Skip to content

CVE-2023-4727 Fix token authentication bypass vulnerability #5590

CVE-2023-4727 Fix token authentication bypass vulnerability

CVE-2023-4727 Fix token authentication bypass vulnerability #5590

Workflow file for this run

name: OCSP Tests
on: [push, pull_request]
jobs:
init:
name: Initialization
uses: ./.github/workflows/init.yml
secrets: inherit
build:
name: Waiting for build
needs: init
runs-on: ubuntu-latest
steps:
- name: Wait for build
uses: lewagon/wait-on-check-action@v1.2.0
with:
ref: ${{ github.ref }}
check-name: 'Building PKI'
repo-token: ${{ secrets.GITHUB_TOKEN }}
wait-interval: 30
if: github.event_name == 'push'
- name: Wait for build
uses: lewagon/wait-on-check-action@v1.2.0
with:
ref: ${{ github.event.pull_request.head.sha }}
check-name: 'Building PKI'
repo-token: ${{ secrets.GITHUB_TOKEN }}
wait-interval: 30
if: github.event_name == 'pull_request'
# docs/installation/ocsp/Installing_OCSP.md
ocsp-test:
name: Testing OCSP
needs: [init, build]
runs-on: ubuntu-latest
env:
PKIDIR: /tmp/workdir/pki
steps:
- name: Clone repository
uses: actions/checkout@v3
- name: Retrieve pki-runner image
uses: actions/cache@v3
with:
key: pki-runner-${{ github.sha }}
path: pki-runner.tar
- name: Load runner image
run: docker load --input pki-runner.tar
- name: Run container
run: |
IMAGE=pki-runner \
NAME=pki \
HOSTNAME=pki.example.com \
tests/bin/runner-init.sh
- name: Install dependencies
run: docker exec pki dnf install -y 389-ds-base
- name: Install DS
run: docker exec pki ${PKIDIR}/tests/bin/ds-create.sh
- name: Install CA
run: docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v
- name: Install OCSP
run: docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ocsp.cfg -s OCSP -v
- name: Run PKI healthcheck
run: docker exec pki pki-healthcheck --failures-only
- name: Verify OCSP admin
run: |
docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt
docker exec pki pki client-cert-import \
--pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
--pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
docker exec pki pki -n caadmin ocsp-user-show ocspadmin
- name: Gather artifacts
if: always()
run: |
tests/bin/ds-artifacts-save.sh pki
tests/bin/pki-artifacts-save.sh pki
- name: Remove OCSP
run: docker exec pki pkidestroy -i pki-tomcat -s OCSP -v
- name: Remove CA
run: docker exec pki pkidestroy -i pki-tomcat -s CA -v
- name: Remove DS
run: docker exec pki ${PKIDIR}/tests/bin/ds-remove.sh
- name: Upload artifacts
if: always()
uses: actions/upload-artifact@v3
with:
name: ocsp
path: |
/tmp/artifacts/pki
ocsp-separate-test:
name: Testing OCSP on separate instance
needs: [init, build]
runs-on: ubuntu-latest
env:
PKIDIR: /tmp/workdir/pki
steps:
- name: Clone repository
uses: actions/checkout@v3
- name: Retrieve pki-runner image
uses: actions/cache@v3
with:
key: pki-runner-${{ github.sha }}
path: pki-runner.tar
- name: Load runner image
run: docker load --input pki-runner.tar
- name: Create network
run: docker network create example
- name: Setup CA container
run: |
IMAGE=pki-runner \
NAME=ca \
HOSTNAME=ca.example.com \
tests/bin/runner-init.sh
- name: Connect CA container to network
run: docker network connect example ca --alias ca.example.com
- name: Install dependencies in CA container
run: docker exec ca dnf install -y 389-ds-base
- name: Install DS in CA container
run: docker exec ca ${PKIDIR}/tests/bin/ds-create.sh
- name: Install CA in CA container
run: docker exec ca pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v
- name: Install banner in CA container
run: docker exec ca cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat
- name: Setup OCSP container
run: |
IMAGE=pki-runner \
NAME=ocsp \
HOSTNAME=ocsp.example.com \
tests/bin/runner-init.sh
- name: Connect OCSP container to network
run: docker network connect example ocsp --alias ocsp.example.com
- name: Install dependencies in OCSP container
run: docker exec ocsp dnf install -y 389-ds-base
- name: Install DS in OCSP container
run: docker exec ocsp ${PKIDIR}/tests/bin/ds-create.sh
- name: Install OCSP in OCSP container
run: |
docker exec ca pki-server cert-export ca_signing --cert-file ${PKIDIR}/ca_signing.crt
docker exec ca cp /root/.dogtag/pki-tomcat/ca_admin.cert ${PKIDIR}/ca_admin.cert
docker exec ocsp cp ${PKIDIR}/ca_signing.crt .
docker exec ocsp cp ${PKIDIR}/ca_admin.cert .
docker exec ocsp pkispawn -f /usr/share/pki/server/examples/installation/ocsp-separate.cfg -s OCSP -v
- name: Install banner in OCSP container
run: docker exec ocsp cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat
- name: Run PKI healthcheck
run: docker exec ocsp pki-healthcheck --debug
- name: Verify OCSP admin
run: |
docker exec ca cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 ${PKIDIR}/ca_admin_cert.p12
docker exec ca cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ${PKIDIR}/pkcs12_password.conf
docker exec ocsp pki client-cert-import ca_signing --ca-cert ca_signing.crt
docker exec ocsp pki client-cert-import \
--pkcs12 ${PKIDIR}/ca_admin_cert.p12 \
--pkcs12-password-file ${PKIDIR}/pkcs12_password.conf
docker exec ocsp pki -n caadmin --ignore-banner ocsp-user-show ocspadmin
- name: Gather artifacts from CA container
if: always()
run: |
tests/bin/ds-artifacts-save.sh ca
tests/bin/pki-artifacts-save.sh ca
- name: Gather artifacts from OCSP container
if: always()
run: |
tests/bin/ds-artifacts-save.sh ocsp
tests/bin/pki-artifacts-save.sh ocsp
- name: Remove OCSP from OCSP container
run: docker exec ocsp pkidestroy -i pki-tomcat -s OCSP -v
- name: Remove DS from OCSP container
run: docker exec ocsp ${PKIDIR}/tests/bin/ds-remove.sh
- name: Disconnect OCSP container from network
run: docker network disconnect example ocsp
- name: Remove CA from CA container
run: docker exec ca pkidestroy -i pki-tomcat -s CA -v
- name: Remove DS from CA container
run: docker exec ca ${PKIDIR}/tests/bin/ds-remove.sh
- name: Disconnect CA container from network
run: docker network disconnect example ca
- name: Remove network
run: docker network rm example
- name: Upload artifacts from CA container
if: always()
uses: actions/upload-artifact@v3
with:
name: ocsp-separate-ca
path: |
/tmp/artifacts/ca
- name: Upload artifacts from OCSP container
if: always()
uses: actions/upload-artifact@v3
with:
name: ocsp-separate-ocsp
path: |
/tmp/artifacts/ocsp
# docs/installation/ocsp/Installing_OCSP_with_External_Certificates.md
ocsp-external-certs-test:
name: Testing OCSP with external certificates
needs: [init, build]
runs-on: ubuntu-latest
env:
PKIDIR: /tmp/workdir/pki
steps:
- name: Clone repository
uses: actions/checkout@v3
- name: Retrieve pki-runner image
uses: actions/cache@v3
with:
key: pki-runner-${{ github.sha }}
path: pki-runner.tar
- name: Load runner image
run: docker load --input pki-runner.tar
- name: Create network
run: docker network create example
- name: Setup CA container
run: |
IMAGE=pki-runner \
NAME=ca \
HOSTNAME=ca.example.com \
tests/bin/runner-init.sh
- name: Connect CA container to network
run: docker network connect example ca --alias ca.example.com
- name: Install dependencies in CA container
run: docker exec ca dnf install -y 389-ds-base
- name: Install DS in CA container
run: docker exec ca ${PKIDIR}/tests/bin/ds-create.sh
- name: Install CA in CA container
run: docker exec ca pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v
- name: Initialize CA admin in CA container
run: |
docker exec ca pki-server cert-export ca_signing --cert-file ${PKIDIR}/ca_signing.crt
docker exec ca pki client-cert-import ca_signing --ca-cert ${PKIDIR}/ca_signing.crt
docker exec ca pki client-cert-import \
--pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
--pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
- name: Setup OCSP container
run: |
IMAGE=pki-runner \
NAME=ocsp \
HOSTNAME=ocsp.example.com \
tests/bin/runner-init.sh
- name: Connect OCSP container to network
run: docker network connect example ocsp --alias ocsp.example.com
- name: Install dependencies in OCSP container
run: docker exec ocsp dnf install -y 389-ds-base
- name: Install DS in OCSP container
run: docker exec ocsp ${PKIDIR}/tests/bin/ds-create.sh
- name: Install OCSP in OCSP container (step 1)
run: |
docker exec ocsp cp ${PKIDIR}/ca_signing.crt .
docker exec ocsp pkispawn -f /usr/share/pki/server/examples/installation/ocsp-external-certs-step1.cfg -s OCSP -v
- name: Issue OCSP signing cert
run: |
docker exec ocsp cp ocsp_signing.csr ${PKIDIR}/ocsp_signing.csr
docker exec ca bash -c "pki ca-cert-request-submit --profile caOCSPCert --csr-file ${PKIDIR}/ocsp_signing.csr | sed -n 's/Request ID: *\(.*\)/\1/p' > ${PKIDIR}/ocsp_signing.reqid"
docker exec ca bash -c "pki -n caadmin ca-cert-request-approve `cat ocsp_signing.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > ${PKIDIR}/ocsp_signing.certid"
docker exec ca bash -c "pki ca-cert-export `cat ocsp_signing.certid` --output-file ${PKIDIR}/ocsp_signing.crt"
docker exec ocsp cp ${PKIDIR}/ocsp_signing.crt ocsp_signing.crt
- name: Issue subsystem cert
run: |
docker exec ocsp cp subsystem.csr ${PKIDIR}/subsystem.csr
docker exec ca bash -c "pki ca-cert-request-submit --profile caSubsystemCert --csr-file ${PKIDIR}/subsystem.csr | sed -n 's/Request ID: *\(.*\)/\1/p' > ${PKIDIR}/subsystem.reqid"
docker exec ca bash -c "pki -n caadmin ca-cert-request-approve `cat subsystem.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > ${PKIDIR}/subsystem.certid"
docker exec ca bash -c "pki ca-cert-export `cat subsystem.certid` --output-file ${PKIDIR}/subsystem.crt"
docker exec ocsp cp ${PKIDIR}/subsystem.crt subsystem.crt
- name: Issue SSL server cert
run: |
docker exec ocsp cp sslserver.csr ${PKIDIR}/sslserver.csr
docker exec ca bash -c "pki ca-cert-request-submit --profile caServerCert --csr-file ${PKIDIR}/sslserver.csr | sed -n 's/Request ID: *\(.*\)/\1/p' > ${PKIDIR}/sslserver.reqid"
docker exec ca bash -c "pki -n caadmin ca-cert-request-approve `cat sslserver.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > ${PKIDIR}/sslserver.certid"
docker exec ca bash -c "pki ca-cert-export `cat sslserver.certid` --output-file ${PKIDIR}/sslserver.crt"
docker exec ocsp cp ${PKIDIR}/sslserver.crt sslserver.crt
- name: Issue OCSP audit signing cert
run: |
docker exec ocsp cp ocsp_audit_signing.csr ${PKIDIR}/ocsp_audit_signing.csr
docker exec ca bash -c "pki ca-cert-request-submit --profile caAuditSigningCert --csr-file ${PKIDIR}/ocsp_audit_signing.csr | sed -n 's/Request ID: *\(.*\)/\1/p' > ${PKIDIR}/ocsp_audit_signing.reqid"
docker exec ca bash -c "pki -n caadmin ca-cert-request-approve `cat ocsp_audit_signing.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > ${PKIDIR}/ocsp_audit_signing.certid"
docker exec ca bash -c "pki ca-cert-export `cat ocsp_audit_signing.certid` --output-file ${PKIDIR}/ocsp_audit_signing.crt"
docker exec ocsp cp ${PKIDIR}/ocsp_audit_signing.crt ocsp_audit_signing.crt
- name: Issue OCSP admin cert
run: |
docker exec ocsp cp ocsp_admin.csr ${PKIDIR}/ocsp_admin.csr
docker exec ca bash -c "pki ca-cert-request-submit --profile caUserCert --csr-file ${PKIDIR}/ocsp_admin.csr --subject uid=ocspadmin | sed -n 's/Request ID: *\(.*\)/\1/p' > ${PKIDIR}/ocsp_admin.reqid"
docker exec ca bash -c "pki -n caadmin ca-cert-request-approve `cat ocsp_admin.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > ${PKIDIR}/ocsp_admin.certid"
docker exec ca bash -c "pki ca-cert-export `cat ocsp_admin.certid` --output-file ${PKIDIR}/ocsp_admin.crt"
docker exec ocsp cp ${PKIDIR}/ocsp_admin.crt ocsp_admin.crt
- name: Install OCSP in OCSP container (step 2)
run: |
docker exec ocsp pkispawn -f /usr/share/pki/server/examples/installation/ocsp-external-certs-step2.cfg -s OCSP -v
- name: Run PKI healthcheck
run: docker exec ocsp pki-healthcheck --failures-only
- name: Verify OCSP admin
run: |
docker exec ocsp pki client-cert-import ca_signing --ca-cert ca_signing.crt
docker exec ocsp pki client-cert-import \
--pkcs12 /root/.dogtag/pki-tomcat/ocsp_admin_cert.p12 \
--pkcs12-password-file /root/.dogtag/pki-tomcat/ocsp/pkcs12_password.conf
docker exec ocsp pki -n ocspadmin ocsp-user-show ocspadmin
- name: Gather artifacts from CA container
if: always()
run: |
tests/bin/ds-artifacts-save.sh ca
tests/bin/pki-artifacts-save.sh ca
- name: Gather artifacts from OCSP container
if: always()
run: |
tests/bin/ds-artifacts-save.sh ocsp
tests/bin/pki-artifacts-save.sh ocsp
- name: Remove OCSP from OCSP container
run: docker exec ocsp pkidestroy -i pki-tomcat -s OCSP -v
- name: Remove DS from OCSP container
run: docker exec ocsp ${PKIDIR}/tests/bin/ds-remove.sh
- name: Disconnect OCSP container from network
run: docker network disconnect example ocsp
- name: Remove CA from CA container
run: docker exec ca pkidestroy -i pki-tomcat -s CA -v
- name: Remove DS from CA container
run: docker exec ca ${PKIDIR}/tests/bin/ds-remove.sh
- name: Disconnect CA container from network
run: docker network disconnect example ca
- name: Remove network
run: docker network rm example
- name: Upload artifacts from CA container
if: always()
uses: actions/upload-artifact@v3
with:
name: ocsp-external-certs-ca
path: |
/tmp/artifacts/ca
- name: Upload artifacts from OCSP container
if: always()
uses: actions/upload-artifact@v3
with:
name: ocsp-external-certs-ocsp
path: |
/tmp/artifacts/ocsp
# docs/installation/ocsp/Installing_OCSP_Clone.md
ocsp-clone-test:
name: Testing OCSP clone
needs: [init, build]
runs-on: ubuntu-latest
env:
PKIDIR: /tmp/workdir/pki
steps:
- name: Clone repository
uses: actions/checkout@v3
- name: Retrieve pki-runner image
uses: actions/cache@v3
with:
key: pki-runner-${{ github.sha }}
path: pki-runner.tar
- name: Load runner image
run: docker load --input pki-runner.tar
- name: Create network
run: docker network create example
- name: Run primary container
run: |
IMAGE=pki-runner \
NAME=primary \
HOSTNAME=primary.example.com \
tests/bin/runner-init.sh
- name: Connect primary container to network
run: docker network connect example primary --alias primary.example.com
- name: Install dependencies in primary container
run: docker exec primary dnf install -y 389-ds-base
- name: Install DS in primary container
run: docker exec primary ${PKIDIR}/tests/bin/ds-create.sh
- name: Install primary CA in primary container
run: docker exec primary pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v
- name: Install primary OCSP in primary container
run: docker exec primary pkispawn -f /usr/share/pki/server/examples/installation/ocsp.cfg -s OCSP -v
- name: Setup secondary container
run: |
IMAGE=pki-runner \
NAME=secondary \
HOSTNAME=secondary.example.com \
tests/bin/runner-init.sh
- name: Connect secondary container to network
run: docker network connect example secondary --alias secondary.example.com
- name: Install dependencies in secondary container
run: docker exec secondary dnf install -y 389-ds-base
- name: Install DS in secondary container
run: docker exec secondary ${PKIDIR}/tests/bin/ds-create.sh
- name: Install CA in secondary container
run: |
docker exec primary pki-server cert-export ca_signing --cert-file ${PKIDIR}/ca_signing.crt
docker exec primary pki-server ca-clone-prepare --pkcs12-file ${PKIDIR}/ca-certs.p12 --pkcs12-password Secret.123
docker exec secondary cp ${PKIDIR}/ca_signing.crt .
docker exec secondary cp ${PKIDIR}/ca-certs.p12 .
docker exec secondary pkispawn -f /usr/share/pki/server/examples/installation/ca-clone.cfg -s CA -v
- name: Install OCSP in secondary container
run: |
docker exec primary pki-server ocsp-clone-prepare --pkcs12-file ${PKIDIR}/ocsp-certs.p12 --pkcs12-password Secret.123
docker exec secondary cp ${PKIDIR}/ocsp-certs.p12 .
docker exec secondary pkispawn -f /usr/share/pki/server/examples/installation/ocsp-clone.cfg -s OCSP -v
- name: Verify OCSP admin in secondary container
run: |
docker exec primary cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 ${PKIDIR}/ca_admin_cert.p12
docker exec primary cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ${PKIDIR}/pkcs12_password.conf
docker exec secondary pki client-cert-import ca_signing --ca-cert ca_signing.crt
docker exec secondary pki client-cert-import \
--pkcs12 ${PKIDIR}/ca_admin_cert.p12 \
--pkcs12-password-file ${PKIDIR}/pkcs12_password.conf
docker exec secondary pki -n caadmin ocsp-user-show ocspadmin
- name: Setup tertiary container
run: |
IMAGE=pki-runner \
NAME=tertiary \
HOSTNAME=tertiary.example.com \
tests/bin/runner-init.sh
- name: Connect tertiary container to network
run: docker network connect example tertiary --alias tertiary.example.com
- name: Install dependencies in tertiary container
run: docker exec tertiary dnf install -y 389-ds-base
- name: Install DS in tertiary container
run: docker exec tertiary ${PKIDIR}/tests/bin/ds-create.sh
- name: Install CA in tertiary container
run: |
docker exec secondary pki-server cert-export ca_signing --cert-file ${PKIDIR}/ca_signing.crt
docker exec secondary pki-server ca-clone-prepare --pkcs12-file ${PKIDIR}/ca-certs.p12 --pkcs12-password Secret.123
docker exec tertiary cp ${PKIDIR}/ca_signing.crt .
docker exec tertiary cp ${PKIDIR}/ca-certs.p12 .
docker exec tertiary pkispawn -f /usr/share/pki/server/examples/installation/ca-clone-of-clone.cfg -s CA -v
- name: Install OCSP in tertiary container
run: |
docker exec secondary pki-server ocsp-clone-prepare --pkcs12-file ${PKIDIR}/ocsp-certs.p12 --pkcs12-password Secret.123
docker exec tertiary cp ${PKIDIR}/ocsp-certs.p12 .
docker exec tertiary pkispawn -f /usr/share/pki/server/examples/installation/ocsp-clone-of-clone.cfg -s OCSP -v
- name: Verify OCSP admin in tertiary container
run: |
docker exec tertiary pki client-cert-import ca_signing --ca-cert ca_signing.crt
docker exec tertiary pki client-cert-import \
--pkcs12 ${PKIDIR}/ca_admin_cert.p12 \
--pkcs12-password-file ${PKIDIR}/pkcs12_password.conf
docker exec tertiary pki -n caadmin ocsp-user-show ocspadmin
- name: Gather artifacts from primary container
if: always()
run: |
tests/bin/ds-artifacts-save.sh primary
tests/bin/pki-artifacts-save.sh primary
- name: Gather artifacts from secondary container
if: always()
run: |
tests/bin/ds-artifacts-save.sh secondary
tests/bin/pki-artifacts-save.sh secondary
- name: Gather artifacts from tertiary container
if: always()
run: |
tests/bin/ds-artifacts-save.sh tertiary
tests/bin/pki-artifacts-save.sh tertiary
- name: Remove OCSP from tertiary container
run: docker exec tertiary pkidestroy -i pki-tomcat -s OCSP -v
- name: Remove CA from tertiary container
run: docker exec tertiary pkidestroy -i pki-tomcat -s CA -v
- name: Remove DS from tertiary container
run: docker exec tertiary ${PKIDIR}/tests/bin/ds-remove.sh
- name: Disconnect tertiary container from network
run: docker network disconnect example tertiary
- name: Remove OCSP from secondary container
run: docker exec secondary pkidestroy -i pki-tomcat -s OCSP -v
- name: Remove CA from secondary container
run: docker exec secondary pkidestroy -i pki-tomcat -s CA -v
- name: Remove DS from secondary container
run: docker exec secondary ${PKIDIR}/tests/bin/ds-remove.sh
- name: Disconnect secondary container from network
run: docker network disconnect example secondary
- name: Remove OCSP from primary container
run: docker exec primary pkidestroy -i pki-tomcat -s OCSP -v
- name: Remove CA from primary container
run: docker exec primary pkidestroy -i pki-tomcat -s CA -v
- name: Remove DS from primary container
run: docker exec primary ${PKIDIR}/tests/bin/ds-remove.sh
- name: Disconnect primary container from network
run: docker network disconnect example primary
- name: Remove network
run: docker network rm example
- name: Upload artifacts from primary container
if: always()
uses: actions/upload-artifact@v3
with:
name: ocsp-clone-primary
path: |
/tmp/artifacts/primary
- name: Upload artifacts from secondary container
if: always()
uses: actions/upload-artifact@v3
with:
name: ocsp-clone-secondary
path: |
/tmp/artifacts/secondary
- name: Upload artifacts from tertiary container
if: always()
uses: actions/upload-artifact@v3
with:
name: ocsp-clone-tertiary
path: |
/tmp/artifacts/tertiary
ocsp-standalone-test:
name: Testing standalone OCSP
needs: [init, build]
runs-on: ubuntu-latest
env:
PKIDIR: /tmp/workdir/pki
steps:
- name: Clone repository
uses: actions/checkout@v3
- name: Retrieve pki-runner image
uses: actions/cache@v3
with:
key: pki-runner-${{ github.sha }}
path: pki-runner.tar
- name: Load runner image
run: docker load --input pki-runner.tar
- name: Run container
run: |
IMAGE=pki-runner \
NAME=pki \
HOSTNAME=pki.example.com \
tests/bin/runner-init.sh
- name: Install dependencies
run: docker exec pki dnf install -y 389-ds-base
- name: Install DS
run: docker exec pki ${PKIDIR}/tests/bin/ds-create.sh
- name: Create CA signing cert
run: |
docker exec pki pki -d nssdb nss-cert-request \
--subject "CN=CA Signing Certificate" \
--ext /usr/share/pki/server/certs/ca_signing.conf \
--csr ca_signing.csr
docker exec pki pki -d nssdb nss-cert-issue \
--csr ca_signing.csr \
--ext /usr/share/pki/server/certs/ca_signing.conf \
--serial 1 \
--cert ca_signing.crt
docker exec pki pki -d nssdb nss-cert-import \
--cert ca_signing.crt \
--trust CT,C,C \
ca_signing
- name: Install OCSP (step 1)
run: |
docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ocsp-standalone-step1.cfg -s OCSP -v
- name: Issue OCSP signing cert
run: |
docker exec pki pki -d nssdb nss-cert-issue \
--issuer ca_signing \
--csr ocsp_signing.csr \
--ext /usr/share/pki/server/certs/ocsp_signing.conf \
--serial 2 \
--cert ocsp_signing.crt
- name: Issue subsystem cert
run: |
docker exec pki pki -d nssdb nss-cert-issue \
--issuer ca_signing \
--csr subsystem.csr \
--ext /usr/share/pki/server/certs/subsystem.conf \
--serial 3 \
--cert subsystem.crt
- name: Issue SSL server cert
run: |
docker exec pki pki -d nssdb nss-cert-issue \
--issuer ca_signing \
--csr sslserver.csr \
--ext /usr/share/pki/server/certs/sslserver.conf \
--serial 4 \
--cert sslserver.crt
- name: Issue OCSP audit signing cert
run: |
docker exec pki pki -d nssdb nss-cert-issue \
--issuer ca_signing \
--csr ocsp_audit_signing.csr \
--ext /usr/share/pki/server/certs/audit_signing.conf \
--serial 5 \
--cert ocsp_audit_signing.crt
- name: Issue OCSP admin cert
run: |
docker exec pki pki -d nssdb nss-cert-issue \
--issuer ca_signing \
--csr ocsp_admin.csr \
--ext /usr/share/pki/server/certs/admin.conf \
--serial 6 \
--cert ocsp_admin.crt
- name: Install OCSP (step 2)
run: |
docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ocsp-standalone-step2.cfg -s OCSP -v
# TODO: Fix DogtagOCSPConnectivityCheck to work without CA
# - name: Run PKI healthcheck
# run: docker exec pki pki-healthcheck --failures-only
- name: Verify admin user
run: |
docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt
docker exec pki pki client-cert-import \
--pkcs12 /root/.dogtag/pki-tomcat/ocsp_admin_cert.p12 \
--pkcs12-password-file /root/.dogtag/pki-tomcat/ocsp/pkcs12_password.conf
docker exec pki pki -n ocspadmin ocsp-user-show ocspadmin
- name: Gather artifacts
if: always()
run: |
tests/bin/ds-artifacts-save.sh pki
tests/bin/pki-artifacts-save.sh pki
- name: Remove OCSP
run: docker exec pki pkidestroy -i pki-tomcat -s OCSP -v
- name: Remove DS
run: docker exec pki ${PKIDIR}/tests/bin/ds-remove.sh
- name: Upload artifacts
if: always()
uses: actions/upload-artifact@v3
with:
name: ocsp-standalone
path: |
/tmp/artifacts/pki