import java.util.*;
-
/**
* A class for performing basic DNSSEC verification. The DNSJAVA package
* contains a similar class. This is a re-implementation that allows us to have
*/
public class DnsSecVerifier {
public static final int UNKNOWN = 0;
- public static final int RSA = 1;
- public static final int DSA = 2;
- private Logger log = Logger.getLogger(this.getClass());
+ public static final int RSA = 1;
+ public static final int DSA = 2;
+ private Logger log = Logger.getLogger(this.getClass());
/**
* This is a mapping of DNSSEC algorithm numbers/private identifiers to JCA
mAlgorithmMap = new HashMap<Integer, AlgEntry>();
// set the default algorithm map.
- mAlgorithmMap.put(new Integer(DNSSEC.RSAMD5),
- new AlgEntry("MD5withRSA", DNSSEC.RSAMD5, false));
- mAlgorithmMap.put(new Integer(DNSSEC.DSA),
- new AlgEntry("SHA1withDSA", DNSSEC.DSA, true));
- mAlgorithmMap.put(new Integer(DNSSEC.RSASHA1),
- new AlgEntry("SHA1withRSA", DNSSEC.RSASHA1, false));
- mAlgorithmMap.put(new Integer(DNSSEC.DSA_NSEC3_SHA1),
- new AlgEntry("SHA1withDSA", DNSSEC.DSA, true));
- mAlgorithmMap.put(new Integer(DNSSEC.RSA_NSEC3_SHA1),
- new AlgEntry("SHA1withRSA", DNSSEC.RSASHA1, false));
- mAlgorithmMap.put(new Integer(DNSSEC.RSASHA256),
- new AlgEntry("SHA256withRSA", DNSSEC.RSASHA256, false));
- mAlgorithmMap.put(new Integer(DNSSEC.RSASHA512),
- new AlgEntry("SHA512withRSA", DNSSEC.RSASHA512, false));
+ mAlgorithmMap.put(new Integer(DNSSEC.RSAMD5), new AlgEntry(
+ "MD5withRSA", DNSSEC.RSAMD5, false));
+ mAlgorithmMap.put(new Integer(DNSSEC.DSA), new AlgEntry("SHA1withDSA",
+ DNSSEC.DSA, true));
+ mAlgorithmMap.put(new Integer(DNSSEC.RSASHA1), new AlgEntry(
+ "SHA1withRSA", DNSSEC.RSASHA1, false));
+ mAlgorithmMap.put(new Integer(DNSSEC.DSA_NSEC3_SHA1), new AlgEntry(
+ "SHA1withDSA", DNSSEC.DSA, true));
+ mAlgorithmMap.put(new Integer(DNSSEC.RSA_NSEC3_SHA1), new AlgEntry(
+ "SHA1withRSA", DNSSEC.RSASHA1, false));
+ mAlgorithmMap.put(new Integer(DNSSEC.RSASHA256), new AlgEntry(
+ "SHA256withRSA", DNSSEC.RSASHA256, false));
+ mAlgorithmMap.put(new Integer(DNSSEC.RSASHA512), new AlgEntry(
+ "SHA512withRSA", DNSSEC.RSASHA512, false));
}
private boolean isDSA(int algorithm) {
for (Util.ConfigEntry entry : aliases) {
Integer alg_alias = new Integer(Util.parseInt(entry.key, -1));
- Integer alg_orig = new Integer(Util.parseInt(entry.value, -1));
+ Integer alg_orig = new Integer(Util.parseInt(entry.value, -1));
if (!mAlgorithmMap.containsKey(alg_orig)) {
- log.warn("Unable to alias " + alg_alias +
- " to unknown algorithm " + alg_orig);
+ log.warn("Unable to alias " + alg_alias
+ + " to unknown algorithm " + alg_orig);
continue;
}
if (mAlgorithmMap.containsKey(alg_alias)) {
- log.warn("Algorithm alias " + alg_alias +
- " is already defined and cannot be redefined");
+ log.warn("Algorithm alias " + alg_alias
+ + " is already defined and cannot be redefined");
continue;
}
if (entry == null) {
log.warn("DNSSEC alg " + alg + " has a null entry!");
} else {
- log.debug("DNSSEC alg " + alg + " maps to " + entry.jcaName +
- " (" + entry.dnssecAlg + ")");
+ log.debug("DNSSEC alg " + alg + " maps to " + entry.jcaName
+ + " (" + entry.dnssecAlg + ")");
}
}
}
* Find the matching DNSKEY(s) to an RRSIG within a DNSKEY rrset. Normally
* this will only return one DNSKEY. It can return more than one, since
* KeyID/Footprints are not guaranteed to be unique.
- *
+ *
* @param dnskey_rrset
* The DNSKEY rrset to search.
* @param signature
@SuppressWarnings("unchecked")
private List<DNSKEYRecord> findKey(RRset dnskey_rrset, RRSIGRecord signature) {
if (!signature.getSigner().equals(dnskey_rrset.getName())) {
- log.trace("findKey: could not find appropriate key because " +
- "incorrect keyset was supplied. Wanted: " +
- signature.getSigner() + ", got: " + dnskey_rrset.getName());
+ log.trace("findKey: could not find appropriate key because "
+ + "incorrect keyset was supplied. Wanted: "
+ + signature.getSigner() + ", got: "
+ + dnskey_rrset.getName());
return null;
}
- int keyid = signature.getFootprint();
- int alg = signature.getAlgorithm();
+ int keyid = signature.getFootprint();
+ int alg = signature.getAlgorithm();
- List<DNSKEYRecord> res = new ArrayList<DNSKEYRecord>(dnskey_rrset.size());
+ List<DNSKEYRecord> res = new ArrayList<DNSKEYRecord>(dnskey_rrset
+ .size());
for (Iterator i = dnskey_rrset.rrs(); i.hasNext();) {
DNSKEYRecord r = (DNSKEYRecord) i.next();
}
if (res.size() == 0) {
- log.trace("findKey: could not find a key matching " +
- "the algorithm and footprint in supplied keyset. ");
+ log.trace("findKey: could not find a key matching "
+ + "the algorithm and footprint in supplied keyset. ");
return null;
}
/**
* Check to see if a signature looks valid (i.e., matches the rrset in
* question, in the validity period, etc.)
- *
+ *
* @param rrset
* The rrset that the signature belongs to.
* @param sigrec
return SecurityStatus.BOGUS;
}
- Date now = new Date();
- Date start = sigrec.getTimeSigned();
+ Date now = new Date();
+ Date start = sigrec.getTimeSigned();
Date expire = sigrec.getExpire();
if (now.before(start)) {
}
if (now.after(expire)) {
- log.debug("Signature has expired (now = " + now +
- ", sig expires = " + expire);
+ log.debug("Signature has expired (now = " + now
+ + ", sig expires = " + expire);
return SecurityStatus.BOGUS;
}
}
public PublicKey parseDNSKEY(DNSKEYRecord key) {
- AlgEntry ae = (AlgEntry) mAlgorithmMap.get(new Integer(
- key.getAlgorithm()));
+ AlgEntry ae = (AlgEntry) mAlgorithmMap.get(new Integer(key
+ .getAlgorithm()));
if (key.getAlgorithm() != ae.dnssecAlg) {
// Recast the DNSKEYRecord in question as one using the offical
/**
* Actually cryptographically verify a signature over the rrset. The RRSIG
* record must match the rrset being verified (see checkSignature).
- *
+ *
* @param rrset
* The rrset to verify.
* @param sigrec
* UNCHECKED if we just couldn't actually do the function.
*/
public byte verifySignature(RRset rrset, RRSIGRecord sigrec,
- DNSKEYRecord key) {
+ DNSKEYRecord key) {
try {
PublicKey pk = parseDNSKEY(key);
if (pk == null) {
- log.warn(
- "Could not convert DNSKEY record to a JCA public key: " +
- key);
+ log
+ .warn("Could not convert DNSKEY record to a JCA public key: "
+ + key);
return SecurityStatus.UNCHECKED;
}
- byte [] data = SignUtils.generateSigData(rrset, sigrec);
+ byte[] data = SignUtils.generateSigData(rrset, sigrec);
Signature signer = getSignature(sigrec.getAlgorithm());
signer.initVerify(pk);
signer.update(data);
- byte [] sig = sigrec.getSignature();
+ byte[] sig = sigrec.getSignature();
if (isDSA(sigrec.getAlgorithm())) {
sig = SignUtils.convertDSASignature(sig);
/**
* Verify an RRset against a particular signature.
- *
+ *
* @return DNSSEC.Secure if the signature verfied, DNSSEC.Failed if it did
* not verify (for any reason), and DNSSEC.Insecure if verification
* could not be completed (usually because the public key was not
* Verifies an RRset. This routine does not modify the RRset. This RRset is
* presumed to be verifiable, and the correct DNSKEY rrset is presumed to
* have been found.
- *
+ *
* @return SecurityStatus.SECURE if the rrest verified positively,
* SecurityStatus.BOGUS otherwise.
*/
while (i.hasNext()) {
RRSIGRecord sigrec = (RRSIGRecord) i.next();
- byte res = verifySignature(rrset, sigrec, key_rrset);
+ byte res = verifySignature(rrset, sigrec, key_rrset);
if (res == SecurityStatus.SECURE) {
return res;
* Verify an RRset against a single DNSKEY. Use this when you must be
* certain that an RRset signed and verifies with a particular DNSKEY (as
* opposed to a particular DNSKEY rrset).
- *
+ *
* @param rrset
* The rrset to verify.
* @param dnskey
public int baseAlgorithm(int algorithm) {
switch (algorithm) {
- case DNSSEC.RSAMD5:
- case DNSSEC.RSASHA1:
- return RSA;
+ case DNSSEC.RSAMD5:
+ case DNSSEC.RSASHA1:
+ return RSA;
- case DNSSEC.DSA:
- return DSA;
+ case DNSSEC.DSA:
+ return DSA;
}
AlgEntry entry = (AlgEntry) mAlgorithmMap.get(new Integer(algorithm));
Signature s = null;
try {
- AlgEntry entry = (AlgEntry) mAlgorithmMap.get(new Integer(algorithm));
+ AlgEntry entry = (AlgEntry) mAlgorithmMap
+ .get(new Integer(algorithm));
if (entry == null) {
log.info("DNSSEC algorithm " + algorithm + " not recognized.");
}
private static class AlgEntry {
- public String jcaName;
+ public String jcaName;
public boolean isDSA;
- public int dnssecAlg;
+ public int dnssecAlg;
public AlgEntry(String name, int dnssecAlg, boolean isDSA) {
- jcaName = name;
- this.dnssecAlg = dnssecAlg;
- this.isDSA = isDSA;
+ jcaName = name;
+ this.dnssecAlg = dnssecAlg;
+ this.isDSA = isDSA;
}
}
git://blacka.com / captive-validator.git / blobdiff