2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering This file is part of systemd.
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering Copyright 2015 Lennart Poettering
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering systemd is free software; you can redistribute it and/or modify it
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering under the terms of the GNU Lesser General Public License as published by
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering the Free Software Foundation; either version 2.1 of the License, or
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering (at your option) any later version.
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering systemd is distributed in the hope that it will be useful, but
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering WITHOUT ANY WARRANTY; without even the implied warranty of
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering Lesser General Public License for more details.
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering You should have received a copy of the GNU Lesser General Public License
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering along with systemd; If not, see <http://www.gnu.org/licenses/>.
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poetteringstatic void test_dnssec_verify_rrset2(void) {
111befce5514d590e9b334a547559bd0ecf8df8dThomas Hindoe Paaboel Andersen static const uint8_t signature_blob[] = {
111befce5514d590e9b334a547559bd0ecf8df8dThomas Hindoe Paaboel Andersen 0x48, 0x45, 0xc8, 0x8b, 0xc0, 0x14, 0x92, 0xf5, 0x15, 0xc6, 0x84, 0x9d, 0x2f, 0xe3, 0x32, 0x11,
111befce5514d590e9b334a547559bd0ecf8df8dThomas Hindoe Paaboel Andersen 0x7d, 0xf1, 0xe6, 0x87, 0xb9, 0x42, 0xd3, 0x8b, 0x9e, 0xaf, 0x92, 0x31, 0x0a, 0x53, 0xad, 0x8b,
111befce5514d590e9b334a547559bd0ecf8df8dThomas Hindoe Paaboel Andersen 0xa7, 0x5c, 0x83, 0x39, 0x8c, 0x28, 0xac, 0xce, 0x6e, 0x9c, 0x18, 0xe3, 0x31, 0x16, 0x6e, 0xca,
111befce5514d590e9b334a547559bd0ecf8df8dThomas Hindoe Paaboel Andersen 0x38, 0x31, 0xaf, 0xd9, 0x94, 0xf1, 0x84, 0xb1, 0xdf, 0x5a, 0xc2, 0x73, 0x22, 0xf6, 0xcb, 0xa2,
111befce5514d590e9b334a547559bd0ecf8df8dThomas Hindoe Paaboel Andersen 0xe7, 0x8c, 0x77, 0x0c, 0x74, 0x2f, 0xc2, 0x13, 0xb0, 0x93, 0x51, 0xa9, 0x4f, 0xae, 0x0a, 0xda,
111befce5514d590e9b334a547559bd0ecf8df8dThomas Hindoe Paaboel Andersen 0x45, 0xcc, 0xfd, 0x43, 0x99, 0x36, 0x9a, 0x0d, 0x21, 0xe0, 0xeb, 0x30, 0x65, 0xd4, 0xa0, 0x27,
111befce5514d590e9b334a547559bd0ecf8df8dThomas Hindoe Paaboel Andersen 0x37, 0x3b, 0xe4, 0xc1, 0xc5, 0xa1, 0x2a, 0xd1, 0x76, 0xc4, 0x7e, 0x64, 0x0e, 0x5a, 0xa6, 0x50,
111befce5514d590e9b334a547559bd0ecf8df8dThomas Hindoe Paaboel Andersen 0x24, 0xd5, 0x2c, 0xcc, 0x6d, 0xe5, 0x37, 0xea, 0xbd, 0x09, 0x34, 0xed, 0x24, 0x06, 0xa1, 0x22,
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering 0x03, 0x01, 0x00, 0x01, 0xc3, 0x7f, 0x1d, 0xd1, 0x1c, 0x97, 0xb1, 0x13, 0x34, 0x3a, 0x9a, 0xea,
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering 0xee, 0xd9, 0x5a, 0x11, 0x1b, 0x17, 0xc7, 0xe3, 0xd4, 0xda, 0x20, 0xbc, 0x5d, 0xba, 0x74, 0xe3,
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering 0x37, 0x99, 0xec, 0x25, 0xce, 0x93, 0x7f, 0xbd, 0x22, 0x73, 0x7e, 0x14, 0x71, 0xe0, 0x60, 0x07,
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering 0xd4, 0x39, 0x8b, 0x5e, 0xe9, 0xba, 0x25, 0xe8, 0x49, 0xe9, 0x34, 0xef, 0xfe, 0x04, 0x5c, 0xa5,
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering 0x27, 0xcd, 0xa9, 0xda, 0x70, 0x05, 0x21, 0xab, 0x15, 0x82, 0x24, 0xc3, 0x94, 0xf5, 0xd7, 0xb7,
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering 0xc4, 0x66, 0xcb, 0x32, 0x6e, 0x60, 0x2b, 0x55, 0x59, 0x28, 0x89, 0x8a, 0x72, 0xde, 0x88, 0x56,
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering 0x27, 0x95, 0xd9, 0xac, 0x88, 0x4f, 0x65, 0x2b, 0x68, 0xfc, 0xe6, 0x41, 0xc1, 0x1b, 0xef, 0x4e,
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering 0xd6, 0xc2, 0x0f, 0x64, 0x88, 0x95, 0x5e, 0xdd, 0x3a, 0x02, 0x07, 0x50, 0xa9, 0xda, 0xa4, 0x49,
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *nsec = NULL, *rrsig = NULL, *dnskey = NULL;
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering nsec = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_NSEC, "nasa.gov");
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering nsec->nsec.next_domain_name = strdup("3D-Printing.nasa.gov");
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_A) >= 0);
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_NS) >= 0);
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_SOA) >= 0);
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_MX) >= 0);
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_TXT) >= 0);
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_RRSIG) >= 0);
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_NSEC) >= 0);
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering assert_se(bitmap_set(nsec->nsec.types, DNS_TYPE_DNSKEY) >= 0);
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering assert_se(bitmap_set(nsec->nsec.types, 65534) >= 0);
7b50eb2efa122200e39646c19a29abab302f7d24Lennart Poettering log_info("NSEC: %s", strna(dns_resource_record_to_string(nsec)));
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering rrsig = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_RRSIG, "NaSa.GOV.");
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering rrsig->rrsig.type_covered = DNS_TYPE_NSEC;
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering rrsig->rrsig.algorithm = DNSSEC_ALGORITHM_RSASHA256;
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering rrsig->rrsig.signer = strdup("Nasa.Gov.");
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering rrsig->rrsig.signature_size = sizeof(signature_blob);
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering rrsig->rrsig.signature = memdup(signature_blob, rrsig->rrsig.signature_size);
7b50eb2efa122200e39646c19a29abab302f7d24Lennart Poettering log_info("RRSIG: %s", strna(dns_resource_record_to_string(rrsig)));
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering dnskey = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DNSKEY, "nASA.gOV");
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering dnskey->dnskey.algorithm = DNSSEC_ALGORITHM_RSASHA256;
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering dnskey->dnskey.key_size = sizeof(dnskey_blob);
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering dnskey->dnskey.key = memdup(dnskey_blob, sizeof(dnskey_blob));
7b50eb2efa122200e39646c19a29abab302f7d24Lennart Poettering log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey)));
0c8570287400ba57d3705a2f62dd26039121ea6fLennart Poettering log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey, false));
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering assert_se(dnssec_key_match_rrsig(nsec->key, rrsig) > 0);
0c8570287400ba57d3705a2f62dd26039121ea6fLennart Poettering assert_se(dnssec_rrsig_match_dnskey(rrsig, dnskey, false) > 0);
105e151299dc1208855380be2b22d0db2d66ebc6Lennart Poettering assert_se(dns_answer_add(answer, nsec, 0, DNS_ANSWER_AUTHENTICATED) >= 0);
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering /* Validate the RR as it if was 2015-12-11 today */
a3db237b8f1b97867395e1419f39b8ba5749b777Lennart Poettering assert_se(dnssec_verify_rrset(answer, nsec->key, rrsig, dnskey, 1449849318*USEC_PER_SEC, &result) >= 0);
2b442ac87838be7c326c984d8751c96dee7258abLennart Poetteringstatic void test_dnssec_verify_rrset(void) {
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering static const uint8_t signature_blob[] = {
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0x7f, 0x79, 0xdd, 0x5e, 0x89, 0x79, 0x18, 0xd0, 0x34, 0x86, 0x8c, 0x72, 0x77, 0x75, 0x48, 0x4d,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0xc3, 0x7d, 0x38, 0x04, 0xab, 0xcd, 0x9e, 0x4c, 0x82, 0xb0, 0x92, 0xca, 0xe9, 0x66, 0xe9, 0x6e,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0x47, 0xc7, 0x68, 0x8c, 0x94, 0xf6, 0x69, 0xcb, 0x75, 0x94, 0xe6, 0x30, 0xa6, 0xfb, 0x68, 0x64,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0x96, 0x1a, 0x84, 0xe1, 0xdc, 0x16, 0x4c, 0x83, 0x6c, 0x44, 0xf2, 0x74, 0x4d, 0x74, 0x79, 0x8f,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0xf3, 0xf4, 0x63, 0x0d, 0xef, 0x5a, 0xe7, 0xe2, 0xfd, 0xf2, 0x2b, 0x38, 0x7c, 0x28, 0x96, 0x9d,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0xb6, 0xcd, 0x5c, 0x3b, 0x57, 0xe2, 0x24, 0x78, 0x65, 0xd0, 0x9e, 0x77, 0x83, 0x09, 0x6c, 0xff,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0x3d, 0x52, 0x3f, 0x6e, 0xd1, 0xed, 0x2e, 0xf9, 0xee, 0x8e, 0xa6, 0xbe, 0x9a, 0xa8, 0x87, 0x76,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0xd8, 0x77, 0xcc, 0x96, 0xa0, 0x98, 0xa1, 0xd1, 0x68, 0x09, 0x43, 0xcf, 0x56, 0xd9, 0xd1, 0x66,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0x03, 0x01, 0x00, 0x01, 0x9b, 0x49, 0x9b, 0xc1, 0xf9, 0x9a, 0xe0, 0x4e, 0xcf, 0xcb, 0x14, 0x45,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0x2e, 0xc9, 0xf9, 0x74, 0xa7, 0x18, 0xb5, 0xf3, 0xde, 0x39, 0x49, 0xdf, 0x63, 0x33, 0x97, 0x52,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0xe0, 0x8e, 0xac, 0x50, 0x30, 0x8e, 0x09, 0xd5, 0x24, 0x3d, 0x26, 0xa4, 0x49, 0x37, 0x2b, 0xb0,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0x6b, 0x1b, 0xdf, 0xde, 0x85, 0x83, 0xcb, 0x22, 0x4e, 0x60, 0x0a, 0x91, 0x1a, 0x1f, 0xc5, 0x40,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0xb1, 0xc3, 0x15, 0xc1, 0x54, 0x77, 0x86, 0x65, 0x53, 0xec, 0x10, 0x90, 0x0c, 0x91, 0x00, 0x5e,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0x15, 0xdc, 0x08, 0x02, 0x4c, 0x8c, 0x0d, 0xc0, 0xac, 0x6e, 0xc4, 0x3e, 0x1b, 0x80, 0x19, 0xe4,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0xf7, 0x5f, 0x77, 0x51, 0x06, 0x87, 0x61, 0xde, 0xa2, 0x18, 0x0f, 0x40, 0x8b, 0x79, 0x72, 0xfa,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0x8d, 0x1a, 0x44, 0x47, 0x0d, 0x8e, 0x3a, 0x2d, 0xc7, 0x39, 0xbf, 0x56, 0x28, 0x97, 0xd9, 0x20,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *a = NULL, *rrsig = NULL, *dnskey = NULL;
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering a = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_A, "nAsA.gov");
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering a->a.in_addr.s_addr = inet_addr("52.0.14.116");
7b50eb2efa122200e39646c19a29abab302f7d24Lennart Poettering log_info("A: %s", strna(dns_resource_record_to_string(a)));
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering rrsig = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_RRSIG, "NaSa.GOV.");
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering rrsig->rrsig.algorithm = DNSSEC_ALGORITHM_RSASHA256;
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering rrsig->rrsig.signer = strdup("Nasa.Gov.");
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering rrsig->rrsig.signature_size = sizeof(signature_blob);
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering rrsig->rrsig.signature = memdup(signature_blob, rrsig->rrsig.signature_size);
7b50eb2efa122200e39646c19a29abab302f7d24Lennart Poettering log_info("RRSIG: %s", strna(dns_resource_record_to_string(rrsig)));
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering dnskey = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DNSKEY, "nASA.gOV");
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering dnskey->dnskey.algorithm = DNSSEC_ALGORITHM_RSASHA256;
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering dnskey->dnskey.key_size = sizeof(dnskey_blob);
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering dnskey->dnskey.key = memdup(dnskey_blob, sizeof(dnskey_blob));
7b50eb2efa122200e39646c19a29abab302f7d24Lennart Poettering log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey)));
0c8570287400ba57d3705a2f62dd26039121ea6fLennart Poettering log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey, false));
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering assert_se(dnssec_key_match_rrsig(a->key, rrsig) > 0);
0c8570287400ba57d3705a2f62dd26039121ea6fLennart Poettering assert_se(dnssec_rrsig_match_dnskey(rrsig, dnskey, false) > 0);
105e151299dc1208855380be2b22d0db2d66ebc6Lennart Poettering assert_se(dns_answer_add(answer, a, 0, DNS_ANSWER_AUTHENTICATED) >= 0);
2a326321594f752b73a5aec0eb73e5bf59f76b3cLennart Poettering /* Validate the RR as it if was 2015-12-2 today */
547973dea7abd6c124ff6c79fe2bbe322a7314aeLennart Poettering assert_se(dnssec_verify_rrset(answer, a->key, rrsig, dnskey, 1449092754*USEC_PER_SEC, &result) >= 0);
2b442ac87838be7c326c984d8751c96dee7258abLennart Poetteringstatic void test_dnssec_verify_dns_key(void) {
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0x46, 0x8B, 0xC8, 0xDD, 0xC7, 0xE8, 0x27, 0x03, 0x40, 0xBB, 0x8A, 0x1F, 0x3B, 0x2E, 0x45, 0x9D,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0x8A, 0xEE, 0x80, 0x47, 0x05, 0x5F, 0x83, 0xD1, 0x48, 0xBA, 0x8F, 0xF6, 0xDD, 0xA7, 0x60, 0xCE,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0x94, 0xF7, 0xC7, 0x5E, 0x52, 0x4C, 0xF2, 0xE9, 0x50, 0xB9, 0x2E, 0xCB, 0xEF, 0x96, 0xB9, 0x98,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0x03, 0x01, 0x00, 0x01, 0xa8, 0x12, 0xda, 0x4f, 0xd2, 0x7d, 0x54, 0x14, 0x0e, 0xcc, 0x5b, 0x5e,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0x45, 0x9c, 0x96, 0x98, 0xc0, 0xc0, 0x85, 0x81, 0xb1, 0x47, 0x8c, 0x7d, 0xe8, 0x39, 0x50, 0xcc,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0xc5, 0xd0, 0xf2, 0x00, 0x81, 0x67, 0x79, 0xf6, 0xcc, 0x9d, 0xad, 0x6c, 0xbb, 0x7b, 0x6f, 0x48,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0x97, 0x15, 0x1c, 0xfd, 0x0b, 0xfe, 0xd3, 0xd7, 0x7d, 0x9f, 0x81, 0x26, 0xd3, 0xc5, 0x65, 0x49,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0xcf, 0x46, 0x62, 0xb0, 0x55, 0x6e, 0x47, 0xc7, 0x30, 0xef, 0x51, 0xfb, 0x3e, 0xc6, 0xef, 0xde,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0x27, 0x3f, 0xfa, 0x57, 0x2d, 0xa7, 0x1d, 0x80, 0x46, 0x9a, 0x5f, 0x14, 0xb3, 0xb0, 0x2c, 0xbe,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0x72, 0xca, 0xdf, 0xb2, 0xff, 0x36, 0x5b, 0x4f, 0xec, 0x58, 0x8e, 0x8d, 0x01, 0xe9, 0xa9, 0xdf,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0xb5, 0x60, 0xad, 0x52, 0x4d, 0xfc, 0xa9, 0x3e, 0x8d, 0x35, 0x95, 0xb3, 0x4e, 0x0f, 0xca, 0x45,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0x1b, 0xf7, 0xef, 0x3a, 0x88, 0x25, 0x08, 0xc7, 0x4e, 0x06, 0xc1, 0x62, 0x1a, 0xce, 0xd8, 0x77,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0xbd, 0x02, 0x65, 0xf8, 0x49, 0xfb, 0xce, 0xf6, 0xa8, 0x09, 0xfc, 0xde, 0xb2, 0x09, 0x9d, 0x39,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0xf8, 0x63, 0x9c, 0x32, 0x42, 0x7c, 0xa0, 0x30, 0x86, 0x72, 0x7a, 0x4a, 0xc6, 0xd4, 0xb3, 0x2d,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0x24, 0xef, 0x96, 0x3f, 0xc2, 0xda, 0xd3, 0xf2, 0x15, 0x6f, 0xda, 0x65, 0x4b, 0x81, 0x28, 0x68,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0xf4, 0xfe, 0x3e, 0x71, 0x4f, 0x50, 0x96, 0x72, 0x58, 0xa1, 0x89, 0xdd, 0x01, 0x61, 0x39, 0x39,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0xc6, 0x76, 0xa4, 0xda, 0x02, 0x70, 0x3d, 0xc0, 0xdc, 0x8d, 0x70, 0x72, 0x04, 0x90, 0x79, 0xd4,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0xec, 0x65, 0xcf, 0x49, 0x35, 0x25, 0x3a, 0x14, 0x1a, 0x45, 0x20, 0xeb, 0x31, 0xaf, 0x92, 0xba,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering 0x20, 0xd3, 0xcd, 0xa7, 0x13, 0x44, 0xdc, 0xcf, 0xf0, 0x27, 0x34, 0xb9, 0xe7, 0x24, 0x6f, 0x73,
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *dnskey = NULL, *ds1 = NULL, *ds2 = NULL;
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering /* The two DS RRs in effect for nasa.gov on 2015-12-01. */
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering ds1 = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DS, "nasa.gov");
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering ds1->ds.algorithm = DNSSEC_ALGORITHM_RSASHA256;
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering ds1->ds.digest_type = DNSSEC_DIGEST_SHA1;
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering ds1->ds.digest_size = sizeof(ds1_fprint);
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering ds1->ds.digest = memdup(ds1_fprint, ds1->ds.digest_size);
7b50eb2efa122200e39646c19a29abab302f7d24Lennart Poettering log_info("DS1: %s", strna(dns_resource_record_to_string(ds1)));
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering ds2 = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DS, "NASA.GOV");
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering ds2->ds.algorithm = DNSSEC_ALGORITHM_RSASHA256;
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering ds2->ds.digest_type = DNSSEC_DIGEST_SHA256;
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering ds2->ds.digest_size = sizeof(ds2_fprint);
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering ds2->ds.digest = memdup(ds2_fprint, ds2->ds.digest_size);
7b50eb2efa122200e39646c19a29abab302f7d24Lennart Poettering log_info("DS2: %s", strna(dns_resource_record_to_string(ds2)));
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering dnskey = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DNSKEY, "nasa.GOV");
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering dnskey->dnskey.algorithm = DNSSEC_ALGORITHM_RSASHA256;
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering dnskey->dnskey.key_size = sizeof(dnskey_blob);
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering dnskey->dnskey.key = memdup(dnskey_blob, sizeof(dnskey_blob));
7b50eb2efa122200e39646c19a29abab302f7d24Lennart Poettering log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey)));
0c8570287400ba57d3705a2f62dd26039121ea6fLennart Poettering log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey, false));
96bb76734d8e1c8520a2456901079610813eac6dLennart Poettering assert_se(dnssec_verify_dnskey_by_ds(dnskey, ds1, false) > 0);
96bb76734d8e1c8520a2456901079610813eac6dLennart Poettering assert_se(dnssec_verify_dnskey_by_ds(dnskey, ds2, false) > 0);
2b442ac87838be7c326c984d8751c96dee7258abLennart Poetteringstatic void test_dnssec_canonicalize_one(const char *original, const char *canonical, int r) {
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering char canonicalized[DNSSEC_CANONICAL_HOSTNAME_MAX];
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering assert_se(dnssec_canonicalize(original, canonicalized, sizeof(canonicalized)) == r);
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering assert_se(streq(canonicalized, canonical));
2b442ac87838be7c326c984d8751c96dee7258abLennart Poetteringstatic void test_dnssec_canonicalize(void) {
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering test_dnssec_canonicalize_one("", ".", 1);
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering test_dnssec_canonicalize_one(".", ".", 1);
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering test_dnssec_canonicalize_one("foo", "foo.", 4);
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering test_dnssec_canonicalize_one("foo.", "foo.", 4);
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering test_dnssec_canonicalize_one("FOO.", "foo.", 4);
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering test_dnssec_canonicalize_one("FOO.bar.", "foo.bar.", 8);
2b442ac87838be7c326c984d8751c96dee7258abLennart Poettering test_dnssec_canonicalize_one("FOO..bar.", NULL, -EINVAL);
72667f0890372a952a7c5b8cc498ec3cf9440973Lennart Poetteringstatic void test_dnssec_nsec3_hash(void) {
72667f0890372a952a7c5b8cc498ec3cf9440973Lennart Poettering static const uint8_t salt[] = { 0xB0, 0x1D, 0xFA, 0xCE };
72667f0890372a952a7c5b8cc498ec3cf9440973Lennart Poettering static const uint8_t next_hashed_name[] = { 0x84, 0x10, 0x26, 0x53, 0xc9, 0xfa, 0x4d, 0x85, 0x6c, 0x97, 0x82, 0xe2, 0x8f, 0xdf, 0x2d, 0x5e, 0x87, 0x69, 0xc4, 0x52 };
72667f0890372a952a7c5b8cc498ec3cf9440973Lennart Poettering _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
72667f0890372a952a7c5b8cc498ec3cf9440973Lennart Poettering /* The NSEC3 RR for eurid.eu on 2015-12-14. */
72667f0890372a952a7c5b8cc498ec3cf9440973Lennart Poettering rr = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_NSEC3, "PJ8S08RR45VIQDAQGE7EN3VHKNROTBMM.eurid.eu.");
72667f0890372a952a7c5b8cc498ec3cf9440973Lennart Poettering rr->nsec3.algorithm = DNSSEC_DIGEST_SHA1;
72667f0890372a952a7c5b8cc498ec3cf9440973Lennart Poettering rr->nsec3.salt = memdup(salt, sizeof(salt));
72667f0890372a952a7c5b8cc498ec3cf9440973Lennart Poettering rr->nsec3.next_hashed_name = memdup(next_hashed_name, sizeof(next_hashed_name));
72667f0890372a952a7c5b8cc498ec3cf9440973Lennart Poettering rr->nsec3.next_hashed_name_size = sizeof(next_hashed_name);
7b50eb2efa122200e39646c19a29abab302f7d24Lennart Poettering log_info("NSEC3: %s", strna(dns_resource_record_to_string(rr)));
72667f0890372a952a7c5b8cc498ec3cf9440973Lennart Poettering k = dnssec_nsec3_hash(rr, "eurid.eu", &h);
72667f0890372a952a7c5b8cc498ec3cf9440973Lennart Poettering b = base32hexmem(h, k, false);
72667f0890372a952a7c5b8cc498ec3cf9440973Lennart Poettering assert_se(strcasecmp(b, "PJ8S08RR45VIQDAQGE7EN3VHKNROTBMM") == 0);