From: Brian Wellington
Date: Tue, 30 Jun 2020 19:15:35 +0000 (-0700)
Subject: Add more dnssec coverage testing.
X-Git-Tag: v2.0.0rc2~34
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4a1af791e410ba9b883c6beecc5eeaf4c6df518d;p=thirdparty%2Fdnspython.git
Add more dnssec coverage testing.
---
diff --git a/dns/dnssec.py b/dns/dnssec.py
index 77c02540..0be9f711 100644
--- a/dns/dnssec.py
+++ b/dns/dnssec.py
@@ -423,7 +423,7 @@ def _validate_rrsig(rrset, rrsig, keys, origin=None, now=None):
 # since if the algorithm is really unknown we'd already have
 # raised an exception above
 raise ValidationFailure('unknown algorithm %u' %
- rrsig.algorithm)
+ rrsig.algorithm) # pragma: no cover
 # If we got here, we successfully verified so we can return
 # without error
 return
diff --git a/tests/test_dnssec.py b/tests/test_dnssec.py
index 71d081e9..caf3f361 100644
--- a/tests/test_dnssec.py
+++ b/tests/test_dnssec.py
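Review bot: The `# pragma: no cover` on `raise ValidationFailure('unknown algorithm %u' % rrsig.algorithm)` takes the validator's fail-closed branch out of coverage reporting, and the comment above it says only that the branch cannot happen, not why it has to stay. The next lines in the hunk return success (`# If we got here, we successfully verified`), so this raise appears to be what keeps an unhandled algorithm from reaching that `return`. I would extend the existing comment with `# Keep this raise: without it an unhandled algorithm would fall through to the success return below.` The if/else chain of _validate_rrsig starts above the hunk, so the exact fall-through path should be confirmed there.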
@@ -193,6 +193,18 @@ abs_ed448_mx_rrsig_2 = dns.rrset.from_text('example.com.', 3600, 'IN', 'RRSIG', when5 = 1440021600 +wildcard_keys = { + abs_example_com : dns.rrset.from_text( + 'example.com', 3600, 'IN', 'DNSKEY', + '256 3 5 AwEAAecNZbwD2thg3kaRLVqCC7ASP/3F79ZIu7pCu8HvZZ6ZdinffnxT npNoVvavjouHKFYTtJyUZAfw3ZMJSsGvEerc7uh6Ex9TgvOJtWPGUtxB Nnni2u9Nk+5k6nJzMiS3sL3RLvrfZW5d2Bwbl9L5f9Ud+r2Dbm7EG3tY pMY5OE8f') +} +wildcard_example_com = dns.name.from_text('*', abs_example_com) +wildcard_txt = dns.rrset.from_text('*.example.com.', 3600, 'IN', 'TXT', 'foo') +wildcard_txt_rrsig = dns.rrset.from_text('*.example.com.', 3600, 'IN', 'RRSIG', + 'TXT 5 2 3600 20200707211255 20200630180755 42486 example.com. qevJYhdAHq1VmehXQ5i+Epa32xs4zcd4qmb39pHa3GUKr1V504nxzdzQ gsT5mvDkRoY95+HAiysDON6DCDtZc69iBUIHWWuFo/OrcD2q/mWANG4x vyU28Pf0U1gN6Gd5iapKC0Ya12flKh//NQiNN2skOQ2MoF2MW2/MaAK2 HBc=') + +wildcard_when = 1593541048 + class DNSSECMakeDSTestCase(unittest.TestCase): def testMnemonicParser(self): good_ds_mnemonic = dns.rdata.from_text(dns.rdataclass.IN, dns.rdatatype.DS, 
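Review bot: The wildcard fixtures are signed with algorithm 5 (`'256 3 5 …'` in the DNSKEY, `'TXT 5 2 3600 …'` in the RRSIG), which is RSASHA1, so the wildcard tests probably depend on the crypto backend still verifying SHA-1 signatures. On a build where SHA-1 verification is disabled they would fail for a reason unrelated to wildcard handling; a comment above `wildcard_keys` such as `# Algorithm 5 (RSASHA1) fixture: exercises wildcard label handling only` would make that clear. The DNSKEY owner is written `'example.com'` without the trailing dot that `'*.example.com.'` carries on the lines below, which is worth aligning. `wildcard_example_com` is not referenced in the hunks shown, so it may be unused.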
@@ -283,6 +295,38 @@ class DNSSECValidatorTestCase(unittest.TestCase): dns.dnssec.validate(abs_other_ed448_mx, abs_ed448_mx_rrsig_2, abs_ed448_keys_2, None, when5) + def testWildcardGood(self): # type: () -> None + dns.dnssec.validate(wildcard_txt, wildcard_txt_rrsig, + wildcard_keys, None, wildcard_when) + + def clone_rrset(rrset, name): + return dns.rrset.from_rdata(name, rrset.ttl, rrset[0]) + + a_name = dns.name.from_text('a.example.com') + a_txt = clone_rrset(wildcard_txt, a_name) + a_txt_rrsig = clone_rrset(wildcard_txt_rrsig, a_name) + dns.dnssec.validate(a_txt, a_txt_rrsig, wildcard_keys, None, + wildcard_when) + + abc_name = dns.name.from_text('a.b.c.example.com') + abc_txt = clone_rrset(wildcard_txt, abc_name) + abc_txt_rrsig = clone_rrset(wildcard_txt_rrsig, abc_name) + dns.dnssec.validate(abc_txt, abc_txt_rrsig, wildcard_keys, None, + wildcard_when) + + def testAlternateParameterFormats(self): # type: () -> None + # Pass rrset and rrsigset as (name, rdataset) tuples, not rrsets + rrset = (abs_soa.name, abs_soa.to_rdataset()) + rrsigset = (abs_soa_rrsig.name, abs_soa_rrsig.to_rdataset()) + dns.dnssec.validate(rrset, rrsigset, abs_keys, None, when) + + # Pass keys as a name->node dict, not a name->rrset dict + keys = {} + for (name, key_rrset) in abs_keys.items(): + keys[name] = dns.node.Node() + keys[name].rdatasets.append(key_rrset.to_rdataset()) + dns.dnssec.validate(abs_soa, abs_soa_rrsig, keys, None, when) + class DNSSECMakeDSTestCase(unittest.TestCase): def testMakeExampleSHA1DS(self): # type: () -> None
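Review bot: testWildcardGood checks only names that should validate, so it would not notice if the wildcard handling accepted this signature for any owner name; no negative wildcard case is visible in the hunk. A companion test that reuses the same RRSIG under a name outside `example.com` and expects `dns.dnssec.ValidationFailure` would pin the reject path. Separately, `clone_rrset` copies only `rrset[0]`, which is fine for these one-record fixtures but deserves a one-line comment saying so. The sketch below assumes `validate` raises `ValidationFailure` for the mismatched name, which should be confirmed against the validator.

```python
    # … unchanged: testWildcardGood …

    def testWildcardBadName(self):  # type: () -> None
        # Same RRSIG under a name outside example.com must not validate
        bad_name = dns.name.from_text('a.example.org')
        bad_txt = dns.rrset.from_rdata(bad_name, wildcard_txt.ttl,
                                       wildcard_txt[0])
        bad_rrsig = dns.rrset.from_rdata(bad_name, wildcard_txt_rrsig.ttl,
                                         wildcard_txt_rrsig[0])
        with self.assertRaises(dns.dnssec.ValidationFailure):
            dns.dnssec.validate(bad_txt, bad_rrsig, wildcard_keys, None,
                                wildcard_when)
```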