slawek/simple-ca
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0d61919162ef51ab0d39930afc60378e5753871b
simple-ca/run-tests.sh
T
slawek 16c228d2b1
/ test-bash (push) Failing after 3s
Details
/ test-python (push) Successful in 18s
Details
/ test-go (push) Successful in 9m50s
Details
Refactor CA management and certificate generation 
- Removed the legacy simple-ca.sh script, consolidating functionality into Go code.
- Introduced a JSON configuration file (simple-ca.json) to manage CA settings, including validity periods and AIA base URLs.
- Enhanced the makeCA function to utilize configuration values for CA creation and AIA URL management.
- Updated makeCert and makePFX functions to support configuration-driven behavior.
- Improved error handling and user feedback throughout the CA and certificate generation processes.
- Added support for using Apple's OpenSSL for PKCS#12 file generation.
2026-05-24 14:39:47 +02:00

179 lines
7.2 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# MIT License
# Copyright (c) 2026 Sławomir Koszewski
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
# This script runs integration tests against one or more simple-ca implementations.
# Usage: run-tests.sh [python|go|all] (default: all)
set -e
TEST_TARGET="${1:-all}"
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
CERT_DIR="$SCRIPT_DIR/tests"
CA_DIR="$CERT_DIR/ca"
clean_up_test_dir() {
if [[ -d "$CERT_DIR" ]]; then
echo "Cleaning up test directory $CERT_DIR..."
rm -rf "$CERT_DIR"/*
fi
echo "Creating test directory $CERT_DIR and ca subdirectory..."
mkdir -p "$CA_DIR"
}
display_certificate() {
local CERT_PATH="$1"
echo -e "\nDisplaying generated certificate for verification ($CERT_PATH):"
openssl x509 -in "$CERT_PATH" -noout -subject -issuer -serial -fingerprint
echo
echo -e "\nVerifying certificate against the CA bundle ($CA_DIR/ca_bundle.pem)..."
if openssl verify -CAfile "$CA_DIR/ca_bundle.pem" "$CERT_PATH" 2>/dev/null; then
echo "Certificate verification successful."
else
echo "ERROR: Certificate verification failed." >&2
exit 1
fi
}
# verify_pfx LABEL PFX_PATH PASSWORD PATTERN
# Checks that PATTERN appears in the pkcs12 -info output (case-insensitive).
verify_pfx_algo() {
local LABEL="$1" PFX_PATH="$2" PASSWORD="$3" PATTERN="$4"
local INFO
INFO=$(openssl pkcs12 -in "$PFX_PATH" -noout -info -password "pass:$PASSWORD" 2>&1)
if echo "$INFO" | grep -qi "$PATTERN"; then
echo "PFX [$LABEL]: OK"
else
echo "ERROR: PFX [$LABEL]: expected pattern '$PATTERN' not found in:" >&2
echo "$INFO" >&2
exit 1
fi
}
# run_flow NAME MAKE_CA_CMD MAKE_CERT_CMD MAKE_PFX_CMD
# Command variables are left unquoted on use, so multi-word prefixes
# (e.g. "python3 simple-ca.py make-ca") word-split as expected.
run_flow() {
local NAME="$1"
local MAKE_CA_CMD="$2"
local MAKE_CERT_CMD="$3"
local MAKE_PFX_CMD="$4"
echo
echo "============================================================"
echo "Running tests for '$NAME' implementation"
echo "============================================================"
echo
echo "--- [$NAME] Standalone CA ---"
clean_up_test_dir
$MAKE_CA_CMD --ca-dir "$CA_DIR" "Test CA"
[[ -f "$CA_DIR/simple-ca.json" ]] || { echo "ERROR: simple-ca.json not created" >&2; exit 1; }
display_certificate "$CA_DIR/ca_cert.pem"
$MAKE_CERT_CMD --ca-dir "$CA_DIR" --cert-dir "$CERT_DIR" "test" "test.example.com" "127.0.0.1"
display_certificate "$CERT_DIR/test_cert.pem"
echo
echo "--- [$NAME] Two-level CA ---"
clean_up_test_dir
$MAKE_CA_CMD --ca-dir "$CA_DIR" "Test Two Level CA"
[[ -f "$CA_DIR/simple-ca.json" ]] || { echo "ERROR: simple-ca.json not created" >&2; exit 1; }
display_certificate "$CA_DIR/ca_cert.pem"
$MAKE_CA_CMD --ca-dir "$CA_DIR" --issuing-ca "issuing_ca" "Issuing CA"
display_certificate "$CA_DIR/issuing_ca/ca_cert.pem"
$MAKE_CERT_CMD --ca-dir "$CA_DIR" --cert-dir "$CERT_DIR" --issuing-ca "issuing_ca" "test" "test.example.com" "127.0.0.1"
display_certificate "$CERT_DIR/test_cert.pem"
$MAKE_PFX_CMD --ca-dir "$CA_DIR" --issuing-ca "issuing_ca" --password "s3cr3t" "$CERT_DIR/test_cert.pem"
echo -e "\nVerifying contents of generated PKCS#12 (PFX) file ($CERT_DIR/test.pfx):"
openssl pkcs12 -in "$CERT_DIR/test.pfx" -noout -info -password pass:"s3cr3t"
}
# run_pfx_algorithm_tests NAME MAKE_CA_CMD MAKE_CERT_CMD MAKE_PFX_CMD
# Tests modern, legacy, and (on macOS) --apple-openssl PKCS12 variants.
run_pfx_algorithm_tests() {
local NAME="$1"
local MAKE_CA_CMD="$2"
local MAKE_CERT_CMD="$3"
local MAKE_PFX_CMD="$4"
echo
echo "--- [$NAME] PFX algorithm variants ---"
clean_up_test_dir
$MAKE_CA_CMD --ca-dir "$CA_DIR" "PFX Test CA"
$MAKE_CA_CMD --ca-dir "$CA_DIR" --issuing-ca "issuing_ca" "Issuing CA"
$MAKE_CERT_CMD --ca-dir "$CA_DIR" --cert-dir "$CERT_DIR" --issuing-ca "issuing_ca" \
"test" "test.example.com" "127.0.0.1"
# Modern (default): OpenSSL 3.x PBES2/AES-256
$MAKE_PFX_CMD --ca-dir "$CA_DIR" --issuing-ca "issuing_ca" --password "s3cr3t" \
"$CERT_DIR/test_cert.pem"
verify_pfx_algo "modern" "$CERT_DIR/test.pfx" "s3cr3t" "PBES2"
rm "$CERT_DIR/test.pfx"
# Apple openssl (macOS only): verify the switch routes to /usr/bin/openssl
# and that the result is readable by Apple's binary (not PBES2).
if [[ "$(uname)" == "Darwin" ]]; then
$MAKE_PFX_CMD --apple-openssl --ca-dir "$CA_DIR" --issuing-ca "issuing_ca" --password "s3cr3t" \
"$CERT_DIR/test_cert.pem"
/usr/bin/openssl pkcs12 -in "$CERT_DIR/test.pfx" -noout -info -password pass:"s3cr3t" 2>&1
# Confirm Apple's binary produced its own (non-PBES2) format
INFO=$(/usr/bin/openssl pkcs12 -in "$CERT_DIR/test.pfx" -noout -info -password pass:"s3cr3t" 2>&1)
if echo "$INFO" | grep -qi "PBES2"; then
echo "ERROR: PFX [apple-openssl]: unexpected PBES2 — Apple binary was not used" >&2
exit 1
fi
echo "PFX [apple-openssl]: OK"
rm "$CERT_DIR/test.pfx"
fi
}
# Uses ;;& to fall through to subsequent patterns so 'all' matches every block.
case "$TEST_TARGET" in
python|all)
command -v python3 >/dev/null || { echo "ERROR: python3 not found" >&2; exit 1; }
PY_PREFIX="python3 $SCRIPT_DIR/simple-ca.py"
run_flow "python" "$PY_PREFIX make-ca" "$PY_PREFIX make-cert" "$PY_PREFIX make-pfx"
run_pfx_algorithm_tests "python" "$PY_PREFIX make-ca" "$PY_PREFIX make-cert" "$PY_PREFIX make-pfx"
;;&
go|all)
command -v go >/dev/null || { echo "ERROR: go not found" >&2; exit 1; }
GO_SRC="$SCRIPT_DIR/src/simple-ca"
GO_BIN="$GO_SRC/simple-ca"
echo "Building Go binary..."
(cd "$GO_SRC" && go build -o simple-ca .)
run_flow "go" "$GO_BIN make-ca" "$GO_BIN make-cert" "$GO_BIN make-pfx"
run_pfx_algorithm_tests "go" "$GO_BIN make-ca" "$GO_BIN make-cert" "$GO_BIN make-pfx"
;;&
python|go|all)
;;
*)
echo "ERROR: unknown target '$TEST_TARGET' (expected: python|go|all)" >&2
exit 1
;;
esac
echo
echo "All requested tests passed."
Reference in New Issue View Git Blame Copy Permalink