Its validating
This commit is contained in:
Miek Gieben
parent
e1d0db4107
commit
ffe027b4b9
|
|
@ -0,0 +1 @@
|
|||
miek.nl. 3600 IN DS 12273 8 2 beb0b9e415c223543e9cc1c76518839e6eb3bdec83103a2e90553e3a4db16f04 ; xozir-bevav-gahis-dymuh-gazan-sybys-lenyc-meban-vorir-fezuv-sibac-bovud-vegoh-hizyf-pyfor-cyrob-goxex
|
||||
|
|
@ -0,0 +1 @@
|
|||
miek.nl. 3600 IN DNSKEY 256 3 8 AwEAAcELcuxHosJX3LjbR6EFzsqI3mKivwvO6Y5Kzt/OXYmLQUI8tnOrX9ilT/0qGraxoONayVX3A6bl1pG3h/xOxVEGcJGqbrZnhr2+4S9tW2GWQwevV+NhinE7v6MCCCheVCnAPh0KFb/u14ng3DQizP1spBU/NoAN31l678snBpZX ;{id = 12273 (zsk), size = 1024b}
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
Private-key-format: v1.2
|
||||
Algorithm: 8 (RSASHA256)
|
||||
Modulus: wQty7EeiwlfcuNtHoQXOyojeYqK/C87pjkrO385diYtBQjy2c6tf2KVP/SoatrGg41rJVfcDpuXWkbeH/E7FUQZwkaputmeGvb7hL21bYZZDB69X42GKcTu/owIIKF5UKcA+HQoVv+7XieDcNCLM/WykFT82gA3fWXrvyycGllc=
|
||||
PublicExponent: AQAB
|
||||
PrivateExponent: bp2R16Rgtf3Eo0Q7MiBy0wlEbL6WvDxvBjMFgabtYDAkT8EcRwFvJWPshsOGlSMJbt2JurGVLSBMKClDSacVVo4r86ND0ylj/1kfmHMEy49mu824Jbf9b1Aen4pR0I5KVAf0cHITY1xYag95C+Zdj91ymyBual+VLchBEIJ2NhE=
|
||||
Prime1: 62QkvleT+6uDJRct5tqeDoRCxBIWWMFJ2+VgNsuo9+fCYhwjbFNHFV6BR20VrVWYH9WpuDKnxS0B41Jz6eDDDw==
|
||||
Prime2: 0fIwIh53eBlCROIiZJfpFX1fPWsRD3/eX7W5VC5moFP/IiO+qLc8EFg4b2uCnmLJR07/vHowmv6yfpHjyDJYOQ==
|
||||
Exponent1: 1ctLJCZfHgIVRybaZgbB7+VozrSu30YPU03uKVaozSEOiBWOhuDMezguqzUErz5CwQdK8yXvA0Nxp4pIBXBDOQ==
|
||||
Exponent2: RQw0DGScwiD8jI8a5J6Zh/nNwvNdjw1s42lu5GLGWeCGPoInCHILDQ0Wsn5XXSP8MrmmniRJrBAsQDhXA9aa8Q==
|
||||
Coefficient: Ntr5xV/6TtnlpNSg4WQNvaEdS7n7Lf7r+fS3/sHzqGkv8GT6gsRdQLQVu8Ml9t/GAPfUK4KsH7zmqr6N5dy9+g==
|
||||
|
|
@ -0,0 +1,54 @@
|
|||
package dnssec
|
||||
|
||||
import (
|
||||
"testing"
|
||||
"fmt"
|
||||
"dns"
|
||||
)
|
||||
|
||||
func TestDnskey(t *testing.T) {
|
||||
return
|
||||
// This key was generate with LDNS:
|
||||
// ldns-keygen -a RSASHA256 -r /dev/urandom -b 1024 miek.nl
|
||||
// Show that we have al the RSA parameters and can check them
|
||||
// here to see what I came up with
|
||||
key := new(dns.RR_DNSKEY)
|
||||
key.Hdr.Name = "miek.nl."
|
||||
key.Hdr.Rrtype = dns.TypeDNSKEY
|
||||
key.Hdr.Class = dns.ClassINET
|
||||
key.Hdr.Ttl = 3600
|
||||
key.Flags = 256
|
||||
key.Protocol = 3
|
||||
key.Algorithm = AlgRSASHA256
|
||||
key.PubKey = "AwEAAcELcuxHosJX3LjbR6EFzsqI3mKivwvO6Y5Kzt/OXYmLQUI8tnOrX9ilT/0qGraxoONayVX3A6bl1pG3h/xOxVEGcJGqbrZnhr2+4S9tW2GWQwevV+NhinE7v6MCCCheVCnAPh0KFb/u14ng3DQizP1spBU/NoAN31l678snBpZX"
|
||||
fmt.Printf("%v\n", key)
|
||||
|
||||
soa := new(dns.RR_SOA)
|
||||
soa.Hdr = dns.RR_Header{"Miek.nl.", dns.TypeSOA, dns.ClassINET, 875, 0}
|
||||
soa.Ns = "open.nlnetlabs.nl."
|
||||
soa.Mbox = "miekg.atoom.net."
|
||||
soa.Serial = 1293513905
|
||||
soa.Refresh = 14400
|
||||
soa.Retry = 3600
|
||||
soa.Expire = 604800
|
||||
soa.Minttl = 86400
|
||||
|
||||
sig := new(dns.RR_RRSIG)
|
||||
sig.Hdr = dns.RR_Header{"miek.nl.", dns.TypeRRSIG, dns.ClassINET, 14400, 0}
|
||||
sig.TypeCovered = dns.TypeSOA
|
||||
sig.Algorithm = AlgRSASHA256
|
||||
sig.Labels = 2
|
||||
sig.Expiration = 1296098705 // date '+%s' -d"2011-01-27 04:25:05
|
||||
sig.Inception = 1293506705
|
||||
sig.OrigTtl = 14400
|
||||
//sig.KeyTag = 12051
|
||||
sig.KeyTag = 12273 //faked
|
||||
sig.SignerName = "miek.nl."
|
||||
sig.Signature = "kLq/5oFy3Sh5ZxPGFMCyHq8MtN6E17R1Ln9+bJ2Q76YYAxFE8Xlie33A1GFctH2uhzRzJKuP/JSjUkrvGk2rjBm32z9zXtZsKx/4yV0da2nLRm44NOmX6gsP4Yia8mdqPUajjkyLzAzU2bevtesJm0Z65AcmPdq3tUZODdRAcng="
|
||||
|
||||
Verify(sig, key, []dns.RR{soa})
|
||||
|
||||
// From Kmiek.nl*.private
|
||||
openssl := "135560614087352210480379313279722604826647214111257577861451621491284835543707521986085999189597017237768514876957888744370440811423088511394629855684615382349190289731989185193184712980579812986523080792122141528583964882610028199770199112837017606561901919812183422914622295620927795008308854924436086101591"
|
||||
println("OPENSSL key: what should be is: ",openssl)
|
||||
}
|
||||
|
|
@ -1,7 +1,9 @@
|
|||
// Package dnssec implements all client side DNSSEC function, like
|
||||
// validation, keytag/DS calculation.
|
||||
// validation, keytag/DS calculation.
|
||||
package dnssec
|
||||
|
||||
// Put tsig and tkey stuff here too
|
||||
|
||||
import (
|
||||
"crypto/sha1"
|
||||
"crypto/sha256"
|
||||
|
|
@ -147,12 +149,15 @@ func Verify(s *dns.RR_RRSIG, k *dns.RR_DNSKEY, rrset dns.RRset) bool {
|
|||
|
||||
// RFC 4035 5.3.2. Reconstructing the Signed Data
|
||||
// Copy the sig, except the rrsig data
|
||||
// Can this be done easier? TODO(mg)
|
||||
s1 := &dns.RR_RRSIG{s.Hdr, s.TypeCovered, s.Algorithm, s.Labels, s.OrigTtl, s.Expiration, s.Inception, s.KeyTag, s.SignerName, ""}
|
||||
signeddata, ok := dns.WireRdata(s1)
|
||||
if !ok {
|
||||
return false
|
||||
}
|
||||
println("length of date s1", s1.Hdr.Rdlength)
|
||||
println("length of signeddata buf", len(signeddata))
|
||||
|
||||
fmt.Printf("PRE SIGNEDDATA BUF %v\n", signeddata)
|
||||
|
||||
for _, r := range rrset {
|
||||
h := r.Header()
|
||||
|
|
@ -181,45 +186,54 @@ func Verify(s *dns.RR_RRSIG, k *dns.RR_DNSKEY, rrset dns.RRset) bool {
|
|||
return false
|
||||
}
|
||||
signeddata = append(signeddata, wire...)
|
||||
fmt.Printf("WIREBUF %v\n", wire)
|
||||
fmt.Printf("SIGNEDDATA BUF %v\n", signeddata)
|
||||
}
|
||||
fmt.Fprintf(os.Stderr, "lengthed signeddata %d\n", len(signeddata))
|
||||
keybuf := make([]byte, 1024)
|
||||
keybuflen := base64.StdEncoding.DecodedLen(len(k.PubKey))
|
||||
base64.StdEncoding.Decode(keybuf[0:keybuflen], []byte(k.PubKey))
|
||||
keybuf = keybuf[:keybuflen]
|
||||
|
||||
fmt.Printf("\n%d KEYBUF %v\n", keybuflen, keybuf)
|
||||
|
||||
sigbuf := make([]byte, 1024)
|
||||
sigbuflen := base64.StdEncoding.DecodedLen(len(s.Signature))
|
||||
base64.StdEncoding.Decode(sigbuf[0:sigbuflen], []byte(s.Signature))
|
||||
sigbuf = sigbuf[:sigbuflen]
|
||||
sigbuf = sigbuf[:sigbuflen-1] // Why the -1 here, and not for the keybuf??
|
||||
fmt.Fprintf(os.Stderr, "len of sigbuf: %d\n", len(sigbuf))
|
||||
|
||||
fmt.Printf("\nSIGBUF %v\n", sigbuf)
|
||||
|
||||
switch s.Algorithm {
|
||||
case AlgRSASHA1:
|
||||
|
||||
case AlgRSASHA256:
|
||||
// RFC 3110, section 2. RSA Public KEY Resource Records
|
||||
// Assume length is in the first byte!
|
||||
// keybuf[1]
|
||||
_E := int(keybuf[3]) <<16
|
||||
_E += int(keybuf[2]) <<8
|
||||
_E += int(keybuf[1])
|
||||
println("_E", _E)
|
||||
pubkey := new(rsa.PublicKey)
|
||||
pubkey.E = _E
|
||||
pubkey.N = big.NewInt(0)
|
||||
pubkey.N.SetBytes(keybuf[4:])
|
||||
fmt.Fprintf(os.Stderr, "%s\n", pubkey.N)
|
||||
fmt.Fprintf(os.Stderr, "keybug len %d", len(keybuf[4:]))
|
||||
fmt.Fprintf(os.Stderr, "PubKey %s\n", pubkey.N)
|
||||
|
||||
// Hash the signeddata
|
||||
s := sha256.New()
|
||||
io.WriteString(s, string(sigbuf))
|
||||
io.WriteString(s, string(signeddata))
|
||||
sighash := s.Sum()
|
||||
|
||||
|
||||
println("sig hash", len(sighash))
|
||||
|
||||
err := rsa.VerifyPKCS1v15(pubkey, rsa.HashSHA256, sighash, sigbuf)
|
||||
if err == nil {
|
||||
fmt.Fprintf(os.Stderr, "NO SHIT!!\n")
|
||||
fmt.Fprintf(os.Stderr, "NO SHIT Sherlock!!\n")
|
||||
} else {
|
||||
fmt.Fprintf(os.Stderr, "%v\n", err)
|
||||
fmt.Fprintf(os.Stderr, "*********** %v\n", err)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -10,10 +10,10 @@ import (
|
|||
func TestSecure(t *testing.T) {
|
||||
// once this was valid
|
||||
soa := new(dns.RR_SOA)
|
||||
soa.Hdr = dns.RR_Header{"Miek.nl.", dns.TypeSOA, dns.ClassINET, 875, 0}
|
||||
soa.Hdr = dns.RR_Header{"miek.nl.", dns.TypeSOA, dns.ClassINET, 14400, 0}
|
||||
soa.Ns = "open.nlnetlabs.nl."
|
||||
soa.Mbox = "miekg.atoom.net."
|
||||
soa.Serial = 1293513905
|
||||
soa.Serial = 1293945905
|
||||
soa.Refresh = 14400
|
||||
soa.Retry = 3600
|
||||
soa.Expire = 604800
|
||||
|
|
@ -24,12 +24,13 @@ func TestSecure(t *testing.T) {
|
|||
sig.TypeCovered = dns.TypeSOA
|
||||
sig.Algorithm = AlgRSASHA256
|
||||
sig.Labels = 2
|
||||
sig.Expiration = 1296098705 // date '+%s' -d"2011-01-27 04:25:05
|
||||
sig.Inception = 1293506705
|
||||
// UTC LUL!
|
||||
sig.Expiration = 1296534305 // date -u '+%s' -d"2011-02-01 04:25:05"
|
||||
sig.Inception = 1293942305 // date -u '+%s' -d"2011-01-02 04:25:05"
|
||||
sig.OrigTtl = 14400
|
||||
sig.KeyTag = 12051
|
||||
sig.SignerName = "miek.nl."
|
||||
sig.Signature = "kLq/5oFy3Sh5ZxPGFMCyHq8MtN6E17R1Ln9+bJ2Q76YYAxFE8Xlie33A1GFctH2uhzRzJKuP/JSjUkrvGk2rjBm32z9zXtZsKx/4yV0da2nLRm44NOmX6gsP4Yia8mdqPUajjkyLzAzU2bevtesJm0Z65AcmPdq3tUZODdRAcng="
|
||||
sig.Signature = "oMCbslaAVIp/8kVtLSms3tDABpcPRUgHLrOR48OOplkYo+8TeEGWwkSwaz/MRo2fB4FxW0qj/hTlIjUGuACSd+b1wKdH5GvzRJc2pFmxtCbm55ygAh4EUL0F6U5cKtGJGSXxxg6UFCQ0doJCmiGFa78LolaUOXImJrk6AFrGa0M="
|
||||
|
||||
key := new(dns.RR_DNSKEY)
|
||||
key.Hdr.Name = "miek.nl."
|
||||
|
|
@ -46,5 +47,4 @@ func TestSecure(t *testing.T) {
|
|||
t.Log("Failure to validate")
|
||||
t.Fail()
|
||||
}
|
||||
fmt.Fprintf(os.Stderr, "%v\n%v\n", sig, soa)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ import (
|
|||
|
||||
func TestTag(t *testing.T) {
|
||||
key := new(dns.RR_DNSKEY)
|
||||
key.Hdr.Name = "miek.nl"
|
||||
key.Hdr.Name = "miek.nl."
|
||||
key.Hdr.Rrtype = dns.TypeDNSKEY
|
||||
key.Hdr.Class = dns.ClassINET
|
||||
key.Hdr.Ttl = 3600
|
||||
|
|
|
|||
Loading…
Reference in New Issue