Revision 931b6fcd
Added by Joniel Pasqualetto about 2 months ago
bin/katello-certs-check | ||
error 4 "The $CA_BUNDLE_FILE does not verify the $CERT_FILE"
|
||
echo -e "${CHECK/OK/}\n"
|
||
else
|
||
success
|
||
success
|
||
fi
|
||
}
|
||
|
||
... | ... | |
CHECK=$(grep -c "^--*BEGIN" $CA_BUNDLE_FILE)
|
||
printf $CHECK
|
||
if [[ $CHECK -lt $CABUNDLE_MAX_ISSUERS ]]; then
|
||
success
|
||
success
|
||
else
|
||
CERRTISSUER=$(openssl x509 -noout -in $CERT_FILE -issuer 2>&1)
|
||
error 10 "The CA bundle counts $CHECK issuers. Please trim your CA bundle and include only the certs relevant to your cert file"
|
||
echo $CERTISSUER
|
||
echo
|
||
fi
|
||
}
|
||
|
||
function check-ca-bundle-trust-rules () {
|
||
printf "Checking if CA bundle has trust rules: "
|
||
CHECK=$(grep 'BEGIN TRUSTED CERTIFICATE' $CA_BUNDLE_FILE| wc -l)
|
||
printf $CHECK
|
||
if [[ $CHECK -lt 1 ]]; then
|
||
success
|
||
else
|
||
CERTISSUER=$(openssl x509 -noout -in $CERT_FILE -issuer 2>&1)
|
||
error 10 "The CA bundle counts $CHECK issuers. Please trim your CA bundle and include only the certs relevant to your cert file"
|
||
echo $CERTISSUER
|
||
echo
|
||
error 10 "The CA bundle contains $CHECK certificate(s) with trust rules. This may create problems for older systems to trust the bundle. Please, recreate the bundle using certificates without trust rules"
|
||
echo
|
||
fi
|
||
}
|
||
|
||
... | ... | |
check-priv-key
|
||
check-ca-bundle
|
||
check-ca-bundle-size
|
||
check-ca-bundle-trust-rules
|
||
check-cert-san
|
||
check-cert-usage-key-encipherment
|
||
check-shortname
|
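Review bot: check-ca-bundle-trust-rules still carries the four lines copied from check-ca-bundle-size (`CERTISSUER=$(openssl x509 ...)`, `error 10 "The CA bundle counts $CHECK issuers..."`, `echo $CERTISSUER`, `echo`) in its else branch, so a bundle with trust rules is reported first as having too many issuers — a message that is wrong here, since $CHECK counts TRUSTED CERTIFICATE blocks, not issuers — before the real trust-rules error is emitted; whether `error` also exits is not visible on this page, but the spec only looks for the second message and the same exit code 10 is used for both, so the stray report would pass unnoticed. The same function expands `$CA_BUNDLE_FILE` unquoted in the grep and calls `printf $CHECK` with the value as the format string; `grep -c` with a quoted path and `printf '%s' "$CHECK"` avoid both. I would reduce the function to the count, the success path and the single trust-rules error.

```shell
function check-ca-bundle-trust-rules () {
    printf "Checking if CA bundle has trust rules: "
    CHECK=$(grep -c 'BEGIN TRUSTED CERTIFICATE' "$CA_BUNDLE_FILE")
    printf '%s' "$CHECK"
    if [[ $CHECK -lt 1 ]]; then
        success
    else
        error 10 "The CA bundle contains $CHECK certificate(s) with trust rules. This may create problems for older systems to trust the bundle. Please, recreate the bundle using certificates without trust rules"
        echo
    fi
}
```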
spec/fixtures/katello-certs-check/certs/ca-bundle-with-trust-rules.crt | ||
-----BEGIN CERTIFICATE-----
|
||
MIIDETCCAfmgAwIBAgIUW99nJU3DgZdPE4KtDWgL6cTrEAgwDQYJKoZIhvcNAQEL
|
||
BQAwGDEWMBQGA1UEAwwNVGhpcmRwYXJ0eSBDQTAeFw0yMDExMTgxNTQ0NTJaFw0z
|
||
MDExMTYxNTQ0NTJaMBgxFjAUBgNVBAMMDVRoaXJkcGFydHkgQ0EwggEiMA0GCSqG
|
||
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDs4Haoc6xj4cTiGYzcqLBiX6fnDpmVPXaD
|
||
kE6s0iFYuqZcZgFIuVetgWn4ew7NvDgm1HwCA6EnKBY4zxMd+xic2vO8Pm9SqNWB
|
||
0bIdyKvHn1o3u9TMRcnHbp4MvlTTsd0Hr91n+J6Kv7TVUihhsWQH6YILqaKMaEa3
|
||
78ssaLrTULdCHQ3vB0XyZGj3NLv5PYq6Yt92hG8M7vyVeBPdEECidD1csAOefk8T
|
||
EBRgXgl7dpBa16dZ9nNQzurxOGrRgFsW4wIQit3AU/Y3Zyz1f9hTcG+xHGHUzzsy
|
||
jaV345Mdito5DNaGqkh+7PUccb1JihuS6ePZl5J6GQSjktFwPL2jAgMBAAGjUzBR
|
||
MB0GA1UdDgQWBBRKB5Wwmh4CsZHFmnAczPb6wjMRajAfBgNVHSMEGDAWgBRKB5Ww
|
||
mh4CsZHFmnAczPb6wjMRajAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA
|
||
A4IBAQCs7kfOgqFXpYqAYjxq+NlQeeWSyEMdU/5QbSjxS68U3wXZ2JR+N7ptmn8B
|
||
IaeIF8BMFkLKKCG0s486YnOGKBkmbE5xxAJYctzJSrAjCtkBqqCVMtqpomuXawJv
|
||
tB+HwKV3IW43lM8S3DJ5XbEWlZctqGb803ud6Mt2Rlyc6afPyFzt5DPrgvwkgKmX
|
||
cLgkvUP0W4dinOG3PqE5NbxqIMw+0kzyrbGYLO7Klwsqjfms++XXIdREzS/nt8+9
|
||
c2uERABlpV58p/xyZjJMGGnU0YIhOfn6+LQ6gyqU3qKdj6/VtcQ6SnZC3GE3adqT
|
||
LpdSdMc5aL5hr2hZl/uVvrKLYDGz
|
||
-----END CERTIFICATE-----
|
||
-----BEGIN TRUSTED CERTIFICATE-----
|
||
MIIDHTCCAgWgAwIBAgIUK+x25LNYYMHS83aWDnAYviwxEYEwDQYJKoZIhvcNAQEL
|
||
BQAwHjEcMBoGA1UEAwwTVGVzdCBTZWxmLVNpZ25lZCBDQTAeFw0yMDExMTgwMjMw
|
||
NDNaFw0zMDExMTYwMjMwNDNaMB4xHDAaBgNVBAMME1Rlc3QgU2VsZi1TaWduZWQg
|
||
Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC92114uygw5KcqPCz1
|
||
E/Cwd3Lo2ytyPD9FchWKPOxXpNisHMOr4zAfsxERXmgBLawHIkqc2Xae3TqHGGQa
|
||
ll3J3HukwghZQAyjcNG/Q2Q2QqfQW1tzxHRnz2EKBoRoyhmVXcnu+qBoEgkf5QI/
|
||
Rk9HzLJINZPcZuMEkRgcf5q1h/F+PY2yCMwT5qjB6whn6zX6FP6G3//fRtkZw4cI
|
||
FPPjKJedbHlYEifRigmJfu+T5Q5xz19Og/1zDwfl7is5eBUV+KEoIE7UpmvR1UrM
|
||
+T6WYl3vxeM08y1QU6vR9GqummDMinfWLj0hV+dYwI9/1fHIjfPqgxPUa5AGw7ik
|
||
vyrvAgMBAAGjUzBRMB0GA1UdDgQWBBQz80R5aRb/egnEMKHQonUM3xgj6DAfBgNV
|
||
HSMEGDAWgBQz80R5aRb/egnEMKHQonUM3xgj6DAPBgNVHRMBAf8EBTADAQH/MA0G
|
||
CSqGSIb3DQEBCwUAA4IBAQCdiBvQx6ExmteTzwkGCheKwUMvzCehuwvpoJRE/JXo
|
||
zz67414oyWXkSN8/9HE3nkH/xxunD/Ni+N9ppk7iicSpyOKfdDXiaS8qq1O1OXCx
|
||
CjoVuIFAPFWOEEhLdnb1v8YVWx2JwcbGvhCLNSoK1a6uwCmWixtoeQiKspBfwFcb
|
||
wfU9qNdXsezBljahE4Q2E4SR+XclA6iHdooX4ajnleamqeH0ephyCqvMAhzfJA5F
|
||
O1+SJRFbIjwfKxsEJS6Czrn+EU2eLtxk5g5+oO06ZYj4rVOfgc2Wc0+cisgP0fT/
|
||
WVkAxgGS6L0jGvZSisEUBpoidJNddWnf9mzUT2kJ5DCOMAwwCgYIKwYBBQUHAwE=
|
||
-----END TRUSTED CERTIFICATE-----
|
spec/fixtures/katello-certs-check/certs/ca-with-trust-rules.crt | ||
-----BEGIN TRUSTED CERTIFICATE-----
|
||
MIIDHTCCAgWgAwIBAgIUK+x25LNYYMHS83aWDnAYviwxEYEwDQYJKoZIhvcNAQEL
|
||
BQAwHjEcMBoGA1UEAwwTVGVzdCBTZWxmLVNpZ25lZCBDQTAeFw0yMDExMTgwMjMw
|
||
NDNaFw0zMDExMTYwMjMwNDNaMB4xHDAaBgNVBAMME1Rlc3QgU2VsZi1TaWduZWQg
|
||
Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC92114uygw5KcqPCz1
|
||
E/Cwd3Lo2ytyPD9FchWKPOxXpNisHMOr4zAfsxERXmgBLawHIkqc2Xae3TqHGGQa
|
||
ll3J3HukwghZQAyjcNG/Q2Q2QqfQW1tzxHRnz2EKBoRoyhmVXcnu+qBoEgkf5QI/
|
||
Rk9HzLJINZPcZuMEkRgcf5q1h/F+PY2yCMwT5qjB6whn6zX6FP6G3//fRtkZw4cI
|
||
FPPjKJedbHlYEifRigmJfu+T5Q5xz19Og/1zDwfl7is5eBUV+KEoIE7UpmvR1UrM
|
||
+T6WYl3vxeM08y1QU6vR9GqummDMinfWLj0hV+dYwI9/1fHIjfPqgxPUa5AGw7ik
|
||
vyrvAgMBAAGjUzBRMB0GA1UdDgQWBBQz80R5aRb/egnEMKHQonUM3xgj6DAfBgNV
|
||
HSMEGDAWgBQz80R5aRb/egnEMKHQonUM3xgj6DAPBgNVHRMBAf8EBTADAQH/MA0G
|
||
CSqGSIb3DQEBCwUAA4IBAQCdiBvQx6ExmteTzwkGCheKwUMvzCehuwvpoJRE/JXo
|
||
zz67414oyWXkSN8/9HE3nkH/xxunD/Ni+N9ppk7iicSpyOKfdDXiaS8qq1O1OXCx
|
||
CjoVuIFAPFWOEEhLdnb1v8YVWx2JwcbGvhCLNSoK1a6uwCmWixtoeQiKspBfwFcb
|
||
wfU9qNdXsezBljahE4Q2E4SR+XclA6iHdooX4ajnleamqeH0ephyCqvMAhzfJA5F
|
||
O1+SJRFbIjwfKxsEJS6Czrn+EU2eLtxk5g5+oO06ZYj4rVOfgc2Wc0+cisgP0fT/
|
||
WVkAxgGS6L0jGvZSisEUBpoidJNddWnf9mzUT2kJ5DCOMAwwCgYIKwYBBQUHAwE=
|
||
-----END TRUSTED CERTIFICATE-----
|
spec/fixtures/katello-certs-check/create_cert.sh | ||
echo "CA certificate bundle exists. Skipping."
|
||
fi
|
||
|
||
CA_BUNDLE=ca-bundle-with-trust-rules
|
||
CA_CERT_WITH_TRUST_RULES=ca-with-trust-rules
|
||
if [[ ! -f "$CERTS_DIR/$CA_BUNDLE.crt" ]]; then
|
||
echo "Generate CA bundle with trust rules"
|
||
openssl x509 -in $CERTS_DIR/$CA_CERT_NAME.crt -addtrust serverAuth -out $CERTS_DIR/$CA_CERT_WITH_TRUST_RULES.crt
|
||
cat $CERTS_DIR/$THIRDPARTY_CA_CERT_NAME.crt $CERTS_DIR/$CA_CERT_WITH_TRUST_RULES.crt > $CERTS_DIR/$CA_BUNDLE.crt
|
||
else
|
||
echo "CA certificate bundle with trust rules exists. Skipping."
|
||
fi
|
||
|
||
CERT_NAME=foreman.example.com
|
||
if [[ ! -f "$CERTS_DIR/$CERT_NAME.key" || ! -f "$CERTS_DIR/$CERT_NAME.crt" ]]; then
|
||
echo "Generate server certificate"
|
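Review bot: The new block only regenerates when `$CERTS_DIR/$CA_BUNDLE.crt` is missing, so if `ca-bundle-with-trust-rules.crt` exists but `ca-with-trust-rules.crt` does not (or the two drift apart), the `-addtrust serverAuth` step is skipped and the spec fixture is never rebuilt; the guard should cover both outputs, `if [[ ! -f "$CERTS_DIR/$CA_BUNDLE.crt" || ! -f "$CERTS_DIR/$CA_CERT_WITH_TRUST_RULES.crt" ]]; then`. The `openssl x509 -in ...` and `cat ... >` lines also expand `$CERTS_DIR` unquoted while the surrounding test uses quotes; quoting them keeps the script consistent with the `-f` check two lines above. The enclosing script continues outside the hunk.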
spec/katello_certs_check_spec.rb | ||
expect(status.exitstatus).to eq 1
|
||
end
|
||
end
|
||
|
||
context 'with bundle containing trust rules' do
|
||
let(:key) { File.join(certs_directory, 'foreman.example.com.key') }
|
||
let(:cert) { File.join(certs_directory, 'foreman.example.com.crt') }
|
||
let(:ca) { File.join(certs_directory, 'ca-bundle-with-trust-rules.crt') }
|
||
|
||
it 'fails on bundle validation' do
|
||
command_with_certs = "#{command} -b #{ca} -k #{key} -c #{cert}"
|
||
_stdout, stderr, status = Open3.capture3(command_with_certs)
|
||
expect(stderr).to include 'The CA bundle contains 1 certificate(s) with trust rules. This may create problems for older systems to trust the bundle. Please, recreate the bundle using certificates without trust rules'
|
||
expect(status.exitstatus).to eq 10
|
||
end
|
||
end
|
||
end
|
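Review bot: The new example asserts only that the trust-rules message is present and that the exit status is 10, so it cannot distinguish this failure from the issuer-count failure that shares exit code 10, and it would not notice if an unrelated error were also printed for the same bundle. Adding a negative assertion after the include, `expect(stderr).not_to include 'The CA bundle counts'`, pins the check to the trust-rules path alone. The fixture is one TRUSTED CERTIFICATE block, so the literal `1 certificate(s)` in the expected string is tied to ca-bundle-with-trust-rules.crt; a short comment such as `# fixture bundle holds exactly one certificate with trust rules` above the `let(:ca)` would make that coupling visible.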
Fixes #37063 - Add feature in katello-certs-check to verify if CA bundle has any certificates with trust rules