From a8b6bed6633fa31263a6fd84d68c23d6b742ba5a Mon Sep 17 00:00:00 2001 From: Marco Fargetta Date: Fri, 11 Oct 2024 18:04:03 +0200 Subject: [PATCH] Add test for newLegacy id generator The test converts from the legacy generator to newLegacy and verifies that no gaps are present when new ranges are created --- .github/workflows/ca-sequential-test.yml | 589 +++++++++++++++++++++++ 1 file changed, 589 insertions(+) diff --git a/.github/workflows/ca-sequential-test.yml b/.github/workflows/ca-sequential-test.yml index 33e51ebece2..f572b311d55 100644 --- a/.github/workflows/ca-sequential-test.yml +++ b/.github/workflows/ca-sequential-test.yml 
@@ -1836,6 +1836,595 @@ jobs: diff expected actual + #################################################################################################### + # Switch cert request ID generator to newLegacy and verify if serials + # have gaps when range is updated + # + # It should work like the legacy but with correct range. + - name: Switch to newLegacy + run: | + # Update CS.cfg + docker exec ds ldapsearch \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -b ou=certificateRepository,ou=ranges,dc=ca,dc=pki,dc=example,dc=com \ + -s one \ + -o ldif_wrap=no \ + -LLL beginRange | tee output + + # Since there is a range the value are retrieved from the range. In general, id range is not + # present the value from CS.cfg are used. + BEGIN_SERIAL=0x$(cat output | sed -n 's/beginRange: \(.*\)/\1/p' | sort -n | tail -1) + END_SERIAL=$(printf "0x%x\n" $(( BEGIN_SERIAL + 0x10 -1 )) ) + + docker exec pki pki-server ca-config-set dbs.beginSerialNumber $BEGIN_SERIAL + docker exec pki pki-server ca-config-set dbs.endSerialNumber $END_SERIAL + + docker exec pki pki-server ca-config-set dbs.serialIncrement 0x10 + docker exec pki pki-server ca-config-set dbs.serialLowWaterMark 0x8 + docker exec pki pki-server ca-config-set dbs.serialCloneTransferNumber 0x8 + docker exec pki pki-server ca-config-set dbs.request.id.generator newLegacy + + docker exec pki pki-server ca-config-set dbs.cert.id.generator newLegacy + + # Update new_range in DS + NEW_NEXT=$((END_SERIAL + 1)) + docker exec -i ds ldapmodify \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 << EOF + dn: ou=certificateRepository,ou=ca,dc=ca,dc=pki,dc=example,dc=com + changeType: modify + replace: nextRange + nextRange: $NEW_NEXT + EOF + + # restart CA subsystem + docker exec pki pki-server restart --wait + + + - name: Check request range config + run: | + docker exec pki pki-server ca-config-find \ + | grep \ + -e dbs.beginRequestNumber \ + -e 
dbs.endRequestNumber \ + -e dbs.requestCloneTransferNumber \ + -e dbs.requestIncrement \ + -e dbs.requestLowWaterMark \ + | tee actual + + # request range should be the same + cat > expected << EOF + dbs.beginRequestNumber=31 + dbs.endRequestNumber=40 + dbs.requestCloneTransferNumber=5 + dbs.requestIncrement=10 + dbs.requestLowWaterMark=5 + EOF + + diff expected actual + + - name: Check cert range config + run: | + docker exec pki pki-server ca-config-find \ + | grep \ + -e dbs.beginSerialNumber \ + -e dbs.endSerialNumber \ + -e dbs.serialCloneTransferNumber \ + -e dbs.serialIncrement \ + -e dbs.serialLowWaterMark \ + | tee actual + + # cert range should be the same + cat > expected << EOF + dbs.beginSerialNumber=0x27 + dbs.endSerialNumber=0x36 + dbs.serialCloneTransferNumber=0x8 + dbs.serialIncrement=0x10 + dbs.serialLowWaterMark=0x8 + EOF + + diff expected actual + + - name: Check request repository + run: | + docker exec ds ldapsearch \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -b ou=ca,ou=requests,dc=ca,dc=pki,dc=example,dc=com \ + -s base \ + -o ldif_wrap=no \ + -LLL | tee output + + grep \ + -e serialno: \ + -e nextRange: \ + output \ + | sort > actual + + # request nextRange should be incremented by 10 decimal to 41 decimal + cat > expected << EOF + nextRange: 51 + serialno: 010 + EOF + + diff expected actual + + - name: Check cert repository + run: | + docker exec ds ldapsearch \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -b ou=certificateRepository,ou=ca,dc=ca,dc=pki,dc=example,dc=com \ + -s base \ + -o ldif_wrap=no \ + -LLL | tee output + + grep \ + -e serialno: \ + -e nextRange: \ + output \ + | sort > actual + + # cert nextRange should be incremented by 10 hex (16 decimal) to 43 decimal + cat > expected << EOF + nextRange: 55 + serialno: 011 + EOF + + diff expected actual + + - name: Check request range objects + run: | + docker exec ds ldapsearch \ + -H 
ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -b ou=requests,ou=ranges,dc=ca,dc=pki,dc=example,dc=com \ + -s one \ + -o ldif_wrap=no \ + -LLL | tee output + + rm -f actual + + for DN in $(sed -n 's/^dn: *\(.*\)$/\1/p' output) + do + docker exec ds ldapsearch \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -b $DN \ + -s base \ + -o ldif_wrap=no \ + -LLL \ + | grep \ + -e SecurePort: \ + -e beginRange: \ + -e endRange: \ + -e host: \ + | sort >> actual + + echo >> actual + done + + # new request range should be 31 - 40 decimal (total: 10) + cat > expected << EOF + SecurePort: 8443 + beginRange: 11 + endRange: 20 + host: pki.example.com + + SecurePort: 8443 + beginRange: 21 + endRange: 30 + host: pki.example.com + + SecurePort: 8443 + beginRange: 31 + endRange: 40 + host: pki.example.com + + SecurePort: 8443 + beginRange: 41 + endRange: 50 + host: pki.example.com + + EOF + + diff expected actual + + - name: Check cert range objects + run: | + docker exec ds ldapsearch \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -b ou=certificateRepository,ou=ranges,dc=ca,dc=pki,dc=example,dc=com \ + -s one \ + -o ldif_wrap=no \ + -LLL | tee output + + rm -f actual + + for DN in $(sed -n 's/^dn: *\(.*\)$/\1/p' output) + do + docker exec ds ldapsearch \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -b $DN \ + -s base \ + -o ldif_wrap=no \ + -LLL \ + | grep \ + -e SecurePort: \ + -e beginRange: \ + -e endRange: \ + -e host: \ + | sort >> actual + + echo >> actual + done + + # new cert range should be 27 - 42 decimal (total: 16) + cat > expected << EOF + SecurePort: 8443 + beginRange: 11 + endRange: 26 + host: pki.example.com + + SecurePort: 8443 + beginRange: 27 + endRange: 42 + host: pki.example.com + + EOF + + diff expected actual + + #################################################################################################### + # 
Enroll additional certs updating the range + # + + - name: Enroll additional certs + run: | + # Enroll until request range exhausted + for i in $(seq 1 9); do + docker exec pki pki \ + -n caadmin \ + ca-cert-issue \ + --profile caUserCert \ + --csr-file testuser.csr \ + --output-file testuser.crt + + docker exec pki openssl x509 -in testuser.crt -serial -noout + done + docker exec pki pki -n caadmin ca-job-start serialNumberUpdate + # Enroll until request range exhausted + for i in $(seq 1 10); do + docker exec pki pki \ + -n caadmin \ + ca-cert-issue \ + --profile caUserCert \ + --csr-file testuser.csr \ + --output-file testuser.crt + + docker exec pki openssl x509 -in testuser.crt -serial -noout + done + docker exec pki pki -n caadmin ca-job-start serialNumberUpdate + # Enroll until request range exhausted + for i in $(seq 1 10); do + docker exec pki pki \ + -n caadmin \ + ca-cert-issue \ + --profile caUserCert \ + --csr-file testuser.csr \ + --output-file testuser.crt + + docker exec pki openssl x509 -in testuser.crt -serial -noout + done + docker exec pki pki -n caadmin ca-job-start serialNumberUpdate + # Enroll until request range exhausted + for i in $(seq 1 10); do + docker exec pki pki \ + -n caadmin \ + ca-cert-issue \ + --profile caUserCert \ + --csr-file testuser.csr \ + --output-file testuser.crt + + docker exec pki openssl x509 -in testuser.crt -serial -noout + done + docker exec pki pki -n caadmin ca-job-start serialNumberUpdate + # Enroll until request range exhausted + for i in $(seq 1 10); do + docker exec pki pki \ + -n caadmin \ + ca-cert-issue \ + --profile caUserCert \ + --csr-file testuser.csr \ + --output-file testuser.crt + + docker exec pki openssl x509 -in testuser.crt -serial -noout + done + docker exec pki pki -n caadmin ca-job-start serialNumberUpdate + + - name: Check request range config + run: | + docker exec pki pki-server ca-config-find \ + | grep \ + -e dbs.beginRequestNumber \ + -e dbs.endRequestNumber \ + -e 
dbs.requestCloneTransferNumber \ + -e dbs.requestIncrement \ + -e dbs.requestLowWaterMark \ + | tee actual + + # request range should be the same + cat > expected << EOF + dbs.beginRequestNumber=81 + dbs.endRequestNumber=90 + dbs.requestCloneTransferNumber=5 + dbs.requestIncrement=10 + dbs.requestLowWaterMark=5 + EOF + + diff expected actual + + - name: Check cert range config + run: | + docker exec pki pki-server ca-config-find \ + | grep \ + -e dbs.beginSerialNumber \ + -e dbs.endSerialNumber \ + -e dbs.serialCloneTransferNumber \ + -e dbs.serialIncrement \ + -e dbs.serialLowWaterMark \ + | tee actual + + # cert range should be the same + cat > expected << EOF + dbs.beginSerialNumber=0x57 + dbs.endSerialNumber=0x66 + dbs.serialCloneTransferNumber=0x8 + dbs.serialIncrement=0x10 + dbs.serialLowWaterMark=0x8 + EOF + + diff expected actual + + - name: Check request repository + run: | + docker exec ds ldapsearch \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -b ou=ca,ou=requests,dc=ca,dc=pki,dc=example,dc=com \ + -s base \ + -o ldif_wrap=no \ + -LLL | tee output + + grep \ + -e serialno: \ + -e nextRange: \ + output \ + | sort > actual + + # request nextRange should be incremented by 10 decimal to 41 decimal + cat > expected << EOF + nextRange: 101 + serialno: 010 + EOF + + diff expected actual + + - name: Check cert repository + run: | + docker exec ds ldapsearch \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -b ou=certificateRepository,ou=ca,dc=ca,dc=pki,dc=example,dc=com \ + -s base \ + -o ldif_wrap=no \ + -LLL | tee output + + grep \ + -e serialno: \ + -e nextRange: \ + output \ + | sort > actual + + # cert nextRange should be incremented by 10 hex (16 decimal) to 43 decimal + cat > expected << EOF + nextRange: 103 + serialno: 011 + EOF + + diff expected actual + + - name: Check request range objects + run: | + docker exec ds ldapsearch \ + -H ldap://ds.example.com:3389 \ + -D 
"cn=Directory Manager" \ + -w Secret.123 \ + -b ou=requests,ou=ranges,dc=ca,dc=pki,dc=example,dc=com \ + -s one \ + -o ldif_wrap=no \ + -LLL | tee output + + rm -f actual + + for DN in $(sed -n 's/^dn: *\(.*\)$/\1/p' output) + do + docker exec ds ldapsearch \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -b $DN \ + -s base \ + -o ldif_wrap=no \ + -LLL \ + | grep \ + -e SecurePort: \ + -e beginRange: \ + -e endRange: \ + -e host: \ + | sort >> actual + + echo >> actual + done + + # new request range should be 31 - 40 decimal (total: 10) + cat > expected << EOF + SecurePort: 8443 + beginRange: 11 + endRange: 20 + host: pki.example.com + + SecurePort: 8443 + beginRange: 21 + endRange: 30 + host: pki.example.com + + SecurePort: 8443 + beginRange: 31 + endRange: 40 + host: pki.example.com + + SecurePort: 8443 + beginRange: 41 + endRange: 50 + host: pki.example.com + + SecurePort: 8443 + beginRange: 51 + endRange: 60 + host: pki.example.com + + SecurePort: 8443 + beginRange: 61 + endRange: 70 + host: pki.example.com + + SecurePort: 8443 + beginRange: 71 + endRange: 80 + host: pki.example.com + + SecurePort: 8443 + beginRange: 81 + endRange: 90 + host: pki.example.com + + SecurePort: 8443 + beginRange: 91 + endRange: 100 + host: pki.example.com + + EOF + + diff expected actual + + - name: Check cert range objects + run: | + docker exec ds ldapsearch \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -b ou=certificateRepository,ou=ranges,dc=ca,dc=pki,dc=example,dc=com \ + -s one \ + -o ldif_wrap=no \ + -LLL | tee output + + rm -f actual + + for DN in $(sed -n 's/^dn: *\(.*\)$/\1/p' output) + do + docker exec ds ldapsearch \ + -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" \ + -w Secret.123 \ + -b $DN \ + -s base \ + -o ldif_wrap=no \ + -LLL \ + | grep \ + -e SecurePort: \ + -e beginRange: \ + -e endRange: \ + -e host: \ + | sort >> actual + + echo >> actual + done + + # new cert range 
should be 27 - 42 decimal (total: 16) + cat > expected << EOF + SecurePort: 8443 + beginRange: 11 + endRange: 26 + host: pki.example.com + + SecurePort: 8443 + beginRange: 27 + endRange: 42 + host: pki.example.com + + SecurePort: 8443 + beginRange: 55 + endRange: 70 + host: pki.example.com + + SecurePort: 8443 + beginRange: 71 + endRange: 86 + host: pki.example.com + + SecurePort: 8443 + beginRange: 87 + endRange: 102 + host: pki.example.com + + EOF + + diff expected actual + + - name: Check requests + run: | + docker exec pki pki-server ca-cert-request-find | tee output + + sed -n "s/^ *Request ID: *\(.*\)$/\1/p" output > actual + + # there should be 40 requests (30 existing + 10 new) + seq 1 89 > expected + + diff expected actual + + #################################################################################################### + # Checking certs no gap should be present after switching to newLegacy + # so the last gap is between 32 and 39 + # + - name: Check certs + run: | + docker exec pki pki-server ca-cert-find | tee output + + sed -n "s/^ *Serial Number: *\(.*\)$/\1/p" output > actual + + # there should be 39 certs (29 existing + 10 new) + # but due to a bug the serial numbers have a gap + + # seq 1 39 | while read n; do printf "0x%x\n" $n; done > expected + seq 1 32 | while read n; do printf "0x%x\n" $n; done > expected + seq 39 94 | while read n; do printf "0x%x\n" $n; done >> expected + + diff expected actual + #################################################################################################### # Enroll a cert with RSNv3 #
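Review bot: In the "Switch to newLegacy" step, `BEGIN_SERIAL=0x$(... | sort -n | tail -1)` relabels the decimal beginRange read from DS as hex, so the range object's `beginRange: 27` is written to CS.cfg as 0x27 (39 decimal); the hunk's own expectations show the mismatch (`dbs.beginSerialNumber=0x27` / `dbs.endSerialNumber=0x36` next to `beginRange: 27` / `endRange: 42`), and this looks like the origin of the 33–38 serial gap that the "Check certs" step hard-codes as "due to a bug" rather than a defect in the generator. If the gap is not the behaviour under test, convert the value instead of prefixing it, e.g. `BEGIN_SERIAL=$(printf "0x%x" "$(sed -n 's/beginRange: \(.*\)/\1/p' output | sort -n | tail -1)")`, and recompute the expected config, nextRange and range-object values that follow from it. Several copied comments no longer match the blocks they annotate ("incremented by 10 decimal to 41 decimal" above `nextRange: 101`, "there should be 40 requests (30 existing + 10 new)" above `seq 1 89`, "there should be 39 certs" above the 1–32 and 39–94 sequences); please restate the actual counts so the next reader does not have to re-derive them. The five identical "Enroll until request range exhausted" loops in "Enroll additional certs" could be one outer loop over the iteration counts, which would also make the intended number of range roll-overs explicit. The steps list this hunk extends begins before the hunk.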