diff options
| author | gregor herrmann <gregoa@debian.org> | 2022-10-08 18:10:05 +0200 |
|---|---|---|
| committer | gregor herrmann <gregoa@debian.org> | 2022-10-08 18:10:05 +0200 |
| commit | 3f183ca68e780dcb673d0617f220672779c9bc34 (patch) | |
| tree | 226c5c4b6dc1291cdc667c1ef058ea6e616895a1 | |
| parent | 515c2e7ec3e794823f611bf2f9e60a34059da078 (diff) | |
| parent | f68147a2413be08a4a77f30409092cbeb483068d (diff) | |
Update upstream source from tag 'upstream/1.20'
Update to upstream version '1.20'
with Debian dir 9b15deca80c9e4ad8b408b4ddd243adabf785de4
| -rw-r--r-- | Changes | 21 | ||||
| -rw-r--r-- | MANIFEST | 1 | ||||
| -rw-r--r-- | META.json | 22 | ||||
| -rw-r--r-- | META.yml | 19 | ||||
| -rw-r--r-- | Makefile.PL | 86 | ||||
| -rw-r--r-- | SEC.xs | 102 | ||||
| -rw-r--r-- | demo/getkeyset | 32 | ||||
| -rw-r--r-- | demo/key2ds | 25 | ||||
| -rw-r--r-- | demo/make-signed-keyset | 26 | ||||
| -rw-r--r-- | lib/Net/DNS/SEC.pm | 28 | ||||
| -rw-r--r-- | lib/Net/DNS/SEC/DSA.pm | 17 | ||||
| -rw-r--r-- | lib/Net/DNS/SEC/ECCGOST.pm | 113 | ||||
| -rw-r--r-- | lib/Net/DNS/SEC/Keyset.pm | 15 | ||||
| -rw-r--r-- | lib/Net/DNS/SEC/RSA.pm | 20 | ||||
| -rw-r--r-- | t/00-load.t | 67 | ||||
| -rw-r--r-- | t/10-keyset.t | 232 | ||||
| -rw-r--r-- | t/20-digest.t | 37 | ||||
| -rw-r--r-- | t/21-RSA-MD5.t | 7 | ||||
| -rw-r--r-- | t/22-RSA-SHA1.t | 79 | ||||
| -rw-r--r-- | t/23-RSA-SHA256.t | 69 | ||||
| -rw-r--r-- | t/24-RSA-SHA512.t | 4 | ||||
| -rw-r--r-- | t/31-DSA-SHA1.t | 5 | ||||
| -rw-r--r-- | t/61-Ed25519.t | 6 | ||||
| -rw-r--r-- | t/62-Ed448.t | 8 |
24 files changed, 408 insertions, 633 deletions
@@ -1,12 +1,16 @@ Revision history for Perl extension Net::DNS::SEC. -**** 1.19 Oct 11, 2021 +**** 1.20 Oct 4, 2022 + + Circumvent failure of EdDSA test on EBCDIC platforms. + Improve Net::DNS::SEC::Keyset tests and error reporting. + Avoid test failures if/when DSA|MD5|SHA1 become unsupported. - Use new EVP_PKEY construction API for OpenSSL post 3.x.x. - Remove support for obsolete ECC-GOST. +**** 1.19 Oct 11, 2021 + Discontinue support for obsolete ECC-GOST. Add LICENSE file to comply with Fedora/RedHat announcement and WARNING of restrictions on use of strong cryptography. @@ -26,9 +30,7 @@ Revision history for Perl extension Net::DNS::SEC. **** 1.16 May 11, 2020 Improve testing of verify() functions. - Rework code in Digest.pm - SEC.xs code reduction. @@ -40,7 +42,6 @@ Revision history for Perl extension Net::DNS::SEC. **** 1.14 October 14, 2019 Improve exception capture in test scripts. - Support more efficient algorithm mapping in Net::DNS. @@ -53,28 +54,24 @@ Revision history for Perl extension Net::DNS::SEC. Avoid use of EC_POINT_set_affine_coordinates_GFp which is deprecated in OpenSSL 3.0.0 - Reduce level of support for OpenSSL non-LTS releases. **** 1.11 Dec 11, 2018 Explain why compilation aborted in Net::DNS::SEC::DSA et al. - Fix Makefile.PL to suppress parallel test execution. **** 1.10 Aug 31, 2018 - make test_cover - now collects SEC.xs test coverage metrics using gcc and gcov. + Collect test coverage metrics for SEC.xs using gcc and gcov. **** 1.09 Jun 4, 2018 Avoid use of EC_GROUP_new, EC_GROUP_set_curve_GFp, and EC_GFp_mont_method which are expected to disappear. - Fix filename conflict when tests run in parallel. @@ -660,4 +657,4 @@ Net::DNS. The history of those is documented below. --------------------------------------------------------------------------- -$Id: Changes 1854 2021-10-11 10:43:36Z willem $ +$Id: Changes 1882 2022-10-04 19:53:44Z willem $ @@ -15,7 +15,6 @@ lib/Net/DNS/SEC/Keyset.pm lib/Net/DNS/SEC/Private.pm lib/Net/DNS/SEC/DSA.pm lib/Net/DNS/SEC/ECDSA.pm -lib/Net/DNS/SEC/ECCGOST.pm lib/Net/DNS/SEC/EdDSA.pm lib/Net/DNS/SEC/RSA.pm lib/Net/DNS/SEC/libcrypto.pod @@ -5,7 +5,7 @@ "Olaf Kolkman" ], "dynamic_config" : 1, - "generated_by" : "ExtUtils::MakeMaker version 7.44, CPAN::Meta::Converter version 2.150010", + "generated_by" : "ExtUtils::MakeMaker version 7.64, CPAN::Meta::Converter version 2.150010", "license" : [ "mit" ], @@ -28,30 +28,32 @@ }, "configure" : { "requires" : { - "ExtUtils::MakeMaker" : "6.66" + "ExtUtils::MakeMaker" : "6.48" } }, "runtime" : { - "recommends" : {}, "requires" : { "Carp" : "1.1", "DynaLoader" : "1.04", "Exporter" : "5.56", - "File::Spec" : "0.86", + "File::Spec" : "3.29", + "IO::File" : "1.14", "MIME::Base64" : "2.13", "Net::DNS" : "1.08", - "perl" : "5.008008" + "perl" : "5.008009" } }, "test" : { "requires" : { - "File::Find" : "1.05", - "File::Spec" : "0.86", - "Test::More" : "0.47" + "ExtUtils::MakeMaker" : "0", + "File::Find" : "1.13", + "File::Spec" : "3.29", + "IO::File" : "1.14", + "Test::More" : "0.8" } } }, "release_status" : "stable", - "version" : "1.19", - "x_serialization_backend" : "JSON::PP version 4.00" + "version" : "1.20", + "x_serialization_backend" : "JSON::PP version 4.08" } @@ -5,13 +5,14 @@ author: - 'Olaf Kolkman' build_requires: ExtUtils::MakeMaker: '0' - File::Find: '1.05' - File::Spec: '0.86' - Test::More: '0.47' + File::Find: '1.13' + File::Spec: '3.29' + IO::File: '1.14' + Test::More: '0.8' configure_requires: - ExtUtils::MakeMaker: '6.66' + ExtUtils::MakeMaker: '6.48' dynamic_config: 1 -generated_by: 'ExtUtils::MakeMaker version 7.44, CPAN::Meta::Converter version 2.150010' +generated_by: 'ExtUtils::MakeMaker version 7.64, CPAN::Meta::Converter version 2.150010' license: mit meta-spec: url: http://module-build.sourceforge.net/META-spec-v1.4.html @@ -21,14 +22,14 @@ no_index: directory: - t - inc -recommends: {} requires: Carp: '1.1' DynaLoader: '1.04' Exporter: '5.56' - File::Spec: '0.86' + File::Spec: '3.29' + IO::File: '1.14' MIME::Base64: '2.13' Net::DNS: '1.08' - perl: '5.008008' -version: '1.19' + perl: '5.008009' +version: '1.20' x_serialization_backend: 'CPAN::Meta::YAML version 0.018' diff --git a/Makefile.PL b/Makefile.PL index d03face..6206247 100644 --- a/Makefile.PL +++ b/Makefile.PL @@ -1,34 +1,37 @@ # -# $Id: Makefile.PL 1853 2021-10-11 10:40:59Z willem $ -*-perl-*- +# $Id: Makefile.PL 1874 2022-09-23 13:37:00Z willem $ -*-perl-*- # -use 5.008008; +use 5.008009; use strict; use warnings; use Config; use ExtUtils::MakeMaker; -my $MM = $ExtUtils::MakeMaker::VERSION; +use constant MSWin32 => $^O eq 'MSWin32'; + +my $distro = 'Net::DNS::SEC'; +my $module = join '/', 'lib', split /::/, "$distro.pm"; +my $author = ['Dick Franks', 'Olaf Kolkman']; +$author = join ', ', @$author if $ExtUtils::MakeMaker::VERSION < 6.58; # See perldoc ExtUtils::MakeMaker for details of how to influence # the contents of the Makefile that is written. -my @author = ( 'Dick Franks', 'Olaf Kolkman' ); - my %metadata = ( - NAME => 'Net::DNS::SEC', - VERSION_FROM => 'lib/Net/DNS/SEC.pm', - ABSTRACT_FROM => 'lib/Net/DNS/SEC.pm', - AUTHOR => $MM < 6.58 ? "$author[0] et al" : [@author], - LICENSE => 'mit', - MIN_PERL_VERSION => 5.008008, - CONFIGURE_REQUIRES => { - 'ExtUtils::MakeMaker' => 6.66, - }, - TEST_REQUIRES => { - 'File::Find' => 1.05, - 'File::Spec' => 0.86, - 'Test::More' => 0.47, + NAME => $distro, + VERSION_FROM => $module, + ABSTRACT_FROM => $module, + AUTHOR => $author, + LICENSE => 'mit', + MIN_PERL_VERSION => 5.008009, + CONFIGURE_REQUIRES => {'ExtUtils::MakeMaker' => 6.48}, + TEST_REQUIRES => { + 'ExtUtils::MakeMaker' => 0, + 'File::Find' => 1.13, + 'File::Spec' => 3.29, + 'IO::File' => 1.14, + 'Test::More' => 0.80, } ); @@ -36,23 +39,22 @@ my %prerequisite = ( 'Carp' => 1.10, 'DynaLoader' => 1.04, 'Exporter' => 5.56, - 'File::Spec' => 0.86, + 'File::Spec' => 3.29, + 'IO::File' => 1.14, 'MIME::Base64' => 2.13, 'Net::DNS' => 1.08, ); -my %optional; - - my @debris = qw(*.gcov *.gcda *.gcno *.lock); my $inc = ''; my $lib = '-lcrypto'; -my $nul = $^O eq 'MSWin32' ? 'nul' : '/dev/null'; +my $nul = MSWin32 ? 'nul' : '/dev/null'; if ( my $dir = $ENV{OPENSSL_PREFIX} ) { + chomp $dir; $inc = "-I$dir/include"; $lib = "-L$dir/lib -lcrypto"; @@ -60,23 +62,26 @@ if ( my $dir = $ENV{OPENSSL_PREFIX} ) { $inc = `pkg-config --cflags libcrypto 2>$nul`; $lib = `pkg-config --libs libcrypto 2>$nul`; -} elsif ( $^O eq 'MSWin32' ) { +} elsif (MSWin32) { $lib = '-llibeay32' if $Config{cc} =~ /cl/; $lib = '-leay32' if $Config{cc} =~ /gcc/; } $inc = $ENV{OPENSSL_INCLUDE} if $ENV{OPENSSL_INCLUDE}; $lib = $ENV{OPENSSL_LIB} if $ENV{OPENSSL_LIB}; +chomp $_ for ( $inc, $lib ); + WriteMakefile( %metadata, - PREREQ_PM => {%prerequisite}, - INC => $inc, - LIBS => [$lib], - META_MERGE => {recommends => {%optional}}, - clean => {FILES => "@debris"}, + PREREQ_PM => {%prerequisite}, + INC => $inc, + LIBS => [$lib], + clean => {FILES => "@debris"}, ); +exit; + package MY; ## customise generated Makefile @@ -85,7 +90,7 @@ sub test { return join '', shift->SUPER::test(), <<'END'; # suppress parallel test execution -FULLPERLRUN = HARNESS_OPTIONS=c $(FULLPERL) +FULLPERLRUN = HARNESS_OPTIONS=j1:c $(FULLPERL) END } @@ -109,9 +114,10 @@ sub install { s|([/])[/]+|$1|g; # remove gratuitous //s } - my @version = ( 'version', eval { require Net::DNS::SEC; $Net::DNS::SEC::VERSION; } ); + eval "require $distro"; ## no critic + my @version = grep {$_} 'version', eval { $distro->VERSION }; - my $nameregex = '\W+Net\W+DNS\W+SEC.pm$'; + my $nameregex = join '\W+', '', split /::/, "$distro.pm\$"; my @installed = grep { $_ && m/$nameregex/io } values %INC; my %occluded; @@ -132,12 +138,12 @@ sub install { my $message; warn $message = <<"AMEN"; ## -## The install location for this version of Net::DNS::SEC differs -## from the existing @version in your perl library at +## The install location for this version of $distro +## differs from the existing @version in your perl library at ## @installed ## ## The installation would be rendered ineffective because the -## installed version occurs in the library search path before +## existing @version occurs in the library search path before ## $install_site ## ## The generated Makefile supports build and test only. @@ -146,13 +152,10 @@ AMEN my $echo = ' $(NOECHO) $(ECHO) "##"'; $message =~ s/##/$echo/eg; - return join '', <<'END', $message; + return join '', <<"END"; install : - $(NOECHO) $(ECHO) "## Makefile supports build and test only" - $(NOECHO) $(ECHO) "## (see message from Makefile.PL)" - $(NOECHO) $(FALSE) - -test :: $(TEST_TYPE) + $message + \$(NOECHO) \$(FALSE) END } @@ -170,7 +173,6 @@ PlanB return <<"PlanA"; test_cover : cover -delete - \$(NOECHO) \$(TOUCH) SEC.c # recompile XS component HARNESS_PERL_SWITCHES=-MDevel::Cover \$(MAKE) -W SEC.xs test CCFLAGS="$ccflags" OTHERLDFLAGS="$ldflags" gcov SEC.xs gcov2perl SEC.xs.gcov @@ -1,5 +1,5 @@ -#define XS_Id "$Id: SEC.xs 1853 2021-10-11 10:40:59Z willem $" +#define XS_Id "$Id: SEC.xs 1872 2022-09-16 09:33:02Z willem $" =head1 NAME @@ -44,9 +44,9 @@ extern "C" { #define PERL_NO_GET_CONTEXT #define PERL_REENTRANT -#include "EXTERN.h" -#include "perl.h" -#include "XSUB.h" +#include <EXTERN.h> +#include <perl.h> +#include <XSUB.h> #include <openssl/opensslv.h> #include <openssl/bn.h> @@ -92,11 +92,13 @@ static OSSL_LIB_CTX *libctx = NULL; #endif #ifdef OPENSSL_IS_BORINGSSL +#define NO_DSA +#define NO_EdDSA #define NO_SHA3 #endif #ifdef LIBRESSL_VERSION_NUMBER -#undef OPENSSL_VERSION_NUMBER +#undef OPENSSL_VERSION_NUMBER #define OPENSSL_VERSION_NUMBER 0x10100000L #endif @@ -145,6 +147,7 @@ int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) #if (OPENSSL_VERSION_NUMBER < 0x10101000) +#define EOL #define NO_EdDSA #define NO_SHA3 @@ -166,26 +169,25 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, #endif -#define checkerr(arg) checkret( (arg), __LINE__ ) -void checkret(const int ret, int line) -{ - if ( ret <= 0 ) croak( "libcrypto error (%s line %d)", __FILE__, line ); -} - - #ifndef OBSOLETE_API int EVP_PKEY_fromparams(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey, int selection, OSSL_PARAM_BLD *bld) { OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(bld); - int retval; - checkerr( EVP_PKEY_fromdata_init(ctx) ); - retval = EVP_PKEY_fromdata( ctx, ppkey, selection, params ); + int retval = EVP_PKEY_fromdata_init(ctx); + if ( retval > 0 ) retval = EVP_PKEY_fromdata( ctx, ppkey, selection, params ); OSSL_PARAM_free(params); return retval; } #endif +#define checkerr(arg) checkret( (arg), __LINE__ ) +void checkret(const int ret, int line) +{ + if ( ret <= 0 ) croak( "libcrypto error (%s line %d)", __FILE__, line ); +} + + MODULE = Net::DNS::SEC PACKAGE = Net::DNS::SEC::libcrypto PROTOTYPES: ENABLE @@ -195,7 +197,11 @@ VERSION(void) PREINIT: char *v = SvEND( newSVpv(XS_Id, 17) ); CODE: +#ifdef EOL + RETVAL = newSVpvf( "%s %s [UNSUPPORTED]", v-5, OPENSSL_VERSION_TEXT ); +#else RETVAL = newSVpvf( "%s %s", v-5, OPENSSL_VERSION_TEXT ); +#endif OUTPUT: RETVAL @@ -208,33 +214,31 @@ EVP_PKEY_new() SV* EVP_sign(SV *message, EVP_PKEY *pkey, const EVP_MD *md=NULL) INIT: +#define msgbuf (unsigned char*) SvPVX(message) +#define msglen SvCUR(message) EVP_MD_CTX *ctx = EVP_MD_CTX_new(); - unsigned char *m = (unsigned char*) SvPVX(message); unsigned char sigbuf[512]; /* RFC3110(2) */ - STRLEN mlen = SvCUR(message); - STRLEN slen = sizeof(sigbuf); + STRLEN buflen = sizeof(sigbuf); int r; CODE: checkerr( EVP_DigestSignInit( ctx, NULL, md, NULL, pkey ) ); - r = EVP_DigestSign( ctx, sigbuf, &slen, m, mlen ); + r = EVP_DigestSign( ctx, sigbuf, &buflen, msgbuf, msglen ); EVP_MD_CTX_free(ctx); EVP_PKEY_free(pkey); checkerr(r); - RETVAL = newSVpvn( (char*)sigbuf, slen ); + RETVAL = newSVpvn( (char*)sigbuf, buflen ); OUTPUT: RETVAL int EVP_verify(SV *message, SV *signature, EVP_PKEY *pkey, const EVP_MD *md=NULL) INIT: +#define sigbuf (unsigned char*) SvPVX(signature) +#define siglen SvCUR(signature) EVP_MD_CTX *ctx = EVP_MD_CTX_new(); - unsigned char *m = (unsigned char*) SvPVX(message); - unsigned char *s = (unsigned char*) SvPVX(signature); - STRLEN mlen = SvCUR(message); - STRLEN slen = SvCUR(signature); CODE: checkerr( EVP_DigestVerifyInit( ctx, NULL, md, NULL, pkey ) ); - RETVAL = EVP_DigestVerify( ctx, s, slen, m, mlen ); + RETVAL = EVP_DigestVerify( ctx, sigbuf, siglen, msgbuf, msglen ); EVP_MD_CTX_free(ctx); EVP_PKEY_free(pkey); OUTPUT: @@ -254,11 +258,8 @@ EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type) void EVP_DigestUpdate(EVP_MD_CTX *ctx, SV *message) - INIT: - unsigned char *m = (unsigned char*) SvPVX(message); - STRLEN mlen = SvCUR(message); CODE: - checkerr( EVP_DigestUpdate( ctx, m, mlen ) ); + checkerr( EVP_DigestUpdate( ctx, msgbuf, msglen ) ); SV* EVP_DigestFinal(EVP_MD_CTX *ctx) @@ -454,33 +455,38 @@ EVP_PKEY_new_ECDSA(int nid, SV *qx_SV, SV *qy_SV) EVP_PKEY* EVP_PKEY_new_raw_public_key(int nid, SV *key) - ALIAS: - EVP_PKEY_new_raw_private_key = 1 - INIT: - unsigned char *rawkey = (unsigned char*) SvPVX(key); - STRLEN keylen = SvCUR(key); -#ifndef OBSOLETE_API + CODE: +#define rawkey (unsigned char*) SvPVX(key) +#define keylen SvCUR(key) +#ifdef OBSOLETE_API + RETVAL = EVP_PKEY_new_raw_public_key( nid, NULL, rawkey , keylen ); +#else EVP_PKEY_CTX *ctx = NULL; OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new(); + RETVAL = NULL; + if ( nid == 1087 ) ctx = EVP_PKEY_CTX_new_from_name( libctx, "ED25519", NULL ); + if ( nid == 1088 ) ctx = EVP_PKEY_CTX_new_from_name( libctx, "ED448", NULL ); + checkerr( OSSL_PARAM_BLD_push_octet_string( bld, OSSL_PKEY_PARAM_PUB_KEY, rawkey, keylen ) ); + checkerr( EVP_PKEY_fromparams( ctx, &RETVAL, EVP_PKEY_PUBLIC_KEY, bld ) ); + OSSL_PARAM_BLD_free(bld); + EVP_PKEY_CTX_free(ctx); #endif + OUTPUT: + RETVAL + +EVP_PKEY* +EVP_PKEY_new_raw_private_key(int nid, SV *key) CODE: #ifdef OBSOLETE_API - if ( ix > 0 ) { - RETVAL = EVP_PKEY_new_raw_private_key( nid, NULL, rawkey , keylen ); - } else { - RETVAL = EVP_PKEY_new_raw_public_key( nid, NULL, rawkey , keylen ); - } + RETVAL = EVP_PKEY_new_raw_private_key( nid, NULL, rawkey , keylen ); #else + EVP_PKEY_CTX *ctx = NULL; + OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new(); + RETVAL = NULL; if ( nid == 1087 ) ctx = EVP_PKEY_CTX_new_from_name( libctx, "ED25519", NULL ); if ( nid == 1088 ) ctx = EVP_PKEY_CTX_new_from_name( libctx, "ED448", NULL ); - RETVAL = NULL; - if ( ix > 0 ) { - checkerr( OSSL_PARAM_BLD_push_octet_string( bld, OSSL_PKEY_PARAM_PRIV_KEY, rawkey, keylen ) ); - checkerr( EVP_PKEY_fromparams( ctx, &RETVAL, EVP_PKEY_KEYPAIR, bld ) ); - } else { - checkerr( OSSL_PARAM_BLD_push_octet_string( bld, OSSL_PKEY_PARAM_PUB_KEY, rawkey, keylen ) ); - checkerr( EVP_PKEY_fromparams( ctx, &RETVAL, EVP_PKEY_PUBLIC_KEY, bld ) ); - } + checkerr( OSSL_PARAM_BLD_push_octet_string( bld, OSSL_PKEY_PARAM_PRIV_KEY, rawkey, keylen ) ); + checkerr( EVP_PKEY_fromparams( ctx, &RETVAL, EVP_PKEY_KEYPAIR, bld ) ); OSSL_PARAM_BLD_free(bld); EVP_PKEY_CTX_free(ctx); #endif diff --git a/demo/getkeyset b/demo/getkeyset index 0c40cd7..6c2ebf8 100644 --- a/demo/getkeyset +++ b/demo/getkeyset @@ -1,5 +1,5 @@ #!/usr/bin/perl -#$Id: getkeyset 1807 2020-09-28 11:38:28Z willem $ +#$Id: getkeyset 1862 2021-12-24 10:09:08Z willem $ use strict; use warnings; @@ -63,25 +63,23 @@ This is only a demonstration program to show how the interface can be used. =head1 COPYRIGHT Copyright (c) 2002 RIPE NCC. Author Olaf M. Kolkman -<net-dns-sec@ripe.net> All Rights Reserved Permission to use, copy, modify, and distribute this software and its -documentation for any purpose and without fee is hereby granted, -provided that the above copyright notice appear in all copies and that -both that copyright notice and this permission notice appear in -supporting documentation, and that the name of the author not be used -in advertising or publicity pertaining to distribution of the software -without specific, written prior permission. - -THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, -INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS; IN NO -EVENT SHALL AUTHOR BE LIABLE FOR ANY SPECIAL, INDIRECT OR -CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF -USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR -OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -PERFORMANCE OF THIS SOFTWARE. +documentation for any purpose and without fee is hereby granted, provided +that the original copyright notices appear in all copies and that both +copyright notice and this permission notice appear in supporting +documentation, and that the name of the author not be used in advertising +or publicity pertaining to distribution of the software without specific +prior written permission. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER +DEALINGS IN THE SOFTWARE. =cut - diff --git a/demo/key2ds b/demo/key2ds index b2b6ba7..00de184 100644 --- a/demo/key2ds +++ b/demo/key2ds @@ -1,5 +1,5 @@ #!/usr/bin/perl -#$Id: key2ds 1807 2020-09-28 11:38:28Z willem $ +#$Id: key2ds 1862 2021-12-24 10:09:08Z willem $ # A little util to convert DNSKEY records to DS records # from stdin to stdout @@ -39,8 +39,25 @@ DS record on STDOUT. =head1 COPYRIGHT -This program is free software; you can redistribute it and/or modify -it under the same terms as Perl itself. +Copyright (c)2002 Miek Gieben -=cut +All Rights Reserved + + +Permission to use, copy, modify, and distribute this software and its +documentation for any purpose and without fee is hereby granted, provided +that the original copyright notices appear in all copies and that both +copyright notice and this permission notice appear in supporting +documentation, and that the name of the author not be used in advertising +or publicity pertaining to distribution of the software without specific +prior written permission. +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER +DEALINGS IN THE SOFTWARE. + +=cut diff --git a/demo/make-signed-keyset b/demo/make-signed-keyset index 402d963..594a952 100644 --- a/demo/make-signed-keyset +++ b/demo/make-signed-keyset @@ -1,5 +1,5 @@ #!/usr/bin/perl -#$Id: make-signed-keyset 1807 2020-09-28 11:38:28Z willem $ +#$Id: make-signed-keyset 1862 2021-12-24 10:09:08Z willem $ # # takes a bind public key file and creates a self-signed keyset @@ -130,8 +130,28 @@ The options are as follows: =back -=head1 AUTHOR -Contributed by Wes Griffin <wgriffin@jtan.com> +=head1 COPYRIGHT + +Copyright (c)2002 Wes Griffin + +All Rights Reserved + + +Permission to use, copy, modify, and distribute this software and its +documentation for any purpose and without fee is hereby granted, provided +that the original copyright notices appear in all copies and that both +copyright notice and this permission notice appear in supporting +documentation, and that the name of the author not be used in advertising +or publicity pertaining to distribution of the software without specific +prior written permission. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER +DEALINGS IN THE SOFTWARE. =cut diff --git a/lib/Net/DNS/SEC.pm b/lib/Net/DNS/SEC.pm index f1acf6d..406162e 100644 --- a/lib/Net/DNS/SEC.pm +++ b/lib/Net/DNS/SEC.pm @@ -2,10 +2,20 @@ package Net::DNS::SEC; use strict; use warnings; +use Carp; +our $SVNVERSION = (qw$Id: SEC.pm 1882 2022-10-04 19:53:44Z willem $)[2]; our $VERSION; -$VERSION = '1.19'; -our $SVNVERSION = (qw$Id: SEC.pm 1854 2021-10-11 10:43:36Z willem $)[2]; +$VERSION = '1.20'; + +use base qw(Exporter DynaLoader); + +eval { __PACKAGE__->bootstrap($VERSION) }; +warn "\n\n$@\n" if $@; + +use Net::DNS 1.01 qw(:DEFAULT); + +our @EXPORT = ( @Net::DNS::EXPORT, qw(algorithm digtype key_difference) ); =head1 NAME @@ -33,16 +43,6 @@ Net::DNS::SEC in the use declaration. =cut -use base qw(Exporter DynaLoader); - -use Net::DNS 1.01 qw(:DEFAULT); - -our @EXPORT = ( @Net::DNS::EXPORT, qw(algorithm digtype key_difference) ); - -use integer; -use Carp; - - =head1 UTILITY FUNCTIONS =head2 algorithm @@ -99,14 +99,10 @@ sub key_difference { ######################################## -eval { Net::DNS::SEC->bootstrap($VERSION) } || croak; - - foreach (qw(DS CDS RRSIG)) { Net::DNS::RR->new( type => $_ ); # pre-load to access class methods } - 1; __END__ diff --git a/lib/Net/DNS/SEC/DSA.pm b/lib/Net/DNS/SEC/DSA.pm index a56851f..73e5d7a 100644 --- a/lib/Net/DNS/SEC/DSA.pm +++ b/lib/Net/DNS/SEC/DSA.pm @@ -3,7 +3,7 @@ package Net::DNS::SEC::DSA; use strict; use warnings; -our $VERSION = (qw$Id: DSA.pm 1853 2021-10-11 10:40:59Z willem $)[2]; +our $VERSION = (qw$Id: DSA.pm 1863 2022-03-14 14:59:21Z willem $)[2]; =head1 NAME @@ -44,14 +44,15 @@ public key resource record. use integer; use MIME::Base64; -use constant DSA_configured => Net::DNS::SEC::libcrypto->can('EVP_PKEY_new_DSA'); +use constant Digest_SHA1 => Net::DNS::SEC::libcrypto->can('EVP_sha1'); +use constant DSA_configured => Digest_SHA1 && Net::DNS::SEC::libcrypto->can('EVP_PKEY_new_DSA'); BEGIN { die 'DSA disabled or application has no "use Net::DNS::SEC"' unless DSA_configured } my %parameters = ( - 3 => Net::DNS::SEC::libcrypto::EVP_sha1(), - 6 => Net::DNS::SEC::libcrypto::EVP_sha1(), + 3 => scalar eval { Net::DNS::SEC::libcrypto::EVP_sha1() }, + 6 => scalar eval { Net::DNS::SEC::libcrypto::EVP_sha1() }, ); sub _index { return keys %parameters } @@ -60,8 +61,8 @@ sub _index { return keys %parameters } sub sign { my ( $class, $sigdata, $private ) = @_; - my $index = $private->algorithm; - my $evpmd = $parameters{$index} || die 'private key not DSA'; + my $evpmd = $parameters{$private->algorithm}; + die 'private key not DSA' unless $evpmd; my ( $p, $q, $g, $x, $y ) = map { decode_base64( $private->$_ ) } qw(prime subprime base private_value public_value); @@ -77,8 +78,8 @@ sub sign { sub verify { my ( $class, $sigdata, $keyrr, $sigbin ) = @_; - my $index = $keyrr->algorithm; - my $evpmd = $parameters{$index} || die 'public key not DSA'; + my $evpmd = $parameters{$keyrr->algorithm}; + die 'public key not DSA' unless $evpmd; return unless $sigbin; diff --git a/lib/Net/DNS/SEC/ECCGOST.pm b/lib/Net/DNS/SEC/ECCGOST.pm deleted file mode 100644 index e251fdc..0000000 --- a/lib/Net/DNS/SEC/ECCGOST.pm +++ /dev/null @@ -1,113 +0,0 @@ -package Net::DNS::SEC::ECCGOST; - -use strict; -use warnings; - -our $VERSION = (qw$Id: ECCGOST.pm 1853 2021-10-11 10:40:59Z willem $)[2]; - - -=head1 NAME - -Net::DNS::SEC::ECCGOST - DNSSEC ECC-GOST digital signature algorithm - - -=head1 SYNOPSIS - - require Net::DNS::SEC::ECCGOST; - - $validated = Net::DNS::SEC::ECCGOST->verify( $sigdata, $keyrr, $sigbin ); - - -=head1 DESCRIPTION - -Implementation of GOST R 34.10-2001 elliptic curve digital signature -verification procedure. - -=head2 sign - -Signature generation is not implemented. - -=head2 verify - - $validated = Net::DNS::SEC::ECCGOST->verify( $sigdata, $keyrr, $sigbin ); - -Verifies the signature over the binary sigdata using the specified -public key resource record. - -=cut - - -use constant Digest_GOST => defined( eval { require Digest::GOST } ); -use constant ECCGOST_configured => Digest_GOST && Net::DNS::SEC::libcrypto->can('ECCGOST_verify'); - -BEGIN { die 'ECCGOST disabled or application has no "use Net::DNS::SEC"' unless ECCGOST_configured } - -my %parameters = ( 12 => [840, 'Digest::GOST::CryptoPro'] ); - -sub _index { return keys %parameters } - - -sub sign { - die 'Russian Federation standard GOST R 34.10-2001 is obsolete'; -} - - -sub verify { - my ( $class, $sigdata, $keyrr, $sigbin ) = @_; - - my $algorithm = $keyrr->algorithm; - my ( $nid, $object ) = @{$parameters{$algorithm} || []}; - die 'public key not ECC-GOST' unless $nid; - my $hash = $object->new(); - $hash->add($sigdata); - my $H = reverse $hash->digest; - - return unless $sigbin; - - my ( $y, $x ) = unpack 'a32 a32', reverse $keyrr->keybin; # public key - my $eckey = Net::DNS::SEC::libcrypto::EC_KEY_new_ECCGOST( $x, $y ); - - my ( $s, $r ) = unpack 'a32 a32', $sigbin; # RFC5933, RFC4490 - return Net::DNS::SEC::libcrypto::ECCGOST_verify( $H, $r, $s, $eckey ); -} - - -1; - -__END__ - -######################################## - -=head1 COPYRIGHT - -Copyright (c)2014,2018 Dick Franks. - -All rights reserved. - - -=head1 LICENSE - -Permission to use, copy, modify, and distribute this software and its -documentation for any purpose and without fee is hereby granted, provided -that the original copyright notices appear in all copies and that both -copyright notice and this permission notice appear in supporting -documentation, and that the name of the author not be used in advertising -or publicity pertaining to distribution of the software without specific -prior written permission. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL -THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING -FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER -DEALINGS IN THE SOFTWARE. - - -=head1 SEE ALSO - -L<Net::DNS>, L<Net::DNS::SEC>, L<Digest::GOST>, -RFC4357, RFC4490, RFC5832, RFC5933, RFC7091 - -=cut - diff --git a/lib/Net/DNS/SEC/Keyset.pm b/lib/Net/DNS/SEC/Keyset.pm index 99dc4ef..1b2ae36 100644 --- a/lib/Net/DNS/SEC/Keyset.pm +++ b/lib/Net/DNS/SEC/Keyset.pm @@ -3,7 +3,7 @@ package Net::DNS::SEC::Keyset; use strict; use warnings; -our $VERSION = (qw$Id: Keyset.pm 1853 2021-10-11 10:40:59Z willem $)[2]; +our $VERSION = (qw$Id: Keyset.pm 1868 2022-08-31 20:13:35Z willem $)[2]; =head1 NAME @@ -192,7 +192,8 @@ sub sigs { =head2 extract_ds - @ds = $keyset->extract_ds; + @ds = $keyset->extract_ds(); # default SHA-1 + @ds = $keyset->extract_ds( digtype => 'SHA-256' ); die Net::DNS::SEC::Keyset->keyset_err unless @ds; Extracts DS records from the keyset. Note that the keyset will be verified @@ -203,9 +204,9 @@ The method sets keyset_err if verification fails. =cut sub extract_ds { - my $self = shift; + my ( $self, @arg ) = @_; my @ds; - @ds = map { Net::DNS::RR::DS->create($_) } $self->keys if $self->verify; + @ds = map { Net::DNS::RR::DS->create( $_, @arg ) } $self->keys if $self->verify; return @ds; } @@ -261,9 +262,10 @@ sub verify { my @names = CORE::keys %names; push @keyset_err, "Multiple names in keyset: @names" if scalar(@names) > 1; + if ($keyid) { @sigs = grep { $_->keytag == $keyid } @sigs; - push @keyset_err, "No signature made with $keyid found" unless @sigs; + push @keyset_err, "No signature made with key $keyid" unless @sigs; } elsif ( my @sepkeys = grep { $_->sep } @keys ) { my %sepkey = map { ( $_->keytag => $_ ) } @sepkeys; push @keyset_err, 'No signature found for key with SEP flag' @@ -274,8 +276,7 @@ sub verify { my $keytag = $sig->keytag; next if $sig->verify( \@keys, $keysbytag{$keytag} || [] ); my $vrfyerr = $sig->vrfyerrstr; - my $signame = $sig->signame; - push @keyset_err, "$vrfyerr on key $signame $keytag "; + push @keyset_err, "$vrfyerr for keyset @names"; } $keyset_err = join "\n", @keyset_err; diff --git a/lib/Net/DNS/SEC/RSA.pm b/lib/Net/DNS/SEC/RSA.pm index bda2bcf..112f7d3 100644 --- a/lib/Net/DNS/SEC/RSA.pm +++ b/lib/Net/DNS/SEC/RSA.pm @@ -3,7 +3,7 @@ package Net::DNS::SEC::RSA; use strict; use warnings; -our $VERSION = (qw$Id: RSA.pm 1853 2021-10-11 10:40:59Z willem $)[2]; +our $VERSION = (qw$Id: RSA.pm 1863 2022-03-14 14:59:21Z willem $)[2]; =head1 NAME @@ -50,11 +50,11 @@ BEGIN { die 'RSA disabled or application has no "use Net::DNS::SEC"' unless RSA_ my %parameters = ( - 1 => Net::DNS::SEC::libcrypto::EVP_md5(), - 5 => Net::DNS::SEC::libcrypto::EVP_sha1(), - 7 => Net::DNS::SEC::libcrypto::EVP_sha1(), - 8 => Net::DNS::SEC::libcrypto::EVP_sha256(), - 10 => Net::DNS::SEC::libcrypto::EVP_sha512(), + 1 => scalar eval { Net::DNS::SEC::libcrypto::EVP_md5() }, + 5 => scalar eval { Net::DNS::SEC::libcrypto::EVP_sha1() }, + 7 => scalar eval { Net::DNS::SEC::libcrypto::EVP_sha1() }, + 8 => scalar eval { Net::DNS::SEC::libcrypto::EVP_sha256() }, + 10 => scalar eval { Net::DNS::SEC::libcrypto::EVP_sha512() }, ); sub _index { return keys %parameters } @@ -63,8 +63,8 @@ sub _index { return keys %parameters } sub sign { my ( $class, $sigdata, $private ) = @_; - my $index = $private->algorithm; - my $evpmd = $parameters{$index} || die 'private key not RSA'; + my $evpmd = $parameters{$private->algorithm}; + die 'private key not RSA' unless $evpmd; my ( $n, $e, $d, $p, $q ) = map { decode_base64( $private->$_ ) } qw(Modulus PublicExponent PrivateExponent Prime1 Prime2); @@ -78,8 +78,8 @@ sub sign { sub verify { my ( $class, $sigdata, $keyrr, $sigbin ) = @_; - my $index = $keyrr->algorithm; - my $evpmd = $parameters{$index} || die 'public key not RSA'; + my $evpmd = $parameters{$keyrr->algorithm}; + die 'public key not RSA' unless $evpmd; return unless $sigbin; diff --git a/t/00-load.t b/t/00-load.t index 04bb4cf..fd40df8 100644 --- a/t/00-load.t +++ b/t/00-load.t @@ -1,39 +1,48 @@ #!/usr/bin/perl -# $Id: 00-load.t 1831 2021-02-11 23:03:17Z willem $ -*-perl-*- +# $Id: 00-load.t 1872 2022-09-16 09:33:02Z willem $ -*-perl-*- # use strict; use warnings; -use Test::More tests => 4; +use IO::File; +use Test::More tests => 3; my @module = qw( + Net::DNS Net::DNS::SEC - Net::DNS::SEC::DSA - Net::DNS::SEC::ECDSA - Net::DNS::SEC::ECCGOST - Net::DNS::SEC::EdDSA - Net::DNS::SEC::RSA - Net::DNS::SEC::Digest - Net::DNS::SEC::Keyset - Net::DNS::SEC::Private Net::DNS::SEC::libcrypto - File::Spec - IO::File - MIME::Base64 - Net::DNS - Test::More ); +my %metadata; +my $handle = IO::File->new('MYMETA.json') || IO::File->new('META.json'); +if ($handle) { + my $json = join '', (<$handle>); + for ($json) { + s/\s:\s/ => /g; # Perl? en voilĂ ! + my $hashref = eval $_; + %metadata = %$hashref; + } + close $handle; +} + +my %prerequisite; +foreach ( values %{$metadata{prereqs}} ) { # build, runtime, etc. + foreach ( values %$_ ) { # requires + $prerequisite{$_}++ for keys %$_; + } + delete @prerequisite{@module}; + delete $prerequisite{perl}; +} -my @diag = "\nThese tests were run using:"; -foreach my $module ( sort @module ) { +my @diag; +foreach my $module ( @module, sort keys %prerequisite ) { eval "require $module"; ## no critic for ( eval { $module->VERSION || () } ) { s/^(\d+\.\d)$/${1}0/; push @diag, sprintf "%-25s %s", $module, $_; } } -diag join "\n\t", @diag; +diag join "\n\t", "\nThese tests were run using:", @diag; ok( eval { Net::DNS::SEC::libcrypto->VERSION }, 'XS component SEC.xs loaded' ) @@ -42,14 +51,6 @@ ok( eval { Net::DNS::SEC::libcrypto->VERSION }, 'XS component SEC.xs loaded' ) use_ok('Net::DNS::SEC'); -my @index; -foreach my $class ( map {"Net::DNS::SEC::$_"} qw(RSA DSA ECCGOST ECDSA EdDSA) ) { - my @algorithms = eval join '', qw(r e q u i r e), " $class; $class->_index"; ## no critic - push @index, map { $_ => $class } @algorithms; -} -ok( scalar(@index), 'create consolidated algorithm index' ); - - eval { # Exercise checkerr() response to failed OpenSSL operation Net::DNS::SEC::libcrypto::checkerr(0); @@ -58,20 +59,6 @@ my ($exception) = split /\n/, "$@\n"; ok( $exception, "XS libcrypto error\t[$exception]" ); -eval { - # Exercise residual XS support for deprecated ECCGOST algorithm - my $d = pack 'H*', '9df69fc32cd2d369a42ecb63512bc7e25d71b1af7a303ec38a8326809cdef349'; - my $q = pack 'H*', 'ffffffffffffffffffffffffffffffff6c611070995ad10045841b09b761b893'; - my $r = pack 'H*', '36b98722d79b1cce42cdb9a6503d2fa16ce85969eae711b758aabfe3a39f5d0c'; - my $s = pack 'H*', '22c1d462f790afab1624e211531d1d455d285978bb0d4875c428811d7028fc33'; - my $x = pack 'H*', 'cadb74b9950fcf3728ad232626b0dc63f350c25dd09456cd155f413d35205ce9'; - my $y = pack 'H*', '050fd637ab18f8f443eac48c26c12566e655e4d3b15046e0fef296a8835ebeee'; - foreach my $H ( $d, $q ) { ## including specific case (alpha mod q) = 0 - my $eckey = Net::DNS::SEC::libcrypto::EC_KEY_new_ECCGOST( $x, $y ); - Net::DNS::SEC::libcrypto::ECCGOST_verify( $H, $r, $s, $eckey ); - } -}; - exit; diff --git a/t/10-keyset.t b/t/10-keyset.t index bc54973..3bde253 100644 --- a/t/10-keyset.t +++ b/t/10-keyset.t @@ -1,5 +1,5 @@ #!/usr/bin/perl -# $Id: 10-keyset.t 1830 2021-01-26 09:08:12Z willem $ -*-perl-*- +# $Id: 10-keyset.t 1868 2022-08-31 20:13:35Z willem $ -*-perl-*- # use strict; @@ -23,7 +23,7 @@ foreach my $package ( sort keys %prerequisite ) { plan skip_all => 'disabled RSA' unless eval { Net::DNS::SEC::libcrypto->can('EVP_PKEY_new_RSA') }; -plan tests => 29; +plan tests => 27; use_ok('Net::DNS::SEC::Keyset'); @@ -46,10 +46,12 @@ END { # RSA keypair 1 # my $keyrr1 = Net::DNS::RR->new( <<'END' ); -test.tld. IN DNSKEY ( 256 3 5 - AQO1gY5UFltQ4f0ZHnXPFQZfcQQNpXK5r0Rk05rLLmY0XeA1lu8ek7W1VHsBjkge9WU7efdp3U4a - mxULRMQj7F0ByOK318agap2sIWYN13jV1RLxF5GPyLq+tp2ihEyI8x0P8c9RzgVn1ix4Xcoq+vKm - WqDT1jHE4oBY/DzI8gyuJw== ) ; Key ID = 15791 +test.tld. IN DNSKEY ( 257 3 10 + AwEAAb/7yz0lSf3nFy7MPhkbnqOlaExKlJ8rMmYVEhFYZ5qS/ufQbfQ3stb0opr68eitrauolthm + P325OvNxdzSq5rgURjx9ZitDlhxDyPfQhDzY+/CBhY/z++DRIr+v3AN/7kRW8sYwC+2Hoa1+VxQZ + 1fSQ4J46ZwoN5slpar9G/Gv5aPgsvweQDI285eQVlIQ9NL00bODOHzoKvh9BAx07MOOcT9q6r9xs + MPg6M4C8ykH2zVY5x1iGxT8Syzh/mecSiJtv+b1W4j49pCNj19uenW3oUnyfHg/FBmQpxTiHqs6b + 1ZfVH7akvsQqwk12xT0hDEfeyj4jswDiSsEsLqt1DM0= ) ; Key ID = 39948 END ok( $keyrr1, join ' ', algorithm( $keyrr1->algorithm ), 'public key created' ); @@ -58,15 +60,15 @@ my $keyfile1 = $filename{key1} = $keyrr1->privatekeyname; my $handle1 = IO::File->new( $keyfile1, '>' ) or die qq(open: "$keyfile1" $!); print $handle1 <<'END'; Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: tYGOVBZbUOH9GR51zxUGX3EEDaVyua9EZNOayy5mNF3gNZbvHpO1tVR7AY5IHvVlO3n3ad1OGpsVC0TEI+xdAcjit9fGoGqdrCFmDdd41dUS8ReRj8i6vradooRMiPMdD/HPUc4FZ9YseF3KKvryplqg09YxxOKAWPw8yPIMric= -PublicExponent: Aw== -PrivateExponent: eQEJjWQ84Jaou2mj32NZlPYCs8Oh0R+C7eJnMh7uzZPqzmSfabfOeOL8q7QwFKOY0lFPm+jevGdjXNiCwp2TVWZrFINEMwUpxPJCvQQLh0k9Ah3NN2ELPBSlUjkRa10KaRSVSdDaYUM9X1/ZT/9RQagi4ckuy0x6UcRmoSng/Ms= -Prime1: 3SNqKvY2geGDxgpqUKy2gGKq2LBRZ0CruBsVQXtoBH2dwq1bUScC9HxrTYaGxn2BELZsYRMeGVqZ1WqzsLXeTw== -Prime2: 0h6u5+odYP2A7/eIALrUZtTDEi1rT+k434qR7Tb/4w/UkEIHw5bS/NP+AH2sNXtCzbYUx1h11m5EgDgjgoVUqQ== -Exponent1: k2zxcfl5q+utLrGcNch5quxx5crg74Byery41lJFWFO+gcjni29XTahHiQRZ2akAtc7y62IUEOcROPHNIHk+3w== -Exponent2: jBR0mpwTlf5V9U+wAHyNmeMstsjyNUYl6lxhSM9VQgqNtYFagmSMqI1UAFPII6eB3nljL5BOjvQtqtAXrFjjGw== -Coefficient: YJYWzNpbdj/11mE4kUwaiH9GQbY+uA28tv4aVAwAEcKPaU1QQ2k8Jlm+VXxh9v02QCFJYln3416972oeCx9eyw== +Algorithm: 10 (RSASHA512) +Modulus: v/vLPSVJ/ecXLsw+GRueo6VoTEqUnysyZhUSEVhnmpL+59Bt9Dey1vSimvrx6K2tq6iW2GY/fbk683F3NKrmuBRGPH1mK0OWHEPI99CEPNj78IGFj/P74NEiv6/cA3/uRFbyxjAL7YehrX5XFBnV9JDgnjpnCg3myWlqv0b8a/lo+Cy/B5AMjbzl5BWUhD00vTRs4M4fOgq+H0EDHTsw45xP2rqv3Gww+DozgLzKQfbNVjnHWIbFPxLLOH+Z5xKIm2/5vVbiPj2kI2PX256dbehSfJ8eD8UGZCnFOIeqzpvVl9UftqS+xCrCTXbFPSEMR97KPiOzAOJKwSwuq3UMzQ== +PublicExponent: AQAB +PrivateExponent: MnqyZdF4MxqgLd3mNhPdEopbcjPqADALgGvp5EWqeCpOfAWB48UBcSPB3Z4+HUANeiVKBHxeFWCu73PWNDL7l0s9bIpMYvPSdHweS4q4OoeTNxnXVJKCmAplaKGE6CarL6ztCM95U2tmR4gAvXhNmZC+ftw8W5hsJmlheAniNUFaRK28K0+Tlge7XkRxSwK63sjMRHHxAbclr8K2j/GUVkXG9yOrMqgXUJ0WOg9E5BTW+gdkGl4kB5U2gvgRwxkEwY9x7yzrg2cUxrEi9hDlS9HiG5NZizcQqAWkKcdHo28ZB5E4NZBLrKQFjrkOQz3ZjtpUcsTRf/lOvkCOoaveAQ== +Prime1: 7lgM8XyKy3IHYC3+GX1bS0LZFqBhUvYuZ52i2dfKoG9XglVKKe0Pmu/Hkgkdc2/mottVdYHpMZ4t/Wt0OXdqfttoYTgIOFTw4t3Jk9HV4aPIRvVD7LRnRQiKEW9OiS9ixplatrlgMqyOIpx3bou6eRzOs1yfBsNSr+LZbHQ50/U= +Prime2: zjSQ7ylj386G6bFXMKLAjApYy7cQA9T4/URnonUYjXwzQRaDvfAGoRNRA4e0RagVd/x2Dk5hs2UYLMIhpmQWNoSK/ZAFS02RzapMZTV2jya4cJZ83qjYtMYEx8Lff5dHX3lz/uAkcJCasIbyEodi0btJkCZQFAsCMbGlhguTpnk= +Exponent1: U8jEFAfRyp61FQxV7KPyecxv/9I1JDLCMU5qtuVyp188heZxgbeB6tcrcpydq7zEeK9dpUcbsIOIazNg0eq2lw2N7c8CpLrHSxjoCXyUERPADaGeVRE91DiiQGq+Ut9De8jg6KbVuDqMZIJYQZYA4R5NUyPWC0ySPp4iDEv3IBk= +Exponent2: tJ867SM2Rs6jQoSCuSl2u7Q8f4UE1DZzO3X1yUoEjbpjMvpDv9ZGGEXRSuRNtk47L/TGfFWQIxHEkUAjNZqqEmsbTGwhFwsFUj9/149zIIVsPcKz8l24JPDnMwuxthOPA0RhpLo1cRxZQ5OQ60YH+2qwT0IgFs5lx52yPa5aURE= +Coefficient: Y7KhcJe8vcW9h/bxClHMjlB0sYYvdqo7/iwjxiaCD4suPAUpLMxNgeR3TJHT1RYaHQSuFB3Mc9f58hoHe3dncxF+Eey9SdTH53c0+V95tJpAsqirFaqvei+xgikcmhYsWLOQHayul5ZMsfpiph3R90QUYg3Kpbni4W0ALeGswv4= END close($handle1); @@ -104,18 +106,18 @@ close($handle2); # Create keysets -my $datarrset = [$keyrr1, $keyrr2]; +my $keyrrset = [$keyrr1, $keyrr2]; -my $sigrr1 = Net::DNS::RR::RRSIG->create( $datarrset, $keyfile1, ttl => 3600 ); +my $sigrr1 = Net::DNS::RR::RRSIG->create( $keyrrset, $keyfile1, ttl => 3600 ); ok( $sigrr1, join ' ', algorithm( $sigrr1->algorithm ), 'signature created' ); -my $sigrr2 = Net::DNS::RR::RRSIG->create( $datarrset, $keyfile2, ttl => 3600 ); +my $sigrr2 = Net::DNS::RR::RRSIG->create( $keyrrset, $keyfile2, ttl => 3600 ); ok( $sigrr2, join ' ', algorithm( $sigrr2->algorithm ), 'signature created' ); -my $keyset = Net::DNS::SEC::Keyset->new($datarrset); +my $keyset = Net::DNS::SEC::Keyset->new($keyrrset); is( ref($keyset), "Net::DNS::SEC::Keyset", "Keyset object created" ); @@ -131,13 +133,13 @@ my $read = Net::DNS::SEC::Keyset->new( $filename{set2} ); is( ref($read), "Net::DNS::SEC::Keyset", "read Keyset object" ); -my @ds = $keyset->extract_ds; +my @ds = $keyset->extract_ds( digtype => 'SHA-256' ); my $string0 = $ds[0]->string; my $string1 = $ds[1]->string; -my $expect0 = Net::DNS::RR->new('test.tld. IN DS 15791 5 1 C355F0F3F30C69BF2F7EA253ED82FBC280C2496B')->string; -my $expect1 = Net::DNS::RR->new('test.tld. IN DS 63426 8 1 6173eae9bf79853e2c041b1cda02a3d70c86a20b')->string; +my $expect0 = Net::DNS::RR->new('test.tld. IN DS 39948 10 2 94e22598a45d485926d8e3944f871dc605ef52db59f346066bf2b0d20d6d8ed4')->string; +my $expect1 = Net::DNS::RR->new('test.tld. IN DS 63426 8 2 ee74fe86f0d9499ef1abe414039ffaf34f05d3e71a4899882c714395d9047368')->string; my $alg0 = algorithm( $ds[0]->algorithm ); my $dig0 = digtype( $ds[0]->digtype ); @@ -168,152 +170,17 @@ close($handle3); my $corrupt = Net::DNS::SEC::Keyset->new( $filename{set3} ); ok( !$corrupt, "Corrupted keyset not loaded" ); -like( Net::DNS::SEC::Keyset->keyset_err, '/failed.+key/', 'Expected error message' ); - - -# -# The packet contains a keyset as returned from a bind nameserver -# the keyset is signed with a signature valid until 2030 06 .. -# After that the test may fail :-( - -# This is the code snippet used to get such a little packet as below. -#use Net::DNS::Resolver; -#my $res=Net::DNS::Resolver->new(); -#$res->nameserver("10.0.53.204"); -#$res->dnssec(1); -#my $a_packet=$res->send("sub.tld","DNSKEY"); -#$a_packet->print; -#print unpack("H*",$a_packet->data); - - -my $HexadecimalPacket = "e6cc81a000010004000000010373756203746c - 640000300001c00c00300001000000200086010103050103bc54beaee1 - 1dc1a29ba945bf69d0db27b364b2dfe60396efff4c6fb359127ea696e1 - 4c66e1c6d23cd6f6c335e1679c61dd3fa4d68a689b8709ea686e43f175 - 6831193903613f6a5f3ff039b21eed9faad4edcb43191c76490ca0947a - 9fa726740bc4449d6c58472a605913337d2dbddc94a7271d25c358fdaa - 60fe1272a5f8b9c00c00300001000000200086010003050103f6d63a8a - b9f775a0c7194d67edb5f249bf398c3d27d2985facf6fb7e25cc35c876 - 2eb8ea22200c847963442fb6634916dc2ec21cdbf2c7378799b8e7e399 - e751ca1e25133349cab52ebf3fe8a5bc0239c28d64f4d8f609c191a7d2 - d364578a159701ef73af93946b281f0aac42b42be17362c68d7a54bbb8 - fa7bc6f70f455a75c00c002e000100000020009b003005020000006470 - dc814040c02ced39d40373756203746c6400a7d9db75a4115794f871ec - 71fc7469c74a6be1cf95434a00363506b354bf15656f7556c51355c8dc - ac7f6c0a4061c0923e0bf341094e586619c2cb316949772ce5bd1e9949 - f91b016f7e6bee0f6878e16b6e59ece086f8d5df68f048524e1bff3c09 - dd15c203d28416600e936451d1646e71611ec95e12d709839369cbc442 - c0c00c002e000100000020009b003005020000006470dc814040c02ced - fbaf0373756203746c640017c6e59f317119da812c6b1e175e8aaec742 - 35a4bfad777e7759fa2daf7959f9611c26e11adde9bdc901c624ca6965 - 7b79653495e22647c5e0e5bedfe5524397d769d816746d10b2067472b4 - f9b04fbde8e39d7861bd6773c80f632f55b46c7a537a83f0b5a50200c9 - d2847b71d9dfaa643f558383e6e13d4e75f70029849444000029100000 - 0080000000"; - -$HexadecimalPacket =~ s/\n//g; -$HexadecimalPacket =~ s/\s//g; - -my $packetdata = pack( "H*", $HexadecimalPacket ); -my $packet = Net::DNS::Packet->new( \$packetdata ); - - -$keyset = Net::DNS::SEC::Keyset->new($packet); -is( ref($keyset), "Net::DNS::SEC::Keyset", "Keyset object from packet" ); - -is( join( " ", sort( $keyset->verify ) ), "14804 64431", "Verify method returned the two proper keytags" ); - - -my $keyset2 = Net::DNS::SEC::Keyset->new($datarrset); -is( ref($keyset2), "Net::DNS::SEC::Keyset", "Keyset object from DNSKEY RRset" ); - -#print $Net::DNS::SEC::Keyset->keyset_err; -#$keyset->print; - -######### - -my $rr; -my @keyrr; -my @sigrr; - - -# Note that the order of pushing the RRs is important for successful testing. - -# All signatures have expiration date in 2030... this test should work for a while - -push( @keyrr, Net::DNS::RR->new( <<'END' ) ); -example.com 100 IN DNSKEY 256 3 5 ( - AQOxFlzX8vShSG3JG2J/fngkgy64RoWr8ovGe7MuvPJqOMHTLM5V8+TJIahSoyUd990ictNv - hDegUqLtZ8k5oQq44viFCU/H1apdEaJnLnXscVo+08ATlEb90MYznK9K0pm2ixbyspzRrrXp - nPi9vo9iU2xqWqw/Efha4vfi6QVs4w== ) -END - - -push( @keyrr, Net::DNS::RR->new( <<'END' ) ); -example.com 100 IN DNSKEY 256 3 5 ( - AQO4jhl6ilWV2mYjwWl7kcxrYyQsnnbV7pxXm48p+SgAr+R5SKyihkjg86IjZBQHFJKZ8RsZ - dhclH2dikM+53uUEhrqVGhsqF8FsNi4nE9aMISiX9Zs61pTYGYboYDvgpD1WwFbD4YVVlfk7 - rCDP/zOE7H/AhkOenK2w7oiO0Jehcw== ) -END +my $corrupt_keyset = Net::DNS::SEC::Keyset->keyset_err; +like( $corrupt_keyset, '/failed.+key/', "Expected error [$corrupt_keyset]" ); -push( @keyrr, Net::DNS::RR->new( <<'END' ) ); -example.com 100 IN DNSKEY 256 3 5 ( - AQO5fWabr7bNxDXT8YrIeclI9nvYYdKni3efgJfU749O3QVX9MON6WK0ed00odQF4cLeN3vP - SdhasLDI3Z3TzyAPBQS926oodxe78K9zwtPT1kzJxvunOdJr6+6a7/+B6rF/cwfWTW50I0+q - FykldldB44a1uS34u3HgZRQXDmAesw== ) -END - - -push( @keyrr, Net::DNS::RR->new( <<'END' ) ); -example.com 100 IN DNSKEY 256 3 5 ( - AQO6uGWsox2oH36zusGA0+w3uxkZMdByanSCjiaRHtkOA+gIxT8jmFvohxQBpVfYD+xG2pt+ - qUWauWPFPjsIUBoFqHNpqr2/B4CTiZm/rSayHDghZBIMceMa6t4NpaOep79QmiE6oGq6yWRB - swBkPZx9uZE7BqG+WLKEp136iwWyyQ== ) -END - - -push( @sigrr, Net::DNS::RR->new( <<'END' ) ); -example.com 100 IN RRSIG DNSKEY 5 2 100 20300101000000 ( - 20040601105519 11354 example.com. - GTqyJTRbKJ0LuWbAnNni1M4JZ1pn+nXY1ZuzZ0Kvt6OMTYCAFMFt0Wv9bncYkUuUSMGM7yGG - 9Z7g7tcdb4TKCqQPYo4gr3Qj/xgC4LESoQs0yAsJtLUiDfO6e4aWHmanpMGyGixYzHriS1pt - SRzirL1fTgV+kdNs5zBatUHRnQc= ) -END - - -push( @sigrr, Net::DNS::RR->new( <<'END' ) ); -example.com 100 IN RRSIG DNSKEY 5 2 100 20300101000000 ( - 20040601105519 28109 example.com. - WemQqA+uaeKqCy6sEVBU3LDORG3f+Zmix6qK9j1WL83UMWdd6sxNh0QJ0YL54lh9NBx+Viz7 - gajO+IM4MmayxKY4QVjp+6mHeE5zBVHMpTTur5T0reNtTsa8sHr15fsI49yn5KOvuq+DKG1C - gI6siM5RdFpDsS3Rmf8fiK1PyTs= ) -END - - -push( @sigrr, Net::DNS::RR->new( <<'END' ) ); -example.com 100 IN RRSIG DNSKEY 5 2 100 20300101000000 ( - 20040601105519 33695 example.com. - M3yVwTOMw+jAKYY5c6oS4DH7OjOdfMOevpIezdKqWXkehoDg9YOwz8ai17AmfgkjZnsoNu0W - NMIcaVubR3n02bkVhJb7dEd8bhbegF8T1xkL7rf9EQrPmM5GhHmVC90BGrcEhe//94hdXSVU - CRBi6KPFWSZDldd1go133bk/b/o= ) -END - - -push( @sigrr, Net::DNS::RR->new( <<'END' ) ); -example.com 100 IN RRSIG DNSKEY 5 2 100 20300101000000 ( - 20040601105519 39800 example.com. - Mmhn2Ql6ExmyHvZFWgt+CBRw5No8yM0rdH1beU4is5gRbd3I0j5z6PdtpYjAkWiZNdYsRT0o - P7TQIsADfB0FLIFojoREg8kp+OmbpRTsLTgOQYC95u5WodYGz03O0EbnQ7k4gkje6385G40D - JVl0xVfujHBMbB+keiSphD3mG4I= ) -END - +my @keyrr = ( $keyrr1, $keyrr2 ); +my @sigrr = ( $sigrr1, $sigrr2 ); my $ks = Net::DNS::SEC::Keyset->new( [@keyrr], [@sigrr] ); ok( $ks, "Keyset created from two arrays." ); - my @ks_sigs = $ks->sigs; ok( eq_array( [@ks_sigs], [@sigrr] ), "Sigs out equal to sigs in" ); @@ -323,28 +190,20 @@ my @keydiff = key_difference( [@keyrr], [@ks_keys] ); is( scalar(@keydiff), 0, "Keys out equal to keys in" ); -$datarrset = [$keyrr1, $keyrr2]; - -$sigrr1 = Net::DNS::RR::RRSIG->create( $datarrset, $keyfile1, ttl => 3600 ); - -$sigrr2 = Net::DNS::RR::RRSIG->create( $datarrset, $keyfile2, ttl => 3600 ); +my @keytags = $ks->verify; +is( scalar(@keytags), 2, "Verify method returned the keytags" ); -ok( $sigrr1, 'RSA signature created' ); +my $good_tag = 39948; +ok( $ks->verify($good_tag), "Verification against keytag $good_tag" ); +my $bad_tag = 9734; +ok( !$ks->verify($bad_tag), "Verification against keytag $bad_tag failed" ); +my $missing_signature = Net::DNS::SEC::Keyset->keyset_err; +like( $missing_signature, "/No signature.+$bad_tag/", "Expected error [$missing_signature]" ); -$keyset = Net::DNS::SEC::Keyset->new( $datarrset, [$sigrr1] ); -my @keytags = $keyset->verify; -is( scalar(@keytags), 1, "Verify method returned the keytags" ); - -ok( $keyset->verify(15791), "Verification against keytag 15791" ); - -ok( !$keyset->verify(9734), "Verification against keytag 9734 failed" ); -is( $keyset->keyset_err, "No signature made with 9734 found", "Expected error message" ); - - -my $corruptible = Net::DNS::RR::RRSIG->create( $datarrset, $keyfile1, ttl => 3600 ); -my $unverifiable = Net::DNS::SEC::Keyset->new( $datarrset, [$corruptible] ); +my $corruptible = Net::DNS::RR::RRSIG->create( $keyrrset, $keyfile1, ttl => 3600 ); +my $unverifiable = Net::DNS::SEC::Keyset->new( $keyrrset, [$corruptible] ); my $badsig = Net::DNS::RR::RRSIG->create( [$sigrr1], $keyfile1, ttl => 3600 ); $corruptible->sigbin( $badsig->sigbin ); @@ -355,15 +214,22 @@ my $bogus = Net::DNS::RR->new( <<'END' ); bogus.tld. IN DNSKEY 257 3 5 ( AQO1gY5UFltQ4f0ZHnXPFQZfcQQNpXK5r0Rk05rLLmY0XeA1lu8ek7W1VHsBjkge9WU7efdp3U4a mxULRMQj7F0ByOK318agap2sIWYN13jV1RLxF5GPyLq+tp2ihEyI8x0P8c9RzgVn1ix4Xcoq+vKm - WqDT1jHE4oBY/DzI8gyuJw== ; Key ID = 15791 + WqDT1jHE4oBY/DzI8gyuJw== ; Key ID = 15792 ) END my $mixed = Net::DNS::SEC::Keyset->new( [$bogus], [$sigrr1] ); - ok( !$mixed, "Mixed keyset not loaded" ); -like( Net::DNS::SEC::Keyset->keyset_err, '/No signature.+SEP/', 'Expected error message' ); -like( Net::DNS::SEC::Keyset->keyset_err, '/Multiple names/', 'Expected error message' ); +like( Net::DNS::SEC::Keyset->keyset_err, '/No signature.+SEP/', 'Expected "No signature for KSK" error' ); +like( Net::DNS::SEC::Keyset->keyset_err, '/Multiple names/', 'Expected "Multiple names" error' ); + + +my $packet = Net::DNS::Packet->new( 'test.tld', 'DNSKEY' ); +$packet->push( answer => @keyrr, @sigrr ); +ok( Net::DNS::SEC::Keyset->new($packet)->verify(), "Verify keyset extracted from packet" ); + + +ok( Net::DNS::SEC::Keyset->new( [$keyrr2] )->verify(), "Verify keyset with no KSK" ); eval { $keyset->writekeyset( File::Spec->rel2abs('nonexdir') ) }; diff --git a/t/20-digest.t b/t/20-digest.t index c14b85f..8b10351 100644 --- a/t/20-digest.t +++ b/t/20-digest.t @@ -1,5 +1,5 @@ #!/usr/bin/perl -# $Id: 20-digest.t 1830 2021-01-26 09:08:12Z willem $ -*-perl-*- +# $Id: 20-digest.t 1863 2022-03-14 14:59:21Z willem $ -*-perl-*- # use strict; @@ -42,38 +42,33 @@ use_ok('Net::DNS::SEC::Digest'); sub test { my ( $mnemonic, $class, @parameter ) = @_; - my $object = $class->new(@parameter); my ( $head, $tail ) = unpack 'a20 a*', $text; - $object->add($text); - is( unpack( 'H*', $object->digest ), $digest{$mnemonic}, "message digest $mnemonic" ); - $object->add($head); - $object->add($tail); - is( unpack( 'H*', $object->digest ), $digest{$mnemonic}, "concatenated digest $mnemonic" ); +SKIP: { + my $object = eval { $class->new(@parameter) }; + skip( "digest algorithm $mnemonic not supported", 2 ) unless $object; + $object->add($text); + is( unpack( 'H*', $object->digest ), $digest{$mnemonic}, "digest algorithm $mnemonic" ); + $object->add($head); + $object->add($tail); + is( unpack( 'H*', $object->digest ), $digest{$mnemonic}, "digest algorithm $mnemonic (concatenated)" ); + } return; } -SKIP: { - skip( 'MD5 digest algorithm not supported', 1 ) - unless eval { Net::DNS::SEC::libcrypto->can('EVP_md5') }; - test( 'MD5', 'Net::DNS::SEC::Digest::MD5' ); -} +test( 'MD5', 'Net::DNS::SEC::Digest::MD5' ); test( 'SHA1', 'Net::DNS::SEC::Digest::SHA', 1 ); + test( 'SHA224', 'Net::DNS::SEC::Digest::SHA', 224 ); test( 'SHA256', 'Net::DNS::SEC::Digest::SHA', 256 ); test( 'SHA384', 'Net::DNS::SEC::Digest::SHA', 384 ); test( 'SHA512', 'Net::DNS::SEC::Digest::SHA', 512 ); -SKIP: { - skip( 'SHA3 digest algorithm not supported', 8 ) - unless eval { Net::DNS::SEC::libcrypto->can('EVP_sha3_256') }; - test( 'SHA3_224', 'Net::DNS::SEC::Digest::SHA3', 224 ); - test( 'SHA3_256', 'Net::DNS::SEC::Digest::SHA3', 256 ); - test( 'SHA3_384', 'Net::DNS::SEC::Digest::SHA3', 384 ); - test( 'SHA3_512', 'Net::DNS::SEC::Digest::SHA3', 512 ); -} - +test( 'SHA3_224', 'Net::DNS::SEC::Digest::SHA3', 224 ); +test( 'SHA3_256', 'Net::DNS::SEC::Digest::SHA3', 256 ); +test( 'SHA3_384', 'Net::DNS::SEC::Digest::SHA3', 384 ); +test( 'SHA3_512', 'Net::DNS::SEC::Digest::SHA3', 512 ); exit; diff --git a/t/21-RSA-MD5.t b/t/21-RSA-MD5.t index 5e06983..85c17b2 100644 --- a/t/21-RSA-MD5.t +++ b/t/21-RSA-MD5.t @@ -1,5 +1,5 @@ #!/usr/bin/perl -# $Id: 21-RSA-MD5.t 1830 2021-01-26 09:08:12Z willem $ -*-perl-*- +# $Id: 21-RSA-MD5.t 1863 2022-03-14 14:59:21Z willem $ -*-perl-*- # use strict; @@ -22,6 +22,9 @@ foreach my $package ( sort keys %prerequisite ) { plan skip_all => 'disabled RSA' unless eval { Net::DNS::SEC::libcrypto->can('EVP_PKEY_new_RSA') }; +plan skip_all => 'disabled MD5' + unless eval { Net::DNS::SEC::libcrypto->can('EVP_md5') }; + plan tests => 8; @@ -83,7 +86,7 @@ is( $verified, 1, 'signature verified using public key' ); my $verifiable = $class->verify( $corrupt, $key, $signature ); -is( $verifiable, 0, 'signature not verifiable if data corrupt' ); +is( $verifiable, 0, 'signature not verifiable if data corrupted' ); exit; diff --git a/t/22-RSA-SHA1.t b/t/22-RSA-SHA1.t index 3597b55..317d444 100644 --- a/t/22-RSA-SHA1.t +++ b/t/22-RSA-SHA1.t @@ -1,5 +1,5 @@ #!/usr/bin/perl -# $Id: 22-RSA-SHA1.t 1830 2021-01-26 09:08:12Z willem $ -*-perl-*- +# $Id: 22-RSA-SHA1.t 1863 2022-03-14 14:59:21Z willem $ -*-perl-*- # use strict; @@ -22,7 +22,10 @@ foreach my $package ( sort keys %prerequisite ) { plan skip_all => 'disabled RSA' unless eval { Net::DNS::SEC::libcrypto->can('EVP_PKEY_new_RSA') }; -plan tests => 17; +plan skip_all => 'disabled SHA1' + unless eval { Net::DNS::SEC::libcrypto->can('EVP_sha1') }; + +plan tests => 8; my %filename; @@ -56,9 +59,6 @@ my $keyfile = $filename{keyfile} = $key->privatekeyname; my $privatekey = IO::File->new( $keyfile, '>' ) or die qq(open: "$keyfile" $!); print $privatekey <<'END'; Private-key-format: v1.2 -; comment discarded - -; empty line discarded Algorithm: 5 (RSASHA1) Modulus: 58/RHMrcrf1rnDOeN5YDU+ywjZ3Go9v1Iv6mljzByKY64QGZIk/mfr9vCD3bdUWVGJgkd7mJ/ixrFYJh6dDjqFbPjiwr3jcrTe18eTGjnhrICT/t0yPXBDsNvLkUnUAAwZlk7rkGUpIP7YFNzCkgv2YBi6Edh+QboVMQQqAdWY5Wa3IpYDeCXdGtJKBfNNadRLlv+MR6HZJ+Vcb15dptqhVcQdA36gl1OICIStlbj5mXHmkitLJxkGkh1a+fi3vUveKToZy1Cob2WfXaPaeCOLduVUjcQ0ydRzbfuNR5izKTsTlO6CFBy0tg4Vcdp5MyAm3QtRPK/eAiANNGa+BANQ== PublicExponent: AQAB @@ -90,75 +90,6 @@ my $verifiable = $class->verify( $corrupt, $key, $signature ); is( $verifiable, 0, 'signature not verifiable if data corrupted' ); -# The following tests are not replicated for other RSA/SHA flavours - -my $wrongkey = Net::DNS::RR->new( <<'END' ); -DSA.example. IN DNSKEY 256 3 3 ( - CMKzsCaT2Jy1w/sPdpigEE+nbeJ/x5C6cruWvStVum6/YulcR7MHeujx9c2iBDbo3kW4X8/l+qgk - 7ZEZ+yV5lphWtJMmMtOHIU+YdAhgLpt84NKhcupWL8wfuBW/97cqIv5Z+51fwn0YEAcZsoCrE0nL - 5+31VfkK9LTNuVo38hsbWa3eWZFalID5NesF6sJRgXZoAyeAH46EQVCq1UBnnaHslvSDkdb+Z1kT - bMQ64ZVI/sBRXRbqIcDlXVZurCTDV7JL9KZwwfeyrQcnVyYh5mdHPsXbpX5NQJvoqPgvRZWBpP4h - pjkAm9UrUbow9maPCQ1JQ3JuiU5buh9cjAI+QIyGMujKLT2OsogSZD2IFUciaZBL/rSe0gmAUv0q - XrczmIYFUCoRGZ6+lKVqQQ6f2U7Gsr6zRbeJN+JCVD6BJ52zjLUaWUPHbakhZb/wMO7roX/tnA/w - zoDYBIIF7yuRYWblgPXBJTK2Bp07xre8lKCRbzY4J/VXZFziZgHgcn9tkHnrfov04UG9zlWEdT6X - E/60HjrP ; Key ID = 53244 - ) -END - -ok( $wrongkey, 'set up non-RSA public key' ); - - -my $wrongfile = $filename{wrongfile} = $wrongkey->privatekeyname; - -my $handle = IO::File->new( $wrongfile, '>' ) or die qq(open: "$wrongfile" $!); -print $handle <<'END'; -Private-key-format: v1.2 -Algorithm: 3 (DSA) -Prime(p): x5C6cruWvStVum6/YulcR7MHeujx9c2iBDbo3kW4X8/l+qgk7ZEZ+yV5lphWtJMmMtOHIU+YdAhgLpt84NKhcupWL8wfuBW/97cqIv5Z+51fwn0YEAcZsoCrE0nL5+31VfkK9LTNuVo38hsbWa3eWZFalID5NesF6sJRgXZoAyc= -Subprime(q): wrOwJpPYnLXD+w92mKAQT6dt4n8= -Base(g): gB+OhEFQqtVAZ52h7Jb0g5HW/mdZE2zEOuGVSP7AUV0W6iHA5V1Wbqwkw1eyS/SmcMH3sq0HJ1cmIeZnRz7F26V+TUCb6Kj4L0WVgaT+IaY5AJvVK1G6MPZmjwkNSUNybolOW7ofXIwCPkCMhjLoyi09jrKIEmQ9iBVHImmQS/4= -Private_value(x): vdClrOqZ1qONKg0CZH5hVnq1i40= -Public_value(y): tJ7SCYBS/SpetzOYhgVQKhEZnr6UpWpBDp/ZTsayvrNFt4k34kJUPoEnnbOMtRpZQ8dtqSFlv/Aw7uuhf+2cD/DOgNgEggXvK5FhZuWA9cElMrYGnTvGt7yUoJFvNjgn9VdkXOJmAeByf22Qeet+i/ThQb3OVYR1PpcT/rQeOs8= -END -close($handle); - -my $wrongprivate = Net::DNS::SEC::Private->new($wrongfile); -ok( $wrongprivate, 'set up non-RSA private key' ); - - -is( eval { $class->sign( $sigdata, $wrongprivate ) }, undef, 'signature not created using wrong private key' ); - -is( eval { $class->verify( $sigdata, $wrongkey, $signature ) }, undef, 'verify fails using wrong public key' ); - -is( eval { $class->verify( $sigdata, $key, undef ) }, undef, 'verify fails if signature undefined' ); - - -# test detection of invalid private key descriptors -eval { Net::DNS::SEC::Private->new('Kinvalid.private') }; -my ($exception1) = split /\n/, "$@\n"; -ok( $exception1, "invalid keyfile: [$exception1]" ); - -eval { Net::DNS::SEC::Private->new('Kinvalid.+0+0.private') }; -my ($exception2) = split /\n/, "$@\n"; -ok( $exception2, "missing keyfile: [$exception2]" ); - -eval { Net::DNS::SEC::Private->new( signame => 'private' ) }; -my ($exception3) = split /\n/, "$@\n"; -ok( $exception3, "unspecified algorithm: [$exception3]" ); - -eval { Net::DNS::SEC::Private->new( algorithm => 1 ) }; -my ($exception4) = split /\n/, "$@\n"; -ok( $exception4, "unspecified signame: [$exception4]" ); - - -# exercise code for key with long exponent (not required for DNSSEC) -eval { - my $longformat = pack 'xn a*', unpack 'C a*', $key->keybin; - $key->keybin($longformat); - $class->verify( $sigdata, $key, $signature ); -}; - - exit; __END__ diff --git a/t/23-RSA-SHA256.t b/t/23-RSA-SHA256.t index 83c38f9..13a5be6 100644 --- a/t/23-RSA-SHA256.t +++ b/t/23-RSA-SHA256.t @@ -1,5 +1,5 @@ #!/usr/bin/perl -# $Id: 23-RSA-SHA256.t 1830 2021-01-26 09:08:12Z willem $ -*-perl-*- +# $Id: 23-RSA-SHA256.t 1863 2022-03-14 14:59:21Z willem $ -*-perl-*- # use strict; @@ -22,7 +22,7 @@ foreach my $package ( sort keys %prerequisite ) { plan skip_all => 'disabled RSA' unless eval { Net::DNS::SEC::libcrypto->can('EVP_PKEY_new_RSA') }; -plan tests => 8; +plan tests => 17; my %filename; @@ -83,7 +83,70 @@ is( $verified, 1, 'signature verified using public key' ); my $verifiable = $class->verify( $corrupt, $key, $signature ); -is( $verifiable, 0, 'signature not verifiable if data corrupt' ); +is( $verifiable, 0, 'signature not verifiable if data corrupted' ); + + +# The following tests are not replicated for other RSA/SHA flavours + +my $wrongkey = Net::DNS::RR->new( <<'END' ); +ECDSAP256SHA256.example. IN DNSKEY ( 257 3 13 + IYHbvpnqrhxM4i0SuOyAq9hk19tNXpjja7jCQnfAjZBFBfcLorJPnq4FWMVDg6QT2C4JeW0yCxK4 + iEhb4w9KWQ== ) ; Key ID = 27566 +END +ok( $wrongkey, 'set up non-RSA public key' ); + + +my $wrongfile = $filename{wrongfile} = $wrongkey->privatekeyname; + +my $handle = IO::File->new( $wrongfile, '>' ) or die qq(open: "$wrongfile" $!); +print $handle <<'END'; +Private-key-format: v1.3 +; comment discarded +; empty line discarded + +Algorithm: 13 (ECDSAP256SHA256) +PrivateKey: w+AjPo650IA8DWeEq5QqZ2LWYpuC/oeEaYaGE1ZvKyA= +Created: 20141209015301 +Publish: 20141209015301 +Activate: 20141209015301 +END +close($handle); + +my $wrongprivate = Net::DNS::SEC::Private->new($wrongfile); +ok( $wrongprivate, 'set up non-RSA private key' ); + + +is( eval { $class->sign( $sigdata, $wrongprivate ) }, undef, 'signature not created using wrong private key' ); + +is( eval { $class->verify( $sigdata, $wrongkey, $signature ) }, undef, 'verify fails using wrong public key' ); + +is( eval { $class->verify( $sigdata, $key, undef ) }, undef, 'verify fails if signature undefined' ); + + +# test detection of invalid private key descriptors +eval { Net::DNS::SEC::Private->new('Kinvalid.private') }; +my ($exception1) = split /\n/, "$@\n"; +ok( $exception1, "invalid keyfile: [$exception1]" ); + +eval { Net::DNS::SEC::Private->new('Kinvalid.+0+0.private') }; +my ($exception2) = split /\n/, "$@\n"; +ok( $exception2, "missing keyfile: [$exception2]" ); + +eval { Net::DNS::SEC::Private->new( signame => 'private' ) }; +my ($exception3) = split /\n/, "$@\n"; +ok( $exception3, "unspecified algorithm: [$exception3]" ); + +eval { Net::DNS::SEC::Private->new( algorithm => 1 ) }; +my ($exception4) = split /\n/, "$@\n"; +ok( $exception4, "unspecified signame: [$exception4]" ); + + +# exercise code for key with long exponent (not required for DNSSEC) +eval { + my $longformat = pack 'xn a*', unpack 'C a*', $key->keybin; + $key->keybin($longformat); + $class->verify( $sigdata, $key, $signature ); +}; exit; diff --git a/t/24-RSA-SHA512.t b/t/24-RSA-SHA512.t index 8c6f3e7..84a92d5 100644 --- a/t/24-RSA-SHA512.t +++ b/t/24-RSA-SHA512.t @@ -1,5 +1,5 @@ #!/usr/bin/perl -# $Id: 24-RSA-SHA512.t 1830 2021-01-26 09:08:12Z willem $ -*-perl-*- +# $Id: 24-RSA-SHA512.t 1862 2021-12-24 10:09:08Z willem $ -*-perl-*- # use strict; @@ -86,7 +86,7 @@ is( $verified, 1, 'signature verified using public key' ); my $verifiable = $class->verify( $corrupt, $key, $signature ); -is( $verifiable, 0, 'signature not verifiable if data corrupt' ); +is( $verifiable, 0, 'signature not verifiable if data corrupted' ); exit; diff --git a/t/31-DSA-SHA1.t b/t/31-DSA-SHA1.t index 38c1400..bd49c72 100644 --- a/t/31-DSA-SHA1.t +++ b/t/31-DSA-SHA1.t @@ -1,5 +1,5 @@ #!/usr/bin/perl -# $Id: 31-DSA-SHA1.t 1830 2021-01-26 09:08:12Z willem $ -*-perl-*- +# $Id: 31-DSA-SHA1.t 1863 2022-03-14 14:59:21Z willem $ -*-perl-*- # use strict; @@ -23,6 +23,9 @@ foreach my $package ( sort keys %prerequisite ) { plan skip_all => "disabled DSA" unless eval { Net::DNS::SEC::libcrypto->can('EVP_PKEY_new_DSA') }; +plan skip_all => "disabled SHA1" + unless eval { Net::DNS::SEC::libcrypto->can('EVP_sha1') }; + plan tests => 13; diff --git a/t/61-Ed25519.t b/t/61-Ed25519.t index a406e39..29d3dde 100644 --- a/t/61-Ed25519.t +++ b/t/61-Ed25519.t @@ -1,5 +1,5 @@ #!/usr/bin/perl -# $Id: 61-Ed25519.t 1808 2020-09-28 22:08:11Z willem $ -*-perl-*- +# $Id: 61-Ed25519.t 1868 2022-08-31 20:13:35Z willem $ -*-perl-*- # use strict; @@ -87,7 +87,7 @@ my $wrongprivate = Net::DNS::SEC::Private->new($wrongfile); ok( $wrongprivate, 'set up non-EdDSA private key' ); -my $sigdata = 'arbitrary data'; ## Note: ED25519 signing is deterministic +my $sigdata = Net::DNS::RR->new('. TXT arbitrary data')->txtdata; # character set independent my $corrupt = 'corrupted data'; my $signature = pack 'H*', join '', qw( @@ -95,7 +95,7 @@ my $signature = pack 'H*', join '', qw( c14292cf8c28af0efe6ee30cbf9d643cba3ab56f1e1ae27b6074147ed9c55a0e ); -my $signed = eval { $class->sign( $sigdata, $private ); } || ''; +my $signed = eval { $class->sign( $sigdata, $private ); } || ''; # Note: ED25519 signing is deterministic ok( $signed eq $signature, 'signature created using private key' ); diff --git a/t/62-Ed448.t b/t/62-Ed448.t index 48b27b9..6d47eb7 100644 --- a/t/62-Ed448.t +++ b/t/62-Ed448.t @@ -1,5 +1,5 @@ #!/usr/bin/perl -# $Id: 62-Ed448.t 1808 2020-09-28 22:08:11Z willem $ -*-perl-*- +# $Id: 62-Ed448.t 1868 2022-08-31 20:13:35Z willem $ -*-perl-*- # use strict; @@ -64,7 +64,7 @@ my $private = Net::DNS::SEC::Private->new($keyfile); ok( $private, 'set up EdDSA private key' ); -my $sigdata = 'arbitrary data'; ## Note: ED448 signing is deterministic +my $sigdata = Net::DNS::RR->new('. TXT arbitrary data')->txtdata; # character set independent my $corrupt = 'corrupted data'; my $signature = pack 'H*', join '', qw( @@ -74,7 +74,7 @@ my $signature = pack 'H*', join '', qw( f7651f828fb64c200e2ee5d0686490910c00 ); -my $signed = eval { $class->sign( $sigdata, $private ) } || ''; +my $signed = eval { $class->sign( $sigdata, $private ); } || ''; # Note: ED448 signing is deterministic ok( $signed eq $signature, 'signature created using private key' ); @@ -83,7 +83,7 @@ is( $verified, 1, 'signature verified using public key' ); my $verifiable = $class->verify( $corrupt, $key, $signature ); -is( $verifiable, 0, 'signature not verifiable if data corrupt' ); +is( $verifiable, 0, 'signature not verifiable if data corrupted' ); exit; |