git.samba.org - third_party/dnspython/blob - tests/dnssec.py

   1 # Copyright (C) 2011 Nominum, Inc.
   2 #
   3 # Permission to use, copy, modify, and distribute this software and its
   4 # documentation for any purpose with or without fee is hereby granted,
   5 # provided that the above copyright notice and this permission notice
   6 # appear in all copies.
   7 #
   8 # THE SOFTWARE IS PROVIDED "AS IS" AND NOMINUM DISCLAIMS ALL WARRANTIES
   9 # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  10 # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NOMINUM BE LIABLE FOR
  11 # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  12 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  13 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
  14 # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  15
  16 import unittest
  17
  18 import dns.dnssec
  19 import dns.name
  20 import dns.rdata
  21 import dns.rdataclass
  22 import dns.rdatatype
  23 import dns.rrset
  24
  25 abs_dnspython_org = dns.name.from_text('dnspython.org')
  26
  27 abs_keys = { abs_dnspython_org :
  28              dns.rrset.from_text('dnspython.org.', 3600, 'IN', 'DNSKEY',
  29                                  '257 3 5 AwEAAenVTr9L1OMlL1/N2ta0Qj9LLLnnmFWIr1dJoAsWM9BQfsbV7kFZ XbAkER/FY9Ji2o7cELxBwAsVBuWn6IUUAJXLH74YbC1anY0lifjgt29z SwDzuB7zmC7yVYZzUunBulVW4zT0tg1aePbpVL2EtTL8VzREqbJbE25R KuQYHZtFwG8S4iBxJUmT2Bbd0921LLxSQgVoFXlQx/gFV2+UERXcJ5ce iX6A6wc02M/pdg/YbJd2rBa0MYL3/Fz/Xltre0tqsImZGxzi6YtYDs45 NC8gH+44egz82e2DATCVM1ICPmRDjXYTLldQiWA2ZXIWnK0iitl5ue24 7EsWJefrIhE=',
  30                                  '256 3 5 AwEAAdSSghOGjU33IQZgwZM2Hh771VGXX05olJK49FxpSyuEAjDBXY58 LGU9R2Zgeecnk/b9EAhFu/vCV9oECtiTCvwuVAkt9YEweqYDluQInmgP NGMJCKdSLlnX93DkjDw8rMYv5dqXCuSGPlKChfTJOLQxIAxGloS7lL+c 0CTZydAF')
  31          }
  32
  33 abs_keys_duplicate_keytag = { abs_dnspython_org :
  34              dns.rrset.from_text('dnspython.org.', 3600, 'IN', 'DNSKEY',
  35                                  '257 3 5 AwEAAenVTr9L1OMlL1/N2ta0Qj9LLLnnmFWIr1dJoAsWM9BQfsbV7kFZ XbAkER/FY9Ji2o7cELxBwAsVBuWn6IUUAJXLH74YbC1anY0lifjgt29z SwDzuB7zmC7yVYZzUunBulVW4zT0tg1aePbpVL2EtTL8VzREqbJbE25R KuQYHZtFwG8S4iBxJUmT2Bbd0921LLxSQgVoFXlQx/gFV2+UERXcJ5ce iX6A6wc02M/pdg/YbJd2rBa0MYL3/Fz/Xltre0tqsImZGxzi6YtYDs45 NC8gH+44egz82e2DATCVM1ICPmRDjXYTLldQiWA2ZXIWnK0iitl5ue24 7EsWJefrIhE=',
  36                                  '256 3 5 AwEAAdSSg++++THIS/IS/NOT/THE/CORRECT/KEY++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ AaOSydAF',
  37                                  '256 3 5 AwEAAdSSghOGjU33IQZgwZM2Hh771VGXX05olJK49FxpSyuEAjDBXY58 LGU9R2Zgeecnk/b9EAhFu/vCV9oECtiTCvwuVAkt9YEweqYDluQInmgP NGMJCKdSLlnX93DkjDw8rMYv5dqXCuSGPlKChfTJOLQxIAxGloS7lL+c 0CTZydAF')
  38          }
  39
  40 rel_keys = { dns.name.empty :
  41              dns.rrset.from_text('@', 3600, 'IN', 'DNSKEY',
  42                                  '257 3 5 AwEAAenVTr9L1OMlL1/N2ta0Qj9LLLnnmFWIr1dJoAsWM9BQfsbV7kFZ XbAkER/FY9Ji2o7cELxBwAsVBuWn6IUUAJXLH74YbC1anY0lifjgt29z SwDzuB7zmC7yVYZzUunBulVW4zT0tg1aePbpVL2EtTL8VzREqbJbE25R KuQYHZtFwG8S4iBxJUmT2Bbd0921LLxSQgVoFXlQx/gFV2+UERXcJ5ce iX6A6wc02M/pdg/YbJd2rBa0MYL3/Fz/Xltre0tqsImZGxzi6YtYDs45 NC8gH+44egz82e2DATCVM1ICPmRDjXYTLldQiWA2ZXIWnK0iitl5ue24 7EsWJefrIhE=',
  43                                  '256 3 5 AwEAAdSSghOGjU33IQZgwZM2Hh771VGXX05olJK49FxpSyuEAjDBXY58 LGU9R2Zgeecnk/b9EAhFu/vCV9oECtiTCvwuVAkt9YEweqYDluQInmgP NGMJCKdSLlnX93DkjDw8rMYv5dqXCuSGPlKChfTJOLQxIAxGloS7lL+c 0CTZydAF')
  44          }
  45
  46 when = 1290250287
  47
  48 abs_soa = dns.rrset.from_text('dnspython.org.', 3600, 'IN', 'SOA',
  49                               'howl.dnspython.org. hostmaster.dnspython.org. 2010020047 3600 1800 604800 3600')
  50
  51 abs_other_soa = dns.rrset.from_text('dnspython.org.', 3600, 'IN', 'SOA',
  52                                     'foo.dnspython.org. hostmaster.dnspython.org. 2010020047 3600 1800 604800 3600')
  53
  54 abs_soa_rrsig = dns.rrset.from_text('dnspython.org.', 3600, 'IN', 'RRSIG',
  55                                     'SOA 5 2 3600 20101127004331 20101119213831 61695 dnspython.org. sDUlltRlFTQw5ITFxOXW3TgmrHeMeNpdqcZ4EXxM9FHhIlte6V9YCnDw t6dvM9jAXdIEi03l9H/RAd9xNNW6gvGMHsBGzpvvqFQxIBR2PoiZA1mX /SWHZFdbt4xjYTtXqpyYvrMK0Dt7bUYPadyhPFCJ1B+I8Zi7B5WJEOd0 8vs=')
  56
  57 rel_soa = dns.rrset.from_text('@', 3600, 'IN', 'SOA',
  58                               'howl hostmaster 2010020047 3600 1800 604800 3600')
  59
  60 rel_other_soa = dns.rrset.from_text('@', 3600, 'IN', 'SOA',
  61                                     'foo hostmaster 2010020047 3600 1800 604800 3600')
  62
  63 rel_soa_rrsig = dns.rrset.from_text('@', 3600, 'IN', 'RRSIG',
  64                                     'SOA 5 2 3600 20101127004331 20101119213831 61695 @ sDUlltRlFTQw5ITFxOXW3TgmrHeMeNpdqcZ4EXxM9FHhIlte6V9YCnDw t6dvM9jAXdIEi03l9H/RAd9xNNW6gvGMHsBGzpvvqFQxIBR2PoiZA1mX /SWHZFdbt4xjYTtXqpyYvrMK0Dt7bUYPadyhPFCJ1B+I8Zi7B5WJEOd0 8vs=')
  65
  66 sep_key = dns.rdata.from_text(dns.rdataclass.IN, dns.rdatatype.DNSKEY,
  67                               '257 3 5 AwEAAenVTr9L1OMlL1/N2ta0Qj9LLLnnmFWIr1dJoAsWM9BQfsbV7kFZ XbAkER/FY9Ji2o7cELxBwAsVBuWn6IUUAJXLH74YbC1anY0lifjgt29z SwDzuB7zmC7yVYZzUunBulVW4zT0tg1aePbpVL2EtTL8VzREqbJbE25R KuQYHZtFwG8S4iBxJUmT2Bbd0921LLxSQgVoFXlQx/gFV2+UERXcJ5ce iX6A6wc02M/pdg/YbJd2rBa0MYL3/Fz/Xltre0tqsImZGxzi6YtYDs45 NC8gH+44egz82e2DATCVM1ICPmRDjXYTLldQiWA2ZXIWnK0iitl5ue24 7EsWJefrIhE=')
  68
  69 good_ds = dns.rdata.from_text(dns.rdataclass.IN, dns.rdatatype.DS,
  70                               '57349 5 2 53A79A3E7488AB44FFC56B2D1109F0699D1796DD977E72108B841F96 E47D7013')
  71
  72 when2 = 1290425644
  73
  74 abs_example = dns.name.from_text('example')
  75
  76 abs_dsa_keys = { abs_example :
  77                  dns.rrset.from_text('example.', 86400, 'IN', 'DNSKEY',
  78                                      '257 3 3 CI3nCqyJsiCJHTjrNsJOT4RaszetzcJPYuoH3F9ZTVt3KJXncCVR3bwn 1w0iavKljb9hDlAYSfHbFCp4ic/rvg4p1L8vh5s8ToMjqDNl40A0hUGQ Ybx5hsECyK+qHoajilUX1phYSAD8d9WAGO3fDWzUPBuzR7o85NiZCDxz yXuNVfni0uhj9n1KYhEO5yAbbruDGN89wIZcxMKuQsdUY2GYD93ssnBv a55W6XRABYWayKZ90WkRVODLVYLSn53Pj/wwxGH+XdhIAZJXimrZL4yl My7rtBsLMqq8Ihs4Tows7LqYwY7cp6y/50tw6pj8tFqMYcPUjKZV36l1 M/2t5BVg3i7IK61Aidt6aoC3TDJtzAxg3ZxfjZWJfhHjMJqzQIfbW5b9 q1mjFsW5EUv39RaNnX+3JWPRLyDqD4pIwDyqfutMsdk/Py3paHn82FGp CaOg+nicqZ9TiMZURN/XXy5JoXUNQ3RNvbHCUiPUe18KUkY6mTfnyHld 1l9YCWmzXQVClkx/hOYxjJ4j8Ife58+Obu5X',
  79                                      '256 3 3 CJE1yb9YRQiw5d2xZrMUMR+cGCTt1bp1KDCefmYKmS+Z1+q9f42ETVhx JRiQwXclYwmxborzIkSZegTNYIV6mrYwbNB27Q44c3UGcspb3PiOw5TC jNPRYEcdwGvDZ2wWy+vkSV/S9tHXY8O6ODiE6abZJDDg/RnITyi+eoDL R3KZ5n/V1f1T1b90rrV6EewhBGQJpQGDogaXb2oHww9Tm6NfXyo7SoMM pbwbzOckXv+GxRPJIQNSF4D4A9E8XCksuzVVdE/0lr37+uoiAiPia38U 5W2QWe/FJAEPLjIp2eTzf0TrADc1pKP1wrA2ASpdzpm/aX3IB5RPp8Ew S9U72eBFZJAUwg635HxJVxH1maG6atzorR566E+e0OZSaxXS9o1o6QqN 3oPlYLGPORDiExilKfez3C/x/yioOupW9K5eKF0gmtaqrHX0oq9s67f/ RIM2xVaKHgG9Vf2cgJIZkhv7sntujr+E4htnRmy9P9BxyFxsItYxPI6Z bzygHAZpGhlI/7ltEGlIwKxyTK3ZKBm67q7B')
  80                  }
  81
  82 abs_dsa_soa = dns.rrset.from_text('example.', 86400, 'IN', 'SOA',
  83                                   'ns1.example. hostmaster.example. 2 10800 3600 604800 86400')
  84
  85 abs_other_dsa_soa = dns.rrset.from_text('example.', 86400, 'IN', 'SOA',
  86                                         'ns1.example. hostmaster.example. 2 10800 3600 604800 86401')
  87
  88 abs_dsa_soa_rrsig = dns.rrset.from_text('example.', 86400, 'IN', 'RRSIG',
  89                                         'SOA 3 1 86400 20101129143231 20101122112731 42088 example. CGul9SuBofsktunV8cJs4eRs6u+3NCS3yaPKvBbD+pB2C76OUXDZq9U=')
  90
  91 example_sep_key = dns.rdata.from_text(dns.rdataclass.IN, dns.rdatatype.DNSKEY,
  92                                       '257 3 3 CI3nCqyJsiCJHTjrNsJOT4RaszetzcJPYuoH3F9ZTVt3KJXncCVR3bwn 1w0iavKljb9hDlAYSfHbFCp4ic/rvg4p1L8vh5s8ToMjqDNl40A0hUGQ Ybx5hsECyK+qHoajilUX1phYSAD8d9WAGO3fDWzUPBuzR7o85NiZCDxz yXuNVfni0uhj9n1KYhEO5yAbbruDGN89wIZcxMKuQsdUY2GYD93ssnBv a55W6XRABYWayKZ90WkRVODLVYLSn53Pj/wwxGH+XdhIAZJXimrZL4yl My7rtBsLMqq8Ihs4Tows7LqYwY7cp6y/50tw6pj8tFqMYcPUjKZV36l1 M/2t5BVg3i7IK61Aidt6aoC3TDJtzAxg3ZxfjZWJfhHjMJqzQIfbW5b9 q1mjFsW5EUv39RaNnX+3JWPRLyDqD4pIwDyqfutMsdk/Py3paHn82FGp CaOg+nicqZ9TiMZURN/XXy5JoXUNQ3RNvbHCUiPUe18KUkY6mTfnyHld 1l9YCWmzXQVClkx/hOYxjJ4j8Ife58+Obu5X')
  93
  94 example_ds_sha1 = dns.rdata.from_text(dns.rdataclass.IN, dns.rdatatype.DS,
  95                                       '18673 3 1 71b71d4f3e11bbd71b4eff12cde69f7f9215bbe7')
  96
  97 example_ds_sha256 = dns.rdata.from_text(dns.rdataclass.IN, dns.rdatatype.DS,
  98                                         '18673 3 2 eb8344cbbf07c9d3d3d6c81d10c76653e28d8611a65e639ef8f716e4e4e5d913')
  99
 100 class DNSSECValidatorTestCase(unittest.TestCase):
 101
 102     def testAbsoluteRSAGood(self):
 103         dns.dnssec.validate(abs_soa, abs_soa_rrsig, abs_keys, None, when)
 104
 105     def testDuplicateKeytag(self):
 106         dns.dnssec.validate(abs_soa, abs_soa_rrsig, abs_keys_duplicate_keytag, None, when)
 107
 108     def testAbsoluteRSABad(self):
 109         def bad():
 110             dns.dnssec.validate(abs_other_soa, abs_soa_rrsig, abs_keys, None,
 111                                 when)
 112         self.failUnlessRaises(dns.dnssec.ValidationFailure, bad)
 113
 114     def testRelativeRSAGood(self):
 115         dns.dnssec.validate(rel_soa, rel_soa_rrsig, rel_keys,
 116                             abs_dnspython_org, when)
 117
 118     def testRelativeRSABad(self):
 119         def bad():
 120             dns.dnssec.validate(rel_other_soa, rel_soa_rrsig, rel_keys,
 121                                 abs_dnspython_org, when)
 122         self.failUnlessRaises(dns.dnssec.ValidationFailure, bad)
 123
 124     def testMakeSHA256DS(self):
 125         ds = dns.dnssec.make_ds(abs_dnspython_org, sep_key, 'SHA256')
 126         self.failUnless(ds == good_ds)
 127
 128     def testAbsoluteDSAGood(self):
 129         dns.dnssec.validate(abs_dsa_soa, abs_dsa_soa_rrsig, abs_dsa_keys, None,
 130                             when2)
 131
 132     def testAbsoluteDSABad(self):
 133         def bad():
 134             dns.dnssec.validate(abs_other_dsa_soa, abs_dsa_soa_rrsig,
 135                                 abs_dsa_keys, None, when2)
 136         self.failUnlessRaises(dns.dnssec.ValidationFailure, bad)
 137
 138     def testMakeExampleSHA1DS(self):
 139         ds = dns.dnssec.make_ds(abs_example, example_sep_key, 'SHA1')
 140         self.failUnless(ds == example_ds_sha1)
 141
 142     def testMakeExampleSHA256DS(self):
 143         ds = dns.dnssec.make_ds(abs_example, example_sep_key, 'SHA256')
 144         self.failUnless(ds == example_ds_sha256)
 145
 146 if __name__ == '__main__':
 147     import_ok = False
 148     try:
 149         import Crypto.Util.number
 150         import_ok = True
 151     except:
 152         pass
 153     if import_ok:
 154         unittest.main()
 155     else:
 156         print 'skipping DNSSEC tests because pycrypto is not installed'