rpms / ipa

Clone
Source Code
GIT

Blame SOURCES/0013-Added-test-automation-for-SHA384withRSA-CSR-support.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-DL1 c8-beta-stream-client c8-stream-DL1 c8-stream-client c8s-stream-DL1 c8s-stream-client c9 c9-beta
  1.   29766b399574bf5a29a0d275d8df8eebc944ef7c
  2.   SOURCES
  3.   0013-Added-test-automation-for-SHA384withRSA-CSR-support.patch
Blob History Raw
a99c7c 
From 0edf915efbb39fac45c784171dd715ec6b28861a Mon Sep 17 00:00:00 2001
a99c7c 
From: Sumedh Sidhaye <ssidhaye@redhat.com>
a99c7c 
Date: Fri, 14 Jan 2022 19:55:13 +0530
a99c7c 
Subject: [PATCH] Added test automation for SHA384withRSA CSR support
a99c7c
a99c7c 
Scenario 1:
a99c7c 
Setup master with --ca-signing-algorithm=SHA384withRSA
a99c7c 
Run certutil and check Signing Algorithm
a99c7c
a99c7c 
Scenario 2:
a99c7c 
Setup a master
a99c7c 
Stop services
a99c7c 
Modify default.params.signingAlg in CS.cfg
a99c7c 
Restart services
a99c7c 
Resubmit cert (Resubmitted cert should have new Algorithm)
a99c7c
a99c7c 
Pagure Link: https://pagure.io/freeipa/issue/8906
a99c7c
a99c7c 
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
a99c7c 
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
a99c7c 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
a99c7c 
Reviewed-By: Antonio Torres <antorres@redhat.com>
a99c7c 
---
a99c7c 
 .../test_integration/test_installation.py     | 63 +++++++++++++++++++
a99c7c 
 1 file changed, 63 insertions(+)
a99c7c
a99c7c 
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
a99c7c 
index 0947241ae2738419c4855e2517670c9033e634f0..f2d372c0c0356f244971a2af808db45dd6c8cb5b 100644
a99c7c 
--- a/ipatests/test_integration/test_installation.py
a99c7c 
+++ b/ipatests/test_integration/test_installation.py
a99c7c 
@@ -34,6 +34,7 @@ from ipatests.pytest_ipa.integration import tasks
a99c7c 
 from ipatests.pytest_ipa.integration.env_config import get_global_config
a99c7c 
 from ipatests.test_integration.base import IntegrationTest
a99c7c 
 from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
a99c7c 
+from ipatests.test_integration.test_cert import get_certmonger_fs_id
a99c7c 
 from ipaplatform import services
a99c7c
a99c7c
a99c7c 
@@ -1916,3 +1917,65 @@ class TestInstallWithoutNamed(IntegrationTest):
a99c7c 
         tasks.install_replica(
a99c7c 
             self.master, self.replicas[0], setup_ca=False, setup_dns=False
a99c7c 
         )
a99c7c 
+
a99c7c 
+
a99c7c 
+class TestInstallwithSHA384withRSA(IntegrationTest):
a99c7c 
+    num_replicas = 0
a99c7c 
+
a99c7c 
+    def test_install_master_withalgo_sha384withrsa(self, server_cleanup):
a99c7c 
+        tasks.install_master(
a99c7c 
+            self.master,
a99c7c 
+            extra_args=['--ca-signing-algorithm=SHA384withRSA'],
a99c7c 
+        )
a99c7c 
+
a99c7c 
+        # check Signing Algorithm post installation
a99c7c 
+        dashed_domain = self.master.domain.realm.replace(".", '-')
a99c7c 
+        cmd_args = ['certutil', '-L', '-d',
a99c7c 
+                    '/etc/dirsrv/slapd-{}/'.format(dashed_domain),
a99c7c 
+                    '-n', 'Server-Cert']
a99c7c 
+        result = self.master.run_command(cmd_args)
a99c7c 
+        assert 'SHA-384 With RSA Encryption' in result.stdout_text
a99c7c 
+
a99c7c 
+    def test_install_master_modify_existing(self, server_cleanup):
a99c7c 
+        """
a99c7c 
+        Setup a master
a99c7c 
+        Stop services
a99c7c 
+        Modify default.params.signingAlg in CS.cfg
a99c7c 
+        Restart services
a99c7c 
+        Resubmit cert (Resubmitted cert should have new Algorithm)
a99c7c 
+        """
a99c7c 
+        tasks.install_master(self.master)
a99c7c 
+        self.master.run_command(['ipactl', 'stop'])
a99c7c 
+        cs_cfg_content = self.master.get_file_contents(paths.CA_CS_CFG_PATH,
a99c7c 
+                                                       encoding='utf-8')
a99c7c 
+        new_lines = []
a99c7c 
+        replace_str = "ca.signing.defaultSigningAlgorithm=SHA384withRSA"
a99c7c 
+        ocsp_rep_str = "ca.ocsp_signing.defaultSigningAlgorithm=SHA384withRSA"
a99c7c 
+        for line in cs_cfg_content.split('\n'):
a99c7c 
+            if line.startswith('ca.signing.defaultSigningAlgorithm'):
a99c7c 
+                new_lines.append(replace_str)
a99c7c 
+            elif line.startswith('ca.ocsp_signing.defaultSigningAlgorithm'):
a99c7c 
+                new_lines.append(ocsp_rep_str)
a99c7c 
+            else:
a99c7c 
+                new_lines.append(line)
a99c7c 
+        self.master.put_file_contents(paths.CA_CS_CFG_PATH,
a99c7c 
+                                      '\n'.join(new_lines))
a99c7c 
+        self.master.run_command(['ipactl', 'start'])
a99c7c 
+
a99c7c 
+        cmd = ['getcert', 'list', '-f', paths.RA_AGENT_PEM]
a99c7c 
+        result = self.master.run_command(cmd)
a99c7c 
+        request_id = get_certmonger_fs_id(result.stdout_text)
a99c7c 
+
a99c7c 
+        # resubmit RA Agent cert
a99c7c 
+        cmd = ['getcert', 'resubmit', '-f', paths.RA_AGENT_PEM]
a99c7c 
+        self.master.run_command(cmd)
a99c7c 
+
a99c7c 
+        tasks.wait_for_certmonger_status(self.master,
a99c7c 
+                                         ('CA_WORKING', 'MONITORING'),
a99c7c 
+                                         request_id)
a99c7c 
+
a99c7c 
+        cmd_args = ['openssl', 'x509', '-in',
a99c7c 
+                    paths.RA_AGENT_PEM, '-noout', '-text']
a99c7c 
+        result = self.master.run_command(cmd_args)
a99c7c 
+        assert_str = 'Signature Algorithm: sha384WithRSAEncryption'
a99c7c 
+        assert assert_str in result.stdout_text
a99c7c 
--
a99c7c 
2.34.1
a99c7c

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation