25 files changed, 810 insertions, 0 deletions
diff --git a/bin/tests/system/rsabigexponent/README.md b/bin/tests/system/rsabigexponent/README.md
new file mode 100644
index 0000000..44afdbd
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/README.md
@@ -0,0 +1,39 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+The `rsabigexponent` test is used to `check max-rsa-exponent-size`.
+
+We only run this test on builds without PKCS#11, as we have control over
+the RSA exponent size with plain OpenSSL. We have not explored how to do
+this with PKCS#11, which would require generating such a key and then
+signing a zone with it. Additionally, even with control of the exponent
+size with PKCS#11, generating a DNSKEY with this property and signing
+such a zone would be slow and undesirable for each test run; instead, we
+use a pregenerated DNSKEY and a saved signed zone. These are located in
+`rsabigexponent/ns2` and currently use RSASHA1 for the `DNSKEY`
+algorithm; however, that may need to be changed in the future.
+
+To generate the `DNSKEY` used in this test, we used `bigkey.c`, as
+dnssec-keygen is not capable of generating such keys.
+
+Do **not** remove `bigkey.c` as it may be needed to generate a new
+`DNSKEY` for testing purposes.
+
+`bigkey` is used to both test that we are not running under PKCS#11 and
+generate a `DNSKEY` key with a large RSA exponent.
+
+To regenerate `ns2/example.db.bad` comment out the range test in
+opensslrsa_parse before signing the zone with a ZSK key generated
+by `bigkey`.
+
+ if (BN_num_bits(e) > RSA_MAX_PUBEXP_BITS) {
+ DST_RET(ISC_R_RANGE);
+ }
diff --git a/bin/tests/system/rsabigexponent/bigkey.c b/bin/tests/system/rsabigexponent/bigkey.c
new file mode 100644
index 0000000..19fc9ba
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/bigkey.c
@@ -0,0 +1,157 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#define DST_KEY_INTERNAL
+
+#include <openssl/bn.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/rsa.h>
+
+#include <isc/result.h>
+
+#include <dns/dnssec.h>
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/rdataclass.h>
+#include <dns/secalg.h>
+
+#include <dst/dst.h>
+
+dst_key_t *key;
+dns_fixedname_t fname;
+dns_name_t *name;
+unsigned int bits = 2048U;
+isc_mem_t *mctx;
+isc_log_t *log_;
+isc_logconfig_t *logconfig;
+int level = ISC_LOG_WARNING;
+isc_logdestination_t destination;
+char filename[255];
+isc_result_t result;
+isc_buffer_t buf;
+RSA *rsa;
+BIGNUM *e;
+EVP_PKEY *pkey;
+
+#define CHECK(op, msg) \
+ do { \
+ result = (op); \
+ if (result != ISC_R_SUCCESS) { \
+ fprintf(stderr, \
+ "fatal error: %s returns %s at file %s line " \
+ "%d\n", \
+ msg, isc_result_totext(result), __FILE__, \
+ __LINE__); \
+ ERR_clear_error(); \
+ exit(1); \
+ } \
+ } while (0)
+
+int
+main(int argc, char **argv) {
+ UNUSED(argc);
+ UNUSED(argv);
+
+ rsa = RSA_new();
+ e = BN_new();
+ pkey = EVP_PKEY_new();
+
+ if ((rsa == NULL) || (e == NULL) || (pkey == NULL) ||
+ !EVP_PKEY_set1_RSA(pkey, rsa))
+ {
+ fprintf(stderr, "fatal error: basic OpenSSL failure\n");
+ ERR_clear_error();
+ exit(1);
+ 
}
+
+ /* e = 0x1000000000001 */
+ BN_set_bit(e, 0);
+ BN_set_bit(e, 48);
+
+ if (RSA_generate_key_ex(rsa, bits, e, NULL)) {
+ BN_free(e);
+ RSA_free(rsa);
+ } else {
+ fprintf(stderr,
+ "fatal error: RSA_generate_key_ex() fails "
+ "at file %s line %d\n",
+ __FILE__, __LINE__);
+ ERR_clear_error();
+ exit(1);
+ }
+
+ isc_mem_create(&mctx);
+ CHECK(dst_lib_init(mctx, NULL), "dst_lib_init()");
+ isc_log_create(mctx, &log_, &logconfig);
+ isc_log_setcontext(log_);
+ dns_log_init(log_);
+ dns_log_setcontext(log_);
+ isc_log_settag(logconfig, "bigkey");
+
+ destination.file.stream = stderr;
+ destination.file.name = NULL;
+ destination.file.versions = ISC_LOG_ROLLNEVER;
+ destination.file.maximum_size = 0;
+ isc_log_createchannel(logconfig, "stderr", ISC_LOG_TOFILEDESC, level,
+ &destination,
+ ISC_LOG_PRINTTAG | ISC_LOG_PRINTLEVEL);
+
+ CHECK(isc_log_usechannel(logconfig, "stderr", NULL, NULL), "isc_log_"
+ "usechannel("
+ ")");
+ name = dns_fixedname_initname(&fname);
+ isc_buffer_constinit(&buf, "example.", strlen("example."));
+ isc_buffer_add(&buf, strlen("example."));
+ CHECK(dns_name_fromtext(name, &buf, dns_rootname, 0, NULL), "dns_name_"
+ "fromtext("
+ "\"example."
+ "\")");
+
+ CHECK(dst_key_buildinternal(name, DNS_KEYALG_RSASHA256, bits,
+ DNS_KEYOWNER_ZONE, DNS_KEYPROTO_DNSSEC,
+ dns_rdataclass_in, pkey, mctx, &key),
+ "dst_key_buildinternal(...)");
+
+ CHECK(dst_key_tofile(key, DST_TYPE_PRIVATE | DST_TYPE_PUBLIC, NULL),
+ "dst_key_tofile()");
+ isc_buffer_init(&buf, filename, sizeof(filename) - 1);
+ isc_buffer_clear(&buf);
+ CHECK(dst_key_buildfilename(key, 0, NULL, &buf), "dst_key_"
+ "buildfilename()");
+ printf("%s\n", filename);
+ dst_key_free(&key);
+
+ isc_log_destroy(&log_);
+ isc_log_setcontext(NULL);
+ dns_log_setcontext(NULL);
+ dst_lib_destroy();
+ isc_mem_destroy(&mctx);
+ return (0);
+}
+
+/*! \file */
diff --git a/bin/tests/system/rsabigexponent/clean.sh b/bin/tests/system/rsabigexponent/clean.sh
new file mode 100644
index 0000000..22ea41a
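Review bot: Both fatal paths in main() call `ERR_clear_error()` and exit without printing the OpenSSL error queue, so a failed RSA_new()/EVP_PKEY_set1_RSA() or RSA_generate_key_ex() reports only "basic OpenSSL failure" with no underlying reason; adding `ERR_print_errors_fp(stderr);` immediately before each `ERR_clear_error();` makes a failed key regeneration diagnosable. `pkey` is never released after dst_key_buildinternal() — whether that call takes ownership of the EVP_PKEY is not visible in this hunk, so this is at worst a leak in a one-shot tool, but a one-line comment stating who owns `pkey` after the call would settle it. The `sizeof(filename) - 1` passed to isc_buffer_init() appears to rely on the zero-initialized global keeping a trailing NUL for the later `printf("%s\n", filename)`; if so, say it in a comment such as `/* leave one byte so the zero-filled global stays NUL-terminated */`. Separately, the README in this commit says the pregenerated keys use RSASHA1, while bigkey.c passes DNS_KEYALG_RSASHA256 and the committed Xexample.+008+* files are algorithm 8 (RSASHA256); the README sentence should be brought in line.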
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/clean.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f K* */K* */dsset-*. */*.signed */trusted.conf */tmp*
+rm -f ns*/dsset-example
+rm -f ns*/named.run
+rm -f ns*/named.memstats
+rm -f ns1/root.db
+rm -f ns2/signer.err
+rm -f dig.out.*
+rm -f ns*/named.lock
+rm -f ns*/named.conf
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/rsabigexponent/conf/bad01.conf b/bin/tests/system/rsabigexponent/conf/bad01.conf
new file mode 100644
index 0000000..720d197
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/conf/bad01.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ max-rsa-exponent-size 1;
+};
diff --git a/bin/tests/system/rsabigexponent/conf/bad02.conf b/bin/tests/system/rsabigexponent/conf/bad02.conf
new file mode 100644
index 0000000..bd1e827
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/conf/bad02.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ max-rsa-exponent-size 34;
+};
diff --git a/bin/tests/system/rsabigexponent/conf/bad03.conf b/bin/tests/system/rsabigexponent/conf/bad03.conf
new file mode 100644
index 0000000..4331b52
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/conf/bad03.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ max-rsa-exponent-size 4097;
+};
diff --git a/bin/tests/system/rsabigexponent/conf/good01.conf b/bin/tests/system/rsabigexponent/conf/good01.conf
new file mode 100644
index 0000000..1d2cd01
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/conf/good01.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ max-rsa-exponent-size 0;
+};
diff --git a/bin/tests/system/rsabigexponent/conf/good02.conf b/bin/tests/system/rsabigexponent/conf/good02.conf
new file mode 100644
index 0000000..861e054
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/conf/good02.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ max-rsa-exponent-size 35;
+};
diff --git a/bin/tests/system/rsabigexponent/conf/good03.conf b/bin/tests/system/rsabigexponent/conf/good03.conf
new file mode 100644
index 0000000..14a98f8
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/conf/good03.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ max-rsa-exponent-size 4096;
+};
diff --git a/bin/tests/system/rsabigexponent/ns1/named.conf.in b/bin/tests/system/rsabigexponent/ns1/named.conf.in
new file mode 100644
index 0000000..4a9822d
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns1/named.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type primary;
+ file "root.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/rsabigexponent/ns1/root.db.in b/bin/tests/system/rsabigexponent/ns1/root.db.in
new file mode 100644
index 0000000..a85d814
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns1/root.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2012050600 ; serial
+ 3600 ; refresh
+ 1200 ; retry
+ 604800 ; expire
+ 60 ; minimum
+ )
+@ NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+;
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
diff --git a/bin/tests/system/rsabigexponent/ns1/sign.sh b/bin/tests/system/rsabigexponent/ns1/sign.sh
new file mode 100755
index 0000000..8a2f6b9
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns1/sign.sh
@@ -0,0 +1,33 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../../conf.sh + +zone=. +infile=root.db.in +zonefile=root.db + +cp ../ns2/dsset-example.in dsset-example. + +keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone) + +cat $infile $keyname.key > $zonefile + +$SIGNER -P -g -o $zone $zonefile > /dev/null + +# Configure the resolving server with a static key. +keyfile_to_static_ds $keyname > trusted.conf +cp trusted.conf ../ns2/trusted.conf +cp trusted.conf ../ns3/trusted.conf + +cd ../ns2 && $SHELL -e ./sign.sh diff --git a/bin/tests/system/rsabigexponent/ns2/Xexample.+008+51650.key b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+51650.key new file mode 100644 index 0000000..60ff187 --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+51650.key @@ -0,0 +1,5 @@ +; This is a key-signing key, keyid 51650, for example. +; Created: 20220721024334 (Thu Jul 21 12:43:34 2022) +; Publish: 20220721024334 (Thu Jul 21 12:43:34 2022) +; Activate: 20220721024334 (Thu Jul 21 12:43:34 2022) +example. IN DNSKEY 257 3 8 AwEAAeeXAGBcXxSNj5X/PWT8XDBk4U9OUkZ7YKQBf2IN3V6OZomt/s3F UWIh70Wot+z1Ld3Rfswq1DjCaWNRFOMhs+9j3Fhc46wMZ4pnsDW1nLHk 2TnQRdrbiuhLkQy5oNMjSRxu924XLw5ylsuqjxE7vXcCeKSFe674roSq wo39atWsTJMDz0FQGxlPucnXai0nHoCeC7+u1s+wLaGcpNSZlsab7Zny FD4HZ3HKUCJw/Jjr5CZjqal9KdmWSC1SINRtlAN6PX5VSiNEncnYMCdj iv+ZhRGn+aHh1BmEWomGbAm2Jjw5mrYMgDs9lJRc5Vtg0YXb9OkYvxNF V4QGw1oeF+M= diff --git a/bin/tests/system/rsabigexponent/ns2/Xexample.+008+51650.private b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+51650.private new file mode 100644 index 0000000..d38a0b3 --- /dev/null 
+++ b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+51650.private @@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 8 (RSASHA256) +Modulus: 55cAYFxfFI2Plf89ZPxcMGThT05SRntgpAF/Yg3dXo5mia3+zcVRYiHvRai37PUt3dF+zCrUOMJpY1EU4yGz72PcWFzjrAxnimewNbWcseTZOdBF2tuK6EuRDLmg0yNJHG73bhcvDnKWy6qPETu9dwJ4pIV7rviuhKrCjf1q1axMkwPPQVAbGU+5yddqLScegJ4Lv67Wz7AtoZyk1JmWxpvtmfIUPgdnccpQInD8mOvkJmOpqX0p2ZZILVIg1G2UA3o9flVKI0SdydgwJ2OK/5mFEaf5oeHUGYRaiYZsCbYmPDmatgyAOz2UlFzlW2DRhdv06Ri/E0VXhAbDWh4X4w== +PublicExponent: AQAB +PrivateExponent: QaMgBa+YeRxIElS1g14tCMBGxXHmyrgkI0eTYWiZkbedYy8v1QU0NDJ2/NC9VEkHF2PNYrNO08lyEiaEW32NYG92n4qwMm6PmAAcRpSzFQ5N7N9VNRrdK0pjkW45IS5Shd8DfK3QdfFPQOkVxGYgpE7Mf6Cfde9gkxRMsO6erXEud6KyBm8kwBR/ipDeUQvpyGkZEQPjLxJG6REjMVhPKTzCV+82DWEf+Ok/3Uxa94+ocAbySHAV3j4YcWpVGWT002gc6CGk8c6TsPYnDkfKQ3moPQZijH7F8zrARtoobCX9TsMFhBqReceZrbzN7en2cZGR5MSISzoTNSr4rGo6aQ== +Prime1: 8AV9EllWtclD62XHo95Z3h7JJ9t2gY7fUFG0WMbkI0Wj6kcr7k3bFfLj7GEJ1qgVW4Qpu7XnBvPB9hnqoCkbHLzc8ws1D2tY+PsXzvw9IxoXNM/eCobeulu/rYhJl2PcpY9bPcaaR0hldGoCHdFYSo8oi+C5hfRtIMVjnDtHSmk= +Prime2: 9wHRxgyHjtl8ro9HAkvujxFkhChm4xLxIRM8pfZ+D1VHpzFRD3/RK8CVYVRB8GsQoFRygHBMOW1oHqynN9jddvJrQbHOqFZAbQQlesp0jRPd9Mm6q0cDwYcD4apscB2CUrUswMzoD3H4saIjGnitCsG/t+sLTvuK/giuMdS2Tms= +Exponent1: pnSH+pOuiL+dtMCPJVvsoxhilJukodD9mewv0GmOic+gD7dwBgJEcAJUgvgBJLbIqQENGDrcj3u5Bf2PM6eOP+3SpVMeZyUhPPqV1lwj4hYUBfIqoM5L5J4AXk5oCu+cc8zpj/wNvmW8xnFGKnumaX7Ctc8Rmo6ap+F8ZTrPBBE= +Exponent2: txXZKIRnAkJAwZ6f0pr3w4Hv0GmmAZArvQlmPdncDH94sfvDCssB/v0rfE4Y5hxl4YFWsc8LINHwiDQPajzLwvvi9nnWJT5xWJznLwHbrCparbPNMmFb7lmmTeGlqOCmlamG942qQLCI1xnIDTn/gWalNaz539xhZPSIMZVqX+s= +Coefficient: eK9cQKFRLaU4udqB8t8KSQxlNl0x9J+9bcaEzn0+579LrZUZvspfiR4DNGwr9qK+PWk+CU7/6xsWbq2zbKIEWucoR97t+E8Zhx00GCDbiu/QI2wviEcYbB2udznRv1WSIDoCWf2TXeh5G2E2ugt5F4+b56qMXmT7IudxYGPtQCY= +Created: 20220721024334 +Publish: 20220721024334 +Activate: 20220721024334 
diff --git a/bin/tests/system/rsabigexponent/ns2/Xexample.+008+52810.key b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+52810.key new file mode 100644 index 0000000..a1f14c9 --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+52810.key @@ -0,0 +1,2 @@ +; This is a zone-signing key, keyid 52810, for example. +example. IN DNSKEY 256 3 8 BwEAAAAAAAHYYy161+wCg6yFHRlyex8oVkcK+K2SBUryI1+DEKzjusH6 yLfzzlJCPGrubmD+jseKYwXfzelJkRQbMDjWbMYLHKytuPtwnJMSeVh+ a/Ore6oVPXy716EYpsEBSmVjfQyS0mGHpwrYk4QaKjJDM7Q173EFl/sE eXjHqInlzOgJbXqsCrSfA94anSt42DGhJeeIfQ8b3vqD/nCnA6C7khIt AWlfJto7d42Ev8tckjr3CrTW9tn9pHb2DKeh85rKeJBBLMYQU3jfF5KH EEsjztLGMnPLlXTteh8wKrk/0IJrot17w0FR0H2v8oG3xDXxfhJ0OeTW 7dtBHD6ISgqeJ9zt diff --git a/bin/tests/system/rsabigexponent/ns2/Xexample.+008+52810.private b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+52810.private new file mode 100644 index 0000000..bbb5ad9 --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+52810.private 
@@ -0,0 +1,10 @@ +Private-key-format: v1.3 +Algorithm: 8 (RSASHA256) +Modulus: 2GMtetfsAoOshR0ZcnsfKFZHCvitkgVK8iNfgxCs47rB+si3885SQjxq7m5g/o7HimMF383pSZEUGzA41mzGCxysrbj7cJyTEnlYfmvzq3uqFT18u9ehGKbBAUplY30MktJhh6cK2JOEGioyQzO0Ne9xBZf7BHl4x6iJ5czoCW16rAq0nwPeGp0reNgxoSXniH0PG976g/5wpwOgu5ISLQFpXybaO3eNhL/LXJI69wq01vbZ/aR29gynofOayniQQSzGEFN43xeShxBLI87SxjJzy5V07XofMCq5P9CCa6Lde8NBUdB9r/KBt8Q18X4SdDnk1u3bQRw+iEoKnifc7Q== +PublicExponent: AQAAAAAAAQ== +PrivateExponent: aD+JLNdCtAk1++UwcGdPslSoWq2szZHGrY+I+YfhfcBZrPP13exC40hgUgRNuYJOaJ3WMpgsKI4p8YDVNttF6LI7WNBURQhmBSwquB5BWWkoh7uR4PfKWGB0ZkDwUQcA2IdMVS4+QAKVQMmUXGnXhQI1p8duAORZp0gE71VsHTEzwf5AIEG2+f/oCjDsMJN0J7X3qktJr5ho64aMHyHf5+yKk6fFcy7wfC175SkIZ53uBfpCsFXkgq8YukXfcyoG5o4FUHheGnDwkVOzviEUHk8xweJnNNRbV6n/ck9AXzq3VSA9BbrXtRzZmre/L6tJvEnbH0EycwDkxCMlOSqGbQ== +Prime1: /hnW5M2vzAoAjx2wum98YZZ6gv1IpV88c4HDLA3vY79Qxd8FYanldxPNjgQJEPjHD5hG6tGN+cjZdXv/X+sk5j3fmCB7RKwMKcoD8A/jyH2JaQLTbXm6EBd1BCMIN+w3W+A2E6evYYyINLwMUwqRlUcAaD8HoDLK8iz6iAUhFss= +Prime2: 2gEuuug1PDnbWWFVzzMUrVXiRiFqJVTTvR3AjJVJNZPwAL4FMenh98rtI3s1zSB6P4RSyvRJ6YMOAT0ZrMxviJy76EExGgCB5F4w7g67I7VGPuA1tLn5kt5j9j5wQmdq1yMG5QpCJWr7bxjSDYvIzy2sZjZ/KTuHGtUzFUnHrCc= +Exponent1: MaDlpmDYxZ2QvM+cp58Bj160u+21qIA/UZ2ysh6102uQmYHm92481z2+AvCJuq2PpkuROMd/4i2w7L0RbfZ2MYzUFndLZ8NgmNDjNDfUzeRQl2KQdAOLK4DNXmf3mKwLO0Sbj/pxgj0vYAe9gcU4Pe8ukVuSX0nkehbDi4cjfr0= +Exponent2: cNHFlVCwvEPNVnpQCZS3iqF/D3HN8FtP2st0CrYbjQI8DYpcQUWVMqUqdqFOkYM0/qadpkX+JMlPJTjJZ8YDYYWIZGSC2ruMPIxB7DayVDBbgugmsC1isZjyApdQ44xtdNVyMYmcYeHUz5gR1x/eWdGNyjzMEvfbEjXIKbRykAM= +Coefficient: ovH/7MP64Dai8draXD3t+jl6UTchig+LDwXA2GvlZY0HVP+9yvE49VSKhoYxolL/ZmabIgzzOAyJ66SyYq31ozxbpKrBGiFdzAbgkJgFIbdYMgfLHXNkH1vissGeY0KdS5ee6sKDfk1VmE94UOVHi11oslvnTiG2RF/I3koYV7Q= diff --git a/bin/tests/system/rsabigexponent/ns2/dsset-example.in b/bin/tests/system/rsabigexponent/ns2/dsset-example.in new file mode 100644 index 0000000..9ad254b --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns2/dsset-example.in 
@@ -0,0 +1 @@ +example. IN DS 51650 8 2 F225122667540159A30620B2D0888036BDF76276D245DE3453C883F0C3276705 diff --git a/bin/tests/system/rsabigexponent/ns2/example.db.bad b/bin/tests/system/rsabigexponent/ns2/example.db.bad new file mode 100644 index 0000000..b105978 --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns2/example.db.bad 
@@ -0,0 +1,156 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +example. 300 IN SOA mname1. . ( + 2012050601 ; serial + 3600 ; refresh (1 hour) + 600 ; retry (10 minutes) + 604800 ; expire (1 week) + 3600 ; minimum (1 hour) + ) + 300 RRSIG SOA 8 1 300 ( + 20361231235959 20000101000000 52810 example. + IfZrUTjdr4Ull5MSQW4eHxrub6X5O8VWB3vG + kg6TBT8f2Aw4hLcwT0X47xRqL9nU1kKA3qpu + mi71wqiZPbYI+suHYGuqRO/V6YujdQRpLhGS + gTpLmETa46unkMDY6sze41AlCyzR79yaDxVS + +pS2V1AVYzQzzeswJXHwSLO5HKtClPL3izpV + AJD1+dL0UZRs9yOqbxU1RgvASPFEt+1Wd2p6 + qwyeadJ7PB0PL7QQXSDsQ09Ms1BGoKq5p6Os + HtgXPo+aZQR2gczm3Yals9I1tZnk/ZM86aS0 + 63NrEEUQycMNCr100WgWzYQzO90SmJMqpdeZ + fxzlRQbY7jN4qRbM7A== ) + 300 NS ns2.example. + 300 RRSIG NS 8 1 300 ( + 20361231235959 20000101000000 52810 example. + VUPhDucH6rlx93V13b7OSAQ6fE/9jlxhCTXv + peBD69WOa4jZHMZf60gqy10gLVMx35gZdEaU + cJqaBcAniSwPY3a7mxclMja7fmuCB9wcSbiP + pwk5KIYSgIvoWp3ro2I19C0IDQDVWtH1xqdQ + Dv+3MV39Zpf0AnXB05mBopI2DQI9mYHCnmis + F3pfcfs+h/ipyodE5kccBBRvtfKWHly342Xe + azHKM4eyuGj9NLwuwsoVgnyQ3I9hrKVAiUjS + fQ4cxyBVhh+Wb1/VrVSbX+X9VNzQ04mcREHS + yXIPoIQBNju3dyOSTQ+VIeasRvRU8nqMS/1f + oeqj5ehTjtfejF6Jfw== ) + 300 NSEC a.example. NS SOA RRSIG NSEC DNSKEY + 300 RRSIG NSEC 8 1 300 ( + 20361231235959 20000101000000 52810 example. 
+ bG90DOCaN7BhihvtCUs2eJhSHkRaV582ROQi + AbamawevX8NQGJeVpHb3t5ekQuK5EWjLFr6i + bga5TpeP8HOv3lDb8w7kb7xOrHycw5Sizws5 + PZTvtuty9nT6dZ9h4pfLNTbW+SBV904xv3JT + ZlXoxtm4JAdmKUcGiCFLjMvwbQ5SKEZq27uN + 9xCeY0CPkQmiGbTrySYFyNZsBBsL2OI5ec2V + TbQVSDhnnEhbVdMb8Yh2sTt9H/CT1yG2s4U9 + a9ccxguFzt6mk+f5ZL+WKgxkTOMOrZW3dyiI + x53dNQyZN/tczibox/LLG/SaET5wR/V5gDsh + 9DObfc9u1+of/H0lhg== ) + 300 DNSKEY 257 3 8 ( + AwEAAeeXAGBcXxSNj5X/PWT8XDBk4U9OUkZ7 + YKQBf2IN3V6OZomt/s3FUWIh70Wot+z1Ld3R + fswq1DjCaWNRFOMhs+9j3Fhc46wMZ4pnsDW1 + nLHk2TnQRdrbiuhLkQy5oNMjSRxu924XLw5y + lsuqjxE7vXcCeKSFe674roSqwo39atWsTJMD + z0FQGxlPucnXai0nHoCeC7+u1s+wLaGcpNSZ + lsab7ZnyFD4HZ3HKUCJw/Jjr5CZjqal9KdmW + SC1SINRtlAN6PX5VSiNEncnYMCdjiv+ZhRGn + +aHh1BmEWomGbAm2Jjw5mrYMgDs9lJRc5Vtg + 0YXb9OkYvxNFV4QGw1oeF+M= + ) ; KSK; alg = RSASHA256 ; key id = 51650 + 300 DNSKEY 256 3 8 ( + BwEAAAAAAAHYYy161+wCg6yFHRlyex8oVkcK + +K2SBUryI1+DEKzjusH6yLfzzlJCPGrubmD+ + jseKYwXfzelJkRQbMDjWbMYLHKytuPtwnJMS + eVh+a/Ore6oVPXy716EYpsEBSmVjfQyS0mGH + pwrYk4QaKjJDM7Q173EFl/sEeXjHqInlzOgJ + bXqsCrSfA94anSt42DGhJeeIfQ8b3vqD/nCn + A6C7khItAWlfJto7d42Ev8tckjr3CrTW9tn9 + pHb2DKeh85rKeJBBLMYQU3jfF5KHEEsjztLG + MnPLlXTteh8wKrk/0IJrot17w0FR0H2v8oG3 + xDXxfhJ0OeTW7dtBHD6ISgqeJ9zt + ) ; ZSK; alg = RSASHA256 ; key id = 52810 + 300 RRSIG DNSKEY 8 1 300 ( + 20361231235959 20000101000000 52810 example. + O4q1oueEgPoWHhrLiobGvMQLS2KHN+xxSddf + y6fqksqivRLgj0633fnEZrFtc44YueV+L4gQ + kaoWCCpR0yQH4BOw4p3FVjEgl+jXLzIc7amw + ZfKAnSOtMoTaBCQ2hN8b2ducUHgKV7ta9bca + lO0wuqqp2OOO/n9S3YMBVfrCW4jL2w1QPC+b + lm/4ka8OwqKKGAcO0d/nGeOPJZnfbddSzqEQ + C3j1tGavwBC4RAGilxw3XoyoICDp0LQR7M9a + tWAxYmMfilEEfpip9R3HhCa+ynIVsHP8yTXE + dlWM3LUZePm44aV38YeObJpRMkb8sO5VrbZn + 8hJoIs3eyguC4HKKTg== ) + 300 RRSIG DNSKEY 8 1 300 ( + 20361231235959 20000101000000 51650 example. 
+ Eaw79mOoImGg+ymMJ+9paoanUgR/Od0Pxv/X + mevid1TRbssSc2KynAToxSXRcOQwRQjto9sC + qj0pOekPPmW1I6DRlMOGDS6l0Uuk51GvUuRD + Xbr19BG73mcPuKfYHNbx6cUHvBlPilnjM803 + m9E8DK6Ba9uo/MNhgtWoWj8wQxqP2YS+HW3v + bOv/p4en9Dc5ft6ATtSYj84ejuPAKnfVbleI + fJW+qIQ7q9A24xEZ4QlWuRovjsoASVsuLnX+ + X4sQYlWBIPMQYQ8RIN1CgSRPGb603pAq9ru6 + ySpjlxHQRtdOGBNJleg9Wz612rHRd3x7BM+8 + /Lvz31Ot/JSh3u4DSQ== ) +a.example. 300 IN A 10.0.0.1 + 300 RRSIG A 8 2 300 ( + 20361231235959 20000101000000 52810 example. + zp4L0Um0guehtT+4GQaMeYx5PiwEbSRyi7sg + Xv2uFn/wFML/Df0PgCxCYkWKL2Db/j15IZON + uz2CNRG7lDMZsb+JgyLZ6R3OuSKjwzA++kUu + 8ExPpdrFHxZFMPefkU1vjf7E1yt4/aSaO23T + m0F6yFHcVfBE1DElG1vLWO6cWtSIMKjXOo15 + Zy2hHhT/7jKhqcHnwwCBHLuV9/e9OmI34H7I + Sd3Ik8dnNEjRTVbLem3tQMfQ9ZfYDHPHli+z + Z5dGgPmpyNPq5bfs7O5uCO5cNCbouFdEnc6O + DA9QiyOGba8w7vI1gHMvA+rWPpA+fTGgrVRq + 7bTfa0jTOsybR8rZjg== ) + 300 NSEC ns2.example. A RRSIG NSEC + 300 RRSIG NSEC 8 2 300 ( + 20361231235959 20000101000000 52810 example. + oh6oqdC9OIoO0jIN0x9MIBlYlzAg2LFYffrP + QlgPAtPn8A9cPCxU2i6hJ1ubqc6o1LVD7LH6 + GVj842Ytys1uO2Nwf9xXS4gbchJ6NE9IjQh6 + IoBNmlgdfprzJEJlEFx73dytakfcjc+hIj8t + b14Lu2/5BBDSamw+uVyeV8Wg2jNdrN7UEqyA + ccnhLPWHAOtspzxrmCrBDPc6Geelu8KzARs5 + qOZ/p9CKffmKL/65K/N8WWKQWVNI22tAbiWT + J1t3BNkOLUSKMvEVLFcgStV4QtFcQrSB96Hu + D2rSbAGsH5Ujmz4GTxhOSqd8OJ7XDEWlhZod + LhUBltfjmakorhGqqg== ) +ns2.example. 300 IN A 10.53.0.2 + 300 RRSIG A 8 2 300 ( + 20361231235959 20000101000000 52810 example. + sDlETJwDoWqYZdcwYBW/l+Ot4Tb3mSXJvW3R + 1fsoiq/obWZeC+bU2MszckcZKPET2CRqBD+c + uLCcOhZrcH0m25Y02SAzOOG2V12KNvWVznSz + bZw+/+ucYhxhiNKherdwpHOAdjlhG//zFHDy + sAxmrtjWO2DT9pv1Hd/Hm3aGgAYTs0ryyeyo + k05sTgdr43APFkX4SNoNXGUEt8E0uMghIvhi + mgKSQ45fZFsZeUiEfwvtQ8uAuDNOLWK49Bw5 + 184QrQ/NZ3YVyJercg7wm/jFMVkgxggiOl2q + ZCLadaSQNnsvtbwgyTktRJb5YovzZEQrH7O0 + vW/DAN1Cqa1nXw/kZA== ) + 300 NSEC example. A RRSIG NSEC + 300 RRSIG NSEC 8 2 300 ( + 20361231235959 20000101000000 52810 example. 
+ DyLuymW3Bv6irCLzfUGnz2cy1XctqfW7ycLc + 7wgDzDLNvJ6tqr8tjHKMdCODJDiG+lR5oFo7 + 8RA604OYcmJjLIAMj3fCxzBkIlH5SXRcJ86X + a8U6oXrgt6IvUMC2crdWMVgVnSWlqBS4TNNg + QhUa+vt+Em8ce3fveqh1tXm1hzysSroOQtMk + HOPAtwYR9XP4mTdbC43AU/67jsYPqXq59lm4 + sE1tmnVdhXuOk7yNAt8O2CSZGGZl5bYMC4On + IgWZP7liebXAmhmXpHbBf5/BaE9dVfvWzYTT + 4wUch+f8TDwwyTqumrlrPsVnvkQ9V0LwODox + PxWWxFAznmUMEtlo3g== ) diff --git a/bin/tests/system/rsabigexponent/ns2/example.db.in b/bin/tests/system/rsabigexponent/ns2/example.db.in new file mode 100644 index 0000000..a2a6964 --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns2/example.db.in @@ -0,0 +1,23 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2012050601 ; serial + 3600 ; refresh + 600 ; retry + 604800 ; expire + 3600 ; minimum + ) + NS ns2 +ns2 A 10.53.0.2 + +a A 10.0.0.1 diff --git a/bin/tests/system/rsabigexponent/ns2/named.conf.in b/bin/tests/system/rsabigexponent/ns2/named.conf.in new file mode 100644 index 0000000..c81b3f6 --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns2/named.conf.in 
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-validation no;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "example" {
+ type primary;
+ file "example.db.bad";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/rsabigexponent/ns2/sign.sh b/bin/tests/system/rsabigexponent/ns2/sign.sh
new file mode 100755
index 0000000..53e2257
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns2/sign.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../../conf.sh
+
+zone=example.
+infile=example.db.in
+outfile=example.db.bad
+
+for i in Xexample.+008+51650.key Xexample.+008+51650.private \
+ Xexample.+008+52810.key Xexample.+008+52810.private
+do
+ cp $i $(echo $i | sed s/X/K/)
+done
+
+$SIGNER -g -s 20000101000000 -e 20361231235959 -o $zone \
+ $infile Kexample.+008+52810.key \
+ > /dev/null 2> signer.err || true
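Review bot: `outfile=example.db.bad` in ns2/sign.sh is assigned but never referenced; the dnssec-signzone call below never writes to it, and the zone ns2 serves is the committed example.db.bad, so either drop the variable or pass it explicitly with `-f $outfile` if regenerating the file is the intent. The trailing `|| true` also accepts any signer failure (missing key files, zone syntax error), not just the expected exponent-range rejection; tests.sh does grep signer.err for "out of range" later, so the check is covered, but a comment here would save the next reader the detour, e.g. `# Signing is expected to fail: the ZSK exponent exceeds max-rsa-exponent-size; tests.sh greps signer.err.`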
diff --git a/bin/tests/system/rsabigexponent/ns3/named.conf.in b/bin/tests/system/rsabigexponent/ns3/named.conf.in
new file mode 100644
index 0000000..bc63656
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns3/named.conf.in
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+ dnssec-validation yes;
+ max-rsa-exponent-size 35;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/rsabigexponent/setup.sh b/bin/tests/system/rsabigexponent/setup.sh
new file mode 100644
index 0000000..b7c2801
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/setup.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+
+cd ns1 && $SHELL -e sign.sh
diff --git a/bin/tests/system/rsabigexponent/tests.sh b/bin/tests/system/rsabigexponent/tests.sh new file mode 100644 index 0000000..39ebd8a --- /dev/null +++ b/bin/tests/system/rsabigexponent/tests.sh @@ -0,0 +1,58 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +set -e + +. ../conf.sh + +status=0 + +rm -f dig.out.* + +DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}" + +for f in conf/good*.conf +do + echo_i "checking '$f'" + ret=0 + $CHECKCONF $f > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +done + +for f in conf/bad*.conf +do + echo_i "checking '$f'" + ret=0 + $CHECKCONF $f > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +done + +echo_i "checking that RSA big exponent keys can't be loaded" +ret=0 +grep "out of range" ns2/signer.err > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking that RSA big exponent signature can't validate" +ret=0 +$DIG $DIGOPTS a.example @10.53.0.2 > dig.out.ns2 || ret=1 +$DIG $DIGOPTS a.example @10.53.0.3 > dig.out.ns3 || ret=1 +grep "status: NOERROR" dig.out.ns2 > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.ns3 > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/rsabigexponent/tests_sh_rsabigexponent.py b/bin/tests/system/rsabigexponent/tests_sh_rsabigexponent.py new file mode 100644 index 0000000..38ab381 --- /dev/null 
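Review bot: The final check in tests.sh only asserts that ns3 answers SERVFAIL for a.example, which any validation failure would produce (a stale trusted.conf from ns1/sign.sh, expired or missing RRSIGs), not specifically rejection of the oversized exponent under `max-rsa-exponent-size 35`; grepping ns3/named.run for the validator's log line about that key, with the exact wording taken from the code path that enforces the option, would pin the reason the test is meant to cover. The `bad*.conf` loop has the same shape of gap: it only asserts that named-checkconf exits non-zero and discards its stderr, so a rejection for an unrelated syntax error would also pass. Capturing the output and requiring the option name in it, e.g. `$CHECKCONF $f > checkconf.out.$f 2>&1 && ret=1` followed by `grep max-rsa-exponent-size checkconf.out.$f > /dev/null || ret=1`, would make both loops check the message as well as the exit status, assuming the diagnostic names the option (not visible in this diff).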
+++ b/bin/tests/system/rsabigexponent/tests_sh_rsabigexponent.py @@ -0,0 +1,14 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + + +def test_rsabigexponent(run_tests_sh): + run_tests_sh() |