diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2020-12-09 14:57:11 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2020-12-09 14:57:11 +0100 |
commit | b13c9fa6f442f555af65f869b954935dae40fcc4 (patch) | |
tree | 18134835502271153c51fa7d0fb60e1c454016e7 /tests | |
parent | 1630f2387c52a0ac460922eda6535165fdb279d1 (diff) |
test suite: use a RSA certificate rather than ECDSA.
It's arguably the most common use-case. Generated with
$ openssl genpkey -algorithm RSA -out tests/snippets/dovecot/dovecot.rsa.key
$ openssl req -x509 -days 3650 -subj "/CN=InterIMAP test suite" \
-key tests/snippets/dovecot/dovecot.rsa.key \
-out tests/snippets/dovecot/dovecot.rsa.crt
Diffstat (limited to 'tests')
-rw-r--r-- | tests/snippets/dovecot/dovecot.key | 5 | ||||
-rw-r--r-- | tests/snippets/dovecot/dovecot.pem | 11 | ||||
-rw-r--r-- | tests/snippets/dovecot/dovecot.rsa.crt | 19 | ||||
-rw-r--r-- | tests/snippets/dovecot/dovecot.rsa.key | 28 | ||||
-rw-r--r-- | tests/snippets/dovecot/ssl.conf | 4 | ||||
-rwxr-xr-x | tests/starttls-injection/imapd | 4 | ||||
-rw-r--r-- | tests/starttls/t | 6 | ||||
-rw-r--r-- | tests/tls-pin-fingerprint/t | 6 | ||||
-rw-r--r-- | tests/tls-verify-peer/t | 18 | ||||
-rw-r--r-- | tests/tls/t | 6 |
10 files changed, 75 insertions, 32 deletions
diff --git a/tests/snippets/dovecot/dovecot.key b/tests/snippets/dovecot/dovecot.key deleted file mode 100644 index 95c9846..0000000 --- a/tests/snippets/dovecot/dovecot.key +++ /dev/null @@ -1,5 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIGkqkKq69zVeF17S3y2U2HkQWh8z9M/xeblCztkKIfzJoAoGCCqGSM49 -AwEHoUQDQgAE1LLppulKw8KjINrDhOjEd0NTax5iDCds+vpA2PwsvvtGoprNAjQM -zX+40u30N3CE0r591txqohSBQ/X+nvG2ug== ------END EC PRIVATE KEY----- diff --git a/tests/snippets/dovecot/dovecot.pem b/tests/snippets/dovecot/dovecot.pem deleted file mode 100644 index 7e53d90..0000000 --- a/tests/snippets/dovecot/dovecot.pem +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBkzCCATmgAwIBAgIUQ+3hBMsPJcl59xDDujDDfexurOswCgYIKoZIzj0EAwIw -HzEdMBsGA1UEAwwUSW50ZXJJTUFQIHRlc3Qgc3VpdGUwHhcNMTkxMTEwMTM1NDAw -WhcNMjkxMTA3MTM1NDAwWjAfMR0wGwYDVQQDDBRJbnRlcklNQVAgdGVzdCBzdWl0 -ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNSy6abpSsPCoyDaw4ToxHdDU2se -YgwnbPr6QNj8LL77RqKazQI0DM1/uNLt9DdwhNK+fdbcaqIUgUP1/p7xtrqjUzBR -MB0GA1UdDgQWBBRlh8nSwyX+VlhwuhV7RKYwvKLyDzAfBgNVHSMEGDAWgBRlh8nS -wyX+VlhwuhV7RKYwvKLyDzAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0gA -MEUCIQDK8xPPHTbYW5JnZ1Siy8ChZ6GOu2sRwQu7OgtGYGZRSQIgFKn1oAhnq2Oi -aIPqxjvBPMsK/sjrdI/rNsr2XgaulU4= ------END CERTIFICATE----- diff --git a/tests/snippets/dovecot/dovecot.rsa.crt b/tests/snippets/dovecot/dovecot.rsa.crt new file mode 100644 index 0000000..d10204b --- /dev/null +++ b/tests/snippets/dovecot/dovecot.rsa.crt @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDHzCCAgegAwIBAgIUKSm5of13M/4NiGfhLMspFl/+YmYwDQYJKoZIhvcNAQEL +BQAwHzEdMBsGA1UEAwwUSW50ZXJJTUFQIHRlc3Qgc3VpdGUwHhcNMjAxMjA5MTM1 +NjI1WhcNMzAxMjA3MTM1NjI1WjAfMR0wGwYDVQQDDBRJbnRlcklNQVAgdGVzdCBz +dWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM1DTaSl/4UtngRG +bAHmxHlNFZJxQVK9AM4tcYna1PGrY/JbmS5kKVFLSM6znHD5aBvTaOy0HLpF15wY +Vj+zbaWmgqtlKGYGSGoXcTzNYFNJNB/WNhOv25q5VHNNFePTX/zOgQS8geza7qrK +MZDiMlbuGKCQSKtZqKiEGiMWIyXtVi8BkkHXcTrvDggOTCQlk/0v8dWbGFZZA9ly +f7PIdxtfm6tacw6Fxcz4ukWx2uoEjOIyOYhgd4WYdM7L9Jnabrh9OHYknuiGZv38 +b2GUZZ0h0RtkcdP1zOxaz4ZTaewo+gLm6yTFsL3mhnNsK/xxx00/QE6C9OyU0Nip +gGmpT9ECAwEAAaNTMFEwHQYDVR0OBBYEFHlctzGj8GhUJ8GrlHb0mT7DR/mEMB8G +A1UdIwQYMBaAFHlctzGj8GhUJ8GrlHb0mT7DR/mEMA8GA1UdEwEB/wQFMAMBAf8w +DQYJKoZIhvcNAQELBQADggEBAJ/FGOVrBmYujPk2ZzJHJZE/+7+upZndrUA+27l7 +u/bHxhLnl94gfGmOaflU+Zyy/9eqLzllY40wkMT6d/SQmfv4C6d+fqk/dDPfdLdk +N3ew/q/sPvLuEyoj1QoHamWqc3dfgV6p5j4ek6kjyWtjBPcQbVOZ02Xes1GSLzVJ +Yo9kfbZxk4Y2mqiBDHCM+erNkG002D7cWErjj/fqhYlnjOxU+v9FEm0gLc3VqAkE +BRuYZbmyMJUklH00R39G2Fey34kcpaB1VCMOLsymWLkZEhfgrl2qPRwGyh+Wc8N5 +gR/w97oHDOfJ2oZRzjRUB7MIhGoY0ED42Ma44Ub4al57XbY= +-----END CERTIFICATE----- diff --git a/tests/snippets/dovecot/dovecot.rsa.key b/tests/snippets/dovecot/dovecot.rsa.key new file mode 100644 index 0000000..ed77230 --- /dev/null +++ b/tests/snippets/dovecot/dovecot.rsa.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDNQ02kpf+FLZ4E +RmwB5sR5TRWScUFSvQDOLXGJ2tTxq2PyW5kuZClRS0jOs5xw+Wgb02jstBy6Rdec +GFY/s22lpoKrZShmBkhqF3E8zWBTSTQf1jYTr9uauVRzTRXj01/8zoEEvIHs2u6q +yjGQ4jJW7higkEirWaiohBojFiMl7VYvAZJB13E67w4IDkwkJZP9L/HVmxhWWQPZ +cn+zyHcbX5urWnMOhcXM+LpFsdrqBIziMjmIYHeFmHTOy/SZ2m64fTh2JJ7ohmb9 +/G9hlGWdIdEbZHHT9czsWs+GU2nsKPoC5uskxbC95oZzbCv8ccdNP0BOgvTslNDY +qYBpqU/RAgMBAAECggEANzx5VGlnTYttDnF09z4GeS4JNBNOJNm/sbwA5bwBudcJ +WlrT6ewCQmIkAZvL6Yr0PSiy/5+oa2gIEXVrIFFEnGMmnsDmEi52pjYQvu/1j/QP +FtIqUznrusNMuopv7ZMgLYPUrFWeEQMJXuRyWi7EpSgFcI/jPlkuTcrezbpTUw0D +bNAQjgXiDGNzyJDVmx496CWtTJHE94wwKo2QAiFU7zCZcqM7JlNCnRenws4KGqJ1 +qyFeCJJlgORQDMpiqaJLMreF41WPs++Xsu07RzQdmFKaS/sX4Um/5uyhlApmxepR +cwx3RYvOtGArQKreNONn5j16O012DSbFXIyrUjJgAQKBgQD48iZmm2iiq4oC1u+/ +kYPXMHjUBHeMj8D3lA2mnCh4W/vcEj+ZBFgmR90KyYkK2eDuFslvfwzxZqU3sqJE +au4OsITsSrxhJHAz4pVWPlJiWUCrz/7ektxY6Jw2+Jk8lR3UvLMgJbKpLWkd5Od+ +h5xKNU5Xzu198yX703k4+v5rgQKBgQDTFEcIJK9BffQ5hqMiM7NujdbMQ4ldxUy+ +ivyHk4MX4Z/kequE1rMJ1Ap8hypPJz10NhXM2naQWa8APnFYkNygwbtwTSZaiyMY +Tav8rjYoA0CfEsPfIx2AFPtDtrhWGH5o9LZI9sjhH79ud412IDZxSGdZmAho8Xdj +ky5sQr9MUQKBgByF+jplcg65Yt3CbMPhU17TkfSQ8nWrfuufDhVZ7RUlTO1BNgI9 +SjBQqZXz03zny+rbt4bL4trB7Qo9sHPwYIhUV1aPlZf3yddYDc5M47mbClrlQQmV +gCO7uzJdN4mGeF2IpWl4iEj0CAhB0vhfZ1vlUa2j6vg0ZNS+vTP3JjGBAoGAQ+gW +IgyLRWqcE5W5DdvMMhj3radcngpHclWMgKF4X0p7Aipk28umtda9uOpTNjvNjYGI +6equkioIHu/3zyJrmFw7TRnE6QQyOjNizVvOmHjTZVnIIhVN/FLDszkpfKlMob94 +lWivn51zHLrhi8s5OKCufyhmLDzix+ol2TZwDMECgYEAwjhuZRXZeIgjKkvkG+FT +8ThPNcxSplNca+YM9fQuWAuKkCbKCtvl8m5HDWYYIDx1jkKGHvDGtUl7vV4TtCgJ +OeCQPjT5SLYs9ienMqitbzKfvCGRNsIG/1NsUrerD0Lau+V0YmbqYYk1Pptr3R8x +bLzY7IMbPzdI+aPyhNF9KSg= +-----END PRIVATE KEY----- diff --git a/tests/snippets/dovecot/ssl.conf b/tests/snippets/dovecot/ssl.conf index 240f24b..2d68c80 100644 --- a/tests/snippets/dovecot/ssl.conf +++ b/tests/snippets/dovecot/ssl.conf @@ -1,4 +1,4 @@ ssl = required -ssl_cert = <dovecot.pem -ssl_key = <dovecot.key +ssl_cert = <dovecot.rsa.crt +ssl_key = <dovecot.rsa.key ssl_dh = <dhparams.pem diff --git a/tests/starttls-injection/imapd b/tests/starttls-injection/imapd index 9000c8d..15c53c7 100755 --- a/tests/starttls-injection/imapd +++ b/tests/starttls-injection/imapd @@ -26,9 +26,9 @@ Net::SSLeay::CTX_set_mode($CTX, Net::SSLeay::MODE_ACCEPT_MOVING_WRITE_BUFFER() | Net::SSLeay::MODE_AUTO_RETRY() | # don't fail SSL_read on renegotiation Net::SSLeay::MODE_RELEASE_BUFFERS() ); -Net::SSLeay::CTX_use_PrivateKey_file($CTX, "$CONFDIR/dovecot.key", &Net::SSLeay::FILETYPE_PEM) +Net::SSLeay::CTX_use_PrivateKey_file($CTX, "$CONFDIR/dovecot.rsa.key", &Net::SSLeay::FILETYPE_PEM) or die_if_ssl_error("Can't load private key: $!"); -Net::SSLeay::CTX_use_certificate_file($CTX, "$CONFDIR/dovecot.pem", &Net::SSLeay::FILETYPE_PEM) +Net::SSLeay::CTX_use_certificate_file($CTX, "$CONFDIR/dovecot.rsa.crt", &Net::SSLeay::FILETYPE_PEM) or die_if_ssl_error("Can't load certificate: $!"); while (1) { diff --git a/tests/starttls/t b/tests/starttls/t index 99a39c2..5f9bd4f 100644 --- a/tests/starttls/t +++ b/tests/starttls/t @@ -1,3 +1,7 @@ +X509_SHA256="$(doveconf -c "$HOME_remote/.dovecot/config" -hx ssl_cert \ + | openssl x509 -noout -fingerprint -sha256 \ + | sed -rn "/^.*=\\s*/ {s///p;q}" | tr -d : | tr "[A-Z]" "[a-z]")" + for ((i = 0; i < 32; i++)); do u="$(shuf -n1 -e "local" "remote")" sample_message | deliver -u "$u" @@ -18,7 +22,7 @@ grep -Fx "remote: C: 000000 STARTTLS" <"$STDERR" || error grep -Fx "remote: C: 000001 CAPABILITY" <"$STDERR" || error grep -Fx "remote: Disabling SSL protocols: SSLv3, TLSv1, TLSv1.1" <"$STDERR" || error -grep -Fx "remote: Peer certificate fingerprint: sha256\$35944e3bd3300d3ac310bb497a32cc1eef6931482a587ddbc95343740cdf1323" <"$STDERR" || error +grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error grep "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error grep "^remote: SSL cipher: " <"$STDERR" || error diff --git a/tests/tls-pin-fingerprint/t b/tests/tls-pin-fingerprint/t index 1b84390..612bc44 100644 --- a/tests/tls-pin-fingerprint/t +++ b/tests/tls-pin-fingerprint/t @@ -1,3 +1,7 @@ +PKEY_SHA256="$(doveconf -c "$HOME_remote/.dovecot/config" -hx ssl_cert \ + | openssl x509 -pubkey | openssl pkey -pubin -outform DER \ + | openssl dgst -sha256 | sed -rn "/^.*=\\s*/ {s///p;q}")" + # backup config install -m0600 "$XDG_CONFIG_HOME/interimap/config" "$XDG_CONFIG_HOME/interimap/config~" with_remote_config() { @@ -7,7 +11,7 @@ with_remote_config() { # pinned valid fingerprint with_remote_config <<-EOF - SSL_fingerprint = sha256\$e8fc8d03ffe75e03897136a2f1c5647bf8c36be7136a6883a732a8c4961c1614 + SSL_fingerprint = sha256\$$PKEY_SHA256 EOF for ((i = 0; i < 32; i++)); do diff --git a/tests/tls-verify-peer/t b/tests/tls-verify-peer/t index d84328a..9e4d9fa 100644 --- a/tests/tls-verify-peer/t +++ b/tests/tls-verify-peer/t @@ -1,5 +1,3 @@ -CERT=~/.dovecot/conf.d/dovecot.pem - unverified_peer() { ! interimap --debug || error @@ -41,36 +39,38 @@ unverified_peer step_done step_start "peer verification result honored when pinned pubkey matches" -pkey_sha256="$(openssl x509 -pubkey <"$CERT" | openssl pkey -pubin -outform DER \ +PKEY_SHA256="$(doveconf -c "$HOME_remote/.dovecot/config" -hx ssl_cert \ + | openssl x509 -pubkey | openssl pkey -pubin -outform DER \ | openssl dgst -sha256 | sed -rn "/^.*=\\s*/ {s///p;q}")" with_remote_config <<-EOF - SSL_fingerprint = sha256\$$pkey_sha256 + SSL_fingerprint = sha256\$$PKEY_SHA256 EOF unverified_peer ! grep -Fx "remote: WARNING: Fingerprint doesn't match! MiTM in action?" <"$STDERR" || error step_done +capath=$(mktemp --tmpdir="$TMPDIR" --directory capath.XXXXXX) step_start "SSL_CAfile" if [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then - # the self-signed cert should not be in there + # our self-signed test cert should not be in there with_remote_config <<<"SSL_CAfile = /etc/ssl/certs/ca-certificates.crt" unverified_peer fi -with_remote_config <<<"SSL_CAfile = $CERT" + +doveconf -c "$HOME_remote/.dovecot/config" -hx ssl_cert >"$capath/ca-certificates.crt" +with_remote_config <<<"SSL_CAfile = $capath/ca-certificates.crt" verified_peer step_done step_start "SSL_CApath" if [ -d "/etc/ssl/certs" ]; then - # the self-signed cert should not be in there + # our self-signed test cert should not be in there with_remote_config <<<"SSL_CApath = /etc/ssl/certs" unverified_peer fi -capath=$(mktemp --tmpdir="$TMPDIR" --directory capath.XXXXXX) -cp -t"$capath" "$CERT" c_rehash "$capath" with_remote_config <<<"SSL_CApath = $capath" diff --git a/tests/tls/t b/tests/tls/t index dd6d955..9fdd399 100644 --- a/tests/tls/t +++ b/tests/tls/t @@ -1,3 +1,7 @@ +X509_SHA256="$(doveconf -c "$HOME_remote/.dovecot/config" -hx ssl_cert \ + | openssl x509 -noout -fingerprint -sha256 \ + | sed -rn "/^.*=\\s*/ {s///p;q}" | tr -d : | tr "[A-Z]" "[a-z]")" + for ((i = 0; i < 32; i++)); do u="$(shuf -n1 -e "local" "remote")" sample_message | deliver -u "$u" @@ -5,7 +9,7 @@ done interimap --debug || error grep -Fx "remote: Disabling SSL protocols: SSLv3, TLSv1, TLSv1.1" <"$STDERR" || error -grep -Fx "remote: Peer certificate fingerprint: sha256\$35944e3bd3300d3ac310bb497a32cc1eef6931482a587ddbc95343740cdf1323" <"$STDERR" || error +grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error grep "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error grep "^remote: SSL cipher: " <"$STDERR" || error |