Update root CA and sub CA tests

Some CI tests have been updated to validate the AIA
extension removal from root CA signing certs.

The test-ca-signing-cert-ext.sh has been modified to verify
that there's no AIA extensions in root CA signing cert.

The test-subca-signing-cert-ext.sh has been modified to check
for an AIA extension in sub CA signing cert pointing to the
root CA's OCSP responder.

A new test-ms-subca-signing-cert-ext.sh has been added as a
copy of the original test-subca-signing-cert-ext.sh to check
for MS sub CA extensions.

.github/workflows/ca-basic-test.yml

@@ -83,7 +83,9 @@ jobs:
               --csr-file ca_signing.csr \
               --cert-file ca_signing.crt
           docker exec pki openssl req -text -noout -in ca_signing.csr
-          docker exec pki openssl x509 -text -noout -in ca_signing.crt
+
+          # check CA signing cert extensions
+          docker exec pki /usr/share/pki/tests/ca/bin/test-ca-signing-cert-ext.sh
 
       - name: Check CA OCSP signing cert
         run: |

.github/workflows/pki-nss-exts-test.yml

@@ -76,7 +76,8 @@ jobs:
               --ext /usr/share/pki/server/certs/subca_signing.conf \
               --cert subca_signing.crt
 
-          docker exec pki /usr/share/pki/tests/ca/bin/test-subca-signing-cert-ext.sh
+          # check MS sub CA signing cert extensions
+          docker exec pki /usr/share/pki/tests/ca/bin/test-ms-subca-signing-cert-ext.sh
 
       - name: Create SSL server cert request
         run: |

.github/workflows/subca-basic-test.yml

@@ -103,7 +103,9 @@ jobs:
       - name: Check CA signing cert
         run: |
           docker exec subordinate pki-server cert-export ca_signing --cert-file ca_signing.crt
-          docker exec subordinate openssl x509 -text -noout -in ca_signing.crt
+
+          # check sub CA signing cert extensions
+          docker exec subordinate /usr/share/pki/tests/ca/bin/test-subca-signing-cert-ext.sh ca_signing.crt
 
       - name: Check CA OCSP signing cert
         run: |

.github/workflows/subca-cmc-test.yml

@@ -157,7 +157,9 @@ jobs:
       - name: Check subordinate CA signing cert
         run: |
           docker exec subordinate pki-server cert-export ca_signing --cert-file ca_signing.crt
-          docker exec subordinate openssl x509 -text -noout -in ca_signing.crt
+
+          # check sub CA signing cert extensions
+          docker exec subordinate /usr/share/pki/tests/ca/bin/test-subca-signing-cert-ext.sh ca_signing.crt
 
       - name: Check subordinate CA OCSP signing cert
         run: |

.github/workflows/subca-external-test.yml

@@ -108,7 +108,9 @@ jobs:
           docker exec pki pki-server cert-find
 
           docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
-          docker exec pki /usr/share/pki/tests/ca/bin/test-subca-signing-cert-ext.sh ca_signing.crt
+
+          # check MS sub CA signing cert extensions
+          docker exec pki /usr/share/pki/tests/ca/bin/test-ms-subca-signing-cert-ext.sh ca_signing.crt
 
       - name: Run PKI healthcheck
         run: docker exec pki pki-healthcheck --failures-only

tests/ca/bin/test-ca-signing-cert-ext.sh

@@ -24,3 +24,7 @@ echo "X509v3 Key Usage: critical" > expected
 echo "Digital Signature, Non Repudiation, Certificate Sign, CRL Sign" >> expected
 sed -En 'N; s/^ *(X509v3 Key Usage: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
 diff actual expected
+
+# verify there is no AIA extensions
+sed -En 'N; s/^ *(Authority Information Access: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
+diff actual /dev/null

tests/ca/bin/test-ms-subca-signing-cert-ext.sh

@@ -0,0 +1,38 @@
+#!/bin/bash -e
+
+INPUT=$1
+
+if [ "$INPUT" = "" ]; then
+    INPUT=subca_signing.crt
+fi
+
+openssl x509 -text -noout -in $INPUT | tee output
+
+# verify SKI extension
+echo "X509v3 Subject Key Identifier: " > expected
+sed -En 's/^ *(X509v3 Subject Key Identifier: .*)$/\1/p' output | tee actual
+diff actual expected
+
+# verify AKI extension
+echo "X509v3 Authority Key Identifier: " > expected
+sed -En 's/^ *(X509v3 Authority Key Identifier: .*)$/\1/p' output | tee actual
+diff actual expected
+
+# verify basic constraints extension
+echo "X509v3 Basic Constraints: critical" > expected
+echo "CA:TRUE" >> expected
+sed -En 'N; s/^ *(X509v3 Basic Constraints: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
+diff actual expected
+
+# verify key usage extension
+echo "X509v3 Key Usage: critical" > expected
+echo "Digital Signature, Non Repudiation, Certificate Sign, CRL Sign" >> expected
+sed -En 'N; s/^ *(X509v3 Key Usage: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
+diff actual expected
+
+# verify MS subordinate CA extension
+echo "1.3.6.1.4.1.311.20.2: " > expected
+echo "." >> expected
+echo ".S.u.b.C.A" >> expected
+sed -En '1N;$!N;s/^ *(1.3.6.1.4.1.311.20.2: .*)\n *(.*)\n *(.*)/\1\n\2\n\3/p;D' output | tee actual
+diff actual expected

tests/ca/bin/test-subca-signing-cert-ext.sh

@@ -30,9 +30,8 @@ echo "Digital Signature, Non Repudiation, Certificate Sign, CRL Sign" >> expecte
 sed -En 'N; s/^ *(X509v3 Key Usage: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
 diff actual expected
 
-# verify subordinate CA extension
-echo "1.3.6.1.4.1.311.20.2: " > expected
-echo "." >> expected
-echo ".S.u.b.C.A" >> expected
-sed -En '1N;$!N;s/^ *(1.3.6.1.4.1.311.20.2: .*)\n *(.*)\n *(.*)/\1\n\2\n\3/p;D' output | tee actual
+# verify there is an AIA extension pointing to root CA's OCSP responsder
+echo "Authority Information Access: " > expected
+echo "OCSP - URI:http://root.example.com:8080/ca/ocsp" >> expected
+sed -En 'N; s/^ *(Authority Information Access: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
 diff actual expected