Fix ECDSA algorithms
Current code was completely wrong, so validation of ECDSA didn't work. The new tests now works, the old one now doesn't
This commit is contained in:
parent
643720d10d
commit
6ecd49ff89
166
dnssec_test.go
166
dnssec_test.go
|
@ -6,6 +6,7 @@ package dns
|
|||
|
||||
import (
|
||||
"crypto/rsa"
|
||||
"reflect"
|
||||
"strings"
|
||||
"testing"
|
||||
"time"
|
||||
|
@ -429,14 +430,14 @@ PrivateKey: WURgWHCcYIYUPWgeLmiPY2DJJk02vgrmTfitxgqcL4vwW7BOrbawVmVe0d9V94SR`
|
|||
if err != nil {
|
||||
t.Fatal(err.Error())
|
||||
}
|
||||
// // Create seperate test for this
|
||||
// ds := eckey.(*DNSKEY).ToDS(SHA384)
|
||||
// if ds.KeyTag != 10771 {
|
||||
// t.Fatal("wrong keytag on DS")
|
||||
// }
|
||||
// if ds.Digest != "72d7b62976ce06438e9c0bf319013cf801f09ecc84b8d7e9495f27e305c6a9b0563a9b5f4d288405c3008a946df983d6" {
|
||||
// t.Fatal("wrong DS Digest")
|
||||
// }
|
||||
// // Create seperate test for this
|
||||
// ds := eckey.(*DNSKEY).ToDS(SHA384)
|
||||
// if ds.KeyTag != 10771 {
|
||||
// t.Fatal("wrong keytag on DS")
|
||||
// }
|
||||
// if ds.Digest != "72d7b62976ce06438e9c0bf319013cf801f09ecc84b8d7e9495f27e305c6a9b0563a9b5f4d288405c3008a946df983d6" {
|
||||
// t.Fatal("wrong DS Digest")
|
||||
// }
|
||||
a, _ := NewRR("www.example.net. 3600 IN A 192.0.2.1")
|
||||
sig := new(RRSIG)
|
||||
sig.Hdr = RR_Header{"example.net.", TypeRRSIG, ClassINET, 14400, 0}
|
||||
|
@ -495,3 +496,152 @@ func TestSignVerifyECDSA2(t *testing.T) {
|
|||
t.Fatal("failure to validate")
|
||||
}
|
||||
}
|
||||
|
||||
// rfc6605 6.1
|
||||
func TestRFC6605P256(t *testing.T) {
|
||||
exDNSKEY := `example.net. 3600 IN DNSKEY 257 3 13 (
|
||||
GojIhhXUN/u4v54ZQqGSnyhWJwaubCvTmeexv7bR6edb
|
||||
krSqQpF64cYbcB7wNcP+e+MAnLr+Wi9xMWyQLc8NAA== )`
|
||||
exPriv := `Private-key-format: v1.2
|
||||
Algorithm: 13 (ECDSAP256SHA256)
|
||||
PrivateKey: GU6SnQ/Ou+xC5RumuIUIuJZteXT2z0O/ok1s38Et6mQ=`
|
||||
rrDNSKEY, err := NewRR(exDNSKEY)
|
||||
if err != nil {
|
||||
t.Fatal(err.Error())
|
||||
}
|
||||
priv, err := rrDNSKEY.(*DNSKEY).NewPrivateKey(exPriv)
|
||||
if err != nil {
|
||||
t.Fatal(err.Error())
|
||||
}
|
||||
|
||||
exDS := `example.net. 3600 IN DS 55648 13 2 (
|
||||
b4c8c1fe2e7477127b27115656ad6256f424625bf5c1
|
||||
e2770ce6d6e37df61d17 )`
|
||||
rrDS, err := NewRR(exDS)
|
||||
if err != nil {
|
||||
t.Fatal(err.Error())
|
||||
}
|
||||
ourDS := rrDNSKEY.(*DNSKEY).ToDS(SHA256)
|
||||
if !reflect.DeepEqual(ourDS, rrDS.(*DS)) {
|
||||
t.Errorf("DS record differs:\n%v\n%v\n", ourDS, rrDS.(*DS))
|
||||
}
|
||||
|
||||
exA := `www.example.net. 3600 IN A 192.0.2.1`
|
||||
exRRSIG := `www.example.net. 3600 IN RRSIG A 13 3 3600 (
|
||||
20100909100439 20100812100439 55648 example.net.
|
||||
qx6wLYqmh+l9oCKTN6qIc+bw6ya+KJ8oMz0YP107epXA
|
||||
yGmt+3SNruPFKG7tZoLBLlUzGGus7ZwmwWep666VCw== )`
|
||||
rrA, err := NewRR(exA)
|
||||
if err != nil {
|
||||
t.Fatal(err.Error())
|
||||
}
|
||||
rrRRSIG, err := NewRR(exRRSIG)
|
||||
if err != nil {
|
||||
t.Fatal(err.Error())
|
||||
}
|
||||
if err = rrRRSIG.(*RRSIG).Verify(rrDNSKEY.(*DNSKEY), []RR{rrA}); err != nil {
|
||||
t.Errorf("Failure to validate the spec RRSIG: %v", err)
|
||||
}
|
||||
|
||||
ourRRSIG := &RRSIG{
|
||||
Hdr: RR_Header{
|
||||
Ttl: rrA.Header().Ttl,
|
||||
},
|
||||
KeyTag: rrDNSKEY.(*DNSKEY).KeyTag(),
|
||||
SignerName: rrDNSKEY.(*DNSKEY).Hdr.Name,
|
||||
Algorithm: rrDNSKEY.(*DNSKEY).Algorithm,
|
||||
}
|
||||
ourRRSIG.Expiration, _ = StringToTime("20100909100439")
|
||||
ourRRSIG.Inception, _ = StringToTime("20100812100439")
|
||||
err = ourRRSIG.Sign(priv, []RR{rrA})
|
||||
if err != nil {
|
||||
t.Fatal(err.Error())
|
||||
}
|
||||
|
||||
if err = ourRRSIG.Verify(rrDNSKEY.(*DNSKEY), []RR{rrA}); err != nil {
|
||||
t.Errorf("Failure to validate our RRSIG: %v", err)
|
||||
}
|
||||
|
||||
// Signatures are randomized
|
||||
rrRRSIG.(*RRSIG).Signature = ""
|
||||
ourRRSIG.Signature = ""
|
||||
if !reflect.DeepEqual(ourRRSIG, rrRRSIG.(*RRSIG)) {
|
||||
t.Fatalf("RRSIG record differs:\n%v\n%v\n", ourRRSIG, rrRRSIG.(*RRSIG))
|
||||
}
|
||||
}
|
||||
|
||||
// rfc6605 6.2
|
||||
func TestRFC6605P384(t *testing.T) {
|
||||
exDNSKEY := `example.net. 3600 IN DNSKEY 257 3 14 (
|
||||
xKYaNhWdGOfJ+nPrL8/arkwf2EY3MDJ+SErKivBVSum1
|
||||
w/egsXvSADtNJhyem5RCOpgQ6K8X1DRSEkrbYQ+OB+v8
|
||||
/uX45NBwY8rp65F6Glur8I/mlVNgF6W/qTI37m40 )`
|
||||
exPriv := `Private-key-format: v1.2
|
||||
Algorithm: 14 (ECDSAP384SHA384)
|
||||
PrivateKey: WURgWHCcYIYUPWgeLmiPY2DJJk02vgrmTfitxgqcL4vwW7BOrbawVmVe0d9V94SR`
|
||||
rrDNSKEY, err := NewRR(exDNSKEY)
|
||||
if err != nil {
|
||||
t.Fatal(err.Error())
|
||||
}
|
||||
priv, err := rrDNSKEY.(*DNSKEY).NewPrivateKey(exPriv)
|
||||
if err != nil {
|
||||
t.Fatal(err.Error())
|
||||
}
|
||||
|
||||
exDS := `example.net. 3600 IN DS 10771 14 4 (
|
||||
72d7b62976ce06438e9c0bf319013cf801f09ecc84b8
|
||||
d7e9495f27e305c6a9b0563a9b5f4d288405c3008a94
|
||||
6df983d6 )`
|
||||
rrDS, err := NewRR(exDS)
|
||||
if err != nil {
|
||||
t.Fatal(err.Error())
|
||||
}
|
||||
ourDS := rrDNSKEY.(*DNSKEY).ToDS(SHA384)
|
||||
if !reflect.DeepEqual(ourDS, rrDS.(*DS)) {
|
||||
t.Fatalf("DS record differs:\n%v\n%v\n", ourDS, rrDS.(*DS))
|
||||
}
|
||||
|
||||
exA := `www.example.net. 3600 IN A 192.0.2.1`
|
||||
exRRSIG := `www.example.net. 3600 IN RRSIG A 14 3 3600 (
|
||||
20100909102025 20100812102025 10771 example.net.
|
||||
/L5hDKIvGDyI1fcARX3z65qrmPsVz73QD1Mr5CEqOiLP
|
||||
95hxQouuroGCeZOvzFaxsT8Glr74hbavRKayJNuydCuz
|
||||
WTSSPdz7wnqXL5bdcJzusdnI0RSMROxxwGipWcJm )`
|
||||
rrA, err := NewRR(exA)
|
||||
if err != nil {
|
||||
t.Fatal(err.Error())
|
||||
}
|
||||
rrRRSIG, err := NewRR(exRRSIG)
|
||||
if err != nil {
|
||||
t.Fatal(err.Error())
|
||||
}
|
||||
if err = rrRRSIG.(*RRSIG).Verify(rrDNSKEY.(*DNSKEY), []RR{rrA}); err != nil {
|
||||
t.Errorf("Failure to validate the spec RRSIG: %v", err)
|
||||
}
|
||||
|
||||
ourRRSIG := &RRSIG{
|
||||
Hdr: RR_Header{
|
||||
Ttl: rrA.Header().Ttl,
|
||||
},
|
||||
KeyTag: rrDNSKEY.(*DNSKEY).KeyTag(),
|
||||
SignerName: rrDNSKEY.(*DNSKEY).Hdr.Name,
|
||||
Algorithm: rrDNSKEY.(*DNSKEY).Algorithm,
|
||||
}
|
||||
ourRRSIG.Expiration, _ = StringToTime("20100909102025")
|
||||
ourRRSIG.Inception, _ = StringToTime("20100812102025")
|
||||
err = ourRRSIG.Sign(priv, []RR{rrA})
|
||||
if err != nil {
|
||||
t.Fatal(err.Error())
|
||||
}
|
||||
|
||||
if err = ourRRSIG.Verify(rrDNSKEY.(*DNSKEY), []RR{rrA}); err != nil {
|
||||
t.Errorf("Failure to validate our RRSIG: %v", err)
|
||||
}
|
||||
|
||||
// Signatures are randomized
|
||||
rrRRSIG.(*RRSIG).Signature = ""
|
||||
ourRRSIG.Signature = ""
|
||||
if !reflect.DeepEqual(ourRRSIG, rrRRSIG.(*RRSIG)) {
|
||||
t.Fatalf("RRSIG record differs:\n%v\n%v\n", ourRRSIG, rrRRSIG.(*RRSIG))
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue