b412308f26
- Resolves: rhbz#2040619 - Changing default pac type to 'nfs:NONE and MS-PAC' doesnot display error 'ipa: ERROR: no modifications to be performed' - Resolves: rhbz#2048510 - [rhel-9.0] Backport latest test fixes in python3-ipatests - Resolves: rhbz#2049104 - User can't log in after ipa-user-mod --user-auth-type=hardened - Resolves: rhbz#2049174 - KRA GetStatus service blocked by IPA proxy
108 lines
4.4 KiB
Diff
108 lines
4.4 KiB
Diff
From 0edf915efbb39fac45c784171dd715ec6b28861a Mon Sep 17 00:00:00 2001
|
|
From: Sumedh Sidhaye <ssidhaye@redhat.com>
|
|
Date: Fri, 14 Jan 2022 19:55:13 +0530
|
|
Subject: [PATCH] Added test automation for SHA384withRSA CSR support
|
|
|
|
Scenario 1:
|
|
Setup master with --ca-signing-algorithm=SHA384withRSA
|
|
Run certutil and check Signing Algorithm
|
|
|
|
Scenario 2:
|
|
Setup a master
|
|
Stop services
|
|
Modify default.params.signingAlg in CS.cfg
|
|
Restart services
|
|
Resubmit cert (Resubmitted cert should have new Algorithm)
|
|
|
|
Pagure Link: https://pagure.io/freeipa/issue/8906
|
|
|
|
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
|
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
Reviewed-By: Antonio Torres <antorres@redhat.com>
|
|
---
|
|
.../test_integration/test_installation.py | 63 +++++++++++++++++++
|
|
1 file changed, 63 insertions(+)
|
|
|
|
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
|
index 0947241ae2738419c4855e2517670c9033e634f0..f2d372c0c0356f244971a2af808db45dd6c8cb5b 100644
|
|
--- a/ipatests/test_integration/test_installation.py
|
|
+++ b/ipatests/test_integration/test_installation.py
|
|
@@ -34,6 +34,7 @@ from ipatests.pytest_ipa.integration import tasks
|
|
from ipatests.pytest_ipa.integration.env_config import get_global_config
|
|
from ipatests.test_integration.base import IntegrationTest
|
|
from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
|
|
+from ipatests.test_integration.test_cert import get_certmonger_fs_id
|
|
from ipaplatform import services
|
|
|
|
|
|
@@ -1916,3 +1917,65 @@ class TestInstallWithoutNamed(IntegrationTest):
|
|
tasks.install_replica(
|
|
self.master, self.replicas[0], setup_ca=False, setup_dns=False
|
|
)
|
|
+
|
|
+
|
|
+class TestInstallwithSHA384withRSA(IntegrationTest):
|
|
+ num_replicas = 0
|
|
+
|
|
+ def test_install_master_withalgo_sha384withrsa(self, server_cleanup):
|
|
+ tasks.install_master(
|
|
+ self.master,
|
|
+ extra_args=['--ca-signing-algorithm=SHA384withRSA'],
|
|
+ )
|
|
+
|
|
+ # check Signing Algorithm post installation
|
|
+ dashed_domain = self.master.domain.realm.replace(".", '-')
|
|
+ cmd_args = ['certutil', '-L', '-d',
|
|
+ '/etc/dirsrv/slapd-{}/'.format(dashed_domain),
|
|
+ '-n', 'Server-Cert']
|
|
+ result = self.master.run_command(cmd_args)
|
|
+ assert 'SHA-384 With RSA Encryption' in result.stdout_text
|
|
+
|
|
+ def test_install_master_modify_existing(self, server_cleanup):
|
|
+ """
|
|
+ Setup a master
|
|
+ Stop services
|
|
+ Modify default.params.signingAlg in CS.cfg
|
|
+ Restart services
|
|
+ Resubmit cert (Resubmitted cert should have new Algorithm)
|
|
+ """
|
|
+ tasks.install_master(self.master)
|
|
+ self.master.run_command(['ipactl', 'stop'])
|
|
+ cs_cfg_content = self.master.get_file_contents(paths.CA_CS_CFG_PATH,
|
|
+ encoding='utf-8')
|
|
+ new_lines = []
|
|
+ replace_str = "ca.signing.defaultSigningAlgorithm=SHA384withRSA"
|
|
+ ocsp_rep_str = "ca.ocsp_signing.defaultSigningAlgorithm=SHA384withRSA"
|
|
+ for line in cs_cfg_content.split('\n'):
|
|
+ if line.startswith('ca.signing.defaultSigningAlgorithm'):
|
|
+ new_lines.append(replace_str)
|
|
+ elif line.startswith('ca.ocsp_signing.defaultSigningAlgorithm'):
|
|
+ new_lines.append(ocsp_rep_str)
|
|
+ else:
|
|
+ new_lines.append(line)
|
|
+ self.master.put_file_contents(paths.CA_CS_CFG_PATH,
|
|
+ '\n'.join(new_lines))
|
|
+ self.master.run_command(['ipactl', 'start'])
|
|
+
|
|
+ cmd = ['getcert', 'list', '-f', paths.RA_AGENT_PEM]
|
|
+ result = self.master.run_command(cmd)
|
|
+ request_id = get_certmonger_fs_id(result.stdout_text)
|
|
+
|
|
+ # resubmit RA Agent cert
|
|
+ cmd = ['getcert', 'resubmit', '-f', paths.RA_AGENT_PEM]
|
|
+ self.master.run_command(cmd)
|
|
+
|
|
+ tasks.wait_for_certmonger_status(self.master,
|
|
+ ('CA_WORKING', 'MONITORING'),
|
|
+ request_id)
|
|
+
|
|
+ cmd_args = ['openssl', 'x509', '-in',
|
|
+ paths.RA_AGENT_PEM, '-noout', '-text']
|
|
+ result = self.master.run_command(cmd_args)
|
|
+ assert_str = 'Signature Algorithm: sha384WithRSAEncryption'
|
|
+ assert assert_str in result.stdout_text
|
|
--
|
|
2.34.1
|
|
|