Commit 4538d8dd authored by Matthijs Mekking's avatar Matthijs Mekking 🏡

Refactor eddsa system test

Test for Ed25519 and Ed448. If neither algorithm is supported, skip the
test. If only one algorithm is supported, run the test and skip the
unsupported algorithm's checks. If both are supported, run the test normally.

Create new ns3. This will test Ed448 specifically, while now ns2 only
tests Ed25519. This moves some files from ns2/ to ns3/.

(cherry picked from commit 8bf31d05)
parent 5af3a46a
......@@ -9,11 +9,15 @@
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
rm -f */K* */dsset-* */*.signed */trusted.conf
rm -f ns1/root.db
rm -f ns*/signer.err
rm -f */K* */dsset-* */*.signed
rm -f dig.out*
rm -f */named.run
rm -f */named.memstats
rm -f ns*/root.db
rm -f ns*/signer.err
rm -f ns*/named.run
rm -f ns*/named.memstats
rm -f ns*/named.lock
rm -f ns*/managed-keys.bind*
rm -f ns*/trusted.conf
rm -f ns*/example.com.db
rm -f ns*/named.conf
rm -f *-supported.file
......@@ -17,7 +17,7 @@ options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port 5300;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
......@@ -16,17 +16,39 @@ zone=.
infile=root.db.in
zonefile=root.db
key1=`$KEYGEN -q -a ED25519 -n zone $zone`
key2=`$KEYGEN -q -a ED25519 -n zone -f KSK $zone`
#key2=`$KEYGEN -q -a ED448 -n zone -f KSK $zone`
$DSFROMKEY -a sha-256 $key2.key > dsset-256
echo_i "ns1/sign.sh"
cat $infile $key1.key $key2.key > $zonefile
cp $infile $zonefile
$SIGNER -P -g -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err
if [ -f ../ed25519-supported.file ]; then
zsk25519=$($KEYGEN -q -a ED25519 -n zone "$zone")
ksk25519=$($KEYGEN -q -a ED25519 -n zone -f KSK "$zone")
cat "$ksk25519.key" "$zsk25519.key" >> "$zonefile"
$DSFROMKEY -a sha-256 "$ksk25519.key" >> dsset-256
fi
if [ -f ../ed448-supported.file ]; then
zsk448=$($KEYGEN -q -a ED448 -n zone "$zone")
ksk448=$($KEYGEN -q -a ED448 -n zone -f KSK "$zone")
cat "$ksk448.key" "$zsk448.key" >> "$zonefile"
$DSFROMKEY -a sha-256 "$ksk448.key" >> dsset-256
fi
# Configure the resolving server with a static key.
keyfile_to_static_ds $key1 > trusted.conf
cp trusted.conf ../ns2/trusted.conf
if [ -f ../ed25519-supported.file ]; then
keyfile_to_static_ds $ksk25519 > trusted.conf
cp trusted.conf ../ns2/trusted.conf
else
keyfile_to_static_ds $ksk448 > trusted.conf
cp trusted.conf ../ns2/trusted.conf
fi
if [ -f ../ed448-supported.file ]; then
keyfile_to_static_ds $ksk448 > trusted.conf
cp trusted.conf ../ns3/trusted.conf
else
keyfile_to_static_ds $ksk25519 > trusted.conf
cp trusted.conf ../ns3/trusted.conf
fi
cd ../ns2 && $SHELL sign.sh
$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err
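Review bot: On the last line of the hunk a signing failure is still masked: the status of `$SIGNER ... || cat signer.err` is cat's, so even if the script runs under `set -e` (its header is outside the hunk) a broken root signing leaves setup continuing and the failure only surfaces later as a dig mismatch in tests.sh. `$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null 2> signer.err || { cat signer.err; exit 1; }` stops setup at the real cause. The two `else` branches also deserve a comment, because handing a resolver the other algorithm's KSK reads like a mistake until one knows that resolver's tests are skipped; something like `# Algorithm unsupported here: install the other KSK so named still starts with a valid trusted.conf (this resolver's checks are skipped in tests.sh).` Note too that `dsset-256` is now appended to rather than overwritten, so it relies on clean.sh having removed the previous run's file.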
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 3600
@ IN SOA fdupont.isc.org. ns.example.com. (
2012040600 ; serial
600 ; refresh
600 ; retry
1200 ; expire
3600 ; minimum
)
MX 10 mail.example.com.
NS ns.example.com.
ns.example.com. A 10.53.0.2
......@@ -17,7 +17,7 @@ options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port 5300;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
......@@ -13,16 +13,23 @@ SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
zone=example.com.
infile=example.com.db.in
zonefile=example.com.db
starttime=20150729220000
endtime=20150819220000
for i in Xexample.com.+015+03613.key Xexample.com.+015+03613.private \
Xexample.com.+015+35217.key Xexample.com.+015+35217.private \
Xexample.com.+016+09713.key Xexample.com.+016+09713.private \
Xexample.com.+016+38353.key Xexample.com.+016+38353.private
do
cp $i `echo $i | sed s/X/K/`
done
echo_i "ns2/sign.sh"
cp $infile $zonefile
if [ -f ../ed25519-supported.file ]; then
for i in Xexample.com.+015+03613 Xexample.com.+015+35217
do
cp "$i.key" "$(echo $i.key | sed s/X/K/)"
cp "$i.private" "$(echo $i.private | sed s/X/K/)"
cat "$(echo $i.key | sed s/X/K/)" >> "$zonefile"
done
fi
$SIGNER -P -z -s $starttime -e $endtime -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err
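Review bot: The fixed `starttime`/`endtime` values above the loop carry a non-obvious contract that is easy to break: together with the committed `X*.private` keys and the deterministic signatures of EdDSA (RFC 8032) they make the RRSIGs byte-reproducible, which is what lets tests.sh grep `example.com.db.signed` for the RFC 8080 test vectors. A comment such as `# Keep these dates and the checked-in keys fixed: EdDSA signatures are deterministic, so tests.sh greps the signed zone for the RFC 8080 test vectors.` would protect that. Minor: the `$SIGNER` line keeps the old unquoted expansions while the parallel line in ns3/sign.sh quotes them; quoting here keeps the two scripts consistent. The signer's failure is also swallowed by `|| cat signer.err`, which returns cat's status, so a real signing error exits 0 from this script. The conf.sh sourcing at the top of the file is outside the hunk.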
......@@ -8,18 +8,13 @@
; information regarding copyright ownership.
$TTL 3600
@ IN SOA fdupont.isc.org. ns.example.com. (
2012040600 ; serial
600 ; refresh
600 ; retry
1200 ; expire
3600 ; minimum
@ IN SOA fdupont.isc.org. ns.example.com. (
2012040600 ; serial
600 ; refresh
600 ; retry
1200 ; expire
3600 ; minimum
)
MX 10 mail.example.com.
MX 10 mail.example.com.
NS ns.example.com.
ns.example.com. A 10.53.0.3
;
$INCLUDE Kexample.com.+015+03613.key
$INCLUDE Kexample.com.+015+35217.key
$INCLUDE Kexample.com.+016+09713.key
$INCLUDE Kexample.com.+016+38353.key
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS2
controls { /* empty */ };
options {
query-source address 10.53.0.3;
notify-source 10.53.0.3;
transfer-source 10.53.0.3;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
recursion yes;
notify yes;
dnssec-validation yes;
};
zone "." {
type hint;
file "../../common/root.hint";
};
include "trusted.conf";
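Review bot: The header comment `// NS2` after the license block is wrong for this file: the `10.53.0.3` addresses and the `ns3/named.conf.in` copy in setup.sh indicate this is the new ns3 resolver, so the line was presumably carried over from ns2's config; change it to `// NS3`. It would also help to say what distinguishes ns3, e.g. `// NS3: validating resolver whose trusted.conf carries the root's Ed448 KSK (Ed25519 as fallback; see ns1/sign.sh)`, since the only difference from ns2 is which anchor ns1/sign.sh writes into trusted.conf.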
#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
set -e
. ../../conf.sh
zone=example.com.
infile=example.com.db.in
zonefile=example.com.db
starttime=20150729220000
endtime=20150819220000
echo_i "ns3/sign.sh"
cp $infile $zonefile
if [ -f ../ed448-supported.file ]; then
for i in Xexample.com.+016+09713 Xexample.com.+016+38353
do
cp "$i.key" "$(echo $i.key | sed s/X/K/)"
cp "$i.private" "$(echo $i.private | sed s/X/K/)"
cat "$(echo $i.key | sed s/X/K/)" >> "$zonefile"
done
fi
$SIGNER -P -z -s "$starttime" -e "$endtime" -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err
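Review bot: When `../ed448-supported.file` is absent the script skips key installation but still runs `$SIGNER` on a zone with no DNSKEYs, which presumably fails and, because of `|| cat signer.err`, only dumps the error into the setup output while exiting 0. Since tests.sh already skips the ns3 vector checks in that case and ns3/named.conf.in does not load example.com, either move the signer invocation inside the `if` block or return early with `[ -f ../ed448-supported.file ] || exit 0` right after `cp $infile $zonefile`. On the supported path `|| { cat signer.err; exit 1; }` would make a genuine signing failure stop setup instead of surfacing later as a missing test vector; the `set -e` near the top does not catch it, because the status of the `||` list is cat's. The `cp $infile $zonefile` line is also the one unquoted expansion left in an otherwise quoted script.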
......@@ -12,4 +12,12 @@
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
exec $SHELL ../testcrypto.sh eddsa
supported=0
if $SHELL ../testcrypto.sh ed25519; then
supported=1
fi
if $SHELL ../testcrypto.sh ed448; then
supported=1
fi
[ "$supported" -eq 1 ] || exit 1
......@@ -12,4 +12,27 @@
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
cd ns1 && $SHELL sign.sh
if $SHELL ../testcrypto.sh ed25519; then
echo "yes" > ed25519-supported.file
fi
if $SHELL ../testcrypto.sh ed448; then
echo "yes" > ed448-supported.file
fi
copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
(
cd ns1
$SHELL sign.sh
)
(
cd ns2
$SHELL sign.sh
)
(
cd ns3
$SHELL sign.sh
)
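Review bot: The `ed25519-supported.file`/`ed448-supported.file` flags are created but never removed before the probes, so a flag left over from an earlier run (clean.sh not run, or the build reconfigured without one algorithm) would make the sign scripts attempt key generation for an algorithm the current binary lacks; add `rm -f ed25519-supported.file ed448-supported.file` before the two `testcrypto.sh` checks. The three subshells also discard their status: a failing `cd` or sign.sh leaves the parent continuing unless setup.sh has `set -e` further up, which is outside the hunk. Writing each as `( cd ns1 && $SHELL sign.sh ) || exit 1` fixes that and makes the ordering requirement explicit — ns1/sign.sh must finish first, because it writes ns2/trusted.conf and ns3/trusted.conf.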
......@@ -13,53 +13,70 @@ SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
status=0
n=1
n=0
rm -f dig.out.*
dig_with_opts() {
"$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
}
DIGOPTS="+tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p 5300"
if [ -f ed25519-supported.file ]; then
# Check the example. domain
n=$((n+1))
echo_i "checking that Ed25519 positive validation works ($n)"
ret=0
dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
dig_with_opts . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
# Check the example. domain
# Check test vectors (RFC 8080 + errata)
n=$((n+1))
echo_i "checking that Ed25519 test vectors match ($n)"
ret=0
grep 'oL9krJun7xfBOIWcGHi7mag5/hdZrKWw15jP' ns2/example.com.db.signed > /dev/null || ret=1
grep 'VrbpMngwcrqNAg==' ns2/example.com.db.signed > /dev/null || ret=1
grep 'zXQ0bkYgQTEFyfLyi9QoiY6D8ZdYo4wyUhVi' ns2/example.com.db.signed > /dev/null || ret=1
grep 'R0O7KuI5k2pcBg==' ns2/example.com.db.signed > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
else
echo_i "algorithm Ed25519 not supported, skipping vectors match test"
fi
echo_i "checking that positive validation works ($n)"
ret=0
$DIG $DIGOPTS . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
$DIG $DIGOPTS . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
if [ -f ed448-supported.file ]; then
# Check the example. domain
n=$((n+1))
echo_i "checking that Ed448 positive validation works ($n)"
ret=0
dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
dig_with_opts . @10.53.0.3 soa > dig.out.ns3.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
# Check test vectors (RFC 8080 + errata)
# Check test vectors (RFC 8080 + errata)
n=$((n+1))
echo_i "checking that Ed448 test vectors match ($n)"
ret=0
grep '3cPAHkmlnxcDHMyg7vFC34l0blBhuG1qpwLm' ns3/example.com.db.signed > /dev/null || ret=1
grep 'jInI8w1CMB29FkEAIJUA0amxWndkmnBZ6SKi' ns3/example.com.db.signed > /dev/null || ret=1
grep 'wZSAxGILn/NBtOXft0+Gj7FSvOKxE/07+4RQ' ns3/example.com.db.signed > /dev/null || ret=1
grep 'vE581N3Aj/JtIyaiYVdnYtyMWbSNyGEY2213' ns3/example.com.db.signed > /dev/null || ret=1
grep 'WKsJlwEA' ns3/example.com.db.signed > /dev/null || ret=1
echo_i "checking that Ed25519 test vectors match ($n)"
ret=0
grep 'oL9krJun7xfBOIWcGHi7mag5/hdZrKWw15jP' ns2/example.com.db.signed > /dev/null || ret=1
grep 'VrbpMngwcrqNAg==' ns2/example.com.db.signed > /dev/null || ret=1
grep 'zXQ0bkYgQTEFyfLyi9QoiY6D8ZdYo4wyUhVi' ns2/example.com.db.signed > /dev/null || ret=1
grep 'R0O7KuI5k2pcBg==' ns2/example.com.db.signed > /dev/null || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "checking that Ed448 test vectors match ($n)"
ret=0
grep '3cPAHkmlnxcDHMyg7vFC34l0blBhuG1qpwLm' ns2/example.com.db.signed > /dev/null || ret=1
grep 'jInI8w1CMB29FkEAIJUA0amxWndkmnBZ6SKi' ns2/example.com.db.signed > /dev/null || ret=1
grep 'wZSAxGILn/NBtOXft0+Gj7FSvOKxE/07+4RQ' ns2/example.com.db.signed > /dev/null || ret=1
grep 'vE581N3Aj/JtIyaiYVdnYtyMWbSNyGEY2213' ns2/example.com.db.signed > /dev/null || ret=1
grep 'WKsJlwEA' ns2/example.com.db.signed > /dev/null || ret=1
grep 'E1/oLjSGIbmLny/4fcgM1z4oL6aqo+izT3ur' ns2/example.com.db.signed > /dev/null || ret=1
grep 'CyHyvEp4Sp8Syg1eI+lJ57CSnZqjJP41O/9l' ns2/example.com.db.signed > /dev/null || ret=1
grep '4m0AsQ4f7qI1gVnML8vWWiyW2KXhT9kuAICU' ns2/example.com.db.signed > /dev/null || ret=1
grep 'Sxv5OWbf81Rq7Yu60npabODB0QFPb/rkW3kU' ns2/example.com.db.signed > /dev/null || ret=1
grep 'ZmQ0YQUA' ns2/example.com.db.signed > /dev/null || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
grep 'E1/oLjSGIbmLny/4fcgM1z4oL6aqo+izT3ur' ns3/example.com.db.signed > /dev/null || ret=1
grep 'CyHyvEp4Sp8Syg1eI+lJ57CSnZqjJP41O/9l' ns3/example.com.db.signed > /dev/null || ret=1
grep '4m0AsQ4f7qI1gVnML8vWWiyW2KXhT9kuAICU' ns3/example.com.db.signed > /dev/null || ret=1
grep 'Sxv5OWbf81Rq7Yu60npabODB0QFPb/rkW3kU' ns3/example.com.db.signed > /dev/null || ret=1
grep 'ZmQ0YQUA' ns3/example.com.db.signed > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
else
echo_i "algorithm Ed448 not supported, skipping vectors match test"
fi
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
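Review bot: The `ad` checks in the Ed25519 and Ed448 positive-validation tests prove less than their labels suggest when both algorithms are supported: ns1/sign.sh then signs the root with both ZSKs, so the root SOA carries an Ed25519 and an Ed448 RRSIG and a validator may accept either; only the DNSKEY step is pinned to the named algorithm by the single KSK in each resolver's trusted.conf. That is worth a comment next to each `grep "flags:.*ad.*QUERY"` line, e.g. `# ad proves the chain validated; with both algorithms enabled only the DNSKEY step is forced through this algorithm's KSK`. The inherited `# Check the example. domain` comments are stale as well — both queries ask for the root SOA (`.`), not example.com. Minor style: `grep -q` reads cleaner than `> /dev/null`. The script's header and conf.sh sourcing sit above the hunk.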