1 /*
2 * testcode/unitzonemd.c - unit test for zonemd.
3 *
4 * Copyright (c) 2020, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 *
35 */
36 /**
37 * \file
38 * Unit tests for ZONEMD functionality.
39 */
40
41 #include "config.h"
42 #include <ctype.h>
43 #include "util/log.h"
44 #include "testcode/unitmain.h"
45 #include "sldns/str2wire.h"
46 #include "services/authzone.h"
47 #include "util/data/dname.h"
48 #include "util/regional.h"
49 #include "validator/val_anchor.h"
50
51 #define xstr(s) str(s)
52 #define str(s) #s
53 #define SRCDIRSTR xstr(SRCDIR)
54
55 /** Add zone from file for testing */
56 struct auth_zone* authtest_addzone(struct auth_zones* az, const char* name,
57 char* fname);
58
59 /** zonemd unit test, generate a zonemd digest and check if correct */
zonemd_generate_test(const char * zname,char * zfile,int scheme,int hashalgo,const char * digest)60 static void zonemd_generate_test(const char* zname, char* zfile,
61 int scheme, int hashalgo, const char* digest)
62 {
63 uint8_t zonemd_hash[512];
64 size_t hashlen = 0;
65 char output[1024+1];
66 size_t i;
67 struct auth_zones* az;
68 struct auth_zone* z;
69 int result;
70 struct regional* region = NULL;
71 struct sldns_buffer* buf = NULL;
72 char* reason = NULL;
73 char* digestdup;
74
75 if(!zonemd_hashalgo_supported(hashalgo))
76 return; /* cannot test unsupported algo */
77
78 /* setup environment */
79 az = auth_zones_create();
80 unit_assert(az);
81 region = regional_create();
82 unit_assert(region);
83 buf = sldns_buffer_new(65535);
84 unit_assert(buf);
85
86 /* read file */
87 z = authtest_addzone(az, zname, zfile);
88 unit_assert(z);
89 lock_rw_wrlock(&z->lock);
90 z->zonemd_check = 1;
91 lock_rw_unlock(&z->lock);
92
93 /* create zonemd digest */
94 result = auth_zone_generate_zonemd_hash(z, scheme, hashalgo,
95 zonemd_hash, sizeof(zonemd_hash), &hashlen, region, buf,
96 &reason);
97 if(reason) printf("zonemd failure reason: %s\n", reason);
98 unit_assert(result);
99
100 /* check digest */
101 unit_assert(hashlen*2+1 <= sizeof(output));
102 for(i=0; i<hashlen; i++) {
103 const char* hexl = "0123456789ABCDEF";
104 output[i*2] = hexl[(zonemd_hash[i]&0xf0)>>4];
105 output[i*2+1] = hexl[zonemd_hash[i]&0xf];
106 }
107 output[hashlen*2] = 0;
108 digestdup = strdup(digest);
109 unit_assert(digestdup);
110 for(i=0; i<strlen(digestdup); i++) {
111 digestdup[i] = toupper(digestdup[i]);
112 }
113 if(verbosity >= VERB_ALGO) {
114 char zname[255+1];
115 dname_str(z->name, zname);
116 printf("zonemd generated for %s in %s with "
117 "scheme=%d hashalgo=%d\n", zname, z->zonefile,
118 scheme, hashalgo);
119 printf("digest %s\n", output);
120 printf("wanted %s\n", digestdup);
121 }
122 unit_assert(strcmp(output, digestdup) == 0);
123
124 /* delete environment */
125 free(digestdup);
126 auth_zones_delete(az);
127 regional_destroy(region);
128 sldns_buffer_free(buf);
129
130 if(verbosity >= VERB_ALGO) {
131 printf("\n");
132 }
133 }
134
135 /** loop over files and test generated zonemd digest */
zonemd_generate_tests(void)136 static void zonemd_generate_tests(void)
137 {
138 unit_show_func("services/authzone.c", "auth_zone_generate_zonemd_hash");
139 zonemd_generate_test("example.org", SRCDIRSTR "/testdata/zonemd.example1.zone",
140 1, 2, "20564D10F50A0CEBEC856C64032B7DFB53D3C449A421A5BC7A21F7627B4ACEA4DF29F2C6FE82ED9C23ADF6F4D420D5DD63EF6E6349D60FDAB910B65DF8D481B7");
141
142 /* https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-12
143 * from section A.1 */
144 zonemd_generate_test("example", SRCDIRSTR "/testdata/zonemd.example_a1.zone",
145 1, 1, "c68090d90a7aed716bc459f9340e3d7c1370d4d24b7e2fc3a1ddc0b9a87153b9a9713b3c9ae5cc27777f98b8e730044c");
146
147 /* https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-12
148 * from section A.2 */
149 zonemd_generate_test("example", SRCDIRSTR "/testdata/zonemd.example_a2.zone",
150 1, 1, "31cefb03814f5062ad12fa951ba0ef5f8da6ae354a415767246f7dc932ceb1e742a2108f529db6a33a11c01493de358d");
151
152 /* https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-12
153 * from section A.3 SHA384 digest */
154 zonemd_generate_test("example", SRCDIRSTR "/testdata/zonemd.example_a3.zone",
155 1, 1, "62e6cf51b02e54b9b5f967d547ce43136792901f9f88e637493daaf401c92c279dd10f0edb1c56f8080211f8480ee306");
156
157 /* https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-12
158 * from section A.3 SHA512 digest*/
159 zonemd_generate_test("example", SRCDIRSTR "/testdata/zonemd.example_a3.zone",
160 1, 2, "08cfa1115c7b948c4163a901270395ea226a930cd2cbcf2fa9a5e6eb85f37c8a4e114d884e66f176eab121cb02db7d652e0cc4827e7a3204f166b47e5613fd27");
161
162 /* https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-12
163 * from section A.4 */
164 zonemd_generate_test("uri.arpa", SRCDIRSTR "/testdata/zonemd.example_a4.zone",
165 1, 1, "1291b78ddf7669b1a39d014d87626b709b55774c5d7d58fadc556439889a10eaf6f11d615900a4f996bd46279514e473");
166
167 /* https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-12
168 * from section A.5 */
169 zonemd_generate_test("root-servers.net", SRCDIRSTR "/testdata/zonemd.example_a5.zone",
170 1, 1, "f1ca0ccd91bd5573d9f431c00ee0101b2545c97602be0a978a3b11dbfc1c776d5b3e86ae3d973d6b5349ba7f04340f79");
171 }
172
173 /** test the zonemd check routine */
zonemd_check_test(void)174 static void zonemd_check_test(void)
175 {
176 const char* zname = "example.org";
177 char* zfile = SRCDIRSTR "/testdata/zonemd.example1.zone";
178 int scheme = 1;
179 int hashalgo = 2;
180 const char* digest = "20564D10F50A0CEBEC856C64032B7DFB53D3C449A421A5BC7A21F7627B4ACEA4DF29F2C6FE82ED9C23ADF6F4D420D5DD63EF6E6349D60FDAB910B65DF8D481B7";
181 const char* digestwrong = "20564D10F50A0CEBEC856C64032B7DFB53D3C449A421A5BC7A21F7627B4ACEA4DF29F2C6FE82ED9C23ADF6F4D420D5DD63EF6E6349D60FDAB910B65DF8D48100";
182 uint8_t hash[512], hashwrong[512];
183 size_t hashlen = 0, hashwronglen = 0;
184 struct auth_zones* az;
185 struct auth_zone* z;
186 int result;
187 struct regional* region = NULL;
188 struct sldns_buffer* buf = NULL;
189 char* reason = NULL;
190
191 if(!zonemd_hashalgo_supported(hashalgo))
192 return; /* cannot test unsupported algo */
193 unit_show_func("services/authzone.c", "auth_zone_generate_zonemd_check");
194
195 /* setup environment */
196 az = auth_zones_create();
197 unit_assert(az);
198 region = regional_create();
199 unit_assert(region);
200 buf = sldns_buffer_new(65535);
201 unit_assert(buf);
202
203 /* read file */
204 z = authtest_addzone(az, zname, zfile);
205 unit_assert(z);
206 lock_rw_wrlock(&z->lock);
207 z->zonemd_check = 1;
208 lock_rw_unlock(&z->lock);
209 hashlen = sizeof(hash);
210 if(sldns_str2wire_hex_buf(digest, hash, &hashlen) != 0) {
211 unit_assert(0); /* parse failure */
212 }
213 hashwronglen = sizeof(hashwrong);
214 if(sldns_str2wire_hex_buf(digestwrong, hashwrong, &hashwronglen) != 0) {
215 unit_assert(0); /* parse failure */
216 }
217
218 /* check return values of the check routine */
219 result = auth_zone_generate_zonemd_check(z, scheme, hashalgo,
220 hash, hashlen, region, buf, &reason);
221 unit_assert(result && reason == NULL);
222 result = auth_zone_generate_zonemd_check(z, 241, hashalgo,
223 hash, hashlen, region, buf, &reason);
224 unit_assert(result && strcmp(reason, "unsupported scheme")==0);
225 result = auth_zone_generate_zonemd_check(z, scheme, 242,
226 hash, hashlen, region, buf, &reason);
227 unit_assert(result && strcmp(reason, "unsupported algorithm")==0);
228 result = auth_zone_generate_zonemd_check(z, scheme, hashalgo,
229 hash, 2, region, buf, &reason);
230 unit_assert(!result && strcmp(reason, "digest length too small, less than 12")==0);
231 result = auth_zone_generate_zonemd_check(z, scheme, hashalgo,
232 hashwrong, hashwronglen, region, buf, &reason);
233 unit_assert(!result && strcmp(reason, "incorrect digest")==0);
234 result = auth_zone_generate_zonemd_check(z, scheme, hashalgo,
235 hashwrong, hashwronglen-3, region, buf, &reason);
236 unit_assert(!result && strcmp(reason, "incorrect digest length")==0);
237
238 /* delete environment */
239 auth_zones_delete(az);
240 regional_destroy(region);
241 sldns_buffer_free(buf);
242
243 if(verbosity >= VERB_ALGO) {
244 printf("\n");
245 }
246 }
247
248 /** zonemd test verify */
zonemd_verify_test(char * zname,char * zfile,char * tastr,char * date_override,char * result_wanted)249 static void zonemd_verify_test(char* zname, char* zfile, char* tastr,
250 char* date_override, char* result_wanted)
251 {
252 time_t now = 0;
253 struct module_stack mods;
254 struct module_env env;
255 char* result = NULL;
256 struct auth_zone* z;
257
258 /* setup test harness */
259 memset(&mods, 0, sizeof(mods));
260 memset(&env, 0, sizeof(env));
261 env.scratch = regional_create();
262 if(!env.scratch)
263 fatal_exit("out of memory");
264 env.scratch_buffer = sldns_buffer_new(65553);
265 if(!env.scratch_buffer)
266 fatal_exit("out of memory");
267 env.cfg = config_create();
268 if(!env.cfg)
269 fatal_exit("out of memory");
270 env.now = &now;
271 env.cfg->val_date_override = cfg_convert_timeval(date_override);
272 if(!env.cfg->val_date_override)
273 fatal_exit("could not parse datetime %s", date_override);
274 if(env.cfg->module_conf)
275 free(env.cfg->module_conf);
276 env.cfg->module_conf = strdup("validator iterator");
277 if(!env.cfg->module_conf)
278 fatal_exit("out of memory");
279 if(tastr) {
280 if(!cfg_strlist_insert(&env.cfg->trust_anchor_list,
281 strdup(tastr)))
282 fatal_exit("out of memory");
283 }
284 env.anchors = anchors_create();
285 if(!env.anchors)
286 fatal_exit("out of memory");
287 env.auth_zones = auth_zones_create();
288 if(!env.auth_zones)
289 fatal_exit("out of memory");
290 modstack_init(&mods);
291 if(!modstack_setup(&mods, env.cfg->module_conf, &env))
292 fatal_exit("could not modstack_setup");
293 env.mesh = mesh_create(&mods, &env);
294 if(!env.mesh)
295 fatal_exit("out of memory");
296
297 /* load data */
298 z = authtest_addzone(env.auth_zones, zname, zfile);
299 if(!z)
300 fatal_exit("could not addzone %s %s", zname, zfile);
301
302 /* test */
303 lock_rw_wrlock(&z->lock);
304 z->zonemd_check = 1;
305 auth_zone_verify_zonemd(z, &env, &mods, &result, 1, 0);
306 lock_rw_unlock(&z->lock);
307 if(verbosity >= VERB_ALGO) {
308 printf("auth zone %s: ZONEMD verification %s: %s\n", zname,
309 (strcmp(result, "ZONEMD verification successful")==0?"successful":"failed"),
310 result);
311 }
312 if(!result)
313 fatal_exit("out of memory");
314 unit_assert(strcmp(result, result_wanted) == 0);
315 if(strcmp(result, "ZONEMD verification successful") == 0 ||
316 strcmp(result, "DNSSEC verified nonexistence of ZONEMD") == 0 ||
317 strcmp(result, "no ZONEMD present") == 0) {
318 lock_rw_rdlock(&z->lock);
319 unit_assert(!z->zone_expired);
320 lock_rw_unlock(&z->lock);
321 } else {
322 lock_rw_rdlock(&z->lock);
323 unit_assert(z->zone_expired);
324 lock_rw_unlock(&z->lock);
325 }
326 free(result);
327
328 /* desetup test harness */
329 mesh_delete(env.mesh);
330 modstack_desetup(&mods, &env);
331 auth_zones_delete(env.auth_zones);
332 anchors_delete(env.anchors);
333 config_delete(env.cfg);
334 regional_destroy(env.scratch);
335 sldns_buffer_free(env.scratch_buffer);
336
337 if(verbosity >= VERB_ALGO) {
338 printf("\n");
339 }
340 }
341
342 /** zonemd test verify suite */
zonemd_verify_tests(void)343 static void zonemd_verify_tests(void)
344 {
345 unit_show_func("services/authzone.c", "auth_zone_verify_zonemd");
346 /* give trustanchor for unsigned zone, should fail */
347 zonemd_verify_test("example.org",
348 SRCDIRSTR "/testdata/zonemd.example1.zone",
349 "example.org. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
350 "20180302005009",
351 "verify DNSKEY RRset with trust anchor failed: have trust anchor, but zone has no DNSKEY");
352 /* unsigned zone without ZONEMD in it */
353 zonemd_verify_test("example.org",
354 SRCDIRSTR "/testdata/zonemd.example1.zone",
355 NULL,
356 "20180302005009",
357 "no ZONEMD present");
358 /* no trust anchor, so it succeeds for zone with a correct ZONEMD */
359 zonemd_verify_test("example.com",
360 SRCDIRSTR "/testdata/zonemd.example2.zone",
361 NULL,
362 "20180302005009",
363 "ZONEMD verification successful");
364 /* trust anchor for another zone, so it is indeterminate */
365 zonemd_verify_test("example.com",
366 SRCDIRSTR "/testdata/zonemd.example2.zone",
367 "example.org. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
368 "20180302005009",
369 "ZONEMD verification successful");
370
371 /* load a DNSSEC signed zone, but no trust anchor */
372 /* this zonefile has an incorrect ZONEMD digest, with correct
373 * DNSSEC signature. */
374 zonemd_verify_test("example.com",
375 SRCDIRSTR "/testdata/zonemd.example3.zone",
376 NULL,
377 "20180302005009",
378 "incorrect digest");
379 /* load a DNSSEC zone with NSEC3, but no trust anchor */
380 /* this zonefile has an incorrect ZONEMD digest, with correct
381 * DNSSEC signature. */
382 zonemd_verify_test("example.com",
383 SRCDIRSTR "/testdata/zonemd.example4.zone",
384 NULL,
385 "20180302005009",
386 "incorrect digest");
387 /* valid zonemd, in dnssec signed zone, no trust anchor*/
388 /* this zonefile has a correct ZONEMD digest and
389 * correct DNSSEC signature */
390 zonemd_verify_test("example.com",
391 SRCDIRSTR "/testdata/zonemd.example5.zone",
392 NULL,
393 "20180302005009",
394 "ZONEMD verification successful");
395 /* valid zonemd, in dnssec NSEC3 zone, no trust anchor*/
396 zonemd_verify_test("example.com",
397 SRCDIRSTR "/testdata/zonemd.example6.zone",
398 NULL,
399 "20180302005009",
400 "ZONEMD verification successful");
401
402 /* load a DNSSEC signed zone with a trust anchor, valid ZONEMD */
403 zonemd_verify_test("example.com",
404 SRCDIRSTR "/testdata/zonemd.example5.zone",
405 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
406 "20201020135527",
407 "ZONEMD verification successful");
408 /* load a DNSSEC NSEC3 signed zone with a trust anchor, valid ZONEMD */
409 zonemd_verify_test("example.com",
410 SRCDIRSTR "/testdata/zonemd.example6.zone",
411 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
412 "20201020135527",
413 "ZONEMD verification successful");
414
415 /* load a DNSSEC NSEC zone without ZONEMD */
416 zonemd_verify_test("example.com",
417 SRCDIRSTR "/testdata/zonemd.example7.zone",
418 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
419 "20201020135527",
420 "DNSSEC verified nonexistence of ZONEMD");
421 /* load a DNSSEC NSEC3 zone without ZONEMD */
422 zonemd_verify_test("example.com",
423 SRCDIRSTR "/testdata/zonemd.example8.zone",
424 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
425 "20201020135527",
426 "DNSSEC verified nonexistence of ZONEMD");
427
428 /* load DNSSEC zone but RRSIG on ZONEMD is wrong */
429 zonemd_verify_test("example.com",
430 SRCDIRSTR "/testdata/zonemd.example9.zone",
431 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
432 "20201020135527",
433 #ifdef HAVE_SSL
434 "DNSSEC verify failed for ZONEMD RRset: signature crypto failed"
435 #else /* HAVE_NETTLE */
436 "DNSSEC verify failed for ZONEMD RRset: RSA signature verification failed"
437 #endif
438 );
439 /* load DNSSEC zone but RRSIG on SOA is wrong */
440 zonemd_verify_test("example.com",
441 SRCDIRSTR "/testdata/zonemd.example10.zone",
442 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
443 "20201020135527",
444 #ifdef HAVE_SSL
445 "DNSSEC verify failed for SOA RRset: signature crypto failed"
446 #else /* HAVE_NETTLE */
447 "DNSSEC verify failed for SOA RRset: RSA signature verification failed"
448 #endif
449 );
450
451 /* load DNSSEC zone without ZONEMD, but NSEC bitmap says it exists */
452 zonemd_verify_test("example.com",
453 SRCDIRSTR "/testdata/zonemd.example11.zone",
454 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
455 "20201020135527",
456 "DNSSEC NSEC bitmap says type ZONEMD exists");
457 /* load DNSSEC zone without ZONEMD, but NSEC3 bitmap says it exists */
458 zonemd_verify_test("example.com",
459 SRCDIRSTR "/testdata/zonemd.example12.zone",
460 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
461 "20201020135527",
462 "DNSSEC NSEC3 bitmap says type ZONEMD exists");
463
464 /* load DNSSEC zone without ZONEMD, but RRSIG on NSEC not okay */
465 zonemd_verify_test("example.com",
466 SRCDIRSTR "/testdata/zonemd.example13.zone",
467 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
468 "20201020135527",
469 #ifdef HAVE_SSL
470 "DNSSEC verify failed for NSEC RRset: signature crypto failed"
471 #else /* HAVE_NETTLE */
472 "DNSSEC verify failed for NSEC RRset: RSA signature verification failed"
473 #endif
474 );
475 /* load DNSSEC zone without ZONEMD, but RRSIG on NSEC3 not okay */
476 zonemd_verify_test("example.com",
477 SRCDIRSTR "/testdata/zonemd.example14.zone",
478 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
479 "20201020135527",
480 #ifdef HAVE_SSL
481 "DNSSEC verify failed for NSEC3 RRset: signature crypto failed"
482 #else /* HAVE_NETTLE */
483 "DNSSEC verify failed for NSEC3 RRset: RSA signature verification failed"
484 #endif
485 );
486
487 /* load DNSSEC zone, with ZONEMD, but DNSKEY RRSIG is not okay. */
488 zonemd_verify_test("example.com",
489 SRCDIRSTR "/testdata/zonemd.example15.zone",
490 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
491 "20201020135527",
492 #ifdef HAVE_SSL
493 "verify DNSKEY RRset with trust anchor failed: signature crypto failed"
494 #else /* HAVE_NETTLE */
495 "verify DNSKEY RRset with trust anchor failed: RSA signature verification failed"
496 #endif
497 );
498 /* load DNSSEC zone, but trust anchor mismatches DNSKEY */
499 zonemd_verify_test("example.com",
500 SRCDIRSTR "/testdata/zonemd.example5.zone",
501 /* okay anchor is
502 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af", */
503 "example.com. IN DS 55566 8 2 0000000000111111222223333444444dfcf92595148022f2c2fd98e5deee90af",
504 "20201020135527",
505 "verify DNSKEY RRset with trust anchor failed: DS hash mismatches key");
506 /* load DNSSEC zone, but trust anchor fails because the zone
507 * has expired signatures. We set the date for it */
508 zonemd_verify_test("example.com",
509 SRCDIRSTR "/testdata/zonemd.example5.zone",
510 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
511 /* okay date: "20201020135527", */
512 "20221020135527",
513 "verify DNSKEY RRset with trust anchor failed: signature expired");
514
515 /* duplicate zonemd with same scheme and algorithm */
516 zonemd_verify_test("example.com",
517 SRCDIRSTR "/testdata/zonemd.example16.zone",
518 NULL,
519 "20180302005009",
520 "ZONEMD RRSet contains more than one RR with the same scheme and hash algorithm");
521 /* different capitalisation of ns name and owner names, should
522 * be canonicalized. */
523 zonemd_verify_test("example.com",
524 SRCDIRSTR "/testdata/zonemd.example17.zone",
525 NULL,
526 "20180302005009",
527 "ZONEMD verification successful");
528 }
529
530 /** zonemd unit tests */
zonemd_test(void)531 void zonemd_test(void)
532 {
533 unit_show_feature("zonemd");
534 zonemd_generate_tests();
535 zonemd_check_test();
536 zonemd_verify_tests();
537 }
538