diff --git a/bin/tests/system/rsabigexponent/conf/bad02.conf b/bin/tests/system/rsabigexponent/conf/bad02.conf
deleted file mode 100644
index bd1e827380..0000000000
--- a/bin/tests/system/rsabigexponent/conf/bad02.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- max-rsa-exponent-size 34;
-};
diff --git a/bin/tests/system/rsabigexponent/conf/bad03.conf b/bin/tests/system/rsabigexponent/conf/bad03.conf
deleted file mode 100644
index 4331b52b79..0000000000
--- a/bin/tests/system/rsabigexponent/conf/bad03.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- max-rsa-exponent-size 4097;
-};
diff --git a/bin/tests/system/rsabigexponent/conf/good01.conf b/bin/tests/system/rsabigexponent/conf/good01.conf
deleted file mode 100644
index 1d2cd0181c..0000000000
--- a/bin/tests/system/rsabigexponent/conf/good01.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- max-rsa-exponent-size 0;
-};
diff --git a/bin/tests/system/rsabigexponent/conf/good02.conf b/bin/tests/system/rsabigexponent/conf/good02.conf
deleted file mode 100644
index 861e054840..0000000000
--- a/bin/tests/system/rsabigexponent/conf/good02.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- max-rsa-exponent-size 35;
-};
diff --git a/bin/tests/system/rsabigexponent/conf/good03.conf b/bin/tests/system/rsabigexponent/conf/good03.conf
deleted file mode 100644
index 14a98f8468..0000000000
--- a/bin/tests/system/rsabigexponent/conf/good03.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- max-rsa-exponent-size 4096;
-};
diff --git a/bin/tests/system/rsabigexponent/conf/bad01.conf b/bin/tests/system/rsabigexponent/options.conf.j2.manual
similarity index 90%
rename from bin/tests/system/rsabigexponent/conf/bad01.conf
rename to bin/tests/system/rsabigexponent/options.conf.j2.manual
index 720d19758c..3113d021ad 100644
--- a/bin/tests/system/rsabigexponent/conf/bad01.conf
+++ b/bin/tests/system/rsabigexponent/options.conf.j2.manual
@@ -12,5 +12,5 @@
  */
 
 options {
- max-rsa-exponent-size 1;
+ max-rsa-exponent-size @max_rsa_exponent_size@;
 };
diff --git a/bin/tests/system/rsabigexponent/tests.sh b/bin/tests/system/rsabigexponent/tests.sh
deleted file mode 100644
index 5914695cf0..0000000000
--- a/bin/tests/system/rsabigexponent/tests.sh
+++ /dev/null
@@ -1,56 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-set -e
-
-. ../conf.sh
-
-status=0
-
-rm -f dig.out.*
-
-DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
-
-for f in conf/good*.conf; do
- echo_i "checking '$f'"
- ret=0
- $CHECKCONF $f >/dev/null || ret=1
- if [ $ret != 0 ]; then echo_i "failed"; fi
- status=$((status + ret))
-done
-
-for f in conf/bad*.conf; do
- echo_i "checking '$f'"
- ret=0
- $CHECKCONF $f >/dev/null && ret=1
- if [ $ret != 0 ]; then echo_i "failed"; fi
- status=$((status + ret))
-done
-
-echo_i "checking that RSA big exponent keys can't be loaded"
-ret=0
-grep "out of range" ns2/signer.err >/dev/null || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-echo_i "checking that RSA big exponent signature can't validate"
-ret=0
-$DIG $DIGOPTS a.example @10.53.0.2 >dig.out.ns2 || ret=1
-$DIG $DIGOPTS a.example @10.53.0.3 >dig.out.ns3 || ret=1
-grep "status: NOERROR" dig.out.ns2 >/dev/null || ret=1
-grep "status: SERVFAIL" dig.out.ns3 >/dev/null || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-echo_i "exit status: $status"
-[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/rsabigexponent/tests_rsabigexponent.py b/bin/tests/system/rsabigexponent/tests_rsabigexponent.py
new file mode 100644
index 0000000000..c0c288e652
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/tests_rsabigexponent.py
@@ -0,0 +1,49 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import os
+import subprocess
+
+import dns.message
+import pytest
+
+import isctest
+
+CHECKCONF = os.environ["CHECKCONF"]
+
+
+@pytest.mark.parametrize("exponent_size", [0, 35, 666, 1024, 2048, 3072, 4096])
+def test_max_rsa_exponent_size_good(exponent_size, templates):
+ templates.render("options.conf", {"max_rsa_exponent_size": exponent_size})
+ isctest.run.cmd([CHECKCONF, "options.conf"])
+
+
+@pytest.mark.parametrize("exponent_size", [1, 34, 4097])
+def test_max_rsa_exponent_size_bad(exponent_size, templates):
+ templates.render("options.conf", {"max_rsa_exponent_size": exponent_size})
+ with pytest.raises(subprocess.CalledProcessError):
+ isctest.run.cmd([CHECKCONF, "options.conf"], log_stdout=True)
+
+
+def test_rsa_big_exponent_keys_cant_load():
+ with open("ns2/signer.err", encoding="utf-8") as file:
+ assert (
+ "dnssec-signzone: fatal: cannot load dnskey Kexample.+008+52810.key: out of range"
+ in file.read()
+ )
+
+
+def test_rsa_big_exponent_keys_cant_validate():
+ msg = dns.message.make_query("a.example.", "A")
+ res2 = isctest.query.tcp(msg, "10.53.0.2")
+ isctest.check.noerror(res2)
+ res3 = isctest.query.tcp(msg, "10.53.0.3")
+ isctest.check.servfail(res3)
diff --git a/bin/tests/system/rsabigexponent/tests_sh_rsabigexponent.py b/bin/tests/system/rsabigexponent/tests_sh_rsabigexponent.py
deleted file mode 100644
index 38ab3810d4..0000000000
--- a/bin/tests/system/rsabigexponent/tests_sh_rsabigexponent.py
+++ /dev/null
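Review bot: `test_max_rsa_exponent_size_bad` in tests_rsabigexponent.py accepts any non-zero exit from the CHECKCONF command, because `pytest.raises(subprocess.CalledProcessError)` never looks at why the command failed; a rendered template that is syntactically broken, or a crash, would be counted as a correct rejection of 1, 34 and 4097. As this option bounds how expensive RSA verification may become, the rejection should be tied to the option itself, for example by changing the context line to `with pytest.raises(subprocess.CalledProcessError) as excinfo:` and then asserting that the captured diagnostic names `max-rsa-exponent-size`; this presumes isctest.run.cmd attaches the captured output to the exception and that the diagnostic names the option, neither of which is visible in this diff. The same ambiguity is present in `test_rsa_big_exponent_keys_cant_validate`, where SERVFAIL from 10.53.0.3 would also result from an upstream that is unreachable, so a comment such as `# ns3 validates and must refuse the oversized-exponent signature` would at least record the intended cause. The key tag hard-coded in `Kexample.+008+52810.key` makes the load check stricter than the old `grep "out of range"`, but it will break if the fixture key is ever regenerated.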
@@ -1,14 +0,0 @@
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-
-def test_rsabigexponent(run_tests_sh):
- run_tests_sh()