Diffstat (limited to 'bin/tests/system/cds')
-rw-r--r-- | bin/tests/system/cds/checkmtime.pl | 18 | ||||
-rw-r--r-- | bin/tests/system/cds/checktime.pl | 27 | ||||
-rw-r--r-- | bin/tests/system/cds/clean.sh | 23 | ||||
-rw-r--r-- | bin/tests/system/cds/mangle.pl | 19 | ||||
-rw-r--r-- | bin/tests/system/cds/setup.sh | 133 | ||||
-rw-r--r-- | bin/tests/system/cds/tests.sh | 243 |
6 files changed, 463 insertions, 0 deletions
diff --git a/bin/tests/system/cds/checkmtime.pl b/bin/tests/system/cds/checkmtime.pl
new file mode 100644
index 0000000..be53584
--- /dev/null
+++ b/bin/tests/system/cds/checkmtime.pl
@@ -0,0 +1,18 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+my $target = shift;
+my $file = shift;
+my $mtime = time - (stat $file)[9];
+die "bad mtime $mtime"
+ unless ($mtime - $target >= 0 && $mtime - $target < 60);
diff --git a/bin/tests/system/cds/checktime.pl b/bin/tests/system/cds/checktime.pl
new file mode 100644
index 0000000..d85fd91
--- /dev/null
+++ b/bin/tests/system/cds/checktime.pl
@@ -0,0 +1,27 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use strict;
+use warnings;
+
+my $target = shift;
+my $notbefore;
+my $inception;
+while (<>) {
+ $notbefore = $1 if m{^.* must not be signed before \d+ [(](\d+)[)]};
+ $inception = $1 if m{^.* inception time \d+ [(](\d+)[)]};
+}
+die "missing notbefore time" unless $notbefore;
+die "missing inception time" unless $inception;
+my $delta = $inception - $notbefore;
+die "bad inception time $delta" unless abs($delta - $target) <= 10;
diff --git a/bin/tests/system/cds/clean.sh b/bin/tests/system/cds/clean.sh
new file mode 100644
index 0000000..b9743a5
--- /dev/null
+++ b/bin/tests/system/cds/clean.sh
@@ -0,0 +1,23 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f CDNSKEY* CDS* DS*
+rm -f K*
+rm -f UP*
+rm -f brk.*
+rm -f db.*
+rm -f dsset-*
+rm -f empty
+rm -f sig.*
+rm -f vars.sh
+rm -f err* out* xerr xout
diff --git a/bin/tests/system/cds/mangle.pl b/bin/tests/system/cds/mangle.pl
new file mode 100644
index 0000000..9268cc0
--- /dev/null
+++ b/bin/tests/system/cds/mangle.pl
@@ -0,0 +1,19 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+my $re = $ARGV[0];
+shift;
+while (<>) {
+ s{($re)........}{${1}00000000};
+ print;
+}
diff --git a/bin/tests/system/cds/setup.sh b/bin/tests/system/cds/setup.sh
new file mode 100644
index 0000000..6e3197d
--- /dev/null
+++ b/bin/tests/system/cds/setup.sh
@@ -0,0 +1,133 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+set -u
+
+touch empty
+
+Z=cds.test
+
+keyz=$($KEYGEN -q -a $DEFAULT_ALGORITHM $Z)
+key1=$($KEYGEN -q -a $DEFAULT_ALGORITHM -f KSK $Z)
+key2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -f KSK $Z)
+
+idz=$(keyfile_to_key_id $keyz)
+id1=$(keyfile_to_key_id $key1)
+id2=$(keyfile_to_key_id $key2)
+
+cat <<EOF >vars.sh
+Z=$Z
+key1=$key1
+key2=$key2
+idz=$idz
+id1=$id1
+id2=$id2
+EOF
+
+tac() {
+ $PERL -e 'print reverse <>'
+}
+
+convert() {
+ key=$1
+ n=$2
+ $DSFROMKEY -12 $key >DS.$n
+ grep " ${DEFAULT_ALGORITHM_NUMBER} 1 " DS.$n >DS.$n-1
+ grep " ${DEFAULT_ALGORITHM_NUMBER} 2 " DS.$n >DS.$n-2
+ sed 's/ IN DS / IN CDS /' <DS.$n >>CDS.$n
+ sed 's/ IN DNSKEY / IN CDNSKEY /' <$key.key >CDNSKEY.$n
+ sed 's/ IN DS / 3600 IN DS /' <DS.$n >DS.ttl$n
+ sed 's/ IN DS / 7200 IN DS /' <DS.$n >DS.ttlong$n
+ tac <DS.$n >DS.rev$n
+}
+convert $key1 1
+convert $key2 2
+
+# consistent order wrt IDs
+sort DS.1 DS.2 >DS.both
+
+cp DS.1 DS.inplace
+$PERL -we 'utime time, time - 7200, "DS.inplace" or die'
+
+mangle="$PERL mangle.pl"
+
+$mangle " IN DS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 " <DS.1 >DS.broke1
+$mangle " IN DS $id1 ${DEFAULT_ALGORITHM_NUMBER} 2 " <DS.1 >DS.broke2
+$mangle " IN DS $id1 ${DEFAULT_ALGORITHM_NUMBER} [12] " <DS.1 >DS.broke12
+
+sed 's/^/update add /
+$a\
+send
+' <DS.2 >UP.add2
+
+sed 's/^/update del /
+$a\
+send
+' <DS.1 >UP.del1
+
+cat UP.add2 UP.del1 | sed 3d >UP.swap
+
+sed 's/ add \(.*\) IN DS / add \1 3600 IN DS /' <UP.swap >UP.swapttl
+
+sign() {
+ cat >db.$1
+ $SIGNER >/dev/null \
+ -S -O full -o $Z -f sig.$1 db.$1
+}
+
+sign null <<EOF
+\$TTL 1h
+@ SOA localhost. root.localhost. (
+ 1 ; serial
+ 1h ; refresh
+ 1h ; retry
+ 1w ; expiry
+ 1h ; minimum
+ )
+;
+ NS localhost.
+;
+EOF
+
+cat sig.null CDS.1 >brk.unsigned-cds
+
+cat db.null CDS.1 | sign cds.1
+cat db.null CDS.2 | sign cds.2
+cat db.null CDS.1 CDS.2 | sign cds.both
+
+tac <sig.cds.1 >sig.cds.rev1
+
+cat db.null CDNSKEY.2 | sign cdnskey.2
+cat db.null CDS.2 CDNSKEY.2 | sign cds.cdnskey.2
+
+$mangle '\s+IN\s+RRSIG\s+CDS .* '$idz' '$Z'\. ' \
+ <sig.cds.1 >brk.rrsig.cds.zsk
+$mangle '\s+IN\s+RRSIG\s+CDS .* '$id1' '$Z'\. ' \
+ <sig.cds.1 >brk.rrsig.cds.ksk
+
+$mangle " IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 " <db.cds.1 |
+sign cds-mangled
+
+bad=$($PERL -le "print ($id1 ^ 255);")
+sed "s/IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 /IN CDS $bad ${DEFAULT_ALGORITHM_NUMBER} 1 /" <db.cds.1 |
+sign bad-digests
+
+sed "/IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} /p;s//IN CDS $bad $ALTERNATIVE_ALGORITHM_NUMBER /" <db.cds.1 |
+sign bad-algos
+
+rm -f dsset-*
diff --git a/bin/tests/system/cds/tests.sh b/bin/tests/system/cds/tests.sh
new file mode 100644
index 0000000..700ae63
--- /dev/null
+++ b/bin/tests/system/cds/tests.sh
@@ -0,0 +1,243 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+fail() {
+ echo_i "failed"
+ status=$((status + 1))
+}
+
+runcmd() {
+ "$@" 1> out.$n 2> err.$n
+ echo $?
+}
+
+testcase() {
+ n=$((n + 1))
+ echo_i "$name ($n)"
+ expect=$1
+ shift
+ result=$(runcmd "$@")
+ check_stdout
+ check_stderr
+ if [ "$expect" -ne "$result" ]; then
+ echo_d "exit status does not match $expect"
+ fail
+ fi
+ unset name err out
+}
+
+check_stderr() {
+ if [ -n "${err:=}" ]; then
+ grep -E "$err" err.$n >/dev/null && return 0
+ echo_d "stderr did not match '$err'"
+ else
+ [ -s err.$n ] || return 0
+ fi
+ cat err.$n | cat_d
+ fail
+}
+
+check_stdout() {
+ $DIFF out.$n "${out:-empty}" >/dev/null && return
+ echo_d "stdout did not match '$out'"
+ ( echo "wanted"
+ cat "$out"
+ echo "got"
+ cat out.$n
+ ) | cat_d
+ fail
+}
+
+Z=cds.test
+
+name='usage'
+err='Usage'
+testcase 1 $CDS
+
+name='need a DS file'
+err='DS pathname'
+testcase 1 $CDS $Z
+
+name='name of dsset in directory'
+err="./dsset-$Z.: file not found"
+testcase 1 $CDS -d . $Z
+
+name='load a file'
+err='could not find DS records'
+testcase 1 $CDS -d empty $Z
+
+name='load DS records'
+err='path to file containing child data must be specified'
+testcase 1 $CDS -d DS.1 $Z
+
+name='missing DNSKEY'
+err='could not find signed DNSKEY RRset'
+testcase 1 $CDS -f db.null -d DS.1 $Z
+
+name='sigs too old'
+err='could not validate child DNSKEY RRset'
+testcase 1 $CDS -f sig.null -d DS.1 $Z
+
+name='sigs too old, verbosely'
+err='skip RRSIG by key [0-9]+: too old'
+testcase 1 $CDS -v1 -f sig.null -d DS.1 $Z
+
+name='old sigs are allowed'
+err='found RRSIG by key'
+out=DS.1
+testcase 0 $CDS -v1 -s -7200 -f sig.null -d DS.1 $Z
+
+name='no CDS/CDNSKEY records'
+out=DS.1
+testcase 0 $CDS -s -7200 -f sig.null -d DS.1 $Z
+
+name='no child records, verbosely'
+err='has neither CDS nor CDNSKEY records'
+out=DS.1
+testcase 0 $CDS -v1 -s -7200 -f sig.null -d DS.1 $Z
+
+name='unsigned CDS'
+err='missing RRSIG CDS records'
+testcase 1 $CDS -f brk.unsigned-cds -d DS.1 $Z
+
+name='correct signature inception time'
+$CDS -v3 -s -7200 -f sig.cds.1 -d DS.1 $Z 1>xout 2>xerr
+testcase 0 $PERL checktime.pl 3600 xerr
+
+name='in-place reads modification time'
+testcase 0 $CDS -f sig.cds.1 -i.bak -d DS.inplace $Z
+
+name='in-place output correct modification time'
+testcase 0 $PERL checkmtime.pl 3600 DS.inplace
+
+name='in-place backup correct modification time'
+testcase 0 $PERL checkmtime.pl 7200 DS.inplace.bak
+
+name='in-place correct output'
+testcase 0 $DIFF DS.1 DS.inplace
+
+name='in-place backup unmodified'
+testcase 0 $DIFF DS.1 DS.inplace.bak
+
+name='one mangled DS'
+err='found RRSIG by key'
+out=DS.1
+testcase 0 $CDS -v1 -s -7200 -f sig.cds.1 -d DS.broke1 $Z
+
+name='other mangled DS'
+err='found RRSIG by key'
+out=DS.1
+testcase 0 $CDS -v1 -s -7200 -f sig.cds.1 -d DS.broke2 $Z
+
+name='both mangled DS'
+err='could not validate child DNSKEY RRset'
+testcase 1 $CDS -v1 -s -7200 -f sig.cds.1 -d DS.broke12 $Z
+
+name='mangle RRSIG CDS by ZSK'
+err='found RRSIG by key'
+out=DS.1
+testcase 0 $CDS -v1 -s -7200 -f brk.rrsig.cds.zsk -d DS.1 $Z
+
+name='mangle RRSIG CDS by KSK'
+err='could not validate child CDS RRset'
+testcase 1 $CDS -v1 -s -7200 -f brk.rrsig.cds.ksk -d DS.1 $Z
+
+name='mangle CDS 1'
+err='could not validate child DNSKEY RRset with new DS records'
+testcase 1 $CDS -s -7200 -f sig.cds-mangled -d DS.1 $Z
+
+name='inconsistent digests'
+err='do not cover each key with the same set of digest types'
+testcase 1 $CDS -s -7200 -f sig.bad-digests -d DS.1 $Z
+
+name='inconsistent algorithms'
+err='missing signature for algorithm'
+testcase 1 $CDS -s -7200 -f sig.bad-algos -d DS.1 $Z
+
+name='add DS records'
+out=DS.both
+$CDS -s -7200 -f sig.cds.both -d DS.1 $Z >DS.out
+# sort to allow for numerical vs lexical order of key tags
+testcase 0 sort DS.out
+
+name='update add'
+out=UP.add2
+testcase 0 $CDS -u -s -7200 -f sig.cds.both -d DS.1 $Z
+
+name='remove DS records'
+out=DS.2
+testcase 0 $CDS -s -7200 -f sig.cds.2 -d DS.both $Z
+
+name='update del'
+out=UP.del1
+testcase 0 $CDS -u -s -7200 -f sig.cds.2 -d DS.both $Z
+
+name='swap DS records'
+out=DS.2
+testcase 0 $CDS -s -7200 -f sig.cds.2 -d DS.1 $Z
+
+name='update swap'
+out=UP.swap
+testcase 0 $CDS -u -s -7200 -f sig.cds.2 -d DS.1 $Z
+
+name='TTL from -T'
+out=DS.ttl2
+testcase 0 $CDS -T 3600 -s -7200 -f sig.cds.2 -d DS.1 $Z
+
+name='update TTL from -T'
+out=UP.swapttl
+testcase 0 $CDS -u -T 3600 -s -7200 -f sig.cds.2 -d DS.1 $Z
+
+name='update TTL from dsset'
+out=UP.swapttl
+testcase 0 $CDS -u -s -7200 -f sig.cds.2 -d DS.ttl1 $Z
+
+name='TTL from -T overrides dsset'
+out=DS.ttlong2
+testcase 0 $CDS -T 7200 -s -7200 -f sig.cds.2 -d DS.ttl1 $Z
+
+name='stable DS record order (changes)'
+out=DS.1
+testcase 0 $CDS -s -7200 -f sig.cds.rev1 -d DS.2 $Z
+
+name='CDNSKEY default algorithm'
+out=DS.2-2
+testcase 0 $CDS -s -7200 -f sig.cdnskey.2 -d DS.1 $Z
+
+name='CDNSKEY SHA1'
+out=DS.2-1
+testcase 0 $CDS -a SHA1 -s -7200 -f sig.cdnskey.2 -d DS.1 $Z
+
+name='CDNSKEY two algorithms'
+out=DS.2
+testcase 0 $CDS -a SHA1 -a SHA256 -s -7200 -f sig.cdnskey.2 -d DS.1 $Z
+
+name='CDNSKEY two algorithms, reversed'
+out=DS.2
+testcase 0 $CDS -a SHA256 -a SHA1 -s -7200 -f sig.cdnskey.2 -d DS.1 $Z
+
+name='CDNSKEY and CDS'
+out=DS.2
+testcase 0 $CDS -s -7200 -f sig.cds.cdnskey.2 -d DS.1 $Z
+
+name='prefer CDNSKEY'
+out=DS.2-2
+testcase 0 $CDS -D -s -7200 -f sig.cds.cdnskey.2 -d DS.1 $Z
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
|
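Review bot: The `(stat $file)[9]` in checkmtime.pl is unchecked, so when `$file` is missing or unreadable the slice is undef, `$mtime` becomes the current epoch time and the script dies with a misleading "bad mtime" instead of naming the real problem; `my @st = stat $file or die "stat $file: $!";` followed by `my $mtime = time - $st[9];` fixes that. The file also lacks the `use strict; use warnings;` that checktime.pl in the same commit carries. The 60-second window presumably absorbs wall-clock drift between setup.sh and this check; a one-line comment saying so would spare the next reader from guessing.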
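Review bot: The two `die ... unless $notbefore` / `unless $inception` lines in checktime.pl test truthiness rather than definedness, so a captured epoch value of 0 would be reported as missing; `unless defined $notbefore` states what is meant. The loop silently keeps the last match when the input holds several `inception time` lines, which looks intended for one -v3 run but deserves a comment such as `# last match wins; expects one validation pass in the input`. The leading `^.*` in both patterns adds nothing to an unanchored match and can be dropped.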
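Review bot: In mangle.pl, when the caller's pattern matches nothing the input is copied through unchanged and nothing signals it; setup.sh would then emit an unmangled brk.rrsig.cds.zsk, and the 'mangle RRSIG CDS by ZSK' case in tests.sh expects exactly the exit status and output an unmangled sig.cds.1 produces, so a pattern typo would pass vacuously. Counting substitutions and failing on zero keeps the fixture honest: `my $n = 0;` before the loop, `$n++ if s{($re)........}{${1}00000000};` in it, and `die "mangle.pl: pattern /$re/ matched nothing\n" unless $n;` after it. The file also lacks `use strict; use warnings;`, unlike checktime.pl in the same commit.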
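Review bot: In `convert`, the CDS file is written with `>>CDS.$n` while every sibling redirection in that function uses `>`, so re-running setup.sh without clean.sh appends a second copy of the CDS records and every fixture built from CDS.1/CDS.2 (`sig.cds.*`, `brk.unsigned-cds`, `brk.rrsig.*`) then carries duplicate RRs; `sed 's/ IN DS / IN CDS /' <DS.$n >CDS.$n` looks like the intent. The `$PERL -we 'utime time, time - 7200, "DS.inplace" or die'` line backdates the mtime so the in-place cases in tests.sh can confirm the tool reads it; a short comment to that effect would save a trip to the other file.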
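Review bot: The 'correct signature inception time' and 'add DS records' cases invoke `$CDS` directly rather than through `testcase`, so a non-zero exit or unexpected stderr from those two runs is never checked, and nothing else catches it either: the `-e` in the shebang only takes effect when the script is executed directly, and unlike setup.sh there is no explicit `set -e`. Writing them as `$CDS -s -7200 -f sig.cds.both -d DS.1 $Z >DS.out 2>DS.err || fail` (and likewise for the xout/xerr run) closes that gap while keeping the sort step. Separately, `check_stderr` reads `${err:=}`, which assigns an empty value as a side effect; `${err:-}` is the non-assigning form and is what the later `unset name err out` seems to expect.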