From e737eed0c29467dc378912e6ab4e1d9a517b94ed Mon Sep 17 00:00:00 2001
From: Matthew Zipkin
Date: Fri, 29 Apr 2022 22:02:13 -0400
Subject: [PATCH 1/2] ownership: upgrade sha1 key algorithms
---
 bin/bns-prove | 81 +++++++++-----
 lib/dnssec.js | 15 +++
 test/proof-key-upgrade-test.js | 105 ++++++++++++++++++
 test/prove-util/K.+015+63077.key | 5 +
 test/prove-util/K.+015+63077.private | 6 +
 test/prove-util/K.+015+64078.key | 5 +
 test/prove-util/K.+015+64078.private | 6 +
 test/prove-util/Kweakkeytld.+005+08014.key | 5 +
 .../prove-util/Kweakkeytld.+005+08014.private | 13 +++
 test/prove-util/Kweakkeytld.+005+11037.key | 5 +
 .../prove-util/Kweakkeytld.+005+11037.private | 13 +++
 test/prove-util/fakeownership.js | 41 +++++++
 test/prove-util/root.zone | 10 ++
 test/prove-util/root.zone.signed | 53 +++++++++
 test/prove-util/weakkeytld.zone | 9 ++
 test/prove-util/weakkeytld.zone.signed | 95 ++++++++++++++++
 16 files changed, 442 insertions(+), 25 deletions(-)
 create mode 100644 test/proof-key-upgrade-test.js
 create mode 100644 test/prove-util/K.+015+63077.key
 create mode 100644 test/prove-util/K.+015+63077.private
 create mode 100644 test/prove-util/K.+015+64078.key
 create mode 100644 test/prove-util/K.+015+64078.private
 create mode 100644 test/prove-util/Kweakkeytld.+005+08014.key
 create mode 100644 test/prove-util/Kweakkeytld.+005+08014.private
 create mode 100644 test/prove-util/Kweakkeytld.+005+11037.key
 create mode 100644 test/prove-util/Kweakkeytld.+005+11037.private
 create mode 100644 test/prove-util/fakeownership.js
 create mode 100644 test/prove-util/root.zone
 create mode 100644 test/prove-util/root.zone.signed
 create mode 100644 test/prove-util/weakkeytld.zone
 create mode 100644 test/prove-util/weakkeytld.zone.signed
diff --git a/bin/bns-prove b/bin/bns-prove
index 1969954..a90bf11 100755
--- a/bin/bns-prove
+++ b/bin/bns-prove
@@ -17,6 +17,9 @@ const Ownership = require('../lib/ownership');
 const util = require('../lib/util');
 const wire = require('../lib/wire');
+// bns-prove --test -K ./test/prove-util weakkeytld "hello, world!"
+const {fakeOwnership, FakeStub} = require('../test/prove-util/fakeownership');
+
 const {
 keyFlags,
 classes,
@@ -36,6 +39,7 @@ let lifespan = 365 * 24 * 60 * 60;
 let dir = '.';
 let name = null;
 let txt = null;
+let test = false;

 for (let i = 2; i < process.argv.length; i++) {
 const arg = process.argv[i];
@@ -80,6 +84,11 @@ for (let i = 2; i < process.argv.length; i++) {
 break;
 }

+ case '--test': {
+ test = true;
+ break;
+ }
+
 case '-h':
 case '--help':
 case '-?':
@@ -88,7 +97,6 @@ for (let i = 2; i < process.argv.length; i++) {
 process.exit(0);
 break;
 }
-
 default: {
 if (!name) {
 if (!util.isName(arg))
@@ -109,9 +117,8 @@ if (!txt)
 throw new Error('No text provided.');

 (async () => {
- const ctx = new Ownership();
-
- ctx.Resolver = Resolver;
+ const ctx = test ? fakeOwnership : new Ownership();
+ ctx.Resolver = test ? FakeStub : Resolver;
 ctx.secure = secure;

 const proof = await ctx.prove(name, true);
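Review bot: `bin/bns-prove` now requires `../test/prove-util/fakeownership` on every run, and that module (added in this same commit) parses `root.zone.signed` and `weakkeytld.zone.signed` with `Zone.fromFile` at load time, so the production CLI reads test fixtures on every invocation and fails to start at all if the package is shipped without `test/`. Load the fixture only when `--test` was given, e.g. replace the two new lines of the last hunk with `const {fakeOwnership, FakeStub} = test ? require('../test/prove-util/fakeownership') : {};` followed by the existing `const ctx = test ? fakeOwnership : new Ownership();`, and drop the top-level require. `ctx.Resolver = test ? FakeStub : Resolver;` is redundant in test mode because fakeownership.js already assigns `FakeStub`; keeping it for symmetry is fine but deserves a comment. The help text is outside these hunks, so I cannot tell whether `--test` is listed there.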
@@ -123,51 +130,75 @@ if (!txt)

 zone.claim.length = 0;

- for (const key of zone.keys) {
- if (key.type !== types.DNSKEY)
+ let pub, priv;
+ for (pub of zone.keys) {
+ if (pub.type !== types.DNSKEY)
 continue;

- const kd = key.data;
+ const kd = pub.data;

 if (!(kd.flags & keyFlags.ZONE))
 continue;

- if (kd.flags & keyFlags.SEP)
- continue;
-
 if (kd.flags & keyFlags.REVOKE)
 continue;

- if (!ctx.verifyKey(key, hardened))
+ if (!ctx.verifyKey(pub, hardened))
 continue;

- const priv = await dnssec.readPrivateAsync(dir, key);
+ console.log('Searching for key: ', pub.data.keyTag());
+ priv = await dnssec.readPrivateAsync(dir, pub);

 if (!priv)
 continue;

- const rr = new Record();
- const rd = new TXTRecord();
-
- rr.name = name;
- rr.type = types.TXT;
- rr.class = classes.IN;
- rr.ttl = 3600;
- rr.data = rd;
+ // If we found a KSK, check it for SHA1 and upgrade to SHA256
+ if (kd.flags & keyFlags.SEP) {
+ if (ctx.isSHA1(pub.data.algorithm)) {
+ console.log(`Upgrading key algorithm for key ID ${pub.data.keyTag()}`);

- rd.txt.push(txt);
+ // Create new DNSKEY RRset with old key and new key
+ const upgradedPub = dnssec.upgradeDNSKEY(pub);
+ zone.keys.length = 0;
+ zone.keys.push(pub);
+ zone.keys.push(upgradedPub);

- const sig = dnssec.sign(key, priv, [rr], lifespan);
+ // Sign DNSKEY RRset with new key only
+ zone.keys.push(
+ dnssec.sign(upgradedPub, priv, [pub, upgradedPub], lifespan)
+ );

- zone.claim.push(rr);
- zone.claim.push(sig);
+ // Throw out old key for the remainder of the process
+ pub = upgradedPub;
+ }
+ } else {
+ // We found a ZSK we can use if we can't find a KSK
+ continue;
+ }

+ // Stop searching, we have a key we can use.
 break;
 }

- if (zone.claim.length === 0)
+ if (!priv)
 throw new Error('Could not find suitable key to sign with.');

+ const rr = new Record();
+ const rd = new TXTRecord();
+
+ rr.name = name;
+ rr.type = types.TXT;
+ rr.class = classes.IN;
+ rr.ttl = 3600;
+ rr.data = rd;
+
+ rd.txt.push(txt);
+
+ const sig = dnssec.sign(pub, priv, [rr], lifespan);
+
+ zone.claim.push(rr);
+ zone.claim.push(sig);
+
 if (hex)
 process.stdout.write(proof.toHex() + '\n');
 else if (base64)
diff --git a/lib/dnssec.js b/lib/dnssec.js
index ecd4e22..2cb7f5a 100644
--- a/lib/dnssec.js
+++ b/lib/dnssec.js
@@ -705,6 +705,21 @@ dnssec.stripSignatures = function stripSignatures(msg) {
 return msg;
 };

+dnssec.upgradeDNSKEY = function upgradeDNSKEY(ksk) {
+ assert(ksk instanceof Record);
+ assert(ksk.type === types.DNSKEY);
+ const key = ksk.deepClone();
+ switch(key.data.algorithm) {
+ case algs.RSASHA1:
+ case algs.RSASHA1NSEC3SHA1:
+ key.data.algorithm = algs.RSASHA256;
+ break;
+ default:
+ throw new Error('Algorithm is not SHA1.');
+ }
+ return key;
+};
+
 /*
 * Helpers
 */
diff --git a/test/proof-key-upgrade-test.js b/test/proof-key-upgrade-test.js
new file mode 100644
index 0000000..018c2db
--- /dev/null
+++ b/test/proof-key-upgrade-test.js
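Review bot: The ZSK fallback promised by the `else` branch comment does not exist: a usable ZSK reaches `continue` with `priv` already assigned, so when no KSK follows, `for (pub of zone.keys)` leaves `pub` as the last record of `zone.keys` (not the ZSK, and not necessarily a DNSKEY) while `priv` still holds the ZSK's private key; `if (!priv)` then does not throw and `dnssec.sign(pub, priv, [rr], lifespan)` runs with a mismatched pair. Keep the loop variable local and remember the first usable ZSK separately, falling back to it only after the loop, as sketched below. The two `console.log` calls added in this hunk write to stdout, where the proof itself is written at the end of the hunk, so a piped invocation gets the log text mixed into the hex/base64 output; `console.error` keeps stdout clean. The rebuilt DNSKEY RRset is signed only by `upgradedPub`, whose algorithm and key tag no longer match the parent DS, so the proof relies on the verifier accepting a self-signed key that the DS does not name; that is the intent here, but the `// If we found a KSK` comment should say so, since a validator applying RFC 4035's DS-to-DNSKEY matching would reject it and the test only shows that `verifySignatures` accepts it. The enclosing async block starts before this hunk.
```javascript
  let pub = null;
  let priv = null;
  let fallbackPub = null;
  let fallbackPriv = null;
  for (const key of zone.keys) {
    // … unchanged: DNSKEY / ZONE / REVOKE / verifyKey checks, applied to `key` …
    console.error('Searching for key: ', key.data.keyTag());
    const keyPriv = await dnssec.readPrivateAsync(dir, key);
    if (!keyPriv)
      continue;

    if (!(key.data.flags & keyFlags.SEP)) {
      // A ZSK is only used when no KSK turns up; remember the first one.
      if (!fallbackPriv) {
        fallbackPub = key;
        fallbackPriv = keyPriv;
      }
      continue;
    }

    pub = key;
    priv = keyPriv;
    // … unchanged: isSHA1 check and upgradeDNSKEY block, reading and reassigning `pub` …
    break;
  }

  if (!priv) {
    pub = fallbackPub;
    priv = fallbackPriv;
  }
  // … unchanged: throw if still no key, then build and sign the TXT claim …
```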
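Review bot: `upgradeDNSKEY` has no doc comment, and its most important property is invisible at the call sites: the returned clone carries the same RSA key material under a different algorithm number, hence a different key tag, so it matches neither the original's RRSIGs nor any DS derived from the original, and the caller must re-sign the DNSKEY RRset (both callers in this commit do). Propose a JSDoc header: `/** Clone an RSASHA1 / RSASHA1NSEC3SHA1 DNSKEY relabelled as RSASHA256. Same key material, new key tag: the caller must re-sign the DNSKEY RRset, and any DS that named the original no longer matches. @param {Record} ksk DNSKEY record to clone. @returns {Record} the relabelled clone. @throws {Error} if the algorithm is not an RSA/SHA1 one. */`. The `default` message `Algorithm is not SHA1.` is misleading for DSA and DSANSEC3SHA1, which are SHA1-based but deliberately fall through to it; `throw new Error('Algorithm is not RSASHA1.');` states what the switch actually checks. Minor: `switch(key.data.algorithm) {` lacks the space after the keyword that the surrounding file presumably uses.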
@@ -0,0 +1,105 @@
+/* eslint-env mocha */
+/* eslint prefer-arrow-callback: "off" */
+
+'use strict';
+
+const assert = require('bsert');
+const path = require('path');
+const {fakeOwnership, FakeStub} = require('./prove-util/fakeownership');
+const dnssec = require('../lib/dnssec');
+const {types, keyFlags} = require('../lib/wire');
+
+describe('Ownership Proof Key Upgrade', function () {
+ const ownership = fakeOwnership;
+
+ it('should fail by default to generate insecure proof', async () => {
+ // They don't even count as actual RRSIGs
+ await assert.rejects(
+ ownership._prove(new FakeStub(), 'weakkeytld.', false),
+ {message: 'No RRSIG(TXT) records for weakkeytld.'}
+ );
+
+ // Sanity check
+ const res = new FakeStub().lookup('weakkeytld.', types.TXT);
+ assert(res.answer[1].type === types.RRSIG);
+ assert(ownership.isSHA1(res.answer[1].data.algorithm));
+ });
+
+ it('should generate insecure proof when forced', async () => {
+ try {
+ ownership.secure = false;
+ const fakeStub = new FakeStub();
+
+ const proof = await ownership._prove(
+ fakeStub,
+ 'weakkeytld.',
+ false
+ );
+ assert(ownership.isSane(proof));
+ assert(ownership.verifySignatures(proof));
+
+ // Sanity checks
+ const claim = proof.zones[proof.zones.length - 1].claim;
+ const claimSig = claim[claim.length - 1];
+ // Signed with SHA1
+ assert(ownership.isSHA1(claimSig.data.algorithm));
+ // Signed with ZSK, not KSK
+ const keyTag = claimSig.data.keyTag;
+ const dnskeys = await fakeStub.lookup('weakkeytld.', types.DNSKEY);
+ let foundKey = false;
+ for (const rr of dnskeys.answer) {
+ if (rr.type === types.DNSKEY && rr.data.keyTag() === keyTag) {
+ foundKey = true;
+ assert(rr.data.flags & keyFlags.ZONE);
+ assert(!(rr.data.flags & keyFlags.SEP));
+ }
+ }
+ assert(foundKey);
+ } finally {
+ ownership.secure = true;
+ }
+ });
+
+ it('should upgrade weak key algorithm', async () => {
+ let proof, target;
+ try {
+ ownership.secure = false; // needed to get proof template
+ proof = await ownership._prove(new FakeStub(), 'weakkeytld.', true);
+ target = proof.zones[1];
+ const key = target.keys[1];
+ const txtRR = proof.zones[1].claim[0];
+
+ assert(key.type === types.DNSKEY);
+ assert(key.data.flags & keyFlags.SEP);
+ assert(txtRR.type === types.TXT);
+
+ // Kweakkeytld.+005+08014.key
+ const priv = await dnssec.readPrivateAsync(
+ path.join(__dirname, 'prove-util'),
+ key
+ );
+
+ // Here's the sneaky magic: create a duplicate key with better algorithm.
+ const key256 = dnssec.upgradeDNSKEY(key);
+
+ // Sign DNSKEY RRset now including both old and new keys.
+ const keySig = dnssec.sign(key256, priv, [key256, key], 24 * 60 * 60);
+ target.keys[0] = key;
+ target.keys[1] = key256;
+ target.keys[2] = keySig;
+
+ // Now sign the claim TXT with the new key
+ const txtSig = dnssec.sign(key256, priv, [txtRR], 24 * 60 * 60);
+ target.claim[1] = txtSig;
+ } finally {
+ ownership.secure = true; // default, and required by HNS consensus rules
+ }
+
+ assert(ownership.isSane(proof));
+ assert(ownership.verifySignatures(proof));
+
+ // Sanity check
+ assert(target.claim[1].type === types.RRSIG);
+ assert(!ownership.isSHA1(target.claim[1].data.algorithm));
+ });
+});
diff --git a/test/prove-util/K.+015+63077.key b/test/prove-util/K.+015+63077.key
new file mode 100644
index 0000000..3cda51e
--- /dev/null
+++ b/test/prove-util/K.+015+63077.key
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 63077, for .
+; Created: 20220503145307 (Tue May 3 10:53:07 2022)
+; Publish: 20220503145307 (Tue May 3 10:53:07 2022)
+; Activate: 20220503145307 (Tue May 3 10:53:07 2022)
+. IN DNSKEY 257 3 15 6GIGM0kYoQgXi3eWvx7AaPnAl/jXgino35a7TZVRR5s=
diff --git a/test/prove-util/K.+015+63077.private b/test/prove-util/K.+015+63077.private
new file mode 100644
index 0000000..e1a9c62
--- /dev/null
+++ b/test/prove-util/K.+015+63077.private
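Review bot: In 'should upgrade weak key algorithm' the new DNSKEY RRset is written over `target.keys[0]`, `[1]` and `[2]` in place, so whatever the fixture had after index 2 (weakkeytld.zone.signed carries two RRSIG DNSKEY records, so presumably the ZSK's signature) survives and now signs an RRset that no longer exists; `bin/bns-prove` in this same commit clears `zone.keys` before pushing, and the test should do the same (`target.keys.length = 0;` then push `key`, `key256`, `keySig`) so it verifies the RRset the tool actually emits rather than one with a stale signature that `verifySignatures` apparently tolerates. The first case calls `new FakeStub().lookup(...)` without `await` and the second `await fakeStub.lookup(...)`; `FakeStub.lookup` is synchronous, so one form should be used throughout. `const keyTag = claimSig.data.keyTag;` reads a field while the loop below calls `rr.data.keyTag()`; if that asymmetry is intentional (RRSIG stores the tag, DNSKEY computes it) a one-line comment would spare the next reader a trip to wire.js.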
@@ -0,0 +1,6 @@
+Private-key-format: v1.3
+Algorithm: 15 (ED25519)
+PrivateKey: ZTN43rFvzpPBChiu1kkr0OtZeuLt2ClcEJ2P5awVej8=
+Created: 20220503145307
+Publish: 20220503145307
+Activate: 20220503145307
diff --git a/test/prove-util/K.+015+64078.key b/test/prove-util/K.+015+64078.key
new file mode 100644
index 0000000..bb41707
--- /dev/null
+++ b/test/prove-util/K.+015+64078.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 64078, for .
+; Created: 20220503145259 (Tue May 3 10:52:59 2022)
+; Publish: 20220503145259 (Tue May 3 10:52:59 2022)
+; Activate: 20220503145259 (Tue May 3 10:52:59 2022)
+. IN DNSKEY 256 3 15 dicBi2zCKiwhkLn51roAZW77uv5WYGlRU39jlpsZ+Rk=
diff --git a/test/prove-util/K.+015+64078.private b/test/prove-util/K.+015+64078.private
new file mode 100644
index 0000000..b83d235
--- /dev/null
+++ b/test/prove-util/K.+015+64078.private
@@ -0,0 +1,6 @@
+Private-key-format: v1.3
+Algorithm: 15 (ED25519)
+PrivateKey: lA87yC4HN9Y8hOOw5egO8kPGleY5+/2O7Fo5/NRG6N8=
+Created: 20220503145259
+Publish: 20220503145259
+Activate: 20220503145259
diff --git a/test/prove-util/Kweakkeytld.+005+08014.key b/test/prove-util/Kweakkeytld.+005+08014.key
new file mode 100644
index 0000000..eba2f97
--- /dev/null
+++ b/test/prove-util/Kweakkeytld.+005+08014.key
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 8014, for weakkeytld.
+; Created: 20220503145332 (Tue May 3 10:53:32 2022)
+; Publish: 20220503145332 (Tue May 3 10:53:32 2022)
+; Activate: 20220503145332 (Tue May 3 10:53:32 2022)
+weakkeytld. IN DNSKEY 257 3 5 AwEAAaetfppm5u8sT+tIXeSyjHSoLgv2GEMi03eG8JkpjLfhYnwCRN2W WqGmIxd8zMHmJw7fPjiWMr+Or1TuLfGibQOnEPSEiazO31hR/awAavA5 NtjBlcVey0OR9Hmiib5LrhNUOc7JDrTjj8vR8SsOV18Lw2gp0v5B62RV oiDIfRpc3nHvLs3OZ3teUCJoeirnGEWf/AhXz5ms8HlyTLPyZU9jT44k UQUWtAkRR5/FmizeV0oznDMqOBEq9vQ9+tp72PqQ91AopaIZo66bTJ/r Js2IZIYiBH/7Hjc00K1g3BPMWyi8LKBA0QxiJGDDrpjfayCfGhSH/lJT NWBnfxu0Nk8=
diff --git a/test/prove-util/Kweakkeytld.+005+08014.private b/test/prove-util/Kweakkeytld.+005+08014.private
new file mode 100644
index 0000000..2f4b4ed
--- /dev/null
+++ b/test/prove-util/Kweakkeytld.+005+08014.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 5 (RSASHA1)
+Modulus: p61+mmbm7yxP60hd5LKMdKguC/YYQyLTd4bwmSmMt+FifAJE3ZZaoaYjF3zMweYnDt8+OJYyv46vVO4t8aJtA6cQ9ISJrM7fWFH9rABq8Dk22MGVxV7LQ5H0eaKJvkuuE1Q5zskOtOOPy9HxKw5XXwvDaCnS/kHrZFWiIMh9Glzece8uzc5ne15QImh6KucYRZ/8CFfPmazweXJMs/JlT2NPjiRRBRa0CRFHn8WaLN5XSjOcMyo4ESr29D362nvY+pD3UCilohmjrptMn+smzYhkhiIEf/seNzTQrWDcE8xbKLwsoEDRDGIkYMOumN9rIJ8aFIf+UlM1YGd/G7Q2Tw==
+PublicExponent: AQAB
+PrivateExponent: pDDBXhQRYnZzs6LjPkSQQNNGc7QBQgxiIhLimjgTcSOkOmZGZO0LxmpWxnMQVXY3HNsBpIt/GhBwI6wvFQPF1+PKOIVoAu13ypZO3hRyotSDnnDBZclTJNFRIaJFWy/kP00kZhZ+7iY+8oibrVuXtpxgNiluUEbgZxlrbsqjpiFfo3pk/x240TheL99EZ4dhVW9lRC8F/qi3zDPCy9mXbeaYqxtkC4lEXnbyJe/yioKdQ4qt09F4w4hR0ZoNtQY/3pyCHwdUIei7dyQJGQ0+Xp7vnjWCDYyHcIGvgj/AE75A+f2M0QGbJxdaf3ZLuN/N2YUafHZp6Jp1KIgC91n0sQ==
+Prime1: 3NatHII1ysavP+v58RfGbVu3lvdZy5q9qhRUQJj8uUmtMphbXUjsRvNVDObzb7P7oH1/7d65jJF3aXYHnx5GYX4DkC5CM6TUDfLO/lP1U7YzmondhUDFWDYIyHOcle7XrnVql4e4g1f8elPH6QcFZW4tztyKbOfv2+o2T1J5K5U=
+Prime2: wl/+vZl6PzhefBoy3193BXrvQNrBKhHRBPgcixsHqG8g8L7Ymdb3tVhz3yS2FJHmpfTvzNAfZonOOg5hgf6vLiV/4G+9HvhYgw6PHoa4GUTVkuwruzk/eJxgpiYIBDrGbfEuLe8fklbbf18Z3oNjjKkq/zYKSr1aYf6ZwJxhgVM=
+Exponent1: AdKv2SVmBkd/mNp81LWqiKqSKGfgUOL1H9tNGr9ojqsCCAHj9zAr6yYFFLcvWUO2FwwSK0eEZpmoz7EOvQyF7jYZF26aU0zQB1FyzfypcMh3QpZSws/XETRY/DagG0i+dQ05FQkkx8jJJ8VbSBwrujufmy6M4ftEKp+TVTJMF8U=
+Exponent2: pOu6QrjURovXb0jzXR+s5xN1qPty5fUT+jliTozypHEV6+6h7XW92zpfpjeJ3k4k+y6lwIvd+Kx4ND47cYbcsDTVGWL1fi+NOjXCLU51KcuDwxNrz4E1X2qffpnKN3x/HI2EdyjrCslzl9DjLC8i6hgnCT+a3+tlorvZTNniyU0=
+Coefficient: KutUYQnvVtF7j4+Ac6wovqjaqQRF2j6+//HNrNzXlwyAgRLkcyQ1FIzMA7vE+aQenWLztvwPU7XKUkRnOTwJtkiAZuIJUVwbWR2F5xiBUpfiOiKCYhmpJi5qOhe7t1vf3aoqhOOtXrjQyMxibjiy749ec1tbU9BPfeZPaxTjsKY=
+Created: 20220503145332
+Publish: 20220503145332
+Activate: 20220503145332
diff --git a/test/prove-util/Kweakkeytld.+005+11037.key b/test/prove-util/Kweakkeytld.+005+11037.key
new file mode 100644
index 0000000..7c0929b
--- /dev/null
+++ b/test/prove-util/Kweakkeytld.+005+11037.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 11037, for weakkeytld.
+; Created: 20220503145326 (Tue May 3 10:53:26 2022)
+; Publish: 20220503145326 (Tue May 3 10:53:26 2022)
+; Activate: 20220503145326 (Tue May 3 10:53:26 2022)
+weakkeytld. IN DNSKEY 256 3 5 AwEAAb1lMEgqXLg5CIcnHyDoUKPEBysVLcCQK4c79wvZVTkuVif0Q7+e RUfNVAdeekucx+jlhvRJW7eDtDUjbhMDD9IWJSlIofAQoP6iw1KtG/lZ yDnbQ5pqR/BDQxOUVkLwE2RrSi6FlFTkCngNlitxSqoc5oXeuDg17jm/ KCH+Np/Yw9dNEhB5Iq46yttIgBfDwLWckXCmwUegBUacWsfzo/tYgFN/ B8Mw9QFdOIL83rhz5hDBgB4go/EDyUZqrqnpsUGO6d3bGA/0jG3a67lc EB0B41xXdoPgh7A0rjNd2kp/tuttRQP7MVkbCjiJSCFMz1MGeb/OA7eI dUWPQBsa8JM=
diff --git a/test/prove-util/Kweakkeytld.+005+11037.private b/test/prove-util/Kweakkeytld.+005+11037.private
new file mode 100644
index 0000000..c294018
--- /dev/null
+++ b/test/prove-util/Kweakkeytld.+005+11037.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 5 (RSASHA1)
+Modulus: vWUwSCpcuDkIhycfIOhQo8QHKxUtwJArhzv3C9lVOS5WJ/RDv55FR81UB156S5zH6OWG9Elbt4O0NSNuEwMP0hYlKUih8BCg/qLDUq0b+VnIOdtDmmpH8ENDE5RWQvATZGtKLoWUVOQKeA2WK3FKqhzmhd64ODXuOb8oIf42n9jD100SEHkirjrK20iAF8PAtZyRcKbBR6AFRpxax/Oj+1iAU38HwzD1AV04gvzeuHPmEMGAHiCj8QPJRmquqemxQY7p3dsYD/SMbdrruVwQHQHjXFd2g+CHsDSuM13aSn+2621FA/sxWRsKOIlIIUzPUwZ5v84Dt4h1RY9AGxrwkw==
+PublicExponent: AQAB
+PrivateExponent: O3WsLcvW5iNJsRywIiWtQ2zEj1sLzRu1/rPtwHOP1O7eL5b5OgxXVc55pgKcRGbJQC3nK4RoXfnkNpaT9TYN3ngDXK2n4XVnBepVhfxA/wyX1somtDDPuvdy9I+qcUNr4yfn1ykqw2gAfWZOkf70YOnH2ZltnoAX9Vs1H07vGUlq9ASDvHsMsgKJgn4e5FD015hmitglPjLRucf7sld3G+Ui/Oiz+U+GvovYry1Yx/IYf1yrlSFFEyIkPLJMEcwGuMHXPTe/bGCZp9oPivuqr7lK22TNeGldxx3d4Gw0U5ACYTfrHi1O/lkqA/C1e7l7Sb/w1YmxN2dgVIRfGRVNiQ==
+Prime1: 5l7QURvppZuL1CRmB59IsdVGHjcyZhUJZ/cBe3ae2ey+ZZyYGJR3tJZzc3au6hCqJMDiIBbcflz2N+Yl71L8CuoMijaPlEEE5RQg+N7OK++CzDpfrG4luH6uJX+RR9HgAvD9/V71+pipuMQ3DVhhTBN1xd1wFe5J/BTIql/Pb4c=
+Prime2: 0ndcl+7jtUyGVUzeWO+6vForZeh76FneK8ezltZcsmy2XLuPMVm0nCdYHhKDSKl+hggA+39JS5wAPNH/L34+p7A0DKzYKruDcVhpN9ur5M6y7h1ICzey/kTgsNzIccaYb/2kHjkaZqV3P6XumVc/aS3ISZvWZepIiuKBSUF0gZU=
+Exponent1: EWAPWD7BtaLwvfRs2aBS7E7Ithi1rWtixTulGfnNa2Rmy+Uut5PjH3TFimzmLnNJUfJWW9M9mC5Mx9SNAesBZZVXkskgtS7ePqTxA7RSWo/7DopMkwXPxIWRfvSLMZ6Lxc0FaynRZbBEBNKP0GrdE87X8C+Od6j8XY33wJnvXFs=
+Exponent2: Bcb/BLCrEYP7QAYvKFPUVW1IObDrDdLBtYPy2xYhT0iKrPr9EEa9HXg7BABQGEOG1JkNpdm1olyy6Ph+v8gAYkwE8cAg4vNoxUi/AqiGDG7cHIszOhOaVz5+yHwXCICCGLjms2mv3td18YpVhWIOvI1kLRkZBo0q1p0nHWKtlw0=
+Coefficient: tUK/ZP/YmmwQ3/3WeLMvkxHXIsxlkPiakz/ko1uNJxHPFZKNAVcy7m3X+bo/FtNSlwb1/d+P8Vkfkj4vtkqCLGlvKI7DFgTYK54Lo8sHyluNo0jsXeOfxy1XDWElpod1aRCQfTjxU/A5HSCls/EdGLdjiQ8fJbUxoZbo1XewOgM=
+Created: 20220503145326
+Publish: 20220503145326
+Activate: 20220503145326
diff --git a/test/prove-util/fakeownership.js b/test/prove-util/fakeownership.js
new file mode 100644
index 0000000..a6ced66
--- /dev/null
+++ b/test/prove-util/fakeownership.js
@@ -0,0 +1,41 @@
+'use strict';
+
+const path = require('path');
+const Ownership = require('../../lib/ownership');
+const {Record, Message} = require('../../lib/wire');
+const Zone = require('../../lib/zone');
+
+const KSK = Record.fromString(
+ '. IN DS 63077 15 2 ' +
+ '433633AAAE8780F7EA8C46D403195A3BB58992D64B7C79E61EAB4D7EC336D077'
+);
+const ROOT_ZONE = Zone.fromFile(
+ '.',
+ path.join(__dirname, 'root.zone.signed')
+);
+const WEAKKEYTLD_ZONE = Zone.fromFile(
+ 'weakkeytld.',
+ path.join(__dirname, 'weakkeytld.zone.signed')
+);
+
+class FakeStub {
+ open() {}
+ close() {}
+ lookup (name, type) {
+ const msg = new Message();
+
+ msg.answer = ROOT_ZONE.get(name, type);
+ if (!msg.answer.length)
+ msg.answer = WEAKKEYTLD_ZONE.get(name, type);
+
+ return msg;
+ }
+}
+
+const fakeOwnership = new Ownership();
+fakeOwnership.anchors = [KSK];
+fakeOwnership.rootAnchors = fakeOwnership.anchors;
+fakeOwnership.Resolver = FakeStub;
+
+exports.fakeOwnership = fakeOwnership;
+exports.FakeStub = FakeStub;
diff --git a/test/prove-util/root.zone b/test/prove-util/root.zone
new file mode 100644
index 0000000..0341532
--- /dev/null
+++ b/test/prove-util/root.zone
@@ -0,0 +1,10 @@
+$ORIGIN .
+$TTL 1m
+
+. IN SOA . . 2020010100 1000 1000 1000 1000
+
+weakkeytld. IN DS 8014 5 2 D33EA661650431DA314CA3609D7E04023634952E0F48D07548A0CFDEDE6F24B9
+weakkeytld. IN NS weakkeytld.
+
+$INCLUDE K.+015+63077.key
+$INCLUDE K.+015+64078.key
diff --git a/test/prove-util/root.zone.signed b/test/prove-util/root.zone.signed
new file mode 100644
index 0000000..4028959
--- /dev/null
+++ b/test/prove-util/root.zone.signed
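Review bot: Nothing documents how the fixture hangs together: the `DS 63077 15 2 …` anchor has to be the digest of the root KSK in `K.+015+63077.key` as published in `root.zone.signed`, and it must be regenerated by hand whenever the zones are re-signed, none of which a reader of this file can tell. Propose a header comment such as `// Trust anchor for the fixture root zone: DS of the KSK in K.+015+63077.key (see root.zone.signed). Regenerate it if the zones are re-signed.` and one on `lookup` saying that it answers from the root zone first, from the TLD zone only when the root has no records, and returns an empty answer rather than NXDOMAIN/NODATA for anything else. Both zone files are parsed at require time, so every module that requires this one pays that cost whether or not it uses the stub (bin/bns-prove in this commit requires it unconditionally). Style: `lookup (name, type)` has a space before the parameter list that `open()` and `close()` directly above do not, and the method is synchronous while its callers in the test use it both with and without `await`.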
@@ -0,0 +1,53 @@
+; File written on Tue May 3 11:02:51 2022
+; dnssec_signzone version 9.18.0
+. 60 IN SOA . . (
+ 2020010100 ; serial
+ 1000 ; refresh (16 minutes 40 seconds)
+ 1000 ; retry (16 minutes 40 seconds)
+ 1000 ; expire (16 minutes 40 seconds)
+ 1000 ; minimum (16 minutes 40 seconds)
+ )
+ 60 RRSIG SOA 15 0 60 (
+ 20220602140251 20220503140251 64078 .
+ qlXo+kwwXdoYKcpresFqsJxbvDNcn9Rv9VA6
+ 2G2wc3dFdisZ4+2R+f6MbsU+d5GYO6ZDtEI0
+ Kh8ZIj/IRR0SDQ== )
+ 60 NSEC weakkeytld. SOA RRSIG NSEC DNSKEY
+ 60 RRSIG NSEC 15 0 60 (
+ 20220602140251 20220503140251 64078 .
+ PR4APSMUpxtp3SF+H7h6EpxoS0PIuLPfRyMW
+ AGEheO4KN1c2SepgY+NMUiIbBEXb2dQ9ip/k
+ gC2GKgy0RLUYCQ== )
+ 60 DNSKEY 256 3 15 (
+ dicBi2zCKiwhkLn51roAZW77uv5WYGlRU39j
+ lpsZ+Rk=
+ ) ; ZSK; alg = ED25519 ; key id = 64078
+ 60 DNSKEY 257 3 15 (
+ 6GIGM0kYoQgXi3eWvx7AaPnAl/jXgino35a7
+ TZVRR5s=
+ ) ; KSK; alg = ED25519 ; key id = 63077
+ 60 RRSIG DNSKEY 15 0 60 (
+ 20220602140251 20220503140251 63077 .
+ kBZulyt4zA5Yg1wjVs5meC0RV26i5S05n8pl
+ ZrzdJR0W6TEldFihBuK6s2EHrGFff6JDk2HB
+ uOS+u4R9YIWhBQ== )
+ 60 RRSIG DNSKEY 15 0 60 (
+ 20220602140251 20220503140251 64078 .
+ qTkOK0rEBCGMUfOBuj+4Wwc31pjvVXDu2vBg
+ Yq55FsdEZbDYAcaYXL1GoTYiY65zoHbAsDuf
+ qnWQlVKI+2QSCQ== )
+weakkeytld. 60 IN NS weakkeytld.
+ 60 DS 8014 5 2 (
+ D33EA661650431DA314CA3609D7E04023634
+ 952E0F48D07548A0CFDEDE6F24B9 )
+ 60 RRSIG DS 15 1 60 (
+ 20220602140251 20220503140251 64078 .
+ DknzxYoVFCAowxWXUG0jH7p1cyiDcXjguz2H
+ 3qdO7ZEq9MhLk6+6b6wp0J6RZLKwxyUIAe5g
+ kPI6xu0dEdBuDg== )
+ 60 NSEC . NS DS RRSIG NSEC
+ 60 RRSIG NSEC 15 1 60 (
+ 20220602140251 20220503140251 64078 .
+ W/jtM+Kisvg1QcxokNLYEurHp33eV3eMp+12
+ ZbvQ12Up1PvMKUzIazAoP5h5l3Qj1byydf6r
+ YBixKHFVxJJJBg== )
diff --git a/test/prove-util/weakkeytld.zone b/test/prove-util/weakkeytld.zone
new file mode 100644
index 0000000..4c95b0d
--- /dev/null
+++ b/test/prove-util/weakkeytld.zone
@@ -0,0 +1,9 @@
+$ORIGIN weakkeytld.
+$TTL 1m
+
+weakkeytld. IN SOA weakkeytld. weakkeytld. 2020010100 1000 1000 1000 1000
+
+weakkeytld. IN TXT "TXT signed with SHA1 in zone file"
+
+$INCLUDE Kweakkeytld.+005+08014.key
+$INCLUDE Kweakkeytld.+005+11037.key
diff --git a/test/prove-util/weakkeytld.zone.signed b/test/prove-util/weakkeytld.zone.signed
new file mode 100644
index 0000000..2aafa36
--- /dev/null
+++ b/test/prove-util/weakkeytld.zone.signed
@@ -0,0 +1,95 @@
+; File written on Tue May 3 11:05:39 2022
+; dnssec_signzone version 9.18.0
+weakkeytld. 60 IN SOA weakkeytld. weakkeytld. (
+ 2020010100 ; serial
+ 1000 ; refresh (16 minutes 40 seconds)
+ 1000 ; retry (16 minutes 40 seconds)
+ 1000 ; expire (16 minutes 40 seconds)
+ 1000 ; minimum (16 minutes 40 seconds)
+ )
+ 60 RRSIG SOA 5 1 60 (
+ 20220602140539 20220503140539 11037 weakkeytld.
+ Nj0ZOGGXyci9lWYyQzcI9NEfKOgK8VmB9AOX
+ z1lmTJPXWheAlfHLDg0v9turmS3v6+yl8Sqj
+ MEEvKbQBAm9g4P5QW9T19dUIZdq0697aBXbS
+ ZreTtBjqGHY0nzd/86Z+hRdTfqHUOhkDKXf/
+ waq001TCbvdT5gCIsmsqcRd3tDN+IrwRNM4f
+ avzbqxB4GNROHRThhlylCgaQy8vDZXdqbJxN
+ P3T0mn2xVHx8dbIa6V0xAfhDz/Wd7TpqJT5i
+ N54d8fu73DurqRiGL9qTGLgNsaM8wgkNjHC9
+ oz1NZ79ICD0UOUBGeVXRj9pU6YHGZim7LajE
+ mNHbJIYydczY3SE+Tw== )
+ 60 TXT "TXT signed with SHA1 in zone file"
+ 60 RRSIG TXT 5 1 60 (
+ 20220602140539 20220503140539 11037 weakkeytld.
+ Rt/9DfS3IsmaAggVDLWQUq1aYsO5Oy31uhES
+ PjgzAkkpXWG9hcBakK8axptducbuSr5PVvCr
+ sdDH8YJ92M4EWmQb92xauzcsY9EhXFvhbVFW
+ Dol177z7IOajNsLApfJkJ/SUzisAC+q96Z+j
+ a5CQYBVBcWPpD2lKDzcTURzriRVcJFLS1ogm
+ A6iLoODGllIw69VHvshoCnK5LbN6Xi4WzkOW
+ riXCqZyT0uFyZULYM/3gUdntE7osG19hfWgf
+ HeR5pcOO68TL14CpRbe75P3NVr16CnwsKRTE
+ D1l2NWYDbBOp81JTbqaDnkwoqfDGeAyh5u1k
+ 0B/bRlh5RdQXzDNHNw== )
+ 60 NSEC weakkeytld. SOA TXT RRSIG NSEC DNSKEY
+ 60 RRSIG NSEC 5 1 60 (
+ 20220602140539 20220503140539 11037 weakkeytld.
+ elxt+Tt9kc+As4XFPc7eJc64H0ruyRwCkdUf
+ iEWSGmBfhIvXDlAMGyjizjmuHWPmOD5kq8FE
+ XwEP1m80Qo8CsGbQjqnjgES6OwiXzPJz9gFx
+ dqyl9gKkF/BuP/1zZsLOiwYyRNKC1IoE4Y1V
+ veVhU/8EnB65MQcCLHwmcHJqAtxMezDw5Jg2
+ FA2v/WydDf5OdqT5OB//p9dnGY2zx4yaj3zh
+ QthwMIpRK0GIj59AX1jj7EkTgOTTt2RVGdXB
+ QioVgaxhfIwKTDnXuhhM2NpOs8uLFiyWWH5i
+ +AlNdrAfv3KQ7fAYx2bUKH0+cYLeexB2cVSd
+ LwAKVvxJGzp6bgPbcg== )
+ 60 DNSKEY 256 3 5 (
+ AwEAAb1lMEgqXLg5CIcnHyDoUKPEBysVLcCQ
+ K4c79wvZVTkuVif0Q7+eRUfNVAdeekucx+jl
+ hvRJW7eDtDUjbhMDD9IWJSlIofAQoP6iw1Kt
+ G/lZyDnbQ5pqR/BDQxOUVkLwE2RrSi6FlFTk
+ CngNlitxSqoc5oXeuDg17jm/KCH+Np/Yw9dN
+ EhB5Iq46yttIgBfDwLWckXCmwUegBUacWsfz
+ o/tYgFN/B8Mw9QFdOIL83rhz5hDBgB4go/ED
+ yUZqrqnpsUGO6d3bGA/0jG3a67lcEB0B41xX
+ doPgh7A0rjNd2kp/tuttRQP7MVkbCjiJSCFM
+ z1MGeb/OA7eIdUWPQBsa8JM=
+ ) ; ZSK; alg = RSASHA1 ; key id = 11037
+ 60 DNSKEY 257 3 5 (
+ AwEAAaetfppm5u8sT+tIXeSyjHSoLgv2GEMi
+ 03eG8JkpjLfhYnwCRN2WWqGmIxd8zMHmJw7f
+ PjiWMr+Or1TuLfGibQOnEPSEiazO31hR/awA
+ avA5NtjBlcVey0OR9Hmiib5LrhNUOc7JDrTj
+ j8vR8SsOV18Lw2gp0v5B62RVoiDIfRpc3nHv
+ Ls3OZ3teUCJoeirnGEWf/AhXz5ms8HlyTLPy
+ ZU9jT44kUQUWtAkRR5/FmizeV0oznDMqOBEq
+ 9vQ9+tp72PqQ91AopaIZo66bTJ/rJs2IZIYi
+ BH/7Hjc00K1g3BPMWyi8LKBA0QxiJGDDrpjf
+ ayCfGhSH/lJTNWBnfxu0Nk8=
+ ) ; KSK; alg = RSASHA1 ; key id = 8014
+ 60 RRSIG DNSKEY 5 1 60 (
+ 20220602140539 20220503140539 8014 weakkeytld.
+ fA9uKhikNyQ3ey2iAHZcwMQjS2xIfTxoyZBF
+ ldKKYPVsc1lTjKJOIqWo5tdmwsncR29J/8XG
+ HONHn7+bNU/tbut5ANfKToXDbhnYy1BMDtwp
+ BOTtdItR6y1pU2dKBIAD5dEnuFnnM2sg45VD
+ LdBVfFYWLSwO4jCAzgdyJkqEi964D6I8EbyQ
+ 2QOecO4RmHL/ksbCc+fj4/yf3RdLO0EVKTM3
+ XjFHPuYoxQ4Ir0QL1LZZ+SRPP2/rvUWdCujZ
+ /03anVnzudinpZiLG4mERansFkqBSMgO4933
+ 3EdE1EByMeJI3g/8CZ+SbeudfmjL8wu/05Ew
+ MXnxwrkRjvyvZyYEcA== )
+ 60 RRSIG DNSKEY 5 1 60 (
+ 20220602140539 20220503140539 11037 weakkeytld.
+ i5FROggw67aWYxhiLZoifaah7rBRdv8pkwDe
+ 7PVXqmOMTGPvOOH8MlTnK6C/zFbmWQGCTA1Z
+ l8FJeds/Bx4943eUdG4iNNCElggjbksjbXFm
+ J2jvZNHrGmfrsYnAJfZQU0ErTJHgZqoxaFvZ
+ VxmVlOFMlhG3BqHOCh4zOM17gaurSwhqGAS4
+ /zIZyzRVCUNrWk750D03pf72TRIeVI9ETOqi
+ HAsGZl8HndXz6n7B0KyC56J2MSWJ/hKthau3
+ 17P/MF2dquXmWh9+zo2WUkhhv0F6dqVey33t
+ quF+NQQOWkBDCXGUx4Nbz/NC6yd33skvhdAq
+ Q3wmWqTFIfRSlC291w== )
From f2975e65b426e6d63b35693ff7aa0554afa16e29 Mon Sep 17 00:00:00 2001
From: Matthew Zipkin
Date: Tue, 3 May 2022 13:26:24 -0400
Subject: [PATCH 2/2] bns-prove: fix lifespan option
---
 bin/bns-prove | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bin/bns-prove b/bin/bns-prove
index a90bf11..28c183e 100755
--- a/bin/bns-prove
+++ b/bin/bns-prove
@@ -69,7 +69,7 @@ for (let i = 2; i < process.argv.length; i++) {
 }

 case '-t': {
- lifespan = util.parseU32(lifespan);
+ lifespan = util.parseU32(next);
 i += 1;
 break;
 }
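Review bot: The fix is right, but nothing in this series exercises `-t`, which is how `parseU32(lifespan)` (parsing the current default instead of the argument) went unnoticed; a test that runs the option parsing with `-t 86400` and checks the RRSIG expiration on the emitted claim would pin it. `next` is presumably `process.argv[i + 1]`, assigned at the top of the loop outside this hunk; when `-t` is the last argument it is undefined and the user gets whatever `util.parseU32(undefined)` produces rather than a usage error, so `if (next == null) throw new Error('-t requires a value.');` before the parse would make the failure explicit, unless the other value-taking options already rely on parseU32 for that.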