Refactor simple-ca: Remove JSON config and streamline AIA URL handling

- Removed the JSON configuration structure and related functions. - Introduced plain text file for AIA base URL management. - Updated CA and certificate creation functions to directly read/write AIA URL. - Simplified CA bundle rebuilding logic by directly reading subdirectories. - Enhanced test coverage for CA and certificate creation, including PFX generation. - Adjusted test cases to reflect changes in directory structure and file handling.
2026-05-24 21:40:06 +02:00
parent 04d8dab9bc
commit 935167ca8c
7 changed files with 440 additions and 316 deletions
@@ -34,11 +34,10 @@ TEST_DIR="$(mktemp -d)"
 trap 'rm -rf "$TEST_DIR"' EXIT

 CA_DIR="$TEST_DIR/ca"
-CERT_DIR="$TEST_DIR/certs"

 reset_dirs() {
-    rm -rf "$CA_DIR" "$CERT_DIR"
-    mkdir -p "$CA_DIR" "$CERT_DIR"
+    rm -rf "$CA_DIR"
+    mkdir -p "$CA_DIR"
    SIMPLE_CA_DIR=""
 }

@@ -52,23 +51,23 @@ verify_cert() {
 }

 # ---------------------------------------------------------------------------
-# Standalone CA
+# Standalone CA — certs issued by root CA go into CA_DIR
 # ---------------------------------------------------------------------------

 echo
 echo "--- [shell] Standalone CA ---"
 reset_dirs
 make_ca --ca-dir "$CA_DIR" "Test CA" 2>/dev/null
-[[ -f "$CA_DIR/ca_cert.pem" ]]    || { echo "ERROR: ca_cert.pem not created" >&2; exit 1; }
-[[ -f "$CA_DIR/ca_bundle.pem" ]]  || { echo "ERROR: ca_bundle.pem not created" >&2; exit 1; }
+[[ -f "$CA_DIR/ca_cert.pem" ]]   || { echo "ERROR: ca_cert.pem not created" >&2; exit 1; }
+[[ -f "$CA_DIR/ca_bundle.pem" ]] || { echo "ERROR: ca_bundle.pem not created" >&2; exit 1; }
 verify_cert "$CA_DIR/ca_cert.pem"

-make_cert --cert-dir "$CERT_DIR" "test" "test.example.com" "127.0.0.1" 2>/dev/null
-[[ -f "$CERT_DIR/test_cert.pem" ]] || { echo "ERROR: test_cert.pem not created" >&2; exit 1; }
-verify_cert "$CERT_DIR/test_cert.pem"
+make_cert "test" "test.example.com" "127.0.0.1" 2>/dev/null
+[[ -f "$CA_DIR/test_cert.pem" ]] || { echo "ERROR: test_cert.pem not created in CA_DIR" >&2; exit 1; }
+verify_cert "$CA_DIR/test_cert.pem"

 # ---------------------------------------------------------------------------
-# Two-level CA
+# Two-level CA — issuing CA and its certs go into CA_DIR/issuing_ca/
 # ---------------------------------------------------------------------------

 echo
@@ -81,12 +80,13 @@ make_ca --issuing-ca "issuing_ca" "Issuing CA" 2>/dev/null
 [[ -f "$CA_DIR/issuing_ca/ca_cert.pem" ]] || { echo "ERROR: issuing_ca/ca_cert.pem not created" >&2; exit 1; }
 verify_cert "$CA_DIR/issuing_ca/ca_cert.pem"

-make_cert --cert-dir "$CERT_DIR" --issuing-ca "issuing_ca" "test" "test.example.com" "127.0.0.1" 2>/dev/null
-verify_cert "$CERT_DIR/test_cert.pem"
+make_cert --issuing-ca "issuing_ca" "test" "test.example.com" "127.0.0.1" 2>/dev/null
+[[ -f "$CA_DIR/issuing_ca/test_cert.pem" ]] || { echo "ERROR: issuing_ca/test_cert.pem not created" >&2; exit 1; }
+verify_cert "$CA_DIR/issuing_ca/test_cert.pem"

-make_pfx --issuing-ca "issuing_ca" --password "s3cr3t" "$CERT_DIR/test_cert.pem" 2>/dev/null
-[[ -f "$CERT_DIR/test.pfx" ]] || { echo "ERROR: test.pfx not created" >&2; exit 1; }
-openssl pkcs12 -in "$CERT_DIR/test.pfx" -noout -info -password pass:"s3cr3t" 2>/dev/null \
+make_pfx --issuing-ca "issuing_ca" --password "s3cr3t" "$CA_DIR/issuing_ca/test_cert.pem" 2>/dev/null
+[[ -f "$CA_DIR/issuing_ca/test.pfx" ]] || { echo "ERROR: issuing_ca/test.pfx not created" >&2; exit 1; }
+openssl pkcs12 -in "$CA_DIR/issuing_ca/test.pfx" -noout -info -password pass:"s3cr3t" 2>/dev/null \
    || { echo "ERROR: PFX verification failed" >&2; exit 1; }
 echo "PFX: OK"