456 lines
14 KiB
Go
456 lines
14 KiB
Go
// Copyright 2011 Miek Gieben. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package dns
|
|
|
|
import (
|
|
"crypto/rsa"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
)
|
|
|
|
func getKey() *DNSKEY {
|
|
key := new(DNSKEY)
|
|
key.Hdr.Name = "miek.nl."
|
|
key.Hdr.Class = ClassINET
|
|
key.Hdr.Ttl = 14400
|
|
key.Flags = 256
|
|
key.Protocol = 3
|
|
key.Algorithm = RSASHA256
|
|
key.PublicKey = "AwEAAcNEU67LJI5GEgF9QLNqLO1SMq1EdoQ6E9f85ha0k0ewQGCblyW2836GiVsm6k8Kr5ECIoMJ6fZWf3CQSQ9ycWfTyOHfmI3eQ/1Covhb2y4bAmL/07PhrL7ozWBW3wBfM335Ft9xjtXHPy7ztCbV9qZ4TVDTW/Iyg0PiwgoXVesz"
|
|
return key
|
|
}
|
|
|
|
func getSoa() *SOA {
|
|
soa := new(SOA)
|
|
soa.Hdr = RR_Header{"miek.nl.", TypeSOA, ClassINET, 14400, 0}
|
|
soa.Ns = "open.nlnetlabs.nl."
|
|
soa.Mbox = "miekg.atoom.net."
|
|
soa.Serial = 1293945905
|
|
soa.Refresh = 14400
|
|
soa.Retry = 3600
|
|
soa.Expire = 604800
|
|
soa.Minttl = 86400
|
|
return soa
|
|
}
|
|
|
|
func TestGenerateEC(t *testing.T) {
|
|
key := new(DNSKEY)
|
|
key.Hdr.Rrtype = TypeDNSKEY
|
|
key.Hdr.Name = "miek.nl."
|
|
key.Hdr.Class = ClassINET
|
|
key.Hdr.Ttl = 14400
|
|
key.Flags = 256
|
|
key.Protocol = 3
|
|
key.Algorithm = ECDSAP256SHA256
|
|
privkey, _ := key.Generate(256)
|
|
t.Logf("%s\n", key.String())
|
|
t.Logf("%s\n", key.PrivateKeyString(privkey))
|
|
}
|
|
|
|
func TestGenerateDSA(t *testing.T) {
|
|
key := new(DNSKEY)
|
|
key.Hdr.Rrtype = TypeDNSKEY
|
|
key.Hdr.Name = "miek.nl."
|
|
key.Hdr.Class = ClassINET
|
|
key.Hdr.Ttl = 14400
|
|
key.Flags = 256
|
|
key.Protocol = 3
|
|
key.Algorithm = DSA
|
|
privkey, _ := key.Generate(1024)
|
|
t.Logf("%s\n", key.String())
|
|
t.Logf("%s\n", key.PrivateKeyString(privkey))
|
|
}
|
|
|
|
func TestGenerateRSA(t *testing.T) {
|
|
key := new(DNSKEY)
|
|
key.Hdr.Rrtype = TypeDNSKEY
|
|
key.Hdr.Name = "miek.nl."
|
|
key.Hdr.Class = ClassINET
|
|
key.Hdr.Ttl = 14400
|
|
key.Flags = 256
|
|
key.Protocol = 3
|
|
key.Algorithm = RSASHA256
|
|
privkey, _ := key.Generate(1024)
|
|
t.Logf("%s\n", key.String())
|
|
t.Logf("%s\n", key.PrivateKeyString(privkey))
|
|
}
|
|
|
|
func TestSecure(t *testing.T) {
|
|
soa := getSoa()
|
|
|
|
sig := new(RRSIG)
|
|
sig.Hdr = RR_Header{"miek.nl.", TypeRRSIG, ClassINET, 14400, 0}
|
|
sig.TypeCovered = TypeSOA
|
|
sig.Algorithm = RSASHA256
|
|
sig.Labels = 2
|
|
sig.Expiration = 1296534305 // date -u '+%s' -d"2011-02-01 04:25:05"
|
|
sig.Inception = 1293942305 // date -u '+%s' -d"2011-01-02 04:25:05"
|
|
sig.OrigTtl = 14400
|
|
sig.KeyTag = 12051
|
|
sig.SignerName = "miek.nl."
|
|
sig.Signature = "oMCbslaAVIp/8kVtLSms3tDABpcPRUgHLrOR48OOplkYo+8TeEGWwkSwaz/MRo2fB4FxW0qj/hTlIjUGuACSd+b1wKdH5GvzRJc2pFmxtCbm55ygAh4EUL0F6U5cKtGJGSXxxg6UFCQ0doJCmiGFa78LolaUOXImJrk6AFrGa0M="
|
|
|
|
key := new(DNSKEY)
|
|
key.Hdr.Name = "miek.nl."
|
|
key.Hdr.Class = ClassINET
|
|
key.Hdr.Ttl = 14400
|
|
key.Flags = 256
|
|
key.Protocol = 3
|
|
key.Algorithm = RSASHA256
|
|
key.PublicKey = "AwEAAcNEU67LJI5GEgF9QLNqLO1SMq1EdoQ6E9f85ha0k0ewQGCblyW2836GiVsm6k8Kr5ECIoMJ6fZWf3CQSQ9ycWfTyOHfmI3eQ/1Covhb2y4bAmL/07PhrL7ozWBW3wBfM335Ft9xjtXHPy7ztCbV9qZ4TVDTW/Iyg0PiwgoXVesz"
|
|
|
|
// It should validate. Period is checked seperately, so this will keep on working
|
|
if sig.Verify(key, []RR{soa}) != nil {
|
|
t.Log("Failure to validate")
|
|
t.Fail()
|
|
}
|
|
}
|
|
|
|
func TestSignature(t *testing.T) {
|
|
sig := new(RRSIG)
|
|
sig.Hdr.Name = "miek.nl."
|
|
sig.Hdr.Class = ClassINET
|
|
sig.Hdr.Ttl = 3600
|
|
sig.TypeCovered = TypeDNSKEY
|
|
sig.Algorithm = RSASHA1
|
|
sig.Labels = 2
|
|
sig.OrigTtl = 4000
|
|
sig.Expiration = 1000 //Thu Jan 1 02:06:40 CET 1970
|
|
sig.Inception = 800 //Thu Jan 1 01:13:20 CET 1970
|
|
sig.KeyTag = 34641
|
|
sig.SignerName = "miek.nl."
|
|
sig.Signature = "AwEAAaHIwpx3w4VHKi6i1LHnTaWeHCL154Jug0Rtc9ji5qwPXpBo6A5sRv7cSsPQKPIwxLpyCrbJ4mr2L0EPOdvP6z6YfljK2ZmTbogU9aSU2fiq/4wjxbdkLyoDVgtO+JsxNN4bjr4WcWhsmk1Hg93FV9ZpkWb0Tbad8DFqNDzr//kZ"
|
|
|
|
// Should not be valid
|
|
if sig.ValidityPeriod(time.Now()) {
|
|
t.Log("Should not be valid")
|
|
t.Fail()
|
|
}
|
|
|
|
sig.Inception = 315565800 //Tue Jan 1 10:10:00 CET 1980
|
|
sig.Expiration = 4102477800 //Fri Jan 1 10:10:00 CET 2100
|
|
if !sig.ValidityPeriod(time.Now()) {
|
|
t.Log("Should be valid")
|
|
t.Fail()
|
|
}
|
|
}
|
|
|
|
func TestSignVerify(t *testing.T) {
|
|
// The record we want to sign
|
|
soa := new(SOA)
|
|
soa.Hdr = RR_Header{"miek.nl.", TypeSOA, ClassINET, 14400, 0}
|
|
soa.Ns = "open.nlnetlabs.nl."
|
|
soa.Mbox = "miekg.atoom.net."
|
|
soa.Serial = 1293945905
|
|
soa.Refresh = 14400
|
|
soa.Retry = 3600
|
|
soa.Expire = 604800
|
|
soa.Minttl = 86400
|
|
|
|
soa1 := new(SOA)
|
|
soa1.Hdr = RR_Header{"*.miek.nl.", TypeSOA, ClassINET, 14400, 0}
|
|
soa1.Ns = "open.nlnetlabs.nl."
|
|
soa1.Mbox = "miekg.atoom.net."
|
|
soa1.Serial = 1293945905
|
|
soa1.Refresh = 14400
|
|
soa1.Retry = 3600
|
|
soa1.Expire = 604800
|
|
soa1.Minttl = 86400
|
|
|
|
srv := new(SRV)
|
|
srv.Hdr = RR_Header{"srv.miek.nl.", TypeSRV, ClassINET, 14400, 0}
|
|
srv.Port = 1000
|
|
srv.Weight = 800
|
|
srv.Target = "web1.miek.nl."
|
|
|
|
// With this key
|
|
key := new(DNSKEY)
|
|
key.Hdr.Rrtype = TypeDNSKEY
|
|
key.Hdr.Name = "miek.nl."
|
|
key.Hdr.Class = ClassINET
|
|
key.Hdr.Ttl = 14400
|
|
key.Flags = 256
|
|
key.Protocol = 3
|
|
key.Algorithm = RSASHA256
|
|
privkey, _ := key.Generate(512)
|
|
|
|
// Fill in the values of the Sig, before signing
|
|
sig := new(RRSIG)
|
|
sig.Hdr = RR_Header{"miek.nl.", TypeRRSIG, ClassINET, 14400, 0}
|
|
sig.TypeCovered = soa.Hdr.Rrtype
|
|
sig.Labels = uint8(CountLabel(soa.Hdr.Name)) // works for all 3
|
|
sig.OrigTtl = soa.Hdr.Ttl
|
|
sig.Expiration = 1296534305 // date -u '+%s' -d"2011-02-01 04:25:05"
|
|
sig.Inception = 1293942305 // date -u '+%s' -d"2011-01-02 04:25:05"
|
|
sig.KeyTag = key.KeyTag() // Get the keyfrom the Key
|
|
sig.SignerName = key.Hdr.Name
|
|
sig.Algorithm = RSASHA256
|
|
|
|
for _, r := range []RR{soa, soa1, srv} {
|
|
if sig.Sign(privkey, []RR{r}) != nil {
|
|
t.Log("Failure to sign the record")
|
|
t.Fail()
|
|
continue
|
|
}
|
|
if sig.Verify(key, []RR{r}) != nil {
|
|
t.Log("Failure to validate")
|
|
t.Fail()
|
|
continue
|
|
}
|
|
t.Logf("Validated: %s\n", r.Header().Name)
|
|
}
|
|
}
|
|
|
|
func Test65534(t *testing.T) {
|
|
t6 := new(RFC3597)
|
|
t6.Hdr = RR_Header{"miek.nl.", 65534, ClassINET, 14400, 0}
|
|
t6.Rdata = "505D870001"
|
|
key := new(DNSKEY)
|
|
key.Hdr.Name = "miek.nl."
|
|
key.Hdr.Rrtype = TypeDNSKEY
|
|
key.Hdr.Class = ClassINET
|
|
key.Hdr.Ttl = 14400
|
|
key.Flags = 256
|
|
key.Protocol = 3
|
|
key.Algorithm = RSASHA256
|
|
privkey, _ := key.Generate(1024)
|
|
|
|
sig := new(RRSIG)
|
|
sig.Hdr = RR_Header{"miek.nl.", TypeRRSIG, ClassINET, 14400, 0}
|
|
sig.TypeCovered = t6.Hdr.Rrtype
|
|
sig.Labels = uint8(CountLabel(t6.Hdr.Name))
|
|
sig.OrigTtl = t6.Hdr.Ttl
|
|
sig.Expiration = 1296534305 // date -u '+%s' -d"2011-02-01 04:25:05"
|
|
sig.Inception = 1293942305 // date -u '+%s' -d"2011-01-02 04:25:05"
|
|
sig.KeyTag = key.KeyTag()
|
|
sig.SignerName = key.Hdr.Name
|
|
sig.Algorithm = RSASHA256
|
|
if err := sig.Sign(privkey, []RR{t6}); err != nil {
|
|
t.Log(err)
|
|
t.Log("Failure to sign the TYPE65534 record")
|
|
t.Fail()
|
|
}
|
|
if err := sig.Verify(key, []RR{t6}); err != nil {
|
|
t.Log(err)
|
|
t.Log("Failure to validate")
|
|
t.Fail()
|
|
} else {
|
|
t.Logf("Validated: %s\n", t6.Header().Name)
|
|
}
|
|
}
|
|
|
|
func TestDnskey(t *testing.T) {
|
|
// f, _ := os.Open("t/Kmiek.nl.+010+05240.key")
|
|
pubkey, _ := ReadRR(strings.NewReader(`
|
|
miek.nl. IN DNSKEY 256 3 10 AwEAAZuMCu2FdugHkTrXYgl5qixvcDw1aDDlvL46/xJKbHBAHY16fNUb2b65cwko2Js/aJxUYJbZk5dwCDZxYfrfbZVtDPQuc3o8QaChVxC7/JYz2AHc9qHvqQ1j4VrH71RWINlQo6VYjzN/BGpMhOZoZOEwzp1HfsOE3lNYcoWU1smL ;{id = 5240 (zsk), size = 1024b}
|
|
`), "Kmiek.nl.+010+05240.key")
|
|
privkey, _ := pubkey.(*DNSKEY).ReadPrivateKey(strings.NewReader(`
|
|
Private-key-format: v1.2
|
|
Algorithm: 10 (RSASHA512)
|
|
Modulus: m4wK7YV26AeROtdiCXmqLG9wPDVoMOW8vjr/EkpscEAdjXp81RvZvrlzCSjYmz9onFRgltmTl3AINnFh+t9tlW0M9C5zejxBoKFXELv8ljPYAdz2oe+pDWPhWsfvVFYg2VCjpViPM38EakyE5mhk4TDOnUd+w4TeU1hyhZTWyYs=
|
|
PublicExponent: AQAB
|
|
PrivateExponent: UfCoIQ/Z38l8vB6SSqOI/feGjHEl/fxIPX4euKf0D/32k30fHbSaNFrFOuIFmWMB3LimWVEs6u3dpbB9CQeCVg7hwU5puG7OtuiZJgDAhNeOnxvo5btp4XzPZrJSxR4WNQnwIiYWbl0aFlL1VGgHC/3By89ENZyWaZcMLW4KGWE=
|
|
Prime1: yxwC6ogAu8aVcDx2wg1V0b5M5P6jP8qkRFVMxWNTw60Vkn+ECvw6YAZZBHZPaMyRYZLzPgUlyYRd0cjupy4+fQ==
|
|
Prime2: xA1bF8M0RTIQ6+A11AoVG6GIR/aPGg5sogRkIZ7ID/sF6g9HMVU/CM2TqVEBJLRPp73cv6ZeC3bcqOCqZhz+pw==
|
|
Exponent1: xzkblyZ96bGYxTVZm2/vHMOXswod4KWIyMoOepK6B/ZPcZoIT6omLCgtypWtwHLfqyCz3MK51Nc0G2EGzg8rFQ==
|
|
Exponent2: Pu5+mCEb7T5F+kFNZhQadHUklt0JUHbi3hsEvVoHpEGSw3BGDQrtIflDde0/rbWHgDPM4WQY+hscd8UuTXrvLw==
|
|
Coefficient: UuRoNqe7YHnKmQzE6iDWKTMIWTuoqqrFAmXPmKQnC+Y+BQzOVEHUo9bXdDnoI9hzXP1gf8zENMYwYLeWpuYlFQ==
|
|
`), "Kmiek.nl.+010+05240.private")
|
|
if pubkey.(*DNSKEY).PublicKey != "AwEAAZuMCu2FdugHkTrXYgl5qixvcDw1aDDlvL46/xJKbHBAHY16fNUb2b65cwko2Js/aJxUYJbZk5dwCDZxYfrfbZVtDPQuc3o8QaChVxC7/JYz2AHc9qHvqQ1j4VrH71RWINlQo6VYjzN/BGpMhOZoZOEwzp1HfsOE3lNYcoWU1smL" {
|
|
t.Log("Pubkey is not what we've read")
|
|
t.Fail()
|
|
}
|
|
// Coefficient looks fishy...
|
|
t.Logf("%s", pubkey.(*DNSKEY).PrivateKeyString(privkey))
|
|
}
|
|
|
|
func TestTag(t *testing.T) {
|
|
key := new(DNSKEY)
|
|
key.Hdr.Name = "miek.nl."
|
|
key.Hdr.Rrtype = TypeDNSKEY
|
|
key.Hdr.Class = ClassINET
|
|
key.Hdr.Ttl = 3600
|
|
key.Flags = 256
|
|
key.Protocol = 3
|
|
key.Algorithm = RSASHA256
|
|
key.PublicKey = "AwEAAcNEU67LJI5GEgF9QLNqLO1SMq1EdoQ6E9f85ha0k0ewQGCblyW2836GiVsm6k8Kr5ECIoMJ6fZWf3CQSQ9ycWfTyOHfmI3eQ/1Covhb2y4bAmL/07PhrL7ozWBW3wBfM335Ft9xjtXHPy7ztCbV9qZ4TVDTW/Iyg0PiwgoXVesz"
|
|
|
|
tag := key.KeyTag()
|
|
if tag != 12051 {
|
|
t.Logf("Wrong key tag: %d for key %v\n", tag, key)
|
|
t.Fail()
|
|
}
|
|
}
|
|
|
|
func TestKeyRSA(t *testing.T) {
|
|
key := new(DNSKEY)
|
|
key.Hdr.Name = "miek.nl."
|
|
key.Hdr.Rrtype = TypeDNSKEY
|
|
key.Hdr.Class = ClassINET
|
|
key.Hdr.Ttl = 3600
|
|
key.Flags = 256
|
|
key.Protocol = 3
|
|
key.Algorithm = RSASHA256
|
|
priv, _ := key.Generate(2048)
|
|
|
|
soa := new(SOA)
|
|
soa.Hdr = RR_Header{"miek.nl.", TypeSOA, ClassINET, 14400, 0}
|
|
soa.Ns = "open.nlnetlabs.nl."
|
|
soa.Mbox = "miekg.atoom.net."
|
|
soa.Serial = 1293945905
|
|
soa.Refresh = 14400
|
|
soa.Retry = 3600
|
|
soa.Expire = 604800
|
|
soa.Minttl = 86400
|
|
|
|
sig := new(RRSIG)
|
|
sig.Hdr = RR_Header{"miek.nl.", TypeRRSIG, ClassINET, 14400, 0}
|
|
sig.TypeCovered = TypeSOA
|
|
sig.Algorithm = RSASHA256
|
|
sig.Labels = 2
|
|
sig.Expiration = 1296534305 // date -u '+%s' -d"2011-02-01 04:25:05"
|
|
sig.Inception = 1293942305 // date -u '+%s' -d"2011-01-02 04:25:05"
|
|
sig.OrigTtl = soa.Hdr.Ttl
|
|
sig.KeyTag = key.KeyTag()
|
|
sig.SignerName = key.Hdr.Name
|
|
|
|
if err := sig.Sign(priv, []RR{soa}); err != nil {
|
|
t.Logf("Failed to sign")
|
|
t.Fail()
|
|
return
|
|
}
|
|
if err := sig.Verify(key, []RR{soa}); err != nil {
|
|
t.Logf("Failed to verify")
|
|
t.Fail()
|
|
}
|
|
}
|
|
|
|
func TestKeyToDS(t *testing.T) {
|
|
key := new(DNSKEY)
|
|
key.Hdr.Name = "miek.nl."
|
|
key.Hdr.Rrtype = TypeDNSKEY
|
|
key.Hdr.Class = ClassINET
|
|
key.Hdr.Ttl = 3600
|
|
key.Flags = 256
|
|
key.Protocol = 3
|
|
key.Algorithm = RSASHA256
|
|
key.PublicKey = "AwEAAcNEU67LJI5GEgF9QLNqLO1SMq1EdoQ6E9f85ha0k0ewQGCblyW2836GiVsm6k8Kr5ECIoMJ6fZWf3CQSQ9ycWfTyOHfmI3eQ/1Covhb2y4bAmL/07PhrL7ozWBW3wBfM335Ft9xjtXHPy7ztCbV9qZ4TVDTW/Iyg0PiwgoXVesz"
|
|
|
|
ds := key.ToDS(SHA1)
|
|
if strings.ToUpper(ds.Digest) != "B5121BDB5B8D86D0CC5FFAFBAAABE26C3E20BAC1" {
|
|
t.Logf("Wrong DS digest for SHA1\n%v\n", ds)
|
|
t.Fail()
|
|
}
|
|
}
|
|
|
|
func TestSignRSA(t *testing.T) {
|
|
pub := "miek.nl. IN DNSKEY 256 3 5 AwEAAb+8lGNCxJgLS8rYVer6EnHVuIkQDghdjdtewDzU3G5R7PbMbKVRvH2Ma7pQyYceoaqWZQirSj72euPWfPxQnMy9ucCylA+FuH9cSjIcPf4PqJfdupHk9X6EBYjxrCLY4p1/yBwgyBIRJtZtAqM3ceAH2WovEJD6rTtOuHo5AluJ"
|
|
|
|
priv := `Private-key-format: v1.3
|
|
Algorithm: 5 (RSASHA1)
|
|
Modulus: v7yUY0LEmAtLythV6voScdW4iRAOCF2N217APNTcblHs9sxspVG8fYxrulDJhx6hqpZlCKtKPvZ649Z8/FCczL25wLKUD4W4f1xKMhw9/g+ol926keT1foQFiPGsItjinX/IHCDIEhEm1m0Cozdx4AfZai8QkPqtO064ejkCW4k=
|
|
PublicExponent: AQAB
|
|
PrivateExponent: YPwEmwjk5HuiROKU4xzHQ6l1hG8Iiha4cKRG3P5W2b66/EN/GUh07ZSf0UiYB67o257jUDVEgwCuPJz776zfApcCB4oGV+YDyEu7Hp/rL8KcSN0la0k2r9scKwxTp4BTJT23zyBFXsV/1wRDK1A5NxsHPDMYi2SoK63Enm/1ptk=
|
|
Prime1: /wjOG+fD0ybNoSRn7nQ79udGeR1b0YhUA5mNjDx/x2fxtIXzygYk0Rhx9QFfDy6LOBvz92gbNQlzCLz3DJt5hw==
|
|
Prime2: wHZsJ8OGhkp5p3mrJFZXMDc2mbYusDVTA+t+iRPdS797Tj0pjvU2HN4vTnTj8KBQp6hmnY7dLp9Y1qserySGbw==
|
|
Exponent1: N0A7FsSRIg+IAN8YPQqlawoTtG1t1OkJ+nWrurPootScApX6iMvn8fyvw3p2k51rv84efnzpWAYiC8SUaQDNxQ==
|
|
Exponent2: SvuYRaGyvo0zemE3oS+WRm2scxR8eiA8WJGeOc+obwOKCcBgeZblXzfdHGcEC1KaOcetOwNW/vwMA46lpLzJNw==
|
|
Coefficient: 8+7ZN/JgByqv0NfULiFKTjtyegUcijRuyij7yNxYbCBneDvZGxJwKNi4YYXWx743pcAj4Oi4Oh86gcmxLs+hGw==
|
|
Created: 20110302104537
|
|
Publish: 20110302104537
|
|
Activate: 20110302104537`
|
|
|
|
xk, _ := NewRR(pub)
|
|
k := xk.(*DNSKEY)
|
|
p, err := k.NewPrivateKey(priv)
|
|
if err != nil {
|
|
t.Logf("%v\n", err)
|
|
t.Fail()
|
|
}
|
|
switch priv := p.(type) {
|
|
case *rsa.PrivateKey:
|
|
if 65537 != priv.PublicKey.E {
|
|
t.Log("Exponenent should be 65537")
|
|
t.Fail()
|
|
}
|
|
default:
|
|
t.Logf("We should have read an RSA key: %v", priv)
|
|
t.Fail()
|
|
}
|
|
if k.KeyTag() != 37350 {
|
|
t.Logf("%d %v\n", k.KeyTag(), k)
|
|
t.Log("Keytag should be 37350")
|
|
t.Fail()
|
|
}
|
|
|
|
soa := new(SOA)
|
|
soa.Hdr = RR_Header{"miek.nl.", TypeSOA, ClassINET, 14400, 0}
|
|
soa.Ns = "open.nlnetlabs.nl."
|
|
soa.Mbox = "miekg.atoom.net."
|
|
soa.Serial = 1293945905
|
|
soa.Refresh = 14400
|
|
soa.Retry = 3600
|
|
soa.Expire = 604800
|
|
soa.Minttl = 86400
|
|
|
|
sig := new(RRSIG)
|
|
sig.Hdr = RR_Header{"miek.nl.", TypeRRSIG, ClassINET, 14400, 0}
|
|
sig.Expiration = 1296534305 // date -u '+%s' -d"2011-02-01 04:25:05"
|
|
sig.Inception = 1293942305 // date -u '+%s' -d"2011-01-02 04:25:05"
|
|
sig.KeyTag = k.KeyTag()
|
|
sig.SignerName = k.Hdr.Name
|
|
sig.Algorithm = k.Algorithm
|
|
|
|
sig.Sign(p, []RR{soa})
|
|
if sig.Signature != "D5zsobpQcmMmYsUMLxCVEtgAdCvTu8V/IEeP4EyLBjqPJmjt96bwM9kqihsccofA5LIJ7DN91qkCORjWSTwNhzCv7bMyr2o5vBZElrlpnRzlvsFIoAZCD9xg6ZY7ZyzUJmU6IcTwG4v3xEYajcpbJJiyaw/RqR90MuRdKPiBzSo=" {
|
|
t.Log("Signature is not correct")
|
|
t.Logf("%v\n", sig)
|
|
t.Fail()
|
|
}
|
|
}
|
|
|
|
func TestSignECDSA(t *testing.T) {
|
|
pub := `example.net. 3600 IN DNSKEY 257 3 14 (
|
|
xKYaNhWdGOfJ+nPrL8/arkwf2EY3MDJ+SErKivBVSum1
|
|
w/egsXvSADtNJhyem5RCOpgQ6K8X1DRSEkrbYQ+OB+v8
|
|
/uX45NBwY8rp65F6Glur8I/mlVNgF6W/qTI37m40 )`
|
|
priv := `Private-key-format: v1.2
|
|
Algorithm: 14 (ECDSAP384SHA384)
|
|
PrivateKey: WURgWHCcYIYUPWgeLmiPY2DJJk02vgrmTfitxgqcL4vwW7BOrbawVmVe0d9V94SR`
|
|
|
|
eckey, err := NewRR(pub)
|
|
if err != nil {
|
|
t.Fatal(err.Error())
|
|
}
|
|
privkey, err := eckey.(*DNSKEY).NewPrivateKey(priv)
|
|
if err != nil {
|
|
t.Fatal(err.Error())
|
|
}
|
|
ds := eckey.(*DNSKEY).ToDS(SHA384)
|
|
if ds.KeyTag != 10771 {
|
|
t.Fatal("Wrong keytag on DS")
|
|
}
|
|
if ds.Digest != "72d7b62976ce06438e9c0bf319013cf801f09ecc84b8d7e9495f27e305c6a9b0563a9b5f4d288405c3008a946df983d6" {
|
|
t.Fatal("Wrong DS Digest")
|
|
}
|
|
a, _ := NewRR("www.example.net. 3600 IN A 192.0.2.1")
|
|
sig := new(RRSIG)
|
|
sig.Hdr = RR_Header{"example.net.", TypeRRSIG, ClassINET, 14400, 0}
|
|
sig.Expiration, _ = StringToTime("20100909102025")
|
|
sig.Inception, _ = StringToTime("20100812102025")
|
|
sig.KeyTag = eckey.(*DNSKEY).KeyTag()
|
|
sig.SignerName = eckey.(*DNSKEY).Hdr.Name
|
|
sig.Algorithm = eckey.(*DNSKEY).Algorithm
|
|
|
|
sig.Sign(privkey, []RR{a})
|
|
|
|
t.Logf("%s", sig.String())
|
|
if e := sig.Verify(eckey.(*DNSKEY), []RR{a}); e != nil {
|
|
t.Logf("Failure to validate: %s", e.Error())
|
|
t.Fail()
|
|
}
|
|
}
|