# Authors: # Ana Krivokapic # # Copyright (C) 2013 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . import os from ipatests.pytest_plugins.integration import tasks from ipatests.test_integration.base import IntegrationTest class TestExternalCA(IntegrationTest): """ Test of FreeIPA server installation with exernal CA """ def test_external_ca(self): # Step 1 of ipa-server-install self.master.run_command([ 'ipa-server-install', '-U', '-a', self.master.config.admin_password, '-p', self.master.config.dirman_password, '--setup-dns', '--no-forwarders', '-n', self.master.domain.name, '-r', self.master.domain.realm, '--domain-level=%i' % self.master.config.domain_level, '--external-ca' ]) nss_db = os.path.join(self.master.config.test_dir, 'testdb') external_cert_file = os.path.join(nss_db, 'ipa.crt') external_ca_file = os.path.join(nss_db, 'ca.crt') noisefile = os.path.join(self.master.config.test_dir, 'noise.txt') pwdfile = os.path.join(self.master.config.test_dir, 'pwdfile.txt') # Create noise and password files for NSS database self.master.run_command('date | sha256sum > %s' % noisefile) self.master.run_command('echo %s > %s' % (self.master.config.admin_password, pwdfile)) # Create NSS database self.master.run_command(['mkdir', nss_db]) self.master.run_command([ 'certutil', '-N', '-d', nss_db, '-f', pwdfile ]) # Create external CA self.master.run_command([ 'certutil', '-S', '-d', nss_db, '-f', pwdfile, '-n', 'external', '-s', 'CN=External CA, O=%s' % self.master.domain.name, '-x', '-t', 'CTu,CTu,CTu', '-g', '2048', '-m', '0', '-v', '60', '-z', noisefile, '-2', '-1', '-5' ], stdin_text='5\n9\nn\ny\n10\ny\n5\n6\n7\n9\nn\n') # Sign IPA cert request using the external CA self.master.run_command([ 'certutil', '-C', '-d', nss_db, '-f', pwdfile, '-c', 'external', '-m', '1', '-v', '60', '-2', '-1', '-5', '-i', '/root/ipa.csr', '-o', external_cert_file, '-a' ], stdin_text='0\n1\n5\n9\ny\ny\n\ny\n5\n6\n7\n9\nn\n') # Export external CA file self.master.run_command( 'certutil -L -d %s -n "external" -a > %s' % (nss_db, external_ca_file) ) # Step 2 of ipa-server-install self.master.run_command([ 'ipa-server-install', '-a', self.master.config.admin_password, '-p', self.master.config.dirman_password, '--external-cert-file', external_cert_file, '--external-cert-file', external_ca_file ]) # Make sure IPA server is working properly tasks.kinit_admin(self.master) result = self.master.run_command(['ipa', 'user-show', 'admin']) assert 'User login: admin' in result.stdout_text