.github/workflows/tools-tests.yml

name: Tools Tests

on: [push, pull_request]

jobs:
  init:
    name: Initializing Workflow
    runs-on: ubuntu-latest
    container: fedora:latest
    outputs:
      matrix: ${{ steps.set-matrix.outputs.matrix }}
    steps:
      - name: Set up test matrix
        id: set-matrix
        run: |
          export latest=$(cat /etc/fedora-release | awk '{ print $3 }')
          export previous=$(cat /etc/fedora-release | awk '{ print $3 - 1}')
          echo "Running CI against Fedora $previous and $latest"
          if [ "${{ secrets.MATRIX }}" == "" ]
          then
              echo "::set-output name=matrix::{\"os\":[\"$previous\", \"$latest\"]}"
          else
              echo "::set-output name=matrix::${{ secrets.MATRIX }}"
          fi

  # docs/development/Building_PKI.md
  build:
    name: Building PKI
    needs: init
    runs-on: ubuntu-latest
    container: registry.fedoraproject.org/fedora:${{ matrix.os }}
    env:
      COPR_REPO: "@pki/master"
    strategy:
      matrix: ${{ fromJSON(needs.init.outputs.matrix) }}
    steps:
      - name: Install git
        run: dnf install -y git

      - name: Clone repository
        uses: actions/checkout@v2

      - name: Install dependencies
        run: |
          dnf install -y dnf-plugins-core rpm-build
          dnf copr enable -y $COPR_REPO
          dnf builddep -y --allowerasing --spec ./pki.spec --nogpgcheck

      - name: Build PKI packages
        run: ./build.sh --with-pkgs=base,server --with-timestamp --with-commit-id --work-dir=build rpm

      - name: Upload PKI packages
        uses: actions/upload-artifact@v2
        with:
          name: pki-build-${{ matrix.os }}
          path: build/RPMS/

  PKICertImport-test:
    name: PKICertImport test
    needs: [init, build]
    runs-on: ubuntu-latest
    container: registry.fedoraproject.org/fedora:${{ matrix.os }}
    env:
      COPR_REPO: "@pki/master"
    strategy:
      matrix: ${{ fromJSON(needs.init.outputs.matrix) }}
    steps:
      - name: Clone repository
        uses: actions/checkout@v2

      - name: Download PKI packages
        uses: actions/download-artifact@v2
        with:
          name: pki-build-${{ matrix.os }}
          path: build/RPMS

      - name: Install PKI packages
        run: |
          dnf install -y dnf-plugins-core
          dnf copr enable -y $COPR_REPO
          dnf -y localinstall build/RPMS/*

      - name: Run PKICertImport test
        run: bash base/util/src/test/shell/test_PKICertImport.bash

  # https://github.com/dogtagpki/pki/wiki/PKI-NSS-CLI
  pki-nss-rsa-test:
    name: Testing PKI NSS CLI with RSA
    needs: [init, build]
    runs-on: ubuntu-latest
    container: registry.fedoraproject.org/fedora:${{ matrix.os }}
    env:
      COPR_REPO: "@pki/master"
    strategy:
      matrix: ${{ fromJSON(needs.init.outputs.matrix) }}
    steps:
      - name: Download PKI packages
        uses: actions/download-artifact@v2
        with:
          name: pki-build-${{ matrix.os }}
          path: build/RPMS

      - name: Install PKI packages
        run: |
          dnf install -y dnf-plugins-core
          dnf copr enable -y $COPR_REPO
          dnf -y localinstall build/RPMS/*

      # https://github.com/dogtagpki/pki/wiki/Generating-CA-Signing-CSR-with-PKI-NSS
      - name: Create CA signing cert request with new RSA key
        run: |
          pki nss-cert-request \
              --key-type RSA \
              --subject "CN=Certificate Authority" \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --csr ca_signing.csr
          openssl req -text -noout -in ca_signing.csr

      # https://github.com/dogtagpki/pki/wiki/Issuing-CA-Signing-Certificate-with-PKI-NSS
      - name: Issue self-signed CA signing cert
        run: |
          pki nss-cert-issue \
              --csr ca_signing.csr \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --cert ca_signing.crt
          openssl x509 -text -noout -in ca_signing.crt

      - name: Import CA signing cert
        run: |
          pki nss-cert-import \
              --cert ca_signing.crt \
              --trust CT,C,C \
              ca_signing

          # verify trust flags
          certutil -L -d /root/.dogtag/nssdb
          certutil -L -d /root/.dogtag/nssdb | sed -n 's/^ca_signing\s*\(\S\+\)\s*$/\1/p' > actual
          echo "CTu,Cu,Cu" > expected
          diff actual expected

          # verify key type
          certutil -K -d /root/.dogtag/nssdb
          certutil -K -d /root/.dogtag/nssdb | sed -n 's/^<.*>\s\+\(\S\+\)\s\+\S\+\s\+NSS Certificate DB:ca_signing$/\1/p' > actual
          echo rsa > expected
          diff actual expected

      # https://github.com/dogtagpki/pki/wiki/Generating-SSL-Server-CSR-with-PKI-NSS
      - name: Create SSL server cert request with new RSA key
        run: |
          pki nss-cert-request \
              --key-type RSA \
              --subject "CN=pki.example.com" \
              --ext /usr/share/pki/server/certs/sslserver.conf \
              --csr sslserver.csr
          openssl req -text -noout -in sslserver.csr

      # https://github.com/dogtagpki/pki/wiki/Issuing-SSL-Server-Certificate-with-PKI-NSS
      - name: Issue SSL server cert
        run: |
          pki nss-cert-issue \
              --issuer ca_signing \
              --csr sslserver.csr \
              --ext /usr/share/pki/server/certs/sslserver.conf \
              --cert sslserver.crt
          openssl x509 -text -noout -in sslserver.crt

      - name: Import SSL server cert
        run: |
          pki nss-cert-import \
              --cert sslserver.crt \
              sslserver

          # verify trust flags
          certutil -L -d /root/.dogtag/nssdb
          certutil -L -d /root/.dogtag/nssdb | sed -n 's/^sslserver\s*\(\S\+\)\s*$/\1/p' > actual
          echo "u,u,u" > expected
          diff actual expected

          # verify key type
          certutil -K -d /root/.dogtag/nssdb
          certutil -K -d /root/.dogtag/nssdb | sed -n 's/^<.*>\s\+\(\S\+\)\s\+\S\+\s\+NSS Certificate DB:sslserver$/\1/p' > actual
          echo rsa > expected
          diff actual expected

          # get key ID
          certutil -K -d /root/.dogtag/nssdb | sed -n 's/^<.*>\s\+\S\+\s\+\(\S\+\)\s\+NSS Certificate DB:sslserver$/\1/p' > sslserver_key_id

      - name: Delete SSL server cert
        run: |
          certutil -D -d /root/.dogtag/nssdb -n sslserver
          certutil -L -d /root/.dogtag/nssdb
          certutil -K -d /root/.dogtag/nssdb

      - name: Create new SSL server cert request with existing RSA key
        run: |
          pki nss-cert-request \
              --key-id `cat sslserver_key_id` \
              --subject "CN=pki.example.com" \
              --ext /usr/share/pki/server/certs/sslserver.conf \
              --csr new_sslserver.csr
          openssl req -text -noout -in new_sslserver.csr

      - name: Issue new SSL server cert
        run: |
          pki nss-cert-issue \
              --issuer ca_signing \
              --csr new_sslserver.csr \
              --ext /usr/share/pki/server/certs/sslserver.conf \
              --cert new_sslserver.crt
          openssl x509 -text -noout -in new_sslserver.crt

      - name: Import new SSL server cert
        run: |
          pki nss-cert-import \
              --cert new_sslserver.crt \
              new_sslserver

          # verify trust flags
          certutil -L -d /root/.dogtag/nssdb
          certutil -L -d /root/.dogtag/nssdb | sed -n 's/^new_sslserver\s*\(\S\+\)\s*$/\1/p' > actual
          echo "u,u,u" > expected
          diff actual expected

          # verify key type
          certutil -K -d /root/.dogtag/nssdb
          certutil -K -d /root/.dogtag/nssdb | sed -n 's/^<.*>\s\+\(\S\+\)\s\+\S\+\s\+NSS Certificate DB:new_sslserver$/\1/p' > actual
          echo rsa > expected
          diff actual expected

          # verify key ID
          certutil -K -d /root/.dogtag/nssdb | sed -n 's/^<.*>\s\+\S\+\s\+\(\S\+\)\s\+NSS Certificate DB:new_sslserver$/\1/p' > new_sslserver_key_id
          diff sslserver_key_id new_sslserver_key_id

  # https://github.com/dogtagpki/pki/wiki/PKI-NSS-CLI
  pki-nss-ecc-test:
    name: Testing PKI NSS CLI with ECC
    needs: [init, build]
    runs-on: ubuntu-latest
    container: registry.fedoraproject.org/fedora:${{ matrix.os }}
    env:
      COPR_REPO: "@pki/master"
    strategy:
      matrix: ${{ fromJSON(needs.init.outputs.matrix) }}
    steps:
      - name: Download PKI packages
        uses: actions/download-artifact@v2
        with:
          name: pki-build-${{ matrix.os }}
          path: build/RPMS

      - name: Install PKI packages
        run: |
          dnf install -y dnf-plugins-core
          dnf copr enable -y $COPR_REPO
          dnf -y localinstall build/RPMS/*

      # https://github.com/dogtagpki/pki/wiki/Generating-CA-Signing-CSR-with-PKI-NSS
      - name: Create CA signing cert request with new EC key
        run: |
          pki nss-cert-request \
              --key-type EC \
              --curve nistp256 \
              --subject "CN=Certificate Authority" \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --csr ca_signing.csr
          openssl req -text -noout -in ca_signing.csr

      # https://github.com/dogtagpki/pki/wiki/Issuing-CA-Signing-Certificate-with-PKI-NSS
      - name: Issue self-signed CA signing cert
        run: |
          pki nss-cert-issue \
              --csr ca_signing.csr \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --cert ca_signing.crt
          openssl x509 -text -noout -in ca_signing.crt

      - name: Import CA signing cert
        run: |
          pki nss-cert-import \
              --cert ca_signing.crt \
              --trust CT,C,C \
              ca_signing

          # verify trust flags
          certutil -L -d /root/.dogtag/nssdb
          certutil -L -d /root/.dogtag/nssdb | sed -n 's/^ca_signing\s*\(\S\+\)\s*$/\1/p' > actual
          echo "CTu,Cu,Cu" > expected
          diff actual expected

          # verify key type
          certutil -K -d /root/.dogtag/nssdb
          certutil -K -d /root/.dogtag/nssdb | sed -n 's/^<.*>\s\+\(\S\+\)\s\+\S\+\s\+NSS Certificate DB:ca_signing$/\1/p' > actual
          echo ec > expected
          diff actual expected

      # https://github.com/dogtagpki/pki/wiki/Generating-SSL-Server-CSR-with-PKI-NSS
      - name: Create SSL server cert request with new EC key
        run: |
          pki nss-cert-request \
              --key-type EC \
              --curve nistp256 \
              --subject "CN=pki.example.com" \
              --ext /usr/share/pki/server/certs/sslserver.conf \
              --csr sslserver.csr
          openssl req -text -noout -in sslserver.csr

      # https://github.com/dogtagpki/pki/wiki/Issuing-SSL-Server-Certificate-with-PKI-NSS
      - name: Issue SSL server cert
        run: |
          pki nss-cert-issue \
              --issuer ca_signing \
              --csr sslserver.csr \
              --ext /usr/share/pki/server/certs/sslserver.conf \
              --cert sslserver.crt
          openssl x509 -text -noout -in sslserver.crt

      - name: Import SSL server cert
        run: |
          pki nss-cert-import \
              --cert sslserver.crt \
              sslserver

          # verify trust flags
          certutil -L -d /root/.dogtag/nssdb
          certutil -L -d /root/.dogtag/nssdb | sed -n 's/^sslserver\s*\(\S\+\)\s*$/\1/p' > actual
          echo "u,u,u" > expected
          diff actual expected

          # verify key type
          certutil -K -d /root/.dogtag/nssdb
          certutil -K -d /root/.dogtag/nssdb | sed -n 's/^<.*>\s\+\(\S\+\)\s\+\S\+\s\+NSS Certificate DB:sslserver$/\1/p' > actual
          echo ec > expected
          diff actual expected

          # get key ID
          certutil -K -d /root/.dogtag/nssdb | sed -n 's/^<.*>\s\+\S\+\s\+\(\S\+\)\s\+NSS Certificate DB:sslserver$/\1/p' > sslserver_key_id

      - name: Delete SSL server cert
        run: |
          certutil -D -d /root/.dogtag/nssdb -n sslserver
          certutil -L -d /root/.dogtag/nssdb
          certutil -K -d /root/.dogtag/nssdb

      - name: Create new SSL server cert request with existing EC key
        run: |
          pki nss-cert-request \
              --key-id `cat sslserver_key_id` \
              --subject "CN=pki.example.com" \
              --ext /usr/share/pki/server/certs/sslserver.conf \
              --csr new_sslserver.csr
          openssl req -text -noout -in new_sslserver.csr

      - name: Issue new SSL server cert
        run: |
          pki nss-cert-issue \
              --issuer ca_signing \
              --csr new_sslserver.csr \
              --ext /usr/share/pki/server/certs/sslserver.conf \
              --cert new_sslserver.crt
          openssl x509 -text -noout -in new_sslserver.crt

      - name: Import new SSL server cert
        run: |
          pki nss-cert-import \
              --cert new_sslserver.crt \
              new_sslserver

          # verify trust flags
          certutil -L -d /root/.dogtag/nssdb
          certutil -L -d /root/.dogtag/nssdb | sed -n 's/^new_sslserver\s*\(\S\+\)\s*$/\1/p' > actual
          echo "u,u,u" > expected
          diff actual expected

          # verify key type
          certutil -K -d /root/.dogtag/nssdb
          certutil -K -d /root/.dogtag/nssdb | sed -n 's/^<.*>\s\+\(\S\+\)\s\+\S\+\s\+NSS Certificate DB:new_sslserver$/\1/p' > actual
          echo ec > expected
          diff actual expected

          # verify key ID
          certutil -K -d /root/.dogtag/nssdb | sed -n 's/^<.*>\s\+\S\+\s\+\(\S\+\)\s\+NSS Certificate DB:new_sslserver$/\1/p' > new_sslserver_key_id
          diff sslserver_key_id new_sslserver_key_id

  # https://github.com/dogtagpki/pki/wiki/PKI-NSS-CLI
  pki-nss-hsm-test:
    name: PKI NSS CLI with HSM
    needs: [init, build]
    runs-on: ubuntu-latest
    container: registry.fedoraproject.org/fedora:${{ matrix.os }}
    env:
      COPR_REPO: "@pki/master"
    strategy:
      matrix:
        # NSS cannot find the SoftHSM token on F33
        os: ['34']
    steps:
      - name: Download PKI packages
        uses: actions/download-artifact@v2
        with:
          name: pki-build-${{ matrix.os }}
          path: build/RPMS

      - name: Install PKI packages
        run: |
          dnf install -y dnf-plugins-core softhsm
          dnf copr enable -y $COPR_REPO
          dnf -y localinstall build/RPMS/*

      - name: Create HSM token
        run: |
          softhsm2-util --init-token \
              --label HSM \
              --so-pin Secret.123 \
              --pin Secret.123 \
              --free
          softhsm2-util --show-slots

      # https://github.com/dogtagpki/pki/wiki/Generating-CA-Signing-CSR-with-PKI-NSS
      - name: Generate CA signing cert request with key in HSM
        run: |
          echo "internal=" > password.conf
          echo "hardware-HSM=Secret.123" >> password.conf
          pki --token HSM -f password.conf nss-cert-request \
              --subject "CN=Certificate Authority" \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --csr ca_signing.csr
          openssl req -text -noout -in ca_signing.csr

      # https://github.com/dogtagpki/pki/wiki/Issuing-CA-Signing-Certificate-with-PKI-NSS
      - name: Issue self-signed CA signing cert
        run: |
          pki --token HSM -f password.conf nss-cert-issue \
              --csr ca_signing.csr \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --cert ca_signing.crt
          openssl x509 -text -noout -in ca_signing.crt

      - name: Import CA signing cert into internal token and HSM
        run: |
          pki --token HSM -f password.conf nss-cert-import \
              --cert ca_signing.crt \
              --trust CT,C,C \
              ca_signing

      - name: Verify CA signing cert trust flags in internal token
        run: |
          certutil -L -d /root/.dogtag/nssdb | sed -n 's/^ca_signing\s*\(\S\+\)\s*$/\1/p' > actual
          echo "CT,C,C" > expected
          diff actual expected

      - name: Verify CA signing cert trust flags in HSM
        run: |
          echo "Secret.123" > password.txt
          certutil -L -d /root/.dogtag/nssdb -h HSM -f password.txt | sed -n 's/^HSM:ca_signing\s*\(\S\+\)\s*$/\1/p' > actual
          echo "CTu,Cu,Cu" > expected
          diff actual expected

      - name: Remove HSM token
        run: softhsm2-util --delete-token --token HSM

  # docs/user/tools/Using-PKI-PKCS7-CLI.adoc
  pki-pkcs7-test:
    name: PKI PKCS7 CLI
    needs: [init, build]
    runs-on: ubuntu-latest
    container: registry.fedoraproject.org/fedora:${{ matrix.os }}
    env:
      COPR_REPO: "@pki/master"
    strategy:
      matrix: ${{ fromJSON(needs.init.outputs.matrix) }}
    steps:
      - name: Download PKI packages
        uses: actions/download-artifact@v2
        with:
          name: pki-build-${{ matrix.os }}
          path: build/RPMS

      - name: Install PKI packages
        run: |
          dnf install -y dnf-plugins-core
          dnf copr enable -y $COPR_REPO
          dnf -y localinstall build/RPMS/*

      - name: Generate CA signing cert request
        run: |
          pki nss-cert-request \
              --subject "CN=Certificate Authority" \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --csr ca_signing.csr

      - name: Issue self-signed CA signing cert
        run: |
          pki nss-cert-issue \
              --csr ca_signing.csr \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --cert ca_signing.crt

      - name: Import CA signing cert
        run: |
          pki nss-cert-import \
              --cert ca_signing.crt \
              --trust CT,C,C \
              ca_signing

      - name: Generate SSL server cert request
        run: |
          pki nss-cert-request \
              --subject "CN=localhost.localdomain" \
              --ext /usr/share/pki/server/certs/sslserver.conf \
              --csr sslserver.csr

      - name: Issue SSL server cert signed by CA signing cert
        run: |
          pki nss-cert-issue \
              --issuer ca_signing \
              --csr sslserver.csr \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --cert sslserver.crt

      - name: Import SSL server cert
        run: pki nss-cert-import sslserver --cert sslserver.crt

      - name: "Export SSL server cert chain into PKCS #7 chain"
        run: |
          pki pkcs7-export sslserver --pkcs7 cert_chain.p7b
          pki pkcs7-cert-find --pkcs7 cert_chain.p7b

      - name: Convert cert chain into separate PEM certificates
        run: |
          pki pkcs7-cert-export --pkcs7 cert_chain.p7b --output-prefix cert- --output-suffix .pem
          cat cert-0.pem
          cat cert-1.pem

      - name: "Merge PEM certificates into a PKCS #7 chain"
        run: |
          rm -f cert_chain.p7b
          pki pkcs7-cert-import --pkcs7 cert_chain.p7b --input-file cert-0.pem
          pki pkcs7-cert-import --pkcs7 cert_chain.p7b --input-file cert-1.pem --append
          pki pkcs7-cert-find --pkcs7 cert_chain.p7b

      - name: Remove certs from NSS database
        run: |
          certutil -D -d /root/.dogtag/nssdb -n sslserver
          certutil -D -d /root/.dogtag/nssdb -n ca_signing
          certutil -L -d /root/.dogtag/nssdb

      - name: "Import PKCS #7 chain into NSS database"
        run: |
          pki pkcs7-import sslserver --pkcs7 cert_chain.p7b
          certutil -L -d /root/.dogtag/nssdb

      - name: Verify CA signing cert trust flags
        run: |
          certutil -L -d /root/.dogtag/nssdb | sed -n 's/^Certificate Authority *\(\S\+\)/\1/p' > actual
          echo "CTu,Cu,Cu" > expected
          diff actual expected

      - name: Verify SSL server cert trust flags
        run: |
          certutil -L -d /root/.dogtag/nssdb | sed -n 's/^sslserver *\(\S\+\)/\1/p' > actual
          echo "u,u,u" > expected
          diff actual expected

      - name: "Convert PKCS #7 chain into a series of PEM certificates"
        run: |
          pki pkcs7-cert-export --pkcs7 cert_chain.p7b --output-file cert_chain.pem
          cat cert_chain.pem

      - name: Remove certs from NSS database
        run: |
          certutil -D -d /root/.dogtag/nssdb -n sslserver
          certutil -D -d /root/.dogtag/nssdb -n "Certificate Authority"
          certutil -L -d /root/.dogtag/nssdb

      - name: Import PEM certificates into NSS database
        run: |
          rm -f cert_chain.p7b
          pki pkcs7-cert-import --pkcs7 cert_chain.p7b --input-file cert_chain.pem
          pki pkcs7-import sslserver --pkcs7 cert_chain.p7b
          certutil -L -d /root/.dogtag/nssdb

      - name: Verify CA signing cert trust flags
        run: |
          certutil -L -d /root/.dogtag/nssdb | sed -n 's/^Certificate Authority *\(\S\+\)/\1/p' > actual
          echo "CTu,Cu,Cu" > expected
          diff actual expected

      - name: Verify SSL server cert trust flags
        run: |
          certutil -L -d /root/.dogtag/nssdb | sed -n 's/^sslserver *\(\S\+\)/\1/p' > actual
          echo "u,u,u" > expected
          diff actual expected