Copyright (C) Internet Systems Consortium, Inc. ("ISC")

SPDX-License-Identifier: MPL-2.0

This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0.  If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.

See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.

The `rsabigexponent` test is used to check `max-rsa-exponent-size`.

We only run this test on builds without PKCS#11, as we have control over
the RSA exponent size with plain OpenSSL. We have not explored how to do
this with PKCS#11, which would require generating such a key and then
signing a zone with it. Additionally, even with control of the exponent
size with PKCS#11, generating a DNSKEY with this property and signing
such a zone would be slow and undesirable for each test run; instead, we
use a pregenerated DNSKEY and a saved signed zone.  These are located in
`rsabigexponent/ns2` and currently use RSASHA1 for the `DNSKEY`
algorithm; however, that may need to be changed in the future.

To generate the `DNSKEY` used in this test, we used `bigkey.c`, as
`dnssec-keygen` is not capable of generating such keys.

Do **not** remove `bigkey.c` as it may be needed to generate a new
`DNSKEY` for testing purposes.

`bigkey` is used both to test that we are not running under PKCS#11 and
to generate a `DNSKEY` key with a large RSA exponent.

To regenerate `ns2/example.db.bad`, comment out the range test in
`opensslrsa_parse` before signing the zone with a ZSK generated by
`bigkey`:

        if (BN_num_bits(e) > RSA_MAX_PUBEXP_BITS) {
                DST_RET(ISC_R_RANGE);
        }
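As an added illustration (not BIND's code and not part of this test), the following Python applies the same range check to an RSA `DNSKEY` in its RFC 3110 wire encoding, which is what a validator actually receives; the check bounds the cost of verifying a signature with an attacker-chosen public exponent. `RSA_MAX_PUBEXP_BITS` is assumed to be 35 bits, and the moduli used in the checks are constructed numbers, not real keys.

```python
# Added example: mirror opensslrsa_parse's exponent range test on the
# RFC 3110 wire form of an RSA DNSKEY public key.
# Assumption: RSA_MAX_PUBEXP_BITS is 35, as in current BIND sources.
RSA_MAX_PUBEXP_BITS = 35


def encode_rsa_dnskey(e: int, n: int) -> bytes:
    """RFC 3110 section 2: exponent length (1 byte, or 0x00 followed by
    2 bytes when the exponent is 256 bytes or longer), exponent, modulus."""
    e_bytes = e.to_bytes((e.bit_length() + 7) // 8, "big")
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(e_bytes) < 256:
        hdr = bytes([len(e_bytes)])
    else:
        hdr = b"\x00" + len(e_bytes).to_bytes(2, "big")
    return hdr + e_bytes + n_bytes


def parse_rsa_dnskey(data: bytes) -> tuple[int, int]:
    """Split the wire form into (e, n), rejecting truncated input."""
    if not data:
        raise ValueError("empty key")
    if data[0] != 0:
        e_len, off = data[0], 1
    else:
        if len(data) < 3:
            raise ValueError("truncated exponent length")
        e_len, off = int.from_bytes(data[1:3], "big"), 3
    if len(data) < off + e_len + 1:
        raise ValueError("truncated key")
    e = int.from_bytes(data[off:off + e_len], "big")
    n = int.from_bytes(data[off + e_len:], "big")
    return e, n


def exponent_in_range(data: bytes, max_bits: int = RSA_MAX_PUBEXP_BITS) -> bool:
    """True when the key passes the same test as
    `if (BN_num_bits(e) > RSA_MAX_PUBEXP_BITS) DST_RET(ISC_R_RANGE);`"""
    e, _ = parse_rsa_dnskey(data)
    return e.bit_length() <= max_bits
```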