# $Id: 65-RRSIG-RSASHA1.t 1392 2015-09-13 16:30:51Z willem $ -*-perl-*-
#
use strict;
use Test::More;
# Modules that must load before any of the signing/verification tests can run.
my @prerequisite = qw(
    MIME::Base64
    Time::Local
    Net::DNS::RR::RRSIG
    Net::DNS::SEC
    Net::DNS::SEC::RSA
    Crypt::OpenSSL::Bignum
    Crypt::OpenSSL::RSA
);

# Skip the whole file at the first prerequisite that fails to load.
# The string eval only ever sees the fixed module names listed above,
# never a value that comes from outside this file.
for my $package (@prerequisite) {
    unless ( eval "require $package" ) {
        plan skip_all => "$package not installed";
        exit;
    }
}

plan( tests => 30 );

use_ok('Net::DNS::SEC');
# Public half of the key-signing key (flags 257, algorithm 5 = RSASHA1).
# Algorithm 5 is a legacy DNSSEC algorithm: RFC 8624 marks it NOT RECOMMENDED
# for new signing, so this test covers compatibility rather than a suggested
# deployment choice.
my $ksk = Net::DNS::RR->new( <<'END' );
RSASHA1.example. IN DNSKEY 257 3 5 (
AwEAAefP0RzK3K39a5wznjeWA1PssI2dxqPb9SL+ppY8wcimOuEBmSJP5n6/bwg923VFlRiYJHe5
if4saxWCYenQ46hWz44sK943K03tfHkxo54ayAk/7dMj1wQ7Dby5FJ1AAMGZZO65BlKSD+2BTcwp
IL9mAYuhHYfkG6FTEEKgHVmOVmtyKWA3gl3RrSSgXzTWnUS5b/jEeh2SflXG9eXabaoVXEHQN+oJ
dTiAiErZW4+Zlx5pIrSycZBpIdWvn4t71L3ik6GctQqG9ln12j2ngji3blVI3ENMnUc237jUeYsy
k7E5TughQctLYOFXHaeTMgJt0LUTyv3gIgDTRmvgQDU= ; Key ID = 4501
)
END

ok( $ksk, 'set up RSA public ksk' );
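# File name for the private key that belongs to $ksk, as reported by
# privatekeyname().
my $keyfile = $ksk->privatekeyname;

# Remove the key file again when the script exits, whatever the outcome.
END { unlink($keyfile) if defined $keyfile; }

# Write the private key in "Private-key-format: v1.2" layout.
# Three-argument open with a lexical handle: the file name is taken literally
# and cannot be interpreted as an open mode or a pipe.  Write and close are
# checked so that a truncated key file is reported here rather than surfacing
# later as a confusing signing failure.
# The key below is a test fixture whose private half is published in this
# file; it must never be used to sign a real zone.
open( my $key_fh, '>', $keyfile ) or die "$keyfile $!";
print {$key_fh} <<'END' or die "$keyfile $!";
Private-key-format: v1.2
Algorithm: 5 (RSASHA1)
Modulus: 58/RHMrcrf1rnDOeN5YDU+ywjZ3Go9v1Iv6mljzByKY64QGZIk/mfr9vCD3bdUWVGJgkd7mJ/ixrFYJh6dDjqFbPjiwr3jcrTe18eTGjnhrICT/t0yPXBDsNvLkUnUAAwZlk7rkGUpIP7YFNzCkgv2YBi6Edh+QboVMQQqAdWY5Wa3IpYDeCXdGtJKBfNNadRLlv+MR6HZJ+Vcb15dptqhVcQdA36gl1OICIStlbj5mXHmkitLJxkGkh1a+fi3vUveKToZy1Cob2WfXaPaeCOLduVUjcQ0ydRzbfuNR5izKTsTlO6CFBy0tg4Vcdp5MyAm3QtRPK/eAiANNGa+BANQ==
PublicExponent: AQAB
PrivateExponent: qVfDp4j61ZAAAMgkmO7Z14FdKNdNuX6CAeKNx8rytaXZ9W25dLtx4r3uWtL1cyI13RWn7l54VFoWkEwDQ0/6P4vLbE0QbvFWjUMkX1TH9kQSRc+R6WCRPuH1Ex0R1h5fbw6kEVDRMZjKUfLX5oFVDv1xu5Mjg5Y8KQoJIuLdDgHtRRV7ZETcGcSXBQ1eY2rNxui2YzM0mtqzApgGq7pLb3GfiM5aqW5fSdRaFajGC2VIXkN3jZYxAryT8EYJ6uRFJk0X3VegEwj6keHOem/tBV2DaNlv1JWidauPeU67evKNTQVW3h3AbQxnOtegdWrRKoa9Ksf27bgoKAlveHIfsQ==
Prime1: +s1y+iP+AoB4UVS4S5njIZD21AWm36JTaqEvRPdevjuzc9q7yJATROdRdcAitdSPHeRC8xtQw/C9zGhJRdynlxfmUTeyYgM0EYHYiG7PLwkW5Wu9EeXJ7/Fpct51L+ednloQ0d7tYP/5QUd6cqbFGGKH0yF5zZMO0k+ZZ/saeCs=
Prime2: 7J2eVZ5Psue4BTNya8PMA89cC0Gf51zFeQ8dPBZIOpN28DJN2EN6C6fwGtnr6BO+M/6loXzcekPGgRkpNcQ6MzJup8hZQmU8RxESAMlmQzOtaBbtmMwPa0p6IcZBUWpbRaKwQ4ZjAUS9R13PFwgEU+a855o0XRRTupdmyZ6OmR8=
Exponent1: nGakbdMmIx9EaMuhRhwIJTWGhz+jCdDrnhI4LRTqM019oiDke7VFHvH1va18t9F/Ek/3ZC1Dl304jxD1qKhqpnGUAk/uYOrIfKZxhts7PoS3j4g5VsDqxkPQ035gq+gPReG6nXYcqCHYqVnOxVK0lHlVZFd64rTzSDm1W7+eiRM=
Exponent2: evAuKygVGsxghXtEkQ9rOfOMTGDtdyVxiMO8mdKt9plV69kHLz1n9RRtoVXmx28ynQtK/YvFdlUulzb+fWwWHTGv4scq8V9uITKSWwxJcNMx3upCyugDfuh0aoX6vBV5lMXBtWPmnusbOTBZgArvTLSPI/qwCEiedE1j34/dYVs=
Coefficient: JTEzUDflC+G0if7uqsJ2sw/x2aCHMjsCxYSmx2bJOW/nhQTQpzafL0N8E6WmKuEP4qAaqQjWrDyxy0XcAJrfcojJb+a3j2ndxYpev7Rq8f7P6M7qqVL0Nzj9rWFH7pyvWMnH584viuhPcDogy8ymHpNNuAF+w98qjnGD8UECiV4=
END
close($key_fh) or die "$keyfile $!";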
# Second RSASHA1 key at the same owner name (flags 256): same algorithm as
# $ksk, but a different key pair, so it must not validate $ksk's signatures.
my $bad1 = Net::DNS::RR->new( <<'END' );
RSASHA1.example. IN DNSKEY 256 3 5 (
AwEAAZHbngk6sMoFHN8fsYY6bmGR4B9UYJIqDp+mORLEH53Xg0f6RMDtfx+H3/x7bHTUikTr26bV
AqsxOs2KxyJ2Xx9RGG0DB9O4gpANljtTq2tLjvaQknhJpSq9vj4CqUtr6Wu152J2aQYITBoQLHDV
i8mIIunparIKDmhy8TclVXg9 ; Key ID = 1623
)
END

# Key with a different owner name and a different algorithm (13).
my $bad2 = Net::DNS::RR->new( <<'END' );
ECDSAP256SHA256.example. IN DNSKEY ( 256 3 13
7Y4BZY1g9uzBwt3OZexWk7iWfkiOt0PZ5o7EMip0KBNxlBD+Z58uWutYZIMolsW8v/3rfgac45lO
IikBZK4KZg== ; Key ID = 44222
)
END

# @rrset is the record set that gets signed; @badrrset is a different set
# (one record fewer) used to check that verification is bound to the data.
my @badrrset = ($bad1);
my @rrset    = ( $bad1, $ksk );
{
    # Positive case: sign the rrset with the private KSK and verify the
    # result against the matching public key.
    my $rrsig = Net::DNS::RR::RRSIG->create( \@rrset, $keyfile );
    ok( $rrsig->sig(), 'create RRSIG over rrset using private ksk' );

    my $outcome = $rrsig->verify( \@rrset, $ksk );
    ok( $outcome, 'verify using public ksk' );

    # A successful verification must leave the error string empty.
    is( $rrsig->vrfyerrstr, '', 'observe no object->vrfyerrstr' );
}
{
    # Negative case: a signature made with the KSK must not verify under a
    # different key of the same algorithm, and the failure must be reported.
    my $rrsig = Net::DNS::RR::RRSIG->create( \@rrset, $keyfile );

    my $outcome = $rrsig->verify( \@badrrset, $bad1 );
    ok( !$outcome, 'verify fails using wrong key' );
    ok( $rrsig->vrfyerrstr, 'observe rrsig->vrfyerrstr' );
}
{
    # Negative case: a key that uses another algorithm (13 instead of 5)
    # must be rejected rather than tried against the signature.
    my $rrsig = Net::DNS::RR::RRSIG->create( \@rrset, $keyfile );

    my $outcome = $rrsig->verify( \@badrrset, $bad2 );
    ok( !$outcome, 'verify fails using key with wrong algorithm' );
    ok( $rrsig->vrfyerrstr, 'observe rrsig->vrfyerrstr' );
}
{
    # verify() also accepts a reference to an array of candidate keys; the
    # signature is good as long as the right key is among them.
    my $rrsig = Net::DNS::RR::RRSIG->create( \@rrset, $keyfile );

    my @candidates = ( $bad1, $bad2, $ksk );
    my $outcome    = $rrsig->verify( \@rrset, [@candidates] );
    ok( $outcome, 'verify using array of keys' );
    is( $rrsig->vrfyerrstr, '', 'observe no rrsig->vrfyerrstr' );
}
{
    # Having the right key in the candidate list is not enough: the
    # signature covers @rrset, so checking it against @badrrset must fail.
    my $rrsig = Net::DNS::RR::RRSIG->create( \@rrset, $keyfile );

    my @candidates = ( $bad1, $bad2, $ksk );
    my $outcome    = $rrsig->verify( \@badrrset, [@candidates] );
    ok( !$outcome, 'verify fails using wrong rrset' );
    ok( $rrsig->vrfyerrstr, 'observe rrsig->vrfyerrstr' );
}
{
    # A signature over the wildcard record must validate an answer that was
    # synthesised from it for a name below the wildcard.
    my $wild  = Net::DNS::RR->new('*.example.	A	10.1.2.3');
    my $match = Net::DNS::RR->new('leaf.twig.example. A 10.1.2.3');
    my $rrsig = Net::DNS::RR::RRSIG->create( [$wild], $keyfile );

    my $outcome = $rrsig->verify( [$match], $ksk );
    ok( $outcome, 'wildcard matches child domain name' );
    is( $rrsig->vrfyerrstr, '', 'observe no rrsig->vrfyerrstr' );
}
{
    # The wildcard signature must not be accepted for the parent name
    # itself, which the wildcard does not cover.
    my $wild  = Net::DNS::RR->new('*.example.	A	10.1.2.3');
    my $bogus = Net::DNS::RR->new('example.	A	10.1.2.3');
    my $rrsig = Net::DNS::RR::RRSIG->create( [$wild], $keyfile );

    my $outcome = $rrsig->verify( [$bogus], $ksk );
    ok( !$outcome, 'wildcard does not match parent domain' );
    ok( $rrsig->vrfyerrstr, 'observe rrsig->vrfyerrstr' );
}
{
    # Validity window that opens and closes at the same instant, three
    # seconds from now: before that instant the signature is postdated,
    # after it the signature has expired.  Either way verify() must refuse.
    my $time  = time() + 3;
    my $rrsig = Net::DNS::RR::RRSIG->create(
        \@rrset, $keyfile,
        siginception  => $time,
        sigexpiration => $time,
        );

    ok( !$rrsig->verify( \@rrset, $ksk ), 'verify fails for postdated RRSIG' );
    ok( $rrsig->vrfyerrstr, 'observe rrsig->vrfyerrstr' );

    # Wait until the clock has moved strictly past the chosen instant.
    while ( time() <= $time ) {
        sleep 1;
    }

    ok( !$rrsig->verify( \@rrset, $ksk ), 'verify fails for expired RRSIG' );
    ok( $rrsig->vrfyerrstr, 'observe rrsig->vrfyerrstr' );
}
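{
    # create() must refuse argument lists that do not describe a signable
    # rrset: a non-array first argument, an empty array, and record pairs
    # that differ in owner name, TTL, class or type.
    my $object  = Net::DNS::RR->new( type => 'RRSIG' );
    my $class   = ref($object);
    my $array   = [];
    my $dnskey  = Net::DNS::RR->new( type => 'DNSKEY' );
    my $private = Net::DNS::SEC::Private->new($keyfile);
    my $rr1     = Net::DNS::RR->new( name => 'example', type => 'A' );
    my $rr2     = Net::DNS::RR->new( name => 'differs', type => 'A' );
    my $rr3     = Net::DNS::RR->new( type => 'A', ttl => 1 );
    my $rr4     = Net::DNS::RR->new( type => 'A', ttl => 2 );
    my $rr5     = Net::DNS::RR->new( class => 'IN', type => 'A' );
    my $rr6     = Net::DNS::RR->new( class => 'ANY', type => 'A' );
    my $rr7     = Net::DNS::RR->new( type => 'A' );
    my $rr8     = Net::DNS::RR->new( type => 'AAAA' );
    my @testcase = (    ## test create() with invalid arguments
        [$dnskey, $dnskey],
        [$array, $private],
        [[$rr1, $rr2], $private],
        [[$rr3, $rr4], $private],
        [[$rr5, $rr6], $private],
        [[$rr7, $rr8], $private],
        );

    foreach my $arglist (@testcase) {
        my @argtype = map { ref($_) } @$arglist;
        eval { $class->create(@$arglist); };

        # First line of the exception text, or undef when nothing was
        # thrown.  The earlier pattern /^(.*)\n*/ also matched an empty $@,
        # so the assertion held even when create() accepted the bad input;
        # it was also written as "my ... if ...", whose result is undefined
        # when the condition is false.
        # NOTE(review): confirm every case above really dies in the
        # library version under test.
        my ($exception) = $@ =~ /^(.+)/;
        my $detail = defined $exception ? $exception : '';
        ok( defined $exception, "create(@argtype)\t[$detail]" );
    }
}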
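{
    # verify() must refuse arguments of the wrong kind: a packet in place of
    # an rrset, a DS record in place of a key, and a plain string in place
    # of a key.
    my $object = Net::DNS::RR->new( type => 'RRSIG' );
    my $packet = Net::DNS::Packet->new();
    my $dnskey = Net::DNS::RR->new( type => 'DNSKEY' );
    my $dsrec  = Net::DNS::RR->new( type => 'DS' );
    my $scalar = 'SCALAR';
    my @testcase = (    ## test verify() with invalid arguments
        [$packet, $dnskey],
        [$dnskey, $dsrec],
        [$dnskey, $scalar],
        );

    foreach my $arglist (@testcase) {
        my @argtype = map { ref($_) || $_ } @$arglist;
        eval { $object->verify(@$arglist); };

        # First line of the exception text, or undef when nothing was
        # thrown.  The earlier pattern /^(.*)\n*/ also matched an empty $@,
        # so the assertion held even when verify() returned normally; it was
        # also written as "my ... if ...", whose result is undefined when
        # the condition is false.
        # NOTE(review): confirm every case above really dies in the
        # library version under test.
        my ($exception) = $@ =~ /^(.+)/;
        my $detail = defined $exception ? $exception : '';
        ok( defined $exception, "verify(@argtype)\t[$detail]" );
    }
}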
# Normal end of the test run; the END block registered earlier in this file
# removes the temporary private key file on the way out.
exit;
__END__