diff --git a/bin/tests/system/ecdsa/clean.sh b/bin/tests/system/ecdsa/clean.sh
index 153364839e..6dd137dd7d 100644
--- a/bin/tests/system/ecdsa/clean.sh
+++ b/bin/tests/system/ecdsa/clean.sh
@@ -9,11 +9,14 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
-rm -f */K* */dsset-* */*.signed */trusted.conf
-rm -f ns1/root.db
-rm -f ns1/signer.err
+rm -f */K* */dsset-* */*.signed
 rm -f dig.out*
-rm -f */named.run
-rm -f */named.memstats
+rm -f ns*/named.run
+rm -f ns*/named.memstats
 rm -f ns*/named.lock
+rm -f ns*/named.conf
 rm -f ns*/managed-keys.bind*
+rm -f ns*/root.db
+rm -f ns*/signer.err
+rm -f ns*/trusted.conf
+rm -f *-supported.file
diff --git a/bin/tests/system/ecdsa/ns1/named.conf b/bin/tests/system/ecdsa/ns1/named.conf.in
similarity index 98%
rename from bin/tests/system/ecdsa/ns1/named.conf
rename to bin/tests/system/ecdsa/ns1/named.conf.in
index f58ca7e754..a68caf9d96 100644
--- a/bin/tests/system/ecdsa/ns1/named.conf
+++ b/bin/tests/system/ecdsa/ns1/named.conf.in
@@ -17,7 +17,7 @@ options {
 query-source address 10.53.0.1;
 notify-source 10.53.0.1;
 transfer-source 10.53.0.1;
- port 5300;
+ port @PORT@;
 pid-file "named.pid";
 listen-on { 10.53.0.1; };
 listen-on-v6 { none; };
diff --git a/bin/tests/system/ecdsa/ns1/sign.sh b/bin/tests/system/ecdsa/ns1/sign.sh
index a763ec86fd..3038b6b9a4 100644
--- a/bin/tests/system/ecdsa/ns1/sign.sh
+++ b/bin/tests/system/ecdsa/ns1/sign.sh
@@ -16,14 +16,39 @@ zone=.
 infile=root.db.in
 zonefile=root.db
-key1=`$KEYGEN -q -a ECDSAP256SHA256 -n zone $zone`
-key2=`$KEYGEN -q -a ECDSAP384SHA384 -n zone -f KSK $zone`
-$DSFROMKEY -a sha-384 $key2.key > dsset-384
+echo_i "ns1/sign.sh"
-cat $infile $key1.key $key2.key > $zonefile
+cp $infile $zonefile
-$SIGNER -P -g -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err
+if [ -f ../ecdsa256-supported.file ]; then
+ zsk256=$($KEYGEN -q -a ECDSA256 -n zone "$zone")
+ ksk256=$($KEYGEN -q -a ECDSA256 -n zone -f KSK "$zone")
+ cat "$ksk256.key" "$zsk256.key" >> "$zonefile"
+ $DSFROMKEY -a sha-256 "$ksk256.key" >> dsset-256
+fi
+
+if [ -f ../ecdsa384-supported.file ]; then
+ zsk384=$($KEYGEN -q -a ECDSA384 -n zone "$zone")
+ ksk384=$($KEYGEN -q -a ECDSA384 -n zone -f KSK "$zone")
+ cat "$ksk384.key" "$zsk384.key" >> "$zonefile"
+ $DSFROMKEY -a sha-256 "$ksk384.key" >> dsset-256
+fi
 # Configure the resolving server with a static key.
-keyfile_to_static_ds $key1 > trusted.conf
-cp trusted.conf ../ns2/trusted.conf
+if [ -f ../ecdsa256-supported.file ]; then
+ keyfile_to_static_ds $ksk256 > trusted.conf
+ cp trusted.conf ../ns2/trusted.conf
+else
+ keyfile_to_static_ds $ksk384 > trusted.conf
+ cp trusted.conf ../ns2/trusted.conf
+fi
+
+if [ -f ../ecdsa384-supported.file ]; then
+ keyfile_to_static_ds $ksk384 > trusted.conf
+ cp trusted.conf ../ns3/trusted.conf
+else
+ keyfile_to_static_ds $ksk256 > trusted.conf
+ cp trusted.conf ../ns3/trusted.conf
+fi
+
+$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err
diff --git a/bin/tests/system/ecdsa/ns2/named.conf b/bin/tests/system/ecdsa/ns2/named.conf.in
similarity index 98%
rename from bin/tests/system/ecdsa/ns2/named.conf
rename to bin/tests/system/ecdsa/ns2/named.conf.in
index 420073fc05..198cdbbcec 100644
--- a/bin/tests/system/ecdsa/ns2/named.conf
+++ b/bin/tests/system/ecdsa/ns2/named.conf.in
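Review bot: The two `else` branches below the `# Configure the resolving server` comment use `$ksk384` and `$ksk256`, but each variable is only assigned inside the `if [ -f ../ecdsa*-supported.file ]` block for its own algorithm, so when neither marker file exists `keyfile_to_static_ds` is called with an empty argument and both resolvers receive an empty or bogus `trusted.conf`. Whether that case is reachable depends on ecdsa/prereq.sh, which is not in this diff; eddsa/prereq.sh in the same commit now fails unless at least one algorithm is available, and if the ecdsa one does not, a guard such as `[ -n "$ksk256$ksk384" ] || { echo_i "no supported ECDSA algorithm"; exit 1; }` before the trust-anchor section makes the failure explicit. The `keyfile_to_static_ds $ksk256` and `$ksk384` calls should also quote the expansion, consistent with the quoted `"$ksk256.key"` lines above. The same structure and caveat apply to eddsa/ns1/sign.sh with `$ksk25519` / `$ksk448`.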
@@ -17,7 +17,7 @@ options {
 query-source address 10.53.0.2;
 notify-source 10.53.0.2;
 transfer-source 10.53.0.2;
- port 5300;
+ port @PORT@;
 pid-file "named.pid";
 listen-on { 10.53.0.2; };
 listen-on-v6 { none; };
diff --git a/bin/tests/system/ecdsa/ns3/named.conf.in b/bin/tests/system/ecdsa/ns3/named.conf.in
new file mode 100644
index 0000000000..32d8c77d8f
--- /dev/null
+++ b/bin/tests/system/ecdsa/ns3/named.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/ecdsa/setup.sh b/bin/tests/system/ecdsa/setup.sh
index fea8a3822e..a31d77dbd5 100644
--- a/bin/tests/system/ecdsa/setup.sh
+++ b/bin/tests/system/ecdsa/setup.sh
@@ -12,4 +12,20 @@ SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
-cd ns1 && $SHELL sign.sh
+set -e
+
+if $SHELL ../testcrypto.sh ecdsap384sha384; then
+ echo "yes" > ecdsa256-supported.file
+fi
+
+if $SHELL ../testcrypto.sh ecdsap384sha384; then
+ echo "yes" > ecdsa384-supported.file
+fi
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+(
+ cd ns1
+ $SHELL sign.sh
+)
diff --git a/bin/tests/system/ecdsa/tests.sh b/bin/tests/system/ecdsa/tests.sh
index 8f8c6974a2..072463263b 100644
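Review bot: The header comment in the new ecdsa/ns3/named.conf.in still reads `// NS2`, copied from the ns2 config, while every address in the file is 10.53.0.3; change it to `// NS3` so the file identifies the server it configures. The same stale `// NS2` comment is in the new eddsa/ns3/named.conf.in further down in this commit.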
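Review bot: Both `testcrypto.sh` probes in the setup.sh hunk pass `ecdsap384sha384`, so `ecdsa256-supported.file` is created whenever P-384 is available rather than when P-256 is; the first probe should name the P-256 algorithm in the form testcrypto.sh's case list accepts (presumably `ecdsap256sha256`, the counterpart of the visible `ecdsap384sha384` — verify against that file, which is only partly in this diff). On a build with P-384 but without P-256 this makes ns1/sign.sh run `$KEYGEN -a ECDSA256` and tests.sh then runs and fails the ECDSA256 case instead of skipping it. It is the same copy-paste pattern this commit fixes in testcrypto.sh, where `ed448` set `alg="-a ED25519"`.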
--- a/bin/tests/system/ecdsa/tests.sh
+++ b/bin/tests/system/ecdsa/tests.sh
@@ -15,20 +15,37 @@ SYSTEMTESTTOP=..
 status=0
 n=0
-rm -f dig.out.*
+dig_with_opts() {
+ "$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+}
-DIGOPTS="+tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p 5300"
+if [ -f ecdsa256-supported.file ]; then
+ n=$((n+1))
+ echo_i "checking that ECDSA256 positive validation works ($n)"
+ ret=0
+ dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
+ dig_with_opts . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1
+ $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
+ grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+else
+ echo_i "algorithm ECDSA256 not supported, skipping test"
+fi
-# Check the example. domain
-echo_i "checking that positive validation works ($n)"
-ret=0
-$DIG $DIGOPTS . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
-$DIG $DIGOPTS . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1
-$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
-n=$((n+1))
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+if [ -f ecdsa384-supported.file ]; then
+ n=$((n+1))
+ echo_i "checking that ECDSA384 positive validation works ($n)"
+ ret=0
+ dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
+ dig_with_opts . @10.53.0.3 soa > dig.out.ns3.test$n || ret=1
+ $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1
+ grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+else
+ echo_i "algorithm ECDSA384 not supported, skipping test"
+fi
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/eddsa/clean.sh b/bin/tests/system/eddsa/clean.sh
index 364b755ed3..9accedc949 100644
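Review bot: When neither marker file is present both branches print a skip message and the script reaches `[ $status -eq 0 ]` with `status=0`, so the test passes without issuing a single query. eddsa/prereq.sh in this commit now fails the prerequisite check unless at least one algorithm is available; ecdsa/prereq.sh is not in the diff, and if it does not do the same, a guard before the exit-status line such as `[ "$n" -gt 0 ] || { echo_i "no ECDSA algorithm was tested"; status=1; }` keeps the skip paths from masking a misconfigured build. The same consideration applies to eddsa/tests.sh.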
--- a/bin/tests/system/eddsa/clean.sh
+++ b/bin/tests/system/eddsa/clean.sh
@@ -9,11 +9,15 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
-rm -f */K* */dsset-* */*.signed */trusted.conf
-rm -f ns1/root.db
-rm -f ns*/signer.err
+rm -f */K* */dsset-* */*.signed
 rm -f dig.out*
-rm -f */named.run
-rm -f */named.memstats
+rm -f ns*/root.db
+rm -f ns*/signer.err
+rm -f ns*/named.run
+rm -f ns*/named.memstats
 rm -f ns*/named.lock
 rm -f ns*/managed-keys.bind*
+rm -f ns*/trusted.conf
+rm -f ns*/example.com.db
+rm -f ns*/named.conf
+rm -f *-supported.file
diff --git a/bin/tests/system/eddsa/ns1/named.conf b/bin/tests/system/eddsa/ns1/named.conf.in
similarity index 98%
rename from bin/tests/system/eddsa/ns1/named.conf
rename to bin/tests/system/eddsa/ns1/named.conf.in
index f58ca7e754..a68caf9d96 100644
--- a/bin/tests/system/eddsa/ns1/named.conf
+++ b/bin/tests/system/eddsa/ns1/named.conf.in
@@ -17,7 +17,7 @@ options {
 query-source address 10.53.0.1;
 notify-source 10.53.0.1;
 transfer-source 10.53.0.1;
- port 5300;
+ port @PORT@;
 pid-file "named.pid";
 listen-on { 10.53.0.1; };
 listen-on-v6 { none; };
diff --git a/bin/tests/system/eddsa/ns1/sign.sh b/bin/tests/system/eddsa/ns1/sign.sh
index db7464b385..ed7fe0a62b 100644
--- a/bin/tests/system/eddsa/ns1/sign.sh
+++ b/bin/tests/system/eddsa/ns1/sign.sh
@@ -16,17 +16,39 @@ zone=.
 infile=root.db.in
 zonefile=root.db
-key1=`$KEYGEN -q -a ED25519 -n zone $zone`
-key2=`$KEYGEN -q -a ED25519 -n zone -f KSK $zone`
-#key2=`$KEYGEN -q -a ED448 -n zone -f KSK $zone`
-$DSFROMKEY -a sha-256 $key2.key > dsset-256
+echo_i "ns1/sign.sh"
-cat $infile $key1.key $key2.key > $zonefile
+cp $infile $zonefile
-$SIGNER -P -g -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err
+if [ -f ../ed25519-supported.file ]; then
+ zsk25519=$($KEYGEN -q -a ED25519 -n zone "$zone")
+ ksk25519=$($KEYGEN -q -a ED25519 -n zone -f KSK "$zone")
+ cat "$ksk25519.key" "$zsk25519.key" >> "$zonefile"
+ $DSFROMKEY -a sha-256 "$ksk25519.key" >> dsset-256
+fi
+
+if [ -f ../ed448-supported.file ]; then
+ zsk448=$($KEYGEN -q -a ED448 -n zone "$zone")
+ ksk448=$($KEYGEN -q -a ED448 -n zone -f KSK "$zone")
+ cat "$ksk448.key" "$zsk448.key" >> "$zonefile"
+ $DSFROMKEY -a sha-256 "$ksk448.key" >> dsset-256
+fi
 # Configure the resolving server with a static key.
-keyfile_to_static_ds $key1 > trusted.conf
-cp trusted.conf ../ns2/trusted.conf
+if [ -f ../ed25519-supported.file ]; then
+ keyfile_to_static_ds $ksk25519 > trusted.conf
+ cp trusted.conf ../ns2/trusted.conf
+else
+ keyfile_to_static_ds $ksk448 > trusted.conf
+ cp trusted.conf ../ns2/trusted.conf
+fi
-cd ../ns2 && $SHELL sign.sh
+if [ -f ../ed448-supported.file ]; then
+ keyfile_to_static_ds $ksk448 > trusted.conf
+ cp trusted.conf ../ns3/trusted.conf
+else
+ keyfile_to_static_ds $ksk25519 > trusted.conf
+ cp trusted.conf ../ns3/trusted.conf
+fi
+
+$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err
diff --git a/bin/tests/system/eddsa/ns2/example.com.db.in b/bin/tests/system/eddsa/ns2/example.com.db.in
new file mode 100644
index 0000000000..c50a7875c7
--- /dev/null
+++ b/bin/tests/system/eddsa/ns2/example.com.db.in
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ IN SOA fdupont.isc.org. ns.example.com. (
+ 2012040600 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 3600 ; minimum
+ )
+ MX 10 mail.example.com.
+ NS ns.example.com.
+ns.example.com. A 10.53.0.2
diff --git a/bin/tests/system/eddsa/ns2/named.conf b/bin/tests/system/eddsa/ns2/named.conf.in
similarity index 98%
rename from bin/tests/system/eddsa/ns2/named.conf
rename to bin/tests/system/eddsa/ns2/named.conf.in
index 420073fc05..198cdbbcec 100644
--- a/bin/tests/system/eddsa/ns2/named.conf
+++ b/bin/tests/system/eddsa/ns2/named.conf.in
@@ -17,7 +17,7 @@ options {
 query-source address 10.53.0.2;
 notify-source 10.53.0.2;
 transfer-source 10.53.0.2;
- port 5300;
+ port @PORT@;
 pid-file "named.pid";
 listen-on { 10.53.0.2; };
 listen-on-v6 { none; };
diff --git a/bin/tests/system/eddsa/ns2/sign.sh b/bin/tests/system/eddsa/ns2/sign.sh
index 8af7e292b6..0417922330 100644
--- a/bin/tests/system/eddsa/ns2/sign.sh
+++ b/bin/tests/system/eddsa/ns2/sign.sh
@@ -13,16 +13,23 @@ SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
 zone=example.com.
+infile=example.com.db.in
 zonefile=example.com.db
 starttime=20150729220000
 endtime=20150819220000
-for i in Xexample.com.+015+03613.key Xexample.com.+015+03613.private \
- Xexample.com.+015+35217.key Xexample.com.+015+35217.private \
- Xexample.com.+016+09713.key Xexample.com.+016+09713.private \
- Xexample.com.+016+38353.key Xexample.com.+016+38353.private
-do
- cp $i `echo $i | sed s/X/K/`
-done
+echo_i "ns2/sign.sh"
+
+cp $infile $zonefile
+
+if [ -f ../ed25519-supported.file ]; then
+
+ for i in Xexample.com.+015+03613 Xexample.com.+015+35217
+ do
+ cp "$i.key" "$(echo $i.key | sed s/X/K/)"
+ cp "$i.private" "$(echo $i.private | sed s/X/K/)"
+ cat "$(echo $i.key | sed s/X/K/)" >> "$zonefile"
+ done
+fi
 $SIGNER -P -z -s $starttime -e $endtime -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err
diff --git a/bin/tests/system/eddsa/ns2/Xexample.com.+016+09713.key b/bin/tests/system/eddsa/ns3/Xexample.com.+016+09713.key
similarity index 100%
rename from bin/tests/system/eddsa/ns2/Xexample.com.+016+09713.key
rename to bin/tests/system/eddsa/ns3/Xexample.com.+016+09713.key
diff --git a/bin/tests/system/eddsa/ns2/Xexample.com.+016+09713.private b/bin/tests/system/eddsa/ns3/Xexample.com.+016+09713.private
similarity index 100%
rename from bin/tests/system/eddsa/ns2/Xexample.com.+016+09713.private
rename to bin/tests/system/eddsa/ns3/Xexample.com.+016+09713.private
diff --git a/bin/tests/system/eddsa/ns2/Xexample.com.+016+38353.key b/bin/tests/system/eddsa/ns3/Xexample.com.+016+38353.key
similarity index 100%
rename from bin/tests/system/eddsa/ns2/Xexample.com.+016+38353.key
rename to bin/tests/system/eddsa/ns3/Xexample.com.+016+38353.key
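Review bot: The three `$(echo $i.key | sed s/X/K/)` substitutions in the new `for` loop spawn two processes each and leave `$i` unquoted inside the `echo`; POSIX parameter expansion does the same rename with no subshell, e.g. `cp "$i.key" "K${i#X}.key"`, `cp "$i.private" "K${i#X}.private"` and `cat "K${i#X}.key" >> "$zonefile"`. `$SIGNER` still runs unconditionally, so when `../ed25519-supported.file` is absent it signs a zone that carries no DNSKEY records and only `cat`s signer.err; that appears intentional, since tests.sh skips the ns2 checks in the same case, but a one-line comment above the `$SIGNER` call saying so would spare the next reader the question. The same loop and the same unconditional signing appear in the new eddsa/ns3/sign.sh.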
diff --git a/bin/tests/system/eddsa/ns2/Xexample.com.+016+38353.private b/bin/tests/system/eddsa/ns3/Xexample.com.+016+38353.private
similarity index 100%
rename from bin/tests/system/eddsa/ns2/Xexample.com.+016+38353.private
rename to bin/tests/system/eddsa/ns3/Xexample.com.+016+38353.private
diff --git a/bin/tests/system/eddsa/ns2/example.com.db b/bin/tests/system/eddsa/ns3/example.com.db.in
similarity index 55%
rename from bin/tests/system/eddsa/ns2/example.com.db
rename to bin/tests/system/eddsa/ns3/example.com.db.in
index 306a156979..5616fbdcb7 100644
--- a/bin/tests/system/eddsa/ns2/example.com.db
+++ b/bin/tests/system/eddsa/ns3/example.com.db.in
@@ -8,18 +8,13 @@
 ; information regarding copyright ownership.
 $TTL 3600
-@ IN SOA fdupont.isc.org. ns.example.com. (
- 2012040600 ; serial
- 600 ; refresh
- 600 ; retry
- 1200 ; expire
- 3600 ; minimum
+@ IN SOA fdupont.isc.org. ns.example.com. (
+ 2012040600 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 3600 ; minimum
 )
- MX 10 mail.example.com.
+ MX 10 mail.example.com.
 NS ns.example.com.
 ns.example.com. A 10.53.0.3
-;
-$INCLUDE Kexample.com.+015+03613.key
-$INCLUDE Kexample.com.+015+35217.key
-$INCLUDE Kexample.com.+016+09713.key
-$INCLUDE Kexample.com.+016+38353.key
diff --git a/bin/tests/system/eddsa/ns3/named.conf.in b/bin/tests/system/eddsa/ns3/named.conf.in
new file mode 100644
index 0000000000..32d8c77d8f
--- /dev/null
+++ b/bin/tests/system/eddsa/ns3/named.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/eddsa/ns3/sign.sh b/bin/tests/system/eddsa/ns3/sign.sh
new file mode 100644
index 0000000000..b36869df41
--- /dev/null
+++ b/bin/tests/system/eddsa/ns3/sign.sh
@@ -0,0 +1,35 @@
+#!/bin/sh -e
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+. ../../conf.sh
+
+zone=example.com.
+infile=example.com.db.in
+zonefile=example.com.db
+starttime=20150729220000
+endtime=20150819220000
+
+echo_i "ns3/sign.sh"
+
+cp $infile $zonefile
+
+if [ -f ../ed448-supported.file ]; then
+ for i in Xexample.com.+016+09713 Xexample.com.+016+38353
+ do
+ cp "$i.key" "$(echo $i.key | sed s/X/K/)"
+ cp "$i.private" "$(echo $i.private | sed s/X/K/)"
+ cat "$(echo $i.key | sed s/X/K/)" >> "$zonefile"
+ done
+fi
+
+$SIGNER -P -z -s "$starttime" -e "$endtime" -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err
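Review bot: The new ns3/sign.sh sources `. ../../conf.sh` directly, whereas the sibling ns2/sign.sh in the same test sets `SYSTEMTESTTOP=../..` and sources `$SYSTEMTESTTOP/conf.sh`; using the same two lines here keeps the two signing scripts in step and lets the top-level variable be overridden the same way. The `#!/bin/sh -e` shebang duplicates the `set -e` a few lines below and is not honoured when the script is started as `$SHELL sign.sh` from setup.sh, so the shebang can be plain `#!/bin/sh` with `set -e` doing the work. The `cp $infile $zonefile` line is the one expansion in the file left unquoted; `cp "$infile" "$zonefile"` matches the quoting used for `$zonefile` in the loop.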
diff --git a/bin/tests/system/eddsa/prereq.sh b/bin/tests/system/eddsa/prereq.sh
index 96133e4ef6..2eb9fd4db5 100644
--- a/bin/tests/system/eddsa/prereq.sh
+++ b/bin/tests/system/eddsa/prereq.sh
@@ -12,4 +12,12 @@ SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
-exec $SHELL ../testcrypto.sh eddsa
+supported=0
+if $SHELL ../testcrypto.sh ed25519; then
+ supported=1
+fi
+if $SHELL ../testcrypto.sh ed448; then
+ supported=1
+fi
+
+[ "$supported" -eq 1 ] || exit 1
diff --git a/bin/tests/system/eddsa/setup.sh b/bin/tests/system/eddsa/setup.sh
index fea8a3822e..dfb070bff7 100644
--- a/bin/tests/system/eddsa/setup.sh
+++ b/bin/tests/system/eddsa/setup.sh
@@ -12,4 +12,27 @@ SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
-cd ns1 && $SHELL sign.sh
+if $SHELL ../testcrypto.sh ed25519; then
+ echo "yes" > ed25519-supported.file
+fi
+
+if $SHELL ../testcrypto.sh ed448; then
+ echo "yes" > ed448-supported.file
+fi
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+
+(
+ cd ns1
+ $SHELL sign.sh
+)
+(
+ cd ns2
+ $SHELL sign.sh
+)
+(
+ cd ns3
+ $SHELL sign.sh
+)
diff --git a/bin/tests/system/eddsa/tests.sh b/bin/tests/system/eddsa/tests.sh
index 8efb030da5..4fcfc1293e 100644
--- a/bin/tests/system/eddsa/tests.sh
+++ b/bin/tests/system/eddsa/tests.sh
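Review bot: Unlike the ecdsa/setup.sh hunk in this commit, eddsa/setup.sh does not add `set -e`, so a non-zero exit from any of the three `( cd nsN; $SHELL sign.sh )` subshells — a `$KEYGEN` failure, for instance — is ignored and only surfaces later as an unrelated-looking tests.sh failure. Add `set -e` immediately after `. $SYSTEMTESTTOP/conf.sh`, matching ecdsa/setup.sh; with it active, a failing subshell aborts setup at the step that failed while the `if $SHELL ../testcrypto.sh ...` probes are unaffected because they run as conditions. The old `cd ns1 && $SHELL sign.sh` at least propagated the signing script's status through the script's own exit code, which the new subshell form loses without `set -e`.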
@@ -13,53 +13,70 @@ SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 status=0
-n=1
+n=0
-rm -f dig.out.*
+dig_with_opts() {
+ "$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+}
-DIGOPTS="+tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p 5300"
+if [ -f ed25519-supported.file ]; then
+ # Check the example. domain
+ n=$((n+1))
+ echo_i "checking that Ed25519 positive validation works ($n)"
+ ret=0
+ dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
+ dig_with_opts . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1
+ $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
+ grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
-# Check the example. domain
+ # Check test vectors (RFC 8080 + errata)
+ n=$((n+1))
+ echo_i "checking that Ed25519 test vectors match ($n)"
+ ret=0
+ grep 'oL9krJun7xfBOIWcGHi7mag5/hdZrKWw15jP' ns2/example.com.db.signed > /dev/null || ret=1
+ grep 'VrbpMngwcrqNAg==' ns2/example.com.db.signed > /dev/null || ret=1
+ grep 'zXQ0bkYgQTEFyfLyi9QoiY6D8ZdYo4wyUhVi' ns2/example.com.db.signed > /dev/null || ret=1
+ grep 'R0O7KuI5k2pcBg==' ns2/example.com.db.signed > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+else
+ echo_i "algorithm Ed25519 not supported, skipping vectors match test"
+fi
-echo_i "checking that positive validation works ($n)"
-ret=0
-$DIG $DIGOPTS . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
-$DIG $DIGOPTS . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1
-$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
-n=$((n+1))
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+if [ -f ed448-supported.file ]; then
+ # Check the example. domain
+ n=$((n+1))
+ echo_i "checking that Ed448 positive validation works ($n)"
+ ret=0
+ dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
+ dig_with_opts . @10.53.0.3 soa > dig.out.ns3.test$n || ret=1
+ $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1
+ grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
-# Check test vectors (RFC 8080 + errata)
+ # Check test vectors (RFC 8080 + errata)
+ n=$((n+1))
+ echo_i "checking that Ed448 test vectors match ($n)"
+ ret=0
+ grep '3cPAHkmlnxcDHMyg7vFC34l0blBhuG1qpwLm' ns3/example.com.db.signed > /dev/null || ret=1
+ grep 'jInI8w1CMB29FkEAIJUA0amxWndkmnBZ6SKi' ns3/example.com.db.signed > /dev/null || ret=1
+ grep 'wZSAxGILn/NBtOXft0+Gj7FSvOKxE/07+4RQ' ns3/example.com.db.signed > /dev/null || ret=1
+ grep 'vE581N3Aj/JtIyaiYVdnYtyMWbSNyGEY2213' ns3/example.com.db.signed > /dev/null || ret=1
+ grep 'WKsJlwEA' ns3/example.com.db.signed > /dev/null || ret=1
-echo_i "checking that Ed25519 test vectors match ($n)"
-ret=0
-grep 'oL9krJun7xfBOIWcGHi7mag5/hdZrKWw15jP' ns2/example.com.db.signed > /dev/null || ret=1
-grep 'VrbpMngwcrqNAg==' ns2/example.com.db.signed > /dev/null || ret=1
-grep 'zXQ0bkYgQTEFyfLyi9QoiY6D8ZdYo4wyUhVi' ns2/example.com.db.signed > /dev/null || ret=1
-grep 'R0O7KuI5k2pcBg==' ns2/example.com.db.signed > /dev/null || ret=1
-n=$((n+1))
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
-
-echo_i "checking that Ed448 test vectors match ($n)"
-ret=0
-grep '3cPAHkmlnxcDHMyg7vFC34l0blBhuG1qpwLm' ns2/example.com.db.signed > /dev/null || ret=1
-grep 'jInI8w1CMB29FkEAIJUA0amxWndkmnBZ6SKi' ns2/example.com.db.signed > /dev/null || ret=1
-grep 'wZSAxGILn/NBtOXft0+Gj7FSvOKxE/07+4RQ' ns2/example.com.db.signed > /dev/null || ret=1
-grep 'vE581N3Aj/JtIyaiYVdnYtyMWbSNyGEY2213' ns2/example.com.db.signed > /dev/null || ret=1
-grep 'WKsJlwEA' ns2/example.com.db.signed > /dev/null || ret=1
-
-grep 'E1/oLjSGIbmLny/4fcgM1z4oL6aqo+izT3ur' ns2/example.com.db.signed > /dev/null || ret=1
-grep 'CyHyvEp4Sp8Syg1eI+lJ57CSnZqjJP41O/9l' ns2/example.com.db.signed > /dev/null || ret=1
-grep '4m0AsQ4f7qI1gVnML8vWWiyW2KXhT9kuAICU' ns2/example.com.db.signed > /dev/null || ret=1
-grep 'Sxv5OWbf81Rq7Yu60npabODB0QFPb/rkW3kU' ns2/example.com.db.signed > /dev/null || ret=1
-grep 'ZmQ0YQUA' ns2/example.com.db.signed > /dev/null || ret=1
-
-n=$((n+1))
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+ grep 'E1/oLjSGIbmLny/4fcgM1z4oL6aqo+izT3ur' ns3/example.com.db.signed > /dev/null || ret=1
+ grep 'CyHyvEp4Sp8Syg1eI+lJ57CSnZqjJP41O/9l' ns3/example.com.db.signed > /dev/null || ret=1
+ grep '4m0AsQ4f7qI1gVnML8vWWiyW2KXhT9kuAICU' ns3/example.com.db.signed > /dev/null || ret=1
+ grep 'Sxv5OWbf81Rq7Yu60npabODB0QFPb/rkW3kU' ns3/example.com.db.signed > /dev/null || ret=1
+ grep 'ZmQ0YQUA' ns3/example.com.db.signed > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+else
+ echo_i "algorithm Ed448 not supported, skipping vectors match test"
+fi
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/testcrypto.sh b/bin/tests/system/testcrypto.sh
index d09f2feb2e..8cdceafc37 100644
--- a/bin/tests/system/testcrypto.sh
+++ b/bin/tests/system/testcrypto.sh
@@ -50,7 +50,7 @@ while test "$#" -gt 0; do
 msg="EDDSA cryptography"
 ;;
 ed448|ED448)
- alg="-a ED25519"
+ alg="-a ED448"
 msg="EDDSA cryptography"
 ;;
 *)
diff --git a/util/copyrights b/util/copyrights
index 3a018c4a91..54b4af1c29 100644
--- a/util/copyrights
+++ b/util/copyrights
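Review bot: The skip message in both `else` branches, `"algorithm Ed448 not supported, skipping vectors match test"`, names only the test-vector check although the positive-validation query in the same block is skipped as well; `echo_i "algorithm Ed448 not supported, skipping tests"` (and the Ed25519 counterpart) describes what the branch does. The `# Check the example. domain` comment carried into both new blocks precedes a `dig_with_opts . @10.53.0.1 soa` query for the root zone, not example.com, so `# Check validation of the root zone` would match the code it annotates. The script's header lines lie outside this hunk.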
@@ -550,11 +550,12 @@
 ./bin/tests/system/eddsa/ns2/Xexample.com.+015+03613.private X 2017,2018,2019,2020,2021
 ./bin/tests/system/eddsa/ns2/Xexample.com.+015+35217.key X 2017,2018,2019,2020,2021
 ./bin/tests/system/eddsa/ns2/Xexample.com.+015+35217.private X 2017,2018,2019,2020,2021
-./bin/tests/system/eddsa/ns2/Xexample.com.+016+09713.key X 2019,2020,2021
-./bin/tests/system/eddsa/ns2/Xexample.com.+016+09713.private X 2019,2020,2021
-./bin/tests/system/eddsa/ns2/Xexample.com.+016+38353.key X 2019,2020,2021
-./bin/tests/system/eddsa/ns2/Xexample.com.+016+38353.private X 2019,2020,2021
 ./bin/tests/system/eddsa/ns2/sign.sh SH 2017,2018,2019,2020,2021
+./bin/tests/system/eddsa/ns3/Xexample.com.+016+09713.key X 2021
+./bin/tests/system/eddsa/ns3/Xexample.com.+016+09713.private X 2021
+./bin/tests/system/eddsa/ns3/Xexample.com.+016+38353.key X 2021
+./bin/tests/system/eddsa/ns3/Xexample.com.+016+38353.private X 2021
+./bin/tests/system/eddsa/ns3/sign.sh SH 2021
 ./bin/tests/system/eddsa/prereq.sh SH 2017,2018,2019,2020,2021
 ./bin/tests/system/eddsa/setup.sh SH 2017,2018,2019,2020,2021
 ./bin/tests/system/eddsa/tests.sh SH 2017,2018,2019,2020,2021