QA:Testcase Certificate Trust:Upgrade Bundle

From FedoraProject

(Difference between revisions)
(Add template for this test case)
 
 
(5 intermediate revisions by 3 users not shown)
Line 3: Line 3:
 
|setup=
 
|setup=
 
# Prepare a clean Fedora 18 install.
 
# Prepare a clean Fedora 18 install.
 +
#: You can setup a new virtual machine using the [http://download.fedoraproject.org/pub/fedora/linux/releases/18/Live/x86_64/Fedora-18-x86_64-Live-Desktop.iso Fedora 18 Live CD].
 +
#: Proceed with the setup as usual, and complete first boot, then log in.
 +
# Install `wget`
 +
#: <pre>sudo yum install wget</pre>
 +
# Download the necessary certificate file:
 +
#: <pre>$ wget https://fedoraproject.org/w/uploads/b/b1/Cert-trust-test-ca.pem</pre>
 +
# Become root
 +
#: <pre>$ sudo -s</pre>
 +
#: The commands below should be executed as root
 
|actions=
 
|actions=
# TODO: Write the test case.
+
# Modify the `ca-bundle.crt` `ca-bundle.trust.crt' and `cacerts` files, by adding a certificate:
 
+
#: <pre># cat Cert-trust-test-ca.pem >> /etc/pki/tls/certs/ca-bundle.crt</pre>
 +
#: <pre># cat Cert-trust-test-ca.pem >> /etc/pki/tls/certs/ca-bundle.trust.crt</pre>
 +
# Modify the 'cacerts` file by adding a certificate:
 +
#: <pre># openssl x509 -in Cert-trust-test-ca.pem -out cert-test.der -outform DER</pre>
 +
#: <pre># keytool -importcert -file cert-test.der -keystore /etc/pki/java/cacerts -alias p11-test</pre>
 +
#: The password is 'changeit', answer 'yes' when prompted
 +
#: Should see "Certificate was added to keystore"
 +
# Verify that the files have been modified
 +
#: <pre>#rpm -V ca-certificates</pre>
 +
#: You should see all the three files modified above listed.
 +
# Upgrade the packages in question to Fedora 19
 +
#: <pre># yum update --nogpgcheck --releasever=19 ca-certificates</pre>
 +
#: A whole bunch of packages will be updated, and this step depends on the state of Fedora 19 at the time when this test is performed. If you hit broken dependencies during the update, do not hesitate to try --skip-broken, update should then proceed smoothly.
 +
#: Alternatively you may perform a complete upgrade
 
|results=
 
|results=
* TODO: Write the results. The goal is that the modified ca-bundle.crt is moved into the /etc/pki/ca-trust/source/anchors directory, or a modified ca-bundle.trust.crt is moved into the /etc/pki/ca-trust/source directory.
+
# You should see that the bundles which were modified above, are now saved as `.rpmsave` files in these locations:
 +
#: `/etc/pki/java/cacerts.rpmsave`
 +
#: `/etc/pki/tls/certs/ca-bundle.crt.rpmsave`
 +
#: `/etc/pki/tls/certs/ca-bundle.trust.crt.rpmsave`
 +
# Verify that the java `.rpmsave` file contains the added certificate:
 +
#: <pre>$ keytool -list -keystore /etc/pki/java/cacerts.rpmsave | grep p11-test</pre>
 +
#: The password is 'changeit'
 +
#: You should see a line of output that contains "p11-test" and "trustedCertEntry"
 +
# Verify that the java in use cacerts file does not contain the added certificate:
 +
#: <pre>$ keytool -list -keystore /etc/pki/java/cacerts | grep p11-test</pre>
 +
#: The password is 'changeit'
 +
#: You should see no certificate lines of output.
 +
# Verify that the `ca-bundle.crt.rpmsave` file contains your added certificate:
 +
#: <pre>$ tail -n 21 /etc/pki/tls/certs/ca-bundle.crt.rpmsave | openssl x509 -noout -subject</pre>
 +
#: You should see a line of output that contains "p11-kit Test CA"
 +
# Verify that the `ca-bundle.trust.crt.rpmsave` file contains your added certificate:
 +
#: <pre>$ tail -n 21 /etc/pki/tls/certs/ca-bundle.trust.crt.rpmsave | openssl x509 -noout -subject</pre>
 +
#: You should see a line of output that contains "p11-kit Test CA"
 
}}
 
}}
  
 
== Troubleshooting ==
 
== Troubleshooting ==
  
* ''No notes at this time''
+
* Because rpm is broken in this case (see [https://bugzilla.redhat.com/show_bug.cgi?id=445202 bug for details]), we use `.rpmsave` instead of `.rpmnew` files here. But because upgrading a Fedora system is not a completely seamless and supported operation this is an appropriate compromise.
  
 
[[Category:Certificate_Trust_Test_Cases]]
 
[[Category:Certificate_Trust_Test_Cases]]
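
Review bot: the two `tail -n 21 ... | openssl x509 -noout -subject` checks in the results section only work if the appended PEM is exactly 21 lines long and is still the last entry in the `.rpmsave` file; state that assumption in the step, or match on the certificate itself wherever it sits in the bundle. In the actions section, the first step names `cacerts` although only the following step modifies it, and the quoting is mismatched in `ca-bundle.trust.crt' and 'cacerts`.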

Latest revision as of 12:27, 28 March 2013

Description

This tests what happens when a `ca-bundle.crt` bundle has been modified in a previous Fedora release, which is then upgraded to use shared system certificates.

Setup

  1. Prepare a clean Fedora 18 install.
    You can set up a new virtual machine using the Fedora 18 Live CD.
    Proceed with the setup as usual, and complete first boot, then log in.
  2. Install `wget`
    sudo yum install wget
  3. Download the necessary certificate file:
    $ wget https://fedoraproject.org/w/uploads/b/b1/Cert-trust-test-ca.pem
  4. Become root
    $ sudo -s
    The commands below should be executed as root

How to test

  1. Modify the `ca-bundle.crt`, `ca-bundle.trust.crt` and `cacerts` files by adding a certificate:
    # cat Cert-trust-test-ca.pem >> /etc/pki/tls/certs/ca-bundle.crt
    # cat Cert-trust-test-ca.pem >> /etc/pki/tls/certs/ca-bundle.trust.crt
  2. Modify the `cacerts` file by adding a certificate:
    # openssl x509 -in Cert-trust-test-ca.pem -out cert-test.der -outform DER
    # keytool -importcert -file cert-test.der -keystore /etc/pki/java/cacerts -alias p11-test
    The password is 'changeit', answer 'yes' when prompted
    Should see "Certificate was added to keystore"
  3. Verify that the files have been modified
    # rpm -V ca-certificates
    You should see all three files modified above listed.
  4. Upgrade the packages in question to Fedora 19
    # yum update --nogpgcheck --releasever=19 ca-certificates
    A whole bunch of packages will be updated, and this step depends on the state of Fedora 19 at the time when this test is performed. If you hit broken dependencies during the update, do not hesitate to try `--skip-broken`; the update should then proceed smoothly.
    Alternatively, you may perform a complete upgrade.

Expected Results

  1. You should see that the bundles which were modified above are now saved as `.rpmsave` files in these locations:
    `/etc/pki/java/cacerts.rpmsave`
    `/etc/pki/tls/certs/ca-bundle.crt.rpmsave`
    `/etc/pki/tls/certs/ca-bundle.trust.crt.rpmsave`
  2. Verify that the Java `.rpmsave` file contains the added certificate:
    $ keytool -list -keystore /etc/pki/java/cacerts.rpmsave | grep p11-test
    The password is 'changeit'
    You should see a line of output that contains "p11-test" and "trustedCertEntry"
  3. Verify that the in-use Java `cacerts` file does not contain the added certificate:
    $ keytool -list -keystore /etc/pki/java/cacerts | grep p11-test
    The password is 'changeit'
    You should see no certificate lines of output.
  4. Verify that the `ca-bundle.crt.rpmsave` file contains your added certificate:
    $ tail -n 21 /etc/pki/tls/certs/ca-bundle.crt.rpmsave | openssl x509 -noout -subject
    You should see a line of output that contains "p11-kit Test CA"
  5. Verify that the `ca-bundle.trust.crt.rpmsave` file contains your added certificate:
    $ tail -n 21 /etc/pki/tls/certs/ca-bundle.trust.crt.rpmsave | openssl x509 -noout -subject
    You should see a line of output that contains "p11-kit Test CA"
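
The `tail -n 21` checks in steps 4 and 5 depend on the added certificate being the last entry and exactly 21 lines long. The following added example (not part of the Fedora test case; the function names `pem_body`, `bundle_has_cert` and `demo` are hypothetical) checks whether a PEM bundle contains a given certificate at any position and with any line wrapping, by comparing base64 bodies:

```shell
#!/bin/sh
# pem_body FILE: print the base64 body of every PEM certificate block in
# FILE, one block per output line, with whitespace and line breaks removed.
pem_body() {
    awk '
        /^-----BEGIN (TRUSTED )?CERTIFICATE-----/ { inblk = 1; body = ""; next }
        /^-----END (TRUSTED )?CERTIFICATE-----/   { if (inblk) print body; inblk = 0; next }
        inblk { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# bundle_has_cert BUNDLE CERT: return 0 if the first certificate in CERT
# appears anywhere in BUNDLE, 1 if it does not, 2 if CERT has no certificate.
# A plain certificate only matches a plain "CERTIFICATE" block; a
# "TRUSTED CERTIFICATE" block carries extra trust data in its body.
bundle_has_cert() {
    want=$(pem_body "$2" | head -n 1)
    [ -n "$want" ] || return 2
    pem_body "$1" | grep -qxF -- "$want"
}

# demo: run the check on constructed sample data (not real certificates).
# The "saved" bundle holds the added entry in the middle and wrapped
# differently; the "active" bundle does not hold it. Prints "0 1".
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUFB' 'QkJC' \
        '-----END CERTIFICATE-----' > "$d/test-ca.pem"
    printf '%s\n' '# constructed bundle' \
        '-----BEGIN CERTIFICATE-----' 'WFhY' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'QUFBQkJC' '-----END CERTIFICATE-----' \
        '-----BEGIN TRUSTED CERTIFICATE-----' 'WVlZ' \
        '-----END TRUSTED CERTIFICATE-----' > "$d/bundle.rpmsave"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'WFhY' \
        '-----END CERTIFICATE-----' > "$d/bundle"
    saved=0;  bundle_has_cert "$d/bundle.rpmsave" "$d/test-ca.pem" || saved=$?
    active=0; bundle_has_cert "$d/bundle" "$d/test-ca.pem" || active=$?
    rm -rf "$d"
    echo "$saved $active"
}
```

On the test system, `bundle_has_cert /etc/pki/tls/certs/ca-bundle.crt.rpmsave Cert-trust-test-ca.pem` should return 0 after the upgrade.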



Troubleshooting

  • Because rpm is broken in this case (see https://bugzilla.redhat.com/show_bug.cgi?id=445202 for details), we use `.rpmsave` instead of `.rpmnew` files here. But because upgrading a Fedora system is not a completely seamless and supported operation, this is an appropriate compromise.