authorMatthew Wild <mwild1@gmail.com>2025-04-03 15:11:58 +0100
committerMatthew Wild <mwild1@gmail.com>2025-04-03 15:11:58 +0100
commite6849bb76ee3682ece53d7434bb1e94a89c91cbc (patch)
treeb8fa5ad7b955d5735bcbd8cc6ab257acf1729d0a /spec/tls/lib.sh
parent3905dcae02962457bfa8d426c472944358cfcf20 (diff)
spec/tls: Add TLS/certificate integration tests
These tests help to verify that various configurations translate into the expected running TLS setups. Specifically, right now we are checking that the correct certificate is served.
Diffstat (limited to 'spec/tls/lib.sh')
-rw-r--r--spec/tls/lib.sh45
1 files changed, 45 insertions, 0 deletions
diff --git a/spec/tls/lib.sh b/spec/tls/lib.sh
new file mode 100644
index 00000000..d072802a
--- /dev/null
+++ b/spec/tls/lib.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+test_name="$(basename "$PWD")"
+export failures=0
+
+get_net_cert () {
+ address="${1?}"
+ sni="${2?}"
+ proto="${3?}"
+ local flags=()
+ case "$proto" in
+ "xmpp") flags=(-starttls xmpp -name "$sni");;
+ "xmpps") flags=(-alpn xmpp-client);;
+ "xmpp-server") flags=(-starttls xmpp-server -name "$sni");;
+ "xmpps-server") flags=(-alpn xmpp-server);;
+ "tls") ;;
+ *) printf "EE: Unknown protocol: %s\n" "$proto" >&2; exit 1;;
+ esac
+ openssl s_client -connect "$address" -servername "$sni" "${flags[@]}" 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
+}
+
+get_file_cert () {
+ fn="${1?}"
+ sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$fn"
+}
+
+expect_cert () {
+ fn="${1?}"
+ address="${2?}"
+ sni="${3?}"
+ proto="${4?}"
+ net_cert="$(get_net_cert "$address" "$sni" "$proto")"
+ file_cert="$(get_file_cert "$fn")"
+ if [[ "$file_cert" != "$net_cert" ]]; then
+ echo "---"
+ echo "NOT OK: $test_name: Expected $fn on $address (SNI $sni)"
+ echo "Received:"
+ openssl x509 -in <(echo "$net_cert") -text
+ echo "---"
+ failures=1;
+ return 1;
+ fi
+ echo "OK: $test_name: $fn observed on $address (SNI $sni)"
+ return 0;
+}
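Review bot: In expect_cert, a connection or handshake failure leaves `net_cert` empty and is reported as a certificate mismatch, after which `openssl x509 -in <(echo "$net_cert") -text` fails on the empty input, so the diagnostic hides the real cause; a guard before the comparison such as `[[ -n "$net_cert" ]] || { echo "NOT OK: $test_name: no certificate received from $address (SNI $sni)"; failures=1; return 1; }` gives a clear failure. The same applies to the unknown-protocol branch in get_net_cert: its `exit 1` only terminates the `$(...)` subshell at the `net_cert=` assignment, so the script continues with an empty certificate instead of aborting. The `address`, `sni`, `proto` and `fn` assignments inside the functions are not declared `local`, so they clobber any same-named variables in the sourcing script; `local address="${1?}"` and friends would keep them function-scoped. It may also be worth a comment on the sed range in get_net_cert and get_file_cert noting that it captures every PEM block, so the comparison is of the full chain printed by s_client against the whole file, not just the leaf certificate.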