updating pki cert verification
tvo0813 committed Dec 17, 2024
1 parent f3ed581 commit 155f26f
Showing 4 changed files with 32 additions and 16 deletions.
6 changes: 3 additions & 3 deletions enos/modules/verify_secrets_engines/modules/create/pki.tf
Expand Up @@ -8,13 +8,13 @@ locals {
pki_common_name = "common"
pki_default_ttl = "72h"
pki_test_data_path_prefix = "smoke"
tmp_test_results = "tmp_test_results"
pki_tmp_test_results = "tmp-test-results"

// Output
pki_output = {
mount = local.pki_mount
common_name = local.pki_common_name
test_results = local.tmp_test_results
test_results = local.pki_tmp_test_results
}

test = {
Expand Down Expand Up @@ -58,7 +58,7 @@ resource "enos_remote_exec" "pki_issue_certificates" {
COMMON_NAME = local.pki_common_name
ISSUER_NAME = local.pki_issuer_name
TTL = local.pki_default_ttl
TMP_TEST_RESULTS = local.tmp_test_results
TMP_TEST_RESULTS = local.pki_tmp_test_results
}

scripts = [abspath("${path.module}/../../scripts/kv-pki-issue-certificates.sh")]
6 changes: 3 additions & 3 deletions enos/modules/verify_secrets_engines/modules/read/pki.tf
Expand Up @@ -8,13 +8,13 @@ locals {
pki_common_name = "common"
pki_default_ttl = "72h"
pki_test_data_path_prefix = "smoke"
tmp_test_results = "tmp_test_results"
pki_tmp_test_results = "tmp-test-results"

// Output
pki_output = {
mount = local.pki_mount
common_name = local.pki_common_name
test_results = local.tmp_test_results
test_results = local.pki_tmp_test_results
}

test = {
Expand All @@ -38,7 +38,7 @@ resource "enos_remote_exec" "pki_verify_certificates" {
COMMON_NAME = local.pki_common_name
ISSUER_NAME = local.pki_issuer_name
TTL = local.pki_default_ttl
TMP_TEST_RESULTS = local.tmp_test_results
TMP_TEST_RESULTS = local.pki_tmp_test_results
}

scripts = [abspath("${path.module}/../../scripts/kv-pki-verify-certificates.sh")]
Expand Up @@ -26,6 +26,7 @@ export VAULT_FORMAT=json
CA_NAME="${MOUNT}.pem"
SIGNED_CERT_NAME="${MOUNT}-signed.pem"
ROLE_NAME="${COMMON_NAME}-role"
SUBJECT="test.${COMMON_NAME}"
TMP_TTL="1h"
rm -rf "${TMP_TEST_RESULTS}"
mkdir "${TMP_TEST_RESULTS}"
Expand All @@ -38,7 +39,7 @@ mkdir "${TMP_TEST_RESULTS}"
# Creating a role
"$binpath" write "${MOUNT}/roles/${ROLE_NAME}" allowed_domains="${COMMON_NAME}.com" allow_subdomains=true max_ttl="${TMP_TTL}"
# Issuing Signed Certificate
"$binpath" write "${MOUNT}/issue/${ROLE_NAME}" common_name="test.${COMMON_NAME}.com" ttl="${TMP_TTL}" | jq -r '.data.certificate' > "${TMP_TEST_RESULTS}/${SIGNED_CERT_NAME}"
"$binpath" write "${MOUNT}/issue/${ROLE_NAME}" common_name="${SUBJECT}.com" ttl="${TMP_TTL}" | jq -r '.data.certificate' > "${TMP_TEST_RESULTS}/${SIGNED_CERT_NAME}"

# ------ Generate and sign intermediate ------
INTERMEDIATE_COMMON_NAME="intermediate-${COMMON_NAME}"
Expand Up @@ -39,21 +39,36 @@ VAULT_CERTS=$("$binpath" list -format=json "${MOUNT}/certs" | jq -r '.[]')
[[ -z "$VAULT_CERTS" ]] && fail "VAULT_CERTS should include vault certificates"

# Verifying Certificates
TMP_FILE="tmp-vault-cert.pem"
REVOKED_CERTS=()
for CERT in $VAULT_CERTS; do
echo "Getting Certificate from Vault PKI: ${CERT}"
"$binpath" read "${MOUNT}/cert/${CERT}" | jq -r '.data.certificate' > "${TMP_TEST_RESULTS}/tmp_vault_cert.pem"
echo "Verifying Certificate..."
openssl x509 -in "${TMP_TEST_RESULTS}/tmp_vault_cert.pem" -text -noout || fail "The certificate appears to be improperly configured or contains errors"
echo "Successfully Verified Certificate"
echo "Getting certificate from Vault PKI: ${CERT}"
"$binpath" read "${MOUNT}/cert/${CERT}" | jq -r '.data.certificate' > "${TMP_TEST_RESULTS}/${TMP_FILE}"
echo "Verifying certificate..."
openssl x509 -in "${TMP_TEST_RESULTS}/${TMP_FILE}" -text -noout || fail "The certificate appears to be improperly configured or contains errors"
CURR_CERT_SERIAL=$(echo "${CERT}" | tr -d ':' | tr '[:lower:]' '[:upper:]')
TMP_CERT_SUBJECT=$(openssl x509 -in "${TMP_TEST_RESULTS}/${TMP_FILE}" -noout -subject)
TMP_CERT_ISSUER=$(openssl x509 -in "${TMP_TEST_RESULTS}/${TMP_FILE}" -noout -issuer)
TMP_CERT_SERIAL=$(openssl x509 -in "${TMP_TEST_RESULTS}/${TMP_FILE}" -noout -serial)
[[ "${TMP_CERT_SUBJECT}" == *"${COMMON_NAME}.com"* ]] || fail "Subject is incorrect. Actual Subject: ${TMP_CERT_SUBJECT}"
[[ "${TMP_CERT_ISSUER}" == *"${COMMON_NAME}.com"* ]] || fail "Issuer is incorrect. Actual Issuer: ${TMP_CERT_ISSUER}"
[[ "${TMP_CERT_SERIAL}" == *"${CURR_CERT_SERIAL}"* ]] || fail "Certificate Serial is incorrect. Actual certificate Serial: ${CURR_CERT_SERIAL},${TMP_CERT_SERIAL}"
echo "Certificate successfully verified"

IS_CA=$(openssl x509 -in "${TMP_TEST_RESULTS}/tmp_vault_cert.pem" -text -noout | grep -q "CA:TRUE" && echo "TRUE" || echo "FALSE")
IS_CA=$(openssl x509 -in "${TMP_TEST_RESULTS}/${TMP_FILE}" -text -noout | grep -q "CA:TRUE" && echo "TRUE" || echo "FALSE")
if [[ "${IS_CA}" == "FALSE" ]]; then
echo "Revoking Certificate: ${CERT}"
echo "Revoking certificate: ${CERT}"
"$binpath" write "${MOUNT}/revoke" serial_number="${CERT}" || fail "Could not revoke certificate ${CERT}"
REVOKED_CERTS+=("$CERT")
else
echo "Skipping revoking step for this certificate to being a root CA Cert: ${CERT}"
fi
done

# Verify List Revoked Certificate
"$binpath" list -format=json "${MOUNT}/certs/revoked" | jq -r '.[]' || fail "There are no revoked certificate listed"
echo "Verifying Revoked Certificates"
REVOKED_CERT_FROM_LIST=$("$binpath" list -format=json "${MOUNT}/certs/revoked" | jq -r '.[]')
[[ -z "$REVOKED_CERT_FROM_LIST" ]] && fail "No revoked certificates are listed."
for CERT in "${REVOKED_CERTS[@]}"; do
[[ "${REVOKED_CERT_FROM_LIST}" == *"${CERT}"* ]] || fail "Unable to locate certificate in the Vault Revoked Certificate List: ${CERT}"
done
echo "Revoked certificate successfully verified"
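Review bot: The subject, issuer and serial assertions (`[[ "${TMP_CERT_SUBJECT}" == *"${COMMON_NAME}.com"* ]]` and the two lines after it) and the revoked-list check in the last loop are substring globs, so a field that merely contains the expected text passes — a CN like `x${COMMON_NAME}.com` or a serial that is a suffix of another entry in the revoked list would not be caught. For the revoked list, which Vault returns one serial per line, an exact line match is both stricter and simpler: `grep -Fxq -- "${CERT}" <<<"${REVOKED_CERT_FROM_LIST}" || fail "Unable to locate certificate in the Vault Revoked Certificate List: ${CERT}"`; the subject check could likewise compare the `CN=` value against the expected name rather than searching for the domain suffix. Separately, `openssl x509 -text -noout` only parses the PEM, and nothing in the hunk validates the signature chain, so "Certificate successfully verified" overstates what was checked — if the CA PEM written by the issue script is reachable here, `openssl verify -CAfile` would close that gap; otherwise the message should say the certificate was parsed and its fields matched. The top of this script is outside the hunk, so it is not visible whether `set -e`/`pipefail` guards the `$(... | jq -r '.[]')` capture on the revoked-list line against a failed `list`.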
