author | Linus Nordberg <linus@nordu.net> | 2016-03-30 21:35:31 +0200 |
---|---|---|
committer | Linus Nordberg <linus@nordu.net> | 2016-03-30 21:35:31 +0200 |
commit | b69ff1c846250939de3e4f32ff4d07d6ee415009 (patch) | |
tree | 4b5755c39fdac519cb9b878d011ee33a729b8a62 /tools/dnssec/validatechain.c | |
parent | 8106050f24d1552f9fe9f0f1521eb3068de08ea4 (diff) |
Add validatechain.c and move some code to common.c.
dns-net2wire.c is nothing but an ugly hack on top of getdns_query.c
making it save answer, validation_chain and trust anchors to three
separate files. Used for testing purposes.
validatechain takes the above mentioned three files as input and
performs DNSSEC validation.
Diffstat (limited to 'tools/dnssec/validatechain.c')
-rw-r--r-- | tools/dnssec/validatechain.c | 110 |
1 files changed, 110 insertions, 0 deletions
diff --git a/tools/dnssec/validatechain.c b/tools/dnssec/validatechain.c
new file mode 100644
index 0000000..1ecf5f7
--- /dev/null
+++ b/tools/dnssec/validatechain.c
@@ -0,0 +1,110 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <assert.h>
+#include <time.h>
+#include <getdns/getdns.h>
+#include <getdns/getdns_extra.h>
+#include "common.h"
+
+static getdns_return_t
+validate(const uint8_t *records_buf, size_t records_len,
+	 const uint8_t *support_buf, size_t support_len,
+	 const uint8_t *trust_anchors_buf, size_t trust_anchors_len,
+	 time_t validation_time, uint32_t skew)
+{
+	getdns_return_t r = GETDNS_DNSSEC_INDETERMINATE;
+
+	getdns_list *to_validate = NULL;
+	if ((r = wire_rrs2list(records_buf, records_len, &to_validate)))
+		goto out;
+
+	getdns_list *support_records = NULL;
+	if ((r = wire_rrs2list(support_buf, support_len, &support_records)))
+		goto out;
+
+	getdns_list *trust_anchors = NULL;
+	if ((r = wire_rrs2list(trust_anchors_buf, trust_anchors_len, &trust_anchors)))
+		goto out;
+
+	/*
+	  to_validate: The DS and an RRSIG for that DS.
+
+	  support_records: DS's and DNSKEY's with accompanying RRSIG's.
+
+	  trust_anchors: DNSKEY's (or DS?).
+	 */
+
+	r = getdns_validate_dnssec2(to_validate,
+				    support_records,
+				    trust_anchors,
+				    validation_time,
+				    skew);
+
+out:
+	if (to_validate)
+		getdns_list_destroy(to_validate);
+	if (support_records)
+		getdns_list_destroy(support_records);
+	if (trust_anchors)
+		getdns_list_destroy(trust_anchors);
+
+	return r;
+}
+
+static void
+usage()
+{
+	fprintf(stderr, "usage: dns-validatechain to-validate-file "
+		"support-records-file [trust-anchors-file]\n");
+}
+
+static int
+read_file(const char *filename, uint8_t **out, size_t *out_len)
+{
+	FILE *fp = fopen(filename, "r");
+
+	if (fp == NULL)
+		return errno;
+	*out_len = read_buffer(fp, out, *out_len);
+	if (fclose(fp)) assert(0);
+
+	return 0;
+}
+
+int
+main(int argc, char *argv[])
+{
+	if (argc < 4) {
+		usage();
+		exit(1);
+	}
+
+	uint8_t *tv = NULL;
+	size_t tv_len = 8 * 1024;
+	if (read_file(argv[1], &tv, &tv_len))
+		assert(0);
+
+	uint8_t *sup = NULL;
+	size_t sup_len = 64 * 1024;
+	if (read_file(argv[2], &sup, &sup_len))
+		assert(0);
+
+	uint8_t *ta = NULL;
+	size_t ta_len = 4 * 1024;
+	if (read_file(argv[3], &ta, &ta_len))
+		assert(0);
+
+	getdns_return_t r = 0;
+	if ((r = validate(tv, tv_len,
+			  sup, sup_len,
+			  ta, ta_len,
+			  time(NULL), 5)) != GETDNS_DNSSEC_SECURE) {
+		fprintf(stderr, "validation failed: %d (%s)\n",
+			r, getdns_get_errorstr_by_id(r));
+		return r;
+	}
+
+	return 0;
+}
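Review bot: Every input-file failure in main (the three `if (read_file(...)) assert(0);` sites) and the `fclose` check in read_file is handled with `assert(0)`, so a build compiled with NDEBUG silently continues past a missing or unreadable file and passes a still-NULL `tv`/`sup`/`ta` into validate; report the error and exit explicitly instead, as sketched below. The usage text also advertises `[trust-anchors-file]` as optional while the `argc < 4` check makes it mandatory, so one of the two should change. read_buffer comes from common.h and is not visible in this hunk; if it can signal failure through its return value, the `*out_len = read_buffer(fp, out, *out_len);` line does not check for it either. Since the files hold DNS wire format, `fopen(filename, "rb")` is the safer mode on platforms that translate text streams.
```c
	uint8_t *tv = NULL;
	size_t tv_len = 8 * 1024;
	if (read_file(argv[1], &tv, &tv_len)) {
		perror(argv[1]);
		exit(1);
	}
	/* … same check for the argv[2]/sup and argv[3]/ta reads; rest of main unchanged … */
```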