diff options
Diffstat (limited to 'vendor/github.com/miekg/dns/dnssec_test.go')
-rw-r--r-- | vendor/github.com/miekg/dns/dnssec_test.go | 189 |
1 files changed, 189 insertions, 0 deletions
diff --git a/vendor/github.com/miekg/dns/dnssec_test.go b/vendor/github.com/miekg/dns/dnssec_test.go index d5de439ba..7cf7c417a 100644 --- a/vendor/github.com/miekg/dns/dnssec_test.go +++ b/vendor/github.com/miekg/dns/dnssec_test.go @@ -8,6 +8,8 @@ import ( "strings" "testing" "time" + + "golang.org/x/crypto/ed25519" ) func getKey() *DNSKEY { @@ -461,6 +463,55 @@ func TestSignVerifyECDSA2(t *testing.T) { } } +func TestSignVerifyEd25519(t *testing.T) { + srv1, err := NewRR("srv.miek.nl. IN SRV 1000 800 0 web1.miek.nl.") + if err != nil { + t.Fatal(err) + } + srv := srv1.(*SRV) + + // With this key + key := new(DNSKEY) + key.Hdr.Rrtype = TypeDNSKEY + key.Hdr.Name = "miek.nl." + key.Hdr.Class = ClassINET + key.Hdr.Ttl = 14400 + key.Flags = 256 + key.Protocol = 3 + key.Algorithm = ED25519 + privkey, err := key.Generate(256) + if err != nil { + t.Fatal("failure to generate key") + } + + // Fill in the values of the Sig, before signing + sig := new(RRSIG) + sig.Hdr = RR_Header{"miek.nl.", TypeRRSIG, ClassINET, 14400, 0} + sig.TypeCovered = srv.Hdr.Rrtype + sig.Labels = uint8(CountLabel(srv.Hdr.Name)) // works for all 3 + sig.OrigTtl = srv.Hdr.Ttl + sig.Expiration = 1296534305 // date -u '+%s' -d"2011-02-01 04:25:05" + sig.Inception = 1293942305 // date -u '+%s' -d"2011-01-02 04:25:05" + sig.KeyTag = key.KeyTag() // Get the keyfrom the Key + sig.SignerName = key.Hdr.Name + sig.Algorithm = ED25519 + + if sig.Sign(privkey.(ed25519.PrivateKey), []RR{srv}) != nil { + t.Fatal("failure to sign the record") + } + + err = sig.Verify(key, []RR{srv}) + if err != nil { + t.Logf("failure to validate:\n%s\n%s\n%s\n\n%s\n\n%v", + key.String(), + srv.String(), + sig.String(), + key.PrivateKeyString(privkey), + err, + ) + } +} + // Here the test vectors from the relevant RFCs are checked. // rfc6605 6.1 func TestRFC6605P256(t *testing.T) { @@ -590,6 +641,144 @@ PrivateKey: WURgWHCcYIYUPWgeLmiPY2DJJk02vgrmTfitxgqcL4vwW7BOrbawVmVe0d9V94SR` } } +// rfc8080 6.1 +func TestRFC8080Ed25519Example1(t *testing.T) { + exDNSKEY := `example.com. 3600 IN DNSKEY 257 3 15 ( + l02Woi0iS8Aa25FQkUd9RMzZHJpBoRQwAQEX1SxZJA4= )` + exPriv := `Private-key-format: v1.2 +Algorithm: 15 (ED25519) +PrivateKey: ODIyNjAzODQ2MjgwODAxMjI2NDUxOTAyMDQxNDIyNjI=` + rrDNSKEY, err := NewRR(exDNSKEY) + if err != nil { + t.Fatal(err) + } + priv, err := rrDNSKEY.(*DNSKEY).NewPrivateKey(exPriv) + if err != nil { + t.Fatal(err) + } + + exDS := `example.com. 3600 IN DS 3613 15 2 ( + 3aa5ab37efce57f737fc1627013fee07bdf241bd10f3b1964ab55c78e79 + a304b )` + rrDS, err := NewRR(exDS) + if err != nil { + t.Fatal(err) + } + ourDS := rrDNSKEY.(*DNSKEY).ToDS(SHA256) + if !reflect.DeepEqual(ourDS, rrDS.(*DS)) { + t.Fatalf("DS record differs:\n%v\n%v", ourDS, rrDS.(*DS)) + } + + exMX := `example.com. 3600 IN MX 10 mail.example.com.` + exRRSIG := `example.com. 3600 IN RRSIG MX 15 2 3600 ( + 1440021600 1438207200 3613 example.com. ( + oL9krJun7xfBOIWcGHi7mag5/hdZrKWw15jPGrHpjQeRAvTdszaPD+QLs3f + x8A4M3e23mRZ9VrbpMngwcrqNAg== ) )` + rrMX, err := NewRR(exMX) + if err != nil { + t.Fatal(err) + } + rrRRSIG, err := NewRR(exRRSIG) + if err != nil { + t.Fatal(err) + } + if err = rrRRSIG.(*RRSIG).Verify(rrDNSKEY.(*DNSKEY), []RR{rrMX}); err != nil { + t.Errorf("failure to validate the spec RRSIG: %v", err) + } + + ourRRSIG := &RRSIG{ + Hdr: RR_Header{ + Ttl: rrMX.Header().Ttl, + }, + KeyTag: rrDNSKEY.(*DNSKEY).KeyTag(), + SignerName: rrDNSKEY.(*DNSKEY).Hdr.Name, + Algorithm: rrDNSKEY.(*DNSKEY).Algorithm, + } + ourRRSIG.Expiration, _ = StringToTime("20150819220000") + ourRRSIG.Inception, _ = StringToTime("20150729220000") + err = ourRRSIG.Sign(priv.(ed25519.PrivateKey), []RR{rrMX}) + if err != nil { + t.Fatal(err) + } + + if err = ourRRSIG.Verify(rrDNSKEY.(*DNSKEY), []RR{rrMX}); err != nil { + t.Errorf("failure to validate our RRSIG: %v", err) + } + + if !reflect.DeepEqual(ourRRSIG, rrRRSIG.(*RRSIG)) { + t.Fatalf("RRSIG record differs:\n%v\n%v", ourRRSIG, rrRRSIG.(*RRSIG)) + } +} + +// rfc8080 6.1 +func TestRFC8080Ed25519Example2(t *testing.T) { + exDNSKEY := `example.com. 3600 IN DNSKEY 257 3 15 ( + zPnZ/QwEe7S8C5SPz2OfS5RR40ATk2/rYnE9xHIEijs= )` + exPriv := `Private-key-format: v1.2 +Algorithm: 15 (ED25519) +PrivateKey: DSSF3o0s0f+ElWzj9E/Osxw8hLpk55chkmx0LYN5WiY=` + rrDNSKEY, err := NewRR(exDNSKEY) + if err != nil { + t.Fatal(err) + } + priv, err := rrDNSKEY.(*DNSKEY).NewPrivateKey(exPriv) + if err != nil { + t.Fatal(err) + } + + exDS := `example.com. 3600 IN DS 35217 15 2 ( + 401781b934e392de492ec77ae2e15d70f6575a1c0bc59c5275c04ebe80c + 6614c )` + rrDS, err := NewRR(exDS) + if err != nil { + t.Fatal(err) + } + ourDS := rrDNSKEY.(*DNSKEY).ToDS(SHA256) + if !reflect.DeepEqual(ourDS, rrDS.(*DS)) { + t.Fatalf("DS record differs:\n%v\n%v", ourDS, rrDS.(*DS)) + } + + exMX := `example.com. 3600 IN MX 10 mail.example.com.` + exRRSIG := `example.com. 3600 IN RRSIG MX 15 2 3600 ( + 1440021600 1438207200 35217 example.com. ( + zXQ0bkYgQTEFyfLyi9QoiY6D8ZdYo4wyUhVioYZXFdT410QPRITQSqJSnzQ + oSm5poJ7gD7AQR0O7KuI5k2pcBg== ) )` + rrMX, err := NewRR(exMX) + if err != nil { + t.Fatal(err) + } + rrRRSIG, err := NewRR(exRRSIG) + if err != nil { + t.Fatal(err) + } + if err = rrRRSIG.(*RRSIG).Verify(rrDNSKEY.(*DNSKEY), []RR{rrMX}); err != nil { + t.Errorf("failure to validate the spec RRSIG: %v", err) + } + + ourRRSIG := &RRSIG{ + Hdr: RR_Header{ + Ttl: rrMX.Header().Ttl, + }, + KeyTag: rrDNSKEY.(*DNSKEY).KeyTag(), + SignerName: rrDNSKEY.(*DNSKEY).Hdr.Name, + Algorithm: rrDNSKEY.(*DNSKEY).Algorithm, + } + ourRRSIG.Expiration, _ = StringToTime("20150819220000") + ourRRSIG.Inception, _ = StringToTime("20150729220000") + err = ourRRSIG.Sign(priv.(ed25519.PrivateKey), []RR{rrMX}) + if err != nil { + t.Fatal(err) + } + + if err = ourRRSIG.Verify(rrDNSKEY.(*DNSKEY), []RR{rrMX}); err != nil { + t.Errorf("failure to validate our RRSIG: %v", err) + } + + if !reflect.DeepEqual(ourRRSIG, rrRRSIG.(*RRSIG)) { + t.Fatalf("RRSIG record differs:\n%v\n%v", ourRRSIG, rrRRSIG.(*RRSIG)) + } +} + func TestInvalidRRSet(t *testing.T) { goodRecords := make([]RR, 2) goodRecords[0] = &TXT{Hdr: RR_Header{Name: "name.cloudflare.com.", Rrtype: TypeTXT, Class: ClassINET, Ttl: 0}, Txt: []string{"Hello world"}} |