Skip to content

Commit

Permalink
Add test for installing CA with obsolete admin cert
Browse files Browse the repository at this point in the history 
The test for installing CA with existing config (which includes
the certs) has been updated to reinstall the CA with new system
certs but with an old admin cert in ca_admin_cert.p12 from the
previous installation (which should fail). Then the test will
remove the ca_admin_cert.p12 and reinstall the CA again (which
should succeed) and it will create a new admin cert.

pkispawn has been updated to indicate that the admin cert that
cannot be verified might be obsolete.
  • Loading branch information
@edewata
edewata committed Feb 6, 2025
1 parent d245397 commit 950439b
Show file tree
Hide file tree
Showing 4 changed files with 132 additions and 9 deletions.
115 changes: 111 additions & 4 deletions .github/workflows/ca-existing-config-test.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -100,9 +100,9 @@ jobs:
docker exec pki pki pkcs12-import \
--pkcs12 /root/.dogtag/localhost/ca_admin_cert.p12 \
--pkcs12-password Secret.123
--password Secret.123
docker exec pki pki nss-cert-find | tee admin-cert.orig
docker exec pki pki nss-cert-show caadmin | tee admin-cert.orig
docker exec pki pki -n caadmin ca-user-show caadmin
Expand Down Expand Up @@ -211,7 +211,18 @@ jobs:
diff expected output
- name: Install CA again
- name: Check admin cert after first removal
run: |
docker exec pki ls -l /root/.dogtag/localhost
docker exec pki pki nss-cert-show \
--cert-file /root/.dogtag/localhost/ca_admin.cert
docker exec pki pki pkcs12-cert-find \
--pkcs12 /root/.dogtag/localhost/ca_admin_cert.p12 \
--password Secret.123
- name: Install CA with the same config
run: |
docker exec pki pkispawn \
-f /usr/share/pki/server/examples/installation/ca.cfg \
Expand Down Expand Up @@ -283,7 +294,7 @@ jobs:
- name: Check CA admin again
run: |
docker exec pki pki nss-cert-find | tee admin-cert.new
docker exec pki pki nss-cert-show caadmin | tee admin-cert.new
# admin cert should not change
diff admin-cert.orig admin-cert.new
Expand Down Expand Up @@ -362,6 +373,102 @@ jobs:
diff expected stderr
- name: Check admin cert after second removal
run: |
docker exec pki ls -l /root/.dogtag/localhost
docker exec pki pki nss-cert-show \
--cert-file /root/.dogtag/localhost/ca_admin.cert
docker exec pki pki pkcs12-cert-find \
--pkcs12 /root/.dogtag/localhost/ca_admin_cert.p12 \
--password Secret.123
- name: Install CA with new config and old admin cert
run: |
rc=0
docker exec pki pkispawn \
-f /usr/share/pki/server/examples/installation/ca.cfg \
-s CA \
-D pki_instance_name=localhost \
-D pki_ds_url=ldap://ds.example.com:3389 \
-v \
|| rc=$?
# pkispawn should fail
[ $rc -ne 0 ]
- name: Remove old admin cert
run: |
docker exec pki rm -f /root/.dogtag/localhost/ca_admin.cert
docker exec pki rm -f /root/.dogtag/localhost/ca_admin_cert.p12
- name: Install CA with new config and no admin cert
run: |
docker exec pki pkispawn \
-f /usr/share/pki/server/examples/installation/ca.cfg \
-s CA \
-D pki_instance_name=localhost \
-D pki_ds_url=ldap://ds.example.com:3389 \
-v
# pkispawn should succeed
- name: Check system certs again
run: |
docker exec pki pki \
-d /var/lib/pki/localhost/conf/alias \
nss-cert-find | tee system-certs.new
# system certs should be different
rc=0
diff system-certs.orig system-certs.new || rc=$?
[ $rc -ne 0 ]
- name: Check CA admin
run: |
# remove old certs
docker exec pki pki nss-cert-del caadmin
docker exec pki pki nss-cert-del ca_signing
# export new CA signing cert
docker exec pki pki-server \
cert-export \
-i localhost \
--cert-file ca_signing.crt \
ca_signing
# import new CA signing cert
docker exec pki pki nss-cert-import \
--cert ca_signing.crt \
--trust CT,C,C \
ca_signing
# import new admin cert
docker exec pki pki pkcs12-import \
--pkcs12 /root/.dogtag/localhost/ca_admin_cert.p12 \
--password Secret.123
docker exec pki pki nss-cert-show caadmin | tee admin-cert.new
# admin cert should be different
rc=0
diff admin-cert.orig admin-cert.new || rc=$?
[ $rc -ne 0 ]
docker exec pki pki -n caadmin ca-user-show caadmin
- name: Remove CA again
run: |
docker exec pki pkidestroy \
-i localhost \
-s CA \
--remove-conf \
--remove-logs \
-v
- name: Check DS server systemd journal
if: always()
run: |
Expand Down
14 changes: 9 additions & 5 deletions base/server/python/pki/server/deployment/__init__.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2583,7 +2583,8 @@ def import_system_certs(self, nssdb, subsystem):
logger.info('Verifying admin cert in %s', cert_file)
self.instance.verify_cert(admin_cert)
except Exception:
raise pki.cli.CLIException('Invalid admin certificate in %s' % cert_file)
raise pki.cli.CLIException(
'Invalid/obsolete admin certificate in %s' % cert_file)

self.import_admin_cert(admin_cert)

Expand Down Expand Up @@ -4013,7 +4014,7 @@ def setup_admin_cert(self, subsystem):
self.instance.verify_cert(pem_cert)
except Exception:
raise pki.cli.CLIException(
'Invalid admin certificate in %s' % client_nssdb.directory)
'Invalid/obsolete admin certificate in %s' % client_nssdb.directory)

if external and subsystem.type != 'CA' or standalone:
# no need to re-import admin cert into NSS database
Expand Down Expand Up @@ -4048,7 +4049,8 @@ def setup_admin_cert(self, subsystem):
logger.info('Verifying admin cert in %s', pkcs12_file)
self.instance.verify_cert(pem_cert)
except Exception:
raise pki.cli.CLIException('Invalid admin certificate in %s' % pkcs12_file)
raise pki.cli.CLIException(
'Invalid/obsolete admin certificate in %s' % pkcs12_file)

logger.info('Importing admin cert into %s', client_nssdb.directory)

Expand Down Expand Up @@ -4080,7 +4082,8 @@ def setup_admin_cert(self, subsystem):
logger.info('Verifying admin cert in %s', cert_path)
self.instance.verify_cert(pem_cert)
except Exception:
raise pki.cli.CLIException('Invalid admin certificate in %s' % cert_path)
raise pki.cli.CLIException(
'Invalid/obsolete admin certificate in %s' % cert_path)

if external and subsystem.type != 'CA' or standalone:
self.import_admin_cert(pem_cert)
Expand All @@ -4104,7 +4107,8 @@ def setup_admin_cert(self, subsystem):
logger.info('Verifying admin cert in %s', cert_file)
self.instance.verify_cert(pem_cert)
except Exception:
raise pki.cli.CLIException('Invalid admin certificate in %s' % cert_file)
raise pki.cli.CLIException(
'Invalid/obsolete admin certificate in %s' % cert_file)

if external and subsystem.type != 'CA' or standalone:
self.import_admin_cert(pem_cert)
Expand Down
6 changes: 6 additions & 0 deletions base/server/python/pki/server/pkidestroy.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -246,6 +246,12 @@ def main(argv):
print()
sys.exit(1)

except pki.cli.CLIException as e:
print()
print('Uninstallation failed: %s' % str(e))
print()
sys.exit(1)

except Exception as e: # pylint: disable=broad-except
log_error_details()
print()
Expand Down
6 changes: 6 additions & 0 deletions base/server/python/pki/server/pkispawn.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -628,6 +628,12 @@ def main(argv):

sys.exit(1)

except pki.cli.CLIException as e:
print()
print('Installation failed: %s' % str(e))
print()
sys.exit(1)

except Exception as e: # pylint: disable=broad-except
log_error_details()
print()
Expand Down

0 comments on commit 950439b

Please sign in to comment.