From 9408fee5b56937c1bb1bedff9a4cdeb3061baee5 Mon Sep 17 00:00:00 2001 
From: Gus Brodman Date: Thu, 28 May 2026 13:06:54 -0400 Subject: [PATCH] Forbid SHA-1 digests as part of RFC 9904 changes We can't change digest types that are already in the database but that's fine (since we just store them as integers). But we forbid them as part of domain creates/updates. --- .../flows/domain/DomainFlowUtils.java | 19 ++- .../registry/model/common/FeatureFlag.java | 5 +- .../google/registry/tools/DigestType.java | 18 ++- .../java/google/registry/tools/DsRecord.java | 2 +- .../flows/domain/DomainCreateFlowTest.java | 41 +++++- .../flows/domain/DomainUpdateFlowTest.java | 117 ++++++++++-------- .../tools/CreateDomainCommandTest.java | 20 ++- .../google/registry/tools/DigestTypeTest.java | 48 +++++++ .../UniformRapidSuspensionCommandTest.java | 8 +- .../tools/UpdateDomainCommandTest.java | 44 ++++--- .../domain/domain_create_dsdata_8_records.xml | 32 ++--- .../domain_create_dsdata_no_maxsiglife.xml | 4 +- .../domain/domain_create_dsdata_sha1.xml | 32 +++++ .../domain/domain_update_dsdata_add_rem.xml | 8 +- .../flows/domain/domain_update_dsdata_rem.xml | 4 +- .../flows/domain_update_dsdata_add.xml | 4 +- .../flows/domain_update_dsdata_rem.xml | 4 +- .../tools/server/domain_create_complete.xml | 4 +- .../tools/server/domain_create_sha1.xml | 32 +++++ .../tools/server/domain_update_add.xml | 4 +- .../tools/server/domain_update_complete.xml | 8 +- .../server/domain_update_complete_abc.xml | 8 +- .../tools/server/domain_update_remove.xml | 4 +- .../server/domain_update_set_ds_records.xml | 4 +- .../tools/server/domain_update_sha1.xml | 31 +++++ .../tools/server/uniform_rapid_suspension.xml | 4 +- ...form_rapid_suspension_with_client_hold.xml | 4 +- ...rm_rapid_suspension_with_forbid_delete.xml | 4 +- 28 files changed, 368 insertions(+), 149 deletions(-) create mode 100644 core/src/test/java/google/registry/tools/DigestTypeTest.java create mode 100644 core/src/test/resources/google/registry/flows/domain/domain_create_dsdata_sha1.xml create mode 100644 
core/src/test/resources/google/registry/tools/server/domain_create_sha1.xml create mode 100644 core/src/test/resources/google/registry/tools/server/domain_update_sha1.xml diff --git a/core/src/main/java/google/registry/flows/domain/DomainFlowUtils.java b/core/src/main/java/google/registry/flows/domain/DomainFlowUtils.java index 935ee3de6d4..a44a9d39b12 100644 --- a/core/src/main/java/google/registry/flows/domain/DomainFlowUtils.java +++ b/core/src/main/java/google/registry/flows/domain/DomainFlowUtils.java @@ -23,6 +23,7 @@ import static com.google.common.collect.Sets.intersection; import static com.google.common.collect.Sets.union; import static google.registry.bsa.persistence.BsaLabelUtils.isLabelBlocked; +import static google.registry.model.common.FeatureFlag.FeatureName.FORBID_INSECURE_ALGORITHMS_RFC_9904; import static google.registry.model.domain.Domain.MAX_REGISTRATION_YEARS; import static google.registry.model.domain.token.AllocationToken.TokenType.REGISTER_BSA; import static google.registry.model.tld.Tld.TldState.GENERAL_AVAILABILITY; @@ -73,6 +74,7 @@ import google.registry.model.billing.BillingBase.Flag; import google.registry.model.billing.BillingBase.Reason; import google.registry.model.billing.BillingRecurrence; +import google.registry.model.common.FeatureFlag; import google.registry.model.domain.Domain; import google.registry.model.domain.DomainCommand.Create; import google.registry.model.domain.DomainCommand.CreateOrUpdate; @@ -341,7 +343,7 @@ static void validateDsData(Set dsData) throws EppException { } ImmutableList invalidAlgorithms = dsData.stream() - .filter(ds -> !validateAlgorithm(ds.getAlgorithm())) + .filter(ds -> algorithmIsInvalid(ds.getAlgorithm())) .collect(toImmutableList()); if (!invalidAlgorithms.isEmpty()) { throw new InvalidDsRecordException( 
@@ -349,9 +351,16 @@ static void validateDsData(Set dsData) throws EppException { "Domain contains DS record(s) with an invalid algorithm wire value: %s", invalidAlgorithms)); } + boolean forbidInsecureTypes = FeatureFlag.isActiveNow(FORBID_INSECURE_ALGORITHMS_RFC_9904); ImmutableList invalidDigestTypes = dsData.stream() - .filter(ds -> DigestType.fromWireValue(ds.getDigestType()).isEmpty()) + .filter( + ds -> { + Optional digestType = DigestType.fromWireValue(ds.getDigestType()); + return digestType + .map(type -> forbidInsecureTypes && !type.isAllowedInRfc9904()) + .orElse(true); + }) .collect(toImmutableList()); if (!invalidDigestTypes.isEmpty()) { throw new InvalidDsRecordException( @@ -376,14 +385,14 @@ static void validateDsData(Set dsData) throws EppException { } } - public static boolean validateAlgorithm(int alg) { + public static boolean algorithmIsInvalid(int alg) { if (alg > 255 || alg < 0) { - return false; + return true; } // Algorithms that are reserved or unassigned will just return a string representation of their // integer wire value. String algorithm = Algorithm.string(alg); - return !algorithm.equals(Integer.toString(alg)); + return algorithm.equals(Integer.toString(alg)); } /** We only allow specifying years in a period. */ diff --git a/core/src/main/java/google/registry/model/common/FeatureFlag.java b/core/src/main/java/google/registry/model/common/FeatureFlag.java index 49ef44a1a38..2569e59f659 100644 --- a/core/src/main/java/google/registry/model/common/FeatureFlag.java +++ b/core/src/main/java/google/registry/model/common/FeatureFlag.java 
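Review bot: In `validateDsData`, the new filter puts a recognised but forbidden SHA-1 digest type into the same `invalidDigestTypes` list as an unassigned wire value, so the `InvalidDsRecordException` thrown just below (its message text is outside this hunk) cannot tell a registrar that the record was refused on policy rather than as malformed. A short comment above the filter would make the two cases explicit, e.g. `// Unknown wire values are always rejected; SHA-1 is rejected only while the feature flag is active.`, and the message could name the policy. It is also worth confirming with a test what the update flow passes into this method. If it validates the full post-update DS set, a domain that already stores a SHA-1 DS record would start failing unrelated secDNS updates once `FORBID_INSECURE_ALGORITHMS_RFC_9904` is active, which the commit message suggests is not the intent. The method body starts and ends outside the hunk.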
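Review bot: `algorithmIsInvalid` still only checks that the wire value lies in 0..255 and is assigned, and it never consults `FORBID_INSECURE_ALGORITHMS_RFC_9904`, so with the flag active a DS record is refused for its digest type but never for its `algorithm` field. The flag's name and Javadoc speak of "insecure algorithms", so if only digest types are meant to be gated, that scope should be stated where a reader will look for it. The renamed public method also has no Javadoc, and its return sense is now inverted; I would add `/** Returns true if {@code alg} is outside 0-255 or is a reserved/unassigned DNSSEC algorithm number. Does not apply the RFC 9904 feature flag. */`.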
@@ -84,7 +84,10 @@ public enum FeatureName { INCLUDE_PENDING_DELETE_DATE_FOR_DOMAINS(FeatureStatus.INACTIVE), /** If we're prohibiting the inclusion of the contact object URI on login. */ - PROHIBIT_CONTACT_OBJECTS_ON_LOGIN(FeatureStatus.INACTIVE); + PROHIBIT_CONTACT_OBJECTS_ON_LOGIN(FeatureStatus.INACTIVE), + + /** If we're prohibiting insecure algorithms as detailed by RFC 9904. */ + FORBID_INSECURE_ALGORITHMS_RFC_9904(FeatureStatus.INACTIVE); private final FeatureStatus defaultStatus; diff --git a/core/src/main/java/google/registry/tools/DigestType.java b/core/src/main/java/google/registry/tools/DigestType.java index 8723868fd98..cda758c8bc3 100644 --- a/core/src/main/java/google/registry/tools/DigestType.java +++ b/core/src/main/java/google/registry/tools/DigestType.java @@ -29,21 +29,26 @@ * https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml */ public enum DigestType { - SHA1(1, 20), - SHA256(2, 32), + // Algorithm number 1 is SHA-1 and will be is deliberately NOT SUPPORTED. + // RFC 9904 specifies that this algorithm MUST NOT be used for DNSSEC delegations. + // This prohibition is gated behind a feature flag. + SHA1(1, 20, false), + SHA256(2, 32, true), // Algorithm number 3 is GOST R 34.11-94 and is deliberately NOT SUPPORTED. // This algorithm was reviewed by ise-crypto and deemed academically broken (b/207029800). // In addition, RFC 8624 specifies that this algorithm MUST NOT be used for DNSSEC delegations. // TODO(sarhabot@): Add note in Cloud DNS code to notify the Registry of any new changes to // supported digest types. - SHA384(4, 48); + SHA384(4, 48, true); private final int wireValue; private final int bytes; + private final boolean allowedInRfc9904; - DigestType(int wireValue, int bytes) { + DigestType(int wireValue, int bytes, boolean allowedInRfc9904) { this.wireValue = wireValue; this.bytes = bytes; + this.allowedInRfc9904 = allowedInRfc9904; } private static final ImmutableMap WIRE_VALUE_TO_DIGEST_TYPE = 
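Review bot: The new comment above `SHA1(1, 20, false)` in `DigestType` reads "will be is deliberately NOT SUPPORTED", which is garbled and also contradicts the code: SHA1 stays in the enum and is rejected only where the feature flag is checked. It also calls 1 an "Algorithm number" although this enum models digest types. Suggested wording for the first line: `// Digest type 1 is SHA-1. It stays in this enum so stored records still resolve; new use is rejected`, continued by `// only while FORBID_INSECURE_ALGORITHMS_RFC_9904 is active.`, keeping the existing RFC 9904 sentence after it. The Javadoc added later on `isAllowedInRfc9904()` has the same problem, because "supported" there really means "still permitted for new DS records".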
@@ -63,4 +68,9 @@ public int getWireValue() { public int getBytes() { return bytes; } + + /** Whether this digest type is supported as of RFC 9904. */ + public boolean isAllowedInRfc9904() { + return allowedInRfc9904; + } } diff --git a/core/src/main/java/google/registry/tools/DsRecord.java b/core/src/main/java/google/registry/tools/DsRecord.java index caa4c9ead20..5d4b943ddfe 100644 --- a/core/src/main/java/google/registry/tools/DsRecord.java +++ b/core/src/main/java/google/registry/tools/DsRecord.java @@ -46,7 +46,7 @@ private static DsRecord create(int keyTag, int alg, int digestType, String diges String.format("DS record has an invalid digest length: %s", digest)); } - if (!DomainFlowUtils.validateAlgorithm(alg)) { + if (DomainFlowUtils.algorithmIsInvalid(alg)) { throw new IllegalArgumentException( String.format("DS record uses an unrecognized algorithm: %d", alg)); } diff --git a/core/src/test/java/google/registry/flows/domain/DomainCreateFlowTest.java b/core/src/test/java/google/registry/flows/domain/DomainCreateFlowTest.java index 8015a6fd777..9e4147a9fd4 100644 --- a/core/src/test/java/google/registry/flows/domain/DomainCreateFlowTest.java +++ b/core/src/test/java/google/registry/flows/domain/DomainCreateFlowTest.java @@ -24,6 +24,7 @@ import static google.registry.model.billing.BillingBase.Flag.SUNRISE; import static google.registry.model.billing.BillingBase.RenewalPriceBehavior.NONPREMIUM; import static google.registry.model.billing.BillingBase.RenewalPriceBehavior.SPECIFIED; +import static google.registry.model.common.FeatureFlag.FeatureName.FORBID_INSECURE_ALGORITHMS_RFC_9904; import static google.registry.model.domain.fee.Fee.FEE_EXTENSION_URIS; import static google.registry.model.domain.token.AllocationToken.TokenType.BULK_PRICING; import static google.registry.model.domain.token.AllocationToken.TokenType.DEFAULT_PROMO; 
@@ -150,6 +151,8 @@ import google.registry.model.billing.BillingBase.RenewalPriceBehavior; import google.registry.model.billing.BillingEvent; import google.registry.model.billing.BillingRecurrence; +import google.registry.model.common.FeatureFlag; +import google.registry.model.common.FeatureFlag.FeatureStatus; import google.registry.model.domain.Domain; import google.registry.model.domain.DomainHistory; import google.registry.model.domain.GracePeriod; @@ -794,7 +797,11 @@ void testSuccess_secDns() throws Exception { .that(domain) .hasExactlyDsData( DomainDsData.create( - 12345, 3, 1, base16().decode("A94A8FE5CCB19BA61C4C0873D391E987982FBBD3")) + 12345, + 3, + 2, + base16() + .decode("D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A")) .cloneWithDomainRepoId(domain.getRepoId())); } 
@@ -957,6 +964,38 @@ void testFailure_secDnsInvalidDigestType() throws Exception { assertAboutEppExceptions().that(thrown).marshalsToXml(); } + @Test + void testFailure_secDnsSha1DigestType() throws Exception { + setEppInput("domain_create_dsdata_sha1.xml"); + persistHosts(); + DatabaseHelper.persistResource( + new FeatureFlag.Builder() + .setFeatureName(FORBID_INSECURE_ALGORITHMS_RFC_9904) + .setStatusMap(ImmutableSortedMap.of(START_INSTANT, FeatureStatus.ACTIVE)) + .build()); + EppException thrown = assertThrows(InvalidDsRecordException.class, this::runFlow); + assertAboutEppExceptions().that(thrown).marshalsToXml(); + } + + @Test + void testSuccess_secDnsSha1_flagInactive() throws Exception { + setEppInput("domain_create_dsdata_sha1.xml"); + persistHosts(); + DatabaseHelper.persistResource( + new FeatureFlag.Builder() + .setFeatureName(FORBID_INSECURE_ALGORITHMS_RFC_9904) + .setStatusMap(ImmutableSortedMap.of(START_INSTANT, FeatureStatus.INACTIVE)) + .build()); + doSuccessfulTest("tld"); + Domain domain = reloadResourceByForeignKey(); + assertAboutDomains() + .that(domain) + .hasExactlyDsData( + DomainDsData.create( + 12345, 3, 1, base16().decode("49FD46E6C4B45C55D4AC49FD46E6C4B45C55D4AC")) + .cloneWithDomainRepoId(domain.getRepoId())); + } + @Test void testFailure_secDnsInvalidAlgorithm() throws Exception { setEppInput("domain_create_dsdata_bad_algorithms.xml"); diff --git a/core/src/test/java/google/registry/flows/domain/DomainUpdateFlowTest.java b/core/src/test/java/google/registry/flows/domain/DomainUpdateFlowTest.java index a0be022ca4a..b49b6b7c4e4 100644 --- a/core/src/test/java/google/registry/flows/domain/DomainUpdateFlowTest.java +++ b/core/src/test/java/google/registry/flows/domain/DomainUpdateFlowTest.java 
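Review bot: Neither new test in `DomainCreateFlowTest` submits the SHA-1 fixture with no `FeatureFlag` row persisted, which is presumably the state a deployment is in until someone sets the flag. `testSuccess_secDnsSha1_flagInactive` writes an explicit INACTIVE entry, so the fallback to the enum's default `FeatureStatus.INACTIVE` is never exercised with a SHA-1 record. A third case that skips the `persistResource` call would pin that default, so that flipping it later is a visible, tested change.

```java
@Test
void testSuccess_secDnsSha1_flagAbsent() throws Exception {
  // No FeatureFlag row persisted: the enum's default status applies.
  setEppInput("domain_create_dsdata_sha1.xml");
  persistHosts();
  doSuccessfulTest("tld");
}
```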
@@ -19,6 +19,7 @@ import static com.google.common.io.BaseEncoding.base16; import static com.google.common.truth.Truth.assertThat; import static google.registry.model.ForeignKeyUtils.loadResource; +import static google.registry.model.common.FeatureFlag.FeatureName.FORBID_INSECURE_ALGORITHMS_RFC_9904; import static google.registry.model.eppcommon.StatusValue.CLIENT_DELETE_PROHIBITED; import static google.registry.model.eppcommon.StatusValue.CLIENT_HOLD; import static google.registry.model.eppcommon.StatusValue.CLIENT_RENEW_PROHIBITED; @@ -94,6 +95,8 @@ import google.registry.model.ImmutableObject; import google.registry.model.billing.BillingBase.Reason; import google.registry.model.billing.BillingEvent; +import google.registry.model.common.FeatureFlag; +import google.registry.model.common.FeatureFlag.FeatureStatus; import google.registry.model.domain.Domain; import google.registry.model.domain.DomainAuthInfo; import google.registry.model.domain.DomainHistory; @@ -115,6 +118,9 @@ /** Unit tests for {@link DomainUpdateFlow}. */ class DomainUpdateFlowTest extends ResourceFlowTestCase { + private static final String SHA_256_DIGEST = + "D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A"; + private static final DomainDsData SOME_DSDATA = DomainDsData.create( 1, @@ -125,8 +131,8 @@ class DomainUpdateFlowTest extends ResourceFlowTestCase runCommandForced( - "--client=NewRegistrar", - "--ds_records=1 2 1 abcd", - "example.tld")); + "--client=NewRegistrar", "--ds_records=1 2 2 abcd", "example.tld")); assertThat(thrown).hasMessageThat().isEqualTo("DS record has an invalid digest length: ABCD"); } diff --git a/core/src/test/java/google/registry/tools/DigestTypeTest.java b/core/src/test/java/google/registry/tools/DigestTypeTest.java new file mode 100644 index 00000000000..817190eea9e --- /dev/null +++ b/core/src/test/java/google/registry/tools/DigestTypeTest.java 
@@ -0,0 +1,48 @@
+// Copyright 2026 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.tools;
+
+import static com.google.common.truth.Truth.assertThat;
+
+import org.junit.jupiter.api.Test;
+
+/** Unit tests for {@link DigestType}. */
+class DigestTypeTest {
+
+ @Test
+ void testFromWireValue_sha1_returnsSha1() {
+ assertThat(DigestType.fromWireValue(1)).hasValue(DigestType.SHA1);
+ }
+
+ @Test
+ void testFromWireValue_sha256_returnsSha256() {
+ assertThat(DigestType.fromWireValue(2)).hasValue(DigestType.SHA256);
+ }
+
+ @Test
+ void testFromWireValue_gost_returnsEmpty() {
+ assertThat(DigestType.fromWireValue(3)).isEmpty();
+ }
+
+ @Test
+ void testFromWireValue_sha384_returnsSha384() {
+ assertThat(DigestType.fromWireValue(4)).hasValue(DigestType.SHA384);
+ }
+
+ @Test
+ void testFromWireValue_invalid_returnsEmpty() {
+ assertThat(DigestType.fromWireValue(5)).isEmpty();
+ }
+}
diff --git a/core/src/test/java/google/registry/tools/UniformRapidSuspensionCommandTest.java b/core/src/test/java/google/registry/tools/UniformRapidSuspensionCommandTest.java
index e6f0d71c869..ff3cc0b7254 100644
--- a/core/src/test/java/google/registry/tools/UniformRapidSuspensionCommandTest.java
+++ b/core/src/test/java/google/registry/tools/UniformRapidSuspensionCommandTest.java
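Review bot: `DigestTypeTest` asserts only on `fromWireValue`, which the visible `DigestType` hunks leave unchanged, so the accessor this patch adds, `isAllowedInRfc9904()`, has no direct test. Add a case such as `assertThat(DigestType.SHA1.isAllowedInRfc9904()).isFalse();` together with `isTrue()` checks for `SHA256` and `SHA384`. That way a flipped constructor argument, or a future enum entry added with the wrong value, fails here rather than only in the flow tests that depend on the feature flag.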
@@ -79,7 +79,7 @@ void testCommand_addsLocksReplacesHostsAndDsDataPrintsUndo() throws Exception { runCommandForced( "--domain_name=evil.tld", "--hosts=urs1.example.com,urs2.example.com", - "--dsdata=1 1 1 A94A8FE5CCB19BA61C4C0873D391E987982FBBD3", + "--dsdata=1 1 2 D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A", "--renew_one_year=false"); eppVerifier .expectRegistrarId("CharlestonRoad") @@ -107,7 +107,7 @@ void testCommand_respectExistingStatuses() throws Exception { runCommandForced( "--domain_name=evil.tld", "--hosts=urs1.example.com,urs2.example.com", - "--dsdata=1 1 1 A94A8FE5CCB19BA61C4C0873D391E987982FBBD3", + "--dsdata=1 1 2 D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A", "--renew_one_year=false"); eppVerifier .expectRegistrarId("CharlestonRoad") @@ -179,7 +179,7 @@ void testCommand_removeClientHold() throws Exception { runCommandForced( "--domain_name=evil.tld", "--hosts=urs1.example.com,urs2.example.com", - "--dsdata=1 1 1 A94A8FE5CCB19BA61C4C0873D391E987982FBBD3", + "--dsdata=1 1 2 D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A", "--renew_one_year=false"); eppVerifier .expectRegistrarId("CharlestonRoad") @@ -198,7 +198,7 @@ void testCommand_bracketNameserverNotationWithCanonicalization() throws Exceptio runCommandForced( "--domain_name=evil.tld", "--hosts=URS[1-2].example.com", - "--dsdata=1 1 1 A94A8FE5CCB19BA61C4C0873D391E987982FBBD3", + "--dsdata=1 1 2 D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A", "--renew_one_year=false"); eppVerifier .expectRegistrarId("CharlestonRoad") diff --git a/core/src/test/java/google/registry/tools/UpdateDomainCommandTest.java b/core/src/test/java/google/registry/tools/UpdateDomainCommandTest.java index a73e333b3cf..8511def829f 100644 --- a/core/src/test/java/google/registry/tools/UpdateDomainCommandTest.java +++ b/core/src/test/java/google/registry/tools/UpdateDomainCommandTest.java 
@@ -76,10 +76,11 @@ void testSuccess_complete() throws Exception { "--add_nameservers=ns1.zdns.google,ns2.zdns.google", "--add_statuses=serverDeleteProhibited", "--add_ds_records=1 2 2 9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08,4" - + " 5 1 A94A8FE5CCB19BA61C4C0873D391E987982FBBD3", + + " 5 2 D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A", "--remove_nameservers=ns3.zdns.google,ns4.zdns.google", "--remove_statuses=serverHold", - "--remove_ds_records=7 8 1 A94A8FE5CCB19BA61C4C0873D391E987982FBBD3,6 5 4" + "--remove_ds_records=7 8 2" + + " D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A,6 5 4" + " 768412320F7B0AA5812FCE428DC4706B3CAE50E02A64CAA16A782249BFE8EFC4B7EF1CCB126255D196047DFEDF17A0A9", "--password=2fooBAR", "example.tld"); @@ -93,10 +94,11 @@ void testSuccess_completeWithSquareBracketsAndCanonicalization() throws Exceptio "--add_nameservers=NS[1-2].zdns.google", "--add_statuses=serverDeleteProhibited", "--add_ds_records=1 2 2 9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08,4" - + " 5 1 A94A8FE5CCB19BA61C4C0873D391E987982FBBD3", + + " 5 2 D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A", "--remove_nameservers=ns[3-4].zdns.google", "--remove_statuses=serverHold", - "--remove_ds_records=7 8 1 A94A8FE5CCB19BA61C4C0873D391E987982FBBD3,6 5 4" + "--remove_ds_records=7 8 2" + + " D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A,6 5 4" + " 768412320F7B0AA5812FCE428DC4706B3CAE50E02A64CAA16A782249BFE8EFC4B7EF1CCB126255D196047DFEDF17A0A9", "--password=2fooBAR", "example.tld"); 
@@ -112,10 +114,11 @@ void testSuccess_multipleDomains() throws Exception { "--add_nameservers=ns1.zdns.google,ns2.zdns.google", "--add_statuses=serverDeleteProhibited", "--add_ds_records=1 2 2 9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08,4" - + " 5 1 A94A8FE5CCB19BA61C4C0873D391E987982FBBD3", + + " 5 2 D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A", "--remove_nameservers=ns[3-4].zdns.google", "--remove_statuses=serverHold", - "--remove_ds_records=7 8 1 A94A8FE5CCB19BA61C4C0873D391E987982FBBD3,6 5 4" + "--remove_ds_records=7 8 2" + + " D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A,6 5 4" + " 768412320F7B0AA5812FCE428DC4706B3CAE50E02A64CAA16A782249BFE8EFC4B7EF1CCB126255D196047DFEDF17A0A9", "--password=2fooBAR", "example.tld", @@ -163,7 +166,7 @@ void testSuccess_add() throws Exception { "--add_nameservers=ns2.zdns.google,ns3.zdns.google", "--add_statuses=serverDeleteProhibited", "--add_ds_records=1 2 2 D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A,4" - + " 5 1 A94A8FE5CCB19BA61C4C0873D391E987982FBBD3", + + " 5 2 D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A", "example.tld"); eppVerifier.verifySent("domain_update_add.xml"); } @@ -174,7 +177,8 @@ void testSuccess_remove() throws Exception { "--client=NewRegistrar", "--remove_nameservers=ns4.zdns.google", "--remove_statuses=serverHold", - "--remove_ds_records=7 8 1 A94A8FE5CCB19BA61C4C0873D391E987982FBBD3,6 5 4" + "--remove_ds_records=7 8 2" + + " D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A,6 5 4" + " 768412320F7B0AA5812FCE428DC4706B3CAE50E02A64CAA16A782249BFE8EFC4B7EF1CCB126255D196047DFEDF17A0A9", "example.tld"); eppVerifier.verifySent("domain_update_remove.xml"); 
@@ -230,8 +234,8 @@ void testSuccess_setStatuses() throws Exception { void testSuccess_setDsRecords() throws Exception { runCommandForced( "--client=NewRegistrar", - "--ds_records=1 2 2 D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A,4 5 1" - + " A94A8FE5CCB19BA61C4C0873D391E987982FBBD3", + "--ds_records=1 2 2 D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A,4 5 2" + + " D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A", "example.tld"); eppVerifier.verifySent("domain_update_set_ds_records.xml"); } @@ -240,8 +244,8 @@ void testSuccess_setDsRecords() throws Exception { void testSuccess_setDsRecords_withUnneededClear() throws Exception { runCommandForced( "--client=NewRegistrar", - "--ds_records=1 2 2 D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A,4 5 1" - + " A94A8FE5CCB19BA61C4C0873D391E987982FBBD3", + "--ds_records=1 2 2 D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A,4 5 2" + + " D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A", "--clear_ds_records", "example.tld"); eppVerifier.verifySent("domain_update_set_ds_records.xml"); @@ -538,9 +542,7 @@ void testFailure_invalidDigestLength() { IllegalArgumentException.class, () -> runCommandForced( - "--client=NewRegistrar", - "--ds_records=1 2 1 abcd", - "example.tld")); + "--client=NewRegistrar", "--ds_records=1 2 2 abcd", "example.tld")); assertThat(thrown).hasMessageThat().isEqualTo("DS record has an invalid digest length: ABCD"); } @@ -554,7 +556,8 @@ void testFailure_provideDsRecordsAndAddDsRecords() { "--client=NewRegistrar", "--add_ds_records=1 2 2" + " D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A", - "--ds_records=4 5 1 A94A8FE5CCB19BA61C4C0873D391E987982FBBD3", + "--ds_records=4 5 2" + + " D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A", "example.tld")); assertThat(thrown) .hasMessageThat() 
@@ -571,8 +574,10 @@ void testFailure_provideDsRecordsAndRemoveDsRecords() { () -> runCommandForced( "--client=NewRegistrar", - "--remove_ds_records=7 8 1 A94A8FE5CCB19BA61C4C0873D391E987982FBBD3", - "--ds_records=4 5 1 A94A8FE5CCB19BA61C4C0873D391E987982FBBD3", + "--remove_ds_records=7 8 2" + + " D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A", + "--ds_records=4 5 2" + + " D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A", "example.tld")); assertThat(thrown) .hasMessageThat() @@ -608,7 +613,8 @@ void testFailure_clearDsRecordsAndRemoveDsRecords() { () -> runCommandForced( "--client=NewRegistrar", - "--remove_ds_records=7 8 1 A94A8FE5CCB19BA61C4C0873D391E987982FBBD3", + "--remove_ds_records=7 8 2" + + " D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A", "--clear_ds_records", "example.tld")); assertThat(thrown) diff --git a/core/src/test/resources/google/registry/flows/domain/domain_create_dsdata_8_records.xml b/core/src/test/resources/google/registry/flows/domain/domain_create_dsdata_8_records.xml index ce291ff9745..637f559265e 100644 --- a/core/src/test/resources/google/registry/flows/domain/domain_create_dsdata_8_records.xml +++ b/core/src/test/resources/google/registry/flows/domain/domain_create_dsdata_8_records.xml 
@@ -22,50 +22,50 @@ 12345 3 - 1 - A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 + 2 + D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A 12346 3 - 1 - A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 + 2 + D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A 12347 3 - 1 - A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 + 2 + D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A 12348 3 - 1 - A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 + 2 + D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A 12349 3 - 1 - A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 + 2 + D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A 12350 3 - 1 - A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 + 2 + D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A 12351 3 - 1 - A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 + 2 + D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A 12352 3 - 1 - A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 + 2 + D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A diff --git a/core/src/test/resources/google/registry/flows/domain/domain_create_dsdata_no_maxsiglife.xml b/core/src/test/resources/google/registry/flows/domain/domain_create_dsdata_no_maxsiglife.xml index f074622a1a1..94ee4229bac 100644 --- a/core/src/test/resources/google/registry/flows/domain/domain_create_dsdata_no_maxsiglife.xml +++ b/core/src/test/resources/google/registry/flows/domain/domain_create_dsdata_no_maxsiglife.xml @@ -22,8 +22,8 @@ 12345 3 - 1 - A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 + 2 + D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A diff --git a/core/src/test/resources/google/registry/flows/domain/domain_create_dsdata_sha1.xml b/core/src/test/resources/google/registry/flows/domain/domain_create_dsdata_sha1.xml new file mode 100644 index 00000000000..c796aa5ff0c --- /dev/null +++ b/core/src/test/resources/google/registry/flows/domain/domain_create_dsdata_sha1.xml 
@@ -0,0 +1,32 @@ + + + + + + example.tld + 2 + + ns1.example.net + ns2.example.net + + + 2fooBAR + + + + + + + 12345 + 3 + 1 + 49FD46E6C4B45C55D4AC49FD46E6C4B45C55D4AC + + + + ABC-12345 + + diff --git a/core/src/test/resources/google/registry/flows/domain/domain_update_dsdata_add_rem.xml b/core/src/test/resources/google/registry/flows/domain/domain_update_dsdata_add_rem.xml index dae4d973e1d..1863c839694 100644 --- a/core/src/test/resources/google/registry/flows/domain/domain_update_dsdata_add_rem.xml +++ b/core/src/test/resources/google/registry/flows/domain/domain_update_dsdata_add_rem.xml @@ -15,16 +15,16 @@ 12345 3 - 1 - A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 + 2 + D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A 12346 3 - 1 - A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 + 2 + D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A diff --git a/core/src/test/resources/google/registry/flows/domain/domain_update_dsdata_rem.xml b/core/src/test/resources/google/registry/flows/domain/domain_update_dsdata_rem.xml index 47a6c4c101b..8178fb13da8 100644 --- a/core/src/test/resources/google/registry/flows/domain/domain_update_dsdata_rem.xml +++ b/core/src/test/resources/google/registry/flows/domain/domain_update_dsdata_rem.xml @@ -15,8 +15,8 @@ 12346 3 - 1 - A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 + 2 + D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A diff --git a/core/src/test/resources/google/registry/flows/domain_update_dsdata_add.xml b/core/src/test/resources/google/registry/flows/domain_update_dsdata_add.xml index 4efd89f77b1..f6468061a43 100644 --- a/core/src/test/resources/google/registry/flows/domain_update_dsdata_add.xml +++ b/core/src/test/resources/google/registry/flows/domain_update_dsdata_add.xml @@ -15,8 +15,8 @@ 12346 3 - 1 - A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 + 2 + D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A 
diff --git a/core/src/test/resources/google/registry/flows/domain_update_dsdata_rem.xml b/core/src/test/resources/google/registry/flows/domain_update_dsdata_rem.xml index 47a6c4c101b..8178fb13da8 100644 --- a/core/src/test/resources/google/registry/flows/domain_update_dsdata_rem.xml +++ b/core/src/test/resources/google/registry/flows/domain_update_dsdata_rem.xml @@ -15,8 +15,8 @@ 12346 3 - 1 - A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 + 2 + D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A diff --git a/core/src/test/resources/google/registry/tools/server/domain_create_complete.xml b/core/src/test/resources/google/registry/tools/server/domain_create_complete.xml index c238af552bc..f2e1e724280 100644 --- a/core/src/test/resources/google/registry/tools/server/domain_create_complete.xml +++ b/core/src/test/resources/google/registry/tools/server/domain_create_complete.xml @@ -28,8 +28,8 @@ 4 5 - 1 - A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 + 2 + D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A 60485 diff --git a/core/src/test/resources/google/registry/tools/server/domain_create_sha1.xml b/core/src/test/resources/google/registry/tools/server/domain_create_sha1.xml new file mode 100644 index 00000000000..ff95da1d161 --- /dev/null +++ b/core/src/test/resources/google/registry/tools/server/domain_create_sha1.xml @@ -0,0 +1,32 @@ + + + + + + example.tld + 1 + + ns1.zdns.google + ns2.zdns.google + ns3.zdns.google + ns4.zdns.google + + + 2fooBAR + + + + + + + 1 + 2 + 1 + A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 + + + + RegistryTool + + diff --git a/core/src/test/resources/google/registry/tools/server/domain_update_add.xml b/core/src/test/resources/google/registry/tools/server/domain_update_add.xml index 1ccc192f3e7..c32919f08ce 100644 --- a/core/src/test/resources/google/registry/tools/server/domain_update_add.xml +++ b/core/src/test/resources/google/registry/tools/server/domain_update_add.xml 
@@ -26,8 +26,8 @@ 4 5 - 1 - A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 + 2 + D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A diff --git a/core/src/test/resources/google/registry/tools/server/domain_update_complete.xml b/core/src/test/resources/google/registry/tools/server/domain_update_complete.xml index 4162427d87e..30010c5214a 100644 --- a/core/src/test/resources/google/registry/tools/server/domain_update_complete.xml +++ b/core/src/test/resources/google/registry/tools/server/domain_update_complete.xml @@ -32,8 +32,8 @@ 7 8 - 1 - A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 + 2 + D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A 6 @@ -52,8 +52,8 @@ 4 5 - 1 - A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 + 2 + D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A diff --git a/core/src/test/resources/google/registry/tools/server/domain_update_complete_abc.xml b/core/src/test/resources/google/registry/tools/server/domain_update_complete_abc.xml index 73cbbc4638f..de37653789a 100644 --- a/core/src/test/resources/google/registry/tools/server/domain_update_complete_abc.xml +++ b/core/src/test/resources/google/registry/tools/server/domain_update_complete_abc.xml @@ -32,8 +32,8 @@ 7 8 - 1 - A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 + 2 + D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A 6 @@ -52,8 +52,8 @@ 4 5 - 1 - A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 + 2 + D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A diff --git a/core/src/test/resources/google/registry/tools/server/domain_update_remove.xml b/core/src/test/resources/google/registry/tools/server/domain_update_remove.xml index f6df25f3dde..d4e4fc733a4 100644 --- a/core/src/test/resources/google/registry/tools/server/domain_update_remove.xml +++ b/core/src/test/resources/google/registry/tools/server/domain_update_remove.xml 
@@ -19,8 +19,8 @@ 7 8 - 1 - A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 + 2 + D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A 6 diff --git a/core/src/test/resources/google/registry/tools/server/domain_update_set_ds_records.xml b/core/src/test/resources/google/registry/tools/server/domain_update_set_ds_records.xml index d8c6000f38b..6e2d26cdde4 100644 --- a/core/src/test/resources/google/registry/tools/server/domain_update_set_ds_records.xml +++ b/core/src/test/resources/google/registry/tools/server/domain_update_set_ds_records.xml @@ -22,8 +22,8 @@ 4 5 - 1 - A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 + 2 + D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A diff --git a/core/src/test/resources/google/registry/tools/server/domain_update_sha1.xml b/core/src/test/resources/google/registry/tools/server/domain_update_sha1.xml new file mode 100644 index 00000000000..bdb8dbe0c98 --- /dev/null +++ b/core/src/test/resources/google/registry/tools/server/domain_update_sha1.xml @@ -0,0 +1,31 @@ + + + + + + example.tld + + + ns2.zdns.google + ns3.zdns.google + + + + + + + + + + 1 + 2 + 1 + A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 + + + + + RegistryTool + + diff --git a/core/src/test/resources/google/registry/tools/server/uniform_rapid_suspension.xml b/core/src/test/resources/google/registry/tools/server/uniform_rapid_suspension.xml index 99536a3ad6f..9468796722f 100644 --- a/core/src/test/resources/google/registry/tools/server/uniform_rapid_suspension.xml +++ b/core/src/test/resources/google/registry/tools/server/uniform_rapid_suspension.xml @@ -30,8 +30,8 @@ 1 1 - 1 - A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 + 2 + D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A diff --git a/core/src/test/resources/google/registry/tools/server/uniform_rapid_suspension_with_client_hold.xml b/core/src/test/resources/google/registry/tools/server/uniform_rapid_suspension_with_client_hold.xml index 3ef3a255969..858008073f9 100644 
--- a/core/src/test/resources/google/registry/tools/server/uniform_rapid_suspension_with_client_hold.xml +++ b/core/src/test/resources/google/registry/tools/server/uniform_rapid_suspension_with_client_hold.xml @@ -31,8 +31,8 @@ 1 1 - 1 - A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 + 2 + D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A diff --git a/core/src/test/resources/google/registry/tools/server/uniform_rapid_suspension_with_forbid_delete.xml b/core/src/test/resources/google/registry/tools/server/uniform_rapid_suspension_with_forbid_delete.xml index 47aea12a98d..f94a005dc9a 100644 --- a/core/src/test/resources/google/registry/tools/server/uniform_rapid_suspension_with_forbid_delete.xml +++ b/core/src/test/resources/google/registry/tools/server/uniform_rapid_suspension_with_forbid_delete.xml @@ -29,8 +29,8 @@ 1 1 - 1 - A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 + 2 + D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A