From 9202baa8b0d247a16487035b944f683070e42ad0 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Mon, 8 May 2023 11:43:37 -0500
Subject: [PATCH] Update root CA and sub CA tests

Some CI tests have been updated to validate the AIA extension removal from root CA signing certs. The test-ca-signing-cert-ext.sh has been modified to verify that there's no AIA extensions in root CA signing cert. The test-subca-signing-cert-ext.sh has been modified to check for an AIA extension in sub CA signing cert pointing to the root CA's OCSP responder. A new test-ms-subca-signing-cert-ext.sh has been added as a copy of the original test-subca-signing-cert-ext.sh to check for MS sub CA extensions.
---
 .github/workflows/ca-basic-test.yml | 4 +-
 .github/workflows/pki-nss-exts-test.yml | 3 +-
 .github/workflows/subca-basic-test.yml | 4 +-
 .github/workflows/subca-cmc-test.yml | 4 +-
 .github/workflows/subca-external-test.yml | 4 +-
 tests/ca/bin/test-ca-signing-cert-ext.sh | 4 ++
 .../ca/bin/test-ms-subca-signing-cert-ext.sh | 38 +++++++++++++++++++
 tests/ca/bin/test-subca-signing-cert-ext.sh | 9 ++---
 8 files changed, 60 insertions(+), 10 deletions(-)
 create mode 100755 tests/ca/bin/test-ms-subca-signing-cert-ext.sh

diff --git a/.github/workflows/ca-basic-test.yml b/.github/workflows/ca-basic-test.yml
index f032e5aa370..8284c702bed 100644
--- a/.github/workflows/ca-basic-test.yml
+++ b/.github/workflows/ca-basic-test.yml
@@ -83,7 +83,9 @@ jobs:
 --csr-file ca_signing.csr \
 --cert-file ca_signing.crt
 docker exec pki openssl req -text -noout -in ca_signing.csr
- docker exec pki openssl x509 -text -noout -in ca_signing.crt
+
+ # check CA signing cert extensions
+ docker exec pki /usr/share/pki/tests/ca/bin/test-ca-signing-cert-ext.sh
 
 - name: Check CA OCSP signing cert
 run: |
diff --git a/.github/workflows/pki-nss-exts-test.yml b/.github/workflows/pki-nss-exts-test.yml
index 946a334d55b..ff4e95076b9 100644
--- a/.github/workflows/pki-nss-exts-test.yml
+++ b/.github/workflows/pki-nss-exts-test.yml
@@ -76,7 +76,8 @@ jobs: --ext /usr/share/pki/server/certs/subca_signing.conf \ --cert subca_signing.crt - docker exec pki /usr/share/pki/tests/ca/bin/test-subca-signing-cert-ext.sh + # check MS sub CA signing cert extensions + docker exec pki /usr/share/pki/tests/ca/bin/test-ms-subca-signing-cert-ext.sh - name: Create SSL server cert request run: |
diff --git a/.github/workflows/subca-basic-test.yml b/.github/workflows/subca-basic-test.yml
index 1a53716f64d..96cc42a4abd 100644
--- a/.github/workflows/subca-basic-test.yml
+++ b/.github/workflows/subca-basic-test.yml
@@ -103,7 +103,9 @@ jobs:
 - name: Check CA signing cert
 run: |
 docker exec subordinate pki-server cert-export ca_signing --cert-file ca_signing.crt
- docker exec subordinate openssl x509 -text -noout -in ca_signing.crt
+
+ # check sub CA signing cert extensions
+ docker exec subordinate /usr/share/pki/tests/ca/bin/test-subca-signing-cert-ext.sh ca_signing.crt
 
 - name: Check CA OCSP signing cert
 run: |
diff --git a/.github/workflows/subca-cmc-test.yml b/.github/workflows/subca-cmc-test.yml
index 818e80b8c57..8269ab2bf8f 100644
--- a/.github/workflows/subca-cmc-test.yml
+++ b/.github/workflows/subca-cmc-test.yml
@@ -157,7 +157,9 @@ jobs:
 - name: Check subordinate CA signing cert
 run: |
 docker exec subordinate pki-server cert-export ca_signing --cert-file ca_signing.crt
- docker exec subordinate openssl x509 -text -noout -in ca_signing.crt
+
+ # check sub CA signing cert extensions
+ docker exec subordinate /usr/share/pki/tests/ca/bin/test-subca-signing-cert-ext.sh ca_signing.crt
 
 - name: Check subordinate CA OCSP signing cert
 run: |
diff --git a/.github/workflows/subca-external-test.yml b/.github/workflows/subca-external-test.yml
index ca4deb82fbb..1417215a6b9 100644
--- a/.github/workflows/subca-external-test.yml
+++ b/.github/workflows/subca-external-test.yml
@@ -108,7 +108,9 @@ jobs: docker exec pki pki-server cert-find docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt - docker exec pki /usr/share/pki/tests/ca/bin/test-subca-signing-cert-ext.sh ca_signing.crt + + # check MS sub CA signing cert extensions + docker exec pki /usr/share/pki/tests/ca/bin/test-ms-subca-signing-cert-ext.sh ca_signing.crt - name: Run PKI healthcheck run: docker exec pki pki-healthcheck --failures-only
diff --git a/tests/ca/bin/test-ca-signing-cert-ext.sh b/tests/ca/bin/test-ca-signing-cert-ext.sh
index 5ccfddc39d9..bacf6bc456d 100755
--- a/tests/ca/bin/test-ca-signing-cert-ext.sh
+++ b/tests/ca/bin/test-ca-signing-cert-ext.sh
@@ -24,3 +24,7 @@ echo "X509v3 Key Usage: critical" > expected
 echo "Digital Signature, Non Repudiation, Certificate Sign, CRL Sign" >> expected
 sed -En 'N; s/^ *(X509v3 Key Usage: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
 diff actual expected
+
+# verify there is no AIA extensions
+sed -En 'N; s/^ *(Authority Information Access: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
+diff actual /dev/null
diff --git a/tests/ca/bin/test-ms-subca-signing-cert-ext.sh b/tests/ca/bin/test-ms-subca-signing-cert-ext.sh
new file mode 100755
index 00000000000..11b007f33a1
--- /dev/null
+++ b/tests/ca/bin/test-ms-subca-signing-cert-ext.sh
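Review bot: The AIA absence check added at the end of the test-ca-signing-cert-ext.sh hunk reuses the two-line `N;…;D` extraction and diffs it against /dev/null, which makes a negative check depend on line pairing: under `-n`, sed's `N` exits silently when there is no next line, so a header on the last line of `output` would be missed (in practice the signature block follows, so this is a latent rather than live gap). A plain presence test is simpler and has no such edge: `if grep -q 'Authority Information Access' output; then echo "unexpected AIA extension in root CA signing cert" >&2; exit 1; fi`. Keep the explicit `exit 1` rather than writing `! grep -q …`, because `set -e` ignores pipelines that begin with `!` and the script would continue. The comment could also read `# verify there are no AIA extensions`; the script's header with its shebang and error mode is outside the hunk, so whether it runs with `-e` cannot be confirmed here.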
@@ -0,0 +1,38 @@
+#!/bin/bash -e
+
+INPUT=$1
+
+if [ "$INPUT" = "" ]; then
+ INPUT=subca_signing.crt
+fi
+
+openssl x509 -text -noout -in $INPUT | tee output
+
+# verify SKI extension
+echo "X509v3 Subject Key Identifier: " > expected
+sed -En 's/^ *(X509v3 Subject Key Identifier: .*)$/\1/p' output | tee actual
+diff actual expected
+
+# verify AKI extension
+echo "X509v3 Authority Key Identifier: " > expected
+sed -En 's/^ *(X509v3 Authority Key Identifier: .*)$/\1/p' output | tee actual
+diff actual expected
+
+# verify basic constraints extension
+echo "X509v3 Basic Constraints: critical" > expected
+echo "CA:TRUE" >> expected
+sed -En 'N; s/^ *(X509v3 Basic Constraints: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
+diff actual expected
+
+# verify key usage extension
+echo "X509v3 Key Usage: critical" > expected
+echo "Digital Signature, Non Repudiation, Certificate Sign, CRL Sign" >> expected
+sed -En 'N; s/^ *(X509v3 Key Usage: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
+diff actual expected
+
+# verify MS subordinate CA extension
+echo "1.3.6.1.4.1.311.20.2: " > expected
+echo "." >> expected
+echo ".S.u.b.C.A" >> expected
+sed -En '1N;$!N;s/^ *(1.3.6.1.4.1.311.20.2: .*)\n *(.*)\n *(.*)/\1\n\2\n\3/p;D' output | tee actual
+diff actual expected
diff --git a/tests/ca/bin/test-subca-signing-cert-ext.sh b/tests/ca/bin/test-subca-signing-cert-ext.sh
index 77aa5534025..c2f99605b0f 100755
--- a/tests/ca/bin/test-subca-signing-cert-ext.sh
+++ b/tests/ca/bin/test-subca-signing-cert-ext.sh
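Review bot: `openssl x509 -text -noout -in $INPUT | tee output` leaves `$INPUT` unquoted, so a path containing whitespace or a glob character is split or expanded before openssl sees it; quote it, `openssl x509 -text -noout -in "$INPUT" | tee output`, and the five-line default block above it collapses to `INPUT=${1:-subca_signing.crt}`. In the MS subordinate CA check the dots of `1.3.6.1.4.1.311.20.2` are unescaped regex metacharacters, so the pattern also accepts any single character in those positions; `1\.3\.6\.1\.4\.1\.311\.20\.2` pins the literal OID. The script depends on `#!/bin/bash -e` for failure propagation, which is lost whenever someone runs it as `bash test-ms-subca-signing-cert-ext.sh`; a `set -e` line after the shebang keeps the behaviour either way, and `set -o pipefail` would also surface a failing `sed` that `tee` currently masks. Each `diff actual expected` compares only the header and the line(s) immediately after it, so extra entries inside an extension go unnoticed — acceptable for a smoke test, but worth a comment at the top of the file stating that scope.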
@@ -30,9 +30,8 @@ echo "Digital Signature, Non Repudiation, Certificate Sign, CRL Sign" >> expecte
 sed -En 'N; s/^ *(X509v3 Key Usage: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
 diff actual expected
 
-# verify subordinate CA extension
-echo "1.3.6.1.4.1.311.20.2: " > expected
-echo "." >> expected
-echo ".S.u.b.C.A" >> expected
-sed -En '1N;$!N;s/^ *(1.3.6.1.4.1.311.20.2: .*)\n *(.*)\n *(.*)/\1\n\2\n\3/p;D' output | tee actual
+# verify there is an AIA extension pointing to root CA's OCSP responsder
+echo "Authority Information Access: " > expected
+echo "OCSP - URI:http://root.example.com:8080/ca/ocsp" >> expected
+sed -En 'N; s/^ *(Authority Information Access: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
 diff actual expected
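Review bot: The new AIA check hard-codes `http://root.example.com:8080/ca/ocsp` into a script that this commit now invokes from several workflows (subca-basic and subca-cmc), so every caller must run its root CA under exactly that host and port; if the workflow setup does not guarantee that (it is not visible here), let the caller override the expected URL with this value as the default, e.g. `OCSP_URL=${2:-http://root.example.com:8080/ca/ocsp}` followed by `echo "OCSP - URI:$OCSP_URL" >> expected`. The `N;…;D` extraction captures only the line immediately after the `Authority Information Access:` header, so a certificate carrying a second AIA entry (for example a CA Issuers URI) after the OCSP line would still pass; if the intent is that the extension contains exactly this one OCSP pointer, the check needs to collect the whole indented block rather than one line. The comment has a typo and should read `# verify there is an AIA extension pointing to root CA's OCSP responder`. The script's header is outside the hunk.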