Commit 11a2a8bb authored by Daniel Salzman's avatar Daniel Salzman

Merge branch 'test_fix_csk_roll' into 'master'

Test fix csk roll

See merge request !859
parents 17f731bf c07dea00
......@@ -69,7 +69,7 @@ static unsigned algorithm_present(const kdnssec_ctx_t *ctx, uint8_t alg)
static bool signing_scheme_present(const kdnssec_ctx_t *ctx)
{
if (ctx->policy->singe_type_signing) {
return (!key_present(ctx, true, false) || !key_present(ctx, false, true));
return (!key_present(ctx, true, false) || !key_present(ctx, false, true) || key_present(ctx, true, true));
} else {
return (key_present(ctx, true, false) && key_present(ctx, false, true));
}
......@@ -173,9 +173,14 @@ static int share_or_generate_key(kdnssec_ctx_t *ctx, bool ksk, bool zsk, knot_ti
if (ret == KNOT_EOK) {
knot_kasp_key_t *newkey = key_get_by_id(ctx, borrow_key);
assert(newkey != NULL);
newkey->timing.publish = ctx->now;
newkey->timing.ready = when_active;
newkey->timing.remove = 0;
newkey->timing.retire = 0;
newkey->timing.active = (ksk ? 0 : when_active);
newkey->timing.ready = (ksk ? when_active : 0);
newkey->timing.publish = (pre_active ? 0 : ctx->now);
newkey->timing.pre_active = (pre_active ? ctx->now : 0);
newkey->is_ksk = ksk;
newkey->is_zsk = zsk;
}
}
free(borrow_zone);
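Review bot: The four ternaries in the timing block of share_or_generate_key (the second hunk of this file) encode a key state machine that is stated nowhere: a ZSK-only key gets `active = when_active`, a key with the KSK flag only gets `ready = when_active` and keeps `active = 0`, and with `pre_active` the publish time is moved from `publish` to `pre_active`. A short comment before `newkey->timing.remove = 0;` would make that readable, e.g. `/* KSK-capable keys wait in 'ready' until they are activated later; ZSK-only keys become active directly. A pre-active key is staged in 'pre_active' and 'publish' stays unset. */`. Where `pre_active` comes from is not visible here (the signature in the hunk header is cut off), so that wording is an inference to confirm before committing it; the body of share_or_generate_key also continues outside the hunk. The widened single-type-signing predicate in the first hunk would likewise benefit from a one-line comment saying that either a CSK, or the absence of a pure KSK/ZSK pair, counts as the scheme being present.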
......
......@@ -73,7 +73,8 @@ static bool is_timestamp(char *arg, knot_kasp_key_timing_t *timing)
static bool genkeyargs(int argc, char *argv[], bool just_timing,
bool *isksk, dnssec_key_algorithm_t *algorithm,
uint16_t *keysize, knot_kasp_key_timing_t *timing)
uint16_t *keysize, knot_kasp_key_timing_t *timing,
const char **addtopolicy)
{
// generate algorithms field
char *algnames[256] = { 0 };
......@@ -116,6 +117,8 @@ static bool genkeyargs(int argc, char *argv[], bool just_timing,
}
} else if (!just_timing && strncasecmp(argv[i], "size=", 5) == 0) {
*keysize = atol(argv[i] + 5);
} else if (!just_timing && strncasecmp(argv[i], "addtopolicy=", 12) == 0) {
*addtopolicy = argv[i] + 12;
} else if (!is_timestamp(argv[i], timing)) {
printf("Invalid parameter: %s\n", argv[i]);
return false;
......@@ -131,8 +134,9 @@ int keymgr_generate_key(kdnssec_ctx_t *ctx, int argc, char *argv[])
knot_kasp_key_timing_t gen_timing = { now, infty, now, infty, now, infty, infty, infty, infty };
bool isksk = false;
uint16_t keysize = 0;
const char *addtopolicy = NULL;
if (!genkeyargs(argc, argv, false, &isksk, &ctx->policy->algorithm,
&keysize, &gen_timing)) {
&keysize, &gen_timing, &addtopolicy)) {
return KNOT_EINVAL;
}
if (keysize > 0) {
......@@ -161,6 +165,23 @@ int keymgr_generate_key(kdnssec_ctx_t *ctx, int argc, char *argv[])
key->timing = gen_timing;
if (addtopolicy != NULL) {
char *last_policy_last = NULL;
knot_dname_t *unused;
ret = kasp_db_get_policy_last(*ctx->kasp_db, addtopolicy, &unused,
&last_policy_last);
if (ret != KNOT_EOK && ret != KNOT_ENOENT) {
return ret;
}
ret = kasp_db_set_policy_last(*ctx->kasp_db, addtopolicy, last_policy_last,
ctx->zone->dname, key->id);
if (ret != KNOT_EOK) {
return ret;
}
}
ret = kdnssec_ctx_commit(ctx);
if (ret == KNOT_EOK) {
......@@ -347,7 +368,7 @@ int keymgr_import_pem(kdnssec_ctx_t *ctx, const char *import_file, int argc, cha
bool isksk = false;
uint16_t keysize = 0;
if (!genkeyargs(argc, argv, false, &isksk, &ctx->policy->algorithm,
&keysize, &timing)) {
&keysize, &timing, NULL)) {
return KNOT_EINVAL;
}
......@@ -590,7 +611,7 @@ int keymgr_set_timing(knot_kasp_key_t *key, int argc, char *argv[])
{
knot_kasp_key_timing_t temp = key->timing;
if (genkeyargs(argc, argv, true, NULL, NULL, NULL, &temp)) {
if (genkeyargs(argc, argv, true, NULL, NULL, NULL, &temp, NULL)) {
key->timing = temp;
return KNOT_EOK;
}
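Review bot: `*addtopolicy = argv[i] + 12;` in genkeyargs can be reached with `addtopolicy == NULL`: keymgr_import_pem passes `NULL` as the new last argument but `just_timing = false`, so an `addtopolicy=` argument on that command line dereferences a null pointer; keymgr_set_timing is only safe because `just_timing` short-circuits the branch. Guard the new branch on the out-parameter so the option is reported as an invalid parameter where it is not supported: `} else if (!just_timing && addtopolicy != NULL && strncasecmp(argv[i], "addtopolicy=", 12) == 0) {`. In keymgr_generate_key the `last_policy_last` string and the `unused` dname filled in by kasp_db_get_policy_last are not released on either `return ret;` path or after kasp_db_set_policy_last; whether they are heap-allocated is not visible here, so please confirm against the kasp_db API. A comment that KNOT_ENOENT is the expected first-key case, in which `last_policy_last` stays NULL, would also explain why that error is tolerated.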
......
......@@ -15,6 +15,14 @@ from dnstest.utils import *
from dnstest.keys import Keymgr
from dnstest.test import Test
def pregenerate_key(server, zone, alg):
class a_class_with_name:
def __init__(self, name):
self.name = name
server.gen_key(a_class_with_name("notexisting.zone."), ksk=True, alg=alg,
addtopolicy=zone[0].name)
# check zone if keys are present and used for signing
def check_zone(server, zone, dnskeys, dnskey_rrsigs, cdnskeys, soa_rrsigs, msg):
qdnskeys = server.dig("example.com", "DNSKEY", bufsize=4096)
......@@ -167,13 +175,14 @@ child.zonefile_sync = 24 * 60 * 60
child.dnssec(child_zone).enable = True
child.dnssec(child_zone).manual = False
child.dnssec(child_zone).alg = "RSASHA512"
child.dnssec(child_zone).alg = "ECDSAP384SHA384"
child.dnssec(child_zone).dnskey_ttl = 2
child.dnssec(child_zone).zsk_lifetime = 99999
child.dnssec(child_zone).ksk_lifetime = 300 # this can be possibly left also infinity
child.dnssec(child_zone).propagation_delay = 11
child.dnssec(child_zone).ksk_sbm_check = [ parent ]
child.dnssec(child_zone).ksk_sbm_check_interval = 2
child.dnssec(child_zone).ksk_shared = True
# parameters
ZONE = "example.com."
......@@ -181,18 +190,25 @@ ZONE = "example.com."
t.start()
child.zone_wait(child_zone)
watch_alg_rollover(t, child, child_zone, 2, 1, "KZSK to CSK alg", "RSASHA256", True, cds_submission)
pregenerate_key(child, child_zone, "ECDSAP256SHA256")
watch_alg_rollover(t, child, child_zone, 2, 1, "KZSK to CSK alg", "ECDSAP256SHA256", True, cds_submission)
pregenerate_key(child, child_zone, "ECDSAP256SHA256")
watch_ksk_rollover(t, child, child_zone, 1, 1, 2, "CSK rollover", True, 27, cds_submission)
pregenerate_key(child, child_zone, "ECDSAP256SHA256")
watch_ksk_rollover(t, child, child_zone, 1, 2, 3, "CSK to KZSK", False, 0, cds_submission)
pregenerate_key(child, child_zone, "ECDSAP256SHA256")
watch_ksk_rollover(t, child, child_zone, 2, 2, 3, "KSK rollover", False, 27, cds_submission)
pregenerate_key(child, child_zone, "ECDSAP256SHA256")
watch_ksk_rollover(t, child, child_zone, 2, 1, 3, "KZSK to CSK", True, 0, cds_submission)
watch_alg_rollover(t, child, child_zone, 1, 1, "CSK to CSK alg", "RSASHA512", True, cds_submission)
pregenerate_key(child, child_zone, "ECDSAP384SHA384")
watch_alg_rollover(t, child, child_zone, 1, 1, "CSK to CSK alg", "ECDSAP384SHA384", True, cds_submission)
watch_alg_rollover(t, child, child_zone, 1, 2, "CSK to KZSK alg", "RSASHA256", False, cds_submission)
pregenerate_key(child, child_zone, "ECDSAP256SHA256")
watch_alg_rollover(t, child, child_zone, 1, 2, "CSK to KZSK alg", "ECDSAP256SHA256", False, cds_submission)
t.end()
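Review bot: The nested `a_class_with_name` class in pregenerate_key exists only to hand gen_key an object with a `.name` attribute; a stdlib namespace does that in one line and reads as intent rather than scaffolding: `server.gen_key(SimpleNamespace(name="notexisting.zone."), ksk=True, alg=alg, addtopolicy=zone[0].name)` with `from types import SimpleNamespace` added to the import block at the top of the file. A docstring on pregenerate_key stating that the key is generated under a zone name that does not exist and then attached to the real zone's policy through addtopolicy, so that the following rollover step finds a pre-generated key, would explain why the helper is called before every watch_* step below. Whether the hard-coded "notexisting.zone." can collide across repeated calls within one test run is not visible here and worth confirming.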
......@@ -108,12 +108,22 @@ class Keymgr(object):
class Key(object):
'''DNSSEC key generator'''
def __init__(self, key_dir, zone_name, ksk=False, alg="rsasha256", key_len=512):
def __init__(self, key_dir, zone_name, ksk=False, alg="ECDSAP256SHA256",
key_len=-1, addtopolicy=None):
self.dir = key_dir
self.zone_name = zone_name
self.alg = alg
self.len = key_len
self.ksk = ksk
self.len = int(key_len)
self.ksk = bool(ksk)
self.addtopolicy = addtopolicy
if self.len < 0:
try:
self.len = int(alg[-3:])
except ValueError:
pass
if self.len < 100 or self.len % 128 != 0:
self.len = 256
def _keymgr(self, *args):
return Keymgr.run(self.dir, *args)
......@@ -126,10 +136,14 @@ class Key(object):
"size=" + str(self.len)
]
if self.addtopolicy is not None:
cmd.append("addtopolicy=" + str(self.addtopolicy))
return cmd
def generate(self):
command = self._gen_command()
(exit_code, _, _) = self._keymgr(*command)
(exit_code, stdout, stderr) = self._keymgr(*command)
if exit_code != 0:
raise Failed("Can't generate key for zone '%s'." % self.zone_name)
raise Failed("Can't generate key for zone '%s'. Stderr: %s" % (self.zone_name, stderr))
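Review bot: Deriving the key length from the last three characters of the algorithm name in Key.__init__ produces wrong sizes for RSA algorithms: `RSASHA256` yields 256 and `RSASHA512` yields 512, where the digits name the hash rather than the modulus, so an RSA request at those sizes is far below a usable key size and will presumably be refused by keymgr (not verifiable from this hunk). The suffix rule holds only for the ECDSAP* names, so restrict it to those and use an explicit default for RSA; the fallback to 256 for an RSA name that fails to parse has the same problem. Adding a comment that the default `key_len=-1` means "infer from the algorithm name" would also help callers. The 2048 below is a constructed example value.

```python
        self.addtopolicy = addtopolicy
        if self.len < 0:
            # Trailing digits of an ECDSAP* name give the curve size; for RSA
            # they name the hash digest, so never derive an RSA size from them.
            if alg.upper().startswith("ECDSAP"):
                try:
                    self.len = int(alg[-3:])
                except ValueError:
                    pass
            if self.len < 100 or self.len % 128 != 0:
                self.len = 2048 if alg.upper().startswith("RSA") else 256
        # … unchanged: _keymgr, _gen_command, generate …
```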
......@@ -56,6 +56,7 @@ class ZoneDnssec(object):
self.nsec3_salt_len = None
self.ksk_sbm_check = []
self.ksk_sbm_check_interval = None
self.ksk_shared = None
class Zone(object):
'''DNS zone description'''
......@@ -1180,6 +1181,7 @@ class Knot(Server):
self._str(s, "nsec3-salt-length", z.dnssec.nsec3_salt_len)
if len(z.dnssec.ksk_sbm_check) > 0:
s.item("ksk-submission", z.name)
self._bool(s, "ksk-shared", z.dnssec.ksk_shared)
if have_policy:
s.end()
......