Fixup unbound. Now still a switch DSA(ldns) DSA(bind) ...
authorWouter Wijngaards <wouter@nlnetlabs.nl>
Tue, 15 Apr 2008 18:01:14 +0000 (18:01 +0000)
committerWouter Wijngaards <wouter@nlnetlabs.nl>
Tue, 15 Apr 2008 18:01:14 +0000 (18:01 +0000)
git-svn-id: file:///svn/unbound/trunk@1052 be551aaa-1e26-0410-a405-d3ace91eadb9

testcode/unitverify.c
testdata/test_signatures.5
testdata/test_signatures.6
testdata/test_signatures.7 [new file with mode: 0644]
testdata/test_signatures.8 [new file with mode: 0644]
validator/val_sigcrypt.c

index 7b37c0e92d418085e4fbd7be0b1ed87473b88ad0..8d8ee200cded1e7cdb0d832c90ce540915005696 100644 (file)
@@ -462,17 +462,22 @@ verify_test()
        printf("verify test\n");
        verifytest_file("testdata/test_signatures.1", "20070818005004");
        log_info("test_signatures.2");
+       verbosity=3;
+       /*
        verifytest_file("testdata/test_signatures.2", "20080414005004");
        log_info("test_signatures.3");
        verifytest_file("testdata/test_signatures.3", "20080416005004");
-       /*
        log_info("test_signatures.4");
        verifytest_file("testdata/test_signatures.4", "20080416005004");
+       */
        log_info("test_signatures.5");
        verifytest_file("testdata/test_signatures.5", "20080416005004");
        log_info("test_signatures.6");
        verifytest_file("testdata/test_signatures.6", "20080416005004");
-       */
+       log_info("test_signatures.7");
+       verifytest_file("testdata/test_signatures.7", "20070829144150");
+       log_info("test_signatures.8");
+       verifytest_file("testdata/test_signatures.8", "20070829144150");
        dstest_file("testdata/test_ds_sig.1");
        nsectest();
        nsec3_hash_test("testdata/test_nsec3_hash.1");
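Review bot: `verbosity=3;` after `log_info("test_signatures.2");` raises the global log level for the remainder of the test run and is never restored, and the new `/* … */` pair turns test_signatures.2 through .4 into dead code with nothing saying why. If these are debugging aids for the DSA work they should be labelled as such, e.g. `/* TODO: tests 2-4 disabled while the DSA signature format is sorted out */`, with verbosity reset afterwards, or dropped before this lands. The body of verify_test() starts and ends outside the hunk.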
index e2204c62886525bb5aaecff04cb2d6b7f7dd87bf..2e9c55c1dd8f85505cd804f550a24a264a649a82 100644 (file)
@@ -5,35 +5,34 @@
 
 ; ldns-keygen (svn trunk 1.3.0, 15 april 2008)
 ; ./ldns-keygen -a DSAMD5 -b 512 nlnetlabs.nl
-; Knlnetlabs.nl.+003+16467
+; Knlnetlabs.nl.+003+08866
 
-; nlnetlabs.nl.   3600    IN      DS      16467 3 1 fd67ce8624a0ffd16fa77e132551355f39d38b80
+; nlnetlabs.nl.   3600    IN      DS      8866 3 1 1300e7258af98cef40a47e6ac1e34ea79cb4b27f
 ; Private-key-format: v1.2
 ; Algorithm: 3 (DSA)
-; Prime(p): uRJM40Uuc92dy6DAvu9WnfRmLn6y1SfRe9crmxtByRCcv6WKO+Tjecq7QdDDufVk5QB5YQgQWYlLyZSgjdrLRw==
-; Subprime(q): 6/5A4SgUoay9q6XCMhEBkbCZ8/s=
-; Base(g): rxqQtIKg4IM/Krp6/thbc6fPKvsbNnACZk4SouhQR+Khx2sp+VuXuuZ38IfUoD77GL4eEWBe0M6DH2huG/9wQA==
-; Private_value(x): n8FhvxOt6xy5d3S9A3RulEHYrw0=
-; Public_value(y): pLcgTYyGMcYD1JTEibEbvZaLRNc8S1sYKTR2DG4zf3PZtzqpFMrph8sNdnfy7K3EH30WgxS7yibZrrgUNZ5oUA==
-
+; Prime(p): qp/0xtfW76CbSH29kZmI0iUEhJ9cIs/52WsgqogqBwrY/HpT+D6G2jd66WLi88DF0z/We3/YIjZYkR5PH03IRQ==
+; Subprime(q): iTRl4piaQvy9yxIsz/c5pAaVIeM=
+; Base(g): RJhjYU22ooiTKltbGmIR6OfXZjKDBfSODrT3e3/IrwiT8oQZriDFZkExYKrKqoqZFn7y0esTf9Bwvx2IhGabQw==
+; Private_value(x): gYjuQexf8JiiVBvCcxpXO+QaD88=
+; Public_value(y): aPtEU9ui/w2+9aFnCrWUB/fGvMEyAyLyGCCaT/N+l8bPYDPCv+wDxEKHoM3HT/ZOf3RuCE/CYKVK7CDX6+AZrA==
 
 ; DSA key from ldns tool
 ENTRY_BEGIN
 SECTION QUESTION
 nlnetlabs.nl.  IN DNSKEY
 SECTION ANSWER
-nlnetlabs.nl.   3600    IN      DNSKEY  256 3 3 AOv+QOEoFKGsvaulwjIRAZGwmfP7uRJM40Uuc92dy6DAvu9WnfRmLn6y1SfRe9crmxtByRCcv6WKO+Tjecq7QdDDufVk5QB5YQgQWYlLyZSgjdrLR68akLSCoOCDPyq6ev7YW3Onzyr7GzZwAmZOEqLoUEfiocdrKflbl7rmd/CH1KA++xi+HhFgXtDOgx9obhv/cECktyBNjIYxxgPUlMSJsRu9lotE1zxLWxgpNHYMbjN/c9m3OqkUyumHyw12d/LsrcQffRaDFLvKJtmuuBQ1nmg= ;{id = 16467 (zsk), size = 512b}
+nlnetlabs.nl.   3600    IN      DNSKEY  256 3 3 AIk0ZeKYmkL8vcsSLM/3OaQGlSHjqp/0xtfW76CbSH29kZmI0iUEhJ9cIs/52WsgqogqBwrY/HpT+D6G2jd66WLi88DF0z/We3/YIjZYkR5PH03IRUSYY2FNtqKIkypbWxpiEejn12YygwX0jg6093t/yK8Ik/KEGa4gxWZBMWCqyqqKmRZ+8tHrE3/QcL8diIRmm0No+0RT26L/Db71oWcKtZQH98a8wTIDIvIYIJpP836Xxs9gM8K/7APEQoegzcdP9k5/dG4IT8JgpUrsINfr4Bms ;{id = 8866 (zsk), size = 512b}
 ENTRY_END
 
 ; entry to test
 ; from
-; ldns-signzone nlnetlabs.nl Knlnetlabs.nl.+003+16467
+; ldns-signzone nlnetlabs.nl Knlnetlabs.nl.+003+08866
 ENTRY_BEGIN
 SECTION QUESTION
 nlnetlabs.nl. IN SOA
 SECTION ANSWER
 nlnetlabs.nl.   10200   IN SOA  open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. ( 2008040100 28800      7200       604800     3600       )
-nlnetlabs.nl.   10200   IN      RRSIG   SOA 3 2 10200 20080513144059 20080415144059 16467 nlnetlabs.nl. MCwCFDnsiLNKQoJXnHNrz6aWN+6lA/nSAhQWmlSk9TF84ab1Sm6k9gRZVR5eKg== ;{id = 16467}
+nlnetlabs.nl.   10200   IN      RRSIG   SOA 3 2 10200 20080513173901 20080415173901 8866 nlnetlabs.nl. MC0CFFI7JB0x4xaO0qhe9iQGk0eot8zGAhUAg/SFtf5MrR7DEkmd6vm2xf+SN9M= ;{id = 8866}
 ENTRY_END
 
 ENTRY_BEGIN
@@ -43,6 +42,7 @@ SECTION ANSWER
 nlnetlabs.nl. 10200   NS      omval.tednet.nl.
 nlnetlabs.nl. 10200   NS      ns7.domain-registry.nl.
 nlnetlabs.nl. 10200 NS      open.nlnetlabs.nl.
-nlnetlabs.nl.   10200   IN      RRSIG   NS 3 2 10200 20080513144059 20080415144059 16467 nlnetlabs.nl. MC4CFQCZ2AIkBczph4rI+EPSWsNT54Y5+gIVAJ4UxEbgD0FKNRFNHQ7SBy0g0lHz ;{id = 16467}
+nlnetlabs.nl.   10200   IN      RRSIG   NS 3 2 10200 20080513173901 20080415173901 8866 nlnetlabs.nl. MCwCFFHwxz9Kx7Un60vLMMoOrZizagNrAhR6OskQNF/KVL5/xanbOmK3ZUj0vw== ;{id = 8866}
+
 ENTRY_END
 
index ee8fd648cb2774f4388131457235f4744e533f61..be6f09092f25481c853bccaf2b236f931a076b8f 100644 (file)
@@ -5,34 +5,34 @@
 
 ; ldns-keygen (svn trunk 1.3.0, 15 april 2008)
 ; ./ldns-keygen -a DSAMD5 -b 768 nlnetlabs.nl
-; Knlnetlabs.nl.+003+46572
+; Knlnetlabs.nl.+003+51124
 
-; nlnetlabs.nl.   3600    IN      DS      46572 3 1 f4d76788032fe53f69021e408df2d99688e1804a
+; nlnetlabs.nl.   3600    IN      DS      51124 3 1 6f7e3ea1d525f3428ce342596f7375b1c3a71c51
 ; Private-key-format: v1.2
 ; Algorithm: 3 (DSA)
-; Prime(p): 5aZlYtjnPqmnWc7XtuyqQyzZQNsHTrOF9Z0MxrQgvTxhhsO7IqhI7P862zEva3bmfJPKLTxyffEmCN7itU2aEtFT80oU+eMc2WGQN0zHfmrn9Ukzw/skIi8IVVemIsnH
-; Subprime(q): 2Hc5Scs3iApxThBkQi13NpogZec=
-; Base(g): ugJQA3iiGIlPcAaSfvuHVdMdAr2izCvuxXOQrl6X8Un/1L1mKIYyY/tIzAWhdckHDeV5kfDfRdMSSfcc1gmeQJ9T2LmobLulBGBowUAaXddMCZZ0QcyfK5OOGtj91npN
-; Private_value(x): x4jMbAt0XBIqZMMQpL3EphYPbNQ=
-; Public_value(y): g+fULC3ElnmmJwn28k+h1YZqTt/YS/HR4ujGs6F5ZGw6Bu22/xaFayuFxiVNiUBX2srBNUy10I5hVn4Vy1LdQmhQDzAAMkhO/GfADaoLmErUQpmzimp5Y5m53MDVdNsv
+; Prime(p): 1kpY0hU98SJrpDCTKHv9TQyN6EGcY9FJ8bw0QiQdcm3nx3fkS298V9Y7ZRzjCQmkxVwNrwdhtNpz4MvrByHKy+YE/hSJamNhwKHAtiIAHNggqfutGQwUkfqHmybFO8Kx
+; Subprime(q): 3GwgwvHRyOeXNgZqR/5XpaNs6Pc=
+; Base(g): Rw1YckcZ/Es07FYrNV6soRTbcQ5NEDj7ITSUdGSLKRPQT0k4ofR3L8aslTeOJESR2s2sIay/ZHoYmdQuwLZ93HLEq5MooPO19c/GnVkOWZm1Ab9H7zttNcoKgzQ64dhT
+; Private_value(x): OoN8CQisHVjCIET7B3WdAwERRro=
+; Public_value(y): 08zY8i9l5qn1xC829beHq2Hhb8MUIvGHyW+eBchQa4S5XIRwf1rVpnw1iengslp/Y1Kx28/a9GEQbIESQORfxllPV23Uv2OJ3aNV0jP7kI2a7VLVSDSJrCh2wBCFj8tY
 
 ; DSA key from ldns tool
 ENTRY_BEGIN
 SECTION QUESTION
 nlnetlabs.nl.  IN DNSKEY
 SECTION ANSWER
-nlnetlabs.nl.   3600    IN      DNSKEY  256 3 3 BNh3OUnLN4gKcU4QZEItdzaaIGXn5aZlYtjnPqmnWc7XtuyqQyzZQNsHTrOF9Z0MxrQgvTxhhsO7IqhI7P862zEva3bmfJPKLTxyffEmCN7itU2aEtFT80oU+eMc2WGQN0zHfmrn9Ukzw/skIi8IVVemIsnHugJQA3iiGIlPcAaSfvuHVdMdAr2izCvuxXOQrl6X8Un/1L1mKIYyY/tIzAWhdckHDeV5kfDfRdMSSfcc1gmeQJ9T2LmobLulBGBowUAaXddMCZZ0QcyfK5OOGtj91npNg+fULC3ElnmmJwn28k+h1YZqTt/YS/HR4ujGs6F5ZGw6Bu22/xaFayuFxiVNiUBX2srBNUy10I5hVn4Vy1LdQmhQDzAAMkhO/GfADaoLmErUQpmzimp5Y5m53MDVdNs= ;{id = 46572 (zsk), size = 768b}
+nlnetlabs.nl.   3600    IN      DNSKEY  256 3 3 BNxsIMLx0cjnlzYGakf+V6WjbOj31kpY0hU98SJrpDCTKHv9TQyN6EGcY9FJ8bw0QiQdcm3nx3fkS298V9Y7ZRzjCQmkxVwNrwdhtNpz4MvrByHKy+YE/hSJamNhwKHAtiIAHNggqfutGQwUkfqHmybFO8KxRw1YckcZ/Es07FYrNV6soRTbcQ5NEDj7ITSUdGSLKRPQT0k4ofR3L8aslTeOJESR2s2sIay/ZHoYmdQuwLZ93HLEq5MooPO19c/GnVkOWZm1Ab9H7zttNcoKgzQ64dhT08zY8i9l5qn1xC829beHq2Hhb8MUIvGHyW+eBchQa4S5XIRwf1rVpnw1iengslp/Y1Kx28/a9GEQbIESQORfxllPV23Uv2OJ3aNV0jP7kI2a7VLVSDSJrCh2wBCFj8tY ;{id = 51124 (zsk), size = 768b}
 ENTRY_END
 
 ; entry to test
 ; from
-; ldns-signzone nlnetlabs.nl Knlnetlabs.nl.+003+46572
+; ldns-signzone nlnetlabs.nl Knlnetlabs.nl.+003+51124
 ENTRY_BEGIN
 SECTION QUESTION
 nlnetlabs.nl. IN SOA
 SECTION ANSWER
 nlnetlabs.nl.   10200   IN SOA  open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. ( 2008040100 28800      7200       604800     3600       )
-nlnetlabs.nl.   10200   IN      RRSIG   SOA 3 2 10200 20080513144248 20080415144248 46572 nlnetlabs.nl. MCwCFFiVJdL2mGM2mhHDqjdwfmujIPUQAhRGJm4G+6c+CEr80iC4cIRLbkAjtA== ;{id = 46572}
+nlnetlabs.nl.   10200   IN      RRSIG   SOA 3 2 10200 20080513174626 20080415174626 51124 nlnetlabs.nl. MC0CFB3cRDHQROzkGp4NtLNc4jDA1lhWAhUAgsbb8VMxGqifShEzuCNgczxDHHg= ;{id = 51124}
 ENTRY_END
 
 ENTRY_BEGIN
@@ -42,6 +42,7 @@ SECTION ANSWER
 nlnetlabs.nl. 10200   NS      omval.tednet.nl.
 nlnetlabs.nl. 10200   NS      ns7.domain-registry.nl.
 nlnetlabs.nl. 10200 NS      open.nlnetlabs.nl.
-nlnetlabs.nl.   10200   IN      RRSIG   NS 3 2 10200 20080513144248 20080415144248 46572 nlnetlabs.nl. MC0CFHGST66bXko/skkeP0A7SQb4u6tGAhUAu6VeC40sFUN5WOFfIjyQQoK/wv4= ;{id = 46572}
+nlnetlabs.nl.   10200   IN      RRSIG   NS 3 2 10200 20080513174626 20080415174626 51124 nlnetlabs.nl. MCwCFEzgEjT0n/ooV/xZkRMzKNqeF4pkAhQxEPFtMt5LbIlsi9mSi0HS4+RZuA== ;{id = 51124}
+
 ENTRY_END
 
diff --git a/testdata/test_signatures.7 b/testdata/test_signatures.7
new file mode 100644 (file)
index 0000000..8c62998
--- /dev/null
@@ -0,0 +1,32 @@
+; Signature test file
+
+; first entry is a DNSKEY answer, with the DNSKEY rrset used for verification. 
+; later entries are verified with it.
+
+; DSA Key from ldns tool, key used in the testbound tests.
+
+; DSA key from ldns tool
+ENTRY_BEGIN
+SECTION QUESTION
+example.com.   IN DNSKEY
+SECTION ANSWER
+example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJIIs70j+sDS/UT2QRp61SE7S3EEXopNXoFE73JLRmvpi/UrOO/Vz4Se6wXv/CYCKjGw06U4WRgRYXcpEhJROyNapmdIKSxhOzfLVE1gqA0PweZR8dtY3aNQSRn3sPpwJr6Mi/PqQKAMMrZ9ckJpf1+bQMOOvxgzz2U1GS18b3yZKcgTMEaJzd/GZYzi/BN2DzQ0MsrSwYXfsNLFOBbs8PJMW4LYIxeeOe6rUgkWOF7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
+ENTRY_END
+
+; entry to test
+ENTRY_BEGIN
+SECTION QUESTION
+example.com.    IN NS
+SECTION ANSWER
+example.com.    IN NS   ns.example.com.
+example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+ENTRY_END
+
+ENTRY_BEGIN
+SECTION QUESTION
+ns.example.com.         IN      A
+SECTION ANSWER
+ns.example.com.         IN      A       1.2.3.4
+ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
diff --git a/testdata/test_signatures.8 b/testdata/test_signatures.8
new file mode 100644 (file)
index 0000000..4afd5eb
--- /dev/null
@@ -0,0 +1,24 @@
+; Signature test file
+
+; first entry is a DNSKEY answer, with the DNSKEY rrset used for verification. 
+; later entries are verified with it.
+
+; RSA Key from ldns tool, key used in the testbound tests.
+
+; RSA key from ldns tool
+ENTRY_BEGIN
+SECTION QUESTION
+sub.example.com.       IN DNSKEY
+SECTION ANSWER
+sub.example.com.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
+ENTRY_END
+
+; entry to test
+ENTRY_BEGIN
+SECTION QUESTION
+www.sub.example.com.    IN      A 
+SECTION ANSWER
+www.sub.example.com.    3600    IN      A       11.11.11.11
+www.sub.example.com.    3600    IN      RRSIG   A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. 0DqqRfRtm7VSEQ4mmBbzrKRqQAay3JAE8DPDGmjtokrrjN9F1G/HxozDV7bjdIh2EChlQea8FPwf/GepJMUVxg== ;{id = 30899}
+ENTRY_END
+
index 9a55c4b8e97eabb0ddfc29a17312cd5b2917b2c0..00c704fdd3229ef4ea4b0fd1275abd9445cfe0c9 100644 (file)
@@ -1240,11 +1240,19 @@ static int
 setup_key_digest(int algo, EVP_PKEY* evp_key, const EVP_MD** digest_type, 
        unsigned char* key, size_t keylen)
 {
+       DSA* dsa;
+       RSA* rsa;
+
        switch(algo) {
                case LDNS_DSA:
                case LDNS_DSA_NSEC3:
-                       if(EVP_PKEY_assign_DSA(evp_key, 
-                               ldns_key_buf2dsa_raw(key, keylen)) == 0) {
+                       dsa = ldns_key_buf2dsa_raw(key, keylen);
+                       if(!dsa) {
+                               verbose(VERB_QUERY, "verify: "
+                                       "ldns_key_buf2dsa_raw failed");
+                               return 0;
+                       }
+                       if(EVP_PKEY_assign_DSA(evp_key, dsa) == 0) {
                                verbose(VERB_QUERY, "verify: "
                                        "EVP_PKEY_assign_DSA failed");
                                return 0;
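Review bot: When `EVP_PKEY_assign_DSA(evp_key, dsa)` returns 0 the DSA object is not stored in evp_key, so the `return 0;` in that branch leaks the key that `ldns_key_buf2dsa_raw` just allocated; now that the pointer has a name, add `DSA_free(dsa);` before that return. The two RSA cases in the following hunks (`ldns_key_buf2rsa_raw` for RSASHA1 and RSAMD5) have the same shape and want `RSA_free(rsa);` before their `return 0;`. The key bytes come from DNSKEY records received off the network, so if that failure path is ever taken it would leak once per offending record. setup_key_digest continues outside the hunk.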
@@ -1254,8 +1262,13 @@ setup_key_digest(int algo, EVP_PKEY* evp_key, const EVP_MD** digest_type,
                        break;
                case LDNS_RSASHA1:
                case LDNS_RSASHA1_NSEC3:
-                       if(EVP_PKEY_assign_RSA(evp_key, 
-                               ldns_key_buf2rsa_raw(key, keylen)) == 0) {
+                       rsa = ldns_key_buf2rsa_raw(key, keylen);
+                       if(!rsa) {
+                               verbose(VERB_QUERY, "verify: "
+                                       "ldns_key_buf2rsa_raw SHA1 failed");
+                               return 0;
+                       }
+                       if(EVP_PKEY_assign_RSA(evp_key, rsa) == 0) {
                                verbose(VERB_QUERY, "verify: "
                                        "EVP_PKEY_assign_RSA SHA1 failed");
                                return 0;
@@ -1264,8 +1277,13 @@ setup_key_digest(int algo, EVP_PKEY* evp_key, const EVP_MD** digest_type,
 
                        break;
                case LDNS_RSAMD5:
-                       if(EVP_PKEY_assign_RSA(evp_key, 
-                               ldns_key_buf2rsa_raw(key, keylen)) == 0) {
+                       rsa = ldns_key_buf2rsa_raw(key, keylen);
+                       if(!rsa) {
+                               verbose(VERB_QUERY, "verify: "
+                                       "ldns_key_buf2rsa_raw MD5 failed");
+                               return 0;
+                       }
+                       if(EVP_PKEY_assign_RSA(evp_key, rsa) == 0) {
                                verbose(VERB_QUERY, "verify: "
                                        "EVP_PKEY_assign_RSA MD5 failed");
                                return 0;
@@ -1313,7 +1331,7 @@ verify_canonrrset(ldns_buffer* buf, int algo, unsigned char* sigblock,
        }
        /* if it is a DSA signature in XXX format, convert to DER format */
        if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) && 
-               sigblock_len > 0 && sigblock[0] == 0) {
+               0) { /*sigblock_len > 0 && sigblock[0] == 0) {*/
                log_info("setup_dsa_sig_needed");
                if(!setup_dsa_sig(&sigblock, &sigblock_len)) {
                        verbose(VERB_QUERY, "verify: failed to setup DSA sig");
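Review bot: The `0) { /*sigblock_len > 0 && sigblock[0] == 0) {*/` condition makes the whole `if` unreachable, so `setup_dsa_sig` is now dead code and every DSA RRSIG is handed to OpenSSL exactly as received, while the real condition sits in a trailing comment that a reader can easily miss. If disabling the conversion is a deliberate experiment, say so in the comment on the preceding line (e.g. `/* DSA raw->DER conversion disabled while testing ldns vs bind signature formats */`) or wrap the block in `#if 0` so the intent is visible. When the check is reinstated, note that `sigblock[0] == 0` only matches the T=0 (512-bit key) case of the RFC 2536 layout; the fixed 41-octet length of that format is a more reliable way to tell it apart from DER. The `log_info("setup_dsa_sig_needed")` on the following line logs at info level on a per-verification path and probably belongs under `verbose(VERB_QUERY, ...)` like the surrounding messages. verify_canonrrset continues outside the hunk.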
@@ -1354,6 +1372,7 @@ verify_canonrrset(ldns_buffer* buf, int algo, unsigned char* sigblock,
        if(res == 1) {
                return sec_status_secure;
        } else if(res == 0) {
+               verbose(VERB_QUERY, "verify: signature mismatch");
                return sec_status_bogus;
        }