summaryrefslogtreecommitdiffstats
path: root/tests/deckard/tools/invalid_dsa.py
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-06 00:55:53 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-06 00:55:53 +0000
commit3d0386f27ca66379acf50199e1d1298386eeeeb8 (patch)
treef87bd4a126b3a843858eb447e8fd5893c3ee3882 /tests/deckard/tools/invalid_dsa.py
parentInitial commit. (diff)
downloadknot-resolver-3d0386f27ca66379acf50199e1d1298386eeeeb8.tar.xz
knot-resolver-3d0386f27ca66379acf50199e1d1298386eeeeb8.zip
Adding upstream version 3.2.1.upstream/3.2.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'tests/deckard/tools/invalid_dsa.py')
-rw-r--r--tests/deckard/tools/invalid_dsa.py83
1 files changed, 83 insertions, 0 deletions
diff --git a/tests/deckard/tools/invalid_dsa.py b/tests/deckard/tools/invalid_dsa.py
new file mode 100644
index 0000000..fd1c845
--- /dev/null
+++ b/tests/deckard/tools/invalid_dsa.py
@@ -0,0 +1,83 @@
+"""Returns 1 if there is a DNSSEC DSA signature which is not 41 bytes long.\
+0 otherwise.
+"""
+
+import os
+import sys
+import argparse
+import dns
+import pydnstest
+import pydnstest.scenario
+import pydnstest.augwrap
+
+
+def parse(test):
+ """ Parse the test"""
+ _, config = pydnstest.scenario.parse_file(os.path.realpath(test))
+ aug = pydnstest.augwrap.AugeasWrapper(
+ confpath=os.path.realpath(test),
+ lens='Deckard', loadpath="../pydnstest")
+ node = aug.tree
+ return config, node
+
+
+def get_dsakeys(config, node):
+ """ Make list of all DSA keys in the test"""
+ dsakeys = []
+ for conf in config:
+ if conf[0] == "trust-anchor":
+ conf[1] = conf[1][1:-1]
+ trust_anchor = conf[1].split()
+ for i, word in enumerate(trust_anchor):
+ if word == "DS":
+ algorithm = trust_anchor[i + 2]
+ if algorithm in ("3", "DSA"):
+ dsakeys.append(trust_anchor[i + 1])
+
+ for entry in node.match("/scenario/range/entry"):
+ records = list(entry.match("/section/answer/record"))
+ records.extend(list(entry.match("/section/authority/record")))
+ records.extend(list(entry.match("/section/additional/record")))
+
+ for record in records:
+ if record["/type"].value == "DS":
+ if record["/data"].value[1] in ["3", "DSA"]:
+ dsakeys.append(record["/data"].value[2])
+ return dsakeys
+
+
+def check_rrsig(node, dsakeys):
+ """ Find records with wrong lenght of rrsig"""
+ for key in dsakeys: # pylint: disable=too-many-nested-blocks
+ for entry in node.match("/scenario/range/entry"):
+ records = list(entry.match("/section/answer/record"))
+ records.extend(list(entry.match("/section/authority/record")))
+ records.extend(list(entry.match("/section/additional/record")))
+
+ for record in records:
+ if record["/type"].value == "RRSIG":
+ rrset = dns.rrset.from_text(record["/domain"].value, 300,
+ 1, dns.rdatatype.RRSIG,
+ record["/data"].value)
+ if rrset.items[0].key_tag == int(key):
+ if len(rrset.items[0].signature) != 41:
+ return True
+ return False
+
+
+def main():
+ """Returns 1 if there is a DNSSEC DSA signature which is not 41 bytes long. \
+ 0 otherwise."""
+ argparser = argparse.ArgumentParser()
+ argparser.add_argument("file")
+ args = argparser.parse_args()
+ config, node = parse(args.file)
+ dsakeys = get_dsakeys(config, node)
+ bad_rrsig = check_rrsig(node, dsakeys)
+ if bad_rrsig:
+ sys.exit(1)
+ else:
+ sys.exit(0)
+
+
+main()