[thirdparty/systemd.git] / src / resolve / test-dnssec.c

/***
  This file is part of systemd.

  Copyright 2015 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

#include "alloc-util.h"
#include "resolved-dns-dnssec.h"
#include "resolved-dns-rr.h"
#include "string-util.h"
#include "hexdecoct.h"

static void test_dnssec_canonicalize_one(const char *original, const char *canonical, int r) {
        char canonicalized[DNSSEC_CANONICAL_HOSTNAME_MAX];

        assert_se(dnssec_canonicalize(original, canonicalized, sizeof(canonicalized)) == r);
        if (r < 0)
                return;

        assert_se(streq(canonicalized, canonical));
}

static void test_dnssec_canonicalize(void) {
        test_dnssec_canonicalize_one("", ".", 1);
        test_dnssec_canonicalize_one(".", ".", 1);
        test_dnssec_canonicalize_one("foo", "foo.", 4);
        test_dnssec_canonicalize_one("foo.", "foo.", 4);
        test_dnssec_canonicalize_one("FOO.", "foo.", 4);
        test_dnssec_canonicalize_one("FOO.bar.", "foo.bar.", 8);
        test_dnssec_canonicalize_one("FOO..bar.", NULL, -EINVAL);
}

#if HAVE_GCRYPT

static void test_dnssec_verify_dns_key(void) {

        static const uint8_t ds1_fprint[] = {
                0x46, 0x8B, 0xC8, 0xDD, 0xC7, 0xE8, 0x27, 0x03, 0x40, 0xBB, 0x8A, 0x1F, 0x3B, 0x2E, 0x45, 0x9D,
                0x80, 0x67, 0x14, 0x01,
        };
        static const uint8_t ds2_fprint[] = {
                0x8A, 0xEE, 0x80, 0x47, 0x05, 0x5F, 0x83, 0xD1, 0x48, 0xBA, 0x8F, 0xF6, 0xDD, 0xA7, 0x60, 0xCE,
                0x94, 0xF7, 0xC7, 0x5E, 0x52, 0x4C, 0xF2, 0xE9, 0x50, 0xB9, 0x2E, 0xCB, 0xEF, 0x96, 0xB9, 0x98,
        };
        static const uint8_t dnskey_blob[] = {
                0x03, 0x01, 0x00, 0x01, 0xa8, 0x12, 0xda, 0x4f, 0xd2, 0x7d, 0x54, 0x14, 0x0e, 0xcc, 0x5b, 0x5e,
                0x45, 0x9c, 0x96, 0x98, 0xc0, 0xc0, 0x85, 0x81, 0xb1, 0x47, 0x8c, 0x7d, 0xe8, 0x39, 0x50, 0xcc,
                0xc5, 0xd0, 0xf2, 0x00, 0x81, 0x67, 0x79, 0xf6, 0xcc, 0x9d, 0xad, 0x6c, 0xbb, 0x7b, 0x6f, 0x48,
                0x97, 0x15, 0x1c, 0xfd, 0x0b, 0xfe, 0xd3, 0xd7, 0x7d, 0x9f, 0x81, 0x26, 0xd3, 0xc5, 0x65, 0x49,
                0xcf, 0x46, 0x62, 0xb0, 0x55, 0x6e, 0x47, 0xc7, 0x30, 0xef, 0x51, 0xfb, 0x3e, 0xc6, 0xef, 0xde,
                0x27, 0x3f, 0xfa, 0x57, 0x2d, 0xa7, 0x1d, 0x80, 0x46, 0x9a, 0x5f, 0x14, 0xb3, 0xb0, 0x2c, 0xbe,
                0x72, 0xca, 0xdf, 0xb2, 0xff, 0x36, 0x5b, 0x4f, 0xec, 0x58, 0x8e, 0x8d, 0x01, 0xe9, 0xa9, 0xdf,
                0xb5, 0x60, 0xad, 0x52, 0x4d, 0xfc, 0xa9, 0x3e, 0x8d, 0x35, 0x95, 0xb3, 0x4e, 0x0f, 0xca, 0x45,
                0x1b, 0xf7, 0xef, 0x3a, 0x88, 0x25, 0x08, 0xc7, 0x4e, 0x06, 0xc1, 0x62, 0x1a, 0xce, 0xd8, 0x77,
                0xbd, 0x02, 0x65, 0xf8, 0x49, 0xfb, 0xce, 0xf6, 0xa8, 0x09, 0xfc, 0xde, 0xb2, 0x09, 0x9d, 0x39,
                0xf8, 0x63, 0x9c, 0x32, 0x42, 0x7c, 0xa0, 0x30, 0x86, 0x72, 0x7a, 0x4a, 0xc6, 0xd4, 0xb3, 0x2d,
                0x24, 0xef, 0x96, 0x3f, 0xc2, 0xda, 0xd3, 0xf2, 0x15, 0x6f, 0xda, 0x65, 0x4b, 0x81, 0x28, 0x68,
                0xf4, 0xfe, 0x3e, 0x71, 0x4f, 0x50, 0x96, 0x72, 0x58, 0xa1, 0x89, 0xdd, 0x01, 0x61, 0x39, 0x39,
                0xc6, 0x76, 0xa4, 0xda, 0x02, 0x70, 0x3d, 0xc0, 0xdc, 0x8d, 0x70, 0x72, 0x04, 0x90, 0x79, 0xd4,
                0xec, 0x65, 0xcf, 0x49, 0x35, 0x25, 0x3a, 0x14, 0x1a, 0x45, 0x20, 0xeb, 0x31, 0xaf, 0x92, 0xba,
                0x20, 0xd3, 0xcd, 0xa7, 0x13, 0x44, 0xdc, 0xcf, 0xf0, 0x27, 0x34, 0xb9, 0xe7, 0x24, 0x6f, 0x73,
                0xe7, 0xea, 0x77, 0x03,
        };

        _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *dnskey = NULL, *ds1 = NULL, *ds2 = NULL;

        /* The two DS RRs in effect for nasa.gov on 2015-12-01. */
        ds1 = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DS, "nasa.gov");
        assert_se(ds1);

        ds1->ds.key_tag = 47857;
        ds1->ds.algorithm = DNSSEC_ALGORITHM_RSASHA256;
        ds1->ds.digest_type = DNSSEC_DIGEST_SHA1;
        ds1->ds.digest_size = sizeof(ds1_fprint);
        ds1->ds.digest = memdup(ds1_fprint, ds1->ds.digest_size);
        assert_se(ds1->ds.digest);

        log_info("DS1: %s", strna(dns_resource_record_to_string(ds1)));

        ds2 = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DS, "NASA.GOV");
        assert_se(ds2);

        ds2->ds.key_tag = 47857;
        ds2->ds.algorithm = DNSSEC_ALGORITHM_RSASHA256;
        ds2->ds.digest_type = DNSSEC_DIGEST_SHA256;
        ds2->ds.digest_size = sizeof(ds2_fprint);
        ds2->ds.digest = memdup(ds2_fprint, ds2->ds.digest_size);
        assert_se(ds2->ds.digest);

        log_info("DS2: %s", strna(dns_resource_record_to_string(ds2)));

        dnskey = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DNSKEY, "nasa.GOV");
        assert_se(dnskey);

        dnskey->dnskey.flags = 257;
        dnskey->dnskey.protocol = 3;
        dnskey->dnskey.algorithm = DNSSEC_ALGORITHM_RSASHA256;
        dnskey->dnskey.key_size = sizeof(dnskey_blob);
        dnskey->dnskey.key = memdup(dnskey_blob, sizeof(dnskey_blob));
        assert_se(dnskey->dnskey.key);

        log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey)));
        log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey, false));

        assert_se(dnssec_verify_dnskey_by_ds(dnskey, ds1, false) > 0);
        assert_se(dnssec_verify_dnskey_by_ds(dnskey, ds2, false) > 0);
}

static void test_dnssec_verify_rrset(void) {

        static const uint8_t signature_blob[] = {
                0x7f, 0x79, 0xdd, 0x5e, 0x89, 0x79, 0x18, 0xd0, 0x34, 0x86, 0x8c, 0x72, 0x77, 0x75, 0x48, 0x4d,
                0xc3, 0x7d, 0x38, 0x04, 0xab, 0xcd, 0x9e, 0x4c, 0x82, 0xb0, 0x92, 0xca, 0xe9, 0x66, 0xe9, 0x6e,
                0x47, 0xc7, 0x68, 0x8c, 0x94, 0xf6, 0x69, 0xcb, 0x75, 0x94, 0xe6, 0x30, 0xa6, 0xfb, 0x68, 0x64,
                0x96, 0x1a, 0x84, 0xe1, 0xdc, 0x16, 0x4c, 0x83, 0x6c, 0x44, 0xf2, 0x74, 0x4d, 0x74, 0x79, 0x8f,
                0xf3, 0xf4, 0x63, 0x0d, 0xef, 0x5a, 0xe7, 0xe2, 0xfd, 0xf2, 0x2b, 0x38, 0x7c, 0x28, 0x96, 0x9d,
                0xb6, 0xcd, 0x5c, 0x3b, 0x57, 0xe2, 0x24, 0x78, 0x65, 0xd0, 0x9e, 0x77, 0x83, 0x09, 0x6c, 0xff,
                0x3d, 0x52, 0x3f, 0x6e, 0xd1, 0xed, 0x2e, 0xf9, 0xee, 0x8e, 0xa6, 0xbe, 0x9a, 0xa8, 0x87, 0x76,
                0xd8, 0x77, 0xcc, 0x96, 0xa0, 0x98, 0xa1, 0xd1, 0x68, 0x09, 0x43, 0xcf, 0x56, 0xd9, 0xd1, 0x66,
        };

        static const uint8_t dnskey_blob[] = {
                0x03, 0x01, 0x00, 0x01, 0x9b, 0x49, 0x9b, 0xc1, 0xf9, 0x9a, 0xe0, 0x4e, 0xcf, 0xcb, 0x14, 0x45,
                0x2e, 0xc9, 0xf9, 0x74, 0xa7, 0x18, 0xb5, 0xf3, 0xde, 0x39, 0x49, 0xdf, 0x63, 0x33, 0x97, 0x52,
                0xe0, 0x8e, 0xac, 0x50, 0x30, 0x8e, 0x09, 0xd5, 0x24, 0x3d, 0x26, 0xa4, 0x49, 0x37, 0x2b, 0xb0,
                0x6b, 0x1b, 0xdf, 0xde, 0x85, 0x83, 0xcb, 0x22, 0x4e, 0x60, 0x0a, 0x91, 0x1a, 0x1f, 0xc5, 0x40,
                0xb1, 0xc3, 0x15, 0xc1, 0x54, 0x77, 0x86, 0x65, 0x53, 0xec, 0x10, 0x90, 0x0c, 0x91, 0x00, 0x5e,
                0x15, 0xdc, 0x08, 0x02, 0x4c, 0x8c, 0x0d, 0xc0, 0xac, 0x6e, 0xc4, 0x3e, 0x1b, 0x80, 0x19, 0xe4,
                0xf7, 0x5f, 0x77, 0x51, 0x06, 0x87, 0x61, 0xde, 0xa2, 0x18, 0x0f, 0x40, 0x8b, 0x79, 0x72, 0xfa,
                0x8d, 0x1a, 0x44, 0x47, 0x0d, 0x8e, 0x3a, 0x2d, 0xc7, 0x39, 0xbf, 0x56, 0x28, 0x97, 0xd9, 0x20,
                0x4f, 0x00, 0x51, 0x3b,
        };

        _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *a = NULL, *rrsig = NULL, *dnskey = NULL;
        _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
        DnssecResult result;

        a = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_A, "nAsA.gov");
        assert_se(a);

        a->a.in_addr.s_addr = inet_addr("52.0.14.116");

        log_info("A: %s", strna(dns_resource_record_to_string(a)));

        rrsig = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_RRSIG, "NaSa.GOV.");
        assert_se(rrsig);

        rrsig->rrsig.type_covered = DNS_TYPE_A;
        rrsig->rrsig.algorithm = DNSSEC_ALGORITHM_RSASHA256;
        rrsig->rrsig.labels = 2;
        rrsig->rrsig.original_ttl = 600;
        rrsig->rrsig.expiration = 0x5683135c;
        rrsig->rrsig.inception = 0x565b7da8;
        rrsig->rrsig.key_tag = 63876;
        rrsig->rrsig.signer = strdup("Nasa.Gov.");
        assert_se(rrsig->rrsig.signer);
        rrsig->rrsig.signature_size = sizeof(signature_blob);
        rrsig->rrsig.signature = memdup(signature_blob, rrsig->rrsig.signature_size);
        assert_se(rrsig->rrsig.signature);

        log_info("RRSIG: %s", strna(dns_resource_record_to_string(rrsig)));

        dnskey = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DNSKEY, "nASA.gOV");
        assert_se(dnskey);

        dnskey->dnskey.flags = 256;
        dnskey->dnskey.protocol = 3;
        dnskey->dnskey.algorithm = DNSSEC_ALGORITHM_RSASHA256;
        dnskey->dnskey.key_size = sizeof(dnskey_blob);
        dnskey->dnskey.key = memdup(dnskey_blob, sizeof(dnskey_blob));
        assert_se(dnskey->dnskey.key);

        log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey)));
        log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey, false));

        assert_se(dnssec_key_match_rrsig(a->key, rrsig) > 0);
        assert_se(dnssec_rrsig_match_dnskey(rrsig, dnskey, false) > 0);

        answer = dns_answer_new(1);
        assert_se(answer);
        assert_se(dns_answer_add(answer, a, 0, DNS_ANSWER_AUTHENTICATED) >= 0);

        /* Validate the RR as it if was 2015-12-2 today */
        assert_se(dnssec_verify_rrset(answer, a->key, rrsig, dnskey, 1449092754*USEC_PER_SEC, &result) >= 0);
        assert_se(result == DNSSEC_VALIDATED);
}

static void test_dnssec_verify_rrset2(void) {

        static const uint8_t signature_blob[] = {
                0x48, 0x45, 0xc8, 0x8b, 0xc0, 0x14, 0x92, 0xf5, 0x15, 0xc6, 0x84, 0x9d, 0x2f, 0xe3, 0x32, 0x11,
                0x7d, 0xf1, 0xe6, 0x87, 0xb9, 0x42, 0xd3, 0x8b, 0x9e, 0xaf, 0x92, 0x31, 0x0a, 0x53, 0xad, 0x8b,
                0xa7, 0x5c, 0x83, 0x39, 0x8c, 0x28, 0xac, 0xce, 0x6e, 0x9c, 0x18, 0xe3, 0x31, 0x16, 0x6e, 0xca,
                0x38, 0x31, 0xaf, 0xd9, 0x94, 0xf1, 0x84, 0xb1, 0xdf, 0x5a, 0xc2, 0x73, 0x22, 0xf6, 0xcb, 0xa2,
                0xe7, 0x8c, 0x77, 0x0c, 0x74, 0x2f, 0xc2, 0x13, 0xb0, 0x93, 0x51, 0xa9, 0x4f, 0xae, 0x0a, 0xda,
                0x45, 0xcc, 0xfd, 0x43, 0x99, 0x36, 0x9a, 0x0d, 0x21, 0xe0, 0xeb, 0x30, 0x65, 0xd4, 0xa0, 0x27,
                0x37, 0x3b, 0xe4, 0xc1, 0xc5, 0xa1, 0x2a, 0xd1, 0x76, 0xc4, 0x7e, 0x64, 0x0e, 0x5a, 0xa6, 0x50,
                0x24, 0xd5, 0x2c, 0xcc, 0x6d, 0xe5, 0x37, 0xea, 0xbd, 0x09, 0x34, 0xed, 0x24, 0x06, 0xa1, 0x22,
        };

        static const uint8_t dnskey_blob[] = {
                0x03, 0x01, 0x00, 0x01, 0xc3, 0x7f, 0x1d, 0xd1, 0x1c, 0x97, 0xb1, 0x13, 0x34, 0x3a, 0x9a, 0xea,
                0xee, 0xd9, 0x5a, 0x11, 0x1b, 0x17, 0xc7, 0xe3, 0xd4, 0xda, 0x20, 0xbc, 0x5d, 0xba, 0x74, 0xe3,
                0x37, 0x99, 0xec, 0x25, 0xce, 0x93, 0x7f, 0xbd, 0x22, 0x73, 0x7e, 0x14, 0x71, 0xe0, 0x60, 0x07,
                0xd4, 0x39, 0x8b, 0x5e, 0xe9, 0xba, 0x25, 0xe8, 0x49, 0xe9, 0x34, 0xef, 0xfe, 0x04, 0x5c, 0xa5,
                0x27, 0xcd, 0xa9, 0xda, 0x70, 0x05, 0x21, 0xab, 0x15, 0x82, 0x24, 0xc3, 0x94, 0xf5, 0xd7, 0xb7,
                0xc4, 0x66, 0xcb, 0x32, 0x6e, 0x60, 0x2b, 0x55, 0x59, 0x28, 0x89, 0x8a, 0x72, 0xde, 0x88, 0x56,
                0x27, 0x95, 0xd9, 0xac, 0x88, 0x4f, 0x65, 0x2b, 0x68, 0xfc, 0xe6, 0x41, 0xc1, 0x1b, 0xef, 0x4e,
                0xd6, 0xc2, 0x0f, 0x64, 0x88, 0x95, 0x5e, 0xdd, 0x3a, 0x02, 0x07, 0x50, 0xa9, 0xda, 0xa4, 0x49,
                0x74, 0x62, 0xfe, 0xd7,
        };

        _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *nsec = NULL, *rrsig = NULL, *dnskey = NULL;
        _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
        DnssecResult result;

        nsec = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_NSEC, "nasa.gov");
        assert_se(nsec);

        nsec->nsec.next_domain_name = strdup("3D-Printing.nasa.gov");
        assert_se(nsec->nsec.next_domain_name);

        nsec->nsec.types = bitmap_new();
        assert_se(nsec->nsec.types);
        assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_A) >= 0);
        assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_NS) >= 0);
        assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_SOA) >= 0);
        assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_MX) >= 0);
        assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_TXT) >= 0);
        assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_RRSIG) >= 0);
        assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_NSEC) >= 0);
        assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_DNSKEY) >= 0);
        assert_se(bitmap_set(nsec->nsec.types, 65534) >= 0);

        log_info("NSEC: %s", strna(dns_resource_record_to_string(nsec)));

        rrsig = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_RRSIG, "NaSa.GOV.");
        assert_se(rrsig);

        rrsig->rrsig.type_covered = DNS_TYPE_NSEC;
        rrsig->rrsig.algorithm = DNSSEC_ALGORITHM_RSASHA256;
        rrsig->rrsig.labels = 2;
        rrsig->rrsig.original_ttl = 300;
        rrsig->rrsig.expiration = 0x5689002f;
        rrsig->rrsig.inception = 0x56617230;
        rrsig->rrsig.key_tag = 30390;
        rrsig->rrsig.signer = strdup("Nasa.Gov.");
        assert_se(rrsig->rrsig.signer);
        rrsig->rrsig.signature_size = sizeof(signature_blob);
        rrsig->rrsig.signature = memdup(signature_blob, rrsig->rrsig.signature_size);
        assert_se(rrsig->rrsig.signature);

        log_info("RRSIG: %s", strna(dns_resource_record_to_string(rrsig)));

        dnskey = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DNSKEY, "nASA.gOV");
        assert_se(dnskey);

        dnskey->dnskey.flags = 256;
        dnskey->dnskey.protocol = 3;
        dnskey->dnskey.algorithm = DNSSEC_ALGORITHM_RSASHA256;
        dnskey->dnskey.key_size = sizeof(dnskey_blob);
        dnskey->dnskey.key = memdup(dnskey_blob, sizeof(dnskey_blob));
        assert_se(dnskey->dnskey.key);

        log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey)));
        log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey, false));

        assert_se(dnssec_key_match_rrsig(nsec->key, rrsig) > 0);
        assert_se(dnssec_rrsig_match_dnskey(rrsig, dnskey, false) > 0);

        answer = dns_answer_new(1);
        assert_se(answer);
        assert_se(dns_answer_add(answer, nsec, 0, DNS_ANSWER_AUTHENTICATED) >= 0);

        /* Validate the RR as it if was 2015-12-11 today */
        assert_se(dnssec_verify_rrset(answer, nsec->key, rrsig, dnskey, 1449849318*USEC_PER_SEC, &result) >= 0);
        assert_se(result == DNSSEC_VALIDATED);
}

static void test_dnssec_nsec3_hash(void) {
        static const uint8_t salt[] = { 0xB0, 0x1D, 0xFA, 0xCE };
        static const uint8_t next_hashed_name[] = { 0x84, 0x10, 0x26, 0x53, 0xc9, 0xfa, 0x4d, 0x85, 0x6c, 0x97, 0x82, 0xe2, 0x8f, 0xdf, 0x2d, 0x5e, 0x87, 0x69, 0xc4, 0x52 };
        _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
        uint8_t h[DNSSEC_HASH_SIZE_MAX];
        _cleanup_free_ char *b = NULL;
        int k;

        /* The NSEC3 RR for eurid.eu on 2015-12-14. */
        rr = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_NSEC3, "PJ8S08RR45VIQDAQGE7EN3VHKNROTBMM.eurid.eu.");
        assert_se(rr);

        rr->nsec3.algorithm = DNSSEC_DIGEST_SHA1;
        rr->nsec3.flags = 1;
        rr->nsec3.iterations = 1;
        rr->nsec3.salt = memdup(salt, sizeof(salt));
        assert_se(rr->nsec3.salt);
        rr->nsec3.salt_size = sizeof(salt);
        rr->nsec3.next_hashed_name = memdup(next_hashed_name, sizeof(next_hashed_name));
        assert_se(rr->nsec3.next_hashed_name);
        rr->nsec3.next_hashed_name_size = sizeof(next_hashed_name);

        log_info("NSEC3: %s", strna(dns_resource_record_to_string(rr)));

        k = dnssec_nsec3_hash(rr, "eurid.eu", &h);
        assert_se(k >= 0);

        b = base32hexmem(h, k, false);
        assert_se(b);
        assert_se(strcasecmp(b, "PJ8S08RR45VIQDAQGE7EN3VHKNROTBMM") == 0);
}

#endif

int main(int argc, char*argv[]) {

        test_dnssec_canonicalize();

#if HAVE_GCRYPT
        test_dnssec_verify_dns_key();
        test_dnssec_verify_rrset();
        test_dnssec_verify_rrset2();
        test_dnssec_nsec3_hash();
#endif

        return 0;
}
Commit	Line	Data
2b442ac8 LP	1	/***
	2	This file is part of systemd.
	3
	4	Copyright 2015 Lennart Poettering
	5
	6	systemd is free software; you can redistribute it and/or modify it
	7	under the terms of the GNU Lesser General Public License as published by
	8	the Free Software Foundation; either version 2.1 of the License, or
	9	(at your option) any later version.
	10
	11	systemd is distributed in the hope that it will be useful, but
	12	WITHOUT ANY WARRANTY; without even the implied warranty of
	13	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	14	Lesser General Public License for more details.
	15
	16	You should have received a copy of the GNU Lesser General Public License
	17	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	18	***/
	19
	20	#include <arpa/inet.h>
	21	#include <netinet/in.h>
	22	#include <sys/socket.h>
	23
	24	#include "alloc-util.h"
	25	#include "resolved-dns-dnssec.h"
2b442ac8 LP	26	#include "resolved-dns-rr.h"
2b442ac8 LP	27	#include "string-util.h"
72667f08	28	#include "hexdecoct.h"
2b442ac8	29
1691cfd8 ZJS	30	static void test_dnssec_canonicalize_one(const char original, const char canonical, int r) {
1691cfd8 ZJS	31	char canonicalized[DNSSEC_CANONICAL_HOSTNAME_MAX];
a3db237b	32
1691cfd8 ZJS	33	assert_se(dnssec_canonicalize(original, canonicalized, sizeof(canonicalized)) == r);
	34	if (r < 0)
	35	return;
a3db237b	36
1691cfd8 ZJS	37	assert_se(streq(canonicalized, canonical));
	38	}
	39
	40	static void test_dnssec_canonicalize(void) {
	41	test_dnssec_canonicalize_one("", ".", 1);
	42	test_dnssec_canonicalize_one(".", ".", 1);
	43	test_dnssec_canonicalize_one("foo", "foo.", 4);
	44	test_dnssec_canonicalize_one("foo.", "foo.", 4);
	45	test_dnssec_canonicalize_one("FOO.", "foo.", 4);
	46	test_dnssec_canonicalize_one("FOO.bar.", "foo.bar.", 8);
	47	test_dnssec_canonicalize_one("FOO..bar.", NULL, -EINVAL);
	48	}
	49
349cc4a5	50	#if HAVE_GCRYPT
1691cfd8 ZJS	51
	52	static void test_dnssec_verify_dns_key(void) {
	53
	54	static const uint8_t ds1_fprint[] = {
	55	0x46, 0x8B, 0xC8, 0xDD, 0xC7, 0xE8, 0x27, 0x03, 0x40, 0xBB, 0x8A, 0x1F, 0x3B, 0x2E, 0x45, 0x9D,
	56	0x80, 0x67, 0x14, 0x01,
	57	};
	58	static const uint8_t ds2_fprint[] = {
	59	0x8A, 0xEE, 0x80, 0x47, 0x05, 0x5F, 0x83, 0xD1, 0x48, 0xBA, 0x8F, 0xF6, 0xDD, 0xA7, 0x60, 0xCE,
	60	0x94, 0xF7, 0xC7, 0x5E, 0x52, 0x4C, 0xF2, 0xE9, 0x50, 0xB9, 0x2E, 0xCB, 0xEF, 0x96, 0xB9, 0x98,
	61	};
a3db237b	62	static const uint8_t dnskey_blob[] = {
1691cfd8 ZJS	63	0x03, 0x01, 0x00, 0x01, 0xa8, 0x12, 0xda, 0x4f, 0xd2, 0x7d, 0x54, 0x14, 0x0e, 0xcc, 0x5b, 0x5e,
	64	0x45, 0x9c, 0x96, 0x98, 0xc0, 0xc0, 0x85, 0x81, 0xb1, 0x47, 0x8c, 0x7d, 0xe8, 0x39, 0x50, 0xcc,
	65	0xc5, 0xd0, 0xf2, 0x00, 0x81, 0x67, 0x79, 0xf6, 0xcc, 0x9d, 0xad, 0x6c, 0xbb, 0x7b, 0x6f, 0x48,
	66	0x97, 0x15, 0x1c, 0xfd, 0x0b, 0xfe, 0xd3, 0xd7, 0x7d, 0x9f, 0x81, 0x26, 0xd3, 0xc5, 0x65, 0x49,
	67	0xcf, 0x46, 0x62, 0xb0, 0x55, 0x6e, 0x47, 0xc7, 0x30, 0xef, 0x51, 0xfb, 0x3e, 0xc6, 0xef, 0xde,
	68	0x27, 0x3f, 0xfa, 0x57, 0x2d, 0xa7, 0x1d, 0x80, 0x46, 0x9a, 0x5f, 0x14, 0xb3, 0xb0, 0x2c, 0xbe,
	69	0x72, 0xca, 0xdf, 0xb2, 0xff, 0x36, 0x5b, 0x4f, 0xec, 0x58, 0x8e, 0x8d, 0x01, 0xe9, 0xa9, 0xdf,
	70	0xb5, 0x60, 0xad, 0x52, 0x4d, 0xfc, 0xa9, 0x3e, 0x8d, 0x35, 0x95, 0xb3, 0x4e, 0x0f, 0xca, 0x45,
	71	0x1b, 0xf7, 0xef, 0x3a, 0x88, 0x25, 0x08, 0xc7, 0x4e, 0x06, 0xc1, 0x62, 0x1a, 0xce, 0xd8, 0x77,
	72	0xbd, 0x02, 0x65, 0xf8, 0x49, 0xfb, 0xce, 0xf6, 0xa8, 0x09, 0xfc, 0xde, 0xb2, 0x09, 0x9d, 0x39,
	73	0xf8, 0x63, 0x9c, 0x32, 0x42, 0x7c, 0xa0, 0x30, 0x86, 0x72, 0x7a, 0x4a, 0xc6, 0xd4, 0xb3, 0x2d,
	74	0x24, 0xef, 0x96, 0x3f, 0xc2, 0xda, 0xd3, 0xf2, 0x15, 0x6f, 0xda, 0x65, 0x4b, 0x81, 0x28, 0x68,
	75	0xf4, 0xfe, 0x3e, 0x71, 0x4f, 0x50, 0x96, 0x72, 0x58, 0xa1, 0x89, 0xdd, 0x01, 0x61, 0x39, 0x39,
	76	0xc6, 0x76, 0xa4, 0xda, 0x02, 0x70, 0x3d, 0xc0, 0xdc, 0x8d, 0x70, 0x72, 0x04, 0x90, 0x79, 0xd4,
	77	0xec, 0x65, 0xcf, 0x49, 0x35, 0x25, 0x3a, 0x14, 0x1a, 0x45, 0x20, 0xeb, 0x31, 0xaf, 0x92, 0xba,
	78	0x20, 0xd3, 0xcd, 0xa7, 0x13, 0x44, 0xdc, 0xcf, 0xf0, 0x27, 0x34, 0xb9, 0xe7, 0x24, 0x6f, 0x73,
	79	0xe7, 0xea, 0x77, 0x03,
a3db237b LP	80	};
a3db237b LP	81
1691cfd8	82	_cleanup_(dns_resource_record_unrefp) DnsResourceRecord dnskey = NULL, ds1 = NULL, *ds2 = NULL;
a3db237b	83
1691cfd8 ZJS	84	/* The two DS RRs in effect for nasa.gov on 2015-12-01. */
	85	ds1 = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DS, "nasa.gov");
	86	assert_se(ds1);
a3db237b	87
1691cfd8 ZJS	88	ds1->ds.key_tag = 47857;
	89	ds1->ds.algorithm = DNSSEC_ALGORITHM_RSASHA256;
	90	ds1->ds.digest_type = DNSSEC_DIGEST_SHA1;
	91	ds1->ds.digest_size = sizeof(ds1_fprint);
	92	ds1->ds.digest = memdup(ds1_fprint, ds1->ds.digest_size);
	93	assert_se(ds1->ds.digest);
a3db237b	94
1691cfd8	95	log_info("DS1: %s", strna(dns_resource_record_to_string(ds1)));
a3db237b	96
1691cfd8 ZJS	97	ds2 = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DS, "NASA.GOV");
1691cfd8 ZJS	98	assert_se(ds2);
a3db237b	99
1691cfd8 ZJS	100	ds2->ds.key_tag = 47857;
	101	ds2->ds.algorithm = DNSSEC_ALGORITHM_RSASHA256;
	102	ds2->ds.digest_type = DNSSEC_DIGEST_SHA256;
	103	ds2->ds.digest_size = sizeof(ds2_fprint);
	104	ds2->ds.digest = memdup(ds2_fprint, ds2->ds.digest_size);
	105	assert_se(ds2->ds.digest);
a3db237b	106
1691cfd8	107	log_info("DS2: %s", strna(dns_resource_record_to_string(ds2)));
a3db237b	108
1691cfd8	109	dnskey = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DNSKEY, "nasa.GOV");
a3db237b LP	110	assert_se(dnskey);
a3db237b LP	111
1691cfd8	112	dnskey->dnskey.flags = 257;
a3db237b LP	113	dnskey->dnskey.protocol = 3;
	114	dnskey->dnskey.algorithm = DNSSEC_ALGORITHM_RSASHA256;
	115	dnskey->dnskey.key_size = sizeof(dnskey_blob);
	116	dnskey->dnskey.key = memdup(dnskey_blob, sizeof(dnskey_blob));
	117	assert_se(dnskey->dnskey.key);
	118
7b50eb2e	119	log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey)));
0c857028	120	log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey, false));
a3db237b	121
1691cfd8 ZJS	122	assert_se(dnssec_verify_dnskey_by_ds(dnskey, ds1, false) > 0);
1691cfd8 ZJS	123	assert_se(dnssec_verify_dnskey_by_ds(dnskey, ds2, false) > 0);
a3db237b LP	124	}
a3db237b LP	125
2b442ac8 LP	126	static void test_dnssec_verify_rrset(void) {
	127
	128	static const uint8_t signature_blob[] = {
	129	0x7f, 0x79, 0xdd, 0x5e, 0x89, 0x79, 0x18, 0xd0, 0x34, 0x86, 0x8c, 0x72, 0x77, 0x75, 0x48, 0x4d,
	130	0xc3, 0x7d, 0x38, 0x04, 0xab, 0xcd, 0x9e, 0x4c, 0x82, 0xb0, 0x92, 0xca, 0xe9, 0x66, 0xe9, 0x6e,
	131	0x47, 0xc7, 0x68, 0x8c, 0x94, 0xf6, 0x69, 0xcb, 0x75, 0x94, 0xe6, 0x30, 0xa6, 0xfb, 0x68, 0x64,
	132	0x96, 0x1a, 0x84, 0xe1, 0xdc, 0x16, 0x4c, 0x83, 0x6c, 0x44, 0xf2, 0x74, 0x4d, 0x74, 0x79, 0x8f,
	133	0xf3, 0xf4, 0x63, 0x0d, 0xef, 0x5a, 0xe7, 0xe2, 0xfd, 0xf2, 0x2b, 0x38, 0x7c, 0x28, 0x96, 0x9d,
	134	0xb6, 0xcd, 0x5c, 0x3b, 0x57, 0xe2, 0x24, 0x78, 0x65, 0xd0, 0x9e, 0x77, 0x83, 0x09, 0x6c, 0xff,
	135	0x3d, 0x52, 0x3f, 0x6e, 0xd1, 0xed, 0x2e, 0xf9, 0xee, 0x8e, 0xa6, 0xbe, 0x9a, 0xa8, 0x87, 0x76,
	136	0xd8, 0x77, 0xcc, 0x96, 0xa0, 0x98, 0xa1, 0xd1, 0x68, 0x09, 0x43, 0xcf, 0x56, 0xd9, 0xd1, 0x66,
	137	};
	138
	139	static const uint8_t dnskey_blob[] = {
	140	0x03, 0x01, 0x00, 0x01, 0x9b, 0x49, 0x9b, 0xc1, 0xf9, 0x9a, 0xe0, 0x4e, 0xcf, 0xcb, 0x14, 0x45,
	141	0x2e, 0xc9, 0xf9, 0x74, 0xa7, 0x18, 0xb5, 0xf3, 0xde, 0x39, 0x49, 0xdf, 0x63, 0x33, 0x97, 0x52,
	142	0xe0, 0x8e, 0xac, 0x50, 0x30, 0x8e, 0x09, 0xd5, 0x24, 0x3d, 0x26, 0xa4, 0x49, 0x37, 0x2b, 0xb0,
	143	0x6b, 0x1b, 0xdf, 0xde, 0x85, 0x83, 0xcb, 0x22, 0x4e, 0x60, 0x0a, 0x91, 0x1a, 0x1f, 0xc5, 0x40,
	144	0xb1, 0xc3, 0x15, 0xc1, 0x54, 0x77, 0x86, 0x65, 0x53, 0xec, 0x10, 0x90, 0x0c, 0x91, 0x00, 0x5e,
	145	0x15, 0xdc, 0x08, 0x02, 0x4c, 0x8c, 0x0d, 0xc0, 0xac, 0x6e, 0xc4, 0x3e, 0x1b, 0x80, 0x19, 0xe4,
	146	0xf7, 0x5f, 0x77, 0x51, 0x06, 0x87, 0x61, 0xde, 0xa2, 0x18, 0x0f, 0x40, 0x8b, 0x79, 0x72, 0xfa,
	147	0x8d, 0x1a, 0x44, 0x47, 0x0d, 0x8e, 0x3a, 0x2d, 0xc7, 0x39, 0xbf, 0x56, 0x28, 0x97, 0xd9, 0x20,
	148	0x4f, 0x00, 0x51, 0x3b,
	149	};
	150
	151	_cleanup_(dns_resource_record_unrefp) DnsResourceRecord a = NULL, rrsig = NULL, *dnskey = NULL;
	152	_cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
547973de	153	DnssecResult result;
2b442ac8 LP	154
	155	a = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_A, "nAsA.gov");
	156	assert_se(a);
	157
	158	a->a.in_addr.s_addr = inet_addr("52.0.14.116");
	159
7b50eb2e	160	log_info("A: %s", strna(dns_resource_record_to_string(a)));
2b442ac8 LP	161
	162	rrsig = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_RRSIG, "NaSa.GOV.");
	163	assert_se(rrsig);
	164
	165	rrsig->rrsig.type_covered = DNS_TYPE_A;
	166	rrsig->rrsig.algorithm = DNSSEC_ALGORITHM_RSASHA256;
	167	rrsig->rrsig.labels = 2;
	168	rrsig->rrsig.original_ttl = 600;
	169	rrsig->rrsig.expiration = 0x5683135c;
	170	rrsig->rrsig.inception = 0x565b7da8;
	171	rrsig->rrsig.key_tag = 63876;
	172	rrsig->rrsig.signer = strdup("Nasa.Gov.");
	173	assert_se(rrsig->rrsig.signer);
	174	rrsig->rrsig.signature_size = sizeof(signature_blob);
	175	rrsig->rrsig.signature = memdup(signature_blob, rrsig->rrsig.signature_size);
	176	assert_se(rrsig->rrsig.signature);
	177
7b50eb2e	178	log_info("RRSIG: %s", strna(dns_resource_record_to_string(rrsig)));
2b442ac8 LP	179
	180	dnskey = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DNSKEY, "nASA.gOV");
	181	assert_se(dnskey);
	182
	183	dnskey->dnskey.flags = 256;
	184	dnskey->dnskey.protocol = 3;
	185	dnskey->dnskey.algorithm = DNSSEC_ALGORITHM_RSASHA256;
	186	dnskey->dnskey.key_size = sizeof(dnskey_blob);
	187	dnskey->dnskey.key = memdup(dnskey_blob, sizeof(dnskey_blob));
	188	assert_se(dnskey->dnskey.key);
	189
7b50eb2e	190	log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey)));
0c857028	191	log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey, false));
2b442ac8 LP	192
2b442ac8 LP	193	assert_se(dnssec_key_match_rrsig(a->key, rrsig) > 0);
0c857028	194	assert_se(dnssec_rrsig_match_dnskey(rrsig, dnskey, false) > 0);
2b442ac8 LP	195
	196	answer = dns_answer_new(1);
	197	assert_se(answer);
105e1512	198	assert_se(dns_answer_add(answer, a, 0, DNS_ANSWER_AUTHENTICATED) >= 0);
2b442ac8	199
2a326321	200	/* Validate the RR as it if was 2015-12-2 today */
547973de LP	201	assert_se(dnssec_verify_rrset(answer, a->key, rrsig, dnskey, 1449092754*USEC_PER_SEC, &result) >= 0);
547973de LP	202	assert_se(result == DNSSEC_VALIDATED);
2b442ac8 LP	203	}
2b442ac8 LP	204
1691cfd8	205	static void test_dnssec_verify_rrset2(void) {
2b442ac8	206
1691cfd8 ZJS	207	static const uint8_t signature_blob[] = {
	208	0x48, 0x45, 0xc8, 0x8b, 0xc0, 0x14, 0x92, 0xf5, 0x15, 0xc6, 0x84, 0x9d, 0x2f, 0xe3, 0x32, 0x11,
	209	0x7d, 0xf1, 0xe6, 0x87, 0xb9, 0x42, 0xd3, 0x8b, 0x9e, 0xaf, 0x92, 0x31, 0x0a, 0x53, 0xad, 0x8b,
	210	0xa7, 0x5c, 0x83, 0x39, 0x8c, 0x28, 0xac, 0xce, 0x6e, 0x9c, 0x18, 0xe3, 0x31, 0x16, 0x6e, 0xca,
	211	0x38, 0x31, 0xaf, 0xd9, 0x94, 0xf1, 0x84, 0xb1, 0xdf, 0x5a, 0xc2, 0x73, 0x22, 0xf6, 0xcb, 0xa2,
	212	0xe7, 0x8c, 0x77, 0x0c, 0x74, 0x2f, 0xc2, 0x13, 0xb0, 0x93, 0x51, 0xa9, 0x4f, 0xae, 0x0a, 0xda,
	213	0x45, 0xcc, 0xfd, 0x43, 0x99, 0x36, 0x9a, 0x0d, 0x21, 0xe0, 0xeb, 0x30, 0x65, 0xd4, 0xa0, 0x27,
	214	0x37, 0x3b, 0xe4, 0xc1, 0xc5, 0xa1, 0x2a, 0xd1, 0x76, 0xc4, 0x7e, 0x64, 0x0e, 0x5a, 0xa6, 0x50,
	215	0x24, 0xd5, 0x2c, 0xcc, 0x6d, 0xe5, 0x37, 0xea, 0xbd, 0x09, 0x34, 0xed, 0x24, 0x06, 0xa1, 0x22,
2b442ac8	216	};
1691cfd8	217
2b442ac8	218	static const uint8_t dnskey_blob[] = {
1691cfd8 ZJS	219	0x03, 0x01, 0x00, 0x01, 0xc3, 0x7f, 0x1d, 0xd1, 0x1c, 0x97, 0xb1, 0x13, 0x34, 0x3a, 0x9a, 0xea,
	220	0xee, 0xd9, 0x5a, 0x11, 0x1b, 0x17, 0xc7, 0xe3, 0xd4, 0xda, 0x20, 0xbc, 0x5d, 0xba, 0x74, 0xe3,
	221	0x37, 0x99, 0xec, 0x25, 0xce, 0x93, 0x7f, 0xbd, 0x22, 0x73, 0x7e, 0x14, 0x71, 0xe0, 0x60, 0x07,
	222	0xd4, 0x39, 0x8b, 0x5e, 0xe9, 0xba, 0x25, 0xe8, 0x49, 0xe9, 0x34, 0xef, 0xfe, 0x04, 0x5c, 0xa5,
	223	0x27, 0xcd, 0xa9, 0xda, 0x70, 0x05, 0x21, 0xab, 0x15, 0x82, 0x24, 0xc3, 0x94, 0xf5, 0xd7, 0xb7,
	224	0xc4, 0x66, 0xcb, 0x32, 0x6e, 0x60, 0x2b, 0x55, 0x59, 0x28, 0x89, 0x8a, 0x72, 0xde, 0x88, 0x56,
	225	0x27, 0x95, 0xd9, 0xac, 0x88, 0x4f, 0x65, 0x2b, 0x68, 0xfc, 0xe6, 0x41, 0xc1, 0x1b, 0xef, 0x4e,
	226	0xd6, 0xc2, 0x0f, 0x64, 0x88, 0x95, 0x5e, 0xdd, 0x3a, 0x02, 0x07, 0x50, 0xa9, 0xda, 0xa4, 0x49,
	227	0x74, 0x62, 0xfe, 0xd7,
2b442ac8 LP	228	};
2b442ac8 LP	229
1691cfd8 ZJS	230	_cleanup_(dns_resource_record_unrefp) DnsResourceRecord nsec = NULL, rrsig = NULL, *dnskey = NULL;
	231	_cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
	232	DnssecResult result;
2b442ac8	233
1691cfd8 ZJS	234	nsec = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_NSEC, "nasa.gov");
1691cfd8 ZJS	235	assert_se(nsec);
2b442ac8	236
1691cfd8 ZJS	237	nsec->nsec.next_domain_name = strdup("3D-Printing.nasa.gov");
1691cfd8 ZJS	238	assert_se(nsec->nsec.next_domain_name);
2b442ac8	239
1691cfd8 ZJS	240	nsec->nsec.types = bitmap_new();
	241	assert_se(nsec->nsec.types);
	242	assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_A) >= 0);
	243	assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_NS) >= 0);
	244	assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_SOA) >= 0);
	245	assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_MX) >= 0);
	246	assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_TXT) >= 0);
	247	assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_RRSIG) >= 0);
	248	assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_NSEC) >= 0);
	249	assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_DNSKEY) >= 0);
	250	assert_se(bitmap_set(nsec->nsec.types, 65534) >= 0);
2b442ac8	251
1691cfd8	252	log_info("NSEC: %s", strna(dns_resource_record_to_string(nsec)));
2b442ac8	253
1691cfd8 ZJS	254	rrsig = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_RRSIG, "NaSa.GOV.");
1691cfd8 ZJS	255	assert_se(rrsig);
2b442ac8	256
1691cfd8 ZJS	257	rrsig->rrsig.type_covered = DNS_TYPE_NSEC;
	258	rrsig->rrsig.algorithm = DNSSEC_ALGORITHM_RSASHA256;
	259	rrsig->rrsig.labels = 2;
	260	rrsig->rrsig.original_ttl = 300;
	261	rrsig->rrsig.expiration = 0x5689002f;
	262	rrsig->rrsig.inception = 0x56617230;
	263	rrsig->rrsig.key_tag = 30390;
	264	rrsig->rrsig.signer = strdup("Nasa.Gov.");
	265	assert_se(rrsig->rrsig.signer);
	266	rrsig->rrsig.signature_size = sizeof(signature_blob);
	267	rrsig->rrsig.signature = memdup(signature_blob, rrsig->rrsig.signature_size);
	268	assert_se(rrsig->rrsig.signature);
2b442ac8	269
1691cfd8 ZJS	270	log_info("RRSIG: %s", strna(dns_resource_record_to_string(rrsig)));
	271
	272	dnskey = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DNSKEY, "nASA.gOV");
2b442ac8 LP	273	assert_se(dnskey);
2b442ac8 LP	274
1691cfd8	275	dnskey->dnskey.flags = 256;
2b442ac8 LP	276	dnskey->dnskey.protocol = 3;
	277	dnskey->dnskey.algorithm = DNSSEC_ALGORITHM_RSASHA256;
	278	dnskey->dnskey.key_size = sizeof(dnskey_blob);
	279	dnskey->dnskey.key = memdup(dnskey_blob, sizeof(dnskey_blob));
	280	assert_se(dnskey->dnskey.key);
	281
7b50eb2e	282	log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey)));
0c857028	283	log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey, false));
2b442ac8	284
1691cfd8 ZJS	285	assert_se(dnssec_key_match_rrsig(nsec->key, rrsig) > 0);
1691cfd8 ZJS	286	assert_se(dnssec_rrsig_match_dnskey(rrsig, dnskey, false) > 0);
2b442ac8	287
1691cfd8 ZJS	288	answer = dns_answer_new(1);
	289	assert_se(answer);
	290	assert_se(dns_answer_add(answer, nsec, 0, DNS_ANSWER_AUTHENTICATED) >= 0);
2b442ac8	291
1691cfd8 ZJS	292	/* Validate the RR as it if was 2015-12-11 today */
	293	assert_se(dnssec_verify_rrset(answer, nsec->key, rrsig, dnskey, 1449849318*USEC_PER_SEC, &result) >= 0);
	294	assert_se(result == DNSSEC_VALIDATED);
2b442ac8 LP	295	}
2b442ac8 LP	296
72667f08 LP	297	static void test_dnssec_nsec3_hash(void) {
	298	static const uint8_t salt[] = { 0xB0, 0x1D, 0xFA, 0xCE };
	299	static const uint8_t next_hashed_name[] = { 0x84, 0x10, 0x26, 0x53, 0xc9, 0xfa, 0x4d, 0x85, 0x6c, 0x97, 0x82, 0xe2, 0x8f, 0xdf, 0x2d, 0x5e, 0x87, 0x69, 0xc4, 0x52 };
	300	_cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
72667f08	301	uint8_t h[DNSSEC_HASH_SIZE_MAX];
7b50eb2e	302	_cleanup_free_ char *b = NULL;
72667f08 LP	303	int k;
	304
	305	/* The NSEC3 RR for eurid.eu on 2015-12-14. */
	306	rr = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_NSEC3, "PJ8S08RR45VIQDAQGE7EN3VHKNROTBMM.eurid.eu.");
	307	assert_se(rr);
	308
	309	rr->nsec3.algorithm = DNSSEC_DIGEST_SHA1;
	310	rr->nsec3.flags = 1;
	311	rr->nsec3.iterations = 1;
	312	rr->nsec3.salt = memdup(salt, sizeof(salt));
	313	assert_se(rr->nsec3.salt);
	314	rr->nsec3.salt_size = sizeof(salt);
	315	rr->nsec3.next_hashed_name = memdup(next_hashed_name, sizeof(next_hashed_name));
	316	assert_se(rr->nsec3.next_hashed_name);
	317	rr->nsec3.next_hashed_name_size = sizeof(next_hashed_name);
	318
7b50eb2e	319	log_info("NSEC3: %s", strna(dns_resource_record_to_string(rr)));
72667f08 LP	320
	321	k = dnssec_nsec3_hash(rr, "eurid.eu", &h);
	322	assert_se(k >= 0);
	323
	324	b = base32hexmem(h, k, false);
	325	assert_se(b);
	326	assert_se(strcasecmp(b, "PJ8S08RR45VIQDAQGE7EN3VHKNROTBMM") == 0);
	327	}
	328
1691cfd8 ZJS	329	#endif
1691cfd8 ZJS	330
2b442ac8 LP	331	int main(int argc, char*argv[]) {
	332
	333	test_dnssec_canonicalize();
1691cfd8	334
349cc4a5	335	#if HAVE_GCRYPT
2b442ac8 LP	336	test_dnssec_verify_dns_key();
2b442ac8 LP	337	test_dnssec_verify_rrset();
a3db237b	338	test_dnssec_verify_rrset2();
72667f08	339	test_dnssec_nsec3_hash();
a915abf3	340	#endif
2b442ac8 LP	341
	342	return 0;
	343	}