From 11cd204852f665670b5d4271eab86a3d9f5e5624 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Tue, 4 Aug 2020 02:35:05 +0200
Subject: Upgrade URLs to secure HTTP.

---
 tests/run     | 2 +-
 tests/run-all | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

(limited to 'tests')

diff --git a/tests/run b/tests/run
index 4aa0685..8164524 100755
--- a/tests/run
+++ b/tests/run
@@ -15,7 +15,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
 #----------------------------------------------------------------------
 
 set -ue
diff --git a/tests/run-all b/tests/run-all
index 1eca50c..d13f689 100755
--- a/tests/run-all
+++ b/tests/run-all
@@ -15,7 +15,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
 #----------------------------------------------------------------------
 
 set -ue
-- 
cgit v1.2.3


From b13c9fa6f442f555af65f869b954935dae40fcc4 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Wed, 9 Dec 2020 14:57:11 +0100
Subject: test suite: use a RSA certificate rather than ECDSA.

It's arguably the most common use-case.  Generated with

  $ openssl genpkey -algorithm RSA -out tests/snippets/dovecot/dovecot.rsa.key
  $ openssl req -x509 -days 3650 -subj "/CN=InterIMAP test suite" \
        -key tests/snippets/dovecot/dovecot.rsa.key \
        -out tests/snippets/dovecot/dovecot.rsa.crt
---
 tests/snippets/dovecot/dovecot.key     |  5 -----
 tests/snippets/dovecot/dovecot.pem     | 11 -----------
 tests/snippets/dovecot/dovecot.rsa.crt | 19 +++++++++++++++++++
 tests/snippets/dovecot/dovecot.rsa.key | 28 ++++++++++++++++++++++++++++
 tests/snippets/dovecot/ssl.conf        |  4 ++--
 tests/starttls-injection/imapd         |  4 ++--
 tests/starttls/t                       |  6 +++++-
 tests/tls-pin-fingerprint/t            |  6 +++++-
 tests/tls-verify-peer/t                | 18 +++++++++---------
 tests/tls/t                            |  6 +++++-
 10 files changed, 75 insertions(+), 32 deletions(-)
 delete mode 100644 tests/snippets/dovecot/dovecot.key
 delete mode 100644 tests/snippets/dovecot/dovecot.pem
 create mode 100644 tests/snippets/dovecot/dovecot.rsa.crt
 create mode 100644 tests/snippets/dovecot/dovecot.rsa.key

(limited to 'tests')

diff --git a/tests/snippets/dovecot/dovecot.key b/tests/snippets/dovecot/dovecot.key
deleted file mode 100644
index 95c9846..0000000
--- a/tests/snippets/dovecot/dovecot.key
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIGkqkKq69zVeF17S3y2U2HkQWh8z9M/xeblCztkKIfzJoAoGCCqGSM49
-AwEHoUQDQgAE1LLppulKw8KjINrDhOjEd0NTax5iDCds+vpA2PwsvvtGoprNAjQM
-zX+40u30N3CE0r591txqohSBQ/X+nvG2ug==
------END EC PRIVATE KEY-----
diff --git a/tests/snippets/dovecot/dovecot.pem b/tests/snippets/dovecot/dovecot.pem
deleted file mode 100644
index 7e53d90..0000000
--- a/tests/snippets/dovecot/dovecot.pem
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBkzCCATmgAwIBAgIUQ+3hBMsPJcl59xDDujDDfexurOswCgYIKoZIzj0EAwIw
-HzEdMBsGA1UEAwwUSW50ZXJJTUFQIHRlc3Qgc3VpdGUwHhcNMTkxMTEwMTM1NDAw
-WhcNMjkxMTA3MTM1NDAwWjAfMR0wGwYDVQQDDBRJbnRlcklNQVAgdGVzdCBzdWl0
-ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNSy6abpSsPCoyDaw4ToxHdDU2se
-YgwnbPr6QNj8LL77RqKazQI0DM1/uNLt9DdwhNK+fdbcaqIUgUP1/p7xtrqjUzBR
-MB0GA1UdDgQWBBRlh8nSwyX+VlhwuhV7RKYwvKLyDzAfBgNVHSMEGDAWgBRlh8nS
-wyX+VlhwuhV7RKYwvKLyDzAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0gA
-MEUCIQDK8xPPHTbYW5JnZ1Siy8ChZ6GOu2sRwQu7OgtGYGZRSQIgFKn1oAhnq2Oi
-aIPqxjvBPMsK/sjrdI/rNsr2XgaulU4=
------END CERTIFICATE-----
diff --git a/tests/snippets/dovecot/dovecot.rsa.crt b/tests/snippets/dovecot/dovecot.rsa.crt
new file mode 100644
index 0000000..d10204b
--- /dev/null
+++ b/tests/snippets/dovecot/dovecot.rsa.crt
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDHzCCAgegAwIBAgIUKSm5of13M/4NiGfhLMspFl/+YmYwDQYJKoZIhvcNAQEL
+BQAwHzEdMBsGA1UEAwwUSW50ZXJJTUFQIHRlc3Qgc3VpdGUwHhcNMjAxMjA5MTM1
+NjI1WhcNMzAxMjA3MTM1NjI1WjAfMR0wGwYDVQQDDBRJbnRlcklNQVAgdGVzdCBz
+dWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM1DTaSl/4UtngRG
+bAHmxHlNFZJxQVK9AM4tcYna1PGrY/JbmS5kKVFLSM6znHD5aBvTaOy0HLpF15wY
+Vj+zbaWmgqtlKGYGSGoXcTzNYFNJNB/WNhOv25q5VHNNFePTX/zOgQS8geza7qrK
+MZDiMlbuGKCQSKtZqKiEGiMWIyXtVi8BkkHXcTrvDggOTCQlk/0v8dWbGFZZA9ly
+f7PIdxtfm6tacw6Fxcz4ukWx2uoEjOIyOYhgd4WYdM7L9Jnabrh9OHYknuiGZv38
+b2GUZZ0h0RtkcdP1zOxaz4ZTaewo+gLm6yTFsL3mhnNsK/xxx00/QE6C9OyU0Nip
+gGmpT9ECAwEAAaNTMFEwHQYDVR0OBBYEFHlctzGj8GhUJ8GrlHb0mT7DR/mEMB8G
+A1UdIwQYMBaAFHlctzGj8GhUJ8GrlHb0mT7DR/mEMA8GA1UdEwEB/wQFMAMBAf8w
+DQYJKoZIhvcNAQELBQADggEBAJ/FGOVrBmYujPk2ZzJHJZE/+7+upZndrUA+27l7
+u/bHxhLnl94gfGmOaflU+Zyy/9eqLzllY40wkMT6d/SQmfv4C6d+fqk/dDPfdLdk
+N3ew/q/sPvLuEyoj1QoHamWqc3dfgV6p5j4ek6kjyWtjBPcQbVOZ02Xes1GSLzVJ
+Yo9kfbZxk4Y2mqiBDHCM+erNkG002D7cWErjj/fqhYlnjOxU+v9FEm0gLc3VqAkE
+BRuYZbmyMJUklH00R39G2Fey34kcpaB1VCMOLsymWLkZEhfgrl2qPRwGyh+Wc8N5
+gR/w97oHDOfJ2oZRzjRUB7MIhGoY0ED42Ma44Ub4al57XbY=
+-----END CERTIFICATE-----
diff --git a/tests/snippets/dovecot/dovecot.rsa.key b/tests/snippets/dovecot/dovecot.rsa.key
new file mode 100644
index 0000000..ed77230
--- /dev/null
+++ b/tests/snippets/dovecot/dovecot.rsa.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDNQ02kpf+FLZ4E
+RmwB5sR5TRWScUFSvQDOLXGJ2tTxq2PyW5kuZClRS0jOs5xw+Wgb02jstBy6Rdec
+GFY/s22lpoKrZShmBkhqF3E8zWBTSTQf1jYTr9uauVRzTRXj01/8zoEEvIHs2u6q
+yjGQ4jJW7higkEirWaiohBojFiMl7VYvAZJB13E67w4IDkwkJZP9L/HVmxhWWQPZ
+cn+zyHcbX5urWnMOhcXM+LpFsdrqBIziMjmIYHeFmHTOy/SZ2m64fTh2JJ7ohmb9
+/G9hlGWdIdEbZHHT9czsWs+GU2nsKPoC5uskxbC95oZzbCv8ccdNP0BOgvTslNDY
+qYBpqU/RAgMBAAECggEANzx5VGlnTYttDnF09z4GeS4JNBNOJNm/sbwA5bwBudcJ
+WlrT6ewCQmIkAZvL6Yr0PSiy/5+oa2gIEXVrIFFEnGMmnsDmEi52pjYQvu/1j/QP
+FtIqUznrusNMuopv7ZMgLYPUrFWeEQMJXuRyWi7EpSgFcI/jPlkuTcrezbpTUw0D
+bNAQjgXiDGNzyJDVmx496CWtTJHE94wwKo2QAiFU7zCZcqM7JlNCnRenws4KGqJ1
+qyFeCJJlgORQDMpiqaJLMreF41WPs++Xsu07RzQdmFKaS/sX4Um/5uyhlApmxepR
+cwx3RYvOtGArQKreNONn5j16O012DSbFXIyrUjJgAQKBgQD48iZmm2iiq4oC1u+/
+kYPXMHjUBHeMj8D3lA2mnCh4W/vcEj+ZBFgmR90KyYkK2eDuFslvfwzxZqU3sqJE
+au4OsITsSrxhJHAz4pVWPlJiWUCrz/7ektxY6Jw2+Jk8lR3UvLMgJbKpLWkd5Od+
+h5xKNU5Xzu198yX703k4+v5rgQKBgQDTFEcIJK9BffQ5hqMiM7NujdbMQ4ldxUy+
+ivyHk4MX4Z/kequE1rMJ1Ap8hypPJz10NhXM2naQWa8APnFYkNygwbtwTSZaiyMY
+Tav8rjYoA0CfEsPfIx2AFPtDtrhWGH5o9LZI9sjhH79ud412IDZxSGdZmAho8Xdj
+ky5sQr9MUQKBgByF+jplcg65Yt3CbMPhU17TkfSQ8nWrfuufDhVZ7RUlTO1BNgI9
+SjBQqZXz03zny+rbt4bL4trB7Qo9sHPwYIhUV1aPlZf3yddYDc5M47mbClrlQQmV
+gCO7uzJdN4mGeF2IpWl4iEj0CAhB0vhfZ1vlUa2j6vg0ZNS+vTP3JjGBAoGAQ+gW
+IgyLRWqcE5W5DdvMMhj3radcngpHclWMgKF4X0p7Aipk28umtda9uOpTNjvNjYGI
+6equkioIHu/3zyJrmFw7TRnE6QQyOjNizVvOmHjTZVnIIhVN/FLDszkpfKlMob94
+lWivn51zHLrhi8s5OKCufyhmLDzix+ol2TZwDMECgYEAwjhuZRXZeIgjKkvkG+FT
+8ThPNcxSplNca+YM9fQuWAuKkCbKCtvl8m5HDWYYIDx1jkKGHvDGtUl7vV4TtCgJ
+OeCQPjT5SLYs9ienMqitbzKfvCGRNsIG/1NsUrerD0Lau+V0YmbqYYk1Pptr3R8x
+bLzY7IMbPzdI+aPyhNF9KSg=
+-----END PRIVATE KEY-----
diff --git a/tests/snippets/dovecot/ssl.conf b/tests/snippets/dovecot/ssl.conf
index 240f24b..2d68c80 100644
--- a/tests/snippets/dovecot/ssl.conf
+++ b/tests/snippets/dovecot/ssl.conf
@@ -1,4 +1,4 @@
 ssl = required
-ssl_cert = <dovecot.pem
-ssl_key = <dovecot.key
+ssl_cert = <dovecot.rsa.crt
+ssl_key = <dovecot.rsa.key
 ssl_dh = <dhparams.pem
diff --git a/tests/starttls-injection/imapd b/tests/starttls-injection/imapd
index 9000c8d..15c53c7 100755
--- a/tests/starttls-injection/imapd
+++ b/tests/starttls-injection/imapd
@@ -26,9 +26,9 @@ Net::SSLeay::CTX_set_mode($CTX,
     Net::SSLeay::MODE_ACCEPT_MOVING_WRITE_BUFFER() |
     Net::SSLeay::MODE_AUTO_RETRY() | # don't fail SSL_read on renegotiation
     Net::SSLeay::MODE_RELEASE_BUFFERS() );
-Net::SSLeay::CTX_use_PrivateKey_file($CTX, "$CONFDIR/dovecot.key", &Net::SSLeay::FILETYPE_PEM)
+Net::SSLeay::CTX_use_PrivateKey_file($CTX, "$CONFDIR/dovecot.rsa.key", &Net::SSLeay::FILETYPE_PEM)
     or die_if_ssl_error("Can't load private key: $!");
-Net::SSLeay::CTX_use_certificate_file($CTX, "$CONFDIR/dovecot.pem", &Net::SSLeay::FILETYPE_PEM)
+Net::SSLeay::CTX_use_certificate_file($CTX, "$CONFDIR/dovecot.rsa.crt", &Net::SSLeay::FILETYPE_PEM)
     or die_if_ssl_error("Can't load certificate: $!");
 
 while (1) {
diff --git a/tests/starttls/t b/tests/starttls/t
index 99a39c2..5f9bd4f 100644
--- a/tests/starttls/t
+++ b/tests/starttls/t
@@ -1,3 +1,7 @@
+X509_SHA256="$(doveconf -c "$HOME_remote/.dovecot/config" -hx ssl_cert \
+    | openssl x509 -noout -fingerprint -sha256 \
+    | sed -rn "/^.*=\\s*/ {s///p;q}" | tr -d : | tr "[A-Z]" "[a-z]")"
+
 for ((i = 0; i < 32; i++)); do
     u="$(shuf -n1 -e "local" "remote")"
     sample_message | deliver -u "$u"
@@ -18,7 +22,7 @@ grep -Fx "remote: C: 000000 STARTTLS"   <"$STDERR" || error
 grep -Fx "remote: C: 000001 CAPABILITY" <"$STDERR" || error
 
 grep -Fx "remote: Disabling SSL protocols: SSLv3, TLSv1, TLSv1.1" <"$STDERR" || error
-grep -Fx "remote: Peer certificate fingerprint: sha256\$35944e3bd3300d3ac310bb497a32cc1eef6931482a587ddbc95343740cdf1323" <"$STDERR" || error
+grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error
 grep "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error
 grep "^remote: SSL cipher: " <"$STDERR" || error
 
diff --git a/tests/tls-pin-fingerprint/t b/tests/tls-pin-fingerprint/t
index 1b84390..612bc44 100644
--- a/tests/tls-pin-fingerprint/t
+++ b/tests/tls-pin-fingerprint/t
@@ -1,3 +1,7 @@
+PKEY_SHA256="$(doveconf -c "$HOME_remote/.dovecot/config" -hx ssl_cert \
+    | openssl x509 -pubkey | openssl pkey -pubin -outform DER \
+    | openssl dgst -sha256 | sed -rn "/^.*=\\s*/ {s///p;q}")"
+
 # backup config
 install -m0600 "$XDG_CONFIG_HOME/interimap/config" "$XDG_CONFIG_HOME/interimap/config~"
 with_remote_config() {
@@ -7,7 +11,7 @@ with_remote_config() {
 
 # pinned valid fingerprint
 with_remote_config <<-EOF
-	SSL_fingerprint = sha256\$e8fc8d03ffe75e03897136a2f1c5647bf8c36be7136a6883a732a8c4961c1614
+	SSL_fingerprint = sha256\$$PKEY_SHA256
 EOF
 
 for ((i = 0; i < 32; i++)); do
diff --git a/tests/tls-verify-peer/t b/tests/tls-verify-peer/t
index d84328a..9e4d9fa 100644
--- a/tests/tls-verify-peer/t
+++ b/tests/tls-verify-peer/t
@@ -1,5 +1,3 @@
-CERT=~/.dovecot/conf.d/dovecot.pem
-
 unverified_peer() {
     ! interimap --debug || error
 
@@ -41,36 +39,38 @@ unverified_peer
 step_done
 
 step_start "peer verification result honored when pinned pubkey matches"
-pkey_sha256="$(openssl x509 -pubkey <"$CERT" | openssl pkey -pubin -outform DER \
+PKEY_SHA256="$(doveconf -c "$HOME_remote/.dovecot/config" -hx ssl_cert \
+    | openssl x509 -pubkey | openssl pkey -pubin -outform DER \
     | openssl dgst -sha256 | sed -rn "/^.*=\\s*/ {s///p;q}")"
 with_remote_config <<-EOF
-	SSL_fingerprint = sha256\$$pkey_sha256
+	SSL_fingerprint = sha256\$$PKEY_SHA256
 EOF
 unverified_peer
 ! grep -Fx "remote: WARNING: Fingerprint doesn't match! MiTM in action?" <"$STDERR" || error
 step_done
 
+capath=$(mktemp --tmpdir="$TMPDIR" --directory capath.XXXXXX)
 
 step_start "SSL_CAfile"
 if [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then
-    # the self-signed cert should not be in there
+    # our self-signed test cert should not be in there
     with_remote_config <<<"SSL_CAfile = /etc/ssl/certs/ca-certificates.crt"
     unverified_peer
 fi
-with_remote_config <<<"SSL_CAfile = $CERT"
+
+doveconf -c "$HOME_remote/.dovecot/config" -hx ssl_cert >"$capath/ca-certificates.crt"
+with_remote_config <<<"SSL_CAfile = $capath/ca-certificates.crt"
 verified_peer
 step_done
 
 
 step_start "SSL_CApath"
 if [ -d "/etc/ssl/certs" ]; then
-    # the self-signed cert should not be in there
+    # our self-signed test cert should not be in there
     with_remote_config <<<"SSL_CApath = /etc/ssl/certs"
     unverified_peer
 fi
 
-capath=$(mktemp --tmpdir="$TMPDIR" --directory capath.XXXXXX)
-cp -t"$capath" "$CERT"
 c_rehash "$capath"
 
 with_remote_config <<<"SSL_CApath = $capath"
diff --git a/tests/tls/t b/tests/tls/t
index dd6d955..9fdd399 100644
--- a/tests/tls/t
+++ b/tests/tls/t
@@ -1,3 +1,7 @@
+X509_SHA256="$(doveconf -c "$HOME_remote/.dovecot/config" -hx ssl_cert \
+    | openssl x509 -noout -fingerprint -sha256 \
+    | sed -rn "/^.*=\\s*/ {s///p;q}" | tr -d : | tr "[A-Z]" "[a-z]")"
+
 for ((i = 0; i < 32; i++)); do
     u="$(shuf -n1 -e "local" "remote")"
     sample_message | deliver -u "$u"
@@ -5,7 +9,7 @@ done
 
 interimap --debug || error
 grep -Fx "remote: Disabling SSL protocols: SSLv3, TLSv1, TLSv1.1" <"$STDERR" || error
-grep -Fx "remote: Peer certificate fingerprint: sha256\$35944e3bd3300d3ac310bb497a32cc1eef6931482a587ddbc95343740cdf1323" <"$STDERR" || error
+grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error
 grep "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error
 grep "^remote: SSL cipher: " <"$STDERR" || error
 
-- 
cgit v1.2.3


From a1ef66a76b4a6651b7371a9fd1e35f2f99e85bfa Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Wed, 9 Dec 2020 15:06:37 +0100
Subject: libinterimap: SSL_fingerprint now supports a space-separate list of
 digests to pin.

And succeeds if, and only if, the peer certificate SPKI matches one of
the pinned digest values.  Specifying multiple digest values can key
useful in key rollover scenarios and/or when the server supports
certificates of different types (for instance RSA+ECDSA).
---
 tests/tls-pin-fingerprint/t | 37 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)

(limited to 'tests')

diff --git a/tests/tls-pin-fingerprint/t b/tests/tls-pin-fingerprint/t
index 612bc44..d3830e2 100644
--- a/tests/tls-pin-fingerprint/t
+++ b/tests/tls-pin-fingerprint/t
@@ -1,6 +1,8 @@
 PKEY_SHA256="$(doveconf -c "$HOME_remote/.dovecot/config" -hx ssl_cert \
     | openssl x509 -pubkey | openssl pkey -pubin -outform DER \
     | openssl dgst -sha256 | sed -rn "/^.*=\\s*/ {s///p;q}")"
+INVALID_FPR="sha256\$deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
+INVALID_FPR2="sha256\$deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbee2"
 
 # backup config
 install -m0600 "$XDG_CONFIG_HOME/interimap/config" "$XDG_CONFIG_HOME/interimap/config~"
@@ -22,9 +24,28 @@ interimap_init
 check_mailbox_status "INBOX"
 
 
+# with default algorithm (SHA256)
+with_remote_config <<-EOF
+	SSL_fingerprint = $INVALID_FPR $PKEY_SHA256
+EOF
+interimap || error
+
+
 # and now an invalid one
 with_remote_config <<-EOF
-	SSL_fingerprint = sha256\$deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+	SSL_fingerprint = $INVALID_FPR
+EOF
+! interimap --debug || error
+
+grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error
+grep -Fx "remote: WARNING: Fingerprint doesn't match! MiTM in action?" <"$STDERR" || error
+grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error
+# make sure we didn't send any credentials
+! grep -E "^remote: C: .* (AUTHENTICATE|LOGIN) " <"$STDERR" || error
+
+# two invalid ones
+with_remote_config <<-EOF
+	SSL_fingerprint = $INVALID_FPR $INVALID_FPR2
 EOF
 ! interimap --debug || error
 
@@ -34,4 +55,18 @@ grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error
 # make sure we didn't send any credentials
 ! grep -E "^remote: C: .* (AUTHENTICATE|LOGIN) " <"$STDERR" || error
 
+
+# valid + invalid
+with_remote_config <<-EOF
+	SSL_fingerprint = sha256\$$PKEY_SHA256 $INVALID_FPR
+EOF
+interimap || error
+
+
+# invalid + valid
+with_remote_config <<-EOF
+	SSL_fingerprint = $INVALID_FPR sha256\$$PKEY_SHA256
+EOF
+interimap || error
+
 # vim: set filetype=sh :
-- 
cgit v1.2.3


From 51df40cf82c67ae828c325a42e28b3155fce9864 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Wed, 9 Dec 2020 15:11:45 +0100
Subject: New test with a server offering both RSA+ECDSA certificates.

This requires dovecot-imapd 2.2.31 or later.

Certificate generated with:

      $ openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve \
            -out tests/snippets/dovecot/dovecot.ecdsa.key
      $ openssl req -x509 -days 3650 -subj "/CN=InterIMAP test suite" \
            -key tests/snippets/dovecot/dovecot.ecdsa.key \
            -out tests/snippets/dovecot/dovecot.ecdsa.crt
---
 tests/list                               |  1 +
 tests/snippets/dovecot/dovecot.ecdsa.crt | 11 +++++++
 tests/snippets/dovecot/dovecot.ecdsa.key |  5 ++++
 tests/tls-rsa+ecdsa/interimap.remote     |  1 +
 tests/tls-rsa+ecdsa/remote.conf          |  5 ++++
 tests/tls-rsa+ecdsa/t                    | 49 ++++++++++++++++++++++++++++++++
 6 files changed, 72 insertions(+)
 create mode 100644 tests/snippets/dovecot/dovecot.ecdsa.crt
 create mode 100644 tests/snippets/dovecot/dovecot.ecdsa.key
 create mode 120000 tests/tls-rsa+ecdsa/interimap.remote
 create mode 100644 tests/tls-rsa+ecdsa/remote.conf
 create mode 100644 tests/tls-rsa+ecdsa/t

(limited to 'tests')

diff --git a/tests/list b/tests/list
index db77f50..0ad86e4 100644
--- a/tests/list
+++ b/tests/list
@@ -51,6 +51,7 @@ split-set   Split large sets to avoid extra-long command lines
     tls                     SSL/TLS handshake
     ... tls-verify-peer
     tls-pin-fingerprint     pubkey fingerprint pinning
+    tls-rsa+ecdsa           pubkey fingerprint pinning for hybrid RSA+ECDSA
     tls-protocols           force TLS protocol versions
 
 . Live synchronization (60s)
diff --git a/tests/snippets/dovecot/dovecot.ecdsa.crt b/tests/snippets/dovecot/dovecot.ecdsa.crt
new file mode 100644
index 0000000..b928d4d
--- /dev/null
+++ b/tests/snippets/dovecot/dovecot.ecdsa.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBkjCCATmgAwIBAgIUWyEAqMhQ0uRLtagXgm68bUypQa4wCgYIKoZIzj0EAwIw
+HzEdMBsGA1UEAwwUSW50ZXJJTUFQIHRlc3Qgc3VpdGUwHhcNMjAxMjA5MTQwOTUy
+WhcNMzAxMjA3MTQwOTUyWjAfMR0wGwYDVQQDDBRJbnRlcklNQVAgdGVzdCBzdWl0
+ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFP7A0ivFsHK/WuCQzz+WWh2jBLO
+7uqhWSMh+1cc//jmn2q910XNH3xVFNkIRo7ddg6X8twli3OvC66/YIbxiTyjUzBR
+MB0GA1UdDgQWBBS/p0mJpdBjKpNrQ/t+oJMrehS7wzAfBgNVHSMEGDAWgBS/p0mJ
+pdBjKpNrQ/t+oJMrehS7wzAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0cA
+MEQCIFMlTb7E92tElIueK8TxbllJ3NOaMb1TMjSScM38N8oOAiAiNI4AkESnimPN
+IOsdnydFYjOkDEhzpXbrBEcP3EgJuQ==
+-----END CERTIFICATE-----
diff --git a/tests/snippets/dovecot/dovecot.ecdsa.key b/tests/snippets/dovecot/dovecot.ecdsa.key
new file mode 100644
index 0000000..dfbd4a7
--- /dev/null
+++ b/tests/snippets/dovecot/dovecot.ecdsa.key
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgleLchaikcJbUnkps
+4ITR6FGkW2S2+S+w2ISJSsvgt0ehRANCAART+wNIrxbByv1rgkM8/llodowSzu7q
+oVkjIftXHP/45p9qvddFzR98VRTZCEaO3XYOl/LcJYtzrwuuv2CG8Yk8
+-----END PRIVATE KEY-----
diff --git a/tests/tls-rsa+ecdsa/interimap.remote b/tests/tls-rsa+ecdsa/interimap.remote
new file mode 120000
index 0000000..daf3741
--- /dev/null
+++ b/tests/tls-rsa+ecdsa/interimap.remote
@@ -0,0 +1 @@
+../tls/interimap.remote
\ No newline at end of file
diff --git a/tests/tls-rsa+ecdsa/remote.conf b/tests/tls-rsa+ecdsa/remote.conf
new file mode 100644
index 0000000..72ca135
--- /dev/null
+++ b/tests/tls-rsa+ecdsa/remote.conf
@@ -0,0 +1,5 @@
+!include conf.d/imapd.conf
+!include conf.d/ssl.conf
+
+ssl_alt_cert = <conf.d/dovecot.ecdsa.crt
+ssl_alt_key = <conf.d/dovecot.ecdsa.key
diff --git a/tests/tls-rsa+ecdsa/t b/tests/tls-rsa+ecdsa/t
new file mode 100644
index 0000000..29352e9
--- /dev/null
+++ b/tests/tls-rsa+ecdsa/t
@@ -0,0 +1,49 @@
+doveconf_remote() {
+    doveconf -c "$HOME_remote/.dovecot/config" -hx "$1"
+}
+pkey_sha256() {
+    openssl x509 -pubkey | openssl pkey -pubin -outform DER \
+    | openssl dgst -sha256 | sed -rn "/^.*=\\s*/ {s///p;q}"
+}
+x509_sha256() {
+    openssl x509 -noout -fingerprint -sha256 \
+    | sed -rn "/^.*=\\s*/ {s///p;q}" | tr -d : | tr "[A-Z]" "[a-z]"
+}
+
+PKEY_SHA256="$(doveconf_remote ssl_cert | pkey_sha256)"
+X509_SHA256="$(doveconf_remote ssl_cert | x509_sha256)"
+PKEY_ALT_SHA256="$(doveconf_remote ssl_alt_cert | pkey_sha256)"
+X509_ALT_SHA256="$(doveconf_remote ssl_alt_cert | x509_sha256)"
+
+# pinned valid fingerprints
+cat >>"$XDG_CONFIG_HOME/interimap/config" <<-EOF
+	SSL_fingerprint = sha256\$$PKEY_SHA256 sha256\$$PKEY_ALT_SHA256
+EOF
+
+for ((i = 0; i < 32; i++)); do
+    u="$(shuf -n1 -e "local" "remote")"
+    sample_message | deliver -u "$u"
+done
+interimap_init
+check_mailbox_status "INBOX"
+
+interimap --debug || error
+# which peer certificate is used is up to libssl 
+grep -Fx -e "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" \
+         -e "remote: Peer certificate fingerprint: sha256\$$X509_ALT_SHA256" \
+         <"$STDERR" || error
+
+# force RSA (XXX do we really have to force TLSv1.2 here?)
+cat >>"$XDG_CONFIG_HOME/interimap/config" <<-EOF
+	SSL_protocols = TLSv1.2
+	SSL_cipherlist = EECDH+AESGCM+aRSA
+EOF
+interimap --debug || error
+grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error
+
+# force ECDSA
+sed -i "s/^SSL_cipherlist\\s*=.*/SSL_cipherlist = EECDH+AESGCM+aECDSA/" "$XDG_CONFIG_HOME/interimap/config"
+interimap --debug || error
+grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_ALT_SHA256" <"$STDERR" || error
+
+# vim: set filetype=sh :
-- 
cgit v1.2.3