From Fedora Project Wiki

(Add template for this test case)
 
(Complete the test case)
Line 3: Line 3:
 
|setup=
 
|setup=
 
# Prepare a clean Fedora 18 install.
 
# Prepare a clean Fedora 18 install.
 +
#: You can setup a new virtual machine using the [http://download.fedoraproject.org/pub/fedora/linux/releases/18/Live/x86_64/Fedora-18-x86_64-Live-Desktop.iso Fedora 18 Live CD].
 +
#: Proceed with the setup as usual, and complete first boot, then log in.
 +
# Install `wget`
 +
#: <pre>sudo yum install wget</pre>
 +
# Download the necessary certificate file:
 +
#: <pre>$ wget https://fedoraproject.org/w/uploads/b/b1/Cert-trust-test-ca.pem</pre>
 +
# Become root
 +
#: <pre>$ sudo -s</pre>
 +
#: The commands below should be executed as root
 
|actions=
 
|actions=
# TODO: Write the test case.
+
# Modify the `ca-bundle.crt` `ca-bundle.trust.crt' and `cacerts` files, by adding a certificate:
 
+
#: <pre># cat Cert-trust-test-ca.pem >> /etc/pki/tls/certs/ca-bundle.crt</pre>
 +
#: <pre># cat Cert-trust-test-ca.pem >> /etc/pki/tls/certs/ca-bundle.trust.crt</pre>
 +
# Modify the 'cacerts` file by adding a certificate:
 +
#: <pre># openssl x509 -in Cert-trust-test-ca.pem -out cert-test.der -outform DER</pre>
 +
#: <pre># keytool -importcert cert-test-der -keystore /etc/pki/java/cacerts -alias p11-test</pre>
 +
#: The password is 'changeit', answer 'yes' when prompted
 +
#: Should see "Certificate was added to keystore"
 +
# Verify that the files have been modified
 +
#: <pre>#rpm -V ca-certificates</pre>
 +
#: You should see all the three files modified above listed.
 +
# Upgrade the packages in question to Fedora 19
 +
#: <pre># yum update --nogpgcheck --releasever=19 update ca-certificates</pre>
 +
#: A whole bunch of packages will be updated, and this step depends on the state of Fedora 19 at the time when this test is performed.
 +
#: Alternatively you may perform a complete upgrade
 
|results=
 
|results=
* TODO: Write the results. The goal is that the modified ca-bundle.crt is moved into the /etc/pki/ca-trust/source/anchors directory, or a modified ca-bundle.trust.crt is moved into the /etc/pki/ca-trust/source directory.
+
# You should see that the bundles which were modified above, are now saved as `.rpmsave` files in these locations:
 +
#: `/etc/pki/java/cacerts.rpmsave`
 +
#: `/etc/pki/tls/certs/ca-bundle.crt.rpmsave`
 +
#: `/etc/pki/tls/certs/ca-bundle.trust.crt.rpmsave`
 +
# Verify that the java `.rpmsave` file contains the added certificate:
 +
#: <pre>$ keytool -list -keystore /etc/pki/java/cacerts.rpmsave | grep p11-test</pre>
 +
#: The password is 'changeit'
 +
#: You should see a line of output that contains "p11-test" and "trustedCertEntry"
 +
# Verify that the java in use cacerts file does not contain the added certificate:
 +
#: <pre>$ keytool -list -keystore /etc/pki/java/cacerts | grep p11-test</pre>
 +
#: The password is 'changeit'
 +
#: You should see no certificate lines of output.
 +
# Verify that the `ca-bundle.crt.rpmsave` file contains your added certificate:
 +
#: <pre>$ tail -n 21 /etc/pki/tls/certs/ca-bundle.crt.rpmsave | openssl x509 -noout -subject</pre>
 +
#: You should see a line of output that contains "p11-kit Test CA"
 +
# Verify that the `ca-bundle.trust.crt.rpmsave` file contains your added certificate:
 +
#: <pre>$ tail -n 21 /etc/pki/tls/certs/ca-bundle.trust.crt.rpmsave | openssl x509 -noout -subject</pre>
 +
#: You should see a line of output that contains "p11-kit Test CA"
 
}}
 
}}
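Review bot: The added keytool step passes `cert-test-der` as a bare argument, but the preceding openssl command writes `cert-test.der`, and `-importcert` takes its input through `-file`; it should read `keytool -importcert -file cert-test.der -keystore /etc/pki/java/cacerts -alias p11-test`. The yum line repeats the subcommand (`yum update ... update ca-certificates`), so the second `update` is treated as a package name. The first action names `cacerts` and has mismatched quote marks, although its two commands only touch the PEM bundles and `cacerts` is handled in the next step. The `tail -n 21` checks in the results only work while the test certificate is the last block of each bundle and exactly 21 lines long, which is worth stating in the step.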
  

Revision as of 08:58, 27 March 2013

Description

This tests what happens when a ca-bundle.crt bundle has been modified in a previous Fedora release, which is then upgraded to use shared system certificates.

Setup

  1. Prepare a clean Fedora 18 install.
    You can set up a new virtual machine using the Fedora 18 Live CD.
    Proceed with the setup as usual, and complete first boot, then log in.
  2. Install wget
    sudo yum install wget
  3. Download the necessary certificate file:
    $ wget https://fedoraproject.org/w/uploads/b/b1/Cert-trust-test-ca.pem
  4. Become root
    $ sudo -s
    The commands below should be executed as root

How to test

  1. Modify the ca-bundle.crt, ca-bundle.trust.crt and cacerts files by adding a certificate:
    # cat Cert-trust-test-ca.pem >> /etc/pki/tls/certs/ca-bundle.crt
    # cat Cert-trust-test-ca.pem >> /etc/pki/tls/certs/ca-bundle.trust.crt
  2. Modify the cacerts file by adding a certificate:
    # openssl x509 -in Cert-trust-test-ca.pem -out cert-test.der -outform DER
    # keytool -importcert -file cert-test.der -keystore /etc/pki/java/cacerts -alias p11-test
    The password is 'changeit'; answer 'yes' when prompted.
    You should see "Certificate was added to keystore".
  3. Verify that the files have been modified
    # rpm -V ca-certificates
    You should see all three files modified above listed.
  4. Upgrade the packages in question to Fedora 19
    # yum update --nogpgcheck --releasever=19 ca-certificates
    A whole bunch of packages will be updated, and this step depends on the state of Fedora 19 at the time when this test is performed.
    Alternatively you may perform a complete upgrade

Expected Results

  1. You should see that the bundles modified above are now saved as .rpmsave files in these locations:
    /etc/pki/java/cacerts.rpmsave
    /etc/pki/tls/certs/ca-bundle.crt.rpmsave
    /etc/pki/tls/certs/ca-bundle.trust.crt.rpmsave
  2. Verify that the Java .rpmsave file contains the added certificate:
    $ keytool -list -keystore /etc/pki/java/cacerts.rpmsave | grep p11-test
    The password is 'changeit'
    You should see a line of output that contains "p11-test" and "trustedCertEntry"
  3. Verify that the Java cacerts file currently in use does not contain the added certificate:
    $ keytool -list -keystore /etc/pki/java/cacerts | grep p11-test
    The password is 'changeit'
    You should see no certificate lines of output.
  4. Verify that the ca-bundle.crt.rpmsave file contains your added certificate:
    $ tail -n 21 /etc/pki/tls/certs/ca-bundle.crt.rpmsave | openssl x509 -noout -subject
    You should see a line of output that contains "p11-kit Test CA"
  5. Verify that the ca-bundle.trust.crt.rpmsave file contains your added certificate:
    $ tail -n 21 /etc/pki/tls/certs/ca-bundle.trust.crt.rpmsave | openssl x509 -noout -subject
    You should see a line of output that contains "p11-kit Test CA"
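
The two bundle checks above use `tail -n 21`, which assumes the test certificate is the last block in the file and exactly 21 lines long. As an added example (not part of the original test case), here is a position-independent check for the two PEM bundles. The function names `pem_bodies`, `bundle_has_cert` and `check_upgrade` are hypothetical, and the comparison is textual on the base64 body rather than a parse of the certificate.

```shell
# Added example: find a certificate anywhere in a PEM bundle.

# pem_bodies FILE: print one line per PEM certificate block, holding the
# base64 body with whitespace and line breaks removed, so that two copies
# of the same certificate compare equal regardless of line wrapping.
pem_bodies() {
    awk '
        /^-----BEGIN [A-Z ]*CERTIFICATE-----/ { inblk = 1; body = ""; next }
        /^-----END [A-Z ]*CERTIFICATE-----/   { if (inblk) print body; inblk = 0; next }
        inblk { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# bundle_has_cert CERT BUNDLE: return 0 if the first certificate in CERT
# appears as a block anywhere in BUNDLE, 1 if it does not, and 2 if CERT
# contains no PEM certificate block at all.
bundle_has_cert() {
    want=$(pem_bodies "$1" | sed -n '1p')
    [ -n "$want" ] || return 2
    pem_bodies "$2" | grep -Fxq -- "$want"
}

# check_upgrade CERT LIVE SAVED: the expected result of this test case,
# i.e. the added certificate survives in the .rpmsave copy and is absent
# from the bundle that is live after the upgrade.
check_upgrade() {
    bundle_has_cert "$1" "$3" || { echo "FAIL: not in $3"; return 1; }
    if bundle_has_cert "$1" "$2"; then
        echo "FAIL: still in $2"
        return 1
    fi
    echo "PASS"
}

# Usage with the paths from this page (run after the upgrade):
#   check_upgrade Cert-trust-test-ca.pem \
#       /etc/pki/tls/certs/ca-bundle.crt \
#       /etc/pki/tls/certs/ca-bundle.crt.rpmsave
```

The Java keystore is not PEM, so the `keytool -list` steps are still needed for `cacerts`.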



Troubleshooting

  • No notes at this time