author | Guilhem Moulin <guilhem@fripost.org> | 2020-12-10 14:34:48 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2020-12-11 11:20:41 +0100 |
commit | 26e5c04abfb81bdcbd4d89d9f9329b8433920b26 (patch) | |
tree | e73554f83d12471c55834be114bcd186885c2043 /tests/certs | |
parent | 17b263c49df682fc45f0e50cceb01db4366ad9a7 (diff) |
test suite: always generate new certificates on `make test`.
In addition, sign test certificates with the same root CA. Hence
running `make test` now requires OpenSSL 1.1.1 or later.
Diffstat (limited to 'tests/certs')
-rw-r--r-- | tests/certs/.gitignore | 4 | ||||
-rwxr-xr-x | tests/certs/generate | 38 |
2 files changed, 42 insertions, 0 deletions
diff --git a/tests/certs/.gitignore b/tests/certs/.gitignore
new file mode 100644
index 0000000..8b2d0ad
--- /dev/null
+++ b/tests/certs/.gitignore
@@ -0,0 +1,4 @@
+!/generate
+/*.key
+/*.crt
+/*.pem
diff --git a/tests/certs/generate b/tests/certs/generate
new file mode 100755
index 0000000..19463d5
--- /dev/null
+++ b/tests/certs/generate
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+set -ue
+PATH="/usr/bin:/bin"
+export PATH
+
+BASEDIR="$(dirname -- "$0")"
+OU="InterIMAP test suite"
+cd "$BASEDIR"
+
+cadir="$(mktemp --tmpdir --directory)"
+trap 'rm -rf -- "$cadir"' EXIT INT TERM
+
+# generate CA (we intentionally throw away the private key and serial
+# file to avoid reuse)
+openssl genpkey -algorithm RSA -out "$cadir/ca.key"
+openssl req -new -x509 -rand /dev/urandom -subj "/OU=$OU/CN=Fake Root CA" -key "$cadir/ca.key" -out ./ca.crt
+
+SERIAL=1
+new() {
+ local key="$1" cn="$2"
+ openssl req -new -rand /dev/urandom -key "$key" \
+ -subj "/OU=$OU/CN=$cn" \
+ -out "$cadir/new.csr"
+ cat >"$cadir/new-ext.cnf" <<-EOF
+ basicConstraints = critical, CA:FALSE
+ keyUsage = critical, digitalSignature, keyEncipherment
+ extendedKeyUsage = critical, serverAuth
+ EOF
+ openssl x509 -req -in "$cadir/new.csr" -CA ./ca.crt -CAkey "$cadir/ca.key" \
+ -CAserial "$cadir/ca.srl" -CAcreateserial -extfile "$cadir/new-ext.cnf"
+}
+
+openssl genpkey -algorithm RSA -out ./dovecot.rsa.key
+new ./dovecot.rsa.key "localhost" >./dovecot.rsa.crt
+
+openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve -out ./dovecot.ecdsa.key
+new ./dovecot.ecdsa.key "localhost" >./dovecot.ecdsa.crt |
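Review bot: The extension file written inside `new()` in tests/certs/generate sets basicConstraints, keyUsage and extendedKeyUsage but no subjectAltName, so both leaf certificates name `localhost` only through the subject CN. CN matching is deprecated by RFC 6125, and a client that ignores the CN when checking the host name would reject these certificates; whether the test suite verifies host names is not visible in this hunk. Because the here-document delimiter is unquoted, adding the line `subjectAltName = DNS:$cn` to it would cover that case for every caller. Separately, `SERIAL=1` is assigned but never read in the hunk, since serial numbers come from `-CAcreateserial`, so it could be dropped.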