Diffstat (limited to 'tests/test_dnssec.py')
-rw-r--r--tests/test_dnssec.py119
1 files changed, 93 insertions, 26 deletions
diff --git a/tests/test_dnssec.py b/tests/test_dnssec.py
index 9aed879..4a25cd2 100644
--- a/tests/test_dnssec.py
+++ b/tests/test_dnssec.py
@@ -576,7 +576,20 @@ fake_gost_ns_rrsig = dns.rrset.from_text(
@unittest.skipUnless(dns.dnssec._have_pyca, "Python Cryptography cannot be imported")
class DNSSECValidatorTestCase(unittest.TestCase):
def testAbsoluteRSAMD5Good(self): # type: () -> None
- dns.dnssec.validate(rsamd5_ns, rsamd5_ns_rrsig, rsamd5_keys, None, rsamd5_when)
+ dns.dnssec.validate(
+ rsamd5_ns,
+ rsamd5_ns_rrsig,
+ rsamd5_keys,
+ None,
+ rsamd5_when,
+ policy=dns.dnssec.allow_all_policy,
+ )
+
+ def testAbsoluteRSAMD5GoodDeniedByPolicy(self): # type: () -> None
+ with self.assertRaises(dns.dnssec.ValidationFailure):
+ dns.dnssec.validate(
+ rsamd5_ns, rsamd5_ns_rrsig, rsamd5_keys, None, rsamd5_when
+ )
def testRSAMD5Keyid(self):
self.assertEqual(dns.dnssec.key_id(rsamd5_keys[abs_example][0]), 30239)
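Review bot: testAbsoluteRSAMD5GoodDeniedByPolicy only asserts that a ValidationFailure is raised, which is the same exception the "Bad" tests expect for a corrupted signature, so the test cannot distinguish a policy denial from an ordinary verification failure and would still pass if the policy check were removed and the RSAMD5 verification simply broke. If the library attaches a distinguishable message or a more specific exception on the policy path, assert on that instead (the make_ds test later in this diff expects dns.dnssec.DeniedByPolicy, so the two policy-denial tests currently pin different contracts; hedged, since the validate() internals are not visible here). A one-line comment on the updated "Good" test, `# RSAMD5 is rejected by the default policy; opt in explicitly to exercise the signature math.`, would also tell the next reader why allow_all_policy is needed.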
@@ -610,12 +623,30 @@ class DNSSECValidatorTestCase(unittest.TestCase):
self.assertRaises(dns.dnssec.ValidationFailure, bad)
def testAbsoluteDSAGood(self): # type: () -> None
- dns.dnssec.validate(abs_dsa_soa, abs_dsa_soa_rrsig, abs_dsa_keys, None, when2)
+ dns.dnssec.validate(
+ abs_dsa_soa,
+ abs_dsa_soa_rrsig,
+ abs_dsa_keys,
+ None,
+ when2,
+ policy=dns.dnssec.allow_all_policy,
+ )
+
+ def testAbsoluteDSAGoodDeniedByPolicy(self): # type: () -> None
+ with self.assertRaises(dns.dnssec.ValidationFailure):
+ dns.dnssec.validate(
+ abs_dsa_soa, abs_dsa_soa_rrsig, abs_dsa_keys, None, when2
+ )
def testAbsoluteDSABad(self): # type: () -> None
def bad(): # type: () -> None
dns.dnssec.validate(
- abs_other_dsa_soa, abs_dsa_soa_rrsig, abs_dsa_keys, None, when2
+ abs_other_dsa_soa,
+ abs_dsa_soa_rrsig,
+ abs_dsa_keys,
+ None,
+ when2,
+ policy=dns.dnssec.allow_all_policy,
)
self.assertRaises(dns.dnssec.ValidationFailure, bad)
@@ -855,9 +886,39 @@ class DNSSECMakeDSTestCase(unittest.TestCase):
def testMakeExampleSHA1DS(self): # type: () -> None
algorithm: Any
for algorithm in ("SHA1", "sha1", dns.dnssec.DSDigest.SHA1):
- ds = dns.dnssec.make_ds(abs_example, example_sep_key, algorithm)
+ ds = dns.dnssec.make_ds(
+ abs_example,
+ example_sep_key,
+ algorithm,
+ policy=dns.dnssec.allow_all_policy,
+ )
+ self.assertEqual(ds, example_ds_sha1)
+ ds = dns.dnssec.make_ds(
+ "example.",
+ example_sep_key,
+ algorithm,
+ policy=dns.dnssec.allow_all_policy,
+ )
+ self.assertEqual(ds, example_ds_sha1)
+
+ def testMakeExampleSHA1DSValidationOkByPolicy(self): # type: () -> None
+ algorithm: Any
+ for algorithm in ("SHA1", "sha1", dns.dnssec.DSDigest.SHA1):
+ ds = dns.dnssec.make_ds(
+ abs_example,
+ example_sep_key,
+ algorithm,
+ policy=dns.dnssec.allow_all_policy,
+ )
+ self.assertEqual(ds, example_ds_sha1)
+ ds = dns.dnssec.make_ds(
+ "example.", example_sep_key, algorithm, validating=True
+ )
self.assertEqual(ds, example_ds_sha1)
- ds = dns.dnssec.make_ds("example.", example_sep_key, algorithm)
+
+ def testMakeExampleSHA1DSDeniedByPolicy(self): # type: () -> None
+ with self.assertRaises(dns.dnssec.DeniedByPolicy):
+ ds = dns.dnssec.make_ds(abs_example, example_sep_key, "SHA1")
self.assertEqual(ds, example_ds_sha1)
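Review bot: In testMakeExampleSHA1DSDeniedByPolicy the `self.assertEqual(ds, example_ds_sha1)` that survives as a context line now sits inside the `with self.assertRaises(...)` body after the call that is expected to raise, so it is unreachable and `ds` is never bound; drop both the assignment and the assertion and leave just `dns.dnssec.make_ds(abs_example, example_sep_key, "SHA1")`. The indentation of that trailing line is inferred from the surrounding diff, since the rendered hunk flattens leading whitespace. testMakeExampleSHA1DSValidationOkByPolicy also repeats the allow_all_policy call from testMakeExampleSHA1DS before the `validating=True` call; if the intent is to show that the default policy still accepts SHA-1 DS digests when validating, only the `"example."` call with `validating=True` exercises that, and the duplicated first call adds nothing.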
def testMakeExampleSHA256DS(self): # type: () -> None
@@ -974,24 +1035,27 @@ class DNSSECMakeDNSKEYTestCase(unittest.TestCase):
with self.assertRaises(ValueError):
dns.dnssec.make_dnskey(key.public_key(), dns.dnssec.Algorithm.DSA)
- def testRSALargeExponent(self): # type: () -> None
- for key_size, public_exponent, dnskey_key_length in [
- (1024, 3, 130),
- (1024, 65537, 132),
- (2048, 3, 258),
- (2048, 65537, 260),
- (4096, 3, 514),
- (4096, 65537, 516),
- ]:
- key = rsa.generate_private_key(
- public_exponent=public_exponent,
- key_size=key_size,
- backend=default_backend(),
- )
- dnskey = dns.dnssec.make_dnskey(
- key.public_key(), algorithm=dns.dnssec.Algorithm.RSASHA256
- )
- self.assertEqual(len(dnskey.key), dnskey_key_length)
+ # XXXRTH This test is fine but is noticably slow, so I have commented it out for
+ # now
+
+ # def testRSALargeExponent(self): # type: () -> None
+ # for key_size, public_exponent, dnskey_key_length in [
+ # (1024, 3, 130),
+ # (1024, 65537, 132),
+ # (2048, 3, 258),
+ # (2048, 65537, 260),
+ # (4096, 3, 514),
+ # (4096, 65537, 516),
+ # ]:
+ # key = rsa.generate_private_key(
+ # public_exponent=public_exponent,
+ # key_size=key_size,
+ # backend=default_backend(),
+ # )
+ # dnskey = dns.dnssec.make_dnskey(
+ # key.public_key(), algorithm=dns.dnssec.Algorithm.RSASHA256
+ # )
+ # self.assertEqual(len(dnskey.key), dnskey_key_length)
@unittest.skipUnless(dns.dnssec._have_pyca, "Python Cryptography cannot be imported")
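Review bot: Commenting out testRSALargeExponent leaves dead code that will rot silently; mark it skipped instead so it stays visible in the test report and is still parsed and type-checked, e.g. `@unittest.skip("slow: generates RSA keys up to 4096 bits")` above the original def. If a faster variant is wanted, the expected DNSKEY length depends only on key size and exponent, so keeping just the 1024- and 2048-bit rows would still cover the exponent-length encoding check that this test exists for; the cost is the 4096-bit key generation, not the assertions. The XXXRTH note can then become the skip reason rather than a free-floating comment.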
@@ -1014,7 +1078,9 @@ class DNSSECSignatureTestCase(unittest.TestCase):
def testSignatureDSA(self): # type: () -> None
key = dsa.generate_private_key(key_size=1024)
- self._test_signature(key, dns.dnssec.Algorithm.DSA, abs_soa)
+ self._test_signature(
+ key, dns.dnssec.Algorithm.DSA, abs_soa, policy=dns.dnssec.allow_all_policy
+ )
def testSignatureECDSAP256SHA256(self): # type: () -> None
key = ec.generate_private_key(curve=ec.SECP256R1, backend=default_backend())
@@ -1039,7 +1105,7 @@ class DNSSECSignatureTestCase(unittest.TestCase):
rrset = (name, rdataset)
self._test_signature(key, dns.dnssec.Algorithm.ED448, rrset)
- def _test_signature(self, key, algorithm, rrset, signer=None): # type: () -> None
+ def _test_signature(self, key, algorithm, rrset, signer=None, policy=None):
ttl = 60
lifetime = 3600
if isinstance(rrset, tuple):
@@ -1058,10 +1124,11 @@ class DNSSECSignatureTestCase(unittest.TestCase):
lifetime=lifetime,
signer=signer,
verify=True,
+ policy=policy,
)
keys = {signer: dnskey_rrset}
rrsigset = dns.rrset.from_rdata(rrname, ttl, rrsig)
- dns.dnssec.validate(rrset=rrset, rrsigset=rrsigset, keys=keys)
+ dns.dnssec.validate(rrset=rrset, rrsigset=rrsigset, keys=keys, policy=policy)
if __name__ == "__main__":
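Review bot: _test_signature now forwards `policy=None` explicitly to both sign() and validate() for every algorithm test that does not set one, which presumes those functions treat None as "use the library default policy" rather than "no policy"; if they fall through with no policy object, the ECDSA/Ed25519/Ed448 tests would silently stop exercising the default policy. Worth confirming against dns.dnssec, and if so a comment on the helper such as `# policy=None lets sign()/validate() fall back to the library's default policy` makes the intent explicit. The start of _test_signature is outside this hunk.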