal error" "$admin_out" + rlLog "Get all policies of $profile" + local op_scope=policies + rlRun "curl --capath "$CERTDB_DIR" --basic \ + --user "$valid_admin_user:$valid_admin_user\_password" \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=$op_scope&RS_ID=$profile\" \ + -k https://$tmp_ca_host:$target_secure_port/ca/caprofile > $admin_out" 0 "Read all existing policies of $profile" + rlRun "process_curl_output $admin_out" 0 "Process curl output file" + rlAssertGrep "$policyname:$constraintname" "$admin_out" + rlPhaseEnd + + rlPhaseStartSetup "Enroll a user certificate with newly created profile" + rlRun "pki -h $tmp_ca_host \ + -p $tmp_ca_port \ + -d $CERTDB_DIR \ + -c $CERTDB_DIR_PASSWORD \ + -n $valid_agent_cert \ + ca-profile-enable $profile > $ca_profile_out 2>&1" 0 "Execute pki ca-profile-enable $profile" + local temp_user=foo_User_$RANDOM + rlLog "Generate a cert with subject name CN=Foo User_1,UID=$Temp_user,E=$temp_user@example.org,OU=FOO,O=Example.org,C=US" + rlRun "generate_new_cert tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_pwd:$TEMP_NSS_DB_PWD \ + req_type:pkcs10 \ + algo:rsa \ + key_size:1024 \ + subject_cn:\"Foo User_1\" \ + subject_uid:FooUser_1 \ + subject_email:FooUser_1@example.org \ + subject_ou:FOO \ + subject_o:Example.org \ + subject_c:US \ + archive:false \ + req_profile:$profile \ + target_host:$tmp_ca_host \ + protocol: \ + port:$tmp_ca_port \ + cert_db_dir:$CERTDB_DIR \ + cert_db_pwd:$CERTDB_DIR_PASSWORD \ + certdb_nick:\"$valid_agent_cert\" \ + cert_info:$cert_info" + local cert_serialNumber=$(cat $cert_info| grep cert_serialNumber | cut -d- -f2) + local cert_requestdn=$(cat $cert_info | grep cert_requestdn | cut -d- -f2) + rlRun "pki -h $tmp_ca_host -p $tmp_ca_port cert-show $cert_serialNumber > $cert_out" 0 "Executing pki cert-show $cert_serialNumber" + rlAssertGrep "Certificate \"$cert_serialNumber\"" "$cert_out" + rlAssertGrep "Serial Number: $cert_serialNumber" "$cert_out" + rlAssertGrep "Issuer: CN=PKI $SUBCA_INST Signing Certificate,O=redhat" "$cert_out" + rlAssertGrep "Subject: $pkcs10_requestdn" "$cert_out" + rlAssertGrep "Status: VALID" "$cert_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_agent_profile-001: SUBCA - Verify Disabling the profile with Admin only cert fails" + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Disable a Enabled profile" + local action=Disable + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + -E \"$valid_admin_cert:$CERTDB_DIR_PASSWORD\" \ + -d \"profileId=$profile&Disable=$action\" https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileApprove" + rlLog "Disable profile $profile and verify profile is already disabled" + rlRun "pki -h $tmp_ca_host \ + -p $tmp_ca_port \ + -d $CERTDB_DIR \ + -c $CERTDB_DIR_PASSWORD \ + -n $valid_agent_cert \ + ca-profile-enable $profile > $ca_profile_out 2>&1" \ + 255,1 "Enable already Enabled profile $profile" + rlAssertGrep "BadRequestException: Profile already enabled" "$ca_profile_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_agent_profile-002: SUBCA - Verify Enabling the profile with Admin cert fails" + rlLog "Disable profile using Agent Cert" + local action="Disable" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + -E \"$valid_agent_cert:$CERTDB_DIR_PASSWORD\" \ + -d \"profileId=$profile&$action=$action\" \ + https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileApprove > $admin_out" + rlLog "Enable a Disabled profile" + local action=Approve + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + -E \"$valid_admin_cert:$CERTDB_DIR_PASSWORD\" \ + -d \"profileId=$profile&$action=$action\" \ + https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileApprove > $admin_out" + rlLog "Verify if $profile is enabled by enabling using pki command" + rlRun "pki -h $tmp_ca_host \ + -p $tmp_ca_port \ + -d $CERTDB_DIR \ + -c $CERTDB_DIR_PASSWORD \ + -n $valid_agent_cert ca-profile-disable $profile > $ca_profile_out 2>&1" 255,1 "Execute pki ca-profile-enable $profile" + rlAssertGrep "BadRequestException: Profile already disabled" "$ca_profile_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_agent_profile-003: SUBCA - Verify Disabling the profile with Audit cert fails" + rlLog "Enable $profile" + rlRun "pki -h $tmp_ca_host \ + -p $tmp_ca_port \ + -d $CERTDB_DIR \ + -c $CERTDB_DIR_PASSWORD \ + -n $valid_agent_cert \ + ca-profile-enable $profile > $ca_profile_out" + rlAssertGrep "Enabled profile \"$profile\"" "$ca_profile_out" + rlLog "Disable a Enabled profile" + local action=Disable + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + -E \"$valid_audit_cert:$CERTDB_DIR_PASSWORD\" \ + -d \"profileId=$profile&$action=$action\" https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileApprove" + rlLog "Disable profile $profile and verify profile is already disabled" + rlRun "pki -h $tmp_ca_host \ + -p $tmp_ca_port \ + -d $CERTDB_DIR \ + -c $CERTDB_DIR_PASSWORD \ + -n $valid_agent_cert \ + ca-profile-enable $profile > $ca_profile_out 2>&1" \ + 255,1 "Enable already Enabled profile $profile" + rlAssertGrep "BadRequestException: Profile already enabled" "$ca_profile_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_agent_profile-004: SUBCA - Verify Enabling a disabled profile with Audit cert fails" + rlLog "Disable $profile" + rlRun "pki -h $tmp_ca_host \ + -p $tmp_ca_port \ + -d $CERTDB_DIR \ + -c $CERTDB_DIR_PASSWORD \ + -n $valid_agent_cert \ + ca-profile-disable $profile > $ca_profile_out" + rlAssertGrep "Disabled profile \"$profile\"" "$ca_profile_out" + rlLog "Enable a Disabled profile" + local action=Approve + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + -E \"$valid_audit_cert:$CERTDB_DIR_PASSWORD\" \ + -d \"profileId=$profile&Approve=$action\" \ + https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileApprove > $admin_out" + rlLog "Verify if $profile is disabled by disabling using pki command" + rlRun "pki -h $tmp_ca_host \ + -p $tmp_ca_port \ + -d $CERTDB_DIR \ + -c $CERTDB_DIR_PASSWORD \ + -n $valid_agent_cert ca-profile-disable $profile > $ca_profile_out 2>&1" 255,1 "Execute pki ca-profile-disable $profile" + rlAssertGrep "BadRequestException: Profile already disabled" "$ca_profile_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_agent_profile-005: SUBCA - Verify Disabling the enabled profile with Operator cert fails" + rlLog "Enable $profile" + rlRun "pki -h $tmp_ca_host \ + -p $tmp_ca_port \ + -d $CERTDB_DIR \ + -c $CERTDB_DIR_PASSWORD \ + -n $valid_agent_cert \ + ca-profile-enable $profile > $ca_profile_out" + rlAssertGrep "Enabled profile \"$profile\"" "$ca_profile_out" + rlLog "Disable a Enabled profile" + local action=Disable + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + -E \"$valid_operator_cert:$CERTDB_DIR_PASSWORD\" \ + -d \"profileId=$profile&Disable=$action\" https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileApprove" + rlLog "verify profile is in enabled state by enabling it again using pki ca-profile-enable" + rlRun "pki -h $tmp_ca_host \ + -p $tmp_ca_port \ + -d $CERTDB_DIR \ + -c $CERTDB_DIR_PASSWORD \ + -n $valid_agent_cert \ + ca-profile-enable $profile > $ca_profile_out 2>&1" \ + 255,1 "Enable already Enabled profile $profile" + rlAssertGrep "BadRequestException: Profile already enabled" "$ca_profile_out" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_agent_profile-006: SUBCA - Verify Enabling a disabled profile with Operator cert fails" + rlLog "Disable $profile" + rlRun "pki -h $tmp_ca_host \ + -p $tmp_ca_port \ + -d $CERTDB_DIR \ + -c $CERTDB_DIR_PASSWORD \ + -n $valid_agent_cert \ + ca-profile-disable $profile > $ca_profile_out" + rlLog "Enable a Disabled profile" + local action=Approve + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + -E \"$valid_operator_cert:$CERTDB_DIR_PASSWORD\" \ + -d \"profileId=$profile&Approve=$action\" \ + https://$tmp_ca_host:$target_secure_port/ca/agent/ca/profileApprove > $admin_out" + rlLog "Verify if $profile is disabled by disabling using pki command which should fail" + rlRun "pki -h $tmp_ca_host \ + -p $tmp_ca_port \ + -d $CERTDB_DIR \ + -c $CERTDB_DIR_PASSWORD \ + -n $valid_agent_cert ca-profile-disable $profile > $ca_profile_out 2>&1" 255,1 "Execute pki ca-profile-enable $profile" + rlAssertGrep "BadRequestException: Profile already disabled" "$ca_profile_out" + rlPhaseEnd + + rlPhaseStartCleanup "Delete temp dir" + rlRun "popd" + rlRun "rm -r $TmpDir" 0 "Removing tmp directory" + rlPhaseEnd + +} diff --git a/tests/dogtag/runtest.sh b/tests/dogtag/runtest.sh index f129a7be1..e6b2cfadf 100755 --- a/tests/dogtag/runtest.sh +++ b/tests/dogtag/runtest.sh @@ -197,10 +197,18 @@ . ./acceptance/legacy/subca-tests/crlissuingpoint/subca-ad-crlissuingpoints.sh . ./acceptance/legacy/subca-tests/publishing/subca-ad-publishing.sh . ./acceptance/legacy/subca-tests/crls/subca-ag-crls.sh +. ./acceptance/legacy/subca-tests/cert-enrollment/subca-ag-certificates.sh +. ./acceptance/legacy/subca-tests/cert-enrollment/subca-ag-requests.sh +. ./acceptance/legacy/subca-tests/cert-enrollment/subca-ee-enrollments.sh +. ./acceptance/legacy/subca-tests/cert-enrollment/subca-ee-retrieval.sh +. ./acceptance/legacy/subca-tests/profiles/subca-ad-profiles.sh +. ./acceptance/legacy/subca-tests/profiles/subca-ag-profiles.sh +. ./acceptance/legacy/subca-tests/logs/subca-ad-logs.sh . ./acceptance/legacy/drm-tests/acls/drm-ad-acls.sh . ./acceptance/legacy/drm-tests/agent/drm-ag-tests.sh . ./acceptance/legacy/drm-tests/internaldb/drm-ad-internaldb.sh . ./acceptance/legacy/drm-tests/usergroups/drm-ad-usergroups.sh +. ./acceptance/legacy/drm-tests/logs/drm-ad-logs.sh . ./acceptance/bugzilla/bug_setup.sh . ./acceptance/bugzilla/bug_uninstall.sh . ./acceptance/bugzilla/tomcatjss-bugs/bug-1058366.sh @@ -1544,6 +1552,11 @@ rlJournalStart subsystemType=kra run_admin-kra-internaldb_tests $subsystemType $MYROLE fi + PKI_LEGACY_KRA_AD_LOGS_UPPERCASE=$(echo $PKI_LEGACY_KRA_AD_LOGS | tr [a-z] [A-Z]) + if [ "$PKI_LEGACY_KRA_AD_LOGS_UPPERCASE" = "TRUE" ] || [ "$TEST_ALL_UPPERCASE" = "TRUE" ]; then + subsystemType=kra + run_admin-kra-log_tests $subsystemType $MYROLE + fi PKI_LEGACY_SUBCA_ADMIN_ACLS_UPPERCASE=$(echo $PKI_LEGACY_SUBCA_ADMIN_ACLS | tr [a-z] [A-Z]) if [ "$PKI_LEGACY_SUBCA_ADMIN_ACLS_UPPERCASE" = "TRUE" ] || [ "$TEST_ALL_UPPERCASE" = "TRUE" ]; then subsystemType=ca @@ -1574,6 +1587,41 @@ rlJournalStart subsystemType=ca run_agent-subca-crls_tests $subsystemType $MYROLE fi + PKI_LEGACY_SUBCA_AG_CERTIFICATES_UPPERCASE=$(echo $PKI_LEGACY_SUBCA_AG_CERTIFICATES | tr [a-z] [A-Z]) + if [ "$PKI_LEGACY_SUBCA_AG_CERTIFICATES_UPPERCASE" = "TRUE" ] || [ "$TEST_ALL_UPPERCASE" = "TRUE" ]; then + subsystemType=ca + run_subca-ag-certificates_tests $subsystemType $MYROLE + fi + PKI_LEGACY_SUBCA_AG_REQUESTS_UPPERCASE=$(echo $PKI_LEGACY_SUBCA_AG_REQUESTS | tr [a-z] [A-Z]) + if [ "$PKI_LEGACY_SUBCA_AG_REQUESTS_UPPERCASE" = "TRUE" ] || [ "$TEST_ALL_UPPERCASE" = "TRUE" ]; then + subsystemType=ca + run_subca-ag-requests_tests $subsystemType $MYROLE + fi + PKI_LEGACY_SUBCA_EE_ENROLLMENT_UPPERCASE=$(echo $PKI_LEGACY_SUBCA_EE_ENROLLMENT | tr [a-z] [A-Z]) + if [ "$PKI_LEGACY_SUBCA_EE_ENROLLMENT_UPPERCASE" = "TRUE" ] || [ "$TEST_ALL_UPPERCASE" = "TRUE" ]; then + subsystemType=ca + run_ee-subca-enrollment_tests $subsystemType $MYROLE + fi + PKI_LEGACY_SUBCA_EE_RETRIEVAL_UPPERCASE=$(echo $PKI_LEGACY_SUBCA_EE_RETRIEVAL | tr [a-z] [A-Z]) + if [ "$PKI_LEGACY_SUBCA_EE_RETRIEVAL_UPPERCASE" = "TRUE" ] || [ "$TEST_ALL_UPPERCASE" = "TRUE" ]; then + subsystemType=ca + run_ee-subca-retrieval_tests $subsystemType $MYROLE + fi + PKI_LEGACY_SUBCA_ADMIN_PROFILE_UPPERCASE=$(echo $PKI_LEGACY_SUBCA_ADMIN_PROFILE | tr [a-z] [A-Z]) + if [ "$PKI_LEGACY_SUBCA_ADMIN_PROFILE_UPPERCASE" = "TRUE" ] || [ "$TEST_ALL_UPPERCASE" = "TRUE" ]; then + subsystemType=ca + run_admin-subca-profile_tests $subsystemType $MYROLE + fi + PKI_LEGACY_SUBCA_AGENT_PROFILE_UPPERCASE=$(echo $PKI_LEGACY_SUBCA_AGENT_PROFILE | tr [a-z] [A-Z]) + if [ "$PKI_LEGACY_SUBCA_AGENT_PROFILE_UPPERCASE" = "TRUE" ] || [ "$TEST_ALL_UPPERCASE" = "TRUE" ]; then + subsystemType=ca + run_agent-subca-profile_tests $subsystemType $MYROLE + fi + PKI_LEGACY_SUBCA_ADMIN_LOGS_UPPERCASE=$(echo $PKI_LEGACY_SUBCA_ADMIN_LOGS | tr [a-z] [A-Z]) + if [ "$PKI_LEGACY_SUBCA_ADMIN_LOGS_UPPERCASE" = "TRUE" ] || [ "$TEST_ALL_UPPERCASE" = "TRUE" ]; then + subsystemType=ca + run_admin-subca-log_tests $subsystemType $MYROLE + fi rlPhaseEnd ######## DEV UNIT TESTS ############ DEV_JAVA_TESTS_UPPERCASE=$(echo $DEV_JAVA_TESTS | tr [a-z] [A-Z]) -- cgit