QA:Testcase Certificate Trust:Upgrade Bundle

From FedoraProject

(Difference between revisions)
(Add template for this test case)
 
(Complete the test case)
Line 3: Line 3:
 
|setup=
 
|setup=
 
# Prepare a clean Fedora 18 install.
 
# Prepare a clean Fedora 18 install.
 +
#: You can setup a new virtual machine using the [http://download.fedoraproject.org/pub/fedora/linux/releases/18/Live/x86_64/Fedora-18-x86_64-Live-Desktop.iso Fedora 18 Live CD].
 +
#: Proceed with the setup as usual, and complete first boot, then log in.
 +
# Install `wget`
 +
#: <pre>sudo yum install wget</pre>
 +
# Download the necessary certificate file:
 +
#: <pre>$ wget https://fedoraproject.org/w/uploads/b/b1/Cert-trust-test-ca.pem</pre>
 +
# Become root
 +
#: <pre>$ sudo -s</pre>
 +
#: The commands below should be executed as root
 
|actions=
 
|actions=
# TODO: Write the test case.
+
# Modify the `ca-bundle.crt` `ca-bundle.trust.crt' and `cacerts` files, by adding a certificate:
 
+
#: <pre># cat Cert-trust-test-ca.pem >> /etc/pki/tls/certs/ca-bundle.crt</pre>
 +
#: <pre># cat Cert-trust-test-ca.pem >> /etc/pki/tls/certs/ca-bundle.trust.crt</pre>
 +
# Modify the 'cacerts` file by adding a certificate:
 +
#: <pre># openssl x509 -in Cert-trust-test-ca.pem -out cert-test.der -outform DER</pre>
 +
#: <pre># keytool -importcert cert-test-der -keystore /etc/pki/java/cacerts -alias p11-test</pre>
 +
#: The password is 'changeit', answer 'yes' when prompted
 +
#: Should see "Certificate was added to keystore"
 +
# Verify that the files have been modified
 +
#: <pre>#rpm -V ca-certificates</pre>
 +
#: You should see all the three files modified above listed.
 +
# Upgrade the packages in question to Fedora 19
 +
#: <pre># yum update --nogpgcheck --releasever=19 update ca-certificates</pre>
 +
#: A whole bunch of packages will be updated, and this step depends on the state of Fedora 19 at the time when this test is performed.
 +
#: Alternatively you may perform a complete upgrade
 
|results=
 
|results=
* TODO: Write the results. The goal is that the modified ca-bundle.crt is moved into the /etc/pki/ca-trust/source/anchors directory, or a modified ca-bundle.trust.crt is moved into the /etc/pki/ca-trust/source directory.
+
# You should see that the bundles which were modified above, are now saved as `.rpmsave` files in these locations:
 +
#: `/etc/pki/java/cacerts.rpmsave`
 +
#: `/etc/pki/tls/certs/ca-bundle.crt.rpmsave`
 +
#: `/etc/pki/tls/certs/ca-bundle.trust.crt.rpmsave`
 +
# Verify that the java `.rpmsave` file contains the added certificate:
 +
#: <pre>$ keytool -list -keystore /etc/pki/java/cacerts.rpmsave | grep p11-test</pre>
 +
#: The password is 'changeit'
 +
#: You should see a line of output that contains "p11-test" and "trustedCertEntry"
 +
# Verify that the java in use cacerts file does not contain the added certificate:
 +
#: <pre>$ keytool -list -keystore /etc/pki/java/cacerts | grep p11-test</pre>
 +
#: The password is 'changeit'
 +
#: You should see no certificate lines of output.
 +
# Verify that the `ca-bundle.crt.rpmsave` file contains your added certificate:
 +
#: <pre>$ tail -n 21 /etc/pki/tls/certs/ca-bundle.crt.rpmsave | openssl x509 -noout -subject</pre>
 +
#: You should see a line of output that contains "p11-kit Test CA"
 +
# Verify that the `ca-bundle.trust.crt.rpmsave` file contains your added certificate:
 +
#: <pre>$ tail -n 21 /etc/pki/tls/certs/ca-bundle.trust.crt.rpmsave | openssl x509 -noout -subject</pre>
 +
#: You should see a line of output that contains "p11-kit Test CA"
 
}}
 
}}
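Review bot: In the added `|actions=` steps, the `keytool -importcert cert-test-der ...` line names a file that the preceding `openssl x509` line does not create (it writes `cert-test.der`) and passes it without `-file`; suggest `keytool -importcert -file cert-test.der -keystore /etc/pki/java/cacerts -alias p11-test`. The `yum update --nogpgcheck --releasever=19 update ca-certificates` line repeats `update`, so the second one is read as a package name. The first step's title lists `cacerts` although only the two `.crt` bundles are changed there, and its quoting is unbalanced. In `|results=`, the `tail -n 21` checks only hold while the appended PEM is exactly the last 21 lines of each `.rpmsave` file, which the step should say.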
  

Revision as of 08:58, 27 March 2013


Description

This tests what happens when a `ca-bundle.crt` bundle has been modified in a previous Fedora release, and that release is then upgraded to one that uses shared system certificates.

Setup

  1. Prepare a clean Fedora 18 install.
    You can set up a new virtual machine using the Fedora 18 Live CD.
    Proceed with the setup as usual, and complete first boot, then log in.
  2. Install `wget`
    $ sudo yum install wget
  3. Download the necessary certificate file:
    $ wget https://fedoraproject.org/w/uploads/b/b1/Cert-trust-test-ca.pem
  4. Become root
    $ sudo -s
    The commands below should be executed as root

How to test

  1. Modify the `ca-bundle.crt`, `ca-bundle.trust.crt` and `cacerts` files by adding a certificate:
    # cat Cert-trust-test-ca.pem >> /etc/pki/tls/certs/ca-bundle.crt
    # cat Cert-trust-test-ca.pem >> /etc/pki/tls/certs/ca-bundle.trust.crt
  2. Modify the `cacerts` file by adding a certificate:
    # openssl x509 -in Cert-trust-test-ca.pem -out cert-test.der -outform DER
    # keytool -importcert -file cert-test.der -keystore /etc/pki/java/cacerts -alias p11-test
    The password is 'changeit', answer 'yes' when prompted
    Should see "Certificate was added to keystore"
  3. Verify that the files have been modified
    # rpm -V ca-certificates
    You should see all three files modified above listed.
  4. Upgrade the packages in question to Fedora 19
    # yum update --nogpgcheck --releasever=19 ca-certificates
    A whole bunch of packages will be updated, and this step depends on the state of Fedora 19 at the time when this test is performed.
    Alternatively you may perform a complete upgrade

Expected Results

  1. You should see that the bundles which were modified above, are now saved as `.rpmsave` files in these locations:
    `/etc/pki/java/cacerts.rpmsave`
    `/etc/pki/tls/certs/ca-bundle.crt.rpmsave`
    `/etc/pki/tls/certs/ca-bundle.trust.crt.rpmsave`
  2. Verify that the Java `.rpmsave` file contains the added certificate:
    $ keytool -list -keystore /etc/pki/java/cacerts.rpmsave | grep p11-test
    The password is 'changeit'
    You should see a line of output that contains "p11-test" and "trustedCertEntry"
  3. Verify that the Java `cacerts` file now in use does not contain the added certificate:
    $ keytool -list -keystore /etc/pki/java/cacerts | grep p11-test
    The password is 'changeit'
    You should see no certificate lines of output.
  4. Verify that the `ca-bundle.crt.rpmsave` file contains your added certificate:
    $ tail -n 21 /etc/pki/tls/certs/ca-bundle.crt.rpmsave | openssl x509 -noout -subject
    You should see a line of output that contains "p11-kit Test CA"
  5. Verify that the `ca-bundle.trust.crt.rpmsave` file contains your added certificate:
    $ tail -n 21 /etc/pki/tls/certs/ca-bundle.trust.crt.rpmsave | openssl x509 -noout -subject
    You should see a line of output that contains "p11-kit Test CA"
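
The `tail -n 21` checks in steps 4 and 5 only work while the added certificate is exactly the last 21 lines of the bundle. As an added example (not part of the Fedora test case), the shell functions below look for the certificate anywhere in a bundle by comparing base64 bodies; `pem_bodies`, `bundle_contains_cert` and `demo` are names made up here, and the sample PEM blocks are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example: position-independent check that a PEM bundle contains a certificate.

# Print one line per certificate block in file $1: its base64 body, line breaks removed.
pem_bodies() {
    awk '
        /^-----BEGIN [A-Z ]*CERTIFICATE-----/ { inblock = 1; body = ""; next }
        /^-----END [A-Z ]*CERTIFICATE-----/   { if (inblock) print body; inblock = 0; next }
        inblock { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# Return 0 if the first certificate in file $2 occurs anywhere in bundle $1,
# 1 if it does not, 2 if $2 holds no certificate block.
bundle_contains_cert() {
    want=$(pem_bodies "$2" | head -n 1)
    [ -n "$want" ] || return 2
    pem_bodies "$1" | grep -qxF -- "$want"
}

# Self-check on constructed placeholder blocks (not real certificates).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUFBQUFBQUFBQUFB' 'QkJCQg==' \
        '-----END CERTIFICATE-----' > "$dir/added.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q0NDQ0NDQ0NDQ0ND' \
        '-----END CERTIFICATE-----' > "$dir/stock.pem"
    # Modified bundle: the added block sits in the middle, so "tail" would miss it.
    cat "$dir/stock.pem" "$dir/added.pem" "$dir/stock.pem" > "$dir/bundle.rpmsave"
    # Replacement bundle after the upgrade: stock content only.
    cp "$dir/stock.pem" "$dir/bundle.crt"
    if bundle_contains_cert "$dir/bundle.rpmsave" "$dir/added.pem"; then saved=present; else saved=absent; fi
    if bundle_contains_cert "$dir/bundle.crt" "$dir/added.pem"; then live=present; else live=absent; fi
    rm -rf "$dir"
    echo "rpmsave=$saved live=$live"
}

demo
# On the test machine (paths from the steps above):
#   bundle_contains_cert /etc/pki/tls/certs/ca-bundle.crt.rpmsave Cert-trust-test-ca.pem
```

Because the comparison joins the base64 lines first, it also matches when a bundle wraps the certificate body at a different width than the downloaded file.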



Troubleshooting

  • No notes at this time