keymgr2kasp: use FIPS compliant algorithms and key sizes

migrate-nomatch-alglen: switched to RSASHA256 instead of RSASHA1
and the key size now changes from 2048 bits to 3072 bits instead
of 1024 bits to 2048 bits.

migrate-nomatch-algnum: switched to RSASHA256 instead of RSASHA1
as initial algorithm and adjusted mininum key size to 2048 bits.

rsasha256: adjusted minimum key size to 2048 bits.

(cherry picked from commit 048b0151665d6111bb61a98b349c510c36ed99f2)

bin/tests/system/keymgr2kasp/ns3/kasp.conf.in

@@ -63,15 +63,15 @@ dnssec-policy "migrate-nomatch-algnum" {
 };
 
 /*
- * This policy tests migration from existing keys with 1024 bits RSASHA1 keys
- * to 2048 bits RSASHA1 keys.
+ * This policy tests migration from existing keys with 2048 bits RSASHA256 keys
+ * to 3072 bits RSASHA256 keys.
  */
 dnssec-policy "migrate-nomatch-alglen" {
 	dnskey-ttl 300;
 
 	keys {
-		ksk key-directory lifetime unlimited algorithm rsasha1 2048;
-		zsk key-directory lifetime P60D algorithm rsasha1 2048;
+		ksk key-directory lifetime unlimited algorithm rsasha256 3072;
+		zsk key-directory lifetime P60D algorithm rsasha256 3072;
 	};
 
 	// Together 12h

bin/tests/system/keymgr2kasp/ns3/setup.sh

@@ -62,7 +62,7 @@ $SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
 
 # Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
 # time the existing keys do not match the policy.  The existing keys are
-# RSASHA1 keys, and will be migrated to a dnssec-policy that dictates
+# RSASHA256 keys, and will be migrated to a dnssec-policy that dictates
 # ECDSAP256SHA256 keys.
 setup migrate-nomatch-algnum.kasp
 echo "$zone" >> zones
@@ -71,8 +71,8 @@ Tkey="now-3900s" # DNSKEY TTL + propagation delay
 Tsig="now-12h"   # Zone's maximum TTL + propagation delay
 ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
 zsktimes="-P ${Tkey} -A ${Tsig}"
-KSK=$($KEYGEN -a RSASHA1 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300        $zsktimes $zone 2> keygen.out.$zone.2)
+KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300        $zsktimes $zone 2> keygen.out.$zone.2)
 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
 private_type_record $zone 5 "$KSK" >> "$infile"
 private_type_record $zone 5 "$ZSK" >> "$infile"
@@ -80,8 +80,8 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
 
 # Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
 # time the existing keys do not match the policy.  The existing keys are
-# 1024 bits RSASHA1 keys, and will be migrated to a dnssec-policy that
-# dictates 2048 bits RSASHA1 keys.
+# 2048 bits RSASHA256 keys, and will be migrated to a dnssec-policy that
+# dictates 3072 bits RSASHA256 keys.
 setup migrate-nomatch-alglen.kasp
 echo "$zone" >> zones
 Tds="now-3h"     # Time according to dnssec-policy that DS will be OMNIPRESENT
@@ -89,8 +89,8 @@ Tkey="now-3900s" # DNSKEY TTL + propagation delay
 Tsig="now-12h"   # Zone's maximum TTL + propagation delay
 ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
 zsktimes="-P ${Tkey} -A ${Tsig}"
-KSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300        $zsktimes $zone 2> keygen.out.$zone.2)
+KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300        $zsktimes $zone 2> keygen.out.$zone.2)
 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
 private_type_record $zone 5 "$KSK" >> "$infile"
 private_type_record $zone 5 "$ZSK" >> "$infile"

bin/tests/system/keymgr2kasp/ns4/named2.conf.in

@@ -37,7 +37,7 @@ controls {
 
 dnssec-policy "rsasha256" {
 	keys {
-		zsk key-directory lifetime P3M algorithm 8 1024;
+		zsk key-directory lifetime P3M algorithm 8 2048;
 		ksk key-directory lifetime P1Y algorithm 8 2048;
 	};
 

bin/tests/system/keymgr2kasp/ns4/setup.sh

@@ -33,7 +33,7 @@ echo "$zone" >> zones
 ksktimes="-P -186d -A -186d -P sync -186d"
 zsktimes="-P -186d -A -186d"
 KSK=$($KEYGEN -a $algo -L 300 -b 2048 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $algo -L 300 -b 1024        $zsktimes $zone 2> keygen.out.$zone.2)
+ZSK=$($KEYGEN -a $algo -L 300 -b 2048        $zsktimes $zone 2> keygen.out.$zone.2)
 
 echo_i "setting up zone $zone (external)"
 view="ext"

bin/tests/system/keymgr2kasp/tests.sh

@@ -278,7 +278,7 @@ set_zone "migrate-nomatch-algnum.kasp"
 set_policy "none" "2" "300"
 set_server "ns3" "10.53.0.3"
 
-init_migration_keys "5" "RSASHA1" "2048" "1024"
+init_migration_keys "8" "RSASHA256" "2048" "2048"
 init_migration_states "omnipresent" "omnipresent"
 
 # Make sure the zone is signed with legacy keys.
@@ -315,7 +315,7 @@ set_zone "migrate-nomatch-alglen.kasp"
 set_policy "none" "2" "300"
 set_server "ns3" "10.53.0.3"
 
-init_migration_keys "5" "RSASHA1" "1024" "1024"
+init_migration_keys "8" "RSASHA256" "2048" "2048"
 init_migration_states "omnipresent" "omnipresent"
 
 # Make sure the zone is signed with legacy keys.
@@ -567,7 +567,7 @@ set_policy "migrate-nomatch-algnum" "4" "300"
 set_server "ns3" "10.53.0.3"
 # The legacy keys need to be retired, but otherwise stay present until the
 # new keys are omnipresent, and can be used to construct a chain of trust.
-init_migration_keys "5" "RSASHA1" "2048" "1024"
+init_migration_keys "8" "RSASHA256" "2048" "2048"
 init_migration_states "hidden" "omnipresent"
 key_set "KEY1" "LEGACY" "no"
 key_set "KEY2" "LEGACY" "no"
@@ -683,20 +683,20 @@ set_server "ns3" "10.53.0.3"
 
 # The legacy keys need to be retired, but otherwise stay present until the
 # new keys are omnipresent, and can be used to construct a chain of trust.
-init_migration_keys "5" "RSASHA1" "1024" "1024"
+init_migration_keys "8" "RSASHA256" "2048" "2048"
 init_migration_states "hidden" "omnipresent"
 key_set "KEY1" "LEGACY" "no"
 key_set "KEY2" "LEGACY" "no"
 
 set_keyrole      "KEY3" "ksk"
 set_keylifetime  "KEY3" "0"
-set_keyalgorithm "KEY3" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY3" "8" "RSASHA256" "3072"
 set_keysigning   "KEY3" "yes"
 set_zonesigning  "KEY3" "no"
 
 set_keyrole      "KEY4" "zsk"
 set_keylifetime  "KEY4" "5184000"
-set_keyalgorithm "KEY4" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY4" "8" "RSASHA256" "3072"
 set_keysigning   "KEY4" "no"
 # This key is considered to be prepublished, so it is not yet signing.
 set_zonesigning  "KEY4" "no"
@@ -956,7 +956,7 @@ set_policy "rsasha256" "2" "300"
 set_server "ns4" "10.53.0.4"
 init_view_migration
 set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
-set_keyalgorithm "KEY2" "8" "RSASHA256" "1024"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
 TSIG="$DEFAULT_HMAC:external:$VIEW1"
 wait_for_nsec
 # Make sure the zone is signed with legacy keys.
@@ -986,7 +986,7 @@ set_policy "rsasha256" "2" "300"
 set_server "ns4" "10.53.0.4"
 init_view_migration
 set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
-set_keyalgorithm "KEY2" "8" "RSASHA256" "1024"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
 TSIG="$DEFAULT_HMAC:internal:$VIEW2"
 wait_for_nsec
 # Make sure the zone is signed with legacy keys.
@@ -1026,7 +1026,7 @@ echo_i "${time_passed} seconds passed between start of tests and reconfig"
 set_zone "view-rsasha256.kasp"
 set_policy "rsasha256" "3" "300"
 set_server "ns4" "10.53.0.4"
-init_migration_keys "8" "RSASHA256" "2048" "1024"
+init_migration_keys "8" "RSASHA256" "2048" "2048"
 init_migration_states "omnipresent" "rumoured"
 # Key properties, timings and metadata should be the same as legacy keys above.
 # However, because the keys have a lifetime, kasp will set the retired time.
@@ -1045,7 +1045,7 @@ set_keystate     "KEY2" "GOAL" "hidden"
 set_keystate     "KEY3" "GOAL" "omnipresent"
 set_keyrole      "KEY3" "zsk"
 set_keylifetime  "KEY3" "8035200"
-set_keyalgorithm "KEY3" "8" "RSASHA256" "1024"
+set_keyalgorithm "KEY3" "8" "RSASHA256" "2048"
 set_keysigning   "KEY3" "no"
 set_zonesigning  "KEY3" "no" # not yet
 set_keystate     "KEY3" "STATE_DNSKEY" "rumoured"