Diffstat (limited to '')
25 files changed, 856 insertions, 0 deletions
diff --git a/bin/tests/system/rsabigexponent/Makefile.in b/bin/tests/system/rsabigexponent/Makefile.in
new file mode 100644
index 0000000..af2b0f1
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/Makefile.in
@@ -0,0 +1,50 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# $Id$
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
+
+CDEFINES = @CRYPTO@
+CWARNINGS =
+
+DNSLIBS = ../../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+ISCLIBS = ../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+
+DNSDEPLIBS = ../../../../lib/dns/libdns.@A@
+ISCDEPLIBS = ../../../../lib/isc/libisc.@A@
+
+DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
+
+LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
+
+TARGETS = bigkey@EXEEXT@
+
+OBJS = bigkey.@O@
+
+SRCS = bigkey.c
+
+@BIND9_MAKE_RULES@
+
+all: bigkey@EXEEXT@
+
+bigkey@EXEEXT@: ${OBJS} ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${OBJS} ${LIBS}
+
+clean distclean::
+ rm -f ${TARGETS}
+
diff --git a/bin/tests/system/rsabigexponent/bigkey.c b/bin/tests/system/rsabigexponent/bigkey.c
new file mode 100644
index 0000000..4462f2e
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/bigkey.c
@@ -0,0 +1,258 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#if defined(OPENSSL) || defined(PKCS11CRYPTO)
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#define DST_KEY_INTERNAL
+
+#include <dns/dnssec.h>
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/rdataclass.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+
+#include <dst/dst.h>
+#include <dst/result.h>
+
+#ifdef OPENSSL
+#include <openssl/opensslv.h>
+#if OPENSSL_VERSION_NUMBER <= 0x00908000L
+#define USE_FIX_KEY_FILES
+#endif
+#else
+#define USE_FIX_KEY_FILES
+#endif
+
+#ifdef USE_FIX_KEY_FILES
+
+/*
+ * Use a fixed key file pair if OpenSSL doesn't support > 32 bit exponents.
+ */
+
+int
+main(int argc, char **argv) {
+ FILE *fp;
+
+ UNUSED(argc);
+ UNUSED(argv);
+
+ fp = fopen("Kexample.+005+10264.private", "w");
+ if (fp == NULL) {
+ perror("fopen(Kexample.+005+10264.private)");
+ exit(1);
+ }
+
+ fputs("Private-key-format: v1.3\n", fp);
+ fputs("Algorithm: 5 (RSASHA1)\n", fp);
+ fputs("Modulus: yhNbLRPA7VpLCXcgMvBwsfe7taVaTvLPY3AI+YolKwqD6"
+ "/3nLlCcz4kBOTOkQBf9bmO98WnKuOWoxuEOgudoDvQOzXNl9RJtt61"
+ "IRMscAlsVtTIfAjPLhcGy32l2s5VYWWVXx/qkcf+i/JC38YXIuVdiA"
+ "MtbgQV40ffM4lAbZ7M=\n", fp);
+ fputs("PublicExponent: AQAAAAAAAQ==\n", fp);
+ fputs("PrivateExponent: gfXvioazoFIJp3/H2kJncrRZaqjIf9+21CL1i"
+ "XecBOof03er8ym5AKopZQM8ie+qxvhDkIJ8YDrB7UbDxmFpPceHWYM"
+ "X0vDWQCIiEiKzRfCsBOjgJu6HS15G/oZDqDwKat+yegtzxhg48BCPq"
+ "zfHLXXUvBTA/HK/u8L1LwggqHk=\n", fp);
+ fputs("Prime1: 7xAPHsNnS0w7CoEnIQiu+SrmHsy86HKJOEm9FiQybRVCwf"
+ "h4ZRQl+Z9mUbb9skjPvkM6ZeuzXTFkOjdck2y1NQ==\n", fp);
+ fputs("Prime2: 2GRzzqyRR2gfITPug8Rddxt647/2DrAuKricX/AXyGcuHM"
+ "vTZ+v+mfgJn6TFqSn4SBF2zHJ876lWbQ+12aNORw==\n", fp);
+ fputs("Exponent1: PnGTwxiT59N/Rq/FSAwcwoAudiF/X3iK0X09j9Dl8cY"
+ "DYAJ0bhB9es1LIaSsgLSER2b1kHbCp+FQXGVHJeZ07Q==\n", fp);
+ fputs("Exponent2: Ui+zxA/zbnUSYnz+wdbrfBD2aTeKytZG4ASI3oPDZag"
+ "V9YC0eZRPjI82KQcFXoj1b/fV/HzT9/9rhU4mvCGjLw==\n", fp);
+ fputs("Coefficient: sdCL6AdOaCr9c+RO8NCA492MOT9w7K9d/HauC+fif"
+ "2iWN36dA+BCKaeldS/+6ZTnV2ZVyVFQTeLJM8hplxDBwQ==\n", fp);
+
+ if (fclose(fp) != 0) {
+ perror("fclose(Kexample.+005+10264.private)");
+ exit(1);
+ }
+
+ fp = fopen("Kexample.+005+10264.key", "w");
+ if (fp == NULL) {
+ perror("fopen(Kexample.+005+10264.key)");
+ exit(1);
+ }
+
+ fputs("; This is a zone-signing key, keyid 10264, for example.\n", fp);
+ fputs("example. IN DNSKEY 256 3 5 BwEAAAAAAAHKE1stE8DtWksJdyA"
+ "y8HCx97u1pVpO8s9jcAj5iiUrCoPr /ecuUJzPiQE5M6RAF/1uY73x"
+ "acq45ajG4Q6C52gO9A7Nc2X1Em23rUhE yxwCWxW1Mh8CM8uFwbLfaX"
+ "azlVhZZVfH+qRx/6L8kLfxhci5V2IAy1uB BXjR98ziUBtnsw==\n", fp);
+
+ if (fclose(fp) != 0) {
+ perror("close(Kexample.+005+10264.key)");
+ exit(1);
+ }
+
+ return(0);
+}
+#else
+#include <openssl/err.h>
+#include <openssl/objects.h>
+#include <openssl/rsa.h>
+#include <openssl/bn.h>
+#include <openssl/evp.h>
+
+dst_key_t *key;
+dns_fixedname_t fname;
+dns_name_t *name;
+unsigned int bits = 1024U;
+isc_entropy_t *ectx;
+isc_entropysource_t *source;
+isc_mem_t *mctx;
+isc_log_t *log_;
+isc_logconfig_t *logconfig;
+int level = ISC_LOG_WARNING;
+isc_logdestination_t destination;
+char filename[255];
+isc_result_t result;
+isc_buffer_t buf;
+RSA *rsa;
+BIGNUM *e;
+EVP_PKEY *pkey;
+
+#define CHECK(op, msg) \
+do { result = (op); \
+ if (result != ISC_R_SUCCESS) { \
+ fprintf(stderr, \
+ "fatal error: %s returns %s at file %s line %d\n", \
+ msg, isc_result_totext(result), __FILE__, __LINE__); \
+ exit(1); \
+ } \
+} while (0)
+
+int
+main(int argc, char **argv) {
+ UNUSED(argc);
+ UNUSED(argv);
+
+ rsa = RSA_new();
+ e = BN_new();
+ pkey = EVP_PKEY_new();
+
+ if ((rsa == NULL) || (e == NULL) || (pkey == NULL) ||
+ !EVP_PKEY_set1_RSA(pkey, rsa)) {
+ fprintf(stderr, "fatal error: basic OpenSSL failure\n");
+ exit(1);
+ }
+
+ /* e = 0x1000000000001 */
+ BN_set_bit(e, 0);
+ BN_set_bit(e, 48);
+
+ if (RSA_generate_key_ex(rsa, bits, e, NULL)) {
+ BN_free(e);
+ RSA_free(rsa);
+ } else {
+ fprintf(stderr,
+ "fatal error: RSA_generate_key_ex() fails "
+ "at file %s line %d\n",
+ __FILE__, __LINE__);
+ exit(1);
+ }
+
+ dns_result_register();
+
+ CHECK(isc_mem_create(0, 0, &mctx), "isc_mem_create()");
+ CHECK(isc_entropy_create(mctx, &ectx), "isc_entropy_create()");
+ CHECK(isc_entropy_usebestsource(ectx, &source,
+ "../random.data",
+ ISC_ENTROPY_KEYBOARDNO),
+ "isc_entropy_usebestsource(\"../random.data\")");
+ CHECK(dst_lib_init2(mctx, ectx, NULL, 0), "dst_lib_init2()");
+ CHECK(isc_log_create(mctx, &log_, &logconfig), "isc_log_create()");
+ isc_log_setcontext(log_);
+ dns_log_init(log_);
+ dns_log_setcontext(log_);
+ CHECK(isc_log_settag(logconfig, "bigkey"), "isc_log_settag()");
+ destination.file.stream = stderr;
+ destination.file.name = NULL;
+ destination.file.versions = ISC_LOG_ROLLNEVER;
+ destination.file.maximum_size = 0;
+ CHECK(isc_log_createchannel(logconfig, "stderr",
+ ISC_LOG_TOFILEDESC,
+ level,
+ &destination,
+ ISC_LOG_PRINTTAG | ISC_LOG_PRINTLEVEL),
+ "isc_log_createchannel()");
+ CHECK(isc_log_usechannel(logconfig, "stderr", NULL, NULL),
+ "isc_log_usechannel()");
+ name = dns_fixedname_initname(&fname);
+ isc_buffer_constinit(&buf, "example.", strlen("example."));
+ isc_buffer_add(&buf, strlen("example."));
+ CHECK(dns_name_fromtext(name, &buf, dns_rootname, 0, NULL),
+ "dns_name_fromtext(\"example.\")");
+
+ CHECK(dst_key_buildinternal(name, DNS_KEYALG_RSASHA1,
+ bits, DNS_KEYOWNER_ZONE,
+ DNS_KEYPROTO_DNSSEC, dns_rdataclass_in,
+ pkey, mctx, &key),
+ "dst_key_buildinternal(...)");
+
+ CHECK(dst_key_tofile(key, DST_TYPE_PRIVATE | DST_TYPE_PUBLIC, NULL),
+ "dst_key_tofile()");
+ isc_buffer_init(&buf, filename, sizeof(filename) - 1);
+ isc_buffer_clear(&buf);
+ CHECK(dst_key_buildfilename(key, 0, NULL, &buf),
+ "dst_key_buildfilename()");
+ printf("%s\n", filename);
+ dst_key_free(&key);
+
+ isc_log_destroy(&log_);
+ isc_log_setcontext(NULL);
+ dns_log_setcontext(NULL);
+ if (source != NULL)
+ isc_entropy_destroysource(&source);
+ isc_entropy_detach(&ectx);
+ dst_lib_destroy();
+ dns_name_destroy();
+ isc_mem_destroy(&mctx);
+ return (0);
+}
+#endif
+
+#else /* OPENSSL || PKCS11CRYPTO */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <isc/util.h>
+
+int
+main(int argc, char **argv) {
+ UNUSED(argc);
+ UNUSED(argv);
+ fprintf(stderr, "Compiled without Crypto\n");
+ exit(1);
+}
+
+#endif /* OPENSSL || PKCS11CRYPTO */
+/*! \file */
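Review bot: The two `BN_set_bit()` calls that build the public exponent in the second `main()` ignore their return values, so a failure there would leave `e` at some other value and the program could go on to produce a key that does not exercise the large-exponent path the test is meant to cover. Checking them keeps the fixture honest: `if (!BN_set_bit(e, 0) || !BN_set_bit(e, 48)) { fprintf(stderr, "fatal error: BN_set_bit() fails\n"); exit(1); }`. In the fixed-key-file branch the last `perror()` label reads `close(...)` although the failing call is `fclose()`; `perror("fclose(Kexample.+005+10264.key)");` would match the earlier message. A short comment above that branch stating that the embedded private key is a published test fixture and must never sign a real zone would also help readers.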
diff --git a/bin/tests/system/rsabigexponent/clean.sh b/bin/tests/system/rsabigexponent/clean.sh
new file mode 100644
index 0000000..bba0f11
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/clean.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f K* */K* */dsset-*. */*.signed */trusted.conf */tmp*
+rm -f ns*/dsset-example
+rm -f ns*/named.run
+rm -f ns*/named.memstats
+rm -f ns1/root.db
+rm -f ns2/signer.err
+rm -f dig.out.*
+rm -f ns*/named.lock
+rm -f ns*/named.conf
diff --git a/bin/tests/system/rsabigexponent/conf/bad01.conf b/bin/tests/system/rsabigexponent/conf/bad01.conf
new file mode 100644
index 0000000..1c56cc3
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/conf/bad01.conf
@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ max-rsa-exponent-size 1;
+};
diff --git a/bin/tests/system/rsabigexponent/conf/bad02.conf b/bin/tests/system/rsabigexponent/conf/bad02.conf
new file mode 100644
index 0000000..671199d
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/conf/bad02.conf
@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ max-rsa-exponent-size 34;
+};
diff --git a/bin/tests/system/rsabigexponent/conf/bad03.conf b/bin/tests/system/rsabigexponent/conf/bad03.conf
new file mode 100644
index 0000000..d7edae6
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/conf/bad03.conf
@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ max-rsa-exponent-size 4097;
+};
diff --git a/bin/tests/system/rsabigexponent/conf/good01.conf b/bin/tests/system/rsabigexponent/conf/good01.conf
new file mode 100644
index 0000000..bfa7a45
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/conf/good01.conf
@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ max-rsa-exponent-size 0;
+};
diff --git a/bin/tests/system/rsabigexponent/conf/good02.conf b/bin/tests/system/rsabigexponent/conf/good02.conf
new file mode 100644
index 0000000..d87fb7f
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/conf/good02.conf
@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ max-rsa-exponent-size 35;
+};
diff --git a/bin/tests/system/rsabigexponent/conf/good03.conf b/bin/tests/system/rsabigexponent/conf/good03.conf
new file mode 100644
index 0000000..0a70e29
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/conf/good03.conf
@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ max-rsa-exponent-size 4096;
+};
diff --git a/bin/tests/system/rsabigexponent/ns1/named.conf.in b/bin/tests/system/rsabigexponent/ns1/named.conf.in
new file mode 100644
index 0000000..a43c02b
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns1/named.conf.in
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-enable yes;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type master;
+ file "root.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/rsabigexponent/ns1/root.db.in b/bin/tests/system/rsabigexponent/ns1/root.db.in
new file mode 100644
index 0000000..d205fc8
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns1/root.db.in
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2012050600 ; serial
+ 3600 ; refresh
+ 1200 ; retry
+ 604800 ; expire
+ 60 ; minimum
+ )
+@ NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+;
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
diff --git a/bin/tests/system/rsabigexponent/ns1/sign.sh b/bin/tests/system/rsabigexponent/ns1/sign.sh
new file mode 100755
index 0000000..8570855
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns1/sign.sh
@@ -0,0 +1,32 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+cp ../ns2/dsset-example.in dsset-example$TP
+
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+
+cat $infile $keyname.key > $zonefile
+
+$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
+
+# Configure the resolving server with a trusted key.
+keyfile_to_trusted_keys $keyname > trusted.conf
+cp trusted.conf ../ns2/trusted.conf
+cp trusted.conf ../ns3/trusted.conf
+
+cd ../ns2 && $SHELL -e ./sign.sh
diff --git a/bin/tests/system/rsabigexponent/ns2/Xexample.+005+05896.key b/bin/tests/system/rsabigexponent/ns2/Xexample.+005+05896.key
new file mode 100644
index 0000000..1030c21
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns2/Xexample.+005+05896.key
@@ -0,0 +1,2 @@
+; This is a key-signing key, keyid 5896, for example.
+example. IN DNSKEY 257 3 5 AwEAAaLNbgMfH/XUwZC9DBVG4OpYVUVyCyZEBqhk3k6WziIAY+2f7MN3 L9CoZR9GqfqM+/c6g8gfkIaZZ2YP/YUUaN73xH/nxtHYkrP5Rqe/dw7q ONnsVwvf3HJ8HvURG3wjaOrPoe207+HpNTNhe/sT2usKhokSU8yKB0DK lnrKQvp9vScsIB/RsIxOXWmYgOMkSXtpI3lQ07l1i2Tv6UnecD9s8ruk fl/gPbRBketLYACrqpb2j/1f7ciQv+rz1GnN9ma8XK1Yw8173/hrVL1S /ZqTGczwdeA3AVyiHThOZ15EPhSuL7jaJusHOi43Aa8ZfCMCeimT73F5 epktGomAxFU=
diff --git a/bin/tests/system/rsabigexponent/ns2/Xexample.+005+05896.private b/bin/tests/system/rsabigexponent/ns2/Xexample.+005+05896.private
new file mode 100644
index 0000000..dbac306
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns2/Xexample.+005+05896.private
@@ -0,0 +1,10 @@ +Private-key-format: v1.3 +Algorithm: 5 (RSASHA1) +Modulus: os1uAx8f9dTBkL0MFUbg6lhVRXILJkQGqGTeTpbOIgBj7Z/sw3cv0KhlH0ap+oz79zqDyB+QhplnZg/9hRRo3vfEf+fG0diSs/lGp793Duo42exXC9/ccnwe9REbfCNo6s+h7bTv4ek1M2F7+xPa6wqGiRJTzIoHQMqWespC+n29JywgH9GwjE5daZiA4yRJe2kjeVDTuXWLZO/pSd5wP2zyu6R+X+A9tEGR60tgAKuqlvaP/V/tyJC/6vPUac32ZrxcrVjDzXvf+GtUvVL9mpMZzPB14DcBXKIdOE5nXkQ+FK4vuNom6wc6LjcBrxl8IwJ6KZPvcXl6mS0aiYDEVQ== +PublicExponent: AQAB +PrivateExponent: K9juX1LbtccmlwgDoBtl6lf+J2UO0bCSpnn8UehV/lxijZZ8Gy0XqLgh/Cl5EG02U6Dj61ts/oOEkL2Px272y86pktVm/A+7e1ORDw8HTvIQe8kmrKEPa5o4cEK6R1X2JP/lGfOYhBzeYkdIMBhp5tH/6B0Sis1GJNIrc0jUf0g+JvOH/j1SpLoKoDpHUwOWnAt92AZsYhyJgeDXgw+xTBcOVvRfmh3Zmoi6x58lmQsU3loloqQ2V2V3xw1qEhTwBtFiguqeUV/FZl+RerT+lld7v2KkuxchyxlCCavgq6bZSUpn3TxcmnK6pj42oTy11hG9PHvIS8VNpGLr0p6mpQ== +Prime1: 2KZlb2BXJHEJJv2iuJoddNuDlDStG77cA7FR84Dsarbc5rHj1BjwOPDec235LQOzNAAVMTh3B8/8kcAkx/U0F2FPfgAS/ZK2dOBKcJFU4bmUQDsLMXJn67Pf7d1HeDYfVPSFp1Ib/G91dXuo11+nRZJRfKUW19aFYXybSLVmifM= +Prime2: wF9HHnv17f1L3VLBJ+qndiPcp/l24fVk5xWrbZlivK+WFrZkHFbmN+WRIkjKbe1mBf4z2fMp1JZKt8wViJVG9Bkk2wSCQA74MrejPFlD9AEMC/TrV7F/l89DryG9YeLAk6td38opGiAmRHzSdrjstUF+iv7IAW+fghPQ3O4ogpc= +Exponent1: Nmtlo1phyUeTcvXW/+PGbmoNXRb2PLfucAcEfNPvjsasKk6Y2dgBz2vBlOEU7Be31eIHcLusOowl9z56fre7A/xviUjffE50AluslyYKWkDRWmj6YMtKC0y9fPROVYXSzPY29FaNrRUaPg531NG0JKeiTFrzp/e8vUYdg1/9h70= +Exponent2: r5+MNwlmaQJBG2psivuQLKvqy7NU1E8K8mj3G1TYLniCpnOXC8RN4yQDDvCzVg5QgRIk1kpHmxwmVIvN8OaPY1P9MLJ6Eu9Xqj26meLIxd+a1uOfY2zZloeTPDSqR84Sj/338tIGGiLVrNrj7Z1ABO4pD84wXBdC4SckHD6U3zs= +Coefficient: c1jE021ke1G/1+C/mqhVtXF9/+ivfw9Ae6na3PofQREs3wiBJH7kpbLmTqc1ovXrHA3BbD1CfWUBhrFK/n5MvsU59VGmz5mD+HGsHC1eoaS4JCG5EWFUP8MStiv+JJGyfuK8MUGsEXQorfQmzGXhe5N2S+4dEYDfksSVd9Wg9d0= diff --git a/bin/tests/system/rsabigexponent/ns2/Xexample.+005+51829.key b/bin/tests/system/rsabigexponent/ns2/Xexample.+005+51829.key new file mode 100644 index 0000000..5343267 --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns2/Xexample.+005+51829.key 
@@ -0,0 +1,2 @@ +; This is a zone-signing key, keyid 51829, for example. +example. IN DNSKEY 256 3 5 BwEAAAAAAAGfDKVFak/2o446xOsi39QnfZmRidaRyg3LaCxDBM6kVqCH QKI3a2lEf4FWVSbp+dYjGavsqWJ/Z7poMRy9JJol2bMLhtsZhESK5EYR aR/2dLw5H10SR+wb/qRVVYovWlk67sql7XYc3x5cjc4XaMVziBBrQMiW qkQS2oGQLwKCLw== diff --git a/bin/tests/system/rsabigexponent/ns2/Xexample.+005+51829.private b/bin/tests/system/rsabigexponent/ns2/Xexample.+005+51829.private new file mode 100644 index 0000000..35acd10 --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns2/Xexample.+005+51829.private @@ -0,0 +1,10 @@ +Private-key-format: v1.3 +Algorithm: 5 (RSASHA1) +Modulus: nwylRWpP9qOOOsTrIt/UJ32ZkYnWkcoNy2gsQwTOpFagh0CiN2tpRH+BVlUm6fnWIxmr7Klif2e6aDEcvSSaJdmzC4bbGYREiuRGEWkf9nS8OR9dEkfsG/6kVVWKL1pZOu7Kpe12HN8eXI3OF2jFc4gQa0DIlqpEEtqBkC8Cgi8= +PublicExponent: AQAAAAAAAQ== +PrivateExponent: Aidz1Ah0WnUxdjZQ5J2bkXXOvP7ZhxtrmNvaQkQpEOjc5EW0mh+8f6rmp19CZHVwjk1nRfTgSnPk/y+xsyfroBRf5RH+6bjvB3mk+uSor6+xibdTy+HlEyd5YPdGzHmqFUe7pcL25kO0QSqdEVjvBP9SCgscDBhrTHURYsPxudE= +Prime1: 0nuP62sq8a1OyjGqmsqhf6XrpwRXSKYVjdJEdRzogi/fnU/AWDZdc2W8JOC1nxdbfVC68b8G+Vc+5GOsuUw56Q== +Prime2: wXG1f8INIsNLGtEhAuqw320onFrqBEgs+EkEZeUxHP5hUkchoUSnqTZrfRUA+UuOD2sI0NtA3OYCXaihgWu0Vw== +Exponent1: QooxjUxTEcn9N5ehnpK0VD3gKwoW3C2NIv/2GeKVpL+ZcsD6iMzmHou/WVOAt0oz+RdWDLxpEzakwUhslPN6+Q== +Exponent2: PP9JlJFaGEs3ckmvj53NXKz0fkbjtIOJvWwnkT7WrVpTgaUISjuSxLOfUDrrFC9JGAIAmoWDrI76QrTanbLiyw== +Coefficient: u4jEvCVMxzmDBCjw8MLuTZtuBqs0ScAT7NkceBrjhdpCV1DtzVGJgbwI2GEHqEcSlcVAQCM92vPz76lL4Q94zw== diff --git a/bin/tests/system/rsabigexponent/ns2/dsset-example.in b/bin/tests/system/rsabigexponent/ns2/dsset-example.in new file mode 100644 index 0000000..06bc89a --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns2/dsset-example.in @@ -0,0 +1,2 @@ +example. IN DS 5896 5 1 07766192DA7BDE32F6DC719B9F5A3476686F8758 +example. IN DS 5896 5 2 CFBFD9C06EA15B0A984566573A18ACEC234FDC9C09103C0C53E75989 088A8FB4 
diff --git a/bin/tests/system/rsabigexponent/ns2/example.db.bad b/bin/tests/system/rsabigexponent/ns2/example.db.bad
new file mode 100644
index 0000000..1d0d4b5
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns2/example.db.bad
@@ -0,0 +1,110 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +example. 300 IN SOA mname1. . ( + 2012050601 ; serial + 3600 ; refresh (1 hour) + 600 ; retry (10 minutes) + 604800 ; expire (1 week) + 3600 ; minimum (1 hour) + ) + 300 RRSIG SOA 5 1 300 ( + 20361231235959 20000101000000 51829 example. + HW8O/KHJEObWSYtQD14+3MRtD6rasy/AeIAo + 1HmtELxeUoMvVcQzm7z1RoeV6S7+r/SrUjAz + PwtlE4TpyTEj9sfTr4mJhU0DwrNW6dN6qHCw + vB3nuURVOKzU8V26PdFcjJB+/HnJT2LyLUqr + KAzHwU1tAXkgx0FOwfyOs2rxooo= ) + 300 NS ns2.example. + 300 RRSIG NS 5 1 300 ( + 20361231235959 20000101000000 51829 example. + EO8/KzfhppvhD2b0hGCdEN8/WTNexK6zkC1Z + oW3vu0cFVvac+wrV9Vox90lHI0jTce/R+bvT + T9RbpZiZcBKLVyBuHIdFPOdc3ogHMPwaPNkD + pvVvLfV6auHCvINiVw+jWinBpTjqoROH/yTC + 03BQ41vewKsz3fYZ03XUr2xga5Q= ) + 3600 NSEC a.example. NS SOA RRSIG NSEC DNSKEY + 3600 RRSIG NSEC 5 1 3600 ( + 20361231235959 20000101000000 51829 example. 
+ FiUyrwO7MV9Lhg6yu0XN/hLZPOiDg/NqIIUc + HfA9Yix90Z9G/yzn8NBC92Yp5EPiI4HiE24T + t1p4YwHe6n/IJA4KZUIpCxEY5xhQL/mVMeuj + dlFA2LaiDwbOh//42zdocaeGPrcV+u6OmXoU + xkQIuWeJ1QCaD5FXJdN6zELZsnw= ) + 300 DNSKEY 256 3 5 ( + BwEAAAAAAAGfDKVFak/2o446xOsi39QnfZmR + idaRyg3LaCxDBM6kVqCHQKI3a2lEf4FWVSbp + +dYjGavsqWJ/Z7poMRy9JJol2bMLhtsZhESK + 5EYRaR/2dLw5H10SR+wb/qRVVYovWlk67sql + 7XYc3x5cjc4XaMVziBBrQMiWqkQS2oGQLwKC + Lw== + ) ; ZSK; alg = RSASHA1; key id = 51829 + 300 DNSKEY 257 3 5 ( + AwEAAaLNbgMfH/XUwZC9DBVG4OpYVUVyCyZE + Bqhk3k6WziIAY+2f7MN3L9CoZR9GqfqM+/c6 + g8gfkIaZZ2YP/YUUaN73xH/nxtHYkrP5Rqe/ + dw7qONnsVwvf3HJ8HvURG3wjaOrPoe207+Hp + NTNhe/sT2usKhokSU8yKB0DKlnrKQvp9vScs + IB/RsIxOXWmYgOMkSXtpI3lQ07l1i2Tv6Une + cD9s8rukfl/gPbRBketLYACrqpb2j/1f7ciQ + v+rz1GnN9ma8XK1Yw8173/hrVL1S/ZqTGczw + deA3AVyiHThOZ15EPhSuL7jaJusHOi43Aa8Z + fCMCeimT73F5epktGomAxFU= + ) ; KSK; alg = RSASHA1; key id = 5896 + 300 RRSIG DNSKEY 5 1 300 ( + 20361231235959 20000101000000 5896 example. + b07impYEH+uW8iPCVE0QXqYSs6Yyu7Nb8q1f + rXv+NgE5wbsIvdo4PDdSfScP41WgVKdLPipH + gaTyk4CKAuGSvIBMzlc3yib03zdvzBDgn3Yi + lONpl2yH47vhvn5iXYcVV4kbuYE9+SFVoVO8 + m6xvihm1D17m8emivnG6DuJSpJJM09v0toSd + 3yGI3bgUtki85ehOPU0ZkvA20InVgP5kKUgw + /M4vP4VkcwenNO7koMZOorI02KFOH3vvZSI4 + hzuwJVaQZ35IBBVmSSMAD+0LTBk6sMPSpcmP + Pff75NLhU+4+UflWie6mzWIvm3ovcG3fveq0 + W4G3TCriTIKSjY3Jqg== ) + 300 RRSIG DNSKEY 5 1 300 ( + 20361231235959 20000101000000 51829 example. + a7WU2WcHEpDfM5NBUzN7t4WXEwldn1EM/HkH + XEo9NnZhFV16414qbuwWMlUsc5MTii+T4OFZ + p2+XHj9M8glM1d98o+EDSYT7LdrrE7AqdtSO + gcXdeY6WRI9R5wkLP3cP6kADp5WIOcQ78IPb + pRJ4jhxqMPFV3cqCWH/Lp8JPghY= ) +a.example. 300 IN A 10.0.0.1 + 300 RRSIG A 5 2 300 ( + 20361231235959 20000101000000 51829 example. + h4WyY0hUkZobUbt2xWC4lJLEbGvzxGczH/mN + WHZBpgg+1tuoTAdVbt6a2TfQcJV/iPQGAHte + Vu/U6tD8KzP08krlqrcefwvR5LDAQygWRdjt + Rx105w9F0GiL6kpDH6S9T8xCw3aF5Rl1lu/u + 8eiUzDIMIBTijhXmM96Nde18RdA= ) + 3600 NSEC ns2.example. 
A RRSIG NSEC + 3600 RRSIG NSEC 5 2 3600 ( + 20361231235959 20000101000000 51829 example. + LbzeWbk9r119I95TVCebEPfnCCk9zBRq4nAR + swliQVQ84bCjwVJfakvlD4mgilSPtypxpyXC + DQaiOQWOz9LFzro5u71VuSS5fY7U4elp/lq6 + 5BJB6o/dmk5xASAHHbOO6e5dcoQ5vRxcnJaE + 0vE1jGppo2FiQzkVi7Zbrghoolg= ) +ns2.example. 300 IN A 10.53.0.2 + 300 RRSIG A 5 2 300 ( + 20361231235959 20000101000000 51829 example. + Jfp3xzrym5GksbZ+a2rjOXzV/Ct+eX2DCo8a + lSbriEhuK9OR3WUnXoDqp1X/d7adNL2lI9c+ + B3UVL+EOCyvNxt9kECcN8KgQdXKExZEQUwnN + UB51QESM9pW6akavhXJu98sjnhtpdTwrtKbg + nMJkfYe5Mw3e/8RFY+wpEq/8cHw= ) + 3600 NSEC example. A RRSIG NSEC + 3600 RRSIG NSEC 5 2 3600 ( + 20361231235959 20000101000000 51829 example. + Wxkz4nY5rty6O90QhFZguyqbaz9njnJKUs7m + qYF9u7dDk8vUf3yS97fw3e0N13X5zGZa7hTr + +65U4NKEOqYDBbvWaXSVFxrzVfSVXqY6l4jX + kWjA6q4q5TTgcjOUJ0MfvcjtgxcaKUiPGmPJ + RWdOV7t9YMWnf7QAbPI55QN9sfY= ) diff --git a/bin/tests/system/rsabigexponent/ns2/example.db.in b/bin/tests/system/rsabigexponent/ns2/example.db.in new file mode 100644 index 0000000..3a958b5 --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns2/example.db.in @@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2012050601 ; serial + 3600 ; refresh + 600 ; retry + 604800 ; expire + 3600 ; minimum + ) + NS ns2 +ns2 A 10.53.0.2 + +a A 10.0.0.1 diff --git a/bin/tests/system/rsabigexponent/ns2/named.conf.in b/bin/tests/system/rsabigexponent/ns2/named.conf.in new file mode 100644 index 0000000..2e8eb7a --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns2/named.conf.in 
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-enable yes;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "example" {
+ type master;
+ file "example.db.bad";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/rsabigexponent/ns2/sign.sh b/bin/tests/system/rsabigexponent/ns2/sign.sh
new file mode 100755
index 0000000..da479b2
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns2/sign.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=example.
+infile=example.db.in
+outfile=example.db.bad
+
+for i in Xexample.+005+51829.key Xexample.+005+51829.private \
+ Xexample.+005+05896.key Xexample.+005+05896.private
+do
+ cp $i `echo $i | sed s/X/K/`
+done
+
+$SIGNER -r $RANDFILE -g -s 20000101000000 -e 20361231235959 -o $zone \
+ $infile Kexample.+005+51829 Kexample.+005+51829 \
+ > /dev/null 2> signer.err
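Review bot: Nothing in ns2/sign.sh says that the `$SIGNER` run is expected to fail, and `outfile=example.db.bad` is assigned but never used; tests.sh only greps `signer.err` for "out of range", while ns2 serves the checked-in `example.db.bad`. A comment above the `$SIGNER` line would make the intent explicit, for example `# Expected to fail: the ZSK carries an oversized RSA public exponent; tests.sh checks signer.err.` Because ns1/sign.sh runs this script with `$SHELL -e`, a non-zero signer exit presumably propagates up through setup.sh, so it is worth confirming the test runner does not treat that as a setup failure. The key argument `Kexample.+005+51829` also appears twice on the `$SIGNER` line, which may have been meant to name the KSK `Kexample.+005+05896` as the second key.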
diff --git a/bin/tests/system/rsabigexponent/ns3/named.conf.in b/bin/tests/system/rsabigexponent/ns3/named.conf.in
new file mode 100644
index 0000000..99d2a0d
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns3/named.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+ dnssec-enable yes;
+ dnssec-validation yes;
+ max-rsa-exponent-size 35;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/rsabigexponent/prereq.sh b/bin/tests/system/rsabigexponent/prereq.sh
new file mode 100644
index 0000000..e27f193
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/prereq.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+
+if $BIGKEY > /dev/null 2>&1
+then
+ rm -f Kexample.*
+else
+ echo_i "This test requires cryptography" >&2
+ echo_i "configure with --with-openssl, or --with-pkcs11 and --enable-native-pkcs11" >&2
+ exit 255
+fi
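Review bot: prereq.sh discards all of `$BIGKEY`'s output and reports every failure as "This test requires cryptography", so an entropy, key-generation or file-write error inside bigkey cannot be told apart from a build without crypto. Keeping stderr, for example `if $BIGKEY > /dev/null 2> bigkey.err` and printing that file in the `else` branch, would make a skipped run diagnosable. If that is adopted, clean.sh needs a matching `rm -f bigkey.err`.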
diff --git a/bin/tests/system/rsabigexponent/setup.sh b/bin/tests/system/rsabigexponent/setup.sh
new file mode 100644
index 0000000..ad46921
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/setup.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+
+cd ns1 && $SHELL -e sign.sh
diff --git a/bin/tests/system/rsabigexponent/tests.sh b/bin/tests/system/rsabigexponent/tests.sh
new file mode 100644
index 0000000..b530528
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/tests.sh
@@ -0,0 +1,55 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+
+rm -f dig.out.*
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
+
+for f in conf/good*.conf
+do
+ echo_i "checking '$f'"
+ ret=0
+ $CHECKCONF $f > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+done
+
+for f in conf/bad*.conf
+do
+ echo_i "checking '$f'"
+ ret=0
+ $CHECKCONF $f > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+done
+
+echo_i "checking that RSA big exponent keys can't be loaded"
+ret=0
+grep "out of range" ns2/signer.err > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking that RSA big exponent signature can't validate"
+ret=0
+$DIG $DIGOPTS a.example @10.53.0.2 > dig.out.ns2 || ret=1
+$DIG $DIGOPTS a.example @10.53.0.3 > dig.out.ns3 || ret=1
+grep "status: NOERROR" dig.out.ns2 > /dev/null || ret=1
+grep "status: SERVFAIL" dig.out.ns3 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1 |
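Review bot: The last check in tests.sh accepts any `SERVFAIL` from ns3 as proof that the big-exponent signature was rejected, so an unrelated resolution or trust-anchor problem on ns3 would also pass. A control query with checking disabled should tie the failure to validation: `$DIG $DIGOPTS +cd a.example @10.53.0.3 > dig.out.ns3.cd || ret=1` followed by `grep "status: NOERROR" dig.out.ns3.cd > /dev/null || ret=1`. The `conf/bad*.conf` loop has the same looseness, since it passes when `$CHECKCONF` fails for any reason; capturing its output and grepping for `max-rsa-exponent-size` would confirm the rejection is about the option under test.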