Commit 2eec47d6 authored by Libor Peltan's avatar Libor Peltan Committed by Daniel Salzman

tests: added pre-generating keys with keymgr; csk-rollovers: RSA->ECDSA

parent fa9ca08b
......@@ -15,6 +15,14 @@ from dnstest.utils import *
from dnstest.keys import Keymgr
from dnstest.test import Test
def pregenerate_key(server, zone, alg):
class a_class_with_name:
def __init__(self, name):
self.name = name
server.gen_key(a_class_with_name("notexisting.zone."), ksk=True, alg=alg,
addtopolicy=zone[0].name)
# check zone if keys are present and used for signing
def check_zone(server, zone, dnskeys, dnskey_rrsigs, cdnskeys, soa_rrsigs, msg):
qdnskeys = server.dig("example.com", "DNSKEY", bufsize=4096)
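Review bot: `pregenerate_key` has no docstring, and why the key is created under the placeholder name `"notexisting.zone."` and only linked to the real zone through `addtopolicy=zone[0].name` is not obvious from the three-line local class; a docstring such as `"""Pre-generate a KSK of algorithm `alg` with keymgr and attach it to the policy of zone[0] (a list); the key is created under a placeholder zone name, so only the addtopolicy link ties it to the real zone."""` would cover it. The throw-away `a_class_with_name` can also be replaced by `types.SimpleNamespace(name="notexisting.zone.")` (with `import types` at the top of the file), which drops the local class entirely. Whether `server.gen_key` returns anything useful to the caller is not visible here; if it does, returning it would let tests assert on the generated key later.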
......@@ -167,13 +175,14 @@ child.zonefile_sync = 24 * 60 * 60
child.dnssec(child_zone).enable = True
child.dnssec(child_zone).manual = False
child.dnssec(child_zone).alg = "RSASHA512"
child.dnssec(child_zone).alg = "ECDSAP384SHA384"
child.dnssec(child_zone).dnskey_ttl = 2
child.dnssec(child_zone).zsk_lifetime = 99999
child.dnssec(child_zone).ksk_lifetime = 300 # this can be possibly left also infinity
child.dnssec(child_zone).propagation_delay = 11
child.dnssec(child_zone).ksk_sbm_check = [ parent ]
child.dnssec(child_zone).ksk_sbm_check_interval = 2
child.dnssec(child_zone).ksk_shared = True
# parameters
ZONE = "example.com."
......@@ -181,18 +190,25 @@ ZONE = "example.com."
t.start()
child.zone_wait(child_zone)
watch_alg_rollover(t, child, child_zone, 2, 1, "KZSK to CSK alg", "RSASHA256", True, cds_submission)
pregenerate_key(child, child_zone, "ECDSAP256SHA256")
watch_alg_rollover(t, child, child_zone, 2, 1, "KZSK to CSK alg", "ECDSAP256SHA256", True, cds_submission)
pregenerate_key(child, child_zone, "ECDSAP256SHA256")
watch_ksk_rollover(t, child, child_zone, 1, 1, 2, "CSK rollover", True, 27, cds_submission)
pregenerate_key(child, child_zone, "ECDSAP256SHA256")
watch_ksk_rollover(t, child, child_zone, 1, 2, 3, "CSK to KZSK", False, 0, cds_submission)
pregenerate_key(child, child_zone, "ECDSAP256SHA256")
watch_ksk_rollover(t, child, child_zone, 2, 2, 3, "KSK rollover", False, 27, cds_submission)
pregenerate_key(child, child_zone, "ECDSAP256SHA256")
watch_ksk_rollover(t, child, child_zone, 2, 1, 3, "KZSK to CSK", True, 0, cds_submission)
watch_alg_rollover(t, child, child_zone, 1, 1, "CSK to CSK alg", "RSASHA512", True, cds_submission)
pregenerate_key(child, child_zone, "ECDSAP384SHA384")
watch_alg_rollover(t, child, child_zone, 1, 1, "CSK to CSK alg", "ECDSAP384SHA384", True, cds_submission)
watch_alg_rollover(t, child, child_zone, 1, 2, "CSK to KZSK alg", "RSASHA256", False, cds_submission)
pregenerate_key(child, child_zone, "ECDSAP256SHA256")
watch_alg_rollover(t, child, child_zone, 1, 2, "CSK to KZSK alg", "ECDSAP256SHA256", False, cds_submission)
t.end()
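Review bot: Nothing in the new calls verifies that the following rollover actually used the key created by `pregenerate_key(child, child_zone, "ECDSAP256SHA256")` rather than one the server generated itself, so a regression in the addtopolicy handling would not fail this test unless `watch_ksk_rollover`/`watch_alg_rollover` compare key tags, which is not visible here; capturing the pre-generated key's identity and asserting the new DNSKEY matches it would pin the behaviour the commit adds. Independently, the `"ECDSAP256SHA256"` literal is repeated six times, and for the `watch_ksk_rollover` calls (which take no algorithm argument) it presumably has to agree with the algorithm the policy currently uses; a module constant, e.g. `ALG = "ECDSAP256SHA256"`, plus a comment `# pre-generated key must use the policy's current algorithm` makes that coupling visible at the call sites.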
......@@ -108,12 +108,22 @@ class Keymgr(object):
class Key(object):
'''DNSSEC key generator'''
def __init__(self, key_dir, zone_name, ksk=False, alg="rsasha256", key_len=512):
def __init__(self, key_dir, zone_name, ksk=False, alg="ECDSAP256SHA256",
key_len=-1, addtopolicy=None):
self.dir = key_dir
self.zone_name = zone_name
self.alg = alg
self.len = key_len
self.ksk = ksk
self.len = int(key_len)
self.ksk = bool(ksk)
self.addtopolicy = addtopolicy
if self.len < 0:
try:
self.len = int(alg[-3:])
except ValueError:
pass
if self.len < 100 or self.len % 128 != 0:
self.len = 256
def _keymgr(self, *args):
return Keymgr.run(self.dir, *args)
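Review bot: The key-size fallback at `self.len = int(alg[-3:])` reads the last three characters of the algorithm name, which for RSA names is the digest length rather than a key size: with the new default `key_len=-1`, `alg="RSASHA512"` requests a 512-bit RSA key and `"RSASHA256"` a 256-bit one, and the `self.len < 100 or self.len % 128 != 0` guard accepts both (the previous default was 512 for rsasha256). Unless keymgr itself rejects such sizes, that silently downgrades the RSA test keys, while for ECDSA names the suffix really is the curve size. Deriving the size from the name only for ECDSA and giving RSA an explicit default keeps the new behaviour for the default algorithm and fixes the RSA case; the comment on that branch should say why the suffix is trusted for ECDSA only. The RSA default below is a constructed value; use whatever size the suite tolerates.
```python
        self.addtopolicy = addtopolicy
        if self.len < 0:
            # Only ECDSA algorithm names end in the curve size; RSA names end in
            # the digest length (RSASHA512 is not a 512-bit key), so derive the
            # size from the name for ECDSA only and use a fixed RSA default.
            if alg.upper().startswith("ECDSA"):
                try:
                    self.len = int(alg[-3:])
                except ValueError:
                    pass
            elif alg.upper().startswith("RSA"):
                self.len = 2048
        if self.len < 100 or self.len % 128 != 0:
            self.len = 256
```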
......@@ -126,10 +136,14 @@ class Key(object):
"size=" + str(self.len)
]
if self.addtopolicy is not None:
cmd.append("addtopolicy=" + str(self.addtopolicy))
return cmd
def generate(self):
command = self._gen_command()
(exit_code, _, _) = self._keymgr(*command)
(exit_code, stdout, stderr) = self._keymgr(*command)
if exit_code != 0:
raise Failed("Can't generate key for zone '%s'." % self.zone_name)
raise Failed("Can't generate key for zone '%s'. Stderr: %s" % (self.zone_name, stderr))
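Review bot: `stdout` is bound at `(exit_code, stdout, stderr) = self._keymgr(*command)` but never used, so the name reads like a forgotten check; keep the placeholder, `(exit_code, _, stderr) = self._keymgr(*command)`, since only `stderr` feeds the error message. Including stderr in the `Failed` message is a good change; if `Keymgr.run` returns bytes rather than str (not visible here), the `%s` formatting will embed a `b'...'` repr, so a `.decode()` or `.strip()` at that point may be wanted. `_gen_command` begins before this hunk.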
......@@ -56,6 +56,7 @@ class ZoneDnssec(object):
self.nsec3_salt_len = None
self.ksk_sbm_check = []
self.ksk_sbm_check_interval = None
self.ksk_shared = None
class Zone(object):
'''DNS zone description'''
......@@ -1180,6 +1181,7 @@ class Knot(Server):
self._str(s, "nsec3-salt-length", z.dnssec.nsec3_salt_len)
if len(z.dnssec.ksk_sbm_check) > 0:
s.item("ksk-submission", z.name)
self._bool(s, "ksk-shared", z.dnssec.ksk_shared)
if have_policy:
s.end()