Update: Fixes and updates to two-level CA handling. Updated tests.

2026-03-04 20:10:28 +01:00
parent 79ac590ba6
commit a6c0878eba
2 changed files with 73 additions and 29 deletions
--- a/cert-functions.sh
+++ b/cert-functions.sh
@@ -1,3 +1,18 @@
+function make_hash_link() {
+    local CERT_PATH="$1"
+    if [[ ! -f "$CERT_PATH" ]]; then
+        echo "ERROR: Certificate file $CERT_PATH does not exist." >&2
+        return 1
+    fi
+    local CERT_DIR="$(dirname "$CERT_PATH")"
+    local HASH="$(openssl x509 -in "$CERT_PATH" -noout -hash 2>/dev/null)"
+    if [[ -z "$HASH" ]]; then
+        echo "ERROR: Failed to calculate hash for certificate $CERT_PATH." >&2
+        return 1
+    fi
+    ln -sf "$(basename "$CERT_PATH")" "$CERT_DIR/${HASH}.0"
+}
+
 function make_ca() {
    local CA_DAYS=3650 # Default validity period for CA certificates

@@ -79,6 +94,9 @@ function make_ca() {
            return 1
        fi

+        # Make a "hash" symlink for the CA certificate to allow OpenSSL to find it when verifying other certificates
+        make_hash_link "$CA_DIR/$ROOT_CA_CERT"
+
        return 0
    fi

@@ -104,6 +122,9 @@ function make_ca() {
        fi
    fi

+    # Make a "hash" symlink for the issuing CA certificate to allow OpenSSL to find it when verifying other certificates
+    make_hash_link "$CA_DIR/${CA_CERT}"
+
    return 0
 }

@@ -126,9 +147,18 @@ function _is_dns() {
 function make_server_cert() {
    local CA_FILE_PREFIX="ca" # Default to CA if no issuing CA is used
    local CERT_DAYS=365 # Default validity period for leaf certificates
+    local CA_DIR="" # The CA directory will default to certificate directory if not specified with --ca-dir

    while [[ $# -gt 0 ]]; do
        case "$1" in
+            --ca-dir)
+                if [[ -z "$2" ]]; then
+                    echo "ERROR: Missing value for --ca-dir." >&2
+                    return 1
+                fi
+                CA_DIR="$2"
+                shift 2
+                ;;
            --issuing-ca)
                if [[ -z "$2" ]]; then
                    echo "ERROR: Missing value for --issuing-ca." >&2
@@ -157,6 +187,8 @@ function make_server_cert() {
    local CERT_SUBJECT_NAME="$2"
    shift 2

+    CA_DIR="${CA_DIR:-$CERT_DIR}"
+
    local CA_CERT="${CA_FILE_PREFIX}_cert.pem"
    local CA_KEY="${CA_FILE_PREFIX}_key.pem"

@@ -165,6 +197,11 @@ function make_server_cert() {
        return 1
    fi

+    if [[ -z "$CA_DIR" || ! -d "$CA_DIR" ]]; then
+        echo "ERROR: CA directory $CA_DIR does not exist." >&2
+        return 1
+    fi
+
    if [[ -z "$CERT_SUBJECT_NAME" ]]; then
        echo "ERROR: Subject name is required." >&2
        return 1
@@ -175,8 +212,8 @@ function make_server_cert() {
        return 1
    fi

-    if [[ ! -f "$CERT_DIR/$CA_CERT" || ! -f "$CERT_DIR/$CA_KEY" ]]; then
-        echo "ERROR: Signing CA certificate and key not found in $CERT_DIR. Please call setup a signing CA first." >&2
+    if [[ ! -f "$CA_DIR/$CA_CERT" || ! -f "$CA_DIR/$CA_KEY" ]]; then
+        echo "ERROR: Signing CA certificate and key not found in $CA_DIR. Please call setup a signing CA first." >&2
        return 1
    fi

@@ -222,8 +259,8 @@ function make_server_cert() {
            -addext "$SANS_EXT" \
        | openssl x509 \
            -req \
-            -CA "$CERT_DIR/$CA_CERT" \
-            -CAkey "$CERT_DIR/$CA_KEY" \
+            -CA "$CA_DIR/$CA_CERT" \
+            -CAkey "$CA_DIR/$CA_KEY" \
            -copy_extensions copyall \
            -days $CERT_DAYS \
            -text \
--- a/run-tests.sh
+++ b/run-tests.sh
@@ -7,32 +7,40 @@ set -e
 source "$(dirname "$BASH_SOURCE[0]")/cert-functions.sh"

 function clean_up_test_dir() {
-    local TEST_DIR="$1"
-
-    if [[ -d "$TEST_DIR" ]]; then
-        echo "Cleaning up test directory $TEST_DIR..."
-        rm -rf "$TEST_DIR"/*
+    if [[ -d "$CERT_DIR" ]]; then
+        echo "Cleaning up test directory $CERT_DIR..."
+        rm -rf "$CERT_DIR"/*
    fi

-    echo "Creating test directory $TEST_DIR and ca subdirectory..."
-    mkdir -p "$TEST_DIR/ca"
+    echo "Creating test directory $CERT_DIR and ca subdirectory..."
+    mkdir -p "$CERT_DIR/ca"
 }

 function display_certificate() {
-    local CERT_DIR="$1"
-    local CERT_FILE="$2"
+    local CERT_PATH="$1"

-    echo -e "\nDisplaying generated certificate for verification ($CERT_FILE):"
+    echo -e "\nDisplaying generated certificate for verification ($CERT_PATH):"

    # Display the certificate details for verification
-    openssl x509 -in "$CERT_DIR/$CERT_FILE" -noout -subject -issuer -serial -hash -fingerprint
+    openssl x509 -in "$CERT_PATH" -noout -subject -issuer -serial -fingerprint
    echo
+
+    echo -e "\nVerifying certificate against the CA ($CA_DIR)..."
+
+    # Verify the certificate against the CA
+    if openssl verify -CApath "$CA_DIR" "$CERT_PATH" 2>/dev/null; then
+        echo "Certificate verification successful."
+    else
+        echo "ERROR: Certificate verification failed." >&2
+    fi
 }

 # Create a temporary directory for the test certificates
-TEMP_CERT_DIR="$(dirname "$BASH_SOURCE[0]")/tests"
+CERT_DIR="$(dirname "$BASH_SOURCE[0]")/tests"
+CA_DIR="$CERT_DIR/ca"
+
 # Clean up any existing files in the temporary directory
-clean_up_test_dir "$TEMP_CERT_DIR"
+clean_up_test_dir "$CERT_DIR"

 echo
 echo "Running tests for standalone CA..."
@@ -40,25 +48,25 @@ echo "----------------------------------"
 echo

 # Create a standalone CA for testing purposes
-if ! make_ca "$TEMP_CERT_DIR" "Test CA"; then
+if ! make_ca "$CA_DIR" "Test CA"; then
    echo "ERROR: Failed to create CA." >&2
    exit 1
 fi

 # List the generated certificates and keys for verification
-display_certificate "$TEMP_CERT_DIR" "ca_cert.pem"
+display_certificate "$CA_DIR/ca_cert.pem"

 # Make a server certificate signed by the CA
-if ! make_server_cert "$TEMP_CERT_DIR" "test" "test.example.com" "127.0.0.1"; then
+if ! make_server_cert --ca-dir "$CA_DIR" "$CERT_DIR" "test" "test.example.com" "127.0.0.1"; then
    echo "ERROR: Failed to create server certificate." >&2
    exit 1
 fi

 # List the generated server certificate and key for verification
-display_certificate "$TEMP_CERT_DIR" "test_cert.pem"
+display_certificate "$CERT_DIR/test_cert.pem"

 # Remove all files from the directory
-clean_up_test_dir "$TEMP_CERT_DIR"
+clean_up_test_dir "$CERT_DIR"

 echo
 echo "Running tests for two-level CA..."
@@ -66,29 +74,28 @@ echo "---------------------------------"
 echo

 # Create a new CA with pathlen 1
-if ! make_ca --path-len 1 "$TEMP_CERT_DIR" "Test Two Level CA"; then
+if ! make_ca --path-len 1 "$CA_DIR" "Test Two Level CA"; then
    echo "ERROR: Failed to create CA." >&2
    exit 1
 fi

 # List the generated certificates and keys for verification
-display_certificate "$TEMP_CERT_DIR" "ca_cert.pem"
+display_certificate "$CA_DIR/ca_cert.pem"

 # Create an issuing CA signed by the first CA
-if ! make_ca --issuing-ca "issuing_ca" "$TEMP_CERT_DIR" "Issuing CA"; then
+if ! make_ca --issuing-ca "issuing_ca" "$CA_DIR" "Issuing CA"; then
    echo "ERROR: Failed to create issuing CA." >&2
    exit 1
 fi

 # List the generated certificates and keys for verification
-display_certificate "$TEMP_CERT_DIR" "issuing_ca_cert.pem"
+display_certificate "$CA_DIR/issuing_ca_cert.pem"

 # Make a server certificate signed by the CA
-if ! make_server_cert --issuing-ca "issuing_ca" "$TEMP_CERT_DIR" "test" "test.example.com" "127.0.0.1"; then
+if ! make_server_cert --ca-dir "$CA_DIR" --issuing-ca "issuing_ca" "$CERT_DIR" "test" "test.example.com" "127.0.0.1"; then
    echo "ERROR: Failed to create server certificate." >&2
    exit 1
 fi

 # List the generated server certificate and key for verification
-display_certificate "$TEMP_CERT_DIR" "test_cert.pem"
-
+display_certificate "$CERT_DIR/test_cert.pem"