autosign: use FIPS compatible algorithms and key sizes
The nsec-only.example zone was not converted, as we use it to test that converting a zone signed with NSEC-only DNSSEC algorithms to NSEC3 fails. That subtest is skipped in FIPS mode. Update the "checking revoked key with duplicate key ID" test to use a FIPS compatible algorithm. (cherry picked from commit 99ad09975e07cce3cadf7b6b75cda745e72d87a0)
This commit is contained in:
parent
e6d1117891
commit
77e0878444
12 changed files with 65 additions and 60 deletions
|
|
@ -1,5 +0,0 @@
|
|||
; This is a key-signing key, keyid 30676, for bar.
|
||||
; Created: Sat Dec 26 03:13:10 2009
|
||||
; Publish: Sat Dec 26 03:13:10 2009
|
||||
; Activate: Sat Dec 26 03:13:10 2009
|
||||
bar. IN DNSKEY 257 3 5 AwEAAc7ppysDZjlldTwsvcXcTTOYJd5TvW5RUWWYKRsee+ozwY6C7vNI 0Xp1PiY+H31GhcnNMCjQU00y8Vezo42oJ4kpRTDevL0STksExXi1/wG+ M4j1CFMh2wgJ/9XLFzHaEWzt4sflVBAVZVXa/qNkRWDXYjsr30MWyylA wHCIxEuyA+NxAL6UL+ZuFo1j84AvfwkGcMbXTcOBSCaHT6AJToSXAcCa X4fnKJIzG4RyJoN2GK4TVdj4qSzLxL1lRkYHNqJvcmMjezxUs9A5fHNI iBEBRPs7NKrQJxegAGVn9ALylKHyhJW6uyBjleOWUDom4ej2J1vGrpQT /KCA35toCvU=
|
||||
|
|
@ -1,13 +0,0 @@
|
|||
Private-key-format: v1.3
|
||||
Algorithm: 5 (RSASHA1)
|
||||
Modulus: zumnKwNmOWV1PCy9xdxNM5gl3lO9blFRZZgpGx576jPBjoLu80jRenU+Jj4ffUaFyc0wKNBTTTLxV7OjjagniSlFMN68vRJOSwTFeLX/Ab4ziPUIUyHbCAn/1csXMdoRbO3ix+VUEBVlVdr+o2RFYNdiOyvfQxbLKUDAcIjES7ID43EAvpQv5m4WjWPzgC9/CQZwxtdNw4FIJodPoAlOhJcBwJpfh+cokjMbhHImg3YYrhNV2PipLMvEvWVGRgc2om9yYyN7PFSz0Dl8c0iIEQFE+zs0qtAnF6AAZWf0AvKUofKElbq7IGOV45ZQOibh6PYnW8aulBP8oIDfm2gK9Q==
|
||||
PublicExponent: AQAB
|
||||
PrivateExponent: BcfjYsFCjuH1x4ucdbW09ncOv8ppJXbiJkt9AoP0hFOT2c5wrJ1hNOGnrdvYd2CMBlpUOR+w5BxDP+cF78Q97ogXpcjjTwj+5PuqJLg4+qx8thvacrAkdXIKEsgMytjD2d4/ksQmeBiQ7zgiGyCHC7CYzvxnzXEKlgl4FuzLRy4SH1YiSTxKfw1ANKKHxmw8Xvav9ljubrzNdBEQNs6eJNkC6c3aGqiPFyTWGa90s6t1mwTXSxFqBUR1WlbfyYfuiAK2CAvFHeNo7VuC934ri7ceEq8jeOSuY0IqDq2pA3gVWVOyR4NFLXJWeDA3pjqi109t/WGg9IGydD/hsleP4Q==
|
||||
Prime1: /hz+WxAL+9bO1l/857ME/OhxImSp86Xi7eA920sAo5ukOIQAQ6hbaKemYxyUbwBmGHEX9d0GOU+xAgZWUU9PbZgXw0fdf+uw6Hrgfce0rWY+uJpUcVHfjLPFgMC/XYrfcVQ8tsCXqRsIbqL+ynsEkQ4vybLhlSAyFqGqYFk/Qt0=
|
||||
Prime2: 0HLxXynoSxUcNW15cbuMRHD34ri8sUQsqCtezofPWcCo/17jqf42W7X9YGO70+BvmG3awSr3LaLf862ovCR5+orwE2MqamAV6JZMyR7nvMNGSHTdg3Kk7Jv7T5Gu7Cg6K+on8pMRW3aIms4gs/Z16j0Gxz74ES9IP3vsvC+q6vk=
|
||||
Exponent1: NLeXHRUrJ0fdCSRIt1iwRDeEoPn5OA7GEUtgCcp5i3eSjhb0ZxTaQc/l+NHJCW4vwApWSi9cRy99LUpbResKM1ZGN8EE9rDStqgnQnDXztFTWcDKm+e8VNhGtPtHuARDbqNnJRK3Y+Gz0iAGc8Mpo14qE9IEcoeHXKKVUf+x3BE=
|
||||
Exponent2: dKCbJB+SdM/u5IXH+TZyGKkMSLIMATKfucfqV6vs+86rv5Yb0zUEvPNqPNAQe0+LoMF2L7YWblY+71wumHXgOaobAP3u8W2pVGUjuTOtfRPU8x1QAwfV9vye87oTINaxFXkBuNtITuBXNiY2bfprpw9WB4zXxuWpiruPjQsumiE=
|
||||
Coefficient: qk8HX5fy74Sx6z3niBfTM/SUEjcsnJCTTmsXy6e7nOXWBK5ihKkmMw7LDhaY4OwjXvaVQH0Z190dfyOkWYTbXInIyNNnqCD+xZXkuzuvsUwLNgvXEFhVnzrrj3ozNiizZsyeAhFCKcITz3ci15HB3y8ZLChGYBPFU1ui7MsSkc8=
|
||||
Created: 20091226021310
|
||||
Publish: 20091226021310
|
||||
Activate: 20091226021310
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
; This is a key-signing key, keyid 30804, for bar.
|
||||
; Created: Sat Dec 26 03:13:10 2009
|
||||
; Publish: Sat Dec 26 03:13:10 2009
|
||||
; Activate: Sat Dec 26 03:13:10 2009
|
||||
bar. IN DNSKEY 257 3 5 AwEAgc7ppysDZjlldTwsvcXcTTOYJd5TvW5RUWWYKRsee+ozwY6C7vNI 0Xp1PiY+H31GhcnNMCjQU00y8Vezo42oJ4kpRTDevL0STksExXi1/wG+ M4j1CFMh2wgJ/9XLFzHaEWzt4sflVBAVZVXa/qNkRWDXYjsr30MWyylA wHCIxEuyA+NxAL6UL+ZuFo1j84AvfwkGcMbXTcOBSCaHT6AJToSXAcCa X4fnKJIzG4RyJoN2GK4TVdj4qSzLxL1lRkYHNqJvcmMjezxUs9A5fHNI iBEBRPs7NKrQJxegAGVn9ALylKHyhJW6uyBjleOWUDom4ej2J1vGrpQT /KCA35toCvU=
|
||||
|
|
@ -1,13 +0,0 @@
|
|||
Private-key-format: v1.3
|
||||
Algorithm: 5 (RSASHA1)
|
||||
Modulus: zumnKwNmOWV1PCy9xdxNM5gl3lO9blFRZZgpGx576jPBjoLu80jRenU+Jj4ffUaFyc0wKNBTTTLxV7OjjagniSlFMN68vRJOSwTFeLX/Ab4ziPUIUyHbCAn/1csXMdoRbO3ix+VUEBVlVdr+o2RFYNdiOyvfQxbLKUDAcIjES7ID43EAvpQv5m4WjWPzgC9/CQZwxtdNw4FIJodPoAlOhJcBwJpfh+cokjMbhHImg3YYrhNV2PipLMvEvWVGRgc2om9yYyN7PFSz0Dl8c0iIEQFE+zs0qtAnF6AAZWf0AvKUofKElbq7IGOV45ZQOibh6PYnW8aulBP8oIDfm2gK9Q==
|
||||
PublicExponent: AQCB
|
||||
PrivateExponent: I5TcRq2sbSi1u5a+jL6VVBBu3nyY7p3NXeD1WYYYD66b8RWbgJdTtsZxgixD5sKKrW/xT68d3FUsIjs36w7yp5+g99q7lJ3v35VcMuLXbaKitS/LJdTZF/GIWwRs+DHdt+chh0QeNLzclq8ZfBeTAycFxwC7zVDLsqqcL6/JHiJhHT+dNEqj6/AIOgSYJzVeBI34LtZLW94IKf4dHLzREnLK6+64PFjpwjOG12O9klKfwHRIRN9WUsDG4AuzDSABH+qo2Zc6uJusC/D6HADbiG7tXmLYL6IxanWTbTrx4Hfp01fF+JQCuyOCRmN47X/nCumvDXKMn9Ve5+OlYi0vAQ==
|
||||
Prime1: /hz+WxAL+9bO1l/857ME/OhxImSp86Xi7eA920sAo5ukOIQAQ6hbaKemYxyUbwBmGHEX9d0GOU+xAgZWUU9PbZgXw0fdf+uw6Hrgfce0rWY+uJpUcVHfjLPFgMC/XYrfcVQ8tsCXqRsIbqL+ynsEkQ4vybLhlSAyFqGqYFk/Qt0=
|
||||
Prime2: 0HLxXynoSxUcNW15cbuMRHD34ri8sUQsqCtezofPWcCo/17jqf42W7X9YGO70+BvmG3awSr3LaLf862ovCR5+orwE2MqamAV6JZMyR7nvMNGSHTdg3Kk7Jv7T5Gu7Cg6K+on8pMRW3aIms4gs/Z16j0Gxz74ES9IP3vsvC+q6vk=
|
||||
Exponent1: JDLRyjRz53hTP7H2oaKgQYADs/UDswN2lwWpuag0wsPwQmeRAZZY2TiISPSu+3Mvh4XJ6r5UHQd5FbAN1v2mG4aYgWwoYwoxyvdTLcnQXciX2z+7877GcEyKHPno4fYXRqhVH4i1QjKaQl8dw9LFvzbVvGvvwsHGwQeqPprw7hk=
|
||||
Exponent2: vbnob7AZKqKhiVdEcnnhbeZBGcaKkTpE+RAkUL7spNQDiTPvJgo5fcTk/h6G7ijAXK0j62ZHZ3RS7RnaRa+KhO7usPcYMFiJ/VdAyRlIivhyi+WNQ2x4vSygwDy2VV9elljFeNe4dV1Cb+ssE8kAmbP52JjJD6MkhvVLd0u/jMk=
|
||||
Coefficient: qk8HX5fy74Sx6z3niBfTM/SUEjcsnJCTTmsXy6e7nOXWBK5ihKkmMw7LDhaY4OwjXvaVQH0Z190dfyOkWYTbXInIyNNnqCD+xZXkuzuvsUwLNgvXEFhVnzrrj3ozNiizZsyeAhFCKcITz3ci15HB3y8ZLChGYBPFU1ui7MsSkc8=
|
||||
Created: 20091226021310
|
||||
Publish: 20091226021310
|
||||
Activate: 20091226021310
|
||||
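--- /dev/null
+++ b/bin/tests/system/autosign/ns2/Xbar.+013+59973.key
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 59973, for bar.
+; Created: 20220623022335 (Thu Jun 23 12:23:35 2022)
+; Publish: 20220623022335 (Thu Jun 23 12:23:35 2022)
+; Activate: 20220623022335 (Thu Jun 23 12:23:35 2022)
+bar. IN DNSKEY 257 3 13 QT6CpMaV4BT072+NaKLY5H01Mj2r1MOgsxgoiTAq1Fbf6rrkEWpnbktu Dh9Ol9kuzcUrefxDuxNwsXJu3iDPxw==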
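--- /dev/null
+++ b/bin/tests/system/autosign/ns2/Xbar.+013+59973.private
@@ -0,0 +1,6 @@
+Private-key-format: v1.3
+Algorithm: 13 (ECDSAP256SHA256)
+PrivateKey: joFZ8vCdyqkgMb6rZ0zanrdrzOSCg1GyEJV6tp5F+Bw=
+Created: 20220623022335
+Publish: 20220623022335
+Activate: 20220623022335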
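--- /dev/null
+++ b/bin/tests/system/autosign/ns2/Xbar.+013+60101.key
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 60101, for bar.
+; Created: 20220623022331 (Thu Jun 23 12:23:31 2022)
+; Publish: 20220623022331 (Thu Jun 23 12:23:31 2022)
+; Activate: 20220623022331 (Thu Jun 23 12:23:31 2022)
+bar. IN DNSKEY 257 3 13 dLGGOAE5uJd53Gci9MdymaRTMwsXVn13j05IfGJoVt9ucpeXpoIKVViX JNVE/uO4eJvkHycdEAvdVUWcslEmMQ==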
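--- /dev/null
+++ b/bin/tests/system/autosign/ns2/Xbar.+013+60101.private
@@ -0,0 +1,6 @@
+Private-key-format: v1.3
+Algorithm: 13 (ECDSAP256SHA256)
+PrivateKey: pTTXxZUTzeVBXHMUJxTMxjh9yU4oxDtEhEvpkj+olf0=
+Created: 20220623022331
+Publish: 20220623022331
+Activate: 20220623022331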
|
|
@ -49,10 +49,10 @@ zone=bar
|
|||
zonefile="${zone}.db"
|
||||
infile="${zonefile}.in"
|
||||
cat $infile > $zonefile
|
||||
for i in Xbar.+005+30676.key Xbar.+005+30804.key Xbar.+005+30676.private \
|
||||
Xbar.+005+30804.private
|
||||
for i in Xbar.+013+59973.key Xbar.+013+59973.private \
|
||||
Xbar.+013+60101.key Xbar.+013+60101.private
|
||||
do
|
||||
cp $i $(echo $i | sed s/X/K/)
|
||||
cp $i $(echo $i | sed s/X/K/)
|
||||
done
|
||||
$KEYGEN -a RSASHA1 -q $zone > /dev/null
|
||||
$DSFROMKEY Kbar.+005+30804.key > dsset-bar$TP
|
||||
$KEYGEN -a ECDSAP256SHA256 -q $zone > /dev/null
|
||||
$DSFROMKEY Kbar.+013+60101.key > dsset-bar$TP
|
||||
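Review bot: `$KEYGEN -a ECDSAP256SHA256 -q $zone > /dev/null` on the new side still discards output and never checks the exit status, so a key-generation failure (for example an algorithm or key size rejected by the crypto provider) only shows up later as a missing key during signing; the ns3 sign.sh hunks in this same commit use `$KEYGEN ... > kg.out 2>&1 || dumpit kg.out`, and this line should follow that pattern if a `dumpit` helper is available in this script (its definition is outside the hunk). The loop body `cp $i $(echo $i | sed s/X/K/)`, unchanged apart from whitespace, could be `cp "$i" "K${i#X}"` since the fixture names are fixed, dropping the subshell and the unquoted expansions. Note that the Xbar.+013+59973/60101 files are checked-in fixtures whose key IDs are also hardcoded in tests.sh (`id=59973`, `rid=60101`), so regenerating them means updating both places.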
|
|
|
|||
|
|
@ -140,7 +140,7 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|||
setup rsasha256.example
|
||||
cp $infile $zonefile
|
||||
ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -fk $zone 2> kg.out) || dumpit kg.out
|
||||
$KEYGEN -q -a RSASHA256 -b 1024 $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -q -a RSASHA256 -b 2048 $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||
|
||||
#
|
||||
|
|
@ -149,17 +149,24 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
|
|||
setup rsasha512.example
|
||||
cp $infile $zonefile
|
||||
ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -fk $zone 2> kg.out) || dumpit kg.out
|
||||
$KEYGEN -q -a RSASHA512 -b 1024 $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -q -a RSASHA512 -b 2048 $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||
|
||||
#
|
||||
# NSEC-only zone. A zone using NSEC-only DNSSEC algorithms.
|
||||
# None of these algorithms are supported for signing in FIPS mode
|
||||
# as they are MD5 and SHA1 based.
|
||||
#
|
||||
setup nsec-only.example
|
||||
cp $infile $zonefile
|
||||
ksk=$($KEYGEN -q -a RSASHA1 -fk $zone 2> kg.out) || dumpit kg.out
|
||||
$KEYGEN -q -a RSASHA1 $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||
if (cd ..; SYSTEMTESTTOP=.. $SHELL ../testcrypto.sh -q RSASHA1)
|
||||
then
|
||||
setup nsec-only.example
|
||||
cp $infile $zonefile
|
||||
ksk=$($KEYGEN -q -a RSASHA1 -fk $zone 2> kg.out) || dumpit kg.out
|
||||
$KEYGEN -q -a RSASHA1 $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$DSFROMKEY $ksk.key > dsset-${zone}$TP
|
||||
else
|
||||
echo_i "skip: nsec-only.example - signing with RSASHA1 not supported"
|
||||
fi
|
||||
|
||||
#
|
||||
# Signature refresh test zone. Signatures are set to expire long
|
||||
|
|
@ -171,7 +178,7 @@ count=1
|
|||
while [ $count -le 1000 ]
|
||||
do
|
||||
echo "label${count} IN TXT label${count}" >> $zonefile
|
||||
count=$(expr $count + 1)
|
||||
count=$((count + 1))
|
||||
done
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out
|
||||
|
|
@ -182,8 +189,8 @@ mv $zonefile.signed $zonefile
|
|||
# NSEC3->NSEC transition test zone.
|
||||
#
|
||||
setup nsec3-to-nsec.example
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out
|
||||
$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out || dumpit s.out
|
||||
|
||||
#
|
||||
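Review bot: In the nsec-only.example hunk the probe `if (cd ..; SYSTEMTESTTOP=.. $SHELL ../testcrypto.sh -q RSASHA1)` still runs testcrypto.sh when `cd ..` fails, because the two commands are joined with `;`; writing `cd .. && SYSTEMTESTTOP=.. $SHELL ../testcrypto.sh -q RSASHA1` makes a wrong working directory fail the probe instead of resolving `../testcrypto.sh` from the wrong place. The skip branch leaves neither a zone file nor a dsset for nsec-only.example, so if ns3's named.conf (not visible here) still declares that zone unconditionally the server will report a load failure in FIPS mode; a comment at the `echo_i "skip: ..."` line such as `# no zone file is produced here in FIPS mode; tests.sh skips the matching checks` would make that intentional. The remaining hunks (RSASHA256/RSASHA512 `-b 1024` → `-b 2048`, `expr` → `$((count + 1))`, dropping `-b $DEFAULT_BITS`) look fine.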
|
|
|
|||
|
|
@ -305,14 +305,18 @@ update add optout.example. 3600 NSEC3PARAM 1 1 10 BEEF
|
|||
send
|
||||
END
|
||||
|
||||
# try to convert nsec-only.example; this should fail due to non-NSEC key
|
||||
echo_i "preset nsec3param in unsigned zone via nsupdate ($n)"
|
||||
$NSUPDATE > nsupdate.out 2>&1 <<END
|
||||
if $SHELL ../testcrypto.sh -q RSASHA1
|
||||
then
|
||||
# try to convert nsec-only.example; this should fail due to
|
||||
# non-NSEC3 compatible keys
|
||||
echo_i "preset nsec3param in unsigned zone via nsupdate ($n)"
|
||||
$NSUPDATE > nsupdate.out 2>&1 <<END
|
||||
server 10.53.0.3 ${PORT}
|
||||
zone nsec-only.example.
|
||||
update add nsec-only.example. 3600 NSEC3PARAM 1 0 10 BEEF
|
||||
send
|
||||
END
|
||||
fi
|
||||
|
||||
echo_i "checking for nsec3param in unsigned zone ($n)"
|
||||
ret=0
|
||||
|
|
@ -483,7 +487,12 @@ status=$((status + ret))
|
|||
|
||||
echo_i "checking NSEC->NSEC3 conversion failed with NSEC-only key ($n)"
|
||||
ret=0
|
||||
grep "failed: REFUSED" nsupdate.out > /dev/null || ret=1
|
||||
if $SHELL ../testcrypto.sh -q RSASHA1
|
||||
then
|
||||
grep "failed: REFUSED" nsupdate.out > /dev/null || ret=1
|
||||
else
|
||||
echo_i "skip: RSASHA1 not supported"
|
||||
fi
|
||||
n=$((n + 1))
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=$((status + ret))
|
||||
|
|
@ -1137,7 +1146,7 @@ oldserial=$($DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}')
|
|||
sleep 4
|
||||
|
||||
echo_i "revoking key to duplicated key ID"
|
||||
$SETTIME -R now -K ns2 Kbar.+005+30676.key > settime.out.test$n.3 || ret=1
|
||||
$SETTIME -R now -K ns2 Kbar.+013+59973.key > settime.out.test$n.3 || ret=1
|
||||
|
||||
($RNDCCMD 10.53.0.2 loadkeys bar. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
|
||||
|
||||
|
|
@ -1171,7 +1180,10 @@ checkprivate nsec3.example 10.53.0.3 || ret=1
|
|||
checkprivate nsec3.nsec3.example 10.53.0.3 || ret=1
|
||||
checkprivate nsec3.optout.example 10.53.0.3 || ret=1
|
||||
checkprivate nsec3-to-nsec.example 10.53.0.3 || ret=1
|
||||
checkprivate nsec-only.example 10.53.0.3 || ret=1
|
||||
if $SHELL ../testcrypto.sh -q RSASHA1
|
||||
then
|
||||
checkprivate nsec-only.example 10.53.0.3 || ret=1
|
||||
fi
|
||||
checkprivate oldsigs.example 10.53.0.3 || ret=1
|
||||
checkprivate optout.example 10.53.0.3 || ret=1
|
||||
checkprivate optout.nsec3.example 10.53.0.3 || ret=1
|
||||
|
|
@ -1304,8 +1316,8 @@ status=$((status + ret))
|
|||
|
||||
echo_i "checking revoked key with duplicate key ID ($n)"
|
||||
ret=0
|
||||
id=30676
|
||||
rid=30804
|
||||
id=59973
|
||||
rid=60101
|
||||
$DIG $DIGOPTS +multi dnskey bar @10.53.0.2 > dig.out.ns2.test$n || ret=1
|
||||
grep '; key id = '"$id"'$' dig.out.ns2.test$n > /dev/null && ret=1
|
||||
keys=$(grep '; key id = '"$rid"'$' dig.out.ns2.test$n | wc -l)
|
||||
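Review bot: The RSASHA1 availability probe `$SHELL ../testcrypto.sh -q RSASHA1` is now spawned three times (the nsupdate preset, the REFUSED check and the checkprivate loop); evaluating it once near the top of the script, e.g. `rsasha1_supported=0; $SHELL ../testcrypto.sh -q RSASHA1 && rsasha1_supported=1`, and testing `[ $rsasha1_supported = 1 ]` at each site keeps the three guards from drifting and avoids the repeated subshells. In the duplicate-key-ID hunk the new constants `id=59973` / `rid=60101` are 128 apart, exactly like the old 30676/30804 pair, because setting the REVOKE flag bit adds 128 to the DNSKEY key tag; a comment such as `# rid is id + 128: revoking the key sets the REVOKE bit, which bumps its key tag onto the other fixture's id` would make the dependency on the checked-in Xbar.+013 fixtures explicit. The enclosing test blocks start outside the hunks.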
|
|
|
|||
|
|
@ -27,7 +27,7 @@ while test "$#" -gt 0; do
|
|||
args="$args -q"
|
||||
quiet=1
|
||||
;;
|
||||
rsa|RSA)
|
||||
rsa|RSA|rsasha1|RSASHA1)
|
||||
alg="-a RSASHA1"
|
||||
msg="RSA cryptography"
|
||||
;;
|
||||
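Review bot: With `rsasha1|RSASHA1` added to the `rsa|RSA)` arm, the arm's `msg="RSA cryptography"` becomes misleading for callers that now ask specifically for RSASHA1, since in FIPS mode the algorithm is rejected because of SHA-1 rather than RSA; if `msg` is reported on failure (its use is outside the hunk), `msg="RSASHA1 (RSA with SHA-1) cryptography"` or a separate `rsasha1|RSASHA1)` arm would describe the actual constraint. The enclosing `while`/`case` starts before the hunk.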
|
|
|
|||