[validate] Implement support for digests

The test keys have been rotated and replaced with KSKs since they have associated DS records I can verify digests against. I also expanded Ring's testing to include ECDSA keys. The validate module tests SHA-1 keys as well, which aren't supported by 'sign'.
NLnetLabs · Oct 16, 2024 · f65c5cc · f65c5cc
1 parent e0344a6
commit f65c5cc
Show file tree

Hide file tree

Showing 34 changed files with 295 additions and 72 deletions.
diff --git a/src/sign/generic.rs b/src/sign/generic.rs
@@ -436,17 +436,18 @@ mod tests {
     use crate::base::iana::SecAlg;
 
     const KEYS: &[(SecAlg, u16)] = &[
-        (SecAlg::RSASHA256, 27096),
-        (SecAlg::ECDSAP256SHA256, 40436),
-        (SecAlg::ECDSAP384SHA384, 17013),
-        (SecAlg::ED25519, 43769),
-        (SecAlg::ED448, 34114),
+        (SecAlg::RSASHA256, 60616),
+        (SecAlg::ECDSAP256SHA256, 42253),
+        (SecAlg::ECDSAP384SHA384, 33566),
+        (SecAlg::ED25519, 56037),
+        (SecAlg::ED448, 7379),
     ];
 
     #[test]
     fn secret_from_dns() {
         for &(algorithm, key_tag) in KEYS {
-            let name = format!("test.+{:03}+{}", algorithm.to_int(), key_tag);
+            let name =
+                format!("test.+{:03}+{:05}", algorithm.to_int(), key_tag);
             let path = format!("test-data/dnssec-keys/K{}.private", name);
             let data = std::fs::read_to_string(path).unwrap();
             let key = super::SecretKey::parse_from_bind(&data).unwrap();
@@ -457,7 +458,8 @@ mod tests {
     #[test]
     fn secret_roundtrip() {
         for &(algorithm, key_tag) in KEYS {
-            let name = format!("test.+{:03}+{}", algorithm.to_int(), key_tag);
+            let name =
+                format!("test.+{:03}+{:05}", algorithm.to_int(), key_tag);
             let path = format!("test-data/dnssec-keys/K{}.private", name);
             let data = std::fs::read_to_string(path).unwrap();
             let key = super::SecretKey::parse_from_bind(&data).unwrap();

diff --git a/src/sign/openssl.rs b/src/sign/openssl.rs
@@ -357,11 +357,11 @@ mod tests {
     use super::SecretKey;
 
     const KEYS: &[(SecAlg, u16)] = &[
-        (SecAlg::RSASHA256, 27096),
-        (SecAlg::ECDSAP256SHA256, 40436),
-        (SecAlg::ECDSAP384SHA384, 17013),
-        (SecAlg::ED25519, 43769),
-        (SecAlg::ED448, 34114),
+        (SecAlg::RSASHA256, 60616),
+        (SecAlg::ECDSAP256SHA256, 42253),
+        (SecAlg::ECDSAP384SHA384, 33566),
+        (SecAlg::ED25519, 56037),
+        (SecAlg::ED448, 7379),
     ];
 
     #[test]
@@ -385,7 +385,8 @@ mod tests {
     #[test]
     fn imported_roundtrip() {
         for &(algorithm, key_tag) in KEYS {
-            let name = format!("test.+{:03}+{}", algorithm.to_int(), key_tag);
+            let name =
+                format!("test.+{:03}+{:05}", algorithm.to_int(), key_tag);
 
             let path = format!("test-data/dnssec-keys/K{}.key", name);
             let data = std::fs::read_to_string(path).unwrap();
@@ -411,7 +412,8 @@ mod tests {
     #[test]
     fn public_key() {
         for &(algorithm, key_tag) in KEYS {
-            let name = format!("test.+{:03}+{}", algorithm.to_int(), key_tag);
+            let name =
+                format!("test.+{:03}+{:05}", algorithm.to_int(), key_tag);
 
             let path = format!("test-data/dnssec-keys/K{}.private", name);
             let data = std::fs::read_to_string(path).unwrap();
@@ -431,7 +433,8 @@ mod tests {
     #[test]
     fn sign() {
         for &(algorithm, key_tag) in KEYS {
-            let name = format!("test.+{:03}+{}", algorithm.to_int(), key_tag);
+            let name =
+                format!("test.+{:03}+{:05}", algorithm.to_int(), key_tag);
 
             let path = format!("test-data/dnssec-keys/K{}.private", name);
             let data = std::fs::read_to_string(path).unwrap();

diff --git a/src/sign/ring.rs b/src/sign/ring.rs
@@ -222,13 +222,18 @@ mod tests {
 
     use super::SecretKey;
 
-    const KEYS: &[(SecAlg, u16)] =
-        &[(SecAlg::RSASHA256, 27096), (SecAlg::ED25519, 43769)];
+    const KEYS: &[(SecAlg, u16)] = &[
+        (SecAlg::RSASHA256, 60616),
+        (SecAlg::ECDSAP256SHA256, 42253),
+        (SecAlg::ECDSAP384SHA384, 33566),
+        (SecAlg::ED25519, 56037),
+    ];
 
     #[test]
     fn public_key() {
         for &(algorithm, key_tag) in KEYS {
-            let name = format!("test.+{:03}+{}", algorithm.to_int(), key_tag);
+            let name =
+                format!("test.+{:03}+{:05}", algorithm.to_int(), key_tag);
             let rng = Arc::new(ring::rand::SystemRandom::new());
 
             let path = format!("test-data/dnssec-keys/K{}.private", name);
@@ -250,7 +255,8 @@ mod tests {
     #[test]
     fn sign() {
         for &(algorithm, key_tag) in KEYS {
-            let name = format!("test.+{:03}+{}", algorithm.to_int(), key_tag);
+            let name =
+                format!("test.+{:03}+{:05}", algorithm.to_int(), key_tag);
             let rng = Arc::new(ring::rand::SystemRandom::new());
 
             let path = format!("test-data/dnssec-keys/K{}.private", name);