Test legacy HMAC key files with dig

tsig-keygen is now used to generate key files for TSIG.  These have
a different format to those that were generated by dnssec-keygen.
Test that dig can still read these files.

diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-md5-legacy.+157+22023.key b/bin/tests/system/tsig/ns1/legacy/Khmac-md5-legacy.+157+22023.key
new file mode 100644 (file)
index 0000000..37ee8ae
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-md5-legacy.+157+22023.key
@@ -0,0 +1 @@
+hmac-md5-legacy. IN KEY 0 3 157 B7HCXJs0XnSPzypG5oHuGw==

diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-md5-legacy.+157+22023.private b/bin/tests/system/tsig/ns1/legacy/Khmac-md5-legacy.+157+22023.private
new file mode 100644 (file)
index 0000000..8b2f435
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-md5-legacy.+157+22023.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 157 (HMAC_MD5)
+Key: B7HCXJs0XnSPzypG5oHuGw==
+Bits: AAA=
+Created: 20230619071002
+Publish: 20230619071002
+Activate: 20230619071002

diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-sha1-legacy.+161+50591.key b/bin/tests/system/tsig/ns1/legacy/Khmac-sha1-legacy.+161+50591.key
new file mode 100644 (file)
index 0000000..bd1445d
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-sha1-legacy.+161+50591.key
@@ -0,0 +1 @@
+hmac-sha1-legacy. IN KEY 0 3 161 TxGx9XBp6Pp5yYAOKXdERA==

diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-sha1-legacy.+161+50591.private b/bin/tests/system/tsig/ns1/legacy/Khmac-sha1-legacy.+161+50591.private
new file mode 100644 (file)
index 0000000..fe3d7ec
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-sha1-legacy.+161+50591.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 161 (HMAC_SHA1)
+Key: TxGx9XBp6Pp5yYAOKXdERA==
+Bits: AAA=
+Created: 20230619071031
+Publish: 20230619071031
+Activate: 20230619071031

diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-sha224-legacy.+162+50865.key b/bin/tests/system/tsig/ns1/legacy/Khmac-sha224-legacy.+162+50865.key
new file mode 100644 (file)
index 0000000..c849be9
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-sha224-legacy.+162+50865.key
@@ -0,0 +1 @@
+hmac-sha224-legacy. IN KEY 0 3 162 H8Hyw718rLqToQFRLAeFWQ==

diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-sha224-legacy.+162+50865.private b/bin/tests/system/tsig/ns1/legacy/Khmac-sha224-legacy.+162+50865.private
new file mode 100644 (file)
index 0000000..a2f31ec
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-sha224-legacy.+162+50865.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 162 (HMAC_SHA224)
+Key: H8Hyw718rLqToQFRLAeFWQ==
+Bits: AAA=
+Created: 20230619071136
+Publish: 20230619071136
+Activate: 20230619071136

diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-sha256-legacy.+163+38999.key b/bin/tests/system/tsig/ns1/legacy/Khmac-sha256-legacy.+163+38999.key
new file mode 100644 (file)
index 0000000..1bbb6f0
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-sha256-legacy.+163+38999.key
@@ -0,0 +1 @@
+hmac-sha256-legacy. IN KEY 0 3 163 fdT9hiPov4ThMEfRv1FNmA==

diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-sha256-legacy.+163+38999.private b/bin/tests/system/tsig/ns1/legacy/Khmac-sha256-legacy.+163+38999.private
new file mode 100644 (file)
index 0000000..0b209c6
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-sha256-legacy.+163+38999.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 163 (HMAC_SHA256)
+Key: fdT9hiPov4ThMEfRv1FNmA==
+Bits: AAA=
+Created: 20230619071043
+Publish: 20230619071043
+Activate: 20230619071043

diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-sha384-legacy.+164+56610.key b/bin/tests/system/tsig/ns1/legacy/Khmac-sha384-legacy.+164+56610.key
new file mode 100644 (file)
index 0000000..46fae39
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-sha384-legacy.+164+56610.key
@@ -0,0 +1 @@
+hmac-sha384-legacy. IN KEY 0 3 164 fnshFIjQTLFap6+j2JGBkA==

diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-sha384-legacy.+164+56610.private b/bin/tests/system/tsig/ns1/legacy/Khmac-sha384-legacy.+164+56610.private
new file mode 100644 (file)
index 0000000..be5aa12
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-sha384-legacy.+164+56610.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 164 (HMAC_SHA384)
+Key: fnshFIjQTLFap6+j2JGBkA==
+Bits: AAA=
+Created: 20230619071109
+Publish: 20230619071109
+Activate: 20230619071109

diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-sha512-legacy.+165+22767.key b/bin/tests/system/tsig/ns1/legacy/Khmac-sha512-legacy.+165+22767.key
new file mode 100644 (file)
index 0000000..0defc84
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-sha512-legacy.+165+22767.key
@@ -0,0 +1 @@
+hmac-sha512-legacy. IN KEY 0 3 165 BZwNLICp2tj4hi6gil41eg==

diff --git a/bin/tests/system/tsig/ns1/legacy/Khmac-sha512-legacy.+165+22767.private b/bin/tests/system/tsig/ns1/legacy/Khmac-sha512-legacy.+165+22767.private
new file mode 100644 (file)
index 0000000..21268e5
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/legacy/Khmac-sha512-legacy.+165+22767.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.3
+Algorithm: 165 (HMAC_SHA512)
+Key: BZwNLICp2tj4hi6gil41eg==
+Bits: AAA=
+Created: 20230619071124
+Publish: 20230619071124
+Activate: 20230619071124

diff --git a/bin/tests/system/tsig/ns1/named-fips.conf.in b/bin/tests/system/tsig/ns1/named-fips.conf.in
index b783805aac599442b839aaf1267e509de3eed37e..6925f0f9c5133ddacffdc94899ec4bb251d98ec5 100644 (file)
--- a/bin/tests/system/tsig/ns1/named-fips.conf.in
+++ b/bin/tests/system/tsig/ns1/named-fips.conf.in
@@ -49,6 +49,31 @@ key "sha512" {
        algorithm hmac-sha512;
 };
 
+key "hmac-sha1-legacy" {
+       algorithm "hmac-sha1";
+       secret "TxGx9XBp6Pp5yYAOKXdERA==";
+};
+
+key "hmac-sha224-legacy" {
+       algorithm "hmac-sha224";
+       secret "H8Hyw718rLqToQFRLAeFWQ==";
+};
+
+key "hmac-sha256-legacy" {
+       algorithm "hmac-sha256";
+       secret "fdT9hiPov4ThMEfRv1FNmA==";
+};
+
+key "hmac-sha384-legacy" {
+       algorithm "hmac-sha384";
+       secret "fnshFIjQTLFap6+j2JGBkA==";
+};
+
+key "hmac-sha512-legacy" {
+       algorithm "hmac-sha512";
+       secret "BZwNLICp2tj4hi6gil41eg==";
+};
+
 key "sha1-trunc" {
        secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
        algorithm hmac-sha1-80;

diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
index 17f2aba5e9e1e3dad67d972f33a46280e99b8dfe..cae7d592f96f3e5f49a5f6611411900f671ba8e7 100644 (file)
--- a/bin/tests/system/tsig/ns1/named.conf.in
+++ b/bin/tests/system/tsig/ns1/named.conf.in
@@ -22,3 +22,8 @@ key "md5-trunc" {
        secret "97rnFx24Tfna4mHPfgnerA==";
        algorithm hmac-md5-80;
 };
+
+key "hmac-md5-legacy" {
+        algorithm "hmac-md5";
+        secret "B7HCXJs0XnSPzypG5oHuGw==";
+};

diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
index da85e7d622403f5d1a243d3fcf65c5dd47660345..42ee16cf54541b7faa770914269c4a7bb3657339 100644 (file)
--- a/bin/tests/system/tsig/tests.sh
+++ b/bin/tests/system/tsig/tests.sh
@@ -257,5 +257,58 @@ if [ $ret -eq 1 ] ; then
     echo_i "failed"; status=1
 fi
 
+if $FEATURETEST --md5
+then
+       echo_i "fetching using hmac-md5 (legacy)"
+       ret=0
+       $DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-md5-legacy.+*.key @10.53.0.1 soa > dig.out.md5.legacy || ret=1
+       grep -i "md5.*TSIG.*NOERROR" dig.out.md5.legacy > /dev/null || ret=1
+       if [ $ret -eq 1 ] ; then
+               echo_i "failed"; status=1
+       fi
+else
+       echo_i "skipping using hmac-md5"
+fi
+
+echo_i "fetching using hmac-sha1 (legacy)"
+ret=0
+$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha1-legacy.+*.key @10.53.0.1 soa > dig.out.sha1.legacy || ret=1
+grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1.legacy > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+       echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha224 (legacy)"
+ret=0
+$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha224-legacy.+*.key @10.53.0.1 soa > dig.out.sha224 || ret=1
+grep -i "sha224.*TSIG.*NOERROR" dig.out.sha224 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+       echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha256 (legacy)"
+ret=0
+$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha256-legacy.*.key @10.53.0.1 soa > dig.out.sha256 || ret=1
+grep -i "sha256.*TSIG.*NOERROR" dig.out.sha256 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+       echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha384 (legacy)"
+ret=0
+$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha384-legacy.*.key @10.53.0.1 soa > dig.out.sha384 || ret=1
+grep -i "sha384.*TSIG.*NOERROR" dig.out.sha384 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+       echo_i "failed"; status=1
+fi
+
+echo_i "fetching using hmac-sha512 (legacy)"
+ret=0
+$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha512-legacy.*.key @10.53.0.1 soa > dig.out.sha512 || ret=1
+grep -i "sha512.*TSIG.*NOERROR" dig.out.sha512 > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+       echo_i "failed"; status=1
+fi
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1