simple-ca/run-tests.sh

#!/usr/bin/env bash

# MIT License
# Copyright (c) 2026 Sławomir Koszewski
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.

# This script runs integration tests against the simple-ca Python implementation.
# Usage: run-tests.sh [python|all]   (default: all)
set -e

TEST_TARGET="${1:-all}"

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
CERT_DIR="$SCRIPT_DIR/tests"
CA_DIR="$CERT_DIR/ca"

clean_up_test_dir() {
    if [[ -d "$CERT_DIR" ]]; then
        echo "Cleaning up test directory $CERT_DIR..."
        rm -rf "$CERT_DIR"/*
    fi
    echo "Creating test directory $CERT_DIR and ca subdirectory..."
    mkdir -p "$CA_DIR"
}

display_certificate() {
    local CERT_PATH="$1"

    echo -e "\nDisplaying generated certificate for verification ($CERT_PATH):"
    openssl x509 -in "$CERT_PATH" -noout -subject -issuer -serial -fingerprint
    echo

    echo -e "\nVerifying certificate against the CA bundle ($CA_DIR/ca_bundle.pem)..."
    if openssl verify -CAfile "$CA_DIR/ca_bundle.pem" "$CERT_PATH" 2>/dev/null; then
        echo "Certificate verification successful."
    else
        echo "ERROR: Certificate verification failed." >&2
        exit 1
    fi
}

# verify_pfx LABEL PFX_PATH PASSWORD PATTERN
# Checks that PATTERN appears in the pkcs12 -info output (case-insensitive).
verify_pfx_algo() {
    local LABEL="$1" PFX_PATH="$2" PASSWORD="$3" PATTERN="$4"
    local INFO
    INFO=$(openssl pkcs12 -in "$PFX_PATH" -noout -info -password "pass:$PASSWORD" 2>&1)
    if echo "$INFO" | grep -qi "$PATTERN"; then
        echo "PFX [$LABEL]: OK"
    else
        echo "ERROR: PFX [$LABEL]: expected pattern '$PATTERN' not found in:" >&2
        echo "$INFO" >&2
        exit 1
    fi
}

# run_flow NAME MAKE_CA_CMD MAKE_CERT_CMD MAKE_PFX_CMD
# Command variables are left unquoted on use, so multi-word prefixes
# (e.g. "python3 simple-ca.py make-ca") word-split as expected.
run_flow() {
    local NAME="$1"
    local MAKE_CA_CMD="$2"
    local MAKE_CERT_CMD="$3"
    local MAKE_PFX_CMD="$4"

    echo
    echo "============================================================"
    echo "Running tests for '$NAME' implementation"
    echo "============================================================"

    echo
    echo "--- [$NAME] Standalone CA ---"
    clean_up_test_dir
    $MAKE_CA_CMD --ca-dir "$CA_DIR" "Test CA"
    [[ -f "$CA_DIR/simple-ca.json" ]] || { echo "ERROR: simple-ca.json not created" >&2; exit 1; }
    display_certificate "$CA_DIR/ca_cert.pem"
    $MAKE_CERT_CMD --ca-dir "$CA_DIR" --cert-dir "$CERT_DIR" "test" "test.example.com" "127.0.0.1"
    display_certificate "$CERT_DIR/test_cert.pem"

    echo
    echo "--- [$NAME] Two-level CA ---"
    clean_up_test_dir
    $MAKE_CA_CMD --ca-dir "$CA_DIR" "Test Two Level CA"
    [[ -f "$CA_DIR/simple-ca.json" ]] || { echo "ERROR: simple-ca.json not created" >&2; exit 1; }
    display_certificate "$CA_DIR/ca_cert.pem"
    $MAKE_CA_CMD --ca-dir "$CA_DIR" --issuing-ca "issuing_ca" "Issuing CA"
    display_certificate "$CA_DIR/issuing_ca/ca_cert.pem"
    $MAKE_CERT_CMD --ca-dir "$CA_DIR" --cert-dir "$CERT_DIR" --issuing-ca "issuing_ca" "test" "test.example.com" "127.0.0.1"
    display_certificate "$CERT_DIR/test_cert.pem"
    $MAKE_PFX_CMD --ca-dir "$CA_DIR" --issuing-ca "issuing_ca" --password "s3cr3t" "$CERT_DIR/test_cert.pem"

    echo -e "\nVerifying contents of generated PKCS#12 (PFX) file ($CERT_DIR/test.pfx):"
    openssl pkcs12 -in "$CERT_DIR/test.pfx" -noout -info -password pass:"s3cr3t"
}

# run_pfx_algorithm_tests NAME MAKE_CA_CMD MAKE_CERT_CMD MAKE_PFX_CMD
# Tests modern, legacy, and (on macOS) --apple-openssl PKCS12 variants.
run_pfx_algorithm_tests() {
    local NAME="$1"
    local MAKE_CA_CMD="$2"
    local MAKE_CERT_CMD="$3"
    local MAKE_PFX_CMD="$4"

    echo
    echo "--- [$NAME] PFX algorithm variants ---"
    clean_up_test_dir
    $MAKE_CA_CMD --ca-dir "$CA_DIR" "PFX Test CA"
    $MAKE_CA_CMD --ca-dir "$CA_DIR" --issuing-ca "issuing_ca" "Issuing CA"
    $MAKE_CERT_CMD --ca-dir "$CA_DIR" --cert-dir "$CERT_DIR" --issuing-ca "issuing_ca" \
        "test" "test.example.com" "127.0.0.1"

    # Modern (default): OpenSSL 3.x PBES2/AES-256
    $MAKE_PFX_CMD --ca-dir "$CA_DIR" --issuing-ca "issuing_ca" --password "s3cr3t" \
        "$CERT_DIR/test_cert.pem"
    verify_pfx_algo "modern" "$CERT_DIR/test.pfx" "s3cr3t" "PBES2"
    rm "$CERT_DIR/test.pfx"

    # Apple openssl (macOS only): verify the switch routes to /usr/bin/openssl
    # and that the result is readable by Apple's binary (not PBES2).
    if [[ "$(uname)" == "Darwin" ]]; then
        $MAKE_PFX_CMD --apple-openssl --ca-dir "$CA_DIR" --issuing-ca "issuing_ca" --password "s3cr3t" \
            "$CERT_DIR/test_cert.pem"
        /usr/bin/openssl pkcs12 -in "$CERT_DIR/test.pfx" -noout -info -password pass:"s3cr3t" 2>&1
        # Confirm Apple's binary produced its own (non-PBES2) format
        INFO=$(/usr/bin/openssl pkcs12 -in "$CERT_DIR/test.pfx" -noout -info -password pass:"s3cr3t" 2>&1)
        if echo "$INFO" | grep -qi "PBES2"; then
            echo "ERROR: PFX [apple-openssl]: unexpected PBES2 — Apple binary was not used" >&2
            exit 1
        fi
        echo "PFX [apple-openssl]: OK"
        rm "$CERT_DIR/test.pfx"
    fi
}

# run_crl_tests NAME MAKE_CA_CMD MAKE_CERT_CMD MAKE_PFX_CMD REVOKE_CMD MAKE_CRL_CMD
run_crl_tests() {
    local NAME="$1"
    local MAKE_CA_CMD="$2"
    local MAKE_CERT_CMD="$3"
    local REVOKE_CMD="$4"
    local MAKE_CRL_CMD="$5"

    echo
    echo "--- [$NAME] CRL tests ---"
    clean_up_test_dir

    # Build a two-level CA hierarchy
    $MAKE_CA_CMD --ca-dir "$CA_DIR" "CRL Test CA"
    $MAKE_CA_CMD --ca-dir "$CA_DIR" --issuing-ca "issuing_ca" "Issuing CA"

    # Issue two certs; revoke the first; keep the second active
    $MAKE_CERT_CMD --ca-dir "$CA_DIR" --cert-dir "$CERT_DIR" --issuing-ca "issuing_ca" \
        "alice" "alice.example.com"
    $MAKE_CERT_CMD --ca-dir "$CA_DIR" --cert-dir "$CERT_DIR" --issuing-ca "issuing_ca" \
        "bob" "bob.example.com"

    $REVOKE_CMD --ca-dir "$CA_DIR" --issuing-ca "issuing_ca" "$CERT_DIR/alice_cert.pem"

    # Generate CRL for the issuing CA
    $MAKE_CRL_CMD --ca-dir "$CA_DIR" --issuing-ca "issuing_ca"
    [[ -f "$CA_DIR/issuing_ca/crl.pem" ]] || { echo "ERROR: issuing_ca/crl.pem not created" >&2; exit 1; }

    # alice's serial must appear in the issuing CA CRL
    CRL_TEXT=$(openssl crl -in "$CA_DIR/issuing_ca/crl.pem" -noout -text 2>/dev/null)
    ALICE_SERIAL=$(openssl x509 -in "$CERT_DIR/alice_cert.pem" -noout -serial | cut -d= -f2)
    if echo "$CRL_TEXT" | grep -qi "$ALICE_SERIAL"; then
        echo "CRL [issuing_ca]: alice's serial found — OK"
    else
        echo "ERROR: CRL [issuing_ca]: alice's serial not found in CRL" >&2
        echo "$CRL_TEXT" >&2
        exit 1
    fi

    # bob's serial must NOT appear in the issuing CA CRL
    BOB_SERIAL=$(openssl x509 -in "$CERT_DIR/bob_cert.pem" -noout -serial | cut -d= -f2)
    if echo "$CRL_TEXT" | grep -qi "$BOB_SERIAL"; then
        echo "ERROR: CRL [issuing_ca]: bob's serial unexpectedly found in CRL" >&2
        exit 1
    else
        echo "CRL [issuing_ca]: bob's serial absent — OK"
    fi

    # Root CA CRL should be empty (no revoctions at root level)
    $MAKE_CRL_CMD --ca-dir "$CA_DIR"
    [[ -f "$CA_DIR/crl.pem" ]] || { echo "ERROR: root crl.pem not created" >&2; exit 1; }
    ROOT_CRL_TEXT=$(openssl crl -in "$CA_DIR/crl.pem" -noout -text 2>/dev/null)
    if echo "$ROOT_CRL_TEXT" | grep -q "No Revoked Certificates"; then
        echo "CRL [root]: empty — OK"
    else
        echo "ERROR: CRL [root]: expected empty CRL" >&2
        echo "$ROOT_CRL_TEXT" >&2
        exit 1
    fi
}

# Uses ;;& to fall through to subsequent patterns so 'all' matches every block.
case "$TEST_TARGET" in
    python|all)
        command -v python3 >/dev/null || { echo "ERROR: python3 not found" >&2; exit 1; }
        PY_PREFIX="python3 $SCRIPT_DIR/simple-ca.py"
        run_flow "python" "$PY_PREFIX make-ca" "$PY_PREFIX make-cert" "$PY_PREFIX make-pfx"
        run_pfx_algorithm_tests "python" "$PY_PREFIX make-ca" "$PY_PREFIX make-cert" "$PY_PREFIX make-pfx"
        run_crl_tests "python" "$PY_PREFIX make-ca" "$PY_PREFIX make-cert" "$PY_PREFIX revoke-cert" "$PY_PREFIX make-crl"
        ;;&
    python|all)
        ;;
    *)
        echo "ERROR: unknown target '$TEST_TARGET' (expected: python|all)" >&2
        exit 1
        ;;
esac

echo
echo "All requested tests passed."