1 /*
2 * testcode/unitzonemd.c - unit test for zonemd.
3 *
4 * Copyright (c) 2020, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 *
35 */
36 /**
37 * \file
38 * Unit tests for ZONEMD functionality.
39 */
40
41 #include "config.h"
42 #include <ctype.h>
43 #include "util/log.h"
44 #include "testcode/unitmain.h"
45 #include "sldns/str2wire.h"
46 #include "services/authzone.h"
47 #include "util/data/dname.h"
48 #include "util/regional.h"
49 #include "validator/val_anchor.h"
50
51 #define xstr(s) str(s)
52 #define str(s) #s
53 #define SRCDIRSTR xstr(SRCDIR)
54
55 /** Add zone from file for testing */
56 struct auth_zone* authtest_addzone(struct auth_zones* az, const char* name,
57 char* fname);
58
59 /** zonemd unit test, generate a zonemd digest and check if correct */
zonemd_generate_test(const char * zname,char * zfile,int scheme,int hashalgo,const char * digest)60 static void zonemd_generate_test(const char* zname, char* zfile,
61 int scheme, int hashalgo, const char* digest)
62 {
63 uint8_t zonemd_hash[512];
64 size_t hashlen = 0;
65 char output[1024+1];
66 size_t i;
67 struct auth_zones* az;
68 struct auth_zone* z;
69 int result;
70 struct regional* region = NULL;
71 struct sldns_buffer* buf = NULL;
72 char* reason = NULL;
73 char* digestdup;
74
75 if(!zonemd_hashalgo_supported(hashalgo))
76 return; /* cannot test unsupported algo */
77
78 /* setup environment */
79 az = auth_zones_create();
80 unit_assert(az);
81 region = regional_create();
82 unit_assert(region);
83 buf = sldns_buffer_new(65535);
84 unit_assert(buf);
85
86 /* read file */
87 z = authtest_addzone(az, zname, zfile);
88 unit_assert(z);
89 lock_rw_wrlock(&z->lock);
90 z->zonemd_check = 1;
91 lock_rw_unlock(&z->lock);
92
93 /* create zonemd digest */
94 result = auth_zone_generate_zonemd_hash(z, scheme, hashalgo,
95 zonemd_hash, sizeof(zonemd_hash), &hashlen, region, buf,
96 &reason);
97 if(reason) printf("zonemd failure reason: %s\n", reason);
98 unit_assert(result);
99
100 /* check digest */
101 unit_assert(hashlen*2+1 <= sizeof(output));
102 for(i=0; i<hashlen; i++) {
103 const char* hexl = "0123456789ABCDEF";
104 output[i*2] = hexl[(zonemd_hash[i]&0xf0)>>4];
105 output[i*2+1] = hexl[zonemd_hash[i]&0xf];
106 }
107 output[hashlen*2] = 0;
108 digestdup = strdup(digest);
109 unit_assert(digestdup);
110 for(i=0; i<strlen(digestdup); i++) {
111 digestdup[i] = toupper((unsigned char)digestdup[i]);
112 }
113 if(verbosity >= VERB_ALGO) {
114 char zname[LDNS_MAX_DOMAINLEN];
115 dname_str(z->name, zname);
116 printf("zonemd generated for %s in %s with "
117 "scheme=%d hashalgo=%d\n", zname, z->zonefile,
118 scheme, hashalgo);
119 printf("digest %s\n", output);
120 printf("wanted %s\n", digestdup);
121 }
122 unit_assert(strcmp(output, digestdup) == 0);
123
124 /* delete environment */
125 free(digestdup);
126 auth_zones_delete(az);
127 regional_destroy(region);
128 sldns_buffer_free(buf);
129
130 if(verbosity >= VERB_ALGO) {
131 printf("\n");
132 }
133 }
134
135 /** loop over files and test generated zonemd digest */
zonemd_generate_tests(void)136 static void zonemd_generate_tests(void)
137 {
138 unit_show_func("services/authzone.c", "auth_zone_generate_zonemd_hash");
139 zonemd_generate_test("example.org", SRCDIRSTR "/testdata/zonemd.example1.zone",
140 1, 2, "20564D10F50A0CEBEC856C64032B7DFB53D3C449A421A5BC7A21F7627B4ACEA4DF29F2C6FE82ED9C23ADF6F4D420D5DD63EF6E6349D60FDAB910B65DF8D481B7");
141
142 /* https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-12
143 * from section A.1 */
144 zonemd_generate_test("example", SRCDIRSTR "/testdata/zonemd.example_a1.zone",
145 1, 1, "c68090d90a7aed716bc459f9340e3d7c1370d4d24b7e2fc3a1ddc0b9a87153b9a9713b3c9ae5cc27777f98b8e730044c");
146
147 /* https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-12
148 * from section A.2 */
149 zonemd_generate_test("example", SRCDIRSTR "/testdata/zonemd.example_a2.zone",
150 1, 1, "31cefb03814f5062ad12fa951ba0ef5f8da6ae354a415767246f7dc932ceb1e742a2108f529db6a33a11c01493de358d");
151
152 /* https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-12
153 * from section A.3 SHA384 digest */
154 zonemd_generate_test("example", SRCDIRSTR "/testdata/zonemd.example_a3.zone",
155 1, 1, "62e6cf51b02e54b9b5f967d547ce43136792901f9f88e637493daaf401c92c279dd10f0edb1c56f8080211f8480ee306");
156
157 /* https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-12
158 * from section A.3 SHA512 digest*/
159 zonemd_generate_test("example", SRCDIRSTR "/testdata/zonemd.example_a3.zone",
160 1, 2, "08cfa1115c7b948c4163a901270395ea226a930cd2cbcf2fa9a5e6eb85f37c8a4e114d884e66f176eab121cb02db7d652e0cc4827e7a3204f166b47e5613fd27");
161
162 /* https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-12
163 * from section A.4 */
164 zonemd_generate_test("uri.arpa", SRCDIRSTR "/testdata/zonemd.example_a4.zone",
165 1, 1, "1291b78ddf7669b1a39d014d87626b709b55774c5d7d58fadc556439889a10eaf6f11d615900a4f996bd46279514e473");
166
167 /* https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-12
168 * from section A.5.
169 * Adjusted with renumbered B.root. */
170 zonemd_generate_test("root-servers.net", SRCDIRSTR "/testdata/zonemd.example_a5.zone",
171 1, 1, "5a9521d88984ee123d9626191e2a327a43a16fd4339dd4ecc13d8672d5bae527d066d33645e35778677800005247d199");
172 }
173
174 /** test the zonemd check routine */
zonemd_check_test(void)175 static void zonemd_check_test(void)
176 {
177 const char* zname = "example.org";
178 char* zfile = SRCDIRSTR "/testdata/zonemd.example1.zone";
179 int scheme = 1;
180 int hashalgo = 2;
181 const char* digest = "20564D10F50A0CEBEC856C64032B7DFB53D3C449A421A5BC7A21F7627B4ACEA4DF29F2C6FE82ED9C23ADF6F4D420D5DD63EF6E6349D60FDAB910B65DF8D481B7";
182 const char* digestwrong = "20564D10F50A0CEBEC856C64032B7DFB53D3C449A421A5BC7A21F7627B4ACEA4DF29F2C6FE82ED9C23ADF6F4D420D5DD63EF6E6349D60FDAB910B65DF8D48100";
183 uint8_t hash[512], hashwrong[512];
184 size_t hashlen = 0, hashwronglen = 0;
185 struct auth_zones* az;
186 struct auth_zone* z;
187 int result;
188 struct regional* region = NULL;
189 struct sldns_buffer* buf = NULL;
190 char* reason = NULL;
191
192 if(!zonemd_hashalgo_supported(hashalgo))
193 return; /* cannot test unsupported algo */
194 unit_show_func("services/authzone.c", "auth_zone_generate_zonemd_check");
195
196 /* setup environment */
197 az = auth_zones_create();
198 unit_assert(az);
199 region = regional_create();
200 unit_assert(region);
201 buf = sldns_buffer_new(65535);
202 unit_assert(buf);
203
204 /* read file */
205 z = authtest_addzone(az, zname, zfile);
206 unit_assert(z);
207 lock_rw_wrlock(&z->lock);
208 z->zonemd_check = 1;
209 lock_rw_unlock(&z->lock);
210 hashlen = sizeof(hash);
211 if(sldns_str2wire_hex_buf(digest, hash, &hashlen) != 0) {
212 unit_assert(0); /* parse failure */
213 }
214 hashwronglen = sizeof(hashwrong);
215 if(sldns_str2wire_hex_buf(digestwrong, hashwrong, &hashwronglen) != 0) {
216 unit_assert(0); /* parse failure */
217 }
218
219 /* check return values of the check routine */
220 result = auth_zone_generate_zonemd_check(z, scheme, hashalgo,
221 hash, hashlen, region, buf, &reason);
222 unit_assert(result && reason == NULL);
223 result = auth_zone_generate_zonemd_check(z, 241, hashalgo,
224 hash, hashlen, region, buf, &reason);
225 unit_assert(result && strcmp(reason, "unsupported scheme")==0);
226 result = auth_zone_generate_zonemd_check(z, scheme, 242,
227 hash, hashlen, region, buf, &reason);
228 unit_assert(result && strcmp(reason, "unsupported algorithm")==0);
229 result = auth_zone_generate_zonemd_check(z, scheme, hashalgo,
230 hash, 2, region, buf, &reason);
231 unit_assert(!result && strcmp(reason, "digest length too small, less than 12")==0);
232 result = auth_zone_generate_zonemd_check(z, scheme, hashalgo,
233 hashwrong, hashwronglen, region, buf, &reason);
234 unit_assert(!result && strcmp(reason, "incorrect digest")==0);
235 result = auth_zone_generate_zonemd_check(z, scheme, hashalgo,
236 hashwrong, hashwronglen-3, region, buf, &reason);
237 unit_assert(!result && strcmp(reason, "incorrect digest length")==0);
238
239 /* delete environment */
240 auth_zones_delete(az);
241 regional_destroy(region);
242 sldns_buffer_free(buf);
243
244 if(verbosity >= VERB_ALGO) {
245 printf("\n");
246 }
247 }
248
249 /** zonemd test verify */
zonemd_verify_test(char * zname,char * zfile,char * tastr,char * date_override,char * result_wanted)250 static void zonemd_verify_test(char* zname, char* zfile, char* tastr,
251 char* date_override, char* result_wanted)
252 {
253 time_t now = 0;
254 struct module_stack mods;
255 struct module_env env;
256 char* result = NULL;
257 struct auth_zone* z;
258
259 /* setup test harness */
260 memset(&env, 0, sizeof(env));
261 env.scratch = regional_create();
262 if(!env.scratch)
263 fatal_exit("out of memory");
264 env.scratch_buffer = sldns_buffer_new(65553);
265 if(!env.scratch_buffer)
266 fatal_exit("out of memory");
267 env.cfg = config_create();
268 if(!env.cfg)
269 fatal_exit("out of memory");
270 config_auto_slab_values(env.cfg);
271 env.now = &now;
272 env.cfg->val_date_override = cfg_convert_timeval(date_override);
273 if(!env.cfg->val_date_override)
274 fatal_exit("could not parse datetime %s", date_override);
275 if(env.cfg->module_conf)
276 free(env.cfg->module_conf);
277 env.cfg->module_conf = strdup("validator iterator");
278 if(!env.cfg->module_conf)
279 fatal_exit("out of memory");
280 if(tastr) {
281 if(!cfg_strlist_insert(&env.cfg->trust_anchor_list,
282 strdup(tastr)))
283 fatal_exit("out of memory");
284 }
285 env.anchors = anchors_create();
286 if(!env.anchors)
287 fatal_exit("out of memory");
288 env.auth_zones = auth_zones_create();
289 if(!env.auth_zones)
290 fatal_exit("out of memory");
291 modstack_init(&mods);
292 if(!modstack_call_startup(&mods, env.cfg->module_conf, &env))
293 fatal_exit("could not modstack_startup");
294 if(!modstack_call_init(&mods, env.cfg->module_conf, &env))
295 fatal_exit("could not modstack_call_init");
296 env.mesh = mesh_create(&mods, &env);
297 if(!env.mesh)
298 fatal_exit("out of memory");
299
300 /* load data */
301 z = authtest_addzone(env.auth_zones, zname, zfile);
302 if(!z)
303 fatal_exit("could not addzone %s %s", zname, zfile);
304
305 /* test */
306 lock_rw_wrlock(&z->lock);
307 z->zonemd_check = 1;
308 auth_zone_verify_zonemd(z, &env, &mods, &result, 1, 0);
309 lock_rw_unlock(&z->lock);
310 if(verbosity >= VERB_ALGO) {
311 printf("auth zone %s: ZONEMD verification %s: %s\n", zname,
312 (strcmp(result, "ZONEMD verification successful")==0?"successful":"failed"),
313 result);
314 }
315 if(!result)
316 fatal_exit("out of memory");
317 unit_assert(strcmp(result, result_wanted) == 0);
318 if(strcmp(result, "ZONEMD verification successful") == 0 ||
319 strcmp(result, "DNSSEC verified nonexistence of ZONEMD") == 0 ||
320 strcmp(result, "no ZONEMD present") == 0) {
321 lock_rw_rdlock(&z->lock);
322 unit_assert(!z->zone_expired);
323 lock_rw_unlock(&z->lock);
324 } else {
325 lock_rw_rdlock(&z->lock);
326 unit_assert(z->zone_expired);
327 lock_rw_unlock(&z->lock);
328 }
329 free(result);
330
331 /* desetup test harness */
332 mesh_delete(env.mesh);
333 modstack_call_deinit(&mods, &env);
334 modstack_call_destartup(&mods, &env);
335 modstack_free(&mods);
336 auth_zones_delete(env.auth_zones);
337 anchors_delete(env.anchors);
338 config_delete(env.cfg);
339 regional_destroy(env.scratch);
340 sldns_buffer_free(env.scratch_buffer);
341
342 if(verbosity >= VERB_ALGO) {
343 printf("\n");
344 }
345 }
346
347 /** zonemd test verify suite */
zonemd_verify_tests(void)348 static void zonemd_verify_tests(void)
349 {
350 unit_show_func("services/authzone.c", "auth_zone_verify_zonemd");
351 /* give trustanchor for unsigned zone, should fail */
352 zonemd_verify_test("example.org",
353 SRCDIRSTR "/testdata/zonemd.example1.zone",
354 "example.org. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
355 "20180302005009",
356 "verify DNSKEY RRset with trust anchor failed: have trust anchor, but zone has no DNSKEY");
357 /* unsigned zone without ZONEMD in it */
358 zonemd_verify_test("example.org",
359 SRCDIRSTR "/testdata/zonemd.example1.zone",
360 NULL,
361 "20180302005009",
362 "no ZONEMD present");
363 /* no trust anchor, so it succeeds for zone with a correct ZONEMD */
364 zonemd_verify_test("example.com",
365 SRCDIRSTR "/testdata/zonemd.example2.zone",
366 NULL,
367 "20180302005009",
368 "ZONEMD verification successful");
369 /* trust anchor for another zone, so it is indeterminate */
370 zonemd_verify_test("example.com",
371 SRCDIRSTR "/testdata/zonemd.example2.zone",
372 "example.org. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
373 "20180302005009",
374 "ZONEMD verification successful");
375
376 /* load a DNSSEC signed zone, but no trust anchor */
377 /* this zonefile has an incorrect ZONEMD digest, with correct
378 * DNSSEC signature. */
379 zonemd_verify_test("example.com",
380 SRCDIRSTR "/testdata/zonemd.example3.zone",
381 NULL,
382 "20180302005009",
383 "incorrect digest");
384 /* load a DNSSEC zone with NSEC3, but no trust anchor */
385 /* this zonefile has an incorrect ZONEMD digest, with correct
386 * DNSSEC signature. */
387 zonemd_verify_test("example.com",
388 SRCDIRSTR "/testdata/zonemd.example4.zone",
389 NULL,
390 "20180302005009",
391 "incorrect digest");
392 /* valid zonemd, in dnssec signed zone, no trust anchor*/
393 /* this zonefile has a correct ZONEMD digest and
394 * correct DNSSEC signature */
395 zonemd_verify_test("example.com",
396 SRCDIRSTR "/testdata/zonemd.example5.zone",
397 NULL,
398 "20180302005009",
399 "ZONEMD verification successful");
400 /* valid zonemd, in dnssec NSEC3 zone, no trust anchor*/
401 zonemd_verify_test("example.com",
402 SRCDIRSTR "/testdata/zonemd.example6.zone",
403 NULL,
404 "20180302005009",
405 "ZONEMD verification successful");
406
407 /* load a DNSSEC signed zone with a trust anchor, valid ZONEMD */
408 zonemd_verify_test("example.com",
409 SRCDIRSTR "/testdata/zonemd.example5.zone",
410 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
411 "20201020135527",
412 "ZONEMD verification successful");
413 /* load a DNSSEC NSEC3 signed zone with a trust anchor, valid ZONEMD */
414 zonemd_verify_test("example.com",
415 SRCDIRSTR "/testdata/zonemd.example6.zone",
416 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
417 "20201020135527",
418 "ZONEMD verification successful");
419
420 /* load a DNSSEC NSEC zone without ZONEMD */
421 zonemd_verify_test("example.com",
422 SRCDIRSTR "/testdata/zonemd.example7.zone",
423 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
424 "20201020135527",
425 "DNSSEC verified nonexistence of ZONEMD");
426 /* load a DNSSEC NSEC3 zone without ZONEMD */
427 zonemd_verify_test("example.com",
428 SRCDIRSTR "/testdata/zonemd.example8.zone",
429 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
430 "20201020135527",
431 "DNSSEC verified nonexistence of ZONEMD");
432
433 /* load DNSSEC zone but RRSIG on ZONEMD is wrong */
434 zonemd_verify_test("example.com",
435 SRCDIRSTR "/testdata/zonemd.example9.zone",
436 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
437 "20201020135527",
438 #ifdef HAVE_SSL
439 "DNSSEC verify failed for ZONEMD RRset: signature crypto failed"
440 #else /* HAVE_NETTLE */
441 "DNSSEC verify failed for ZONEMD RRset: RSA signature verification failed"
442 #endif
443 );
444 /* load DNSSEC zone but RRSIG on SOA is wrong */
445 zonemd_verify_test("example.com",
446 SRCDIRSTR "/testdata/zonemd.example10.zone",
447 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
448 "20201020135527",
449 #ifdef HAVE_SSL
450 "DNSSEC verify failed for SOA RRset: signature crypto failed"
451 #else /* HAVE_NETTLE */
452 "DNSSEC verify failed for SOA RRset: RSA signature verification failed"
453 #endif
454 );
455
456 /* load DNSSEC zone without ZONEMD, but NSEC bitmap says it exists */
457 zonemd_verify_test("example.com",
458 SRCDIRSTR "/testdata/zonemd.example11.zone",
459 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
460 "20201020135527",
461 "DNSSEC NSEC bitmap says type ZONEMD exists");
462 /* load DNSSEC zone without ZONEMD, but NSEC3 bitmap says it exists */
463 zonemd_verify_test("example.com",
464 SRCDIRSTR "/testdata/zonemd.example12.zone",
465 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
466 "20201020135527",
467 "DNSSEC NSEC3 bitmap says type ZONEMD exists");
468
469 /* load DNSSEC zone without ZONEMD, but RRSIG on NSEC not okay */
470 zonemd_verify_test("example.com",
471 SRCDIRSTR "/testdata/zonemd.example13.zone",
472 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
473 "20201020135527",
474 #ifdef HAVE_SSL
475 "DNSSEC verify failed for NSEC RRset: signature crypto failed"
476 #else /* HAVE_NETTLE */
477 "DNSSEC verify failed for NSEC RRset: RSA signature verification failed"
478 #endif
479 );
480 /* load DNSSEC zone without ZONEMD, but RRSIG on NSEC3 not okay */
481 zonemd_verify_test("example.com",
482 SRCDIRSTR "/testdata/zonemd.example14.zone",
483 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
484 "20201020135527",
485 #ifdef HAVE_SSL
486 "DNSSEC verify failed for NSEC3 RRset: signature crypto failed"
487 #else /* HAVE_NETTLE */
488 "DNSSEC verify failed for NSEC3 RRset: RSA signature verification failed"
489 #endif
490 );
491
492 /* load DNSSEC zone, with ZONEMD, but DNSKEY RRSIG is not okay. */
493 zonemd_verify_test("example.com",
494 SRCDIRSTR "/testdata/zonemd.example15.zone",
495 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
496 "20201020135527",
497 #ifdef HAVE_SSL
498 "verify DNSKEY RRset with trust anchor failed: signature crypto failed"
499 #else /* HAVE_NETTLE */
500 "verify DNSKEY RRset with trust anchor failed: RSA signature verification failed"
501 #endif
502 );
503 /* load DNSSEC zone, but trust anchor mismatches DNSKEY */
504 zonemd_verify_test("example.com",
505 SRCDIRSTR "/testdata/zonemd.example5.zone",
506 /* okay anchor is
507 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af", */
508 "example.com. IN DS 55566 8 2 0000000000111111222223333444444dfcf92595148022f2c2fd98e5deee90af",
509 "20201020135527",
510 "verify DNSKEY RRset with trust anchor failed: DS hash mismatches key");
511 /* load DNSSEC zone, but trust anchor fails because the zone
512 * has expired signatures. We set the date for it */
513 zonemd_verify_test("example.com",
514 SRCDIRSTR "/testdata/zonemd.example5.zone",
515 "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
516 /* okay date: "20201020135527", */
517 "20221020135527",
518 "verify DNSKEY RRset with trust anchor failed: signature expired");
519
520 /* duplicate zonemd with same scheme and algorithm */
521 zonemd_verify_test("example.com",
522 SRCDIRSTR "/testdata/zonemd.example16.zone",
523 NULL,
524 "20180302005009",
525 "ZONEMD RRSet contains more than one RR with the same scheme and hash algorithm");
526 /* different capitalisation of ns name and owner names, should
527 * be canonicalized. */
528 zonemd_verify_test("example.com",
529 SRCDIRSTR "/testdata/zonemd.example17.zone",
530 NULL,
531 "20180302005009",
532 "ZONEMD verification successful");
533 }
534
535 /** zonemd unit tests */
zonemd_test(void)536 void zonemd_test(void)
537 {
538 unit_show_feature("zonemd");
539 zonemd_generate_tests();
540 zonemd_check_test();
541 zonemd_verify_tests();
542 }
543