From ac3bb7b2d4b8aba75650d461310f3f79793db65d Mon Sep 17 00:00:00 2001 From: Tin Vo Date: Thu, 23 Jan 2025 11:30:20 -0800 Subject: [PATCH] VAULT-32188: Enos test for PKI certificates (#29007) * updating pki test * updating pki test * updating pki test * updating pki script * resolving conflicts * adding pki cert verifications * resolving conflicts * updating test * removing comments * addressing bash formatting * updating test * adding description * fixing lint error * fixing lint error * fixing lint issue * removing unneeded scenario * resolving conflicts * debugging pipeline error * fixing pipeline tests' * fixing pipeline tests' * testing smoke test * fixing pipeline error * debugging pipeline error * debugging pipeline error * debugging pipeline error * debugging agent test ci failure * fixing ci errors * uncomment token * updating script * updating hosts * fixing lint * fixing lint * fixing lint * adding revoked certificate * undo kv.tf change * updating cert issuing * updating issuing certs to include issuer * updating pki cert verification * addressing comments * fixing lint * fixing lint * fixing lint * fixing lint * updating verify_secrets_engine_read module * fixing lint * fixing lint * fixing lint * debugging lint * testing pipeline * adding verify variables for autopilot * adding pki read variable for autopilot * updating vault engine read variables * addressing comments * fixing lint * update test for enterprise * update pki tests to adapt to enterprise --- enos/enos-scenario-agent.hcl | 1 + enos/enos-scenario-autopilot.hcl | 1 + enos/enos-scenario-dr-replication.hcl | 4 + enos/enos-scenario-pr-replication.hcl | 2 + enos/enos-scenario-proxy.hcl | 1 + enos/enos-scenario-seal-ha.hcl | 2 + enos/enos-scenario-smoke.hcl | 1 + enos/enos-scenario-upgrade.hcl | 1 + .../modules/create/main.tf | 1 + .../modules/create/pki.tf | 69 +++++++++++ .../modules/read/main.tf | 6 + .../modules/read/pki.tf | 31 +++++ .../scripts/pki-issue-certificates.sh | 61 ++++++++++ .../scripts/pki-verify-certificates.sh | 107 ++++++++++++++++++ 14 files changed, 288 insertions(+) create mode 100644 enos/modules/verify_secrets_engines/modules/create/pki.tf create mode 100644 enos/modules/verify_secrets_engines/modules/read/pki.tf create mode 100755 enos/modules/verify_secrets_engines/scripts/pki-issue-certificates.sh create mode 100755 enos/modules/verify_secrets_engines/scripts/pki-verify-certificates.sh diff --git a/enos/enos-scenario-agent.hcl b/enos/enos-scenario-agent.hcl index 70e00b0f72f8..bb94f861df12 100644 --- a/enos/enos-scenario-agent.hcl +++ b/enos/enos-scenario-agent.hcl @@ -582,6 +582,7 @@ scenario "agent" { hosts = step.get_vault_cluster_ips.follower_hosts vault_addr = step.create_vault_cluster.api_addr_localhost vault_install_dir = global.vault_install_dir[matrix.artifact_type] + vault_root_token = step.create_vault_cluster.root_token } } diff --git a/enos/enos-scenario-autopilot.hcl b/enos/enos-scenario-autopilot.hcl index 968f1fb30916..a92b25909383 100644 --- a/enos/enos-scenario-autopilot.hcl +++ b/enos/enos-scenario-autopilot.hcl @@ -592,6 +592,7 @@ scenario "autopilot" { hosts = step.get_updated_vault_cluster_ips.follower_hosts vault_addr = step.upgrade_vault_cluster_with_autopilot.api_addr_localhost vault_install_dir = local.vault_install_dir + vault_root_token = step.create_vault_cluster.root_token } } diff --git a/enos/enos-scenario-dr-replication.hcl b/enos/enos-scenario-dr-replication.hcl index 656f747fccf1..cc3f7f127b7c 100644 --- a/enos/enos-scenario-dr-replication.hcl +++ b/enos/enos-scenario-dr-replication.hcl @@ -1111,6 +1111,8 @@ scenario "dr_replication" { hosts = step.get_secondary_cluster_ips.follower_hosts vault_addr = step.create_secondary_cluster.api_addr_localhost vault_install_dir = global.vault_install_dir[matrix.artifact_type] + vault_root_token = step.create_secondary_cluster.root_token + verify_pki_certs = false } } @@ -1247,6 +1249,8 @@ scenario "dr_replication" { hosts = step.get_secondary_cluster_ips.follower_hosts vault_addr = step.create_secondary_cluster.api_addr_localhost vault_install_dir = global.vault_install_dir[matrix.artifact_type] + vault_root_token = step.create_secondary_cluster.root_token + verify_pki_certs = false } } diff --git a/enos/enos-scenario-pr-replication.hcl b/enos/enos-scenario-pr-replication.hcl index 5f6eb76509f4..b3d153a076db 100644 --- a/enos/enos-scenario-pr-replication.hcl +++ b/enos/enos-scenario-pr-replication.hcl @@ -943,6 +943,8 @@ scenario "pr_replication" { hosts = step.get_secondary_cluster_ips.follower_hosts vault_addr = step.create_secondary_cluster.api_addr_localhost vault_install_dir = global.vault_install_dir[matrix.artifact_type] + vault_root_token = step.create_secondary_cluster.root_token + verify_pki_certs = false } } diff --git a/enos/enos-scenario-proxy.hcl b/enos/enos-scenario-proxy.hcl index df69e728103e..ee794b3f00d4 100644 --- a/enos/enos-scenario-proxy.hcl +++ b/enos/enos-scenario-proxy.hcl @@ -559,6 +559,7 @@ scenario "proxy" { hosts = step.get_vault_cluster_ips.follower_hosts vault_addr = step.create_vault_cluster.api_addr_localhost vault_install_dir = global.vault_install_dir[matrix.artifact_type] + vault_root_token = step.create_vault_cluster.root_token } } diff --git a/enos/enos-scenario-seal-ha.hcl b/enos/enos-scenario-seal-ha.hcl index 8c98552e32af..28df6019e010 100644 --- a/enos/enos-scenario-seal-ha.hcl +++ b/enos/enos-scenario-seal-ha.hcl @@ -812,6 +812,7 @@ scenario "seal_ha" { hosts = step.get_updated_cluster_ips.follower_hosts vault_addr = step.create_vault_cluster.api_addr_localhost vault_install_dir = global.vault_install_dir[matrix.artifact_type] + vault_root_token = step.create_vault_cluster.root_token } } @@ -1040,6 +1041,7 @@ scenario "seal_ha" { hosts = step.get_cluster_ips_after_migration.follower_hosts vault_addr = step.create_vault_cluster.api_addr_localhost vault_install_dir = global.vault_install_dir[matrix.artifact_type] + vault_root_token = step.create_vault_cluster.root_token } } diff --git a/enos/enos-scenario-smoke.hcl b/enos/enos-scenario-smoke.hcl index 90507d7a9849..b6835c09f3f6 100644 --- a/enos/enos-scenario-smoke.hcl +++ b/enos/enos-scenario-smoke.hcl @@ -601,6 +601,7 @@ scenario "smoke" { hosts = step.get_vault_cluster_ips.follower_hosts vault_addr = step.create_vault_cluster.api_addr_localhost vault_install_dir = global.vault_install_dir[matrix.artifact_type] + vault_root_token = step.create_vault_cluster.root_token } } diff --git a/enos/enos-scenario-upgrade.hcl b/enos/enos-scenario-upgrade.hcl index 40b39e15cdd3..0e6a8d720c36 100644 --- a/enos/enos-scenario-upgrade.hcl +++ b/enos/enos-scenario-upgrade.hcl @@ -668,6 +668,7 @@ scenario "upgrade" { hosts = step.get_updated_vault_cluster_ips.follower_hosts vault_addr = step.create_vault_cluster.api_addr_localhost vault_install_dir = global.vault_install_dir[matrix.artifact_type] + vault_root_token = step.create_vault_cluster.root_token } } diff --git a/enos/modules/verify_secrets_engines/modules/create/main.tf b/enos/modules/verify_secrets_engines/modules/create/main.tf index 89ca1c80b406..424e1c948a7c 100644 --- a/enos/modules/verify_secrets_engines/modules/create/main.tf +++ b/enos/modules/verify_secrets_engines/modules/create/main.tf @@ -49,5 +49,6 @@ output "state" { auth = local.auth_output identity = local.identity_output kv = local.kv_output + pki = local.pki_output } } diff --git a/enos/modules/verify_secrets_engines/modules/create/pki.tf b/enos/modules/verify_secrets_engines/modules/create/pki.tf new file mode 100644 index 000000000000..1a69ca4b5886 --- /dev/null +++ b/enos/modules/verify_secrets_engines/modules/create/pki.tf @@ -0,0 +1,69 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: BUSL-1.1 + +locals { + // Variables + pki_mount = "pki" # secret + pki_issuer_name = "issuer" + pki_common_name = "common" + pki_default_ttl = "72h" + pki_test_dir = "tmp-test-results" + + // Output + pki_output = { + common_name = local.pki_common_name + issuer_name = local.pki_issuer_name + mount = local.pki_mount + ttl = local.pki_default_ttl + test_dir = local.pki_test_dir + } + +} + +output "pki" { + value = local.pki_output +} + +# Enable pki secrets engine +resource "enos_remote_exec" "secrets_enable_pki_secret" { + environment = { + ENGINE = local.pki_mount + MOUNT = local.pki_mount + VAULT_ADDR = var.vault_addr + VAULT_TOKEN = var.vault_root_token + VAULT_INSTALL_DIR = var.vault_install_dir + } + + scripts = [abspath("${path.module}/../../scripts/secrets-enable.sh")] + + transport = { + ssh = { + host = var.leader_host.public_ip + } + } +} + +# Issue RSA Certificate +resource "enos_remote_exec" "pki_issue_certificates" { + depends_on = [enos_remote_exec.secrets_enable_pki_secret] + for_each = var.hosts + + environment = { + MOUNT = local.pki_mount + VAULT_ADDR = var.vault_addr + VAULT_INSTALL_DIR = var.vault_install_dir + VAULT_TOKEN = var.vault_root_token + COMMON_NAME = local.pki_common_name + ISSUER_NAME = local.pki_issuer_name + TTL = local.pki_default_ttl + TEST_DIR = local.pki_test_dir + } + + scripts = [abspath("${path.module}/../../scripts/pki-issue-certificates.sh")] + + transport = { + ssh = { + host = each.value.public_ip + } + } +} diff --git a/enos/modules/verify_secrets_engines/modules/read/main.tf b/enos/modules/verify_secrets_engines/modules/read/main.tf index f2ad27a60f3f..52a1ba293e8e 100644 --- a/enos/modules/verify_secrets_engines/modules/read/main.tf +++ b/enos/modules/verify_secrets_engines/modules/read/main.tf @@ -38,6 +38,12 @@ variable "vault_root_token" { default = null } +variable "verify_pki_certs" { + type = bool + description = "Flag to verify pki certificates" + default = true +} + locals { vault_bin_path = "${var.vault_install_dir}/vault" } diff --git a/enos/modules/verify_secrets_engines/modules/read/pki.tf b/enos/modules/verify_secrets_engines/modules/read/pki.tf new file mode 100644 index 000000000000..cde0cc921d61 --- /dev/null +++ b/enos/modules/verify_secrets_engines/modules/read/pki.tf @@ -0,0 +1,31 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: BUSL-1.1 + +# Verify PKI Certificate +resource "enos_remote_exec" "pki_verify_certificates" { + for_each = var.hosts + + environment = { + MOUNT = var.create_state.pki.mount + AUTH_PATH = "${var.create_state.auth.userpass.path}" + USERNAME = "${var.create_state.auth.userpass.user.name}" + PASSWORD = "${var.create_state.auth.userpass.user.password}" + VAULT_ADDR = var.vault_addr + VAULT_INSTALL_DIR = var.vault_install_dir + VAULT_TOKEN = var.vault_root_token + COMMON_NAME = var.create_state.pki.common_name + ISSUER_NAME = var.create_state.pki.issuer_name + TTL = var.create_state.pki.ttl + TEST_DIR = var.create_state.pki.test_dir + VERIFY_PKI_CERTS = var.verify_pki_certs + } + + scripts = [abspath("${path.module}/../../scripts/pki-verify-certificates.sh")] + + transport = { + ssh = { + host = each.value.public_ip + } + } +} + diff --git a/enos/modules/verify_secrets_engines/scripts/pki-issue-certificates.sh b/enos/modules/verify_secrets_engines/scripts/pki-issue-certificates.sh new file mode 100755 index 000000000000..f4592ebf37d8 --- /dev/null +++ b/enos/modules/verify_secrets_engines/scripts/pki-issue-certificates.sh @@ -0,0 +1,61 @@ +#!/usr/bin/env bash +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: BUSL-1.1 + +set -e + +fail() { + echo "$1" 1>&2 + exit 1 +} + +[[ -z "$MOUNT" ]] && fail "MOUNT env variable has not been set" +[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set" +[[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set" +[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set" +[[ -z "$COMMON_NAME" ]] && fail "COMMON_NAME env variable has not been set" +[[ -z "$ISSUER_NAME" ]] && fail "ISSUER_NAME env variable has not been set" +[[ -z "$TTL" ]] && fail "TTL env variable has not been set" +[[ -z "$TEST_DIR" ]] && fail "TEST_DIR env variable has not been set" + +binpath=${VAULT_INSTALL_DIR}/vault +test -x "$binpath" || fail "unable to locate vault binary at $binpath" +export VAULT_FORMAT=json + +# ------ Generate and sign certificate ------ +CA_NAME="${MOUNT}-ca.pem" +ISSUED_CERT_NAME="${MOUNT}-issued.pem" +ROLE_NAME="${COMMON_NAME}-role" +SUBJECT="test.${COMMON_NAME}" +TMP_TTL="1h" +rm -rf "${TEST_DIR}" +mkdir "${TEST_DIR}" + +## Setting AIA fields for Certificate +"$binpath" write "${MOUNT}/config/urls" issuing_certificates="${VAULT_ADDR}/v1/pki/ca" crl_distribution_points="${VAULT_ADDR}/v1/pki/crl" + +# Generating CA Certificate +"$binpath" write "${MOUNT}/root/generate/internal" common_name="${COMMON_NAME}.com" issuer_name="${ISSUER_NAME}" ttl="${TTL}" | jq -r '.data.issuing_ca' > "${TEST_DIR}/${CA_NAME}" +# Creating a role +"$binpath" write "${MOUNT}/roles/${ROLE_NAME}" allowed_domains="${COMMON_NAME}.com" allow_subdomains=true max_ttl="${TMP_TTL}" +# Issuing Signed Certificate +"$binpath" write "${MOUNT}/issue/${ROLE_NAME}" common_name="${SUBJECT}.com" ttl="${TMP_TTL}" | jq -r '.data.certificate' > "${TEST_DIR}/${ISSUED_CERT_NAME}" + +# ------ Generate and sign intermediate ------ +INTERMEDIATE_COMMON_NAME="intermediate-${COMMON_NAME}" +INTERMEDIATE_ISSUER_NAME="intermediate-${ISSUER_NAME}" +INTERMEDIATE_ROLE_NAME="intermediate-${COMMON_NAME}-role" +INTERMEDIATE_CA_NAME="${MOUNT}-${INTERMEDIATE_COMMON_NAME}.pem" +INTERMEDIATE_SIGNED_NAME="${MOUNT}-${INTERMEDIATE_COMMON_NAME}-ca.pem" +INTERMEDIATE_ISSUED_NAME="${MOUNT}-${INTERMEDIATE_COMMON_NAME}-issued.pem" + +# Generate Intermediate CSR +"$binpath" write "${MOUNT}/intermediate/generate/internal" common_name="${INTERMEDIATE_COMMON_NAME}.com" issuer_name="${INTERMEDIATE_ISSUER_NAME}" ttl="${TTL}" | jq -r '.data.csr' > "${TEST_DIR}/${INTERMEDIATE_CA_NAME}" +# Creating a intermediate role +"$binpath" write "${MOUNT}/roles/${INTERMEDIATE_ROLE_NAME}" allowed_domains="${INTERMEDIATE_COMMON_NAME}.com" allow_subdomains=true max_ttl="${TMP_TTL}" +# Sign Intermediate Certificate +"$binpath" write "${MOUNT}/root/sign-intermediate" csr="@${TEST_DIR}/${INTERMEDIATE_CA_NAME}" format=pem_bundle ttl="${TMP_TTL}" | jq -r '.data.certificate' > "${TEST_DIR}/${INTERMEDIATE_SIGNED_NAME}" +# Import Signed Intermediate Certificate into Vault +"$binpath" write "${MOUNT}/intermediate/set-signed" certificate="@${TEST_DIR}/${INTERMEDIATE_SIGNED_NAME}" +# Issuing Signed Certificate with the intermediate role +"$binpath" write "${MOUNT}/issue/${INTERMEDIATE_ROLE_NAME}" common_name="www.${INTERMEDIATE_COMMON_NAME}.com" ttl="${TMP_TTL}" | jq -r '.data.certificate' > "${TEST_DIR}/${INTERMEDIATE_ISSUED_NAME}" diff --git a/enos/modules/verify_secrets_engines/scripts/pki-verify-certificates.sh b/enos/modules/verify_secrets_engines/scripts/pki-verify-certificates.sh new file mode 100755 index 000000000000..728245d90640 --- /dev/null +++ b/enos/modules/verify_secrets_engines/scripts/pki-verify-certificates.sh @@ -0,0 +1,107 @@ +#!/usr/bin/env bash +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: BUSL-1.1 + +set -e + +fail() { + echo "$1" 1>&2 + exit 1 +} + +[[ -z "$AUTH_PATH" ]] && fail "AUTH_PATH env variable has not been set" +[[ -z "$USERNAME" ]] && fail "USERNAME env variable has not been set" +[[ -z "$PASSWORD" ]] && fail "PASSWORD env variable has not been set" +[[ -z "$VERIFY_PKI_CERTS" ]] && fail "VERIFY_CERT_DETAILS env variable has not been set" +[[ -z "$MOUNT" ]] && fail "MOUNT env variable has not been set" +[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set" +[[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set" +[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set" +[[ -z "$COMMON_NAME" ]] && fail "COMMON_NAME env variable has not been set" +[[ -z "$ISSUER_NAME" ]] && fail "ISSUER_NAME env variable has not been set" +[[ -z "$TTL" ]] && fail "TTL env variable has not been set" +[[ -z "$TEST_DIR" ]] && fail "TEST_DIR env variable has not been set" + +binpath=${VAULT_INSTALL_DIR}/vault +test -x "$binpath" || fail "unable to locate vault binary at $binpath" || fail "The certificate appears to be improperly configured or contains errors" +export VAULT_FORMAT=json + +# Log in so this vault instance have access to the primary pki roles, issuers, and etc +if [ "${VERIFY_PKI_CERTS}" = false ]; then + echo "Logging in Vault with username and password: ${USERNAME}" + VAULT_TOKEN=$("$binpath" write "auth/$AUTH_PATH/login/$USERNAME" password="$PASSWORD" | jq -r '.auth.client_token') +fi + +# Verifying List Roles +ROLE=$("$binpath" list "${MOUNT}/roles" | jq -r '.[]') +[[ -z "$ROLE" ]] && fail "No roles created!" + +# Verifying List Issuer +ISSUER=$("$binpath" list "${MOUNT}/issuers" | jq -r '.[]') +[[ -z "$ISSUER" ]] && fail "No issuers created!" + +# Verifying Root CA Certificate +ROOT_CA_CERT=$("$binpath" read pki/cert/ca | jq -r '.data.certificate') +[[ -z "$ROOT_CA_CERT" ]] && fail "No root ca certificate generated" + +# Verifying Certificates +if [ "${VERIFY_PKI_CERTS}" = true ]; then + if [ ! -d "${TEST_DIR}" ]; then + echo "Directory does not exist. Creating it now." + mkdir -p "${TEST_DIR}" # Need to create this directory for Enterprise test + fi + TMP_FILE="tmp-vault-cert.pem" + + # Verify List Certificate + VAULT_CERTS=$("$binpath" list "${MOUNT}/certs" | jq -r '.[]') + [[ -z "$VAULT_CERTS" ]] && fail "VAULT_CERTS should include vault certificates" + for CERT in $VAULT_CERTS; do + echo "Getting certificate from Vault PKI: ${CERT}" + "$binpath" read "${MOUNT}/cert/${CERT}" | jq -r '.data.certificate' > "${TEST_DIR}/${TMP_FILE}" + echo "Verifying certificate contents..." + openssl x509 -in "${TEST_DIR}/${TMP_FILE}" -text -noout || fail "The certificate appears to be improperly configured or contains errors" + CURR_CERT_SERIAL=$(echo "${CERT}" | tr -d ':' | tr '[:lower:]' '[:upper:]') + TMP_CERT_SUBJECT=$(openssl x509 -in "${TEST_DIR}/${TMP_FILE}" -noout -subject | awk -F'= ' '{print $2}') + TMP_CERT_ISSUER=$(openssl x509 -in "${TEST_DIR}/${TMP_FILE}" -noout -issuer | awk -F'= ' '{print $2}') + TMP_CERT_SERIAL=$(openssl x509 -in "${TEST_DIR}/${TMP_FILE}" -noout -serial | awk -F'=' '{print $2}') + [[ "${TMP_CERT_SUBJECT}" == *"${COMMON_NAME}.com"* ]] || fail "Subject is incorrect. Actual Subject: ${TMP_CERT_SUBJECT}" + [[ "${TMP_CERT_ISSUER}" == *"${COMMON_NAME}.com"* ]] || fail "Issuer is incorrect. Actual Issuer: ${TMP_CERT_ISSUER}" + [[ "${TMP_CERT_SERIAL}" == *"${CURR_CERT_SERIAL}"* ]] || fail "Certificate Serial is incorrect. Actual certificate Serial: ${CURR_CERT_SERIAL},${TMP_CERT_SERIAL}" + echo "Successfully verified certificate contents." + + # Setting up variables for types of certificates + IS_CA=$(openssl x509 -in "${TEST_DIR}/${TMP_FILE}" -text -noout | grep -q "CA:TRUE" && echo "TRUE" || echo "FALSE") + if [[ "${IS_CA}" == "TRUE" ]]; then + if [[ "${COMMON_NAME}.com" == "${TMP_CERT_SUBJECT}" ]]; then + CA_CERT=${CERT} + elif [[ "intermediate-${COMMON_NAME}.com" == "${TMP_CERT_SUBJECT}" ]]; then + INTERMEDIATE_CA_CERT=${CERT} + fi + elif [[ "${IS_CA}" == "FALSE" ]]; then + INTERMEDIATE_ISSUED_CERT=${CERT} + fi + + done + + echo "Verifying that Vault PKI has successfully generated valid certificates for the CA, Intermediate CA, and issued certificates..." + if [[ -n "${CA_CERT}" ]] && [[ -n "${INTERMEDIATE_CA_CERT}" ]] && [[ -n "${INTERMEDIATE_ISSUED_CERT}" ]]; then + CA_NAME="ca.pem" + INTERMEDIATE_CA_NAME="intermediate-ca.pem" + ISSUED_NAME="issued.pem" + "$binpath" read "${MOUNT}/cert/${CA_CERT}" | jq -r '.data.certificate' > "${TEST_DIR}/${CA_NAME}" + "$binpath" read "${MOUNT}/cert/${INTERMEDIATE_CA_CERT}" | jq -r '.data.certificate' > "${TEST_DIR}/${INTERMEDIATE_CA_NAME}" + "$binpath" read "${MOUNT}/cert/${INTERMEDIATE_ISSUED_CERT}" | jq -r '.data.certificate' > "${TEST_DIR}/${ISSUED_NAME}" + openssl verify --CAfile "${TEST_DIR}/${CA_NAME}" -untrusted "${TEST_DIR}/${INTERMEDIATE_CA_NAME}" "${TEST_DIR}/${ISSUED_NAME}" || fail "One or more Certificate is not valid." + else + echo "CA Cert: ${CA_CERT}, Intermedidate Cert: ${INTERMEDIATE_CA_CERT}, Issued Cert: ${INTERMEDIATE_ISSUED_CERT}" + fi + + echo "Revoking certificate: ${INTERMEDIATE_ISSUED_CERT}" + "$binpath" write "${MOUNT}/revoke" serial_number="${INTERMEDIATE_ISSUED_CERT}" || fail "Could not revoke certificate ${INTERMEDIATE_ISSUED_CERT}" + echo "Verifying Revoked Certificate" + REVOKED_CERT_FROM_LIST=$("$binpath" list "${MOUNT}/certs/revoked" | jq -r '.[0]') + [[ "${INTERMEDIATE_ISSUED_CERT}" == "${REVOKED_CERT_FROM_LIST}" ]] || fail "Expected: ${INTERMEDIATE_ISSUED_CERT}, actual: ${REVOKED_CERT_FROM_LIST}" + echo "Successfully verified revoked certificate" +else + echo "Skipping verify certificates!" +fi