Add negative cert update cases to Cert Service CSITs

Issue-ID: OOM-2752 Signed-off-by: Remigiusz Janeczek <remigiusz.janeczek@nokia.com> Change-Id: Id86afdd4ec6477d263d1dfe2672eace94cf4cca8
author: Remigiusz Janeczek <remigiusz.janeczek@nokia.com> 2021-07-19 16:26:35 +0200
committer: Remigiusz Janeczek <remigiusz.janeczek@nokia.com> 2021-07-22 08:52:56 +0000
commit: cb86eb84d57e5569df874a9ca93ace9332ccae99 (patch)
tree: 5b663e6ef08f309214576fdd76f1898adba43b57
parent: 2e07e35b23e1e3f3d2373def701b110cba92295d (diff)
4 files changed, 82 insertions, 0 deletions
diff --git a/tests/oom-platform-cert-service/certservice/assets/invalid_ir_for_update.key b/tests/oom-platform-cert-service/certservice/assets/invalid_ir_for_update.key
new file mode 100644
index 00000000..63b4c918
--- /dev/null
+++ b/tests/oom-platform-cert-service/certservice/assets/invalid_ir_for_update.key
@@ -0,0 +1 @@
+LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRRERPVGZBU1QvNXNtemQKbjN3MjhNRjFBWFdQc1Z3SzE0cE9GampFV1hTd1FBZi8zTUNtU08zOXZYVjRsclJTb2RjZ0xEZFNKbUs4K0NjUgpZUGJUc05ucGtUSjRVdFdRZlpNQlFTVEMxTWJTWTJBQ2k0VlBWeWVjUGZJanMyMjEzN1JLaUhxSms1QXNQUGRiCkFVNHBuMU5FODJXclBIYUo4enVuR3ZWbG15T2k1RWgrVy9jNk1ONlJpVlhhTmVLUEhxS1JpNmlZRzVnVkVrQTcKaFpXM0dNd3JwUUpIalZhaWlwWW4rUXJJbUdmUmJBdXZVQWxNTkI1ZWR0NmMzclhzZE9Ya0dKZFNNR1U4U1gvegpvQmlaMTVCSkdzYlhxdURqRGNuVHJBMEE1OGdxOHZTdXZlZnJkbUdFYkdUT2RObDA0QUJUR1dEZ0ljMlU0TGcyCm50RmhxejFIQWdNQkFBRUNnZ0VBSFQ0LzdLek1TWUlCcnIwS0pVeXhIZTdIQm14QjVsbmRITTlWVjR3eTM0Zm4KNnRyTmZOc2wwMEdERERvKzdyWFJmTDlDMWlwcjFmU3lIWGRSNGVuMjZuYldnWkdlN2hMeFoxbXp3UCtRZk1sbwpBMW1VOFlxVG8yTGdGNXIwRHk5Z1dWM1NSVE4yZ0RudHI1TWxlelNqaTR1T0tqVlhhRmlvRWVNRzZWNXcyeUJsCnN2d1FZajhVSThobnIwaVFKemt6VXFrRG1OM1RRTytZSVBqbVd4dWxLVEMzN2g0VnltMzdYU3l5M0tmRkw2V2UKWmd1anNIK0t6Q1kzZUhXWHJaUi9mMXJSVmZJemE4ZDVTbjdWTFhjYXZKbzB6Z1pnang3L3VtMGhxVjVFODFjUwp5dmF0NXAxVnlvbE8yRG1UVXVrT3JLemdGVTBxb2h4VExTZ3Y0TE9DYVFLQmdRRDJwVkxrZlRqRWNyQTZPWFE3CmU3YUVYRDlETGZJaXJDdVR0bjdycHBPQWZqYXVYNmdzTGc1WWQ5dXBoQVlkU1VhcUNUTWdTKzZ4Y0tjc2xhWHkKaFp6U1JuQWQrT0ZKaUova2JCMTR3OUpDRWxmQzlpMEc0VzE4dTdxMnJIZ3lhZDlYUUNSODZKTUZuRldWdi81MQpnd3hBd29XMG91b1hlSEZQNjQxZXRjcDVPd0tCZ1FES29LTDRweUZsOU9iV29zSUlUQmJmakZ5SC93YVhHNVlLCm5oWGloWURHK1kyeURJSFhFcCtiWjhaaXFyTU1XbFZjd1U5N0ZQOGRGcXlHOVFTb1RaSVZWejNNMnJDdCtDdU0KWjhWait5VzIxK1QxQXNMcU5xQm96WEdiMXJGLzlyNHV1N2t1Ly96R0VmNGFqK3pFUXQxOFpaWld4NHo4VGIrUApydTgxS0gyclpRS0JnUURSOXA4QUg1RnB1bkJHd0k0djdQck01bko4VCtxbWxZWnJNcG9OSlRxLzBiSGU4MU9JCmVKU0J2MWJoa2FCYTRmd2oxNzBNSzFmQStiTjJndFpJQkhJaGx4RHVrdVhGNFdhcjMxV2ZicVBZMXlDYXVWSlAKWHl3RFdSUnpXWkxnNTd2VzNLV3pKNUd3M3dzRWRmSzZPcHI5cmhxQVVZZVIvMWdHdnZFVHhSSGQ3UUtCZ0ZRbgo0V2ZxYWhtaFhGcGFvTUczY0d5S0xFZ2phRVpNSThYbklHbkRUdGZVLzcrcUtDYitTaUhPT1B2enI0ZDY0U2N6CjltSEZONnVLSmorcTliTTgvR1kycEtrM1R0Z0NVWHZ3QVhCajk2YjRCZFNvdi9Gc25MVEtWdHdGa0JUNGtzWncKR3hwbElVUFdaelg2L3JnSW1WcTRDbmVpUzNEaWphUU1ZTGN3U1BsdEFvR0FHRWZ6Z0RBMzZ1WkJ3ZEhXM0pLQwp5Y2kxeSt5Wjg3YllKUkE0Ujd3ZE1RakRzdTNYMXdBdWxhM2xGak4yQ2ZuZUJKMHBHVytsaGhkd0pPNlBBWXFBCnZCc3VLK2ZUTjFQMlhNdkdDeGFQditMbnFOUCtUVFJlaXdjWlNPWTlybXZqS0U0aW9mRlBXOXU1cjA1L2xhd2cKVDVKTm1CVEpyOGxrd1J4UlNlRmFnNzA9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
+\ No newline at end of file
diff --git a/tests/oom-platform-cert-service/certservice/cert-service-test.robot b/tests/oom-platform-cert-service/certservice/cert-service-test.robot
index 338d8117..a0934541 100644
--- a/tests/oom-platform-cert-service/certservice/cert-service-test.robot
+++ b/tests/oom-platform-cert-service/certservice/cert-service-test.robot
@@ -71,6 +71,60 @@ Update Certificate With Certification Request When Sans Changed In RA Mode Shoul
     Send Initialization Request And Certification Request And Expect Success  ${CERT_SERVICE_ENDPOINT}${RA_CA_NAME}  ${CERT_SERVICE_UPDATE_ENDPOINT}${RA_CA_NAME}
     ...  ${VALID_IR_CSR_FOR_UPDATE}  ${VALID_IR_KEY_FOR_UPDATE}  ${VALID_CR_CSR_CHANGED_SANS}  ${VALID_CR_KEY_CHANGED_SANS}
 
+Update Certificate With Key Update Request In RA Mode Should Fail When Wrong Old Private Key Is Used
+    [Tags]      OOM-CERT-SERVICE    CERTIFICATE-UPDATE
+    [Documentation]  Send Initialization Request to ${CERT_SERVICE_ENDPOINT}${RA_CA_NAME} then for received certificate send Key Update Request to ${CERT_SERVICE_UPDATE_ENDPOINT}${RA_CA_NAME} endpoint and expect 500
+    Send Initialization Request And Key Update Request With Wrong Old Private Key And Expect Error  ${CERT_SERVICE_ENDPOINT}${RA_CA_NAME}  ${CERT_SERVICE_UPDATE_ENDPOINT}${RA_CA_NAME}
+    ...  ${VALID_IR_CSR_FOR_UPDATE}  ${VALID_IR_KEY_FOR_UPDATE}  ${VALID_KUR_CSR}  ${VALID_KUR_KEY}  ${INVALID_IR_KEY_FOR_UPDATE}
+
+Update Certificate In RA Mode Should Fail When OLD_CERT Header Is Incorrect
+    [Tags]      OOM-CERT-SERVICE    CERTIFICATE-UPDATE
+    [Documentation]  Send Update Request to ${CERT_SERVICE_UPDATE_ENDPOINT}${RA_CA_NAME} endpoint with wrong OLD_CERT header and expect 400
+    Send Update Request With Wrong Header And Expect Error   ${CERT_SERVICE_UPDATE_ENDPOINT}${RA_CA_NAME}
+    ...  ${VALID_KUR_CSR}  ${VALID_KUR_KEY}  ${INVALID_OLD_CERT_BASE64}  ${VALID_IR_KEY_FOR_UPDATE}
+
+Update Certificate In RA Mode Should Fail When OLD_CERT Header Is Missing
+    [Tags]      OOM-CERT-SERVICE    CERTIFICATE-UPDATE
+    [Documentation]  Send Update Request to ${CERT_SERVICE_UPDATE_ENDPOINT}${RA_CA_NAME} endpoint with missing OLD_CERT header and expect 400
+    Send Update Request With Missing Header And Expect Error   ${CERT_SERVICE_UPDATE_ENDPOINT}${RA_CA_NAME}
+    ...  ${VALID_KUR_CSR}  ${VALID_KUR_KEY}  ${VALID_OLD_CERT_BASE64}  ${VALID_IR_KEY_FOR_UPDATE}  OLD_CERT
+
+Update Certificate In RA Mode Should Fail When OLD_PK Header Is Incorrect
+    [Tags]      OOM-CERT-SERVICE    CERTIFICATE-UPDATE
+    [Documentation]  Send Update Request to ${CERT_SERVICE_UPDATE_ENDPOINT}${RA_CA_NAME} endpoint with wrong OLD_PK header and expect 400
+    Send Update Request With Wrong Header And Expect Error   ${CERT_SERVICE_UPDATE_ENDPOINT}${RA_CA_NAME}
+    ...  ${VALID_KUR_CSR}  ${VALID_KUR_KEY}  ${VALID_OLD_CERT_BASE64}  ${INVALID_PK_FILE}
+
+Update Certificate In RA Mode Should Fail When OLD_PK Header Is Missing
+    [Tags]      OOM-CERT-SERVICE    CERTIFICATE-UPDATE
+    [Documentation]  Send Update Request to ${CERT_SERVICE_UPDATE_ENDPOINT}${RA_CA_NAME} endpoint with missing OLD_PK header and expect 400
+    Send Update Request With Missing Header And Expect Error   ${CERT_SERVICE_UPDATE_ENDPOINT}${RA_CA_NAME}
+    ...  ${VALID_KUR_CSR}  ${VALID_KUR_KEY}  ${VALID_OLD_CERT_BASE64}  ${VALID_IR_KEY_FOR_UPDATE}  OLD_PK
+
+Update Certificate In RA Mode Should Fail When CSR Header Is Incorrect
+    [Tags]      OOM-CERT-SERVICE    CERTIFICATE-UPDATE
+    [Documentation]  Send Update Request to ${CERT_SERVICE_UPDATE_ENDPOINT}${RA_CA_NAME} endpoint with wrong CSR header and expect 400
+    Send Update Request With Wrong Header And Expect Error   ${CERT_SERVICE_UPDATE_ENDPOINT}${RA_CA_NAME}
+    ...  ${INVALID_CSR_FILE}  ${VALID_KUR_KEY}  ${VALID_OLD_CERT_BASE64}  ${VALID_IR_KEY_FOR_UPDATE}
+
+Update Certificate In RA Mode Should Fail When CSR Header Is Missing
+    [Tags]      OOM-CERT-SERVICE    CERTIFICATE-UPDATE
+    [Documentation]  Send Update Request to ${CERT_SERVICE_UPDATE_ENDPOINT}${RA_CA_NAME} endpoint with missing CSR header and expect 400
+    Send Update Request With Missing Header And Expect Error   ${CERT_SERVICE_UPDATE_ENDPOINT}${RA_CA_NAME}
+    ...  ${VALID_KUR_CSR}  ${VALID_KUR_KEY}  ${VALID_OLD_CERT_BASE64}  ${VALID_IR_KEY_FOR_UPDATE}  CSR
+
+Update Certificate In RA Mode Should Fail When PK Header Is Incorrect
+    [Tags]      OOM-CERT-SERVICE    CERTIFICATE-UPDATE
+    [Documentation]  Send Update Request to ${CERT_SERVICE_UPDATE_ENDPOINT}${RA_CA_NAME} endpoint with wrong PK header and expect 400
+    Send Update Request With Wrong Header And Expect Error   ${CERT_SERVICE_UPDATE_ENDPOINT}${RA_CA_NAME}
+    ...  ${VALID_KUR_CSR}  ${INVALID_PK_FILE}  ${VALID_OLD_CERT_BASE64}  ${VALID_IR_KEY_FOR_UPDATE}
+
+Update Certificate In RA Mode Should Fail When PK Header Is Missing
+    [Tags]      OOM-CERT-SERVICE    CERTIFICATE-UPDATE
+    [Documentation]  Send Update Request to ${CERT_SERVICE_UPDATE_ENDPOINT}${RA_CA_NAME} endpoint with missing PK header and expect 400
+    Send Update Request With Missing Header And Expect Error   ${CERT_SERVICE_UPDATE_ENDPOINT}${RA_CA_NAME}
+    ...  ${VALID_KUR_CSR}  ${VALID_KUR_KEY}  ${VALID_OLD_CERT_BASE64}  ${VALID_IR_KEY_FOR_UPDATE}  PK
+
 Cert Service Client successfully creates keystore.p12 and truststore.p12
     [Tags]      OOM-CERT-SERVICE    OOM-CERT-SERVICE-CLIENT
     [Documentation]  Run with correct env and expected exit code 0
diff --git a/tests/oom-platform-cert-service/certservice/resources/cert-service-keywords.robot b/tests/oom-platform-cert-service/certservice/resources/cert-service-keywords.robot
index 4d05af74..755cf989 100644
--- a/tests/oom-platform-cert-service/certservice/resources/cert-service-keywords.robot
+++ b/tests/oom-platform-cert-service/certservice/resources/cert-service-keywords.robot
@@ -107,6 +107,29 @@ Send Initialization Request And Certification Request And Expect Success
     ...  ${update_csr_file}  ${update_pk_file}  200
     Verify Certification Request Sent By Cert Service  ${start_time}
 
+Send Initialization Request And Key Update Request With Wrong Old Private Key And Expect Error
+    [Documentation]   Send initialization request and then key update request to passed urls and expect status code 500
+    [Arguments]   ${path}  ${update_path}   ${csr_file}  ${pk_file}  ${update_csr_file}  ${update_pk_file}  ${wrong_old_pk_file}
+    ${start_time}=  Get Current Timestamp For Docker Log
+    ${old_cert}=  Send Certificate Initialization Request And Return Certificate  ${path}  ${csr_file}  ${pk_file}
+    ${resp}=  Send Certificate Update Request And Return Response  ${update_path}  ${update_csr_file}  ${update_pk_file}  ${old_cert}  ${wrong_old_pk_file}
+    Should Be Equal As Strings 	${resp.status_code}  500
+    Verify Key Update Request Sent By Cert Service  ${start_time}
+
+Send Update Request With Wrong Header And Expect Error
+    [Documentation]   Send update request to passed url and expect wrong header response
+    [Arguments]  ${update_path}  ${update_csr_file}  ${update_pk_file}  ${old_cert_base64}  ${old_pk_file}
+    ${resp}=  Send Certificate Update Request And Return Response  ${update_path}  ${update_csr_file}  ${update_pk_file}  ${old_cert_base64}  ${old_pk_file}
+    Should Be Equal As Strings 	${resp.status_code}  400
+
+Send Update Request With Missing Header And Expect Error
+    [Documentation]   Send update request to passed url and expect wrong header response
+    [Arguments]  ${update_path}  ${update_csr_file}  ${update_pk_file}  ${old_cert_base64}  ${old_pk_file}  ${header_to_remove}
+    ${headers}=  Create Header for Certificate Update  ${update_csr_file}  ${update_pk_file}  ${old_cert_base64}  ${old_pk_file}
+    Remove From Dictionary  ${headers}  ${header_to_remove}
+    ${resp}=  Get Request  ${https_valid_cert_session}  ${update_path}  headers=${headers}
+    Should Be Equal As Strings 	${resp.status_code}  400
+
 Send Initialization Request And Update Request And Check Status Code
     [Documentation]   Send certificate update request and check status code
     [Arguments]   ${path}  ${update_path}   ${csr_file}  ${pk_file}  ${update_csr_file}  ${update_pk_file}  ${expected_status_code}
diff --git a/tests/oom-platform-cert-service/certservice/resources/cert-service-properties.robot b/tests/oom-platform-cert-service/certservice/resources/cert-service-properties.robot
index d02dc752..f5882abe 100644
--- a/tests/oom-platform-cert-service/certservice/resources/cert-service-properties.robot
+++ b/tests/oom-platform-cert-service/certservice/resources/cert-service-properties.robot
@@ -21,6 +21,7 @@ ${INVALID_CSR_FILE}                      ${ASSETS_DIR}/invalid.csr
 ${INVALID_PK_FILE}                       ${ASSETS_DIR}/invalid.csr
 ${VALID_IR_CSR_FOR_UPDATE}               ${ASSETS_DIR}/valid_ir_for_update.csr
 ${VALID_IR_KEY_FOR_UPDATE}               ${ASSETS_DIR}/valid_ir_for_update.key
+${INVALID_IR_KEY_FOR_UPDATE}             ${ASSETS_DIR}/invalid_ir_for_update.key
 ${VALID_KUR_CSR}                         ${ASSETS_DIR}/valid_kur.csr
 ${VALID_KUR_KEY}                         ${ASSETS_DIR}/valid_kur.key
 ${VALID_CR_CSR_CHANGED_SUBJECT}          ${ASSETS_DIR}/valid_cr_changed_subject.csr
@@ -29,6 +30,9 @@ ${VALID_CR_CSR_CHANGED_SANS}             ${ASSETS_DIR}/valid_cr_changed_sans.csr
 ${VALID_CR_KEY_CHANGED_SANS}             ${ASSETS_DIR}/valid_cr_changed_sans.key
 ${EXPECTED_KUR_LOG}                      Preparing Key Update Request
 ${EXPECTED_CR_LOG}                       Preparing Certification Request
+${VALID_OLD_CERT_BASE64}                 LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVpekNDQXZPZ0F3SUJBZ0lVR0VwMkdaNlk4bnpEQTlDS2w1blVSSTdDVU44d0RRWUpLb1pJaHZjTkFRRUwKQlFBd1lURWpNQ0VHQ2dtU0pvbVQ4aXhrQVFFTUUyTXRNR3BpWm5FNGNXRXhabTh3ZDJ0dGJua3hGVEFUQmdOVgpCQU1NREUxaGJtRm5aVzFsYm5SRFFURWpNQ0VHQTFVRUNnd2FSVXBDUTBFZ1EyOXVkR0ZwYm1WeUlGRjFhV05yCmMzUmhjblF3SGhjTk1qRXdOakk1TURZMU1ESTFXaGNOTWpNd05qSTVNRFkxTURJMFdqQjNNUkV3RHdZRFZRUUQKREFodmJtRndMbTl5WnpFWk1CY0dBMVVFQ3d3UVRHbHVkWGd0Um05MWJtUmhkR2x2YmpFTk1Bc0dBMVVFQ2d3RQpUMDVCVURFV01CUUdBMVVFQnd3TlUyRnVMVVp5WVc1amFYTmpiekVUTUJFR0ExVUVDQXdLUTJGc2FXWnZjbTVwCllURUxNQWtHQTFVRUJoTUNWVk13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRREIKenZieXJyRWlhb0JqOGttYTJRbUMrVkxtbXRXRld5QUpnU3JZQTRreHV5cmpRQ1c0SnlGR3ZtemJZb1VGRkxPRgpoZnExOFZqVHMwY2JUeXNYOGNGU2ZrVjJFS0dFUkJhWm5aUlFzbzZTSUpOR2EzeE1lNUZIalJFeTM0TnAwNElICmpTUTQyZUlCZ2NOaUlhZGE0amdFbklRUVlRSlNQUXRIa2ZPTUM2TyszUnBUL2VIdHZvNXVyUjE2TUZZMUs2c28KbldZaXRJNVRwRUtSb3phdjZ6cVUvb3RIZ241alJMcnlqMElaeTBpamxCZlNLVHhyRmZacjNLb01EdWRWRWZVTQp0c3FFUjNwb2MxZ0ZrcW1DUkszOEJQTmlZN3Y1S0FUUkIrZldOK1A3NW13NDNkcng5ckltcCtKdHBPVXNESzhyCklCZDhvNGFmTnZyL1dyeWdCQjhyQWdNQkFBR2pnYVF3Z2FFd0RBWURWUjBUQVFIL0JBSXdBREFmQmdOVkhTTUUKR0RBV2dCUjlNMXFVblFNMENwSFV6MzRGNXNWVVVjSUR0akFZQmdOVkhSRUVFVEFQZ2cxMFpYTjBMbTl1WVhBdQpiM0puTUNjR0ExVWRKUVFnTUI0R0NDc0dBUVVGQndNQ0JnZ3JCZ0VGQlFjREJBWUlLd1lCQlFVSEF3RXdIUVlEClZSME9CQllFRkFmcWNVNnhHaThqempsUnVLUUJ0cVJjWGkrdU1BNEdBMVVkRHdFQi93UUVBd0lGNERBTkJna3EKaGtpRzl3MEJBUXNGQUFPQ0FZRUFBZHc3N3E3c2hLdFM4bERHY0ovWThkRWpqTlNsUnRVMTRFTUM1OWttS2VmdApSaTdkMG9DUVh0ZFJDdXQzeW1pekxWcVFrbVg2U3JHc2hwV1VzTnpUZElUalE2SkIyS09haUlXSUY2ME5TbGVXCjB2TG0zNkVtWTFFcksrektlN3R2R1daaFROVnpCWHRucStBTWZKYzQxdTJ1ZWxreDBMTmN6c1g5YUNhakxIMXYKNHo0WHNVbm05cWlYcG5FbTYzMmVtdUp5ajZOdDBKV1Z1TlRKVFBSbnFWWmY2S0tSODN2OEp1VjBFZWZXZDVXVgpjRnNwTDBIM01LSlY3dWY3aGZsbG5JY1J0elhhNXBjdEJDYm9GU2hWa1JOYUFNUHBKZjBEQkxReG03ZEFXajVBCmhHMXJ3bVRtek02TnB3R0hXL0kxU0ZNbXRRaUYwUEFDejFVbjZuRFcvUmYxaUhFb0dmOFlCTFAzMzJMSlNEdWcKUktuMGNNM1FUY3lVRXpDWnhTd0tKMm5nQzllRzlDMmQzWWhCNlp4dGwrZ1VJYTNBd3dQYnFyN1lSOVFrRDJFbwpkNExxRUg5em55QmZpN2syWUN3UDZydGZTaTZDbHliWGU4ZUJjdU1FUzRUQVFmRks2RlZmNTh0R1FJeDA2STBPCjM0bmVtWndrTG9PQnpaa2VwYVF2Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+${INVALID_OLD_CERT_BASE64}               aW5jb3JyZWN0X29sZF9jZXJ0Cg==
+
 
 ${CERT_SERVICE_ADDRESS}                  https://${CERT_SERVICE_CONTAINER_NAME}:${CERT_SERVICE_PORT}
 ${VALID_ENV_FILE}                        ${ASSETS_DIR}/valid_client_docker.env
author	Remigiusz Janeczek <remigiusz.janeczek@nokia.com>	2021-07-19 16:26:35 +0200
committer	Remigiusz Janeczek <remigiusz.janeczek@nokia.com>	2021-07-22 08:52:56 +0000
commit	cb86eb84d57e5569df874a9ca93ace9332ccae99 (patch)
tree	5b663e6ef08f309214576fdd76f1898adba43b57
parent	2e07e35b23e1e3f3d2373def701b110cba92295d (diff)