From: Matthijs Mekking Date: Fri, 14 Mar 2025 16:11:14 +0000 (+0100) Subject: Convert many kasp test cases to pytst X-Git-Tag: v9.21.8~13^2~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=41481af1446ad3b0e319214b3ceee8805fd67e72;p=thirdparty%2Fbind9.git Convert many kasp test cases to pytst Write python-based tests for the many test cases from the kasp system test. These test cases all follow the same pattern: - Wait until the zone is signed. - Check the keys from the key-directory against expected properties. - Set the expected key timings derived from when the key was created. - Check the key timing metadata against expected timings. - Check the 'rndc dnssec -status' output. - Check the apex is signed correctly. - Check a subdomain is signed correctly. - Verify that the zone is DNSSEC correct. Remove the counterparts for the newly added test from the kasp shell tests script. --- diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh index 6985b6f7e25..76fe7b4a819 100644 --- a/bin/tests/system/kasp/ns3/setup.sh +++ b/bin/tests/system/kasp/ns3/setup.sh @@ -217,8 +217,12 @@ $SIGNER -PS -x -s now-2mo -e now-1mo -o $zone -O raw -f "${zonefile}.signed" $in # The DNSKEY's TTLs do not match the policy. setup dnskey-ttl-mismatch.autosign -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 30 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 30 $zsktimes $zone 2>keygen.out.$zone.2) +T="now-6mo" +keytimes="-P $T -A $T" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 30 -f KSK $keytimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 30 $keytimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK " >settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" cp $infile $zonefile $SIGNER -PS -x -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 
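Review bot: The new dnssec-settime call for the ZSK quotes the key name as `"$ZSK "` with a trailing space, unlike `"$KSK"` on the line above; the space becomes part of the key-file argument, so settime most likely cannot find the key and, because its output is redirected and its exit status is not checked, the ZSK silently ends up without the state metadata the setup is meant to write. Change it to `"$ZSK"`. The python case for dnskey-ttl-mismatch.autosign added later in this commit expects the ZSK at dnskey:omnipresent and zrrsig:omnipresent, so this would presumably surface as a failure there rather than in setup.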
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 12f2c200a3c..e419e74b99a 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -400,92 +400,6 @@ set_keytimes_algorithm_policy() { set_addkeytime "KEY3" "REMOVED" "${retired}" 867900 } -# -# Zone: rsasha1.kasp. -# -if [ $RSASHA1_SUPPORTED = 1 ]; then - set_zone "rsasha1.kasp" - set_policy "rsasha1" "3" "1234" - set_server "ns3" "10.53.0.3" - # Key properties. - key_clear "KEY1" - set_keyrole "KEY1" "ksk" - set_keylifetime "KEY1" "315360000" - set_keyalgorithm "KEY1" "5" "RSASHA1" "2048" - set_keysigning "KEY1" "yes" - set_zonesigning "KEY1" "no" - - key_clear "KEY2" - set_keyrole "KEY2" "zsk" - set_keylifetime "KEY2" "157680000" - set_keyalgorithm "KEY2" "5" "RSASHA1" "2048" - set_keysigning "KEY2" "no" - set_zonesigning "KEY2" "yes" - - key_clear "KEY3" - set_keyrole "KEY3" "zsk" - set_keylifetime "KEY3" "31536000" - set_keyalgorithm "KEY3" "5" "RSASHA1" "2000" - set_keysigning "KEY3" "no" - set_zonesigning "KEY3" "yes" - - # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait. - # ZSK: DNSKEY, RRSIG (zsk) published. - set_keystate "KEY1" "GOAL" "omnipresent" - set_keystate "KEY1" "STATE_DNSKEY" "rumoured" - set_keystate "KEY1" "STATE_KRRSIG" "rumoured" - set_keystate "KEY1" "STATE_DS" "hidden" - - set_keystate "KEY2" "GOAL" "omnipresent" - set_keystate "KEY2" "STATE_DNSKEY" "rumoured" - set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" - - set_keystate "KEY3" "GOAL" "omnipresent" - set_keystate "KEY3" "STATE_DNSKEY" "rumoured" - set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" - # Three keys only. - key_clear "KEY4" - - check_keys - check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" - set_keytimes_algorithm_policy - check_keytimes - check_apex - check_subdomain - dnssec_verify -fi - -# -# Zone: unlimited.kasp. -# -set_zone "unlimited.kasp" -set_policy "unlimited" "1" "1234" -set_server "ns3" "10.53.0.3" -key_clear "KEY1" -key_clear "KEY2" -key_clear "KEY3" -key_clear "KEY4" -# Key properties. 
-set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" -set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" -# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. -set_keystate "KEY1" "GOAL" "omnipresent" -set_keystate "KEY1" "STATE_DNSKEY" "rumoured" -set_keystate "KEY1" "STATE_KRRSIG" "rumoured" -set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" - -check_keys -check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" -set_keytimes_csk_policy -check_keytimes -check_apex -check_subdomain -dnssec_verify - # # Zone: keystore.kasp. # @@ -535,14 +449,7 @@ check_apex check_subdomain dnssec_verify -# -# Zone: inherit.kasp. -# -set_zone "inherit.kasp" -set_policy "rsasha256" "3" "1234" -set_server "ns3" "10.53.0.3" - -# Key properties. +# Key properties for tests below. key_clear "KEY1" set_keyrole "KEY1" "ksk" set_keylifetime "KEY1" "315360000" @@ -580,30 +487,6 @@ set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" # Three keys only. key_clear "KEY4" -check_keys -check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" -set_keytimes_algorithm_policy -check_keytimes -check_apex -check_subdomain -dnssec_verify - -# -# Zone: dnssec-keygen.kasp. -# -set_zone "dnssec-keygen.kasp" -set_policy "rsasha256" "3" "1234" -set_server "ns3" "10.53.0.3" -# Key properties, timings and states same as above. - -check_keys -check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" -set_keytimes_algorithm_policy -check_keytimes -check_apex -check_subdomain -dnssec_verify - # # Zone: some-keys.kasp. # 
@@ -710,152 +593,6 @@ status=$((status + ret)) # - configuring a zone with too many active keys (should trigger retire). # - configuring a zone with keys not matching the policy. -# -# Zone: rsasha1-nsec3.kasp. -# -if [ $RSASHA1_SUPPORTED = 1 ]; then - set_zone "rsasha1-nsec3.kasp" - set_policy "rsasha1-nsec3" "3" "1234" - set_server "ns3" "10.53.0.3" - # Key properties. - set_keyalgorithm "KEY1" "7" "NSEC3RSASHA1" "2048" - set_keyalgorithm "KEY2" "7" "NSEC3RSASHA1" "2048" - set_keyalgorithm "KEY3" "7" "NSEC3RSASHA1" "2000" - # Key timings and states same as above. - - check_keys - check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" - set_keytimes_algorithm_policy - check_keytimes - check_apex - check_subdomain - dnssec_verify -fi - -# -# Zone: rsasha256.kasp. -# -set_zone "rsasha256.kasp" -set_policy "rsasha256" "3" "1234" -set_server "ns3" "10.53.0.3" -# Key properties. -set_keyalgorithm "KEY1" "8" "RSASHA256" "2048" -set_keyalgorithm "KEY2" "8" "RSASHA256" "2048" -set_keyalgorithm "KEY3" "8" "RSASHA256" "3072" -# Key timings and states same as above. - -check_keys -check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" -set_keytimes_algorithm_policy -check_keytimes -check_apex -check_subdomain -dnssec_verify - -# -# Zone: rsasha512.kasp. -# -set_zone "rsasha512.kasp" -set_policy "rsasha512" "3" "1234" -set_server "ns3" "10.53.0.3" -# Key properties. -set_keyalgorithm "KEY1" "10" "RSASHA512" "2048" -set_keyalgorithm "KEY2" "10" "RSASHA512" "2048" -set_keyalgorithm "KEY3" "10" "RSASHA512" "3072" -# Key timings and states same as above. - -check_keys -check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" -set_keytimes_algorithm_policy -check_keytimes -check_apex -check_subdomain -dnssec_verify - -# -# Zone: ecdsa256.kasp. -# -set_zone "ecdsa256.kasp" -set_policy "ecdsa256" "3" "1234" -set_server "ns3" "10.53.0.3" -# Key properties. 
-set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" -set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" -# Key timings and states same as above. - -check_keys -check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" -set_keytimes_algorithm_policy -check_keytimes -check_apex -check_subdomain -dnssec_verify - -# -# Zone: ecdsa512.kasp. -# -set_zone "ecdsa384.kasp" -set_policy "ecdsa384" "3" "1234" -set_server "ns3" "10.53.0.3" -# Key properties. -set_keyalgorithm "KEY1" "14" "ECDSAP384SHA384" "384" -set_keyalgorithm "KEY2" "14" "ECDSAP384SHA384" "384" -set_keyalgorithm "KEY3" "14" "ECDSAP384SHA384" "384" -# Key timings and states same as above. - -check_keys -check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" -set_keytimes_algorithm_policy -check_keytimes -check_apex -check_subdomain -dnssec_verify - -# -# Zone: ed25519.kasp. -# -if [ $ED25519_SUPPORTED = 1 ]; then - set_zone "ed25519.kasp" - set_policy "ed25519" "3" "1234" - set_server "ns3" "10.53.0.3" - # Key properties. - set_keyalgorithm "KEY1" "15" "ED25519" "256" - set_keyalgorithm "KEY2" "15" "ED25519" "256" - set_keyalgorithm "KEY3" "15" "ED25519" "256" - # Key timings and states same as above. - - check_keys - check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" - set_keytimes_algorithm_policy - check_keytimes - check_apex - check_subdomain - dnssec_verify -fi - -# -# Zone: ed448.kasp. -# -if [ $ED448_SUPPORTED = 1 ]; then - set_zone "ed448.kasp" - set_policy "ed448" "3" "1234" - set_server "ns3" "10.53.0.3" - # Key properties. - set_keyalgorithm "KEY1" "16" "ED448" "456" - set_keyalgorithm "KEY2" "16" "ED448" "456" - set_keyalgorithm "KEY3" "16" "ED448" "456" - # Key timings and states same as above. - - check_keys - check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" - set_keytimes_algorithm_policy - check_keytimes - check_apex - check_subdomain - dnssec_verify -fi - # Set key times for 'autosign' policy. 
set_keytimes_autosign_policy() { # The KSK was published six months ago (with settime). @@ -970,48 +707,6 @@ check_rrsig_refresh() { check_rrsig_refresh -# -# Zone: dnskey-ttl-mismatch.autosign -# -set_zone "dnskey-ttl-mismatch.autosign" -set_policy "autosign" "2" "300" -set_server "ns3" "10.53.0.3" -# Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "63072000" -set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" - -key_clear "KEY2" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "31536000" -set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" - -# Both KSK and ZSK stay OMNIPRESENT. -set_keystate "KEY1" "GOAL" "omnipresent" -set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" -set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" - -set_keystate "KEY2" "GOAL" "omnipresent" -set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" -set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" -# Expect only two keys. -key_clear "KEY3" -key_clear "KEY4" - -check_keys -check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" -set_keytimes_autosign_policy -check_keytimes -check_apex -check_subdomain -dnssec_verify - # # Zone: fresh-sigs.autosign. # diff --git a/bin/tests/system/kasp/tests_kasp.py b/bin/tests/system/kasp/tests_kasp.py index 7ffa22e7402..33bfaba3883 100644 --- a/bin/tests/system/kasp/tests_kasp.py +++ b/bin/tests/system/kasp/tests_kasp.py 
@@ -84,7 +84,7 @@ def check_all(server, zone, policy, ksks, zsks, tsig=None): isctest.kasp.check_dnssecstatus(server, zone, ksks + zsks, policy=policy) isctest.kasp.check_apex(server, zone, ksks, zsks, tsig=tsig) isctest.kasp.check_subdomain(server, zone, ksks, zsks, tsig=tsig) - isctest.kasp.check_dnssec_verify(server, zone) + isctest.kasp.check_dnssec_verify(server, zone, tsig=tsig) def set_keytimes_default_policy(kp): 
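Review bot: isctest.kasp.check_dnssec_verify is not modified anywhere in this commit, so the new `tsig=tsig` keyword on the last line of check_all relies on that helper already accepting a tsig parameter; if it does not, every check_all caller fails with TypeError, not only the TSIG-protected zones. Confirm the helper's signature (it is outside this diff) or include its change in the same commit. check_all's body starts outside the hunk.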
@@ -103,6 +103,198 @@ def set_keytimes_default_policy(kp): kp.timing["ZRRSIGChange"] = kp.timing["Active"] +def test_kasp_cases(servers): + # Test many different configurations and expected keys and states after + # initial startup. + server = servers["ns3"] + keydir = server.identifier + alg = os.environ["DEFAULT_ALGORITHM_NUMBER"] + size = os.environ["DEFAULT_BITS"] + + kasp_config = { + "dnskey-ttl": timedelta(seconds=1234), + "ds-ttl": timedelta(days=1), + "key-directory": keydir, + "max-zone-ttl": timedelta(days=1), + "parent-propagation-delay": timedelta(hours=1), + "publish-safety": timedelta(hours=1), + "retire-safety": timedelta(hours=1), + "signatures-refresh": timedelta(days=5), + "signatures-validity": timedelta(days=14), + "zone-propagation-delay": timedelta(minutes=5), + } + + autosign_config = { + "dnskey-ttl": timedelta(seconds=300), + "ds-ttl": timedelta(days=1), + "key-directory": keydir, + "max-zone-ttl": timedelta(days=1), + "parent-propagation-delay": timedelta(hours=1), + "publish-safety": timedelta(hours=1), + "retire-safety": timedelta(hours=1), + "signatures-refresh": timedelta(days=7), + "signatures-validity": timedelta(days=14), + "zone-propagation-delay": timedelta(minutes=5), + } + + lifetime = { + "P10Y": int(timedelta(days=10 * 365).total_seconds()), + "P5Y": int(timedelta(days=5 * 365).total_seconds()), + "P2Y": int(timedelta(days=2 * 365).total_seconds()), + "P1Y": int(timedelta(days=365).total_seconds()), + "P30D": int(timedelta(days=30).total_seconds()), + "P6M": int(timedelta(days=31 * 6).total_seconds()), + } + + autosign_properties = [ + f"ksk {lifetime['P2Y']} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent", + f"zsk {lifetime['P1Y']} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent", + ] + + def rsa1_properties(alg): + return [ + f"ksk {lifetime['P10Y']} {alg} 2048 goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden", + f"zsk {lifetime['P5Y']} {alg} 2048 
goal:omnipresent dnskey:rumoured zrrsig:rumoured", + f"zsk {lifetime['P1Y']} {alg} 2000 goal:omnipresent dnskey:rumoured zrrsig:rumoured", + ] + + def fips_properties(alg, bits=None): + sizes = [2048, 2048, 3072] + if bits is not None: + sizes = [bits, bits, bits] + + return [ + f"ksk {lifetime['P10Y']} {alg} {sizes[0]} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden", + f"zsk {lifetime['P5Y']} {alg} {sizes[1]} goal:omnipresent dnskey:rumoured zrrsig:rumoured", + f"zsk {lifetime['P1Y']} {alg} {sizes[2]} goal:omnipresent dnskey:rumoured zrrsig:rumoured", + ] + + # Test case function. + def test_case(): + zone = test["zone"] + policy = test["policy"] + ttl = int(test["config"]["dnskey-ttl"].total_seconds()) + + isctest.log.info(f"check test case zone {zone} policy {policy}") + + # Key properties. + expected = isctest.kasp.policy_to_properties( + ttl=ttl, keys=test["key-properties"] + ) + # Key files. + keys = isctest.kasp.keydir_to_keylist(zone, test["config"]["key-directory"]) + ksks = [k for k in keys if k.is_ksk()] + zsks = [k for k in keys if not k.is_ksk()] + + isctest.kasp.check_zone_is_signed(server, zone) + isctest.kasp.check_keys(zone, keys, expected) + + offset = test["offset"] if "offset" in test else None + + for kp in expected: + kp.set_expected_keytimes(test["config"], offset=offset) + + isctest.kasp.check_keytimes(keys, expected) + + check_all(server, zone, policy, ksks, zsks) + + # Test cases. 
+ rsa_cases = [] + if os.environ["RSASHA1_SUPPORTED"] == 1: + rsa_cases = [ + { + "zone": "rsasha1.kasp", + "policy": "rsasha1", + "config": kasp_config, + "key-properties": rsa1_properties(5), + }, + { + "zone": "rsasha1-nsec3.kasp", + "policy": "rsasha1", + "config": kasp_config, + "key-properties": rsa1_properties(7), + }, + ] + + fips_cases = [ + { + "zone": "dnskey-ttl-mismatch.autosign", + "policy": "autosign", + "config": autosign_config, + "offset": -timedelta(days=30 * 6), + "key-properties": autosign_properties, + }, + { + "zone": "dnssec-keygen.kasp", + "policy": "rsasha256", + "config": kasp_config, + "key-properties": fips_properties(8), + }, + { + "zone": "ecdsa256.kasp", + "policy": "ecdsa256", + "config": kasp_config, + "key-properties": fips_properties(13, bits=256), + }, + { + "zone": "ecdsa384.kasp", + "policy": "ecdsa384", + "config": kasp_config, + "key-properties": fips_properties(14, bits=384), + }, + { + "zone": "inherit.kasp", + "policy": "rsasha256", + "config": kasp_config, + "key-properties": fips_properties(8), + }, + { + "zone": "rsasha256.kasp", + "policy": "rsasha256", + "config": kasp_config, + "key-properties": fips_properties(8), + }, + { + "zone": "rsasha512.kasp", + "policy": "rsasha512", + "config": kasp_config, + "key-properties": fips_properties(10), + }, + { + "zone": "unlimited.kasp", + "policy": "unlimited", + "config": kasp_config, + "key-properties": [ + f"csk 0 {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden", + ], + }, + ] + + if os.environ["ED25519_SUPPORTED"] == 1: + fips_cases.append( + { + "zone": "ed25519.kasp", + "policy": "ed25519", + "config": kasp_config, + "key-properties": fips_properties(15, bits=256), + } + ) + + if os.environ["ED448_SUPPORTED"] == 1: + fips_cases.append( + { + "zone": "ed448.kasp", + "policy": "ed448", + "config": kasp_config, + "key-properties": fips_properties(16, bits=456), + } + ) + + test_cases = rsa_cases + fips_cases + for test in test_cases: 
+ test_case() + + def test_kasp_default(servers): server = servers["ns3"]
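Review bot: `if os.environ["RSASHA1_SUPPORTED"] == 1:` compares an environment string with the integer 1 and is therefore always false; the same applies to the ED25519_SUPPORTED and ED448_SUPPORTED checks below it, so the rsasha1, rsasha1-nsec3, ed25519 and ed448 cases are silently never exercised even though the shell versions were removed. Compare against the string instead, `if os.environ["RSASHA1_SUPPORTED"] == "1":`, and likewise for the other two. Once those cases run, note that the rsasha1-nsec3.kasp entry uses `"policy": "rsasha1"` while the removed shell test set policy "rsasha1-nsec3" for that zone, which would presumably make the dnssec-status check fail unless the zone is really configured with the rsasha1 policy. As a point of style, the nested `test_case()` reads `test` from the enclosing loop variable; passing it explicitly, `def test_case(test):` and `test_case(test)`, makes the dependency visible, and `offset = test.get("offset")` replaces the conditional expression.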