dnssec: test dnssec-keygen -F switches to FIPS mode

This commit is contained in:
Mark Andrews
2022-08-26 12:24:30 +10:00
parent ba6ee5af50
commit 78764f99ca
2 changed files with 42 additions and 1 deletions


@@ -21,7 +21,7 @@ rm -f ./*/named.run ./*/named.run.prev
rm -f ./*/named.secroots
rm -f ./*/tmp* ./*/*.jnl ./*/*.bk ./*/*.jbk
rm -f ./*/trusted.conf ./*/managed.conf ./*/revoked.conf
rm -f ./Kexample.* ./Kkeygen* ./keygen*.err
rm -f ./Kexample.* ./Kkeygen* ./keygen*.err*
rm -f ./ans10/query.log ./ans10/ans.run
rm -f ./canonical?.*
rm -f ./delv.out*


@@ -3538,6 +3538,47 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "check that 'dnssec-keygen -F' disables rsasha1 ($n)"
ret=0
if $FEATURETEST --have-fips-mode
then
echo_i "skipped: already in FIPS mode"
elif ! $FEATURETEST --fips-provider
then
echo_i "skipped no FIPS provider available"
elif ! $SHELL ../testcrypto.sh -q RSASHA1
then
echo_i "skipped: RSASHA1 is not supported"
else
$KEYGEN -F -a rsasha1 example.fips 2> keygen.err$n || true
grep "unsupported algorithm: RSASHA1" "keygen.err$n" > /dev/null || ret=1
fi
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "check that 'dnssec-keygen -F' disables nsec3rsasha1 ($n)"
ret=0
if $FEATURETEST --have-fips-mode
then
echo_i "skipped: already in FIPS mode"
elif ! $FEATURETEST --fips-set-mode
then
echo_i "skipped: cannot switch to FIPS mode"
elif ! $FEATURETEST --fips-set-mode-dst-lib-init
then
echo_i "skipped FIPS mode not properly set up"
elif ! $SHELL ../testcrypto.sh -q RSASHA1
then
echo_i "skipped: RSASHA1 is not supported"
else
$KEYGEN -F -a nsec3rsasha1 example.fips 2> keygen.err$n || true
grep "unsupported algorithm: NSEC3RSASHA1" "keygen.err$n" > /dev/null || ret=1
fi
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "check that CDS records are signed using KSK by dnssec-signzone ($n)"
ret=0
dig_with_opts +noall +answer @10.53.0.2 cds cds.secure > dig.out.test$n
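Review bot: The two new tests gate on different FEATURETEST probes: after the shared `--have-fips-mode` check, the rsasha1 test only requires `--fips-provider`, while the nsec3rsasha1 test requires both `--fips-set-mode` and `--fips-set-mode-dst-lib-init`; since each runs `$KEYGEN -F`, which has to switch into FIPS mode at runtime, the first test presumably needs the same two guards or it will report a failure instead of a skip on a build that has a provider but cannot enable FIPS mode. While aligning them, the skip messages on the `--fips-provider` and `--fips-set-mode-dst-lib-init` branches are missing the colon the other branches use (`echo_i "skipped: no FIPS provider available"`, `echo_i "skipped: FIPS mode not properly set up"`). Both tests also only grep stderr for the "unsupported algorithm" line; the assertion that actually matters for a FIPS-disablement check is that no key material was written, so consider adding `ls Kexample.fips.* > /dev/null 2>&1 && ret=1` after each grep, which the cleanup change in this commit already accounts for. The helpers and counters used here (FEATURETEST, KEYGEN, echo_i, n, status) are defined outside the hunk.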