mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-02 07:35:26 +00:00
Code Issues Releases Wiki Activity

Refactor ecdsa system test

Browse Source 
Similar to eddsa system test.
This commit is contained in:
Matthijs Mekking
2021-02-03 11:52:30 +01:00
parent fd7d0f7968
commit 650b0d4691
5 changed files with 107 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
bin/tests/system/ecdsa/clean.sh
View File

@@ -23,3 +23,4 @@ rm -f ns*/named.run
rm -f ns*/root.db rm -f ns*/root.db
rm -f ns*/signer.err rm -f ns*/signer.err
rm -f ns*/trusted.conf rm -f ns*/trusted.conf
rm -f *-supported.file

39
bin/tests/system/ecdsa/ns1/sign.sh
View File

@@ -17,14 +17,39 @@ zone=.
infile=root.db.in infile=root.db.in
zonefile=root.db zonefile=root.db
key1=$($KEYGEN -q -a ECDSAP256SHA256 -n zone "$zone") echo_i "ns1/sign.sh"
key2=$($KEYGEN -q -a ECDSAP384SHA384 -n zone -f KSK "$zone")
$DSFROMKEY -a sha-384 "$key2.key" > dsset-384
cat "$infile" "$key1.key" "$key2.key" > $zonefile cp $infile $zonefile
$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err if [ -f ../ecdsa256-supported.file ]; then
zsk256=$($KEYGEN -q -a ECDSA256 -n zone "$zone")
ksk256=$($KEYGEN -q -a ECDSA256 -n zone -f KSK "$zone")
cat "$ksk256.key" "$zsk256.key" >> "$zonefile"
$DSFROMKEY -a sha-256 "$ksk256.key" >> dsset-256
fi
if [ -f ../ecdsa384-supported.file ]; then
zsk384=$($KEYGEN -q -a ECDSA384 -n zone "$zone")
ksk384=$($KEYGEN -q -a ECDSA384 -n zone -f KSK "$zone")
cat "$ksk384.key" "$zsk384.key" >> "$zonefile"
$DSFROMKEY -a sha-256 "$ksk384.key" >> dsset-256
fi
# Configure the resolving server with a static key. # Configure the resolving server with a static key.
keyfile_to_static_ds "$key1" > trusted.conf if [ -f ../ecdsa256-supported.file ]; then
cp trusted.conf ../ns2/trusted.conf keyfile_to_static_ds $ksk256 > trusted.conf
cp trusted.conf ../ns2/trusted.conf
else
keyfile_to_static_ds $ksk384 > trusted.conf
cp trusted.conf ../ns2/trusted.conf
fi
if [ -f ../ecdsa384-supported.file ]; then
keyfile_to_static_ds $ksk384 > trusted.conf
cp trusted.conf ../ns3/trusted.conf
else
keyfile_to_static_ds $ksk256 > trusted.conf
cp trusted.conf ../ns3/trusted.conf
fi
$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err

34
bin/tests/system/ecdsa/ns3/named.conf.in Normal file
View File

@@ -0,0 +1,34 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS2
controls { /* empty */ };
options {
query-source address 10.53.0.3;
notify-source 10.53.0.3;
transfer-source 10.53.0.3;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
recursion yes;
notify yes;
dnssec-validation yes;
};
zone "." {
type hint;
file "../../common/root.hint";
};
include "trusted.conf";

15
bin/tests/system/ecdsa/setup.sh
View File

@@ -13,7 +13,18 @@ set -e
. ../conf.sh . ../conf.sh
if $SHELL ../testcrypto.sh ecdsap384sha384; then
echo "yes" > ecdsa256-supported.file
fi
if $SHELL ../testcrypto.sh ecdsap384sha384; then
echo "yes" > ecdsa384-supported.file
fi
copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named.conf.in ns2/named.conf copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
cd ns1 && $SHELL sign.sh (
cd ns1
$SHELL sign.sh
)

38
bin/tests/system/ecdsa/tests.sh
View File

@@ -14,23 +14,39 @@ set -e
. ../conf.sh . ../conf.sh
status=0 status=0
n=1 n=0
dig_with_opts() { dig_with_opts() {
"$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" "$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
} }
if [ -f ecdsa256-supported.file ]; then
n=$((n+1))
echo_i "checking that ECDSA256 positive validation works ($n)"
ret=0
dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
dig_with_opts . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
else
echo_i "algorithm ECDSA256 not supported, skipping test"
fi
# Check the example. domain if [ -f ecdsa384-supported.file ]; then
echo_i "checking that positive validation works ($n)" n=$((n+1))
ret=0 echo_i "checking that ECDSA384 positive validation works ($n)"
dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1 ret=0
dig_with_opts . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1 dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1 dig_with_opts . @10.53.0.3 soa > dig.out.ns3.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1
n=$((n+1)) grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret)) status=$((status+ret))
else
echo_i "algorithm ECDSA384 not supported, skipping test"
fi
echo_i "exit status: $status" echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1 [ $status -eq 0 ] || exit 1