From 781201c780419377005f358b20017ba9d6edc288 Mon Sep 17 00:00:00 2001
From: Linus Nordberg
Date: Wed, 30 Mar 2016 21:35:31 +0200
Subject: Add validatechain.c and move some code to common.c.

dns-net2wire.c is nothing but an ugly hack on top of getdns_query.c making it save answer, validation_chain and trust anchors to three separate files. Used for testing purposes. validatechain takes the above mentioned three files as input and performs DNSSEC validation.
---
 tools/dnssec/validatechain.c | 110 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 110 insertions(+)
 create mode 100644 tools/dnssec/validatechain.c
(limited to 'tools/dnssec/validatechain.c')

diff --git a/tools/dnssec/validatechain.c b/tools/dnssec/validatechain.c
new file mode 100644
index 0000000..1ecf5f7
--- /dev/null
+++ b/tools/dnssec/validatechain.c
@@ -0,0 +1,110 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include "common.h"
+
+static getdns_return_t
+validate(const uint8_t *records_buf, size_t records_len,
+ const uint8_t *support_buf, size_t support_len,
+ const uint8_t *trust_anchors_buf, size_t trust_anchors_len,
+ time_t validation_time, uint32_t skew)
+{
+ getdns_return_t r = GETDNS_DNSSEC_INDETERMINATE;
+
+ getdns_list *to_validate = NULL;
+ if ((r = wire_rrs2list(records_buf, records_len, &to_validate)))
+ goto out;
+
+ getdns_list *support_records = NULL;
+ if ((r = wire_rrs2list(support_buf, support_len, &support_records)))
+ goto out;
+
+ getdns_list *trust_anchors = NULL;
+ if ((r = wire_rrs2list(trust_anchors_buf, trust_anchors_len, &trust_anchors)))
+ goto out;
+
+ /*
+ to_validate: The DS and an RRSIG for that DS.
+
+ support_records: DS's and DNSKEY's with accompanying RRSIG's.
+
+ trust_anchors: DNSKEY's (or DS?).
+ */
+
+ r = getdns_validate_dnssec2(to_validate,
+ support_records,
+ trust_anchors,
+ validation_time,
+ skew);
+
+out:
+ if (to_validate)
+ getdns_list_destroy(to_validate);
+ if (support_records)
+ getdns_list_destroy(support_records);
+ if (trust_anchors)
+ getdns_list_destroy(trust_anchors);
+
+ return r;
+}
+
+static void
+usage()
+{
+ fprintf(stderr, "usage: dns-validatechain to-validate-file "
+ "support-records-file [trust-anchors-file]\n");
+}
+
+static int
+read_file(const char *filename, uint8_t **out, size_t *out_len)
+{
+ FILE *fp = fopen(filename, "r");
+
+ if (fp == NULL)
+ return errno;
+ *out_len = read_buffer(fp, out, *out_len);
+ if (fclose(fp)) assert(0);
+
+ return 0;
+}
+
+int
+main(int argc, char *argv[])
+{
+ if (argc < 4) {
+ usage();
+ exit(1);
+ }
+
+ uint8_t *tv = NULL;
+ size_t tv_len = 8 * 1024;
+ if (read_file(argv[1], &tv, &tv_len))
+ assert(0);
+
+ uint8_t *sup = NULL;
+ size_t sup_len = 64 * 1024;
+ if (read_file(argv[2], &sup, &sup_len))
+ assert(0);
+
+ uint8_t *ta = NULL;
+ size_t ta_len = 4 * 1024;
+ if (read_file(argv[3], &ta, &ta_len))
+ assert(0);
+
+ getdns_return_t r = 0;
+ if ((r = validate(tv, tv_len,
+ sup, sup_len,
+ ta, ta_len,
+ time(NULL), 5)) != GETDNS_DNSSEC_SECURE) {
+ fprintf(stderr, "validation failed: %d (%s)\n",
+ r, getdns_get_errorstr_by_id(r));
+ return r;
+ }
+
+ return 0;
+}
--
cgit v1.1
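Review bot: In main(), every read_file() failure is handled only by `assert(0);`, which is compiled out under NDEBUG, so an unreadable to-validate, support or trust-anchors file lets execution continue into validate() with a NULL buffer and the preset length (8, 64 or 4 KiB) — a DNSSEC validation tool should fail closed here, and the `if (fclose(fp)) assert(0);` in read_file() has the same problem. The sketch below reports the failing path with perror() and exits non-zero instead; since the inputs are wire-format bytes handed to wire_rrs2list(), `fopen(filename, "rb")` is also the appropriate mode, and read_buffer()'s return is stored unchecked, so its failure convention (defined in common.h, outside this hunk) should be confirmed and tested too. Two smaller points in the same hunk: the usage text advertises `[trust-anchors-file]` as optional while `if (argc < 4)` rejects its absence, and `return r;` from main() passes a getdns status code to the shell, which keeps only the low eight bits (the GETDNS_DNSSEC_* values are, as far as I recall, in the 400 range — confirm against getdns.h), so a fixed `return 1;` after the diagnostic keeps the exit status meaningful.
```c
	FILE *fp = fopen(filename, "rb");	/* wire-format input: binary mode */
	/* … unchanged: NULL check, read_buffer() … */
	if (fclose(fp))
		return errno;
	return 0;

/* … unchanged: main() argument check … */
	if (read_file(argv[1], &tv, &tv_len)) {
		perror(argv[1]);
		return 1;
	}
	/* … same check after the argv[2] and argv[3] read_file() calls … */
	/* … unchanged: validate() call and "validation failed" diagnostic … */
		return 1;	/* was: return r; — exit status is only 8 bits wide */
```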