remove some warnings by using java 5 features
This commit is contained in:
parent
c43169bc24
commit
1f647e3c77
@ -298,6 +298,14 @@ public class CaptiveValidator {
|
|||||||
m.setStatus(SecurityStatus.SECURE);
|
m.setStatus(SecurityStatus.SECURE);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private void validateReferral(SMessage message, SRRset key_rrset) {
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
private void validateCNAMEResponse(SMessage message, SRRset key_rrset) {
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Given an "ANY" response -- a response that contains an answer to a
|
* Given an "ANY" response -- a response that contains an answer to a
|
||||||
* qtype==ANY question, with answers. This consists of simply verifying all
|
* qtype==ANY question, with answers. This consists of simply verifying all
|
||||||
@ -675,34 +683,38 @@ public class CaptiveValidator {
|
|||||||
// }
|
// }
|
||||||
|
|
||||||
|
|
||||||
public byte validateMessage(SMessage message) {
|
public byte validateMessage(SMessage message, Name zone) {
|
||||||
|
|
||||||
SRRset key_rrset = findKeys(message);
|
SRRset key_rrset = findKeys(message);
|
||||||
if (key_rrset == null) {
|
if (key_rrset == null) {
|
||||||
return SecurityStatus.BOGUS;
|
return SecurityStatus.BOGUS;
|
||||||
}
|
}
|
||||||
|
|
||||||
int subtype = ValUtils.classifyResponse(message);
|
ValUtils.ResponseType subtype = ValUtils.classifyResponse(message, zone);
|
||||||
|
|
||||||
switch (subtype) {
|
switch (subtype) {
|
||||||
case ValUtils.POSITIVE:
|
case POSITIVE:
|
||||||
// log.trace("Validating a positive response");
|
// log.trace("Validating a positive response");
|
||||||
validatePositiveResponse(message, key_rrset);
|
validatePositiveResponse(message, key_rrset);
|
||||||
break;
|
break;
|
||||||
case ValUtils.NODATA:
|
case REFERRAL:
|
||||||
|
validateReferral(message, key_rrset);
|
||||||
|
break;
|
||||||
|
case NODATA:
|
||||||
// log.trace("Validating a nodata response");
|
// log.trace("Validating a nodata response");
|
||||||
validateNodataResponse(message, key_rrset);
|
validateNodataResponse(message, key_rrset);
|
||||||
break;
|
break;
|
||||||
case ValUtils.NAMEERROR:
|
case NAMEERROR:
|
||||||
// log.trace("Validating a nxdomain response");
|
// log.trace("Validating a nxdomain response");
|
||||||
validateNameErrorResponse(message, key_rrset);
|
validateNameErrorResponse(message, key_rrset);
|
||||||
break;
|
break;
|
||||||
case ValUtils.CNAME:
|
case CNAME:
|
||||||
// log.trace("Validating a cname response");
|
// log.trace("Validating a cname response");
|
||||||
// forward on to the special CNAME state for this.
|
// forward on to the special CNAME state for this.
|
||||||
// state.state = ValEventState.CNAME_STATE;
|
// state.state = ValEventState.CNAME_STATE;
|
||||||
|
validateCNAMEResponse(message, key_rrset);
|
||||||
break;
|
break;
|
||||||
case ValUtils.ANY:
|
case ANY:
|
||||||
// log.trace("Validating a postive ANY response");
|
// log.trace("Validating a postive ANY response");
|
||||||
validateAnyResponse(message, key_rrset);
|
validateAnyResponse(message, key_rrset);
|
||||||
break;
|
break;
|
||||||
|
@ -1,7 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* $Id$
|
* Copyright (c) 2009 VeriSign, Inc. All rights reserved.
|
||||||
*
|
|
||||||
* Copyright (c) 2005 VeriSign, Inc. All rights reserved.
|
|
||||||
*
|
*
|
||||||
* Redistribution and use in source and binary forms, with or without
|
* Redistribution and use in source and binary forms, with or without
|
||||||
* modification, are permitted provided that the following conditions
|
* modification, are permitted provided that the following conditions
|
||||||
@ -56,7 +54,7 @@ public class DnsSecVerifier
|
|||||||
* This is a mapping of DNSSEC algorithm numbers/private identifiers to JCA
|
* This is a mapping of DNSSEC algorithm numbers/private identifiers to JCA
|
||||||
* algorithm identifiers.
|
* algorithm identifiers.
|
||||||
*/
|
*/
|
||||||
private HashMap mAlgorithmMap;
|
private HashMap<Integer, AlgEntry> mAlgorithmMap;
|
||||||
|
|
||||||
private static class AlgEntry
|
private static class AlgEntry
|
||||||
{
|
{
|
||||||
@ -74,7 +72,7 @@ public class DnsSecVerifier
|
|||||||
|
|
||||||
public DnsSecVerifier()
|
public DnsSecVerifier()
|
||||||
{
|
{
|
||||||
mAlgorithmMap = new HashMap();
|
mAlgorithmMap = new HashMap<Integer, AlgEntry>();
|
||||||
|
|
||||||
// set the default algorithm map.
|
// set the default algorithm map.
|
||||||
mAlgorithmMap.put(new Integer(DNSSEC.RSAMD5), new AlgEntry("MD5withRSA",
|
mAlgorithmMap.put(new Integer(DNSSEC.RSAMD5), new AlgEntry("MD5withRSA",
|
||||||
@ -105,12 +103,9 @@ public class DnsSecVerifier
|
|||||||
|
|
||||||
// For now, we just accept new identifiers for existing algoirthms.
|
// For now, we just accept new identifiers for existing algoirthms.
|
||||||
// FIXME: handle private identifiers.
|
// FIXME: handle private identifiers.
|
||||||
List aliases = Util.parseConfigPrefix(config, "dns.algorithm.");
|
List<Util.ConfigEntry> aliases = Util.parseConfigPrefix(config, "dns.algorithm.");
|
||||||
|
|
||||||
for (Iterator i = aliases.iterator(); i.hasNext();)
|
|
||||||
{
|
|
||||||
Util.ConfigEntry entry = (Util.ConfigEntry) i.next();
|
|
||||||
|
|
||||||
|
for (Util.ConfigEntry entry : aliases) {
|
||||||
Integer alg_alias = new Integer(Util.parseInt(entry.key, -1));
|
Integer alg_alias = new Integer(Util.parseInt(entry.key, -1));
|
||||||
Integer alg_orig = new Integer(Util.parseInt(entry.value, -1));
|
Integer alg_orig = new Integer(Util.parseInt(entry.value, -1));
|
||||||
|
|
||||||
@ -132,16 +127,14 @@ public class DnsSecVerifier
|
|||||||
}
|
}
|
||||||
|
|
||||||
// for debugging purposes, log the entire algorithm map table.
|
// for debugging purposes, log the entire algorithm map table.
|
||||||
for (Iterator i = mAlgorithmMap.keySet().iterator(); i.hasNext(); )
|
// for (Integer alg : mAlgorithmMap.keySet()) {
|
||||||
{
|
// AlgEntry entry = mAlgorithmMap.get(alg);
|
||||||
Integer alg = (Integer) i.next();
|
|
||||||
AlgEntry entry = (AlgEntry) mAlgorithmMap.get(alg);
|
|
||||||
// if (entry == null)
|
// if (entry == null)
|
||||||
// log.warn("DNSSEC alg " + alg + " has a null entry!");
|
// log.warn("DNSSEC alg " + alg + " has a null entry!");
|
||||||
// else
|
// else
|
||||||
// log.debug("DNSSEC alg " + alg + " maps to " + entry.jcaName
|
// log.debug("DNSSEC alg " + alg + " maps to " + entry.jcaName
|
||||||
// + " (" + entry.dnssecAlg + ")");
|
// + " (" + entry.dnssecAlg + ")");
|
||||||
}
|
// }
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -154,7 +147,8 @@ public class DnsSecVerifier
|
|||||||
* @return A List contains a one or more DNSKEYRecord objects, or null if a
|
* @return A List contains a one or more DNSKEYRecord objects, or null if a
|
||||||
* matching DNSKEY could not be found.
|
* matching DNSKEY could not be found.
|
||||||
*/
|
*/
|
||||||
private List findKey(RRset dnskey_rrset, RRSIGRecord signature)
|
@SuppressWarnings("unchecked")
|
||||||
|
private List<DNSKEYRecord> findKey(RRset dnskey_rrset, RRSIGRecord signature)
|
||||||
{
|
{
|
||||||
if (!signature.getSigner().equals(dnskey_rrset.getName()))
|
if (!signature.getSigner().equals(dnskey_rrset.getName()))
|
||||||
{
|
{
|
||||||
@ -167,7 +161,7 @@ public class DnsSecVerifier
|
|||||||
int keyid = signature.getFootprint();
|
int keyid = signature.getFootprint();
|
||||||
int alg = signature.getAlgorithm();
|
int alg = signature.getAlgorithm();
|
||||||
|
|
||||||
List res = new ArrayList(dnskey_rrset.size());
|
List<DNSKEYRecord> res = new ArrayList<DNSKEYRecord>(dnskey_rrset.size());
|
||||||
|
|
||||||
for (Iterator i = dnskey_rrset.rrs(); i.hasNext();)
|
for (Iterator i = dnskey_rrset.rrs(); i.hasNext();)
|
||||||
{
|
{
|
||||||
@ -325,7 +319,7 @@ public class DnsSecVerifier
|
|||||||
byte result = checkSignature(rrset, sigrec);
|
byte result = checkSignature(rrset, sigrec);
|
||||||
if (result != SecurityStatus.SECURE) return result;
|
if (result != SecurityStatus.SECURE) return result;
|
||||||
|
|
||||||
List keys = findKey(key_rrset, sigrec);
|
List<DNSKEYRecord> keys = findKey(key_rrset, sigrec);
|
||||||
|
|
||||||
if (keys == null)
|
if (keys == null)
|
||||||
{
|
{
|
||||||
@ -335,9 +329,7 @@ public class DnsSecVerifier
|
|||||||
|
|
||||||
byte status = SecurityStatus.UNCHECKED;
|
byte status = SecurityStatus.UNCHECKED;
|
||||||
|
|
||||||
for (Iterator i = keys.iterator(); i.hasNext();)
|
for (DNSKEYRecord key : keys) {
|
||||||
{
|
|
||||||
DNSKEYRecord key = (DNSKEYRecord) i.next();
|
|
||||||
status = verifySignature(rrset, sigrec, key);
|
status = verifySignature(rrset, sigrec, key);
|
||||||
|
|
||||||
if (status == SecurityStatus.SECURE) break;
|
if (status == SecurityStatus.SECURE) break;
|
||||||
@ -354,7 +346,8 @@ public class DnsSecVerifier
|
|||||||
* @return SecurityStatus.SECURE if the rrest verified positively,
|
* @return SecurityStatus.SECURE if the rrest verified positively,
|
||||||
* SecurityStatus.BOGUS otherwise.
|
* SecurityStatus.BOGUS otherwise.
|
||||||
*/
|
*/
|
||||||
public byte verify(RRset rrset, RRset key_rrset)
|
@SuppressWarnings("unchecked")
|
||||||
|
public byte verify(RRset rrset, RRset key_rrset)
|
||||||
{
|
{
|
||||||
Iterator i = rrset.sigs();
|
Iterator i = rrset.sigs();
|
||||||
|
|
||||||
@ -386,7 +379,8 @@ public class DnsSecVerifier
|
|||||||
* @param dnskey The DNSKEY to verify with.
|
* @param dnskey The DNSKEY to verify with.
|
||||||
* @return SecurityStatus.SECURE if the rrset verified, BOGUS otherwise.
|
* @return SecurityStatus.SECURE if the rrset verified, BOGUS otherwise.
|
||||||
*/
|
*/
|
||||||
public byte verify(RRset rrset, DNSKEYRecord dnskey)
|
@SuppressWarnings("unchecked")
|
||||||
|
public byte verify(RRset rrset, DNSKEYRecord dnskey)
|
||||||
{
|
{
|
||||||
// Iterate over RRSIGS
|
// Iterate over RRSIGS
|
||||||
|
|
||||||
|
File diff suppressed because it is too large
Load Diff
@ -36,369 +36,324 @@ import org.xbill.DNS.*;
|
|||||||
/**
|
/**
|
||||||
* This class represents a DNS message with resolver/validator state.
|
* This class represents a DNS message with resolver/validator state.
|
||||||
*/
|
*/
|
||||||
public class SMessage
|
public class SMessage {
|
||||||
{
|
private Header mHeader;
|
||||||
private Header mHeader;
|
|
||||||
|
|
||||||
private Record mQuestion;
|
private Record mQuestion;
|
||||||
private OPTRecord mOPTRecord;
|
private OPTRecord mOPTRecord;
|
||||||
private List[] mSection;
|
private List<SRRset>[] mSection;
|
||||||
private SecurityStatus mSecurityStatus;
|
private SecurityStatus mSecurityStatus;
|
||||||
|
|
||||||
private static SRRset[] empty_srrset_array = new SRRset[0];
|
private static SRRset[] empty_srrset_array = new SRRset[0];
|
||||||
|
|
||||||
public SMessage(Header h)
|
@SuppressWarnings("unchecked")
|
||||||
{
|
public SMessage(Header h) {
|
||||||
mSection = new List[3];
|
mSection = (List<SRRset>[]) new List[3];
|
||||||
mHeader = h;
|
mHeader = h;
|
||||||
mSecurityStatus = new SecurityStatus();
|
mSecurityStatus = new SecurityStatus();
|
||||||
}
|
|
||||||
|
|
||||||
public SMessage(int id)
|
|
||||||
{
|
|
||||||
this(new Header(id));
|
|
||||||
}
|
|
||||||
|
|
||||||
public SMessage()
|
|
||||||
{
|
|
||||||
this(new Header(0));
|
|
||||||
}
|
|
||||||
|
|
||||||
public SMessage(Message m)
|
|
||||||
{
|
|
||||||
this(m.getHeader());
|
|
||||||
mQuestion = m.getQuestion();
|
|
||||||
mOPTRecord = m.getOPT();
|
|
||||||
|
|
||||||
for (int i = Section.ANSWER; i <= Section.ADDITIONAL; i++)
|
|
||||||
{
|
|
||||||
RRset[] rrsets = m.getSectionRRsets(i);
|
|
||||||
|
|
||||||
for (int j = 0; j < rrsets.length; j++)
|
|
||||||
{
|
|
||||||
addRRset(rrsets[j], i);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
public Header getHeader()
|
|
||||||
{
|
|
||||||
return mHeader;
|
|
||||||
}
|
|
||||||
|
|
||||||
public void setHeader(Header h)
|
|
||||||
{
|
|
||||||
mHeader = h;
|
|
||||||
}
|
|
||||||
|
|
||||||
public void setQuestion(Record r)
|
|
||||||
{
|
|
||||||
mQuestion = r;
|
|
||||||
}
|
|
||||||
|
|
||||||
public Record getQuestion()
|
|
||||||
{
|
|
||||||
return mQuestion;
|
|
||||||
}
|
|
||||||
|
|
||||||
public Name getQName() {
|
|
||||||
return getQuestion().getName();
|
|
||||||
}
|
|
||||||
|
|
||||||
public int getQType() {
|
|
||||||
return getQuestion().getType();
|
|
||||||
}
|
|
||||||
|
|
||||||
public int getQClass() {
|
|
||||||
return getQuestion().getDClass();
|
|
||||||
}
|
|
||||||
|
|
||||||
public void setOPT(OPTRecord r)
|
|
||||||
{
|
|
||||||
mOPTRecord = r;
|
|
||||||
}
|
|
||||||
|
|
||||||
public OPTRecord getOPT()
|
|
||||||
{
|
|
||||||
return mOPTRecord;
|
|
||||||
}
|
|
||||||
|
|
||||||
public List getSectionList(int section)
|
|
||||||
{
|
|
||||||
if (section <= Section.QUESTION || section > Section.ADDITIONAL)
|
|
||||||
throw new IllegalArgumentException("Invalid section.");
|
|
||||||
|
|
||||||
if (mSection[section - 1] == null)
|
|
||||||
{
|
|
||||||
mSection[section - 1] = new LinkedList();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return mSection[section - 1];
|
public SMessage(int id) {
|
||||||
}
|
this(new Header(id));
|
||||||
|
|
||||||
public void addRRset(SRRset srrset, int section)
|
|
||||||
{
|
|
||||||
if (section <= Section.QUESTION || section > Section.ADDITIONAL)
|
|
||||||
throw new IllegalArgumentException("Invalid section");
|
|
||||||
|
|
||||||
if (srrset.getType() == Type.OPT)
|
|
||||||
{
|
|
||||||
mOPTRecord = (OPTRecord) srrset.first();
|
|
||||||
return;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
List sectionList = getSectionList(section);
|
public SMessage() {
|
||||||
sectionList.add(srrset);
|
this(new Header(0));
|
||||||
}
|
|
||||||
|
|
||||||
public void addRRset(RRset rrset, int section)
|
|
||||||
{
|
|
||||||
if (rrset instanceof SRRset)
|
|
||||||
{
|
|
||||||
addRRset((SRRset) rrset, section);
|
|
||||||
return;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
SRRset srrset = new SRRset(rrset);
|
public SMessage(Message m) {
|
||||||
addRRset(srrset, section);
|
this(m.getHeader());
|
||||||
}
|
mQuestion = m.getQuestion();
|
||||||
|
mOPTRecord = m.getOPT();
|
||||||
|
|
||||||
public void prependRRsets(List rrsets, int section)
|
for (int i = Section.ANSWER; i <= Section.ADDITIONAL; i++) {
|
||||||
{
|
RRset[] rrsets = m.getSectionRRsets(i);
|
||||||
if (section <= Section.QUESTION || section > Section.ADDITIONAL)
|
|
||||||
throw new IllegalArgumentException("Invalid section");
|
|
||||||
|
|
||||||
List sectionList = getSectionList(section);
|
for (int j = 0; j < rrsets.length; j++) {
|
||||||
sectionList.addAll(0, rrsets);
|
addRRset(rrsets[j], i);
|
||||||
}
|
}
|
||||||
|
|
||||||
public SRRset[] getSectionRRsets(int section)
|
|
||||||
{
|
|
||||||
List slist = getSectionList(section);
|
|
||||||
|
|
||||||
return (SRRset[]) slist.toArray(empty_srrset_array);
|
|
||||||
}
|
|
||||||
|
|
||||||
public SRRset[] getSectionRRsets(int section, int qtype)
|
|
||||||
{
|
|
||||||
List slist = getSectionList(section);
|
|
||||||
|
|
||||||
if (slist.size() == 0) return new SRRset[0];
|
|
||||||
|
|
||||||
ArrayList result = new ArrayList(slist.size());
|
|
||||||
for (Iterator i = slist.iterator(); i.hasNext();)
|
|
||||||
{
|
|
||||||
SRRset rrset = (SRRset) i.next();
|
|
||||||
if (rrset.getType() == qtype) result.add(rrset);
|
|
||||||
}
|
|
||||||
|
|
||||||
return (SRRset[]) result.toArray(empty_srrset_array);
|
|
||||||
}
|
|
||||||
|
|
||||||
public void deleteRRset(SRRset rrset, int section)
|
|
||||||
{
|
|
||||||
List slist = getSectionList(section);
|
|
||||||
|
|
||||||
if (slist.size() == 0) return;
|
|
||||||
|
|
||||||
slist.remove(rrset);
|
|
||||||
}
|
|
||||||
|
|
||||||
public void clear(int section)
|
|
||||||
{
|
|
||||||
if (section < Section.QUESTION || section > Section.ADDITIONAL)
|
|
||||||
throw new IllegalArgumentException("Invalid section.");
|
|
||||||
|
|
||||||
if (section == Section.QUESTION)
|
|
||||||
{
|
|
||||||
mQuestion = null;
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
if (section == Section.ADDITIONAL)
|
|
||||||
{
|
|
||||||
mOPTRecord = null;
|
|
||||||
}
|
|
||||||
|
|
||||||
mSection[section - 1] = null;
|
|
||||||
}
|
|
||||||
|
|
||||||
public void clear()
|
|
||||||
{
|
|
||||||
for (int s = Section.QUESTION; s <= Section.ADDITIONAL; s++)
|
|
||||||
{
|
|
||||||
clear(s);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
public int getRcode()
|
|
||||||
{
|
|
||||||
// FIXME: might want to do what Message does and handle extended rcodes.
|
|
||||||
return mHeader.getRcode();
|
|
||||||
}
|
|
||||||
|
|
||||||
public int getStatus()
|
|
||||||
{
|
|
||||||
return mSecurityStatus.getStatus();
|
|
||||||
}
|
|
||||||
|
|
||||||
public void setStatus(byte status)
|
|
||||||
{
|
|
||||||
mSecurityStatus.setStatus(status);
|
|
||||||
}
|
|
||||||
|
|
||||||
public SecurityStatus getSecurityStatus()
|
|
||||||
{
|
|
||||||
return mSecurityStatus;
|
|
||||||
}
|
|
||||||
public void setSecurityStatus(SecurityStatus s)
|
|
||||||
{
|
|
||||||
if (s == null) return;
|
|
||||||
mSecurityStatus = s;
|
|
||||||
}
|
|
||||||
|
|
||||||
public Message getMessage()
|
|
||||||
{
|
|
||||||
// Generate our new message.
|
|
||||||
Message m = new Message(mHeader.getID());
|
|
||||||
|
|
||||||
// Convert the header
|
|
||||||
// We do this for two reasons: 1) setCount() is package scope, so we can't
|
|
||||||
// do that, and 2) setting the header on a message after creating the
|
|
||||||
// message frequently gets stuff out of sync, leading to malformed wire
|
|
||||||
// format messages.
|
|
||||||
Header h = m.getHeader();
|
|
||||||
h.setOpcode(mHeader.getOpcode());
|
|
||||||
h.setRcode(mHeader.getRcode());
|
|
||||||
for (int i = 0; i < 16; i++)
|
|
||||||
{
|
|
||||||
if (Flags.isFlag(i)) {
|
|
||||||
if (mHeader.getFlag(i)) {
|
|
||||||
h.setFlag(i);
|
|
||||||
} else {
|
|
||||||
h.unsetFlag(i);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Add all the records. -- this will set the counts correctly in the
|
|
||||||
// message header.
|
|
||||||
|
|
||||||
if (mQuestion != null)
|
|
||||||
{
|
|
||||||
m.addRecord(mQuestion, Section.QUESTION);
|
|
||||||
}
|
|
||||||
|
|
||||||
for (int sec = Section.ANSWER; sec <= Section.ADDITIONAL; sec++)
|
|
||||||
{
|
|
||||||
List slist = getSectionList(sec);
|
|
||||||
for (Iterator i = slist.iterator(); i.hasNext();)
|
|
||||||
{
|
|
||||||
SRRset rrset = (SRRset) i.next();
|
|
||||||
for (Iterator j = rrset.rrs(); j.hasNext();)
|
|
||||||
{
|
|
||||||
m.addRecord((Record) j.next(), sec);
|
|
||||||
}
|
}
|
||||||
for (Iterator j = rrset.sigs(); j.hasNext();)
|
}
|
||||||
{
|
|
||||||
m.addRecord((Record) j.next(), sec);
|
public Header getHeader() {
|
||||||
|
return mHeader;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setHeader(Header h) {
|
||||||
|
mHeader = h;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setQuestion(Record r) {
|
||||||
|
mQuestion = r;
|
||||||
|
}
|
||||||
|
|
||||||
|
public Record getQuestion() {
|
||||||
|
return mQuestion;
|
||||||
|
}
|
||||||
|
|
||||||
|
public Name getQName() {
|
||||||
|
return getQuestion().getName();
|
||||||
|
}
|
||||||
|
|
||||||
|
public int getQType() {
|
||||||
|
return getQuestion().getType();
|
||||||
|
}
|
||||||
|
|
||||||
|
public int getQClass() {
|
||||||
|
return getQuestion().getDClass();
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setOPT(OPTRecord r) {
|
||||||
|
mOPTRecord = r;
|
||||||
|
}
|
||||||
|
|
||||||
|
public OPTRecord getOPT() {
|
||||||
|
return mOPTRecord;
|
||||||
|
}
|
||||||
|
|
||||||
|
public List<SRRset> getSectionList(int section) {
|
||||||
|
if (section <= Section.QUESTION || section > Section.ADDITIONAL)
|
||||||
|
throw new IllegalArgumentException("Invalid section.");
|
||||||
|
|
||||||
|
if (mSection[section - 1] == null) {
|
||||||
|
mSection[section - 1] = new LinkedList<SRRset>();
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
return (List<SRRset>) mSection[section - 1];
|
||||||
}
|
}
|
||||||
|
|
||||||
if (mOPTRecord != null)
|
public void addRRset(SRRset srrset, int section) {
|
||||||
{
|
if (section <= Section.QUESTION || section > Section.ADDITIONAL)
|
||||||
m.addRecord(mOPTRecord, Section.ADDITIONAL);
|
throw new IllegalArgumentException("Invalid section");
|
||||||
|
|
||||||
|
if (srrset.getType() == Type.OPT) {
|
||||||
|
mOPTRecord = (OPTRecord) srrset.first();
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
List<SRRset> sectionList = getSectionList(section);
|
||||||
|
sectionList.add(srrset);
|
||||||
}
|
}
|
||||||
|
|
||||||
return m;
|
public void addRRset(RRset rrset, int section) {
|
||||||
}
|
if (rrset instanceof SRRset) {
|
||||||
|
addRRset((SRRset) rrset, section);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
public int getCount(int section)
|
SRRset srrset = new SRRset(rrset);
|
||||||
{
|
addRRset(srrset, section);
|
||||||
if (section == Section.QUESTION)
|
|
||||||
{
|
|
||||||
return mQuestion == null ? 0 : 1;
|
|
||||||
}
|
|
||||||
List sectionList = getSectionList(section);
|
|
||||||
if (sectionList == null) return 0;
|
|
||||||
if (sectionList.size() == 0) return 0;
|
|
||||||
|
|
||||||
int count = 0;
|
|
||||||
for (Iterator i = sectionList.iterator(); i.hasNext(); )
|
|
||||||
{
|
|
||||||
SRRset sr = (SRRset) i.next();
|
|
||||||
count += sr.totalSize();
|
|
||||||
}
|
|
||||||
return count;
|
|
||||||
}
|
|
||||||
|
|
||||||
public String toString()
|
|
||||||
{
|
|
||||||
return getMessage().toString();
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Find a specific (S)RRset in a given section.
|
|
||||||
*
|
|
||||||
* @param name the name of the RRset.
|
|
||||||
* @param type the type of the RRset.
|
|
||||||
* @param dclass the class of the RRset.
|
|
||||||
* @param section the section to look in (ANSWER -> ADDITIONAL)
|
|
||||||
*
|
|
||||||
* @return The SRRset if found, null otherwise.
|
|
||||||
*/
|
|
||||||
public SRRset findRRset(Name name, int type, int dclass, int section)
|
|
||||||
{
|
|
||||||
if (section <= Section.QUESTION || section > Section.ADDITIONAL)
|
|
||||||
throw new IllegalArgumentException("Invalid section.");
|
|
||||||
|
|
||||||
SRRset[] rrsets = getSectionRRsets(section);
|
|
||||||
|
|
||||||
for (int i = 0; i < rrsets.length; i++)
|
|
||||||
{
|
|
||||||
if (rrsets[i].getName().equals(name) && rrsets[i].getType() == type
|
|
||||||
&& rrsets[i].getDClass() == dclass)
|
|
||||||
{
|
|
||||||
return rrsets[i];
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return null;
|
public void prependRRsets(List<SRRset> rrsets, int section) {
|
||||||
}
|
if (section <= Section.QUESTION || section > Section.ADDITIONAL)
|
||||||
|
throw new IllegalArgumentException("Invalid section");
|
||||||
|
|
||||||
/**
|
List<SRRset> sectionList = getSectionList(section);
|
||||||
* Find an "answer" RRset. This will look for RRsets in the ANSWER section
|
sectionList.addAll(0, rrsets);
|
||||||
* that match the <qname,qtype,qclass>, taking into consideration CNAMEs.
|
|
||||||
*
|
|
||||||
* @param qname The starting search name.
|
|
||||||
* @param qtype The search type.
|
|
||||||
* @param qclass The search class.
|
|
||||||
*
|
|
||||||
* @return a SRRset matching the query. This SRRset may have a different
|
|
||||||
* name from qname, due to following a CNAME chain.
|
|
||||||
*/
|
|
||||||
public SRRset findAnswerRRset(Name qname, int qtype, int qclass)
|
|
||||||
{
|
|
||||||
SRRset[] srrsets = getSectionRRsets(Section.ANSWER);
|
|
||||||
|
|
||||||
for (int i = 0; i < srrsets.length; i++)
|
|
||||||
{
|
|
||||||
if (srrsets[i].getName().equals(qname)
|
|
||||||
&& srrsets[i].getType() == Type.CNAME)
|
|
||||||
{
|
|
||||||
CNAMERecord cname = (CNAMERecord) srrsets[i].first();
|
|
||||||
qname = cname.getTarget();
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (srrsets[i].getName().equals(qname) && srrsets[i].getType() == qtype
|
|
||||||
&& srrsets[i].getDClass() == qclass)
|
|
||||||
{
|
|
||||||
return srrsets[i];
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return null;
|
public SRRset[] getSectionRRsets(int section) {
|
||||||
}
|
List<SRRset> slist = getSectionList(section);
|
||||||
|
|
||||||
|
return (SRRset[]) slist.toArray(empty_srrset_array);
|
||||||
|
}
|
||||||
|
|
||||||
|
public SRRset[] getSectionRRsets(int section, int qtype) {
|
||||||
|
List<SRRset> slist = getSectionList(section);
|
||||||
|
|
||||||
|
if (slist.size() == 0) return new SRRset[0];
|
||||||
|
|
||||||
|
ArrayList<SRRset> result = new ArrayList<SRRset>(slist.size());
|
||||||
|
for (SRRset rrset : slist) {
|
||||||
|
if (rrset.getType() == qtype) result.add(rrset);
|
||||||
|
}
|
||||||
|
|
||||||
|
return (SRRset[]) result.toArray(empty_srrset_array);
|
||||||
|
}
|
||||||
|
|
||||||
|
public void deleteRRset(SRRset rrset, int section) {
|
||||||
|
List<SRRset> slist = getSectionList(section);
|
||||||
|
|
||||||
|
if (slist.size() == 0) return;
|
||||||
|
|
||||||
|
slist.remove(rrset);
|
||||||
|
}
|
||||||
|
|
||||||
|
public void clear(int section) {
|
||||||
|
if (section < Section.QUESTION || section > Section.ADDITIONAL)
|
||||||
|
throw new IllegalArgumentException("Invalid section.");
|
||||||
|
|
||||||
|
if (section == Section.QUESTION) {
|
||||||
|
mQuestion = null;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
if (section == Section.ADDITIONAL) {
|
||||||
|
mOPTRecord = null;
|
||||||
|
}
|
||||||
|
|
||||||
|
mSection[section - 1] = null;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void clear() {
|
||||||
|
for (int s = Section.QUESTION; s <= Section.ADDITIONAL; s++) {
|
||||||
|
clear(s);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public int getRcode() {
|
||||||
|
// FIXME: might want to do what Message does and handle extended rcodes.
|
||||||
|
return mHeader.getRcode();
|
||||||
|
}
|
||||||
|
|
||||||
|
public int getStatus() {
|
||||||
|
return mSecurityStatus.getStatus();
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setStatus(byte status) {
|
||||||
|
mSecurityStatus.setStatus(status);
|
||||||
|
}
|
||||||
|
|
||||||
|
public SecurityStatus getSecurityStatus() {
|
||||||
|
return mSecurityStatus;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setSecurityStatus(SecurityStatus s) {
|
||||||
|
if (s == null) return;
|
||||||
|
mSecurityStatus = s;
|
||||||
|
}
|
||||||
|
|
||||||
|
public Message getMessage() {
|
||||||
|
// Generate our new message.
|
||||||
|
Message m = new Message(mHeader.getID());
|
||||||
|
|
||||||
|
// Convert the header
|
||||||
|
// We do this for two reasons: 1) setCount() is package scope, so we
|
||||||
|
// can't do that, and 2) setting the header on a message after creating
|
||||||
|
// the message frequently gets stuff out of sync, leading to malformed
|
||||||
|
// wire format messages.
|
||||||
|
Header h = m.getHeader();
|
||||||
|
h.setOpcode(mHeader.getOpcode());
|
||||||
|
h.setRcode(mHeader.getRcode());
|
||||||
|
for (int i = 0; i < 16; i++) {
|
||||||
|
if (Flags.isFlag(i)) {
|
||||||
|
if (mHeader.getFlag(i)) {
|
||||||
|
h.setFlag(i);
|
||||||
|
} else {
|
||||||
|
h.unsetFlag(i);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Add all the records. -- this will set the counts correctly in the
|
||||||
|
// message header.
|
||||||
|
|
||||||
|
if (mQuestion != null) {
|
||||||
|
m.addRecord(mQuestion, Section.QUESTION);
|
||||||
|
}
|
||||||
|
|
||||||
|
for (int sec = Section.ANSWER; sec <= Section.ADDITIONAL; sec++) {
|
||||||
|
List<SRRset> slist = getSectionList(sec);
|
||||||
|
for (SRRset rrset : slist) {
|
||||||
|
for (Iterator<Record> j = rrset.rrs(); j.hasNext(); ) {
|
||||||
|
m.addRecord(j.next(), sec);
|
||||||
|
}
|
||||||
|
for (Iterator<RRSIGRecord> j = rrset.sigs(); j.hasNext(); ) {
|
||||||
|
m.addRecord(j.next(), sec);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (mOPTRecord != null) {
|
||||||
|
m.addRecord(mOPTRecord, Section.ADDITIONAL);
|
||||||
|
}
|
||||||
|
|
||||||
|
return m;
|
||||||
|
}
|
||||||
|
|
||||||
|
public int getCount(int section) {
|
||||||
|
if (section == Section.QUESTION) {
|
||||||
|
return mQuestion == null ? 0 : 1;
|
||||||
|
}
|
||||||
|
List<SRRset> sectionList = getSectionList(section);
|
||||||
|
if (sectionList == null) return 0;
|
||||||
|
if (sectionList.size() == 0) return 0;
|
||||||
|
|
||||||
|
int count = 0;
|
||||||
|
for (SRRset sr : sectionList) {
|
||||||
|
count += sr.totalSize();
|
||||||
|
}
|
||||||
|
|
||||||
|
return count;
|
||||||
|
}
|
||||||
|
|
||||||
|
public String toString() {
|
||||||
|
return getMessage().toString();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Find a specific (S)RRset in a given section.
|
||||||
|
*
|
||||||
|
* @param name
|
||||||
|
* the name of the RRset.
|
||||||
|
* @param type
|
||||||
|
* the type of the RRset.
|
||||||
|
* @param dclass
|
||||||
|
* the class of the RRset.
|
||||||
|
* @param section
|
||||||
|
* the section to look in (ANSWER -> ADDITIONAL)
|
||||||
|
*
|
||||||
|
* @return The SRRset if found, null otherwise.
|
||||||
|
*/
|
||||||
|
public SRRset findRRset(Name name, int type, int dclass, int section) {
|
||||||
|
if (section <= Section.QUESTION || section > Section.ADDITIONAL)
|
||||||
|
throw new IllegalArgumentException("Invalid section.");
|
||||||
|
|
||||||
|
SRRset[] rrsets = getSectionRRsets(section);
|
||||||
|
|
||||||
|
for (int i = 0; i < rrsets.length; i++) {
|
||||||
|
if (rrsets[i].getName().equals(name) && rrsets[i].getType() == type
|
||||||
|
&& rrsets[i].getDClass() == dclass) {
|
||||||
|
return rrsets[i];
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Find an "answer" RRset. This will look for RRsets in the ANSWER section
|
||||||
|
* that match the <qname,qtype,qclass>, taking into consideration CNAMEs.
|
||||||
|
*
|
||||||
|
* @param qname
|
||||||
|
* The starting search name.
|
||||||
|
* @param qtype
|
||||||
|
* The search type.
|
||||||
|
* @param qclass
|
||||||
|
* The search class.
|
||||||
|
*
|
||||||
|
* @return a SRRset matching the query. This SRRset may have a different
|
||||||
|
* name from qname, due to following a CNAME chain.
|
||||||
|
*/
|
||||||
|
public SRRset findAnswerRRset(Name qname, int qtype, int qclass) {
|
||||||
|
SRRset[] srrsets = getSectionRRsets(Section.ANSWER);
|
||||||
|
|
||||||
|
for (int i = 0; i < srrsets.length; i++) {
|
||||||
|
if (srrsets[i].getName().equals(qname)
|
||||||
|
&& srrsets[i].getType() == Type.CNAME) {
|
||||||
|
CNAMERecord cname = (CNAMERecord) srrsets[i].first();
|
||||||
|
qname = cname.getTarget();
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (srrsets[i].getName().equals(qname)
|
||||||
|
&& srrsets[i].getType() == qtype
|
||||||
|
&& srrsets[i].getDClass() == qclass) {
|
||||||
|
return srrsets[i];
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 2005 VeriSign. All rights reserved.
|
* Copyright (c) 2009 VeriSign. All rights reserved.
|
||||||
*
|
*
|
||||||
* Redistribution and use in source and binary forms, with or without
|
* Redistribution and use in source and binary forms, with or without
|
||||||
* modification, are permitted provided that the following conditions are met:
|
* modification, are permitted provided that the following conditions are met:
|
||||||
@ -34,152 +34,103 @@ import org.xbill.DNS.*;
|
|||||||
/**
|
/**
|
||||||
* A version of the RRset class overrides the standard security status.
|
* A version of the RRset class overrides the standard security status.
|
||||||
*/
|
*/
|
||||||
public class SRRset extends RRset
|
public class SRRset extends RRset {
|
||||||
{
|
private SecurityStatus mSecurityStatus;
|
||||||
private SecurityStatus mSecurityStatus;
|
|
||||||
|
|
||||||
/** Create a new, blank SRRset. */
|
|
||||||
public SRRset()
|
|
||||||
{
|
|
||||||
super();
|
|
||||||
mSecurityStatus = new SecurityStatus();
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/** Create a new, blank SRRset. */
|
||||||
* Create a new SRRset from an existing RRset. This SRRset will contain that
|
public SRRset() {
|
||||||
* same internal Record objects as the original RRset.
|
super();
|
||||||
*/
|
mSecurityStatus = new SecurityStatus();
|
||||||
@SuppressWarnings("unchecked") // org.xbill.DNS.RRset isn't typesafe-aware.
|
|
||||||
public SRRset(RRset r)
|
|
||||||
{
|
|
||||||
this();
|
|
||||||
|
|
||||||
for (Iterator i = r.rrs(); i.hasNext();)
|
|
||||||
{
|
|
||||||
addRR((Record) i.next());
|
|
||||||
}
|
}
|
||||||
|
|
||||||
for (Iterator i = r.sigs(); i.hasNext();)
|
|
||||||
{
|
|
||||||
addRR((Record) i.next());
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Clone this SRRset, giving the copy a new TTL. The copy is independent
|
|
||||||
* from the original except for the security status.
|
|
||||||
*
|
|
||||||
* @param withNewTTL The new TTL to apply to the RRset. This applies to
|
|
||||||
* contained RRsig records as well.
|
|
||||||
* @return The cloned SRRset.
|
|
||||||
*/
|
|
||||||
// public SRRset cloneSRRset(long withNewTTL)
|
|
||||||
// {
|
|
||||||
// SRRset nr = new SRRset();
|
|
||||||
//
|
|
||||||
// for (Iterator i = rrs(); i.hasNext();)
|
|
||||||
// {
|
|
||||||
// nr.addRR(((Record) i.next()).withTTL(withNewTTL));
|
|
||||||
// }
|
|
||||||
// for (Iterator i = sigs(); i.hasNext();)
|
|
||||||
// {
|
|
||||||
// nr.addRR(((Record) i.next()).withTTL(withNewTTL));
|
|
||||||
// }
|
|
||||||
//
|
|
||||||
// nr.mSecurityStatus = mSecurityStatus;
|
|
||||||
//
|
|
||||||
// return nr;
|
|
||||||
// }
|
|
||||||
|
|
||||||
public SRRset cloneSRRsetNoSigs()
|
|
||||||
{
|
|
||||||
SRRset nr = new SRRset();
|
|
||||||
for (Iterator i = rrs(); i.hasNext();)
|
|
||||||
{
|
|
||||||
// NOTE: should this clone the records as well?
|
|
||||||
nr.addRR((Record) i.next());
|
|
||||||
}
|
|
||||||
// Do not copy the SecurityStatus reference
|
|
||||||
|
|
||||||
return nr;
|
/**
|
||||||
}
|
* Create a new SRRset from an existing RRset. This SRRset will contain that
|
||||||
|
* same internal Record objects as the original RRset.
|
||||||
|
*/
|
||||||
/**
|
@SuppressWarnings("unchecked")
|
||||||
* Return the current security status (generally: UNCHECKED, BOGUS, or
|
// org.xbill.DNS.RRset isn't typesafe-aware.
|
||||||
* SECURE).
|
public SRRset(RRset r) {
|
||||||
*/
|
this();
|
||||||
public int getSecurity()
|
|
||||||
{
|
|
||||||
return getSecurityStatus();
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
for (Iterator i = r.rrs(); i.hasNext();) {
|
||||||
* Return the current security status (generally: UNCHECKED, BOGUS, or
|
addRR((Record) i.next());
|
||||||
* SECURE).
|
}
|
||||||
*/
|
|
||||||
public int getSecurityStatus()
|
|
||||||
{
|
|
||||||
return mSecurityStatus.getStatus();
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
for (Iterator i = r.sigs(); i.hasNext();) {
|
||||||
* Set the current security status for this SRRset. This status will be
|
addRR((Record) i.next());
|
||||||
* shared amongst all copies of this SRRset (created with cloneSRRset())
|
}
|
||||||
*/
|
}
|
||||||
public void setSecurityStatus(byte status)
|
|
||||||
{
|
|
||||||
mSecurityStatus.setStatus(status);
|
|
||||||
}
|
|
||||||
|
|
||||||
public int totalSize() {
|
/**
|
||||||
int num_sigs = 0;
|
* Return the current security status (generally: UNCHECKED, BOGUS, or
|
||||||
for (Iterator i = sigs(); i.hasNext(); ) {
|
* SECURE).
|
||||||
num_sigs++;
|
*/
|
||||||
}
|
public int getSecurity() {
|
||||||
return size() + num_sigs;
|
return getSecurityStatus();
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* @return The total number of records (data + sigs) in the SRRset.
|
|
||||||
*/
|
|
||||||
public int getNumRecords()
|
|
||||||
{
|
|
||||||
return totalSize();
|
|
||||||
}
|
|
||||||
|
|
||||||
public RRSIGRecord firstSig() {
|
/**
|
||||||
for (Iterator i = sigs(); i.hasNext(); ) {
|
* Return the current security status (generally: UNCHECKED, BOGUS, or
|
||||||
return (RRSIGRecord) i.next();
|
* SECURE).
|
||||||
}
|
*/
|
||||||
return null;
|
public byte getSecurityStatus() {
|
||||||
}
|
return mSecurityStatus.getStatus();
|
||||||
/**
|
}
|
||||||
* @return true if this RRset has RRSIG records that cover data records.
|
|
||||||
* (i.e., RRSIG SRRsets return false)
|
|
||||||
*/
|
|
||||||
public boolean isSigned()
|
|
||||||
{
|
|
||||||
if (getType() == Type.RRSIG) return false;
|
|
||||||
return firstSig() != null;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @return The "signer" name for this SRRset, if signed, or null if not.
|
* Set the current security status for this SRRset. This status will be
|
||||||
*/
|
* shared amongst all copies of this SRRset (created with cloneSRRset())
|
||||||
public Name getSignerName()
|
*/
|
||||||
{
|
public void setSecurityStatus(byte status) {
|
||||||
RRSIGRecord sig = (RRSIGRecord) firstSig();
|
mSecurityStatus.setStatus(status);
|
||||||
if (sig == null) return null;
|
}
|
||||||
return sig.getSigner();
|
|
||||||
}
|
public Iterator<Record> rrs() {
|
||||||
|
return (Iterator<Record>) rrs();
|
||||||
// public void setTTL(long ttl)
|
}
|
||||||
// {
|
|
||||||
// if (ttl < 0)
|
public Iterator<RRSIGRecord> sigs() {
|
||||||
// {
|
return (Iterator<RRSIGRecord>) sigs();
|
||||||
// throw new IllegalArgumentException("ttl can't be less than zero, stupid! was " + ttl);
|
}
|
||||||
// }
|
|
||||||
// super.setTTL(ttl);
|
public int totalSize() {
|
||||||
// }
|
int num_sigs = 0;
|
||||||
|
for (Iterator<RRSIGRecord> i = sigs(); i.hasNext();) {
|
||||||
|
num_sigs++;
|
||||||
|
}
|
||||||
|
return size() + num_sigs;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return The total number of records (data + sigs) in the SRRset.
|
||||||
|
*/
|
||||||
|
public int getNumRecords() {
|
||||||
|
return totalSize();
|
||||||
|
}
|
||||||
|
|
||||||
|
public RRSIGRecord firstSig() {
|
||||||
|
for (Iterator<RRSIGRecord> i = sigs(); i.hasNext();) {
|
||||||
|
return i.next();
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return true if this RRset has RRSIG records that cover data records.
|
||||||
|
* (i.e., RRSIG SRRsets return false)
|
||||||
|
*/
|
||||||
|
public boolean isSigned() {
|
||||||
|
if (getType() == Type.RRSIG) return false;
|
||||||
|
return firstSig() != null;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return The "signer" name for this SRRset, if signed, or null if not.
|
||||||
|
*/
|
||||||
|
public Name getSignerName() {
|
||||||
|
RRSIGRecord sig = (RRSIGRecord) firstSig();
|
||||||
|
if (sig == null) return null;
|
||||||
|
return sig.getSigner();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
@ -47,428 +47,430 @@ import org.xbill.DNS.Name;
|
|||||||
import org.xbill.DNS.RRSIGRecord;
|
import org.xbill.DNS.RRSIGRecord;
|
||||||
import org.xbill.DNS.RRset;
|
import org.xbill.DNS.RRset;
|
||||||
import org.xbill.DNS.Record;
|
import org.xbill.DNS.Record;
|
||||||
import org.xbill.DNS.utils.base64;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This class contains a bunch of utility methods that are generally useful in
|
* This class contains a bunch of utility methods that are generally useful in
|
||||||
* signing and verifying rrsets.
|
* signing and verifying rrsets.
|
||||||
*
|
|
||||||
* @author David Blacka (original)
|
|
||||||
* @author $Author$
|
|
||||||
* @version $Revision$
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
public class SignUtils
|
public class SignUtils {
|
||||||
{
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This class implements a basic comparitor for byte arrays. It is primarily
|
* This class implements a basic comparator for byte arrays. It is primarily
|
||||||
* useful for comparing RDATA portions of DNS records in doing DNSSEC
|
* useful for comparing RDATA portions of DNS records in doing DNSSEC
|
||||||
* canonical ordering.
|
* canonical ordering.
|
||||||
*
|
*/
|
||||||
* @author David Blacka (original)
|
public static class ByteArrayComparator implements Comparator<byte[]> {
|
||||||
*/
|
private int mOffset = 0;
|
||||||
public static class ByteArrayComparator implements Comparator
|
private boolean mDebug = false;
|
||||||
{
|
|
||||||
private int mOffset = 0;
|
|
||||||
private boolean mDebug = false;
|
|
||||||
|
|
||||||
public ByteArrayComparator()
|
public ByteArrayComparator() {
|
||||||
{
|
|
||||||
}
|
|
||||||
|
|
||||||
public ByteArrayComparator(int offset, boolean debug)
|
|
||||||
{
|
|
||||||
mOffset = offset;
|
|
||||||
mDebug = debug;
|
|
||||||
}
|
|
||||||
|
|
||||||
public int compare(Object o1, Object o2) throws ClassCastException
|
|
||||||
{
|
|
||||||
byte[] b1 = (byte[]) o1;
|
|
||||||
byte[] b2 = (byte[]) o2;
|
|
||||||
|
|
||||||
for (int i = mOffset; i < b1.length && i < b2.length; i++)
|
|
||||||
{
|
|
||||||
if (b1[i] != b2[i])
|
|
||||||
{
|
|
||||||
if (mDebug)
|
|
||||||
{
|
|
||||||
System.out.println("offset " + i + " differs (this is "
|
|
||||||
+ (i - mOffset) + " bytes in from our offset.)");
|
|
||||||
}
|
|
||||||
return (b1[i] & 0xFF) - (b2[i] & 0xFF);
|
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
return b1.length - b2.length;
|
public ByteArrayComparator(int offset, boolean debug) {
|
||||||
}
|
mOffset = offset;
|
||||||
}
|
mDebug = debug;
|
||||||
|
}
|
||||||
|
|
||||||
// private static final int DSA_SIGNATURE_LENGTH = 20;
|
public int compare(byte[] b1, byte[] b2) throws ClassCastException {
|
||||||
private static final int ASN1_INT = 0x02;
|
for (int i = mOffset; i < b1.length && i < b2.length; i++) {
|
||||||
private static final int ASN1_SEQ = 0x30;
|
if (b1[i] != b2[i]) {
|
||||||
|
if (mDebug) {
|
||||||
|
System.out.println("offset " + i + " differs (this is "
|
||||||
|
+ (i - mOffset)
|
||||||
|
+ " bytes in from our offset.)");
|
||||||
|
}
|
||||||
|
return (b1[i] & 0xFF) - (b2[i] & 0xFF);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
public static final int RR_NORMAL = 0;
|
return b1.length - b2.length;
|
||||||
public static final int RR_DELEGATION = 1;
|
}
|
||||||
public static final int RR_GLUE = 2;
|
|
||||||
public static final int RR_INVALID = 3;
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Generate from some basic information a prototype SIG RR containing
|
|
||||||
* everything but the actual signature itself.
|
|
||||||
*
|
|
||||||
* @param rrset the RRset being signed.
|
|
||||||
* @param signer the name of the signing key
|
|
||||||
* @param alg the algorithm of the signing key
|
|
||||||
* @param keyid the keyid (or footprint) of the signing key
|
|
||||||
* @param start the SIG inception time.
|
|
||||||
* @param expire the SIG expiration time.
|
|
||||||
* @param sig_ttl the TTL of the resulting SIG record.
|
|
||||||
* @return a prototype signature based on the RRset and key information.
|
|
||||||
*/
|
|
||||||
public static RRSIGRecord generatePreRRSIG(RRset rrset, Name signer,
|
|
||||||
int alg, int keyid, Date start, Date expire, long sig_ttl)
|
|
||||||
{
|
|
||||||
return new RRSIGRecord(rrset.getName(), rrset.getDClass(), sig_ttl, rrset
|
|
||||||
.getType(), alg, rrset.getTTL(), expire, start, keyid, signer, null);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Generate from some basic information a prototype SIG RR containing
|
|
||||||
* everything but the actual signature itself.
|
|
||||||
*
|
|
||||||
* @param rrset the RRset being signed.
|
|
||||||
* @param key the public KEY RR counterpart to the key being used to sign
|
|
||||||
* the RRset
|
|
||||||
* @param start the SIG inception time.
|
|
||||||
* @param expire the SIG expiration time.
|
|
||||||
* @param sig_ttl the TTL of the resulting SIG record.
|
|
||||||
* @return a prototype signature based on the RRset and key information.
|
|
||||||
*/
|
|
||||||
public static RRSIGRecord generatePreRRSIG(RRset rrset, DNSKEYRecord key,
|
|
||||||
Date start, Date expire, long sig_ttl)
|
|
||||||
{
|
|
||||||
return generatePreRRSIG(rrset, key.getName(), key.getAlgorithm(), key
|
|
||||||
.getFootprint(), start, expire, sig_ttl);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Generate from some basic information a prototype SIG RR containing
|
|
||||||
* everything but the actual signature itself.
|
|
||||||
*
|
|
||||||
* @param rec the DNS record being signed (forming an entire RRset).
|
|
||||||
* @param key the public KEY RR counterpart to the key signing the record.
|
|
||||||
* @param start the SIG inception time.
|
|
||||||
* @param expire the SIG expiration time.
|
|
||||||
* @param sig_ttl the TTL of the result SIG record.
|
|
||||||
* @return a prototype signature based on the Record and key information.
|
|
||||||
*/
|
|
||||||
public static RRSIGRecord generatePreRRSIG(Record rec, DNSKEYRecord key,
|
|
||||||
Date start, Date expire, long sig_ttl)
|
|
||||||
{
|
|
||||||
return new RRSIGRecord(rec.getName(), rec.getDClass(), sig_ttl, rec
|
|
||||||
.getType(), key.getAlgorithm(), rec.getTTL(), expire, start, key
|
|
||||||
.getFootprint(), key.getName(), null);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Generate the binary image of the prototype SIG RR.
|
|
||||||
*
|
|
||||||
* @param presig the SIG RR prototype.
|
|
||||||
* @return the RDATA portion of the prototype SIG record. This forms the
|
|
||||||
* first part of the data to be signed.
|
|
||||||
*/
|
|
||||||
private static byte[] generatePreSigRdata(RRSIGRecord presig)
|
|
||||||
{
|
|
||||||
// Generate the binary image;
|
|
||||||
DNSOutput image = new DNSOutput();
|
|
||||||
|
|
||||||
// precalc some things
|
|
||||||
int start_time = (int) (presig.getTimeSigned().getTime() / 1000);
|
|
||||||
int expire_time = (int) (presig.getExpire().getTime() / 1000);
|
|
||||||
Name signer = presig.getSigner();
|
|
||||||
|
|
||||||
// first write out the partial SIG record (this is the SIG RDATA
|
|
||||||
// minus the actual signature.
|
|
||||||
image.writeU16(presig.getTypeCovered());
|
|
||||||
image.writeU8(presig.getAlgorithm());
|
|
||||||
image.writeU8(presig.getLabels());
|
|
||||||
image.writeU32((int) presig.getOrigTTL());
|
|
||||||
image.writeU32(expire_time);
|
|
||||||
image.writeU32(start_time);
|
|
||||||
image.writeU16(presig.getFootprint());
|
|
||||||
image.writeByteArray(signer.toWireCanonical());
|
|
||||||
|
|
||||||
return image.toByteArray();
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Calculate the canonical wire line format of the RRset.
|
|
||||||
*
|
|
||||||
* @param rrset the RRset to convert.
|
|
||||||
* @param ttl the TTL to use when canonicalizing -- this is generally the
|
|
||||||
* TTL of the signature if there is a pre-existing signature. If
|
|
||||||
* not it is just the ttl of the rrset itself.
|
|
||||||
* @param labels the labels field of the signature, or 0.
|
|
||||||
* @return the canonical wire line format of the rrset. This is the second
|
|
||||||
* part of data to be signed.
|
|
||||||
*/
|
|
||||||
public static byte[] generateCanonicalRRsetData(RRset rrset, long ttl,
|
|
||||||
int labels)
|
|
||||||
{
|
|
||||||
DNSOutput image = new DNSOutput();
|
|
||||||
|
|
||||||
if (ttl == 0) ttl = rrset.getTTL();
|
|
||||||
Name n = rrset.getName();
|
|
||||||
if (labels == 0)
|
|
||||||
{
|
|
||||||
labels = n.labels();
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
// correct for Name()'s conception of label count.
|
|
||||||
labels++;
|
|
||||||
}
|
|
||||||
boolean wildcardName = false;
|
|
||||||
if (n.labels() != labels)
|
|
||||||
{
|
|
||||||
n = n.wild(n.labels() - labels);
|
|
||||||
wildcardName = true;
|
|
||||||
// log.trace("Detected wildcard expansion: " + rrset.getName() + " changed to " + n);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// now convert load the wire format records in the RRset into a
|
// private static final int DSA_SIGNATURE_LENGTH = 20;
|
||||||
// list of byte arrays.
|
private static final int ASN1_INT = 0x02;
|
||||||
ArrayList canonical_rrs = new ArrayList();
|
private static final int ASN1_SEQ = 0x30;
|
||||||
for (Iterator i = rrset.rrs(); i.hasNext();)
|
|
||||||
{
|
public static final int RR_NORMAL = 0;
|
||||||
Record r = (Record) i.next();
|
public static final int RR_DELEGATION = 1;
|
||||||
if (r.getTTL() != ttl || wildcardName)
|
public static final int RR_GLUE = 2;
|
||||||
{
|
public static final int RR_INVALID = 3;
|
||||||
// If necessary, we need to create a new record with a new ttl or ownername.
|
|
||||||
// In the TTL case, this avoids changing the ttl in the response.
|
/**
|
||||||
r = Record.newRecord(n, r.getType(), r.getDClass(), ttl, r
|
* Generate from some basic information a prototype SIG RR containing
|
||||||
.rdataToWireCanonical());
|
* everything but the actual signature itself.
|
||||||
}
|
*
|
||||||
byte[] wire_fmt = r.toWireCanonical();
|
* @param rrset
|
||||||
canonical_rrs.add(wire_fmt);
|
* the RRset being signed.
|
||||||
|
* @param signer
|
||||||
|
* the name of the signing key
|
||||||
|
* @param alg
|
||||||
|
* the algorithm of the signing key
|
||||||
|
* @param keyid
|
||||||
|
* the keyid (or footprint) of the signing key
|
||||||
|
* @param start
|
||||||
|
* the SIG inception time.
|
||||||
|
* @param expire
|
||||||
|
* the SIG expiration time.
|
||||||
|
* @param sig_ttl
|
||||||
|
* the TTL of the resulting SIG record.
|
||||||
|
* @return a prototype signature based on the RRset and key information.
|
||||||
|
*/
|
||||||
|
public static RRSIGRecord generatePreRRSIG(RRset rrset, Name signer,
|
||||||
|
int alg, int keyid, Date start,
|
||||||
|
Date expire, long sig_ttl) {
|
||||||
|
return new RRSIGRecord(rrset.getName(), rrset.getDClass(), sig_ttl,
|
||||||
|
rrset.getType(), alg, rrset.getTTL(), expire, start, keyid,
|
||||||
|
signer, null);
|
||||||
}
|
}
|
||||||
|
|
||||||
// put the records into the correct ordering.
|
/**
|
||||||
// Caculate the offset where the RDATA begins (we have to skip
|
* Generate from some basic information a prototype SIG RR containing
|
||||||
// past the length byte)
|
* everything but the actual signature itself.
|
||||||
|
*
|
||||||
int offset = rrset.getName().toWireCanonical().length + 10;
|
* @param rrset
|
||||||
ByteArrayComparator bac = new ByteArrayComparator(offset, false);
|
* the RRset being signed.
|
||||||
|
* @param key
|
||||||
Collections.sort(canonical_rrs, bac);
|
* the public KEY RR counterpart to the key being used to sign
|
||||||
|
* the RRset
|
||||||
for (Iterator i = canonical_rrs.iterator(); i.hasNext();)
|
* @param start
|
||||||
{
|
* the SIG inception time.
|
||||||
byte[] wire_fmt_rec = (byte[]) i.next();
|
* @param expire
|
||||||
image.writeByteArray(wire_fmt_rec);
|
* the SIG expiration time.
|
||||||
|
* @param sig_ttl
|
||||||
|
* the TTL of the resulting SIG record.
|
||||||
|
* @return a prototype signature based on the RRset and key information.
|
||||||
|
*/
|
||||||
|
public static RRSIGRecord generatePreRRSIG(RRset rrset, DNSKEYRecord key,
|
||||||
|
Date start, Date expire,
|
||||||
|
long sig_ttl) {
|
||||||
|
return generatePreRRSIG(rrset, key.getName(), key.getAlgorithm(),
|
||||||
|
key.getFootprint(), start, expire, sig_ttl);
|
||||||
}
|
}
|
||||||
|
|
||||||
return image.toByteArray();
|
/**
|
||||||
}
|
* Generate from some basic information a prototype SIG RR containing
|
||||||
|
* everything but the actual signature itself.
|
||||||
/**
|
*
|
||||||
* Given an RRset and the prototype signature, generate the canonical data
|
* @param rec
|
||||||
* that is to be signed.
|
* the DNS record being signed (forming an entire RRset).
|
||||||
*
|
* @param key
|
||||||
* @param rrset the RRset to be signed.
|
* the public KEY RR counterpart to the key signing the record.
|
||||||
* @param presig a prototype SIG RR created using the same RRset.
|
* @param start
|
||||||
* @return a block of data ready to be signed.
|
* the SIG inception time.
|
||||||
*/
|
* @param expire
|
||||||
public static byte[] generateSigData(RRset rrset, RRSIGRecord presig)
|
* the SIG expiration time.
|
||||||
throws IOException
|
* @param sig_ttl
|
||||||
{
|
* the TTL of the result SIG record.
|
||||||
byte[] rrset_data = generateCanonicalRRsetData(rrset, presig.getOrigTTL(), presig.getLabels());
|
* @return a prototype signature based on the Record and key information.
|
||||||
|
*/
|
||||||
return generateSigData(rrset_data, presig);
|
public static RRSIGRecord generatePreRRSIG(Record rec, DNSKEYRecord key,
|
||||||
}
|
Date start, Date expire,
|
||||||
|
long sig_ttl) {
|
||||||
/**
|
return new RRSIGRecord(rec.getName(), rec.getDClass(), sig_ttl,
|
||||||
* Given an RRset and the prototype signature, generate the canonical data
|
rec.getType(), key.getAlgorithm(), rec.getTTL(), expire, start,
|
||||||
* that is to be signed.
|
key.getFootprint(), key.getName(), null);
|
||||||
*
|
|
||||||
* @param rrset_data the RRset converted into canonical wire line format (as
|
|
||||||
* per the canonicalization rules in RFC 2535).
|
|
||||||
* @param presig the prototype signature based on the same RRset represented
|
|
||||||
* in <code>rrset_data</code>.
|
|
||||||
* @return a block of data ready to be signed.
|
|
||||||
*/
|
|
||||||
public static byte[] generateSigData(byte[] rrset_data, RRSIGRecord presig)
|
|
||||||
throws IOException
|
|
||||||
{
|
|
||||||
byte[] sig_rdata = generatePreSigRdata(presig);
|
|
||||||
|
|
||||||
ByteArrayOutputStream image = new ByteArrayOutputStream(sig_rdata.length
|
|
||||||
+ rrset_data.length);
|
|
||||||
|
|
||||||
image.write(sig_rdata);
|
|
||||||
image.write(rrset_data);
|
|
||||||
|
|
||||||
return image.toByteArray();
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Given the acutal signature an the prototype signature, combine them and
|
|
||||||
* return the fully formed SIGRecord.
|
|
||||||
*
|
|
||||||
* @param signature the cryptographic signature, in DNSSEC format.
|
|
||||||
* @param presig the prototype SIG RR to add the signature to.
|
|
||||||
* @return the fully formed SIG RR.
|
|
||||||
*/
|
|
||||||
public static RRSIGRecord generateRRSIG(byte[] signature, RRSIGRecord presig)
|
|
||||||
{
|
|
||||||
return new RRSIGRecord(presig.getName(), presig.getDClass(), presig
|
|
||||||
.getTTL(), presig.getTypeCovered(), presig.getAlgorithm(), presig
|
|
||||||
.getOrigTTL(), presig.getExpire(), presig.getTimeSigned(), presig
|
|
||||||
.getFootprint(), presig.getSigner(), signature);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Converts from a RFC 2536 formatted DSA signature to a JCE (ASN.1)
|
|
||||||
* formatted signature.
|
|
||||||
*
|
|
||||||
* <p>
|
|
||||||
* ASN.1 format = ASN1_SEQ . seq_length . ASN1_INT . Rlength . R . ANS1_INT .
|
|
||||||
* Slength . S
|
|
||||||
* </p>
|
|
||||||
*
|
|
||||||
* The integers R and S may have a leading null byte to force the integer
|
|
||||||
* positive.
|
|
||||||
*
|
|
||||||
* @param signature the RFC 2536 formatted DSA signature.
|
|
||||||
* @return The ASN.1 formatted DSA signature.
|
|
||||||
* @throws SignatureException if there was something wrong with the RFC 2536
|
|
||||||
* formatted signature.
|
|
||||||
*/
|
|
||||||
public static byte[] convertDSASignature(byte[] signature)
|
|
||||||
throws SignatureException
|
|
||||||
{
|
|
||||||
if (signature.length != 41)
|
|
||||||
throw new SignatureException("RFC 2536 signature not expected length.");
|
|
||||||
|
|
||||||
byte r_pad = 0;
|
|
||||||
byte s_pad = 0;
|
|
||||||
|
|
||||||
// handle initial null byte padding.
|
|
||||||
if (signature[1] < 0) r_pad++;
|
|
||||||
if (signature[21] < 0) s_pad++;
|
|
||||||
|
|
||||||
// ASN.1 length = R length + S length + (2 + 2 + 2), where each 2
|
|
||||||
// is for a ASN.1 type-length byte pair of which there are three
|
|
||||||
// (SEQ, INT, INT).
|
|
||||||
byte sig_length = (byte) (40 + r_pad + s_pad + 6);
|
|
||||||
|
|
||||||
byte sig[] = new byte[sig_length];
|
|
||||||
byte pos = 0;
|
|
||||||
|
|
||||||
sig[pos++] = ASN1_SEQ;
|
|
||||||
sig[pos++] = (byte) (sig_length - 2); // all but the SEQ type+length.
|
|
||||||
sig[pos++] = ASN1_INT;
|
|
||||||
sig[pos++] = (byte) (20 + r_pad);
|
|
||||||
|
|
||||||
// copy the value of R, leaving a null byte if necessary
|
|
||||||
if (r_pad == 1) sig[pos++] = 0;
|
|
||||||
|
|
||||||
System.arraycopy(signature, 1, sig, pos, 20);
|
|
||||||
pos += 20;
|
|
||||||
|
|
||||||
sig[pos++] = ASN1_INT;
|
|
||||||
sig[pos++] = (byte) (20 + s_pad);
|
|
||||||
|
|
||||||
// copy the value of S, leaving a null byte if necessary
|
|
||||||
if (s_pad == 1) sig[pos++] = 0;
|
|
||||||
|
|
||||||
System.arraycopy(signature, 21, sig, pos, 20);
|
|
||||||
|
|
||||||
return sig;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Converts from a JCE (ASN.1) formatted DSA signature to a RFC 2536
|
|
||||||
* compliant signature.
|
|
||||||
*
|
|
||||||
* <p>
|
|
||||||
* rfc2536 format = T . R . S
|
|
||||||
* </p>
|
|
||||||
*
|
|
||||||
* where T is a number between 0 and 8, which is based on the DSA key
|
|
||||||
* length, and R & S are formatted to be exactly 20 bytes each (no leading
|
|
||||||
* null bytes).
|
|
||||||
*
|
|
||||||
* @param params the DSA parameters associated with the DSA key used to
|
|
||||||
* generate the signature.
|
|
||||||
* @param signature the ASN.1 formatted DSA signature.
|
|
||||||
* @return a RFC 2536 formatted DSA signature.
|
|
||||||
* @throws SignatureException if something is wrong with the ASN.1 format.
|
|
||||||
*/
|
|
||||||
public static byte[] convertDSASignature(DSAParams params, byte[] signature)
|
|
||||||
throws SignatureException
|
|
||||||
{
|
|
||||||
if (signature[0] != ASN1_SEQ || signature[2] != ASN1_INT)
|
|
||||||
{
|
|
||||||
throw new SignatureException(
|
|
||||||
"Invalid ASN.1 signature format: expected SEQ, INT");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
byte r_pad = (byte) (signature[3] - 20);
|
/**
|
||||||
|
* Generate the binary image of the prototype SIG RR.
|
||||||
|
*
|
||||||
|
* @param presig
|
||||||
|
* the SIG RR prototype.
|
||||||
|
* @return the RDATA portion of the prototype SIG record. This forms the
|
||||||
|
* first part of the data to be signed.
|
||||||
|
*/
|
||||||
|
private static byte[] generatePreSigRdata(RRSIGRecord presig) {
|
||||||
|
// Generate the binary image;
|
||||||
|
DNSOutput image = new DNSOutput();
|
||||||
|
|
||||||
if (signature[24 + r_pad] != ASN1_INT)
|
// precalculate some things
|
||||||
{
|
int start_time = (int) (presig.getTimeSigned().getTime() / 1000);
|
||||||
throw new SignatureException(
|
int expire_time = (int) (presig.getExpire().getTime() / 1000);
|
||||||
"Invalid ASN.1 signature format: expected SEQ, INT, INT");
|
Name signer = presig.getSigner();
|
||||||
|
|
||||||
|
// first write out the partial SIG record (this is the SIG RDATA
|
||||||
|
// minus the actual signature.
|
||||||
|
image.writeU16(presig.getTypeCovered());
|
||||||
|
image.writeU8(presig.getAlgorithm());
|
||||||
|
image.writeU8(presig.getLabels());
|
||||||
|
image.writeU32((int) presig.getOrigTTL());
|
||||||
|
image.writeU32(expire_time);
|
||||||
|
image.writeU32(start_time);
|
||||||
|
image.writeU16(presig.getFootprint());
|
||||||
|
image.writeByteArray(signer.toWireCanonical());
|
||||||
|
|
||||||
|
return image.toByteArray();
|
||||||
}
|
}
|
||||||
|
|
||||||
// log.trace("(start) ASN.1 DSA Sig:\n" + base64.toString(signature));
|
/**
|
||||||
|
* Calculate the canonical wire line format of the RRset.
|
||||||
|
*
|
||||||
|
* @param rrset
|
||||||
|
* the RRset to convert.
|
||||||
|
* @param ttl
|
||||||
|
* the TTL to use when canonicalizing -- this is generally the
|
||||||
|
* TTL of the signature if there is a pre-existing signature. If
|
||||||
|
* not it is just the ttl of the rrset itself.
|
||||||
|
* @param labels
|
||||||
|
* the labels field of the signature, or 0.
|
||||||
|
* @return the canonical wire line format of the rrset. This is the second
|
||||||
|
* part of data to be signed.
|
||||||
|
*/
|
||||||
|
@SuppressWarnings("unchecked")
|
||||||
|
public static byte[] generateCanonicalRRsetData(RRset rrset, long ttl,
|
||||||
|
int labels) {
|
||||||
|
DNSOutput image = new DNSOutput();
|
||||||
|
|
||||||
byte s_pad = (byte) (signature[25 + r_pad] - 20);
|
if (ttl == 0) ttl = rrset.getTTL();
|
||||||
|
Name n = rrset.getName();
|
||||||
|
if (labels == 0) {
|
||||||
|
labels = n.labels();
|
||||||
|
} else {
|
||||||
|
// correct for Name()'s conception of label count.
|
||||||
|
labels++;
|
||||||
|
}
|
||||||
|
boolean wildcardName = false;
|
||||||
|
if (n.labels() != labels) {
|
||||||
|
n = n.wild(n.labels() - labels);
|
||||||
|
wildcardName = true;
|
||||||
|
// log.trace("Detected wildcard expansion: " + rrset.getName() +
|
||||||
|
// " changed to " + n);
|
||||||
|
}
|
||||||
|
|
||||||
byte[] sig = new byte[41]; // all rfc2536 signatures are 41 bytes.
|
// now convert the wire format records in the RRset into a
|
||||||
|
// list of byte arrays.
|
||||||
|
ArrayList<byte[]> canonical_rrs = new ArrayList<byte[]>();
|
||||||
|
for (Iterator i = rrset.rrs(); i.hasNext();) {
|
||||||
|
Record r = (Record) i.next();
|
||||||
|
if (r.getTTL() != ttl || wildcardName) {
|
||||||
|
// If necessary, we need to create a new record with a new ttl
|
||||||
|
// or ownername.
|
||||||
|
// In the TTL case, this avoids changing the ttl in the
|
||||||
|
// response.
|
||||||
|
r = Record.newRecord(n, r.getType(), r.getDClass(), ttl,
|
||||||
|
r.rdataToWireCanonical());
|
||||||
|
}
|
||||||
|
byte[] wire_fmt = r.toWireCanonical();
|
||||||
|
canonical_rrs.add(wire_fmt);
|
||||||
|
}
|
||||||
|
|
||||||
// Calculate T:
|
// put the records into the correct ordering.
|
||||||
sig[0] = (byte) ((params.getP().bitLength() - 512) / 64);
|
// Calculate the offset where the RDATA begins (we have to skip
|
||||||
|
// past the length byte)
|
||||||
|
|
||||||
// copy R value
|
int offset = rrset.getName().toWireCanonical().length + 10;
|
||||||
if (r_pad >= 0)
|
ByteArrayComparator bac = new ByteArrayComparator(offset, false);
|
||||||
{
|
|
||||||
System.arraycopy(signature, 4 + r_pad, sig, 1, 20);
|
Collections.sort(canonical_rrs, bac);
|
||||||
}
|
|
||||||
else
|
for (Iterator<byte[]> i = canonical_rrs.iterator(); i.hasNext();) {
|
||||||
{
|
byte[] wire_fmt_rec = i.next();
|
||||||
// R is shorter than 20 bytes, so right justify the number
|
image.writeByteArray(wire_fmt_rec);
|
||||||
// (r_pad is negative here, remember?).
|
}
|
||||||
Arrays.fill(sig, 1, 1 - r_pad, (byte) 0);
|
|
||||||
System.arraycopy(signature, 4, sig, 1 - r_pad, 20 + r_pad);
|
return image.toByteArray();
|
||||||
}
|
}
|
||||||
|
|
||||||
// copy S value
|
/**
|
||||||
if (s_pad >= 0)
|
* Given an RRset and the prototype signature, generate the canonical data
|
||||||
{
|
* that is to be signed.
|
||||||
System.arraycopy(signature, 26 + r_pad + s_pad, sig, 21, 20);
|
*
|
||||||
}
|
* @param rrset
|
||||||
else
|
* the RRset to be signed.
|
||||||
{
|
* @param presig
|
||||||
// S is shorter than 20 bytes, so right justify the number
|
* a prototype SIG RR created using the same RRset.
|
||||||
// (s_pad is negative here).
|
* @return a block of data ready to be signed.
|
||||||
Arrays.fill(sig, 21, 21 - s_pad, (byte) 0);
|
*/
|
||||||
System.arraycopy(signature, 26 + r_pad, sig, 21 - s_pad, 20 + s_pad);
|
public static byte[] generateSigData(RRset rrset, RRSIGRecord presig)
|
||||||
|
throws IOException {
|
||||||
|
byte[] rrset_data = generateCanonicalRRsetData(rrset,
|
||||||
|
presig.getOrigTTL(),
|
||||||
|
presig.getLabels());
|
||||||
|
|
||||||
|
return generateSigData(rrset_data, presig);
|
||||||
}
|
}
|
||||||
|
|
||||||
// if (r_pad < 0 || s_pad < 0)
|
/**
|
||||||
// {
|
* Given an RRset and the prototype signature, generate the canonical data
|
||||||
// log.trace("(finish ***) RFC 2536 DSA Sig:\n" + base64.toString(sig));
|
* that is to be signed.
|
||||||
//
|
*
|
||||||
// }
|
* @param rrset_data
|
||||||
// else
|
* the RRset converted into canonical wire line format (as per
|
||||||
// {
|
* the canonicalization rules in RFC 2535).
|
||||||
// log.trace("(finish) RFC 2536 DSA Sig:\n" + base64.toString(sig));
|
* @param presig
|
||||||
// }
|
* the prototype signature based on the same RRset represented in
|
||||||
|
* <code>rrset_data</code>.
|
||||||
|
* @return a block of data ready to be signed.
|
||||||
|
*/
|
||||||
|
public static byte[] generateSigData(byte[] rrset_data, RRSIGRecord presig)
|
||||||
|
throws IOException {
|
||||||
|
byte[] sig_rdata = generatePreSigRdata(presig);
|
||||||
|
|
||||||
return sig;
|
ByteArrayOutputStream image = new ByteArrayOutputStream(
|
||||||
}
|
sig_rdata.length + rrset_data.length);
|
||||||
|
|
||||||
|
image.write(sig_rdata);
|
||||||
|
image.write(rrset_data);
|
||||||
|
|
||||||
|
return image.toByteArray();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Given the actual signature and the prototype signature, combine them and
|
||||||
|
* return the fully formed RRSIGRecord.
|
||||||
|
*
|
||||||
|
* @param signature
|
||||||
|
* the cryptographic signature, in DNSSEC format.
|
||||||
|
* @param presig
|
||||||
|
* the prototype RRSIG RR to add the signature to.
|
||||||
|
* @return the fully formed RRSIG RR.
|
||||||
|
*/
|
||||||
|
public static RRSIGRecord generateRRSIG(byte[] signature, RRSIGRecord presig) {
|
||||||
|
return new RRSIGRecord(presig.getName(), presig.getDClass(),
|
||||||
|
presig.getTTL(), presig.getTypeCovered(),
|
||||||
|
presig.getAlgorithm(), presig.getOrigTTL(), presig.getExpire(),
|
||||||
|
presig.getTimeSigned(), presig.getFootprint(),
|
||||||
|
presig.getSigner(), signature);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Converts from a RFC 2536 formatted DSA signature to a JCE (ASN.1)
|
||||||
|
* formatted signature.
|
||||||
|
*
|
||||||
|
* <p>
|
||||||
|
* ASN.1 format = ASN1_SEQ . seq_length . ASN1_INT . Rlength . R . ANS1_INT
|
||||||
|
* . Slength . S
|
||||||
|
* </p>
|
||||||
|
*
|
||||||
|
* The integers R and S may have a leading null byte to force the integer
|
||||||
|
* positive.
|
||||||
|
*
|
||||||
|
* @param signature
|
||||||
|
* the RFC 2536 formatted DSA signature.
|
||||||
|
* @return The ASN.1 formatted DSA signature.
|
||||||
|
* @throws SignatureException
|
||||||
|
* if there was something wrong with the RFC 2536 formatted
|
||||||
|
* signature.
|
||||||
|
*/
|
||||||
|
public static byte[] convertDSASignature(byte[] signature)
|
||||||
|
throws SignatureException {
|
||||||
|
if (signature.length != 41)
|
||||||
|
throw new SignatureException(
|
||||||
|
"RFC 2536 signature not expected length.");
|
||||||
|
|
||||||
|
byte r_pad = 0;
|
||||||
|
byte s_pad = 0;
|
||||||
|
|
||||||
|
// handle initial null byte padding.
|
||||||
|
if (signature[1] < 0) r_pad++;
|
||||||
|
if (signature[21] < 0) s_pad++;
|
||||||
|
|
||||||
|
// ASN.1 length = R length + S length + (2 + 2 + 2), where each 2
|
||||||
|
// is for a ASN.1 type-length byte pair of which there are three
|
||||||
|
// (SEQ, INT, INT).
|
||||||
|
byte sig_length = (byte) (40 + r_pad + s_pad + 6);
|
||||||
|
|
||||||
|
byte sig[] = new byte[sig_length];
|
||||||
|
byte pos = 0;
|
||||||
|
|
||||||
|
sig[pos++] = ASN1_SEQ;
|
||||||
|
sig[pos++] = (byte) (sig_length - 2); // all but the SEQ type+length.
|
||||||
|
sig[pos++] = ASN1_INT;
|
||||||
|
sig[pos++] = (byte) (20 + r_pad);
|
||||||
|
|
||||||
|
// copy the value of R, leaving a null byte if necessary
|
||||||
|
if (r_pad == 1) sig[pos++] = 0;
|
||||||
|
|
||||||
|
System.arraycopy(signature, 1, sig, pos, 20);
|
||||||
|
pos += 20;
|
||||||
|
|
||||||
|
sig[pos++] = ASN1_INT;
|
||||||
|
sig[pos++] = (byte) (20 + s_pad);
|
||||||
|
|
||||||
|
// copy the value of S, leaving a null byte if necessary
|
||||||
|
if (s_pad == 1) sig[pos++] = 0;
|
||||||
|
|
||||||
|
System.arraycopy(signature, 21, sig, pos, 20);
|
||||||
|
|
||||||
|
return sig;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Converts from a JCE (ASN.1) formatted DSA signature to a RFC 2536
|
||||||
|
* compliant signature.
|
||||||
|
*
|
||||||
|
* <p>
|
||||||
|
* rfc2536 format = T . R . S
|
||||||
|
* </p>
|
||||||
|
*
|
||||||
|
* where T is a number between 0 and 8, which is based on the DSA key
|
||||||
|
* length, and R & S are formatted to be exactly 20 bytes each (no leading
|
||||||
|
* null bytes).
|
||||||
|
*
|
||||||
|
* @param params
|
||||||
|
* the DSA parameters associated with the DSA key used to
|
||||||
|
* generate the signature.
|
||||||
|
* @param signature
|
||||||
|
* the ASN.1 formatted DSA signature.
|
||||||
|
* @return a RFC 2536 formatted DSA signature.
|
||||||
|
* @throws SignatureException
|
||||||
|
* if something is wrong with the ASN.1 format.
|
||||||
|
*/
|
||||||
|
public static byte[] convertDSASignature(DSAParams params, byte[] signature)
|
||||||
|
throws SignatureException {
|
||||||
|
if (signature[0] != ASN1_SEQ || signature[2] != ASN1_INT) {
|
||||||
|
throw new SignatureException(
|
||||||
|
"Invalid ASN.1 signature format: expected SEQ, INT");
|
||||||
|
}
|
||||||
|
|
||||||
|
byte r_pad = (byte) (signature[3] - 20);
|
||||||
|
|
||||||
|
if (signature[24 + r_pad] != ASN1_INT) {
|
||||||
|
throw new SignatureException(
|
||||||
|
"Invalid ASN.1 signature format: expected SEQ, INT, INT");
|
||||||
|
}
|
||||||
|
|
||||||
|
// log.trace("(start) ASN.1 DSA Sig:\n" + base64.toString(signature));
|
||||||
|
|
||||||
|
byte s_pad = (byte) (signature[25 + r_pad] - 20);
|
||||||
|
|
||||||
|
byte[] sig = new byte[41]; // all rfc2536 signatures are 41 bytes.
|
||||||
|
|
||||||
|
// Calculate T:
|
||||||
|
sig[0] = (byte) ((params.getP().bitLength() - 512) / 64);
|
||||||
|
|
||||||
|
// copy R value
|
||||||
|
if (r_pad >= 0) {
|
||||||
|
System.arraycopy(signature, 4 + r_pad, sig, 1, 20);
|
||||||
|
} else {
|
||||||
|
// R is shorter than 20 bytes, so right justify the number
|
||||||
|
// (r_pad is negative here, remember?).
|
||||||
|
Arrays.fill(sig, 1, 1 - r_pad, (byte) 0);
|
||||||
|
System.arraycopy(signature, 4, sig, 1 - r_pad, 20 + r_pad);
|
||||||
|
}
|
||||||
|
|
||||||
|
// copy S value
|
||||||
|
if (s_pad >= 0) {
|
||||||
|
System.arraycopy(signature, 26 + r_pad + s_pad, sig, 21, 20);
|
||||||
|
} else {
|
||||||
|
// S is shorter than 20 bytes, so right justify the number
|
||||||
|
// (s_pad is negative here).
|
||||||
|
Arrays.fill(sig, 21, 21 - s_pad, (byte) 0);
|
||||||
|
System.arraycopy(signature, 26 + r_pad, sig, 21 - s_pad, 20 + s_pad);
|
||||||
|
}
|
||||||
|
|
||||||
|
// if (r_pad < 0 || s_pad < 0)
|
||||||
|
// {
|
||||||
|
// log.trace("(finish ***) RFC 2536 DSA Sig:\n" + base64.toString(sig));
|
||||||
|
//
|
||||||
|
// }
|
||||||
|
// else
|
||||||
|
// {
|
||||||
|
// log.trace("(finish) RFC 2536 DSA Sig:\n" + base64.toString(sig));
|
||||||
|
// }
|
||||||
|
|
||||||
|
return sig;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
@ -33,16 +33,12 @@ import java.util.Map;
|
|||||||
|
|
||||||
import org.xbill.DNS.Name;
|
import org.xbill.DNS.Name;
|
||||||
|
|
||||||
import com.versign.tat.dnssec.SRRset;
|
|
||||||
import com.versign.tat.dnssec.SecurityStatus;
|
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
public class TrustAnchorStore
|
public class TrustAnchorStore
|
||||||
{
|
{
|
||||||
private Map mMap;
|
private Map<String, SRRset> mMap;
|
||||||
|
|
||||||
public TrustAnchorStore()
|
public TrustAnchorStore()
|
||||||
{
|
{
|
||||||
@ -59,7 +55,7 @@ public class TrustAnchorStore
|
|||||||
{
|
{
|
||||||
if (mMap == null)
|
if (mMap == null)
|
||||||
{
|
{
|
||||||
mMap = new HashMap();
|
mMap = new HashMap<String, SRRset>();
|
||||||
}
|
}
|
||||||
String k = key(rrset.getName(), rrset.getDClass());
|
String k = key(rrset.getName(), rrset.getDClass());
|
||||||
rrset.setSecurityStatus(SecurityStatus.SECURE);
|
rrset.setSecurityStatus(SecurityStatus.SECURE);
|
||||||
@ -70,7 +66,7 @@ public class TrustAnchorStore
|
|||||||
private SRRset lookup(String key)
|
private SRRset lookup(String key)
|
||||||
{
|
{
|
||||||
if (mMap == null) return null;
|
if (mMap == null) return null;
|
||||||
return (SRRset) mMap.get(key);
|
return mMap.get(key);
|
||||||
}
|
}
|
||||||
|
|
||||||
public SRRset find(Name n, int dclass)
|
public SRRset find(Name n, int dclass)
|
||||||
|
@ -31,15 +31,10 @@ package com.versign.tat.dnssec;
|
|||||||
|
|
||||||
import java.util.*;
|
import java.util.*;
|
||||||
|
|
||||||
import org.xbill.DNS.Flags;
|
|
||||||
import org.xbill.DNS.Header;
|
|
||||||
import org.xbill.DNS.Name;
|
import org.xbill.DNS.Name;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Some basic utility functions.
|
* Some basic utility functions.
|
||||||
*
|
|
||||||
* @author davidb
|
|
||||||
* @version $Revision$
|
|
||||||
*/
|
*/
|
||||||
public class Util
|
public class Util
|
||||||
{
|
{
|
||||||
@ -61,31 +56,6 @@ public class Util
|
|||||||
return n;
|
return n;
|
||||||
}
|
}
|
||||||
|
|
||||||
// public static SMessage errorMessage(Request request, int rcode)
|
|
||||||
// {
|
|
||||||
// SMessage m = new SMessage(request.getID());
|
|
||||||
// Header h = m.getHeader();
|
|
||||||
// h.setRcode(rcode);
|
|
||||||
// h.setFlag(Flags.QR);
|
|
||||||
// m.setQuestion(request.getQuestion());
|
|
||||||
// m.setOPT(request.getOPT());
|
|
||||||
//
|
|
||||||
// return m;
|
|
||||||
// }
|
|
||||||
//
|
|
||||||
// public static SMessage errorMessage(SMessage message, int rcode)
|
|
||||||
// {
|
|
||||||
// Header h = message.getHeader();
|
|
||||||
// SMessage m = new SMessage(h.getID());
|
|
||||||
// h = m.getHeader();
|
|
||||||
// h.setRcode(rcode);
|
|
||||||
// h.setFlag(Flags.QR);
|
|
||||||
// m.setQuestion(message.getQuestion());
|
|
||||||
// m.setOPT(message.getOPT());
|
|
||||||
//
|
|
||||||
// return m;
|
|
||||||
// }
|
|
||||||
|
|
||||||
public static int parseInt(String s, int def)
|
public static int parseInt(String s, int def)
|
||||||
{
|
{
|
||||||
if (s == null) return def;
|
if (s == null) return def;
|
||||||
@ -123,25 +93,21 @@ public class Util
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public static List parseConfigPrefix(Properties config, String prefix)
|
public static List<ConfigEntry> parseConfigPrefix(Properties config, String prefix)
|
||||||
{
|
{
|
||||||
if (! prefix.endsWith("."))
|
if (! prefix.endsWith("."))
|
||||||
{
|
{
|
||||||
prefix = prefix + ".";
|
prefix = prefix + ".";
|
||||||
}
|
}
|
||||||
|
|
||||||
List res = new ArrayList();
|
List<ConfigEntry> res = new ArrayList<ConfigEntry>();
|
||||||
|
|
||||||
for (Iterator i = config.entrySet().iterator(); i.hasNext(); )
|
for (Map.Entry<Object, Object> entry : config.entrySet()) {
|
||||||
{
|
String key = (String) entry.getKey();
|
||||||
Map.Entry entry = (Map.Entry) i.next();
|
if (key.startsWith(prefix)) {
|
||||||
String key = (String) entry.getKey();
|
key = key.substring(prefix.length());
|
||||||
if (key.startsWith(prefix))
|
res.add(new ConfigEntry(key, (String) entry.getValue()));
|
||||||
{
|
}
|
||||||
key = key.substring(prefix.length());
|
|
||||||
|
|
||||||
res.add(new ConfigEntry(key, (String) entry.getValue()));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return res;
|
return res;
|
||||||
|
@ -45,26 +45,40 @@ public class ValUtils {
|
|||||||
// validation strategy. They have no bearing on the iterative resolution
|
// validation strategy. They have no bearing on the iterative resolution
|
||||||
// algorithm, so they are confined here.
|
// algorithm, so they are confined here.
|
||||||
|
|
||||||
/** Not subtyped yet. */
|
public enum ResponseType {
|
||||||
public static final int UNTYPED = 0;
|
UNTYPED, // not sub typed yet
|
||||||
|
UNKNOWN, // not a recognized sub type
|
||||||
/** Not a recognized subtype. */
|
POSITIVE, // a positive response (no CNAME/DNAME chain)
|
||||||
public static final int UNKNOWN = 1;
|
CNAME, // a positive response with a CNAME/DNAME chain.
|
||||||
|
NODATA, // a NOERROR/NODATA response
|
||||||
/** A postive, direct, response. */
|
NAMEERROR, // a NXDOMAIN response
|
||||||
public static final int POSITIVE = 2;
|
ANY, // a response to a qtype=ANY query
|
||||||
|
REFERRAL,
|
||||||
/** A postive response, with a CNAME/DNAME chain. */
|
// a referral response
|
||||||
public static final int CNAME = 3;
|
THROWAWAY
|
||||||
|
// a throwaway response (i.e., an error)
|
||||||
/** A NOERROR/NODATA response. */
|
}
|
||||||
public static final int NODATA = 4;
|
|
||||||
|
// /** Not subtyped yet. */
|
||||||
/** A NXDOMAIN response. */
|
// public static final int UNTYPED = 0;
|
||||||
public static final int NAMEERROR = 5;
|
//
|
||||||
|
// /** Not a recognized subtype. */
|
||||||
/** A response to a qtype=ANY query. */
|
// public static final int UNKNOWN = 1;
|
||||||
public static final int ANY = 6;
|
//
|
||||||
|
// /** A postive, direct, response. */
|
||||||
|
// public static final int POSITIVE = 2;
|
||||||
|
//
|
||||||
|
// /** A postive response, with a CNAME/DNAME chain. */
|
||||||
|
// public static final int CNAME = 3;
|
||||||
|
//
|
||||||
|
// /** A NOERROR/NODATA response. */
|
||||||
|
// public static final int NODATA = 4;
|
||||||
|
//
|
||||||
|
// /** A NXDOMAIN response. */
|
||||||
|
// public static final int NAMEERROR = 5;
|
||||||
|
//
|
||||||
|
// /** A response to a qtype=ANY query. */
|
||||||
|
// public static final int ANY = 6;
|
||||||
|
|
||||||
/** A local copy of the verifier object. */
|
/** A local copy of the verifier object. */
|
||||||
private DnsSecVerifier mVerifier;
|
private DnsSecVerifier mVerifier;
|
||||||
@ -81,18 +95,38 @@ public class ValUtils {
|
|||||||
*
|
*
|
||||||
* @return A subtype ranging from UNKNOWN to NAMEERROR.
|
* @return A subtype ranging from UNKNOWN to NAMEERROR.
|
||||||
*/
|
*/
|
||||||
public static int classifyResponse(SMessage m) {
|
public static ResponseType classifyResponse(SMessage m, Name zone) {
|
||||||
|
|
||||||
|
SRRset[] rrsets;
|
||||||
// Normal Name Error's are easy to detect -- but don't mistake a CNAME
|
// Normal Name Error's are easy to detect -- but don't mistake a CNAME
|
||||||
// chain ending in NXDOMAIN.
|
// chain ending in NXDOMAIN.
|
||||||
if (m.getRcode() == Rcode.NXDOMAIN && m.getCount(Section.ANSWER) == 0) {
|
if (m.getRcode() == Rcode.NXDOMAIN && m.getCount(Section.ANSWER) == 0) {
|
||||||
return NAMEERROR;
|
return ResponseType.NAMEERROR;
|
||||||
|
}
|
||||||
|
|
||||||
|
// If rcode isn't NXDOMAIN or NOERROR, it is a throwaway response.
|
||||||
|
if (m.getRcode() != Rcode.NOERROR) {
|
||||||
|
return ResponseType.THROWAWAY;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Next is REFERRAL. These are distinguished by having:
|
||||||
|
// 1) nothing in the ANSWER section
|
||||||
|
// 2) an NS RRset in the AUTHORITY section that is a strict subdomain of
|
||||||
|
// 'zone' (the presumed queried zone).
|
||||||
|
if (zone != null && m.getCount(Section.ANSWER) == 0
|
||||||
|
&& m.getCount(Section.AUTHORITY) > 0) {
|
||||||
|
rrsets = m.getSectionRRsets(Section.AUTHORITY);
|
||||||
|
for (int i = 0; i < rrsets.length; ++i) {
|
||||||
|
if (rrsets[i].getType() == Type.NS
|
||||||
|
&& strictSubdomain(rrsets[i].getName(), zone)) {
|
||||||
|
return ResponseType.REFERRAL;
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Next is NODATA
|
// Next is NODATA
|
||||||
// st_log.debug("classifyResponse: ancount = " +
|
|
||||||
// m.getCount(Section.ANSWER));
|
|
||||||
if (m.getCount(Section.ANSWER) == 0) {
|
if (m.getCount(Section.ANSWER) == 0) {
|
||||||
return NODATA;
|
return ResponseType.NODATA;
|
||||||
}
|
}
|
||||||
|
|
||||||
// We distinguish between CNAME response and other positive/negative
|
// We distinguish between CNAME response and other positive/negative
|
||||||
@ -100,23 +134,22 @@ public class ValUtils {
|
|||||||
int qtype = m.getQuestion().getType();
|
int qtype = m.getQuestion().getType();
|
||||||
|
|
||||||
// We distinguish between ANY and CNAME or POSITIVE because ANY
|
// We distinguish between ANY and CNAME or POSITIVE because ANY
|
||||||
// responses
|
// responses are validated differently.
|
||||||
// are validated differently.
|
|
||||||
if (qtype == Type.ANY) {
|
if (qtype == Type.ANY) {
|
||||||
return ANY;
|
return ResponseType.ANY;
|
||||||
}
|
}
|
||||||
|
|
||||||
SRRset[] rrsets = m.getSectionRRsets(Section.ANSWER);
|
rrsets = m.getSectionRRsets(Section.ANSWER);
|
||||||
|
|
||||||
// Note that DNAMEs will be ignored here, unless qtype=DNAME. Unless
|
// Note that DNAMEs will be ignored here, unless qtype=DNAME. Unless
|
||||||
// qtype=CNAME, this will yield a CNAME response.
|
// qtype=CNAME, this will yield a CNAME response.
|
||||||
for (int i = 0; i < rrsets.length; i++) {
|
for (int i = 0; i < rrsets.length; i++) {
|
||||||
if (rrsets[i].getType() == qtype) return POSITIVE;
|
if (rrsets[i].getType() == qtype) return ResponseType.POSITIVE;
|
||||||
if (rrsets[i].getType() == Type.CNAME) return CNAME;
|
if (rrsets[i].getType() == Type.CNAME) return ResponseType.CNAME;
|
||||||
}
|
}
|
||||||
|
|
||||||
// st_log.warn("Failed to classify response message:\n" + m);
|
// st_log.warn("Failed to classify response message:\n" + m);
|
||||||
return UNKNOWN;
|
return ResponseType.UNKNOWN;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -126,162 +159,25 @@ public class ValUtils {
|
|||||||
*
|
*
|
||||||
* @param m
|
* @param m
|
||||||
* The response to analyze.
|
* The response to analyze.
|
||||||
* @param request
|
|
||||||
* The request that generated the response.
|
|
||||||
* @return a signer name, if the response is signed (even partially), or
|
* @return a signer name, if the response is signed (even partially), or
|
||||||
* null if the response isn't signed.
|
* null if the response isn't signed.
|
||||||
*/
|
*/
|
||||||
public Name findSigner(SMessage m) {
|
public Name findSigner(SMessage m) {
|
||||||
int subtype = classifyResponse(m);
|
// FIXME: this used to classify the message, then look in the pertinent
|
||||||
Name qname = m.getQName();
|
// section. Now we just find the first RRSIG in the ANSWER and AUTHORIY
|
||||||
|
// sections.
|
||||||
|
|
||||||
SRRset[] rrsets;
|
for (int section = Section.ANSWER; section < Section.ADDITIONAL; ++section) {
|
||||||
|
SRRset[] rrsets = m.getSectionRRsets(section);
|
||||||
switch (subtype) {
|
for (int i = 0; i < rrsets.length; ++i) {
|
||||||
case POSITIVE:
|
Name signerName = rrsets[i].getSignerName();
|
||||||
case CNAME:
|
if (signerName != null) return signerName;
|
||||||
case ANY:
|
|
||||||
// Check to see if the ANSWER section RRset
|
|
||||||
rrsets = m.getSectionRRsets(Section.ANSWER);
|
|
||||||
for (int i = 0; i < rrsets.length; i++) {
|
|
||||||
if (rrsets[i].getName().equals(qname)) {
|
|
||||||
return rrsets[i].getSignerName();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return null;
|
|
||||||
|
|
||||||
case NAMEERROR:
|
|
||||||
case NODATA:
|
|
||||||
// Check to see if the AUTH section NSEC record(s) have rrsigs
|
|
||||||
rrsets = m.getSectionRRsets(Section.AUTHORITY);
|
|
||||||
for (int i = 0; i < rrsets.length; i++) {
|
|
||||||
if (rrsets[i].getType() == Type.NSEC
|
|
||||||
|| rrsets[i].getType() == Type.NSEC3) {
|
|
||||||
return rrsets[i].getSignerName();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return null;
|
|
||||||
default:
|
|
||||||
// log.debug("findSigner: could not find signer name "
|
|
||||||
// + "for unknown type response.");
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
public boolean dssetIsUsable(SRRset ds_rrset) {
|
|
||||||
for (Iterator i = ds_rrset.rrs(); i.hasNext();) {
|
|
||||||
DSRecord ds = (DSRecord) i.next();
|
|
||||||
if (supportsDigestID(ds.getDigestID())
|
|
||||||
&& mVerifier.supportsAlgorithm(ds.getAlgorithm())) {
|
|
||||||
return true;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return null;
|
||||||
return false;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Given a DS rrset and a DNSKEY rrset, match the DS to a DNSKEY and verify
|
|
||||||
* the DNSKEY rrset with that key.
|
|
||||||
*
|
|
||||||
* @param dnskey_rrset
|
|
||||||
* The DNSKEY rrset to match against. The security status of this
|
|
||||||
* rrset will be updated on a successful verification.
|
|
||||||
* @param ds_rrset
|
|
||||||
* The DS rrset to match with. This rrset must already be
|
|
||||||
* trusted.
|
|
||||||
*
|
|
||||||
* @return a KeyEntry. This will either contain the now trusted
|
|
||||||
* dnskey_rrset, a "null" key entry indicating that this DS
|
|
||||||
* rrset/DNSKEY pair indicate an secure end to the island of trust
|
|
||||||
* (i.e., unknown algorithms), or a "bad" KeyEntry if the dnskey
|
|
||||||
* rrset fails to verify. Note that the "null" response should
|
|
||||||
* generally only occur in a private algorithm scenario: normally
|
|
||||||
* this sort of thing is checked before fetching the matching DNSKEY
|
|
||||||
* rrset.
|
|
||||||
*/
|
|
||||||
// public KeyEntry verifyNewDNSKEYs(SRRset dnskey_rrset, SRRset ds_rrset)
|
|
||||||
// {
|
|
||||||
// if (!dnskey_rrset.getName().equals(ds_rrset.getName()))
|
|
||||||
// {
|
|
||||||
// // log.debug("DNSKEY RRset did not match DS RRset by name!");
|
|
||||||
// return KeyEntry
|
|
||||||
// .newBadKeyEntry(ds_rrset.getName(), ds_rrset.getDClass());
|
|
||||||
// }
|
|
||||||
//
|
|
||||||
// // as long as this is false, we can consider this DS rrset to be
|
|
||||||
// // equivalent to no DS rrset.
|
|
||||||
// boolean hasUsefulDS = false;
|
|
||||||
//
|
|
||||||
// for (Iterator i = ds_rrset.rrs(); i.hasNext();)
|
|
||||||
// {
|
|
||||||
// DSRecord ds = (DSRecord) i.next();
|
|
||||||
//
|
|
||||||
// // Check to see if we can understand this DS.
|
|
||||||
// if (!supportsDigestID(ds.getDigestID())
|
|
||||||
// || !mVerifier.supportsAlgorithm(ds.getAlgorithm()))
|
|
||||||
// {
|
|
||||||
// continue;
|
|
||||||
// }
|
|
||||||
//
|
|
||||||
// // Once we see a single DS with a known digestID and algorithm, we
|
|
||||||
// // cannot return INSECURE (with a "null" KeyEntry).
|
|
||||||
// hasUsefulDS = true;
|
|
||||||
//
|
|
||||||
// DNSKEY : for (Iterator j = dnskey_rrset.rrs(); j.hasNext();)
|
|
||||||
// {
|
|
||||||
// DNSKEYRecord dnskey = (DNSKEYRecord) j.next();
|
|
||||||
//
|
|
||||||
// // Skip DNSKEYs that don't match the basic criteria.
|
|
||||||
// if (ds.getFootprint() != dnskey.getFootprint()
|
|
||||||
// || ds.getAlgorithm() != dnskey.getAlgorithm())
|
|
||||||
// {
|
|
||||||
// continue;
|
|
||||||
// }
|
|
||||||
//
|
|
||||||
// // Convert the candidate DNSKEY into a hash using the same DS hash
|
|
||||||
// // algorithm.
|
|
||||||
// byte[] key_hash = calculateDSHash(dnskey, ds.getDigestID());
|
|
||||||
// byte[] ds_hash = ds.getDigest();
|
|
||||||
//
|
|
||||||
// // see if there is a length mismatch (unlikely)
|
|
||||||
// if (key_hash.length != ds_hash.length)
|
|
||||||
// {
|
|
||||||
// continue DNSKEY;
|
|
||||||
// }
|
|
||||||
//
|
|
||||||
// for (int k = 0; k < key_hash.length; k++)
|
|
||||||
// {
|
|
||||||
// if (key_hash[k] != ds_hash[k]) continue DNSKEY;
|
|
||||||
// }
|
|
||||||
//
|
|
||||||
// // Otherwise, we have a match! Make sure that the DNSKEY verifies
|
|
||||||
// // *with this key*.
|
|
||||||
// byte res = mVerifier.verify(dnskey_rrset, dnskey);
|
|
||||||
// if (res == SecurityStatus.SECURE)
|
|
||||||
// {
|
|
||||||
// // log.trace("DS matched DNSKEY.");
|
|
||||||
// dnskey_rrset.setSecurityStatus(SecurityStatus.SECURE);
|
|
||||||
// return KeyEntry.newKeyEntry(dnskey_rrset);
|
|
||||||
// }
|
|
||||||
// // If it didn't validate with the DNSKEY, try the next one!
|
|
||||||
// }
|
|
||||||
// }
|
|
||||||
//
|
|
||||||
// // None of the DS's worked out.
|
|
||||||
//
|
|
||||||
// // If no DSs were understandable, then this is OK.
|
|
||||||
// if (!hasUsefulDS)
|
|
||||||
// {
|
|
||||||
// //
|
|
||||||
// log.debug("No usuable DS records were found -- treating as insecure.");
|
|
||||||
// return KeyEntry.newNullKeyEntry(ds_rrset.getName(), ds_rrset
|
|
||||||
// .getDClass(), ds_rrset.getTTL());
|
|
||||||
// }
|
|
||||||
// // If any were understandable, then it is bad.
|
|
||||||
// // log.debug("Failed to match any usable DS to a DNSKEY.");
|
|
||||||
// return KeyEntry.newBadKeyEntry(ds_rrset.getName(), ds_rrset.getDClass());
|
|
||||||
// }
|
|
||||||
/**
|
/**
|
||||||
* Given a DNSKEY record, generate the DS record from it.
|
* Given a DNSKEY record, generate the DS record from it.
|
||||||
*
|
*
|
||||||
@ -406,9 +302,9 @@ public class ValUtils {
|
|||||||
* @return The status (BOGUS or SECURE).
|
* @return The status (BOGUS or SECURE).
|
||||||
*/
|
*/
|
||||||
public byte verifySRRset(SRRset rrset, SRRset key_rrset) {
|
public byte verifySRRset(SRRset rrset, SRRset key_rrset) {
|
||||||
String rrset_name = rrset.getName() + "/"
|
// String rrset_name = rrset.getName() + "/"
|
||||||
+ Type.string(rrset.getType()) + "/"
|
// + Type.string(rrset.getType()) + "/"
|
||||||
+ DClass.string(rrset.getDClass());
|
// + DClass.string(rrset.getDClass());
|
||||||
|
|
||||||
if (rrset.getSecurityStatus() == SecurityStatus.SECURE) {
|
if (rrset.getSecurityStatus() == SecurityStatus.SECURE) {
|
||||||
// log.trace("verifySRRset: rrset <" + rrset_name
|
// log.trace("verifySRRset: rrset <" + rrset_name
|
||||||
@ -433,7 +329,7 @@ public class ValUtils {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Determine if a given type map has a given typ.
|
* Determine if a given type map has a given type.
|
||||||
*
|
*
|
||||||
* @param types
|
* @param types
|
||||||
* The type map from the NSEC record.
|
* The type map from the NSEC record.
|
||||||
@ -448,6 +344,7 @@ public class ValUtils {
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@SuppressWarnings("unchecked")
|
||||||
public static RRSIGRecord rrsetFirstSig(RRset rrset) {
|
public static RRSIGRecord rrsetFirstSig(RRset rrset) {
|
||||||
for (Iterator i = rrset.sigs(); i.hasNext();) {
|
for (Iterator i = rrset.sigs(); i.hasNext();) {
|
||||||
return (RRSIGRecord) i.next();
|
return (RRSIGRecord) i.next();
|
||||||
@ -517,7 +414,7 @@ public class ValUtils {
|
|||||||
* generating wildcard.
|
* generating wildcard.
|
||||||
*
|
*
|
||||||
* @param rrset
|
* @param rrset
|
||||||
* The rrset to chedck.
|
* The rrset to check.
|
||||||
* @return the wildcard name, if the rrset was synthesized from a wildcard.
|
* @return the wildcard name, if the rrset was synthesized from a wildcard.
|
||||||
* null if not.
|
* null if not.
|
||||||
*/
|
*/
|
||||||
@ -577,14 +474,11 @@ public class ValUtils {
|
|||||||
|
|
||||||
// If NSEC is a parent of qname, we need to check the type map
|
// If NSEC is a parent of qname, we need to check the type map
|
||||||
// If the parent name has a DNAME or is a delegation point, then this
|
// If the parent name has a DNAME or is a delegation point, then this
|
||||||
// NSEC
|
// NSEC is being misused.
|
||||||
// is being misused.
|
boolean hasBadType = typeMapHasType(nsec.getTypes(), Type.DNAME)
|
||||||
if (qname.subdomain(owner)
|
|| (typeMapHasType(nsec.getTypes(), Type.NS) && !typeMapHasType(nsec.getTypes(),
|
||||||
&& (typeMapHasType(nsec.getTypes(), Type.DNAME) || (typeMapHasType(
|
Type.SOA));
|
||||||
nsec.getTypes(),
|
if (qname.subdomain(owner) && hasBadType) {
|
||||||
Type.NS) && !typeMapHasType(
|
|
||||||
nsec.getTypes(),
|
|
||||||
Type.SOA)))) {
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user