[PATCH 07/11] test: add crypto tests for signature verification and decryption
This adds a new "crypto" test script to the test suite to test PGP/MIME signature verification and message decryption. Included here is a test GNUPGHOME with a test secret key (passwordless), and test for: * signing/verification * signing/verification with full owner trust * verification with signer key unavailable * encryption/decryption * decryption failure with missing key * encryption/decryption + signing/verfifying * reply to encrypted message * verification of signature from revoked key These tests are not expected to pass now, but will as crypto functionality is included. --- test/basic |5 +- test/crypto| 330 test/gnupg-secret-key.NOTE |9 ++ test/gnupg-secret-key.asc | 34 + test/notmuch-test |1 + test/test-lib.sh | 29 6 files changed, 407 insertions(+), 1 deletions(-) create mode 100755 test/crypto create mode 100644 test/gnupg-secret-key.NOTE create mode 100644 test/gnupg-secret-key.asc diff --git a/test/basic b/test/basic index 3b43ad9..d6c0d00 100755 --- a/test/basic +++ b/test/basic @@ -57,7 +57,10 @@ available=$(ls -1 ../ | \ sed -r -e "/^(aggregate-results.sh|Makefile|Makefile.local|notmuch-test)/d" \ -e "/^(README|test-lib.sh|test-results|tmp.*|valgrind|corpus*)/d" \ -e "/^(emacs.expected-output|smtp-dummy|smtp-dummy.c|test-verbose)/d" \ - -e "/^(test.expected-output|.*~)/d" | sort) + -e "/^(test.expected-output|.*~)/d" \ + -e "/^(gnupg-secret-key.asc)/d" \ + -e "/^(gnupg-secret-key.NOTE)/d" \ + | sort) test_expect_equal "$tests_in_suite" "$available" EXPECTED=../test.expected-output diff --git a/test/crypto b/test/crypto new file mode 100755 index 000..3b0f381 --- /dev/null +++ b/test/crypto @@ -0,0 +1,330 @@ +#!/bin/bash + +# TODO: +# - decryption/verification with signer key not available +# - verification of signatures from expired/revoked keys + +test_description='PGP/MIME signature verification and decryption' +. ./test-lib.sh + +add_gnupg_home () +{ +local output +[ -d ${GNUPGHOME} ] && return +mkdir -m 0700 "$GNUPGHOME" +gpg --no-tty --import <../gnupg-secret-key.asc >"$GNUPGHOME"/import.log 2>&1 +test_debug "cat $GNUPGHOME/import.log" +if (gpg --quick-random --version >/dev/null 2>&1) ; then + echo quick-random >> "$GNUPGHOME"/gpg.conf +elif (gpg --debug-quick-random --version >/dev/null 2>&1) ; then + echo debug-quick-random >> "$GNUPGHOME"/gpg.conf +fi +} + +## + +add_gnupg_home +# get key fingerprint +FINGERPRINT=$(gpg --no-tty --list-secret-keys --with-colons --fingerprint | grep '^fpr:' | cut -d: -f10) + +# for some reason this is needed for emacs_deliver_message to work, +# although I can't figure out why +add_email_corpus + +test_expect_success 'emacs delivery of signed message' \ +'emacs_deliver_message \ +"test signed message 001" \ +"This is a test signed message." \ +"(mml-secure-message-sign)"' + +test_begin_subtest "signature verification" +output=$(notmuch show --format=json --verify subject:"test signed message 001" \ +| notmuch_json_show_sanitize \ +| sed -e 's|"created": [1234567890]*|"created": 946728000|') +expected='[[[{"id": "X", + "match": true, + "filename": "Y", + "timestamp": 946728000, + "date_relative": "2000-01-01", + "tags": ["inbox"], + "headers": {"Subject": "test signed message 001", + "From": "Notmuch Test Suite ", + "To": "test_suite at notmuchmail.org", + "Cc": "", + "Bcc": "", + "Date": "01 Jan 2000 12:00:00 -"}, + "body": [{"id": 1, + "sigstatus": [{"status": "good", + "fingerprint": "'$FINGERPRINT'", + "created": 946728000}], + "content-type": "text/plain", + "content": "This is a test signed message.\n"}]}, + [' +test_expect_equal \ +"$output" \ +"$expected" + +test_begin_subtest "signature verification with full owner trust" +# give the key full owner trust +echo "${FINGERPRINT}:6:" | gpg --no-tty --import-ownertrust >>"$GNUPGHOME"/trust.log 2>&1 +gpg --no-tty --check-trustdb >>"$GNUPGHOME"/trust.log 2>&1 +output=$(notmuch show --format=json --verify subject:"test signed message 001" \ +| notmuch_json_show_sanitize \ +| sed -e 's|"created": [1234567890]*|"created": 946728000|') +expected='[[[{"id": "X", + "match": true, + "filename": "Y", + "timestamp": 946728000, + "date_relative": "2000-01-01", + "tags": ["inbox"], + "headers": {"Subject": "test signed message 001", + "From": "Notmuch Test Suite ", + "To": "test_suite at notmuchmail.org", + "Cc": "", + "Bcc": "", + "Date": "01 Jan 2000 12:00:00 -"}, + "body": [{"id": 1, + "sigstatus": [{"status": "good", + "fingerprint": "'$FINGERPRINT'", + "created": 946728000, + "userid": " Notmuch Test Suite (INSECURE!)"}], + "content-type": "text/plain", + "content": "This is a test signed message.\n"}]}, + ['
[PATCH 07/11] test: add crypto tests for signature verification and decryption
This adds a new crypto test script to the test suite to test PGP/MIME signature verification and message decryption. Included here is a test GNUPGHOME with a test secret key (passwordless), and test for: * signing/verification * signing/verification with full owner trust * verification with signer key unavailable * encryption/decryption * decryption failure with missing key * encryption/decryption + signing/verfifying * reply to encrypted message * verification of signature from revoked key These tests are not expected to pass now, but will as crypto functionality is included. --- test/basic |5 +- test/crypto| 330 test/gnupg-secret-key.NOTE |9 ++ test/gnupg-secret-key.asc | 34 + test/notmuch-test |1 + test/test-lib.sh | 29 6 files changed, 407 insertions(+), 1 deletions(-) create mode 100755 test/crypto create mode 100644 test/gnupg-secret-key.NOTE create mode 100644 test/gnupg-secret-key.asc diff --git a/test/basic b/test/basic index 3b43ad9..d6c0d00 100755 --- a/test/basic +++ b/test/basic @@ -57,7 +57,10 @@ available=$(ls -1 ../ | \ sed -r -e /^(aggregate-results.sh|Makefile|Makefile.local|notmuch-test)/d \ -e /^(README|test-lib.sh|test-results|tmp.*|valgrind|corpus*)/d \ -e /^(emacs.expected-output|smtp-dummy|smtp-dummy.c|test-verbose)/d \ - -e /^(test.expected-output|.*~)/d | sort) + -e /^(test.expected-output|.*~)/d \ + -e /^(gnupg-secret-key.asc)/d \ + -e /^(gnupg-secret-key.NOTE)/d \ + | sort) test_expect_equal $tests_in_suite $available EXPECTED=../test.expected-output diff --git a/test/crypto b/test/crypto new file mode 100755 index 000..3b0f381 --- /dev/null +++ b/test/crypto @@ -0,0 +1,330 @@ +#!/bin/bash + +# TODO: +# - decryption/verification with signer key not available +# - verification of signatures from expired/revoked keys + +test_description='PGP/MIME signature verification and decryption' +. ./test-lib.sh + +add_gnupg_home () +{ +local output +[ -d ${GNUPGHOME} ] return +mkdir -m 0700 $GNUPGHOME +gpg --no-tty --import ../gnupg-secret-key.asc $GNUPGHOME/import.log 21 +test_debug cat $GNUPGHOME/import.log +if (gpg --quick-random --version /dev/null 21) ; then + echo quick-random $GNUPGHOME/gpg.conf +elif (gpg --debug-quick-random --version /dev/null 21) ; then + echo debug-quick-random $GNUPGHOME/gpg.conf +fi +} + +## + +add_gnupg_home +# get key fingerprint +FINGERPRINT=$(gpg --no-tty --list-secret-keys --with-colons --fingerprint | grep '^fpr:' | cut -d: -f10) + +# for some reason this is needed for emacs_deliver_message to work, +# although I can't figure out why +add_email_corpus + +test_expect_success 'emacs delivery of signed message' \ +'emacs_deliver_message \ +test signed message 001 \ +This is a test signed message. \ +(mml-secure-message-sign)' + +test_begin_subtest signature verification +output=$(notmuch show --format=json --verify subject:test signed message 001 \ +| notmuch_json_show_sanitize \ +| sed -e 's|created: [1234567890]*|created: 946728000|') +expected='[[[{id: X, + match: true, + filename: Y, + timestamp: 946728000, + date_relative: 2000-01-01, + tags: [inbox], + headers: {Subject: test signed message 001, + From: Notmuch Test Suite test_su...@notmuchmail.org, + To: test_su...@notmuchmail.org, + Cc: , + Bcc: , + Date: 01 Jan 2000 12:00:00 -}, + body: [{id: 1, + sigstatus: [{status: good, + fingerprint: '$FINGERPRINT', + created: 946728000}], + content-type: text/plain, + content: This is a test signed message.\n}]}, + [' +test_expect_equal \ +$output \ +$expected + +test_begin_subtest signature verification with full owner trust +# give the key full owner trust +echo ${FINGERPRINT}:6: | gpg --no-tty --import-ownertrust $GNUPGHOME/trust.log 21 +gpg --no-tty --check-trustdb $GNUPGHOME/trust.log 21 +output=$(notmuch show --format=json --verify subject:test signed message 001 \ +| notmuch_json_show_sanitize \ +| sed -e 's|created: [1234567890]*|created: 946728000|') +expected='[[[{id: X, + match: true, + filename: Y, + timestamp: 946728000, + date_relative: 2000-01-01, + tags: [inbox], + headers: {Subject: test signed message 001, + From: Notmuch Test Suite test_su...@notmuchmail.org, + To: test_su...@notmuchmail.org, + Cc: , + Bcc: , + Date: 01 Jan 2000 12:00:00 -}, + body: [{id: 1, + sigstatus: [{status: good, + fingerprint: '$FINGERPRINT', + created: 946728000, + userid: Notmuch Test Suite test_su...@notmuchmail.org (INSECURE!)}], + content-type: text/plain, + content: This is a test signed message.\n}]}, + [' +test_expect_equal \ +$output \ +$expected + +test_begin_subtest signature verification with signer key unavailable +# move the gnupghome temporarily