Copyright (C) Internet Systems Consortium, Inc. ("ISC")

SPDX-License-Identifier: MPL-2.0

This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.

See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.

The `rsabigexponent` test is used to check `max-rsa-exponent-size`.

We only run this test on builds without PKCS#11, as we have control over
the RSA exponent size with plain OpenSSL. We have not explored how to do
this with PKCS#11, which would require generating such a key and then
signing a zone with it. Additionally, even with control of the exponent
size with PKCS#11, generating a DNSKEY with this property and signing
such a zone would be slow and undesirable for each test run; instead, we
use a pregenerated DNSKEY and a saved signed zone. These are located in
`rsabigexponent/ns2` and currently use RSASHA1 for the `DNSKEY`
algorithm; however, that may need to be changed in the future.

To generate the `DNSKEY` used in this test, we used `bigkey.c`, as
`dnssec-keygen` is not capable of generating such keys.

Do **not** remove `bigkey.c` as it may be needed to generate a new
`DNSKEY` for testing purposes.

`bigkey` is used to both test that we are not running under PKCS#11 and
generate a `DNSKEY` key with a large RSA exponent.

To regenerate `ns2/example.db.bad` comment out the range test in
`opensslrsa_parse` before signing the zone with a ZSK key generated
by `bigkey`.

    if (BN_num_bits(e) > RSA_MAX_PUBEXP_BITS) {
        DST_RET(ISC_R_RANGE);
    }
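
As an added illustration (not part of BIND or of this README), the following standalone C example applies the same kind of exponent range test to the RSA public-key field of a DNSKEY in its RFC 3110 wire layout, without OpenSSL. The function name, result codes, sample keys and the 35-bit limit are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Result codes are names made up for this example. */
enum exp_check { EXP_OK, EXP_TOO_BIG, EXP_MALFORMED };

/*
 * Check the public exponent in an RSA DNSKEY public-key field (RFC 3110
 * layout: exponent length, exponent, modulus) against a bit limit.
 * Leading zero bytes do not count, matching what BN_num_bits() reports.
 */
enum exp_check
check_rsa_exponent(const unsigned char *key, size_t len, unsigned max_bits) {
	size_t elen, off = 1, i = 0;
	unsigned bits = 0;

	if (len < 1)
		return EXP_MALFORMED;
	elen = key[0];
	if (elen == 0) { /* long form: two-byte big-endian length follows */
		if (len < 3)
			return EXP_MALFORMED;
		elen = ((size_t)key[1] << 8) | key[2];
		off = 3;
	}
	/* Need a non-empty exponent followed by at least one modulus byte. */
	if (elen == 0 || len - off <= elen)
		return EXP_MALFORMED;
	while (i < elen && key[off + i] == 0)
		i++;
	if (i < elen) {
		bits = (unsigned)(elen - i - 1) * 8;
		for (unsigned char top = key[off + i]; top != 0; top >>= 1)
			bits++;
	}
	return bits > max_bits ? EXP_TOO_BIG : EXP_OK;
}

/* Constructed sample keys: tiny placeholder moduli, not real key material. */
static const unsigned char key_f4[] = { 3, 0x01, 0x00, 0x01, 0xC5, 0x11 };
static const unsigned char key_big[] = { 0, 0, 6, 0x01, 0, 0, 0, 0, 0x01, 0xC5, 0x11 };

int main(void) {
	unsigned limit = 35; /* assumed limit for this example */
	printf("65537 exponent: %d\n", check_rsa_exponent(key_f4, sizeof key_f4, limit));
	printf("41-bit exponent: %d\n", check_rsa_exponent(key_big, sizeof key_big, limit));
	return 0;
}
```

The first sample key carries the common 17-bit exponent 65537 and passes; the second carries a 41-bit exponent and is rejected under the assumed limit.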