Commit 7be18357 authored by Matthijs Mekking's avatar Matthijs Mekking 🏡

Add kasp tests for Ed25519 and Ed448

Use the testcrypto script to see if these algorithms are supported by
openssl. If so, add the specific configuration to the named.conf file
and touch a file to indicate support. If the file exists, the
corresponding setup and tests are performed.
parent e620f3a3
......@@ -26,3 +26,4 @@ rm -f ns*/zones ns*/*.db.infile
rm -f *.created published.test* retired.test*
rm -f rndc.dnssec.*.out.*
rm -f python.out.*
rm -f *-supported.file
dnssec-policy "ed25519" {
dnskey-ttl 1234;
keys {
ksk key-directory lifetime P10Y algorithm 15;
zsk key-directory lifetime P5Y algorithm 15;
zsk key-directory lifetime P1Y algorithm 15 256;
};
};
zone "ed25519.kasp" {
type primary;
file "ed25519.kasp.db";
dnssec-policy "ed25519";
};
dnssec-policy "ed448" {
dnskey-ttl 1234;
keys {
ksk key-directory lifetime P10Y algorithm 16;
zsk key-directory lifetime P5Y algorithm 16;
zsk key-directory lifetime P1Y algorithm 16 456;
};
};
zone "ed448.kasp" {
type primary;
file "ed448.kasp.db";
dnssec-policy "ed448";
};
......@@ -59,6 +59,18 @@ do
cp template.db.in "$zonefile"
done
if [ -f ../ed25519-supported.file ]; then
setup "ed25519.kasp"
cp template.db.in "$zonefile"
cat ed25519.conf >> named.conf
fi
if [ -f ../ed448-supported.file ]; then
setup "ed448.kasp"
cp template.db.in "$zonefile"
cat ed448.conf >> named.conf
fi
# Set up zone that stays unsigned.
zone="unsigned.kasp"
echo_i "setting up zone: $zone"
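Review bot: The two conditional blocks starting at `if [ -f ../ed25519-supported.file ]` and `if [ -f ../ed448-supported.file ]` are identical apart from the algorithm name, so a loop keeps the per-algorithm setup in one place: `for alg in ed25519 ed448; do` / `  if [ -f "../${alg}-supported.file" ]; then setup "${alg}.kasp"; cp template.db.in "$zonefile"; cat "${alg}.conf" >> named.conf; fi` / `done`. Both blocks, like the loop ending at the `done` above them, rely on `setup` assigning `$zonefile`; that function is outside the hunk, so a short comment such as `# setup sets $zonefile for the zone just created` would make the dependency visible to the next reader.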
......
......@@ -24,6 +24,14 @@ copy_setports ns4/named.conf.in ns4/named.conf
copy_setports ns5/named.conf.in ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf
if $SHELL ../testcrypto.sh ed25519; then
echo "yes" > ed25519-supported.file
fi
if $SHELL ../testcrypto.sh ed448; then
echo "yes" > ed448-supported.file
fi
# Setup zones
(
cd ns2
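Review bot: The marker files written at the `echo "yes" > ed25519-supported.file` and `echo "yes" > ed448-supported.file` lines are created when testcrypto.sh succeeds but never removed when it fails, so a marker left over from an earlier run on the same tree (for instance when clean.sh was not run in between) would make ns3/setup.sh and tests.sh treat the algorithm as supported against a crypto library that no longer provides it. Deleting any stale markers before the probes, `rm -f ed25519-supported.file ed448-supported.file`, keeps the markers in step with the library actually present. The same consideration applies to both blocks.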
......
......@@ -2041,7 +2041,49 @@ check_apex
check_subdomain
dnssec_verify
# TODO: ED25519 and ED448.
#
# Zone: ed25519.kasp.
#
if [ -f ed25519-supported.file ]; then
set_zone "ed25519.kasp"
set_policy "ed25519" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyalgorithm "KEY1" "15" "ED25519" "256"
set_keyalgorithm "KEY2" "15" "ED25519" "256"
set_keyalgorithm "KEY3" "15" "ED25519" "256"
# Key timings and states same as above.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify
fi
#
# Zone: ed448.kasp.
#
if [ -f ed448-supported.file ]; then
set_zone "ed448.kasp"
set_policy "ed448" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyalgorithm "KEY1" "16" "ED448" "456"
set_keyalgorithm "KEY2" "16" "ED448" "456"
set_keyalgorithm "KEY3" "16" "ED448" "456"
# Key timings and states same as above.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify
fi
# Set key times for 'autosign' policy.
set_keytimes_autosign_policy() {
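Review bot: When the marker file is absent, the block starting at `if [ -f ed25519-supported.file ]` (and the ed448 block after it) is skipped without any output, so a run where the algorithm was unexpectedly unsupported, or where the marker was never written, is indistinguishable from a pass in the log. An `else` branch such as `else echo_i "skipping ed25519.kasp checks: ED25519 not supported by the crypto library"` would make the skip visible; `echo_i` is what the setup script already uses for progress messages. The comment `# Key timings and states same as above.` refers to state left by the block preceding the hunk (only its tail, `check_subdomain` and `dnssec_verify`, is visible), so these checks depend silently on that earlier block; naming the variables or setter being reused in that comment would make the dependency explicit.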
......