From 3bbc1c7cb0400aea0235d130d36841e64ae53727 Mon Sep 17 00:00:00 2001
From: Piotr Marcinkiewicz
Date: Thu, 19 Nov 2020 14:13:45 +0100
Subject: Update CertService tests for changed ejbca profile
- Introduce ejbca profiles with new Sans types - email, ip, uri
- Update CertService tests for changed SANs delimiter
Issue-ID: OOM-2632
Signed-off-by: Piotr Marcinkiewicz
Change-Id: Ie6791d08f0b6143fbcec9572edb10004769ffe00
---
.../certservice/docker-compose.yml | 4 +-
.../certprofile_CUSTOM_ENDUSER-1834889499.xml | 595 +++++++++++
.../certservice/resources/ejbca-configuration.sh | 24 +
.../entityprofile_Custom_EndEntity-1356531849.xml | 1107 ++++++++++++++++++++
.../certservice/scripts/ejbca-configuration.sh | 19 -
.../oom-platform-cert-service/certservice/setup.sh | 18 +-
.../certservice/teardown.sh | 2 +-
7 files changed, 1739 insertions(+), 30 deletions(-)
create mode 100644 plans/oom-platform-cert-service/certservice/resources/certprofile_CUSTOM_ENDUSER-1834889499.xml
create mode 100755 plans/oom-platform-cert-service/certservice/resources/ejbca-configuration.sh
create mode 100644 plans/oom-platform-cert-service/certservice/resources/entityprofile_Custom_EndEntity-1356531849.xml
delete mode 100755 plans/oom-platform-cert-service/certservice/scripts/ejbca-configuration.sh
(limited to 'plans')
diff --git a/plans/oom-platform-cert-service/certservice/docker-compose.yml b/plans/oom-platform-cert-service/certservice/docker-compose.yml
index b281101a..329bc1c0 100644
--- a/plans/oom-platform-cert-service/certservice/docker-compose.yml
+++ b/plans/oom-platform-cert-service/certservice/docker-compose.yml
@@ -9,7 +9,9 @@ services:
 - "80:8080"
 - "443:8443"
 volumes:
- - $SCRIPTS_PATH:/opt/primekey/scripts
+ - $RESOURCES_PATH/ejbca-configuration.sh:/opt/primekey/scripts/ejbca-configuration.sh
+ - $RESOURCES_PATH/certprofile_CUSTOM_ENDUSER-1834889499.xml:/opt/primekey/custom_profiles/certprofile_CUSTOM_ENDUSER-1834889499.xml
+ - $RESOURCES_PATH/entityprofile_Custom_EndEntity-1356531849.xml:/opt/primekey/custom_profiles/entityprofile_Custom_EndEntity-1356531849.xml
 healthcheck:
 test: ["CMD-SHELL", "curl -kI https://localhost:8443/ejbca/publicweb/healthcheck/ejbcahealth"]
 interval: 20s
diff --git a/plans/oom-platform-cert-service/certservice/resources/certprofile_CUSTOM_ENDUSER-1834889499.xml b/plans/oom-platform-cert-service/certservice/resources/certprofile_CUSTOM_ENDUSER-1834889499.xml
new file mode 100644
index 00000000..e163aed8
--- /dev/null
+++ b/plans/oom-platform-cert-service/certservice/resources/certprofile_CUSTOM_ENDUSER-1834889499.xml
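Review bot: The three new bind mounts are read-write by default, so the EJBCA container can modify the test fixtures that live under `$RESOURCES_PATH` on the host — the configuration script and the two profile exports are the test's source of truth and should not be writable from inside the container. Appending `:ro` to each of the three new volume lines, e.g. `- $RESOURCES_PATH/ejbca-configuration.sh:/opt/primekey/scripts/ejbca-configuration.sh:ro`, keeps them immutable; this presumes nothing in the image needs to write to those paths, which is worth confirming against the EJBCA image before merging.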
@@ -0,0 +1,595 @@ + + + + + version + 46.0 + + + type + 1 + + + certversion + X509v3 + + + encodedvalidity + 2y + + + usecertificatevalidityoffset + false + + + certificatevalidityoffset + -10m + + + useexpirationrestrictionforweekdays + false + + + expirationrestrictionforweekdaysbefore + true + + + expirationrestrictionweekdays + + + true + + + true + + + false + + + false + + + false + + + true + + + true + + + + + allowvalidityoverride + false + + + allowextensionoverride + false + + + allowdnoverride + false + + + allowdnoverridebyeei + false + + + allowbackdatedrevokation + false + + + usecertificatestorage + true + + + storecertificatedata + true + + + storesubjectaltname + true + + + usebasicconstrants + true + + + basicconstraintscritical + true + + + usesubjectkeyidentifier + true + + + subjectkeyidentifiercritical + false + + + useauthoritykeyidentifier + true + + + authoritykeyidentifiercritical + false + + + usesubjectalternativename + true + + + subjectalternativenamecritical + false + + + useissueralternativename + true + + + issueralternativenamecritical + false + + + usecrldistributionpoint + false + + + usedefaultcrldistributionpoint + false + + + crldistributionpointcritical + false + + + crldistributionpointuri + + + + usefreshestcrl + false + + + usecadefinedfreshestcrl + false + + + freshestcrluri + + + + crlissuer + + + + usecertificatepolicies + false + + + certificatepoliciescritical + false + + + certificatepolicies + + + + availablekeyalgorithms + + + DSA + + + ECDSA + + + RSA + + + + + availableeccurves + + + ANY_EC_CURVE + + + + + availablebitlengths + + + 0 + + + 192 + + + 224 + + + 239 + + + 256 + + + 384 + + + 512 + + + 521 + + + 1024 + + + 1536 + + + 2048 + + + 3072 + + + 4096 + + + 6144 + + + 8192 + + + + + minimumavailablebitlength + 0 + + + maximumavailablebitlength + 8192 + + + signaturealgorithm + + + + usekeyusage + true + + + keyusage + + + true + + + true + + + true + + + false + + + false + + + false + + + false + + + false 
+ + + false + + + + + allowkeyusageoverride + false + + + keyusagecritical + true + + + useextendedkeyusage + true + + + extendedkeyusage + + + 1.3.6.1.5.5.7.3.2 + + + 1.3.6.1.5.5.7.3.4 + + + 1.3.6.1.5.5.7.3.1 + + + + + extendedkeyusagecritical + false + + + usedocumenttypelist + false + + + documenttypelistcritical + false + + + documenttypelist + + + + availablecas + + + -1 + + + + + usedpublishers + + + + useocspnocheck + false + + + useldapdnorder + true + + + usecustomdnorder + false + + + usemicrosofttemplate + false + + + microsofttemplate + + + + usecardnumber + false + + + usecnpostfix + false + + + cnpostfix + + + + usesubjectdnsubset + false + + + subjectdnsubset + + + + usesubjectaltnamesubset + false + + + subjectaltnamesubset + + + + usepathlengthconstraint + false + + + pathlengthconstraint + 0 + + + useqcstatement + false + + + usepkixqcsyntaxv2 + false + + + useqcstatementcritical + false + + + useqcstatementraname + + + + useqcsematicsid + + + + useqcetsiqccompliance + false + + + useqcetsisignaturedevice + false + + + useqcetsivaluelimit + false + + + qcetsivaluelimit + 0 + + + qcetsivaluelimitexp + 0 + + + qcetsivaluelimitcurrency + + + + useqcetsiretentionperiod + false + + + qcetsiretentionperiod + 0 + + + useqccustomstring + false + + + qccustomstringoid + + + + qccustomstringtext + + + + qcetsipds + + + + qcetsitype + + + + usecertificatetransparencyincerts + false + + + usecertificatetransparencyinocsp + false + + + usecertificatetransparencyinpublisher + false + + + usesubjectdirattributes + false + + + usenameconstraints + false + + + useauthorityinformationaccess + false + + + caissuers + + + + usedefaultcaissuer + false + + + usedefaultocspservicelocator + false + + + ocspservicelocatoruri + + + + cvcaccessrights + 3 + + + usedcertificateextensions + + + + approvals + + + + org.cesecore.certificates.ca.ApprovalRequestType + REVOCATION + + -1 + + + + org.cesecore.certificates.ca.ApprovalRequestType + KEYRECOVER + + -1 + + + + 
org.cesecore.certificates.ca.ApprovalRequestType + ADDEDITENDENTITY + + -1 + + + + + useprivkeyusageperiodnotbefore + false + + + useprivkeyusageperiod + false + + + useprivkeyusageperiodnotafter + false + + + privkeyusageperiodstartoffset + 0 + + + privkeyusageperiodlength + 63072000 + + + usesingleactivecertificateconstraint + false + + + overridableextensionoids + + + + nonoverridableextensionoids + + + + allowcertsnoverride + false + + + usecustomdnorderldap + false + + + diff --git a/plans/oom-platform-cert-service/certservice/resources/ejbca-configuration.sh b/plans/oom-platform-cert-service/certservice/resources/ejbca-configuration.sh new file mode 100755 index 00000000..3eb146db --- /dev/null +++ b/plans/oom-platform-cert-service/certservice/resources/ejbca-configuration.sh 
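Review bot: The `availablebitlengths` list in the new certificate profile appears to admit sizes from 0 up to 1024 alongside `minimumavailablebitlength` set to 0 (the element tags are lost in this rendering, so the grouping is inferred from the value order), which means end entities enrolled through the `cmpRA` alias that `ejbca-configuration.sh` binds to `CUSTOM_ENDUSER` could be issued certificates for 1024-bit or smaller RSA keys. Since this profile stands in for a platform CA in the CertService integration tests, restricting the list to 2048 and above for RSA, and dropping the `DSA` entry from `availablekeyalgorithms` if no test exercises it, would make the fixture reflect the key sizes the tests are expected to accept. If the small sizes are kept on purpose so a negative test can request a weak key, recording that with a comment such as `<!-- small key sizes kept deliberately for negative tests -->` next to the list would stop a later reviewer from tightening it by accident.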
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+configureEjbca() {
+ ejbca.sh config cmp addalias --alias cmpRA
+ ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra
+ ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value mypassword
+ ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value pbe
+ ejbca.sh ca importprofiles -d /opt/primekey/custom_profiles
+ #Profile name taken from certprofile filename (certprofile_-.xml)
+ ejbca.sh config cmp updatealias --alias cmpRA --key ra.certificateprofile --value CUSTOM_ENDUSER
+ #ID taken from entityprofile filename (entityprofile_-.xml)
+ ejbca.sh config cmp updatealias --alias cmpRA --key ra.endentityprofileid --value 1356531849
+ ejbca.sh config cmp dumpalias --alias cmpRA
+ ejbca.sh config cmp addalias --alias cmp
+ ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true
+ ejbca.sh config cmp updatealias --alias cmp --key responseprotection --value pbe
+ ejbca.sh ra addendentity --username Node123 --dn "CN=Node123" --caname ManagementCA --password mypassword --type 1 --token USERGENERATED
+ ejbca.sh ra setclearpwd --username Node123 --password mypassword
+ ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN
+ ejbca.sh config cmp dumpalias --alias cmp
+ ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout > cacert.pem
+}
+
+configureEjbca
diff --git a/plans/oom-platform-cert-service/certservice/resources/entityprofile_Custom_EndEntity-1356531849.xml b/plans/oom-platform-cert-service/certservice/resources/entityprofile_Custom_EndEntity-1356531849.xml
new file mode 100644
index 00000000..ec51a80d
--- /dev/null
+++ b/plans/oom-platform-cert-service/certservice/resources/entityprofile_Custom_EndEntity-1356531849.xml
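Review bot: `configureEjbca` runs without `set -e`, so if the newly added `ejbca.sh ca importprofiles -d /opt/primekey/custom_profiles` fails (mount missing, import rejected) the script carries on and points the `cmpRA` alias at certificate profile `CUSTOM_ENDUSER` and end-entity profile id `1356531849`, neither of which then exists; the failure only surfaces later as an opaque CMP error in the CertService tests. Adding `set -euo pipefail` directly after the shebang makes the configuration step itself fail fast and makes the container's exit status meaningful. The profile name and id are also duplicated between the file names mounted in docker-compose.yml and the two `updatealias` calls here; hoisting them into named constants such as `readonly END_ENTITY_PROFILE_ID=1356531849` beside the existing comments keeps that coupling visible in one place when the exported profiles are regenerated.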
@@ -0,0 +1,1107 @@ + + + + + version + 14.0 + + + NUMBERARRAY + + + 1 + + + 1 + + + 0 + + + 0 + + + 0 + + + 1 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 1 + + + 1 + + + 1 + + + 1 + + + 0 + + + 1 + + + 3 + + + 3 + + + 3 + + + 0 + + + 3 + + + 0 + + + 0 + + + 0 + + + 0 + + + 1 + + + 0 + + + 0 + + + 1 + + + 1 + + + 1 + + + 1 + + + 1 + + + 1 + + + 0 + + + 0 + + + 1 + + + 1 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 1 + + + 1 + + + 0 + + + 1 + + + 0 + + + 1 + + + 1 + + + 1 + + + 1 + + + 1 + + + 1 + + + 1 + + + 0 + + + 0 + + + 0 + + + + + SUBJECTDNFIELDORDER + + + 500 + + + 1100 + + + 1200 + + + 1300 + + + 1400 + + + 1600 + + + + + SUBJECTALTNAMEFIELDORDER + + + 1800 + + + 1801 + + + 1802 + + + 1700 + + + 1701 + + + 1702 + + + 1900 + + + 1901 + + + 1902 + + + 2100 + + + 2101 + + + 2102 + + + + + SUBJECTDIRATTRFIELDORDER + + + + 0 + + + + 20000 + true + + + 10000 + true + + + 30000 + true + + + 1 + + + + 20001 + true + + + 10001 + true + + + 30001 + true + + + 95 + + + + 20095 + false + + + 10095 + true + + + 30095 + true + + + 96 + + + + 20096 + false + + + 10096 + true + + + 30096 + true + + + 5 + + + + 20005 + true + + + 10005 + true + + + 30005 + true + + + 26 + + + + 20026 + false + + + 10026 + true + + + 30026 + true + + + 29 + 1834889499 + + + 20029 + true + + + 10029 + true + + + 30029 + true + + + 30 + 1834889499 + + + 20030 + true + + + 10030 + true + + + 30030 + true + + + 31 + 1 + + + 20031 + true + + + 10031 + true + + + 30031 + true + + + 32 + 1;2;3;4 + + + 20032 + true + + + 10032 + true + + + 30032 + true + + + 33 + + + + 20033 + true + + + 10033 + true + + + 30033 + true + + + 34 + + + + 20034 + true + + 
+ 10034 + false + + + 30034 + true + + + 38 + 1 + + + 20038 + true + + + 10038 + true + + + 30038 + true + + + 37 + -29939301 + + + 20037 + true + + + 10037 + true + + + 30037 + true + + + 98 + + + + 20098 + false + + + 10098 + false + + + 30098 + true + + + 99 + + + + 20099 + false + + + 10099 + false + + + 30099 + true + + + 97 + + + + 20097 + false + + + 10097 + false + + + 30097 + true + + + 91 + false + + + 20091 + false + + + 10091 + false + + + 30091 + true + + + 94 + -1 + + + 20094 + true + + + 10094 + false + + + 30094 + false + + + 93 + -1 + + + 20093 + false + + + 10093 + false + + + 30093 + false + + + 89 + + + + 20089 + false + + + 10089 + false + + + 30089 + true + + + 88 + + + + 20088 + false + + + 10088 + false + + + 30088 + true + + + ALLOW_MERGEDN_WEBSERVICES + false + + + 2 + + + + 20002 + false + + + 10002 + false + + + 10090 + true + + + 90 + 0 + + + REVERSEFFIELDCHECKS + false + + + 28 + false + + + 20028 + false + + + 10028 + false + + + REUSECERTIFICATE + false + + + 35 + false + + + 20035 + false + + + 10035 + false + + + 10092 + false + + + USEEXTENSIONDATA + false + + + PRINTINGUSE + false + + + PRINTINGDEFAULT + false + + + PRINTINGREQUIRED + false + + + PRINTINGCOPIES + 1 + + + PRINTINGPRINTERNAME + + + + PRINTINGSVGDATA + + + + PRINTINGSVGFILENAME + + + + 11 + + + + 20011 + false + + + 10011 + true + + + 30011 + true + + + 12 + + + + 20012 + true + + + 10012 + true + + + 30012 + true + + + 13 + + + + 20013 + false + + + 10013 + true + + + 30013 + true + + + 14 + + + + 20014 + true + + + 10014 + true + + + 30014 + true + + + 16 + + + + 20016 + true + + + 10016 + true + + + 30016 + true + + + 18 + + + + 20018 + false + + + 10018 + true + + + 30018 + true + + + 118 + + + + 20118 + false + + + 10118 + true + + + 30118 + true + + + 218 + + + + 20218 + false + + + 10218 + true + + + 30218 + true + + + 17 + + + + 20017 + false + + + 10017 + false + + + 30017 + true + + + 117 + + + + 20117 + false + + + 10117 + false + + + 30117 + true + + + 
217 + + + + 20217 + false + + + 10217 + false + + + 30217 + true + + + 19 + + + + 20019 + false + + + 10019 + true + + + 30019 + true + + + 119 + + + + 20119 + false + + + 10119 + true + + + 30119 + true + + + 219 + + + + 20219 + false + + + 10219 + true + + + 30219 + true + + + 21 + + + + 20021 + false + + + 10021 + true + + + 30021 + true + + + 121 + + + + 20121 + false + + + 10121 + true + + + 30121 + true + + + 221 + + + + 20221 + false + + + 10221 + true + + + 30221 + true + + + diff --git a/plans/oom-platform-cert-service/certservice/scripts/ejbca-configuration.sh b/plans/oom-platform-cert-service/certservice/scripts/ejbca-configuration.sh deleted file mode 100755 index 77f5c555..00000000 --- a/plans/oom-platform-cert-service/certservice/scripts/ejbca-configuration.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/bash - -configureEjbca() { - ejbca.sh config cmp addalias --alias cmpRA - ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra - ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value mypassword - ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value pbe - ejbca.sh config cmp dumpalias --alias cmpRA - ejbca.sh config cmp addalias --alias cmp - ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true - ejbca.sh config cmp updatealias --alias cmp --key responseprotection --value pbe - ejbca.sh ra addendentity --username Node123 --dn "CN=Node123" --caname ManagementCA --password mypassword --type 1 --token USERGENERATED - ejbca.sh ra setclearpwd --username Node123 --password mypassword - ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN - ejbca.sh config cmp dumpalias --alias cmp - ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout > cacert.pem -} - -configureEjbca diff --git a/plans/oom-platform-cert-service/certservice/setup.sh b/plans/oom-platform-cert-service/certservice/setup.sh index bee54cde..0e2a4653 100644 
--- a/plans/oom-platform-cert-service/certservice/setup.sh
+++ b/plans/oom-platform-cert-service/certservice/setup.sh
@@ -22,10 +22,10 @@ SCRIPT=`realpath $0`
 CURRENT_WORKDIR_PATH=`dirname $SCRIPT`
 PROJECT_DIRECTORY="plans/oom-platform-cert-service/certservice"
-SCRIPTS_DIRECTORY="scripts"
+RESOURCES_DIRECTORY="resources"
-JENKINS_SCRIPTS_PATH="$CURRENT_WORKDIR_PATH/$PROJECT_DIRECTORY/$SCRIPTS_DIRECTORY"
-LOCAL_SCRIPTS_PATH="$CURRENT_WORKDIR_PATH/$SCRIPTS_DIRECTORY"
+JENKINS_RESOURCES_PATH="$CURRENT_WORKDIR_PATH/$PROJECT_DIRECTORY/$RESOURCES_DIRECTORY"
+LOCAL_RESOURCES_PATH="$CURRENT_WORKDIR_PATH/$RESOURCES_DIRECTORY"
 # ------------------------------------
 #Prepare enviroment for client
@@ -50,12 +50,12 @@ unset http_proxy https_proxy
 export ClientContainerName=CertServiceClient
 # ------------------------------------
-if test -d "$JENKINS_SCRIPTS_PATH"; then
- SCRIPTS_PATH=$JENKINS_SCRIPTS_PATH
-else test -f "$LOCAL_SCRIPTS_PATH";
- SCRIPTS_PATH=$LOCAL_SCRIPTS_PATH
+if test -d "$JENKINS_RESOURCES_PATH"; then
+ RESOURCES_PATH=$JENKINS_RESOURCES_PATH
+else test -f "$LOCAL_RESOURCES_PATH";
+ RESOURCES_PATH=$LOCAL_RESOURCES_PATH
 fi
-echo "Use scripts from: $SCRIPTS_PATH"
+echo "Use resources from: $RESOURCES_PATH"
 CONFIGURATION_FILE="cmpServers.json"
@@ -72,7 +72,7 @@ echo "Use configuration from: $CONFIGURATION_PATH"
 # -------------------------------------
 export CONFIGURATION_PATH=${CONFIGURATION_PATH}
-export SCRIPTS_PATH=${SCRIPTS_PATH}
+export RESOURCES_PATH=${RESOURCES_PATH}
 #Generate keystores, truststores, certificates and keys
 mkdir -p ${WORKSPACE}/tests/oom-platform-cert-service/certservice/assets/certs/
diff --git a/plans/oom-platform-cert-service/certservice/teardown.sh b/plans/oom-platform-cert-service/certservice/teardown.sh
index f531180e..46aa25a8 100644
--- a/plans/oom-platform-cert-service/certservice/teardown.sh
+++ b/plans/oom-platform-cert-service/certservice/teardown.sh
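Review bot: In the second hunk (`@@ -50,12 +50,12 @@`) the renamed line `else test -f "$LOCAL_RESOURCES_PATH";` keeps the pre-existing no-op: the `test` result is discarded and `RESOURCES_PATH=$LOCAL_RESOURCES_PATH` is assigned unconditionally, and `-f` checks for a regular file although `RESOURCES_DIRECTORY="resources"` in the first hunk shows the path is now a directory. If neither directory exists the script continues and docker-compose later binds host paths that do not exist, which Docker typically materialises as empty directories, so the EJBCA container starts without its configuration script and profiles and the tests fail far from the cause. An `elif test -d` branch plus an explicit failure when no resources directory is found makes the setup stop at the right place:
```shell
if test -d "$JENKINS_RESOURCES_PATH"; then
  RESOURCES_PATH=$JENKINS_RESOURCES_PATH
elif test -d "$LOCAL_RESOURCES_PATH"; then
  RESOURCES_PATH=$LOCAL_RESOURCES_PATH
else
  echo "No resources directory found at $JENKINS_RESOURCES_PATH or $LOCAL_RESOURCES_PATH" >&2
  exit 1
fi
```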
@@ -22,4 +22,4 @@ echo "Removed old keystores"
 rm -rf ${WORKSPACE}/tests/oom-platform-cert-service/certservice/assets/certs
 echo "Removed old certificates"
-kill-instance.sh ${ClientContainerName}
\ No newline at end of file
+kill-instance.sh ${ClientContainerName}
-- cgit 1.2.3-korg