URL: https://github.com/freeipa/freeipa/pull/4150 Author: mrizwan93 Title: #4150: ipatest: Test if certmonger reads the token in HSM Action: opened
PR body: """ This is to verify the added HSM support in FreeIPA. This test adds a certificate with a softhsm token and checks if certmonger is tracking it. related : https://pagure.io/certmonger/issue/125 Signed-off-by: Mohammad Rizwan Yusuf <myu...@redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4150/head:pr4150 git checkout pr4150
From a23a61d15fbce637e9687fa60731165a5fec1ec1 Mon Sep 17 00:00:00 2001 From: Mohammad Rizwan Yusuf <myu...@redhat.com> Date: Wed, 22 Jan 2020 16:02:12 +0530 Subject: [PATCH] Test if certmonger reads the token in HSM This is to ensure added HSM support for FreeIPA. This test adds certificate with sofhsm token and checks if certmonger is tracking it. related : https://pagure.io/certmonger/issue/125 Signed-off-by: Mohammad Rizwan Yusuf <myu...@redhat.com> --- .../test_integration/test_installation.py | 79 +++++++++++++++++++ 1 file changed, 79 insertions(+) diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py index 43dee0ebf5..6b37050b74 100644 --- a/ipatests/test_integration/test_installation.py +++ b/ipatests/test_integration/test_installation.py 
@@ -254,6 +254,85 @@ def test_replica_ca_install_with_skip_schema_check(self):
 tasks.install_replica(self.master, self.replicas[1], setup_ca=False)
 tasks.install_ca(self.replicas[1], extra_args=["--skip-schema-check"])
+ def test_certmonger_reads_token_HSM(self):
+ """Test if certmonger reads the token in HSM
+
+ This is to ensure added HSM support for FreeIPA. This test adds
+ certificate with sofhsm token and checks if certmonger is tracking
+ it.
+
+ related : https://pagure.io/certmonger/issue/125
+ """
+ test_service='test/%s'%self.master.hostname
+ pkcs_passwd='Secret123'
+ pin='123456'
+ noise_contents=("sjdhkjhdkjahdkjsahdhkjsahdkjsahdkjHDJSADHSADASDJHAA"
+ "ADAJSDKJSAHDJSAHDJASHDJHSADKJAHSDKJAHDSKJAHSDKJHASA"
+ "ASJDHASJDHASJDHJASHDJASHDKJASHDJSAHDJSAHDJSAHDJSWSH")
+ noise_file='/tmp/noise'
+ self.master.master.put_file_contents(noise_file, noise_contents)
+
+ tasks.kinit_admin(self.master)
+ self.master.run_command(['ipa', 'service-add', test_service)]
+
+ # create a csr
+ cmd_args=['certutil', '-d', paths.NSS_DB_DIR, '-R', '-a',
+ '-o', '/root/ipa.csr', '-s', "CN=%s"%self.master.hostname]
+ self.master.run_command(cmd_args)
+
+ # request certificate
+ cmd_args=['ipa', 'cert-request', '--principal', test_service,
+ '--certificate-out', '/root/test.pem', '/root/ipa.csr']
+ self.master.run_command(cmd_args)
+
+ # adding trust flag
+ cmd_args=['certutil', '-A', '-d', paths.NSS_DB_DIR, '-n',
+ 'test', '-a', '-i', '/root/test.pem', '-t', 'u,u,u']
+ self.master.run_command(cmd_args)
+
+ # export pkcs12 file
+ cmd_args=['pk12util', '-o', '/root/test.p12',
+ '-d', paths.NSS_DB_DIR, '-n' 'test', '-W', pkcs_passwd]
+ self.master.run_command(cmd_args)
+
+ # add softhsm lib
+ cmd_args=['modutil', '-dbdir', paths.NSS_DB_DIR, '-add',
+ 'softhsm', '-libfile', '/usr/lib64/softhsm/libsofthsm.so']
+ self.master.run_command(cmd_args, stdin_text="\n\n")
+
+ cmd_args=['softhsm2-util', '--init-token', '--label', 'test',
+ '--pin', pin, '--so-pin', pin, '--free']
+ self.master.run_command(cmd_args)
+
+ cmd_args=['certutil', '-F', '-d', paths.NSS_DB_DIR, '-n', 'test']
+ self.master.run_command(cmd_args)
+
+ cmd_args=['pk12util', '-i', '/root/test.p12',
+ '-d', paths.NSS_DB_DIR, '-h', 'test']
+ self.master.run_command(cmd_args,
+ stdin_text="%s\n%s"%(pin, pkcs_passwd))
+
+ cmd_args=['certutil', '-A', '-d', paths.NSS_DB_DIR, '-n', 'IPA CA',
+ '-t', 'CT,,', '-a', '-i', paths.IPA_CA_CRT]
+ self.master.run_command(cmd_args)
+
+ # validate the certificate
+ cmd_args=['certutil', '-V', '-u', 'V', '-e', '-d', paths.NSS_DB_DIR,
+ '-h', 'test', '-n', 'test:test']
+ result = self.master.run_command(cmd_args, stdin_text="%s"%pin)
+ assert 'certificate is valid' in result.stdout_text
+
+ # add certificate tracking to certmonger
+ cmd_args=['ipa-getcert', 'start-tracking', '-d', paths.NSS_DB_DIR,
+ '-n', 'test', '-t', 'test', '-P', pin]
+ result = self.master.run_command(cmd_args)
+ request_id = re.findall(r'\d+', result.stdout_text)
+
+ # check if certificate ifs tracked by certmonger
+ cmd_args=['getcert', 'list', '-i', request_id[0]]
+ result = self.master.run_command(cmd_args)
+ assert "MONITORING" in result.stdout_text
+
 class TestInstallWithCA_KRA1(InstallTestBase1):
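Review bot: `self.master.run_command(['ipa', 'service-add', test_service)]` has its closing brackets swapped and will not parse, so the whole test module fails to import; it should read `self.master.run_command(['ipa', 'service-add', test_service])`. In the pk12util export a comma is missing between `'-n' 'test'`, which Python concatenates into the single argument `-ntest`; write `'-n', 'test'`. The noise file written via `self.master.master.put_file_contents` is never used afterwards and the doubled `.master` looks like a typo, so that block can be dropped, and `re` is used without an import being visible in this hunk — check the module header. Nothing is cleaned up at the end: the softhsm module stays loaded in the system NSS database, the certmonger tracking request keeps running, the `test/<host>` service remains and `/root/test.p12` (protected only by the hard-coded `Secret123`) is left on disk, so the tests that follow in this module run against a modified host; a `try/finally` or fixture teardown running `getcert stop-tracking -i <request_id>` and `modutil -delete softhsm -dbdir paths.NSS_DB_DIR`, and removing the p12/csr files, would keep them isolated. `re.findall(r'\d+', ...)` also picks up the first digit run anywhere in the output and `request_id[0]` raises IndexError on no match, so a stricter pattern such as `re.search(r'"(\d+)"', result.stdout_text)` with an explicit assertion would make the failure mode clearer.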