aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2020-12-10 14:34:48 +0100
committerGuilhem Moulin <guilhem@fripost.org>2020-12-11 11:20:41 +0100
commit26e5c04abfb81bdcbd4d89d9f9329b8433920b26 (patch)
treee73554f83d12471c55834be114bcd186885c2043
parent17b263c49df682fc45f0e50cceb01db4366ad9a7 (diff)
test suite: always generate new certificates on `make test`.
In addition, sign test certificates with the same root CA. Hence running `make test` now requires OpenSSL 1.1.1 or later.
-rw-r--r--Changelog3
-rw-r--r--Makefile3
-rw-r--r--tests/certs/.gitignore4
-rwxr-xr-xtests/certs/generate38
-rwxr-xr-xtests/run1
-rw-r--r--tests/snippets/dovecot/dovecot.ecdsa.crt11
-rw-r--r--tests/snippets/dovecot/dovecot.ecdsa.key5
-rw-r--r--tests/snippets/dovecot/dovecot.rsa.crt19
-rw-r--r--tests/snippets/dovecot/dovecot.rsa.key28
-rw-r--r--tests/tls-verify-peer/t10
10 files changed, 53 insertions, 69 deletions
diff --git a/Changelog b/Changelog
index cd474a0..7a04963 100644
--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,9 @@
interimap (0.5.4) upstream;
+ libinterimap: show the matching pinned SPKI in --debug mode.
+ + test suite: always generate new certificates on `make test`. Hence
+ running `make test` now requires OpenSSL 1.1.1 or later.
+ + test suite: sign all test certificates with the same root CA.
- documentation: replace example.org with example.net for consistency.
-- Guilhem Moulin <guilhem@fripost.org> Thu, 10 Dec 2020 14:22:05 +0100
diff --git a/Makefile b/Makefile
index 3d60dfb..b85cddd 100644
--- a/Makefile
+++ b/Makefile
@@ -16,7 +16,8 @@ $(MANUAL_FILES): $(BUILD_DOCDIR)/%: ./doc/%.md
pandoc -f markdown -t json -- "$<" | ./pandoc2man.jq | pandoc -s -f json -t man -o "$@"
test:
- @./tests/run-all
+ ./tests/certs/generate
+ ./tests/run-all
## make html CSS="https://guilhem.org/static/css/bootstrap.min.css" BUILD_DOCDIR="$XDG_RUNTIME_DIR/Downloads"
$(HTML_FILES): $(BUILD_DOCDIR)/%.html: ./doc/%.md $(HTML_TEMPLATE)
diff --git a/tests/certs/.gitignore b/tests/certs/.gitignore
new file mode 100644
index 0000000..8b2d0ad
--- /dev/null
+++ b/tests/certs/.gitignore
@@ -0,0 +1,4 @@
+!/generate
+/*.key
+/*.crt
+/*.pem
diff --git a/tests/certs/generate b/tests/certs/generate
new file mode 100755
index 0000000..19463d5
--- /dev/null
+++ b/tests/certs/generate
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+set -ue
+PATH="/usr/bin:/bin"
+export PATH
+
+BASEDIR="$(dirname -- "$0")"
+OU="InterIMAP test suite"
+cd "$BASEDIR"
+
+cadir="$(mktemp --tmpdir --directory)"
+trap 'rm -rf -- "$cadir"' EXIT INT TERM
+
+# generate CA (we intentionally throw away the private key and serial
+# file to avoid reuse)
+openssl genpkey -algorithm RSA -out "$cadir/ca.key"
+openssl req -new -x509 -rand /dev/urandom -subj "/OU=$OU/CN=Fake Root CA" -key "$cadir/ca.key" -out ./ca.crt
+
+SERIAL=1
+new() {
+ local key="$1" cn="$2"
+ openssl req -new -rand /dev/urandom -key "$key" \
+ -subj "/OU=$OU/CN=$cn" \
+ -out "$cadir/new.csr"
+ cat >"$cadir/new-ext.cnf" <<-EOF
+ basicConstraints = critical, CA:FALSE
+ keyUsage = critical, digitalSignature, keyEncipherment
+ extendedKeyUsage = critical, serverAuth
+ EOF
+ openssl x509 -req -in "$cadir/new.csr" -CA ./ca.crt -CAkey "$cadir/ca.key" \
+ -CAserial "$cadir/ca.srl" -CAcreateserial -extfile "$cadir/new-ext.cnf"
+}
+
+openssl genpkey -algorithm RSA -out ./dovecot.rsa.key
+new ./dovecot.rsa.key "localhost" >./dovecot.rsa.crt
+
+openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve -out ./dovecot.ecdsa.key
+new ./dovecot.ecdsa.key "localhost" >./dovecot.ecdsa.crt
diff --git a/tests/run b/tests/run
index 8164524..0305812 100755
--- a/tests/run
+++ b/tests/run
@@ -102,6 +102,7 @@ prepare() {
cat >>"$home/.dovecot/config" <"$TESTDIR/$u.conf"
fi
cp -aT -- "$BASEDIR/snippets/dovecot" "$home/.dovecot/conf.d"
+ cp -at "$home/.dovecot/conf.d" -- "$BASEDIR/certs/ca.crt" "$BASEDIR/certs"/dovecot.*
proto="$(env -i "${ENVIRON[@]}" doveconf -c "$home/.dovecot/config" -h protocols)"
if [ -n "$proto" ]; then
diff --git a/tests/snippets/dovecot/dovecot.ecdsa.crt b/tests/snippets/dovecot/dovecot.ecdsa.crt
deleted file mode 100644
index b928d4d..0000000
--- a/tests/snippets/dovecot/dovecot.ecdsa.crt
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBkjCCATmgAwIBAgIUWyEAqMhQ0uRLtagXgm68bUypQa4wCgYIKoZIzj0EAwIw
-HzEdMBsGA1UEAwwUSW50ZXJJTUFQIHRlc3Qgc3VpdGUwHhcNMjAxMjA5MTQwOTUy
-WhcNMzAxMjA3MTQwOTUyWjAfMR0wGwYDVQQDDBRJbnRlcklNQVAgdGVzdCBzdWl0
-ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFP7A0ivFsHK/WuCQzz+WWh2jBLO
-7uqhWSMh+1cc//jmn2q910XNH3xVFNkIRo7ddg6X8twli3OvC66/YIbxiTyjUzBR
-MB0GA1UdDgQWBBS/p0mJpdBjKpNrQ/t+oJMrehS7wzAfBgNVHSMEGDAWgBS/p0mJ
-pdBjKpNrQ/t+oJMrehS7wzAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0cA
-MEQCIFMlTb7E92tElIueK8TxbllJ3NOaMb1TMjSScM38N8oOAiAiNI4AkESnimPN
-IOsdnydFYjOkDEhzpXbrBEcP3EgJuQ==
------END CERTIFICATE-----
diff --git a/tests/snippets/dovecot/dovecot.ecdsa.key b/tests/snippets/dovecot/dovecot.ecdsa.key
deleted file mode 100644
index dfbd4a7..0000000
--- a/tests/snippets/dovecot/dovecot.ecdsa.key
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgleLchaikcJbUnkps
-4ITR6FGkW2S2+S+w2ISJSsvgt0ehRANCAART+wNIrxbByv1rgkM8/llodowSzu7q
-oVkjIftXHP/45p9qvddFzR98VRTZCEaO3XYOl/LcJYtzrwuuv2CG8Yk8
------END PRIVATE KEY-----
diff --git a/tests/snippets/dovecot/dovecot.rsa.crt b/tests/snippets/dovecot/dovecot.rsa.crt
deleted file mode 100644
index d10204b..0000000
--- a/tests/snippets/dovecot/dovecot.rsa.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDHzCCAgegAwIBAgIUKSm5of13M/4NiGfhLMspFl/+YmYwDQYJKoZIhvcNAQEL
-BQAwHzEdMBsGA1UEAwwUSW50ZXJJTUFQIHRlc3Qgc3VpdGUwHhcNMjAxMjA5MTM1
-NjI1WhcNMzAxMjA3MTM1NjI1WjAfMR0wGwYDVQQDDBRJbnRlcklNQVAgdGVzdCBz
-dWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM1DTaSl/4UtngRG
-bAHmxHlNFZJxQVK9AM4tcYna1PGrY/JbmS5kKVFLSM6znHD5aBvTaOy0HLpF15wY
-Vj+zbaWmgqtlKGYGSGoXcTzNYFNJNB/WNhOv25q5VHNNFePTX/zOgQS8geza7qrK
-MZDiMlbuGKCQSKtZqKiEGiMWIyXtVi8BkkHXcTrvDggOTCQlk/0v8dWbGFZZA9ly
-f7PIdxtfm6tacw6Fxcz4ukWx2uoEjOIyOYhgd4WYdM7L9Jnabrh9OHYknuiGZv38
-b2GUZZ0h0RtkcdP1zOxaz4ZTaewo+gLm6yTFsL3mhnNsK/xxx00/QE6C9OyU0Nip
-gGmpT9ECAwEAAaNTMFEwHQYDVR0OBBYEFHlctzGj8GhUJ8GrlHb0mT7DR/mEMB8G
-A1UdIwQYMBaAFHlctzGj8GhUJ8GrlHb0mT7DR/mEMA8GA1UdEwEB/wQFMAMBAf8w
-DQYJKoZIhvcNAQELBQADggEBAJ/FGOVrBmYujPk2ZzJHJZE/+7+upZndrUA+27l7
-u/bHxhLnl94gfGmOaflU+Zyy/9eqLzllY40wkMT6d/SQmfv4C6d+fqk/dDPfdLdk
-N3ew/q/sPvLuEyoj1QoHamWqc3dfgV6p5j4ek6kjyWtjBPcQbVOZ02Xes1GSLzVJ
-Yo9kfbZxk4Y2mqiBDHCM+erNkG002D7cWErjj/fqhYlnjOxU+v9FEm0gLc3VqAkE
-BRuYZbmyMJUklH00R39G2Fey34kcpaB1VCMOLsymWLkZEhfgrl2qPRwGyh+Wc8N5
-gR/w97oHDOfJ2oZRzjRUB7MIhGoY0ED42Ma44Ub4al57XbY=
------END CERTIFICATE-----
diff --git a/tests/snippets/dovecot/dovecot.rsa.key b/tests/snippets/dovecot/dovecot.rsa.key
deleted file mode 100644
index ed77230..0000000
--- a/tests/snippets/dovecot/dovecot.rsa.key
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDNQ02kpf+FLZ4E
-RmwB5sR5TRWScUFSvQDOLXGJ2tTxq2PyW5kuZClRS0jOs5xw+Wgb02jstBy6Rdec
-GFY/s22lpoKrZShmBkhqF3E8zWBTSTQf1jYTr9uauVRzTRXj01/8zoEEvIHs2u6q
-yjGQ4jJW7higkEirWaiohBojFiMl7VYvAZJB13E67w4IDkwkJZP9L/HVmxhWWQPZ
-cn+zyHcbX5urWnMOhcXM+LpFsdrqBIziMjmIYHeFmHTOy/SZ2m64fTh2JJ7ohmb9
-/G9hlGWdIdEbZHHT9czsWs+GU2nsKPoC5uskxbC95oZzbCv8ccdNP0BOgvTslNDY
-qYBpqU/RAgMBAAECggEANzx5VGlnTYttDnF09z4GeS4JNBNOJNm/sbwA5bwBudcJ
-WlrT6ewCQmIkAZvL6Yr0PSiy/5+oa2gIEXVrIFFEnGMmnsDmEi52pjYQvu/1j/QP
-FtIqUznrusNMuopv7ZMgLYPUrFWeEQMJXuRyWi7EpSgFcI/jPlkuTcrezbpTUw0D
-bNAQjgXiDGNzyJDVmx496CWtTJHE94wwKo2QAiFU7zCZcqM7JlNCnRenws4KGqJ1
-qyFeCJJlgORQDMpiqaJLMreF41WPs++Xsu07RzQdmFKaS/sX4Um/5uyhlApmxepR
-cwx3RYvOtGArQKreNONn5j16O012DSbFXIyrUjJgAQKBgQD48iZmm2iiq4oC1u+/
-kYPXMHjUBHeMj8D3lA2mnCh4W/vcEj+ZBFgmR90KyYkK2eDuFslvfwzxZqU3sqJE
-au4OsITsSrxhJHAz4pVWPlJiWUCrz/7ektxY6Jw2+Jk8lR3UvLMgJbKpLWkd5Od+
-h5xKNU5Xzu198yX703k4+v5rgQKBgQDTFEcIJK9BffQ5hqMiM7NujdbMQ4ldxUy+
-ivyHk4MX4Z/kequE1rMJ1Ap8hypPJz10NhXM2naQWa8APnFYkNygwbtwTSZaiyMY
-Tav8rjYoA0CfEsPfIx2AFPtDtrhWGH5o9LZI9sjhH79ud412IDZxSGdZmAho8Xdj
-ky5sQr9MUQKBgByF+jplcg65Yt3CbMPhU17TkfSQ8nWrfuufDhVZ7RUlTO1BNgI9
-SjBQqZXz03zny+rbt4bL4trB7Qo9sHPwYIhUV1aPlZf3yddYDc5M47mbClrlQQmV
-gCO7uzJdN4mGeF2IpWl4iEj0CAhB0vhfZ1vlUa2j6vg0ZNS+vTP3JjGBAoGAQ+gW
-IgyLRWqcE5W5DdvMMhj3radcngpHclWMgKF4X0p7Aipk28umtda9uOpTNjvNjYGI
-6equkioIHu/3zyJrmFw7TRnE6QQyOjNizVvOmHjTZVnIIhVN/FLDszkpfKlMob94
-lWivn51zHLrhi8s5OKCufyhmLDzix+ol2TZwDMECgYEAwjhuZRXZeIgjKkvkG+FT
-8ThPNcxSplNca+YM9fQuWAuKkCbKCtvl8m5HDWYYIDx1jkKGHvDGtUl7vV4TtCgJ
-OeCQPjT5SLYs9ienMqitbzKfvCGRNsIG/1NsUrerD0Lau+V0YmbqYYk1Pptr3R8x
-bLzY7IMbPzdI+aPyhNF9KSg=
------END PRIVATE KEY-----
diff --git a/tests/tls-verify-peer/t b/tests/tls-verify-peer/t
index 35c7c8d..9b676a6 100644
--- a/tests/tls-verify-peer/t
+++ b/tests/tls-verify-peer/t
@@ -28,9 +28,9 @@ verified_peer() {
}
# backup config
-install -m0600 "$XDG_CONFIG_HOME/interimap/config" "$XDG_CONFIG_HOME/interimap/config~"
+install -m0600 -- "$XDG_CONFIG_HOME/interimap/config" "$XDG_CONFIG_HOME/interimap/config~"
with_remote_config() {
- install -m0600 "$XDG_CONFIG_HOME/interimap/config~" "$XDG_CONFIG_HOME/interimap/config"
+ install -m0600 -- "$XDG_CONFIG_HOME/interimap/config~" "$XDG_CONFIG_HOME/interimap/config"
cat >>"$XDG_CONFIG_HOME/interimap/config"
}
@@ -53,12 +53,12 @@ capath=$(mktemp --tmpdir="$TMPDIR" --directory capath.XXXXXX)
step_start "SSL_CAfile"
if [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then
- # our self-signed test cert should not be in there
+ # our fake root CA should not be in there
with_remote_config <<<"SSL_CAfile = /etc/ssl/certs/ca-certificates.crt"
unverified_peer
fi
-doveconf -c "$HOME_remote/.dovecot/config" -hx ssl_cert >"$capath/ca-certificates.crt"
+cp -T -- ~/.dovecot/conf.d/ca.crt "$capath/ca-certificates.crt"
with_remote_config <<<"SSL_CAfile = $capath/ca-certificates.crt"
verified_peer
step_done
@@ -66,7 +66,7 @@ step_done
step_start "SSL_CApath"
if [ -d "/etc/ssl/certs" ]; then
- # our self-signed test cert should not be in there
+ # our fake root CA should not be in there
with_remote_config <<<"SSL_CApath = /etc/ssl/certs"
unverified_peer
fi