Merge PR #32 from 'pinheadmz/fix-tests1'

Author: pinheadmz

.github/workflows/unit-test.yml

@@ -15,14 +15,30 @@ jobs:
         node_version: [10.x, 12.x, 14.x]
 
     steps:
-      - uses: actions/checkout@v2
+      - name: Checkout Unbound
+        uses: actions/checkout@v2
+        with:
+          repository: nlnetlabs/unbound
+          path: ub
+
+      - name: Install Unbound
+        working-directory: ub
+        run: ./configure &&
+             make &&
+             sudo make install &&
+             sudo ldconfig
+
+      - name: Checkout
+        uses: actions/checkout@v2
 
       - name: Setup
         uses: actions/setup-node@v1
 
       - name: Install
-        run: sudo apt-get install -y libunbound-dev |
-             npm install
+        run: npm install
 
       - name: Test
-        run: npm test
+        run: npm run test
+
+      - name: Browser Test
+        run: npm install browserify && npm run test-browser

package.json

@@ -32,6 +32,7 @@
   "scripts": {
     "lint": "eslint bin/* lib/ test/ || exit 0",
     "test": "bmocha --reporter spec test/*-test.js",
+    "test-browser": "bmocha -H --reporter spec test/*-test.js",
     "test-file": "bmocha --reporter spec"
   },
   "dependencies": {

test/dane-test.js

@@ -4,9 +4,11 @@
 'use strict';
 
 const assert = require('bsert');
+const tls = require('tls');
 const dane = require('../lib/dane');
 const dns = require('../lib/dns');
 const tlsa = require('../lib/tlsa');
+const {usages} = require('../lib/constants');
 const wire = require('../lib/wire');
 const {Record} = wire;
 
@@ -103,59 +105,74 @@ describe('DANE', function() {
     assert(tlsa.verify(rr, cert, 'www.huque.com', 'tcp', 443));
   });
 
-  if (process.browser)
-    return;
-
-  it('should verify spki+sha256 cert (www.ietf.org)', async () => {
-    const cert = fromBase64(`
-      MIIFUTCCBDmgAwIBAgIIITAshaEP0OswDQYJKoZIhvcNAQELBQAwgcYxCzAJBgNV
-      BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUw
-      IwYDVQQKExxTdGFyZmllbGQgVGVjaG5vbG9naWVzLCBJbmMuMTMwMQYDVQQLEypo
-      dHRwOi8vY2VydHMuc3RhcmZpZWxkdGVjaC5jb20vcmVwb3NpdG9yeS8xNDAyBgNV
-      BAMTK1N0YXJmaWVsZCBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIw
-      HhcNMTcwNjEyMTAxMjAwWhcNMTgwODExMjMxMjUwWjA4MSEwHwYDVQQLExhEb21h
-      aW4gQ29udHJvbCBWYWxpZGF0ZWQxEzARBgNVBAMMCiouaWV0Zi5vcmcwggEiMA0G
-      CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2eMubW2zWELh8023dSdAP3LvdsNeC
-      KhPJZhIjdxr8o1+5PJ2MVMRgCaqe4asE5R+BuYfc9FDQCamqWOBZNvd3crwfhQW8
-      NZBM9JLbUgyObyip3X2cTkbFaKsa7SgNHOFYsd7VFntmuiEI+D/U5yzLjtBm4raV
-      oUHSsSatFYGYRhsOXf/DF/ld+oiqk7KckHTa2FetMJxMztHPUWoIW39lVkHmEpjZ
-      L4JN0T04hUqWvhYcx+69Rh46PToaTAsUkc2/a1T62i8jeZhHFS5jhS6mRLcwL461
-      7LtcqbU/4g2NZah6CbqIIC3dW6ylXP7qlTbGCXeesBUxAcHh9F5A8fSlAgMBAAGj
-      ggHOMIIByjAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
-      BQcDAjAOBgNVHQ8BAf8EBAMCBaAwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2Ny
-      bC5zdGFyZmllbGR0ZWNoLmNvbS9zZmlnMnMxLTU2LmNybDBjBgNVHSAEXDBaME4G
-      C2CGSAGG/W4BBxcBMD8wPQYIKwYBBQUHAgEWMWh0dHA6Ly9jZXJ0aWZpY2F0ZXMu
-      c3RhcmZpZWxkdGVjaC5jb20vcmVwb3NpdG9yeS8wCAYGZ4EMAQIBMIGGBggrBgEF
-      BQcBAQR6MHgwKgYIKwYBBQUHMAGGHmh0dHA6Ly9vY3NwLnN0YXJmaWVsZHRlY2gu
-      Y29tLzBKBggrBgEFBQcwAoY+aHR0cDovL2NlcnRpZmljYXRlcy5zdGFyZmllbGR0
-      ZWNoLmNvbS9yZXBvc2l0b3J5L3NmaWcyLmNydC5kZXIwHwYDVR0jBBgwFoAUJUWB
-      aFAmOD07LSy+zWrZtj2zZmMwHwYDVR0RBBgwFoIKKi5pZXRmLm9yZ4IIaWV0Zi5v
-      cmcwHQYDVR0OBBYEFAb+C6vY5nRu/MRzAoX3qUh+0TRPMA0GCSqGSIb3DQEBCwUA
-      A4IBAQDkjdd7Mz2F83bfBNjAS0uN0mGIn2Z67dcWP+klzp7JzGb+qdbPZsI0aHKZ
-      UEh0Pl71hcn8LlhYl+n7GJUGhW7CaOVqhzHkxfyfIls6BJ+pL6mIx5be8xqSV04b
-      zyPBZcPnuFdi/dXAgjE9iSFHfNH8gthiXgzgiIPIjQp2xuJDeQHWT5ZQ5gUxF8qP
-      ecO5L6IwMzZFRuE6SYzFynsOMOGjsPYJkYLm3JYwUulDz7OtRABwN5wegc5tTgq5
-      9HaFOULLCdMakLIRmMC0PzSI+m3+cYoZ6ue/8q9my7HgekcVMYQ5lRKncrs3GMxo
-      WNyYOpbGqBfooA8nwwE20fpacX2i
-    `);
-
-    // Hack for testing.
-    dns._allowInsecure = true;
-
-    const rrs = await dns.resolveTLSA('www.ietf.org', 'tcp', 443);
-
-    assert(Array.isArray(rrs));
-    assert(rrs.length >= 1);
-
-    let valid = false;
-
-    for (const rr of rrs) {
-      if (dns.verifyTLSA(rr, cert)) {
-        valid = true;
-        break;
-      }
+  describe('Live DANE with resolver', function () {
+    if (process.browser)
+      this.skip();
+
+    // https://www.internetsociety.org/resources/deploy360/dane-test-sites/
+    const hosts = [
+      'jhcloos.com',
+      'torproject.org',
+      'fedoraproject.org',
+      'www.afnic.fr',
+      'good.dane.huque.com'
+    ];
+
+    // Nodejs has its own cert store and older versions may be missing some CAs
+    const rejectUnauthorized = false;
+
+    before(() => {
+      // ignore DNSSEC errors for this test
+      dns._allowInsecure = true;
+    });
+
+    after(() => {
+      dns._allowInsecure = false;
+    });
+
+    for (const host of hosts) {
+      it(`should verify spki+sha256 cert (${host})`, async () => {
+        let cert = await new Promise((resolve, reject) => {
+          const socket = tls.connect(
+            {port: 443, host, rejectUnauthorized, servername: host},
+            () => {
+              const cert = socket.getPeerCertificate(true);
+              socket.destroy();
+              resolve(cert);
+            }
+          );
+        });
+
+        const rrs = await dns.resolveTLSA(host, 'tcp', 443);
+
+        assert(Array.isArray(rrs));
+        assert(rrs.length >= 1);
+
+        let valid = false;
+
+        for (const rr of rrs) {
+          if (dns.verifyTLSA(rr, cert.raw)) {
+            valid = true;
+            break;
+          }
+
+          if (rr.usage === usages.CAC) {
+            while (!cert.issuerCertificate.raw.equals(cert.raw)) {
+              if (cert.issuerCertificate)
+                cert = cert.issuerCertificate;
+              else
+                break;
+
+              if (dns.verifyTLSA(rr, cert.raw)) {
+                valid = true;
+                break;
+              }
+            }
+          }
+        }
+
+        assert(valid);
+      });
     }
-
-    assert(valid);
   });
 });

test/recursive-test.js

@@ -53,9 +53,29 @@ const noNodataNames = [
 if (process.browser)
   return;
 
+function checkUBversion(string) {
+  const digits = string.split('.');
+
+  // Require support for ED448, at least version 1.8.x
+  if (parseInt(digits[0]) > 1)
+    return true;
+
+  if (parseInt(digits[0]) < 1)
+    return false;
+
+  if (parseInt(digits[1]) < 8)
+    return false;
+
+  return true;
+}
+
 describe('Recursive', function() {
   this.timeout(20000);
 
+  it(`should return the version of libunbound: ${udns.version}`, () => {
+    ;
+  });
+
   for (const Resolver of [RecursiveResolver, UnboundResolver]) {
     it('should do a recursive resolution', async () => {
       const res = new Resolver({
@@ -84,63 +104,65 @@ describe('Recursive', function() {
   }
 
   for (const dns of [rdns, udns]) {
-    for (const name of dnssecNames) {
-      if (name === 'ed25519.nl' || name === 'ed448.nl') {
-        if (dns === udns && udns.version < '1.8.1')
-          continue;
+    describe(`${dns === rdns ? 'JavaScript' : 'Unbound'}`, function () {
+      for (const name of dnssecNames) {
+        if (name === 'ed25519.nl' || name === 'ed448.nl') {
+          if (dns === udns && !checkUBversion(udns.version))
+            continue;
+        }
+
+        it(`should validate trust chain for ${name}`, async () => {
+          const res = await dns.resolveRaw(name, types.A);
+          assert.strictEqual(res.code, codes.NOERROR);
+          assert(res.answer.length > 0);
+          assert(res.ad);
+        });
       }
 
-      it(`should validate trust chain for ${name}`, async () => {
-        const res = await dns.resolveRaw(name, types.A);
-        assert.strictEqual(res.code, codes.NOERROR);
-        assert(res.answer.length > 0);
-        assert(res.ad);
-      });
-    }
-
-    for (const name of nxNames) {
-      it(`should validate NX proof for ${name}`, async () => {
-        const res = await dns.resolveRaw(name, types.A);
-        assert.strictEqual(res.code, codes.NXDOMAIN);
-        assert(res.answer.length === 0);
-        assert(res.ad);
-      });
-    }
-
-    for (const name of nodataNames) {
-      it(`should validate NODATA proof for ${name}`, async () => {
-        const res = await dns.resolveRaw(name, types.WKS);
-        assert.strictEqual(res.code, codes.NOERROR);
-        assert(res.answer.length === 0);
-        assert(res.ad);
-      });
-    }
-
-    for (const name of noDnssecNames) {
-      it(`should fail to validate trust chain for ${name}`, async () => {
-        const res = await dns.resolveRaw(name, types.A);
-        assert.strictEqual(res.code, codes.NOERROR);
-        assert(res.answer.length > 0);
-        assert(!res.ad);
-      });
-    }
-
-    for (const name of noNxNames) {
-      it(`should fail to validate NX proof for ${name}`, async () => {
-        const res = await dns.resolveRaw(name, types.A);
-        assert.strictEqual(res.code, codes.NXDOMAIN);
-        assert(res.answer.length === 0);
-        assert(!res.ad);
-      });
-    }
-
-    for (const name of noNodataNames) {
-      it(`should fail to validate NODATA proof for ${name}`, async () => {
-        const res = await dns.resolveRaw(name, types.WKS);
-        assert.strictEqual(res.code, codes.NOERROR);
-        assert(res.answer.length === 0);
-        assert(!res.ad);
-      });
-    }
+      for (const name of nxNames) {
+        it(`should validate NX proof for ${name}`, async () => {
+          const res = await dns.resolveRaw(name, types.A);
+          assert.strictEqual(res.code, codes.NXDOMAIN);
+          assert(res.answer.length === 0);
+          assert(res.ad);
+        });
+      }
+
+      for (const name of nodataNames) {
+        it(`should validate NODATA proof for ${name}`, async () => {
+          const res = await dns.resolveRaw(name, types.WKS);
+          assert.strictEqual(res.code, codes.NOERROR);
+          assert(res.answer.length === 0);
+          assert(res.ad);
+        });
+      }
+
+      for (const name of noDnssecNames) {
+        it(`should fail to validate trust chain for ${name}`, async () => {
+          const res = await dns.resolveRaw(name, types.A);
+          assert.strictEqual(res.code, codes.NOERROR);
+          assert(res.answer.length > 0);
+          assert(!res.ad);
+        });
+      }
+
+      for (const name of noNxNames) {
+        it(`should fail to validate NX proof for ${name}`, async () => {
+          const res = await dns.resolveRaw(name, types.A);
+          assert.strictEqual(res.code, codes.NXDOMAIN);
+          assert(res.answer.length === 0);
+          assert(!res.ad);
+        });
+      }
+
+      for (const name of noNodataNames) {
+        it(`should fail to validate NODATA proof for ${name}`, async () => {
+          const res = await dns.resolveRaw(name, types.WKS);
+          assert.strictEqual(res.code, codes.NOERROR);
+          assert(res.answer.length === 0);
+          assert(!res.ad);
+        });
+      }
+    });
   }
 });