Add Perl/Python behavioral parity test suite #11
Open
ecrist wants to merge 2 commits into
- tests/conftest.py - shared fixtures: CA environment setup, Perl/Python script builders, run_script()
- tests/test_parity.py - 24 behavioral parity tests covering quit, create+sign, server certs, revocation, renew, CRL view/generate, separate create/sign, and index lookup — each verified for both scripts
- tests/test_validation.py - 23 tests for specific bug fixes: key size validation (numeric vs string compare), CN regex acceptance/rejection, and serial number hex regex for lowercase OpenSSL output
- tests/openssl_wrapper.py - thin wrapper that expands $ENV::VAR tokens in openssl.conf before invoking the real binary; required because LibreSSL 3.3 (macOS default) does not support $ENV:: expansion
- tests/bin/openssl - symlink to the wrapper, prepended to PATH in test environments

Also fixes found during test development:
- openssl.conf [v3_req]: remove authorityKeyIdentifier — LibreSSL correctly rejects AKI in a CSR (issuer not yet known at request time)
- python/ssl-admin sign_csr()/sign_server(): unlink existing key before moving to active/ — shutil.move raises in Python 3.9 if destination file exists, unlike Unix mv which silently overwrites

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Adds `Getopt::Long`-based CLI argument parsing so ssl-admin can be driven non-interactively (e.g. from scripts or cron).

- New `yn_prompt_or_default()` helper returns a pre-set answer in batch mode rather than blocking on stdin
- `common_name()` and `project_info()` honour `--cn`, `--days`, `--size`, and `--intermediate` flags without prompting
- All y/n prompts throughout `menu_handler()` are routed through the new helper
- Named sub-commands (`create-sign`, `revoke`, `server`, `gen-crl`, …) map to the existing menu-item handlers via `%cmd_to_menu`
- `crl` sub-command (legacy argv path) is preserved and handled before batch-mode dispatch
- `sleep` calls are suppressed in batch mode
- Trailing whitespace cleaned up throughout

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Summary

- `tests/test_parity.py` — 24 behavioral tests that run identical input sequences through both scripts and assert the same filesystem state results (cert files, CRL, revoked directory, etc.)
- `tests/test_validation.py` — 23 tests targeting specific bug fixes: key size numeric vs string comparison, CN regex validation, and serial number hex parsing for lowercase OpenSSL output
- `tests/openssl_wrapper.py` — thin OpenSSL wrapper that expands `$ENV::VAR` tokens in config files before invoking the real binary; required because LibreSSL 3.3 (macOS default) does not support `$ENV::` expansion
- `tests/conftest.py` — shared pytest fixtures that build isolated CA environments, build test copies of both scripts with placeholder substitution, and manage the wrapper PATH

Bugs found during test development

- `openssl.conf [v3_req]`: `authorityKeyIdentifier` was incorrectly present — LibreSSL correctly rejects AKI in a CSR request (issuer is not yet known at request time)
- `python/ssl-admin sign_csr()/sign_server()`: `shutil.move` raises in Python 3.9 when the destination file already exists (unlike Unix `mv`); fixed by unlinking the existing key before moving — matters on re-sign/renew workflows

Test plan

All 47 tests pass on macOS with LibreSSL 3.3.6 and Python 3.9.
🤖 Generated with Claude Code
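
The `$ENV::VAR` expansion that the description attributes to `tests/openssl_wrapper.py`, written here as an added example and not the code from this pull request or from ssl-admin. The function and class names, the choice to fail closed on unset variables and on control characters in values, and the sample config and variable names are assumptions constructed for illustration.

```python
import os
import re

# $ENV::NAME and ${ENV::NAME}; a backslash-escaped "\$" is left untouched.
TOKEN = re.compile(r"(?<!\\)\$(?:\{ENV::(\w+)\}|ENV::(\w+))")
CONTROL = re.compile(r"[\x00-\x1f\x7f]")  # includes CR/LF


class ExpansionError(ValueError):
    """Raised instead of writing a config with a missing or unsafe value."""


def expand_env_tokens(conf_text, env=None):
    """Return conf_text with each $ENV:: token replaced by its value in env."""
    env = os.environ if env is None else env
    out = []
    for lineno, line in enumerate(conf_text.splitlines(keepends=True), 1):
        # Simplification: text after the first '#' is a comment and is not expanded.
        body, mark, comment = line.partition("#")

        def substitute(match, lineno=lineno):
            name = match.group(1) or match.group(2)
            if name not in env:
                # Fail closed: an empty expansion would silently change CA paths.
                raise ExpansionError(f"line {lineno}: $ENV::{name} is not set")
            if CONTROL.search(env[name]):
                # A newline in the value would inject extra config directives.
                raise ExpansionError(f"line {lineno}: {name} has control characters")
            return env[name]

        out.append(TOKEN.sub(substitute, body) + mark + comment)
    return "".join(out)


# Constructed sample: section, keys and variable names are illustrative only.
SAMPLE_CONF = """\
[ CA_default ]
dir = $ENV::KEY_DIR          # CA working directory
certificate = ${ENV::KEY_DIR}/ca.crt
default_bits = $ENV::KEY_SIZE
# unused = $ENV::NOT_SET
"""
SAMPLE_ENV = {"KEY_DIR": "/tmp/ca", "KEY_SIZE": "2048"}

if __name__ == "__main__":
    print(expand_env_tokens(SAMPLE_CONF, SAMPLE_ENV), end="")
```

A wrapper built on this would write the expanded text to a private temporary file and pass that path to the real binary in place of the original config.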