Move CSR/cert extension tests into scripts

.github/workflows/tools-tests.yml

@@ -52,7 +52,7 @@ jobs:
           rm -f `find /var/cache/dnf -name '*.rpm' | grep '/var/cache/dnf/copr:'`
 
       - name: Build PKI packages
-        run: ./build.sh --with-pkgs=base,server --with-timestamp --work-dir=build rpm
+        run: ./build.sh --with-pkgs=base,server,tests --with-timestamp --work-dir=build rpm
 
       - name: Upload PKI packages
         uses: actions/upload-artifact@v2
@@ -525,44 +525,17 @@ jobs:
               --subject "CN=Certificate Authority" \
               --ext /usr/share/pki/server/certs/ca_signing.conf \
               --csr ca_signing.csr
-          openssl req -text -noout -in ca_signing.csr | tee output
 
-          # verfiy basic constraints extension
-          echo "X509v3 Basic Constraints: critical" > expected
-          echo "CA:TRUE" >> expected
-          sed -En 'N; s/^ *(X509v3 Basic Constraints: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
-          diff actual expected
-
-          # verfiy key usage extension
-          echo "X509v3 Key Usage: critical" > expected
-          echo "Digital Signature, Non Repudiation, Certificate Sign, CRL Sign" >> expected
-          sed -En 'N; s/^ *(X509v3 Key Usage: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
-          diff actual expected
+          /usr/share/pki/tests/ca/bin/test-ca-signing-csr-ext.sh
 
       - name: Issue self-signed CA signing cert
         run: |
           pki nss-cert-issue \
               --csr ca_signing.csr \
               --ext /usr/share/pki/server/certs/ca_signing.conf \
               --cert ca_signing.crt
-          openssl x509 -text -noout -in ca_signing.crt | tee output
-
-          # verfiy SKI extension
-          echo "X509v3 Subject Key Identifier: " > expected
-          sed -En 's/^ *(X509v3 Subject Key Identifier: .*)$/\1/p' output | tee actual
-          diff actual expected
 
-          # verfiy basic constraints extension
-          echo "X509v3 Basic Constraints: critical" > expected
-          echo "CA:TRUE" >> expected
-          sed -En 'N; s/^ *(X509v3 Basic Constraints: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
-          diff actual expected
-
-          # verfiy key usage extension
-          echo "X509v3 Key Usage: critical" > expected
-          echo "Digital Signature, Non Repudiation, Certificate Sign, CRL Sign" >> expected
-          sed -En 'N; s/^ *(X509v3 Key Usage: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
-          diff actual expected
+          /usr/share/pki/tests/ca/bin/test-ca-signing-cert-ext.sh
 
       - name: Import CA signing cert
         run: |
@@ -578,26 +551,8 @@ jobs:
               --subject "CN=Subordinate CA" \
               --ext /usr/share/pki/server/certs/subca_signing.conf \
               --csr subca_signing.csr
-          openssl req -text -noout -in subca_signing.csr | tee output
 
-          # verfiy basic constraints extension
-          echo "X509v3 Basic Constraints: critical" > expected
-          echo "CA:TRUE" >> expected
-          sed -En 'N; s/^ *(X509v3 Basic Constraints: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
-          diff actual expected
-
-          # verfiy key usage extension
-          echo "X509v3 Key Usage: critical" > expected
-          echo "Digital Signature, Non Repudiation, Certificate Sign, CRL Sign" >> expected
-          sed -En 'N; s/^ *(X509v3 Key Usage: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
-          diff actual expected
-
-          # verfiy subordinate CA extension
-          echo "1.3.6.1.4.1.311.20.2: " > expected
-          echo "." >> expected
-          echo ".S.u.b.C.A" >> expected
-          sed -En '1N;$!N;s/^ *(1.3.6.1.4.1.311.20.2: .*)\n *(.*)\n *(.*)/\1\n\2\n\3/p;D' output | tee actual
-          diff  actual expected
+          /usr/share/pki/tests/ca/bin/test-subca-signing-csr-ext.sh
 
       - name: Issue subordinate CA signing cert
         run: |
@@ -606,62 +561,17 @@ jobs:
               --csr subca_signing.csr \
               --ext /usr/share/pki/server/certs/subca_signing.conf \
               --cert subca_signing.crt
-          openssl x509 -text -noout -in subca_signing.crt | tee output
 
-          # verfiy SKI extension
-          echo "X509v3 Subject Key Identifier: " > expected
-          sed -En 's/^ *(X509v3 Subject Key Identifier: .*)$/\1/p' output | tee actual
-          diff actual expected
-
-          # verfiy AKI extension
-          echo "X509v3 Authority Key Identifier: " > expected
-          sed -En 's/^ *(X509v3 Authority Key Identifier: .*)$/\1/p' output | tee actual
-          diff actual expected
-
-          # verfiy basic constraints extension
-          echo "X509v3 Basic Constraints: critical" > expected
-          echo "CA:TRUE" >> expected
-          sed -En 'N; s/^ *(X509v3 Basic Constraints: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
-          diff actual expected
-
-          # verfiy key usage extension
-          echo "X509v3 Key Usage: critical" > expected
-          echo "Digital Signature, Non Repudiation, Certificate Sign, CRL Sign" >> expected
-          sed -En 'N; s/^ *(X509v3 Key Usage: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
-          diff actual expected
-
-          # verfiy subordinate CA extension
-          echo "1.3.6.1.4.1.311.20.2: " > expected
-          echo "." >> expected
-          echo ".S.u.b.C.A" >> expected
-          sed -En '1N;$!N;s/^ *(1.3.6.1.4.1.311.20.2: .*)\n *(.*)\n *(.*)/\1\n\2\n\3/p;D' output | tee actual
-          diff actual expected
+          /usr/share/pki/tests/ca/bin/test-subca-signing-cert-ext.sh
 
       - name: Create SSL server cert request
         run: |
           pki nss-cert-request \
               --subject "CN=pki.example.com" \
               --ext /usr/share/pki/server/certs/sslserver.conf \
               --csr sslserver.csr
-          openssl req -text -noout -in sslserver.csr | tee output
 
-          # verfiy basic constraints extension
-          echo "X509v3 Basic Constraints: critical" > expected
-          echo "CA:FALSE" >> expected
-          sed -En 'N; s/^ *(X509v3 Basic Constraints: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
-          diff actual expected
-
-          # verfiy key usage extension
-          echo "X509v3 Key Usage: critical" > expected
-          echo "Digital Signature, Key Encipherment" >> expected
-          sed -En 'N; s/^ *(X509v3 Key Usage: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
-          diff actual expected
-
-          # verfiy extended key usage extension
-          echo "X509v3 Extended Key Usage: " > expected
-          echo "TLS Web Server Authentication, TLS Web Client Authentication" >> expected
-          sed -En 'N; s/^ *(X509v3 Extended Key Usage: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
-          diff actual expected
+          /usr/share/pki/tests/bin/test-sslserver-csr-ext.sh
 
       - name: Issue SSL server cert
         run: |
@@ -670,41 +580,8 @@ jobs:
               --csr sslserver.csr \
               --ext /usr/share/pki/server/certs/sslserver.conf \
               --cert sslserver.crt
-          openssl x509 -text -noout -in sslserver.crt | tee output
-
-          # verfiy SKI extension
-          echo "X509v3 Subject Key Identifier: " > expected
-          sed -En 's/^ *(X509v3 Subject Key Identifier: .*)$/\1/p' output | tee actual
-          diff actual expected
 
-          # verfiy AKI extension
-          echo "X509v3 Authority Key Identifier: " > expected
-          sed -En 's/^ *(X509v3 Authority Key Identifier: .*)$/\1/p' output | tee actual
-          diff actual expected
-
-          # verfiy basic constraints extension
-          echo "X509v3 Basic Constraints: critical" > expected
-          echo "CA:FALSE" >> expected
-          sed -En 'N; s/^ *(X509v3 Basic Constraints: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
-          diff actual expected
-
-          # verfiy key usage extension
-          echo "X509v3 Key Usage: critical" > expected
-          echo "Digital Signature, Key Encipherment" >> expected
-          sed -En 'N; s/^ *(X509v3 Key Usage: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
-          diff actual expected
-
-          # verfiy extended key usage extension
-          echo "X509v3 Extended Key Usage: " > expected
-          echo "TLS Web Server Authentication, TLS Web Client Authentication" >> expected
-          sed -En 'N; s/^ *(X509v3 Extended Key Usage: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
-          diff actual expected
-
-          # verfiy SAN extension
-          echo "X509v3 Subject Alternative Name: " > expected
-          echo "DNS:pki.example.com" >> expected
-          sed -En 'N; s/^ *(X509v3 Subject Alternative Name: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
-          diff actual expected
+          /usr/share/pki/tests/bin/test-sslserver-cert-ext.sh
 
   # docs/user/tools/Using-PKI-PKCS7-CLI.adoc
   pki-pkcs7-test:

tests/bin/test-sslserver-cert-ext.sh

@@ -0,0 +1,43 @@
+#!/bin/bash -e
+
+INPUT=$1
+
+if [ "$INPUT" = "" ]; then
+    INPUT=sslserver.crt
+fi
+
+openssl x509 -text -noout -in $INPUT | tee output
+
+# verfiy SKI extension
+echo "X509v3 Subject Key Identifier: " > expected
+sed -En 's/^ *(X509v3 Subject Key Identifier: .*)$/\1/p' output | tee actual
+diff actual expected
+
+# verfiy AKI extension
+echo "X509v3 Authority Key Identifier: " > expected
+sed -En 's/^ *(X509v3 Authority Key Identifier: .*)$/\1/p' output | tee actual
+diff actual expected
+
+# verfiy basic constraints extension
+echo "X509v3 Basic Constraints: critical" > expected
+echo "CA:FALSE" >> expected
+sed -En 'N; s/^ *(X509v3 Basic Constraints: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
+diff actual expected
+
+# verfiy key usage extension
+echo "X509v3 Key Usage: critical" > expected
+echo "Digital Signature, Key Encipherment" >> expected
+sed -En 'N; s/^ *(X509v3 Key Usage: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
+diff actual expected
+
+# verfiy extended key usage extension
+echo "X509v3 Extended Key Usage: " > expected
+echo "TLS Web Server Authentication, TLS Web Client Authentication" >> expected
+sed -En 'N; s/^ *(X509v3 Extended Key Usage: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
+diff actual expected
+
+# verfiy SAN extension
+echo "X509v3 Subject Alternative Name: " > expected
+echo "DNS:pki.example.com" >> expected
+sed -En 'N; s/^ *(X509v3 Subject Alternative Name: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
+diff actual expected

tests/bin/test-sslserver-csr-ext.sh

@@ -0,0 +1,27 @@
+#!/bin/bash -e
+
+INPUT=$1
+
+if [ "$INPUT" = "" ]; then
+    INPUT=sslserver.csr
+fi
+
+openssl req -text -noout -in $INPUT | tee output
+
+# verfiy basic constraints extension
+echo "X509v3 Basic Constraints: critical" > expected
+echo "CA:FALSE" >> expected
+sed -En 'N; s/^ *(X509v3 Basic Constraints: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
+diff actual expected
+
+# verfiy key usage extension
+echo "X509v3 Key Usage: critical" > expected
+echo "Digital Signature, Key Encipherment" >> expected
+sed -En 'N; s/^ *(X509v3 Key Usage: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
+diff actual expected
+
+# verfiy extended key usage extension
+echo "X509v3 Extended Key Usage: " > expected
+echo "TLS Web Server Authentication, TLS Web Client Authentication" >> expected
+sed -En 'N; s/^ *(X509v3 Extended Key Usage: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
+diff actual expected

tests/ca/bin/test-ca-signing-cert-ext.sh

@@ -0,0 +1,26 @@
+#!/bin/bash -e
+
+INPUT=$1
+
+if [ "$INPUT" = "" ]; then
+    INPUT=ca_signing.crt
+fi
+
+openssl x509 -text -noout -in $INPUT | tee output
+
+# verfiy SKI extension
+echo "X509v3 Subject Key Identifier: " > expected
+sed -En 's/^ *(X509v3 Subject Key Identifier: .*)$/\1/p' output | tee actual
+diff actual expected
+
+# verfiy basic constraints extension
+echo "X509v3 Basic Constraints: critical" > expected
+echo "CA:TRUE" >> expected
+sed -En 'N; s/^ *(X509v3 Basic Constraints: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
+diff actual expected
+
+# verfiy key usage extension
+echo "X509v3 Key Usage: critical" > expected
+echo "Digital Signature, Non Repudiation, Certificate Sign, CRL Sign" >> expected
+sed -En 'N; s/^ *(X509v3 Key Usage: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
+diff actual expected

tests/ca/bin/test-ca-signing-csr-ext.sh

@@ -0,0 +1,21 @@
+#!/bin/bash -e
+
+INPUT=$1
+
+if [ "$INPUT" = "" ]; then
+    INPUT=ca_signing.csr
+fi
+
+openssl req -text -noout -in $INPUT | tee output
+
+# verfiy basic constraints extension
+echo "X509v3 Basic Constraints: critical" > expected
+echo "CA:TRUE" >> expected
+sed -En 'N; s/^ *(X509v3 Basic Constraints: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
+diff actual expected
+
+# verfiy key usage extension
+echo "X509v3 Key Usage: critical" > expected
+echo "Digital Signature, Non Repudiation, Certificate Sign, CRL Sign" >> expected
+sed -En 'N; s/^ *(X509v3 Key Usage: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
+diff actual expected

tests/ca/bin/test-subca-signing-cert-ext.sh

@@ -0,0 +1,38 @@
+#!/bin/bash -e
+
+INPUT=$1
+
+if [ "$INPUT" = "" ]; then
+    INPUT=subca_signing.crt
+fi
+
+openssl x509 -text -noout -in $INPUT | tee output
+
+# verfiy SKI extension
+echo "X509v3 Subject Key Identifier: " > expected
+sed -En 's/^ *(X509v3 Subject Key Identifier: .*)$/\1/p' output | tee actual
+diff actual expected
+
+# verfiy AKI extension
+echo "X509v3 Authority Key Identifier: " > expected
+sed -En 's/^ *(X509v3 Authority Key Identifier: .*)$/\1/p' output | tee actual
+diff actual expected
+
+# verfiy basic constraints extension
+echo "X509v3 Basic Constraints: critical" > expected
+echo "CA:TRUE" >> expected
+sed -En 'N; s/^ *(X509v3 Basic Constraints: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
+diff actual expected
+
+# verfiy key usage extension
+echo "X509v3 Key Usage: critical" > expected
+echo "Digital Signature, Non Repudiation, Certificate Sign, CRL Sign" >> expected
+sed -En 'N; s/^ *(X509v3 Key Usage: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
+diff actual expected
+
+# verfiy subordinate CA extension
+echo "1.3.6.1.4.1.311.20.2: " > expected
+echo "." >> expected
+echo ".S.u.b.C.A" >> expected
+sed -En '1N;$!N;s/^ *(1.3.6.1.4.1.311.20.2: .*)\n *(.*)\n *(.*)/\1\n\2\n\3/p;D' output | tee actual
+diff actual expected

tests/ca/bin/test-subca-signing-csr-ext.sh

@@ -0,0 +1,28 @@
+#!/bin/bash -e
+
+INPUT=$1
+
+if [ "$INPUT" = "" ]; then
+    INPUT=subca_signing.csr
+fi
+
+openssl req -text -noout -in $INPUT | tee output
+
+# verfiy basic constraints extension
+echo "X509v3 Basic Constraints: critical" > expected
+echo "CA:TRUE" >> expected
+sed -En 'N; s/^ *(X509v3 Basic Constraints: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
+diff actual expected
+
+# verfiy key usage extension
+echo "X509v3 Key Usage: critical" > expected
+echo "Digital Signature, Non Repudiation, Certificate Sign, CRL Sign" >> expected
+sed -En 'N; s/^ *(X509v3 Key Usage: .*)\n *(.*)$/\1\n\2/p; D' output | tee actual
+diff actual expected
+
+# verfiy subordinate CA extension
+echo "1.3.6.1.4.1.311.20.2: " > expected
+echo "." >> expected
+echo ".S.u.b.C.A" >> expected
+sed -En '1N;$!N;s/^ *(1.3.6.1.4.1.311.20.2: .*)\n *(.*)\n *(.*)/\1\n\2\n\3/p;D' output | tee actual
+diff  actual expected