]> git.bitcoin.ninja Git - dnssec-prover/blob - src/lib.rs
Return the time bounds on validated RR sets
[dnssec-prover] / src / lib.rs
1 //! The DNS provides a single, global, hierarchical namespace with (when DNSSEC is used)
2 //! cryptographic guarantees on all of its data.
3 //!
4 //! This makes it incredibly powerful for resolving human-readable names into arbitrary, secured
5 //! data.
6 //!
7 //! Unlike TLS, this cryptographic security provides transferable proofs which can convince an
8 //! offline device, using simple cryptographic primitives and a single root trusted key, of the
9 //! validity of DNS data.
10 //!
11 //! This crate implements the creation and validation of such proofs, using the format from RFC
12 //! 9102 to create transferable proofs of DNS entries.
13 //!
14 //! It is no-std (but requires `alloc`) and seeks to have minimal dependencies and a reasonably
15 //! conservative MSRV policy, allowing it to be used in as many places as possible.
16
17 #![deny(missing_docs)]
18
19 #![cfg_attr(not(feature = "std"), no_std)]
20 extern crate alloc;
21
22 use alloc::vec::Vec;
23 use alloc::vec;
24 use core::cmp;
25
26 use ring::signature;
27
28 pub mod rr;
29 use rr::*;
30
31 mod ser;
32 use ser::{bytes_to_rsa_pk, parse_rr, write_name};
33
34 #[cfg(feature = "std")]
35 pub mod query;
36
37 /// Gets the trusted root anchors
38 ///
39 /// These are available at <https://data.iana.org/root-anchors/root-anchors.xml>
40 pub fn root_hints() -> Vec<DS> {
41         #[allow(unused_mut)]
42         let mut res = vec![DS {
43                 name: ".".try_into().unwrap(), key_tag: 19036, alg: 8, digest_type: 2,
44                 digest: hex_lit::hex!("49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5").to_vec(),
45         }, DS {
46                 name: ".".try_into().unwrap(), key_tag: 20326, alg: 8, digest_type: 2,
47                 digest: hex_lit::hex!("E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D").to_vec(),
48         }];
49         // In tests, add the trust anchor from RFC 9102
50         #[cfg(test)]
51         res.push(DS {
52                 name: ".".try_into().unwrap(), key_tag: 47005, alg: 13, digest_type: 2,
53                 digest: hex_lit::hex!("2eb6e9f2480126691594d649a5a613de3052e37861634641bb568746f2ffc4d4").to_vec(),
54         });
55         res
56 }
57
58 /// Parse a stream of [`RR`]s from the format described in [RFC 9102](https://www.rfc-editor.org/rfc/rfc9102.html).
59 ///
60 /// Note that this is only the series of `AuthenticationChain` records, and does not read the
61 /// `ExtSupportLifetime` field at the start of a `DnssecChainExtension`.
62 pub fn parse_rr_stream(mut inp: &[u8]) -> Result<Vec<RR>, ()> {
63         let mut res = Vec::with_capacity(32);
64         while !inp.is_empty() {
65                 res.push(parse_rr(&mut inp)?);
66         }
67         Ok(res)
68 }
69
70 /// Writes the given resource record in its wire encoding to the given `Vec`.
71 ///
72 /// An [RFC 9102](https://www.rfc-editor.org/rfc/rfc9102.html) `AuthenticationChain` is simply a
73 /// series of such records with no additional bytes in between.
74 pub fn write_rr<RR: Record>(rr: &RR, ttl: u32, out: &mut Vec<u8>) {
75         write_name(out, rr.name());
76         out.extend_from_slice(&rr.ty().to_be_bytes());
77         out.extend_from_slice(&1u16.to_be_bytes()); // The INternet class
78         out.extend_from_slice(&ttl.to_be_bytes());
79         rr.write_u16_len_prefixed_data(out);
80 }
81
82 #[derive(Debug, PartialEq)]
83 /// An error when validating DNSSEC signatures or other data
84 pub enum ValidationError {
85         /// An algorithm used in signing was not supported.
86         ///
87         /// In general DNS usage the resulting data should be used anyway, as we were able to verify
88         /// that a zone wished to use the unsupported algorithm.
89         ///
90         /// However, in cases where signing is mandatory, this can be treated as an error.
91         UnsupportedAlgorithm,
92         /// The provided data was invalid or signatures did not validate.
93         Invalid,
94 }
95
96 fn verify_rrsig<'a, RR: Record, Keys>(sig: &RRSig, dnskeys: Keys, mut records: Vec<&RR>)
97 -> Result<(), ValidationError>
98 where Keys: IntoIterator<Item = &'a DnsKey> {
99         for record in records.iter() {
100                 if sig.ty != record.ty() { return Err(ValidationError::Invalid); }
101         }
102         for dnskey in dnskeys.into_iter() {
103                 if dnskey.key_tag() == sig.key_tag {
104                         // Protocol must be 3, otherwise its not DNSSEC
105                         if dnskey.protocol != 3 { continue; }
106                         // The ZONE flag must be set if we're going to validate RRs with this key.
107                         if dnskey.flags & 0b1_0000_0000 == 0 { continue; }
108                         if dnskey.alg != sig.alg { continue; }
109
110                         let mut signed_data = Vec::with_capacity(2048);
111                         signed_data.extend_from_slice(&sig.ty.to_be_bytes());
112                         signed_data.extend_from_slice(&sig.alg.to_be_bytes());
113                         signed_data.extend_from_slice(&sig.labels.to_be_bytes());
114                         signed_data.extend_from_slice(&sig.orig_ttl.to_be_bytes());
115                         signed_data.extend_from_slice(&sig.expiration.to_be_bytes());
116                         signed_data.extend_from_slice(&sig.inception.to_be_bytes());
117                         signed_data.extend_from_slice(&sig.key_tag.to_be_bytes());
118                         write_name(&mut signed_data, &sig.key_name);
119
120                         records.sort();
121
122                         for record in records.iter() {
123                                 let periods = record.name().as_str().chars().filter(|c| *c == '.').count();
124                                 let labels = sig.labels.into();
125                                 if periods != 1 && periods != labels {
126                                         if periods < labels { return Err(ValidationError::Invalid); }
127                                         let signed_name = record.name().as_str().splitn(periods - labels + 1, ".").last();
128                                         debug_assert!(signed_name.is_some());
129                                         if let Some(name) = signed_name {
130                                                 signed_data.extend_from_slice(b"\x01*");
131                                                 write_name(&mut signed_data, name);
132                                         } else { return Err(ValidationError::Invalid); }
133                                 } else {
134                                         write_name(&mut signed_data, record.name());
135                                 }
136                                 signed_data.extend_from_slice(&record.ty().to_be_bytes());
137                                 signed_data.extend_from_slice(&1u16.to_be_bytes()); // The INternet class
138                                 signed_data.extend_from_slice(&sig.orig_ttl.to_be_bytes());
139                                 record.write_u16_len_prefixed_data(&mut signed_data);
140                         }
141
142                         match sig.alg {
143                                 8|10 => {
144                                         let alg = if sig.alg == 8 {
145                                                 &signature::RSA_PKCS1_1024_8192_SHA256_FOR_LEGACY_USE_ONLY
146                                         } else {
147                                                 &signature::RSA_PKCS1_1024_8192_SHA512_FOR_LEGACY_USE_ONLY
148                                         };
149                                         bytes_to_rsa_pk(&dnskey.pubkey).map_err(|_| ValidationError::Invalid)?
150                                                 .verify(alg, &signed_data, &sig.signature)
151                                                 .map_err(|_| ValidationError::Invalid)?;
152                                 },
153                                 13|14 => {
154                                         let alg = if sig.alg == 13 {
155                                                 &signature::ECDSA_P256_SHA256_FIXED
156                                         } else {
157                                                 &signature::ECDSA_P384_SHA384_FIXED
158                                         };
159
160                                         // Add 0x4 identifier to the ECDSA pubkey as expected by ring.
161                                         let mut key = Vec::with_capacity(dnskey.pubkey.len() + 1);
162                                         key.push(0x4);
163                                         key.extend_from_slice(&dnskey.pubkey);
164
165                                         signature::UnparsedPublicKey::new(alg, &key)
166                                                 .verify(&signed_data, &sig.signature)
167                                                 .map_err(|_| ValidationError::Invalid)?;
168                                 },
169                                 15 => {
170                                         signature::UnparsedPublicKey::new(&signature::ED25519, &dnskey.pubkey)
171                                                 .verify(&signed_data, &sig.signature)
172                                                 .map_err(|_| ValidationError::Invalid)?;
173                                 },
174                                 _ => return Err(ValidationError::UnsupportedAlgorithm),
175                         }
176
177                         return Ok(());
178                 }
179         }
180         Err(ValidationError::Invalid)
181 }
182
183 fn verify_dnskey_rrsig<'a, T, I>(sig: &RRSig, dses: T, records: Vec<&DnsKey>)
184 -> Result<(), ValidationError>
185 where T: IntoIterator<IntoIter = I>, I: Iterator<Item = &'a DS> + Clone {
186         let mut validated_dnskeys = Vec::with_capacity(records.len());
187         let dses = dses.into_iter();
188
189         let mut had_known_digest_type = false;
190         let mut had_ds = false;
191         for ds in dses.clone() {
192                 had_ds = true;
193                 if ds.digest_type == 2 || ds.digest_type == 4 {
194                         had_known_digest_type = true;
195                         break;
196                 }
197         }
198         if !had_ds { return Err(ValidationError::Invalid); }
199         if !had_known_digest_type { return Err(ValidationError::UnsupportedAlgorithm); }
200
201         for dnskey in records.iter() {
202                 for ds in dses.clone() {
203                         if ds.digest_type != 2 && ds.digest_type != 4 { continue; }
204                         if ds.alg != dnskey.alg { continue; }
205                         if dnskey.key_tag() == ds.key_tag {
206                                 let alg = match ds.digest_type {
207                                         2 => &ring::digest::SHA256,
208                                         4 => &ring::digest::SHA384,
209                                         _ => continue,
210                                 };
211                                 let mut ctx = ring::digest::Context::new(alg);
212                                 write_name(&mut ctx, &dnskey.name);
213                                 ctx.update(&dnskey.flags.to_be_bytes());
214                                 ctx.update(&dnskey.protocol.to_be_bytes());
215                                 ctx.update(&dnskey.alg.to_be_bytes());
216                                 ctx.update(&dnskey.pubkey);
217                                 let hash = ctx.finish();
218                                 if hash.as_ref() == &ds.digest {
219                                         validated_dnskeys.push(*dnskey);
220                                         break;
221                                 }
222                         }
223                 }
224         }
225         verify_rrsig(sig, validated_dnskeys.iter().map(|k| *k), records)
226 }
227
228 /// Given a set of [`RR`]s, [`verify_rr_stream`] checks what it can and returns the set of
229 /// non-[`RRSig`]/[`DnsKey`]/[`DS`] records which it was able to verify using this struct.
230 ///
231 /// It also contains
232 pub struct VerifiedRRStream<'a> {
233         /// The set of verified [`RR`]s.
234         ///
235         /// These are not valid unless the current UNIX time is between [`Self::valid_from`] and
236         /// [`Self::expiration`].
237         pub verified_rrs: Vec<&'a RR>,
238         /// The latest [`RRSig::inception`] of all the [`RRSig`]s validated to verify
239         /// [`Self::verified_rrs`].
240         ///
241         /// Any records in [`Self::verified_rrs`] should not be considered valid unless this is before
242         /// the current UNIX time.
243         pub valid_from: u32,
244         /// The earliest [`RRSig::expiration`] of all the [`RRSig`]s validated to verify
245         /// [`Self::verified_rrs`].
246         ///
247         /// Any records in [`Self::verified_rrs`] should not be considered valid unless this is after
248         /// the current UNIX time.
249         pub expires: u32,
250         /// The minimum [`RRSig::orig_ttl`] of all the [`RRSig`]s validated to verify
251         /// [`Self::verified_rrs`].
252         ///
253         /// Any caching of [`Self::verified_rrs`] must not last longer than this value, in seconds.
254         pub max_cache_ttl: u32,
255 }
256
257 /// Verifies the given set of resource records.
258 ///
259 /// Given a set of arbitrary records, this attempts to validate DNSSEC data from the [`root_hints`]
260 /// through to any supported non-DNSSEC record types.
261 ///
262 /// All records which could be validated are returned, though if an error is found validating any
263 /// contained record, only `Err` will be returned.
264 ///
265 /// You MUST check that the current UNIX time is between [`VerifiedRRStream::latest_inception`] and
266 /// [`VerifiedRRStream::earliest_expiry`].
267 pub fn verify_rr_stream<'a>(inp: &'a [RR]) -> Result<VerifiedRRStream<'a>, ValidationError> {
268         let mut zone = ".";
269         let mut res = Vec::new();
270         let mut pending_ds_sets = Vec::with_capacity(1);
271         let mut latest_inception = 0;
272         let mut earliest_expiry = u32::MAX;
273         let mut min_ttl = u32::MAX;
274         'next_zone: while zone == "." || !pending_ds_sets.is_empty() {
275                 let mut found_unsupported_alg = false;
276                 let next_ds_set;
277                 if let Some((next_zone, ds_set)) = pending_ds_sets.pop() {
278                         next_ds_set = Some(ds_set);
279                         zone = next_zone;
280                 } else {
281                         debug_assert_eq!(zone, ".");
282                         next_ds_set = None;
283                 }
284
285                 for rrsig in inp.iter()
286                         .filter_map(|rr| if let RR::RRSig(sig) = rr { Some(sig) } else { None })
287                         .filter(|rrsig| rrsig.name.as_str() == zone && rrsig.ty == DnsKey::TYPE)
288                 {
289                         let dnskeys = inp.iter()
290                                 .filter_map(|rr| if let RR::DnsKey(dnskey) = rr { Some(dnskey) } else { None })
291                                 .filter(move |dnskey| dnskey.name.as_str() == zone);
292                         let dnskeys_verified = if zone == "." {
293                                 verify_dnskey_rrsig(rrsig, &root_hints(), dnskeys.clone().collect())
294                         } else {
295                                 debug_assert!(next_ds_set.is_some());
296                                 if next_ds_set.is_none() { break 'next_zone; }
297                                 verify_dnskey_rrsig(rrsig, next_ds_set.clone().unwrap(), dnskeys.clone().collect())
298                         };
299                         if dnskeys_verified.is_ok() {
300                                 latest_inception = cmp::max(latest_inception, rrsig.inception);
301                                 earliest_expiry = cmp::min(earliest_expiry, rrsig.expiration);
302                                 min_ttl = cmp::min(min_ttl, rrsig.orig_ttl);
303                                 for rrsig in inp.iter()
304                                         .filter_map(|rr| if let RR::RRSig(sig) = rr { Some(sig) } else { None })
305                                         .filter(move |rrsig| rrsig.key_name.as_str() == zone && rrsig.name.as_str() != zone)
306                                 {
307                                         if !rrsig.name.ends_with(zone) { return Err(ValidationError::Invalid); }
308                                         let signed_records = inp.iter()
309                                                 .filter(|rr| rr.name() == &rrsig.name && rr.ty() == rrsig.ty);
310                                         verify_rrsig(rrsig, dnskeys.clone(), signed_records.clone().collect())?;
311                                         latest_inception = cmp::max(latest_inception, rrsig.inception);
312                                         earliest_expiry = cmp::min(earliest_expiry, rrsig.expiration);
313                                         min_ttl = cmp::min(min_ttl, rrsig.orig_ttl);
314                                         match rrsig.ty {
315                                                 // RRSigs shouldn't cover child `DnsKey`s or other `RRSig`s
316                                                 RRSig::TYPE|DnsKey::TYPE => return Err(ValidationError::Invalid),
317                                                 DS::TYPE => {
318                                                         if !pending_ds_sets.iter().any(|(pending_zone, _)| pending_zone == &rrsig.name.as_str()) {
319                                                                 pending_ds_sets.push((
320                                                                         &rrsig.name,
321                                                                         signed_records.filter_map(|rr|
322                                                                                 if let RR::DS(ds) = rr { Some(ds) }
323                                                                                 else { debug_assert!(false, "We already filtered by type"); None })
324                                                                 ));
325                                                         }
326                                                 },
327                                                 _ => {
328                                                         for record in signed_records {
329                                                                 if !res.contains(&record) { res.push(record); }
330                                                         }
331                                                 },
332                                         }
333                                 }
334                                 continue 'next_zone;
335                         } else if dnskeys_verified == Err(ValidationError::UnsupportedAlgorithm) {
336                                 // There may be redundant signatures by different keys, where one we don't supprt
337                                 // and another we do. Ignore ones we don't support, but if there are no more,
338                                 // return UnsupportedAlgorithm
339                                 found_unsupported_alg = true;
340                         } else {
341                                 // We don't explicitly handle invalid signatures here, instead we move on to the
342                                 // next RRSig (if there is one) and return `Invalid` if no `RRSig`s match.
343                         }
344                 }
345                 // No RRSigs were able to verify our DnsKey set
346                 if found_unsupported_alg {
347                         return Err(ValidationError::UnsupportedAlgorithm);
348                 } else {
349                         return Err(ValidationError::Invalid);
350                 }
351         }
352         if res.is_empty() { Err(ValidationError::Invalid) }
353         else if latest_inception >= earliest_expiry { Err(ValidationError::Invalid) }
354         else {
355                 Ok(VerifiedRRStream {
356                         verified_rrs: res, valid_from: latest_inception, expires: earliest_expiry,
357                         max_cache_ttl: min_ttl,
358                 })
359         }
360 }
361
362 #[cfg(test)]
363 mod tests {
364         #![allow(deprecated)]
365
366         use super::*;
367
368         use alloc::borrow::ToOwned;
369
370         use hex_conservative::FromHex;
371         use rand::seq::SliceRandom;
372
373         fn root_dnskey() -> (Vec<DnsKey>, Vec<RR>) {
374                 let dnskeys = vec![DnsKey {
375                         name: ".".try_into().unwrap(), flags: 256, protocol: 3, alg: 8,
376                         pubkey: base64::decode("AwEAAentCcIEndLh2QSK+pHFq/PkKCwioxt75d7qNOUuTPMo0Fcte/NbwDPbocvbZ/eNb5RV/xQdapaJASQ/oDLsqzD0H1+JkHNuuKc2JLtpMxg4glSE4CnRXT2CnFTW5IwOREL+zeqZHy68OXy5ngW5KALbevRYRg/q2qFezRtCSQ0knmyPwgFsghVYLKwi116oxwEU5yZ6W7npWMxt5Z+Qs8diPNWrS5aXLgJtrWUGIIuFfuZwXYziGRP/z3o1EfMo9zZU19KLopkoLXX7Ls/diCXdSEdJXTtFA8w0/OKQviuJebfKscoElCTswukVZ1VX5gbaFEo2xWhHJ9Uo63wYaTk=").unwrap(),
377                 }, DnsKey {
378                         name: ".".try_into().unwrap(), flags: 257, protocol: 3, alg: 8,
379                         pubkey: base64::decode("AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=").unwrap(),
380                 }];
381                 let dnskey_rrsig = RRSig {
382                         name: ".".try_into().unwrap(), ty: DnsKey::TYPE, alg: 8, labels: 0, orig_ttl: 172800,
383                         expiration: 1708473600, inception: 1706659200, key_tag: 20326, key_name: ".".try_into().unwrap(),
384                         signature: base64::decode("ZO8LbjtwAiVkkBzOnGbiI/3ilGUPmmJpagsLSBVbIZRG6o/8a+hUZpIPTvk5ERZ1rAW4x0YxKAU8qtaHQpKIp3qYA6u97DYytVD7RdtXKHmGYAvR6QbD5eVTkCw1Sz705rJxbwt6+YM5OBweSUAy5Glo6JSQPDQwRDwj/bV2fLRhJbvfsBgxqaXJA0SaE/ceyvK8gB2NIaguTJNrztr2TENrHxi86OKOuHYDHthOW0TFoPfr19qj/P2eEC6dYniTVovUwHT7e+Hqrb05dJF4mI4ZjaIb5mFf8i5RehT1aRlnb3CLiwJ01bEjrRBo3xUn5I3PkCnglHhx3EvkO73OzA==").unwrap(),
385                 };
386                 let root_hints = root_hints();
387                 verify_dnskey_rrsig(&dnskey_rrsig, &root_hints, dnskeys.iter().collect()).unwrap();
388                 let rrs = vec![dnskeys[0].clone().into(), dnskeys[1].clone().into(), dnskey_rrsig.into()];
389                 (dnskeys, rrs)
390         }
391
392         fn com_dnskey() -> (Vec<DnsKey>, Vec<RR>) {
393                 let root_dnskeys = root_dnskey().0;
394                 let mut com_ds = vec![DS {
395                         name: "com.".try_into().unwrap(), key_tag: 19718, alg: 13, digest_type: 2,
396                         digest: Vec::from_hex("8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D771D7805A").unwrap(),
397                 }];
398                 let ds_rrsig = RRSig {
399                         name: "com.".try_into().unwrap(), ty: DS::TYPE, alg: 8, labels: 1, orig_ttl: 86400,
400                         expiration: 1708189200, inception: 1707062400, key_tag: 30903, key_name: ".".try_into().unwrap(),
401                         signature: base64::decode("vwMOBBwqRBdlmGZB+0FKfyMSignEtpYW9sD4TzPW2E+wdbF7O7epR5cmKmvcv0RUJdM0dGC/QmhCfgf/yqw1Xp7TpmPaYzaruW70hjGXZJO2nY3G6stUVe4S7lM2CzHL7nbbpaB5B+iSu6Ua9dZ+nyKrxfB7855HBLCLrHrkMGxWQiEPTallXXS8tEM1Y2XrsuzAQu2vZ2D2ClhFspFbPwwOdw+G6+NsZ8PnIfTkCj6DuKcgbdxjmGaYmw/6hVt9OU3kGCOBaJaEy4LrD8Kwzfu4S7axMwTKP4y4c5Y/E4k/mVAW0cuUtv549HaDfD2V0CvW1bDl6PqRkOiVsqM/lA==").unwrap(),
402                 };
403                 verify_rrsig(&ds_rrsig, &root_dnskeys, com_ds.iter().collect()).unwrap();
404                 let dnskeys = vec![DnsKey {
405                         name: "com.".try_into().unwrap(), flags: 256, protocol: 3, alg: 13,
406                         pubkey: base64::decode("5i9qjJgyH+9MBz7VO269/srLQB/xRRllyUoVq8oLBZshPe4CGzDSFGnXAM3L/QPzB9ULpJuuy7jcxmBZ5Ebo7A==").unwrap(),
407                 }, DnsKey {
408                         name: "com.".try_into().unwrap(), flags: 257, protocol: 3, alg: 13,
409                         pubkey: base64::decode("tx8EZRAd2+K/DJRV0S+hbBzaRPS/G6JVNBitHzqpsGlz8huE61Ms9ANe6NSDLKJtiTBqfTJWDAywEp1FCsEINQ==").unwrap(),
410                 }];
411                 let dnskey_rrsig = RRSig {
412                         name: "com.".try_into().unwrap(), ty: DnsKey::TYPE, alg: 13, labels: 1, orig_ttl: 86400,
413                         expiration: 1707750155, inception: 1706453855, key_tag: 19718, key_name: "com.".try_into().unwrap(),
414                         signature: base64::decode("ZFGChM7QfJt0QSqVWerWnG5pMjpL1pXyJAmuHe8dHI/olmaNCxm+mqNHv9i3AploFY6JoNtiHmeBiC6zuFj/ZQ==").unwrap(),
415                 };
416                 verify_dnskey_rrsig(&dnskey_rrsig, &com_ds, dnskeys.iter().collect()).unwrap();
417                 let rrs = vec![com_ds.pop().unwrap().into(), ds_rrsig.into(),
418                         dnskeys[0].clone().into(), dnskeys[1].clone().into(), dnskey_rrsig.into()];
419                 (dnskeys, rrs)
420         }
421
422         fn mattcorallo_dnskey() -> (Vec<DnsKey>, Vec<RR>) {
423                 let com_dnskeys = com_dnskey().0;
424                 let mut mattcorallo_ds = vec![DS {
425                         name: "mattcorallo.com.".try_into().unwrap(), key_tag: 25630, alg: 13, digest_type: 2,
426                         digest: Vec::from_hex("DC608CA62BE89B3B9DB1593F9A59930D24FBA79D486E19C88A7792711EC00735").unwrap(),
427                 }];
428                 let ds_rrsig = RRSig {
429                         name: "mattcorallo.com.".try_into().unwrap(), ty: DS::TYPE, alg: 13, labels: 2, orig_ttl: 86400,
430                         expiration: 1707631252, inception: 1707022252, key_tag: 4534, key_name: "com.".try_into().unwrap(),
431                         signature: base64::decode("M7Fk+CjfLz6hRsY5iSuw5bwc2OqlS3XtKH8FDs7lcbhEiR63n+DzOF0I8L+3k06SXFnE89uuofQECzWmAyef6Q==").unwrap(),
432                 };
433                 verify_rrsig(&ds_rrsig, &com_dnskeys, mattcorallo_ds.iter().collect()).unwrap();
434                 let dnskeys = vec![DnsKey {
435                         name: "mattcorallo.com.".try_into().unwrap(), flags: 257, protocol: 3, alg: 13,
436                         pubkey: base64::decode("8BP51Etiu4V6cHvGCYqwNqCip4pvHChjEgkgG4zpdDvO9YRcTGuV/p71hAUut2/qEdxqXfUOT/082BJ/Z089DA==").unwrap(),
437                 }, DnsKey {
438                         name: "mattcorallo.com.".try_into().unwrap(), flags: 256, protocol: 3, alg: 13,
439                         pubkey: base64::decode("AhUlQ8qk7413R0m4zKfTDHb/FQRlKag+ncGXxNxT+qTzSZTb9E5IGjo9VCEp6+IMqqpkd4GrXpN9AzDvlcU9Ig==").unwrap(),
440                 }];
441                 let dnskey_rrsig = RRSig {
442                         name: "mattcorallo.com.".try_into().unwrap(), ty: DnsKey::TYPE, alg: 13, labels: 2, orig_ttl: 604800,
443                         expiration: 1708278650, inception: 1707063650, key_tag: 25630, key_name: "mattcorallo.com.".try_into().unwrap(),
444                         signature: base64::decode("nyVDwG+la8d5dyWgB7m+H3BQwCvTWLQ/kAqNruMzdLmn9B3VC9u/rvM/ortEu0WPbA1FZWJbRKpF1Ohkj3ltNw==").unwrap(),
445                 };
446                 verify_dnskey_rrsig(&dnskey_rrsig, &mattcorallo_ds, dnskeys.iter().collect()).unwrap();
447                 let rrs = vec![mattcorallo_ds.pop().unwrap().into(), ds_rrsig.into(),
448                         dnskeys[0].clone().into(), dnskeys[1].clone().into(), dnskey_rrsig.into()];
449                 (dnskeys, rrs)
450         }
451
452         fn mattcorallo_txt_record() -> (Txt, RRSig) {
453                 let txt_resp = Txt {
454                         name: "matt.user._bitcoin-payment.mattcorallo.com.".try_into().unwrap(),
455                         data: "bitcoin:?b12=lno1qsgqmqvgm96frzdg8m0gc6nzeqffvzsqzrxqy32afmr3jn9ggkwg3egfwch2hy0l6jut6vfd8vpsc3h89l6u3dm4q2d6nuamav3w27xvdmv3lpgklhg7l5teypqz9l53hj7zvuaenh34xqsz2sa967yzqkylfu9xtcd5ymcmfp32h083e805y7jfd236w9afhavqqvl8uyma7x77yun4ehe9pnhu2gekjguexmxpqjcr2j822xr7q34p078gzslf9wpwz5y57alxu99s0z2ql0kfqvwhzycqq45ehh58xnfpuek80hw6spvwrvttjrrq9pphh0dpydh06qqspp5uq4gpyt6n9mwexde44qv7lstzzq60nr40ff38u27un6y53aypmx0p4qruk2tf9mjwqlhxak4znvna5y".to_owned().into_bytes(),
456                 };
457                 let txt_rrsig = RRSig {
458                         name: "matt.user._bitcoin-payment.mattcorallo.com.".try_into().unwrap(),
459                         ty: Txt::TYPE, alg: 13, labels: 5, orig_ttl: 3600, expiration: 1708123318,
460                         inception: 1706908318, key_tag: 47959, key_name: "mattcorallo.com.".try_into().unwrap(),
461                         signature: base64::decode("mgU6iwyMWO0w9nj2Gmt1+RmaIJIU3KO7DWVZiCD1bmU9e9zNefXCtnWOC2HtwjUsn/QYkWluvuSfYpBrt1IjpQ==").unwrap(),
462                 };
463                 (txt_resp, txt_rrsig)
464         }
465
466         fn matcorallo_dnskey() -> (Vec<DnsKey>, Vec<RR>) {
467                 let com_dnskeys = com_dnskey().0;
468                 let mut matcorallo_ds = vec![DS {
469                         name: "matcorallo.com.".try_into().unwrap(), key_tag: 24930, alg: 13, digest_type: 2,
470                         digest: Vec::from_hex("693E990CBB1CE1095E387092D3C04BCE907C008891F32A88D41D3ECB129E5E23").unwrap(),
471                 }];
472                 let ds_rrsig = RRSig {
473                         name: "matcorallo.com.".try_into().unwrap(), ty: DS::TYPE, alg: 13, labels: 2, orig_ttl: 86400,
474                         expiration: 1707628636, inception: 1707019636, key_tag: 4534, key_name: "com.".try_into().unwrap(),
475                         signature: base64::decode("l9b+DhtnJSIzR6y4Bwx+0L9kep77UNCBoTg74RTSL6oMrQd8w4OobHxzwDyXqnLfyxVP18V+AnQp4DdJ2nUW1g==").unwrap(),
476                 };
477                 verify_rrsig(&ds_rrsig, &com_dnskeys, matcorallo_ds.iter().collect()).unwrap();
478                 let dnskeys = vec![DnsKey {
479                         name: "matcorallo.com.".try_into().unwrap(), flags: 257, protocol: 3, alg: 13,
480                         pubkey: base64::decode("pfO3ow3SrKhLS7AMEi3b5W9P28nCOB9vryxfSXhqMcXFP1x9V4xAt0/JLr0zNodsqRD/8d9Yhu4Wf3hnSlaavw==").unwrap(),
481                 }, DnsKey {
482                         name: "matcorallo.com.".try_into().unwrap(), flags: 256, protocol: 3, alg: 13,
483                         pubkey: base64::decode("OO6LQTV1mnRsFgn6YQoyeo/SDqS3eajfVv8WGQVnuSYO/bTS9St1tJiox2fgU6wRWDU3chhjz1Pj0unKUAQKig==").unwrap(),
484                 }];
485                 let dnskey_rrsig = RRSig {
486                         name: "matcorallo.com.".try_into().unwrap(), ty: DnsKey::TYPE, alg: 13, labels: 2, orig_ttl: 604800,
487                         expiration: 1708309135, inception: 1707094135, key_tag: 24930, key_name: "matcorallo.com.".try_into().unwrap(),
488                         signature: base64::decode("2MKg3bTn9zf4ThwCoKRFadqD6l1D6SuLksRieKxFC0QQnzUOCRgZSK2/IlT0DMEoM0+mGrJZo7UG79UILMGUyg==").unwrap(),
489                 };
490                 verify_dnskey_rrsig(&dnskey_rrsig, &matcorallo_ds, dnskeys.iter().collect()).unwrap();
491                 let rrs = vec![matcorallo_ds.pop().unwrap().into(), ds_rrsig.into(),
492                         dnskeys[0].clone().into(), dnskeys[1].clone().into(), dnskey_rrsig.into()];
493                 (dnskeys, rrs)
494         }
495
496         fn matcorallo_txt_record() -> (Txt, RRSig) {
497                 let txt_resp = Txt {
498                         name: "txt_test.matcorallo.com.".try_into().unwrap(),
499                         data: "dnssec_prover_test".to_owned().into_bytes(),
500                 };
501                 let txt_rrsig = RRSig {
502                         name: "txt_test.matcorallo.com.".try_into().unwrap(),
503                         ty: Txt::TYPE, alg: 13, labels: 3, orig_ttl: 30, expiration: 1708319203,
504                         inception: 1707104203, key_tag: 34530, key_name: "matcorallo.com.".try_into().unwrap(),
505                         signature: base64::decode("4vaE5Jex2VvIT39JpuMNT7Ds7O0OfzTik5f8WcRRxO0IJnGAO16syAsNUkNkNqsMYknnjHDF0lI4agszgzdpsw==").unwrap(),
506                 };
507                 (txt_resp, txt_rrsig)
508         }
509
510         fn matcorallo_cname_record() -> (CName, RRSig) {
511                 let cname_resp = CName {
512                         name: "cname_test.matcorallo.com.".try_into().unwrap(),
513                         canonical_name: "txt_test.matcorallo.com.".try_into().unwrap(),
514                 };
515                 let cname_rrsig = RRSig {
516                         name: "cname_test.matcorallo.com.".try_into().unwrap(),
517                         ty: CName::TYPE, alg: 13, labels: 3, orig_ttl: 30, expiration: 1708319203,
518                         inception: 1707104203, key_tag: 34530, key_name: "matcorallo.com.".try_into().unwrap(),
519                         signature: base64::decode("5HIrmEotbVb95umE6SX3NrPboKsthdcY8b7DdaYQZzm0Nj5m2VgcfOmEPJYS8o1xE4GvGGF4sdfSy3Uw7TibBg==").unwrap(),
520                 };
521                 (cname_resp, cname_rrsig)
522         }
523
524         fn matcorallo_wildcard_record() -> (Txt, RRSig) {
525                 let txt_resp = Txt {
526                         name: "test.wildcard_test.matcorallo.com.".try_into().unwrap(),
527                         data: "wildcard_test".to_owned().into_bytes(),
528                 };
529                 let txt_rrsig = RRSig {
530                         name: "test.wildcard_test.matcorallo.com.".try_into().unwrap(),
531                         ty: Txt::TYPE, alg: 13, labels: 3, orig_ttl: 30, expiration: 1708321778,
532                         inception: 1707106778, key_tag: 34530, key_name: "matcorallo.com.".try_into().unwrap(),
533                         signature: base64::decode("vdnXunPY4CnbW/BL8VOOR9o33+dqyKA/4h+u5VM7NjB30Shp8L8gL5UwE0k7TKRNgHC8j3TqEPEmNMIHz87Z4Q==").unwrap(),
534                 };
535                 (txt_resp, txt_rrsig)
536         }
537
538         fn matcorallo_cname_wildcard_record() -> (CName, RRSig, Txt, RRSig) {
539                 let cname_resp = CName {
540                         name: "test.cname_wildcard_test.matcorallo.com.".try_into().unwrap(),
541                         canonical_name: "cname.wildcard_test.matcorallo.com.".try_into().unwrap(),
542                 };
543                 let txt_resp = Txt {
544                         name: "cname.wildcard_test.matcorallo.com.".try_into().unwrap(),
545                         data: "wildcard_test".to_owned().into_bytes(),
546                 };
547                 let cname_rrsig = RRSig {
548                         name: "test.cname_wildcard_test.matcorallo.com.".try_into().unwrap(),
549                         ty: CName::TYPE, alg: 13, labels: 3, orig_ttl: 30, expiration: 1708322050,
550                         inception: 1707107050, key_tag: 34530, key_name: "matcorallo.com.".try_into().unwrap(),
551                         signature: base64::decode("JfJuSemF5dtQYxEw6eKL4IRP8BaDt6FtbtdpZ6HjODTDflhKQRhBEbwT7kwceKPAq18q5sWHFV1bMTqE/F3WLw==").unwrap(),
552                 };
553                 let txt_rrsig = RRSig {
554                         name: "cname.wildcard_test.matcorallo.com.".try_into().unwrap(),
555                         ty: Txt::TYPE, alg: 13, labels: 3, orig_ttl: 30, expiration: 1708321778,
556                         inception: 1707106778, key_tag: 34530, key_name: "matcorallo.com.".try_into().unwrap(),
557                         signature: base64::decode("vdnXunPY4CnbW/BL8VOOR9o33+dqyKA/4h+u5VM7NjB30Shp8L8gL5UwE0k7TKRNgHC8j3TqEPEmNMIHz87Z4Q==").unwrap(),
558                 };
559                 (cname_resp, cname_rrsig, txt_resp, txt_rrsig)
560         }
561
562         #[test]
563         fn check_txt_record_a() {
564                 let dnskeys = mattcorallo_dnskey().0;
565                 let (txt, txt_rrsig) = mattcorallo_txt_record();
566                 let txt_resp = [txt];
567                 verify_rrsig(&txt_rrsig, &dnskeys, txt_resp.iter().collect()).unwrap();
568         }
569
570         #[test]
571         fn check_single_txt_proof() {
572                 let mut rr_stream = Vec::new();
573                 for rr in root_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
574                 for rr in com_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
575                 for rr in mattcorallo_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
576                 let (txt, txt_rrsig) = mattcorallo_txt_record();
577                 for rr in [RR::Txt(txt), RR::RRSig(txt_rrsig)] { write_rr(&rr, 1, &mut rr_stream); }
578
579                 let mut rrs = parse_rr_stream(&rr_stream).unwrap();
580                 rrs.shuffle(&mut rand::rngs::OsRng);
581                 let verified_rrs = verify_rr_stream(&rrs).unwrap();
582                 assert_eq!(verified_rrs.verified_rrs.len(), 1);
583                 if let RR::Txt(txt) = &verified_rrs.verified_rrs[0] {
584                         assert_eq!(txt.name.as_str(), "matt.user._bitcoin-payment.mattcorallo.com.");
585                         assert_eq!(txt.data, b"bitcoin:?b12=lno1qsgqmqvgm96frzdg8m0gc6nzeqffvzsqzrxqy32afmr3jn9ggkwg3egfwch2hy0l6jut6vfd8vpsc3h89l6u3dm4q2d6nuamav3w27xvdmv3lpgklhg7l5teypqz9l53hj7zvuaenh34xqsz2sa967yzqkylfu9xtcd5ymcmfp32h083e805y7jfd236w9afhavqqvl8uyma7x77yun4ehe9pnhu2gekjguexmxpqjcr2j822xr7q34p078gzslf9wpwz5y57alxu99s0z2ql0kfqvwhzycqq45ehh58xnfpuek80hw6spvwrvttjrrq9pphh0dpydh06qqspp5uq4gpyt6n9mwexde44qv7lstzzq60nr40ff38u27un6y53aypmx0p4qruk2tf9mjwqlhxak4znvna5y");
586                 } else { panic!(); }
587                 assert_eq!(verified_rrs.valid_from, 1707063650); // The TXT record RRSig was created last
588                 assert_eq!(verified_rrs.expires, 1707631252); // The mattcorallo.com DS RRSig expires first
589                 assert_eq!(verified_rrs.max_cache_ttl, 3600); // The TXT record had the shortest TTL
590         }
591
592         #[test]
593         fn check_txt_record_b() {
594                 let dnskeys = matcorallo_dnskey().0;
595                 let (txt, txt_rrsig) = matcorallo_txt_record();
596                 let txt_resp = [txt];
597                 verify_rrsig(&txt_rrsig, &dnskeys, txt_resp.iter().collect()).unwrap();
598         }
599
600         #[test]
601         fn check_cname_record() {
602                 let dnskeys = matcorallo_dnskey().0;
603                 let (cname, cname_rrsig) = matcorallo_cname_record();
604                 let cname_resp = [cname];
605                 verify_rrsig(&cname_rrsig, &dnskeys, cname_resp.iter().collect()).unwrap();
606         }
607
608         #[test]
609         fn check_multi_zone_proof() {
610                 let mut rr_stream = Vec::new();
611                 for rr in root_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
612                 for rr in com_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
613                 for rr in mattcorallo_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
614                 let (txt, txt_rrsig) = mattcorallo_txt_record();
615                 for rr in [RR::Txt(txt), RR::RRSig(txt_rrsig)] { write_rr(&rr, 1, &mut rr_stream); }
616                 for rr in matcorallo_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
617                 let (txt, txt_rrsig) = matcorallo_txt_record();
618                 for rr in [RR::Txt(txt), RR::RRSig(txt_rrsig)] { write_rr(&rr, 1, &mut rr_stream); }
619                 let (cname, cname_rrsig) = matcorallo_cname_record();
620                 for rr in [RR::CName(cname), RR::RRSig(cname_rrsig)] { write_rr(&rr, 1, &mut rr_stream); }
621
622                 let mut rrs = parse_rr_stream(&rr_stream).unwrap();
623                 rrs.shuffle(&mut rand::rngs::OsRng);
624                 let mut verified_rrs = verify_rr_stream(&rrs).unwrap();
625                 verified_rrs.verified_rrs.sort();
626                 assert_eq!(verified_rrs.verified_rrs.len(), 3);
627                 if let RR::Txt(txt) = &verified_rrs.verified_rrs[0] {
628                         assert_eq!(txt.name.as_str(), "matt.user._bitcoin-payment.mattcorallo.com.");
629                         assert_eq!(txt.data, b"bitcoin:?b12=lno1qsgqmqvgm96frzdg8m0gc6nzeqffvzsqzrxqy32afmr3jn9ggkwg3egfwch2hy0l6jut6vfd8vpsc3h89l6u3dm4q2d6nuamav3w27xvdmv3lpgklhg7l5teypqz9l53hj7zvuaenh34xqsz2sa967yzqkylfu9xtcd5ymcmfp32h083e805y7jfd236w9afhavqqvl8uyma7x77yun4ehe9pnhu2gekjguexmxpqjcr2j822xr7q34p078gzslf9wpwz5y57alxu99s0z2ql0kfqvwhzycqq45ehh58xnfpuek80hw6spvwrvttjrrq9pphh0dpydh06qqspp5uq4gpyt6n9mwexde44qv7lstzzq60nr40ff38u27un6y53aypmx0p4qruk2tf9mjwqlhxak4znvna5y");
630                 } else { panic!(); }
631                 if let RR::Txt(txt) = &verified_rrs.verified_rrs[1] {
632                         assert_eq!(txt.name.as_str(), "txt_test.matcorallo.com.");
633                         assert_eq!(txt.data, b"dnssec_prover_test");
634                 } else { panic!(); }
635                 if let RR::CName(cname) = &verified_rrs.verified_rrs[2] {
636                         assert_eq!(cname.name.as_str(), "cname_test.matcorallo.com.");
637                         assert_eq!(cname.canonical_name.as_str(), "txt_test.matcorallo.com.");
638                 } else { panic!(); }
639         }
640
641         #[test]
642         fn check_wildcard_record() {
643                 let dnskeys = matcorallo_dnskey().0;
644                 let (txt, txt_rrsig) = matcorallo_wildcard_record();
645                 let txt_resp = [txt];
646                 verify_rrsig(&txt_rrsig, &dnskeys, txt_resp.iter().collect()).unwrap();
647         }
648
649         #[test]
650         fn check_wildcard_proof() {
651                 let mut rr_stream = Vec::new();
652                 for rr in root_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
653                 for rr in com_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
654                 for rr in matcorallo_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
655                 let (cname, cname_rrsig, txt, txt_rrsig) = matcorallo_cname_wildcard_record();
656                 for rr in [RR::CName(cname), RR::RRSig(cname_rrsig)] { write_rr(&rr, 1, &mut rr_stream); }
657                 for rr in [RR::Txt(txt), RR::RRSig(txt_rrsig)] { write_rr(&rr, 1, &mut rr_stream); }
658
659                 let mut rrs = parse_rr_stream(&rr_stream).unwrap();
660                 rrs.shuffle(&mut rand::rngs::OsRng);
661                 let mut verified_rrs = verify_rr_stream(&rrs).unwrap();
662                 verified_rrs.verified_rrs.sort();
663                 assert_eq!(verified_rrs.verified_rrs.len(), 2);
664                 if let RR::Txt(txt) = &verified_rrs.verified_rrs[0] {
665                         assert_eq!(txt.name.as_str(), "cname.wildcard_test.matcorallo.com.");
666                         assert_eq!(txt.data, b"wildcard_test");
667                 } else { panic!(); }
668                 if let RR::CName(cname) = &verified_rrs.verified_rrs[1] {
669                         assert_eq!(cname.name.as_str(), "test.cname_wildcard_test.matcorallo.com.");
670                         assert_eq!(cname.canonical_name.as_str(), "cname.wildcard_test.matcorallo.com.");
671                 } else { panic!(); }
672         }
673
674         #[test]
675         fn rfc9102_parse_test() {
676                 // Note that this is the `AuthenticationChain` field only, and ignores the
677                 // `ExtSupportLifetime` field (stripping the top two 0 bytes from the front).
678 let rfc9102_test_vector = Vec::from_hex("045f343433045f74637003777777076578616d706c6503636f6d000034000100000e1000230301018bd1da95272f7fa4ffb24137fc0ed03aae67e5c4d8b3c50734e1050a7920b922045f343433045f74637003777777076578616d706c6503636f6d00002e000100000e10005f00340d0500000e105fc6d9005bfdda80074e076578616d706c6503636f6d00ce1d3adeb7dc7cee656d61cfb472c5977c8c9caeae9b765155c518fb107b6a1fe0355fbaaf753c192832fa621fa73a8b85ed79d374117387598fcc812e1ef3fb076578616d706c6503636f6d000030000100000e1000440101030d2670355e0c894d9cfea6c5af6eb7d458b57a50ba88272512d8241d8541fd54adf96ec956789a51ceb971094b3bb3f4ec49f64c686595be5b2e89e8799c7717cc076578616d706c6503636f6d00002e000100000e10005f00300d0200000e105fc6d9005bfdda80074e076578616d706c6503636f6d004628383075b8e34b743a209b27ae148d110d4e1a246138a91083249cb4a12a2d9bc4c2d7ab5eb3afb9f5d1037e4d5da8339c162a9298e9be180741a8ca74accc076578616d706c6503636f6d00002b00010002a3000024074e0d02e9b533a049798e900b5c29c90cd25a986e8a44f319ac3cd302bafc08f5b81e16076578616d706c6503636f6d00002e00010002a3000057002b0d020002a3005fc6d9005bfdda80861703636f6d00a203e704a6facbeb13fc9384fdd6de6b50de5659271f38ce81498684e6363172d47e2319fdb4a22a58a231edc2f1ff4fb2811a1807be72cb5241aa26fdaee03903636f6d00003000010002a30000440100030dec8204e43a25f2348c52a1d3bce3a265aa5d11b43dc2a471162ff341c49db9f50a2e1a41caf2e9cd20104ea0968f7511219f0bdc56b68012cc3995336751900b03636f6d00003000010002a30000440101030d45b91c3bef7a5d99a7a7c8d822e33896bc80a777a04234a605a4a8880ec7efa4e6d112c73cd3d4c65564fa74347c873723cc5f643370f166b43dedff836400ff03636f6d00003000010002a30000440101030db3373b6e22e8e49e0e1e591a9f5bd9ac5e1a0f86187fe34703f180a9d36c958f71c4af48ce0ebc5c792a724e11b43895937ee53404268129476eb1aed323939003636f6d00002e00010002a300005700300d010002a3005fc6d9005bfdda8049f303636f6d0018a948eb23d44f80abc99238fcb43c5a18debe57004f7343593f6deb6ed71e04654a433f7aa1972130d9bd921c73dcf63fcf665f2f05a0aaebafb059dc12c96503636f6d00002e00010002a300005700300d010002a3005fc6d9005bfdda80708903636f6d006170e6959bd9ed6e575837b6f580bd99dbd24a44682b0a359626a246b1812f5f9096b75e157e77848f068ae0085e1a609fc19298c33b736863fbccd4d81f5eb203636f6d00002b000100015180002449f30d0220f7a9db42d0e2042fbbb9f9ea015941202f9eabb94487e658c188e7bcb5211503636f6d00002b000100015180002470890d02ad66b3276f796223aa45eda773e92c6d98e70643bbde681db342a9e5cf2bb38003636f6d00002e0001000151800053002b0d01000151805fc6d9005bfdda807cae00122e276d45d9e9816f7922ad6ea2e73e82d26fce0a4b718625f314531ac92f8ae82418df9b898f989d32e80bc4deaba7c4a7c8f172adb57ced7fb5e77a784b0700003000010001518000440100030dccacfe0c25a4340fefba17a254f706aac1f8d14f38299025acc448ca8ce3f561f37fc3ec169fe847c8fcbe68e358ff7c71bb5ee1df0dbe518bc736d4ce8dfe1400003000010001518000440100030df303196789731ddc8a6787eff24cacfeddd032582f11a75bb1bcaa5ab321c1d7525c2658191aec01b3e98ab7915b16d571dd55b4eae51417110cc4cdd11d171100003000010001518000440101030dcaf5fe54d4d48f16621afb6bd3ad2155bacf57d1faad5bac42d17d948c421736d9389c4c4011666ea95cf17725bd0fa00ce5e714e4ec82cfdfacc9b1c863ad4600002e000100015180005300300d00000151805fc6d9005bfdda80b79d00de7a6740eeecba4bda1e5c2dd4899b2c965893f3786ce747f41e50d9de8c0a72df82560dfb48d714de3283ae99a49c0fcb50d3aaadb1a3fc62ee3a8a0988b6be").unwrap();
679
680                 let mut rrs = parse_rr_stream(&rfc9102_test_vector).unwrap();
681                 rrs.shuffle(&mut rand::rngs::OsRng);
682                 let verified_rrs = verify_rr_stream(&rrs).unwrap();
683                 assert_eq!(verified_rrs.verified_rrs.len(), 1);
684                 if let RR::TLSA(tlsa) = &verified_rrs.verified_rrs[0] {
685                         assert_eq!(tlsa.cert_usage, 3);
686                         assert_eq!(tlsa.selector, 1);
687                         assert_eq!(tlsa.data_ty, 1);
688                         assert_eq!(tlsa.data, Vec::from_hex("8bd1da95272f7fa4ffb24137fc0ed03aae67e5c4d8b3c50734e1050a7920b922").unwrap());
689                 } else { panic!(); }
690         }
691 }