This adds hash.go and creates an identityHash that is used for algorithms that do their own hashing (ED25519, for instance). This unifies the hash variable naming between dnssec and sig(0) signing and removes the special casing that existed for ED25519. This unifies the variable naming between sig(0) and dnssec signing and verifying. I didn't want to use crypto.RegisterHash, so as not to fiddle with the global namespace of hashes, so the value of '0' from AlgorithmsToHash is handled specially in the dnssec and sig(0) code. Note that ED448 isn't implemented at all. Signed-off-by: Miek Gieben <miek@miek.nl>
package dns
import (
"crypto"
"testing"
"time"
)
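// TestSIG0 signs a query with SIG(0) once per algorithm in the list below and
// checks three things for each: the signature verifies (both the in-memory SIG
// and the one unpacked from the wire), verification fails after the signed
// bytes are altered, and verification fails for a signature whose validity
// window lies in the past.
func TestSIG0(t *testing.T) {
	if testing.Short() {
		t.Skip("skipping test in short mode.")
	}
	m := new(Msg)
	m.SetQuestion("example.org.", TypeSOA)
	for _, alg := range []uint8{ECDSAP256SHA256, ECDSAP384SHA384, RSASHA1, RSASHA256, RSASHA512, ED25519} {
		algstr := AlgorithmToString[alg]

		keyrr := new(KEY)
		keyrr.Hdr.Name = algstr + "."
		keyrr.Hdr.Rrtype = TypeKEY
		keyrr.Hdr.Class = ClassINET
		keyrr.Algorithm = alg

		// Test-only key sizes. The 512- and 1024-bit RSA moduli used here are
		// far too small for real keys; presumably they are chosen to keep key
		// generation quick. Do not copy them into production code.
		keysize := 512
		switch alg {
		case ECDSAP256SHA256, ED25519:
			keysize = 256
		case ECDSAP384SHA384:
			keysize = 384
		case RSASHA512:
			keysize = 1024
		}
		pk, err := keyrr.Generate(keysize)
		if err != nil {
			t.Errorf("failed to generate key for %q: %v", algstr, err)
			continue
		}
		// Report a key that cannot sign as a test failure instead of letting
		// an unchecked type assertion panic and abort the remaining algorithms.
		signer, ok := pk.(crypto.Signer)
		if !ok {
			t.Errorf("generated key for %q does not implement crypto.Signer", algstr)
			continue
		}

		// Validity window of five minutes either side of the current time.
		now := uint32(time.Now().Unix())
		sigrr := new(SIG)
		sigrr.Hdr.Name = "."
		sigrr.Hdr.Rrtype = TypeSIG
		sigrr.Hdr.Class = ClassANY
		sigrr.Algorithm = alg
		sigrr.Expiration = now + 300
		sigrr.Inception = now - 300
		sigrr.KeyTag = keyrr.KeyTag()
		sigrr.SignerName = keyrr.Hdr.Name

		mb, err := sigrr.Sign(signer, m)
		if err != nil {
			t.Errorf("failed to sign message using %q: %v", algstr, err)
			continue
		}

		// Round-trip through the wire format so the SIG that a receiver would
		// actually see is verified too, not only the struct that produced it.
		got := new(Msg)
		if err := got.Unpack(mb); err != nil {
			t.Errorf("failed to unpack message signed using %q: %v", algstr, err)
			continue
		}
		if len(got.Extra) != 1 {
			t.Errorf("missing SIG for message signed using %q", algstr)
			continue
		}
		var sigrrwire *SIG
		switch rr := got.Extra[0].(type) {
		case *SIG:
			sigrrwire = rr
		default:
			t.Errorf("expected SIG RR, instead: %v", rr)
			continue
		}

		for _, rr := range []*SIG{sigrr, sigrrwire} {
			id := "sigrr"
			if rr == sigrrwire {
				id = "sigrrwire"
			}
			if err := rr.Verify(keyrr, mb); err != nil {
				t.Errorf("failed to verify %q signed SIG(%s): %v", algstr, id, err)
			}
		}

		// Negative check 1: flip a byte of the signed message. Offset 13 falls
		// just past the 12-byte DNS header, inside the question name.
		// NOTE(review): this only asserts that some error is returned, not
		// that it is a signature-mismatch error; consider checking the kind.
		mb[13]++
		if err := sigrr.Verify(keyrr, mb); err == nil {
			t.Errorf("verify succeeded on an altered message using %q", algstr)
			continue
		}

		// Negative check 2: a signature whose window (inception 1, expiration
		// 2) is long past must be rejected. The Sign error is checked so that
		// a signing failure cannot make this check pass for the wrong reason.
		sigrr.Expiration = 2
		sigrr.Inception = 1
		mb, err = sigrr.Sign(signer, got)
		if err != nil {
			t.Errorf("failed to sign message using %q: %v", algstr, err)
			continue
		}
		if err := sigrr.Verify(keyrr, mb); err == nil {
			t.Errorf("verify succeeded on an expired message using %q", algstr)
			continue
		}
	}
}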