]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
projects / thirdparty / bind9.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 826e256)
check that 'dnssec-signzone -F' fails for rsasha1
authorMark Andrews <marka@isc.org>
Sat, 3 Sep 2022 05:31:40 +0000 (15:31 +1000)
committerMark Andrews <marka@isc.org>
Mon, 3 Apr 2023 02:44:27 +0000 (12:44 +1000)
bin/tests/system/dnssec/signer/general/Kexample.com.+005+19857.key [new file with mode: 0644] patch | blob
bin/tests/system/dnssec/signer/general/Kexample.com.+005+19857.private [new file with mode: 0644] patch | blob
bin/tests/system/dnssec/signer/general/Kexample.com.+005+45884.key [new file with mode: 0644] patch | blob
bin/tests/system/dnssec/signer/general/Kexample.com.+005+45884.private [new file with mode: 0644] patch | blob
bin/tests/system/dnssec/signer/general/test11.zone [new file with mode: 0644] patch | blob
bin/tests/system/dnssec/tests.sh patch | blob | blame | history

diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+005+19857.key b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+19857.key
new file mode 100644 (file)
index 0000000..104face
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+19857.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 19857, for example.com.
+; Created: 20220902075244 (Fri Sep  2 17:52:44 2022)
+; Publish: 20220902075244 (Fri Sep  2 17:52:44 2022)
+; Activate: 20220902075244 (Fri Sep  2 17:52:44 2022)
+example.com. IN DNSKEY 256 3 5 AwEAAaUr14RTAa2dr/JPoMv5QM32IbLMNUZFPAM9M2Zm6Ef9S3/UsRk9 W+P08Dx5Xte/PMuZK8ejWUyou37LowmVbahkP2kcS7Z552btsLnGK2+5 me5Y/GgnodhMVN7phkEQNPRKSUQQyLdQC6Ltzt0JVp48q4PmgCta22et rgq1YEoj2E8Po53bn5eQXCUsnkBFhkql9/17Ls2ckWNBkHWiItMDaWk7 qkM4ZJu7C/jq3ybBjn0bi4Svlt7PNiuuo3h5WaJYJHXd2M7PIN14rUDE cas/b+iy4eF7VC3CRUgt1spFinW/G4wSro55e6phstc3I1BE6B+pC4pq eGlAfQqWWcs=
diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+005+19857.private b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+19857.private
new file mode 100644 (file)
index 0000000..91171b0
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+19857.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 5 (RSASHA1)
+Modulus: pSvXhFMBrZ2v8k+gy/lAzfYhssw1RkU8Az0zZmboR/1Lf9SxGT1b4/TwPHle1788y5krx6NZTKi7fsujCZVtqGQ/aRxLtnnnZu2wucYrb7mZ7lj8aCeh2ExU3umGQRA09EpJRBDIt1ALou3O3QlWnjyrg+aAK1rbZ62uCrVgSiPYTw+jndufl5BcJSyeQEWGSqX3/XsuzZyRY0GQdaIi0wNpaTuqQzhkm7sL+OrfJsGOfRuLhK+W3s82K66jeHlZolgkdd3Yzs8g3XitQMRxqz9v6LLh4XtULcJFSC3WykWKdb8bjBKujnl7qmGy1zcjUEToH6kLimp4aUB9CpZZyw==
+PublicExponent: AQAB
+PrivateExponent: HzQaIgCAd6krnS5X5VDwYjiWgy26/syDmuUL+dOFHFyIz9yBnJAP9Q/H9tTDCyUwuhH0yGFetHHIAhs8cMoPDlnp9NSIpS+AfNx4n5AFkrTQlMuw24hpNfCts/MQDuid6GzETJyTHrZ7jEs64l0qRPiXOnLoUch3XK3eDF3ZlAfFkoPBFA5KIbiK8dcCahUmV4WReyE80X2N2dUloE8vLzy/j7yY2z1/HjhAu74S264wQMxNmJ0MsHeu78y7n8SKEJxncbgAciCNoamiQFiBGYYrs72B6BGHc19fhD5G7ldjpXukes9bHJSgj5ohseRJ27hkK7sKnqzOx/5Se6F5EQ==
+Prime1: vNcFqw4Gu/gsEcte00YXSGGkOWlsEAOEARMy+l7yYVC9GMR41YuINydu42Bj+D/Qq1ifYk9ok26VnXsJ6GFWK9DdFFtSElCzq1Crb7/7yuRR86cM9UBr3045g9tvlH6sL+yeH1ESr8vNZtmlytDifw2Xp2kg0xoJnlnV0ZXphOk=
+Prime2: 3+nmSodd/lDzVvn3uGMKux2B1mI2iApKM6bbwMwrzobN5bFkLkW1y1PuOYJytX1Sm39ecLCPYEmSf56kCitAquj7B98sblg05Y1QKvTTyX4uUsKFx3YAjvgp+acuI0Rq5J5GeSFCvdttgqAWdvvjoI8ic44K3sT1XTexaoLByJM=
+Exponent1: jUmr2gHSlAzonB+3QQfuH5++iZ4Q1iJrP4qn15/2ZU1NThyh89REBFAirUjPQ0wryieyiJG1Qqm4k20dSpqZKItK/hIdY8qxwvnGawQPVgxiLJTOIykiDJ+wdLFX2Ji2J903qWK1QoaPleY+H3MOI9V9pCoJ/yg6DhpU2kz5vRE=
+Exponent2: 04rLQ0Y4ivg3rchjPRR1Iupxq/UFx+jQyZOusaszB99bztGU8BJz+jDFNBgF/2jzDm1678Qe8L0RZvidye2rHs0VvQ4fj/BNqUGkp7C+FfLcGNwmP5dAV9Ik9fP4JuGQi4Ts16uQvoX8JBjSoH7BQwN3bOyZYHV7yiG/v/zgz3k=
+Coefficient: l8vCrMMiS8eWYQNM/SPa4/swn1/EZtcgPcBqMa3zia+9rOJ4/mzRcQTKz6B7c7Z9BVoTzMWGlgd94PTDeLN9fbTNmRs/8JwwgzJ8FeJeisvZquvarFtq2PdVVZQSxTwt7N6DUMVcA8Vbdq+uGjJghs22/sJ23MS3key+PUHtwFI=
+Created: 20220902075244
+Publish: 20220902075244
+Activate: 20220902075244
diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+005+45884.key b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+45884.key
new file mode 100644 (file)
index 0000000..717d65f
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+45884.key
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 45884, for example.com.
+; Created: 20220902075336 (Fri Sep  2 17:53:36 2022)
+; Publish: 20220902075336 (Fri Sep  2 17:53:36 2022)
+; Activate: 20220902075336 (Fri Sep  2 17:53:36 2022)
+example.com. IN DNSKEY 257 3 5 AwEAAZ6aTwNhgMDJ8AObT38LEX4nZe0CFXKkFv8fzBhEJEWgJRplhEhx laqGc47NoXChBiz5qdX2qAC0zi4CRydmV8TdG9shpED9kapIl7KVM3wj +irX36R9TpFT7Otmvsh7/RbRfpKz4I0pCC01hRHyj7EodMC4j3LMF9sc GWNmiOTQI1PTxbvIEDeDfoTUDMFzvOwVmH1Bq+SzA9Ikm2VADZO4vIIO J/07lWT+LDQ/g1qiCNaSDyNhGfNVf8xYvmB8OXomGFLqDuSpUkwdL5kB 2gGmnUbIH+Pn+pcN9fxVniKH3mzYEGCxIspePbhvwDfB30gTmE8uaFMa 7McouGKW3Ps=
diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+005+45884.private b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+45884.private
new file mode 100644 (file)
index 0000000..891c6c3
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+45884.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 5 (RSASHA1)
+Modulus: nppPA2GAwMnwA5tPfwsRfidl7QIVcqQW/x/MGEQkRaAlGmWESHGVqoZzjs2hcKEGLPmp1faoALTOLgJHJ2ZXxN0b2yGkQP2RqkiXspUzfCP6KtffpH1OkVPs62a+yHv9FtF+krPgjSkILTWFEfKPsSh0wLiPcswX2xwZY2aI5NAjU9PFu8gQN4N+hNQMwXO87BWYfUGr5LMD0iSbZUANk7i8gg4n/TuVZP4sND+DWqII1pIPI2EZ81V/zFi+YHw5eiYYUuoO5KlSTB0vmQHaAaadRsgf4+f6lw31/FWeIofebNgQYLEiyl49uG/AN8HfSBOYTy5oUxrsxyi4Ypbc+w==
+PublicExponent: AQAB
+PrivateExponent: SSWu0kbaPFAGH4u2NsgSicW+5vfCj4xpRMHT/c8TkX8CDbILN+QW3D5FNnPVBJ5nPD/rGdC3/BdnTeXkDiJP0W4Ohlp2KDkqQMhZGlZgl9z56F+GeBUIstLrnkfVLp6sg6UcBKnsIv5tFHiuBjCCH/kiG64jDpVdXUMQ3HyyHyC67sB1gIqpZdhQxFliVIaebwXHlv4uWi31DxTUj0mmutmpTD1r4z+43DlU3JL07WBBpIoOmG/GoFoDr+JNWWwArnhHDZFl6XL1Z2u5ojdIOcgLTXcU1SdvFwBHIAH9PIwvow0gVcZTIHwDYJ41CL6YExXF8ymVpIPspZPaFwSxvQ==
+Prime1: 2iWvbJTRrJuceM1CgOTMMoi/qMN/GtthmbL5V0w+hyFE6UzCWYQXED5YTPtoXk9tZ/YpnD7i5i7ru8VbLx0DAIrLkAFP3Xpxa7dvdRGzyPGuYARsjgNnj57M5Sl1tTTsZpkXaKEeiONCA6+vcSuc2l1NxqdDbhC/TwlpjOAbPRc=
+Prime2: uh+ZuRel3T3qvD7acXm2UyF2BdeEEwwIvzqZVi3uxwUTd/TxFA7+3xuX6LNM+HK5fNxuB3exVC8OzALFzUOOJECVFUfhKi/1+VrVfBuJnyLlqQ14RncbZvsn+ScfGZpgYuacvq0zWiP2scxmXSQxchxcFVRCKFRCCVGVuOLzNb0=
+Exponent1: coA7TrPiRkY7YBDk6kCtiYzLhKpwaclitkkBpTeozkbBI++dR10UufrvYCDJzE7Gbz3+4zsC360bIKjbTqRcsgkoBcMah3bAV7ilsP4EruFkFJPd4sCYuAKzK0mStfU8bDHI3qtLGrCmMschQDaTEu7MZwveUcRKlhKrqzzqLys=
+Exponent2: jlnU7KeViBzvB4La96crN3GEHvuyXA78MaXT2QHQeg770OdZ6wl9DY7BJIzd9bdo/oJo9PUqf0RugMIuHsvoTvnGDDypjeaYrlo2pXE6VKgQFrfioaI/Jwg4jmrJcn+L8JiIkZ1OhUa0S1AVim9AEhJ2qymCX+3xg8cOSBXsBdE=
+Coefficient: xotWVi9P/9Xr1FlKANoKVviBZaoT0xqbrVJLdmSLvyca+OipgxDilaPq+To7nAujkwtH/qdR14CHbkFSjxzzEp3jhOOSeh1HysCDlk5N7dCz2X+FHv977IYeC9vuGPG75Vbz18D7FUEy0huXgq003zJdd0e7djNca9a/GAp3gvc=
+Created: 20220902075336
+Publish: 20220902075336
+Activate: 20220902075336
diff --git a/bin/tests/system/dnssec/signer/general/test11.zone b/bin/tests/system/dnssec/signer/general/test11.zone
new file mode 100644 (file)
index 0000000..538305f
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/test11.zone
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+;      This is a zone which has two DNSKEY records, both of which have
+; existing private key files available.  They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 3600
+example.com.   IN      SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+005+19857.key
+$include Kexample.com.+005+45884.key
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index b14fcc5331a80fa3dae3a767fb657b976b628453..224de5e0f37089be595e552a408401c6c02dc2ea 100644 (file)
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -1426,7 +1426,7 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
-echo_ic "check that dnssec-signzone -F works with allowed algorithm ($n)"
+echo_ic "check that 'dnssec-signzone -F' works with allowed algorithm ($n)"
 ret=0
 if $FEATURETEST --fips-provider
 then
@@ -1443,6 +1443,25 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
+echo_ic "check that 'dnssec-signzone -F' failed with disallowed algorithm ($n)"
+ret=0
+if ! $FEATURETEST --fips-provider
+then
+    echo_i "skipped no FIPS provider available"
+elif ! $SHELL ../testcrypto.sh -q RSASHA1
+then
+    echo_i "skipped: RSASHA1 is not supported"
+else
+    (
+       cd signer/general || exit 1
+       rm -f signed.zone
+       $SIGNER -F -f signed.zone -o example.com. test11.zone > signer.out.$n 2>&1 && exit 1
+       grep "fatal: dnskey 'example.com/RSASHA1/19857' failed to sign data" signer.out.$n > /dev/null
+    ) || ret=1
+fi
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
 
 echo_ic "check that dnssec-signzone rejects excessive NSEC3 iterations ($n)"
 ret=0
@@ -3580,12 +3599,9 @@ ret=0
 if $FEATURETEST --have-fips-mode
 then
     echo_i "skipped: already in FIPS mode"
-elif ! $FEATURETEST --fips-set-mode
+elif ! $FEATURETEST --fips-provider
 then
     echo_i "skipped: cannot switch to FIPS mode"
-elif ! $FEATURETEST --fips-set-mode-dst-lib-init
-then
-       echo_i "skipped FIPS mode not properly set up"
 elif ! $SHELL ../testcrypto.sh -q RSASHA1
 then
     echo_i "skipped: RSASHA1 is not supported"
Mirror of https://gitlab.isc.org/isc-projects/bind9.git