From 51df40cf82c67ae828c325a42e28b3155fce9864 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Wed, 9 Dec 2020 15:11:45 +0100
Subject: New test with a server offering both RSA+ECDSA certificates.

This requires dovecot-imapd 2.2.31 or later.

Certificate generated with:

      $ openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve \
            -out tests/snippets/dovecot/dovecot.ecdsa.key
      $ openssl req -x509 -days 3650 -subj "/CN=InterIMAP test suite" \
            -key tests/snippets/dovecot/dovecot.ecdsa.key \
            -out tests/snippets/dovecot/dovecot.ecdsa.crt
---
 tests/list                               |  1 +
 tests/snippets/dovecot/dovecot.ecdsa.crt | 11 +++++++
 tests/snippets/dovecot/dovecot.ecdsa.key |  5 ++++
 tests/tls-rsa+ecdsa/interimap.remote     |  1 +
 tests/tls-rsa+ecdsa/remote.conf          |  5 ++++
 tests/tls-rsa+ecdsa/t                    | 49 ++++++++++++++++++++++++++++++++
 6 files changed, 72 insertions(+)
 create mode 100644 tests/snippets/dovecot/dovecot.ecdsa.crt
 create mode 100644 tests/snippets/dovecot/dovecot.ecdsa.key
 create mode 120000 tests/tls-rsa+ecdsa/interimap.remote
 create mode 100644 tests/tls-rsa+ecdsa/remote.conf
 create mode 100644 tests/tls-rsa+ecdsa/t

(limited to 'tests')

diff --git a/tests/list b/tests/list
index db77f50..0ad86e4 100644
--- a/tests/list
+++ b/tests/list
@@ -51,6 +51,7 @@ split-set   Split large sets to avoid extra-long command lines
     tls                     SSL/TLS handshake
     ... tls-verify-peer
     tls-pin-fingerprint     pubkey fingerprint pinning
+    tls-rsa+ecdsa           pubkey fingerprint pinning for hybrid RSA+ECDSA
     tls-protocols           force TLS protocol versions
 
 . Live synchronization (60s)
diff --git a/tests/snippets/dovecot/dovecot.ecdsa.crt b/tests/snippets/dovecot/dovecot.ecdsa.crt
new file mode 100644
index 0000000..b928d4d
--- /dev/null
+++ b/tests/snippets/dovecot/dovecot.ecdsa.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBkjCCATmgAwIBAgIUWyEAqMhQ0uRLtagXgm68bUypQa4wCgYIKoZIzj0EAwIw
+HzEdMBsGA1UEAwwUSW50ZXJJTUFQIHRlc3Qgc3VpdGUwHhcNMjAxMjA5MTQwOTUy
+WhcNMzAxMjA3MTQwOTUyWjAfMR0wGwYDVQQDDBRJbnRlcklNQVAgdGVzdCBzdWl0
+ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFP7A0ivFsHK/WuCQzz+WWh2jBLO
+7uqhWSMh+1cc//jmn2q910XNH3xVFNkIRo7ddg6X8twli3OvC66/YIbxiTyjUzBR
+MB0GA1UdDgQWBBS/p0mJpdBjKpNrQ/t+oJMrehS7wzAfBgNVHSMEGDAWgBS/p0mJ
+pdBjKpNrQ/t+oJMrehS7wzAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0cA
+MEQCIFMlTb7E92tElIueK8TxbllJ3NOaMb1TMjSScM38N8oOAiAiNI4AkESnimPN
+IOsdnydFYjOkDEhzpXbrBEcP3EgJuQ==
+-----END CERTIFICATE-----
diff --git a/tests/snippets/dovecot/dovecot.ecdsa.key b/tests/snippets/dovecot/dovecot.ecdsa.key
new file mode 100644
index 0000000..dfbd4a7
--- /dev/null
+++ b/tests/snippets/dovecot/dovecot.ecdsa.key
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgleLchaikcJbUnkps
+4ITR6FGkW2S2+S+w2ISJSsvgt0ehRANCAART+wNIrxbByv1rgkM8/llodowSzu7q
+oVkjIftXHP/45p9qvddFzR98VRTZCEaO3XYOl/LcJYtzrwuuv2CG8Yk8
+-----END PRIVATE KEY-----
diff --git a/tests/tls-rsa+ecdsa/interimap.remote b/tests/tls-rsa+ecdsa/interimap.remote
new file mode 120000
index 0000000..daf3741
--- /dev/null
+++ b/tests/tls-rsa+ecdsa/interimap.remote
@@ -0,0 +1 @@
+../tls/interimap.remote
\ No newline at end of file
diff --git a/tests/tls-rsa+ecdsa/remote.conf b/tests/tls-rsa+ecdsa/remote.conf
new file mode 100644
index 0000000..72ca135
--- /dev/null
+++ b/tests/tls-rsa+ecdsa/remote.conf
@@ -0,0 +1,5 @@
+!include conf.d/imapd.conf
+!include conf.d/ssl.conf
+
+ssl_alt_cert = <conf.d/dovecot.ecdsa.crt
+ssl_alt_key = <conf.d/dovecot.ecdsa.key
diff --git a/tests/tls-rsa+ecdsa/t b/tests/tls-rsa+ecdsa/t
new file mode 100644
index 0000000..29352e9
--- /dev/null
+++ b/tests/tls-rsa+ecdsa/t
@@ -0,0 +1,49 @@
+doveconf_remote() {
+    doveconf -c "$HOME_remote/.dovecot/config" -hx "$1"
+}
+pkey_sha256() {
+    openssl x509 -pubkey | openssl pkey -pubin -outform DER \
+    | openssl dgst -sha256 | sed -rn "/^.*=\\s*/ {s///p;q}"
+}
+x509_sha256() {
+    openssl x509 -noout -fingerprint -sha256 \
+    | sed -rn "/^.*=\\s*/ {s///p;q}" | tr -d : | tr "[A-Z]" "[a-z]"
+}
+
+PKEY_SHA256="$(doveconf_remote ssl_cert | pkey_sha256)"
+X509_SHA256="$(doveconf_remote ssl_cert | x509_sha256)"
+PKEY_ALT_SHA256="$(doveconf_remote ssl_alt_cert | pkey_sha256)"
+X509_ALT_SHA256="$(doveconf_remote ssl_alt_cert | x509_sha256)"
+
+# pinned valid fingerprints
+cat >>"$XDG_CONFIG_HOME/interimap/config" <<-EOF
+	SSL_fingerprint = sha256\$$PKEY_SHA256 sha256\$$PKEY_ALT_SHA256
+EOF
+
+for ((i = 0; i < 32; i++)); do
+    u="$(shuf -n1 -e "local" "remote")"
+    sample_message | deliver -u "$u"
+done
+interimap_init
+check_mailbox_status "INBOX"
+
+interimap --debug || error
+# which peer certificate is used is up to libssl 
+grep -Fx -e "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" \
+         -e "remote: Peer certificate fingerprint: sha256\$$X509_ALT_SHA256" \
+         <"$STDERR" || error
+
+# force RSA (XXX do we really have to force TLSv1.2 here?)
+cat >>"$XDG_CONFIG_HOME/interimap/config" <<-EOF
+	SSL_protocols = TLSv1.2
+	SSL_cipherlist = EECDH+AESGCM+aRSA
+EOF
+interimap --debug || error
+grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error
+
+# force ECDSA
+sed -i "s/^SSL_cipherlist\\s*=.*/SSL_cipherlist = EECDH+AESGCM+aECDSA/" "$XDG_CONFIG_HOME/interimap/config"
+interimap --debug || error
+grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_ALT_SHA256" <"$STDERR" || error
+
+# vim: set filetype=sh :
-- 
cgit v1.2.3