From e87dfa76816f6de259b4e1fe51e00039767af476 Mon Sep 17 00:00:00 2001
From: Jan Vcelak <jan.vcelak@nic.cz>
Date: Thu, 5 Sep 2013 17:03:58 +0200
Subject: [PATCH] DNSSEC: unit tests for signatures creating and verification
- separate key manipulation and signing tests
- tests should be failing now as DSA verification is not implemented
- tests for ECDSA are missing
refs #4
---
src/tests/Makefile.am | 6 +-
.../{sign_tests.c => dnssec_keys_tests.c} | 8 +-
.../{sign_tests.h => dnssec_keys_tests.h} | 4 +-
src/tests/libknot/dnssec_sign_tests.c | 130 ++++++++++++++++++
src/tests/libknot/dnssec_sign_tests.h | 24 ++++
src/tests/unittests_main.c | 6 +-
6 files changed, 168 insertions(+), 10 deletions(-)
rename src/tests/libknot/{sign_tests.c => dnssec_keys_tests.c} (97%)
rename src/tests/libknot/{sign_tests.h => dnssec_keys_tests.h} (88%)
create mode 100644 src/tests/libknot/dnssec_sign_tests.c
create mode 100644 src/tests/libknot/dnssec_sign_tests.h
diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am
index 7e3bbdac3..6e6a1e0d8 100644
--- a/src/tests/Makefile.am
+++ b/src/tests/Makefile.am
@@ -54,8 +54,10 @@ unittests_SOURCES = \
libknot/wire_tests.c \
libknot/rrset_tests.c \
libknot/rrset_tests.h \
- libknot/sign_tests.c \
- libknot/sign_tests.h \
+ libknot/dnssec_keys_tests.c \
+ libknot/dnssec_keys_tests.h \
+ libknot/dnssec_sign_tests.c \
+ libknot/dnssec_sign_tests.h \
unittests_main.c
unittests_LDADD = ../libknotd.la ../libknots.la @LIBOBJS@
diff --git a/src/tests/libknot/sign_tests.c b/src/tests/libknot/dnssec_keys_tests.c
similarity index 97%
rename from src/tests/libknot/sign_tests.c
rename to src/tests/libknot/dnssec_keys_tests.c
index 948b8a423..300b577d4 100644
--- a/src/tests/libknot/sign_tests.c
+++ b/src/tests/libknot/dnssec_keys_tests.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2011 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2013 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -15,15 +15,15 @@
*/
#include <config.h>
-#include "tests/libknot/sign_tests.h"
+#include "tests/libknot/dnssec_keys_tests.h"
#include "libknot/dnssec/key.h"
#include "libknot/dnssec/key.c" // testing static functions
static int sign_tests_count(int argc, char *argv[]);
static int sign_tests_run(int argc, char *argv[]);
-unit_api sign_tests_api = {
- "libknot/sign",
+unit_api dnssec_keys_tests_api = {
+ "libknot/dnssec/sign",
&sign_tests_count,
&sign_tests_run
};
diff --git a/src/tests/libknot/sign_tests.h b/src/tests/libknot/dnssec_keys_tests.h
similarity index 88%
rename from src/tests/libknot/sign_tests.h
rename to src/tests/libknot/dnssec_keys_tests.h
index 177f9e6fd..e764a5c5b 100644
--- a/src/tests/libknot/sign_tests.h
+++ b/src/tests/libknot/dnssec_keys_tests.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2011 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2013 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -19,6 +19,6 @@
#include "common/libtap/tap_unit.h"
-unit_api sign_tests_api;
+unit_api dnssec_keys_tests_api;
#endif
diff --git a/src/tests/libknot/dnssec_sign_tests.c b/src/tests/libknot/dnssec_sign_tests.c
new file mode 100644
index 000000000..82ff8efe0
--- /dev/null
+++ b/src/tests/libknot/dnssec_sign_tests.c
@@ -0,0 +1,130 @@
+/* Copyright (C) 2013 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+#include <assert.h>
+#include "tests/libknot/dnssec_sign_tests.h"
+#include "common/errcode.h"
+#include "libknot/dnssec/sign.h"
+
+static int dnssec_sign_tests_count(int argc, char *argv[]);
+static int dnssec_sign_tests_run(int argc, char *argv[]);
+
+unit_api dnssec_sign_tests_api = {
+ "libknot/dnssec/sign",
+ &dnssec_sign_tests_count,
+ &dnssec_sign_tests_run
+};
+
+static void test_algorithm(const char *alg, const knot_key_params_t *kp)
+{
+ int result;
+
+ knot_dnssec_key_t key = { 0 };
+ result = knot_dnssec_key_from_params(kp, &key);
+ ok(result == KNOT_EOK, "%s: create key from params", alg);
+
+ knot_dnssec_sign_context_t *ctx;
+ ctx = knot_dnssec_sign_init(&key);
+ ok(ctx != NULL, "%s: create signing context", alg);
+
+ size_t sig_size = knot_dnssec_sign_size(&key);
+ ok(sig_size > 0, "%s: get signature size", alg);
+
+ uint8_t *sig = malloc(sig_size);
+ assert(sig != NULL);
+
+ result = knot_dnssec_sign_add(ctx, (uint8_t *)"test", 4);
+ ok(result == KNOT_EOK, "%s: add data A", alg);
+
+ result = knot_dnssec_sign_new(ctx);
+ ok(result == KNOT_EOK, "%s: restart context", alg);
+
+ result = knot_dnssec_sign_add(ctx, (uint8_t *)"hello", 5);
+ ok(result == KNOT_EOK, "%s: add data B", alg);
+
+ result = knot_dnssec_sign_add(ctx, (uint8_t *)"dns", 3);
+ ok(result == KNOT_EOK, "%s: add data C", alg);
+
+ result = knot_dnssec_sign_write(ctx, sig);
+ ok(result == KNOT_EOK, "%s: write signature", alg);
+
+ result = knot_dnssec_sign_new(ctx);
+ ok(result == KNOT_EOK, "%s: restart context", alg);
+
+ result = knot_dnssec_sign_add(ctx, (uint8_t *)"wrong", 5);
+ ok(result == KNOT_EOK, "%s: add data D", alg);
+
+ result = knot_dnssec_sign_verify(ctx, sig, sig_size);
+ ok(result == KNOT_DNSSEC_EINVALID_SIGNATURE, "%s: verify invalid signature", alg);
+
+ result = knot_dnssec_sign_new(ctx);
+ ok(result == KNOT_EOK, "%s: restart context", alg);
+
+ result = knot_dnssec_sign_add(ctx, (uint8_t *)"hellodns", 8);
+ ok(result == KNOT_EOK, "%s: add data B + C", alg);
+
+ result = knot_dnssec_sign_verify(ctx, sig, sig_size);
+ ok(result == KNOT_EOK, "%s: verify valid signature", alg);
+
+ knot_dnssec_sign_free(ctx);
+ knot_dnssec_key_free(&key);
+}
+
+static int dnssec_sign_tests_count(int argc, char *argv[])
+{
+ return 28;
+}
+
+static int dnssec_sign_tests_run(int argc, char *argv[])
+{
+ knot_key_params_t kp = { 0 };
+
+ // RSA
+
+ kp.name = knot_dname_from_str("example.com.", 12);
+ kp.algorithm = 5;
+ knot_binary_from_base64("pSxiFXG8wB1SSHdok+OdaAp6QdvqjpZ17ucNge21iYVfv+DZq52l21KdmmyEqoG9wG/87O7XG8XVLNyYPue8Mw==", &kp.modulus);
+ knot_binary_from_base64("AQAB", &kp.public_exponent);
+ knot_binary_from_base64("UuNK9Wf2SJJuUF9b45s9ypA3egVaV+O5mwHoDWO0ziWJxFXNMMsobDdusEDjCw64xnlLmrbzNJ3+ClrOnV04gQ==", &kp.private_exponent);
+ knot_binary_from_base64("0/wjqkgVZxqrFi5OMzq2qQYpxKn3HgS87Io9UG6iqis=", &kp.prime_one);
+ knot_binary_from_base64("x3gFCPpaJ4etPEM1hRd6WMAcmx5FBMjvuuzID6SWWhk=", &kp.prime_two);
+ knot_binary_from_base64("Z8qUS9NvZ0QPcJTLhRnCRY/W84ukivYW6lnlG3SQAHE=", &kp.exponent_one);
+ knot_binary_from_base64("C0kjH8rqZuoqRwqWcJ1Pcs4L0Er6JLcpuS3Ec/4f86E=", &kp.exponent_two);
+ knot_binary_from_base64("VYc62FQX0Vnd27VxkX6hsBcl7Oh00wVCeh3WTDutndg=", &kp.coefficient);
+
+ test_algorithm("RSA", &kp);
+ knot_free_key_params(&kp);
+
+ // DSA
+
+ kp.name = knot_dname_from_str("example.com.", 12);
+ kp.algorithm = 6;
+ knot_binary_from_base64("u7tr4jc7CH0+r2muVEZyjYu7hpMrQ1dHGAMv7hr5dBFYzkutfdBmDSW4C+qxaXWo14gi+jJ8XqFqQ7rQn23DdQ==", &kp.prime);
+ knot_binary_from_base64("tgZ5X6pFoCOM2NzfiAYVG1434Mk=", &kp.subprime);
+ knot_binary_from_base64("bHidtFIFYAHXp7ZxTFd6poJJG8brqO9eyJygvYSFCej/FGDqhF2TsboVvS/evW/qTaSvhkd/aiDg5eAfu1HvrQ==", &kp.base);
+ knot_binary_from_base64("FiTBDsbFDNTw7IrhPeVbzM0DMmI=", &kp.private_value);
+ knot_binary_from_base64("G1pX04Bcew8wyHsmno4Q0tNdmBLlaEdbqvQ03W5XVXUM6MPrtzxgc6jdOogqZsvGK4c+FbThBu42Z1t/ioQr8A==", &kp.public_value);
+
+ test_algorithm("DSA", &kp);
+ knot_free_key_params(&kp);
+
+ // ECDSA
+
+ // todo
+
+ return 0;
+}
diff --git a/src/tests/libknot/dnssec_sign_tests.h b/src/tests/libknot/dnssec_sign_tests.h
new file mode 100644
index 000000000..a5f55342b
--- /dev/null
+++ b/src/tests/libknot/dnssec_sign_tests.h
@@ -0,0 +1,24 @@
+/* Copyright (C) 2013 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef _KNOTD_DNSSEC_SIGN_TESTS_
+#define _KNOTD_DNSSEC_SIGN_TESTS_
+
+#include "common/libtap/tap_unit.h"
+
+unit_api dnssec_sign_tests_api;
+
+#endif
diff --git a/src/tests/unittests_main.c b/src/tests/unittests_main.c
index 2ef07e46a..681f9faee 100644
--- a/src/tests/unittests_main.c
+++ b/src/tests/unittests_main.c
@@ -35,7 +35,8 @@
#include "tests/libknot/wire_tests.h"
#include "tests/libknot/dname_tests.h"
#include "tests/libknot/ztree_tests.h"
-#include "tests/libknot/sign_tests.h"
+#include "tests/libknot/dnssec_keys_tests.h"
+#include "tests/libknot/dnssec_sign_tests.h"
#include "tests/libknot/rrset_tests.h"
// Run all loaded units
@@ -70,7 +71,8 @@ int main(int argc, char *argv[])
&wire_tests_api,
&dname_tests_api,
&ztree_tests_api,
- &sign_tests_api, //! Key manipulation.
+ &dnssec_keys_tests_api, //! Key manipulation.
+ &dnssec_sign_tests_api, //! DNSSEC signing/verification.
// &rrset_tests_api,
NULL
--
GitLab