*
*/
-package se.rfc.unbound.validator;
+package se.rfc.unbound;
import java.util.*;
import java.io.*;
import java.security.*;
-import org.apache.log4j.Logger;
import org.xbill.DNS.*;
import org.xbill.DNS.security.*;
/**
* A class for performing basic DNSSEC verification. The DNSJAVA package
- * contains a similar class. This is a reimplementation that allows us to have
+ * contains a similar class. This is a re-implementation that allows us to have
* finer control over the validation process.
- *
- * @author davidb
- * @version $Revision$
*/
public class DnsSecVerifier
{
*/
private HashMap mAlgorithmMap;
- private Logger log = Logger.getLogger(this.getClass());
-
private static class AlgEntry
{
public String jcaName;
if (!mAlgorithmMap.containsKey(alg_orig))
{
- log.warn("Unable to alias " + alg_alias + " to unknown algorithm "
- + alg_orig);
+// log.warn("Unable to alias " + alg_alias + " to unknown algorithm "
+// + alg_orig);
continue;
}
if (mAlgorithmMap.containsKey(alg_alias))
{
- log.warn("Algorithm alias " + alg_alias
- + " is already defined and cannot be redefined");
+// log.warn("Algorithm alias " + alg_alias
+// + " is already defined and cannot be redefined");
continue;
}
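Review bot: Commenting out the `log.warn` calls leaves dead code in the alias loop and silently drops the only diagnostic a misconfigured algorithm alias produced; this hunk is the first of many that do the same (the hunks ending at `return null;` in findKey, every `return SecurityStatus.BOGUS;` path in verifySignature and both verify overloads, and `return null;` in the algorithm lookup). Either delete the lines outright or swap the logger for one the new package can depend on without log4j — the standard library's `java.util.logging` needs no extra dependency, e.g. `private static final java.util.logging.Logger log = java.util.logging.Logger.getLogger(DnsSecVerifier.class.getName());` with `log.warning(...)` / `log.fine(...)` in place of `warn` / `debug`. The messages being dropped ("Signature has expired", "Signature failed to verify cryptographically", "DNSSEC algorithm … not recognized") are exactly what an operator needs to tell a broken zone or a tampered response from a bug in this class, so preserving some way to surface the failure reason is worth more than the convenience of removing the dependency. The loop this hunk sits in begins before its first line.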
{
Integer alg = (Integer) i.next();
AlgEntry entry = (AlgEntry) mAlgorithmMap.get(alg);
- if (entry == null)
- log.warn("DNSSEC alg " + alg + " has a null entry!");
- else
- log.debug("DNSSEC alg " + alg + " maps to " + entry.jcaName
- + " (" + entry.dnssecAlg + ")");
+// if (entry == null)
+// log.warn("DNSSEC alg " + alg + " has a null entry!");
+// else
+// log.debug("DNSSEC alg " + alg + " maps to " + entry.jcaName
+// + " (" + entry.dnssecAlg + ")");
}
}
{
if (!signature.getSigner().equals(dnskey_rrset.getName()))
{
- log.trace("findKey: could not find appropriate key because "
- + "incorrect keyset was supplied. Wanted: " + signature.getSigner()
- + ", got: " + dnskey_rrset.getName());
+// log.trace("findKey: could not find appropriate key because "
+// + "incorrect keyset was supplied. Wanted: " + signature.getSigner()
+// + ", got: " + dnskey_rrset.getName());
return null;
}
if (res.size() == 0)
{
- log.trace("findKey: could not find a key matching "
- + "the algorithm and footprint in supplied keyset. ");
+// log.trace("findKey: could not find a key matching "
+// + "the algorithm and footprint in supplied keyset. ");
return null;
}
return res;
if (rrset == null || sigrec == null) return DNSSEC.Failed;
if (!rrset.getName().equals(sigrec.getName()))
{
- log.debug("Signature name does not match RRset name");
+// log.debug("Signature name does not match RRset name");
return SecurityStatus.BOGUS;
}
if (rrset.getType() != sigrec.getTypeCovered())
{
- log.debug("Signature type does not match RRset type");
+// log.debug("Signature type does not match RRset type");
return SecurityStatus.BOGUS;
}
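Review bot: The null guard at the top of this hunk returns `DNSSEC.Failed` while every other failure path in the method returns a `SecurityStatus` constant; unless the two constants are defined to share a value, a null rrset or sigrec yields a status that callers distinguishing BOGUS from UNCHECKED will not recognize. Suggest `if (rrset == null || sigrec == null) return SecurityStatus.BOGUS;` so missing input is reported the same way as a name or type mismatch. The method signature and the remainder of its body are outside the hunk, so I cannot confirm the declared return type from here.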
Date expire = sigrec.getExpire();
if (now.before(start))
{
- log.debug("Signature is not yet valid");
+// log.debug("Signature is not yet valid");
return SecurityStatus.BOGUS;
}
if (now.after(expire))
{
- log.debug("Signature has expired (now = " + now + ", sig expires = "
- + expire);
+// log.debug("Signature has expired (now = " + now + ", sig expires = "
+// + expire);
return SecurityStatus.BOGUS;
}
if (pk == null)
{
- log.warn("Could not convert DNSKEY record to a JCA public key: "
- + key);
+// log.warn("Could not convert DNSKEY record to a JCA public key: "
+// + key);
return SecurityStatus.UNCHECKED;
}
}
if (!signer.verify(sig))
{
- log.info("Signature failed to verify cryptographically");
- log.debug("Failed signature: " + sigrec);
+// log.info("Signature failed to verify cryptographically");
+// log.debug("Failed signature: " + sigrec);
return SecurityStatus.BOGUS;
}
- log.trace("Signature verified: " + sigrec);
+// log.trace("Signature verified: " + sigrec);
return SecurityStatus.SECURE;
}
catch (IOException e)
{
- log.error("I/O error", e);
+// log.error("I/O error", e);
}
catch (GeneralSecurityException e)
{
- log.error("Security error", e);
+// log.error("Security error", e);
}
// FIXME: Since I'm not sure what would cause an exception here (failure
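Review bot: The two catch blocks at the end of this hunk are now empty, so an `IOException` or `GeneralSecurityException` raised during signature verification is discarded with no record of its cause, and the `catch (NoSuchAlgorithmException e)` in the later hunk has the same problem. Removing log4j does not require dropping the diagnostic: `log.log(java.util.logging.Level.SEVERE, "Security error", e);` carries the same message and stack trace with no new dependency, or the exception can be wrapped and rethrown if callers are meant to see it. The status returned after the FIXME comment is outside the hunk, so I cannot confirm what a caller receives on this path; if it is anything other than BOGUS or UNCHECKED, a cryptographic error here becomes indistinguishable from a good signature. The enclosing method continues past the last line of this hunk.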
if (keys == null)
{
- log.trace("could not find appropriate key");
+// log.trace("could not find appropriate key");
return SecurityStatus.BOGUS;
}
if (!i.hasNext())
{
- log.info("RRset failed to verify due to lack of signatures");
+// log.info("RRset failed to verify due to lack of signatures");
return SecurityStatus.BOGUS;
}
if (res == SecurityStatus.SECURE) return res;
}
- log.info("RRset failed to verify: all signatures were BOGUS");
+// log.info("RRset failed to verify: all signatures were BOGUS");
return SecurityStatus.BOGUS;
}
Iterator i = rrset.sigs();
if (!i.hasNext())
{
- log.info("RRset failed to verify due to lack of signatures");
+// log.info("RRset failed to verify due to lack of signatures");
return SecurityStatus.BOGUS;
}
if (res == SecurityStatus.SECURE) return res;
}
- log.info("RRset failed to verify: all signatures were BOGUS");
+// log.info("RRset failed to verify: all signatures were BOGUS");
return SecurityStatus.BOGUS;
}
AlgEntry entry = (AlgEntry) mAlgorithmMap.get(new Integer(algorithm));
if (entry == null)
{
- log.info("DNSSEC algorithm " + algorithm + " not recognized.");
+// log.info("DNSSEC algorithm " + algorithm + " not recognized.");
return null;
}
// TODO: should we cache the instance?
}
catch (NoSuchAlgorithmException e)
{
- log.error("error getting Signature object", e);
+// log.error("error getting Signature object", e);
}
return s;