From: Matthijs Mekking Date: Wed, 3 Feb 2021 09:36:30 +0000 (+0100) Subject: Refactor eddsa system test X-Git-Tag: v9.17.11~62^2~3 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8bf31d05926960516e2756272ee43f801143ddd4;p=thirdparty%2Fbind9.git Refactor eddsa system test Test for Ed25519 and Ed448. If both algorithms are not supported, skip test. If only one algorithm is supported, run test, skip the unsupported algorithm. If both are supported, run test normally. Create new ns3. This will test Ed448 specifically, while now ns2 only tests Ed25519. This moves some files from ns2/ to ns3/.
---
diff --git a/bin/tests/system/eddsa/clean.sh b/bin/tests/system/eddsa/clean.sh
index 1b0d13d4262..de6e44207ae 100644
--- a/bin/tests/system/eddsa/clean.sh
+++ b/bin/tests/system/eddsa/clean.sh
@@ -23,3 +23,5 @@ rm -f ns*/named.run
 rm -f ns*/root.db
 rm -f ns*/signer.err
 rm -f ns*/trusted.conf
+rm -f ns*/example.com.db
+rm -f *-supported.file
diff --git a/bin/tests/system/eddsa/ns1/sign.sh b/bin/tests/system/eddsa/ns1/sign.sh
index 9a9c7f8dd4c..7b1425e427d 100644
--- a/bin/tests/system/eddsa/ns1/sign.sh
+++ b/bin/tests/system/eddsa/ns1/sign.sh
@@ -17,17 +17,39 @@ zone=. infile=root.db.in zonefile=root.db -key1=$($KEYGEN -q -a ED25519 -n zone "$zone") -key2=$($KEYGEN -q -a ED25519 -n zone -f KSK "$zone") -#key2=$($KEYGEN -q -a ED448 -n zone -f KSK "$zone") -$DSFROMKEY -a sha-256 "$key2.key" > dsset-256 +echo_i "ns1/sign.sh" -cat "$infile" "$key1.key" "$key2.key" > "$zonefile" +cp $infile $zonefile -$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err +if [ -f ../ed25519-supported.file ]; then + zsk25519=$($KEYGEN -q -a ED25519 -n zone "$zone") + ksk25519=$($KEYGEN -q -a ED25519 -n zone -f KSK "$zone") + cat "$ksk25519.key" "$zsk25519.key" >> "$zonefile" + $DSFROMKEY -a sha-256 "$ksk25519.key" >> dsset-256 +fi + +if [ -f ../ed448-supported.file ]; then + zsk448=$($KEYGEN -q -a ED448 -n zone "$zone") + ksk448=$($KEYGEN -q -a ED448 -n zone -f KSK "$zone") + cat "$ksk448.key" "$zsk448.key" >> "$zonefile" + $DSFROMKEY -a sha-256 "$ksk448.key" >> dsset-256 +fi # Configure the resolving server with a static key. -keyfile_to_static_ds "$key1" > trusted.conf -cp trusted.conf ../ns2/trusted.conf +if [ -f ../ed25519-supported.file ]; then + keyfile_to_static_ds $ksk25519 > trusted.conf + cp trusted.conf ../ns2/trusted.conf +else + keyfile_to_static_ds $ksk448 > trusted.conf + cp trusted.conf ../ns2/trusted.conf +fi + +if [ -f ../ed448-supported.file ]; then + keyfile_to_static_ds $ksk448 > trusted.conf + cp trusted.conf ../ns3/trusted.conf +else + keyfile_to_static_ds $ksk25519 > trusted.conf + cp trusted.conf ../ns3/trusted.conf +fi -cd ../ns2 && $SHELL sign.sh +$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err diff --git a/bin/tests/system/eddsa/ns2/example.com.db.in b/bin/tests/system/eddsa/ns2/example.com.db.in new file mode 100644 index 00000000000..c50a7875c7c --- /dev/null +++ b/bin/tests/system/eddsa/ns2/example.com.db.in 
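Review bot: Both `$DSFROMKEY -a sha-256 ... >> dsset-256` lines append to dsset-256, whereas the removed line truncated it with `>`, so a dsset-256 left over from a previous run would carry stale DS records into the next one unless something else removes it; the clean.sh hunk above does not show such a line. Truncating it once before the two key-generation blocks, `rm -f dsset-256`, keeps the file's contents tied to this run. The new lines also drop the quoting the removed lines had: `cp $infile $zonefile` and `keyfile_to_static_ds $ksk25519 > trusted.conf` (and the three sibling calls) should quote their expansions as `cp "$infile" "$zonefile"` and `keyfile_to_static_ds "$ksk25519" > trusted.conf`. Note that the second if/else block overwrites ns1's own trusted.conf with the Ed448 DS after the first block wrote the Ed25519 one; that looks harmless for an authoritative ns1, but a one-line comment saying trusted.conf here is only a staging file for ns2/ns3 would make the intent clear.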
@@ -0,0 +1,20 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ IN SOA fdupont.isc.org. ns.example.com. ( + 2012040600 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 3600 ; minimum + ) + MX 10 mail.example.com. + NS ns.example.com. +ns.example.com. A 10.53.0.2 diff --git a/bin/tests/system/eddsa/ns2/sign.sh b/bin/tests/system/eddsa/ns2/sign.sh index 2303234b67d..82850ab18b4 100644 --- a/bin/tests/system/eddsa/ns2/sign.sh +++ b/bin/tests/system/eddsa/ns2/sign.sh @@ -14,16 +14,23 @@ set -e . ../../conf.sh zone=example.com. +infile=example.com.db.in zonefile=example.com.db starttime=20150729220000 endtime=20150819220000 -for i in Xexample.com.+015+03613.key Xexample.com.+015+03613.private \ - Xexample.com.+015+35217.key Xexample.com.+015+35217.private \ - Xexample.com.+016+09713.key Xexample.com.+016+09713.private \ - Xexample.com.+016+38353.key Xexample.com.+016+38353.private -do - cp "$i" "$(echo $i | sed s/X/K/)" -done +echo_i "ns2/sign.sh" + +cp $infile $zonefile + +if [ -f ../ed25519-supported.file ]; then + + for i in Xexample.com.+015+03613 Xexample.com.+015+35217 + do + cp "$i.key" "$(echo $i.key | sed s/X/K/)" + cp "$i.private" "$(echo $i.private | sed s/X/K/)" + cat "$(echo $i.key | sed s/X/K/)" >> "$zonefile" + done +fi $SIGNER -P -z -s "$starttime" -e "$endtime" -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err diff --git a/bin/tests/system/eddsa/ns2/Xexample.com.+016+09713.key b/bin/tests/system/eddsa/ns3/Xexample.com.+016+09713.key similarity index 100% rename from bin/tests/system/eddsa/ns2/Xexample.com.+016+09713.key rename to bin/tests/system/eddsa/ns3/Xexample.com.+016+09713.key 
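Review bot: In the ns2/sign.sh hunk the loop body computes `$(echo $i.key | sed s/X/K/)` three times per key with `$i` unquoted inside the command substitution; the same rename can be done once with parameter expansion and no subprocess, and the same pattern appears in the new ns3/sign.sh. `cp $infile $zonefile` in this hunk (and in ns3/sign.sh) should also quote its operands. The blank line directly after `then` is a stray.
```shell
cp "$infile" "$zonefile"

if [ -f ../ed25519-supported.file ]; then
  for i in Xexample.com.+015+03613 Xexample.com.+015+35217
  do
    k="K${i#X}"
    cp "$i.key" "$k.key"
    cp "$i.private" "$k.private"
    cat "$k.key" >> "$zonefile"
  done
fi
# … unchanged: $SIGNER invocation …
```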
diff --git a/bin/tests/system/eddsa/ns2/Xexample.com.+016+09713.private b/bin/tests/system/eddsa/ns3/Xexample.com.+016+09713.private similarity index 100% rename from bin/tests/system/eddsa/ns2/Xexample.com.+016+09713.private rename to bin/tests/system/eddsa/ns3/Xexample.com.+016+09713.private diff --git a/bin/tests/system/eddsa/ns2/Xexample.com.+016+38353.key b/bin/tests/system/eddsa/ns3/Xexample.com.+016+38353.key similarity index 100% rename from bin/tests/system/eddsa/ns2/Xexample.com.+016+38353.key rename to bin/tests/system/eddsa/ns3/Xexample.com.+016+38353.key diff --git a/bin/tests/system/eddsa/ns2/Xexample.com.+016+38353.private b/bin/tests/system/eddsa/ns3/Xexample.com.+016+38353.private similarity index 100% rename from bin/tests/system/eddsa/ns2/Xexample.com.+016+38353.private rename to bin/tests/system/eddsa/ns3/Xexample.com.+016+38353.private diff --git a/bin/tests/system/eddsa/ns2/example.com.db b/bin/tests/system/eddsa/ns3/example.com.db.in similarity index 55% rename from bin/tests/system/eddsa/ns2/example.com.db rename to bin/tests/system/eddsa/ns3/example.com.db.in index 306a1569790..5616fbdcb76 100644 --- a/bin/tests/system/eddsa/ns2/example.com.db +++ b/bin/tests/system/eddsa/ns3/example.com.db.in @@ -8,18 +8,13 @@ ; information regarding copyright ownership. $TTL 3600 -@ IN SOA fdupont.isc.org. ns.example.com. ( - 2012040600 ; serial - 600 ; refresh - 600 ; retry - 1200 ; expire - 3600 ; minimum +@ IN SOA fdupont.isc.org. ns.example.com. ( + 2012040600 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 3600 ; minimum ) - MX 10 mail.example.com. + MX 10 mail.example.com. NS ns.example.com. ns.example.com. A 10.53.0.3 -; -$INCLUDE Kexample.com.+015+03613.key -$INCLUDE Kexample.com.+015+35217.key -$INCLUDE Kexample.com.+016+09713.key -$INCLUDE Kexample.com.+016+38353.key diff --git a/bin/tests/system/eddsa/ns3/named.conf.in b/bin/tests/system/eddsa/ns3/named.conf.in new file mode 100644 index 00000000000..32d8c77d8f8 --- /dev/null 
+++ b/bin/tests/system/eddsa/ns3/named.conf.in @@ -0,0 +1,34 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS2 + +controls { /* empty */ }; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion yes; + notify yes; + dnssec-validation yes; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/eddsa/ns3/sign.sh b/bin/tests/system/eddsa/ns3/sign.sh new file mode 100644 index 00000000000..b36869df41a --- /dev/null +++ b/bin/tests/system/eddsa/ns3/sign.sh 
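Review bot: The header comment in the new ns3/named.conf.in reads `// NS2`, but this file configures the ns3 instance (every address in it is 10.53.0.3); it was evidently copied from ns2 and should say `// NS3`. Since this server is the one that validates the Ed448-signed root via its trusted.conf, a second comment line stating that, e.g. `// Validating resolver trusting the Ed448 KSK (see ns1/sign.sh)`, would tell a reader why ns2 and ns3 exist side by side.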
@@ -0,0 +1,35 @@ +#!/bin/sh -e +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +set -e + +. ../../conf.sh + +zone=example.com. +infile=example.com.db.in +zonefile=example.com.db +starttime=20150729220000 +endtime=20150819220000 + +echo_i "ns3/sign.sh" + +cp $infile $zonefile + +if [ -f ../ed448-supported.file ]; then + for i in Xexample.com.+016+09713 Xexample.com.+016+38353 + do + cp "$i.key" "$(echo $i.key | sed s/X/K/)" + cp "$i.private" "$(echo $i.private | sed s/X/K/)" + cat "$(echo $i.key | sed s/X/K/)" >> "$zonefile" + done +fi + +$SIGNER -P -z -s "$starttime" -e "$endtime" -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err diff --git a/bin/tests/system/eddsa/prereq.sh b/bin/tests/system/eddsa/prereq.sh index fa2e99c814c..4034cd75ef9 100644 --- a/bin/tests/system/eddsa/prereq.sh +++ b/bin/tests/system/eddsa/prereq.sh @@ -13,6 +13,12 @@ set -e . ../conf.sh -if ! $SHELL ../testcrypto.sh eddsa; then - exit 1 +supported=0 +if $SHELL ../testcrypto.sh ed25519; then + supported=1 fi +if $SHELL ../testcrypto.sh ed448; then + supported=1 +fi + +[ "$supported" -eq 1 ] || exit 1 diff --git a/bin/tests/system/eddsa/setup.sh b/bin/tests/system/eddsa/setup.sh index 19bbbcf64d6..3118a8bd44b 100644 --- a/bin/tests/system/eddsa/setup.sh +++ b/bin/tests/system/eddsa/setup.sh 
@@ -13,7 +13,27 @@ set -e . ../conf.sh +if $SHELL ../testcrypto.sh ed25519; then + echo "yes" > ed25519-supported.file +fi + +if $SHELL ../testcrypto.sh ed448; then + echo "yes" > ed448-supported.file +fi + copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns2/named.conf.in ns2/named.conf +copy_setports ns3/named.conf.in ns3/named.conf -cd ns1 && $SHELL sign.sh +( + cd ns1 + $SHELL sign.sh +) +( + cd ns2 + $SHELL sign.sh +) +( + cd ns3 + $SHELL sign.sh +) diff --git a/bin/tests/system/eddsa/tests.sh b/bin/tests/system/eddsa/tests.sh index 9055b557ae5..014ac67eb13 100644 --- a/bin/tests/system/eddsa/tests.sh +++ b/bin/tests/system/eddsa/tests.sh 
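Review bot: The marker files `ed25519-supported.file` and `ed448-supported.file` are only ever created in this hunk, never removed, so if clean.sh is not run before setup.sh a marker left by an earlier run (or a different build) would make the unsupported algorithm look supported and the later `$KEYGEN -a ED448` calls in ns1/sign.sh would fail. Clearing them at the top of the script, `rm -f ed25519-supported.file ed448-supported.file`, before the two `testcrypto.sh` checks makes the markers reflect the current run only. The ns2 and ns3 `sign.sh` subshells are also run regardless of the markers; as far as the ns2/ns3 hunks show, an unsupported algorithm then leaves the zone without keys and the `$SIGNER` call presumably fails and prints signer.err, which is noise rather than an error but may be worth guarding with the same `[ -f ... ]` test here.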
@@ -14,53 +14,72 @@ set -e . ../conf.sh status=0 -n=1 +n=0 dig_with_opts() { "$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" } -# Check the example. domain +if [ -f ed25519-supported.file ]; then + # Check the example. domain + n=$((n+1)) + echo_i "checking that Ed25519 positive validation works ($n)" + ret=0 + dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1 + dig_with_opts . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1 + $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1 + grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) -echo_i "checking that positive validation works ($n)" -ret=0 -dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1 -dig_with_opts . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1 -$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -n=$((n+1)) -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) - -# Check test vectors (RFC 8080 + errata) + # Check test vectors (RFC 8080 + errata) + n=$((n+1)) + echo_i "checking that Ed25519 test vectors match ($n)" + ret=0 + grep 'oL9krJun7xfBOIWcGHi7mag5/hdZrKWw15jP' ns2/example.com.db.signed > /dev/null || ret=1 + grep 'VrbpMngwcrqNAg==' ns2/example.com.db.signed > /dev/null || ret=1 + grep 'zXQ0bkYgQTEFyfLyi9QoiY6D8ZdYo4wyUhVi' ns2/example.com.db.signed > /dev/null || ret=1 + grep 'R0O7KuI5k2pcBg==' ns2/example.com.db.signed > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +else + echo_i "algorithm Ed25519 not supported, skipping vectors match test" +fi -echo_i "checking that Ed25519 test vectors match ($n)" -ret=0 -grep 'oL9krJun7xfBOIWcGHi7mag5/hdZrKWw15jP' ns2/example.com.db.signed > /dev/null || ret=1 -grep 'VrbpMngwcrqNAg==' ns2/example.com.db.signed > /dev/null || ret=1 -grep 'zXQ0bkYgQTEFyfLyi9QoiY6D8ZdYo4wyUhVi' 
ns2/example.com.db.signed > /dev/null || ret=1 -grep 'R0O7KuI5k2pcBg==' ns2/example.com.db.signed > /dev/null || ret=1 n=$((n+1)) -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) - -echo_i "checking that Ed448 test vectors match ($n)" ret=0 -grep '3cPAHkmlnxcDHMyg7vFC34l0blBhuG1qpwLm' ns2/example.com.db.signed > /dev/null || ret=1 -grep 'jInI8w1CMB29FkEAIJUA0amxWndkmnBZ6SKi' ns2/example.com.db.signed > /dev/null || ret=1 -grep 'wZSAxGILn/NBtOXft0+Gj7FSvOKxE/07+4RQ' ns2/example.com.db.signed > /dev/null || ret=1 -grep 'vE581N3Aj/JtIyaiYVdnYtyMWbSNyGEY2213' ns2/example.com.db.signed > /dev/null || ret=1 -grep 'WKsJlwEA' ns2/example.com.db.signed > /dev/null || ret=1 +if [ -f ed448-supported.file ]; then + # Check the example. domain + n=$((n+1)) + echo_i "checking that Ed448 positive validation works ($n)" + ret=0 + dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1 + dig_with_opts . @10.53.0.3 soa > dig.out.ns3.test$n || ret=1 + $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1 + grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) -grep 'E1/oLjSGIbmLny/4fcgM1z4oL6aqo+izT3ur' ns2/example.com.db.signed > /dev/null || ret=1 -grep 'CyHyvEp4Sp8Syg1eI+lJ57CSnZqjJP41O/9l' ns2/example.com.db.signed > /dev/null || ret=1 -grep '4m0AsQ4f7qI1gVnML8vWWiyW2KXhT9kuAICU' ns2/example.com.db.signed > /dev/null || ret=1 -grep 'Sxv5OWbf81Rq7Yu60npabODB0QFPb/rkW3kU' ns2/example.com.db.signed > /dev/null || ret=1 -grep 'ZmQ0YQUA' ns2/example.com.db.signed > /dev/null || ret=1 + # Check test vectors (RFC 8080 + errata) + n=$((n+1)) + echo_i "checking that Ed448 test vectors match ($n)" + ret=0 + grep '3cPAHkmlnxcDHMyg7vFC34l0blBhuG1qpwLm' ns3/example.com.db.signed > /dev/null || ret=1 + grep 'jInI8w1CMB29FkEAIJUA0amxWndkmnBZ6SKi' ns3/example.com.db.signed > /dev/null || ret=1 + grep 'wZSAxGILn/NBtOXft0+Gj7FSvOKxE/07+4RQ' ns3/example.com.db.signed > /dev/null || 
ret=1 + grep 'vE581N3Aj/JtIyaiYVdnYtyMWbSNyGEY2213' ns3/example.com.db.signed > /dev/null || ret=1 + grep 'WKsJlwEA' ns3/example.com.db.signed > /dev/null || ret=1 -n=$((n+1)) -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) + grep 'E1/oLjSGIbmLny/4fcgM1z4oL6aqo+izT3ur' ns3/example.com.db.signed > /dev/null || ret=1 + grep 'CyHyvEp4Sp8Syg1eI+lJ57CSnZqjJP41O/9l' ns3/example.com.db.signed > /dev/null || ret=1 + grep '4m0AsQ4f7qI1gVnML8vWWiyW2KXhT9kuAICU' ns3/example.com.db.signed > /dev/null || ret=1 + grep 'Sxv5OWbf81Rq7Yu60npabODB0QFPb/rkW3kU' ns3/example.com.db.signed > /dev/null || ret=1 + grep 'ZmQ0YQUA' ns3/example.com.db.signed > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +else + echo_i "algorithm Ed448 not supported, skipping vectors match test" +fi echo_i "exit status: $status" [ $status -eq 0 ] || exit 1
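Review bot: Between the Ed25519 `fi` and the `if [ -f ed448-supported.file ]` line two unchanged lines from the old sequence survive as context, `n=$((n+1))` and `ret=0`; the Ed448 block increments `n` and resets `ret` itself, so the leftover increment makes the test numbering skip a value (Ed25519 tests are 1 and 2, the Ed448 ones 4 and 5) and the leftover `ret=0` is dead. Both lines should be deleted. The two `else` messages say `skipping vectors match test` although each branch skips the positive-validation check as well; `echo_i "algorithm Ed25519 not supported, skipping validation and test vector checks"` (and likewise for Ed448) describes what is skipped. tests.sh's remaining lines after `[ $status -eq 0 ] || exit 1` are outside the hunk.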