feat: Add integration tests for simple-ca functionality and implement shell script for CA operations
This commit is contained in:
+58
-195
@@ -21,211 +21,74 @@
|
||||
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
# SOFTWARE.
|
||||
|
||||
# This script runs integration tests against the simple-ca Python implementation.
|
||||
# Usage: run-tests.sh [python|all] (default: all)
|
||||
# Integration tests for simple-ca.sh.
|
||||
# Usage: run-tests.sh
|
||||
set -e
|
||||
|
||||
TEST_TARGET="${1:-all}"
|
||||
|
||||
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||
CERT_DIR="$SCRIPT_DIR/tests"
|
||||
CA_DIR="$CERT_DIR/ca"
|
||||
|
||||
clean_up_test_dir() {
|
||||
if [[ -d "$CERT_DIR" ]]; then
|
||||
echo "Cleaning up test directory $CERT_DIR..."
|
||||
rm -rf "$CERT_DIR"/*
|
||||
fi
|
||||
echo "Creating test directory $CERT_DIR and ca subdirectory..."
|
||||
mkdir -p "$CA_DIR"
|
||||
source "$SCRIPT_DIR/simple-ca.sh"
|
||||
|
||||
# Temporary test directory — cleaned up on exit.
|
||||
TEST_DIR="$(mktemp -d)"
|
||||
trap 'rm -rf "$TEST_DIR"' EXIT
|
||||
|
||||
CA_DIR="$TEST_DIR/ca"
|
||||
CERT_DIR="$TEST_DIR/certs"
|
||||
|
||||
reset_dirs() {
|
||||
rm -rf "$CA_DIR" "$CERT_DIR"
|
||||
mkdir -p "$CA_DIR" "$CERT_DIR"
|
||||
SIMPLE_CA_DIR=""
|
||||
}
|
||||
|
||||
display_certificate() {
|
||||
verify_cert() {
|
||||
local CERT_PATH="$1"
|
||||
|
||||
echo -e "\nDisplaying generated certificate for verification ($CERT_PATH):"
|
||||
openssl x509 -in "$CERT_PATH" -noout -subject -issuer -serial -fingerprint
|
||||
echo
|
||||
|
||||
echo -e "\nVerifying certificate against the CA bundle ($CA_DIR/ca_bundle.pem)..."
|
||||
if openssl verify -CAfile "$CA_DIR/ca_bundle.pem" "$CERT_PATH" 2>/dev/null; then
|
||||
echo "Certificate verification successful."
|
||||
else
|
||||
echo "ERROR: Certificate verification failed." >&2
|
||||
if ! openssl verify -CAfile "$CA_DIR/ca_bundle.pem" "$CERT_PATH" 2>/dev/null; then
|
||||
echo "ERROR: Certificate verification failed: $CERT_PATH" >&2
|
||||
exit 1
|
||||
fi
|
||||
echo "Verified: $CERT_PATH"
|
||||
}
|
||||
|
||||
# verify_pfx LABEL PFX_PATH PASSWORD PATTERN
|
||||
# Checks that PATTERN appears in the pkcs12 -info output (case-insensitive).
|
||||
verify_pfx_algo() {
|
||||
local LABEL="$1" PFX_PATH="$2" PASSWORD="$3" PATTERN="$4"
|
||||
local INFO
|
||||
INFO=$(openssl pkcs12 -in "$PFX_PATH" -noout -info -password "pass:$PASSWORD" 2>&1)
|
||||
if echo "$INFO" | grep -qi "$PATTERN"; then
|
||||
echo "PFX [$LABEL]: OK"
|
||||
else
|
||||
echo "ERROR: PFX [$LABEL]: expected pattern '$PATTERN' not found in:" >&2
|
||||
echo "$INFO" >&2
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
# run_flow NAME MAKE_CA_CMD MAKE_CERT_CMD MAKE_PFX_CMD
|
||||
# Command variables are left unquoted on use, so multi-word prefixes
|
||||
# (e.g. "python3 simple-ca.py make-ca") word-split as expected.
|
||||
run_flow() {
|
||||
local NAME="$1"
|
||||
local MAKE_CA_CMD="$2"
|
||||
local MAKE_CERT_CMD="$3"
|
||||
local MAKE_PFX_CMD="$4"
|
||||
|
||||
echo
|
||||
echo "============================================================"
|
||||
echo "Running tests for '$NAME' implementation"
|
||||
echo "============================================================"
|
||||
|
||||
echo
|
||||
echo "--- [$NAME] Standalone CA ---"
|
||||
clean_up_test_dir
|
||||
$MAKE_CA_CMD --ca-dir "$CA_DIR" "Test CA"
|
||||
[[ -f "$CA_DIR/simple-ca.json" ]] || { echo "ERROR: simple-ca.json not created" >&2; exit 1; }
|
||||
display_certificate "$CA_DIR/ca_cert.pem"
|
||||
$MAKE_CERT_CMD --ca-dir "$CA_DIR" --cert-dir "$CERT_DIR" "test" "test.example.com" "127.0.0.1"
|
||||
display_certificate "$CERT_DIR/test_cert.pem"
|
||||
|
||||
echo
|
||||
echo "--- [$NAME] Two-level CA ---"
|
||||
clean_up_test_dir
|
||||
$MAKE_CA_CMD --ca-dir "$CA_DIR" "Test Two Level CA"
|
||||
[[ -f "$CA_DIR/simple-ca.json" ]] || { echo "ERROR: simple-ca.json not created" >&2; exit 1; }
|
||||
display_certificate "$CA_DIR/ca_cert.pem"
|
||||
$MAKE_CA_CMD --ca-dir "$CA_DIR" --issuing-ca "issuing_ca" "Issuing CA"
|
||||
display_certificate "$CA_DIR/issuing_ca/ca_cert.pem"
|
||||
$MAKE_CERT_CMD --ca-dir "$CA_DIR" --cert-dir "$CERT_DIR" --issuing-ca "issuing_ca" "test" "test.example.com" "127.0.0.1"
|
||||
display_certificate "$CERT_DIR/test_cert.pem"
|
||||
$MAKE_PFX_CMD --ca-dir "$CA_DIR" --issuing-ca "issuing_ca" --password "s3cr3t" "$CERT_DIR/test_cert.pem"
|
||||
|
||||
echo -e "\nVerifying contents of generated PKCS#12 (PFX) file ($CERT_DIR/test.pfx):"
|
||||
openssl pkcs12 -in "$CERT_DIR/test.pfx" -noout -info -password pass:"s3cr3t"
|
||||
}
|
||||
|
||||
# run_pfx_algorithm_tests NAME MAKE_CA_CMD MAKE_CERT_CMD MAKE_PFX_CMD
|
||||
# Tests modern, legacy, and (on macOS) --apple-openssl PKCS12 variants.
|
||||
run_pfx_algorithm_tests() {
|
||||
local NAME="$1"
|
||||
local MAKE_CA_CMD="$2"
|
||||
local MAKE_CERT_CMD="$3"
|
||||
local MAKE_PFX_CMD="$4"
|
||||
|
||||
echo
|
||||
echo "--- [$NAME] PFX algorithm variants ---"
|
||||
clean_up_test_dir
|
||||
$MAKE_CA_CMD --ca-dir "$CA_DIR" "PFX Test CA"
|
||||
$MAKE_CA_CMD --ca-dir "$CA_DIR" --issuing-ca "issuing_ca" "Issuing CA"
|
||||
$MAKE_CERT_CMD --ca-dir "$CA_DIR" --cert-dir "$CERT_DIR" --issuing-ca "issuing_ca" \
|
||||
"test" "test.example.com" "127.0.0.1"
|
||||
|
||||
# Modern (default): OpenSSL 3.x PBES2/AES-256
|
||||
$MAKE_PFX_CMD --ca-dir "$CA_DIR" --issuing-ca "issuing_ca" --password "s3cr3t" \
|
||||
"$CERT_DIR/test_cert.pem"
|
||||
verify_pfx_algo "modern" "$CERT_DIR/test.pfx" "s3cr3t" "PBES2"
|
||||
rm "$CERT_DIR/test.pfx"
|
||||
|
||||
# Apple openssl (macOS only): verify the switch routes to /usr/bin/openssl
|
||||
# and that the result is readable by Apple's binary (not PBES2).
|
||||
if [[ "$(uname)" == "Darwin" ]]; then
|
||||
$MAKE_PFX_CMD --apple-openssl --ca-dir "$CA_DIR" --issuing-ca "issuing_ca" --password "s3cr3t" \
|
||||
"$CERT_DIR/test_cert.pem"
|
||||
/usr/bin/openssl pkcs12 -in "$CERT_DIR/test.pfx" -noout -info -password pass:"s3cr3t" 2>&1
|
||||
# Confirm Apple's binary produced its own (non-PBES2) format
|
||||
INFO=$(/usr/bin/openssl pkcs12 -in "$CERT_DIR/test.pfx" -noout -info -password pass:"s3cr3t" 2>&1)
|
||||
if echo "$INFO" | grep -qi "PBES2"; then
|
||||
echo "ERROR: PFX [apple-openssl]: unexpected PBES2 — Apple binary was not used" >&2
|
||||
exit 1
|
||||
fi
|
||||
echo "PFX [apple-openssl]: OK"
|
||||
rm "$CERT_DIR/test.pfx"
|
||||
fi
|
||||
}
|
||||
|
||||
# run_crl_tests NAME MAKE_CA_CMD MAKE_CERT_CMD MAKE_PFX_CMD REVOKE_CMD MAKE_CRL_CMD
|
||||
run_crl_tests() {
|
||||
local NAME="$1"
|
||||
local MAKE_CA_CMD="$2"
|
||||
local MAKE_CERT_CMD="$3"
|
||||
local REVOKE_CMD="$4"
|
||||
local MAKE_CRL_CMD="$5"
|
||||
|
||||
echo
|
||||
echo "--- [$NAME] CRL tests ---"
|
||||
clean_up_test_dir
|
||||
|
||||
# Build a two-level CA hierarchy
|
||||
$MAKE_CA_CMD --ca-dir "$CA_DIR" "CRL Test CA"
|
||||
$MAKE_CA_CMD --ca-dir "$CA_DIR" --issuing-ca "issuing_ca" "Issuing CA"
|
||||
|
||||
# Issue two certs; revoke the first; keep the second active
|
||||
$MAKE_CERT_CMD --ca-dir "$CA_DIR" --cert-dir "$CERT_DIR" --issuing-ca "issuing_ca" \
|
||||
"alice" "alice.example.com"
|
||||
$MAKE_CERT_CMD --ca-dir "$CA_DIR" --cert-dir "$CERT_DIR" --issuing-ca "issuing_ca" \
|
||||
"bob" "bob.example.com"
|
||||
|
||||
$REVOKE_CMD --ca-dir "$CA_DIR" --issuing-ca "issuing_ca" "$CERT_DIR/alice_cert.pem"
|
||||
|
||||
# Generate CRL for the issuing CA
|
||||
$MAKE_CRL_CMD --ca-dir "$CA_DIR" --issuing-ca "issuing_ca"
|
||||
[[ -f "$CA_DIR/issuing_ca/crl.pem" ]] || { echo "ERROR: issuing_ca/crl.pem not created" >&2; exit 1; }
|
||||
|
||||
# alice's serial must appear in the issuing CA CRL
|
||||
CRL_TEXT=$(openssl crl -in "$CA_DIR/issuing_ca/crl.pem" -noout -text 2>/dev/null)
|
||||
ALICE_SERIAL=$(openssl x509 -in "$CERT_DIR/alice_cert.pem" -noout -serial | cut -d= -f2)
|
||||
if echo "$CRL_TEXT" | grep -qi "$ALICE_SERIAL"; then
|
||||
echo "CRL [issuing_ca]: alice's serial found — OK"
|
||||
else
|
||||
echo "ERROR: CRL [issuing_ca]: alice's serial not found in CRL" >&2
|
||||
echo "$CRL_TEXT" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# bob's serial must NOT appear in the issuing CA CRL
|
||||
BOB_SERIAL=$(openssl x509 -in "$CERT_DIR/bob_cert.pem" -noout -serial | cut -d= -f2)
|
||||
if echo "$CRL_TEXT" | grep -qi "$BOB_SERIAL"; then
|
||||
echo "ERROR: CRL [issuing_ca]: bob's serial unexpectedly found in CRL" >&2
|
||||
exit 1
|
||||
else
|
||||
echo "CRL [issuing_ca]: bob's serial absent — OK"
|
||||
fi
|
||||
|
||||
# Root CA CRL should be empty (no revoctions at root level)
|
||||
$MAKE_CRL_CMD --ca-dir "$CA_DIR"
|
||||
[[ -f "$CA_DIR/crl.pem" ]] || { echo "ERROR: root crl.pem not created" >&2; exit 1; }
|
||||
ROOT_CRL_TEXT=$(openssl crl -in "$CA_DIR/crl.pem" -noout -text 2>/dev/null)
|
||||
if echo "$ROOT_CRL_TEXT" | grep -q "No Revoked Certificates"; then
|
||||
echo "CRL [root]: empty — OK"
|
||||
else
|
||||
echo "ERROR: CRL [root]: expected empty CRL" >&2
|
||||
echo "$ROOT_CRL_TEXT" >&2
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
# Uses ;;& to fall through to subsequent patterns so 'all' matches every block.
|
||||
case "$TEST_TARGET" in
|
||||
python|all)
|
||||
command -v python3 >/dev/null || { echo "ERROR: python3 not found" >&2; exit 1; }
|
||||
PY_PREFIX="python3 $SCRIPT_DIR/simple-ca.py"
|
||||
run_flow "python" "$PY_PREFIX make-ca" "$PY_PREFIX make-cert" "$PY_PREFIX make-pfx"
|
||||
run_pfx_algorithm_tests "python" "$PY_PREFIX make-ca" "$PY_PREFIX make-cert" "$PY_PREFIX make-pfx"
|
||||
run_crl_tests "python" "$PY_PREFIX make-ca" "$PY_PREFIX make-cert" "$PY_PREFIX revoke-cert" "$PY_PREFIX make-crl"
|
||||
;;&
|
||||
python|all)
|
||||
;;
|
||||
*)
|
||||
echo "ERROR: unknown target '$TEST_TARGET' (expected: python|all)" >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
# ---------------------------------------------------------------------------
|
||||
# Standalone CA
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
echo
|
||||
echo "All requested tests passed."
|
||||
echo "--- [shell] Standalone CA ---"
|
||||
reset_dirs
|
||||
make_ca --ca-dir "$CA_DIR" "Test CA" 2>/dev/null
|
||||
[[ -f "$CA_DIR/ca_cert.pem" ]] || { echo "ERROR: ca_cert.pem not created" >&2; exit 1; }
|
||||
[[ -f "$CA_DIR/ca_bundle.pem" ]] || { echo "ERROR: ca_bundle.pem not created" >&2; exit 1; }
|
||||
verify_cert "$CA_DIR/ca_cert.pem"
|
||||
|
||||
make_cert --cert-dir "$CERT_DIR" "test" "test.example.com" "127.0.0.1" 2>/dev/null
|
||||
[[ -f "$CERT_DIR/test_cert.pem" ]] || { echo "ERROR: test_cert.pem not created" >&2; exit 1; }
|
||||
verify_cert "$CERT_DIR/test_cert.pem"
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# Two-level CA
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
echo
|
||||
echo "--- [shell] Two-level CA ---"
|
||||
reset_dirs
|
||||
make_ca --ca-dir "$CA_DIR" "Test Root CA" 2>/dev/null
|
||||
verify_cert "$CA_DIR/ca_cert.pem"
|
||||
|
||||
make_ca --issuing-ca "issuing_ca" "Issuing CA" 2>/dev/null
|
||||
[[ -f "$CA_DIR/issuing_ca/ca_cert.pem" ]] || { echo "ERROR: issuing_ca/ca_cert.pem not created" >&2; exit 1; }
|
||||
verify_cert "$CA_DIR/issuing_ca/ca_cert.pem"
|
||||
|
||||
make_cert --cert-dir "$CERT_DIR" --issuing-ca "issuing_ca" "test" "test.example.com" "127.0.0.1" 2>/dev/null
|
||||
verify_cert "$CERT_DIR/test_cert.pem"
|
||||
|
||||
make_pfx --issuing-ca "issuing_ca" --password "s3cr3t" "$CERT_DIR/test_cert.pem" 2>/dev/null
|
||||
[[ -f "$CERT_DIR/test.pfx" ]] || { echo "ERROR: test.pfx not created" >&2; exit 1; }
|
||||
openssl pkcs12 -in "$CERT_DIR/test.pfx" -noout -info -password pass:"s3cr3t" 2>/dev/null \
|
||||
|| { echo "ERROR: PFX verification failed" >&2; exit 1; }
|
||||
echo "PFX: OK"
|
||||
|
||||
echo
|
||||
echo "All shell tests passed."
|
||||
|
||||
Reference in New Issue
Block a user