From 2a197cc7b11a5f1ba3a32a7a0c95c73b739b4542 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Fri, 27 Sep 2019 15:15:56 +0200
Subject: [PATCH] tests/external-signed-ca tests: Fix external-ca.sh to use
 proper serials

The serial numbers were not set when creating the CA and when signing the
request. Because of this the local time was used, which sometimes produced
the same serial for the CA certificate and the signed request. The import
then failed with a "same issuer and serial number" error.

The cat used to generate chain.crt has been replaced with openssl x509 calls.

Some comments have also been added.

The script in external-signed-ca-with-manual-copy has been replaced with a
link to the external-signed-ca-with-automatic-copy directory.
---
 .../external-ca.sh                            | 18 +++++--
 .../external-ca.sh                            | 50 +------------------
 2 files changed, 15 insertions(+), 53 deletions(-)
 mode change 100644 => 120000 tests/external-signed-ca-with-manual-copy/external-ca.sh

diff --git a/tests/external-signed-ca-with-automatic-copy/external-ca.sh b/tests/external-signed-ca-with-automatic-copy/external-ca.sh
index bf4cb696..9bf6f1cc 100644
--- a/tests/external-signed-ca-with-automatic-copy/external-ca.sh
+++ b/tests/external-signed-ca-with-automatic-copy/external-ca.sh
@@ -11,7 +11,7 @@ fi
 PASSWORD="SomeCApassword"
 DBDIR="${master}-nssdb"
 PWDFILE="$DBDIR/pwdfile.txt"
-NOISE="/etc/passwd"
+NOISE="$DBDIR/noise.txt"
 
 domain=$2
 if [ -z "$domain" ]; then
@@ -29,21 +29,31 @@ fi
 ROOT_KEY_ID=0x$(dd if=/dev/urandom bs=20 count=1 | xxd -p)
 IPA_CA_KEY_ID=0x$(dd if=/dev/urandom bs=20 count=1 | xxd -p)
 
+# Prepare a new NSS database to serve us as an external CA
 rm -rf "$DBDIR"
 mkdir "$DBDIR"
 echo "$PASSWORD" > "$PWDFILE"
+dd count=10 bs=1024 if=/dev/random of="$NOISE" 2>/dev/null
 certutil -N -d "$DBDIR" -f "$PWDFILE"
+
+# Generate a CA certificate
 echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n${ROOT_KEY_ID}\nn\n" \
   | certutil -d "$DBDIR"  -f "$PWDFILE" -S -z "$NOISE" -n ca -x -t C,C,C \
-    -s "CN=PRIMARY,O=$domain" -x -1 -2 --extSKID
+    -s "CN=PRIMARY,O=$domain" -x -1 -2 --extSKID -m 1
 
+# Change the form of the CSR from PEM to DER for the NSS database
 openssl req -outform der -in "${master}-ipa.csr" -out "$DBDIR/req.csr"
+
+# Sign the certificate request
 echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\ny\n${ROOT_KEY_ID}\n\n\nn\n${IPA_CA_KEY_ID}\nn\n" \
   | certutil -d "$DBDIR" -f "$PWDFILE" -C -z "$NOISE" -c ca \
-    -i "$DBDIR/req.csr" -o "$DBDIR/external.cer" -1 -2 -3 --extSKID
+    -i "$DBDIR/req.csr" -o "$DBDIR/external.cer" -1 -2 -3 --extSKID -m 2
 
 openssl x509 -inform der -in "$DBDIR/external.cer" -out "$DBDIR/external.pem"
+
+# Export the NSS CA certificate and add it to a chain file
 certutil -L -n ca -d "$DBDIR" -a > "$DBDIR/ca.crt"
-cat "$DBDIR/external.pem" "$DBDIR/ca.crt" > "$DBDIR/chain.crt"
+openssl x509 -text -in "$DBDIR/external.pem" > "$DBDIR/chain.crt"
+openssl x509 -text -in "$DBDIR/ca.crt" >> "$DBDIR/chain.crt"
 
 cp "$DBDIR/chain.crt" "${master}-chain.crt"
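Review bot: The new noise-file line `dd count=10 bs=1024 if=/dev/random of="$NOISE" 2>/dev/null` reads 10 KiB from the blocking `/dev/random`, which on kernels before 5.6 can stall for a long time in an entropy-starved test VM, while the key IDs two lines above already draw from `/dev/urandom`; I would write `dd count=10 bs=1024 if=/dev/urandom of="$NOISE" 2>/dev/null || exit 1` so the source is consistent and a failed write (currently silenced by `2>/dev/null`, with no `set -e` visible in this hunk) does not leave certutil running `-z` against an empty file. The fixed serials `-m 1` and `-m 2` do remove the collision the commit describes, but because `$DBDIR` is wiped on every run, a second invocation for the same master yields a new CA key with the identical issuer and serial 1, which presumably reproduces the same "same issuer and serial" import error if the earlier chain was already imported on the IPA side; a comment such as `# Serials are only unique within one run of this script; the DB is recreated each time` on the `-m 1` line would warn the next person. Also note that `openssl x509 -text` writes the human-readable dump ahead of each PEM block in `chain.crt`; most parsers skip that text, but if the importer is strict, dropping `-text` keeps the chain pure PEM. The script's shebang and argument parsing are outside the hunk.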
diff --git a/tests/external-signed-ca-with-manual-copy/external-ca.sh b/tests/external-signed-ca-with-manual-copy/external-ca.sh
deleted file mode 100644
index bf4cb696..00000000
--- a/tests/external-signed-ca-with-manual-copy/external-ca.sh
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/bin/bash
-
-master=$1
-if [ -z "$master" ]; then
-    echo "ERROR: master is not set"
-    echo
-    echo "usage: $0 master-fqdn domain"
-    exit 0;
-fi
-
-PASSWORD="SomeCApassword"
-DBDIR="${master}-nssdb"
-PWDFILE="$DBDIR/pwdfile.txt"
-NOISE="/etc/passwd"
-
-domain=$2
-if [ -z "$domain" ]; then
-    echo "ERROR: domain is not set"
-    echo
-    echo "usage: $0 master-fqdn domain"
-    exit 0;
-fi
-
-if [ ! -f "${master}-ipa.csr" ]; then
-    echo "ERROR: ${master}-ipa.csr missing"
-    exit 1;
-fi
-
-ROOT_KEY_ID=0x$(dd if=/dev/urandom bs=20 count=1 | xxd -p)
-IPA_CA_KEY_ID=0x$(dd if=/dev/urandom bs=20 count=1 | xxd -p)
-
-rm -rf "$DBDIR"
-mkdir "$DBDIR"
-echo "$PASSWORD" > "$PWDFILE"
-certutil -N -d "$DBDIR" -f "$PWDFILE"
-echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n${ROOT_KEY_ID}\nn\n" \
-  | certutil -d "$DBDIR"  -f "$PWDFILE" -S -z "$NOISE" -n ca -x -t C,C,C \
-    -s "CN=PRIMARY,O=$domain" -x -1 -2 --extSKID
-
-openssl req -outform der -in "${master}-ipa.csr" -out "$DBDIR/req.csr"
-echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\ny\n${ROOT_KEY_ID}\n\n\nn\n${IPA_CA_KEY_ID}\nn\n" \
-  | certutil -d "$DBDIR" -f "$PWDFILE" -C -z "$NOISE" -c ca \
-    -i "$DBDIR/req.csr" -o "$DBDIR/external.cer" -1 -2 -3 --extSKID
-
-openssl x509 -inform der -in "$DBDIR/external.cer" -out "$DBDIR/external.pem"
-certutil -L -n ca -d "$DBDIR" -a > "$DBDIR/ca.crt"
-cat "$DBDIR/external.pem" "$DBDIR/ca.crt" > "$DBDIR/chain.crt"
-
-cp "$DBDIR/chain.crt" "${master}-chain.crt"
diff --git a/tests/external-signed-ca-with-manual-copy/external-ca.sh b/tests/external-signed-ca-with-manual-copy/external-ca.sh
new file mode 120000
index 00000000..de59ac8e
--- /dev/null
+++ b/tests/external-signed-ca-with-manual-copy/external-ca.sh
@@ -0,0 +1 @@
+../external-signed-ca-with-automatic-copy/external-ca.sh
\ No newline at end of file
-- 
GitLab