Commit 8061acdc authored by Jan Včelák's avatar Jan Včelák 🚀

tests: dnssec/dnskey_timestamps migrate to new key format

parent e704de66
example.com. IN DNSKEY 257 3 7 AwEAAbvXqLB1/wIPCdK+9ZU/bc0HlmxGUQDmWPMPswuIak77QGXhPUrA fqaaDTPG73WsS1UDSCCiqjsbLXjmWMTBYnE=
Private-key-format: v1.3
Algorithm: 7 (NSEC3RSASHA1)
Modulus: u9eosHX/Ag8J0r71lT9tzQeWbEZRAOZY8w+zC4hqTvtAZeE9SsB+ppoNM8bvdaxLVQNIIKKqOxsteOZYxMFicQ==
PublicExponent: AQAB
PrivateExponent: tXq84oeNsRqAXhjaQbB/T8gV31PsLNdfdq1jSTAprVVOmHSkCfKq30FOdIXnlLum2kypxejpdHGocI1rqZLzBQ==
Prime1: 6g826H+Tc14Rq7ZVm310Q00kvgHJWkwbaAyOK5weXns=
Prime2: zXNc16CmvEfQ/i3JhEhbb1I8o7QGsOk9v8MP/DEzpQM=
Exponent1: XwRwKPBpfoMor0mk9St3wD6X9N6qzBJradD3AjMtjPM=
Exponent2: zBl4+DV+rrjhpEE0WpfPTe3yk+Z6ZzGuyFwt+ymd1qU=
Coefficient: HMTnrV7i4Tm3I8HjrJsz/Tb38YVrz3PQPVkEpUXsBaI=
Created: 19700101000001
Publish: 19700101000001
Activate: 19700101000001
example.com. IN DNSKEY 256 3 7 AwEAAaEKJNHrzrCitxCNzya1FMoXjfcwEFGELa1SvJFHYMqsvkaFtpkj BvGsOf24263lP/sINDtcZqbPZ3Z/VHM/j3s=
Private-key-format: v1.3
Algorithm: 7 (NSEC3RSASHA1)
Modulus: oQok0evOsKK3EI3PJrUUyheN9zAQUYQtrVK8kUdgyqy+RoW2mSMG8aw5/bjbreU/+wg0O1xmps9ndn9Ucz+Pew==
PublicExponent: AQAB
PrivateExponent: Mhw+8tdmnI41WsBVylykmHIV6eoZ2dPAhuNs6+QDGW2C5IYTefTllC5GdHS68DjsP67oUEqTnPZI61oHtsi6WQ==
Prime1: 0gsSz0cU8A0xQ88aQbHOi3eZEXvtoj0LecrbIy+ACI8=
Prime2: xEZIYq6Bb2rnNqwDLH7FRAphY88mnKZmMbbNSoyjyFU=
Exponent1: wEgI2R3OSg8ZqWS/OaKnXT+ILdxQZ3QQvFb7ExPZ1ns=
Exponent2: qGnOLq6h7aKDJsxOJN3aEln92xCihwPY6It8d51Z48k=
Coefficient: YeNurpSYJlSuE5IebVebybzRcDrrZpHD5kueq1SMzg0=
Created: 19700101000001
Publish: 19700101000001
Activate: 19700101000001
-----BEGIN PRIVATE KEY-----
MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAybrKa545nAsfsu9m
RYuyTg0WmUquP2MIwHCCRFHBTX7x9oxuj78yXtCZghZjm+GSl698kMBwm0V/2JbG
pApgDwIDAQABAkB1bfzDZNnYUkljmiSIu2dSNCBBn82LLJU9oMDUEFtcRk7gdyS2
taDBh6eCZVUsGErDg4kCHIQdrFjD0MuouXIBAiEA6NqaRS0mkuHiO2J+4XTCRzMV
w3Bu+K88BfqFIkDQKoECIQDdyCx66rvJ8YApy7Tt86hM/chNjFg+j4ZknxM3RF2i
jwIgFmJNSjEY8C2+ra6+O7YZpvaGNQ9t24Ic5wY6HhzU5gECIQDRcLIguf/xa3E/
BzKr7Agp/Rfls/25xsyBxX/eF1/dnQIhAI+z7XQNd/cZUD1TwdziKBuWBDcYp/qH
DmKe/7Xh+MZJ
-----END PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----
MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAu9eosHX/Ag8J0r71
lT9tzQeWbEZRAOZY8w+zC4hqTvtAZeE9SsB+ppoNM8bvdaxLVQNIIKKqOxsteOZY
xMFicQIDAQABAkEAtXq84oeNsRqAXhjaQbB/T8gV31PsLNdfdq1jSTAprVVOmHSk
CfKq30FOdIXnlLum2kypxejpdHGocI1rqZLzBQIhAOoPNuh/k3NeEau2VZt9dENN
JL4ByVpMG2gMjiucHl57AiEAzXNc16CmvEfQ/i3JhEhbb1I8o7QGsOk9v8MP/DEz
pQMCIF8EcCjwaX6DKK9JpPUrd8A+l/TeqswSa2nQ9wIzLYzzAiEAzBl4+DV+rrjh
pEE0WpfPTe3yk+Z6ZzGuyFwt+ymd1qUCIBzE561e4uE5tyPB46ybM/029/GFa89z
0D1ZBKVF7AWi
-----END PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----
MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAoQok0evOsKK3EI3P
JrUUyheN9zAQUYQtrVK8kUdgyqy+RoW2mSMG8aw5/bjbreU/+wg0O1xmps9ndn9U
cz+PewIDAQABAkAyHD7y12acjjVawFXKXKSYchXp6hnZ08CG42zr5AMZbYLkhhN5
9OWULkZ0dLrwOOw/ruhQSpOc9kjrWge2yLpZAiEA0gsSz0cU8A0xQ88aQbHOi3eZ
EXvtoj0LecrbIy+ACI8CIQDERkhiroFvauc2rAMsfsVECmFjzyacpmYxts1KjKPI
VQIhAMBICNkdzkoPGalkvzmip10/iC3cUGd0ELxW+xMT2dZ7AiEAqGnOLq6h7aKD
JsxOJN3aEln92xCihwPY6It8d51Z48kCIGHjbq6UmCZUrhOSHm1Xm8m80XA662aR
w+ZLnqtUjM4N
-----END PRIVATE KEY-----
example.com. IN DNSKEY 256 3 7 AwEAAcm6ymueOZwLH7LvZkWLsk4NFplKrj9jCMBwgkRRwU1+8faMbo+/ Ml7QmYIWY5vhkpevfJDAcJtFf9iWxqQKYA8=
Private-key-format: v1.3
Algorithm: 7 (NSEC3RSASHA1)
Modulus: ybrKa545nAsfsu9mRYuyTg0WmUquP2MIwHCCRFHBTX7x9oxuj78yXtCZghZjm+GSl698kMBwm0V/2JbGpApgDw==
PublicExponent: AQAB
PrivateExponent: dW38w2TZ2FJJY5okiLtnUjQgQZ/NiyyVPaDA1BBbXEZO4HcktrWgwYengmVVLBhKw4OJAhyEHaxYw9DLqLlyAQ==
Prime1: 6NqaRS0mkuHiO2J+4XTCRzMVw3Bu+K88BfqFIkDQKoE=
Prime2: 3cgseuq7yfGAKcu07fOoTP3ITYxYPo+GZJ8TN0Rdoo8=
Exponent1: FmJNSjEY8C2+ra6+O7YZpvaGNQ9t24Ic5wY6HhzU5gE=
Exponent2: 0XCyILn/8WtxPwcyq+wIKf0X5bP9ucbMgcV/3hdf3Z0=
Coefficient: j7PtdA139xlQPVPB3OIoG5YENxin+ocOYp7/teH4xkk=
Created: 19700101000001
Publish: 20400101000000
Activate: 20400101000000
{
"keys": [
{
"id": "7a3500c7feac3fd99f09a208a83b97f7455fa3e0",
"keytag": 58041,
"algorithm": 7,
"public_key": "AwEAAbvXqLB1/wIPCdK+9ZU/bc0HlmxGUQDmWPMPswuIak77QGXhPUrAfqaaDTPG73WsS1UDSCCiqjsbLXjmWMTBYnE=",
"ksk": true,
"publish": "1970-01-01T00:00:01+0000",
"active": "1970-01-01T00:00:01+0000"
},
{
"id": "f3b8db9d60fb412d0363dd0c0ac2ea72dc212777",
"keytag": 29654,
"algorithm": 7,
"public_key": "AwEAAaEKJNHrzrCitxCNzya1FMoXjfcwEFGELa1SvJFHYMqsvkaFtpkjBvGsOf24263lP/sINDtcZqbPZ3Z/VHM/j3s=",
"ksk": false,
"publish": "1970-01-01T00:00:01+0000",
"active": "1970-01-01T00:00:01+0000"
},
{
"id": "712d0d0d57fa0aa006b5e20cd84e23941e5f3ab2",
"keytag": 55574,
"algorithm": 7,
"public_key": "AwEAAcm6ymueOZwLH7LvZkWLsk4NFplKrj9jCMBwgkRRwU1+8faMbo+/Ml7QmYIWY5vhkpevfJDAcJtFf9iWxqQKYA8=",
"ksk": false,
"publish": "2040-01-01T00:00:00+0000",
"active": "2040-01-01T00:00:00+0000"
}
]
}
......@@ -8,26 +8,23 @@ import collections
import os
import shutil
import datetime
import subprocess
from dnstest.utils import *
from dnstest.test import Test
# change timestamps in DNSSEC key file
def key_settime(filename, **new_values):
lines = open(filename).readlines()
def keymgr(server, args):
cmd = subprocess.Popen([params.keymgr_bin, "--dir", server.keydir] + args)
(stdout, stderr) = cmd.communicate()
return (cmd.returncode, stdout, stderr)
values = collections.OrderedDict()
for line in lines:
key, sep, value = line.partition(":")
values[key.strip()] = value.strip()
for key, value in new_values.items():
values[key] = value
with open(filename, "w") as keyfile:
for key, value in values.items():
if value is not None:
keyfile.write("%s: %s\n" % (key, value))
def key_set(server, zone, key_id, **new_values):
cmd = ["zone", "key", "set", zone, key_id]
for option, value in new_values.items():
cmd += [option, value]
(exitcode, _x, _y) = keymgr(server, cmd)
if exitcode != 0:
raise Failed("Unable to modify key timing values.")
# check zone if keys are present and used for signing
def check_zone(server, expect_dnskey, expect_rrsig, msg):
......@@ -49,13 +46,6 @@ def check_zone(server, expect_dnskey, expect_rrsig, msg):
detail_log(SEP)
# return date 'offset' seconds in future
def date_offset(offset):
delta = datetime.timedelta(seconds = offset)
current_time = datetime.datetime.utcnow()
future_time = current_time + delta
return datetime.datetime.strftime(future_time, "%Y%m%d%H%M%S")
t = Test()
knot = t.server("knot")
......@@ -67,9 +57,8 @@ t.link(zone, knot)
shutil.copytree(os.path.join(t.data_dir, "keys"), knot.keydir)
# parameters
key_file = os.path.join(knot.keydir, "test.private")
date_past = "19700101000001"
date_future = "20400101000000"
ZONE = "example.com"
KEYID = "712d0d0d57fa0aa006b5e20cd84e23941e5f3ab2"
WAIT_SIGN = 2
#
......@@ -79,37 +68,37 @@ WAIT_SIGN = 2
check_log("Common cases")
# key not published, not active
key_settime(key_file, Publish=date_future, Activate=date_future)
key_set(knot, ZONE, KEYID, publish="+10y", active="+10y")
t.start()
t.sleep(WAIT_SIGN)
check_zone(knot, False, False, "not published, not active")
# key published, not active
key_settime(key_file, Publish=date_past)
key_set(knot, ZONE, KEYID, publish="-10y")
knot.reload()
t.sleep(WAIT_SIGN)
check_zone(knot, True, False, "published, not active")
# key published, active
key_settime(key_file, Activate=date_past)
key_set(knot, ZONE, KEYID, active="-10y")
knot.reload()
t.sleep(WAIT_SIGN)
check_zone(knot, True, True, "published, active")
# key published, inactive
key_settime(key_file, Inactive=date_past)
key_set(knot, ZONE, KEYID, retire="-10y")
knot.reload()
t.sleep(WAIT_SIGN)
check_zone(knot, True, False, "published, inactive")
# key deleted, inactive
key_settime(key_file, Delete=date_past)
key_set(knot, ZONE, KEYID, remove="-10y")
knot.reload()
t.sleep(WAIT_SIGN)
check_zone(knot, False, False, "deleted, inactive")
# key not published, active (algorithm rotation)
key_settime(key_file, Publish=date_future, Activate=date_past, Inactive=None, Delete=None)
key_set(knot, ZONE, KEYID, publish="+10y", active="-10y", retire="0", remove="0")
knot.reload()
t.sleep(WAIT_SIGN)
check_zone(knot, False, True, "not published, active")
......@@ -122,7 +111,7 @@ check_log("Planned events")
# key about to be published
event_in = 7
key_settime(key_file, Publish=date_offset(event_in), Activate=date_future, Inactive=None, Delete=None)
key_set(knot, ZONE, KEYID, publish=("+%d" % event_in), active="+10y", retire="0", remove="0")
knot.reload()
t.sleep(WAIT_SIGN)
check_zone(knot, False, False, "to be published - pre")
......@@ -130,7 +119,7 @@ t.sleep(event_in)
check_zone(knot, True, False, "to be published - post")
# key about to be activated
key_settime(key_file, Publish=date_past, Activate=date_offset(event_in), Inactive=None, Delete=None)
key_set(knot, ZONE, KEYID, publish="-10y", active=("+%d" % event_in), retire="0", remove="0")
knot.reload()
t.sleep(WAIT_SIGN)
check_zone(knot, True, False, "to be activated - pre")
......@@ -138,7 +127,7 @@ t.sleep(event_in)
check_zone(knot, True, True, "to be activated - post")
#key about to be inactivated
key_settime(key_file, Publish=date_past, Activate=date_past, Inactive=date_offset(event_in), Delete=None)
key_set(knot, ZONE, KEYID, publish="-10y", active="-10y", retire=("+%d" % event_in), remove="0")
knot.reload()
t.sleep(WAIT_SIGN)
check_zone(knot, True, True, "to be inactivated - pre")
......@@ -146,7 +135,7 @@ t.sleep(event_in)
check_zone(knot, True, False, "to be inactivated - post")
#key about to be deleted
key_settime(key_file, Publish=date_past, Activate=date_past, Inactive=date_past, Delete=date_offset(event_in))
key_set(knot, ZONE, KEYID, publish="-10y", active="-10y", retire="-10y", remove=("+%d" % event_in))
knot.reload()
t.sleep(WAIT_SIGN)
check_zone(knot, True, False, "to be deleted - pre")
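Review bot: In the first hunk, `keymgr` calls `subprocess.Popen` without `stdout=subprocess.PIPE` or `stderr=subprocess.PIPE`, so `communicate()` returns `(None, None)` and the `stdout`/`stderr` it hands back are always `None`. As a result, `key_set` can only raise the fixed `Failed("Unable to modify key timing values.")`, which does not show why the key-timing change was rejected. I would open the process with `stdout=subprocess.PIPE, stderr=subprocess.PIPE` and put the exit code and captured stderr into the message, for example `raise Failed("keymgr exited %d: %s" % (exitcode, stderr))`. Passing the arguments as a list with no shell is the right choice and should stay. The page has lost its `+`/`-` markers, so `import datetime` (and possibly `import collections`) only appears to be unused now that `date_offset` and `key_settime` look removed; worth confirming against the full file.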
......