1 files changed, 49 insertions, 4 deletions

diff --git a/tests/tls-pin-fingerprint/t b/tests/tls-pin-fingerprint/t
index 1b84390..6c045a1 100644
--- a/tests/tls-pin-fingerprint/t
+++ b/tests/tls-pin-fingerprint/t
@@ -1,3 +1,10 @@
+PKEY_SHA256="$(doveconf -c "$HOME_remote/.dovecot/config" -hx ssl_cert \
+    | openssl x509 -in /dev/stdin -pubkey \
+    | openssl pkey -in /dev/stdin -pubin -outform DER \
+    | openssl dgst -sha256 | sed -rn "/^.*=\\s*/ {s///p;q}")"
+INVALID_FPR="sha256\$deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
+INVALID_FPR2="sha256\$deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbee2"
+
 # backup config
 install -m0600 "$XDG_CONFIG_HOME/interimap/config" "$XDG_CONFIG_HOME/interimap/config~"
 with_remote_config() {
@@ -7,7 +14,7 @@ with_remote_config() {
 
 # pinned valid fingerprint
 with_remote_config <<-EOF
-	SSL_fingerprint = sha256\$e8fc8d03ffe75e03897136a2f1c5647bf8c36be7136a6883a732a8c4961c1614
+	SSL_fingerprint = sha256\$$PKEY_SHA256
 EOF
 
 for ((i = 0; i < 32; i++)); do
@@ -18,16 +25,54 @@ interimap_init
 check_mailbox_status "INBOX"
 
 
+# with default algorithm (SHA256)
+with_remote_config <<-EOF
+	SSL_fingerprint = $INVALID_FPR $PKEY_SHA256
+EOF
+interimap --debug || error
+grep -Fx "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_SHA256" <"$STDERR" || error
+
+
 # and now an invalid one
 with_remote_config <<-EOF
-	SSL_fingerprint = sha256\$deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+	SSL_fingerprint = $INVALID_FPR
+EOF
+! interimap --debug || error
+
+grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error
+grep -Fx "remote: WARNING: Fingerprint doesn't match! MiTM in action?" <"$STDERR" || error
+grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error
+# make sure we didn't send any credentials or started speaking IMAP
+! grep -E "^remote: C: .* (AUTHENTICATE|LOGIN) " <"$STDERR" || error
+grep -Fx "remote: IMAP traffic (bytes): recv 0 sent 0" <"$STDERR" || error
+
+# two invalid ones
+with_remote_config <<-EOF
+	SSL_fingerprint = $INVALID_FPR $INVALID_FPR2
 EOF
 ! interimap --debug || error
 
 grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error
 grep -Fx "remote: WARNING: Fingerprint doesn't match! MiTM in action?" <"$STDERR" || error
 grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error
-# make sure we didn't send any credentials
+# make sure we didn't send any credentials or started speaking IMAP
 ! grep -E "^remote: C: .* (AUTHENTICATE|LOGIN) " <"$STDERR" || error
+grep -Fx "remote: IMAP traffic (bytes): recv 0 sent 0" <"$STDERR" || error
+
+
+# valid + invalid
+with_remote_config <<-EOF
+	SSL_fingerprint = sha256\$$PKEY_SHA256 $INVALID_FPR
+EOF
+interimap --debug || error
+grep -Fx "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_SHA256" <"$STDERR" || error
+
+
+# invalid + valid
+with_remote_config <<-EOF
+	SSL_fingerprint = $INVALID_FPR sha256\$$PKEY_SHA256
+EOF
+interimap --debug || error
+grep -Fx "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_SHA256" <"$STDERR" || error
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :