dogtagpki · edewata · May 9, 2023 · May 8, 2023 · May 8, 2023 · ladycfu
diff --git a/.github/workflows/ca-basic-test.yml b/.github/workflows/ca-basic-test.yml
@@ -83,7 +83,9 @@ jobs:
               --csr-file ca_signing.csr \
               --cert-file ca_signing.crt
           docker exec pki openssl req -text -noout -in ca_signing.csr
-          docker exec pki openssl x509 -text -noout -in ca_signing.crt
+
+          # check CA signing cert extensions
+          docker exec pki /usr/share/pki/tests/ca/bin/test-ca-signing-cert-ext.sh
 
       - name: Check CA OCSP signing cert
         run: |

diff --git a/.github/workflows/pki-nss-exts-test.yml b/.github/workflows/pki-nss-exts-test.yml
@@ -76,7 +76,8 @@ jobs:
               --ext /usr/share/pki/server/certs/subca_signing.conf \
               --cert subca_signing.crt
 
-          docker exec pki /usr/share/pki/tests/ca/bin/test-subca-signing-cert-ext.sh
+          # check MS sub CA signing cert extensions
+          docker exec pki /usr/share/pki/tests/ca/bin/test-ms-subca-signing-cert-ext.sh
 
       - name: Create SSL server cert request
         run: |

diff --git a/.github/workflows/subca-basic-test.yml b/.github/workflows/subca-basic-test.yml
@@ -103,7 +103,9 @@ jobs:
       - name: Check CA signing cert
         run: |
           docker exec subordinate pki-server cert-export ca_signing --cert-file ca_signing.crt
-          docker exec subordinate openssl x509 -text -noout -in ca_signing.crt
+
+          # check sub CA signing cert extensions
+          docker exec subordinate /usr/share/pki/tests/ca/bin/test-subca-signing-cert-ext.sh ca_signing.crt
 
       - name: Check CA OCSP signing cert
         run: |

diff --git a/.github/workflows/subca-cmc-test.yml b/.github/workflows/subca-cmc-test.yml
@@ -157,7 +157,9 @@ jobs:
       - name: Check subordinate CA signing cert
         run: |
           docker exec subordinate pki-server cert-export ca_signing --cert-file ca_signing.crt
-          docker exec subordinate openssl x509 -text -noout -in ca_signing.crt
+
+          # check sub CA signing cert extensions
+          docker exec subordinate /usr/share/pki/tests/ca/bin/test-subca-signing-cert-ext.sh ca_signing.crt
 
       - name: Check subordinate CA OCSP signing cert
         run: |

diff --git a/.github/workflows/subca-external-test.yml b/.github/workflows/subca-external-test.yml
@@ -108,7 +108,9 @@ jobs:
           docker exec pki pki-server cert-find
 
           docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
-          docker exec pki /usr/share/pki/tests/ca/bin/test-subca-signing-cert-ext.sh ca_signing.crt
+
+          # check MS sub CA signing cert extensions
+          docker exec pki /usr/share/pki/tests/ca/bin/test-ms-subca-signing-cert-ext.sh ca_signing.crt
 
       - name: Run PKI healthcheck
         run: docker exec pki pki-healthcheck --failures-only

diff --git a/base/ca/shared/conf/caCert.profile b/base/ca/shared/conf/caCert.profile
@@ -6,7 +6,7 @@ name=All Purpose CA Profile
 description=This profile creates a CA certificate that is valid for all signing purposes.
 profileIDMapping=caCACert
 profileSetIDMapping=caCertSet
-list=2,4,5,6,7,8
+list=2,4,5,6,7
 2.default.class=com.netscape.cms.profile.def.CAValidityDefault
 2.default.name=CA Certificate Validity Default
 2.default.params.range=7305
@@ -34,11 +34,3 @@ list=2,4,5,6,7,8
 7.default.class=com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
 7.default.name=Subject Key Identifier Extension Default
 7.default.params.critical=false
-8.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
-8.default.name=AIA Extension Default
-8.default.params.authInfoAccessADEnable_0=true
-8.default.params.authInfoAccessADLocationType_0=URIName
-8.default.params.authInfoAccessADLocation_0=
-8.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
-8.default.params.authInfoAccessCritical=false
-8.default.params.authInfoAccessNumADs=1
diff --git a/tests/ca/bin/test-ca-signing-cert-ext.sh b/tests/ca/bin/test-ca-signing-cert-ext.sh
@@ -24,3 +24,7 @@ echo "X509v3 Key Usage: critical" > expected
 echo "Digital Signature, Non Repudiation, Certificate Sign, CRL Sign" >> expected
 sed -En 'N; s/^ *(X509v3 Key Usage: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
 diff actual expected
+
+# verify there is no AIA extensions
+sed -En 'N; s/^ *(Authority Information Access: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
+diff actual /dev/null
diff --git a/tests/ca/bin/test-ms-subca-signing-cert-ext.sh b/tests/ca/bin/test-ms-subca-signing-cert-ext.sh
@@ -0,0 +1,38 @@
+#!/bin/bash -e
+
+INPUT=$1
+
+if [ "$INPUT" = "" ]; then
+    INPUT=subca_signing.crt
+fi
+
+openssl x509 -text -noout -in $INPUT | tee output
+
+# verify SKI extension
+echo "X509v3 Subject Key Identifier: " > expected
+sed -En 's/^ *(X509v3 Subject Key Identifier: .*)$/\1/p' output | tee actual
+diff actual expected
+
+# verify AKI extension
+echo "X509v3 Authority Key Identifier: " > expected
+sed -En 's/^ *(X509v3 Authority Key Identifier: .*)$/\1/p' output | tee actual
+diff actual expected
+
+# verify basic constraints extension
+echo "X509v3 Basic Constraints: critical" > expected
+echo "CA:TRUE" >> expected
+sed -En 'N; s/^ *(X509v3 Basic Constraints: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
+diff actual expected
+
+# verify key usage extension
+echo "X509v3 Key Usage: critical" > expected
+echo "Digital Signature, Non Repudiation, Certificate Sign, CRL Sign" >> expected
+sed -En 'N; s/^ *(X509v3 Key Usage: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
+diff actual expected
+
+# verify MS subordinate CA extension
+echo "1.3.6.1.4.1.311.20.2: " > expected
+echo "." >> expected
+echo ".S.u.b.C.A" >> expected
+sed -En '1N;$!N;s/^ *(1.3.6.1.4.1.311.20.2: .*)\n *(.*)\n *(.*)/\1\n\2\n\3/p;D' output | tee actual
+diff actual expected
diff --git a/tests/ca/bin/test-subca-signing-cert-ext.sh b/tests/ca/bin/test-subca-signing-cert-ext.sh
@@ -30,9 +30,8 @@ echo "Digital Signature, Non Repudiation, Certificate Sign, CRL Sign" >> expecte
 sed -En 'N; s/^ *(X509v3 Key Usage: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
 diff actual expected
 
-# verify subordinate CA extension
-echo "1.3.6.1.4.1.311.20.2: " > expected
-echo "." >> expected
-echo ".S.u.b.C.A" >> expected
-sed -En '1N;$!N;s/^ *(1.3.6.1.4.1.311.20.2: .*)\n *(.*)\n *(.*)/\1\n\2\n\3/p;D' output | tee actual
+# verify there is an AIA extension pointing to root CA's OCSP responsder
+echo "Authority Information Access: " > expected
+echo "OCSP - URI:http://root.example.com:8080/ca/ocsp" >> expected
+sed -En 'N; s/^ *(Authority Information Access: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
 diff actual expected