1 /*
2 * testcode/unitzonemd.c - unit test for zonemd.
3 *
4 * Copyright (c) 2020, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 *
35 */
36 /**
37 * \file
38 * Unit tests for ZONEMD functionality.
39 */
40
41 #include "config.h"
42 #include <ctype.h>
43 #include "util/log.h"
44 #include "testcode/unitmain.h"
45 #include "sldns/str2wire.h"
46 #include "services/authzone.h"
47 #include "util/data/dname.h"
48 #include "util/regional.h"
49 #include "validator/val_anchor.h"
50
51 #define xstr(s) str(s)
52 #define str(s) #s
53 #define SRCDIRSTR xstr(SRCDIR)
54
55 /** Add zone from file for testing */
56 struct auth_zone* authtest_addzone(struct auth_zones* az, const char* name,
57 char* fname);
58
59 /** zonemd unit test, generate a zonemd digest and check if correct */
zonemd_generate_test(const char * zname,char * zfile,int scheme,int hashalgo,const char * digest)60 static void zonemd_generate_test(const char* zname, char* zfile,
61 int scheme, int hashalgo, const char* digest)
62 {
63 uint8_t zonemd_hash[512];
64 size_t hashlen = 0;
65 char output[1024+1];
66 size_t i;
67 struct auth_zones* az;
68 struct auth_zone* z;
69 int result;
70 struct regional* region = NULL;
71 struct sldns_buffer* buf = NULL;
72 char* reason = NULL;
73 char* digestdup;
74
75 if(!zonemd_hashalgo_supported(hashalgo))
76 return; /* cannot test unsupported algo */
77
78 /* setup environment */
79 az = auth_zones_create();
80 unit_assert(az);
81 region = regional_create();
82 unit_assert(region);
83 buf = sldns_buffer_new(65535);
84 unit_assert(buf);
85
86 /* read file */
87 z = authtest_addzone(az, zname, zfile);
88 unit_assert(z);
89 lock_rw_wrlock(&z->lock);
90 z->zonemd_check = 1;
91 lock_rw_unlock(&z->lock);
92
93 /* create zonemd digest */
94 result = auth_zone_generate_zonemd_hash(z, scheme, hashalgo,
95 zonemd_hash, sizeof(zonemd_hash), &hashlen, region, buf,
96 &reason);
97 if(reason) printf("zonemd failure reason: %s\n", reason);
98 unit_assert(result);
99
100 /* check digest */
101 unit_assert(hashlen*2+1 <= sizeof(output));
102 for(i=0; i<hashlen; i++) {
103 const char* hexl = "0123456789ABCDEF";
104 output[i*2] = hexl[(zonemd_hash[i]&0xf0)>>4];
105 output[i*2+1] = hexl[zonemd_hash[i]&0xf];
106 }
107 output[hashlen*2] = 0;
108 digestdup = strdup(digest);
109 unit_assert(digestdup);
110 for(i=0; i<strlen(digestdup); i++) {
111 digestdup[i] = toupper(digestdup[i]);
112 }
113 if(verbosity >= VERB_ALGO) {
114 char zname[255+1];
115 dname_str(z->name, zname);
116 printf("zonemd generated for %s in %s with "
117 "scheme=%d hashalgo=%d\n", zname, z->zonefile,
118 scheme, hashalgo);
119 printf("digest %s\n", output);
120 printf("wanted %s\n", digestdup);
121 }
122 unit_assert(strcmp(output, digestdup) == 0);
123
124 /* delete environment */
125 free(digestdup);
126 auth_zones_delete(az);
127 regional_destroy(region);
128 sldns_buffer_free(buf);
129
130 if(verbosity >= VERB_ALGO) {
131 printf("\n");
132 }
133 }
134
135 /** loop over files and test generated zonemd digest */
zonemd_generate_tests(void)136 static void zonemd_generate_tests(void)
137 {
138 unit_show_func("services/authzone.c", "auth_zone_generate_zonemd_hash");
139 zonemd_generate_test("example.org", SRCDIRSTR "/testdata/zonemd.example1.zone",
140 1, 2, "20564D10F50A0CEBEC856C64032B7DFB53D3C449A421A5BC7A21F7627B4ACEA4DF29F2C6FE82ED9C23ADF6F4D420D5DD63EF6E6349D60FDAB910B65DF8D481B7");
141
142 /* https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-12
143 * from section A.1 */
144 zonemd_generate_test("example", SRCDIRSTR "/testdata/zonemd.example_a1.zone",
145 1, 1, "c68090d90a7aed716bc459f9340e3d7c1370d4d24b7e2fc3a1ddc0b9a87153b9a9713b3c9ae5cc27777f98b8e730044c");
146
147 /* https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-12
148 * from section A.2 */
149 zonemd_generate_test("example", SRCDIRSTR "/testdata/zonemd.example_a2.zone",
150 1, 1, "31cefb03814f5062ad12fa951ba0ef5f8da6ae354a415767246f7dc932ceb1e742a2108f529db6a33a11c01493de358d");
151
152 /* https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-12
153 * from section A.3 SHA384 digest */
154 zonemd_generate_test("example", SRCDIRSTR "/testdata/zonemd.example_a3.zone",
155 1, 1, "62e6cf51b02e54b9b5f967d547ce43136792901f9f88e637493daaf401c92c279dd10f0edb1c56f8080211f8480ee306");
156
157 /* https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-12
158 * from section A.3 SHA512 digest*/
159 zonemd_generate_test("example", SRCDIRSTR "/testdata/zonemd.example_a3.zone",
160 1, 2, "08cfa1115c7b948c4163a901270395ea226a930cd2cbcf2fa9a5e6eb85f37c8a4e114d884e66f176eab121cb02db7d652e0cc4827e7a3204f166b47e5613fd27");
161
162 /* https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-12
163 * from section A.4 */
164 zonemd_generate_test("uri.arpa", SRCDIRSTR "/testdata/zonemd.example_a4.zone",
165 1, 1, "1291b78ddf7669b1a39d014d87626b709b55774c5d7d58fadc556439889a10eaf6f11d615900a4f996bd46279514e473");
166
167 /* https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-12
168 * from section A.5 */
169 zonemd_generate_test("root-servers.net", SRCDIRSTR "/testdata/zonemd.example_a5.zone",
170 1, 1, "f1ca0ccd91bd5573d9f431c00ee0101b2545c97602be0a978a3b11dbfc1c776d5b3e86ae3d973d6b5349ba7f04340f79");
171 }
172
173 /** test the zonemd check routine */
zonemd_check_test(void)174 static void zonemd_check_test(void)
175 {
176 const char* zname = "example.org";
177 char* zfile = SRCDIRSTR "/testdata/zonemd.example1.zone";
178 int scheme = 1;
179 int hashalgo = 2;
180 const char* digest = "20564D10F50A0CEBEC856C64032B7DFB53D3C449A421A5BC7A21F7627B4ACEA4DF29F2C6FE82ED9C23ADF6F4D420D5DD63EF6E6349D60FDAB910B65DF8D481B7";
181 const char* digestwrong = "20564D10F50A0CEBEC856C64032B7DFB53D3C449A421A5BC7A21F7627B4ACEA4DF29F2C6FE82ED9C23ADF6F4D420D5DD63EF6E6349D60FDAB910B65DF8D48100";
182 uint8_t hash[512], hashwrong[512];
183 size_t hashlen = 0, hashwronglen = 0;
184 struct auth_zones* az;
185 struct auth_zone* z;
186 int result;
187 struct regional* region = NULL;
188 struct sldns_buffer* buf = NULL;
189 char* reason = NULL;
190
191 if(!zonemd_hashalgo_supported(hashalgo))
192 return; /* cannot test unsupported algo */
193 unit_show_func("services/authzone.c", "auth_zone_generate_zonemd_check");
194
195 /* setup environment */
196 az = auth_zones_create();
197 unit_assert(az);
198 region = regional_create();
199 unit_assert(region);
200 buf = sldns_buffer_new(65535);
201 unit_assert(buf);
202
203 /* read file */
204 z = authtest_addzone(az, zname, zfile);
205 unit_assert(z);
206 lock_rw_wrlock(&z->lock);
207 z->zonemd_check = 1;
208 lock_rw_unlock(&z->lock);
209 hashlen = sizeof(hash);
210 if(sldns_str2wire_hex_buf(digest, hash, &hashlen) != 0) {
211 unit_assert(0); /* parse failure */
212 }
213 hashwronglen = sizeof(hashwrong);
214 if(sldns_str2wire_hex_buf(digestwrong, hashwrong, &hashwronglen) != 0) {
215 unit_assert(0); /* parse failure */
216 }
217
218 /* check return values of the check routine */
219 result = auth_zone_generate_zonemd_check(z, scheme, hashalgo,
220 hash, hashlen, region, buf, &reason);
221 unit_assert(result && reason == NULL);
222 result = auth_zone_generate_zonemd_check(z, 241, hashalgo,
223 hash, hashlen, region, buf, &reason);
224 unit_assert(result && strcmp(reason, "unsupported scheme")==0);
225 result = auth_zone_generate_zonemd_check(z, scheme, 242,
226 hash, hashlen, region, buf, &reason);
227 unit_assert(result && strcmp(reason, "unsupported algorithm")==0);
228 result = auth_zone_generate_zonemd_check(z, scheme, hashalgo,
229 hash, 2, region, buf, &reason);
230 unit_assert(!result && strcmp(reason, "digest length too small, less than 12")==0);
231 result = auth_zone_generate_zonemd_check(z, scheme, hashalgo,
232 hashwrong, hashwronglen, region, buf, &reason);
233 unit_assert(!result && strcmp(reason, "incorrect digest")==0);
234 result = auth_zone_generate_zonemd_check(z, scheme, hashalgo,
235 hashwrong, hashwronglen-3, region, buf, &reason);
236 unit_assert(!result && strcmp(reason, "incorrect digest length")==0);
237
238 /* delete environment */
239 auth_zones_delete(az);
240 regional_destroy(region);
241 sldns_buffer_free(buf);
242
243 if(verbosity >= VERB_ALGO) {
244 printf("\n");
245 }
246 }
247
248 /** zonemd test verify */
zonemd_verify_test(char * zname,char * zfile,char * tastr,char * date_override,char * result_wanted)249 static void zonemd_verify_test(char* zname, char* zfile, char* tastr,
250 char* date_override, char* result_wanted)
251 {
252 time_t now = 0;
253 struct module_stack mods;
254 struct module_env env;
255 char* result = NULL;
256 struct auth_zone* z;
257
258 /* setup test harness */
259 memset(&env, 0, sizeof(env));
260 env.scratch = regional_create();
261 if(!env.scratch)
262 fatal_exit("out of memory");
263 env.scratch_buffer = sldns_buffer_new(65553);
264 if(!env.scratch_buffer)
265 fatal_exit("out of memory");
266 env.cfg = config_create();
267 if(!env.cfg)
268 fatal_exit("out of memory");
269 env.now = &now;
270 env.cfg->val_date_override = cfg_convert_timeval(date_override);
271 if(!env.cfg->val_date_override)
272 fatal_exit("could not parse datetime %s", date_override);
273 if(env.cfg->module_conf)
274 free(env.cfg->module_conf);
275 env.cfg->module_conf = strdup("validator iterator");
276 if(!env.cfg->module_conf)
277 fatal_exit("out of memory");
278 if(tastr) {
279 if(!cfg_strlist_insert(&env.cfg->trust_anchor_list,
280 strdup(tastr)))
281 fatal_exit("out of memory");
282 }
283 env.anchors = anchors_create();
284 if(!env.anchors)
285 fatal_exit("out of memory");
286 env.auth_zones = auth_zones_create();
287 if(!env.auth_zones)
288 fatal_exit("out of memory");
289 modstack_init(&mods);
290 if(!modstack_call_startup(&mods, env.cfg->module_conf, &env))
291 fatal_exit("could not modstack_startup");
292 if(!modstack_call_init(&mods, env.cfg->module_conf, &env))
293 fatal_exit("could not modstack_call_init");
294 env.mesh = mesh_create(&mods, &env);
295 if(!env.mesh)
296 fatal_exit("out of memory");
297
298 /* load data */
299 z = authtest_addzone(env.auth_zones, zname, zfile);
300 if(!z)
301 fatal_exit("could not addzone %s %s", zname, zfile);
302
303 /* test */
304 lock_rw_wrlock(&z->lock);
305 z->zonemd_check = 1;
306 auth_zone_verify_zonemd(z, &env, &mods, &result, 1, 0);
307 lock_rw_unlock(&z->lock);
308 if(verbosity >= VERB_ALGO) {
309 printf("auth zone %s: ZONEMD verification %s: %s\n", zname,
310 (strcmp(result, "ZONEMD verification successful")==0?"successful":"failed"),
311 result);
312 }
313 if(!result)
314 fatal_exit("out of memory");
315 unit_assert(strcmp(result, result_wanted) == 0);
316 if(strcmp(result, "ZONEMD verification successful") == 0 ||
317 strcmp(result, "DNSSEC verified nonexistence of ZONEMD") == 0 ||
318 strcmp(result, "no ZONEMD present") == 0) {
319 lock_rw_rdlock(&z->lock);
320 unit_assert(!z->zone_expired);
321 lock_rw_unlock(&z->lock);
322 } else {
323 lock_rw_rdlock(&z->lock);
324 unit_assert(z->zone_expired);
325 lock_rw_unlock(&z->lock);
326 }
327 free(result);
328
329 /* desetup test harness */
330 mesh_delete(env.mesh);
331 modstack_call_deinit(&mods, &env);
332 modstack_call_destartup(&mods, &env);
333 modstack_free(&mods);
334 auth_zones_delete(env.auth_zones);
335 anchors_delete(env.anchors);
336 config_delete(env.cfg);
337 regional_destroy(env.scratch);
338 sldns_buffer_free(env.scratch_buffer);
339
340 if(verbosity >= VERB_ALGO) {
341 printf("\n");
342 }
343 }
344
345 /** zonemd test verify suite */
zonemd_verify_tests(void)346 static void zonemd_verify_tests(void)
347 {
348 unit_show_func("services/authzone.c", "auth_zone_verify_zonemd");
349 /* give trustanchor for unsigned zone, should fail */
350 zonemd_verify_test("example.org",
351 SRCDIRSTR "/testdata/zonemd.example1.zone",
352 "example.org. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
353 "20180302005009",
354 "verify DNSKEY RRset with trust anchor failed: have trust anchor, but zone has no DNSKEY");
355 /* unsigned zone without ZONEMD in it */
356 zonemd_verify_test("example.org",
357 SRCDIRSTR "/testdata/zonemd.example1.zone",
358 NULL,
359 "20180302005009",
360 "no ZONEMD present");
361 /* no trust anchor, so it succeeds for zone with a correct ZONEMD */
362 zonemd_verify_test("example.com",
363 SRCDIRSTR "/testdata/zonemd.example2.zone",
364 NULL,
365 "20180302005009",
366 "ZONEMD verification successful");
367 /* trust anchor for another zone, so it is indeterminate */
368 zonemd_verify_test("example.com",
369 SRCDIRSTR "/testdata/zonemd.example2.zone",
370 "example.org. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
371 "20180302005009",
372 "ZONEMD verification successful");
373
374 /* load a DNSSEC signed zone, but no trust anchor */
375 /* this zonefile has an incorrect ZONEMD digest, with correct
376 * DNSSEC signature. */
377 zonemd_verify_test("example.com",
378 SRCDIRSTR "/testdata/zonemd.example3.zone",
379 NULL,
380 "20180302005009",
381 "incorrect digest");
382 /* load a DNSSEC zone with NSEC3, but no trust anchor */
383 /* this zonefile has an incorrect ZONEMD digest, with correct
384 * DNSSEC signature. */
385 zonemd_verify_test("example.com",
386 SRCDIRSTR "/testdata/zonemd.example4.zone",
387 NULL,
388 "20180302005009",
389 "incorrect digest");
390 /* valid zonemd, in dnssec signed zone, no trust anchor*/
391 /* this zonefile has a correct ZONEMD digest and
392 * correct DNSSEC signature */
393 zonemd_verify_test("example.com",
394 SRCDIRSTR "/testdata/zonemd.example5.zone",
395 NULL,
396 "20180302005009",
397 "ZONEMD verification successful");
398 /* valid zonemd, in dnssec NSEC3 zone, no trust anchor*/
399 zonemd_verify_test("example.com",
400 SRCDIRSTR "/testdata/zonemd.example6.zone",
401 NULL,
402 "20180302005009",
403 "ZONEMD verification successful");
404
405 /* load a DNSSEC signed zone with a trust anchor, valid ZONEMD */
406 zonemd_verify_test("example.com",
407 SRCDIRSTR "/testdata/zonemd.example5.zone",
408 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
409 "20201020135527",
410 "ZONEMD verification successful");
411 /* load a DNSSEC NSEC3 signed zone with a trust anchor, valid ZONEMD */
412 zonemd_verify_test("example.com",
413 SRCDIRSTR "/testdata/zonemd.example6.zone",
414 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
415 "20201020135527",
416 "ZONEMD verification successful");
417
418 /* load a DNSSEC NSEC zone without ZONEMD */
419 zonemd_verify_test("example.com",
420 SRCDIRSTR "/testdata/zonemd.example7.zone",
421 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
422 "20201020135527",
423 "DNSSEC verified nonexistence of ZONEMD");
424 /* load a DNSSEC NSEC3 zone without ZONEMD */
425 zonemd_verify_test("example.com",
426 SRCDIRSTR "/testdata/zonemd.example8.zone",
427 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
428 "20201020135527",
429 "DNSSEC verified nonexistence of ZONEMD");
430
431 /* load DNSSEC zone but RRSIG on ZONEMD is wrong */
432 zonemd_verify_test("example.com",
433 SRCDIRSTR "/testdata/zonemd.example9.zone",
434 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
435 "20201020135527",
436 #ifdef HAVE_SSL
437 "DNSSEC verify failed for ZONEMD RRset: signature crypto failed"
438 #else /* HAVE_NETTLE */
439 "DNSSEC verify failed for ZONEMD RRset: RSA signature verification failed"
440 #endif
441 );
442 /* load DNSSEC zone but RRSIG on SOA is wrong */
443 zonemd_verify_test("example.com",
444 SRCDIRSTR "/testdata/zonemd.example10.zone",
445 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
446 "20201020135527",
447 #ifdef HAVE_SSL
448 "DNSSEC verify failed for SOA RRset: signature crypto failed"
449 #else /* HAVE_NETTLE */
450 "DNSSEC verify failed for SOA RRset: RSA signature verification failed"
451 #endif
452 );
453
454 /* load DNSSEC zone without ZONEMD, but NSEC bitmap says it exists */
455 zonemd_verify_test("example.com",
456 SRCDIRSTR "/testdata/zonemd.example11.zone",
457 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
458 "20201020135527",
459 "DNSSEC NSEC bitmap says type ZONEMD exists");
460 /* load DNSSEC zone without ZONEMD, but NSEC3 bitmap says it exists */
461 zonemd_verify_test("example.com",
462 SRCDIRSTR "/testdata/zonemd.example12.zone",
463 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
464 "20201020135527",
465 "DNSSEC NSEC3 bitmap says type ZONEMD exists");
466
467 /* load DNSSEC zone without ZONEMD, but RRSIG on NSEC not okay */
468 zonemd_verify_test("example.com",
469 SRCDIRSTR "/testdata/zonemd.example13.zone",
470 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
471 "20201020135527",
472 #ifdef HAVE_SSL
473 "DNSSEC verify failed for NSEC RRset: signature crypto failed"
474 #else /* HAVE_NETTLE */
475 "DNSSEC verify failed for NSEC RRset: RSA signature verification failed"
476 #endif
477 );
478 /* load DNSSEC zone without ZONEMD, but RRSIG on NSEC3 not okay */
479 zonemd_verify_test("example.com",
480 SRCDIRSTR "/testdata/zonemd.example14.zone",
481 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
482 "20201020135527",
483 #ifdef HAVE_SSL
484 "DNSSEC verify failed for NSEC3 RRset: signature crypto failed"
485 #else /* HAVE_NETTLE */
486 "DNSSEC verify failed for NSEC3 RRset: RSA signature verification failed"
487 #endif
488 );
489
490 /* load DNSSEC zone, with ZONEMD, but DNSKEY RRSIG is not okay. */
491 zonemd_verify_test("example.com",
492 SRCDIRSTR "/testdata/zonemd.example15.zone",
493 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
494 "20201020135527",
495 #ifdef HAVE_SSL
496 "verify DNSKEY RRset with trust anchor failed: signature crypto failed"
497 #else /* HAVE_NETTLE */
498 "verify DNSKEY RRset with trust anchor failed: RSA signature verification failed"
499 #endif
500 );
501 /* load DNSSEC zone, but trust anchor mismatches DNSKEY */
502 zonemd_verify_test("example.com",
503 SRCDIRSTR "/testdata/zonemd.example5.zone",
504 /* okay anchor is
505 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af", */
506 "example.com. IN DS 55566 8 2 0000000000111111222223333444444dfcf92595148022f2c2fd98e5deee90af",
507 "20201020135527",
508 "verify DNSKEY RRset with trust anchor failed: DS hash mismatches key");
509 /* load DNSSEC zone, but trust anchor fails because the zone
510 * has expired signatures. We set the date for it */
511 zonemd_verify_test("example.com",
512 SRCDIRSTR "/testdata/zonemd.example5.zone",
513 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
514 /* okay date: "20201020135527", */
515 "20221020135527",
516 "verify DNSKEY RRset with trust anchor failed: signature expired");
517
518 /* duplicate zonemd with same scheme and algorithm */
519 zonemd_verify_test("example.com",
520 SRCDIRSTR "/testdata/zonemd.example16.zone",
521 NULL,
522 "20180302005009",
523 "ZONEMD RRSet contains more than one RR with the same scheme and hash algorithm");
524 /* different capitalisation of ns name and owner names, should
525 * be canonicalized. */
526 zonemd_verify_test("example.com",
527 SRCDIRSTR "/testdata/zonemd.example17.zone",
528 NULL,
529 "20180302005009",
530 "ZONEMD verification successful");
531 }
532
533 /** zonemd unit tests */
zonemd_test(void)534 void zonemd_test(void)
535 {
536 unit_show_feature("zonemd");
537 zonemd_generate_tests();
538 zonemd_check_test();
539 zonemd_verify_tests();
540 }
541