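#!/usr/bin/env bash
# MIT License
# Copyright (c) 2026 Sławomir Koszewski
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.

# Integration tests for simple-ca.sh.
# Usage: run-tests.sh
#
# The script sources simple-ca.sh from its own directory, builds throw-away CAs
# under a private temporary directory and checks the issued artefacts with
# openssl. Any failing step terminates the run with a non-zero status.
#
# NOTE: the make_ca / make_cert / make_pfx calls below discard stderr to keep
# the test output short. With `set -e` a failure in one of them ends the run
# without a message; drop the `2>/dev/null` on the failing step when debugging.

set -e

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "$SCRIPT_DIR/simple-ca.sh"

# Temporary test directory — cleaned up on exit.
# mktemp -d creates the directory with owner-only permissions, so the CA
# material generated by the tests is not readable by other local users.
TEST_DIR="$(mktemp -d)"
# `:?` makes the cleanup refuse to run `rm -rf` on an empty path.
trap 'rm -rf -- "${TEST_DIR:?}"' EXIT
CA_DIR="$TEST_DIR/ca"

# Fixture password for the PKCS#12 round trip. Passing it via `--password` and
# `pass:` places it on the command line; that is acceptable for a throw-away
# test value only. Outside of tests prefer openssl's `env:` or `file:`
# password sources.
readonly TEST_PFX_PASSWORD="s3cr3t"

#######################################
# Recreates an empty CA directory and clears the CA selection.
# Globals:   CA_DIR (read), SIMPLE_CA_DIR (written)
# Arguments: none
#######################################
reset_dirs() {
  # Guarded so that an unset/empty CA_DIR can never turn into `rm -rf ""`.
  rm -rf -- "${CA_DIR:?}"
  mkdir -p -- "$CA_DIR"
  # Presumably read by the functions sourced from simple-ca.sh to remember the
  # active CA directory — verify against simple-ca.sh.
  # shellcheck disable=SC2034
  SIMPLE_CA_DIR=""
}

#######################################
# Fails the run unless the given path is a regular file.
# Arguments: $1 - path that must exist
#######################################
assert_file() {
  if [[ ! -f "$1" ]]; then
    echo "ERROR: expected file not found: $1" >&2
    exit 1
  fi
}

#######################################
# Verifies a certificate against $CA_DIR/ca_bundle.pem with `openssl verify`.
# Globals:   CA_DIR (read)
# Arguments: $1 - path to the PEM certificate
# Outputs:   openssl's result and a "Verified:" line on stdout; on failure the
#            openssl diagnostics on stderr
#######################################
verify_cert() {
  local cert_path=$1
  local verify_output

  # Capture the diagnostics instead of discarding them: when validation fails
  # the reason (expired, unknown issuer, bad signature, ...) is what matters.
  if ! verify_output="$(openssl verify -CAfile "$CA_DIR/ca_bundle.pem" "$cert_path" 2>&1)"; then
    echo "ERROR: Certificate verification failed: $cert_path" >&2
    printf '%s\n' "$verify_output" >&2
    exit 1
  fi
  printf '%s\n' "$verify_output"
  echo "Verified: $cert_path"
}

#######################################
# Fails the run unless the certificate's text dump mentions the given EKU.
# Arguments: $1 - path to the PEM certificate
#            $2 - EKU name as printed by `openssl x509 -text`
# Outputs:   "EKU OK:" line on stdout
#######################################
assert_eku() {
  local cert_path=$1
  local eku=$2
  local cert_text

  # Report an unreadable certificate explicitly; otherwise `set -e` would end
  # the run here without any message.
  if ! cert_text="$(openssl x509 -in "$cert_path" -noout -text 2>/dev/null)"; then
    echo "ERROR: cannot read certificate: $cert_path" >&2
    exit 1
  fi

  # -F: match the EKU name literally rather than as a regular expression;
  # `--` keeps a name starting with '-' from being parsed as an option.
  # NOTE(review): this is a substring match over the whole text dump, not only
  # the Extended Key Usage extension, so the same words appearing elsewhere in
  # the certificate (e.g. in the subject) would also satisfy it.
  if ! grep -qF -- "$eku" <<<"$cert_text"; then
    echo "ERROR: EKU '$eku' not found in $cert_path" >&2
    exit 1
  fi
  echo "EKU OK: $eku"
}

# ---------------------------------------------------------------------------
# Standalone CA — certs issued by root CA go into CA_DIR
# ---------------------------------------------------------------------------

echo
echo "--- [shell] Standalone CA ---"

reset_dirs
make_ca --ca-dir "$CA_DIR" "Test CA" 2>/dev/null
assert_file "$CA_DIR/ca_cert.pem"
assert_file "$CA_DIR/ca_bundle.pem"
verify_cert "$CA_DIR/ca_cert.pem"

make_cert "test" "test.example.com" "127.0.0.1" 2>/dev/null
assert_file "$CA_DIR/test_cert.pem"
verify_cert "$CA_DIR/test_cert.pem"

# ---------------------------------------------------------------------------
# Two-level CA — issuing CA and its certs go into CA_DIR/issuing_ca/
# ---------------------------------------------------------------------------

echo
echo "--- [shell] Two-level CA ---"

reset_dirs
make_ca --ca-dir "$CA_DIR" "Test Root CA" 2>/dev/null
verify_cert "$CA_DIR/ca_cert.pem"

make_ca --issuing-ca "issuing_ca" "Issuing CA" 2>/dev/null
assert_file "$CA_DIR/issuing_ca/ca_cert.pem"
verify_cert "$CA_DIR/issuing_ca/ca_cert.pem"

# Leaf certificates are verified against the root-level ca_bundle.pem, so the
# bundle presumably contains the issuing CA certificate as well — confirm in
# simple-ca.sh.
make_cert --issuing-ca "issuing_ca" "test" "test.example.com" "127.0.0.1" 2>/dev/null
assert_file "$CA_DIR/issuing_ca/test_cert.pem"
verify_cert "$CA_DIR/issuing_ca/test_cert.pem"
assert_eku "$CA_DIR/issuing_ca/test_cert.pem" "TLS Web Server Authentication"
assert_eku "$CA_DIR/issuing_ca/test_cert.pem" "TLS Web Client Authentication"
# TODO(review): only the presence of EKUs is asserted. Consider negative checks
# as well (e.g. that this server certificate does not carry "Code Signing" and
# that leaf certificates are not CA certificates) once the intended profile in
# simple-ca.sh is confirmed.

make_pfx --issuing-ca "issuing_ca" --password "$TEST_PFX_PASSWORD" "$CA_DIR/issuing_ca/test_cert.pem" 2>/dev/null
assert_file "$CA_DIR/issuing_ca/test.pfx"
# Opening the bundle with the same password proves it is readable and was
# protected with the password that was requested.
if ! openssl pkcs12 -in "$CA_DIR/issuing_ca/test.pfx" -noout -info -password pass:"$TEST_PFX_PASSWORD" 2>/dev/null; then
  echo "ERROR: PFX verification failed" >&2
  exit 1
fi
echo "PFX: OK"

# ---------------------------------------------------------------------------
# User certificate
# ---------------------------------------------------------------------------

echo
echo "--- [shell] User certificate ---"

# No reset_dirs here: this section reuses the root and issuing CA created by
# the two-level test above. The common name contains a space on purpose of
# exercising quoting in the resulting file name.
make_cert --issuing-ca "issuing_ca" --type user "Alice Example" "alice@example.com" 2>/dev/null
assert_file "$CA_DIR/issuing_ca/Alice Example_cert.pem"
verify_cert "$CA_DIR/issuing_ca/Alice Example_cert.pem"
assert_eku "$CA_DIR/issuing_ca/Alice Example_cert.pem" "TLS Web Client Authentication"
assert_eku "$CA_DIR/issuing_ca/Alice Example_cert.pem" "E-mail Protection"
assert_eku "$CA_DIR/issuing_ca/Alice Example_cert.pem" "Code Signing"

echo
echo "All shell tests passed."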