Fix ECDSA algorithms
Current code was completely wrong, so validation of ECDSA didn't work. The new tests now works, the old one now doesn't
This commit is contained in:
parent
643720d10d
commit
6ecd49ff89
166
dnssec_test.go
166
dnssec_test.go
|
@ -6,6 +6,7 @@ package dns
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"crypto/rsa"
|
"crypto/rsa"
|
||||||
|
"reflect"
|
||||||
"strings"
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
"time"
|
"time"
|
||||||
|
@ -429,14 +430,14 @@ PrivateKey: WURgWHCcYIYUPWgeLmiPY2DJJk02vgrmTfitxgqcL4vwW7BOrbawVmVe0d9V94SR`
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err.Error())
|
t.Fatal(err.Error())
|
||||||
}
|
}
|
||||||
// // Create seperate test for this
|
// // Create seperate test for this
|
||||||
// ds := eckey.(*DNSKEY).ToDS(SHA384)
|
// ds := eckey.(*DNSKEY).ToDS(SHA384)
|
||||||
// if ds.KeyTag != 10771 {
|
// if ds.KeyTag != 10771 {
|
||||||
// t.Fatal("wrong keytag on DS")
|
// t.Fatal("wrong keytag on DS")
|
||||||
// }
|
// }
|
||||||
// if ds.Digest != "72d7b62976ce06438e9c0bf319013cf801f09ecc84b8d7e9495f27e305c6a9b0563a9b5f4d288405c3008a946df983d6" {
|
// if ds.Digest != "72d7b62976ce06438e9c0bf319013cf801f09ecc84b8d7e9495f27e305c6a9b0563a9b5f4d288405c3008a946df983d6" {
|
||||||
// t.Fatal("wrong DS Digest")
|
// t.Fatal("wrong DS Digest")
|
||||||
// }
|
// }
|
||||||
a, _ := NewRR("www.example.net. 3600 IN A 192.0.2.1")
|
a, _ := NewRR("www.example.net. 3600 IN A 192.0.2.1")
|
||||||
sig := new(RRSIG)
|
sig := new(RRSIG)
|
||||||
sig.Hdr = RR_Header{"example.net.", TypeRRSIG, ClassINET, 14400, 0}
|
sig.Hdr = RR_Header{"example.net.", TypeRRSIG, ClassINET, 14400, 0}
|
||||||
|
@ -495,3 +496,152 @@ func TestSignVerifyECDSA2(t *testing.T) {
|
||||||
t.Fatal("failure to validate")
|
t.Fatal("failure to validate")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// rfc6605 6.1
|
||||||
|
func TestRFC6605P256(t *testing.T) {
|
||||||
|
exDNSKEY := `example.net. 3600 IN DNSKEY 257 3 13 (
|
||||||
|
GojIhhXUN/u4v54ZQqGSnyhWJwaubCvTmeexv7bR6edb
|
||||||
|
krSqQpF64cYbcB7wNcP+e+MAnLr+Wi9xMWyQLc8NAA== )`
|
||||||
|
exPriv := `Private-key-format: v1.2
|
||||||
|
Algorithm: 13 (ECDSAP256SHA256)
|
||||||
|
PrivateKey: GU6SnQ/Ou+xC5RumuIUIuJZteXT2z0O/ok1s38Et6mQ=`
|
||||||
|
rrDNSKEY, err := NewRR(exDNSKEY)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err.Error())
|
||||||
|
}
|
||||||
|
priv, err := rrDNSKEY.(*DNSKEY).NewPrivateKey(exPriv)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err.Error())
|
||||||
|
}
|
||||||
|
|
||||||
|
exDS := `example.net. 3600 IN DS 55648 13 2 (
|
||||||
|
b4c8c1fe2e7477127b27115656ad6256f424625bf5c1
|
||||||
|
e2770ce6d6e37df61d17 )`
|
||||||
|
rrDS, err := NewRR(exDS)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err.Error())
|
||||||
|
}
|
||||||
|
ourDS := rrDNSKEY.(*DNSKEY).ToDS(SHA256)
|
||||||
|
if !reflect.DeepEqual(ourDS, rrDS.(*DS)) {
|
||||||
|
t.Errorf("DS record differs:\n%v\n%v\n", ourDS, rrDS.(*DS))
|
||||||
|
}
|
||||||
|
|
||||||
|
exA := `www.example.net. 3600 IN A 192.0.2.1`
|
||||||
|
exRRSIG := `www.example.net. 3600 IN RRSIG A 13 3 3600 (
|
||||||
|
20100909100439 20100812100439 55648 example.net.
|
||||||
|
qx6wLYqmh+l9oCKTN6qIc+bw6ya+KJ8oMz0YP107epXA
|
||||||
|
yGmt+3SNruPFKG7tZoLBLlUzGGus7ZwmwWep666VCw== )`
|
||||||
|
rrA, err := NewRR(exA)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err.Error())
|
||||||
|
}
|
||||||
|
rrRRSIG, err := NewRR(exRRSIG)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err.Error())
|
||||||
|
}
|
||||||
|
if err = rrRRSIG.(*RRSIG).Verify(rrDNSKEY.(*DNSKEY), []RR{rrA}); err != nil {
|
||||||
|
t.Errorf("Failure to validate the spec RRSIG: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
ourRRSIG := &RRSIG{
|
||||||
|
Hdr: RR_Header{
|
||||||
|
Ttl: rrA.Header().Ttl,
|
||||||
|
},
|
||||||
|
KeyTag: rrDNSKEY.(*DNSKEY).KeyTag(),
|
||||||
|
SignerName: rrDNSKEY.(*DNSKEY).Hdr.Name,
|
||||||
|
Algorithm: rrDNSKEY.(*DNSKEY).Algorithm,
|
||||||
|
}
|
||||||
|
ourRRSIG.Expiration, _ = StringToTime("20100909100439")
|
||||||
|
ourRRSIG.Inception, _ = StringToTime("20100812100439")
|
||||||
|
err = ourRRSIG.Sign(priv, []RR{rrA})
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err.Error())
|
||||||
|
}
|
||||||
|
|
||||||
|
if err = ourRRSIG.Verify(rrDNSKEY.(*DNSKEY), []RR{rrA}); err != nil {
|
||||||
|
t.Errorf("Failure to validate our RRSIG: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Signatures are randomized
|
||||||
|
rrRRSIG.(*RRSIG).Signature = ""
|
||||||
|
ourRRSIG.Signature = ""
|
||||||
|
if !reflect.DeepEqual(ourRRSIG, rrRRSIG.(*RRSIG)) {
|
||||||
|
t.Fatalf("RRSIG record differs:\n%v\n%v\n", ourRRSIG, rrRRSIG.(*RRSIG))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// rfc6605 6.2
|
||||||
|
func TestRFC6605P384(t *testing.T) {
|
||||||
|
exDNSKEY := `example.net. 3600 IN DNSKEY 257 3 14 (
|
||||||
|
xKYaNhWdGOfJ+nPrL8/arkwf2EY3MDJ+SErKivBVSum1
|
||||||
|
w/egsXvSADtNJhyem5RCOpgQ6K8X1DRSEkrbYQ+OB+v8
|
||||||
|
/uX45NBwY8rp65F6Glur8I/mlVNgF6W/qTI37m40 )`
|
||||||
|
exPriv := `Private-key-format: v1.2
|
||||||
|
Algorithm: 14 (ECDSAP384SHA384)
|
||||||
|
PrivateKey: WURgWHCcYIYUPWgeLmiPY2DJJk02vgrmTfitxgqcL4vwW7BOrbawVmVe0d9V94SR`
|
||||||
|
rrDNSKEY, err := NewRR(exDNSKEY)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err.Error())
|
||||||
|
}
|
||||||
|
priv, err := rrDNSKEY.(*DNSKEY).NewPrivateKey(exPriv)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err.Error())
|
||||||
|
}
|
||||||
|
|
||||||
|
exDS := `example.net. 3600 IN DS 10771 14 4 (
|
||||||
|
72d7b62976ce06438e9c0bf319013cf801f09ecc84b8
|
||||||
|
d7e9495f27e305c6a9b0563a9b5f4d288405c3008a94
|
||||||
|
6df983d6 )`
|
||||||
|
rrDS, err := NewRR(exDS)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err.Error())
|
||||||
|
}
|
||||||
|
ourDS := rrDNSKEY.(*DNSKEY).ToDS(SHA384)
|
||||||
|
if !reflect.DeepEqual(ourDS, rrDS.(*DS)) {
|
||||||
|
t.Fatalf("DS record differs:\n%v\n%v\n", ourDS, rrDS.(*DS))
|
||||||
|
}
|
||||||
|
|
||||||
|
exA := `www.example.net. 3600 IN A 192.0.2.1`
|
||||||
|
exRRSIG := `www.example.net. 3600 IN RRSIG A 14 3 3600 (
|
||||||
|
20100909102025 20100812102025 10771 example.net.
|
||||||
|
/L5hDKIvGDyI1fcARX3z65qrmPsVz73QD1Mr5CEqOiLP
|
||||||
|
95hxQouuroGCeZOvzFaxsT8Glr74hbavRKayJNuydCuz
|
||||||
|
WTSSPdz7wnqXL5bdcJzusdnI0RSMROxxwGipWcJm )`
|
||||||
|
rrA, err := NewRR(exA)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err.Error())
|
||||||
|
}
|
||||||
|
rrRRSIG, err := NewRR(exRRSIG)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err.Error())
|
||||||
|
}
|
||||||
|
if err = rrRRSIG.(*RRSIG).Verify(rrDNSKEY.(*DNSKEY), []RR{rrA}); err != nil {
|
||||||
|
t.Errorf("Failure to validate the spec RRSIG: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
ourRRSIG := &RRSIG{
|
||||||
|
Hdr: RR_Header{
|
||||||
|
Ttl: rrA.Header().Ttl,
|
||||||
|
},
|
||||||
|
KeyTag: rrDNSKEY.(*DNSKEY).KeyTag(),
|
||||||
|
SignerName: rrDNSKEY.(*DNSKEY).Hdr.Name,
|
||||||
|
Algorithm: rrDNSKEY.(*DNSKEY).Algorithm,
|
||||||
|
}
|
||||||
|
ourRRSIG.Expiration, _ = StringToTime("20100909102025")
|
||||||
|
ourRRSIG.Inception, _ = StringToTime("20100812102025")
|
||||||
|
err = ourRRSIG.Sign(priv, []RR{rrA})
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err.Error())
|
||||||
|
}
|
||||||
|
|
||||||
|
if err = ourRRSIG.Verify(rrDNSKEY.(*DNSKEY), []RR{rrA}); err != nil {
|
||||||
|
t.Errorf("Failure to validate our RRSIG: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Signatures are randomized
|
||||||
|
rrRRSIG.(*RRSIG).Signature = ""
|
||||||
|
ourRRSIG.Signature = ""
|
||||||
|
if !reflect.DeepEqual(ourRRSIG, rrRRSIG.(*RRSIG)) {
|
||||||
|
t.Fatalf("RRSIG record differs:\n%v\n%v\n", ourRRSIG, rrRRSIG.(*RRSIG))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in New Issue