Skip to content

Commit

Permalink
Use new CA and cert for the system certstore scenario
Browse files Browse the repository at this point in the history
  • Loading branch information
@kkaarreell
kkaarreell committed Sep 23, 2024
1 parent e8777e2 commit dea8973
Show file tree
Hide file tree
Showing 2 changed files with 12 additions and 28 deletions.
20 changes: 10 additions & 10 deletions functional/webhook-certificate-on-localhost/test.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,33 +20,33 @@ rlJournalStart
done
fi

# restart journald as it seems to get stuck on RHEL-10 but
# I wasn't able to figure out the details yet
rlRun "systemctl restart systemd-journald "

# Create directory to store certificates and keys
CERTDIR=/var/lib/keylime/certs
rlRun "mkdir -p $CERTDIR"

# Generate keys for TLS certificates
rlRun "x509KeyGen good-ca" 0 "Generating good CA RSA key pair"
rlRun "x509KeyGen bad-ca" 0 "Generating bad CA RSA key pair"
rlRun "x509KeyGen installed-ca" 0 "Generating bad CA RSA key pair"
rlRun "x509KeyGen intermediate-ca" 0 "Generating Intermediate CA RSA key pair"
rlRun "x509KeyGen verifier" 0 "Generating verifier RSA key pair"
rlRun "x509KeyGen verifier-client" 0 "Generating verifier-client RSA key pair"
rlRun "x509KeyGen registrar" 0 "Generating registrar RSA key pair"
rlRun "x509KeyGen tenant" 0 "Generating tenant RSA key pair"
rlRun "x509KeyGen good-webhook" 0 "Generating webhook RSA key pair"
rlRun "x509KeyGen bad-webhook" 0 "Generating bad webhook RSA key pair"
rlRun "x509KeyGen installed-webhook" 0 "Generating installed webhook RSA key pair"

# Sign good certificates for each component and the webhook
rlRun "x509SelfSign good-ca" 0 "Selfsigning good CA certificate"
rlRun "x509SelfSign installed-ca" 0 "Selfsigning good CA certificate"
rlRun "x509CertSign --CA good-ca --DN 'CN = ${HOSTNAME}' -t CA --subjectAltName 'IP = ${MY_IP}' intermediate-ca" 0 "Signing intermediate CA certificate with our goot CA key"
rlRun "x509CertSign --CA intermediate-ca --DN 'CN = ${HOSTNAME}' -t webserver --subjectAltName 'IP = ${MY_IP}' verifier" 0 "Signing verifier certificate with intermediate CA key"
rlRun "x509CertSign --CA intermediate-ca --DN 'CN = ${HOSTNAME}' -t webclient --subjectAltName 'IP = ${MY_IP}' verifier-client" 0 "Signing verifier-client certificate with intermediate CA key"
rlRun "x509CertSign --CA intermediate-ca --DN 'CN = ${HOSTNAME}' -t webserver --subjectAltName 'IP = ${MY_IP}' registrar" 0 "Signing registrar certificate with intermediate CA key"
rlRun "x509CertSign --CA intermediate-ca --DN 'CN = ${HOSTNAME}' -t webclient --subjectAltName 'IP = ${MY_IP}' tenant" 0 "Signing tenant certificate with intermediate CA key"
rlRun "x509CertSign --CA intermediate-ca --DN 'CN = ${HOSTNAME}' -t webserver --subjectAltName 'IP = ${MY_IP}' good-webhook" 0 "Signing webhook certificate with intermediate CA key"
rlRun "x509CertSign --CA installed-ca --DN 'CN = ${HOSTNAME}' -t webserver --subjectAltName 'IP = ${MY_IP}' installed-webhook" 0 "Signing webhook certificate with installed CA key"

# Sign bad certificate for the webhook
rlRun "x509SelfSign bad-ca" 0 "Selfsigning bad CA certificate"
Expand All @@ -68,6 +68,8 @@ rlJournalStart
rlRun "cp $(x509Key good-webhook) $CERTDIR/good-webhook-key.pem"
rlRun "cp $(x509Cert bad-webhook) $CERTDIR/bad-webhook-cert.pem"
rlRun "cp $(x509Key bad-webhook) $CERTDIR/bad-webhook-key.pem"
rlRun "cp $(x509Cert installed-webhook) $CERTDIR/installed-webhook-cert.pem"
rlRun "cp $(x509Key installed-webhook) $CERTDIR/installed-webhook-key.pem"
# assign cert ownership to keylime user if it exists
id keylime && rlRun "chown -R keylime:keylime $CERTDIR"

Expand Down Expand Up @@ -120,20 +122,18 @@ rlJournalStart
limeCreateTestPolicy
rlPhaseEnd

for i in "good-webhook good 8980 none" "bad-webhook bad 8981 CERTIFICATE_VERIFY_FAILED" "none bad 8982 SSLError" "installed good 8983 none"; do
for i in "good-webhook good 8980 none" "bad-webhook bad 8981 CERTIFICATE_VERIFY_FAILED" "none bad 8982 SSLError" "installed-webhook good 8983 none"; do
read -r WEBHOOK EXPECTED_RESULT WEBHOOK_SERVER_PORT EXPECTED_ERROR <<< "${i}"

# This case is to test that the verifier is including the system-wide
# installed certificates when verifying the revocation notification
# webhook certificate
if [ "${WEBHOOK}" = "installed" ]; then
if [ "${WEBHOOK}" = "installed-webhook" ]; then
rlPhaseStartTest "Install CA certificate on system-wide store, and run on port ${WEBHOOK_SERVER_PORT}"
rlRun "limeUpdateConf revocations webhook_url https://localhost:${WEBHOOK_SERVER_PORT}"
# Install the "bad" CA certificate on system-wide trust store
rlRun "cp $(x509Cert bad-ca) /etc/pki/ca-trust/source/anchors/webhook-ca.crt"
# Install the "installed" CA certificate on system-wide trust store
rlRun "cp $(x509Cert installed-ca) /etc/pki/ca-trust/source/anchors/webhook-ca.crt"
rlRun "update-ca-trust"
# Use the "bad" revocation notification webhook certificate
WEBHOOK="bad-webhook"
rlPhaseEnd
fi

Expand Down
20 changes: 2 additions & 18 deletions plans/upstream-keylime-all-tests.fmf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,27 +8,11 @@ environment+:
discover:
how: fmf
test:
- /setup/apply_workarounds
- /setup/configure_tpm_emulator
- /setup/install_upstream_keylime
- /setup/install_upstream_rust_keylime
#- /setup/enable_keylime_debug_messages
- /setup/enable_keylime_coverage
- install_rust_keylime_from_copr
# change IMA policy to simple and run one attestation scenario
# this is to utilize also a different parser
- /setup/configure_kernel_ima_module/ima_policy_simple
- /functional/basic-attestation-on-localhost
# now change IMA policy to signing and run all tests
- /setup/configure_kernel_ima_module/ima_policy_signing
- "^/functional/.*"
- "^/compatibility/.*"
- "^/regression/.*"
- /update/basic-attestation-on-localhost/all
- "/sanity/.*"
# run upstream test suite
- /upstream/run_keylime_tests
- /setup/generate_coverage_report
- /setup/generate_upstream_rust_keylime_code_coverage
- /functional/webhook

execute:
how: tmt
Expand Down

0 comments on commit dea8973

Please sign in to comment.