upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-02-27 03:51:16 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
bind9/bin/tests/system/rsabigexponent
History
Ondřej Surý f8e264ba6d
Remove the lock-file configuration and -X argument to named 
The lock-file configuration (both from configuration file and -X
argument to named) has better alternatives nowadays.  Modern process
supervisor should be used to ensure that a single named process is
running on a given configuration.

Alternatively, it's possible to wrap the named with flock(1).
2023-10-26 22:42:37 +02:00
..
conf Update the copyright information in all files in the repository 2022-01-11 09:05:02 +01:00
ns1 Reformat shell scripts with shfmt 2023-10-26 10:23:50 +02:00
ns2 Reformat shell scripts with shfmt 2023-10-26 10:23:50 +02:00
ns3 Rename system test directory with common files to _common 2023-09-19 13:29:27 +02:00
.gitignore Revert "Drop bigkey" 2020-11-10 17:34:05 +01:00
bigkey.c Clear OpenSSL error stack when exiting 2023-09-01 12:01:20 +10:00
clean.sh Remove the lock-file configuration and -X argument to named 2023-10-26 22:42:37 +02:00
README.md rsabigexponent: convert the test from RSASHA1 to RSASHA256 2022-08-09 16:22:19 +02:00
setup.sh Update the copyright information in all files in the repository 2022-01-11 09:05:02 +01:00
tests.sh Reformat shell scripts with shfmt 2023-10-26 10:23:50 +02:00
tests_sh_rsabigexponent.py Add pytest functions for shell system tests 2023-05-22 14:11:39 +02:00

README.md

Copyright (C) Internet Systems Consortium, Inc. ("ISC")

SPDX-License-Identifier: MPL-2.0

This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, you can obtain one at https://mozilla.org/MPL/2.0/.

See the COPYRIGHT file distributed with this work for additional information regarding copyright ownership.

The rsabigexponent test is used to check max-rsa-exponent-size.

We only run this test on builds without PKCS#11, as we have control over the RSA exponent size with plain OpenSSL. We have not explored how to do this with PKCS#11, which would require generating such a key and then signing a zone with it. Additionally, even with control of the exponent size with PKCS#11, generating a DNSKEY with this property and signing such a zone would be slow and undesirable for each test run; instead, we use a pregenerated DNSKEY and a saved signed zone. These are located in rsabigexponent/ns2 and currently use RSASHA1 for the DNSKEY algorithm; however, that may need to be changed in the future.

To generate the DNSKEY used in this test, we used bigkey.c, as dnssec-keygen is not capable of generating such keys.

Do not remove bigkey.c as it may be needed to generate a new DNSKEY for testing purposes.

bigkey is used to both test that we are not running under PKCS#11 and generate a DNSKEY key with a large RSA exponent.

To regenerate ns2/example.db.bad comment out the range test in opensslrsa_parse before signing the zone with a ZSK key generated by bigkey.

    if (BN_num_bits(e) > RSA_MAX_PUBEXP_BITS) {
            DST_RET(ISC_R_RANGE);
    }