From a13e92ed1fcd243f9d261dfcc23187952245d245 Mon Sep 17 00:00:00 2001
From: "Eric D. Helms"
Date: Tue, 26 Nov 2024 15:38:01 -0500
Subject: [PATCH] Add check for sha1 CA certificate

Co-authored-by: Ewoud Kohl van Wijngaarden
Signed-off-by: Eric D. Helms
---
 bin/katello-certs-check | 11 ++++++
 .../certs/ca-sha1-bundle.crt | 36 +++++++++++++++++++
 .../katello-certs-check/certs/ca-sha1.crt | 17 +++++++++
 .../katello-certs-check/certs/ca-sha1.key | 28 +++++++++++++++
 .../certs/foreman-sha1.example.com.crt | 21 +++++++++++
 .../certs/foreman-sha1.example.com.key | 28 +++++++++++++++
 .../katello-certs-check/create_cert.sh | 23 ++++++++++++
 spec/katello_certs_check_spec.rb | 26 ++++++++++++++
 8 files changed, 190 insertions(+)
 create mode 100644 spec/fixtures/katello-certs-check/certs/ca-sha1-bundle.crt
 create mode 100644 spec/fixtures/katello-certs-check/certs/ca-sha1.crt
 create mode 100644 spec/fixtures/katello-certs-check/certs/ca-sha1.key
 create mode 100644 spec/fixtures/katello-certs-check/certs/foreman-sha1.example.com.crt
 create mode 100644 spec/fixtures/katello-certs-check/certs/foreman-sha1.example.com.key

diff --git a/bin/katello-certs-check b/bin/katello-certs-check
index 9913ed00..0bb0328a 100755
--- a/bin/katello-certs-check
+++ b/bin/katello-certs-check
@@ -249,6 +249,16 @@ function check-shortname () {
   fi
 }
 
+function check-ca-signing-algorithm () {
+  printf "Checking CA signing algorithm for sha1: "
+  CHECK=$(openssl crl2pkcs7 -nocrl -certfile "$CA_BUNDLE_FILE" | openssl pkcs7 -print | grep algorithm | grep -q 'sha1WithRSAEncryption')
+  if [[ $? == "0" ]]; then
+    error 4 "The file '$CA_BUNDLE_FILE' contains a certificate signed with sha1 and will break installation. Update the server CA certificate and its chain with one signed by sha256 or stronger."
+  else
+    success
+  fi
+}
+
 check-files-exist
 check-server-cert-encoding
 check-expiration
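Review bot: The match on `sha1WithRSAEncryption` in check-ca-signing-algorithm only catches RSA signatures, so a chain member signed with `ecdsa-with-SHA1`, `dsaWithSHA1` or `md5WithRSAEncryption` passes even though the commit's rationale applies to those just as much. The `CHECK=$(...)` assignment is also dead — `grep -q` prints nothing — and the `$?` test on the next line works only because an assignment inherits the substitution's exit status, which is fragile under later edits. Both are addressed by testing the pipeline directly with a wider, case-insensitive pattern: `if openssl crl2pkcs7 -nocrl -certfile "$CA_BUNDLE_FILE" | openssl pkcs7 -print | grep -qiE 'algorithm: .*(sha1|md5)'; then`. A one-line header such as `# Fail when any certificate in the CA bundle (root or intermediate) carries a SHA-1/MD5 signature; the installer does not accept such chains` would record why this is an error rather than a warning. check-shortname's body begins outside the hunk; the new function is complete within it.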
@@ -261,6 +271,7 @@ check-ca-bundle-trust-rules
 check-cert-san
 check-cert-usage-key-encipherment
 check-shortname
+check-ca-signing-algorithm
 
 if [[ $EXIT_CODE == "0" ]] && ([[ $TARGET == ${SERVER_TARGET} ]] || [[ -z "$TARGET" ]]) ; then
   echo -e "${GREEN}Validation succeeded${RESET}\n"
diff --git a/spec/fixtures/katello-certs-check/certs/ca-sha1-bundle.crt b/spec/fixtures/katello-certs-check/certs/ca-sha1-bundle.crt
new file mode 100644
index 00000000..c9de3bff
--- /dev/null
+++ b/spec/fixtures/katello-certs-check/certs/ca-sha1-bundle.crt
@@ -0,0 +1,36 @@ +-----BEGIN CERTIFICATE----- +MIIDHTCCAgWgAwIBAgIUK+x25LNYYMHS83aWDnAYviwxEYEwDQYJKoZIhvcNAQEL +BQAwHjEcMBoGA1UEAwwTVGVzdCBTZWxmLVNpZ25lZCBDQTAeFw0yMDExMTgwMjMw +NDNaFw0zMDExMTYwMjMwNDNaMB4xHDAaBgNVBAMME1Rlc3QgU2VsZi1TaWduZWQg +Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC92114uygw5KcqPCz1 +E/Cwd3Lo2ytyPD9FchWKPOxXpNisHMOr4zAfsxERXmgBLawHIkqc2Xae3TqHGGQa +ll3J3HukwghZQAyjcNG/Q2Q2QqfQW1tzxHRnz2EKBoRoyhmVXcnu+qBoEgkf5QI/ +Rk9HzLJINZPcZuMEkRgcf5q1h/F+PY2yCMwT5qjB6whn6zX6FP6G3//fRtkZw4cI +FPPjKJedbHlYEifRigmJfu+T5Q5xz19Og/1zDwfl7is5eBUV+KEoIE7UpmvR1UrM ++T6WYl3vxeM08y1QU6vR9GqummDMinfWLj0hV+dYwI9/1fHIjfPqgxPUa5AGw7ik +vyrvAgMBAAGjUzBRMB0GA1UdDgQWBBQz80R5aRb/egnEMKHQonUM3xgj6DAfBgNV +HSMEGDAWgBQz80R5aRb/egnEMKHQonUM3xgj6DAPBgNVHRMBAf8EBTADAQH/MA0G +CSqGSIb3DQEBCwUAA4IBAQCdiBvQx6ExmteTzwkGCheKwUMvzCehuwvpoJRE/JXo +zz67414oyWXkSN8/9HE3nkH/xxunD/Ni+N9ppk7iicSpyOKfdDXiaS8qq1O1OXCx +CjoVuIFAPFWOEEhLdnb1v8YVWx2JwcbGvhCLNSoK1a6uwCmWixtoeQiKspBfwFcb +wfU9qNdXsezBljahE4Q2E4SR+XclA6iHdooX4ajnleamqeH0ephyCqvMAhzfJA5F +O1+SJRFbIjwfKxsEJS6Czrn+EU2eLtxk5g5+oO06ZYj4rVOfgc2Wc0+cisgP0fT/ +WVkAxgGS6L0jGvZSisEUBpoidJNddWnf9mzUT2kJ5DCO +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICwzCCAasCFCfqmT5iimHv5Qw7DMKZztytQza5MA0GCSqGSIb3DQEBBQUAMB4x +HDAaBgNVBAMME1Rlc3QgU2VsZi1TaWduZWQgQ0EwHhcNMjQxMjA2MTk1NzM2WhcN +MzQxMjA0MTk1NzM2WjAeMRwwGgYDVQQDDBNUZXN0IFNlbGYtU2lnbmVkIENBMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2SygWdi+BjZRyo8G5WW/527S +JB3Mpkc35G0RQ+hszXlH6XqFw5NTcTebF5UnJ/DtuKQ0r4FAmJopH5/bejysb7xe +tV6vgjcga3C7XVuHs1dbU7NUVWEiy0VvhI/znIK7HQ2AI//5v8CaDMxnBD4El55Y +dagpBFCKuiuKTy4G1l4opeZGJe5ZFs10bPX5VbrqJs6l1p5C+ylrJmMxAwTtnq1Y +qFu9B8k9wjZYTBFcEAO4CEAs/EAIfQZcd6XCq2L/YhofqBXy7Nr97NZgPUH8UtZA +nTbG0P0dEBiSEx0rbbIg2ToAhcgLAgzPZbVV+fon/V2K7yq/Y+XQWMMGqTeuZwID +AQABMA0GCSqGSIb3DQEBBQUAA4IBAQB7UCCFbs2kkpFR2epS97Zc7/OBd1M9ZLCh +YRLJEjywrEnc/m8KQ9TqVSxWnk8O2Ld7hkrME4fZ+S8riXXrjv8kfRImoZE/3h2f +QDmKOS10d79ehEtgSKBToukEcwgL5q/PjQ840wEjJK5gEG3UoFXIl3/EkvPi8Vrq 
+ELBKYJhzaJA1g0ziOZWJh/sXI9ryIJ9XHUPwx5elqdtXMR0SRpvo1FmtATgBtPga +wQ6H2KHLnas9h1owoyPETxYnd7qgbNORGSglhH0PiUTbucD6ozU+VcBuq9qPJnwZ +76lKsVXoyGQydEuEYOmYstJqE+nBfVgPG4OwgHHHt99htimjCcn3 +-----END CERTIFICATE----- diff --git a/spec/fixtures/katello-certs-check/certs/ca-sha1.crt b/spec/fixtures/katello-certs-check/certs/ca-sha1.crt new file mode 100644 index 00000000..e5aa5296 --- /dev/null +++ b/spec/fixtures/katello-certs-check/certs/ca-sha1.crt @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICwzCCAasCFCfqmT5iimHv5Qw7DMKZztytQza5MA0GCSqGSIb3DQEBBQUAMB4x +HDAaBgNVBAMME1Rlc3QgU2VsZi1TaWduZWQgQ0EwHhcNMjQxMjA2MTk1NzM2WhcN +MzQxMjA0MTk1NzM2WjAeMRwwGgYDVQQDDBNUZXN0IFNlbGYtU2lnbmVkIENBMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2SygWdi+BjZRyo8G5WW/527S +JB3Mpkc35G0RQ+hszXlH6XqFw5NTcTebF5UnJ/DtuKQ0r4FAmJopH5/bejysb7xe +tV6vgjcga3C7XVuHs1dbU7NUVWEiy0VvhI/znIK7HQ2AI//5v8CaDMxnBD4El55Y +dagpBFCKuiuKTy4G1l4opeZGJe5ZFs10bPX5VbrqJs6l1p5C+ylrJmMxAwTtnq1Y +qFu9B8k9wjZYTBFcEAO4CEAs/EAIfQZcd6XCq2L/YhofqBXy7Nr97NZgPUH8UtZA +nTbG0P0dEBiSEx0rbbIg2ToAhcgLAgzPZbVV+fon/V2K7yq/Y+XQWMMGqTeuZwID +AQABMA0GCSqGSIb3DQEBBQUAA4IBAQB7UCCFbs2kkpFR2epS97Zc7/OBd1M9ZLCh +YRLJEjywrEnc/m8KQ9TqVSxWnk8O2Ld7hkrME4fZ+S8riXXrjv8kfRImoZE/3h2f +QDmKOS10d79ehEtgSKBToukEcwgL5q/PjQ840wEjJK5gEG3UoFXIl3/EkvPi8Vrq +ELBKYJhzaJA1g0ziOZWJh/sXI9ryIJ9XHUPwx5elqdtXMR0SRpvo1FmtATgBtPga +wQ6H2KHLnas9h1owoyPETxYnd7qgbNORGSglhH0PiUTbucD6ozU+VcBuq9qPJnwZ +76lKsVXoyGQydEuEYOmYstJqE+nBfVgPG4OwgHHHt99htimjCcn3 +-----END CERTIFICATE----- diff --git a/spec/fixtures/katello-certs-check/certs/ca-sha1.key b/spec/fixtures/katello-certs-check/certs/ca-sha1.key new file mode 100644 index 00000000..43a4a411 --- /dev/null +++ b/spec/fixtures/katello-certs-check/certs/ca-sha1.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDZLKBZ2L4GNlHK +jwblZb/nbtIkHcymRzfkbRFD6GzNeUfpeoXDk1NxN5sXlScn8O24pDSvgUCYmikf +n9t6PKxvvF61Xq+CNyBrcLtdW4ezV1tTs1RVYSLLRW+Ej/OcgrsdDYAj//m/wJoM +zGcEPgSXnlh1qCkEUIq6K4pPLgbWXiil5kYl7lkWzXRs9flVuuomzqXWnkL7KWsm +YzEDBO2erVioW70HyT3CNlhMEVwQA7gIQCz8QAh9Blx3pcKrYv9iGh+oFfLs2v3s +1mA9QfxS1kCdNsbQ/R0QGJITHSttsiDZOgCFyAsCDM9ltVX5+if9XYrvKr9j5dBY +wwapN65nAgMBAAECggEADqcmAI87rwPzkSUE/u2rvOFAziKxQAIrzBPsfMujVQUb +AYP8n31YEsUA3V6jwDGk0Hb1KRGhpUo4KRk/lT1KbdWPVvxsVMRZwcte5kXP351Z +cknLZbatQtAiCJcv2tOv7Ui6aHNpIJ4i/BG/Mk2UQL30flJvcLTrJJ7dxkmMOOK3 +VMjKjqpk+pQuoZ++WZ16wLcQV0UZZ2cwY5IbVfIuCAOtr95wB87D06qDkcfx6KsT +aqimFqmct+KILq1oOTdeyLNPDgW6UL7wfhJd7/3gCC+nRjNuaW1yes33eyeRQ55o +M3u8I+BqUADKYGW2+z7uObnEkNZqCbQzXOF61whCdQKBgQDzahS9rlGNunzW1Rit +pQPjQ30fumDstwGRf75go5l0np9GMiHgNb9J89xvSW59gS5bWDt6bO9hAah05DBC +IZtL66sKi1oeDiYZeV3Ua1UGBSmy8n8Zz7dSZmQUl0hxoPcnDv3iZx9UHYcuhJwW +Uii5UCJZJolJBd+v+lef9pE0ewKBgQDkZzj/8dwOGtsWUIa8NPS4n2FTafnjsVvS +lRodG+AS1YTv70RCrm0gqLWtv3BptedLeDuxUP1XWyTHMPI92xjg+Sn/3+2XdHv8 +0HoZYV7Fkmw3LkzEWrLrJ/drRNQOF9G/lVecQ/gHVQswPoaFn5U2yi3LV8avpaeU +rxNjgNh4BQKBgQDBezfDUhV3H53tsfLsy7bcZZ/GoYI7hngTrEOqU0A+J3uY825j +5rUHVnSIbQkLb6xmZSrZ9E8Of5/kUiFd35KudUQ+nGfkbgCwzPzdRPePUnlDyWdo +H+iq8cJpb5rg3z61aEA8PxXy6YmzWysqvuGp811qGayUQ7v7CHWwK/BdkwKBgCPC +uZzxLEgVElpjD0VmcS563c0mmZZ5zWuiJq2KEMJCJgc/Cgv6rWFgqNlkUOBsN6OM +VqRDjvbfcVmyoyrmI/YNbPMAB34gIc2KgqN4qFL8wu681A4mOT8ySb3E0ALI3fFG +G6p+xdW4DgFmuL8xJjam3xaoTpZvtFZGNx3sLXhVAoGBAKaQCjcR9EwCObim8+s8 +l97xSSDtkcvHBcV3bWRo+5c5RiNShjNRYGnJ2YhaVgbB3kkVZjkfdMN/Ms5H1htF +SMrVKbByAQF9p8QeOoww99sx/dExwIA5p4VuUlmFHRhDCgnLhUXe/RJP5Y2+16hn +vDYEQDTkTV2whuDB51qV29Gz +-----END PRIVATE KEY----- diff --git a/spec/fixtures/katello-certs-check/certs/foreman-sha1.example.com.crt b/spec/fixtures/katello-certs-check/certs/foreman-sha1.example.com.crt new file mode 100644 index 00000000..007898a0 --- /dev/null 
+++ b/spec/fixtures/katello-certs-check/certs/foreman-sha1.example.com.crt @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDejCCAmKgAwIBAgIUcHqMbOmM7gGFcfi3jIb1vTitbkQwDQYJKoZIhvcNAQEL +BQAwHjEcMBoGA1UEAwwTVGVzdCBTZWxmLVNpZ25lZCBDQTAeFw0yNDEyMDYxOTU3 +MzZaFw0zNDEyMDQxOTU3MzZaMB4xHDAaBgNVBAMME2ZvcmVtYW4uZXhhbXBsZS5j +b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQChlvkIs/8vsEQCVN/j +73ugXfufdYah8VzkcCjSocRoisszS+GUKKawwDd1zWdwOHcoV+7HBFKLAtyjhCFR +kqezttMTePWXhT4ted9La07zasXHCmy+GUTnuf0jgEX7SeG+0HOwVrm9rvq5cswS +up/QIL9BIYn+AQQELrS63yLqblc0WdV8VMnMjj46i/qZG2iJIoM/RVIfaq90if96 +TijXt53LKHh1SV+LXZxt3BJgGTRFfaG843S1Aea6h9UFdrn7dzIDknrb7kWzz81K +Wear1trFdgkj13BbBF+AunbVejK8Pk6hm4i82ropBDxanSy7iOvlm/Uz9NDLKAON +dJ4xAgMBAAGjga8wgawwCwYDVR0PBAQDAgUgMDkGA1UdEQQyMDCCE2ZvcmVtYW4u +ZXhhbXBsZS5jb22CGWZvcmVtYW4tZWMzODQuZXhhbXBsZS5jb20wHQYDVR0OBBYE +FHnA0BUv7moEuAeEn/DGrIQbjD08MEMGA1UdIwQ8MDqhIqQgMB4xHDAaBgNVBAMM +E1Rlc3QgU2VsZi1TaWduZWQgQ0GCFCfqmT5iimHv5Qw7DMKZztytQza5MA0GCSqG +SIb3DQEBCwUAA4IBAQC0NSSu2LBWAMHol1ywQSk1+L5naiX8hn9aafgOcE8UlEAk +b05LCeqZ/MyDR1sxfDwKFIHjkDG0FjbizUr9R5J4PGHOgJuGFaePYrAGpCF03rFi +GmrYnxFo309wC2uBiuK5yMTif7/WM9QfhaZ3JGe9tpiZAHWkcjfYb5Ujc/LqQJ13 +y6W9QpKWFaMEX/N6LMai6jto69Q+2WqTruw7mqBBW0MCaHNCeLIU9zzDyvwtoHzs +EJEsvkVhUBXtWhMPomxjfybHOB7rHPbNnyY+3tCKXO80w3GuWPlpdSVvphTujZtv +KMSeO4MwrU0j69tqzIsvG3ha0PNroRL6D0p45KLy +-----END CERTIFICATE----- diff --git a/spec/fixtures/katello-certs-check/certs/foreman-sha1.example.com.key b/spec/fixtures/katello-certs-check/certs/foreman-sha1.example.com.key new file mode 100644 index 00000000..355916de --- /dev/null +++ b/spec/fixtures/katello-certs-check/certs/foreman-sha1.example.com.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQChlvkIs/8vsEQC +VN/j73ugXfufdYah8VzkcCjSocRoisszS+GUKKawwDd1zWdwOHcoV+7HBFKLAtyj +hCFRkqezttMTePWXhT4ted9La07zasXHCmy+GUTnuf0jgEX7SeG+0HOwVrm9rvq5 +cswSup/QIL9BIYn+AQQELrS63yLqblc0WdV8VMnMjj46i/qZG2iJIoM/RVIfaq90 +if96TijXt53LKHh1SV+LXZxt3BJgGTRFfaG843S1Aea6h9UFdrn7dzIDknrb7kWz +z81KWear1trFdgkj13BbBF+AunbVejK8Pk6hm4i82ropBDxanSy7iOvlm/Uz9NDL +KAONdJ4xAgMBAAECggEACZ1dkQaAwxomWcsqDTp1LSwaajkIez9MyyzfSPUmJiBI +CfPUZsfqby7oveIsavF5KZXd18qqjKntbe9ROjTTNK7GrWxvlIXxlqwfPLIUXwh1 +3yuAH+mJ/43CAahCwbp6K6vkjlQCtkYglgM+IEkpdC1Wo+32c34k+oi66TmYrsEs +xDba7VYDqsmUtkfykEGLkSMc0uUD40nh/IMo4TRvqgptJe3frjrw9TohECs1O3yt +2of2tPeto2o/L6JSYyE0gtZBgt3R7UesfP1oyWs2Z9xUGCvvei/vjCZTYVanzlaR +2E/ZUE+683XAP0M/7EkOqOVmdGdh/ogDZ5/fcKrxSQKBgQDV0AHSXqFsJHmIH9yk +NZi9Wh3+3+jSmoFwzZ5A3OL35xy8P7W9Fxo0ZGSso9bFvyAXsjkhdoAh1F99cbmA +0CSxzCQDcUZG7735ZTCcVQkpyojSee1rLdUrD3hebcg6LqQ2BBhg+JwCA22ZdUqe +cuLrAhc2XGgYoVAhRMsNebquXQKBgQDBeR0l7jUF9kDLg9hHs+QapPpYDwRYX0a2 +JBJrUI4oePxbqYOhIlY3torCAw1hda7fYE2DIp3X4IshxGP5trWc6TGcuSPwwbT1 +PsYzoNt/2qiqFo13HwukpTMUfta4ZrzECe9EVvdeVmF+g6MWPQHqrSGHM0czumS/ +TfO4j5Tp5QKBgF57LFLpvisrcwjUC4wEoxoJWHfoOdnWrJxMQEIpWaJyXiBRht2n +98xvEI25WI7JhkTyXIyM8NICJrAoMPDbCVwH+WIMDCIMjsZGENUEPqhY910Kw/84 +oZoFnAseN/x939J+vMcdFNNO8H9/dRnParauldNPwjAgGGibHZ82y2eBAoGAIwek +yWtZ2lx92ttiW4kssc5RLYR6iu2lRfE+DIQnWRieyJHmrVQkPC4m7X3T/GNsaDFt +l2K7JY0YY+LFHz9/notyWigDY+IOu6DEDjD/zSRwCWvP7VOHriXjG8Dja7veTbhm +w/7jBweo21lGPA6LvEvgmDQmni0PdLvOdwo4MikCgYBHbMGfVtl4ht/YA+dkSDZ8 +I2LvMVu7hLVrYh0OS9xVX0A21TDdA4j3aGZI1I1d5PRZ3oIlNQkbpN7uMlnpgqWO +2gw/s2fGJQ0ox0XGeJNDQQhN3BzKHy5sNDbVCwPkuBEG56c5Tj2VfgEFSucOp9AP +QvH1TYJFELH0XveWP/b/Eg== +-----END PRIVATE KEY----- diff --git a/spec/fixtures/katello-certs-check/create_cert.sh b/spec/fixtures/katello-certs-check/create_cert.sh index 0cad8b6d..e3a0cb7d 100755 --- a/spec/fixtures/katello-certs-check/create_cert.sh 
+++ b/spec/fixtures/katello-certs-check/create_cert.sh
@@ -38,6 +38,29 @@ else
   echo "CA certificate bundle with trust rules exists. Skipping."
 fi
 
+CA_SHA1_CERT_NAME=ca-sha1
+CA_SHA1_CERT_BUNDLE=ca-sha1-bundle
+if [[ ! -f "$CERTS_DIR/$CA_SHA1_CERT_NAME.key" || ! -f "$CERTS_DIR/$CA_SHA1_CERT_NAME.crt" || ! -f "$CERTS_DIR/$CA_SHA1_CERT_BUNDLE.crt" ]]; then
+  echo "Generate CA with sha1 signing algorithm"
+  openssl genrsa -out $CERTS_DIR/$CA_SHA1_CERT_NAME.key 2048
+  openssl req -new -key $CERTS_DIR/$CA_SHA1_CERT_NAME.key -sha1 -out $CERTS_DIR/$CA_SHA1_CERT_NAME.csr -subj "/CN=Test Self-Signed CA"
+  openssl x509 -req -in $CERTS_DIR/$CA_SHA1_CERT_NAME.csr -CA $CERTS_DIR/$CA_CERT_NAME.crt -CAkey $CERTS_DIR/$CA_CERT_NAME.key -CAcreateserial -out $CERTS_DIR/$CA_SHA1_CERT_NAME.crt -days 3650 -sha1
+
+  cat $CERTS_DIR/$CA_CERT_NAME.crt $CERTS_DIR/$CA_SHA1_CERT_NAME.crt > $CERTS_DIR/$CA_SHA1_CERT_BUNDLE.crt
+else
+  echo "CA certificate exists. Skipping."
+fi
+
+CERT_NAME=foreman-sha1.example.com
+if [[ ! -f "$CERTS_DIR/$CERT_NAME.key" || ! -f "$CERTS_DIR/$CERT_NAME.crt" ]]; then
+  echo "Generate server certificate"
+  openssl genrsa -out $CERTS_DIR/$CERT_NAME.key 2048
+  openssl req -new -key $CERTS_DIR/$CERT_NAME.key -out $CERTS_DIR/$CERT_NAME.csr -subj "/CN=foreman.example.com"
+  openssl x509 -req -in $CERTS_DIR/$CERT_NAME.csr -CA $CERTS_DIR/$CA_SHA1_CERT_NAME.crt -CAkey $CERTS_DIR/$CA_SHA1_CERT_NAME.key -CAcreateserial -out $CERTS_DIR/$CERT_NAME.crt -days 3650 -sha256 -extfile extensions.txt -extensions extensions
+else
+  echo "Server certificate with sha1 CA exists. Skipping."
+fi
+
 CERT_NAME=foreman-bad-san.example.com
 if [[ ! -f "$CERTS_DIR/$CERT_NAME.key" || ! -f "$CERTS_DIR/$CERT_NAME.crt" ]]; then
   echo "Generate server certificate"
diff --git a/spec/katello_certs_check_spec.rb b/spec/katello_certs_check_spec.rb
index 80326e86..1edf0c85 100644
--- a/spec/katello_certs_check_spec.rb
+++ b/spec/katello_certs_check_spec.rb
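Review bot: The ca-sha1 certificate is built with `openssl x509 -req` and no `-extfile`, so it is issued as a v1 certificate without `basicConstraints=CA:TRUE` or `keyUsage=keyCertSign` (the committed fixture bears this out: its DER has no version or extensions fields), while the leaf generated just below does get `-extfile extensions.txt`. Its subject `/CN=Test Self-Signed CA` also appears to be the same as the root's even though it is signed by the root key, so it is neither self-signed nor distinguishable from the root by name. A verifier that enforces CA constraints (OpenSSL with `-x509_strict`, or a strict system crypto policy) would reject this chain for reasons unrelated to SHA-1, so the fixture exercises the new check less cleanly than it could; if the root fixture is generated with extensions (its block is outside this hunk), give the intermediate the same, e.g. `-extfile <(printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n')` on the `openssl x509 -req` line and a distinct CN such as `/CN=Test SHA-1 Intermediate CA`. The `echo "CA certificate exists. Skipping."` in the else branch is copied from the root block and should read `sha1 CA certificate exists` so the script output says which fixture was skipped. The if/else the hunk opens with belongs to the trust-rules bundle block that starts outside the hunk.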
@@ -123,4 +123,30 @@ def fixture(filename)
       expect(status.exitstatus).to eq 10
     end
   end
+
+  context 'with sha1 server CA certificate' do
+    let(:key) { File.join(certs_directory, 'foreman-sha1.example.com.key') }
+    let(:cert) { File.join(certs_directory, 'foreman-sha1.example.com.crt') }
+    let(:ca) { File.join(certs_directory, 'ca-sha1.crt') }
+
+    it 'fails' do
+      command_with_certs = "#{command} -b #{ca} -k #{key} -c #{cert}"
+      _stdout, stderr, status = Open3.capture3(command_with_certs)
+      expect(stderr).to include "The file '#{ca}' contains a certificate signed with sha1 and will break installation. Update the server CA certificate and its chain with one signed by sha256 or stronger."
+      expect(status.exitstatus).to eq 4
+    end
+  end
+
+  context 'with sha1 server CA certificate bundle' do
+    let(:key) { File.join(certs_directory, 'foreman-sha1.example.com.key') }
+    let(:cert) { File.join(certs_directory, 'foreman-sha1.example.com.crt') }
+    let(:ca) { File.join(certs_directory, 'ca-sha1-bundle.crt') }
+
+    it 'fails' do
+      command_with_certs = "#{command} -b #{ca} -k #{key} -c #{cert}"
+      _stdout, stderr, status = Open3.capture3(command_with_certs)
+      expect(stderr).to include "The file '#{ca}' contains a certificate signed with sha1 and will break installation. Update the server CA certificate and its chain with one signed by sha256 or stronger."
+      expect(status.exitstatus).to eq 4
+    end
+  end
 end
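Review bot: The two new contexts are identical apart from the CA file name and description — `let(:key)`, `let(:cert)`, the command assembly and both expectations are duplicated verbatim, so the expected message must be kept in sync in two places here plus a third in bin/katello-certs-check. Iterating over the two fixture names keeps a single copy of the assertions, as shown below. There is also no companion assertion that the existing SHA-256 fixtures still pass the new check, which matters because the check greps every `algorithm` line of the whole bundle; presumably the success case earlier in this file covers it, but that should be confirmed. The enclosing describe block and the `fixture` helper begin outside the hunk.
```ruby
  %w[ca-sha1.crt ca-sha1-bundle.crt].each do |ca_file|
    context "with sha1 server CA certificate (#{ca_file})" do
      let(:key) { File.join(certs_directory, 'foreman-sha1.example.com.key') }
      let(:cert) { File.join(certs_directory, 'foreman-sha1.example.com.crt') }
      let(:ca) { File.join(certs_directory, ca_file) }

      it 'fails' do
        # … unchanged: command assembly, stderr and exit-status expectations …
      end
    end
  end
```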