tools/testcase1.py


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194

#!/usr/bin/env python
# -*- coding: utf-8 -*-

# Copyright (c) 2014, NORDUnet A/S.
# See LICENSE for licensing information.

import urllib2
import urllib
import json
import base64
import sys
import struct
import hashlib
import itertools
from certtools import *
from dnstools import c14n_dsrr, unpack_rrset

baseurls = [sys.argv[1]]
logpublickeyfile = sys.argv[2]
cacertfile = sys.argv[3]

RRfiles = ["../test/testdata/dnssec/testrrsets/req-basic"]

def get_rrset_from_file(filename):
    return open(filename, 'r').read()

# TODO: Add more tests, like 4 more would be good.
rr1 = get_rrset_from_file(RRfiles[0])

create_ssl_context(cafile=cacertfile)

failures = 0
indentation = ""

logpublickey = get_public_key_from_file(logpublickeyfile)

def testgroup(name):
    global indentation
    print "testgroup " + name + ":"
    indentation = "    "

def print_error(message, *args):
    global failures, indentation
    print indentation + "ERROR:", message % args
    failures += 1

def print_success(message, *args):
    print indentation + message % args

def assert_equal(actual, expected, name, quiet=False, nodata=False, fatal=False):
    global failures
    if actual != expected:
        if nodata:
            print_error("%s differs", name)
        else:
            print_error("%s expected %s got %s", name, repr(expected),
                        repr(actual))
        if fatal:
            sys.exit(1)
    elif not quiet:
        print_success("%s was correct", name)

def print_and_check_tree_size(expected, baseurl):
    global failures
    sth = get_sth(baseurl)
    try:
        check_sth_signature(baseurl, sth, publickey=logpublickey)
    except AssertionError, e:
        print_error("%s", e)
    except ecdsa.keys.BadSignatureError, e:
        print_error("bad STH signature")
    tree_size = sth["tree_size"]
    assert_equal(tree_size, expected, "tree size", quiet=True)

def do_add_chain(ignore1, ignore2): assert 0, "use do_add_rr() instead" # FIXME: remove

def do_add_rr(rrset, baseurl):
    global failures
    try:
        result = add_chain(baseurl, {"chain":base64.b64encode(rrset)})
    except ValueError, e:
        print_error("%s", e)
    try:
        print "result:", result
        signed_entry = pack_cert(c14n_dsrr(rrset))
        print "signed_entry:", repr(signed_entry)
        check_sct_signature(baseurl, signed_entry, result, publickey=logpublickey)
        print_success("signature check succeeded")
    except AssertionError, e:
        print_error("%s", e)
    except ecdsa.keys.BadSignatureError, e:
        print e
        print_error("bad SCT signature")
    return result

def get_and_validate_proof(timestamp, chain, leaf_index, nentries, baseurl):
    dsrr = c14n_dsrr(chain)
    merkle_tree_leaf = pack_mtl(timestamp, dsrr)
    leaf_hash = get_leaf_hash(merkle_tree_leaf)
    sth = get_sth(baseurl)
    proof = get_proof_by_hash(baseurl, leaf_hash, sth["tree_size"])
    leaf_index = proof["leaf_index"]
    inclusion_proof = [base64.b64decode(e) for e in proof["audit_path"]]
    assert_equal(leaf_index, leaf_index, "leaf_index", quiet=True)
    assert_equal(len(inclusion_proof), nentries, "audit_path length", quiet=True)

    calc_root_hash = verify_inclusion_proof(inclusion_proof, leaf_index, sth["tree_size"], leaf_hash)
    root_hash = base64.b64decode(sth["sha256_root_hash"])

    assert_equal(root_hash, calc_root_hash, "verified root hash", nodata=True, quiet=True)
    get_and_check_entry(timestamp, chain, leaf_index, baseurl)

def get_and_validate_consistency_proof(sth1, sth2, size1, size2, baseurl):
    consistency_proof = [base64.decodestring(entry) for entry in get_consistency_proof(baseurl, size1, size2)]
    (old_treehead, new_treehead) = verify_consistency_proof(consistency_proof, size1, size2, sth1)
    #print repr(sth1), repr(old_treehead)
    #print repr(sth2), repr(new_treehead)
    assert_equal(old_treehead, sth1, "sth1", nodata=True, quiet=True)
    assert_equal(new_treehead, sth2, "sth2", nodata=True, quiet=True)


def get_and_check_entry(timestamp, chain, leaf_index, baseurl):
    entries = get_entries(baseurl, leaf_index, leaf_index)
    assert_equal(len(entries), 1, "get_entries", quiet=True)
    fetched_entry = entries["entries"][0]
    merkle_tree_leaf = pack_mtl(timestamp, c14n_dsrr(chain))
    leaf_input =  base64.decodestring(fetched_entry["leaf_input"])
    assert_equal(leaf_input, merkle_tree_leaf, "entry", nodata=True, quiet=True)
    extra_data = base64.decodestring(fetched_entry["extra_data"])
    chain_fetched = unpack_rrset(decode_certificate_chain(extra_data)[0])
    chain_submitted = unpack_rrset(chain)[1:]
    # FIXME: Might not have submited trust anchors.
    assert_equal(chain_fetched, chain_submitted, "chain", quiet=True)

def merge():
    return subprocess.call(["../tools/merge", "--config", "../test/catlfish-test.cfg",
                            "--localconfig", "../test/catlfish-test-local-merge.cfg"])

mergeresult = merge()
assert_equal(mergeresult, 0, "merge", quiet=True, fatal=True)

for baseurl in baseurls:
    print_and_check_tree_size(0, baseurl)

testgroup("rr1")

result1 = do_add_rr(rr1, baseurls[0])

mergeresult = merge()
assert_equal(mergeresult, 0, "merge", quiet=True, fatal=True)

size_sth = {}

for baseurl in baseurls:
    print_and_check_tree_size(1, baseurl)
size_sth[1] = base64.b64decode(get_sth(baseurls[0])["sha256_root_hash"])

result2 = do_add_rr(rr1, baseurls[0])

assert_equal(result2["timestamp"], result1["timestamp"], "timestamp")

mergeresult = merge()
assert_equal(mergeresult, 0, "merge", quiet=True, fatal=True)

for baseurl in baseurls:
    print_and_check_tree_size(1, baseurl)
size1_v2_sth = base64.b64decode(get_sth(baseurls[0])["sha256_root_hash"])

assert_equal(size_sth[1], size1_v2_sth, "sth", nodata=True)

# TODO: add an invalid chain and check that it generates an error and
#       that treesize still is 1

get_and_validate_proof(result1["timestamp"], rr1, 0, 0, baseurls[0])

testgroup("proofs")

mergeresult = merge()
assert_equal(mergeresult, 0, "merge", quiet=True, fatal=True)

for first_size in range(1, 1):
    for second_size in range(first_size + 1, 2):
        get_and_validate_consistency_proof(size_sth[first_size],
                                           size_sth[second_size],
                                           first_size,
                                           second_size,
                                           baseurls[0])

print "-------"
if failures:
    print failures, "failed tests" if failures != 1 else "failed test"
    sys.exit(1)
else:
    print "all tests succeeded"