aboutsummaryrefslogtreecommitdiffstats
path: root/tests
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2020-12-09 15:11:45 +0100
committerGuilhem Moulin <guilhem@fripost.org>2020-12-09 15:29:59 +0100
commit51df40cf82c67ae828c325a42e28b3155fce9864 (patch)
tree7c55c9f424aa3171496e37445f8a0e67193df139 /tests
parent83f85ee3a6fde64a0809180a13e0cc8a3d703bca (diff)
New test with a server offering both RSA+ECDSA certificates.
This requires dovecot-imapd 2.2.31 or later. Certificate generated with: $ openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve \ -out tests/snippets/dovecot/dovecot.ecdsa.key $ openssl req -x509 -days 3650 -subj "/CN=InterIMAP test suite" \ -key tests/snippets/dovecot/dovecot.ecdsa.key \ -out tests/snippets/dovecot/dovecot.ecdsa.crt
Diffstat (limited to 'tests')
-rw-r--r--tests/list1
-rw-r--r--tests/snippets/dovecot/dovecot.ecdsa.crt11
-rw-r--r--tests/snippets/dovecot/dovecot.ecdsa.key5
l---------tests/tls-rsa+ecdsa/interimap.remote1
-rw-r--r--tests/tls-rsa+ecdsa/remote.conf5
-rw-r--r--tests/tls-rsa+ecdsa/t49
6 files changed, 72 insertions, 0 deletions
diff --git a/tests/list b/tests/list
index db77f50..0ad86e4 100644
--- a/tests/list
+++ b/tests/list
@@ -51,6 +51,7 @@ split-set Split large sets to avoid extra-long command lines
tls SSL/TLS handshake
... tls-verify-peer
tls-pin-fingerprint pubkey fingerprint pinning
+ tls-rsa+ecdsa pubkey fingerprint pinning for hybrid RSA+ECDSA
tls-protocols force TLS protocol versions
. Live synchronization (60s)
diff --git a/tests/snippets/dovecot/dovecot.ecdsa.crt b/tests/snippets/dovecot/dovecot.ecdsa.crt
new file mode 100644
index 0000000..b928d4d
--- /dev/null
+++ b/tests/snippets/dovecot/dovecot.ecdsa.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBkjCCATmgAwIBAgIUWyEAqMhQ0uRLtagXgm68bUypQa4wCgYIKoZIzj0EAwIw
+HzEdMBsGA1UEAwwUSW50ZXJJTUFQIHRlc3Qgc3VpdGUwHhcNMjAxMjA5MTQwOTUy
+WhcNMzAxMjA3MTQwOTUyWjAfMR0wGwYDVQQDDBRJbnRlcklNQVAgdGVzdCBzdWl0
+ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFP7A0ivFsHK/WuCQzz+WWh2jBLO
+7uqhWSMh+1cc//jmn2q910XNH3xVFNkIRo7ddg6X8twli3OvC66/YIbxiTyjUzBR
+MB0GA1UdDgQWBBS/p0mJpdBjKpNrQ/t+oJMrehS7wzAfBgNVHSMEGDAWgBS/p0mJ
+pdBjKpNrQ/t+oJMrehS7wzAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0cA
+MEQCIFMlTb7E92tElIueK8TxbllJ3NOaMb1TMjSScM38N8oOAiAiNI4AkESnimPN
+IOsdnydFYjOkDEhzpXbrBEcP3EgJuQ==
+-----END CERTIFICATE-----
diff --git a/tests/snippets/dovecot/dovecot.ecdsa.key b/tests/snippets/dovecot/dovecot.ecdsa.key
new file mode 100644
index 0000000..dfbd4a7
--- /dev/null
+++ b/tests/snippets/dovecot/dovecot.ecdsa.key
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgleLchaikcJbUnkps
+4ITR6FGkW2S2+S+w2ISJSsvgt0ehRANCAART+wNIrxbByv1rgkM8/llodowSzu7q
+oVkjIftXHP/45p9qvddFzR98VRTZCEaO3XYOl/LcJYtzrwuuv2CG8Yk8
+-----END PRIVATE KEY-----
diff --git a/tests/tls-rsa+ecdsa/interimap.remote b/tests/tls-rsa+ecdsa/interimap.remote
new file mode 120000
index 0000000..daf3741
--- /dev/null
+++ b/tests/tls-rsa+ecdsa/interimap.remote
@@ -0,0 +1 @@
+../tls/interimap.remote \ No newline at end of file
diff --git a/tests/tls-rsa+ecdsa/remote.conf b/tests/tls-rsa+ecdsa/remote.conf
new file mode 100644
index 0000000..72ca135
--- /dev/null
+++ b/tests/tls-rsa+ecdsa/remote.conf
@@ -0,0 +1,5 @@
+!include conf.d/imapd.conf
+!include conf.d/ssl.conf
+
+ssl_alt_cert = <conf.d/dovecot.ecdsa.crt
+ssl_alt_key = <conf.d/dovecot.ecdsa.key
diff --git a/tests/tls-rsa+ecdsa/t b/tests/tls-rsa+ecdsa/t
new file mode 100644
index 0000000..29352e9
--- /dev/null
+++ b/tests/tls-rsa+ecdsa/t
@@ -0,0 +1,49 @@
+doveconf_remote() {
+ doveconf -c "$HOME_remote/.dovecot/config" -hx "$1"
+}
+pkey_sha256() {
+ openssl x509 -pubkey | openssl pkey -pubin -outform DER \
+ | openssl dgst -sha256 | sed -rn "/^.*=\\s*/ {s///p;q}"
+}
+x509_sha256() {
+ openssl x509 -noout -fingerprint -sha256 \
+ | sed -rn "/^.*=\\s*/ {s///p;q}" | tr -d : | tr "[A-Z]" "[a-z]"
+}
+
+PKEY_SHA256="$(doveconf_remote ssl_cert | pkey_sha256)"
+X509_SHA256="$(doveconf_remote ssl_cert | x509_sha256)"
+PKEY_ALT_SHA256="$(doveconf_remote ssl_alt_cert | pkey_sha256)"
+X509_ALT_SHA256="$(doveconf_remote ssl_alt_cert | x509_sha256)"
+
+# pinned valid fingerprints
+cat >>"$XDG_CONFIG_HOME/interimap/config" <<-EOF
+ SSL_fingerprint = sha256\$$PKEY_SHA256 sha256\$$PKEY_ALT_SHA256
+EOF
+
+for ((i = 0; i < 32; i++)); do
+ u="$(shuf -n1 -e "local" "remote")"
+ sample_message | deliver -u "$u"
+done
+interimap_init
+check_mailbox_status "INBOX"
+
+interimap --debug || error
+# which peer certificate is used is up to libssl
+grep -Fx -e "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" \
+ -e "remote: Peer certificate fingerprint: sha256\$$X509_ALT_SHA256" \
+ <"$STDERR" || error
+
+# force RSA (XXX do we really have to force TLSv1.2 here?)
+cat >>"$XDG_CONFIG_HOME/interimap/config" <<-EOF
+ SSL_protocols = TLSv1.2
+ SSL_cipherlist = EECDH+AESGCM+aRSA
+EOF
+interimap --debug || error
+grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error
+
+# force ECDSA
+sed -i "s/^SSL_cipherlist\\s*=.*/SSL_cipherlist = EECDH+AESGCM+aECDSA/" "$XDG_CONFIG_HOME/interimap/config"
+interimap --debug || error
+grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_ALT_SHA256" <"$STDERR" || error
+
+# vim: set filetype=sh :