diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+005+19857.key b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+19857.key new file mode 100644 index 0000000000..104face02c --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+19857.key @@ -0,0 +1,5 @@ +; This is a zone-signing key, keyid 19857, for example.com. +; Created: 20220902075244 (Fri Sep 2 17:52:44 2022) +; Publish: 20220902075244 (Fri Sep 2 17:52:44 2022) +; Activate: 20220902075244 (Fri Sep 2 17:52:44 2022) +example.com. IN DNSKEY 256 3 5 AwEAAaUr14RTAa2dr/JPoMv5QM32IbLMNUZFPAM9M2Zm6Ef9S3/UsRk9 W+P08Dx5Xte/PMuZK8ejWUyou37LowmVbahkP2kcS7Z552btsLnGK2+5 me5Y/GgnodhMVN7phkEQNPRKSUQQyLdQC6Ltzt0JVp48q4PmgCta22et rgq1YEoj2E8Po53bn5eQXCUsnkBFhkql9/17Ls2ckWNBkHWiItMDaWk7 qkM4ZJu7C/jq3ybBjn0bi4Svlt7PNiuuo3h5WaJYJHXd2M7PIN14rUDE cas/b+iy4eF7VC3CRUgt1spFinW/G4wSro55e6phstc3I1BE6B+pC4pq eGlAfQqWWcs= diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+005+19857.private b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+19857.private new file mode 100644 index 0000000000..91171b032b --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+19857.private @@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 5 (RSASHA1) +Modulus: pSvXhFMBrZ2v8k+gy/lAzfYhssw1RkU8Az0zZmboR/1Lf9SxGT1b4/TwPHle1788y5krx6NZTKi7fsujCZVtqGQ/aRxLtnnnZu2wucYrb7mZ7lj8aCeh2ExU3umGQRA09EpJRBDIt1ALou3O3QlWnjyrg+aAK1rbZ62uCrVgSiPYTw+jndufl5BcJSyeQEWGSqX3/XsuzZyRY0GQdaIi0wNpaTuqQzhkm7sL+OrfJsGOfRuLhK+W3s82K66jeHlZolgkdd3Yzs8g3XitQMRxqz9v6LLh4XtULcJFSC3WykWKdb8bjBKujnl7qmGy1zcjUEToH6kLimp4aUB9CpZZyw== +PublicExponent: AQAB +PrivateExponent: HzQaIgCAd6krnS5X5VDwYjiWgy26/syDmuUL+dOFHFyIz9yBnJAP9Q/H9tTDCyUwuhH0yGFetHHIAhs8cMoPDlnp9NSIpS+AfNx4n5AFkrTQlMuw24hpNfCts/MQDuid6GzETJyTHrZ7jEs64l0qRPiXOnLoUch3XK3eDF3ZlAfFkoPBFA5KIbiK8dcCahUmV4WReyE80X2N2dUloE8vLzy/j7yY2z1/HjhAu74S264wQMxNmJ0MsHeu78y7n8SKEJxncbgAciCNoamiQFiBGYYrs72B6BGHc19fhD5G7ldjpXukes9bHJSgj5ohseRJ27hkK7sKnqzOx/5Se6F5EQ== +Prime1: vNcFqw4Gu/gsEcte00YXSGGkOWlsEAOEARMy+l7yYVC9GMR41YuINydu42Bj+D/Qq1ifYk9ok26VnXsJ6GFWK9DdFFtSElCzq1Crb7/7yuRR86cM9UBr3045g9tvlH6sL+yeH1ESr8vNZtmlytDifw2Xp2kg0xoJnlnV0ZXphOk= +Prime2: 3+nmSodd/lDzVvn3uGMKux2B1mI2iApKM6bbwMwrzobN5bFkLkW1y1PuOYJytX1Sm39ecLCPYEmSf56kCitAquj7B98sblg05Y1QKvTTyX4uUsKFx3YAjvgp+acuI0Rq5J5GeSFCvdttgqAWdvvjoI8ic44K3sT1XTexaoLByJM= +Exponent1: jUmr2gHSlAzonB+3QQfuH5++iZ4Q1iJrP4qn15/2ZU1NThyh89REBFAirUjPQ0wryieyiJG1Qqm4k20dSpqZKItK/hIdY8qxwvnGawQPVgxiLJTOIykiDJ+wdLFX2Ji2J903qWK1QoaPleY+H3MOI9V9pCoJ/yg6DhpU2kz5vRE= +Exponent2: 04rLQ0Y4ivg3rchjPRR1Iupxq/UFx+jQyZOusaszB99bztGU8BJz+jDFNBgF/2jzDm1678Qe8L0RZvidye2rHs0VvQ4fj/BNqUGkp7C+FfLcGNwmP5dAV9Ik9fP4JuGQi4Ts16uQvoX8JBjSoH7BQwN3bOyZYHV7yiG/v/zgz3k= +Coefficient: l8vCrMMiS8eWYQNM/SPa4/swn1/EZtcgPcBqMa3zia+9rOJ4/mzRcQTKz6B7c7Z9BVoTzMWGlgd94PTDeLN9fbTNmRs/8JwwgzJ8FeJeisvZquvarFtq2PdVVZQSxTwt7N6DUMVcA8Vbdq+uGjJghs22/sJ23MS3key+PUHtwFI= +Created: 20220902075244 +Publish: 20220902075244 +Activate: 20220902075244 diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+005+45884.key b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+45884.key new file mode 100644 index 0000000000..717d65f256 --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+45884.key @@ -0,0 +1,5 @@ +; This is a key-signing key, keyid 45884, for example.com. +; Created: 20220902075336 (Fri Sep 2 17:53:36 2022) +; Publish: 20220902075336 (Fri Sep 2 17:53:36 2022) +; Activate: 20220902075336 (Fri Sep 2 17:53:36 2022) +example.com. IN DNSKEY 257 3 5 AwEAAZ6aTwNhgMDJ8AObT38LEX4nZe0CFXKkFv8fzBhEJEWgJRplhEhx laqGc47NoXChBiz5qdX2qAC0zi4CRydmV8TdG9shpED9kapIl7KVM3wj +irX36R9TpFT7Otmvsh7/RbRfpKz4I0pCC01hRHyj7EodMC4j3LMF9sc GWNmiOTQI1PTxbvIEDeDfoTUDMFzvOwVmH1Bq+SzA9Ikm2VADZO4vIIO J/07lWT+LDQ/g1qiCNaSDyNhGfNVf8xYvmB8OXomGFLqDuSpUkwdL5kB 2gGmnUbIH+Pn+pcN9fxVniKH3mzYEGCxIspePbhvwDfB30gTmE8uaFMa 7McouGKW3Ps= diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+005+45884.private b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+45884.private new file mode 100644 index 0000000000..891c6c3831 --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+005+45884.private @@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 5 (RSASHA1) +Modulus: nppPA2GAwMnwA5tPfwsRfidl7QIVcqQW/x/MGEQkRaAlGmWESHGVqoZzjs2hcKEGLPmp1faoALTOLgJHJ2ZXxN0b2yGkQP2RqkiXspUzfCP6KtffpH1OkVPs62a+yHv9FtF+krPgjSkILTWFEfKPsSh0wLiPcswX2xwZY2aI5NAjU9PFu8gQN4N+hNQMwXO87BWYfUGr5LMD0iSbZUANk7i8gg4n/TuVZP4sND+DWqII1pIPI2EZ81V/zFi+YHw5eiYYUuoO5KlSTB0vmQHaAaadRsgf4+f6lw31/FWeIofebNgQYLEiyl49uG/AN8HfSBOYTy5oUxrsxyi4Ypbc+w== +PublicExponent: AQAB +PrivateExponent: SSWu0kbaPFAGH4u2NsgSicW+5vfCj4xpRMHT/c8TkX8CDbILN+QW3D5FNnPVBJ5nPD/rGdC3/BdnTeXkDiJP0W4Ohlp2KDkqQMhZGlZgl9z56F+GeBUIstLrnkfVLp6sg6UcBKnsIv5tFHiuBjCCH/kiG64jDpVdXUMQ3HyyHyC67sB1gIqpZdhQxFliVIaebwXHlv4uWi31DxTUj0mmutmpTD1r4z+43DlU3JL07WBBpIoOmG/GoFoDr+JNWWwArnhHDZFl6XL1Z2u5ojdIOcgLTXcU1SdvFwBHIAH9PIwvow0gVcZTIHwDYJ41CL6YExXF8ymVpIPspZPaFwSxvQ== +Prime1: 2iWvbJTRrJuceM1CgOTMMoi/qMN/GtthmbL5V0w+hyFE6UzCWYQXED5YTPtoXk9tZ/YpnD7i5i7ru8VbLx0DAIrLkAFP3Xpxa7dvdRGzyPGuYARsjgNnj57M5Sl1tTTsZpkXaKEeiONCA6+vcSuc2l1NxqdDbhC/TwlpjOAbPRc= +Prime2: uh+ZuRel3T3qvD7acXm2UyF2BdeEEwwIvzqZVi3uxwUTd/TxFA7+3xuX6LNM+HK5fNxuB3exVC8OzALFzUOOJECVFUfhKi/1+VrVfBuJnyLlqQ14RncbZvsn+ScfGZpgYuacvq0zWiP2scxmXSQxchxcFVRCKFRCCVGVuOLzNb0= +Exponent1: coA7TrPiRkY7YBDk6kCtiYzLhKpwaclitkkBpTeozkbBI++dR10UufrvYCDJzE7Gbz3+4zsC360bIKjbTqRcsgkoBcMah3bAV7ilsP4EruFkFJPd4sCYuAKzK0mStfU8bDHI3qtLGrCmMschQDaTEu7MZwveUcRKlhKrqzzqLys= +Exponent2: jlnU7KeViBzvB4La96crN3GEHvuyXA78MaXT2QHQeg770OdZ6wl9DY7BJIzd9bdo/oJo9PUqf0RugMIuHsvoTvnGDDypjeaYrlo2pXE6VKgQFrfioaI/Jwg4jmrJcn+L8JiIkZ1OhUa0S1AVim9AEhJ2qymCX+3xg8cOSBXsBdE= +Coefficient: xotWVi9P/9Xr1FlKANoKVviBZaoT0xqbrVJLdmSLvyca+OipgxDilaPq+To7nAujkwtH/qdR14CHbkFSjxzzEp3jhOOSeh1HysCDlk5N7dCz2X+FHv977IYeC9vuGPG75Vbz18D7FUEy0huXgq003zJdd0e7djNca9a/GAp3gvc= +Created: 20220902075336 +Publish: 20220902075336 +Activate: 20220902075336 diff --git a/bin/tests/system/dnssec/signer/general/test11.zone b/bin/tests/system/dnssec/signer/general/test11.zone new file mode 100644 index 0000000000..538305fc14 --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/test11.zone @@ -0,0 +1,19 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +; This is a zone which has two DNSKEY records, both of which have +; existing private key files available. They should be loaded automatically +; and the zone correctly signed. +; +$TTL 3600 +example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300 +$include Kexample.com.+005+19857.key +$include Kexample.com.+005+45884.key diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index b14fcc5331..224de5e0f3 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -1426,7 +1426,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -echo_ic "check that dnssec-signzone -F works with allowed algorithm ($n)" +echo_ic "check that 'dnssec-signzone -F' works with allowed algorithm ($n)" ret=0 if $FEATURETEST --fips-provider then @@ -1443,6 +1443,25 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) +echo_ic "check that 'dnssec-signzone -F' failed with disallowed algorithm ($n)" +ret=0 +if ! $FEATURETEST --fips-provider +then + echo_i "skipped no FIPS provider available" +elif ! $SHELL ../testcrypto.sh -q RSASHA1 +then + echo_i "skipped: RSASHA1 is not supported" +else + ( + cd signer/general || exit 1 + rm -f signed.zone + $SIGNER -F -f signed.zone -o example.com. test11.zone > signer.out.$n 2>&1 && exit 1 + grep "fatal: dnskey 'example.com/RSASHA1/19857' failed to sign data" signer.out.$n > /dev/null + ) || ret=1 +fi +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_ic "check that dnssec-signzone rejects excessive NSEC3 iterations ($n)" ret=0 @@ -3580,12 +3599,9 @@ ret=0 if $FEATURETEST --have-fips-mode then echo_i "skipped: already in FIPS mode" -elif ! $FEATURETEST --fips-set-mode +elif ! $FEATURETEST --fips-provider then echo_i "skipped: cannot switch to FIPS mode" -elif ! $FEATURETEST --fips-set-mode-dst-lib-init -then - echo_i "skipped FIPS mode not properly set up" elif ! $SHELL ../testcrypto.sh -q RSASHA1 then echo_i "skipped: RSASHA1 is not supported"