|
 |
bb0ded |
From 0edf915efbb39fac45c784171dd715ec6b28861a Mon Sep 17 00:00:00 2001
|
|
|
bb0ded |
From: Sumedh Sidhaye <ssidhaye@redhat.com>
|
|
|
bb0ded |
Date: Fri, 14 Jan 2022 19:55:13 +0530
|
|
|
bb0ded |
Subject: [PATCH] Added test automation for SHA384withRSA CSR support
|
|
|
bb0ded |
|
|
|
bb0ded |
Scenario 1:
|
|
|
bb0ded |
Setup master with --ca-signing-algorithm=SHA384withRSA
|
|
|
bb0ded |
Run certutil and check Signing Algorithm
|
|
|
bb0ded |
|
|
|
bb0ded |
Scenario 2:
|
|
|
bb0ded |
Setup a master
|
|
|
bb0ded |
Stop services
|
|
|
bb0ded |
Modify default.params.signingAlg in CS.cfg
|
|
|
bb0ded |
Restart services
|
|
|
bb0ded |
Resubmit cert (Resubmitted cert should have new Algorithm)
|
|
|
bb0ded |
|
|
|
bb0ded |
Pagure Link: https://pagure.io/freeipa/issue/8906
|
|
|
bb0ded |
|
|
|
bb0ded |
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
|
|
|
bb0ded |
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
|
bb0ded |
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
|
bb0ded |
Reviewed-By: Antonio Torres <antorres@redhat.com>
|
|
|
bb0ded |
---
|
|
|
bb0ded |
.../test_integration/test_installation.py | 63 +++++++++++++++++++
|
|
|
bb0ded |
1 file changed, 63 insertions(+)
|
|
|
bb0ded |
|
|
|
bb0ded |
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
|
|
bb0ded |
index 0947241ae2738419c4855e2517670c9033e634f0..f2d372c0c0356f244971a2af808db45dd6c8cb5b 100644
|
|
|
bb0ded |
--- a/ipatests/test_integration/test_installation.py
|
|
|
bb0ded |
+++ b/ipatests/test_integration/test_installation.py
|
|
|
bb0ded |
@@ -34,6 +34,7 @@ from ipatests.pytest_ipa.integration import tasks
|
|
|
bb0ded |
from ipatests.pytest_ipa.integration.env_config import get_global_config
|
|
|
bb0ded |
from ipatests.test_integration.base import IntegrationTest
|
|
|
bb0ded |
from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
|
|
|
bb0ded |
+from ipatests.test_integration.test_cert import get_certmonger_fs_id
|
|
|
bb0ded |
from ipaplatform import services
|
|
|
bb0ded |
|
|
|
bb0ded |
|
|
|
bb0ded |
@@ -1916,3 +1917,65 @@ class TestInstallWithoutNamed(IntegrationTest):
|
|
|
bb0ded |
tasks.install_replica(
|
|
|
bb0ded |
self.master, self.replicas[0], setup_ca=False, setup_dns=False
|
|
|
bb0ded |
)
|
|
|
bb0ded |
+
|
|
|
bb0ded |
+
|
|
|
bb0ded |
+class TestInstallwithSHA384withRSA(IntegrationTest):
|
|
|
bb0ded |
+ num_replicas = 0
|
|
|
bb0ded |
+
|
|
|
bb0ded |
+ def test_install_master_withalgo_sha384withrsa(self, server_cleanup):
|
|
|
bb0ded |
+ tasks.install_master(
|
|
|
bb0ded |
+ self.master,
|
|
|
bb0ded |
+ extra_args=['--ca-signing-algorithm=SHA384withRSA'],
|
|
|
bb0ded |
+ )
|
|
|
bb0ded |
+
|
|
|
bb0ded |
+ # check Signing Algorithm post installation
|
|
|
bb0ded |
+ dashed_domain = self.master.domain.realm.replace(".", '-')
|
|
|
bb0ded |
+ cmd_args = ['certutil', '-L', '-d',
|
|
|
bb0ded |
+ '/etc/dirsrv/slapd-{}/'.format(dashed_domain),
|
|
|
bb0ded |
+ '-n', 'Server-Cert']
|
|
|
bb0ded |
+ result = self.master.run_command(cmd_args)
|
|
|
bb0ded |
+ assert 'SHA-384 With RSA Encryption' in result.stdout_text
|
|
|
bb0ded |
+
|
|
|
bb0ded |
+ def test_install_master_modify_existing(self, server_cleanup):
|
|
|
bb0ded |
+ """
|
|
|
bb0ded |
+ Setup a master
|
|
|
bb0ded |
+ Stop services
|
|
|
bb0ded |
+ Modify default.params.signingAlg in CS.cfg
|
|
|
bb0ded |
+ Restart services
|
|
|
bb0ded |
+ Resubmit cert (Resubmitted cert should have new Algorithm)
|
|
|
bb0ded |
+ """
|
|
|
bb0ded |
+ tasks.install_master(self.master)
|
|
|
bb0ded |
+ self.master.run_command(['ipactl', 'stop'])
|
|
|
bb0ded |
+ cs_cfg_content = self.master.get_file_contents(paths.CA_CS_CFG_PATH,
|
|
|
bb0ded |
+ encoding='utf-8')
|
|
|
bb0ded |
+ new_lines = []
|
|
|
bb0ded |
+ replace_str = "ca.signing.defaultSigningAlgorithm=SHA384withRSA"
|
|
|
bb0ded |
+ ocsp_rep_str = "ca.ocsp_signing.defaultSigningAlgorithm=SHA384withRSA"
|
|
|
bb0ded |
+ for line in cs_cfg_content.split('\n'):
|
|
|
bb0ded |
+ if line.startswith('ca.signing.defaultSigningAlgorithm'):
|
|
|
bb0ded |
+ new_lines.append(replace_str)
|
|
|
bb0ded |
+ elif line.startswith('ca.ocsp_signing.defaultSigningAlgorithm'):
|
|
|
bb0ded |
+ new_lines.append(ocsp_rep_str)
|
|
|
bb0ded |
+ else:
|
|
|
bb0ded |
+ new_lines.append(line)
|
|
|
bb0ded |
+ self.master.put_file_contents(paths.CA_CS_CFG_PATH,
|
|
|
bb0ded |
+ '\n'.join(new_lines))
|
|
|
bb0ded |
+ self.master.run_command(['ipactl', 'start'])
|
|
|
bb0ded |
+
|
|
|
bb0ded |
+ cmd = ['getcert', 'list', '-f', paths.RA_AGENT_PEM]
|
|
|
bb0ded |
+ result = self.master.run_command(cmd)
|
|
|
bb0ded |
+ request_id = get_certmonger_fs_id(result.stdout_text)
|
|
|
bb0ded |
+
|
|
|
bb0ded |
+ # resubmit RA Agent cert
|
|
|
bb0ded |
+ cmd = ['getcert', 'resubmit', '-f', paths.RA_AGENT_PEM]
|
|
|
bb0ded |
+ self.master.run_command(cmd)
|
|
|
bb0ded |
+
|
|
|
bb0ded |
+ tasks.wait_for_certmonger_status(self.master,
|
|
|
bb0ded |
+ ('CA_WORKING', 'MONITORING'),
|
|
|
bb0ded |
+ request_id)
|
|
|
bb0ded |
+
|
|
|
bb0ded |
+ cmd_args = ['openssl', 'x509', '-in',
|
|
|
bb0ded |
+ paths.RA_AGENT_PEM, '-noout', '-text']
|
|
|
bb0ded |
+ result = self.master.run_command(cmd_args)
|
|
|
bb0ded |
+ assert_str = 'Signature Algorithm: sha384WithRSAEncryption'
|
|
|
bb0ded |
+ assert assert_str in result.stdout_text
|
|
|
bb0ded |
--
|
|
|
bb0ded |
2.34.1
|
|
|
bb0ded |
|