Software / code / prosody
Annotate
spec/tls/lib.sh @ 13816:4122978f2575 13.0
spec/tls: Add TLS/certificate integration tests
These tests help to verify that various configurations translate into the
expected running TLS setups. Specifically right now we are checking the
correct certificate is served.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Thu, 03 Apr 2025 15:11:58 +0100 |
| rev | line source |
|---|---|
|
13816
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
1 #!/bin/bash |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
2 |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
3 test_name="$(basename "$PWD")" |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
4 export failures=0 |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
5 |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
6 get_net_cert () { |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
7 address="${1?}" |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
8 sni="${2?}" |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
9 proto="${3?}" |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
10 local flags=() |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
11 case "$proto" in |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
12 "xmpp") flags=(-starttls xmpp -name "$sni");; |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
13 "xmpps") flags=(-alpn xmpp-client);; |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
14 "xmpp-server") flags=(-starttls xmpp-server -name "$sni");; |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
15 "xmpps-server") flags=(-alpn xmpp-server);; |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
16 "tls") ;; |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
17 *) printf "EE: Unknown protocol: %s\n" "$proto" >&2; exit 1;; |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
18 esac |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
19 openssl s_client -connect "$address" -servername "$sni" "${flags[@]}" 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
20 } |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
21 |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
22 get_file_cert () { |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
23 fn="${1?}" |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
24 sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$fn" |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
25 } |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
26 |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
27 expect_cert () { |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
28 fn="${1?}" |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
29 address="${2?}" |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
30 sni="${3?}" |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
31 proto="${4?}" |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
32 net_cert="$(get_net_cert "$address" "$sni" "$proto")" |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
33 file_cert="$(get_file_cert "$fn")" |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
34 if [[ "$file_cert" != "$net_cert" ]]; then |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
35 echo "---" |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
36 echo "NOT OK: $test_name: Expected $fn on $address (SNI $sni)" |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
37 echo "Received:" |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
38 openssl x509 -in <(echo "$net_cert") -text |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
39 echo "---" |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
40 failures=1; |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
41 return 1; |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
42 fi |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
43 echo "OK: $test_name: $fn observed on $address (SNI $sni)" |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
44 return 0; |
|
4122978f2575
spec/tls: Add TLS/certificate integration tests
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
45 } |
