import java.security.NoSuchAlgorithmException;
import java.util.*;
-import org.apache.log4j.Logger;
import org.xbill.DNS.*;
import org.xbill.DNS.utils.base32;
-import se.rfc.unbound.validator.DnsSecVerifier;
-import se.rfc.unbound.validator.SignUtils;
-import se.rfc.unbound.validator.SignUtils.ByteArrayComparator;
+import se.rfc.unbound.SignUtils.ByteArrayComparator;
+
public class NSEC3ValUtils
{
// parameters. The idea is to hash and compare for each group independently,
// instead of having to skip NSEC3 RRs with the wrong parameters.
- // The logger to use in static methods.
- private static Logger st_log = Logger.getLogger(NSEC3ValUtils.class);
private static Name asterisk_label = Name.fromConstantString("*");
}
catch (NoSuchAlgorithmException e)
{
- st_log.debug("Did not recognize hash algorithm: " + params.alg);
+// st_log.debug("Did not recognize hash algorithm: " + params.alg);
return null;
}
}
if (candidate == null)
{
- st_log.debug("proveClosestEncloser: could not find a "
- + "candidate for the closest encloser.");
+// st_log.debug("proveClosestEncloser: could not find a "
+// + "candidate for the closest encloser.");
return null;
}
{
if (proveDoesNotExist)
{
- st_log.debug("proveClosestEncloser: proved that qname existed!");
+// st_log.debug("proveClosestEncloser: proved that qname existed!");
return null;
}
// otherwise, we need to nothing else to prove that qname is its own
if (candidate.ce_nsec3.hasType(Type.NS)
&& !candidate.ce_nsec3.hasType(Type.SOA))
{
- st_log.debug("proveClosestEncloser: closest encloser "
- + "was a delegation!");
+// st_log.debug("proveClosestEncloser: closest encloser "
+// + "was a delegation!");
return null;
}
if (candidate.ce_nsec3.hasType(Type.DNAME))
{
- st_log.debug("proveClosestEncloser: closest encloser was a DNAME!");
+// st_log.debug("proveClosestEncloser: closest encloser was a DNAME!");
return null;
}
bac);
if (candidate.nc_nsec3 == null)
{
- st_log.debug("Could not find proof that the "
- + "closest encloser was the closest encloser");
+// st_log.debug("Could not find proof that the "
+// + "closest encloser was the closest encloser");
return null;
}
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
if (nsec3params == null)
{
- st_log.debug("Could not find a single set of " +
- "NSEC3 parameters (multiple parameters present).");
+// st_log.debug("Could not find a single set of " +
+// "NSEC3 parameters (multiple parameters present).");
return false;
}
if (ce == null)
{
- st_log.debug("proveNameError: failed to prove a closest encloser.");
+// st_log.debug("proveNameError: failed to prove a closest encloser.");
return false;
}
bac);
if (nsec3 == null)
{
- st_log.debug("proveNameError: could not prove that the "
- + "applicable wildcard did not exist.");
+// st_log.debug("proveNameError: could not prove that the "
+// + "applicable wildcard did not exist.");
return false;
}
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
if (nsec3params == null)
{
- st_log.debug("could not find a single set of "
- + "NSEC3 parameters (multiple parameters present)");
+// st_log.debug("could not find a single set of "
+// + "NSEC3 parameters (multiple parameters present)");
return false;
}
ByteArrayComparator bac = new ByteArrayComparator();
{
if (nsec3.hasType(qtype))
{
- st_log.debug("proveNodata: Matching NSEC3 proved that type existed!");
+// st_log.debug("proveNodata: Matching NSEC3 proved that type existed!");
return false;
}
if (nsec3.hasType(Type.CNAME))
{
- st_log.debug("proveNodata: Matching NSEC3 proved "
- + "that a CNAME existed!");
+// st_log.debug("proveNodata: Matching NSEC3 proved "
+// + "that a CNAME existed!");
return false;
}
return true;
// problem.
if (ce == null)
{
- st_log.debug("proveNodata: did not match qname, "
- + "nor found a proven closest encloser.");
+// st_log.debug("proveNodata: did not match qname, "
+// + "nor found a proven closest encloser.");
return false;
}
{
if (nsec3.hasType(qtype))
{
- st_log.debug("proveNodata: matching wildcard had qtype!");
+// st_log.debug("proveNodata: matching wildcard had qtype!");
return false;
}
return true;
// Case 5.
if (qtype != Type.DS)
{
- st_log.debug("proveNodata: could not find matching NSEC3, "
- + "nor matching wildcard, and qtype is not DS -- no more options.");
+// st_log.debug("proveNodata: could not find matching NSEC3, "
+// + "nor matching wildcard, and qtype is not DS -- no more options.");
return false;
}
// We need to make sure that the covering NSEC3 is opt-in.
if (!ce.nc_nsec3.getOptInFlag())
{
- st_log.debug("proveNodata: covering NSEC3 was not "
- + "opt-in in an opt-in DS NOERROR/NODATA case.");
+// st_log.debug("proveNodata: covering NSEC3 was not "
+// + "opt-in in an opt-in DS NOERROR/NODATA case.");
return false;
}
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
if (nsec3params == null)
{
- st_log.debug("couldn't find a single set of NSEC3 parameters (multiple parameters present).");
+// st_log.debug("couldn't find a single set of NSEC3 parameters (multiple parameters present).");
return false;
}
if (candidate.nc_nsec3 == null)
{
- st_log.debug("proveWildcard: did not find a covering NSEC3 "
- + "that covered the next closer name to " + qname + " from "
- + candidate.closestEncloser + " (derived from wildcard " + wildcard
- + ")");
+// st_log.debug("proveWildcard: did not find a covering NSEC3 "
+// + "that covered the next closer name to " + qname + " from "
+// + candidate.closestEncloser + " (derived from wildcard " + wildcard
+// + ")");
return false;
}
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
if (nsec3params == null)
{
- st_log.debug("couldn't find a single set of " +
- "NSEC3 parameters (multiple parameters present).");
+// st_log.debug("couldn't find a single set of " +
+// "NSEC3 parameters (multiple parameters present).");
return SecurityStatus.BOGUS;
}
ByteArrayComparator bac = new ByteArrayComparator();
git://blacka.com / captive-validator.git / blobdiff