Commit e872962e authored by Jan Včelák's avatar Jan Včelák :rocket:

DNSSEC tests: algorithm dependent Single-Type Signing Scheme

parent 3c54c086
......@@ -22,52 +22,71 @@ pushd "$keydir"
# valid scenarios
#
keygen -a RSASHA256 -b 2048 -P $TIME_PAST -A $TIME_PAST -f KSK rsa_ok
keygen -a RSASHA256 -b 1024 -P $TIME_PAST -A $TIME_PAST rsa_ok
keygen -a RSASHA256 -b 2048 -P $TIME_PAST -A $TIME_PAST rsa_ecdsa_ok
keygen -a RSASHA256 -b 1024 -P $TIME_PAST -A $TIME_PAST -f KSK rsa_ecdsa_ok
keygen -a ECDSAP256SHA256 -P $TIME_PAST -A $TIME_PAST rsa_ecdsa_ok
keygen -a ECDSAP256SHA256 -P $TIME_PAST -A $TIME_PAST -f KSK rsa_ecdsa_ok
keygen -a RSASHA256 -b 2048 -P $TIME_PAST -A $TIME_PAST -f KSK rsa_ecdsa_roll_ok
keygen -a RSASHA256 -b 1024 -P $TIME_PAST -A $TIME_PAST rsa_ecdsa_roll_ok
keygen -a ECDSAP256SHA256 -P $TIME_FUTURE -A $TIME_PAST rsa_ecdsa_roll_ok
#
# valid single-type signing scheme scenarios
#
keygen -a RSASHA256 -b 2048 -P $TIME_PAST -A $TIME_PAST -f KSK rsa_stss_ksk
keygen -a RSASHA256 -b 2048 -P $TIME_PAST -A $TIME_PAST rsa_stss_zsk
# KSK+ZSK, simple
keygen -a RSASHA256 -b 2048 -P $TIME_PAST -A $TIME_PAST -f KSK rsa
keygen -a RSASHA256 -b 1024 -P $TIME_PAST -A $TIME_PAST rsa
# KSK+ZSK, two algorithms
keygen -a RSASHA256 -b 2048 -P $TIME_PAST -A $TIME_PAST rsa_ecdsa
keygen -a RSASHA256 -b 1024 -P $TIME_PAST -A $TIME_PAST -f KSK rsa_ecdsa
keygen -a ECDSAP256SHA256 -P $TIME_PAST -A $TIME_PAST rsa_ecdsa
keygen -a ECDSAP256SHA256 -P $TIME_PAST -A $TIME_PAST -f KSK rsa_ecdsa
# KSK+ZSK: RSA enabled, ECDSA in future
keygen -a RSASHA256 -b 2048 -P $TIME_PAST -A $TIME_PAST -f KSK rsa_now_ecdsa_future
keygen -a RSASHA256 -b 1024 -P $TIME_PAST -A $TIME_PAST rsa_now_ecdsa_future
keygen -a ECDSAP256SHA256 -P $TIME_FUTURE -A $TIME_FUTURE -f KSK rsa_now_ecdsa_future
keygen -a ECDSAP256SHA256 -P $TIME_FUTURE -A $TIME_FUTURE rsa_now_ecdsa_future
# KSK+ZSK, algorithm rollover (signatures pre-published)
keygen -a RSASHA256 -b 2048 -P $TIME_PAST -A $TIME_PAST -f KSK rsa_ecdsa_roll
keygen -a RSASHA256 -b 1024 -P $TIME_PAST -A $TIME_PAST rsa_ecdsa_roll
keygen -a ECDSAP256SHA256 -P $TIME_FUTURE -A $TIME_PAST -f KSK rsa_ecdsa_roll
keygen -a ECDSAP256SHA256 -P $TIME_FUTURE -A $TIME_PAST rsa_ecdsa_roll
# STSS: KSK only
keygen -a RSASHA256 -b 2048 -P $TIME_PAST -A $TIME_PAST -f KSK stss_ksk
# STSS: ZSK only
keygen -a RSASHA256 -b 2048 -P $TIME_PAST -A $TIME_PAST stss_zsk
# STSS: two KSKs
keygen -a RSASHA256 -b 1024 -P $TIME_PAST -A $TIME_PAST -f KSK stss_two_ksk
keygen -a RSASHA256 -b 1024 -P $TIME_PAST -A $TIME_PAST -f KSK stss_two_ksk
# STSS: different algorithms
keygen -a RSASHA256 -b 2048 -P $TIME_PAST -A $TIME_PAST -f KSK stss_rsa256_rsa512
keygen -a RSASHA512 -b 2048 -P $TIME_PAST -A $TIME_PAST stss_rsa256_rsa512
# KSK+ZSK for RSA, STSS for ECDSA
keygen -a RSASHA256 -b 2048 -P $TIME_PAST -A $TIME_PAST -f KSK rsa_split_ecdsa_stss
keygen -a RSASHA256 -b 1024 -P $TIME_PAST -A $TIME_PAST rsa_split_ecdsa_stss
keygen -a ECDSAP256SHA256 -P $TIME_PAST -A $TIME_PAST -f KSK rsa_split_ecdsa_stss
#
# invalid scenarios
#
# no key for now
keygen -a RSASHA256 -b 2048 -P $TIME_FUTURE -A $TIME_FUTURE -f KSK rsa_future_all
keygen -a RSASHA256 -b 1024 -P $TIME_FUTURE -A $TIME_FUTURE rsa_future_all
# key active, not published
keygen -a RSASHA512 -b 2048 -P $TIME_FUTURE -A $TIME_PAST -f KSK rsa_future_publish
keygen -a RSASHA256 -b 1024 -P $TIME_FUTURE -A $TIME_PAST rsa_future_publish
# key published, not active
keygen -a RSASHA512 -b 2048 -P $TIME_PAST -A $TIME_FUTURE -f KSK rsa_future_active
keygen -a RSASHA256 -b 1024 -P $TIME_PAST -A $TIME_FUTURE rsa_future_active
# no signatures for KSK
keygen -a RSASHA256 -b 2048 -P $TIME_PAST -A $TIME_PAST -f KSK rsa_inactive_zsk
keygen -a RSASHA256 -b 1024 -P $TIME_PAST -A $TIME_FUTURE rsa_inactive_zsk
# no signatures for ZSK
keygen -a RSASHA256 -b 2048 -P $TIME_FUTURE -A $TIME_FUTURE -f KSK rsa_no_zsk
keygen -a RSASHA256 -b 1024 -P $TIME_PAST -A $TIME_PAST rsa_no_zsk
keygen -a RSASHA256 -b 2048 -P $TIME_PAST -A $TIME_PAST -f KSK rsa_ecdsa_ksk_only
keygen -a RSASHA256 -b 1024 -P $TIME_PAST -A $TIME_PAST rsa_ecdsa_ksk_only
keygen -a ECDSAP256SHA256 -P $TIME_PAST -A $TIME_PAST -f KSK rsa_ecdsa_ksk_only
keygen -a RSASHA256 -b 2048 -P $TIME_PAST -A $TIME_PAST -f KSK rsa256_rsa512
keygen -a RSASHA512 -b 2048 -P $TIME_PAST -A $TIME_PAST rsa256_rsa512
tar czf "$dir/keys.tgz" K*.{key,private}
popd
rm -rf "$keydir"
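Review bot: The new matrix covers a lone-ZSK STSS zone (`stss_zsk`) and a mixed zone whose second algorithm is a KSK-only STSS (`rsa_split_ecdsa_stss`), but not the mixed case where the second algorithm has only a ZSK, which is exactly what the sibling Python test's zones[3] exercises, so the two fixtures disagree on coverage. RFC 4035 §2.2 requires every algorithm present in the DNSKEY RRset to sign every RRset, DNSKEY included, so a lone ZSK for one algorithm is only acceptable if the signer treats it as a single-type key; a scenario pinning that here (plus a matching `TEST_CASES` entry in the Python driver) would keep both tests consistent. Readers of this fixture would also benefit from a header comment, since `keygen` and the `TIME_*` variables are defined outside the hunk: `# -P/-A: key publish/activate times; TIME_PAST makes a key usable now, TIME_FUTURE does not`.
```shell
# … unchanged: KSK+ZSK for RSA, STSS for ECDSA …
# KSK+ZSK for RSA, STSS with a lone ZSK for ECDSA
keygen -a RSASHA256 -b 2048 -P $TIME_PAST -A $TIME_PAST -f KSK rsa_split_ecdsa_stss_zsk
keygen -a RSASHA256 -b 1024 -P $TIME_PAST -A $TIME_PAST rsa_split_ecdsa_stss_zsk
keygen -a ECDSAP256SHA256 -P $TIME_PAST -A $TIME_PAST rsa_split_ecdsa_stss_zsk
# … unchanged: invalid scenarios …
```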
......@@ -10,21 +10,21 @@ import dnstest.zonefile
from dnstest.test import Test
TEST_CASES = {
# valid cases
"rsa_ok": True,
"rsa_ecdsa_ok": True,
"rsa_ecdsa_roll_ok": True,
# valid single-type signing
"rsa_stss_ksk": True,
"rsa_stss_zsk": True,
# invalid cases
"rsa_future_all": False,
"rsa_future_publish": False,
"rsa_future_active": False,
"rsa_inactive_zsk": False,
"rsa_no_zsk": False,
"rsa_ecdsa_ksk_only": False,
"rsa256_rsa512": False,
"rsa": True,
"rsa_ecdsa": True,
"rsa_now_ecdsa_future": True,
"rsa_ecdsa_roll": True,
"stss_ksk": True,
"stss_zsk": True,
"stss_two_ksk": True,
"stss_rsa256_rsa512": True,
"rsa_split_ecdsa_stss": True,
"rsa_future_all": False,
"rsa_future_publish": False,
"rsa_future_active": False,
"rsa_inactive_zsk": False,
"rsa_no_zsk": False,
}
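Review bot: The rewritten `TEST_CASES` table drops the `# valid cases` / `# valid single-type signing` / `# invalid cases` group comments, so a reader can no longer tell from this file why `rsa_inactive_zsk` or `rsa_no_zsk` are expected to fail without opening the key-generation script. Restoring the two group comments, or giving each False entry a trailing reason such as `"rsa_inactive_zsk": False,  # ZSK published but not yet active: nothing signs the zone data`, keeps the table self-explaining. The `Test()` setup that consumes the table continues outside the hunk.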
t = Test()
......@@ -8,7 +8,7 @@ from dnstest.test import Test
t = Test()
knot = t.server("knot")
zones = t.zone_rnd(3, dnssec=False, records=10)
zones = t.zone_rnd(4, dnssec=False, records=10)
t.link(zones, knot)
t.start()
......@@ -22,6 +22,11 @@ knot.gen_key(zones[1], ksk=False, alg="RSASHA512", key_len="1024")
knot.gen_key(zones[2], ksk=True, alg="RSASHA512", key_len="1024")
knot.gen_key(zones[2], ksk=True, alg="RSASHA256", key_len="512")
# different algorithms: KSK+ZSK pair, one ZSK
knot.gen_key(zones[3], ksk=True, alg="RSASHA256", key_len="1024")
knot.gen_key(zones[3], ksk=False, alg="RSASHA256", key_len="1024")
knot.gen_key(zones[3], ksk=False, alg="RSASHA512", key_len="1024")
knot.dnssec_enable = True
knot.gen_confile()
knot.reload()
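Review bot: The zones[3] setup at the end of the hunk gives RSASHA512 a single ZSK next to the RSASHA256 KSK+ZSK pair, but the comment does not say which outcome is expected and the assertion on it lies outside the hunk. Per RFC 4035 §2.2 every algorithm listed in the DNSKEY RRset must sign every RRset, the DNSKEY RRset included, so a lone RSASHA512 ZSK can only be valid if the server handles it as a single-type signing key; presumably that is what this case checks, and the comment should state it: `# different algorithms: KSK+ZSK pair for RSASHA256, lone ZSK for RSASHA512 (must act as STSS and sign DNSKEY too, RFC 4035 §2.2)`. The 1024-bit RSA keys are fine for a throwaway fixture but are below current recommendations; a short note that the size is chosen for test speed would stop it being copied as a reference configuration.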