#!/usr/bin/env bash

# MIT License
# Copyright (c) 2026 Sławomir Koszewski
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.

# Integration tests for simple-ca.sh.
# Usage: run-tests.sh
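set -e

# Directory holding this script; simple-ca.sh is expected to live next to it.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# Bring in the functions under test (make_ca, make_cert, make_pfx).
# shellcheck source=simple-ca.sh
source "$SCRIPT_DIR/simple-ca.sh"

# Temporary test directory — cleaned up on exit.
# A failing mktemp aborts the script via set -e before the trap is installed;
# the :? guard additionally guarantees the trap can never expand to an
# "rm -rf" of the empty string should TEST_DIR ever be cleared later on.
TEST_DIR="$(mktemp -d)"
trap 'rm -rf -- "${TEST_DIR:?}"' EXIT

# Root of the CA hierarchy every test section works in (see reset_dirs).
CA_DIR="$TEST_DIR/ca"
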
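#######################################
# Start a test section from a clean slate: remove CA_DIR, recreate it empty
# and clear SIMPLE_CA_DIR.
# Globals:   CA_DIR (read), SIMPLE_CA_DIR (written)
# Arguments: none
# Returns:   0; a failing rm/mkdir aborts the run via set -e
#######################################
reset_dirs() {
  # ${CA_DIR:?} makes the shell abort when CA_DIR is unset or empty, so this
  # line can never degrade into an unconstrained "rm -rf".
  rm -rf -- "${CA_DIR:?}"
  mkdir -p -- "$CA_DIR"
  # NOTE(review): simple-ca.sh presumably keeps the active CA directory in
  # SIMPLE_CA_DIR; clearing it here is what keeps state from leaking between
  # sections — confirm against simple-ca.sh.
  SIMPLE_CA_DIR=""
}
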
#######################################
# Fail the test run unless the given path is a regular file.
# Globals:   none
# Arguments: $1 - path that must exist as a regular file
# Outputs:   error message on stderr when the file is missing
# Returns:   0 when the file exists; exits 1 otherwise
#######################################
assert_file() {
  local path=$1
  if [[ -f "$path" ]]; then
    return 0
  fi
  printf 'ERROR: expected file not found: %s\n' "$path" >&2
  exit 1
}

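#######################################
# Verify a certificate against the CA bundle of the current test CA.
# Globals:   CA_DIR (read) — $CA_DIR/ca_bundle.pem is the trust anchor
# Arguments: $1 - certificate path (PEM)
# Outputs:   openssl's verification result and "Verified: <path>" on stdout
# Returns:   0 on success; exits 1 (with openssl's diagnostics on stderr) otherwise
#######################################
verify_cert() {
  local cert_path=$1
  local result

  # Capture stderr too: on failure the reason (unknown issuer, bad chain,
  # expired, ...) is what a test author needs, so it is no longer discarded.
  # NOTE(review): every cert, including those issued by an intermediate, is
  # verified against the root's ca_bundle.pem — presumably that bundle holds
  # the whole chain; confirm against simple-ca.sh.
  if ! result="$(openssl verify -CAfile "$CA_DIR/ca_bundle.pem" "$cert_path" 2>&1)"; then
    printf 'ERROR: Certificate verification failed: %s\n%s\n' "$cert_path" "$result" >&2
    exit 1
  fi
  printf '%s\n' "$result"
  echo "Verified: $cert_path"
}
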
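#######################################
# Assert that a certificate lists the given Extended Key Usage purpose.
# Only the "X509v3 Extended Key Usage" section of the text dump is inspected
# and the purpose is matched as a fixed string, so a name that merely appears
# elsewhere in the dump (e.g. in a subject field) or a regex metacharacter in
# the purpose cannot produce a false pass.
# Globals:   none
# Arguments: $1 - certificate path (PEM)
#            $2 - purpose as printed by `openssl x509 -text`,
#                 e.g. "TLS Web Server Authentication"
# Outputs:   "EKU OK: <purpose>" on stdout
# Returns:   0 on success; exits 1 if the cert cannot be parsed or lacks the EKU
#######################################
assert_eku() {
  local cert_path=$1
  local eku=$2
  local text eku_line

  # An unparseable cert used to abort silently through set -e; say so instead.
  if ! text="$(openssl x509 -in "$cert_path" -noout -text 2>/dev/null)"; then
    echo "ERROR: cannot parse certificate: $cert_path" >&2
    exit 1
  fi
  # The purposes are printed on the line after the section header (the header
  # itself may carry a trailing "critical").
  eku_line="$(awk '/X509v3 Extended Key Usage/ { getline; print }' <<<"$text")"
  if ! grep -qF -- "$eku" <<<"$eku_line"; then
    echo "ERROR: EKU '$eku' not found in $cert_path" >&2
    exit 1
  fi
  echo "EKU OK: $eku"
}
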
# ---------------------------------------------------------------------------
# Standalone CA — certs issued by root CA go into CA_DIR
# ---------------------------------------------------------------------------

# A root CA on its own: the CA cert and a server cert it issues land in CA_DIR.
test_standalone_ca() {
  printf '\n'
  printf '%s\n' "--- [shell] Standalone CA ---"
  reset_dirs
  make_ca --ca-dir "$CA_DIR" "Test CA" 2>/dev/null
  assert_file "$CA_DIR/ca_cert.pem"
  assert_file "$CA_DIR/ca_bundle.pem"
  verify_cert "$CA_DIR/ca_cert.pem"

  # No --ca-dir here: make_cert presumably picks up the CA created just above
  # through the state make_ca leaves behind — see SIMPLE_CA_DIR in reset_dirs.
  make_cert "test" "test.example.com" "127.0.0.1" 2>/dev/null
  assert_file "$CA_DIR/test_cert.pem"
  verify_cert "$CA_DIR/test_cert.pem"
}

# ---------------------------------------------------------------------------
# Two-level CA — issuing CA and its certs go into CA_DIR/issuing_ca/
# ---------------------------------------------------------------------------

# Root CA plus an issuing CA; a server cert and a PFX bundle come from the
# issuing CA and are checked for both TLS server and client EKUs.
test_two_level_ca() {
  local issuing="$CA_DIR/issuing_ca"
  printf '\n'
  printf '%s\n' "--- [shell] Two-level CA ---"
  reset_dirs
  make_ca --ca-dir "$CA_DIR" "Test Root CA" 2>/dev/null
  verify_cert "$CA_DIR/ca_cert.pem"

  make_ca --issuing-ca "issuing_ca" "Issuing CA" 2>/dev/null
  assert_file "$issuing/ca_cert.pem"
  verify_cert "$issuing/ca_cert.pem"

  make_cert --issuing-ca "issuing_ca" "test" "test.example.com" "127.0.0.1" 2>/dev/null
  assert_file "$issuing/test_cert.pem"
  verify_cert "$issuing/test_cert.pem"
  assert_eku "$issuing/test_cert.pem" "TLS Web Server Authentication"
  assert_eku "$issuing/test_cert.pem" "TLS Web Client Authentication"

  # Fixed throw-away password: test data only, not a real secret.
  make_pfx --issuing-ca "issuing_ca" --password "s3cr3t" "$issuing/test_cert.pem" 2>/dev/null
  assert_file "$issuing/test.pfx"
  if openssl pkcs12 -in "$issuing/test.pfx" -noout -info -password pass:"s3cr3t" 2>/dev/null; then
    printf '%s\n' "PFX: OK"
  else
    printf '%s\n' "ERROR: PFX verification failed" >&2
    exit 1
  fi
}

# ---------------------------------------------------------------------------
# User certificate
# ---------------------------------------------------------------------------

# Continues from the two-level hierarchy (no reset_dirs): a user cert from the
# issuing CA must carry client-auth, e-mail and code-signing EKUs.
test_user_cert() {
  local alice="$CA_DIR/issuing_ca/Alice Example_cert.pem"
  printf '\n'
  printf '%s\n' "--- [shell] User certificate ---"
  make_cert --issuing-ca "issuing_ca" --type user "Alice Example" "alice@example.com" 2>/dev/null
  assert_file "$alice"
  verify_cert "$alice"
  assert_eku "$alice" "TLS Web Client Authentication"
  assert_eku "$alice" "E-mail Protection"
  assert_eku "$alice" "Code Signing"
}

# Sections run in this order; test_user_cert depends on the hierarchy that
# test_two_level_ca leaves in CA_DIR.
test_standalone_ca
test_two_level_ca
test_user_cert

printf '\n'
printf '%s\n' "All shell tests passed."