From b13c9fa6f442f555af65f869b954935dae40fcc4 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 9 Dec 2020 14:57:11 +0100
Subject: test suite: use a RSA certificate rather than ECDSA.

It's arguably the most common use-case.
Generated with
$ openssl genpkey -algorithm RSA -out tests/snippets/dovecot/dovecot.rsa.key
$ openssl req -x509 -days 3650 -subj "/CN=InterIMAP test suite" \
-key tests/snippets/dovecot/dovecot.rsa.key \
-out tests/snippets/dovecot/dovecot.rsa.crt
---
 tests/tls-verify-peer/t | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
(limited to 'tests/tls-verify-peer/t')
diff --git a/tests/tls-verify-peer/t b/tests/tls-verify-peer/t
index d84328a..9e4d9fa 100644
--- a/tests/tls-verify-peer/t
+++ b/tests/tls-verify-peer/t
@@ -1,5 +1,3 @@
-CERT=~/.dovecot/conf.d/dovecot.pem
-
 unverified_peer() {
 ! interimap --debug || error
@@ -41,36 +39,38 @@ unverified_peer
 step_done
 
 step_start "peer verification result honored when pinned pubkey matches"
-pkey_sha256="$(openssl x509 -pubkey <"$CERT" | openssl pkey -pubin -outform DER \
+PKEY_SHA256="$(doveconf -c "$HOME_remote/.dovecot/config" -hx ssl_cert \
+ | openssl x509 -pubkey | openssl pkey -pubin -outform DER \
 | openssl dgst -sha256 | sed -rn "/^.*=\\s*/ {s///p;q}")"
 with_remote_config <<-EOF
- SSL_fingerprint = sha256\$$pkey_sha256
+ SSL_fingerprint = sha256\$$PKEY_SHA256
 EOF
 unverified_peer
 ! grep -Fx "remote: WARNING: Fingerprint doesn't match! MiTM in action?" <"$STDERR" || error
 step_done
 
+capath=$(mktemp --tmpdir="$TMPDIR" --directory capath.XXXXXX)
 step_start "SSL_CAfile"
 if [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then
- # the self-signed cert should not be in there
+ # our self-signed test cert should not be in there
 with_remote_config <<<"SSL_CAfile = /etc/ssl/certs/ca-certificates.crt"
 unverified_peer
 fi
-with_remote_config <<<"SSL_CAfile = $CERT"
+
+doveconf -c "$HOME_remote/.dovecot/config" -hx ssl_cert >"$capath/ca-certificates.crt"
+with_remote_config <<<"SSL_CAfile = $capath/ca-certificates.crt"
 verified_peer
 step_done
 
 step_start "SSL_CApath"
 if [ -d "/etc/ssl/certs" ]; then
- # the self-signed cert should not be in there
+ # our self-signed test cert should not be in there
 with_remote_config <<<"SSL_CApath = /etc/ssl/certs"
 unverified_peer
 fi
-capath=$(mktemp --tmpdir="$TMPDIR" --directory capath.XXXXXX)
-cp -t"$capath" "$CERT"
 c_rehash "$capath"
 with_remote_config <<<"SSL_CApath = $capath"
-- 
cgit v1.2.3