# $Id: 65-RRSIG-RSASHA1.t 1392 2015-09-13 16:30:51Z willem $ -*-perl-*-
#
use strict;
use Test::More;
my @prerequisite = qw(
MIME::Base64
Time::Local
Net::DNS::RR::RRSIG
Net::DNS::SEC
Net::DNS::SEC::RSA
Crypt::OpenSSL::Bignum
Crypt::OpenSSL::RSA
);
foreach my $package (@prerequisite) {
next if eval "require $package";
plan skip_all => "$package not installed";
exit;
}
plan tests => 30;
use_ok('Net::DNS::SEC');
my $ksk = new Net::DNS::RR <<'END';
RSASHA1.example. IN DNSKEY 257 3 5 (
AwEAAefP0RzK3K39a5wznjeWA1PssI2dxqPb9SL+ppY8wcimOuEBmSJP5n6/bwg923VFlRiYJHe5
if4saxWCYenQ46hWz44sK943K03tfHkxo54ayAk/7dMj1wQ7Dby5FJ1AAMGZZO65BlKSD+2BTcwp
IL9mAYuhHYfkG6FTEEKgHVmOVmtyKWA3gl3RrSSgXzTWnUS5b/jEeh2SflXG9eXabaoVXEHQN+oJ
dTiAiErZW4+Zlx5pIrSycZBpIdWvn4t71L3ik6GctQqG9ln12j2ngji3blVI3ENMnUc237jUeYsy
k7E5TughQctLYOFXHaeTMgJt0LUTyv3gIgDTRmvgQDU= ; Key ID = 4501
)
END
ok( $ksk, 'set up RSA public ksk' );
my $keyfile = $ksk->privatekeyname;
END { unlink($keyfile) if defined $keyfile; }
open( KSK, ">$keyfile" ) or die "$keyfile $!";
print KSK <<'END';
Private-key-format: v1.2
Algorithm: 5 (RSASHA1)
Modulus: 58/RHMrcrf1rnDOeN5YDU+ywjZ3Go9v1Iv6mljzByKY64QGZIk/mfr9vCD3bdUWVGJgkd7mJ/ixrFYJh6dDjqFbPjiwr3jcrTe18eTGjnhrICT/t0yPXBDsNvLkUnUAAwZlk7rkGUpIP7YFNzCkgv2YBi6Edh+QboVMQQqAdWY5Wa3IpYDeCXdGtJKBfNNadRLlv+MR6HZJ+Vcb15dptqhVcQdA36gl1OICIStlbj5mXHmkitLJxkGkh1a+fi3vUveKToZy1Cob2WfXaPaeCOLduVUjcQ0ydRzbfuNR5izKTsTlO6CFBy0tg4Vcdp5MyAm3QtRPK/eAiANNGa+BANQ==
PublicExponent: AQAB
PrivateExponent: qVfDp4j61ZAAAMgkmO7Z14FdKNdNuX6CAeKNx8rytaXZ9W25dLtx4r3uWtL1cyI13RWn7l54VFoWkEwDQ0/6P4vLbE0QbvFWjUMkX1TH9kQSRc+R6WCRPuH1Ex0R1h5fbw6kEVDRMZjKUfLX5oFVDv1xu5Mjg5Y8KQoJIuLdDgHtRRV7ZETcGcSXBQ1eY2rNxui2YzM0mtqzApgGq7pLb3GfiM5aqW5fSdRaFajGC2VIXkN3jZYxAryT8EYJ6uRFJk0X3VegEwj6keHOem/tBV2DaNlv1JWidauPeU67evKNTQVW3h3AbQxnOtegdWrRKoa9Ksf27bgoKAlveHIfsQ==
Prime1: +s1y+iP+AoB4UVS4S5njIZD21AWm36JTaqEvRPdevjuzc9q7yJATROdRdcAitdSPHeRC8xtQw/C9zGhJRdynlxfmUTeyYgM0EYHYiG7PLwkW5Wu9EeXJ7/Fpct51L+ednloQ0d7tYP/5QUd6cqbFGGKH0yF5zZMO0k+ZZ/saeCs=
Prime2: 7J2eVZ5Psue4BTNya8PMA89cC0Gf51zFeQ8dPBZIOpN28DJN2EN6C6fwGtnr6BO+M/6loXzcekPGgRkpNcQ6MzJup8hZQmU8RxESAMlmQzOtaBbtmMwPa0p6IcZBUWpbRaKwQ4ZjAUS9R13PFwgEU+a855o0XRRTupdmyZ6OmR8=
Exponent1: nGakbdMmIx9EaMuhRhwIJTWGhz+jCdDrnhI4LRTqM019oiDke7VFHvH1va18t9F/Ek/3ZC1Dl304jxD1qKhqpnGUAk/uYOrIfKZxhts7PoS3j4g5VsDqxkPQ035gq+gPReG6nXYcqCHYqVnOxVK0lHlVZFd64rTzSDm1W7+eiRM=
Exponent2: evAuKygVGsxghXtEkQ9rOfOMTGDtdyVxiMO8mdKt9plV69kHLz1n9RRtoVXmx28ynQtK/YvFdlUulzb+fWwWHTGv4scq8V9uITKSWwxJcNMx3upCyugDfuh0aoX6vBV5lMXBtWPmnusbOTBZgArvTLSPI/qwCEiedE1j34/dYVs=
Coefficient: JTEzUDflC+G0if7uqsJ2sw/x2aCHMjsCxYSmx2bJOW/nhQTQpzafL0N8E6WmKuEP4qAaqQjWrDyxy0XcAJrfcojJb+a3j2ndxYpev7Rq8f7P6M7qqVL0Nzj9rWFH7pyvWMnH584viuhPcDogy8ymHpNNuAF+w98qjnGD8UECiV4=
END
close(KSK);
my $bad1 = new Net::DNS::RR <<'END';
RSASHA1.example. IN DNSKEY 256 3 5 (
AwEAAZHbngk6sMoFHN8fsYY6bmGR4B9UYJIqDp+mORLEH53Xg0f6RMDtfx+H3/x7bHTUikTr26bV
AqsxOs2KxyJ2Xx9RGG0DB9O4gpANljtTq2tLjvaQknhJpSq9vj4CqUtr6Wu152J2aQYITBoQLHDV
i8mIIunparIKDmhy8TclVXg9 ; Key ID = 1623
)
END
my $bad2 = new Net::DNS::RR <<'END';
ECDSAP256SHA256.example. IN DNSKEY ( 256 3 13
7Y4BZY1g9uzBwt3OZexWk7iWfkiOt0PZ5o7EMip0KBNxlBD+Z58uWutYZIMolsW8v/3rfgac45lO
IikBZK4KZg== ; Key ID = 44222
)
END
my @rrset = ( $bad1, $ksk );
my @badrrset = ($bad1);
{
my $object = create Net::DNS::RR::RRSIG( \@rrset, $keyfile );
ok( $object->sig(), 'create RRSIG over rrset using private ksk' );
my $verified = $object->verify( \@rrset, $ksk );
ok( $verified, 'verify using public ksk' );
is( $object->vrfyerrstr, '', 'observe no object->vrfyerrstr' );
}
{
my $object = create Net::DNS::RR::RRSIG( \@rrset, $keyfile );
my $verified = $object->verify( \@badrrset, $bad1 );
ok( !$verified, 'verify fails using wrong key' );
ok( $object->vrfyerrstr, 'observe rrsig->vrfyerrstr' );
}
{
my $object = create Net::DNS::RR::RRSIG( \@rrset, $keyfile );
my $verified = $object->verify( \@badrrset, $bad2 );
ok( !$verified, 'verify fails using key with wrong algorithm' );
ok( $object->vrfyerrstr, 'observe rrsig->vrfyerrstr' );
}
{
my $object = create Net::DNS::RR::RRSIG( \@rrset, $keyfile );
my $verified = $object->verify( \@rrset, [$bad1, $bad2, $ksk] );
ok( $verified, 'verify using array of keys' );
is( $object->vrfyerrstr, '', 'observe no rrsig->vrfyerrstr' );
}
{
my $object = create Net::DNS::RR::RRSIG( \@rrset, $keyfile );
my $verified = $object->verify( \@badrrset, [$bad1, $bad2, $ksk] );
ok( !$verified, 'verify fails using wrong rrset' );
ok( $object->vrfyerrstr, 'observe rrsig->vrfyerrstr' );
}
{
my $wild = new Net::DNS::RR('*.example. A 10.1.2.3');
my $match = new Net::DNS::RR('leaf.twig.example. A 10.1.2.3');
my $object = create Net::DNS::RR::RRSIG( [$wild], $keyfile );
my $verified = $object->verify( [$match], $ksk );
ok( $verified, 'wildcard matches child domain name' );
is( $object->vrfyerrstr, '', 'observe no rrsig->vrfyerrstr' );
}
{
my $wild = new Net::DNS::RR('*.example. A 10.1.2.3');
my $bogus = new Net::DNS::RR('example. A 10.1.2.3');
my $object = create Net::DNS::RR::RRSIG( [$wild], $keyfile );
my $verified = $object->verify( [$bogus], $ksk );
ok( !$verified, 'wildcard does not match parent domain' );
ok( $object->vrfyerrstr, 'observe rrsig->vrfyerrstr' );
}
{
my $time = time() + 3;
my %args = (
siginception => $time,
sigexpiration => $time,
);
my $object = create Net::DNS::RR::RRSIG( \@rrset, $keyfile, %args );
ok( !$object->verify( \@rrset, $ksk ), 'verify fails for postdated RRSIG' );
ok( $object->vrfyerrstr, 'observe rrsig->vrfyerrstr' );
sleep 1 until $time < time();
ok( !$object->verify( \@rrset, $ksk ), 'verify fails for expired RRSIG' );
ok( $object->vrfyerrstr, 'observe rrsig->vrfyerrstr' );
}
{
my $object = new Net::DNS::RR( type => 'RRSIG' );
my $class = ref($object);
my $array = [];
my $dnskey = new Net::DNS::RR( type => 'DNSKEY' );
my $private = new Net::DNS::SEC::Private($keyfile);
my $packet = new Net::DNS::Packet();
my $rr1 = new Net::DNS::RR( name => 'example', type => 'A' );
my $rr2 = new Net::DNS::RR( name => 'differs', type => 'A' );
my $rr3 = new Net::DNS::RR( type => 'A', ttl => 1 );
my $rr4 = new Net::DNS::RR( type => 'A', ttl => 2 );
my $rr5 = new Net::DNS::RR( class => 'IN', type => 'A' );
my $rr6 = new Net::DNS::RR( class => 'ANY', type => 'A' );
my $rr7 = new Net::DNS::RR( type => 'A' );
my $rr8 = new Net::DNS::RR( type => 'AAAA' );
my @testcase = ( ## test create() with invalid arguments
[$dnskey, $dnskey],
[$array, $private],
[[$rr1, $rr2], $private],
[[$rr3, $rr4], $private],
[[$rr5, $rr6], $private],
[[$rr7, $rr8], $private],
);
foreach my $arglist (@testcase) {
my @argtype = map ref($_), @$arglist;
eval { $class->create(@$arglist); };
my $exception = $1 if $@ =~ /^(.*)\n*/;
ok( defined $exception, "create(@argtype)\t[$exception]" );
}
}
{
my $object = new Net::DNS::RR( type => 'RRSIG' );
my $packet = new Net::DNS::Packet();
my $dnskey = new Net::DNS::RR( type => 'DNSKEY' );
my $dsrec = new Net::DNS::RR( type => 'DS' );
my $scalar = 'SCALAR';
my @testcase = ( ## test verify() with invalid arguments
[$packet, $dnskey],
[$dnskey, $dsrec],
[$dnskey, $scalar],
);
foreach my $arglist (@testcase) {
my @argtype = map ref($_) || $_, @$arglist;
eval { $object->verify(@$arglist); };
my $exception = $1 if $@ =~ /^(.*)\n*/;
ok( defined $exception, "verify(@argtype)\t[$exception]" );
}
}
exit;
__END__