import java.util.*;
/**
- * A class for performing basic DNSSEC verification. The DNSJAVA package
- * contains a similar class. This is a re-implementation that allows us to have
- * finer control over the validation process.
+ * A class for performing basic DNSSEC verification. The DNSJAVA
+ * package contains a similar class. This is a re-implementation that
+ * allows us to have finer control over the validation process.
*/
public class DnsSecVerifier {
public static final int UNKNOWN = 0;
- public static final int RSA = 1;
- public static final int DSA = 2;
+ public static final int RSA = 1;
+ public static final int DSA = 2;
private Logger log = Logger.getLogger(this.getClass());
/**
private HashMap<Integer, AlgEntry> mAlgorithmMap;
/**
- * This is a mapping of DNSSEC private (DNS name) identifiers to JCA
- * algorithm identifiers.
+ * This is a mapping of DNSSEC private (DNS name) identifiers to
+ * JCA algorithm identifiers.
*/
private HashMap<Name, AlgEntry> mPrivateAlgorithmMap;
// For now, we just accept new identifiers for existing algorithms.
// FIXME: handle private identifiers.
- List<Util.ConfigEntry> aliases = Util.parseConfigPrefix(config,
- "dns.algorithm.");
+ List<Util.ConfigEntry> aliases = Util.parseConfigPrefix(config, "dns.algorithm.");
for (Util.ConfigEntry entry : aliases) {
Integer alg_alias = Integer.valueOf(Util.parseInt(entry.key, -1));
- Integer alg_orig = Integer.valueOf(Util.parseInt(entry.value, -1));
+ Integer alg_orig = Integer.valueOf(Util.parseInt(entry.value, -1));
if (!mAlgorithmMap.containsKey(alg_orig)) {
- log.warn("Unable to alias " + alg_alias
- + " to unknown algorithm " + alg_orig);
-
+ log.warn("Unable to alias " + alg_alias + " to unknown algorithm " + alg_orig);
continue;
}
if (mAlgorithmMap.containsKey(alg_alias)) {
- log.warn("Algorithm alias " + alg_alias
- + " is already defined and cannot be redefined");
-
+ log.warn("Algorithm alias " + alg_alias + " is already defined and cannot be redefined");
continue;
}
log.warn("DNSSEC alg " + alg + " has a null entry!");
} else {
log.debug("DNSSEC alg " + alg + " maps to " + entry.jcaName
- + " (" + entry.dnssecAlg + ")");
+ + " (" + entry.dnssecAlg + ")");
}
}
}
/**
- * Find the matching DNSKEY(s) to an RRSIG within a DNSKEY rrset. Normally
- * this will only return one DNSKEY. It can return more than one, since
- * KeyID/Footprints are not guaranteed to be unique.
- *
+ * Find the matching DNSKEY(s) to an RRSIG within a DNSKEY
+ * rrset. Normally this will only return one DNSKEY. It can return
+ * more than one, since KeyID/Footprints are not guaranteed to be
+ * unique.
+ *
* @param dnskey_rrset
* The DNSKEY rrset to search.
* @param signature
private List<DNSKEYRecord> findKey(RRset dnskey_rrset, RRSIGRecord signature) {
if (!signature.getSigner().equals(dnskey_rrset.getName())) {
log.trace("findKey: could not find appropriate key because "
- + "incorrect keyset was supplied. Wanted: "
- + signature.getSigner() + ", got: "
- + dnskey_rrset.getName());
+ + "incorrect keyset was supplied. Wanted: "
+ + signature.getSigner() + ", got: "
+ + dnskey_rrset.getName());
return null;
}
int keyid = signature.getFootprint();
- int alg = signature.getAlgorithm();
+ int alg = signature.getAlgorithm();
- List<DNSKEYRecord> res = new ArrayList<DNSKEYRecord>(dnskey_rrset
- .size());
+ List<DNSKEYRecord> res = new ArrayList<DNSKEYRecord>(dnskey_rrset.size());
for (Iterator i = dnskey_rrset.rrs(); i.hasNext();) {
DNSKEYRecord r = (DNSKEYRecord) i.next();
}
if (res.size() == 0) {
- log.trace("findKey: could not find a key matching "
- + "the algorithm and footprint in supplied keyset. ");
+ log.trace("findKey: could not find a key matching " +
+ "the algorithm and footprint in supplied keyset.");
return null;
}
}
/**
- * Check to see if a signature looks valid (i.e., matches the rrset in
- * question, in the validity period, etc.)
- *
+ * Check to see if a signature looks valid (i.e., matches the
+ * rrset in question, in the validity period, etc.)
+ *
* @param rrset
* The rrset that the signature belongs to.
* @param sigrec
* The signature record to check.
- * @return A value of SecurityStatus.SECURE if it looks OK, SecurityStatus.BOGUS if it looks
- * bad.
+ * @return A value of SecurityStatus.SECURE if it looks OK,
+ * SecurityStatus.BOGUS if it looks bad.
*/
private byte checkSignature(RRset rrset, RRSIGRecord sigrec) {
if ((rrset == null) || (sigrec == null)) {
return SecurityStatus.BOGUS;
}
- Date now = new Date();
- Date start = sigrec.getTimeSigned();
+ Date now = new Date();
+ Date start = sigrec.getTimeSigned();
Date expire = sigrec.getExpire();
if (now.before(start)) {
}
if (now.after(expire)) {
- log.debug("Signature has expired (now = " + now
- + ", sig expires = " + expire);
+ log.debug("Signature has expired (now = " + now +
+ ", sig expires = " + expire);
return SecurityStatus.BOGUS;
}
}
public PublicKey parseDNSKEY(DNSKEYRecord key) {
- AlgEntry ae = (AlgEntry) mAlgorithmMap.get(Integer.valueOf(key
- .getAlgorithm()));
+ AlgEntry ae = (AlgEntry) mAlgorithmMap.get(Integer.valueOf(key.getAlgorithm()));
if (key.getAlgorithm() != ae.dnssecAlg) {
// Recast the DNSKEYRecord in question as one using the offical
// underlying
// KEYConverter class from DNSjava
key = new DNSKEYRecord(key.getName(), key.getDClass(),
- key.getTTL(), key.getFlags(), key.getProtocol(),
- ae.dnssecAlg, key.getKey());
+ key.getTTL(), key.getFlags(), key.getProtocol(),
+ ae.dnssecAlg, key.getKey());
}
return KEYConverter.parseRecord(key);
}
/**
- * Actually cryptographically verify a signature over the rrset. The RRSIG
- * record must match the rrset being verified (see checkSignature).
- *
+ * Actually cryptographically verify a signature over the
+ * rrset. The RRSIG record must match the rrset being verified
+ * (see checkSignature).
+ *
* @param rrset
* The rrset to verify.
* @param sigrec
* UNCHECKED if we just couldn't actually do the function.
*/
public byte verifySignature(RRset rrset, RRSIGRecord sigrec,
- DNSKEYRecord key) {
+ DNSKEYRecord key) {
try {
PublicKey pk = parseDNSKEY(key);
if (pk == null) {
- log
- .warn("Could not convert DNSKEY record to a JCA public key: "
- + key);
-
+ log.warn("Could not convert DNSKEY record to a JCA public key: " + key);
return SecurityStatus.UNCHECKED;
}
/**
* Verify an RRset against a particular signature.
- *
- * @return DNSSEC.Secure if the signature verfied, DNSSEC.Failed if it did
- * not verify (for any reason), and DNSSEC.Insecure if verification
- * could not be completed (usually because the public key was not
- * available).
+ *
+ * @return DNSSEC.Secure if the signature verfied, DNSSEC.Failed
+ * if it did not verify (for any reason), and
+ * DNSSEC.Insecure if verification could not be completed
+ * (usually because the public key was not available).
*/
public byte verifySignature(RRset rrset, RRSIGRecord sigrec, RRset key_rrset) {
byte result = checkSignature(rrset, sigrec);
if (keys == null) {
log.trace("could not find appropriate key");
-
return SecurityStatus.BOGUS;
}
}
/**
- * Verifies an RRset. This routine does not modify the RRset. This RRset is
- * presumed to be verifiable, and the correct DNSKEY rrset is presumed to
- * have been found.
- *
+ * Verifies an RRset. This routine does not modify the RRset. This
+ * RRset is presumed to be verifiable, and the correct DNSKEY
+ * rrset is presumed to have been found.
+ *
* @return SecurityStatus.SECURE if the rrest verified positively,
* SecurityStatus.BOGUS otherwise.
*/
}
/**
- * Verify an RRset against a single DNSKEY. Use this when you must be
- * certain that an RRset signed and verifies with a particular DNSKEY (as
- * opposed to a particular DNSKEY rrset).
- *
+ * Verify an RRset against a single DNSKEY. Use this when you must
+ * be certain that an RRset signed and verifies with a particular
+ * DNSKEY (as opposed to a particular DNSKEY rrset).
+ *
* @param rrset
* The rrset to verify.
* @param dnskey
Signature s = null;
try {
- AlgEntry entry = (AlgEntry) mAlgorithmMap
- .get(Integer.valueOf(algorithm));
+ AlgEntry entry = (AlgEntry) mAlgorithmMap.get(Integer.valueOf(algorithm));
if (entry == null) {
log.info("DNSSEC algorithm " + algorithm + " not recognized.");
-
return null;
}
}
private static class AlgEntry {
- public String jcaName;
+ public String jcaName;
public boolean isDSA;
- public int dnssecAlg;
+ public int dnssecAlg;
public AlgEntry(String name, int dnssecAlg, boolean isDSA) {
jcaName = name;
this.isDSA = isDSA;
}
}
-
- // TODO: enable private algorithm support in dnsjava.
- // Right now, this cannot be used because the DNSKEYRecord object doesn't
- // give us
- // the private key name.
- // private Signature getSignature(Name private_alg)
- // {
- // Signature s = null;
- //
- // try
- // {
- // String alg_id = (String) mAlgorithmMap.get(private_alg);
- // if (alg_id == null)
- // {
- // log.debug("DNSSEC private algorithm '" + private_alg
- // + "' not recognized.");
- // return null;
- // }
- //
- // s = Signature.getInstance(alg_id);
- // }
- // catch (NoSuchAlgorithmException e)
- // {
- // log.error("error getting Signature object", e);
- // }
- //
- // return s;
- // }
}