Add key generation unit test

2022-08-01 09:41:59 +02:00
parent a35f4a7dd3
commit fab181ae34
3 changed files with 135 additions and 11 deletions
@@ -43,15 +43,17 @@ OPENSSL_BINARY = '/usr/bin/openssl'
 def eprint(*args, **kwargs):
    print(*args, file=sys.stderr, **kwargs)

-def GenRSAKeys(private_key_file):
+def GenRSAKeys(private_key_file, verbose=True):
  """ Generates a suitable private key.  Output is unprotected.
  You should encrypt your keys.
  """
+  if verbose:
    eprint('generating ' + private_key_file)
  subprocess.check_call([OPENSSL_BINARY, 'genrsa', '-out', private_key_file,
-                         str(BITS_REQUIRED)])
+                         str(BITS_REQUIRED)], 
+                         stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

-def GenEd25519Keys(private_key_file):
+def GenEd25519Keys(private_key_file, verbose=True):
    """Generates a base64 encoded private key for ed25519 DKIM signing.
    Output is unprotected.  You should protect your keys.
    """
@@ -59,6 +61,7 @@ def GenEd25519Keys(private_key_file):
    import nacl.encoding
    import os
    skg = nacl.signing.SigningKey(seed=os.urandom(32))
+    if verbose:
        eprint('generating ' + private_key_file)
    priv_key = skg.generate()
    with open(private_key_file, 'w') as pkf:
@@ -67,13 +70,15 @@ def GenEd25519Keys(private_key_file):
        os.chmod(private_key_file, 0o600)
    return(priv_key)

-def ExtractRSADnsPublicKey(private_key_file, dns_file):
+def ExtractRSADnsPublicKey(private_key_file, dns_file, verbose=True):
  """ Given a key, extract the bit we should place in DNS.
  """
+  if verbose:
    eprint('extracting ' + private_key_file)
  working_file = tempfile.NamedTemporaryFile(delete=False).name
  subprocess.check_call([OPENSSL_BINARY, 'rsa', '-in', private_key_file,
-                         '-out', working_file, '-pubout', '-outform', 'PEM'])
+                         '-out', working_file, '-pubout', '-outform', 'PEM'],
+                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
  try:
      with open(working_file) as wf:
          y = ''
@@ -84,16 +89,18 @@ def ExtractRSADnsPublicKey(private_key_file, dns_file):
  finally:
      os.unlink(working_file)
  with open(dns_file, 'w') as dns_fp:
+      if verbose:
        eprint('writing ' + dns_file)
      dns_fp.write("v=DKIM1; k=rsa; h=sha256; p={0}".format(output))

-def ExtractEd25519PublicKey(dns_file, priv_key):
+def ExtractEd25519PublicKey(dns_file, priv_key, verbose=True):
    """ Given a ed25519 key, extract the bit we should place in DNS.
    """
    import nacl.encoding # Yes, pep-8, but let's not make everyone install nacl
    pubkey = priv_key.verify_key
    output = pubkey.encode(encoder=nacl.encoding.Base64Encoder).decode("utf-8")
    with open(dns_file, 'w') as dns_fp:
+        if verbose:
            eprint('writing ' + dns_file)
        dns_fp.write("v=DKIM1; k=ed25519; p={0}".format(output))

@@ -35,6 +35,7 @@ def test_suite():
        test_util,
        test_arc,
        test_dnsplug,
+        test_dkim_generate,
        )
    modules = [
        test_canonicalization,
@@ -46,6 +47,7 @@ def test_suite():
        test_util,
        test_arc,
        test_dnsplug,
+        test_dkim_generate,
        ]
    suites = [x.test_suite() for x in modules]
    return unittest.TestSuite(suites)
@@ -0,0 +1,115 @@
+# This software is provided 'as-is', without any express or implied
+# warranty.  In no event will the author be held liable for any damages
+# arising from the use of this software.
+#
+# Permission is granted to anyone to use this software for any purpose,
+# including commercial applications, and to alter it and redistribute it
+# freely, subject to the following restrictions:
+#
+# 1. The origin of this software must not be misrepresented; you must not
+#    claim that you wrote the original software. If you use this software
+#    in a product, an acknowledgment in the product documentation would be
+#    appreciated but is not required.
+# 2. Altered source versions must be plainly marked as such, and must not be
+#    misrepresented as being the original software.
+# 3. This notice may not be removed or altered from any source distribution.
+#
+# Copyright (c) 2011 William Grant <me@williamgrant.id.au>
+# Copyright (c) 2022 Adrien Precigout <dev@asdrip.fr>
+
+import os.path
+import tempfile
+import unittest
+
+import dkim
+import dknewkey
+
+def read_test_data(filename):
+    """Get the content of the given test data file.
+
+    The files live in dkim/tests/data.
+    """
+    path = os.path.join(os.path.dirname(__file__), 'data', filename)
+    with open(path, 'rb') as f:
+        return f.read()
+
+
+class TestSignAndVerify(unittest.TestCase):
+    """End-to-end signature and verification tests with a generated key."""
+
+    def setUp(self):
+        self.message = read_test_data("test.message")
+        self.ed25519_dns_key_file = ""
+        self.rsa_dns_key_file = ""
+    
+
+    def test_generate_verifies_new_RSA_key(self):
+        #Create temporary dir
+        tmpdir = tempfile.TemporaryDirectory()
+        keydir = tmpdir.name
+        rsa_key_file = os.path.join(keydir, "dkim.rsa.key")
+        self.rsa_dns_key_file = os.path.join(keydir, "dkim.rsa.key.pub.txt")
+        #Generate a rsa key
+        dknewkey.GenRSAKeys(rsa_key_file, False)
+        dknewkey.ExtractRSADnsPublicKey(rsa_key_file, self.rsa_dns_key_file, False)
+        #Load the key
+        rsakey = read_test_data(rsa_key_file)
+        #Test signature with the newely generated key  
+        for header_algo in (b"simple", b"relaxed"):
+            for body_algo in (b"simple", b"relaxed"):
+                sig = dkim.sign(
+                    self.message, b"test", b"example.com", rsakey,
+                    canonicalize=(header_algo, body_algo))
+                res = dkim.verify(sig + self.message, dnsfunc=self.dnsfuncRSA)
+                self.assertTrue(res)
+
+
+    def test_generate_verifies_Ed25519_key(self):
+        #Create temporary dir
+        tmpdir = tempfile.TemporaryDirectory()
+        keydir = tmpdir.name
+        ed25519_key_file = os.path.join(keydir, "dkim.ed25519.key")
+        self.ed25519_dns_key_file = os.path.join(keydir, "dkim.ed25519.key.pub.txt")
+        #Generate a ed25519 key
+        pkt = dknewkey.GenEd25519Keys(ed25519_key_file, False)
+        dknewkey.ExtractEd25519PublicKey(self.ed25519_dns_key_file, pkt, False)
+        #Load the key
+        ed25519key = read_test_data(ed25519_key_file)
+        #Test signature with the newely generated key 
+        for header_algo in (b"simple", b"relaxed"):
+            for body_algo in (b"simple", b"relaxed"):
+                sig = dkim.sign(
+                    self.message, b"test1", b"example.com", ed25519key,
+                    signature_algorithm=b'ed25519-sha256',
+                    canonicalize=(header_algo, body_algo))
+                res = dkim.verify(sig + self.message, dnsfunc=self.dnsfuncED25519)
+                self.assertTrue(res)
+
+
+    def dnsfuncRSA(self, domain, timeout=5):
+        _dns_responses = {
+            'test._domainkey.example.com.': read_test_data(self.rsa_dns_key_file),
+        }
+        try:
+            domain = domain.decode('ascii')
+        except UnicodeDecodeError:
+            return None
+        self.assertTrue(domain in _dns_responses,domain)
+        return _dns_responses[domain]
+
+    def dnsfuncED25519(self, domain, timeout=5):
+        _dns_responses = {
+            'test1._domainkey.example.com.': read_test_data(self.ed25519_dns_key_file),
+        }
+        try:
+            domain = domain.decode('ascii')
+        except UnicodeDecodeError:
+            return None
+        self.assertTrue(domain in _dns_responses,domain)
+        return _dns_responses[domain]
+
+   
+
+def test_suite():
+    from unittest import TestLoader
+    return TestLoader().loadTestsFromName(__name__)