davidb/captive-validator
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

remove some warnings by using java 5 features

Browse Source
This commit is contained in:
David Blacka 2009-04-19 17:12:48 -04:00
parent c43169bc24
commit 1f647e3c77
9 changed files with 1571 additions and 1910 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
src/com/versign/tat/dnssec/CaptiveValidator.java
View File

@ -298,6 +298,14 @@ public class CaptiveValidator {
m.setStatus(SecurityStatus.SECURE); m.setStatus(SecurityStatus.SECURE);
} }
private void validateReferral(SMessage message, SRRset key_rrset) {
}
private void validateCNAMEResponse(SMessage message, SRRset key_rrset) {
}
/** /**
* Given an "ANY" response -- a response that contains an answer to a * Given an "ANY" response -- a response that contains an answer to a
* qtype==ANY question, with answers. This consists of simply verifying all * qtype==ANY question, with answers. This consists of simply verifying all
@ -675,34 +683,38 @@ public class CaptiveValidator {
// } // }
public byte validateMessage(SMessage message) { public byte validateMessage(SMessage message, Name zone) {
SRRset key_rrset = findKeys(message); SRRset key_rrset = findKeys(message);
if (key_rrset == null) { if (key_rrset == null) {
return SecurityStatus.BOGUS; return SecurityStatus.BOGUS;
} }
int subtype = ValUtils.classifyResponse(message); ValUtils.ResponseType subtype = ValUtils.classifyResponse(message, zone);
switch (subtype) { switch (subtype) {
case ValUtils.POSITIVE: case POSITIVE:
// log.trace("Validating a positive response"); // log.trace("Validating a positive response");
validatePositiveResponse(message, key_rrset); validatePositiveResponse(message, key_rrset);
break; break;
case ValUtils.NODATA: case REFERRAL:
validateReferral(message, key_rrset);
break;
case NODATA:
// log.trace("Validating a nodata response"); // log.trace("Validating a nodata response");
validateNodataResponse(message, key_rrset); validateNodataResponse(message, key_rrset);
break; break;
case ValUtils.NAMEERROR: case NAMEERROR:
// log.trace("Validating a nxdomain response"); // log.trace("Validating a nxdomain response");
validateNameErrorResponse(message, key_rrset); validateNameErrorResponse(message, key_rrset);
break; break;
case ValUtils.CNAME: case CNAME:
// log.trace("Validating a cname response"); // log.trace("Validating a cname response");
// forward on to the special CNAME state for this. // forward on to the special CNAME state for this.
// state.state = ValEventState.CNAME_STATE; // state.state = ValEventState.CNAME_STATE;
validateCNAMEResponse(message, key_rrset);
break; break;
case ValUtils.ANY: case ANY:
// log.trace("Validating a postive ANY response"); // log.trace("Validating a postive ANY response");
validateAnyResponse(message, key_rrset); validateAnyResponse(message, key_rrset);
break; break;

40
src/com/versign/tat/dnssec/DnsSecVerifier.java
View File

@ -1,7 +1,5 @@
/* /*
* $Id$ * Copyright (c) 2009 VeriSign, Inc. All rights reserved.
*
* Copyright (c) 2005 VeriSign, Inc. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@ -56,7 +54,7 @@ public class DnsSecVerifier
* This is a mapping of DNSSEC algorithm numbers/private identifiers to JCA * This is a mapping of DNSSEC algorithm numbers/private identifiers to JCA
* algorithm identifiers. * algorithm identifiers.
*/ */
private HashMap mAlgorithmMap; private HashMap<Integer, AlgEntry> mAlgorithmMap;
private static class AlgEntry private static class AlgEntry
{ {
@ -74,7 +72,7 @@ public class DnsSecVerifier
public DnsSecVerifier() public DnsSecVerifier()
{ {
mAlgorithmMap = new HashMap(); mAlgorithmMap = new HashMap<Integer, AlgEntry>();
// set the default algorithm map. // set the default algorithm map.
mAlgorithmMap.put(new Integer(DNSSEC.RSAMD5), new AlgEntry("MD5withRSA", mAlgorithmMap.put(new Integer(DNSSEC.RSAMD5), new AlgEntry("MD5withRSA",
@ -105,12 +103,9 @@ public class DnsSecVerifier
// For now, we just accept new identifiers for existing algoirthms. // For now, we just accept new identifiers for existing algoirthms.
// FIXME: handle private identifiers. // FIXME: handle private identifiers.
List aliases = Util.parseConfigPrefix(config, "dns.algorithm."); List<Util.ConfigEntry> aliases = Util.parseConfigPrefix(config, "dns.algorithm.");
for (Iterator i = aliases.iterator(); i.hasNext();)
{
Util.ConfigEntry entry = (Util.ConfigEntry) i.next();
for (Util.ConfigEntry entry : aliases) {
Integer alg_alias = new Integer(Util.parseInt(entry.key, -1)); Integer alg_alias = new Integer(Util.parseInt(entry.key, -1));
Integer alg_orig = new Integer(Util.parseInt(entry.value, -1)); Integer alg_orig = new Integer(Util.parseInt(entry.value, -1));
@ -132,16 +127,14 @@ public class DnsSecVerifier
} }
// for debugging purposes, log the entire algorithm map table. // for debugging purposes, log the entire algorithm map table.
for (Iterator i = mAlgorithmMap.keySet().iterator(); i.hasNext(); ) // for (Integer alg : mAlgorithmMap.keySet()) {
{ // AlgEntry entry = mAlgorithmMap.get(alg);
Integer alg = (Integer) i.next();
AlgEntry entry = (AlgEntry) mAlgorithmMap.get(alg);
// if (entry == null) // if (entry == null)
// log.warn("DNSSEC alg " + alg + " has a null entry!"); // log.warn("DNSSEC alg " + alg + " has a null entry!");
// else // else
// log.debug("DNSSEC alg " + alg + " maps to " + entry.jcaName // log.debug("DNSSEC alg " + alg + " maps to " + entry.jcaName
// + " (" + entry.dnssecAlg + ")"); // + " (" + entry.dnssecAlg + ")");
} // }
} }
/** /**
@ -154,7 +147,8 @@ public class DnsSecVerifier
* @return A List contains a one or more DNSKEYRecord objects, or null if a * @return A List contains a one or more DNSKEYRecord objects, or null if a
* matching DNSKEY could not be found. * matching DNSKEY could not be found.
*/ */
private List findKey(RRset dnskey_rrset, RRSIGRecord signature) @SuppressWarnings("unchecked")
private List<DNSKEYRecord> findKey(RRset dnskey_rrset, RRSIGRecord signature)
{ {
if (!signature.getSigner().equals(dnskey_rrset.getName())) if (!signature.getSigner().equals(dnskey_rrset.getName()))
{ {
@ -167,7 +161,7 @@ public class DnsSecVerifier
int keyid = signature.getFootprint(); int keyid = signature.getFootprint();
int alg = signature.getAlgorithm(); int alg = signature.getAlgorithm();
List res = new ArrayList(dnskey_rrset.size()); List<DNSKEYRecord> res = new ArrayList<DNSKEYRecord>(dnskey_rrset.size());
for (Iterator i = dnskey_rrset.rrs(); i.hasNext();) for (Iterator i = dnskey_rrset.rrs(); i.hasNext();)
{ {
@ -325,7 +319,7 @@ public class DnsSecVerifier
byte result = checkSignature(rrset, sigrec); byte result = checkSignature(rrset, sigrec);
if (result != SecurityStatus.SECURE) return result; if (result != SecurityStatus.SECURE) return result;
List keys = findKey(key_rrset, sigrec); List<DNSKEYRecord> keys = findKey(key_rrset, sigrec);
if (keys == null) if (keys == null)
{ {
@ -335,9 +329,7 @@ public class DnsSecVerifier
byte status = SecurityStatus.UNCHECKED; byte status = SecurityStatus.UNCHECKED;
for (Iterator i = keys.iterator(); i.hasNext();) for (DNSKEYRecord key : keys) {
{
DNSKEYRecord key = (DNSKEYRecord) i.next();
status = verifySignature(rrset, sigrec, key); status = verifySignature(rrset, sigrec, key);
if (status == SecurityStatus.SECURE) break; if (status == SecurityStatus.SECURE) break;
@ -354,7 +346,8 @@ public class DnsSecVerifier
* @return SecurityStatus.SECURE if the rrest verified positively, * @return SecurityStatus.SECURE if the rrest verified positively,
* SecurityStatus.BOGUS otherwise. * SecurityStatus.BOGUS otherwise.
*/ */
public byte verify(RRset rrset, RRset key_rrset) @SuppressWarnings("unchecked")
public byte verify(RRset rrset, RRset key_rrset)
{ {
Iterator i = rrset.sigs(); Iterator i = rrset.sigs();
@ -386,7 +379,8 @@ public class DnsSecVerifier
* @param dnskey The DNSKEY to verify with. * @param dnskey The DNSKEY to verify with.
* @return SecurityStatus.SECURE if the rrset verified, BOGUS otherwise. * @return SecurityStatus.SECURE if the rrset verified, BOGUS otherwise.
*/ */
public byte verify(RRset rrset, DNSKEYRecord dnskey) @SuppressWarnings("unchecked")
public byte verify(RRset rrset, DNSKEYRecord dnskey)
{ {
// Iterate over RRSIGS // Iterate over RRSIGS

629
src/com/versign/tat/dnssec/NSEC3ValUtils.java
View File

@ -37,10 +37,7 @@ import org.xbill.DNS.utils.base32;
import com.versign.tat.dnssec.SignUtils.ByteArrayComparator; import com.versign.tat.dnssec.SignUtils.ByteArrayComparator;
public class NSEC3ValUtils {
public class NSEC3ValUtils
{
// FIXME: should probably refactor to handle different NSEC3 parameters more // FIXME: should probably refactor to handle different NSEC3 parameters more
// efficiently. // efficiently.
@ -48,28 +45,24 @@ public class NSEC3ValUtils
// parameters. The idea is to hash and compare for each group independently, // parameters. The idea is to hash and compare for each group independently,
// instead of having to skip NSEC3 RRs with the wrong parameters. // instead of having to skip NSEC3 RRs with the wrong parameters.
private static Name asterisk_label = Name.fromConstantString("*"); private static Name asterisk_label = Name.fromConstantString("*");
/** /**
* This is a class to encapsulate a unique set of NSEC3 parameters: * This is a class to encapsulate a unique set of NSEC3 parameters:
* algorithm, iterations, and salt. * algorithm, iterations, and salt.
*/ */
private static class NSEC3Parameters private static class NSEC3Parameters {
{
public byte alg; public byte alg;
public byte[] salt; public byte[] salt;
public int iterations; public int iterations;
public NSEC3Parameters(NSEC3Record r) public NSEC3Parameters(NSEC3Record r) {
{
alg = r.getHashAlgorithm(); alg = r.getHashAlgorithm();
salt = r.getSalt(); salt = r.getSalt();
iterations = r.getIterations(); iterations = r.getIterations();
} }
public boolean match(NSEC3Record r, ByteArrayComparator bac) public boolean match(NSEC3Record r, ByteArrayComparator bac) {
{
if (r.getHashAlgorithm() != alg) return false; if (r.getHashAlgorithm() != alg) return false;
if (r.getIterations() != iterations) return false; if (r.getIterations() != iterations) return false;
@ -81,36 +74,30 @@ public class NSEC3ValUtils
} }
/** /**
* This is just a simple class to enapsulate the response to a closest * This is just a simple class to encapsulate the response to a closest
* encloser proof. * encloser proof.
*/ */
private static class CEResponse private static class CEResponse {
{
public Name closestEncloser; public Name closestEncloser;
public NSEC3Record ce_nsec3; public NSEC3Record ce_nsec3;
public NSEC3Record nc_nsec3; public NSEC3Record nc_nsec3;
public CEResponse(Name ce, NSEC3Record nsec3) public CEResponse(Name ce, NSEC3Record nsec3) {
{
this.closestEncloser = ce; this.closestEncloser = ce;
this.ce_nsec3 = nsec3; this.ce_nsec3 = nsec3;
} }
} }
public static boolean supportsHashAlgorithm(int alg) public static boolean supportsHashAlgorithm(int alg) {
{
if (alg == NSEC3Record.SHA1_DIGEST_ID) return true; if (alg == NSEC3Record.SHA1_DIGEST_ID) return true;
return false; return false;
} }
public static void stripUnknownAlgNSEC3s(List nsec3s) public static void stripUnknownAlgNSEC3s(List<NSEC3Record> nsec3s) {
{
if (nsec3s == null) return; if (nsec3s == null) return;
for (ListIterator i = nsec3s.listIterator(); i.hasNext(); ) for (ListIterator<NSEC3Record> i = nsec3s.listIterator(); i.hasNext();) {
{ NSEC3Record nsec3 = i.next();
NSEC3Record nsec3 = (NSEC3Record) i.next(); if (!supportsHashAlgorithm(nsec3.getHashAlgorithm())) {
if (!supportsHashAlgorithm(nsec3.getHashAlgorithm()))
{
i.remove(); i.remove();
} }
} }
@ -121,63 +108,40 @@ public class NSEC3ValUtils
* NSEC3 parameters (hash algorithm, iterations, and salt) present. If there * NSEC3 parameters (hash algorithm, iterations, and salt) present. If there
* is more than one distinct grouping, return null; * is more than one distinct grouping, return null;
* *
* @param nsec3s A list of NSEC3Record object. * @param nsec3s
* A list of NSEC3Record object.
* @return A set containing a number of objects (NSEC3Parameter objects) * @return A set containing a number of objects (NSEC3Parameter objects)
* that correspond to each distinct set of parameters, or null if * that correspond to each distinct set of parameters, or null if
* the nsec3s list was empty. * the nsec3s list was empty.
*/ */
public static NSEC3Parameters nsec3Parameters(List nsec3s) public static NSEC3Parameters nsec3Parameters(List<NSEC3Record> nsec3s) {
{
if (nsec3s == null || nsec3s.size() == 0) return null; if (nsec3s == null || nsec3s.size() == 0) return null;
NSEC3Parameters params = new NSEC3Parameters((NSEC3Record) nsec3s.get(0)); NSEC3Parameters params = new NSEC3Parameters(
(NSEC3Record) nsec3s.get(0));
ByteArrayComparator bac = new ByteArrayComparator(); ByteArrayComparator bac = new ByteArrayComparator();
for (Iterator i = nsec3s.iterator(); i.hasNext();) for (NSEC3Record nsec3 : nsec3s) {
{ if (!params.match(nsec3, bac)) return null;
if (! params.match((NSEC3Record) i.next(), bac))
{
return null;
}
} }
return params; return params;
} }
/**
* In a list of NSEC3Record object pulled from a given message, find the
* NSEC3 that directly matches a given name, without hashing.
*
* @param n The name in question.
* @param nsec3s A list of NSEC3Records from a given message.
* @return The matching NSEC3Record, or null if there wasn't one.
*/
// private static NSEC3Record findDirectMatchingNSEC3(Name n, List nsec3s)
// {
// if (n == null || nsec3s == null) return null;
//
// for (Iterator i = nsec3s.iterator(); i.hasNext();)
// {
// NSEC3Record nsec3 = (NSEC3Record) i.next();
// if (n.equals(nsec3.getName())) return nsec3;
// }
//
// return null;
// }
/** /**
* Given a hash and an a zone name, construct an NSEC3 ownername. * Given a hash and an a zone name, construct an NSEC3 ownername.
* *
* @param hash The hash of an original name. * @param hash
* @param zonename The zone to use in constructing the NSEC3 name. * The hash of an original name.
* @param zonename
* The zone to use in constructing the NSEC3 name.
* @return The NSEC3 name. * @return The NSEC3 name.
*/ */
private static Name hashName(byte[] hash, Name zonename) private static Name hashName(byte[] hash, Name zonename) {
{ try {
try
{
return new Name(base32.toString(hash).toLowerCase(), zonename); return new Name(base32.toString(hash).toLowerCase(), zonename);
} } catch (TextParseException e) {
catch (TextParseException e)
{
// Note, this should never happen. // Note, this should never happen.
return null; return null;
} }
@ -186,22 +150,18 @@ public class NSEC3ValUtils
/** /**
* Given a set of NSEC3 parameters, hash a name. * Given a set of NSEC3 parameters, hash a name.
* *
* @param name The name to hash. * @param name
* @param params The parameters to hash with. * The name to hash.
* @param params
* The parameters to hash with.
* @return The hash. * @return The hash.
*/ */
private static byte[] hash(Name name, NSEC3Parameters params) private static byte[] hash(Name name, NSEC3Parameters params) {
{ try {
try return NSEC3Record.hash(name, params.alg, params.iterations,
{
return NSEC3Record.hash(name,
params.alg,
params.iterations,
params.salt); params.salt);
} } catch (NoSuchAlgorithmException e) {
catch (NoSuchAlgorithmException e) // st_log.debug("Did not recognize hash algorithm: " + params.alg);
{
// st_log.debug("Did not recognize hash algorithm: " + params.alg);
return null; return null;
} }
} }
@ -209,18 +169,15 @@ public class NSEC3ValUtils
/** /**
* Given the name of a closest encloser, return the name *.closest_encloser. * Given the name of a closest encloser, return the name *.closest_encloser.
* *
* @param closestEncloser The name to start with. * @param closestEncloser
* The name to start with.
* @return The wildcard name. * @return The wildcard name.
*/ */
private static Name ceWildcard(Name closestEncloser) private static Name ceWildcard(Name closestEncloser) {
{ try {
try
{
Name wc = Name.concatenate(asterisk_label, closestEncloser); Name wc = Name.concatenate(asterisk_label, closestEncloser);
return wc; return wc;
} } catch (NameTooLongException e) {
catch (NameTooLongException e)
{
return null; return null;
} }
} }
@ -230,12 +187,13 @@ public class NSEC3ValUtils
* closest" name. Basically, this is the name that is one label longer than * closest" name. Basically, this is the name that is one label longer than
* the closest encloser that is still a subdomain of qname. * the closest encloser that is still a subdomain of qname.
* *
* @param qname The qname. * @param qname
* @param closestEncloser The closest encloser name. * The qname.
* @param closestEncloser
* The closest encloser name.
* @return The next closer name. * @return The next closer name.
*/ */
private static Name nextClosest(Name qname, Name closestEncloser) private static Name nextClosest(Name qname, Name closestEncloser) {
{
int strip = qname.labels() - closestEncloser.labels() - 1; int strip = qname.labels() - closestEncloser.labels() - 1;
return (strip > 0) ? new Name(qname, strip) : qname; return (strip > 0) ? new Name(qname, strip) : qname;
} }
@ -243,23 +201,27 @@ public class NSEC3ValUtils
/** /**
* Find the NSEC3Record that matches a hash of a name. * Find the NSEC3Record that matches a hash of a name.
* *
* @param hash The pre-calculated hash of a name. * @param hash
* @param zonename The name of the zone that the NSEC3s are from. * The pre-calculated hash of a name.
* @param nsec3s A list of NSEC3Records from a given message. * @param zonename
* @param params The parameters used for calculating the hash. * The name of the zone that the NSEC3s are from.
* @param bac An already allocated ByteArrayComparator, for reuse. This may * @param nsec3s
* A list of NSEC3Records from a given message.
* @param params
* The parameters used for calculating the hash.
* @param bac
* An already allocated ByteArrayComparator, for reuse. This may
* be null. * be null.
* *
* @return The matching NSEC3Record, if one is present. * @return The matching NSEC3Record, if one is present.
*/ */
private static NSEC3Record findMatchingNSEC3(byte[] hash, Name zonename, private static NSEC3Record findMatchingNSEC3(byte[] hash, Name zonename,
List nsec3s, NSEC3Parameters params, ByteArrayComparator bac) List<NSEC3Record> nsec3s,
{ NSEC3Parameters params,
ByteArrayComparator bac) {
Name n = hashName(hash, zonename); Name n = hashName(hash, zonename);
for (Iterator i = nsec3s.iterator(); i.hasNext();) for (NSEC3Record nsec3 : nsec3s) {
{
NSEC3Record nsec3 = (NSEC3Record) i.next();
// Skip nsec3 records that are using different parameters. // Skip nsec3 records that are using different parameters.
if (!params.match(nsec3, bac)) continue; if (!params.match(nsec3, bac)) continue;
if (n.equals(nsec3.getName())) return nsec3; if (n.equals(nsec3.getName())) return nsec3;
@ -272,14 +234,16 @@ public class NSEC3ValUtils
* covers the hash. Covers specifically means that the hash is in between * covers the hash. Covers specifically means that the hash is in between
* the owner and next hashes and does not equal either. * the owner and next hashes and does not equal either.
* *
* @param nsec3 The candidate NSEC3Record. * @param nsec3
* @param hash The precalculated hash. * The candidate NSEC3Record.
* @param bac An already allocated comparator. This may be null. * @param hash
* The precalculated hash.
* @param bac
* An already allocated comparator. This may be null.
* @return True if the NSEC3Record covers the hash. * @return True if the NSEC3Record covers the hash.
*/ */
private static boolean nsec3Covers(NSEC3Record nsec3, byte[] hash, private static boolean nsec3Covers(NSEC3Record nsec3, byte[] hash,
ByteArrayComparator bac) ByteArrayComparator bac) {
{
byte[] owner = nsec3.getOwner(); byte[] owner = nsec3.getOwner();
byte[] next = nsec3.getNext(); byte[] next = nsec3.getNext();
@ -301,59 +265,67 @@ public class NSEC3ValUtils
* Given a pre-hashed name, find a covering NSEC3 from among a list of * Given a pre-hashed name, find a covering NSEC3 from among a list of
* NSEC3s. * NSEC3s.
* *
* @param hash The hash to consider. * @param hash
* @param zonename The name of the zone. * The hash to consider.
* @param nsec3s The list of NSEC3s present in a message. * @param zonename
* @param params The NSEC3 parameters used to generate the hash -- NSEC3s * The name of the zone.
* that do not use those parameters will be skipped. * @param nsec3s
* The list of NSEC3s present in a message.
* @param params
* The NSEC3 parameters used to generate the hash -- NSEC3s that
* do not use those parameters will be skipped.
* *
* @return A covering NSEC3 if one is present, null otherwise. * @return A covering NSEC3 if one is present, null otherwise.
*/ */
private static NSEC3Record findCoveringNSEC3(byte[] hash, Name zonename, private static NSEC3Record findCoveringNSEC3(byte[] hash, Name zonename,
List nsec3s, NSEC3Parameters params, ByteArrayComparator bac) List<NSEC3Record> nsec3s,
{ NSEC3Parameters params,
ByteArrayComparator bac) {
ByteArrayComparator comparator = new ByteArrayComparator(); ByteArrayComparator comparator = new ByteArrayComparator();
for (Iterator i = nsec3s.iterator(); i.hasNext();) for (NSEC3Record nsec3 : nsec3s) {
{
NSEC3Record nsec3 = (NSEC3Record) i.next();
if (!params.match(nsec3, bac)) continue; if (!params.match(nsec3, bac)) continue;
if (nsec3Covers(nsec3, hash, comparator)) return nsec3; if (nsec3Covers(nsec3, hash, comparator)) return nsec3;
} }
return null; return null;
} }
/** /**
* Given a name and a list of NSEC3s, find the candidate closest encloser. * Given a name and a list of NSEC3s, find the candidate closest encloser.
* This will be the first ancestor of 'name' (including itself) to have a * This will be the first ancestor of 'name' (including itself) to have a
* matching NSEC3 RR. * matching NSEC3 RR.
* *
* @param name The name the start with. * @param name
* @param zonename The name of the zone that the NSEC3s came from. * The name the start with.
* @param nsec3s The list of NSEC3s. * @param zonename
* @param nsec3params The NSEC3 parameters. * The name of the zone that the NSEC3s came from.
* @param bac A pre-allocated comparator. May be null. * @param nsec3s
* The list of NSEC3s.
* @param nsec3params
* The NSEC3 parameters.
* @param bac
* A pre-allocated comparator. May be null.
* *
* @return A CEResponse containing the closest encloser name and the NSEC3 * @return A CEResponse containing the closest encloser name and the NSEC3
* RR that matched it, or null if there wasn't one. * RR that matched it, or null if there wasn't one.
*/ */
private static CEResponse findClosestEncloser(Name name, Name zonename, private static CEResponse findClosestEncloser(Name name, Name zonename,
List nsec3s, NSEC3Parameters params, ByteArrayComparator bac) List<NSEC3Record> nsec3s,
{ NSEC3Parameters params,
ByteArrayComparator bac) {
Name n = name; Name n = name;
NSEC3Record nsec3; NSEC3Record nsec3;
// This scans from longest name to shortest, so the first match we find is // This scans from longest name to shortest, so the first match we find
// is
// the only viable candidate. // the only viable candidate.
// FIXME: modify so that the NSEC3 matching the zone apex need not be // FIXME: modify so that the NSEC3 matching the zone apex need not be
// present. // present.
while (n.labels() >= zonename.labels()) while (n.labels() >= zonename.labels()) {
{ nsec3 = findMatchingNSEC3(hash(n, params), zonename, nsec3s,
nsec3 = findMatchingNSEC3(hash(n, params), zonename, nsec3s, params, bac); params, bac);
if (nsec3 != null) return new CEResponse(n, nsec3); if (nsec3 != null) return new CEResponse(n, nsec3);
n = new Name(n, 1); n = new Name(n, 1);
} }
@ -364,40 +336,40 @@ public class NSEC3ValUtils
/** /**
* Given a List of nsec3 RRs, find and prove the closest encloser to qname. * Given a List of nsec3 RRs, find and prove the closest encloser to qname.
* *
* @param qname The qname in question. * @param qname
* @param zonename The name of the zone that the NSEC3 RRs come from. * The qname in question.
* @param nsec3s The list of NSEC3s found the this response (already * @param zonename
* verified). * The name of the zone that the NSEC3 RRs come from.
* @param params The NSEC3 parameters found in the response. * @param nsec3s
* @param bac A pre-allocated comparator. May be null. * The list of NSEC3s found the this response (already verified).
* @param proveDoesNotExist If true, then if the closest encloser turns out * @param params
* to be qname, then null is returned. * The NSEC3 parameters found in the response.
* @param bac
* A pre-allocated comparator. May be null.
* @param proveDoesNotExist
* If true, then if the closest encloser turns out to be qname,
* then null is returned.
* @return null if the proof isn't completed. Otherwise, return a CEResponse * @return null if the proof isn't completed. Otherwise, return a CEResponse
* object which contains the closest encloser name and the NSEC3 * object which contains the closest encloser name and the NSEC3
* that matches it. * that matches it.
*/ */
private static CEResponse proveClosestEncloser(Name qname, Name zonename, private static CEResponse proveClosestEncloser(Name qname, Name zonename,
List nsec3s, NSEC3Parameters params, ByteArrayComparator bac, List<NSEC3Record> nsec3s,
boolean proveDoesNotExist) NSEC3Parameters params,
{ ByteArrayComparator bac,
CEResponse candidate = findClosestEncloser(qname, boolean proveDoesNotExist) {
zonename, CEResponse candidate = findClosestEncloser(qname, zonename, nsec3s,
nsec3s, params, bac);
params,
bac);
if (candidate == null) if (candidate == null) {
{ // st_log.debug("proveClosestEncloser: could not find a "
// st_log.debug("proveClosestEncloser: could not find a " // + "candidate for the closest encloser.");
// + "candidate for the closest encloser.");
return null; return null;
} }
if (candidate.closestEncloser.equals(qname)) if (candidate.closestEncloser.equals(qname)) {
{ if (proveDoesNotExist) {
if (proveDoesNotExist) // st_log.debug("proveClosestEncloser: proved that qname existed!");
{
// st_log.debug("proveClosestEncloser: proved that qname existed!");
return null; return null;
} }
// otherwise, we need to nothing else to prove that qname is its own // otherwise, we need to nothing else to prove that qname is its own
@ -406,18 +378,17 @@ public class NSEC3ValUtils
} }
// If the closest encloser is actually a delegation, then the response // If the closest encloser is actually a delegation, then the response
// should have been a referral. If it is a DNAME, then it should have been // should have been a referral. If it is a DNAME, then it should have
// been
// a DNAME response. // a DNAME response.
if (candidate.ce_nsec3.hasType(Type.NS) if (candidate.ce_nsec3.hasType(Type.NS)
&& !candidate.ce_nsec3.hasType(Type.SOA)) && !candidate.ce_nsec3.hasType(Type.SOA)) {
{ // st_log.debug("proveClosestEncloser: closest encloser "
// st_log.debug("proveClosestEncloser: closest encloser " // + "was a delegation!");
// + "was a delegation!");
return null; return null;
} }
if (candidate.ce_nsec3.hasType(Type.DNAME)) if (candidate.ce_nsec3.hasType(Type.DNAME)) {
{ // st_log.debug("proveClosestEncloser: closest encloser was a DNAME!");
// st_log.debug("proveClosestEncloser: closest encloser was a DNAME!");
return null; return null;
} }
@ -425,25 +396,19 @@ public class NSEC3ValUtils
Name nextClosest = nextClosest(qname, candidate.closestEncloser); Name nextClosest = nextClosest(qname, candidate.closestEncloser);
byte[] nc_hash = hash(nextClosest, params); byte[] nc_hash = hash(nextClosest, params);
candidate.nc_nsec3 = findCoveringNSEC3(nc_hash, candidate.nc_nsec3 = findCoveringNSEC3(nc_hash, zonename, nsec3s,
zonename, params, bac);
nsec3s, if (candidate.nc_nsec3 == null) {
params, // st_log.debug("Could not find proof that the "
bac); // + "closest encloser was the closest encloser");
if (candidate.nc_nsec3 == null)
{
// st_log.debug("Could not find proof that the "
// + "closest encloser was the closest encloser");
return null; return null;
} }
return candidate; return candidate;
} }
private static int maxIterations(int baseAlg, int keysize) private static int maxIterations(int baseAlg, int keysize) {
{ switch (baseAlg) {
switch (baseAlg)
{
case DnsSecVerifier.RSA: case DnsSecVerifier.RSA:
if (keysize == 0) return 2500; // the max at 4096 if (keysize == 0) return 2500; // the max at 4096
if (keysize > 2048) return 2500; if (keysize > 2048) return 2500;
@ -459,15 +424,15 @@ public class NSEC3ValUtils
return -1; return -1;
} }
@SuppressWarnings("unchecked")
private static boolean validIterations(NSEC3Parameters nsec3params, private static boolean validIterations(NSEC3Parameters nsec3params,
RRset dnskey_rrset, DnsSecVerifier verifier) RRset dnskey_rrset,
{ DnsSecVerifier verifier) {
// for now, we return the maximum iterations based simply on the key // for now, we return the maximum iterations based simply on the key
// algorithms that may have been used to sign the NSEC3 RRsets. // algorithms that may have been used to sign the NSEC3 RRsets.
int max_iterations = 0; int max_iterations = 0;
for (Iterator i = dnskey_rrset.rrs(); i.hasNext();) for (Iterator i = dnskey_rrset.rrs(); i.hasNext();) {
{
DNSKEYRecord dnskey = (DNSKEYRecord) i.next(); DNSKEYRecord dnskey = (DNSKEYRecord) i.next();
int baseAlg = verifier.baseAlgorithm(dnskey.getAlgorithm()); int baseAlg = verifier.baseAlgorithm(dnskey.getAlgorithm());
int iters = maxIterations(baseAlg, 0); int iters = maxIterations(baseAlg, 0);
@ -484,15 +449,19 @@ public class NSEC3ValUtils
* (i.e., their presence should lead to an INSECURE result). Currently, this * (i.e., their presence should lead to an INSECURE result). Currently, this
* is solely based on iterations. * is solely based on iterations.
* *
* @param nsec3s The list of NSEC3s. If there is more than one set of NSEC3 * @param nsec3s
* The list of NSEC3s. If there is more than one set of NSEC3
* parameters present, this test will not be performed. * parameters present, this test will not be performed.
* @param dnskey_rrset The set of validating DNSKEYs. * @param dnskey_rrset
* @param verifier The verifier used to verify the NSEC3 RRsets. This is * The set of validating DNSKEYs.
* solely used to map algorithm aliases. * @param verifier
* The verifier used to verify the NSEC3 RRsets. This is solely
* used to map algorithm aliases.
* @return true if all of the NSEC3s can be legally ignored, false if not. * @return true if all of the NSEC3s can be legally ignored, false if not.
*/ */
public static boolean allNSEC3sIgnoreable(List nsec3s, RRset dnskey_rrset, DnsSecVerifier verifier) public static boolean allNSEC3sIgnoreable(List<NSEC3Record> nsec3s,
{ RRset dnskey_rrset,
DnsSecVerifier verifier) {
NSEC3Parameters params = nsec3Parameters(nsec3s); NSEC3Parameters params = nsec3Parameters(nsec3s);
if (params == null) return false; if (params == null) return false;
@ -505,24 +474,26 @@ public class NSEC3ValUtils
* b) the direct child of the closest encloser towards qname doesn't exist, * b) the direct child of the closest encloser towards qname doesn't exist,
* and c) *.closest encloser does not exist. * and c) *.closest encloser does not exist.
* *
* @param nsec3s The list of NSEC3s. * @param nsec3s
* @param qname The query name to check against. * The list of NSEC3s.
* @param zonename This is the name of the zone that the NSEC3s belong to. * @param qname
* This may be discovered in any number of ways. A good one is to * The query name to check against.
* use the signerName from the NSEC3 record's RRSIG. * @param zonename
* This is the name of the zone that the NSEC3s belong to. This
* may be discovered in any number of ways. A good one is to use
* the signerName from the NSEC3 record's RRSIG.
* @return SecurityStatus.SECURE of the Name Error is proven by the NSEC3 * @return SecurityStatus.SECURE of the Name Error is proven by the NSEC3
* RRs, BOGUS if not, INSECURE if all of the NSEC3s could be validly * RRs, BOGUS if not, INSECURE if all of the NSEC3s could be validly
* ignored. * ignored.
*/ */
public static boolean proveNameError(List nsec3s, Name qname, Name zonename) public static boolean proveNameError(List<NSEC3Record> nsec3s, Name qname,
{ Name zonename) {
if (nsec3s == null || nsec3s.size() == 0) return false; if (nsec3s == null || nsec3s.size() == 0) return false;
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s); NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
if (nsec3params == null) if (nsec3params == null) {
{ // st_log.debug("Could not find a single set of " +
// st_log.debug("Could not find a single set of " + // "NSEC3 parameters (multiple parameters present).");
// "NSEC3 parameters (multiple parameters present).");
return false; return false;
} }
@ -530,93 +501,31 @@ public class NSEC3ValUtils
// First locate and prove the closest encloser to qname. We will use the // First locate and prove the closest encloser to qname. We will use the
// variant that fails if the closest encloser turns out to be qname. // variant that fails if the closest encloser turns out to be qname.
CEResponse ce = proveClosestEncloser(qname, CEResponse ce = proveClosestEncloser(qname, zonename, nsec3s,
zonename, nsec3params, bac, true);
nsec3s,
nsec3params,
bac,
true);
if (ce == null) if (ce == null) {
{ // st_log.debug("proveNameError: failed to prove a closest encloser.");
// st_log.debug("proveNameError: failed to prove a closest encloser.");
return false; return false;
} }
// At this point, we know that qname does not exist. Now we need to prove // At this point, we know that qname does not exist. Now we need to
// prove
// that the wildcard does not exist. // that the wildcard does not exist.
Name wc = ceWildcard(ce.closestEncloser); Name wc = ceWildcard(ce.closestEncloser);
byte[] wc_hash = hash(wc, nsec3params); byte[] wc_hash = hash(wc, nsec3params);
NSEC3Record nsec3 = findCoveringNSEC3(wc_hash, NSEC3Record nsec3 = findCoveringNSEC3(wc_hash, zonename, nsec3s,
zonename, nsec3params, bac);
nsec3s, if (nsec3 == null) {
nsec3params, // st_log.debug("proveNameError: could not prove that the "
bac); // + "applicable wildcard did not exist.");
if (nsec3 == null)
{
// st_log.debug("proveNameError: could not prove that the "
// + "applicable wildcard did not exist.");
return false; return false;
} }
return true; return true;
} }
/**
* Determine if the set of NSEC3 records provided with a response prove NAME
* ERROR when qtype = NSEC3. This is a special case, and (currently anyway)
* it suffices to simply prove that the NSEC3 RRset itself does not exist,
* without proving that no wildcard could have generated it, etc..
*
* @param nsec3s The list of NSEC3s.
* @param qname The query name to check against.
* @param zonename This is the name of the zone that the NSEC3s belong to.
* This may be discovered in any number of ways. A good one is to
* use the signerName from the NSEC3 record's RRSIG.
* @return true of the Name Error is proven by the NSEC3 RRs, false if not.
*/
// public static boolean proveNSEC3NameError(List nsec3s, Name qname,
// Name zonename)
// {
// if (nsec3s == null || nsec3s.size() == 0) return false;
//
// for (Iterator i = nsec3s.iterator(); i.hasNext(); )
// {
// NSEC3Record nsec3 = (NSEC3Record) i.next();
//
// // Convert owner and next into Names.
// Name owner = nsec3.getName();
// Name next = null;
// try
// {
// next = new Name(base32.toString(nsec3.getNext()), zonename);
// }
// catch (TextParseException e)
// {
// continue;
// }
//
// // Now see if qname is covered by the NSEC3.
//
// // normal case, owner < qname < next.
// if (owner.compareTo(next) < 0 && owner.compareTo(qname) < 0 &&
// next.compareTo(qname) > 0)
// {
// st_log.debug("proveNSEC3NameError: found a covering NSEC3: " + nsec3);
// return true;
// }
// // end-of-zone case: next < owner and qname > owner || qname < next.
// if (owner.compareTo(next) > 0 && (owner.compareTo(qname) < 0 ||
// next.compareTo(qname) > 0))
// {
// st_log.debug("proveNSEC3NameError: found a covering NSEC3: " + nsec3);
// return true;
// }
// }
//
// st_log.debug("proveNSEC3NameError: did not find a covering NSEC3");
// return false;
// }
/** /**
* Determine if the NSEC3s provided in a response prove the NOERROR/NODATA * Determine if the NSEC3s provided in a response prove the NOERROR/NODATA
* status. There are a number of different variants to this: * status. There are a number of different variants to this:
@ -633,46 +542,44 @@ public class NSEC3ValUtils
* *
* 4) Wildcard NODATA -- A wildcard matched the name, but not the type. * 4) Wildcard NODATA -- A wildcard matched the name, but not the type.
* *
* 5) Opt-In DS NODATA -- the qname is covered by an opt-in span and qtype == * 5) Opt-In DS NODATA -- the qname is covered by an opt-in span and qtype
* DS. (or maybe some future record with the same parent-side-only property) * == DS. (or maybe some future record with the same parent-side-only
* property)
* *
* @param nsec3s The NSEC3Records to consider. * @param nsec3s
* @param qname The qname in question. * The NSEC3Records to consider.
* @param qtype The qtype in question. * @param qname
* @param zonename The name of the zone that the NSEC3s came from. * The qname in question.
* @param qtype
* The qtype in question.
* @param zonename
* The name of the zone that the NSEC3s came from.
* @return true if the NSEC3s prove the proposition. * @return true if the NSEC3s prove the proposition.
*/ */
public static boolean proveNodata(List nsec3s, Name qname, int qtype, public static boolean proveNodata(List<NSEC3Record> nsec3s, Name qname,
Name zonename) int qtype, Name zonename) {
{
if (nsec3s == null || nsec3s.size() == 0) return false; if (nsec3s == null || nsec3s.size() == 0) return false;
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s); NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
if (nsec3params == null) if (nsec3params == null) {
{ // st_log.debug("could not find a single set of "
// st_log.debug("could not find a single set of " // + "NSEC3 parameters (multiple parameters present)");
// + "NSEC3 parameters (multiple parameters present)");
return false; return false;
} }
ByteArrayComparator bac = new ByteArrayComparator(); ByteArrayComparator bac = new ByteArrayComparator();
NSEC3Record nsec3 = findMatchingNSEC3(hash(qname, nsec3params), NSEC3Record nsec3 = findMatchingNSEC3(hash(qname, nsec3params),
zonename, zonename, nsec3s, nsec3params,
nsec3s,
nsec3params,
bac); bac);
// Cases 1 & 2. // Cases 1 & 2.
if (nsec3 != null) if (nsec3 != null) {
{ if (nsec3.hasType(qtype)) {
if (nsec3.hasType(qtype)) // st_log.debug("proveNodata: Matching NSEC3 proved that type existed!");
{
// st_log.debug("proveNodata: Matching NSEC3 proved that type existed!");
return false; return false;
} }
if (nsec3.hasType(Type.CNAME)) if (nsec3.hasType(Type.CNAME)) {
{ // st_log.debug("proveNodata: Matching NSEC3 proved "
// st_log.debug("proveNodata: Matching NSEC3 proved " // + "that a CNAME existed!");
// + "that a CNAME existed!");
return false; return false;
} }
return true; return true;
@ -681,19 +588,14 @@ public class NSEC3ValUtils
// For cases 3 - 5, we need the proven closest encloser, and it can't // For cases 3 - 5, we need the proven closest encloser, and it can't
// match qname. Although, at this point, we know that it won't since we // match qname. Although, at this point, we know that it won't since we
// just checked that. // just checked that.
CEResponse ce = proveClosestEncloser(qname, CEResponse ce = proveClosestEncloser(qname, zonename, nsec3s,
zonename, nsec3params, bac, true);
nsec3s,
nsec3params,
bac,
true);
// At this point, not finding a match or a proven closest encloser is a // At this point, not finding a match or a proven closest encloser is a
// problem. // problem.
if (ce == null) if (ce == null) {
{ // st_log.debug("proveNodata: did not match qname, "
// st_log.debug("proveNodata: did not match qname, " // + "nor found a proven closest encloser.");
// + "nor found a proven closest encloser.");
return false; return false;
} }
@ -701,35 +603,29 @@ public class NSEC3ValUtils
// Case 4: // Case 4:
Name wc = ceWildcard(ce.closestEncloser); Name wc = ceWildcard(ce.closestEncloser);
nsec3 = findMatchingNSEC3(hash(wc, nsec3params), nsec3 = findMatchingNSEC3(hash(wc, nsec3params), zonename, nsec3s,
zonename, nsec3params, bac);
nsec3s,
nsec3params,
bac);
if (nsec3 != null) if (nsec3 != null) {
{ if (nsec3.hasType(qtype)) {
if (nsec3.hasType(qtype)) // st_log.debug("proveNodata: matching wildcard had qtype!");
{
// st_log.debug("proveNodata: matching wildcard had qtype!");
return false; return false;
} }
return true; return true;
} }
// Case 5. // Case 5.
if (qtype != Type.DS) if (qtype != Type.DS) {
{ // st_log.debug("proveNodata: could not find matching NSEC3, "
// st_log.debug("proveNodata: could not find matching NSEC3, " // +
// + "nor matching wildcard, and qtype is not DS -- no more options."); // "nor matching wildcard, and qtype is not DS -- no more options.");
return false; return false;
} }
// We need to make sure that the covering NSEC3 is opt-in. // We need to make sure that the covering NSEC3 is opt-in.
if (!ce.nc_nsec3.getOptInFlag()) if (!ce.nc_nsec3.getOptInFlag()) {
{ // st_log.debug("proveNodata: covering NSEC3 was not "
// st_log.debug("proveNodata: covering NSEC3 was not " // + "opt-in in an opt-in DS NOERROR/NODATA case.");
// + "opt-in in an opt-in DS NOERROR/NODATA case.");
return false; return false;
} }
@ -740,28 +636,31 @@ public class NSEC3ValUtils
* Prove that a positive wildcard match was appropriate (no direct match * Prove that a positive wildcard match was appropriate (no direct match
* RRset). * RRset).
* *
* @param nsec3s The NSEC3 records to work with. * @param nsec3s
* @param qname The qname that was matched to the wildard * The NSEC3 records to work with.
* @param zonename The name of the zone that the NSEC3s come from. * @param qname
* @param wildcard The purported wildcard that matched. * The qname that was matched to the wildcard
* @param zonename
* The name of the zone that the NSEC3s come from.
* @param wildcard
* The purported wildcard that matched.
* @return true if the NSEC3 records prove this case. * @return true if the NSEC3 records prove this case.
*/ */
public static boolean proveWildcard(List nsec3s, Name qname, Name zonename, public static boolean proveWildcard(List<NSEC3Record> nsec3s, Name qname,
Name wildcard) Name zonename, Name wildcard) {
{
if (nsec3s == null || nsec3s.size() == 0) return false; if (nsec3s == null || nsec3s.size() == 0) return false;
if (qname == null || wildcard == null) return false; if (qname == null || wildcard == null) return false;
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s); NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
if (nsec3params == null) if (nsec3params == null) {
{ // st_log.debug("couldn't find a single set of NSEC3 parameters (multiple parameters present).");
// st_log.debug("couldn't find a single set of NSEC3 parameters (multiple parameters present).");
return false; return false;
} }
ByteArrayComparator bac = new ByteArrayComparator(); ByteArrayComparator bac = new ByteArrayComparator();
// We know what the (purported) closest encloser is by just looking at the // We know what the (purported) closest encloser is by just looking at
// the
// supposed generating wildcard. // supposed generating wildcard.
CEResponse candidate = new CEResponse(new Name(wildcard, 1), null); CEResponse candidate = new CEResponse(new Name(wildcard, 1), null);
@ -769,17 +668,15 @@ public class NSEC3ValUtils
// Otherwise, we need to show that the next closer name is covered. // Otherwise, we need to show that the next closer name is covered.
Name nextClosest = nextClosest(qname, candidate.closestEncloser); Name nextClosest = nextClosest(qname, candidate.closestEncloser);
candidate.nc_nsec3 = findCoveringNSEC3(hash(nextClosest, nsec3params), candidate.nc_nsec3 = findCoveringNSEC3(hash(nextClosest, nsec3params),
zonename, zonename, nsec3s, nsec3params,
nsec3s,
nsec3params,
bac); bac);
if (candidate.nc_nsec3 == null) if (candidate.nc_nsec3 == null) {
{ // st_log.debug("proveWildcard: did not find a covering NSEC3 "
// st_log.debug("proveWildcard: did not find a covering NSEC3 " // + "that covered the next closer name to " + qname + " from "
// + "that covered the next closer name to " + qname + " from " // + candidate.closestEncloser + " (derived from wildcard " +
// + candidate.closestEncloser + " (derived from wildcard " + wildcard // wildcard
// + ")"); // + ")");
return false; return false;
} }
@ -791,9 +688,12 @@ public class NSEC3ValUtils
* *
* Fundamentally there are two cases here: normal NODATA and Opt-In NODATA. * Fundamentally there are two cases here: normal NODATA and Opt-In NODATA.
* *
* @param nsec3s The NSEC3 RRs to examine. * @param nsec3s
* @param qname The name of the DS in question. * The NSEC3 RRs to examine.
* @param zonename The name of the zone that the NSEC3 RRs come from. * @param qname
* The name of the DS in question.
* @param zonename
* The name of the zone that the NSEC3 RRs come from.
* *
* @return SecurityStatus.SECURE if it was proven that there is no DS in a * @return SecurityStatus.SECURE if it was proven that there is no DS in a
* secure (i.e., not opt-in) way, SecurityStatus.INSECURE if there * secure (i.e., not opt-in) way, SecurityStatus.INSECURE if there
@ -802,33 +702,30 @@ public class NSEC3ValUtils
* delegation point, and SecurityStatus.BOGUS if the proofs don't * delegation point, and SecurityStatus.BOGUS if the proofs don't
* work out. * work out.
*/ */
public static int proveNoDS(List nsec3s, Name qname, Name zonename) public static int proveNoDS(List<NSEC3Record> nsec3s, Name qname,
{ Name zonename) {
if (nsec3s == null || nsec3s.size() == 0) return SecurityStatus.BOGUS; if (nsec3s == null || nsec3s.size() == 0) return SecurityStatus.BOGUS;
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s); NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
if (nsec3params == null) if (nsec3params == null) {
{ // st_log.debug("couldn't find a single set of " +
// st_log.debug("couldn't find a single set of " + // "NSEC3 parameters (multiple parameters present).");
// "NSEC3 parameters (multiple parameters present).");
return SecurityStatus.BOGUS; return SecurityStatus.BOGUS;
} }
ByteArrayComparator bac = new ByteArrayComparator(); ByteArrayComparator bac = new ByteArrayComparator();
// Look for a matching NSEC3 to qname -- this is the normal NODATA case. // Look for a matching NSEC3 to qname -- this is the normal NODATA case.
NSEC3Record nsec3 = findMatchingNSEC3(hash(qname, nsec3params), NSEC3Record nsec3 = findMatchingNSEC3(hash(qname, nsec3params),
zonename, zonename, nsec3s, nsec3params,
nsec3s,
nsec3params,
bac); bac);
if (nsec3 != null) if (nsec3 != null) {
{ // If the matching NSEC3 has the SOA bit set, it is from the wrong
// If the matching NSEC3 has the SOA bit set, it is from the wrong zone // zone
// (the child instead of the parent). If it has the DS bit set, then we // (the child instead of the parent). If it has the DS bit set, then
// we
// were lied to. // were lied to.
if (nsec3.hasType(Type.SOA) || nsec3.hasType(Type.DS)) if (nsec3.hasType(Type.SOA) || nsec3.hasType(Type.DS)) {
{
return SecurityStatus.BOGUS; return SecurityStatus.BOGUS;
} }
// If the NSEC3 RR doesn't have the NS bit set, then this wasn't a // If the NSEC3 RR doesn't have the NS bit set, then this wasn't a
@ -840,22 +737,16 @@ public class NSEC3ValUtils
} }
// Otherwise, we are probably in the opt-in case. // Otherwise, we are probably in the opt-in case.
CEResponse ce = proveClosestEncloser(qname, CEResponse ce = proveClosestEncloser(qname, zonename, nsec3s,
zonename, nsec3params, bac, true);
nsec3s, if (ce == null) {
nsec3params,
bac,
true);
if (ce == null)
{
return SecurityStatus.BOGUS; return SecurityStatus.BOGUS;
} }
// If we had the closest encloser proof, then we need to check that the // If we had the closest encloser proof, then we need to check that the
// covering NSEC3 was opt-in -- the proveClosestEncloser step already // covering NSEC3 was opt-in -- the proveClosestEncloser step already
// checked to see if the closest encloser was a delegation or DNAME. // checked to see if the closest encloser was a delegation or DNAME.
if (ce.nc_nsec3.getOptInFlag()) if (ce.nc_nsec3.getOptInFlag()) {
{
return SecurityStatus.SECURE; return SecurityStatus.SECURE;
} }

225
src/com/versign/tat/dnssec/SMessage.java
View File

@ -36,68 +36,58 @@ import org.xbill.DNS.*;
/** /**
* This class represents a DNS message with resolver/validator state. * This class represents a DNS message with resolver/validator state.
*/ */
public class SMessage public class SMessage {
{
private Header mHeader; private Header mHeader;
private Record mQuestion; private Record mQuestion;
private OPTRecord mOPTRecord; private OPTRecord mOPTRecord;
private List[] mSection; private List<SRRset>[] mSection;
private SecurityStatus mSecurityStatus; private SecurityStatus mSecurityStatus;
private static SRRset[] empty_srrset_array = new SRRset[0]; private static SRRset[] empty_srrset_array = new SRRset[0];
public SMessage(Header h) @SuppressWarnings("unchecked")
{ public SMessage(Header h) {
mSection = new List[3]; mSection = (List<SRRset>[]) new List[3];
mHeader = h; mHeader = h;
mSecurityStatus = new SecurityStatus(); mSecurityStatus = new SecurityStatus();
} }
public SMessage(int id) public SMessage(int id) {
{
this(new Header(id)); this(new Header(id));
} }
public SMessage() public SMessage() {
{
this(new Header(0)); this(new Header(0));
} }
public SMessage(Message m) public SMessage(Message m) {
{
this(m.getHeader()); this(m.getHeader());
mQuestion = m.getQuestion(); mQuestion = m.getQuestion();
mOPTRecord = m.getOPT(); mOPTRecord = m.getOPT();
for (int i = Section.ANSWER; i <= Section.ADDITIONAL; i++) for (int i = Section.ANSWER; i <= Section.ADDITIONAL; i++) {
{
RRset[] rrsets = m.getSectionRRsets(i); RRset[] rrsets = m.getSectionRRsets(i);
for (int j = 0; j < rrsets.length; j++) for (int j = 0; j < rrsets.length; j++) {
{
addRRset(rrsets[j], i); addRRset(rrsets[j], i);
} }
} }
} }
public Header getHeader() public Header getHeader() {
{
return mHeader; return mHeader;
} }
public void setHeader(Header h) public void setHeader(Header h) {
{
mHeader = h; mHeader = h;
} }
public void setQuestion(Record r) public void setQuestion(Record r) {
{
mQuestion = r; mQuestion = r;
} }
public Record getQuestion() public Record getQuestion() {
{
return mQuestion; return mQuestion;
} }
@ -113,48 +103,40 @@ public class SMessage
return getQuestion().getDClass(); return getQuestion().getDClass();
} }
public void setOPT(OPTRecord r) public void setOPT(OPTRecord r) {
{
mOPTRecord = r; mOPTRecord = r;
} }
public OPTRecord getOPT() public OPTRecord getOPT() {
{
return mOPTRecord; return mOPTRecord;
} }
public List getSectionList(int section) public List<SRRset> getSectionList(int section) {
{
if (section <= Section.QUESTION || section > Section.ADDITIONAL) if (section <= Section.QUESTION || section > Section.ADDITIONAL)
throw new IllegalArgumentException("Invalid section."); throw new IllegalArgumentException("Invalid section.");
if (mSection[section - 1] == null) if (mSection[section - 1] == null) {
{ mSection[section - 1] = new LinkedList<SRRset>();
mSection[section - 1] = new LinkedList();
} }
return mSection[section - 1]; return (List<SRRset>) mSection[section - 1];
} }
public void addRRset(SRRset srrset, int section) public void addRRset(SRRset srrset, int section) {
{
if (section <= Section.QUESTION || section > Section.ADDITIONAL) if (section <= Section.QUESTION || section > Section.ADDITIONAL)
throw new IllegalArgumentException("Invalid section"); throw new IllegalArgumentException("Invalid section");
if (srrset.getType() == Type.OPT) if (srrset.getType() == Type.OPT) {
{
mOPTRecord = (OPTRecord) srrset.first(); mOPTRecord = (OPTRecord) srrset.first();
return; return;
} }
List sectionList = getSectionList(section); List<SRRset> sectionList = getSectionList(section);
sectionList.add(srrset); sectionList.add(srrset);
} }
public void addRRset(RRset rrset, int section) public void addRRset(RRset rrset, int section) {
{ if (rrset instanceof SRRset) {
if (rrset instanceof SRRset)
{
addRRset((SRRset) rrset, section); addRRset((SRRset) rrset, section);
return; return;
} }
@ -163,114 +145,97 @@ public class SMessage
addRRset(srrset, section); addRRset(srrset, section);
} }
public void prependRRsets(List rrsets, int section) public void prependRRsets(List<SRRset> rrsets, int section) {
{
if (section <= Section.QUESTION || section > Section.ADDITIONAL) if (section <= Section.QUESTION || section > Section.ADDITIONAL)
throw new IllegalArgumentException("Invalid section"); throw new IllegalArgumentException("Invalid section");
List sectionList = getSectionList(section); List<SRRset> sectionList = getSectionList(section);
sectionList.addAll(0, rrsets); sectionList.addAll(0, rrsets);
} }
public SRRset[] getSectionRRsets(int section) public SRRset[] getSectionRRsets(int section) {
{ List<SRRset> slist = getSectionList(section);
List slist = getSectionList(section);
return (SRRset[]) slist.toArray(empty_srrset_array); return (SRRset[]) slist.toArray(empty_srrset_array);
} }
public SRRset[] getSectionRRsets(int section, int qtype) public SRRset[] getSectionRRsets(int section, int qtype) {
{ List<SRRset> slist = getSectionList(section);
List slist = getSectionList(section);
if (slist.size() == 0) return new SRRset[0]; if (slist.size() == 0) return new SRRset[0];
ArrayList result = new ArrayList(slist.size()); ArrayList<SRRset> result = new ArrayList<SRRset>(slist.size());
for (Iterator i = slist.iterator(); i.hasNext();) for (SRRset rrset : slist) {
{
SRRset rrset = (SRRset) i.next();
if (rrset.getType() == qtype) result.add(rrset); if (rrset.getType() == qtype) result.add(rrset);
} }
return (SRRset[]) result.toArray(empty_srrset_array); return (SRRset[]) result.toArray(empty_srrset_array);
} }
public void deleteRRset(SRRset rrset, int section) public void deleteRRset(SRRset rrset, int section) {
{ List<SRRset> slist = getSectionList(section);
List slist = getSectionList(section);
if (slist.size() == 0) return; if (slist.size() == 0) return;
slist.remove(rrset); slist.remove(rrset);
} }
public void clear(int section) public void clear(int section) {
{
if (section < Section.QUESTION || section > Section.ADDITIONAL) if (section < Section.QUESTION || section > Section.ADDITIONAL)
throw new IllegalArgumentException("Invalid section."); throw new IllegalArgumentException("Invalid section.");
if (section == Section.QUESTION) if (section == Section.QUESTION) {
{
mQuestion = null; mQuestion = null;
return; return;
} }
if (section == Section.ADDITIONAL) if (section == Section.ADDITIONAL) {
{
mOPTRecord = null; mOPTRecord = null;
} }
mSection[section - 1] = null; mSection[section - 1] = null;
} }
public void clear() public void clear() {
{ for (int s = Section.QUESTION; s <= Section.ADDITIONAL; s++) {
for (int s = Section.QUESTION; s <= Section.ADDITIONAL; s++)
{
clear(s); clear(s);
} }
} }
public int getRcode() public int getRcode() {
{
// FIXME: might want to do what Message does and handle extended rcodes. // FIXME: might want to do what Message does and handle extended rcodes.
return mHeader.getRcode(); return mHeader.getRcode();
} }
public int getStatus() public int getStatus() {
{
return mSecurityStatus.getStatus(); return mSecurityStatus.getStatus();
} }
public void setStatus(byte status) public void setStatus(byte status) {
{
mSecurityStatus.setStatus(status); mSecurityStatus.setStatus(status);
} }
public SecurityStatus getSecurityStatus() public SecurityStatus getSecurityStatus() {
{
return mSecurityStatus; return mSecurityStatus;
} }
public void setSecurityStatus(SecurityStatus s)
{ public void setSecurityStatus(SecurityStatus s) {
if (s == null) return; if (s == null) return;
mSecurityStatus = s; mSecurityStatus = s;
} }
public Message getMessage() public Message getMessage() {
{
// Generate our new message. // Generate our new message.
Message m = new Message(mHeader.getID()); Message m = new Message(mHeader.getID());
// Convert the header // Convert the header
// We do this for two reasons: 1) setCount() is package scope, so we can't // We do this for two reasons: 1) setCount() is package scope, so we
// do that, and 2) setting the header on a message after creating the // can't do that, and 2) setting the header on a message after creating
// message frequently gets stuff out of sync, leading to malformed wire // the message frequently gets stuff out of sync, leading to malformed
// format messages. // wire format messages.
Header h = m.getHeader(); Header h = m.getHeader();
h.setOpcode(mHeader.getOpcode()); h.setOpcode(mHeader.getOpcode());
h.setRcode(mHeader.getRcode()); h.setRcode(mHeader.getRcode());
for (int i = 0; i < 16; i++) for (int i = 0; i < 16; i++) {
{
if (Flags.isFlag(i)) { if (Flags.isFlag(i)) {
if (mHeader.getFlag(i)) { if (mHeader.getFlag(i)) {
h.setFlag(i); h.setFlag(i);
@ -283,82 +248,72 @@ public class SMessage
// Add all the records. -- this will set the counts correctly in the // Add all the records. -- this will set the counts correctly in the
// message header. // message header.
if (mQuestion != null) if (mQuestion != null) {
{
m.addRecord(mQuestion, Section.QUESTION); m.addRecord(mQuestion, Section.QUESTION);
} }
for (int sec = Section.ANSWER; sec <= Section.ADDITIONAL; sec++) for (int sec = Section.ANSWER; sec <= Section.ADDITIONAL; sec++) {
{ List<SRRset> slist = getSectionList(sec);
List slist = getSectionList(sec); for (SRRset rrset : slist) {
for (Iterator i = slist.iterator(); i.hasNext();) for (Iterator<Record> j = rrset.rrs(); j.hasNext(); ) {
{ m.addRecord(j.next(), sec);
SRRset rrset = (SRRset) i.next();
for (Iterator j = rrset.rrs(); j.hasNext();)
{
m.addRecord((Record) j.next(), sec);
} }
for (Iterator j = rrset.sigs(); j.hasNext();) for (Iterator<RRSIGRecord> j = rrset.sigs(); j.hasNext(); ) {
{ m.addRecord(j.next(), sec);
m.addRecord((Record) j.next(), sec);
} }
} }
} }
if (mOPTRecord != null) if (mOPTRecord != null) {
{
m.addRecord(mOPTRecord, Section.ADDITIONAL); m.addRecord(mOPTRecord, Section.ADDITIONAL);
} }
return m; return m;
} }
public int getCount(int section) public int getCount(int section) {
{ if (section == Section.QUESTION) {
if (section == Section.QUESTION)
{
return mQuestion == null ? 0 : 1; return mQuestion == null ? 0 : 1;
} }
List sectionList = getSectionList(section); List<SRRset> sectionList = getSectionList(section);
if (sectionList == null) return 0; if (sectionList == null) return 0;
if (sectionList.size() == 0) return 0; if (sectionList.size() == 0) return 0;
int count = 0; int count = 0;
for (Iterator i = sectionList.iterator(); i.hasNext(); ) for (SRRset sr : sectionList) {
{
SRRset sr = (SRRset) i.next();
count += sr.totalSize(); count += sr.totalSize();
} }
return count; return count;
} }
public String toString() public String toString() {
{
return getMessage().toString(); return getMessage().toString();
} }
/** /**
* Find a specific (S)RRset in a given section. * Find a specific (S)RRset in a given section.
* *
* @param name the name of the RRset. * @param name
* @param type the type of the RRset. * the name of the RRset.
* @param dclass the class of the RRset. * @param type
* @param section the section to look in (ANSWER -> ADDITIONAL) * the type of the RRset.
* @param dclass
* the class of the RRset.
* @param section
* the section to look in (ANSWER -> ADDITIONAL)
* *
* @return The SRRset if found, null otherwise. * @return The SRRset if found, null otherwise.
*/ */
public SRRset findRRset(Name name, int type, int dclass, int section) public SRRset findRRset(Name name, int type, int dclass, int section) {
{
if (section <= Section.QUESTION || section > Section.ADDITIONAL) if (section <= Section.QUESTION || section > Section.ADDITIONAL)
throw new IllegalArgumentException("Invalid section."); throw new IllegalArgumentException("Invalid section.");
SRRset[] rrsets = getSectionRRsets(section); SRRset[] rrsets = getSectionRRsets(section);
for (int i = 0; i < rrsets.length; i++) for (int i = 0; i < rrsets.length; i++) {
{
if (rrsets[i].getName().equals(name) && rrsets[i].getType() == type if (rrsets[i].getName().equals(name) && rrsets[i].getType() == type
&& rrsets[i].getDClass() == dclass) && rrsets[i].getDClass() == dclass) {
{
return rrsets[i]; return rrsets[i];
} }
} }
@ -370,30 +325,30 @@ public class SMessage
* Find an "answer" RRset. This will look for RRsets in the ANSWER section * Find an "answer" RRset. This will look for RRsets in the ANSWER section
* that match the <qname,qtype,qclass>, taking into consideration CNAMEs. * that match the <qname,qtype,qclass>, taking into consideration CNAMEs.
* *
* @param qname The starting search name. * @param qname
* @param qtype The search type. * The starting search name.
* @param qclass The search class. * @param qtype
* The search type.
* @param qclass
* The search class.
* *
* @return a SRRset matching the query. This SRRset may have a different * @return a SRRset matching the query. This SRRset may have a different
* name from qname, due to following a CNAME chain. * name from qname, due to following a CNAME chain.
*/ */
public SRRset findAnswerRRset(Name qname, int qtype, int qclass) public SRRset findAnswerRRset(Name qname, int qtype, int qclass) {
{
SRRset[] srrsets = getSectionRRsets(Section.ANSWER); SRRset[] srrsets = getSectionRRsets(Section.ANSWER);
for (int i = 0; i < srrsets.length; i++) for (int i = 0; i < srrsets.length; i++) {
{
if (srrsets[i].getName().equals(qname) if (srrsets[i].getName().equals(qname)
&& srrsets[i].getType() == Type.CNAME) && srrsets[i].getType() == Type.CNAME) {
{
CNAMERecord cname = (CNAMERecord) srrsets[i].first(); CNAMERecord cname = (CNAMERecord) srrsets[i].first();
qname = cname.getTarget(); qname = cname.getTarget();
continue; continue;
} }
if (srrsets[i].getName().equals(qname) && srrsets[i].getType() == qtype if (srrsets[i].getName().equals(qname)
&& srrsets[i].getDClass() == qclass) && srrsets[i].getType() == qtype
{ && srrsets[i].getDClass() == qclass) {
return srrsets[i]; return srrsets[i];
} }
} }

103
src/com/versign/tat/dnssec/SRRset.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2005 VeriSign. All rights reserved. * Copyright (c) 2009 VeriSign. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met: * modification, are permitted provided that the following conditions are met:
@ -34,83 +34,39 @@ import org.xbill.DNS.*;
/** /**
* A version of the RRset class overrides the standard security status. * A version of the RRset class overrides the standard security status.
*/ */
public class SRRset extends RRset public class SRRset extends RRset {
{
private SecurityStatus mSecurityStatus; private SecurityStatus mSecurityStatus;
/** Create a new, blank SRRset. */ /** Create a new, blank SRRset. */
public SRRset() public SRRset() {
{
super(); super();
mSecurityStatus = new SecurityStatus(); mSecurityStatus = new SecurityStatus();
} }
/** /**
* Create a new SRRset from an existing RRset. This SRRset will contain that * Create a new SRRset from an existing RRset. This SRRset will contain that
* same internal Record objects as the original RRset. * same internal Record objects as the original RRset.
*/ */
@SuppressWarnings("unchecked") // org.xbill.DNS.RRset isn't typesafe-aware. @SuppressWarnings("unchecked")
public SRRset(RRset r) // org.xbill.DNS.RRset isn't typesafe-aware.
{ public SRRset(RRset r) {
this(); this();
for (Iterator i = r.rrs(); i.hasNext();) for (Iterator i = r.rrs(); i.hasNext();) {
{
addRR((Record) i.next()); addRR((Record) i.next());
} }
for (Iterator i = r.sigs(); i.hasNext();) for (Iterator i = r.sigs(); i.hasNext();) {
{
addRR((Record) i.next()); addRR((Record) i.next());
} }
} }
/**
* Clone this SRRset, giving the copy a new TTL. The copy is independent
* from the original except for the security status.
*
* @param withNewTTL The new TTL to apply to the RRset. This applies to
* contained RRsig records as well.
* @return The cloned SRRset.
*/
// public SRRset cloneSRRset(long withNewTTL)
// {
// SRRset nr = new SRRset();
//
// for (Iterator i = rrs(); i.hasNext();)
// {
// nr.addRR(((Record) i.next()).withTTL(withNewTTL));
// }
// for (Iterator i = sigs(); i.hasNext();)
// {
// nr.addRR(((Record) i.next()).withTTL(withNewTTL));
// }
//
// nr.mSecurityStatus = mSecurityStatus;
//
// return nr;
// }
public SRRset cloneSRRsetNoSigs()
{
SRRset nr = new SRRset();
for (Iterator i = rrs(); i.hasNext();)
{
// NOTE: should this clone the records as well?
nr.addRR((Record) i.next());
}
// Do not copy the SecurityStatus reference
return nr;
}
/** /**
* Return the current security status (generally: UNCHECKED, BOGUS, or * Return the current security status (generally: UNCHECKED, BOGUS, or
* SECURE). * SECURE).
*/ */
public int getSecurity() public int getSecurity() {
{
return getSecurityStatus(); return getSecurityStatus();
} }
@ -118,8 +74,7 @@ public SRRset(RRset r)
* Return the current security status (generally: UNCHECKED, BOGUS, or * Return the current security status (generally: UNCHECKED, BOGUS, or
* SECURE). * SECURE).
*/ */
public int getSecurityStatus() public byte getSecurityStatus() {
{
return mSecurityStatus.getStatus(); return mSecurityStatus.getStatus();
} }
@ -127,14 +82,21 @@ public SRRset(RRset r)
* Set the current security status for this SRRset. This status will be * Set the current security status for this SRRset. This status will be
* shared amongst all copies of this SRRset (created with cloneSRRset()) * shared amongst all copies of this SRRset (created with cloneSRRset())
*/ */
public void setSecurityStatus(byte status) public void setSecurityStatus(byte status) {
{
mSecurityStatus.setStatus(status); mSecurityStatus.setStatus(status);
} }
public Iterator<Record> rrs() {
return (Iterator<Record>) rrs();
}
public Iterator<RRSIGRecord> sigs() {
return (Iterator<RRSIGRecord>) sigs();
}
public int totalSize() { public int totalSize() {
int num_sigs = 0; int num_sigs = 0;
for (Iterator i = sigs(); i.hasNext(); ) { for (Iterator<RRSIGRecord> i = sigs(); i.hasNext();) {
num_sigs++; num_sigs++;
} }
return size() + num_sigs; return size() + num_sigs;
@ -143,23 +105,22 @@ public SRRset(RRset r)
/** /**
* @return The total number of records (data + sigs) in the SRRset. * @return The total number of records (data + sigs) in the SRRset.
*/ */
public int getNumRecords() public int getNumRecords() {
{
return totalSize(); return totalSize();
} }
public RRSIGRecord firstSig() { public RRSIGRecord firstSig() {
for (Iterator i = sigs(); i.hasNext(); ) { for (Iterator<RRSIGRecord> i = sigs(); i.hasNext();) {
return (RRSIGRecord) i.next(); return i.next();
} }
return null; return null;
} }
/** /**
* @return true if this RRset has RRSIG records that cover data records. * @return true if this RRset has RRSIG records that cover data records.
* (i.e., RRSIG SRRsets return false) * (i.e., RRSIG SRRsets return false)
*/ */
public boolean isSigned() public boolean isSigned() {
{
if (getType() == Type.RRSIG) return false; if (getType() == Type.RRSIG) return false;
return firstSig() != null; return firstSig() != null;
} }
@ -167,19 +128,9 @@ public SRRset(RRset r)
/** /**
* @return The "signer" name for this SRRset, if signed, or null if not. * @return The "signer" name for this SRRset, if signed, or null if not.
*/ */
public Name getSignerName() public Name getSignerName() {
{
RRSIGRecord sig = (RRSIGRecord) firstSig(); RRSIGRecord sig = (RRSIGRecord) firstSig();
if (sig == null) return null; if (sig == null) return null;
return sig.getSigner(); return sig.getSigner();
} }
// public void setTTL(long ttl)
// {
// if (ttl < 0)
// {
// throw new IllegalArgumentException("ttl can't be less than zero, stupid! was " + ttl);
// }
// super.setTTL(ttl);
// }
} }

302
src/com/versign/tat/dnssec/SignUtils.java
View File

@ -47,55 +47,38 @@ import org.xbill.DNS.Name;
import org.xbill.DNS.RRSIGRecord; import org.xbill.DNS.RRSIGRecord;
import org.xbill.DNS.RRset; import org.xbill.DNS.RRset;
import org.xbill.DNS.Record; import org.xbill.DNS.Record;
import org.xbill.DNS.utils.base64;
/** /**
* This class contains a bunch of utility methods that are generally useful in * This class contains a bunch of utility methods that are generally useful in
* signing and verifying rrsets. * signing and verifying rrsets.
*
* @author David Blacka (original)
* @author $Author$
* @version $Revision$
*/ */
public class SignUtils public class SignUtils {
{
/** /**
* This class implements a basic comparitor for byte arrays. It is primarily * This class implements a basic comparator for byte arrays. It is primarily
* useful for comparing RDATA portions of DNS records in doing DNSSEC * useful for comparing RDATA portions of DNS records in doing DNSSEC
* canonical ordering. * canonical ordering.
*
* @author David Blacka (original)
*/ */
public static class ByteArrayComparator implements Comparator public static class ByteArrayComparator implements Comparator<byte[]> {
{
private int mOffset = 0; private int mOffset = 0;
private boolean mDebug = false; private boolean mDebug = false;
public ByteArrayComparator() public ByteArrayComparator() {
{
} }
public ByteArrayComparator(int offset, boolean debug) public ByteArrayComparator(int offset, boolean debug) {
{
mOffset = offset; mOffset = offset;
mDebug = debug; mDebug = debug;
} }
public int compare(Object o1, Object o2) throws ClassCastException public int compare(byte[] b1, byte[] b2) throws ClassCastException {
{ for (int i = mOffset; i < b1.length && i < b2.length; i++) {
byte[] b1 = (byte[]) o1; if (b1[i] != b2[i]) {
byte[] b2 = (byte[]) o2; if (mDebug) {
for (int i = mOffset; i < b1.length && i < b2.length; i++)
{
if (b1[i] != b2[i])
{
if (mDebug)
{
System.out.println("offset " + i + " differs (this is " System.out.println("offset " + i + " differs (this is "
+ (i - mOffset) + " bytes in from our offset.)"); + (i - mOffset)
+ " bytes in from our offset.)");
} }
return (b1[i] & 0xFF) - (b2[i] & 0xFF); return (b1[i] & 0xFF) - (b2[i] & 0xFF);
} }
@ -118,73 +101,91 @@ public class SignUtils
* Generate from some basic information a prototype SIG RR containing * Generate from some basic information a prototype SIG RR containing
* everything but the actual signature itself. * everything but the actual signature itself.
* *
* @param rrset the RRset being signed. * @param rrset
* @param signer the name of the signing key * the RRset being signed.
* @param alg the algorithm of the signing key * @param signer
* @param keyid the keyid (or footprint) of the signing key * the name of the signing key
* @param start the SIG inception time. * @param alg
* @param expire the SIG expiration time. * the algorithm of the signing key
* @param sig_ttl the TTL of the resulting SIG record. * @param keyid
* the keyid (or footprint) of the signing key
* @param start
* the SIG inception time.
* @param expire
* the SIG expiration time.
* @param sig_ttl
* the TTL of the resulting SIG record.
* @return a prototype signature based on the RRset and key information. * @return a prototype signature based on the RRset and key information.
*/ */
public static RRSIGRecord generatePreRRSIG(RRset rrset, Name signer, public static RRSIGRecord generatePreRRSIG(RRset rrset, Name signer,
int alg, int keyid, Date start, Date expire, long sig_ttl) int alg, int keyid, Date start,
{ Date expire, long sig_ttl) {
return new RRSIGRecord(rrset.getName(), rrset.getDClass(), sig_ttl, rrset return new RRSIGRecord(rrset.getName(), rrset.getDClass(), sig_ttl,
.getType(), alg, rrset.getTTL(), expire, start, keyid, signer, null); rrset.getType(), alg, rrset.getTTL(), expire, start, keyid,
signer, null);
} }
/** /**
* Generate from some basic information a prototype SIG RR containing * Generate from some basic information a prototype SIG RR containing
* everything but the actual signature itself. * everything but the actual signature itself.
* *
* @param rrset the RRset being signed. * @param rrset
* @param key the public KEY RR counterpart to the key being used to sign * the RRset being signed.
* @param key
* the public KEY RR counterpart to the key being used to sign
* the RRset * the RRset
* @param start the SIG inception time. * @param start
* @param expire the SIG expiration time. * the SIG inception time.
* @param sig_ttl the TTL of the resulting SIG record. * @param expire
* the SIG expiration time.
* @param sig_ttl
* the TTL of the resulting SIG record.
* @return a prototype signature based on the RRset and key information. * @return a prototype signature based on the RRset and key information.
*/ */
public static RRSIGRecord generatePreRRSIG(RRset rrset, DNSKEYRecord key, public static RRSIGRecord generatePreRRSIG(RRset rrset, DNSKEYRecord key,
Date start, Date expire, long sig_ttl) Date start, Date expire,
{ long sig_ttl) {
return generatePreRRSIG(rrset, key.getName(), key.getAlgorithm(), key return generatePreRRSIG(rrset, key.getName(), key.getAlgorithm(),
.getFootprint(), start, expire, sig_ttl); key.getFootprint(), start, expire, sig_ttl);
} }
/** /**
* Generate from some basic information a prototype SIG RR containing * Generate from some basic information a prototype SIG RR containing
* everything but the actual signature itself. * everything but the actual signature itself.
* *
* @param rec the DNS record being signed (forming an entire RRset). * @param rec
* @param key the public KEY RR counterpart to the key signing the record. * the DNS record being signed (forming an entire RRset).
* @param start the SIG inception time. * @param key
* @param expire the SIG expiration time. * the public KEY RR counterpart to the key signing the record.
* @param sig_ttl the TTL of the result SIG record. * @param start
* the SIG inception time.
* @param expire
* the SIG expiration time.
* @param sig_ttl
* the TTL of the result SIG record.
* @return a prototype signature based on the Record and key information. * @return a prototype signature based on the Record and key information.
*/ */
public static RRSIGRecord generatePreRRSIG(Record rec, DNSKEYRecord key, public static RRSIGRecord generatePreRRSIG(Record rec, DNSKEYRecord key,
Date start, Date expire, long sig_ttl) Date start, Date expire,
{ long sig_ttl) {
return new RRSIGRecord(rec.getName(), rec.getDClass(), sig_ttl, rec return new RRSIGRecord(rec.getName(), rec.getDClass(), sig_ttl,
.getType(), key.getAlgorithm(), rec.getTTL(), expire, start, key rec.getType(), key.getAlgorithm(), rec.getTTL(), expire, start,
.getFootprint(), key.getName(), null); key.getFootprint(), key.getName(), null);
} }
/** /**
* Generate the binary image of the prototype SIG RR. * Generate the binary image of the prototype SIG RR.
* *
* @param presig the SIG RR prototype. * @param presig
* the SIG RR prototype.
* @return the RDATA portion of the prototype SIG record. This forms the * @return the RDATA portion of the prototype SIG record. This forms the
* first part of the data to be signed. * first part of the data to be signed.
*/ */
private static byte[] generatePreSigRdata(RRSIGRecord presig) private static byte[] generatePreSigRdata(RRSIGRecord presig) {
{
// Generate the binary image; // Generate the binary image;
DNSOutput image = new DNSOutput(); DNSOutput image = new DNSOutput();
// precalc some things // precalculate some things
int start_time = (int) (presig.getTimeSigned().getTime() / 1000); int start_time = (int) (presig.getTimeSigned().getTime() / 1000);
int expire_time = (int) (presig.getExpire().getTime() / 1000); int expire_time = (int) (presig.getExpire().getTime() / 1000);
Name signer = presig.getSigner(); Name signer = presig.getSigner();
@ -206,57 +207,57 @@ public class SignUtils
/** /**
* Calculate the canonical wire line format of the RRset. * Calculate the canonical wire line format of the RRset.
* *
* @param rrset the RRset to convert. * @param rrset
* @param ttl the TTL to use when canonicalizing -- this is generally the * the RRset to convert.
* @param ttl
* the TTL to use when canonicalizing -- this is generally the
* TTL of the signature if there is a pre-existing signature. If * TTL of the signature if there is a pre-existing signature. If
* not it is just the ttl of the rrset itself. * not it is just the ttl of the rrset itself.
* @param labels the labels field of the signature, or 0. * @param labels
* the labels field of the signature, or 0.
* @return the canonical wire line format of the rrset. This is the second * @return the canonical wire line format of the rrset. This is the second
* part of data to be signed. * part of data to be signed.
*/ */
@SuppressWarnings("unchecked")
public static byte[] generateCanonicalRRsetData(RRset rrset, long ttl, public static byte[] generateCanonicalRRsetData(RRset rrset, long ttl,
int labels) int labels) {
{
DNSOutput image = new DNSOutput(); DNSOutput image = new DNSOutput();
if (ttl == 0) ttl = rrset.getTTL(); if (ttl == 0) ttl = rrset.getTTL();
Name n = rrset.getName(); Name n = rrset.getName();
if (labels == 0) if (labels == 0) {
{
labels = n.labels(); labels = n.labels();
} } else {
else
{
// correct for Name()'s conception of label count. // correct for Name()'s conception of label count.
labels++; labels++;
} }
boolean wildcardName = false; boolean wildcardName = false;
if (n.labels() != labels) if (n.labels() != labels) {
{
n = n.wild(n.labels() - labels); n = n.wild(n.labels() - labels);
wildcardName = true; wildcardName = true;
// log.trace("Detected wildcard expansion: " + rrset.getName() + " changed to " + n); // log.trace("Detected wildcard expansion: " + rrset.getName() +
// " changed to " + n);
} }
// now convert load the wire format records in the RRset into a // now convert the wire format records in the RRset into a
// list of byte arrays. // list of byte arrays.
ArrayList canonical_rrs = new ArrayList(); ArrayList<byte[]> canonical_rrs = new ArrayList<byte[]>();
for (Iterator i = rrset.rrs(); i.hasNext();) for (Iterator i = rrset.rrs(); i.hasNext();) {
{
Record r = (Record) i.next(); Record r = (Record) i.next();
if (r.getTTL() != ttl || wildcardName) if (r.getTTL() != ttl || wildcardName) {
{ // If necessary, we need to create a new record with a new ttl
// If necessary, we need to create a new record with a new ttl or ownername. // or ownername.
// In the TTL case, this avoids changing the ttl in the response. // In the TTL case, this avoids changing the ttl in the
r = Record.newRecord(n, r.getType(), r.getDClass(), ttl, r // response.
.rdataToWireCanonical()); r = Record.newRecord(n, r.getType(), r.getDClass(), ttl,
r.rdataToWireCanonical());
} }
byte[] wire_fmt = r.toWireCanonical(); byte[] wire_fmt = r.toWireCanonical();
canonical_rrs.add(wire_fmt); canonical_rrs.add(wire_fmt);
} }
// put the records into the correct ordering. // put the records into the correct ordering.
// Caculate the offset where the RDATA begins (we have to skip // Calculate the offset where the RDATA begins (we have to skip
// past the length byte) // past the length byte)
int offset = rrset.getName().toWireCanonical().length + 10; int offset = rrset.getName().toWireCanonical().length + 10;
@ -264,9 +265,8 @@ public class SignUtils
Collections.sort(canonical_rrs, bac); Collections.sort(canonical_rrs, bac);
for (Iterator i = canonical_rrs.iterator(); i.hasNext();) for (Iterator<byte[]> i = canonical_rrs.iterator(); i.hasNext();) {
{ byte[] wire_fmt_rec = i.next();
byte[] wire_fmt_rec = (byte[]) i.next();
image.writeByteArray(wire_fmt_rec); image.writeByteArray(wire_fmt_rec);
} }
@ -277,14 +277,17 @@ public class SignUtils
* Given an RRset and the prototype signature, generate the canonical data * Given an RRset and the prototype signature, generate the canonical data
* that is to be signed. * that is to be signed.
* *
* @param rrset the RRset to be signed. * @param rrset
* @param presig a prototype SIG RR created using the same RRset. * the RRset to be signed.
* @param presig
* a prototype SIG RR created using the same RRset.
* @return a block of data ready to be signed. * @return a block of data ready to be signed.
*/ */
public static byte[] generateSigData(RRset rrset, RRSIGRecord presig) public static byte[] generateSigData(RRset rrset, RRSIGRecord presig)
throws IOException throws IOException {
{ byte[] rrset_data = generateCanonicalRRsetData(rrset,
byte[] rrset_data = generateCanonicalRRsetData(rrset, presig.getOrigTTL(), presig.getLabels()); presig.getOrigTTL(),
presig.getLabels());
return generateSigData(rrset_data, presig); return generateSigData(rrset_data, presig);
} }
@ -293,19 +296,20 @@ public class SignUtils
* Given an RRset and the prototype signature, generate the canonical data * Given an RRset and the prototype signature, generate the canonical data
* that is to be signed. * that is to be signed.
* *
* @param rrset_data the RRset converted into canonical wire line format (as * @param rrset_data
* per the canonicalization rules in RFC 2535). * the RRset converted into canonical wire line format (as per
* @param presig the prototype signature based on the same RRset represented * the canonicalization rules in RFC 2535).
* in <code>rrset_data</code>. * @param presig
* the prototype signature based on the same RRset represented in
* <code>rrset_data</code>.
* @return a block of data ready to be signed. * @return a block of data ready to be signed.
*/ */
public static byte[] generateSigData(byte[] rrset_data, RRSIGRecord presig) public static byte[] generateSigData(byte[] rrset_data, RRSIGRecord presig)
throws IOException throws IOException {
{
byte[] sig_rdata = generatePreSigRdata(presig); byte[] sig_rdata = generatePreSigRdata(presig);
ByteArrayOutputStream image = new ByteArrayOutputStream(sig_rdata.length ByteArrayOutputStream image = new ByteArrayOutputStream(
+ rrset_data.length); sig_rdata.length + rrset_data.length);
image.write(sig_rdata); image.write(sig_rdata);
image.write(rrset_data); image.write(rrset_data);
@ -314,19 +318,21 @@ public class SignUtils
} }
/** /**
* Given the acutal signature an the prototype signature, combine them and * Given the actual signature and the prototype signature, combine them and
* return the fully formed SIGRecord. * return the fully formed RRSIGRecord.
* *
* @param signature the cryptographic signature, in DNSSEC format. * @param signature
* @param presig the prototype SIG RR to add the signature to. * the cryptographic signature, in DNSSEC format.
* @return the fully formed SIG RR. * @param presig
* the prototype RRSIG RR to add the signature to.
* @return the fully formed RRSIG RR.
*/ */
public static RRSIGRecord generateRRSIG(byte[] signature, RRSIGRecord presig) public static RRSIGRecord generateRRSIG(byte[] signature, RRSIGRecord presig) {
{ return new RRSIGRecord(presig.getName(), presig.getDClass(),
return new RRSIGRecord(presig.getName(), presig.getDClass(), presig presig.getTTL(), presig.getTypeCovered(),
.getTTL(), presig.getTypeCovered(), presig.getAlgorithm(), presig presig.getAlgorithm(), presig.getOrigTTL(), presig.getExpire(),
.getOrigTTL(), presig.getExpire(), presig.getTimeSigned(), presig presig.getTimeSigned(), presig.getFootprint(),
.getFootprint(), presig.getSigner(), signature); presig.getSigner(), signature);
} }
/** /**
@ -334,23 +340,25 @@ public class SignUtils
* formatted signature. * formatted signature.
* *
* <p> * <p>
* ASN.1 format = ASN1_SEQ . seq_length . ASN1_INT . Rlength . R . ANS1_INT . * ASN.1 format = ASN1_SEQ . seq_length . ASN1_INT . Rlength . R . ANS1_INT
* Slength . S * . Slength . S
* </p> * </p>
* *
* The integers R and S may have a leading null byte to force the integer * The integers R and S may have a leading null byte to force the integer
* positive. * positive.
* *
* @param signature the RFC 2536 formatted DSA signature. * @param signature
* the RFC 2536 formatted DSA signature.
* @return The ASN.1 formatted DSA signature. * @return The ASN.1 formatted DSA signature.
* @throws SignatureException if there was something wrong with the RFC 2536 * @throws SignatureException
* formatted signature. * if there was something wrong with the RFC 2536 formatted
* signature.
*/ */
public static byte[] convertDSASignature(byte[] signature) public static byte[] convertDSASignature(byte[] signature)
throws SignatureException throws SignatureException {
{
if (signature.length != 41) if (signature.length != 41)
throw new SignatureException("RFC 2536 signature not expected length."); throw new SignatureException(
"RFC 2536 signature not expected length.");
byte r_pad = 0; byte r_pad = 0;
byte s_pad = 0; byte s_pad = 0;
@ -401,30 +409,30 @@ public class SignUtils
* length, and R & S are formatted to be exactly 20 bytes each (no leading * length, and R & S are formatted to be exactly 20 bytes each (no leading
* null bytes). * null bytes).
* *
* @param params the DSA parameters associated with the DSA key used to * @param params
* the DSA parameters associated with the DSA key used to
* generate the signature. * generate the signature.
* @param signature the ASN.1 formatted DSA signature. * @param signature
* the ASN.1 formatted DSA signature.
* @return a RFC 2536 formatted DSA signature. * @return a RFC 2536 formatted DSA signature.
* @throws SignatureException if something is wrong with the ASN.1 format. * @throws SignatureException
* if something is wrong with the ASN.1 format.
*/ */
public static byte[] convertDSASignature(DSAParams params, byte[] signature) public static byte[] convertDSASignature(DSAParams params, byte[] signature)
throws SignatureException throws SignatureException {
{ if (signature[0] != ASN1_SEQ || signature[2] != ASN1_INT) {
if (signature[0] != ASN1_SEQ || signature[2] != ASN1_INT)
{
throw new SignatureException( throw new SignatureException(
"Invalid ASN.1 signature format: expected SEQ, INT"); "Invalid ASN.1 signature format: expected SEQ, INT");
} }
byte r_pad = (byte) (signature[3] - 20); byte r_pad = (byte) (signature[3] - 20);
if (signature[24 + r_pad] != ASN1_INT) if (signature[24 + r_pad] != ASN1_INT) {
{
throw new SignatureException( throw new SignatureException(
"Invalid ASN.1 signature format: expected SEQ, INT, INT"); "Invalid ASN.1 signature format: expected SEQ, INT, INT");
} }
// log.trace("(start) ASN.1 DSA Sig:\n" + base64.toString(signature)); // log.trace("(start) ASN.1 DSA Sig:\n" + base64.toString(signature));
byte s_pad = (byte) (signature[25 + r_pad] - 20); byte s_pad = (byte) (signature[25 + r_pad] - 20);
@ -434,12 +442,9 @@ public class SignUtils
sig[0] = (byte) ((params.getP().bitLength() - 512) / 64); sig[0] = (byte) ((params.getP().bitLength() - 512) / 64);
// copy R value // copy R value
if (r_pad >= 0) if (r_pad >= 0) {
{
System.arraycopy(signature, 4 + r_pad, sig, 1, 20); System.arraycopy(signature, 4 + r_pad, sig, 1, 20);
} } else {
else
{
// R is shorter than 20 bytes, so right justify the number // R is shorter than 20 bytes, so right justify the number
// (r_pad is negative here, remember?). // (r_pad is negative here, remember?).
Arrays.fill(sig, 1, 1 - r_pad, (byte) 0); Arrays.fill(sig, 1, 1 - r_pad, (byte) 0);
@ -447,27 +452,24 @@ public class SignUtils
} }
// copy S value // copy S value
if (s_pad >= 0) if (s_pad >= 0) {
{
System.arraycopy(signature, 26 + r_pad + s_pad, sig, 21, 20); System.arraycopy(signature, 26 + r_pad + s_pad, sig, 21, 20);
} } else {
else
{
// S is shorter than 20 bytes, so right justify the number // S is shorter than 20 bytes, so right justify the number
// (s_pad is negative here). // (s_pad is negative here).
Arrays.fill(sig, 21, 21 - s_pad, (byte) 0); Arrays.fill(sig, 21, 21 - s_pad, (byte) 0);
System.arraycopy(signature, 26 + r_pad, sig, 21 - s_pad, 20 + s_pad); System.arraycopy(signature, 26 + r_pad, sig, 21 - s_pad, 20 + s_pad);
} }
// if (r_pad < 0 || s_pad < 0) // if (r_pad < 0 || s_pad < 0)
// { // {
// log.trace("(finish ***) RFC 2536 DSA Sig:\n" + base64.toString(sig)); // log.trace("(finish ***) RFC 2536 DSA Sig:\n" + base64.toString(sig));
// //
// } // }
// else // else
// { // {
// log.trace("(finish) RFC 2536 DSA Sig:\n" + base64.toString(sig)); // log.trace("(finish) RFC 2536 DSA Sig:\n" + base64.toString(sig));
// } // }
return sig; return sig;
} }

10
src/com/versign/tat/dnssec/TrustAnchorStore.java
View File

@ -33,16 +33,12 @@ import java.util.Map;
import org.xbill.DNS.Name; import org.xbill.DNS.Name;
import com.versign.tat.dnssec.SRRset;
import com.versign.tat.dnssec.SecurityStatus;
/** /**
* *
*/ */
public class TrustAnchorStore public class TrustAnchorStore
{ {
private Map mMap; private Map<String, SRRset> mMap;
public TrustAnchorStore() public TrustAnchorStore()
{ {
@ -59,7 +55,7 @@ public class TrustAnchorStore
{ {
if (mMap == null) if (mMap == null)
{ {
mMap = new HashMap(); mMap = new HashMap<String, SRRset>();
} }
String k = key(rrset.getName(), rrset.getDClass()); String k = key(rrset.getName(), rrset.getDClass());
rrset.setSecurityStatus(SecurityStatus.SECURE); rrset.setSecurityStatus(SecurityStatus.SECURE);
@ -70,7 +66,7 @@ public class TrustAnchorStore
private SRRset lookup(String key) private SRRset lookup(String key)
{ {
if (mMap == null) return null; if (mMap == null) return null;
return (SRRset) mMap.get(key); return mMap.get(key);
} }
public SRRset find(Name n, int dclass) public SRRset find(Name n, int dclass)

42
src/com/versign/tat/dnssec/Util.java
View File

@ -31,15 +31,10 @@ package com.versign.tat.dnssec;
import java.util.*; import java.util.*;
import org.xbill.DNS.Flags;
import org.xbill.DNS.Header;
import org.xbill.DNS.Name; import org.xbill.DNS.Name;
/** /**
* Some basic utility functions. * Some basic utility functions.
*
* @author davidb
* @version $Revision$
*/ */
public class Util public class Util
{ {
@ -61,31 +56,6 @@ public class Util
return n; return n;
} }
// public static SMessage errorMessage(Request request, int rcode)
// {
// SMessage m = new SMessage(request.getID());
// Header h = m.getHeader();
// h.setRcode(rcode);
// h.setFlag(Flags.QR);
// m.setQuestion(request.getQuestion());
// m.setOPT(request.getOPT());
//
// return m;
// }
//
// public static SMessage errorMessage(SMessage message, int rcode)
// {
// Header h = message.getHeader();
// SMessage m = new SMessage(h.getID());
// h = m.getHeader();
// h.setRcode(rcode);
// h.setFlag(Flags.QR);
// m.setQuestion(message.getQuestion());
// m.setOPT(message.getOPT());
//
// return m;
// }
public static int parseInt(String s, int def) public static int parseInt(String s, int def)
{ {
if (s == null) return def; if (s == null) return def;
@ -123,23 +93,19 @@ public class Util
} }
} }
public static List parseConfigPrefix(Properties config, String prefix) public static List<ConfigEntry> parseConfigPrefix(Properties config, String prefix)
{ {
if (! prefix.endsWith(".")) if (! prefix.endsWith("."))
{ {
prefix = prefix + "."; prefix = prefix + ".";
} }
List res = new ArrayList(); List<ConfigEntry> res = new ArrayList<ConfigEntry>();
for (Iterator i = config.entrySet().iterator(); i.hasNext(); ) for (Map.Entry<Object, Object> entry : config.entrySet()) {
{
Map.Entry entry = (Map.Entry) i.next();
String key = (String) entry.getKey(); String key = (String) entry.getKey();
if (key.startsWith(prefix)) if (key.startsWith(prefix)) {
{
key = key.substring(prefix.length()); key = key.substring(prefix.length());
res.add(new ConfigEntry(key, (String) entry.getValue())); res.add(new ConfigEntry(key, (String) entry.getValue()));
} }
} }

272
src/com/versign/tat/dnssec/ValUtils.java
View File

@ -45,26 +45,40 @@ public class ValUtils {
// validation strategy. They have no bearing on the iterative resolution // validation strategy. They have no bearing on the iterative resolution
// algorithm, so they are confined here. // algorithm, so they are confined here.
/** Not subtyped yet. */ public enum ResponseType {
public static final int UNTYPED = 0; UNTYPED, // not sub typed yet
UNKNOWN, // not a recognized sub type
POSITIVE, // a positive response (no CNAME/DNAME chain)
CNAME, // a positive response with a CNAME/DNAME chain.
NODATA, // a NOERROR/NODATA response
NAMEERROR, // a NXDOMAIN response
ANY, // a response to a qtype=ANY query
REFERRAL,
// a referral response
THROWAWAY
// a throwaway response (i.e., an error)
}
/** Not a recognized subtype. */ // /** Not subtyped yet. */
public static final int UNKNOWN = 1; // public static final int UNTYPED = 0;
//
/** A postive, direct, response. */ // /** Not a recognized subtype. */
public static final int POSITIVE = 2; // public static final int UNKNOWN = 1;
//
/** A postive response, with a CNAME/DNAME chain. */ // /** A postive, direct, response. */
public static final int CNAME = 3; // public static final int POSITIVE = 2;
//
/** A NOERROR/NODATA response. */ // /** A postive response, with a CNAME/DNAME chain. */
public static final int NODATA = 4; // public static final int CNAME = 3;
//
/** A NXDOMAIN response. */ // /** A NOERROR/NODATA response. */
public static final int NAMEERROR = 5; // public static final int NODATA = 4;
//
/** A response to a qtype=ANY query. */ // /** A NXDOMAIN response. */
public static final int ANY = 6; // public static final int NAMEERROR = 5;
//
// /** A response to a qtype=ANY query. */
// public static final int ANY = 6;
/** A local copy of the verifier object. */ /** A local copy of the verifier object. */
private DnsSecVerifier mVerifier; private DnsSecVerifier mVerifier;
@ -81,18 +95,38 @@ public class ValUtils {
* *
* @return A subtype ranging from UNKNOWN to NAMEERROR. * @return A subtype ranging from UNKNOWN to NAMEERROR.
*/ */
public static int classifyResponse(SMessage m) { public static ResponseType classifyResponse(SMessage m, Name zone) {
SRRset[] rrsets;
// Normal Name Error's are easy to detect -- but don't mistake a CNAME // Normal Name Error's are easy to detect -- but don't mistake a CNAME
// chain ending in NXDOMAIN. // chain ending in NXDOMAIN.
if (m.getRcode() == Rcode.NXDOMAIN && m.getCount(Section.ANSWER) == 0) { if (m.getRcode() == Rcode.NXDOMAIN && m.getCount(Section.ANSWER) == 0) {
return NAMEERROR; return ResponseType.NAMEERROR;
}
// If rcode isn't NXDOMAIN or NOERROR, it is a throwaway response.
if (m.getRcode() != Rcode.NOERROR) {
return ResponseType.THROWAWAY;
}
// Next is REFERRAL. These are distinguished by having:
// 1) nothing in the ANSWER section
// 2) an NS RRset in the AUTHORITY section that is a strict subdomain of
// 'zone' (the presumed queried zone).
if (zone != null && m.getCount(Section.ANSWER) == 0
&& m.getCount(Section.AUTHORITY) > 0) {
rrsets = m.getSectionRRsets(Section.AUTHORITY);
for (int i = 0; i < rrsets.length; ++i) {
if (rrsets[i].getType() == Type.NS
&& strictSubdomain(rrsets[i].getName(), zone)) {
return ResponseType.REFERRAL;
}
}
} }
// Next is NODATA // Next is NODATA
// st_log.debug("classifyResponse: ancount = " +
// m.getCount(Section.ANSWER));
if (m.getCount(Section.ANSWER) == 0) { if (m.getCount(Section.ANSWER) == 0) {
return NODATA; return ResponseType.NODATA;
} }
// We distinguish between CNAME response and other positive/negative // We distinguish between CNAME response and other positive/negative
@ -100,23 +134,22 @@ public class ValUtils {
int qtype = m.getQuestion().getType(); int qtype = m.getQuestion().getType();
// We distinguish between ANY and CNAME or POSITIVE because ANY // We distinguish between ANY and CNAME or POSITIVE because ANY
// responses // responses are validated differently.
// are validated differently.
if (qtype == Type.ANY) { if (qtype == Type.ANY) {
return ANY; return ResponseType.ANY;
} }
SRRset[] rrsets = m.getSectionRRsets(Section.ANSWER); rrsets = m.getSectionRRsets(Section.ANSWER);
// Note that DNAMEs will be ignored here, unless qtype=DNAME. Unless // Note that DNAMEs will be ignored here, unless qtype=DNAME. Unless
// qtype=CNAME, this will yield a CNAME response. // qtype=CNAME, this will yield a CNAME response.
for (int i = 0; i < rrsets.length; i++) { for (int i = 0; i < rrsets.length; i++) {
if (rrsets[i].getType() == qtype) return POSITIVE; if (rrsets[i].getType() == qtype) return ResponseType.POSITIVE;
if (rrsets[i].getType() == Type.CNAME) return CNAME; if (rrsets[i].getType() == Type.CNAME) return ResponseType.CNAME;
} }
// st_log.warn("Failed to classify response message:\n" + m); // st_log.warn("Failed to classify response message:\n" + m);
return UNKNOWN; return ResponseType.UNKNOWN;
} }
/** /**
@ -126,162 +159,25 @@ public class ValUtils {
* *
* @param m * @param m
* The response to analyze. * The response to analyze.
* @param request
* The request that generated the response.
* @return a signer name, if the response is signed (even partially), or * @return a signer name, if the response is signed (even partially), or
* null if the response isn't signed. * null if the response isn't signed.
*/ */
public Name findSigner(SMessage m) { public Name findSigner(SMessage m) {
int subtype = classifyResponse(m); // FIXME: this used to classify the message, then look in the pertinent
Name qname = m.getQName(); // section. Now we just find the first RRSIG in the ANSWER and AUTHORIY
// sections.
SRRset[] rrsets; for (int section = Section.ANSWER; section < Section.ADDITIONAL; ++section) {
SRRset[] rrsets = m.getSectionRRsets(section);
switch (subtype) { for (int i = 0; i < rrsets.length; ++i) {
case POSITIVE: Name signerName = rrsets[i].getSignerName();
case CNAME: if (signerName != null) return signerName;
case ANY:
// Check to see if the ANSWER section RRset
rrsets = m.getSectionRRsets(Section.ANSWER);
for (int i = 0; i < rrsets.length; i++) {
if (rrsets[i].getName().equals(qname)) {
return rrsets[i].getSignerName();
} }
} }
return null; return null;
case NAMEERROR:
case NODATA:
// Check to see if the AUTH section NSEC record(s) have rrsigs
rrsets = m.getSectionRRsets(Section.AUTHORITY);
for (int i = 0; i < rrsets.length; i++) {
if (rrsets[i].getType() == Type.NSEC
|| rrsets[i].getType() == Type.NSEC3) {
return rrsets[i].getSignerName();
}
}
return null;
default:
// log.debug("findSigner: could not find signer name "
// + "for unknown type response.");
return null;
}
} }
public boolean dssetIsUsable(SRRset ds_rrset) {
for (Iterator i = ds_rrset.rrs(); i.hasNext();) {
DSRecord ds = (DSRecord) i.next();
if (supportsDigestID(ds.getDigestID())
&& mVerifier.supportsAlgorithm(ds.getAlgorithm())) {
return true;
}
}
return false;
}
/**
* Given a DS rrset and a DNSKEY rrset, match the DS to a DNSKEY and verify
* the DNSKEY rrset with that key.
*
* @param dnskey_rrset
* The DNSKEY rrset to match against. The security status of this
* rrset will be updated on a successful verification.
* @param ds_rrset
* The DS rrset to match with. This rrset must already be
* trusted.
*
* @return a KeyEntry. This will either contain the now trusted
* dnskey_rrset, a "null" key entry indicating that this DS
* rrset/DNSKEY pair indicate an secure end to the island of trust
* (i.e., unknown algorithms), or a "bad" KeyEntry if the dnskey
* rrset fails to verify. Note that the "null" response should
* generally only occur in a private algorithm scenario: normally
* this sort of thing is checked before fetching the matching DNSKEY
* rrset.
*/
// public KeyEntry verifyNewDNSKEYs(SRRset dnskey_rrset, SRRset ds_rrset)
// {
// if (!dnskey_rrset.getName().equals(ds_rrset.getName()))
// {
// // log.debug("DNSKEY RRset did not match DS RRset by name!");
// return KeyEntry
// .newBadKeyEntry(ds_rrset.getName(), ds_rrset.getDClass());
// }
//
// // as long as this is false, we can consider this DS rrset to be
// // equivalent to no DS rrset.
// boolean hasUsefulDS = false;
//
// for (Iterator i = ds_rrset.rrs(); i.hasNext();)
// {
// DSRecord ds = (DSRecord) i.next();
//
// // Check to see if we can understand this DS.
// if (!supportsDigestID(ds.getDigestID())
// || !mVerifier.supportsAlgorithm(ds.getAlgorithm()))
// {
// continue;
// }
//
// // Once we see a single DS with a known digestID and algorithm, we
// // cannot return INSECURE (with a "null" KeyEntry).
// hasUsefulDS = true;
//
// DNSKEY : for (Iterator j = dnskey_rrset.rrs(); j.hasNext();)
// {
// DNSKEYRecord dnskey = (DNSKEYRecord) j.next();
//
// // Skip DNSKEYs that don't match the basic criteria.
// if (ds.getFootprint() != dnskey.getFootprint()
// || ds.getAlgorithm() != dnskey.getAlgorithm())
// {
// continue;
// }
//
// // Convert the candidate DNSKEY into a hash using the same DS hash
// // algorithm.
// byte[] key_hash = calculateDSHash(dnskey, ds.getDigestID());
// byte[] ds_hash = ds.getDigest();
//
// // see if there is a length mismatch (unlikely)
// if (key_hash.length != ds_hash.length)
// {
// continue DNSKEY;
// }
//
// for (int k = 0; k < key_hash.length; k++)
// {
// if (key_hash[k] != ds_hash[k]) continue DNSKEY;
// }
//
// // Otherwise, we have a match! Make sure that the DNSKEY verifies
// // *with this key*.
// byte res = mVerifier.verify(dnskey_rrset, dnskey);
// if (res == SecurityStatus.SECURE)
// {
// // log.trace("DS matched DNSKEY.");
// dnskey_rrset.setSecurityStatus(SecurityStatus.SECURE);
// return KeyEntry.newKeyEntry(dnskey_rrset);
// }
// // If it didn't validate with the DNSKEY, try the next one!
// }
// }
//
// // None of the DS's worked out.
//
// // If no DSs were understandable, then this is OK.
// if (!hasUsefulDS)
// {
// //
// log.debug("No usuable DS records were found -- treating as insecure.");
// return KeyEntry.newNullKeyEntry(ds_rrset.getName(), ds_rrset
// .getDClass(), ds_rrset.getTTL());
// }
// // If any were understandable, then it is bad.
// // log.debug("Failed to match any usable DS to a DNSKEY.");
// return KeyEntry.newBadKeyEntry(ds_rrset.getName(), ds_rrset.getDClass());
// }
/** /**
* Given a DNSKEY record, generate the DS record from it. * Given a DNSKEY record, generate the DS record from it.
* *
@ -406,9 +302,9 @@ public class ValUtils {
* @return The status (BOGUS or SECURE). * @return The status (BOGUS or SECURE).
*/ */
public byte verifySRRset(SRRset rrset, SRRset key_rrset) { public byte verifySRRset(SRRset rrset, SRRset key_rrset) {
String rrset_name = rrset.getName() + "/" // String rrset_name = rrset.getName() + "/"
+ Type.string(rrset.getType()) + "/" // + Type.string(rrset.getType()) + "/"
+ DClass.string(rrset.getDClass()); // + DClass.string(rrset.getDClass());
if (rrset.getSecurityStatus() == SecurityStatus.SECURE) { if (rrset.getSecurityStatus() == SecurityStatus.SECURE) {
// log.trace("verifySRRset: rrset <" + rrset_name // log.trace("verifySRRset: rrset <" + rrset_name
@ -433,7 +329,7 @@ public class ValUtils {
} }
/** /**
* Determine if a given type map has a given typ. * Determine if a given type map has a given type.
* *
* @param types * @param types
* The type map from the NSEC record. * The type map from the NSEC record.
@ -448,6 +344,7 @@ public class ValUtils {
return false; return false;
} }
@SuppressWarnings("unchecked")
public static RRSIGRecord rrsetFirstSig(RRset rrset) { public static RRSIGRecord rrsetFirstSig(RRset rrset) {
for (Iterator i = rrset.sigs(); i.hasNext();) { for (Iterator i = rrset.sigs(); i.hasNext();) {
return (RRSIGRecord) i.next(); return (RRSIGRecord) i.next();
@ -517,7 +414,7 @@ public class ValUtils {
* generating wildcard. * generating wildcard.
* *
* @param rrset * @param rrset
* The rrset to chedck. * The rrset to check.
* @return the wildcard name, if the rrset was synthesized from a wildcard. * @return the wildcard name, if the rrset was synthesized from a wildcard.
* null if not. * null if not.
*/ */
@ -577,14 +474,11 @@ public class ValUtils {
// If NSEC is a parent of qname, we need to check the type map // If NSEC is a parent of qname, we need to check the type map
// If the parent name has a DNAME or is a delegation point, then this // If the parent name has a DNAME or is a delegation point, then this
// NSEC // NSEC is being misused.
// is being misused. boolean hasBadType = typeMapHasType(nsec.getTypes(), Type.DNAME)
if (qname.subdomain(owner) || (typeMapHasType(nsec.getTypes(), Type.NS) && !typeMapHasType(nsec.getTypes(),
&& (typeMapHasType(nsec.getTypes(), Type.DNAME) || (typeMapHasType( Type.SOA));
nsec.getTypes(), if (qname.subdomain(owner) && hasBadType) {
Type.NS) && !typeMapHasType(
nsec.getTypes(),
Type.SOA)))) {
return false; return false;
} }