package org.minidns.dnssec;

import java.io.IOException;
import java.lang.reflect.Field;
import java.net.InetAddress;
import java.security.PrivateKey;
import java.util.Date;
import java.util.List;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
import org.minidns.DnsWorld;
import org.minidns.cache.LruCache;
import org.minidns.constants.DnssecConstants;
import org.minidns.dnsmessage.DnsMessage;
import org.minidns.dnsname.DnsName;
import org.minidns.dnssec.DnssecUnverifiedReason;
import org.minidns.dnssec.DnssecValidationFailedException;
import org.minidns.dnssec.DnssecWorld;
import org.minidns.iterative.ReliableDnsClient;
import org.minidns.record.DNSKEY;
import org.minidns.record.Data;
import org.minidns.record.RRSIG;
import org.minidns.record.Record;

/* loaded from: input_file:org/minidns/dnssec/DnssecClientTest.class */
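/**
 * Exercises {@link DnssecClient} against simulated zones built with {@link DnsWorld} and
 * {@link DnssecWorld}.
 *
 * <p>Two outcomes are asserted across the class, and they are worth keeping apart when reading
 * the tests:
 * <ul>
 *   <li>Hard failure: {@code query(...)} / {@code queryDnssec(...)} throws
 *       {@link DnssecValidationFailedException} (tampered signature, missing or unsigned DNSKEY,
 *       DS that does not match, missing delegation proof).</li>
 *   <li>Downgrade to unauthenticated: {@code queryDnssec(...)} still returns the answer, but
 *       {@code isAuthenticData()} is {@code false} (unsigned zone or root, no trust anchor,
 *       unknown algorithm or digest type, signature outside its validity window). Callers of
 *       {@code queryDnssec} therefore have to check {@code isAuthenticData()} themselves before
 *       trusting the returned records.</li>
 * </ul>
 */
public class DnssecClientTest {
    /** 14 days in milliseconds, used to place RRSIG timestamps around "now". */
    private static final long FOURTEEN_DAYS_MILLIS = 1209600000L;
    /** 28 days in milliseconds, used to place RRSIG timestamps around "now". */
    private static final long TWENTY_EIGHT_DAYS_MILLIS = 2419200000L;

    private static DnssecConstants.SignatureAlgorithm algorithm = DnssecConstants.SignatureAlgorithm.RSASHA256;
    // NOTE(review): SHA-1 is the only real DS/DLV digest exercised by this class; no test here
    // covers a SHA-256 DS.
    private static DnssecConstants.DigestAlgorithm digestType = DnssecConstants.DigestAlgorithm.SHA1;
    private static PrivateKey rootPrivateKSK;
    private static DNSKEY rootKSK;
    private static PrivateKey rootPrivateZSK;
    private static DNSKEY rootZSK;
    private static DNSKEY comKSK;
    private static DNSKEY comZSK;
    private static PrivateKey comPrivateZSK;
    private static PrivateKey comPrivateKSK;

    // Key material for the root zone ("") and for "com" comes from the DnssecWorld fixtures.
    static {
        DnssecWorld.DnssecData rootKeys = DnssecWorld.getDnssecDataFor("");
        rootPrivateKSK = rootKeys.privateKsk;
        rootKSK = rootKeys.ksk;
        rootPrivateZSK = rootKeys.privateZsk;
        rootZSK = rootKeys.zsk;
        DnssecWorld.DnssecData comKeys = DnssecWorld.getDnssecDataFor("com");
        comPrivateKSK = comKeys.privateKsk;
        comKSK = comKeys.ksk;
        comPrivateZSK = comKeys.privateZsk;
        comZSK = comKeys.zsk;
    }

    /**
     * Creates a client with a zero-sized cache, the test root KSK registered as the secure entry
     * point for the root name, and iterative-only resolution.
     *
     * @return a freshly configured client; no zones are attached yet
     */
    public static DnssecClient constructDnssecClient() {
        DnssecClient client = new DnssecClient(new LruCache(0));
        client.addSecureEntryPoint(DnsName.ROOT, rootKSK.getKey());
        client.setMode(ReliableDnsClient.Mode.iterativeOnly);
        return client;
    }

    /** Builds the correctly signed root zone used by most tests: DNSKEY set, DS + NS for "com", glue for ns.com. */
    private static DnsWorld.Zone signedRootZoneWithComDelegation() {
        return DnssecWorld.signedRootZone(
                DnssecWorld.sign(rootKSK, "", rootPrivateKSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("", rootKSK), DnsWorld.record("", rootZSK)}),
                DnssecWorld.sign(rootZSK, "", rootPrivateZSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("com", DnssecWorld.ds("com", digestType, comKSK))}),
                DnssecWorld.sign(rootZSK, "", rootPrivateZSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("com", DnsWorld.ns("ns.com"))}),
                DnssecWorld.sign(rootZSK, "", rootPrivateZSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("ns.com", DnsWorld.a("1.1.1.1"))}));
    }

    /** Builds the correctly signed "com" zone: DNSKEY set signed by the KSK, example.com A 1.1.1.2 signed by the ZSK. */
    private static DnsWorld.Zone signedComZone() {
        return DnssecWorld.signedZone("com", "ns.com", "1.1.1.1",
                DnssecWorld.sign(comKSK, "com", comPrivateKSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("com", comKSK), DnsWorld.record("com", comZSK)}),
                DnssecWorld.sign(comZSK, "com", comPrivateZSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("example.com", DnsWorld.a("1.1.1.2"))}));
    }

    /**
     * Asserts that the answer section holds exactly one A record with address 1.1.1.2.
     *
     * @param dnsMessage the response (or synthesized response) to inspect
     */
    void checkCorrectExampleMessage(DnsMessage dnsMessage) {
        List<?> answers = dnsMessage.answerSection;
        Assertions.assertEquals(1, answers.size());
        Record<?> answer = (Record<?>) answers.get(0);
        Assertions.assertEquals(Record.TYPE.A, answer.type);
        // payloadData is only known as Data at this point; getIp() is reached through the A
        // record type, so the cast is required for this to compile.
        Assertions.assertArrayEquals(new byte[]{1, 1, 1, 2}, ((org.minidns.record.A) answer.payloadData).getIp());
    }

    /** A fully signed chain root -> com -> example.com validates and yields authentic data. */
    @Test
    public void testBasicValid() throws IOException {
        DnssecClient client = constructDnssecClient();
        DnsWorld.applyZones(client, new DnsWorld.Zone[]{signedRootZoneWithComDelegation(), signedComZone()});
        DnssecQueryResult result = client.queryDnssec("example.com", Record.TYPE.A);
        Assertions.assertTrue(result.isAuthenticData());
        checkCorrectExampleMessage(result.synthesizedResponse);
    }

    /**
     * The key that the DS record points at carries flags 256 (zone key, SEP bit not set); the
     * chain is still expected to validate.
     */
    @Test
    public void testNoSEPAtKSK() throws IOException {
        DnssecClient client = constructDnssecClient();
        DNSKEY kskWithoutSep = DnsWorld.dnskey(256, algorithm, DnssecWorld.publicKey(algorithm, comPrivateKSK));
        DnsWorld.applyZones(client, new DnsWorld.Zone[]{
                DnssecWorld.signedRootZone(
                        DnssecWorld.sign(rootKSK, "", rootPrivateKSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("", rootKSK), DnsWorld.record("", rootZSK)}),
                        DnssecWorld.sign(rootZSK, "", rootPrivateZSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("com", DnssecWorld.ds("com", digestType, kskWithoutSep))}),
                        DnssecWorld.sign(rootZSK, "", rootPrivateZSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("com", DnsWorld.ns("ns.com"))}),
                        DnssecWorld.sign(rootZSK, "", rootPrivateZSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("ns.com", DnsWorld.a("1.1.1.1"))})),
                DnssecWorld.signedZone("com", "ns.com", "1.1.1.1",
                        DnssecWorld.sign(kskWithoutSep, "com", comPrivateKSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("com", kskWithoutSep), DnsWorld.record("com", comZSK)}),
                        DnssecWorld.sign(comZSK, "com", comPrivateZSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("example.com", DnsWorld.a("1.1.1.2"))}))});
        DnssecQueryResult result = client.queryDnssec("example.com", Record.TYPE.A);
        Assertions.assertTrue(result.isAuthenticData());
        checkCorrectExampleMessage(result.synthesizedResponse);
    }

    /** "com" publishes a single key (the KSK) that signs both its DNSKEY set and the A record. */
    @Test
    public void testSingleZSK() throws IOException {
        DnssecClient client = constructDnssecClient();
        DnsWorld.applyZones(client, new DnsWorld.Zone[]{
                signedRootZoneWithComDelegation(),
                DnssecWorld.signedZone("com", "ns.com", "1.1.1.1",
                        DnssecWorld.sign(comKSK, "com", comPrivateKSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("com", comKSK)}),
                        DnssecWorld.sign(comKSK, "com", comPrivateKSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("example.com", DnsWorld.a("1.1.1.2"))}))});
        DnssecQueryResult result = client.queryDnssec("example.com", Record.TYPE.A);
        Assertions.assertTrue(result.isAuthenticData());
        checkCorrectExampleMessage(result.synthesizedResponse);
    }

    /**
     * The signed root has no DS record for "com"; the query is expected to fail with
     * {@code AuthorityDoesNotContainSoa} rather than return data.
     */
    @Test
    public void testMissingDelegation() throws IOException {
        DnssecClient client = constructDnssecClient();
        DnsWorld.applyZones(client, new DnsWorld.Zone[]{
                DnssecWorld.signedRootZone(
                        DnssecWorld.sign(rootKSK, "", rootPrivateKSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("", rootKSK), DnsWorld.record("", rootZSK)}),
                        DnssecWorld.sign(rootZSK, "", rootPrivateZSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("com", DnsWorld.ns("ns.com"))}),
                        DnssecWorld.sign(rootZSK, "", rootPrivateZSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("ns.com", DnsWorld.a("1.1.1.1"))})),
                signedComZone()});
        Assertions.assertThrows(DnssecValidationFailedException.AuthorityDoesNotContainSoa.class, () -> {
            client.queryDnssec("example.com", Record.TYPE.A);
        });
    }

    /** The root zone is served without signatures; the answer is returned but not authentic. */
    @Test
    public void testUnsignedRoot() throws IOException {
        DnssecClient client = constructDnssecClient();
        DnsWorld.applyZones(client, new DnsWorld.Zone[]{
                DnsWorld.rootZone(new Record[]{
                        DnsWorld.record("com", DnssecWorld.ds("com", digestType, comKSK)),
                        DnsWorld.record("com", DnsWorld.ns("ns.com")),
                        DnsWorld.record("ns.com", DnsWorld.a("1.1.1.1"))}),
                signedComZone()});
        DnssecQueryResult result = client.queryDnssec("example.com", Record.TYPE.A);
        Assertions.assertFalse(result.isAuthenticData());
        checkCorrectExampleMessage(result.synthesizedResponse);
    }

    /**
     * With every secure entry point cleared, a correctly signed chain is reported as
     * unauthenticated with exactly one reason, {@code NoRootSecureEntryPointReason}.
     */
    @Test
    public void testNoRootSecureEntryPoint() throws IOException {
        DnssecClient client = constructDnssecClient();
        client.clearSecureEntryPoints();
        DnsWorld.applyZones(client, new DnsWorld.Zone[]{signedRootZoneWithComDelegation(), signedComZone()});
        DnssecQueryResult result = client.queryDnssec("example.com", Record.TYPE.A);
        Assertions.assertFalse(result.isAuthenticData());
        checkCorrectExampleMessage(result.synthesizedResponse);
        Assertions.assertEquals(1, result.getUnverifiedReasons().size());
        Assertions.assertTrue(result.getUnverifiedReasons().iterator().next() instanceof DnssecUnverifiedReason.NoRootSecureEntryPointReason);
    }

    /**
     * The root is signed and carries a DS for "com", but "com" itself is served unsigned; the
     * answer is returned as unauthenticated. Note that this test inspects the raw
     * {@code dnsQueryResult.response}, not the synthesized response.
     */
    @Test
    public void testUnsignedZone() throws IOException {
        DnssecClient client = constructDnssecClient();
        DnsWorld.applyZones(client, new DnsWorld.Zone[]{
                signedRootZoneWithComDelegation(),
                DnsWorld.zone("com", "ns.com", "1.1.1.1", new Record[]{DnsWorld.record("example.com", DnsWorld.a("1.1.1.2"))})});
        DnssecQueryResult result = client.queryDnssec("example.com", Record.TYPE.A);
        Assertions.assertFalse(result.isAuthenticData());
        checkCorrectExampleMessage(result.dnsQueryResult.response);
    }

    /**
     * The "com" DNSKEY set contains only the KSK, while the A record is signed with the ZSK that
     * is not published; validation must fail with an exception.
     */
    @Test
    public void testInvalidDNSKEY() throws IOException {
        DnssecClient client = constructDnssecClient();
        DnsWorld.applyZones(client, new DnsWorld.Zone[]{
                signedRootZoneWithComDelegation(),
                DnssecWorld.signedZone("com", "ns.com", "1.1.1.1",
                        DnssecWorld.sign(comKSK, "com", comPrivateKSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("com", comKSK)}),
                        DnssecWorld.sign(comZSK, "com", comPrivateZSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("example.com", DnsWorld.a("1.1.1.2"))}))});
        Assertions.assertThrows(DnssecValidationFailedException.class, () -> {
            client.query("example.com", Record.TYPE.A);
        });
    }

    /** "com" serves a signed A record but no DNSKEY set at all; validation must fail with an exception. */
    @Test
    public void testNoDNSKEY() throws IOException {
        DnssecClient client = constructDnssecClient();
        DnsWorld.applyZones(client, new DnsWorld.Zone[]{
                signedRootZoneWithComDelegation(),
                DnssecWorld.signedZone("com", "ns.com", "1.1.1.1",
                        DnssecWorld.sign(comZSK, "com", comPrivateZSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("example.com", DnsWorld.a("1.1.1.2"))}))});
        Assertions.assertThrows(DnssecValidationFailedException.class, () -> {
            client.query("example.com", Record.TYPE.A);
        });
    }

    /**
     * A valid RRSIG over the A record is corrupted by incrementing one byte in the middle of its
     * signature; validation must fail with an exception.
     */
    @Test
    public void testInvalidRRSIG() throws IOException, NoSuchFieldException, SecurityException, IllegalArgumentException, IllegalAccessException {
        DnssecClient client = constructDnssecClient();
        Record<RRSIG> rrsigRecord = DnssecWorld.rrsigRecord(comZSK, "com", comPrivateZSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("example.com", DnsWorld.a("1.1.1.2"))});
        RRSIG rrsig = rrsigRecord.payloadData;
        // The signature bytes are reached reflectively and modified in place, so the record that
        // is later served carries the tampered signature.
        Field signatureField = rrsig.getClass().getDeclaredField("signature");
        signatureField.setAccessible(true);
        byte[] signature = (byte[]) signatureField.get(rrsig);
        int middle = signature.length / 2;
        signature[middle] = (byte) (signature[middle] + 1);
        DnsWorld.applyZones(client, new DnsWorld.Zone[]{
                signedRootZoneWithComDelegation(),
                DnsWorld.zone("com", "ns.com", "1.1.1.1", new Record[]{
                        DnsWorld.record("com", comKSK),
                        DnsWorld.record("com", comZSK),
                        DnsWorld.record("example.com", DnsWorld.a("1.1.1.2")),
                        rrsigRecord})});
        Assertions.assertThrows(DnssecValidationFailedException.class, () -> {
            client.query("example.com", Record.TYPE.A);
        });
    }

    /**
     * The only RRSIG over the A record names algorithm number 213 and has an empty signature;
     * the answer is returned as unauthenticated instead of raising an exception.
     */
    @Test
    public void testUnknownAlgorithm() throws IOException {
        DnssecClient client = constructDnssecClient();
        DnsWorld.applyZones(client, new DnsWorld.Zone[]{
                signedRootZoneWithComDelegation(),
                DnsWorld.zone("com", "ns.com", "1.1.1.1", new Record[]{
                        DnsWorld.record("com", comKSK),
                        DnsWorld.record("com", comZSK),
                        DnsWorld.record("example.com", DnsWorld.a("1.1.1.2")),
                        // Timestamps are 14 days ahead of and 14 days behind "now"
                        // (presumably expiration, then inception).
                        DnsWorld.record("example.com", DnsWorld.rrsig(Record.TYPE.A, 213, 2, 3600L, new Date(System.currentTimeMillis() + FOURTEEN_DAYS_MILLIS), new Date(System.currentTimeMillis() - FOURTEEN_DAYS_MILLIS), comZSK.getKeyTag(), "com", new byte[0]))})});
        DnssecQueryResult result = client.queryDnssec("example.com", Record.TYPE.A);
        Assertions.assertFalse(result.isAuthenticData());
        checkCorrectExampleMessage(result.synthesizedResponse);
    }

    /**
     * The DS for "com" names the right key tag, algorithm and digest type but carries an empty
     * digest; validation must fail with an exception.
     */
    @Test
    public void testInvalidDelegation() throws IOException {
        DnssecClient client = constructDnssecClient();
        DnsWorld.applyZones(client, new DnsWorld.Zone[]{
                DnssecWorld.signedRootZone(
                        DnssecWorld.sign(rootKSK, "", rootPrivateKSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("", rootKSK), DnsWorld.record("", rootZSK)}),
                        DnssecWorld.sign(rootZSK, "", rootPrivateZSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("com", DnssecWorld.ds(comKSK.getKeyTag(), algorithm, digestType, new byte[0]))}),
                        DnssecWorld.sign(rootZSK, "", rootPrivateZSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("com", DnsWorld.ns("ns.com"))}),
                        DnssecWorld.sign(rootZSK, "", rootPrivateZSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("ns.com", DnsWorld.a("1.1.1.1"))})),
                signedComZone()});
        Assertions.assertThrows(DnssecValidationFailedException.class, () -> {
            client.query("example.com", Record.TYPE.A);
        });
    }

    /**
     * The DS for "com" uses digest type byte -43 (213 when read as unsigned); the answer is
     * returned as unauthenticated instead of raising an exception.
     */
    @Test
    public void testUnknownDelegationDigestType() throws IOException {
        DnssecClient client = constructDnssecClient();
        DnsWorld.applyZones(client, new DnsWorld.Zone[]{
                DnssecWorld.signedRootZone(
                        DnssecWorld.sign(rootKSK, "", rootPrivateKSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("", rootKSK), DnsWorld.record("", rootZSK)}),
                        DnssecWorld.sign(rootZSK, "", rootPrivateZSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("com", DnssecWorld.ds(comKSK.getKeyTag(), algorithm, (byte) -43, new byte[0]))}),
                        DnssecWorld.sign(rootZSK, "", rootPrivateZSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("com", DnsWorld.ns("ns.com"))}),
                        DnssecWorld.sign(rootZSK, "", rootPrivateZSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("ns.com", DnsWorld.a("1.1.1.1"))})),
                signedComZone()});
        DnssecQueryResult result = client.queryDnssec("example.com", Record.TYPE.A);
        Assertions.assertFalse(result.isAuthenticData());
        checkCorrectExampleMessage(result.synthesizedResponse);
    }

    /**
     * The RRSIG over the A record has both timestamps in the past (14 and 28 days ago); the
     * answer is returned as unauthenticated. Only {@code isAuthenticData()} is asserted here,
     * not which unverified reason is reported.
     */
    @Test
    public void testSignatureOutOfDate() throws IOException {
        DnssecClient client = constructDnssecClient();
        DnsWorld.applyZones(client, new DnsWorld.Zone[]{
                signedRootZoneWithComDelegation(),
                DnssecWorld.signedZone("com", "ns.com", "1.1.1.1",
                        DnssecWorld.sign(comKSK, "com", comPrivateKSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("com", comKSK), DnsWorld.record("com", comZSK)}),
                        DnssecWorld.sign(comPrivateZSK, DnsWorld.rrsig(Record.TYPE.A, algorithm, 2, 3600L, new Date(System.currentTimeMillis() - FOURTEEN_DAYS_MILLIS), new Date(System.currentTimeMillis() - TWENTY_EIGHT_DAYS_MILLIS), comZSK.getKeyTag(), "com", new byte[0]), (Record<? extends Data>[]) new Record[]{DnsWorld.record("example.com", DnsWorld.a("1.1.1.2"))}))});
        DnssecQueryResult result = client.queryDnssec("example.com", Record.TYPE.A);
        Assertions.assertFalse(result.isAuthenticData());
        checkCorrectExampleMessage(result.synthesizedResponse);
    }

    /**
     * The RRSIG over the A record has both timestamps in the future (28 and 14 days ahead); the
     * answer is returned as unauthenticated. Only {@code isAuthenticData()} is asserted here,
     * not which unverified reason is reported.
     */
    @Test
    public void testSignatureInFuture() throws IOException {
        DnssecClient client = constructDnssecClient();
        DnsWorld.applyZones(client, new DnsWorld.Zone[]{
                signedRootZoneWithComDelegation(),
                DnssecWorld.signedZone("com", "ns.com", "1.1.1.1",
                        DnssecWorld.sign(comKSK, "com", comPrivateKSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("com", comKSK), DnsWorld.record("com", comZSK)}),
                        DnssecWorld.sign(comPrivateZSK, DnsWorld.rrsig(Record.TYPE.A, algorithm, 2, 3600L, new Date(System.currentTimeMillis() + TWENTY_EIGHT_DAYS_MILLIS), new Date(System.currentTimeMillis() + FOURTEEN_DAYS_MILLIS), comZSK.getKeyTag(), "com", new byte[0]), (Record<? extends Data>[]) new Record[]{DnsWorld.record("example.com", DnsWorld.a("1.1.1.2"))}))});
        DnssecQueryResult result = client.queryDnssec("example.com", Record.TYPE.A);
        Assertions.assertFalse(result.isAuthenticData());
        checkCorrectExampleMessage(result.synthesizedResponse);
    }

    /**
     * A prepared, signed NSEC + SOA response for a name that does not exist is accepted: the
     * synthesized response has no answers and is flagged authentic.
     */
    @Test
    public void testValidNSEC() throws Exception {
        DnssecClient client = constructDnssecClient();
        DnsWorld world = DnsWorld.applyZones(client, new DnsWorld.Zone[]{signedRootZoneWithComDelegation(), signedComZone()});
        DnsMessage.Builder nsecResponse = DnsMessage.builder();
        nsecResponse.setNameserverRecords(DnssecWorld.merge(
                DnssecWorld.sign(comZSK, "com", comPrivateZSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("example.com", DnsWorld.nsec("www.example.com", new Record.TYPE[]{Record.TYPE.A}))}),
                DnssecWorld.sign(comZSK, "com", comPrivateZSK, algorithm, (Record<? extends Data>[]) new Record[]{DnsWorld.record("example.com", DnsWorld.soa("sns.dns.icann.org", "noc.dns.icann.org", 2015081265L, 7200, 3600, 1209600, 3600L))})));
        nsecResponse.setAuthoritativeAnswer(true);
        world.addPreparedResponse(new DnssecWorld.AddressedNsecResponse(InetAddress.getByAddress("ns.com", new byte[]{1, 1, 1, 1}), nsecResponse.build()));
        DnssecQueryResult result = client.queryDnssec("nsec.example.com", Record.TYPE.A);
        // NOTE(review): this setter runs after the query has already returned, so it does not
        // appear to influence `result`; kept in place to preserve the test as written.
        client.setStripSignatureRecords(false);
        DnsMessage synthesized = result.synthesizedResponse;
        Assertions.assertEquals(0, synthesized.answerSection.size());
        Assertions.assertTrue(synthesized.authenticData);
    }

    /**
     * The root carries no DS for "com"; trust is instead established through a DLV record in
     * the signed "dlv" zone. With lookaside validation configured the answer is authentic, and
     * after disabling it the same query is reported as unauthenticated.
     *
     * <p>DLV was moved to Historic status by RFC 8749, so this covers a legacy trust path.
     */
    @Test
    public void testValidDLV() throws IOException {
        DnssecClient client = constructDnssecClient();
        DnsWorld world = DnsWorld.applyZones(client, new DnsWorld.Zone[]{
                DnssecWorld.signedRootZone(
                        DnssecWorld.selfSignDnskeyRrSet(""),
                        DnssecWorld.sign("", (Record<? extends Data>[]) new Record[]{DnssecWorld.ds("dlv")}),
                        DnssecWorld.sign("", (Record<? extends Data>[]) new Record[]{DnsWorld.record("dlv", DnsWorld.ns("ns.com"))}),
                        DnssecWorld.sign("", (Record<? extends Data>[]) new Record[]{DnsWorld.record("com", DnsWorld.ns("ns.com"))}),
                        DnssecWorld.sign("", (Record<? extends Data>[]) new Record[]{DnsWorld.record("ns.com", DnsWorld.a("1.1.1.1"))})),
                DnssecWorld.signedZone("com", "ns.com", "1.1.1.1",
                        DnssecWorld.selfSignDnskeyRrSet("com"),
                        DnssecWorld.sign("com", (Record<? extends Data>[]) new Record[]{DnsWorld.record("example.com", DnsWorld.a("1.1.1.2"))})),
                DnssecWorld.signedZone("dlv", "ns.com", "1.1.1.1",
                        DnssecWorld.selfSignDnskeyRrSet("dlv"),
                        DnssecWorld.sign("dlv", (Record<? extends Data>[]) new Record[]{DnsWorld.record("com.dlv", DnssecWorld.dlv("com", digestType, comKSK))}))});
        DnssecWorld.addNsec(world, "", "a.root-servers.net", "com", "dlv", Record.TYPE.NS);
        client.configureLookasideValidation(DnsName.from("dlv"));
        DnssecQueryResult withLookaside = client.queryDnssec("example.com", Record.TYPE.A);
        Assertions.assertTrue(withLookaside.isAuthenticData());
        checkCorrectExampleMessage(withLookaside.synthesizedResponse);
        client.disableLookasideValidation();
        DnssecQueryResult withoutLookaside = client.queryDnssec("example.com", Record.TYPE.A);
        Assertions.assertFalse(withoutLookaside.isAuthenticData());
        checkCorrectExampleMessage(withoutLookaside.synthesizedResponse);
    }
}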
