diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2020-12-09 15:11:45 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2020-12-09 15:29:59 +0100 |
commit | 51df40cf82c67ae828c325a42e28b3155fce9864 (patch) | |
tree | 7c55c9f424aa3171496e37445f8a0e67193df139 /tests/tls-rsa+ecdsa | |
parent | 83f85ee3a6fde64a0809180a13e0cc8a3d703bca (diff) |
New test with a server offering both RSA+ECDSA certificates.
This requires dovecot-imapd 2.2.31 or later.
Certificate generated with:
$ openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve \
-out tests/snippets/dovecot/dovecot.ecdsa.key
$ openssl req -x509 -days 3650 -subj "/CN=InterIMAP test suite" \
-key tests/snippets/dovecot/dovecot.ecdsa.key \
-out tests/snippets/dovecot/dovecot.ecdsa.crt
Diffstat (limited to 'tests/tls-rsa+ecdsa')
l--------- | tests/tls-rsa+ecdsa/interimap.remote | 1 | ||||
-rw-r--r-- | tests/tls-rsa+ecdsa/remote.conf | 5 | ||||
-rw-r--r-- | tests/tls-rsa+ecdsa/t | 49 |
3 files changed, 55 insertions, 0 deletions
diff --git a/tests/tls-rsa+ecdsa/interimap.remote b/tests/tls-rsa+ecdsa/interimap.remote new file mode 120000 index 0000000..daf3741 --- /dev/null +++ b/tests/tls-rsa+ecdsa/interimap.remote @@ -0,0 +1 @@ +../tls/interimap.remote
\ No newline at end of file diff --git a/tests/tls-rsa+ecdsa/remote.conf b/tests/tls-rsa+ecdsa/remote.conf new file mode 100644 index 0000000..72ca135 --- /dev/null +++ b/tests/tls-rsa+ecdsa/remote.conf @@ -0,0 +1,5 @@ +!include conf.d/imapd.conf +!include conf.d/ssl.conf + +ssl_alt_cert = <conf.d/dovecot.ecdsa.crt +ssl_alt_key = <conf.d/dovecot.ecdsa.key diff --git a/tests/tls-rsa+ecdsa/t b/tests/tls-rsa+ecdsa/t new file mode 100644 index 0000000..29352e9 --- /dev/null +++ b/tests/tls-rsa+ecdsa/t @@ -0,0 +1,49 @@ +doveconf_remote() { + doveconf -c "$HOME_remote/.dovecot/config" -hx "$1" +} +pkey_sha256() { + openssl x509 -pubkey | openssl pkey -pubin -outform DER \ + | openssl dgst -sha256 | sed -rn "/^.*=\\s*/ {s///p;q}" +} +x509_sha256() { + openssl x509 -noout -fingerprint -sha256 \ + | sed -rn "/^.*=\\s*/ {s///p;q}" | tr -d : | tr "[A-Z]" "[a-z]" +} + +PKEY_SHA256="$(doveconf_remote ssl_cert | pkey_sha256)" +X509_SHA256="$(doveconf_remote ssl_cert | x509_sha256)" +PKEY_ALT_SHA256="$(doveconf_remote ssl_alt_cert | pkey_sha256)" +X509_ALT_SHA256="$(doveconf_remote ssl_alt_cert | x509_sha256)" + +# pinned valid fingerprints +cat >>"$XDG_CONFIG_HOME/interimap/config" <<-EOF + SSL_fingerprint = sha256\$$PKEY_SHA256 sha256\$$PKEY_ALT_SHA256 +EOF + +for ((i = 0; i < 32; i++)); do + u="$(shuf -n1 -e "local" "remote")" + sample_message | deliver -u "$u" +done +interimap_init +check_mailbox_status "INBOX" + +interimap --debug || error +# which peer certificate is used is up to libssl +grep -Fx -e "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" \ + -e "remote: Peer certificate fingerprint: sha256\$$X509_ALT_SHA256" \ + <"$STDERR" || error + +# force RSA (XXX do we really have to force TLSv1.2 here?) +cat >>"$XDG_CONFIG_HOME/interimap/config" <<-EOF + SSL_protocols = TLSv1.2 + SSL_cipherlist = EECDH+AESGCM+aRSA +EOF +interimap --debug || error +grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error + +# force ECDSA +sed -i "s/^SSL_cipherlist\\s*=.*/SSL_cipherlist = EECDH+AESGCM+aECDSA/" "$XDG_CONFIG_HOME/interimap/config" +interimap --debug || error +grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_ALT_SHA256" <"$STDERR" || error + +# vim: set filetype=sh : |