feat: Enhance certificate generation with user type support and additional SANs

run-tests.sh

@@ -41,6 +41,13 @@ reset_dirs() {
     SIMPLE_CA_DIR=""
 }
 
+assert_file() {
+    if [[ ! -f "$1" ]]; then
+        echo "ERROR: expected file not found: $1" >&2
+        exit 1
+    fi
+}
+
 verify_cert() {
     local CERT_PATH="$1"
     if ! openssl verify -CAfile "$CA_DIR/ca_bundle.pem" "$CERT_PATH" 2>/dev/null; then
@@ -50,6 +57,18 @@ verify_cert() {
     echo "Verified: $CERT_PATH"
 }
 
+assert_eku() {
+    local CERT_PATH="$1"
+    local EKU="$2"
+    local TEXT
+    TEXT="$(openssl x509 -in "$CERT_PATH" -noout -text 2>/dev/null)"
+    if ! echo "$TEXT" | grep -q "$EKU"; then
+        echo "ERROR: EKU '$EKU' not found in $CERT_PATH" >&2
+        exit 1
+    fi
+    echo "EKU OK: $EKU"
+}
+
 # ---------------------------------------------------------------------------
 # Standalone CA — certs issued by root CA go into CA_DIR
 # ---------------------------------------------------------------------------
@@ -58,12 +77,12 @@ echo
 echo "--- [shell] Standalone CA ---"
 reset_dirs
 make_ca --ca-dir "$CA_DIR" "Test CA" 2>/dev/null
-[[ -f "$CA_DIR/ca_cert.pem" ]]   || { echo "ERROR: ca_cert.pem not created" >&2; exit 1; }
-[[ -f "$CA_DIR/ca_bundle.pem" ]] || { echo "ERROR: ca_bundle.pem not created" >&2; exit 1; }
+assert_file "$CA_DIR/ca_cert.pem"
+assert_file "$CA_DIR/ca_bundle.pem"
 verify_cert "$CA_DIR/ca_cert.pem"
 
 make_cert "test" "test.example.com" "127.0.0.1" 2>/dev/null
-[[ -f "$CA_DIR/test_cert.pem" ]] || { echo "ERROR: test_cert.pem not created in CA_DIR" >&2; exit 1; }
+assert_file "$CA_DIR/test_cert.pem"
 verify_cert "$CA_DIR/test_cert.pem"
 
 # ---------------------------------------------------------------------------
@@ -77,18 +96,35 @@ make_ca --ca-dir "$CA_DIR" "Test Root CA" 2>/dev/null
 verify_cert "$CA_DIR/ca_cert.pem"
 
 make_ca --issuing-ca "issuing_ca" "Issuing CA" 2>/dev/null
-[[ -f "$CA_DIR/issuing_ca/ca_cert.pem" ]] || { echo "ERROR: issuing_ca/ca_cert.pem not created" >&2; exit 1; }
+assert_file "$CA_DIR/issuing_ca/ca_cert.pem"
 verify_cert "$CA_DIR/issuing_ca/ca_cert.pem"
 
 make_cert --issuing-ca "issuing_ca" "test" "test.example.com" "127.0.0.1" 2>/dev/null
-[[ -f "$CA_DIR/issuing_ca/test_cert.pem" ]] || { echo "ERROR: issuing_ca/test_cert.pem not created" >&2; exit 1; }
+assert_file "$CA_DIR/issuing_ca/test_cert.pem"
 verify_cert "$CA_DIR/issuing_ca/test_cert.pem"
+assert_eku "$CA_DIR/issuing_ca/test_cert.pem" "TLS Web Server Authentication"
+assert_eku "$CA_DIR/issuing_ca/test_cert.pem" "TLS Web Client Authentication"
 
 make_pfx --issuing-ca "issuing_ca" --password "s3cr3t" "$CA_DIR/issuing_ca/test_cert.pem" 2>/dev/null
-[[ -f "$CA_DIR/issuing_ca/test.pfx" ]] || { echo "ERROR: issuing_ca/test.pfx not created" >&2; exit 1; }
-openssl pkcs12 -in "$CA_DIR/issuing_ca/test.pfx" -noout -info -password pass:"s3cr3t" 2>/dev/null \
-    || { echo "ERROR: PFX verification failed" >&2; exit 1; }
+assert_file "$CA_DIR/issuing_ca/test.pfx"
+if ! openssl pkcs12 -in "$CA_DIR/issuing_ca/test.pfx" -noout -info -password pass:"s3cr3t" 2>/dev/null; then
+    echo "ERROR: PFX verification failed" >&2
+    exit 1
+fi
 echo "PFX: OK"
 
+# ---------------------------------------------------------------------------
+# User certificate
+# ---------------------------------------------------------------------------
+
+echo
+echo "--- [shell] User certificate ---"
+make_cert --issuing-ca "issuing_ca" --type user "Alice Example" "alice@example.com" 2>/dev/null
+assert_file "$CA_DIR/issuing_ca/Alice Example_cert.pem"
+verify_cert "$CA_DIR/issuing_ca/Alice Example_cert.pem"
+assert_eku "$CA_DIR/issuing_ca/Alice Example_cert.pem" "TLS Web Client Authentication"
+assert_eku "$CA_DIR/issuing_ca/Alice Example_cert.pem" "E-mail Protection"
+assert_eku "$CA_DIR/issuing_ca/Alice Example_cert.pem" "Code Signing"
+
 echo
 echo "All shell tests passed."