feat: Add integration tests for simple-ca functionality and implement shell script for CA operations

2026-05-24 21:04:00 +02:00
parent cb858a96b1
commit 04d8dab9bc
4 changed files with 544 additions and 207 deletions
@@ -0,0 +1,160 @@
+#!/usr/bin/env python3
+# MIT License
+# Copyright (c) 2026 Sławomir Koszewski
+
+import subprocess
+import sys
+from pathlib import Path
+
+import pytest
+
+SCRIPT = Path(__file__).parent / "simple-ca.py"
+
+
+def py(*args, check=True):
+    return subprocess.run(
+        [sys.executable, str(SCRIPT), *args],
+        capture_output=True, text=True, check=check,
+    )
+
+
+def openssl(*args, check=True):
+    return subprocess.run(["openssl", *args], capture_output=True, text=True, check=check)
+
+
+def cert_serial(cert_path):
+    out = openssl("x509", "-in", str(cert_path), "-noout", "-serial").stdout
+    return out.strip().split("=", 1)[-1].upper()
+
+
+def verify_cert(cert_path, bundle_path):
+    result = openssl("verify", "-CAfile", str(bundle_path), str(cert_path), check=False)
+    assert result.returncode == 0, f"Certificate verification failed:\n{result.stderr}"
+
+
+@pytest.fixture
+def dirs(tmp_path):
+    ca = tmp_path / "ca"
+    certs = tmp_path / "certs"
+    ca.mkdir()
+    certs.mkdir()
+    return ca, certs
+
+
+# ---------------------------------------------------------------------------
+# Standalone CA
+# ---------------------------------------------------------------------------
+
+def test_standalone_ca(dirs):
+    ca, certs = dirs
+    py("make-ca", "--ca-dir", str(ca), "Test CA")
+
+    assert (ca / "ca_cert.pem").exists()
+    assert (ca / "ca_bundle.pem").exists()
+    assert (ca / "simple-ca.json").exists()
+    verify_cert(ca / "ca_cert.pem", ca / "ca_bundle.pem")
+
+    py("make-cert", "--ca-dir", str(ca), "--cert-dir", str(certs),
+       "test", "test.example.com", "127.0.0.1")
+
+    assert (certs / "test_cert.pem").exists()
+    verify_cert(certs / "test_cert.pem", ca / "ca_bundle.pem")
+
+
+# ---------------------------------------------------------------------------
+# Two-level CA
+# ---------------------------------------------------------------------------
+
+def test_two_level_ca(dirs):
+    ca, certs = dirs
+    py("make-ca", "--ca-dir", str(ca), "Test Root CA")
+    py("make-ca", "--ca-dir", str(ca), "--issuing-ca", "issuing_ca", "Issuing CA")
+
+    assert (ca / "issuing_ca" / "ca_cert.pem").exists()
+    verify_cert(ca / "issuing_ca" / "ca_cert.pem", ca / "ca_bundle.pem")
+
+    py("make-cert", "--ca-dir", str(ca), "--cert-dir", str(certs),
+       "--issuing-ca", "issuing_ca", "test", "test.example.com", "127.0.0.1")
+
+    verify_cert(certs / "test_cert.pem", ca / "ca_bundle.pem")
+
+    py("make-pfx", "--ca-dir", str(ca), "--issuing-ca", "issuing_ca",
+       "--password", "s3cr3t", str(certs / "test_cert.pem"))
+
+    assert (certs / "test.pfx").exists()
+    result = openssl("pkcs12", "-in", str(certs / "test.pfx"), "-noout", "-info",
+                     "-password", "pass:s3cr3t")
+    assert result.returncode == 0
+
+
+# ---------------------------------------------------------------------------
+# PFX algorithm variants
+# ---------------------------------------------------------------------------
+
+def test_pfx_modern(dirs):
+    ca, certs = dirs
+    py("make-ca", "--ca-dir", str(ca), "PFX Test CA")
+    py("make-ca", "--ca-dir", str(ca), "--issuing-ca", "issuing_ca", "Issuing CA")
+    py("make-cert", "--ca-dir", str(ca), "--cert-dir", str(certs),
+       "--issuing-ca", "issuing_ca", "test", "test.example.com", "127.0.0.1")
+    py("make-pfx", "--ca-dir", str(ca), "--issuing-ca", "issuing_ca",
+       "--password", "s3cr3t", str(certs / "test_cert.pem"))
+
+    info = openssl("pkcs12", "-in", str(certs / "test.pfx"), "-noout", "-info",
+                   "-password", "pass:s3cr3t")
+    assert "PBES2" in (info.stdout + info.stderr), "Expected modern PBES2 encryption"
+
+
+@pytest.mark.skipif(sys.platform != "darwin", reason="macOS only")
+def test_pfx_apple_openssl(dirs):
+    ca, certs = dirs
+    py("make-ca", "--ca-dir", str(ca), "PFX Test CA")
+    py("make-ca", "--ca-dir", str(ca), "--issuing-ca", "issuing_ca", "Issuing CA")
+    py("make-cert", "--ca-dir", str(ca), "--cert-dir", str(certs),
+       "--issuing-ca", "issuing_ca", "test", "test.example.com", "127.0.0.1")
+    py("make-pfx", "--apple-openssl", "--ca-dir", str(ca), "--issuing-ca", "issuing_ca",
+       "--password", "s3cr3t", str(certs / "test_cert.pem"))
+
+    result = subprocess.run(
+        ["/usr/bin/openssl", "pkcs12", "-in", str(certs / "test.pfx"),
+         "-noout", "-info", "-password", "pass:s3cr3t"],
+        capture_output=True, text=True,
+    )
+    assert result.returncode == 0
+    combined = result.stdout + result.stderr
+    assert "PBES2" not in combined, "Expected Apple-compatible (non-PBES2) format"
+
+
+# ---------------------------------------------------------------------------
+# CRL and revocation
+# ---------------------------------------------------------------------------
+
+def test_crl(dirs):
+    ca, certs = dirs
+    py("make-ca", "--ca-dir", str(ca), "CRL Test CA")
+    py("make-ca", "--ca-dir", str(ca), "--issuing-ca", "issuing_ca", "Issuing CA")
+
+    py("make-cert", "--ca-dir", str(ca), "--cert-dir", str(certs),
+       "--issuing-ca", "issuing_ca", "alice", "alice.example.com")
+    py("make-cert", "--ca-dir", str(ca), "--cert-dir", str(certs),
+       "--issuing-ca", "issuing_ca", "bob", "bob.example.com")
+
+    alice_serial = cert_serial(certs / "alice_cert.pem")
+    bob_serial   = cert_serial(certs / "bob_cert.pem")
+
+    py("revoke-cert", "--ca-dir", str(ca), "--issuing-ca", "issuing_ca",
+       str(certs / "alice_cert.pem"))
+
+    py("make-crl", "--ca-dir", str(ca), "--issuing-ca", "issuing_ca")
+    issuing_crl = ca / "issuing_ca" / "crl.pem"
+    assert issuing_crl.exists()
+
+    crl_text = openssl("crl", "-in", str(issuing_crl), "-noout", "-text").stdout.upper()
+    assert alice_serial in crl_text, f"Alice's serial {alice_serial} not found in issuing CA CRL"
+    assert bob_serial not in crl_text, f"Bob's serial {bob_serial} unexpectedly found in issuing CA CRL"
+
+    py("make-crl", "--ca-dir", str(ca))
+    root_crl = ca / "crl.pem"
+    assert root_crl.exists()
+    root_crl_text = openssl("crl", "-in", str(root_crl), "-noout", "-text").stdout
+    assert "No Revoked Certificates" in root_crl_text, "Root CA CRL should be empty"