X-Git-Url: https://blacka.com/cgi-bin/gitweb.cgi?p=captive-validator.git;a=blobdiff_plain;f=src%2Fcom%2Fverisign%2Ftat%2Fdnssec%2FNSEC3ValUtils.java;fp=src%2Fcom%2Fverisign%2Ftat%2Fdnssec%2FNSEC3ValUtils.java;h=adb2ee4c201b5dbb8d642e7fb8f5d3ac7bcfb199;hp=0678c5a0525c285b11362a05ce39eef555b695c7;hb=ecbb43bf6ccadf516a3fe4ef07446bdd21003da0;hpb=46951e729d9d16c20218fe292cd6abafc87cdff9 diff --git a/src/com/verisign/tat/dnssec/NSEC3ValUtils.java b/src/com/verisign/tat/dnssec/NSEC3ValUtils.java index 0678c5a..adb2ee4 100644 --- a/src/com/verisign/tat/dnssec/NSEC3ValUtils.java +++ b/src/com/verisign/tat/dnssec/NSEC3ValUtils.java @@ -35,15 +35,16 @@ import java.security.NoSuchAlgorithmException; import java.util.*; public class NSEC3ValUtils { - // FIXME: should probably refactor to handle different NSEC3 parameters more - // efficiently. + // FIXME: should probably refactor to handle different NSEC3 + // parameters more efficiently. // Given a list of NSEC3 RRs, they should be grouped according to - // parameters. The idea is to hash and compare for each group independently, - // instead of having to skip NSEC3 RRs with the wrong parameters. - private static Name asterisk_label = Name.fromConstantString("*"); - private static Logger st_log = Logger.getLogger(NSEC3ValUtils.class); - private static final base32 b32 = new base32(base32.Alphabet.BASE32HEX, - false, false); + // parameters. The idea is to hash and compare for each group + // independently, instead of having to skip NSEC3 RRs with the + // wrong parameters. + private static Name asterisk_label = Name.fromConstantString("*"); + private static Logger st_log = Logger.getLogger(NSEC3ValUtils.class); + private static final base32 b32 = new base32(base32.Alphabet.BASE32HEX, + false, false); public static boolean supportsHashAlgorithm(int alg) { if (alg == NSEC3Record.SHA1_DIGEST_ID) { @@ -72,24 +73,24 @@ public class NSEC3ValUtils { } /** - * Given a list of NSEC3Records that are part of a message, determine the - * NSEC3 parameters (hash algorithm, iterations, and salt) present. If there - * is more than one distinct grouping, return null; - * + * Given a list of NSEC3Records that are part of a message, + * determine the NSEC3 parameters (hash algorithm, iterations, and + * salt) present. If there is more than one distinct grouping, + * return null; + * * @param nsec3s * A list of NSEC3Record object. - * @return A set containing a number of objects (NSEC3Parameter objects) - * that correspond to each distinct set of parameters, or null if - * the nsec3s list was empty. + * @return A set containing a number of objects (NSEC3Parameter + * objects) that correspond to each distinct set of + * parameters, or null if the nsec3s list was empty. */ public static NSEC3Parameters nsec3Parameters(List nsec3s) { if ((nsec3s == null) || (nsec3s.size() == 0)) { return null; } - NSEC3Parameters params = new NSEC3Parameters((NSEC3Record) nsec3s - .get(0)); - ByteArrayComparator bac = new ByteArrayComparator(); + NSEC3Parameters params = new NSEC3Parameters((NSEC3Record) nsec3s.get(0)); + ByteArrayComparator bac = new ByteArrayComparator(); for (NSEC3Record nsec3 : nsec3s) { if (!params.match(nsec3, bac)) { @@ -102,7 +103,7 @@ public class NSEC3ValUtils { /** * Given a hash and an a zone name, construct an NSEC3 ownername. - * + * * @param hash * The hash of an original name. * @param zonename @@ -120,7 +121,7 @@ public class NSEC3ValUtils { /** * Given a set of NSEC3 parameters, hash a name. - * + * * @param name * The name to hash. * @param params @@ -132,14 +133,13 @@ public class NSEC3ValUtils { return params.hash(name); } catch (NoSuchAlgorithmException e) { st_log.warn("Did not recognize hash algorithm: " + params.alg); - return null; } } /** * Given the name of a closest encloser, return the name *.closest_encloser. - * + * * @param closestEncloser * The name to start with. * @return The wildcard name. @@ -155,10 +155,11 @@ public class NSEC3ValUtils { } /** - * Given a qname and its proven closest encloser, calculate the "next - * closest" name. Basically, this is the name that is one label longer than - * the closest encloser that is still a subdomain of qname. - * + * Given a qname and its proven closest encloser, calculate the + * "next closest" name. Basically, this is the name that is one + * label longer than the closest encloser that is still a + * subdomain of qname. + * * @param qname * The qname. * @param closestEncloser @@ -173,7 +174,7 @@ public class NSEC3ValUtils { /** * Find the NSEC3Record that matches a hash of a name. - * + * * @param hash * The pre-calculated hash of a name. * @param zonename @@ -185,12 +186,14 @@ public class NSEC3ValUtils { * @param bac * An already allocated ByteArrayComparator, for reuse. This may * be null. - * + * * @return The matching NSEC3Record, if one is present. */ - private static NSEC3Record findMatchingNSEC3(byte[] hash, Name zonename, - List nsec3s, NSEC3Parameters params, - ByteArrayComparator bac) { + private static NSEC3Record findMatchingNSEC3(byte[] hash, + Name zonename, + List nsec3s, + NSEC3Parameters params, + ByteArrayComparator bac) { Name n = hashName(hash, zonename); for (NSEC3Record nsec3 : nsec3s) { @@ -208,10 +211,11 @@ public class NSEC3ValUtils { } /** - * Given a hash and a candidate NSEC3Record, determine if that NSEC3Record - * covers the hash. Covers specifically means that the hash is in between - * the owner and next hashes and does not equal either. - * + * Given a hash and a candidate NSEC3Record, determine if that + * NSEC3Record covers the hash. Covers specifically means that the + * hash is in between the owner and next hashes and does not equal + * either. + * * @param nsec3 * The candidate NSEC3Record. * @param hash @@ -220,11 +224,12 @@ public class NSEC3ValUtils { * An already allocated comparator. This may be null. * @return True if the NSEC3Record covers the hash. */ - private static boolean nsec3Covers(NSEC3Record nsec3, byte [] hash, - ByteArrayComparator bac) { + private static boolean nsec3Covers(NSEC3Record nsec3, + byte[] hash, + ByteArrayComparator bac) { Name ownerName = nsec3.getName(); - byte [] owner = b32.fromString(ownerName.getLabelString(0)); - byte [] next = nsec3.getNext(); + byte[] owner = b32.fromString(ownerName.getLabelString(0)); + byte[] next = nsec3.getNext(); // This is the "normal case: owner < next and owner < hash < next if ((bac.compare(owner, hash) < 0) && (bac.compare(hash, next) < 0)) { @@ -232,8 +237,8 @@ public class NSEC3ValUtils { } // this is the end of zone case: next < owner && hash > owner || hash < // next - if ((bac.compare(next, owner) <= 0) - && ((bac.compare(hash, next) < 0) || (bac.compare(owner, hash) < 0))) { + if ((bac.compare(next, owner) <= 0) && + ((bac.compare(hash, next) < 0) || (bac.compare(owner, hash) < 0))) { return true; } @@ -242,9 +247,9 @@ public class NSEC3ValUtils { } /** - * Given a pre-hashed name, find a covering NSEC3 from among a list of - * NSEC3s. - * + * Given a pre-hashed name, find a covering NSEC3 from among a + * list of NSEC3s. + * * @param hash * The hash to consider. * @param zonename @@ -254,12 +259,14 @@ public class NSEC3ValUtils { * @param params * The NSEC3 parameters used to generate the hash -- NSEC3s that * do not use those parameters will be skipped. - * + * * @return A covering NSEC3 if one is present, null otherwise. */ - private static NSEC3Record findCoveringNSEC3(byte[] hash, Name zonename, - List nsec3s, NSEC3Parameters params, - ByteArrayComparator bac) { + private static NSEC3Record findCoveringNSEC3(byte[] hash, + Name zonename, + List nsec3s, + NSEC3Parameters params, + ByteArrayComparator bac) { ByteArrayComparator comparator = new ByteArrayComparator(); for (NSEC3Record nsec3 : nsec3s) { @@ -276,10 +283,10 @@ public class NSEC3ValUtils { } /** - * Given a name and a list of NSEC3s, find the candidate closest encloser. - * This will be the first ancestor of 'name' (including itself) to have a - * matching NSEC3 RR. - * + * Given a name and a list of NSEC3s, find the candidate closest + * encloser. This will be the first ancestor of 'name' (including + * itself) to have a matching NSEC3 RR. + * * @param name * The name the start with. * @param zonename @@ -290,13 +297,15 @@ public class NSEC3ValUtils { * The NSEC3 parameters. * @param bac * A pre-allocated comparator. May be null. - * + * * @return A CEResponse containing the closest encloser name and the NSEC3 * RR that matched it, or null if there wasn't one. */ - private static CEResponse findClosestEncloser(Name name, Name zonename, - List nsec3s, NSEC3Parameters params, - ByteArrayComparator bac) { + private static CEResponse findClosestEncloser(Name name, + Name zonename, + List nsec3s, + NSEC3Parameters params, + ByteArrayComparator bac) { Name n = name; NSEC3Record nsec3; @@ -306,8 +315,7 @@ public class NSEC3ValUtils { // FIXME: modify so that the NSEC3 matching the zone apex need not be // present. while (n.labels() >= zonename.labels()) { - nsec3 = findMatchingNSEC3(hash(n, params), zonename, - nsec3s, params, bac); + nsec3 = findMatchingNSEC3(hash(n, params), zonename, nsec3s, params, bac); if (nsec3 != null) { return new CEResponse(n, nsec3); @@ -320,35 +328,40 @@ public class NSEC3ValUtils { } /** - * Given a List of nsec3 RRs, find and prove the closest encloser to qname. - * + * Given a List of nsec3 RRs, find and prove the closest encloser + * to qname. + * * @param qname * The qname in question. * @param zonename * The name of the zone that the NSEC3 RRs come from. * @param nsec3s - * The list of NSEC3s found the this response (already verified). + * The list of NSEC3s found the this response (already + * verified). * @param params * The NSEC3 parameters found in the response. * @param bac * A pre-allocated comparator. May be null. * @param proveDoesNotExist - * If true, then if the closest encloser turns out to be qname, - * then null is returned. - * @return null if the proof isn't completed. Otherwise, return a CEResponse - * object which contains the closest encloser name and the NSEC3 - * that matches it. + * If true, then if the closest encloser turns out to + * be qname, then null is returned. + * @return null if the proof isn't completed. Otherwise, return a + * CEResponse object which contains the closest encloser + * name and the NSEC3 that matches it. */ - private static CEResponse proveClosestEncloser(Name qname, Name zonename, - List nsec3s, NSEC3Parameters params, - ByteArrayComparator bac, boolean proveDoesNotExist, List errorList) { - CEResponse candidate = findClosestEncloser(qname, zonename, nsec3s, - params, bac); + private static CEResponse proveClosestEncloser(Name qname, + Name zonename, + List nsec3s, + NSEC3Parameters params, + ByteArrayComparator bac, + boolean proveDoesNotExist, + List errorList) { + CEResponse candidate = findClosestEncloser(qname, zonename, nsec3s, params, bac); if (candidate == null) { errorList.add("Could not find a candidate for the closest encloser"); st_log.debug("proveClosestEncloser: could not find a " + - "candidate for the closest encloser."); + "candidate for the closest encloser."); return null; } @@ -361,17 +374,15 @@ public class NSEC3ValUtils { return null; } - // otherwise, we need to nothing else to prove that qname is its own - // closest encloser. + // otherwise, we need to nothing else to prove that qname + // is its own closest encloser. return candidate; } - // If the closest encloser is actually a delegation, then the response - // should have been a referral. If it is a DNAME, then it should have - // been - // a DNAME response. - if (candidate.ce_nsec3.hasType(Type.NS) && - !candidate.ce_nsec3.hasType(Type.SOA)) { + // If the closest encloser is actually a delegation, then the + // response should have been a referral. If it is a DNAME, + // then it should have been a DNAME response. + if (candidate.ce_nsec3.hasType(Type.NS) && !candidate.ce_nsec3.hasType(Type.SOA)) { errorList.add("Proven closest encloser was a delegation"); st_log.debug("proveClosestEncloser: closest encloser " + "was a delegation!"); @@ -390,8 +401,7 @@ public class NSEC3ValUtils { Name nextClosest = nextClosest(qname, candidate.closestEncloser); byte[] nc_hash = hash(nextClosest, params); - candidate.nc_nsec3 = findCoveringNSEC3(nc_hash, zonename, nsec3s, - params, bac); + candidate.nc_nsec3 = findCoveringNSEC3(nc_hash, zonename, nsec3s, params, bac); if (candidate.nc_nsec3 == null) { errorList.add("Could not find proof that the closest encloser was the closest encloser"); @@ -449,15 +459,17 @@ public class NSEC3ValUtils { @SuppressWarnings("rawtypes") private static boolean validIterations(NSEC3Parameters nsec3params, - RRset dnskey_rrset, DnsSecVerifier verifier) { - // for now, we return the maximum iterations based simply on the key - // algorithms that may have been used to sign the NSEC3 RRsets. + RRset dnskey_rrset, + DnsSecVerifier verifier) { + // for now, we return the maximum iterations based simply on + // the key algorithms that may have been used to sign the + // NSEC3 RRsets. int max_iterations = 0; for (Iterator i = dnskey_rrset.rrs(); i.hasNext();) { - DNSKEYRecord dnskey = (DNSKEYRecord) i.next(); - int baseAlg = verifier.baseAlgorithm(dnskey.getAlgorithm()); - int iters = maxIterations(baseAlg, 0); + DNSKEYRecord dnskey = (DNSKEYRecord) i.next(); + int baseAlg = verifier.baseAlgorithm(dnskey.getAlgorithm()); + int iters = maxIterations(baseAlg, 0); max_iterations = (max_iterations < iters) ? iters : max_iterations; } @@ -469,22 +481,25 @@ public class NSEC3ValUtils { } /** - * Determine if all of the NSEC3s in a response are legally ignoreable - * (i.e., their presence should lead to an INSECURE result). Currently, this - * is solely based on iterations. - * + * Determine if all of the NSEC3s in a response are legally + * ignoreable (i.e., their presence should lead to an INSECURE + * result). Currently, this is solely based on iterations. + * * @param nsec3s - * The list of NSEC3s. If there is more than one set of NSEC3 - * parameters present, this test will not be performed. + * The list of NSEC3s. If there is more than one set of + * NSEC3 parameters present, this test will not be + * performed. * @param dnskey_rrset * The set of validating DNSKEYs. * @param verifier - * The verifier used to verify the NSEC3 RRsets. This is solely - * used to map algorithm aliases. - * @return true if all of the NSEC3s can be legally ignored, false if not. + * The verifier used to verify the NSEC3 RRsets. This + * is solely used to map algorithm aliases. + * @return true if all of the NSEC3s can be legally ignored, false + * if not. */ public static boolean allNSEC3sIgnoreable(List nsec3s, - RRset dnskey_rrset, DnsSecVerifier verifier) { + RRset dnskey_rrset, + DnsSecVerifier verifier) { NSEC3Parameters params = nsec3Parameters(nsec3s); if (params == null) { @@ -495,25 +510,29 @@ public class NSEC3ValUtils { } /** - * Determine if the set of NSEC3 records provided with a response prove NAME - * ERROR. This means that the NSEC3s prove a) the closest encloser exists, - * b) the direct child of the closest encloser towards qname doesn't exist, - * and c) *.closest encloser does not exist. - * + * Determine if the set of NSEC3 records provided with a response + * prove NAME ERROR. This means that the NSEC3s prove a) the + * closest encloser exists, b) the direct child of the closest + * encloser towards qname doesn't exist, and c) *.closest encloser + * does not exist. + * * @param nsec3s * The list of NSEC3s. * @param qname * The query name to check against. * @param zonename - * This is the name of the zone that the NSEC3s belong to. This - * may be discovered in any number of ways. A good one is to use - * the signerName from the NSEC3 record's RRSIG. - * @return SecurityStatus.SECURE of the Name Error is proven by the NSEC3 - * RRs, BOGUS if not, INSECURE if all of the NSEC3s could be validly - * ignored. + * This is the name of the zone that the NSEC3s belong + * to. This may be discovered in any number of ways. A + * good one is to use the signerName from the NSEC3 + * record's RRSIG. + * @return SecurityStatus.SECURE of the Name Error is proven by + * the NSEC3 RRs, BOGUS if not, INSECURE if all of the + * NSEC3s could be validly ignored. */ - public static boolean proveNameError(List nsec3s, Name qname, - Name zonename, List errorList) { + public static boolean proveNameError(List nsec3s, + Name qname, + Name zonename, + List errorList) { if ((nsec3s == null) || (nsec3s.size() == 0)) { return false; } @@ -523,7 +542,7 @@ public class NSEC3ValUtils { if (nsec3params == null) { errorList.add("Could not find a single set of NSEC3 parameters (multiple parameters present"); st_log.debug("Could not find a single set of " + - "NSEC3 parameters (multiple parameters present)."); + "NSEC3 parameters (multiple parameters present)."); return false; } @@ -533,7 +552,7 @@ public class NSEC3ValUtils { // First locate and prove the closest encloser to qname. We will use the // variant that fails if the closest encloser turns out to be qname. CEResponse ce = proveClosestEncloser(qname, zonename, nsec3s, - nsec3params, bac, true, errorList); + nsec3params, bac, true, errorList); if (ce == null) { errorList.add("Failed to find the closest encloser as part of the NSEC3 proof"); @@ -545,15 +564,15 @@ public class NSEC3ValUtils { // At this point, we know that qname does not exist. Now we need to // prove // that the wildcard does not exist. - Name wc = ceWildcard(ce.closestEncloser); - byte[] wc_hash = hash(wc, nsec3params); + Name wc = ceWildcard(ce.closestEncloser); + byte[] wc_hash = hash(wc, nsec3params); NSEC3Record nsec3 = findCoveringNSEC3(wc_hash, zonename, nsec3s, - nsec3params, bac); + nsec3params, bac); if (nsec3 == null) { errorList.add("Failed to prove that the applicable wildcard did not exist"); st_log.debug("proveNameError: could not prove that the " + - "applicable wildcard did not exist."); + "applicable wildcard did not exist."); return false; } @@ -562,25 +581,26 @@ public class NSEC3ValUtils { } /** - * Determine if the NSEC3s provided in a response prove the NOERROR/NODATA - * status. There are a number of different variants to this: - * + * Determine if the NSEC3s provided in a response prove the + * NOERROR/NODATA status. There are a number of different variants + * to this: + * * 1) Normal NODATA -- qname is matched to an NSEC3 record, type is not * present. - * + * * 2) ENT NODATA -- because there must be NSEC3 record for * empty-non-terminals, this is the same as #1. - * + * * 3) NSEC3 ownername NODATA -- qname matched an existing, lone NSEC3 * ownername, but qtype was not NSEC3. NOTE: as of nsec-05, this case no * longer exists. - * + * * 4) Wildcard NODATA -- A wildcard matched the name, but not the type. - * + * * 5) Opt-In DS NODATA -- the qname is covered by an opt-in span and qtype * == DS. (or maybe some future record with the same parent-side-only * property) - * + * * @param nsec3s * The NSEC3Records to consider. * @param qname @@ -591,8 +611,11 @@ public class NSEC3ValUtils { * The name of the zone that the NSEC3s came from. * @return true if the NSEC3s prove the proposition. */ - public static boolean proveNodata(List nsec3s, Name qname, - int qtype, Name zonename, List errorList) { + public static boolean proveNodata(List nsec3s, + Name qname, + int qtype, + Name zonename, + List errorList) { if ((nsec3s == null) || (nsec3s.size() == 0)) { return false; } @@ -600,8 +623,8 @@ public class NSEC3ValUtils { NSEC3Parameters nsec3params = nsec3Parameters(nsec3s); if (nsec3params == null) { - st_log.debug("could not find a single set of " - + "NSEC3 parameters (multiple parameters present)"); + st_log.debug("could not find a single set of " + + "NSEC3 parameters (multiple parameters present)"); return false; } @@ -609,20 +632,19 @@ public class NSEC3ValUtils { ByteArrayComparator bac = new ByteArrayComparator(); NSEC3Record nsec3 = findMatchingNSEC3(hash(qname, nsec3params), - zonename, nsec3s, nsec3params, bac); + zonename, nsec3s, nsec3params, bac); // Cases 1 & 2. if (nsec3 != null) { if (nsec3.hasType(qtype)) { - st_log - .debug("proveNodata: Matching NSEC3 proved that type existed!"); + st_log.debug("proveNodata: Matching NSEC3 proved that type existed!"); return false; } if (nsec3.hasType(Type.CNAME)) { - st_log.debug("proveNodata: Matching NSEC3 proved " - + "that a CNAME existed!"); + st_log.debug("proveNodata: Matching NSEC3 proved " + + "that a CNAME existed!"); return false; } @@ -634,13 +656,13 @@ public class NSEC3ValUtils { // match qname. Although, at this point, we know that it won't since we // just checked that. CEResponse ce = proveClosestEncloser(qname, zonename, nsec3s, - nsec3params, bac, true, errorList); + nsec3params, bac, true, errorList); // At this point, not finding a match or a proven closest encloser is a // problem. if (ce == null) { - st_log.debug("proveNodata: did not match qname, " - + "nor found a proven closest encloser."); + st_log.debug("proveNodata: did not match qname, " + + "nor found a proven closest encloser."); return false; } @@ -650,7 +672,7 @@ public class NSEC3ValUtils { // Case 4: Name wc = ceWildcard(ce.closestEncloser); nsec3 = findMatchingNSEC3(hash(wc, nsec3params), zonename, nsec3s, - nsec3params, bac); + nsec3params, bac); if (nsec3 != null) { if (nsec3.hasType(qtype)) { @@ -664,17 +686,16 @@ public class NSEC3ValUtils { // Case 5. if (qtype != Type.DS) { - st_log - .debug("proveNodata: could not find matching NSEC3, " - + "nor matching wildcard, and qtype is not DS -- no more options."); + st_log.debug("proveNodata: could not find matching NSEC3, " + + "nor matching wildcard, and qtype is not DS -- no more options."); return false; } // We need to make sure that the covering NSEC3 is opt-in. if (!isOptOut(ce.nc_nsec3)) { - st_log.debug("proveNodata: covering NSEC3 was not " - + "opt-in in an opt-in DS NOERROR/NODATA case."); + st_log.debug("proveNodata: covering NSEC3 was not " + + "opt-in in an opt-in DS NOERROR/NODATA case."); return false; } @@ -683,9 +704,9 @@ public class NSEC3ValUtils { } /** - * Prove that a positive wildcard match was appropriate (no direct match - * RRset). - * + * Prove that a positive wildcard match was appropriate (no direct + * match RRset). + * * @param nsec3s * The NSEC3 records to work with. * @param qname @@ -696,8 +717,11 @@ public class NSEC3ValUtils { * The purported wildcard that matched. * @return true if the NSEC3 records prove this case. */ - public static boolean proveWildcard(List nsec3s, Name qname, - Name zonename, Name wildcard, List errorList) { + public static boolean proveWildcard(List nsec3s, + Name qname, + Name zonename, + Name wildcard, + List errorList) { if ((nsec3s == null) || (nsec3s.size() == 0)) { return false; } @@ -710,8 +734,7 @@ public class NSEC3ValUtils { if (nsec3params == null) { errorList.add("Could not find a single set of NSEC3 parameters (multiple parameters present)"); - st_log.debug( - "couldn't find a single set of NSEC3 parameters (multiple parameters present)."); + st_log.debug("Couldn't find a single set of NSEC3 parameters (multiple parameters present)."); return false; } @@ -727,16 +750,16 @@ public class NSEC3ValUtils { // Otherwise, we need to show that the next closer name is covered. Name nextClosest = nextClosest(qname, candidate.closestEncloser); candidate.nc_nsec3 = findCoveringNSEC3(hash(nextClosest, nsec3params), - zonename, nsec3s, nsec3params, bac); + zonename, nsec3s, nsec3params, bac); if (candidate.nc_nsec3 == null) { errorList.add("Did not find a NSEC3 that covered the next closer name to '" + qname + "' from '" + candidate.closestEncloser + "' (derived from the wildcard: " + wildcard + ")"); st_log.debug("proveWildcard: did not find a covering NSEC3 " + - "that covered the next closer name to " + qname + " from " + - candidate.closestEncloser + " (derived from wildcard " + - wildcard + ")"); + "that covered the next closer name to " + qname + " from " + + candidate.closestEncloser + " (derived from wildcard " + + wildcard + ")"); return false; } @@ -746,25 +769,29 @@ public class NSEC3ValUtils { /** * Prove that a DS response either had no DS, or wasn't a delegation point. - * - * Fundamentally there are two cases here: normal NODATA and Opt-In NODATA. - * + * + * Fundamentally there are two cases here: normal NODATA and + * Opt-In NODATA. + * * @param nsec3s * The NSEC3 RRs to examine. * @param qname * The name of the DS in question. * @param zonename * The name of the zone that the NSEC3 RRs come from. - * - * @return SecurityStatus.SECURE if it was proven that there is no DS in a - * secure (i.e., not opt-in) way, SecurityStatus.INSECURE if there - * was no DS in an insecure (i.e., opt-in) way, - * SecurityStatus.INDETERMINATE if it was clear that this wasn't a - * delegation point, and SecurityStatus.BOGUS if the proofs don't - * work out. + * + * @return SecurityStatus.SECURE if it was proven that there is no + * DS in a secure (i.e., not opt-in) way, + * SecurityStatus.INSECURE if there was no DS in an + * insecure (i.e., opt-in) way, + * SecurityStatus.INDETERMINATE if it was clear that this + * wasn't a delegation point, and SecurityStatus.BOGUS if + * the proofs don't work out. */ - public static byte proveNoDS(List nsec3s, Name qname, - Name zonename, List errorList) { + public static byte proveNoDS(List nsec3s, + Name qname, + Name zonename, + List errorList) { if ((nsec3s == null) || (nsec3s.size() == 0)) { return SecurityStatus.BOGUS; } @@ -774,7 +801,7 @@ public class NSEC3ValUtils { if (nsec3params == null) { errorList.add("Could not find a single set of NSEC3 parameters (multiple parameters present)"); st_log.debug("couldn't find a single set of " + - "NSEC3 parameters (multiple parameters present)."); + "NSEC3 parameters (multiple parameters present)."); return SecurityStatus.BOGUS; } @@ -783,14 +810,15 @@ public class NSEC3ValUtils { // Look for a matching NSEC3 to qname -- this is the normal NODATA case. NSEC3Record nsec3 = findMatchingNSEC3(hash(qname, nsec3params), - zonename, nsec3s, nsec3params, bac); + zonename, nsec3s, nsec3params, bac); if (nsec3 != null) { // If the matching NSEC3 has the SOA bit set, it is from the wrong // zone (the child instead of the parent). If it has the DS bit set, // then we were lied to. if (nsec3.hasType(Type.SOA) || nsec3.hasType(Type.DS)) { - errorList.add("Matching NSEC3 is incorrectly from the child instead of the parent (SOA or DS bit set)"); + errorList.add("Matching NSEC3 is incorrectly from the child " + + "instead of the parent (SOA or DS bit set)"); return SecurityStatus.BOGUS; } @@ -806,7 +834,7 @@ public class NSEC3ValUtils { // Otherwise, we are probably in the opt-in case. CEResponse ce = proveClosestEncloser(qname, zonename, nsec3s, - nsec3params, bac, true, errorList); + nsec3params, bac, true, errorList); if (ce == null) { errorList.add("Failed to prove the closest encloser as part of a 'No DS' proof"); @@ -829,18 +857,18 @@ public class NSEC3ValUtils { * algorithm, iterations, and salt. */ private static class NSEC3Parameters { - public int alg; - public byte[] salt; - public int iterations; + public int alg; + public byte[] salt; + public int iterations; private NSEC3PARAMRecord nsec3paramrec; public NSEC3Parameters(NSEC3Record r) { - alg = r.getHashAlgorithm(); - salt = r.getSalt(); + alg = r.getHashAlgorithm(); + salt = r.getSalt(); iterations = r.getIterations(); nsec3paramrec = new NSEC3PARAMRecord(Name.root, DClass.IN, 0, alg, - 0, iterations, salt); + 0, iterations, salt); } public boolean match(NSEC3Record r, ByteArrayComparator bac) { @@ -877,13 +905,13 @@ public class NSEC3ValUtils { * encloser proof. */ private static class CEResponse { - public Name closestEncloser; + public Name closestEncloser; public NSEC3Record ce_nsec3; public NSEC3Record nc_nsec3; public CEResponse(Name ce, NSEC3Record nsec3) { this.closestEncloser = ce; - this.ce_nsec3 = nsec3; + this.ce_nsec3 = nsec3; } } }