remove some warnings by using java 5 features
This commit is contained in:
parent
c43169bc24
commit
1f647e3c77
@ -298,6 +298,14 @@ public class CaptiveValidator {
|
||||
m.setStatus(SecurityStatus.SECURE);
|
||||
}
|
||||
|
||||
private void validateReferral(SMessage message, SRRset key_rrset) {
|
||||
|
||||
}
|
||||
|
||||
private void validateCNAMEResponse(SMessage message, SRRset key_rrset) {
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* Given an "ANY" response -- a response that contains an answer to a
|
||||
* qtype==ANY question, with answers. This consists of simply verifying all
|
||||
@ -675,34 +683,38 @@ public class CaptiveValidator {
|
||||
// }
|
||||
|
||||
|
||||
public byte validateMessage(SMessage message) {
|
||||
public byte validateMessage(SMessage message, Name zone) {
|
||||
|
||||
SRRset key_rrset = findKeys(message);
|
||||
if (key_rrset == null) {
|
||||
return SecurityStatus.BOGUS;
|
||||
}
|
||||
|
||||
int subtype = ValUtils.classifyResponse(message);
|
||||
ValUtils.ResponseType subtype = ValUtils.classifyResponse(message, zone);
|
||||
|
||||
switch (subtype) {
|
||||
case ValUtils.POSITIVE:
|
||||
case POSITIVE:
|
||||
// log.trace("Validating a positive response");
|
||||
validatePositiveResponse(message, key_rrset);
|
||||
break;
|
||||
case ValUtils.NODATA:
|
||||
case REFERRAL:
|
||||
validateReferral(message, key_rrset);
|
||||
break;
|
||||
case NODATA:
|
||||
// log.trace("Validating a nodata response");
|
||||
validateNodataResponse(message, key_rrset);
|
||||
break;
|
||||
case ValUtils.NAMEERROR:
|
||||
case NAMEERROR:
|
||||
// log.trace("Validating a nxdomain response");
|
||||
validateNameErrorResponse(message, key_rrset);
|
||||
break;
|
||||
case ValUtils.CNAME:
|
||||
case CNAME:
|
||||
// log.trace("Validating a cname response");
|
||||
// forward on to the special CNAME state for this.
|
||||
// state.state = ValEventState.CNAME_STATE;
|
||||
validateCNAMEResponse(message, key_rrset);
|
||||
break;
|
||||
case ValUtils.ANY:
|
||||
case ANY:
|
||||
// log.trace("Validating a postive ANY response");
|
||||
validateAnyResponse(message, key_rrset);
|
||||
break;
|
||||
|
@ -1,7 +1,5 @@
|
||||
/*
|
||||
* $Id$
|
||||
*
|
||||
* Copyright (c) 2005 VeriSign, Inc. All rights reserved.
|
||||
* Copyright (c) 2009 VeriSign, Inc. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -56,7 +54,7 @@ public class DnsSecVerifier
|
||||
* This is a mapping of DNSSEC algorithm numbers/private identifiers to JCA
|
||||
* algorithm identifiers.
|
||||
*/
|
||||
private HashMap mAlgorithmMap;
|
||||
private HashMap<Integer, AlgEntry> mAlgorithmMap;
|
||||
|
||||
private static class AlgEntry
|
||||
{
|
||||
@ -74,7 +72,7 @@ public class DnsSecVerifier
|
||||
|
||||
public DnsSecVerifier()
|
||||
{
|
||||
mAlgorithmMap = new HashMap();
|
||||
mAlgorithmMap = new HashMap<Integer, AlgEntry>();
|
||||
|
||||
// set the default algorithm map.
|
||||
mAlgorithmMap.put(new Integer(DNSSEC.RSAMD5), new AlgEntry("MD5withRSA",
|
||||
@ -105,12 +103,9 @@ public class DnsSecVerifier
|
||||
|
||||
// For now, we just accept new identifiers for existing algoirthms.
|
||||
// FIXME: handle private identifiers.
|
||||
List aliases = Util.parseConfigPrefix(config, "dns.algorithm.");
|
||||
|
||||
for (Iterator i = aliases.iterator(); i.hasNext();)
|
||||
{
|
||||
Util.ConfigEntry entry = (Util.ConfigEntry) i.next();
|
||||
List<Util.ConfigEntry> aliases = Util.parseConfigPrefix(config, "dns.algorithm.");
|
||||
|
||||
for (Util.ConfigEntry entry : aliases) {
|
||||
Integer alg_alias = new Integer(Util.parseInt(entry.key, -1));
|
||||
Integer alg_orig = new Integer(Util.parseInt(entry.value, -1));
|
||||
|
||||
@ -132,16 +127,14 @@ public class DnsSecVerifier
|
||||
}
|
||||
|
||||
// for debugging purposes, log the entire algorithm map table.
|
||||
for (Iterator i = mAlgorithmMap.keySet().iterator(); i.hasNext(); )
|
||||
{
|
||||
Integer alg = (Integer) i.next();
|
||||
AlgEntry entry = (AlgEntry) mAlgorithmMap.get(alg);
|
||||
// for (Integer alg : mAlgorithmMap.keySet()) {
|
||||
// AlgEntry entry = mAlgorithmMap.get(alg);
|
||||
// if (entry == null)
|
||||
// log.warn("DNSSEC alg " + alg + " has a null entry!");
|
||||
// else
|
||||
// log.debug("DNSSEC alg " + alg + " maps to " + entry.jcaName
|
||||
// + " (" + entry.dnssecAlg + ")");
|
||||
}
|
||||
// }
|
||||
}
|
||||
|
||||
/**
|
||||
@ -154,7 +147,8 @@ public class DnsSecVerifier
|
||||
* @return A List contains a one or more DNSKEYRecord objects, or null if a
|
||||
* matching DNSKEY could not be found.
|
||||
*/
|
||||
private List findKey(RRset dnskey_rrset, RRSIGRecord signature)
|
||||
@SuppressWarnings("unchecked")
|
||||
private List<DNSKEYRecord> findKey(RRset dnskey_rrset, RRSIGRecord signature)
|
||||
{
|
||||
if (!signature.getSigner().equals(dnskey_rrset.getName()))
|
||||
{
|
||||
@ -167,7 +161,7 @@ public class DnsSecVerifier
|
||||
int keyid = signature.getFootprint();
|
||||
int alg = signature.getAlgorithm();
|
||||
|
||||
List res = new ArrayList(dnskey_rrset.size());
|
||||
List<DNSKEYRecord> res = new ArrayList<DNSKEYRecord>(dnskey_rrset.size());
|
||||
|
||||
for (Iterator i = dnskey_rrset.rrs(); i.hasNext();)
|
||||
{
|
||||
@ -325,7 +319,7 @@ public class DnsSecVerifier
|
||||
byte result = checkSignature(rrset, sigrec);
|
||||
if (result != SecurityStatus.SECURE) return result;
|
||||
|
||||
List keys = findKey(key_rrset, sigrec);
|
||||
List<DNSKEYRecord> keys = findKey(key_rrset, sigrec);
|
||||
|
||||
if (keys == null)
|
||||
{
|
||||
@ -335,9 +329,7 @@ public class DnsSecVerifier
|
||||
|
||||
byte status = SecurityStatus.UNCHECKED;
|
||||
|
||||
for (Iterator i = keys.iterator(); i.hasNext();)
|
||||
{
|
||||
DNSKEYRecord key = (DNSKEYRecord) i.next();
|
||||
for (DNSKEYRecord key : keys) {
|
||||
status = verifySignature(rrset, sigrec, key);
|
||||
|
||||
if (status == SecurityStatus.SECURE) break;
|
||||
@ -354,7 +346,8 @@ public class DnsSecVerifier
|
||||
* @return SecurityStatus.SECURE if the rrest verified positively,
|
||||
* SecurityStatus.BOGUS otherwise.
|
||||
*/
|
||||
public byte verify(RRset rrset, RRset key_rrset)
|
||||
@SuppressWarnings("unchecked")
|
||||
public byte verify(RRset rrset, RRset key_rrset)
|
||||
{
|
||||
Iterator i = rrset.sigs();
|
||||
|
||||
@ -386,7 +379,8 @@ public class DnsSecVerifier
|
||||
* @param dnskey The DNSKEY to verify with.
|
||||
* @return SecurityStatus.SECURE if the rrset verified, BOGUS otherwise.
|
||||
*/
|
||||
public byte verify(RRset rrset, DNSKEYRecord dnskey)
|
||||
@SuppressWarnings("unchecked")
|
||||
public byte verify(RRset rrset, DNSKEYRecord dnskey)
|
||||
{
|
||||
// Iterate over RRSIGS
|
||||
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -36,369 +36,324 @@ import org.xbill.DNS.*;
|
||||
/**
|
||||
* This class represents a DNS message with resolver/validator state.
|
||||
*/
|
||||
public class SMessage
|
||||
{
|
||||
private Header mHeader;
|
||||
public class SMessage {
|
||||
private Header mHeader;
|
||||
|
||||
private Record mQuestion;
|
||||
private OPTRecord mOPTRecord;
|
||||
private List[] mSection;
|
||||
private SecurityStatus mSecurityStatus;
|
||||
private Record mQuestion;
|
||||
private OPTRecord mOPTRecord;
|
||||
private List<SRRset>[] mSection;
|
||||
private SecurityStatus mSecurityStatus;
|
||||
|
||||
private static SRRset[] empty_srrset_array = new SRRset[0];
|
||||
private static SRRset[] empty_srrset_array = new SRRset[0];
|
||||
|
||||
public SMessage(Header h)
|
||||
{
|
||||
mSection = new List[3];
|
||||
mHeader = h;
|
||||
mSecurityStatus = new SecurityStatus();
|
||||
}
|
||||
|
||||
public SMessage(int id)
|
||||
{
|
||||
this(new Header(id));
|
||||
}
|
||||
|
||||
public SMessage()
|
||||
{
|
||||
this(new Header(0));
|
||||
}
|
||||
|
||||
public SMessage(Message m)
|
||||
{
|
||||
this(m.getHeader());
|
||||
mQuestion = m.getQuestion();
|
||||
mOPTRecord = m.getOPT();
|
||||
|
||||
for (int i = Section.ANSWER; i <= Section.ADDITIONAL; i++)
|
||||
{
|
||||
RRset[] rrsets = m.getSectionRRsets(i);
|
||||
|
||||
for (int j = 0; j < rrsets.length; j++)
|
||||
{
|
||||
addRRset(rrsets[j], i);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public Header getHeader()
|
||||
{
|
||||
return mHeader;
|
||||
}
|
||||
|
||||
public void setHeader(Header h)
|
||||
{
|
||||
mHeader = h;
|
||||
}
|
||||
|
||||
public void setQuestion(Record r)
|
||||
{
|
||||
mQuestion = r;
|
||||
}
|
||||
|
||||
public Record getQuestion()
|
||||
{
|
||||
return mQuestion;
|
||||
}
|
||||
|
||||
public Name getQName() {
|
||||
return getQuestion().getName();
|
||||
}
|
||||
|
||||
public int getQType() {
|
||||
return getQuestion().getType();
|
||||
}
|
||||
|
||||
public int getQClass() {
|
||||
return getQuestion().getDClass();
|
||||
}
|
||||
|
||||
public void setOPT(OPTRecord r)
|
||||
{
|
||||
mOPTRecord = r;
|
||||
}
|
||||
|
||||
public OPTRecord getOPT()
|
||||
{
|
||||
return mOPTRecord;
|
||||
}
|
||||
|
||||
public List getSectionList(int section)
|
||||
{
|
||||
if (section <= Section.QUESTION || section > Section.ADDITIONAL)
|
||||
throw new IllegalArgumentException("Invalid section.");
|
||||
|
||||
if (mSection[section - 1] == null)
|
||||
{
|
||||
mSection[section - 1] = new LinkedList();
|
||||
@SuppressWarnings("unchecked")
|
||||
public SMessage(Header h) {
|
||||
mSection = (List<SRRset>[]) new List[3];
|
||||
mHeader = h;
|
||||
mSecurityStatus = new SecurityStatus();
|
||||
}
|
||||
|
||||
return mSection[section - 1];
|
||||
}
|
||||
|
||||
public void addRRset(SRRset srrset, int section)
|
||||
{
|
||||
if (section <= Section.QUESTION || section > Section.ADDITIONAL)
|
||||
throw new IllegalArgumentException("Invalid section");
|
||||
|
||||
if (srrset.getType() == Type.OPT)
|
||||
{
|
||||
mOPTRecord = (OPTRecord) srrset.first();
|
||||
return;
|
||||
public SMessage(int id) {
|
||||
this(new Header(id));
|
||||
}
|
||||
|
||||
List sectionList = getSectionList(section);
|
||||
sectionList.add(srrset);
|
||||
}
|
||||
|
||||
public void addRRset(RRset rrset, int section)
|
||||
{
|
||||
if (rrset instanceof SRRset)
|
||||
{
|
||||
addRRset((SRRset) rrset, section);
|
||||
return;
|
||||
public SMessage() {
|
||||
this(new Header(0));
|
||||
}
|
||||
|
||||
SRRset srrset = new SRRset(rrset);
|
||||
addRRset(srrset, section);
|
||||
}
|
||||
public SMessage(Message m) {
|
||||
this(m.getHeader());
|
||||
mQuestion = m.getQuestion();
|
||||
mOPTRecord = m.getOPT();
|
||||
|
||||
public void prependRRsets(List rrsets, int section)
|
||||
{
|
||||
if (section <= Section.QUESTION || section > Section.ADDITIONAL)
|
||||
throw new IllegalArgumentException("Invalid section");
|
||||
for (int i = Section.ANSWER; i <= Section.ADDITIONAL; i++) {
|
||||
RRset[] rrsets = m.getSectionRRsets(i);
|
||||
|
||||
List sectionList = getSectionList(section);
|
||||
sectionList.addAll(0, rrsets);
|
||||
}
|
||||
|
||||
public SRRset[] getSectionRRsets(int section)
|
||||
{
|
||||
List slist = getSectionList(section);
|
||||
|
||||
return (SRRset[]) slist.toArray(empty_srrset_array);
|
||||
}
|
||||
|
||||
public SRRset[] getSectionRRsets(int section, int qtype)
|
||||
{
|
||||
List slist = getSectionList(section);
|
||||
|
||||
if (slist.size() == 0) return new SRRset[0];
|
||||
|
||||
ArrayList result = new ArrayList(slist.size());
|
||||
for (Iterator i = slist.iterator(); i.hasNext();)
|
||||
{
|
||||
SRRset rrset = (SRRset) i.next();
|
||||
if (rrset.getType() == qtype) result.add(rrset);
|
||||
}
|
||||
|
||||
return (SRRset[]) result.toArray(empty_srrset_array);
|
||||
}
|
||||
|
||||
public void deleteRRset(SRRset rrset, int section)
|
||||
{
|
||||
List slist = getSectionList(section);
|
||||
|
||||
if (slist.size() == 0) return;
|
||||
|
||||
slist.remove(rrset);
|
||||
}
|
||||
|
||||
public void clear(int section)
|
||||
{
|
||||
if (section < Section.QUESTION || section > Section.ADDITIONAL)
|
||||
throw new IllegalArgumentException("Invalid section.");
|
||||
|
||||
if (section == Section.QUESTION)
|
||||
{
|
||||
mQuestion = null;
|
||||
return;
|
||||
}
|
||||
if (section == Section.ADDITIONAL)
|
||||
{
|
||||
mOPTRecord = null;
|
||||
}
|
||||
|
||||
mSection[section - 1] = null;
|
||||
}
|
||||
|
||||
public void clear()
|
||||
{
|
||||
for (int s = Section.QUESTION; s <= Section.ADDITIONAL; s++)
|
||||
{
|
||||
clear(s);
|
||||
}
|
||||
}
|
||||
|
||||
public int getRcode()
|
||||
{
|
||||
// FIXME: might want to do what Message does and handle extended rcodes.
|
||||
return mHeader.getRcode();
|
||||
}
|
||||
|
||||
public int getStatus()
|
||||
{
|
||||
return mSecurityStatus.getStatus();
|
||||
}
|
||||
|
||||
public void setStatus(byte status)
|
||||
{
|
||||
mSecurityStatus.setStatus(status);
|
||||
}
|
||||
|
||||
public SecurityStatus getSecurityStatus()
|
||||
{
|
||||
return mSecurityStatus;
|
||||
}
|
||||
public void setSecurityStatus(SecurityStatus s)
|
||||
{
|
||||
if (s == null) return;
|
||||
mSecurityStatus = s;
|
||||
}
|
||||
|
||||
public Message getMessage()
|
||||
{
|
||||
// Generate our new message.
|
||||
Message m = new Message(mHeader.getID());
|
||||
|
||||
// Convert the header
|
||||
// We do this for two reasons: 1) setCount() is package scope, so we can't
|
||||
// do that, and 2) setting the header on a message after creating the
|
||||
// message frequently gets stuff out of sync, leading to malformed wire
|
||||
// format messages.
|
||||
Header h = m.getHeader();
|
||||
h.setOpcode(mHeader.getOpcode());
|
||||
h.setRcode(mHeader.getRcode());
|
||||
for (int i = 0; i < 16; i++)
|
||||
{
|
||||
if (Flags.isFlag(i)) {
|
||||
if (mHeader.getFlag(i)) {
|
||||
h.setFlag(i);
|
||||
} else {
|
||||
h.unsetFlag(i);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Add all the records. -- this will set the counts correctly in the
|
||||
// message header.
|
||||
|
||||
if (mQuestion != null)
|
||||
{
|
||||
m.addRecord(mQuestion, Section.QUESTION);
|
||||
}
|
||||
|
||||
for (int sec = Section.ANSWER; sec <= Section.ADDITIONAL; sec++)
|
||||
{
|
||||
List slist = getSectionList(sec);
|
||||
for (Iterator i = slist.iterator(); i.hasNext();)
|
||||
{
|
||||
SRRset rrset = (SRRset) i.next();
|
||||
for (Iterator j = rrset.rrs(); j.hasNext();)
|
||||
{
|
||||
m.addRecord((Record) j.next(), sec);
|
||||
for (int j = 0; j < rrsets.length; j++) {
|
||||
addRRset(rrsets[j], i);
|
||||
}
|
||||
}
|
||||
for (Iterator j = rrset.sigs(); j.hasNext();)
|
||||
{
|
||||
m.addRecord((Record) j.next(), sec);
|
||||
}
|
||||
|
||||
public Header getHeader() {
|
||||
return mHeader;
|
||||
}
|
||||
|
||||
public void setHeader(Header h) {
|
||||
mHeader = h;
|
||||
}
|
||||
|
||||
public void setQuestion(Record r) {
|
||||
mQuestion = r;
|
||||
}
|
||||
|
||||
public Record getQuestion() {
|
||||
return mQuestion;
|
||||
}
|
||||
|
||||
public Name getQName() {
|
||||
return getQuestion().getName();
|
||||
}
|
||||
|
||||
public int getQType() {
|
||||
return getQuestion().getType();
|
||||
}
|
||||
|
||||
public int getQClass() {
|
||||
return getQuestion().getDClass();
|
||||
}
|
||||
|
||||
public void setOPT(OPTRecord r) {
|
||||
mOPTRecord = r;
|
||||
}
|
||||
|
||||
public OPTRecord getOPT() {
|
||||
return mOPTRecord;
|
||||
}
|
||||
|
||||
public List<SRRset> getSectionList(int section) {
|
||||
if (section <= Section.QUESTION || section > Section.ADDITIONAL)
|
||||
throw new IllegalArgumentException("Invalid section.");
|
||||
|
||||
if (mSection[section - 1] == null) {
|
||||
mSection[section - 1] = new LinkedList<SRRset>();
|
||||
}
|
||||
}
|
||||
|
||||
return (List<SRRset>) mSection[section - 1];
|
||||
}
|
||||
|
||||
if (mOPTRecord != null)
|
||||
{
|
||||
m.addRecord(mOPTRecord, Section.ADDITIONAL);
|
||||
public void addRRset(SRRset srrset, int section) {
|
||||
if (section <= Section.QUESTION || section > Section.ADDITIONAL)
|
||||
throw new IllegalArgumentException("Invalid section");
|
||||
|
||||
if (srrset.getType() == Type.OPT) {
|
||||
mOPTRecord = (OPTRecord) srrset.first();
|
||||
return;
|
||||
}
|
||||
|
||||
List<SRRset> sectionList = getSectionList(section);
|
||||
sectionList.add(srrset);
|
||||
}
|
||||
|
||||
return m;
|
||||
}
|
||||
public void addRRset(RRset rrset, int section) {
|
||||
if (rrset instanceof SRRset) {
|
||||
addRRset((SRRset) rrset, section);
|
||||
return;
|
||||
}
|
||||
|
||||
public int getCount(int section)
|
||||
{
|
||||
if (section == Section.QUESTION)
|
||||
{
|
||||
return mQuestion == null ? 0 : 1;
|
||||
}
|
||||
List sectionList = getSectionList(section);
|
||||
if (sectionList == null) return 0;
|
||||
if (sectionList.size() == 0) return 0;
|
||||
|
||||
int count = 0;
|
||||
for (Iterator i = sectionList.iterator(); i.hasNext(); )
|
||||
{
|
||||
SRRset sr = (SRRset) i.next();
|
||||
count += sr.totalSize();
|
||||
}
|
||||
return count;
|
||||
}
|
||||
|
||||
public String toString()
|
||||
{
|
||||
return getMessage().toString();
|
||||
}
|
||||
|
||||
/**
|
||||
* Find a specific (S)RRset in a given section.
|
||||
*
|
||||
* @param name the name of the RRset.
|
||||
* @param type the type of the RRset.
|
||||
* @param dclass the class of the RRset.
|
||||
* @param section the section to look in (ANSWER -> ADDITIONAL)
|
||||
*
|
||||
* @return The SRRset if found, null otherwise.
|
||||
*/
|
||||
public SRRset findRRset(Name name, int type, int dclass, int section)
|
||||
{
|
||||
if (section <= Section.QUESTION || section > Section.ADDITIONAL)
|
||||
throw new IllegalArgumentException("Invalid section.");
|
||||
|
||||
SRRset[] rrsets = getSectionRRsets(section);
|
||||
|
||||
for (int i = 0; i < rrsets.length; i++)
|
||||
{
|
||||
if (rrsets[i].getName().equals(name) && rrsets[i].getType() == type
|
||||
&& rrsets[i].getDClass() == dclass)
|
||||
{
|
||||
return rrsets[i];
|
||||
}
|
||||
SRRset srrset = new SRRset(rrset);
|
||||
addRRset(srrset, section);
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
public void prependRRsets(List<SRRset> rrsets, int section) {
|
||||
if (section <= Section.QUESTION || section > Section.ADDITIONAL)
|
||||
throw new IllegalArgumentException("Invalid section");
|
||||
|
||||
/**
|
||||
* Find an "answer" RRset. This will look for RRsets in the ANSWER section
|
||||
* that match the <qname,qtype,qclass>, taking into consideration CNAMEs.
|
||||
*
|
||||
* @param qname The starting search name.
|
||||
* @param qtype The search type.
|
||||
* @param qclass The search class.
|
||||
*
|
||||
* @return a SRRset matching the query. This SRRset may have a different
|
||||
* name from qname, due to following a CNAME chain.
|
||||
*/
|
||||
public SRRset findAnswerRRset(Name qname, int qtype, int qclass)
|
||||
{
|
||||
SRRset[] srrsets = getSectionRRsets(Section.ANSWER);
|
||||
|
||||
for (int i = 0; i < srrsets.length; i++)
|
||||
{
|
||||
if (srrsets[i].getName().equals(qname)
|
||||
&& srrsets[i].getType() == Type.CNAME)
|
||||
{
|
||||
CNAMERecord cname = (CNAMERecord) srrsets[i].first();
|
||||
qname = cname.getTarget();
|
||||
continue;
|
||||
}
|
||||
|
||||
if (srrsets[i].getName().equals(qname) && srrsets[i].getType() == qtype
|
||||
&& srrsets[i].getDClass() == qclass)
|
||||
{
|
||||
return srrsets[i];
|
||||
}
|
||||
List<SRRset> sectionList = getSectionList(section);
|
||||
sectionList.addAll(0, rrsets);
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
public SRRset[] getSectionRRsets(int section) {
|
||||
List<SRRset> slist = getSectionList(section);
|
||||
|
||||
return (SRRset[]) slist.toArray(empty_srrset_array);
|
||||
}
|
||||
|
||||
public SRRset[] getSectionRRsets(int section, int qtype) {
|
||||
List<SRRset> slist = getSectionList(section);
|
||||
|
||||
if (slist.size() == 0) return new SRRset[0];
|
||||
|
||||
ArrayList<SRRset> result = new ArrayList<SRRset>(slist.size());
|
||||
for (SRRset rrset : slist) {
|
||||
if (rrset.getType() == qtype) result.add(rrset);
|
||||
}
|
||||
|
||||
return (SRRset[]) result.toArray(empty_srrset_array);
|
||||
}
|
||||
|
||||
public void deleteRRset(SRRset rrset, int section) {
|
||||
List<SRRset> slist = getSectionList(section);
|
||||
|
||||
if (slist.size() == 0) return;
|
||||
|
||||
slist.remove(rrset);
|
||||
}
|
||||
|
||||
public void clear(int section) {
|
||||
if (section < Section.QUESTION || section > Section.ADDITIONAL)
|
||||
throw new IllegalArgumentException("Invalid section.");
|
||||
|
||||
if (section == Section.QUESTION) {
|
||||
mQuestion = null;
|
||||
return;
|
||||
}
|
||||
if (section == Section.ADDITIONAL) {
|
||||
mOPTRecord = null;
|
||||
}
|
||||
|
||||
mSection[section - 1] = null;
|
||||
}
|
||||
|
||||
public void clear() {
|
||||
for (int s = Section.QUESTION; s <= Section.ADDITIONAL; s++) {
|
||||
clear(s);
|
||||
}
|
||||
}
|
||||
|
||||
public int getRcode() {
|
||||
// FIXME: might want to do what Message does and handle extended rcodes.
|
||||
return mHeader.getRcode();
|
||||
}
|
||||
|
||||
public int getStatus() {
|
||||
return mSecurityStatus.getStatus();
|
||||
}
|
||||
|
||||
public void setStatus(byte status) {
|
||||
mSecurityStatus.setStatus(status);
|
||||
}
|
||||
|
||||
public SecurityStatus getSecurityStatus() {
|
||||
return mSecurityStatus;
|
||||
}
|
||||
|
||||
public void setSecurityStatus(SecurityStatus s) {
|
||||
if (s == null) return;
|
||||
mSecurityStatus = s;
|
||||
}
|
||||
|
||||
public Message getMessage() {
|
||||
// Generate our new message.
|
||||
Message m = new Message(mHeader.getID());
|
||||
|
||||
// Convert the header
|
||||
// We do this for two reasons: 1) setCount() is package scope, so we
|
||||
// can't do that, and 2) setting the header on a message after creating
|
||||
// the message frequently gets stuff out of sync, leading to malformed
|
||||
// wire format messages.
|
||||
Header h = m.getHeader();
|
||||
h.setOpcode(mHeader.getOpcode());
|
||||
h.setRcode(mHeader.getRcode());
|
||||
for (int i = 0; i < 16; i++) {
|
||||
if (Flags.isFlag(i)) {
|
||||
if (mHeader.getFlag(i)) {
|
||||
h.setFlag(i);
|
||||
} else {
|
||||
h.unsetFlag(i);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Add all the records. -- this will set the counts correctly in the
|
||||
// message header.
|
||||
|
||||
if (mQuestion != null) {
|
||||
m.addRecord(mQuestion, Section.QUESTION);
|
||||
}
|
||||
|
||||
for (int sec = Section.ANSWER; sec <= Section.ADDITIONAL; sec++) {
|
||||
List<SRRset> slist = getSectionList(sec);
|
||||
for (SRRset rrset : slist) {
|
||||
for (Iterator<Record> j = rrset.rrs(); j.hasNext(); ) {
|
||||
m.addRecord(j.next(), sec);
|
||||
}
|
||||
for (Iterator<RRSIGRecord> j = rrset.sigs(); j.hasNext(); ) {
|
||||
m.addRecord(j.next(), sec);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (mOPTRecord != null) {
|
||||
m.addRecord(mOPTRecord, Section.ADDITIONAL);
|
||||
}
|
||||
|
||||
return m;
|
||||
}
|
||||
|
||||
public int getCount(int section) {
|
||||
if (section == Section.QUESTION) {
|
||||
return mQuestion == null ? 0 : 1;
|
||||
}
|
||||
List<SRRset> sectionList = getSectionList(section);
|
||||
if (sectionList == null) return 0;
|
||||
if (sectionList.size() == 0) return 0;
|
||||
|
||||
int count = 0;
|
||||
for (SRRset sr : sectionList) {
|
||||
count += sr.totalSize();
|
||||
}
|
||||
|
||||
return count;
|
||||
}
|
||||
|
||||
public String toString() {
|
||||
return getMessage().toString();
|
||||
}
|
||||
|
||||
/**
|
||||
* Find a specific (S)RRset in a given section.
|
||||
*
|
||||
* @param name
|
||||
* the name of the RRset.
|
||||
* @param type
|
||||
* the type of the RRset.
|
||||
* @param dclass
|
||||
* the class of the RRset.
|
||||
* @param section
|
||||
* the section to look in (ANSWER -> ADDITIONAL)
|
||||
*
|
||||
* @return The SRRset if found, null otherwise.
|
||||
*/
|
||||
public SRRset findRRset(Name name, int type, int dclass, int section) {
|
||||
if (section <= Section.QUESTION || section > Section.ADDITIONAL)
|
||||
throw new IllegalArgumentException("Invalid section.");
|
||||
|
||||
SRRset[] rrsets = getSectionRRsets(section);
|
||||
|
||||
for (int i = 0; i < rrsets.length; i++) {
|
||||
if (rrsets[i].getName().equals(name) && rrsets[i].getType() == type
|
||||
&& rrsets[i].getDClass() == dclass) {
|
||||
return rrsets[i];
|
||||
}
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Find an "answer" RRset. This will look for RRsets in the ANSWER section
|
||||
* that match the <qname,qtype,qclass>, taking into consideration CNAMEs.
|
||||
*
|
||||
* @param qname
|
||||
* The starting search name.
|
||||
* @param qtype
|
||||
* The search type.
|
||||
* @param qclass
|
||||
* The search class.
|
||||
*
|
||||
* @return a SRRset matching the query. This SRRset may have a different
|
||||
* name from qname, due to following a CNAME chain.
|
||||
*/
|
||||
public SRRset findAnswerRRset(Name qname, int qtype, int qclass) {
|
||||
SRRset[] srrsets = getSectionRRsets(Section.ANSWER);
|
||||
|
||||
for (int i = 0; i < srrsets.length; i++) {
|
||||
if (srrsets[i].getName().equals(qname)
|
||||
&& srrsets[i].getType() == Type.CNAME) {
|
||||
CNAMERecord cname = (CNAMERecord) srrsets[i].first();
|
||||
qname = cname.getTarget();
|
||||
continue;
|
||||
}
|
||||
|
||||
if (srrsets[i].getName().equals(qname)
|
||||
&& srrsets[i].getType() == qtype
|
||||
&& srrsets[i].getDClass() == qclass) {
|
||||
return srrsets[i];
|
||||
}
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
}
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2005 VeriSign. All rights reserved.
|
||||
* Copyright (c) 2009 VeriSign. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are met:
|
||||
@ -34,152 +34,103 @@ import org.xbill.DNS.*;
|
||||
/**
|
||||
* A version of the RRset class overrides the standard security status.
|
||||
*/
|
||||
public class SRRset extends RRset
|
||||
{
|
||||
private SecurityStatus mSecurityStatus;
|
||||
public class SRRset extends RRset {
|
||||
private SecurityStatus mSecurityStatus;
|
||||
|
||||
/** Create a new, blank SRRset. */
|
||||
public SRRset()
|
||||
{
|
||||
super();
|
||||
mSecurityStatus = new SecurityStatus();
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a new SRRset from an existing RRset. This SRRset will contain that
|
||||
* same internal Record objects as the original RRset.
|
||||
*/
|
||||
@SuppressWarnings("unchecked") // org.xbill.DNS.RRset isn't typesafe-aware.
|
||||
public SRRset(RRset r)
|
||||
{
|
||||
this();
|
||||
|
||||
for (Iterator i = r.rrs(); i.hasNext();)
|
||||
{
|
||||
addRR((Record) i.next());
|
||||
/** Create a new, blank SRRset. */
|
||||
public SRRset() {
|
||||
super();
|
||||
mSecurityStatus = new SecurityStatus();
|
||||
}
|
||||
|
||||
for (Iterator i = r.sigs(); i.hasNext();)
|
||||
{
|
||||
addRR((Record) i.next());
|
||||
|
||||
/**
|
||||
* Create a new SRRset from an existing RRset. This SRRset will contain that
|
||||
* same internal Record objects as the original RRset.
|
||||
*/
|
||||
@SuppressWarnings("unchecked")
|
||||
// org.xbill.DNS.RRset isn't typesafe-aware.
|
||||
public SRRset(RRset r) {
|
||||
this();
|
||||
|
||||
for (Iterator i = r.rrs(); i.hasNext();) {
|
||||
addRR((Record) i.next());
|
||||
}
|
||||
|
||||
for (Iterator i = r.sigs(); i.hasNext();) {
|
||||
addRR((Record) i.next());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Clone this SRRset, giving the copy a new TTL. The copy is independent
|
||||
* from the original except for the security status.
|
||||
*
|
||||
* @param withNewTTL The new TTL to apply to the RRset. This applies to
|
||||
* contained RRsig records as well.
|
||||
* @return The cloned SRRset.
|
||||
*/
|
||||
// public SRRset cloneSRRset(long withNewTTL)
|
||||
// {
|
||||
// SRRset nr = new SRRset();
|
||||
//
|
||||
// for (Iterator i = rrs(); i.hasNext();)
|
||||
// {
|
||||
// nr.addRR(((Record) i.next()).withTTL(withNewTTL));
|
||||
// }
|
||||
// for (Iterator i = sigs(); i.hasNext();)
|
||||
// {
|
||||
// nr.addRR(((Record) i.next()).withTTL(withNewTTL));
|
||||
// }
|
||||
//
|
||||
// nr.mSecurityStatus = mSecurityStatus;
|
||||
//
|
||||
// return nr;
|
||||
// }
|
||||
|
||||
public SRRset cloneSRRsetNoSigs()
|
||||
{
|
||||
SRRset nr = new SRRset();
|
||||
for (Iterator i = rrs(); i.hasNext();)
|
||||
{
|
||||
// NOTE: should this clone the records as well?
|
||||
nr.addRR((Record) i.next());
|
||||
/**
|
||||
* Return the current security status (generally: UNCHECKED, BOGUS, or
|
||||
* SECURE).
|
||||
*/
|
||||
public int getSecurity() {
|
||||
return getSecurityStatus();
|
||||
}
|
||||
// Do not copy the SecurityStatus reference
|
||||
|
||||
return nr;
|
||||
}
|
||||
/**
|
||||
* Return the current security status (generally: UNCHECKED, BOGUS, or
|
||||
* SECURE).
|
||||
*/
|
||||
public byte getSecurityStatus() {
|
||||
return mSecurityStatus.getStatus();
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the current security status for this SRRset. This status will be
|
||||
* shared amongst all copies of this SRRset (created with cloneSRRset())
|
||||
*/
|
||||
public void setSecurityStatus(byte status) {
|
||||
mSecurityStatus.setStatus(status);
|
||||
}
|
||||
|
||||
/**
|
||||
* Return the current security status (generally: UNCHECKED, BOGUS, or
|
||||
* SECURE).
|
||||
*/
|
||||
public int getSecurity()
|
||||
{
|
||||
return getSecurityStatus();
|
||||
}
|
||||
public Iterator<Record> rrs() {
|
||||
return (Iterator<Record>) rrs();
|
||||
}
|
||||
|
||||
/**
|
||||
* Return the current security status (generally: UNCHECKED, BOGUS, or
|
||||
* SECURE).
|
||||
*/
|
||||
public int getSecurityStatus()
|
||||
{
|
||||
return mSecurityStatus.getStatus();
|
||||
}
|
||||
public Iterator<RRSIGRecord> sigs() {
|
||||
return (Iterator<RRSIGRecord>) sigs();
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the current security status for this SRRset. This status will be
|
||||
* shared amongst all copies of this SRRset (created with cloneSRRset())
|
||||
*/
|
||||
public void setSecurityStatus(byte status)
|
||||
{
|
||||
mSecurityStatus.setStatus(status);
|
||||
}
|
||||
public int totalSize() {
|
||||
int num_sigs = 0;
|
||||
for (Iterator<RRSIGRecord> i = sigs(); i.hasNext();) {
|
||||
num_sigs++;
|
||||
}
|
||||
return size() + num_sigs;
|
||||
}
|
||||
|
||||
public int totalSize() {
|
||||
int num_sigs = 0;
|
||||
for (Iterator i = sigs(); i.hasNext(); ) {
|
||||
num_sigs++;
|
||||
}
|
||||
return size() + num_sigs;
|
||||
}
|
||||
/**
|
||||
* @return The total number of records (data + sigs) in the SRRset.
|
||||
*/
|
||||
public int getNumRecords() {
|
||||
return totalSize();
|
||||
}
|
||||
|
||||
/**
|
||||
* @return The total number of records (data + sigs) in the SRRset.
|
||||
*/
|
||||
public int getNumRecords()
|
||||
{
|
||||
return totalSize();
|
||||
}
|
||||
public RRSIGRecord firstSig() {
|
||||
for (Iterator<RRSIGRecord> i = sigs(); i.hasNext();) {
|
||||
return i.next();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
public RRSIGRecord firstSig() {
|
||||
for (Iterator i = sigs(); i.hasNext(); ) {
|
||||
return (RRSIGRecord) i.next();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
/**
|
||||
* @return true if this RRset has RRSIG records that cover data records.
|
||||
* (i.e., RRSIG SRRsets return false)
|
||||
*/
|
||||
public boolean isSigned()
|
||||
{
|
||||
if (getType() == Type.RRSIG) return false;
|
||||
return firstSig() != null;
|
||||
}
|
||||
/**
|
||||
* @return true if this RRset has RRSIG records that cover data records.
|
||||
* (i.e., RRSIG SRRsets return false)
|
||||
*/
|
||||
public boolean isSigned() {
|
||||
if (getType() == Type.RRSIG) return false;
|
||||
return firstSig() != null;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return The "signer" name for this SRRset, if signed, or null if not.
|
||||
*/
|
||||
public Name getSignerName()
|
||||
{
|
||||
RRSIGRecord sig = (RRSIGRecord) firstSig();
|
||||
if (sig == null) return null;
|
||||
return sig.getSigner();
|
||||
}
|
||||
|
||||
// public void setTTL(long ttl)
|
||||
// {
|
||||
// if (ttl < 0)
|
||||
// {
|
||||
// throw new IllegalArgumentException("ttl can't be less than zero, stupid! was " + ttl);
|
||||
// }
|
||||
// super.setTTL(ttl);
|
||||
// }
|
||||
/**
|
||||
* @return The "signer" name for this SRRset, if signed, or null if not.
|
||||
*/
|
||||
public Name getSignerName() {
|
||||
RRSIGRecord sig = (RRSIGRecord) firstSig();
|
||||
if (sig == null) return null;
|
||||
return sig.getSigner();
|
||||
}
|
||||
}
|
||||
|
@ -47,428 +47,430 @@ import org.xbill.DNS.Name;
|
||||
import org.xbill.DNS.RRSIGRecord;
|
||||
import org.xbill.DNS.RRset;
|
||||
import org.xbill.DNS.Record;
|
||||
import org.xbill.DNS.utils.base64;
|
||||
|
||||
/**
|
||||
* This class contains a bunch of utility methods that are generally useful in
|
||||
* signing and verifying rrsets.
|
||||
*
|
||||
* @author David Blacka (original)
|
||||
* @author $Author$
|
||||
* @version $Revision$
|
||||
*/
|
||||
|
||||
public class SignUtils
|
||||
{
|
||||
public class SignUtils {
|
||||
|
||||
/**
|
||||
* This class implements a basic comparitor for byte arrays. It is primarily
|
||||
* useful for comparing RDATA portions of DNS records in doing DNSSEC
|
||||
* canonical ordering.
|
||||
*
|
||||
* @author David Blacka (original)
|
||||
*/
|
||||
public static class ByteArrayComparator implements Comparator
|
||||
{
|
||||
private int mOffset = 0;
|
||||
private boolean mDebug = false;
|
||||
/**
|
||||
* This class implements a basic comparator for byte arrays. It is primarily
|
||||
* useful for comparing RDATA portions of DNS records in doing DNSSEC
|
||||
* canonical ordering.
|
||||
*/
|
||||
public static class ByteArrayComparator implements Comparator<byte[]> {
|
||||
private int mOffset = 0;
|
||||
private boolean mDebug = false;
|
||||
|
||||
public ByteArrayComparator()
|
||||
{
|
||||
}
|
||||
|
||||
public ByteArrayComparator(int offset, boolean debug)
|
||||
{
|
||||
mOffset = offset;
|
||||
mDebug = debug;
|
||||
}
|
||||
|
||||
public int compare(Object o1, Object o2) throws ClassCastException
|
||||
{
|
||||
byte[] b1 = (byte[]) o1;
|
||||
byte[] b2 = (byte[]) o2;
|
||||
|
||||
for (int i = mOffset; i < b1.length && i < b2.length; i++)
|
||||
{
|
||||
if (b1[i] != b2[i])
|
||||
{
|
||||
if (mDebug)
|
||||
{
|
||||
System.out.println("offset " + i + " differs (this is "
|
||||
+ (i - mOffset) + " bytes in from our offset.)");
|
||||
}
|
||||
return (b1[i] & 0xFF) - (b2[i] & 0xFF);
|
||||
public ByteArrayComparator() {
|
||||
}
|
||||
}
|
||||
|
||||
return b1.length - b2.length;
|
||||
}
|
||||
}
|
||||
public ByteArrayComparator(int offset, boolean debug) {
|
||||
mOffset = offset;
|
||||
mDebug = debug;
|
||||
}
|
||||
|
||||
// private static final int DSA_SIGNATURE_LENGTH = 20;
|
||||
private static final int ASN1_INT = 0x02;
|
||||
private static final int ASN1_SEQ = 0x30;
|
||||
public int compare(byte[] b1, byte[] b2) throws ClassCastException {
|
||||
for (int i = mOffset; i < b1.length && i < b2.length; i++) {
|
||||
if (b1[i] != b2[i]) {
|
||||
if (mDebug) {
|
||||
System.out.println("offset " + i + " differs (this is "
|
||||
+ (i - mOffset)
|
||||
+ " bytes in from our offset.)");
|
||||
}
|
||||
return (b1[i] & 0xFF) - (b2[i] & 0xFF);
|
||||
}
|
||||
}
|
||||
|
||||
public static final int RR_NORMAL = 0;
|
||||
public static final int RR_DELEGATION = 1;
|
||||
public static final int RR_GLUE = 2;
|
||||
public static final int RR_INVALID = 3;
|
||||
|
||||
/**
|
||||
* Generate from some basic information a prototype SIG RR containing
|
||||
* everything but the actual signature itself.
|
||||
*
|
||||
* @param rrset the RRset being signed.
|
||||
* @param signer the name of the signing key
|
||||
* @param alg the algorithm of the signing key
|
||||
* @param keyid the keyid (or footprint) of the signing key
|
||||
* @param start the SIG inception time.
|
||||
* @param expire the SIG expiration time.
|
||||
* @param sig_ttl the TTL of the resulting SIG record.
|
||||
* @return a prototype signature based on the RRset and key information.
|
||||
*/
|
||||
public static RRSIGRecord generatePreRRSIG(RRset rrset, Name signer,
|
||||
int alg, int keyid, Date start, Date expire, long sig_ttl)
|
||||
{
|
||||
return new RRSIGRecord(rrset.getName(), rrset.getDClass(), sig_ttl, rrset
|
||||
.getType(), alg, rrset.getTTL(), expire, start, keyid, signer, null);
|
||||
}
|
||||
|
||||
/**
|
||||
* Generate from some basic information a prototype SIG RR containing
|
||||
* everything but the actual signature itself.
|
||||
*
|
||||
* @param rrset the RRset being signed.
|
||||
* @param key the public KEY RR counterpart to the key being used to sign
|
||||
* the RRset
|
||||
* @param start the SIG inception time.
|
||||
* @param expire the SIG expiration time.
|
||||
* @param sig_ttl the TTL of the resulting SIG record.
|
||||
* @return a prototype signature based on the RRset and key information.
|
||||
*/
|
||||
public static RRSIGRecord generatePreRRSIG(RRset rrset, DNSKEYRecord key,
|
||||
Date start, Date expire, long sig_ttl)
|
||||
{
|
||||
return generatePreRRSIG(rrset, key.getName(), key.getAlgorithm(), key
|
||||
.getFootprint(), start, expire, sig_ttl);
|
||||
}
|
||||
|
||||
/**
|
||||
* Generate from some basic information a prototype SIG RR containing
|
||||
* everything but the actual signature itself.
|
||||
*
|
||||
* @param rec the DNS record being signed (forming an entire RRset).
|
||||
* @param key the public KEY RR counterpart to the key signing the record.
|
||||
* @param start the SIG inception time.
|
||||
* @param expire the SIG expiration time.
|
||||
* @param sig_ttl the TTL of the result SIG record.
|
||||
* @return a prototype signature based on the Record and key information.
|
||||
*/
|
||||
public static RRSIGRecord generatePreRRSIG(Record rec, DNSKEYRecord key,
|
||||
Date start, Date expire, long sig_ttl)
|
||||
{
|
||||
return new RRSIGRecord(rec.getName(), rec.getDClass(), sig_ttl, rec
|
||||
.getType(), key.getAlgorithm(), rec.getTTL(), expire, start, key
|
||||
.getFootprint(), key.getName(), null);
|
||||
}
|
||||
|
||||
/**
|
||||
* Generate the binary image of the prototype SIG RR.
|
||||
*
|
||||
* @param presig the SIG RR prototype.
|
||||
* @return the RDATA portion of the prototype SIG record. This forms the
|
||||
* first part of the data to be signed.
|
||||
*/
|
||||
private static byte[] generatePreSigRdata(RRSIGRecord presig)
|
||||
{
|
||||
// Generate the binary image;
|
||||
DNSOutput image = new DNSOutput();
|
||||
|
||||
// precalc some things
|
||||
int start_time = (int) (presig.getTimeSigned().getTime() / 1000);
|
||||
int expire_time = (int) (presig.getExpire().getTime() / 1000);
|
||||
Name signer = presig.getSigner();
|
||||
|
||||
// first write out the partial SIG record (this is the SIG RDATA
|
||||
// minus the actual signature.
|
||||
image.writeU16(presig.getTypeCovered());
|
||||
image.writeU8(presig.getAlgorithm());
|
||||
image.writeU8(presig.getLabels());
|
||||
image.writeU32((int) presig.getOrigTTL());
|
||||
image.writeU32(expire_time);
|
||||
image.writeU32(start_time);
|
||||
image.writeU16(presig.getFootprint());
|
||||
image.writeByteArray(signer.toWireCanonical());
|
||||
|
||||
return image.toByteArray();
|
||||
}
|
||||
|
||||
/**
|
||||
* Calculate the canonical wire line format of the RRset.
|
||||
*
|
||||
* @param rrset the RRset to convert.
|
||||
* @param ttl the TTL to use when canonicalizing -- this is generally the
|
||||
* TTL of the signature if there is a pre-existing signature. If
|
||||
* not it is just the ttl of the rrset itself.
|
||||
* @param labels the labels field of the signature, or 0.
|
||||
* @return the canonical wire line format of the rrset. This is the second
|
||||
* part of data to be signed.
|
||||
*/
|
||||
public static byte[] generateCanonicalRRsetData(RRset rrset, long ttl,
|
||||
int labels)
|
||||
{
|
||||
DNSOutput image = new DNSOutput();
|
||||
|
||||
if (ttl == 0) ttl = rrset.getTTL();
|
||||
Name n = rrset.getName();
|
||||
if (labels == 0)
|
||||
{
|
||||
labels = n.labels();
|
||||
}
|
||||
else
|
||||
{
|
||||
// correct for Name()'s conception of label count.
|
||||
labels++;
|
||||
}
|
||||
boolean wildcardName = false;
|
||||
if (n.labels() != labels)
|
||||
{
|
||||
n = n.wild(n.labels() - labels);
|
||||
wildcardName = true;
|
||||
// log.trace("Detected wildcard expansion: " + rrset.getName() + " changed to " + n);
|
||||
return b1.length - b2.length;
|
||||
}
|
||||
}
|
||||
|
||||
// now convert load the wire format records in the RRset into a
|
||||
// list of byte arrays.
|
||||
ArrayList canonical_rrs = new ArrayList();
|
||||
for (Iterator i = rrset.rrs(); i.hasNext();)
|
||||
{
|
||||
Record r = (Record) i.next();
|
||||
if (r.getTTL() != ttl || wildcardName)
|
||||
{
|
||||
// If necessary, we need to create a new record with a new ttl or ownername.
|
||||
// In the TTL case, this avoids changing the ttl in the response.
|
||||
r = Record.newRecord(n, r.getType(), r.getDClass(), ttl, r
|
||||
.rdataToWireCanonical());
|
||||
}
|
||||
byte[] wire_fmt = r.toWireCanonical();
|
||||
canonical_rrs.add(wire_fmt);
|
||||
// private static final int DSA_SIGNATURE_LENGTH = 20;
|
||||
private static final int ASN1_INT = 0x02;
|
||||
private static final int ASN1_SEQ = 0x30;
|
||||
|
||||
public static final int RR_NORMAL = 0;
|
||||
public static final int RR_DELEGATION = 1;
|
||||
public static final int RR_GLUE = 2;
|
||||
public static final int RR_INVALID = 3;
|
||||
|
||||
/**
|
||||
* Generate from some basic information a prototype SIG RR containing
|
||||
* everything but the actual signature itself.
|
||||
*
|
||||
* @param rrset
|
||||
* the RRset being signed.
|
||||
* @param signer
|
||||
* the name of the signing key
|
||||
* @param alg
|
||||
* the algorithm of the signing key
|
||||
* @param keyid
|
||||
* the keyid (or footprint) of the signing key
|
||||
* @param start
|
||||
* the SIG inception time.
|
||||
* @param expire
|
||||
* the SIG expiration time.
|
||||
* @param sig_ttl
|
||||
* the TTL of the resulting SIG record.
|
||||
* @return a prototype signature based on the RRset and key information.
|
||||
*/
|
||||
public static RRSIGRecord generatePreRRSIG(RRset rrset, Name signer,
|
||||
int alg, int keyid, Date start,
|
||||
Date expire, long sig_ttl) {
|
||||
return new RRSIGRecord(rrset.getName(), rrset.getDClass(), sig_ttl,
|
||||
rrset.getType(), alg, rrset.getTTL(), expire, start, keyid,
|
||||
signer, null);
|
||||
}
|
||||
|
||||
// put the records into the correct ordering.
|
||||
// Caculate the offset where the RDATA begins (we have to skip
|
||||
// past the length byte)
|
||||
|
||||
int offset = rrset.getName().toWireCanonical().length + 10;
|
||||
ByteArrayComparator bac = new ByteArrayComparator(offset, false);
|
||||
|
||||
Collections.sort(canonical_rrs, bac);
|
||||
|
||||
for (Iterator i = canonical_rrs.iterator(); i.hasNext();)
|
||||
{
|
||||
byte[] wire_fmt_rec = (byte[]) i.next();
|
||||
image.writeByteArray(wire_fmt_rec);
|
||||
/**
|
||||
* Generate from some basic information a prototype SIG RR containing
|
||||
* everything but the actual signature itself.
|
||||
*
|
||||
* @param rrset
|
||||
* the RRset being signed.
|
||||
* @param key
|
||||
* the public KEY RR counterpart to the key being used to sign
|
||||
* the RRset
|
||||
* @param start
|
||||
* the SIG inception time.
|
||||
* @param expire
|
||||
* the SIG expiration time.
|
||||
* @param sig_ttl
|
||||
* the TTL of the resulting SIG record.
|
||||
* @return a prototype signature based on the RRset and key information.
|
||||
*/
|
||||
public static RRSIGRecord generatePreRRSIG(RRset rrset, DNSKEYRecord key,
|
||||
Date start, Date expire,
|
||||
long sig_ttl) {
|
||||
return generatePreRRSIG(rrset, key.getName(), key.getAlgorithm(),
|
||||
key.getFootprint(), start, expire, sig_ttl);
|
||||
}
|
||||
|
||||
return image.toByteArray();
|
||||
}
|
||||
|
||||
/**
|
||||
* Given an RRset and the prototype signature, generate the canonical data
|
||||
* that is to be signed.
|
||||
*
|
||||
* @param rrset the RRset to be signed.
|
||||
* @param presig a prototype SIG RR created using the same RRset.
|
||||
* @return a block of data ready to be signed.
|
||||
*/
|
||||
public static byte[] generateSigData(RRset rrset, RRSIGRecord presig)
|
||||
throws IOException
|
||||
{
|
||||
byte[] rrset_data = generateCanonicalRRsetData(rrset, presig.getOrigTTL(), presig.getLabels());
|
||||
|
||||
return generateSigData(rrset_data, presig);
|
||||
}
|
||||
|
||||
/**
|
||||
* Given an RRset and the prototype signature, generate the canonical data
|
||||
* that is to be signed.
|
||||
*
|
||||
* @param rrset_data the RRset converted into canonical wire line format (as
|
||||
* per the canonicalization rules in RFC 2535).
|
||||
* @param presig the prototype signature based on the same RRset represented
|
||||
* in <code>rrset_data</code>.
|
||||
* @return a block of data ready to be signed.
|
||||
*/
|
||||
public static byte[] generateSigData(byte[] rrset_data, RRSIGRecord presig)
|
||||
throws IOException
|
||||
{
|
||||
byte[] sig_rdata = generatePreSigRdata(presig);
|
||||
|
||||
ByteArrayOutputStream image = new ByteArrayOutputStream(sig_rdata.length
|
||||
+ rrset_data.length);
|
||||
|
||||
image.write(sig_rdata);
|
||||
image.write(rrset_data);
|
||||
|
||||
return image.toByteArray();
|
||||
}
|
||||
|
||||
/**
|
||||
* Given the acutal signature an the prototype signature, combine them and
|
||||
* return the fully formed SIGRecord.
|
||||
*
|
||||
* @param signature the cryptographic signature, in DNSSEC format.
|
||||
* @param presig the prototype SIG RR to add the signature to.
|
||||
* @return the fully formed SIG RR.
|
||||
*/
|
||||
public static RRSIGRecord generateRRSIG(byte[] signature, RRSIGRecord presig)
|
||||
{
|
||||
return new RRSIGRecord(presig.getName(), presig.getDClass(), presig
|
||||
.getTTL(), presig.getTypeCovered(), presig.getAlgorithm(), presig
|
||||
.getOrigTTL(), presig.getExpire(), presig.getTimeSigned(), presig
|
||||
.getFootprint(), presig.getSigner(), signature);
|
||||
}
|
||||
|
||||
/**
|
||||
* Converts from a RFC 2536 formatted DSA signature to a JCE (ASN.1)
|
||||
* formatted signature.
|
||||
*
|
||||
* <p>
|
||||
* ASN.1 format = ASN1_SEQ . seq_length . ASN1_INT . Rlength . R . ANS1_INT .
|
||||
* Slength . S
|
||||
* </p>
|
||||
*
|
||||
* The integers R and S may have a leading null byte to force the integer
|
||||
* positive.
|
||||
*
|
||||
* @param signature the RFC 2536 formatted DSA signature.
|
||||
* @return The ASN.1 formatted DSA signature.
|
||||
* @throws SignatureException if there was something wrong with the RFC 2536
|
||||
* formatted signature.
|
||||
*/
|
||||
public static byte[] convertDSASignature(byte[] signature)
|
||||
throws SignatureException
|
||||
{
|
||||
if (signature.length != 41)
|
||||
throw new SignatureException("RFC 2536 signature not expected length.");
|
||||
|
||||
byte r_pad = 0;
|
||||
byte s_pad = 0;
|
||||
|
||||
// handle initial null byte padding.
|
||||
if (signature[1] < 0) r_pad++;
|
||||
if (signature[21] < 0) s_pad++;
|
||||
|
||||
// ASN.1 length = R length + S length + (2 + 2 + 2), where each 2
|
||||
// is for a ASN.1 type-length byte pair of which there are three
|
||||
// (SEQ, INT, INT).
|
||||
byte sig_length = (byte) (40 + r_pad + s_pad + 6);
|
||||
|
||||
byte sig[] = new byte[sig_length];
|
||||
byte pos = 0;
|
||||
|
||||
sig[pos++] = ASN1_SEQ;
|
||||
sig[pos++] = (byte) (sig_length - 2); // all but the SEQ type+length.
|
||||
sig[pos++] = ASN1_INT;
|
||||
sig[pos++] = (byte) (20 + r_pad);
|
||||
|
||||
// copy the value of R, leaving a null byte if necessary
|
||||
if (r_pad == 1) sig[pos++] = 0;
|
||||
|
||||
System.arraycopy(signature, 1, sig, pos, 20);
|
||||
pos += 20;
|
||||
|
||||
sig[pos++] = ASN1_INT;
|
||||
sig[pos++] = (byte) (20 + s_pad);
|
||||
|
||||
// copy the value of S, leaving a null byte if necessary
|
||||
if (s_pad == 1) sig[pos++] = 0;
|
||||
|
||||
System.arraycopy(signature, 21, sig, pos, 20);
|
||||
|
||||
return sig;
|
||||
}
|
||||
|
||||
/**
|
||||
* Converts from a JCE (ASN.1) formatted DSA signature to a RFC 2536
|
||||
* compliant signature.
|
||||
*
|
||||
* <p>
|
||||
* rfc2536 format = T . R . S
|
||||
* </p>
|
||||
*
|
||||
* where T is a number between 0 and 8, which is based on the DSA key
|
||||
* length, and R & S are formatted to be exactly 20 bytes each (no leading
|
||||
* null bytes).
|
||||
*
|
||||
* @param params the DSA parameters associated with the DSA key used to
|
||||
* generate the signature.
|
||||
* @param signature the ASN.1 formatted DSA signature.
|
||||
* @return a RFC 2536 formatted DSA signature.
|
||||
* @throws SignatureException if something is wrong with the ASN.1 format.
|
||||
*/
|
||||
public static byte[] convertDSASignature(DSAParams params, byte[] signature)
|
||||
throws SignatureException
|
||||
{
|
||||
if (signature[0] != ASN1_SEQ || signature[2] != ASN1_INT)
|
||||
{
|
||||
throw new SignatureException(
|
||||
"Invalid ASN.1 signature format: expected SEQ, INT");
|
||||
/**
|
||||
* Generate from some basic information a prototype SIG RR containing
|
||||
* everything but the actual signature itself.
|
||||
*
|
||||
* @param rec
|
||||
* the DNS record being signed (forming an entire RRset).
|
||||
* @param key
|
||||
* the public KEY RR counterpart to the key signing the record.
|
||||
* @param start
|
||||
* the SIG inception time.
|
||||
* @param expire
|
||||
* the SIG expiration time.
|
||||
* @param sig_ttl
|
||||
* the TTL of the result SIG record.
|
||||
* @return a prototype signature based on the Record and key information.
|
||||
*/
|
||||
public static RRSIGRecord generatePreRRSIG(Record rec, DNSKEYRecord key,
|
||||
Date start, Date expire,
|
||||
long sig_ttl) {
|
||||
return new RRSIGRecord(rec.getName(), rec.getDClass(), sig_ttl,
|
||||
rec.getType(), key.getAlgorithm(), rec.getTTL(), expire, start,
|
||||
key.getFootprint(), key.getName(), null);
|
||||
}
|
||||
|
||||
byte r_pad = (byte) (signature[3] - 20);
|
||||
/**
|
||||
* Generate the binary image of the prototype SIG RR.
|
||||
*
|
||||
* @param presig
|
||||
* the SIG RR prototype.
|
||||
* @return the RDATA portion of the prototype SIG record. This forms the
|
||||
* first part of the data to be signed.
|
||||
*/
|
||||
private static byte[] generatePreSigRdata(RRSIGRecord presig) {
|
||||
// Generate the binary image;
|
||||
DNSOutput image = new DNSOutput();
|
||||
|
||||
if (signature[24 + r_pad] != ASN1_INT)
|
||||
{
|
||||
throw new SignatureException(
|
||||
"Invalid ASN.1 signature format: expected SEQ, INT, INT");
|
||||
// precalculate some things
|
||||
int start_time = (int) (presig.getTimeSigned().getTime() / 1000);
|
||||
int expire_time = (int) (presig.getExpire().getTime() / 1000);
|
||||
Name signer = presig.getSigner();
|
||||
|
||||
// first write out the partial SIG record (this is the SIG RDATA
|
||||
// minus the actual signature.
|
||||
image.writeU16(presig.getTypeCovered());
|
||||
image.writeU8(presig.getAlgorithm());
|
||||
image.writeU8(presig.getLabels());
|
||||
image.writeU32((int) presig.getOrigTTL());
|
||||
image.writeU32(expire_time);
|
||||
image.writeU32(start_time);
|
||||
image.writeU16(presig.getFootprint());
|
||||
image.writeByteArray(signer.toWireCanonical());
|
||||
|
||||
return image.toByteArray();
|
||||
}
|
||||
|
||||
// log.trace("(start) ASN.1 DSA Sig:\n" + base64.toString(signature));
|
||||
/**
|
||||
* Calculate the canonical wire line format of the RRset.
|
||||
*
|
||||
* @param rrset
|
||||
* the RRset to convert.
|
||||
* @param ttl
|
||||
* the TTL to use when canonicalizing -- this is generally the
|
||||
* TTL of the signature if there is a pre-existing signature. If
|
||||
* not it is just the ttl of the rrset itself.
|
||||
* @param labels
|
||||
* the labels field of the signature, or 0.
|
||||
* @return the canonical wire line format of the rrset. This is the second
|
||||
* part of data to be signed.
|
||||
*/
|
||||
@SuppressWarnings("unchecked")
|
||||
public static byte[] generateCanonicalRRsetData(RRset rrset, long ttl,
|
||||
int labels) {
|
||||
DNSOutput image = new DNSOutput();
|
||||
|
||||
byte s_pad = (byte) (signature[25 + r_pad] - 20);
|
||||
if (ttl == 0) ttl = rrset.getTTL();
|
||||
Name n = rrset.getName();
|
||||
if (labels == 0) {
|
||||
labels = n.labels();
|
||||
} else {
|
||||
// correct for Name()'s conception of label count.
|
||||
labels++;
|
||||
}
|
||||
boolean wildcardName = false;
|
||||
if (n.labels() != labels) {
|
||||
n = n.wild(n.labels() - labels);
|
||||
wildcardName = true;
|
||||
// log.trace("Detected wildcard expansion: " + rrset.getName() +
|
||||
// " changed to " + n);
|
||||
}
|
||||
|
||||
byte[] sig = new byte[41]; // all rfc2536 signatures are 41 bytes.
|
||||
// now convert the wire format records in the RRset into a
|
||||
// list of byte arrays.
|
||||
ArrayList<byte[]> canonical_rrs = new ArrayList<byte[]>();
|
||||
for (Iterator i = rrset.rrs(); i.hasNext();) {
|
||||
Record r = (Record) i.next();
|
||||
if (r.getTTL() != ttl || wildcardName) {
|
||||
// If necessary, we need to create a new record with a new ttl
|
||||
// or ownername.
|
||||
// In the TTL case, this avoids changing the ttl in the
|
||||
// response.
|
||||
r = Record.newRecord(n, r.getType(), r.getDClass(), ttl,
|
||||
r.rdataToWireCanonical());
|
||||
}
|
||||
byte[] wire_fmt = r.toWireCanonical();
|
||||
canonical_rrs.add(wire_fmt);
|
||||
}
|
||||
|
||||
// Calculate T:
|
||||
sig[0] = (byte) ((params.getP().bitLength() - 512) / 64);
|
||||
// put the records into the correct ordering.
|
||||
// Calculate the offset where the RDATA begins (we have to skip
|
||||
// past the length byte)
|
||||
|
||||
// copy R value
|
||||
if (r_pad >= 0)
|
||||
{
|
||||
System.arraycopy(signature, 4 + r_pad, sig, 1, 20);
|
||||
}
|
||||
else
|
||||
{
|
||||
// R is shorter than 20 bytes, so right justify the number
|
||||
// (r_pad is negative here, remember?).
|
||||
Arrays.fill(sig, 1, 1 - r_pad, (byte) 0);
|
||||
System.arraycopy(signature, 4, sig, 1 - r_pad, 20 + r_pad);
|
||||
int offset = rrset.getName().toWireCanonical().length + 10;
|
||||
ByteArrayComparator bac = new ByteArrayComparator(offset, false);
|
||||
|
||||
Collections.sort(canonical_rrs, bac);
|
||||
|
||||
for (Iterator<byte[]> i = canonical_rrs.iterator(); i.hasNext();) {
|
||||
byte[] wire_fmt_rec = i.next();
|
||||
image.writeByteArray(wire_fmt_rec);
|
||||
}
|
||||
|
||||
return image.toByteArray();
|
||||
}
|
||||
|
||||
// copy S value
|
||||
if (s_pad >= 0)
|
||||
{
|
||||
System.arraycopy(signature, 26 + r_pad + s_pad, sig, 21, 20);
|
||||
}
|
||||
else
|
||||
{
|
||||
// S is shorter than 20 bytes, so right justify the number
|
||||
// (s_pad is negative here).
|
||||
Arrays.fill(sig, 21, 21 - s_pad, (byte) 0);
|
||||
System.arraycopy(signature, 26 + r_pad, sig, 21 - s_pad, 20 + s_pad);
|
||||
/**
|
||||
* Given an RRset and the prototype signature, generate the canonical data
|
||||
* that is to be signed.
|
||||
*
|
||||
* @param rrset
|
||||
* the RRset to be signed.
|
||||
* @param presig
|
||||
* a prototype SIG RR created using the same RRset.
|
||||
* @return a block of data ready to be signed.
|
||||
*/
|
||||
public static byte[] generateSigData(RRset rrset, RRSIGRecord presig)
|
||||
throws IOException {
|
||||
byte[] rrset_data = generateCanonicalRRsetData(rrset,
|
||||
presig.getOrigTTL(),
|
||||
presig.getLabels());
|
||||
|
||||
return generateSigData(rrset_data, presig);
|
||||
}
|
||||
|
||||
// if (r_pad < 0 || s_pad < 0)
|
||||
// {
|
||||
// log.trace("(finish ***) RFC 2536 DSA Sig:\n" + base64.toString(sig));
|
||||
//
|
||||
// }
|
||||
// else
|
||||
// {
|
||||
// log.trace("(finish) RFC 2536 DSA Sig:\n" + base64.toString(sig));
|
||||
// }
|
||||
/**
|
||||
* Given an RRset and the prototype signature, generate the canonical data
|
||||
* that is to be signed.
|
||||
*
|
||||
* @param rrset_data
|
||||
* the RRset converted into canonical wire line format (as per
|
||||
* the canonicalization rules in RFC 2535).
|
||||
* @param presig
|
||||
* the prototype signature based on the same RRset represented in
|
||||
* <code>rrset_data</code>.
|
||||
* @return a block of data ready to be signed.
|
||||
*/
|
||||
public static byte[] generateSigData(byte[] rrset_data, RRSIGRecord presig)
|
||||
throws IOException {
|
||||
byte[] sig_rdata = generatePreSigRdata(presig);
|
||||
|
||||
return sig;
|
||||
}
|
||||
ByteArrayOutputStream image = new ByteArrayOutputStream(
|
||||
sig_rdata.length + rrset_data.length);
|
||||
|
||||
image.write(sig_rdata);
|
||||
image.write(rrset_data);
|
||||
|
||||
return image.toByteArray();
|
||||
}
|
||||
|
||||
/**
|
||||
* Given the actual signature and the prototype signature, combine them and
|
||||
* return the fully formed RRSIGRecord.
|
||||
*
|
||||
* @param signature
|
||||
* the cryptographic signature, in DNSSEC format.
|
||||
* @param presig
|
||||
* the prototype RRSIG RR to add the signature to.
|
||||
* @return the fully formed RRSIG RR.
|
||||
*/
|
||||
public static RRSIGRecord generateRRSIG(byte[] signature, RRSIGRecord presig) {
|
||||
return new RRSIGRecord(presig.getName(), presig.getDClass(),
|
||||
presig.getTTL(), presig.getTypeCovered(),
|
||||
presig.getAlgorithm(), presig.getOrigTTL(), presig.getExpire(),
|
||||
presig.getTimeSigned(), presig.getFootprint(),
|
||||
presig.getSigner(), signature);
|
||||
}
|
||||
|
||||
/**
|
||||
* Converts from a RFC 2536 formatted DSA signature to a JCE (ASN.1)
|
||||
* formatted signature.
|
||||
*
|
||||
* <p>
|
||||
* ASN.1 format = ASN1_SEQ . seq_length . ASN1_INT . Rlength . R . ANS1_INT
|
||||
* . Slength . S
|
||||
* </p>
|
||||
*
|
||||
* The integers R and S may have a leading null byte to force the integer
|
||||
* positive.
|
||||
*
|
||||
* @param signature
|
||||
* the RFC 2536 formatted DSA signature.
|
||||
* @return The ASN.1 formatted DSA signature.
|
||||
* @throws SignatureException
|
||||
* if there was something wrong with the RFC 2536 formatted
|
||||
* signature.
|
||||
*/
|
||||
public static byte[] convertDSASignature(byte[] signature)
|
||||
throws SignatureException {
|
||||
if (signature.length != 41)
|
||||
throw new SignatureException(
|
||||
"RFC 2536 signature not expected length.");
|
||||
|
||||
byte r_pad = 0;
|
||||
byte s_pad = 0;
|
||||
|
||||
// handle initial null byte padding.
|
||||
if (signature[1] < 0) r_pad++;
|
||||
if (signature[21] < 0) s_pad++;
|
||||
|
||||
// ASN.1 length = R length + S length + (2 + 2 + 2), where each 2
|
||||
// is for a ASN.1 type-length byte pair of which there are three
|
||||
// (SEQ, INT, INT).
|
||||
byte sig_length = (byte) (40 + r_pad + s_pad + 6);
|
||||
|
||||
byte sig[] = new byte[sig_length];
|
||||
byte pos = 0;
|
||||
|
||||
sig[pos++] = ASN1_SEQ;
|
||||
sig[pos++] = (byte) (sig_length - 2); // all but the SEQ type+length.
|
||||
sig[pos++] = ASN1_INT;
|
||||
sig[pos++] = (byte) (20 + r_pad);
|
||||
|
||||
// copy the value of R, leaving a null byte if necessary
|
||||
if (r_pad == 1) sig[pos++] = 0;
|
||||
|
||||
System.arraycopy(signature, 1, sig, pos, 20);
|
||||
pos += 20;
|
||||
|
||||
sig[pos++] = ASN1_INT;
|
||||
sig[pos++] = (byte) (20 + s_pad);
|
||||
|
||||
// copy the value of S, leaving a null byte if necessary
|
||||
if (s_pad == 1) sig[pos++] = 0;
|
||||
|
||||
System.arraycopy(signature, 21, sig, pos, 20);
|
||||
|
||||
return sig;
|
||||
}
|
||||
|
||||
/**
|
||||
* Converts from a JCE (ASN.1) formatted DSA signature to a RFC 2536
|
||||
* compliant signature.
|
||||
*
|
||||
* <p>
|
||||
* rfc2536 format = T . R . S
|
||||
* </p>
|
||||
*
|
||||
* where T is a number between 0 and 8, which is based on the DSA key
|
||||
* length, and R & S are formatted to be exactly 20 bytes each (no leading
|
||||
* null bytes).
|
||||
*
|
||||
* @param params
|
||||
* the DSA parameters associated with the DSA key used to
|
||||
* generate the signature.
|
||||
* @param signature
|
||||
* the ASN.1 formatted DSA signature.
|
||||
* @return a RFC 2536 formatted DSA signature.
|
||||
* @throws SignatureException
|
||||
* if something is wrong with the ASN.1 format.
|
||||
*/
|
||||
public static byte[] convertDSASignature(DSAParams params, byte[] signature)
|
||||
throws SignatureException {
|
||||
if (signature[0] != ASN1_SEQ || signature[2] != ASN1_INT) {
|
||||
throw new SignatureException(
|
||||
"Invalid ASN.1 signature format: expected SEQ, INT");
|
||||
}
|
||||
|
||||
byte r_pad = (byte) (signature[3] - 20);
|
||||
|
||||
if (signature[24 + r_pad] != ASN1_INT) {
|
||||
throw new SignatureException(
|
||||
"Invalid ASN.1 signature format: expected SEQ, INT, INT");
|
||||
}
|
||||
|
||||
// log.trace("(start) ASN.1 DSA Sig:\n" + base64.toString(signature));
|
||||
|
||||
byte s_pad = (byte) (signature[25 + r_pad] - 20);
|
||||
|
||||
byte[] sig = new byte[41]; // all rfc2536 signatures are 41 bytes.
|
||||
|
||||
// Calculate T:
|
||||
sig[0] = (byte) ((params.getP().bitLength() - 512) / 64);
|
||||
|
||||
// copy R value
|
||||
if (r_pad >= 0) {
|
||||
System.arraycopy(signature, 4 + r_pad, sig, 1, 20);
|
||||
} else {
|
||||
// R is shorter than 20 bytes, so right justify the number
|
||||
// (r_pad is negative here, remember?).
|
||||
Arrays.fill(sig, 1, 1 - r_pad, (byte) 0);
|
||||
System.arraycopy(signature, 4, sig, 1 - r_pad, 20 + r_pad);
|
||||
}
|
||||
|
||||
// copy S value
|
||||
if (s_pad >= 0) {
|
||||
System.arraycopy(signature, 26 + r_pad + s_pad, sig, 21, 20);
|
||||
} else {
|
||||
// S is shorter than 20 bytes, so right justify the number
|
||||
// (s_pad is negative here).
|
||||
Arrays.fill(sig, 21, 21 - s_pad, (byte) 0);
|
||||
System.arraycopy(signature, 26 + r_pad, sig, 21 - s_pad, 20 + s_pad);
|
||||
}
|
||||
|
||||
// if (r_pad < 0 || s_pad < 0)
|
||||
// {
|
||||
// log.trace("(finish ***) RFC 2536 DSA Sig:\n" + base64.toString(sig));
|
||||
//
|
||||
// }
|
||||
// else
|
||||
// {
|
||||
// log.trace("(finish) RFC 2536 DSA Sig:\n" + base64.toString(sig));
|
||||
// }
|
||||
|
||||
return sig;
|
||||
}
|
||||
}
|
||||
|
@ -33,16 +33,12 @@ import java.util.Map;
|
||||
|
||||
import org.xbill.DNS.Name;
|
||||
|
||||
import com.versign.tat.dnssec.SRRset;
|
||||
import com.versign.tat.dnssec.SecurityStatus;
|
||||
|
||||
|
||||
/**
|
||||
*
|
||||
*/
|
||||
public class TrustAnchorStore
|
||||
{
|
||||
private Map mMap;
|
||||
private Map<String, SRRset> mMap;
|
||||
|
||||
public TrustAnchorStore()
|
||||
{
|
||||
@ -59,7 +55,7 @@ public class TrustAnchorStore
|
||||
{
|
||||
if (mMap == null)
|
||||
{
|
||||
mMap = new HashMap();
|
||||
mMap = new HashMap<String, SRRset>();
|
||||
}
|
||||
String k = key(rrset.getName(), rrset.getDClass());
|
||||
rrset.setSecurityStatus(SecurityStatus.SECURE);
|
||||
@ -70,7 +66,7 @@ public class TrustAnchorStore
|
||||
private SRRset lookup(String key)
|
||||
{
|
||||
if (mMap == null) return null;
|
||||
return (SRRset) mMap.get(key);
|
||||
return mMap.get(key);
|
||||
}
|
||||
|
||||
public SRRset find(Name n, int dclass)
|
||||
|
@ -31,15 +31,10 @@ package com.versign.tat.dnssec;
|
||||
|
||||
import java.util.*;
|
||||
|
||||
import org.xbill.DNS.Flags;
|
||||
import org.xbill.DNS.Header;
|
||||
import org.xbill.DNS.Name;
|
||||
|
||||
/**
|
||||
* Some basic utility functions.
|
||||
*
|
||||
* @author davidb
|
||||
* @version $Revision$
|
||||
*/
|
||||
public class Util
|
||||
{
|
||||
@ -61,31 +56,6 @@ public class Util
|
||||
return n;
|
||||
}
|
||||
|
||||
// public static SMessage errorMessage(Request request, int rcode)
|
||||
// {
|
||||
// SMessage m = new SMessage(request.getID());
|
||||
// Header h = m.getHeader();
|
||||
// h.setRcode(rcode);
|
||||
// h.setFlag(Flags.QR);
|
||||
// m.setQuestion(request.getQuestion());
|
||||
// m.setOPT(request.getOPT());
|
||||
//
|
||||
// return m;
|
||||
// }
|
||||
//
|
||||
// public static SMessage errorMessage(SMessage message, int rcode)
|
||||
// {
|
||||
// Header h = message.getHeader();
|
||||
// SMessage m = new SMessage(h.getID());
|
||||
// h = m.getHeader();
|
||||
// h.setRcode(rcode);
|
||||
// h.setFlag(Flags.QR);
|
||||
// m.setQuestion(message.getQuestion());
|
||||
// m.setOPT(message.getOPT());
|
||||
//
|
||||
// return m;
|
||||
// }
|
||||
|
||||
public static int parseInt(String s, int def)
|
||||
{
|
||||
if (s == null) return def;
|
||||
@ -123,25 +93,21 @@ public class Util
|
||||
}
|
||||
}
|
||||
|
||||
public static List parseConfigPrefix(Properties config, String prefix)
|
||||
public static List<ConfigEntry> parseConfigPrefix(Properties config, String prefix)
|
||||
{
|
||||
if (! prefix.endsWith("."))
|
||||
{
|
||||
prefix = prefix + ".";
|
||||
}
|
||||
|
||||
List res = new ArrayList();
|
||||
List<ConfigEntry> res = new ArrayList<ConfigEntry>();
|
||||
|
||||
for (Iterator i = config.entrySet().iterator(); i.hasNext(); )
|
||||
{
|
||||
Map.Entry entry = (Map.Entry) i.next();
|
||||
String key = (String) entry.getKey();
|
||||
if (key.startsWith(prefix))
|
||||
{
|
||||
key = key.substring(prefix.length());
|
||||
|
||||
res.add(new ConfigEntry(key, (String) entry.getValue()));
|
||||
}
|
||||
for (Map.Entry<Object, Object> entry : config.entrySet()) {
|
||||
String key = (String) entry.getKey();
|
||||
if (key.startsWith(prefix)) {
|
||||
key = key.substring(prefix.length());
|
||||
res.add(new ConfigEntry(key, (String) entry.getValue()));
|
||||
}
|
||||
}
|
||||
|
||||
return res;
|
||||
|
@ -45,26 +45,40 @@ public class ValUtils {
|
||||
// validation strategy. They have no bearing on the iterative resolution
|
||||
// algorithm, so they are confined here.
|
||||
|
||||
/** Not subtyped yet. */
|
||||
public static final int UNTYPED = 0;
|
||||
public enum ResponseType {
|
||||
UNTYPED, // not sub typed yet
|
||||
UNKNOWN, // not a recognized sub type
|
||||
POSITIVE, // a positive response (no CNAME/DNAME chain)
|
||||
CNAME, // a positive response with a CNAME/DNAME chain.
|
||||
NODATA, // a NOERROR/NODATA response
|
||||
NAMEERROR, // a NXDOMAIN response
|
||||
ANY, // a response to a qtype=ANY query
|
||||
REFERRAL,
|
||||
// a referral response
|
||||
THROWAWAY
|
||||
// a throwaway response (i.e., an error)
|
||||
}
|
||||
|
||||
/** Not a recognized subtype. */
|
||||
public static final int UNKNOWN = 1;
|
||||
|
||||
/** A postive, direct, response. */
|
||||
public static final int POSITIVE = 2;
|
||||
|
||||
/** A postive response, with a CNAME/DNAME chain. */
|
||||
public static final int CNAME = 3;
|
||||
|
||||
/** A NOERROR/NODATA response. */
|
||||
public static final int NODATA = 4;
|
||||
|
||||
/** A NXDOMAIN response. */
|
||||
public static final int NAMEERROR = 5;
|
||||
|
||||
/** A response to a qtype=ANY query. */
|
||||
public static final int ANY = 6;
|
||||
// /** Not subtyped yet. */
|
||||
// public static final int UNTYPED = 0;
|
||||
//
|
||||
// /** Not a recognized subtype. */
|
||||
// public static final int UNKNOWN = 1;
|
||||
//
|
||||
// /** A postive, direct, response. */
|
||||
// public static final int POSITIVE = 2;
|
||||
//
|
||||
// /** A postive response, with a CNAME/DNAME chain. */
|
||||
// public static final int CNAME = 3;
|
||||
//
|
||||
// /** A NOERROR/NODATA response. */
|
||||
// public static final int NODATA = 4;
|
||||
//
|
||||
// /** A NXDOMAIN response. */
|
||||
// public static final int NAMEERROR = 5;
|
||||
//
|
||||
// /** A response to a qtype=ANY query. */
|
||||
// public static final int ANY = 6;
|
||||
|
||||
/** A local copy of the verifier object. */
|
||||
private DnsSecVerifier mVerifier;
|
||||
@ -81,18 +95,38 @@ public class ValUtils {
|
||||
*
|
||||
* @return A subtype ranging from UNKNOWN to NAMEERROR.
|
||||
*/
|
||||
public static int classifyResponse(SMessage m) {
|
||||
public static ResponseType classifyResponse(SMessage m, Name zone) {
|
||||
|
||||
SRRset[] rrsets;
|
||||
// Normal Name Error's are easy to detect -- but don't mistake a CNAME
|
||||
// chain ending in NXDOMAIN.
|
||||
if (m.getRcode() == Rcode.NXDOMAIN && m.getCount(Section.ANSWER) == 0) {
|
||||
return NAMEERROR;
|
||||
return ResponseType.NAMEERROR;
|
||||
}
|
||||
|
||||
// If rcode isn't NXDOMAIN or NOERROR, it is a throwaway response.
|
||||
if (m.getRcode() != Rcode.NOERROR) {
|
||||
return ResponseType.THROWAWAY;
|
||||
}
|
||||
|
||||
// Next is REFERRAL. These are distinguished by having:
|
||||
// 1) nothing in the ANSWER section
|
||||
// 2) an NS RRset in the AUTHORITY section that is a strict subdomain of
|
||||
// 'zone' (the presumed queried zone).
|
||||
if (zone != null && m.getCount(Section.ANSWER) == 0
|
||||
&& m.getCount(Section.AUTHORITY) > 0) {
|
||||
rrsets = m.getSectionRRsets(Section.AUTHORITY);
|
||||
for (int i = 0; i < rrsets.length; ++i) {
|
||||
if (rrsets[i].getType() == Type.NS
|
||||
&& strictSubdomain(rrsets[i].getName(), zone)) {
|
||||
return ResponseType.REFERRAL;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Next is NODATA
|
||||
// st_log.debug("classifyResponse: ancount = " +
|
||||
// m.getCount(Section.ANSWER));
|
||||
if (m.getCount(Section.ANSWER) == 0) {
|
||||
return NODATA;
|
||||
return ResponseType.NODATA;
|
||||
}
|
||||
|
||||
// We distinguish between CNAME response and other positive/negative
|
||||
@ -100,23 +134,22 @@ public class ValUtils {
|
||||
int qtype = m.getQuestion().getType();
|
||||
|
||||
// We distinguish between ANY and CNAME or POSITIVE because ANY
|
||||
// responses
|
||||
// are validated differently.
|
||||
// responses are validated differently.
|
||||
if (qtype == Type.ANY) {
|
||||
return ANY;
|
||||
return ResponseType.ANY;
|
||||
}
|
||||
|
||||
SRRset[] rrsets = m.getSectionRRsets(Section.ANSWER);
|
||||
rrsets = m.getSectionRRsets(Section.ANSWER);
|
||||
|
||||
// Note that DNAMEs will be ignored here, unless qtype=DNAME. Unless
|
||||
// qtype=CNAME, this will yield a CNAME response.
|
||||
for (int i = 0; i < rrsets.length; i++) {
|
||||
if (rrsets[i].getType() == qtype) return POSITIVE;
|
||||
if (rrsets[i].getType() == Type.CNAME) return CNAME;
|
||||
if (rrsets[i].getType() == qtype) return ResponseType.POSITIVE;
|
||||
if (rrsets[i].getType() == Type.CNAME) return ResponseType.CNAME;
|
||||
}
|
||||
|
||||
// st_log.warn("Failed to classify response message:\n" + m);
|
||||
return UNKNOWN;
|
||||
return ResponseType.UNKNOWN;
|
||||
}
|
||||
|
||||
/**
|
||||
@ -126,162 +159,25 @@ public class ValUtils {
|
||||
*
|
||||
* @param m
|
||||
* The response to analyze.
|
||||
* @param request
|
||||
* The request that generated the response.
|
||||
* @return a signer name, if the response is signed (even partially), or
|
||||
* null if the response isn't signed.
|
||||
*/
|
||||
public Name findSigner(SMessage m) {
|
||||
int subtype = classifyResponse(m);
|
||||
Name qname = m.getQName();
|
||||
// FIXME: this used to classify the message, then look in the pertinent
|
||||
// section. Now we just find the first RRSIG in the ANSWER and AUTHORIY
|
||||
// sections.
|
||||
|
||||
SRRset[] rrsets;
|
||||
|
||||
switch (subtype) {
|
||||
case POSITIVE:
|
||||
case CNAME:
|
||||
case ANY:
|
||||
// Check to see if the ANSWER section RRset
|
||||
rrsets = m.getSectionRRsets(Section.ANSWER);
|
||||
for (int i = 0; i < rrsets.length; i++) {
|
||||
if (rrsets[i].getName().equals(qname)) {
|
||||
return rrsets[i].getSignerName();
|
||||
}
|
||||
}
|
||||
return null;
|
||||
|
||||
case NAMEERROR:
|
||||
case NODATA:
|
||||
// Check to see if the AUTH section NSEC record(s) have rrsigs
|
||||
rrsets = m.getSectionRRsets(Section.AUTHORITY);
|
||||
for (int i = 0; i < rrsets.length; i++) {
|
||||
if (rrsets[i].getType() == Type.NSEC
|
||||
|| rrsets[i].getType() == Type.NSEC3) {
|
||||
return rrsets[i].getSignerName();
|
||||
}
|
||||
}
|
||||
return null;
|
||||
default:
|
||||
// log.debug("findSigner: could not find signer name "
|
||||
// + "for unknown type response.");
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
public boolean dssetIsUsable(SRRset ds_rrset) {
|
||||
for (Iterator i = ds_rrset.rrs(); i.hasNext();) {
|
||||
DSRecord ds = (DSRecord) i.next();
|
||||
if (supportsDigestID(ds.getDigestID())
|
||||
&& mVerifier.supportsAlgorithm(ds.getAlgorithm())) {
|
||||
return true;
|
||||
for (int section = Section.ANSWER; section < Section.ADDITIONAL; ++section) {
|
||||
SRRset[] rrsets = m.getSectionRRsets(section);
|
||||
for (int i = 0; i < rrsets.length; ++i) {
|
||||
Name signerName = rrsets[i].getSignerName();
|
||||
if (signerName != null) return signerName;
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Given a DS rrset and a DNSKEY rrset, match the DS to a DNSKEY and verify
|
||||
* the DNSKEY rrset with that key.
|
||||
*
|
||||
* @param dnskey_rrset
|
||||
* The DNSKEY rrset to match against. The security status of this
|
||||
* rrset will be updated on a successful verification.
|
||||
* @param ds_rrset
|
||||
* The DS rrset to match with. This rrset must already be
|
||||
* trusted.
|
||||
*
|
||||
* @return a KeyEntry. This will either contain the now trusted
|
||||
* dnskey_rrset, a "null" key entry indicating that this DS
|
||||
* rrset/DNSKEY pair indicate an secure end to the island of trust
|
||||
* (i.e., unknown algorithms), or a "bad" KeyEntry if the dnskey
|
||||
* rrset fails to verify. Note that the "null" response should
|
||||
* generally only occur in a private algorithm scenario: normally
|
||||
* this sort of thing is checked before fetching the matching DNSKEY
|
||||
* rrset.
|
||||
*/
|
||||
// public KeyEntry verifyNewDNSKEYs(SRRset dnskey_rrset, SRRset ds_rrset)
|
||||
// {
|
||||
// if (!dnskey_rrset.getName().equals(ds_rrset.getName()))
|
||||
// {
|
||||
// // log.debug("DNSKEY RRset did not match DS RRset by name!");
|
||||
// return KeyEntry
|
||||
// .newBadKeyEntry(ds_rrset.getName(), ds_rrset.getDClass());
|
||||
// }
|
||||
//
|
||||
// // as long as this is false, we can consider this DS rrset to be
|
||||
// // equivalent to no DS rrset.
|
||||
// boolean hasUsefulDS = false;
|
||||
//
|
||||
// for (Iterator i = ds_rrset.rrs(); i.hasNext();)
|
||||
// {
|
||||
// DSRecord ds = (DSRecord) i.next();
|
||||
//
|
||||
// // Check to see if we can understand this DS.
|
||||
// if (!supportsDigestID(ds.getDigestID())
|
||||
// || !mVerifier.supportsAlgorithm(ds.getAlgorithm()))
|
||||
// {
|
||||
// continue;
|
||||
// }
|
||||
//
|
||||
// // Once we see a single DS with a known digestID and algorithm, we
|
||||
// // cannot return INSECURE (with a "null" KeyEntry).
|
||||
// hasUsefulDS = true;
|
||||
//
|
||||
// DNSKEY : for (Iterator j = dnskey_rrset.rrs(); j.hasNext();)
|
||||
// {
|
||||
// DNSKEYRecord dnskey = (DNSKEYRecord) j.next();
|
||||
//
|
||||
// // Skip DNSKEYs that don't match the basic criteria.
|
||||
// if (ds.getFootprint() != dnskey.getFootprint()
|
||||
// || ds.getAlgorithm() != dnskey.getAlgorithm())
|
||||
// {
|
||||
// continue;
|
||||
// }
|
||||
//
|
||||
// // Convert the candidate DNSKEY into a hash using the same DS hash
|
||||
// // algorithm.
|
||||
// byte[] key_hash = calculateDSHash(dnskey, ds.getDigestID());
|
||||
// byte[] ds_hash = ds.getDigest();
|
||||
//
|
||||
// // see if there is a length mismatch (unlikely)
|
||||
// if (key_hash.length != ds_hash.length)
|
||||
// {
|
||||
// continue DNSKEY;
|
||||
// }
|
||||
//
|
||||
// for (int k = 0; k < key_hash.length; k++)
|
||||
// {
|
||||
// if (key_hash[k] != ds_hash[k]) continue DNSKEY;
|
||||
// }
|
||||
//
|
||||
// // Otherwise, we have a match! Make sure that the DNSKEY verifies
|
||||
// // *with this key*.
|
||||
// byte res = mVerifier.verify(dnskey_rrset, dnskey);
|
||||
// if (res == SecurityStatus.SECURE)
|
||||
// {
|
||||
// // log.trace("DS matched DNSKEY.");
|
||||
// dnskey_rrset.setSecurityStatus(SecurityStatus.SECURE);
|
||||
// return KeyEntry.newKeyEntry(dnskey_rrset);
|
||||
// }
|
||||
// // If it didn't validate with the DNSKEY, try the next one!
|
||||
// }
|
||||
// }
|
||||
//
|
||||
// // None of the DS's worked out.
|
||||
//
|
||||
// // If no DSs were understandable, then this is OK.
|
||||
// if (!hasUsefulDS)
|
||||
// {
|
||||
// //
|
||||
// log.debug("No usuable DS records were found -- treating as insecure.");
|
||||
// return KeyEntry.newNullKeyEntry(ds_rrset.getName(), ds_rrset
|
||||
// .getDClass(), ds_rrset.getTTL());
|
||||
// }
|
||||
// // If any were understandable, then it is bad.
|
||||
// // log.debug("Failed to match any usable DS to a DNSKEY.");
|
||||
// return KeyEntry.newBadKeyEntry(ds_rrset.getName(), ds_rrset.getDClass());
|
||||
// }
|
||||
|
||||
/**
|
||||
* Given a DNSKEY record, generate the DS record from it.
|
||||
*
|
||||
@ -406,9 +302,9 @@ public class ValUtils {
|
||||
* @return The status (BOGUS or SECURE).
|
||||
*/
|
||||
public byte verifySRRset(SRRset rrset, SRRset key_rrset) {
|
||||
String rrset_name = rrset.getName() + "/"
|
||||
+ Type.string(rrset.getType()) + "/"
|
||||
+ DClass.string(rrset.getDClass());
|
||||
// String rrset_name = rrset.getName() + "/"
|
||||
// + Type.string(rrset.getType()) + "/"
|
||||
// + DClass.string(rrset.getDClass());
|
||||
|
||||
if (rrset.getSecurityStatus() == SecurityStatus.SECURE) {
|
||||
// log.trace("verifySRRset: rrset <" + rrset_name
|
||||
@ -433,7 +329,7 @@ public class ValUtils {
|
||||
}
|
||||
|
||||
/**
|
||||
* Determine if a given type map has a given typ.
|
||||
* Determine if a given type map has a given type.
|
||||
*
|
||||
* @param types
|
||||
* The type map from the NSEC record.
|
||||
@ -448,6 +344,7 @@ public class ValUtils {
|
||||
return false;
|
||||
}
|
||||
|
||||
@SuppressWarnings("unchecked")
|
||||
public static RRSIGRecord rrsetFirstSig(RRset rrset) {
|
||||
for (Iterator i = rrset.sigs(); i.hasNext();) {
|
||||
return (RRSIGRecord) i.next();
|
||||
@ -517,7 +414,7 @@ public class ValUtils {
|
||||
* generating wildcard.
|
||||
*
|
||||
* @param rrset
|
||||
* The rrset to chedck.
|
||||
* The rrset to check.
|
||||
* @return the wildcard name, if the rrset was synthesized from a wildcard.
|
||||
* null if not.
|
||||
*/
|
||||
@ -577,14 +474,11 @@ public class ValUtils {
|
||||
|
||||
// If NSEC is a parent of qname, we need to check the type map
|
||||
// If the parent name has a DNAME or is a delegation point, then this
|
||||
// NSEC
|
||||
// is being misused.
|
||||
if (qname.subdomain(owner)
|
||||
&& (typeMapHasType(nsec.getTypes(), Type.DNAME) || (typeMapHasType(
|
||||
nsec.getTypes(),
|
||||
Type.NS) && !typeMapHasType(
|
||||
nsec.getTypes(),
|
||||
Type.SOA)))) {
|
||||
// NSEC is being misused.
|
||||
boolean hasBadType = typeMapHasType(nsec.getTypes(), Type.DNAME)
|
||||
|| (typeMapHasType(nsec.getTypes(), Type.NS) && !typeMapHasType(nsec.getTypes(),
|
||||
Type.SOA));
|
||||
if (qname.subdomain(owner) && hasBadType) {
|
||||
return false;
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user