Add kasp tests for Ed25519 and Ed448
authorMatthijs Mekking <matthijs@isc.org>
Wed, 30 Sep 2020 07:53:19 +0000 (09:53 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Fri, 2 Oct 2020 07:20:19 +0000 (09:20 +0200)
Use the testcrypto script to see if these algorithms are supported by
openssl. If so, add the specific configuration to the named.conf file
and touch a file to indicate support. If the file exists, the
corresponding setup and tests are performed.

bin/tests/system/kasp/clean.sh
bin/tests/system/kasp/ns3/ed25519.conf [new file with mode: 0644]
bin/tests/system/kasp/ns3/ed448.conf [new file with mode: 0644]
bin/tests/system/kasp/ns3/setup.sh
bin/tests/system/kasp/setup.sh
bin/tests/system/kasp/tests.sh

index 7ab6c7913071c3e25a204a93d4734e2968158f67..ce556893bd8e7712b9f165eb3723972f153c48f4 100644 (file)
@@ -26,3 +26,4 @@ rm -f ns*/zones ns*/*.db.infile
 rm -f *.created published.test* retired.test*
 rm -f rndc.dnssec.*.out.*
 rm -f python.out.*
+rm -f *-supported.file
diff --git a/bin/tests/system/kasp/ns3/ed25519.conf b/bin/tests/system/kasp/ns3/ed25519.conf
new file mode 100644 (file)
index 0000000..89380e1
--- /dev/null
@@ -0,0 +1,15 @@
+dnssec-policy "ed25519" {
+        dnskey-ttl 1234;
+
+        keys {
+                ksk key-directory lifetime P10Y algorithm 15;
+                zsk key-directory lifetime P5Y  algorithm 15;
+                zsk key-directory lifetime P1Y  algorithm 15 256;
+        };
+};
+
+zone "ed25519.kasp" {
+        type primary;
+        file "ed25519.kasp.db";
+        dnssec-policy "ed25519";
+};
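Review bot: The third key line, `zsk key-directory lifetime P1Y  algorithm 15 256;`, carries an explicit key size while the two lines above it do not, and the file gives no reason for the difference. A short comment above it, such as `// Explicit key size; tests.sh expects 256 bits for all three keys.`, would show that the case is deliberate. The same applies to `algorithm 16 456` in ns3/ed448.conf.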
diff --git a/bin/tests/system/kasp/ns3/ed448.conf b/bin/tests/system/kasp/ns3/ed448.conf
new file mode 100644 (file)
index 0000000..379f02c
--- /dev/null
@@ -0,0 +1,15 @@
+dnssec-policy "ed448" {
+        dnskey-ttl 1234;
+
+        keys {
+                ksk key-directory lifetime P10Y algorithm 16;
+                zsk key-directory lifetime P5Y  algorithm 16;
+                zsk key-directory lifetime P1Y  algorithm 16 456;
+        };
+};
+
+zone "ed448.kasp" {
+        type primary;
+        file "ed448.kasp.db";
+        dnssec-policy "ed448";
+};
index 5ab3f7dc9717f04805256bac3696cb035f9f979d..b72067b4b4bd95a7d96ea9564515885ed7e37d7e 100644 (file)
@@ -59,6 +59,18 @@ do
        cp template.db.in "$zonefile"
 done
 
+if [ -f ../ed25519-supported.file ]; then
+       setup "ed25519.kasp"
+       cp template.db.in "$zonefile"
+       cat ed25519.conf >> named.conf
+fi
+
+if [ -f ../ed448-supported.file ]; then
+       setup "ed448.kasp"
+       cp template.db.in "$zonefile"
+       cat ed448.conf >> named.conf
+fi
+
 # Set up zone that stays unsigned.
 zone="unsigned.kasp"
 echo_i "setting up zone: $zone"
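Review bot: The two added blocks depend on marker files that this script neither creates nor documents; `../ed25519-supported.file` and `../ed448-supported.file` are written by the parent setup.sh after it runs testcrypto.sh. A comment above the first `if`, for example `# Marker files are written by ../setup.sh when testcrypto.sh reports the algorithm as supported.`, would make that coupling visible here. The relative path also appears to assume the script runs from inside ns3, which the comment could state.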
index b499fb8dae50b4374a137efbd1492638d39a7ebb..5a1f853d3c43cd2b5f109dfadf829fec248ed9ec 100644 (file)
@@ -24,6 +24,14 @@ copy_setports ns4/named.conf.in ns4/named.conf
 copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns6/named.conf.in ns6/named.conf
 
+if $SHELL ../testcrypto.sh ed25519; then
+       echo "yes" > ed25519-supported.file
+fi
+
+if $SHELL ../testcrypto.sh ed448; then
+       echo "yes" > ed448-supported.file
+fi
+
 # Setup zones
 (
        cd ns2
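Review bot: A marker file left over from an earlier run is never removed when testcrypto.sh fails, because both added `if` blocks only create the file on success. Unless clean.sh is guaranteed to have run first (not visible in this hunk), ns3/setup.sh would then append ed25519.conf or ed448.conf to named.conf, and tests.sh would run the checks, for an algorithm the crypto library does not support. Removing the markers before probing, `rm -f ed25519-supported.file ed448-supported.file`, makes the result depend only on the current run.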
index c5262a8fa97f0a8e76399b539a512ed4d4dff92d..4e4c12e1f2cb70ec8bd76095669e48d752601f9f 100644 (file)
@@ -2041,7 +2041,49 @@ check_apex
 check_subdomain
 dnssec_verify
 
-# TODO: ED25519 and ED448.
+#
+# Zone: ed25519.kasp.
+#
+if [ -f ed25519-supported.file ]; then
+       set_zone "ed25519.kasp"
+       set_policy "ed25519" "3" "1234"
+       set_server "ns3" "10.53.0.3"
+       # Key properties.
+       set_keyalgorithm "KEY1" "15" "ED25519" "256"
+       set_keyalgorithm "KEY2" "15" "ED25519" "256"
+       set_keyalgorithm "KEY3" "15" "ED25519" "256"
+       # Key timings and states same as above.
+
+       check_keys
+       check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+       set_keytimes_algorithm_policy
+       check_keytimes
+       check_apex
+       check_subdomain
+       dnssec_verify
+fi
+
+#
+# Zone: ed448.kasp.
+#
+if [ -f ed448-supported.file ]; then
+       set_zone "ed448.kasp"
+       set_policy "ed448" "3" "1234"
+       set_server "ns3" "10.53.0.3"
+       # Key properties.
+       set_keyalgorithm "KEY1" "16" "ED448" "456"
+       set_keyalgorithm "KEY2" "16" "ED448" "456"
+       set_keyalgorithm "KEY3" "16" "ED448" "456"
+       # Key timings and states same as above.
+
+       check_keys
+       check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+       set_keytimes_algorithm_policy
+       check_keytimes
+       check_apex
+       check_subdomain
+       dnssec_verify
+fi
 
 # Set key times for 'autosign' policy.
 set_keytimes_autosign_policy() {
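Review bot: When a marker file is absent, the `if [ -f ed25519-supported.file ]` and `if [ -f ed448-supported.file ]` blocks skip every check for the zone without logging anything. A run on a build without EdDSA support therefore looks the same as a run that verified signing with these algorithms. An `else` branch that logs the skip, for example `echo_i "ed25519 not supported, skipping ed25519.kasp checks"` using the echo_i helper seen in ns3/setup.sh, would make the lost coverage visible in the test output. The same applies to the ed448 block.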