Refactor simple-ca: Remove JSON config and streamline AIA URL handling

- Removed the JSON configuration structure and related functions.
- Introduced plain text file for AIA base URL management.
- Updated CA and certificate creation functions to directly read/write AIA URL.
- Simplified CA bundle rebuilding logic by directly reading subdirectories.
- Enhanced test coverage for CA and certificate creation, including PFX generation.
- Adjusted test cases to reflect changes in directory structure and file handling.

test_simple_ca.py

@@ -35,10 +35,8 @@ def verify_cert(cert_path, bundle_path):
 @pytest.fixture
 def dirs(tmp_path):
     ca = tmp_path / "ca"
-    certs = tmp_path / "certs"
     ca.mkdir()
-    certs.mkdir()
-    return ca, certs
+    return ca
 
 
 # ---------------------------------------------------------------------------
@@ -46,7 +44,7 @@ def dirs(tmp_path):
 # ---------------------------------------------------------------------------
 
 def test_standalone_ca(dirs):
-    ca, certs = dirs
+    ca = dirs
     py("make-ca", "--ca-dir", str(ca), "Test CA")
 
     assert (ca / "ca_cert.pem").exists()
@@ -54,11 +52,10 @@ def test_standalone_ca(dirs):
     assert (ca / "simple-ca.json").exists()
     verify_cert(ca / "ca_cert.pem", ca / "ca_bundle.pem")
 
-    py("make-cert", "--ca-dir", str(ca), "--cert-dir", str(certs),
-       "test", "test.example.com", "127.0.0.1")
+    py("make-cert", "--ca-dir", str(ca), "test", "test.example.com", "127.0.0.1")
 
-    assert (certs / "test_cert.pem").exists()
-    verify_cert(certs / "test_cert.pem", ca / "ca_bundle.pem")
+    assert (ca / "test_cert.pem").exists()
+    verify_cert(ca / "test_cert.pem", ca / "ca_bundle.pem")
 
 
 # ---------------------------------------------------------------------------
@@ -66,23 +63,23 @@ def test_standalone_ca(dirs):
 # ---------------------------------------------------------------------------
 
 def test_two_level_ca(dirs):
-    ca, certs = dirs
+    ca = dirs
     py("make-ca", "--ca-dir", str(ca), "Test Root CA")
     py("make-ca", "--ca-dir", str(ca), "--issuing-ca", "issuing_ca", "Issuing CA")
 
     assert (ca / "issuing_ca" / "ca_cert.pem").exists()
     verify_cert(ca / "issuing_ca" / "ca_cert.pem", ca / "ca_bundle.pem")
 
-    py("make-cert", "--ca-dir", str(ca), "--cert-dir", str(certs),
-       "--issuing-ca", "issuing_ca", "test", "test.example.com", "127.0.0.1")
+    py("make-cert", "--ca-dir", str(ca), "--issuing-ca", "issuing_ca",
+       "test", "test.example.com", "127.0.0.1")
 
-    verify_cert(certs / "test_cert.pem", ca / "ca_bundle.pem")
+    verify_cert(ca / "issuing_ca" / "test_cert.pem", ca / "ca_bundle.pem")
 
     py("make-pfx", "--ca-dir", str(ca), "--issuing-ca", "issuing_ca",
-       "--password", "s3cr3t", str(certs / "test_cert.pem"))
+       "--password", "s3cr3t", str(ca / "issuing_ca" / "test_cert.pem"))
 
-    assert (certs / "test.pfx").exists()
-    result = openssl("pkcs12", "-in", str(certs / "test.pfx"), "-noout", "-info",
+    assert (ca / "issuing_ca" / "test.pfx").exists()
+    result = openssl("pkcs12", "-in", str(ca / "issuing_ca" / "test.pfx"), "-noout", "-info",
                      "-password", "pass:s3cr3t")
     assert result.returncode == 0
 
@@ -92,31 +89,31 @@ def test_two_level_ca(dirs):
 # ---------------------------------------------------------------------------
 
 def test_pfx_modern(dirs):
-    ca, certs = dirs
+    ca = dirs
     py("make-ca", "--ca-dir", str(ca), "PFX Test CA")
     py("make-ca", "--ca-dir", str(ca), "--issuing-ca", "issuing_ca", "Issuing CA")
-    py("make-cert", "--ca-dir", str(ca), "--cert-dir", str(certs),
-       "--issuing-ca", "issuing_ca", "test", "test.example.com", "127.0.0.1")
+    py("make-cert", "--ca-dir", str(ca), "--issuing-ca", "issuing_ca",
+       "test", "test.example.com", "127.0.0.1")
     py("make-pfx", "--ca-dir", str(ca), "--issuing-ca", "issuing_ca",
-       "--password", "s3cr3t", str(certs / "test_cert.pem"))
+       "--password", "s3cr3t", str(ca / "issuing_ca" / "test_cert.pem"))
 
-    info = openssl("pkcs12", "-in", str(certs / "test.pfx"), "-noout", "-info",
+    info = openssl("pkcs12", "-in", str(ca / "issuing_ca" / "test.pfx"), "-noout", "-info",
                    "-password", "pass:s3cr3t")
     assert "PBES2" in (info.stdout + info.stderr), "Expected modern PBES2 encryption"
 
 
 @pytest.mark.skipif(sys.platform != "darwin", reason="macOS only")
 def test_pfx_apple_openssl(dirs):
-    ca, certs = dirs
+    ca = dirs
     py("make-ca", "--ca-dir", str(ca), "PFX Test CA")
     py("make-ca", "--ca-dir", str(ca), "--issuing-ca", "issuing_ca", "Issuing CA")
-    py("make-cert", "--ca-dir", str(ca), "--cert-dir", str(certs),
-       "--issuing-ca", "issuing_ca", "test", "test.example.com", "127.0.0.1")
+    py("make-cert", "--ca-dir", str(ca), "--issuing-ca", "issuing_ca",
+       "test", "test.example.com", "127.0.0.1")
     py("make-pfx", "--apple-openssl", "--ca-dir", str(ca), "--issuing-ca", "issuing_ca",
-       "--password", "s3cr3t", str(certs / "test_cert.pem"))
+       "--password", "s3cr3t", str(ca / "issuing_ca" / "test_cert.pem"))
 
     result = subprocess.run(
-        ["/usr/bin/openssl", "pkcs12", "-in", str(certs / "test.pfx"),
+        ["/usr/bin/openssl", "pkcs12", "-in", str(ca / "issuing_ca" / "test.pfx"),
          "-noout", "-info", "-password", "pass:s3cr3t"],
         capture_output=True, text=True,
     )
@@ -130,23 +127,24 @@ def test_pfx_apple_openssl(dirs):
 # ---------------------------------------------------------------------------
 
 def test_crl(dirs):
-    ca, certs = dirs
+    ca = dirs
     py("make-ca", "--ca-dir", str(ca), "CRL Test CA")
     py("make-ca", "--ca-dir", str(ca), "--issuing-ca", "issuing_ca", "Issuing CA")
 
-    py("make-cert", "--ca-dir", str(ca), "--cert-dir", str(certs),
-       "--issuing-ca", "issuing_ca", "alice", "alice.example.com")
-    py("make-cert", "--ca-dir", str(ca), "--cert-dir", str(certs),
-       "--issuing-ca", "issuing_ca", "bob", "bob.example.com")
+    py("make-cert", "--ca-dir", str(ca), "--issuing-ca", "issuing_ca",
+       "alice", "alice.example.com")
+    py("make-cert", "--ca-dir", str(ca), "--issuing-ca", "issuing_ca",
+       "bob", "bob.example.com")
 
-    alice_serial = cert_serial(certs / "alice_cert.pem")
-    bob_serial   = cert_serial(certs / "bob_cert.pem")
+    issuing_dir  = ca / "issuing_ca"
+    alice_serial = cert_serial(issuing_dir / "alice_cert.pem")
+    bob_serial   = cert_serial(issuing_dir / "bob_cert.pem")
 
     py("revoke-cert", "--ca-dir", str(ca), "--issuing-ca", "issuing_ca",
-       str(certs / "alice_cert.pem"))
+       str(issuing_dir / "alice_cert.pem"))
 
     py("make-crl", "--ca-dir", str(ca), "--issuing-ca", "issuing_ca")
-    issuing_crl = ca / "issuing_ca" / "crl.pem"
+    issuing_crl = issuing_dir / "crl.pem"
     assert issuing_crl.exists()
 
     crl_text = openssl("crl", "-in", str(issuing_crl), "-noout", "-text").stdout.upper()