t/65-RRSIG-RSASHA1.t - metacpan.org

# $Id: 65-RRSIG-RSASHA1.t 1392 2015-09-13 16:30:51Z willem $	-*-perl-*-
#

use strict;
use Test::More;

my @prerequisite = qw(
		MIME::Base64
		Time::Local
		Net::DNS::RR::RRSIG
		Net::DNS::SEC
		Net::DNS::SEC::RSA
		Crypt::OpenSSL::Bignum
		Crypt::OpenSSL::RSA
		);

foreach my $package (@prerequisite) {
	next if eval "require $package";
	plan skip_all => "$package not installed";
	exit;
}

plan tests => 30;

use_ok('Net::DNS::SEC');


my $ksk = new Net::DNS::RR <<'END';
RSASHA1.example.	IN	DNSKEY	257 3 5 (
	AwEAAefP0RzK3K39a5wznjeWA1PssI2dxqPb9SL+ppY8wcimOuEBmSJP5n6/bwg923VFlRiYJHe5
	if4saxWCYenQ46hWz44sK943K03tfHkxo54ayAk/7dMj1wQ7Dby5FJ1AAMGZZO65BlKSD+2BTcwp
	IL9mAYuhHYfkG6FTEEKgHVmOVmtyKWA3gl3RrSSgXzTWnUS5b/jEeh2SflXG9eXabaoVXEHQN+oJ
	dTiAiErZW4+Zlx5pIrSycZBpIdWvn4t71L3ik6GctQqG9ln12j2ngji3blVI3ENMnUc237jUeYsy
	k7E5TughQctLYOFXHaeTMgJt0LUTyv3gIgDTRmvgQDU= ; Key ID = 4501
	)
END

ok( $ksk, 'set up RSA public ksk' );


my $keyfile = $ksk->privatekeyname;

END { unlink($keyfile) if defined $keyfile; }

open( KSK, ">$keyfile" ) or die "$keyfile $!";
print KSK <<'END';
Private-key-format: v1.2
Algorithm: 5 (RSASHA1)
Modulus: 58/RHMrcrf1rnDOeN5YDU+ywjZ3Go9v1Iv6mljzByKY64QGZIk/mfr9vCD3bdUWVGJgkd7mJ/ixrFYJh6dDjqFbPjiwr3jcrTe18eTGjnhrICT/t0yPXBDsNvLkUnUAAwZlk7rkGUpIP7YFNzCkgv2YBi6Edh+QboVMQQqAdWY5Wa3IpYDeCXdGtJKBfNNadRLlv+MR6HZJ+Vcb15dptqhVcQdA36gl1OICIStlbj5mXHmkitLJxkGkh1a+fi3vUveKToZy1Cob2WfXaPaeCOLduVUjcQ0ydRzbfuNR5izKTsTlO6CFBy0tg4Vcdp5MyAm3QtRPK/eAiANNGa+BANQ==
PublicExponent: AQAB
PrivateExponent: qVfDp4j61ZAAAMgkmO7Z14FdKNdNuX6CAeKNx8rytaXZ9W25dLtx4r3uWtL1cyI13RWn7l54VFoWkEwDQ0/6P4vLbE0QbvFWjUMkX1TH9kQSRc+R6WCRPuH1Ex0R1h5fbw6kEVDRMZjKUfLX5oFVDv1xu5Mjg5Y8KQoJIuLdDgHtRRV7ZETcGcSXBQ1eY2rNxui2YzM0mtqzApgGq7pLb3GfiM5aqW5fSdRaFajGC2VIXkN3jZYxAryT8EYJ6uRFJk0X3VegEwj6keHOem/tBV2DaNlv1JWidauPeU67evKNTQVW3h3AbQxnOtegdWrRKoa9Ksf27bgoKAlveHIfsQ==
Prime1: +s1y+iP+AoB4UVS4S5njIZD21AWm36JTaqEvRPdevjuzc9q7yJATROdRdcAitdSPHeRC8xtQw/C9zGhJRdynlxfmUTeyYgM0EYHYiG7PLwkW5Wu9EeXJ7/Fpct51L+ednloQ0d7tYP/5QUd6cqbFGGKH0yF5zZMO0k+ZZ/saeCs=
Prime2: 7J2eVZ5Psue4BTNya8PMA89cC0Gf51zFeQ8dPBZIOpN28DJN2EN6C6fwGtnr6BO+M/6loXzcekPGgRkpNcQ6MzJup8hZQmU8RxESAMlmQzOtaBbtmMwPa0p6IcZBUWpbRaKwQ4ZjAUS9R13PFwgEU+a855o0XRRTupdmyZ6OmR8=
Exponent1: nGakbdMmIx9EaMuhRhwIJTWGhz+jCdDrnhI4LRTqM019oiDke7VFHvH1va18t9F/Ek/3ZC1Dl304jxD1qKhqpnGUAk/uYOrIfKZxhts7PoS3j4g5VsDqxkPQ035gq+gPReG6nXYcqCHYqVnOxVK0lHlVZFd64rTzSDm1W7+eiRM=
Exponent2: evAuKygVGsxghXtEkQ9rOfOMTGDtdyVxiMO8mdKt9plV69kHLz1n9RRtoVXmx28ynQtK/YvFdlUulzb+fWwWHTGv4scq8V9uITKSWwxJcNMx3upCyugDfuh0aoX6vBV5lMXBtWPmnusbOTBZgArvTLSPI/qwCEiedE1j34/dYVs=
Coefficient: JTEzUDflC+G0if7uqsJ2sw/x2aCHMjsCxYSmx2bJOW/nhQTQpzafL0N8E6WmKuEP4qAaqQjWrDyxy0XcAJrfcojJb+a3j2ndxYpev7Rq8f7P6M7qqVL0Nzj9rWFH7pyvWMnH584viuhPcDogy8ymHpNNuAF+w98qjnGD8UECiV4=
END
close(KSK);


my $bad1 = new Net::DNS::RR <<'END';
RSASHA1.example.	IN	DNSKEY	256 3 5 (
	AwEAAZHbngk6sMoFHN8fsYY6bmGR4B9UYJIqDp+mORLEH53Xg0f6RMDtfx+H3/x7bHTUikTr26bV
	AqsxOs2KxyJ2Xx9RGG0DB9O4gpANljtTq2tLjvaQknhJpSq9vj4CqUtr6Wu152J2aQYITBoQLHDV
	i8mIIunparIKDmhy8TclVXg9 ; Key ID = 1623
	)
END


my $bad2 = new Net::DNS::RR <<'END';
ECDSAP256SHA256.example.	IN	DNSKEY	( 256 3 13
	7Y4BZY1g9uzBwt3OZexWk7iWfkiOt0PZ5o7EMip0KBNxlBD+Z58uWutYZIMolsW8v/3rfgac45lO
	IikBZK4KZg== ; Key ID = 44222
	)
END


my @rrset = ( $bad1, $ksk );
my @badrrset = ($bad1);

{
	my $object = create Net::DNS::RR::RRSIG( \@rrset, $keyfile );
	ok( $object->sig(), 'create RRSIG over rrset using private ksk' );

	my $verified = $object->verify( \@rrset, $ksk );
	ok( $verified, 'verify using public ksk' );
	is( $object->vrfyerrstr, '', 'observe no object->vrfyerrstr' );
}


{
	my $object = create Net::DNS::RR::RRSIG( \@rrset, $keyfile );

	my $verified = $object->verify( \@badrrset, $bad1 );
	ok( !$verified,		 'verify fails using wrong key' );
	ok( $object->vrfyerrstr, 'observe rrsig->vrfyerrstr' );
}


{
	my $object = create Net::DNS::RR::RRSIG( \@rrset, $keyfile );

	my $verified = $object->verify( \@badrrset, $bad2 );
	ok( !$verified,		 'verify fails using key with wrong algorithm' );
	ok( $object->vrfyerrstr, 'observe rrsig->vrfyerrstr' );
}


{
	my $object = create Net::DNS::RR::RRSIG( \@rrset, $keyfile );

	my $verified = $object->verify( \@rrset, [$bad1, $bad2, $ksk] );
	ok( $verified, 'verify using array of keys' );
	is( $object->vrfyerrstr, '', 'observe no rrsig->vrfyerrstr' );
}


{
	my $object = create Net::DNS::RR::RRSIG( \@rrset, $keyfile );

	my $verified = $object->verify( \@badrrset, [$bad1, $bad2, $ksk] );
	ok( !$verified,		 'verify fails using wrong rrset' );
	ok( $object->vrfyerrstr, 'observe rrsig->vrfyerrstr' );
}


{
	my $wild   = new Net::DNS::RR('*.example. A 10.1.2.3');
	my $match  = new Net::DNS::RR('leaf.twig.example. A 10.1.2.3');
	my $object = create Net::DNS::RR::RRSIG( [$wild], $keyfile );

	my $verified = $object->verify( [$match], $ksk );
	ok( $verified, 'wildcard matches child domain name' );
	is( $object->vrfyerrstr, '', 'observe no rrsig->vrfyerrstr' );
}


{
	my $wild   = new Net::DNS::RR('*.example. A 10.1.2.3');
	my $bogus  = new Net::DNS::RR('example. A 10.1.2.3');
	my $object = create Net::DNS::RR::RRSIG( [$wild], $keyfile );

	my $verified = $object->verify( [$bogus], $ksk );
	ok( !$verified,		 'wildcard does not match parent domain' );
	ok( $object->vrfyerrstr, 'observe rrsig->vrfyerrstr' );
}


{
	my $time = time() + 3;
	my %args = (
		siginception  => $time,
		sigexpiration => $time,
		);
	my $object = create Net::DNS::RR::RRSIG( \@rrset, $keyfile, %args );

	ok( !$object->verify( \@rrset, $ksk ), 'verify fails for postdated RRSIG' );
	ok( $object->vrfyerrstr, 'observe rrsig->vrfyerrstr' );
	sleep 1 until $time < time();
	ok( !$object->verify( \@rrset, $ksk ), 'verify fails for expired RRSIG' );
	ok( $object->vrfyerrstr, 'observe rrsig->vrfyerrstr' );
}


{
	my $object   = new Net::DNS::RR( type => 'RRSIG' );
	my $class    = ref($object);
	my $array    = [];
	my $dnskey   = new Net::DNS::RR( type => 'DNSKEY' );
	my $private  = new Net::DNS::SEC::Private($keyfile);
	my $packet   = new Net::DNS::Packet();
	my $rr1	     = new Net::DNS::RR( name => 'example', type => 'A' );
	my $rr2	     = new Net::DNS::RR( name => 'differs', type => 'A' );
	my $rr3	     = new Net::DNS::RR( type => 'A', ttl => 1 );
	my $rr4	     = new Net::DNS::RR( type => 'A', ttl => 2 );
	my $rr5	     = new Net::DNS::RR( class => 'IN', type => 'A' );
	my $rr6	     = new Net::DNS::RR( class => 'ANY', type => 'A' );
	my $rr7	     = new Net::DNS::RR( type => 'A' );
	my $rr8	     = new Net::DNS::RR( type => 'AAAA' );
	my @testcase = (		## test create() with invalid arguments
		[$dnskey, $dnskey],
		[$array,  $private],
		[[$rr1, $rr2], $private],
		[[$rr3, $rr4], $private],
		[[$rr5, $rr6], $private],
		[[$rr7, $rr8], $private],
		);

	foreach my $arglist (@testcase) {
		my @argtype = map ref($_), @$arglist;
		eval { $class->create(@$arglist); };
		my $exception = $1 if $@ =~ /^(.*)\n*/;
		ok( defined $exception, "create(@argtype)\t[$exception]" );
	}
}


{
	my $object   = new Net::DNS::RR( type => 'RRSIG' );
	my $packet   = new Net::DNS::Packet();
	my $dnskey   = new Net::DNS::RR( type => 'DNSKEY' );
	my $dsrec    = new Net::DNS::RR( type => 'DS' );
	my $scalar   = 'SCALAR';
	my @testcase = (		## test verify() with invalid arguments
		[$packet, $dnskey],
		[$dnskey, $dsrec],
		[$dnskey, $scalar],
		);

	foreach my $arglist (@testcase) {
		my @argtype = map ref($_) || $_, @$arglist;
		eval { $object->verify(@$arglist); };
		my $exception = $1 if $@ =~ /^(.*)\n*/;
		ok( defined $exception, "verify(@argtype)\t[$exception]" );
	}
}


exit;

__END__
	Global
`s`	Focus search bar
`?`	Bring up this help dialog
	GitHub
`g` `p`	Go to pull requests
`g` `i`	go to github issues (only if github is preferred repository)
	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse
	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)