From: Fred Morcos Date: Tue, 26 Apr 2022 13:31:50 +0000 (+0200) Subject: Test Ed448 as part of the generic mechanism for testing signers X-Git-Tag: auth-4.8.0-alpha0~117^2~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=59f254ab2361c28fdd958cd7fa128a8fb4da625b;p=thirdparty%2Fpdns.git Test Ed448 as part of the generic mechanism for testing signers This also automatically tests a few things that weren't being tested before. --- diff --git a/pdns/test-signers.cc b/pdns/test-signers.cc index d4c8c28226..9b0b7586a0 100644 --- a/pdns/test-signers.cc +++ b/pdns/test-signers.cc @@ -167,8 +167,8 @@ static const SignerParams ed25519 = SignerParams{ .name = "ed25519.", - // vector extracted from https://gitlab.labs.nic.cz/labs/ietf/blob/master/dnskey.py - // (rev 476d6ded) by printing signature_data + // vector extracted from https://gitlab.labs.nic.cz/labs/ietf/blob/master/dnskey.py (rev + // 476d6ded) by printing signature_data .rfcMsgDump = "00 0f 0f 02 00 00 0e 10 55 d4 fc 60 55 b9 4c e0 0e 1d 07 65 78 " "61 6d 70 6c 65 03 63 6f 6d 00 07 65 78 61 6d 70 6c 65 03 63 6f " "6d 00 00 0f 00 01 00 00 0e 10 00 14 00 0a 04 6d 61 69 6c 07 65 " @@ -190,6 +190,64 @@ static const SignerParams ed25519 = SignerParams{ "MC4CAQAwBQYDK2VwBCIEIDgyMjYwMzg0NjI4MDgwMTIyNjQ1MTkwMjA0MTQyMjYy\n" "-----END PRIVATE KEY-----\n"}; +/* Ed448. + */ +static const SignerParams ed448 = SignerParams{ + .iscMap = "Private-key-format: v1.2\n" + "Algorithm: 16 (ED448)\n" + "PrivateKey: xZ+5Cgm463xugtkY5B0Jx6erFTXp13rYegst0qRtNsOYnaVpMx0Z/c5EiA9x8wWbDDct/U3FhYWA\n", + + .dsSHA1 = "9712 16 1 2873e800eb2d784cdd1802f884b3c540b573eaa0", + + .dsSHA256 = "9712 16 2 9aa27306f8a04a0a6fae8affd65d6f35875dcb134c05bd7c7b61bd0dc44009cd", + + .dsSHA384 = "9712 16 4 3876e5d892d3f31725f9964a332f9b9afd791171833480f2e71af78efb985cde9900ba95315287123a5908ca8f334369", + + // clang-format off + .signature = { + 0xb5, 0xcc, 0x21, 0x5a, 0x52, 0x21, 0x60, 0xa3, 0xb8, 0xd9, 0x3a, 0xd7, 0x05, + 0xdd, 0x4a, 0x32, 0x96, 0xce, 0x08, 0xde, 0x74, 0x5f, 0xdb, 0xde, 0x54, 0x95, + 0x97, 0x93, 0x6f, 0x3a, 0x4a, 0x34, 0x41, 0x14, 0xba, 0x99, 0x86, 0x0d, 0xe2, + 0x99, 0xf1, 0x14, 0x6a, 0x1b, 0x7a, 0xfa, 0xef, 0xab, 0x62, 0xd2, 0x71, 0x85, + 0xae, 0xd1, 0x84, 0x80, 0x00, 0x50, 0x03, 0x9e, 0x73, 0x53, 0xe8, 0x9e, 0x19, + 0xb8, 0xc0, 0xdb, 0xd4, 0xf0, 0x1e, 0x44, 0x4c, 0xb7, 0x32, 0x07, 0xda, 0x0b, + 0x64, 0x22, 0xa8, 0x63, 0xaa, 0x7a, 0x12, 0x73, 0xc9, 0x29, 0xfd, 0x50, 0x85, + 0x0f, 0x43, 0x72, 0x77, 0x86, 0xec, 0x88, 0x1a, 0x96, 0x95, 0x4a, 0x01, 0xfe, + 0xf2, 0xe6, 0x77, 0x4a, 0x2e, 0x43, 0xdd, 0x60, 0x29, 0x00, + }, + // clang-format on + + .zoneRepresentation = "256 3 16 " + "3kgROaDjrh0H2iuixWBrc8g2EpBBLCdGzHmn+" + "G2MpTPhpj/OiBVHHSfPodx1FYYUcJKm1MDpJtIA", + + .name = "ed448.", + + // vector extracted from https://gitlab.labs.nic.cz/labs/ietf/blob/master/dnskey.py (rev + // 476d6ded) by printing signature_data + .rfcMsgDump = "00 0f 10 02 00 00 0e 10 55 d4 fc 60 55 b9 4c e0 25 f1 07 65 78 " + "61 6d 70 6c 65 03 63 6f 6d 00 07 65 78 61 6d 70 6c 65 03 63 6f " + "6d 00 00 0f 00 01 00 00 0e 10 00 14 00 0a 04 6d 61 69 6c 07 65 " + "78 61 6d 70 6c 65 03 63 6f 6d 00 ", + + // vector verified from dnskey.py as above, and confirmed with + // https://www.rfc-editor.org/errata_search.php?rfc=8080&eid=4935 + .rfcB64Signature = "3cPAHkmlnxcDHMyg7vFC34l0blBhuG1qpwLmjInI8w1CMB29FkEA" + "IJUA0amxWndkmnBZ6SKiwZSAxGILn/NBtOXft0+Gj7FSvOKxE/07" + "+4RQvE581N3Aj/JtIyaiYVdnYtyMWbSNyGEY2213WKsJlwEA", + + .bits = 456, + .flags = 256, + .rfcFlags = 257, + + .algorithm = DNSSECKeeper::ED448, + .isDeterministic = true, + + .pem = "-----BEGIN PRIVATE KEY-----\n" + "MEcCAQAwBQYDK2VxBDsEOcWfuQoJuOt8boLZGOQdCcenqxU16dd62HoLLdKkbTbD\n" + "mJ2laTMdGf3ORIgPcfMFmww3Lf1NxYWFgA==\n" + "-----END PRIVATE KEY-----\n"}; + struct Fixture { Fixture() @@ -211,6 +269,10 @@ struct Fixture #if defined(HAVE_LIBSODIUM) || defined(HAVE_LIBDECAF) || defined(HAVE_LIBCRYPTO_ED25519) addSignerParams(DNSSECKeeper::ED25519, "ED25519", ed25519); #endif + + #if defined(HAVE_LIBDECAF) || defined(HAVE_LIBCRYPTO_ED448) + addSignerParams(DNSSECKeeper::ED448, "ED448", ed448); + #endif } void addSignerParams(const uint8_t algorithm, const std::string& name, const SignerParams& params) @@ -373,49 +435,6 @@ BOOST_FIXTURE_TEST_CASE(test_generic_signers, Fixture) } } -#if defined(HAVE_LIBDECAF) || defined(HAVE_LIBCRYPTO_ED448) -BOOST_AUTO_TEST_CASE(test_ed448_signer) { - sortedRecords_t rrs; - DNSName qname("example.com."); - DNSKEYRecordContent drc; - - // TODO: make this a collection of inputs and resulting sigs for various algos - shared_ptr engine = DNSCryptoKeyEngine::makeFromISCString(drc, -"Private-key-format: v1.2\n" -"Algorithm: 16 (ED448)\n" -"PrivateKey: xZ+5Cgm463xugtkY5B0Jx6erFTXp13rYegst0qRtNsOYnaVpMx0Z/c5EiA9x8wWbDDct/U3FhYWA\n"); - - DNSSECPrivateKey dpk; - dpk.setKey(engine); - - reportBasicTypes(); - - rrs.insert(DNSRecordContent::mastermake(QType::MX, 1, "10 mail.example.com.")); - - RRSIGRecordContent rrc; - rrc.d_originalttl = 3600; - rrc.d_sigexpire = 1440021600; - rrc.d_siginception = 1438207200; - rrc.d_signer = qname; - rrc.d_type = QType::MX; - rrc.d_labels = 2; - // TODO: derive the next two from the key - rrc.d_tag = 9713; - rrc.d_algorithm = 16; - - string msg = getMessageForRRSET(qname, rrc, rrs, false); - - // vector extracted from https://gitlab.labs.nic.cz/labs/ietf/blob/master/dnskey.py (rev 476d6ded) by printing signature_data - BOOST_CHECK_EQUAL(makeHexDump(msg), "00 0f 10 02 00 00 0e 10 55 d4 fc 60 55 b9 4c e0 25 f1 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 0f 00 01 00 00 0e 10 00 14 00 0a 04 6d 61 69 6c 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 "); - - string signature = engine->sign(msg); - string b64 = Base64Encode(signature); - - // vector verified from dnskey.py as above, and confirmed with https://www.rfc-editor.org/errata_search.php?rfc=8080&eid=4935 - BOOST_CHECK_EQUAL(b64, "3cPAHkmlnxcDHMyg7vFC34l0blBhuG1qpwLmjInI8w1CMB29FkEAIJUA0amxWndkmnBZ6SKiwZSAxGILn/NBtOXft0+Gj7FSvOKxE/07+4RQvE581N3Aj/JtIyaiYVdnYtyMWbSNyGEY2213WKsJlwEA"); -} -#endif /* defined(HAVE_LIBDECAF) || defined(HAVE_LIBCRYPTO_ED448) */ - BOOST_AUTO_TEST_CASE(test_hash_qname_with_salt) { { // rfc5155 appendix A