sync with external work.
This commit is contained in:
parent
bc7e5dae8e
commit
657c073cc5
@ -1,38 +1,37 @@
|
|||||||
/*
|
/***************************** -*- Java -*- ********************************\
|
||||||
* Copyright (c) 2009 VeriSign, Inc. All rights reserved.
|
* *
|
||||||
*
|
* Copyright (c) 2009 VeriSign, Inc. All rights reserved. *
|
||||||
* Redistribution and use in source and binary forms, with or without
|
* *
|
||||||
* modification, are permitted provided that the following conditions
|
* This software is provided solely in connection with the terms of the *
|
||||||
* are met:
|
* license agreement. Any other use without the prior express written *
|
||||||
*
|
* permission of VeriSign is completely prohibited. The software and *
|
||||||
* 1. Redistributions of source code must retain the above copyright
|
* documentation are "Commercial Items", as that term is defined in 48 *
|
||||||
* notice, this list of conditions and the following disclaimer.
|
* C.F.R. section 2.101, consisting of "Commercial Computer Software" and *
|
||||||
* 2. Redistributions in binary form must reproduce the above copyright
|
* "Commercial Computer Software Documentation" as such terms are defined *
|
||||||
* notice, this list of conditions and the following disclaimer in the
|
* in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section *
|
||||||
* documentation and/or other materials provided with the distribution.
|
* 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. *
|
||||||
* 3. The name of the author may not be used to endorse or promote products
|
* section 227.7202, as applicable. Pursuant to the above and other *
|
||||||
* derived from this software without specific prior written permission.
|
* relevant sections of the Code of Federal Regulations, as applicable, *
|
||||||
*
|
* VeriSign's publications, commercial computer software, and commercial *
|
||||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
* computer software documentation are distributed and licensed to United *
|
||||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
* States Government end users with only those rights as granted to all *
|
||||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
* other end users, according to the terms and conditions contained in the *
|
||||||
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
* license agreement(s) that accompany the products and software *
|
||||||
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
* documentation. *
|
||||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
* *
|
||||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
\***************************************************************************/
|
||||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
||||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
||||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
|
|
||||||
package com.versign.tat.dnssec;
|
package com.verisign.tat.dnssec;
|
||||||
|
|
||||||
import java.io.IOException;
|
import org.apache.log4j.Logger;
|
||||||
import java.util.*;
|
|
||||||
|
|
||||||
import org.xbill.DNS.*;
|
import org.xbill.DNS.*;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
|
||||||
|
import java.util.*;
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This resolver module implements a "captive" DNSSEC validator. The captive
|
* This resolver module implements a "captive" DNSSEC validator. The captive
|
||||||
* validator does not have direct access to the Internet and DNS system --
|
* validator does not have direct access to the Internet and DNS system --
|
||||||
@ -40,9 +39,7 @@ import org.xbill.DNS.*;
|
|||||||
* This is useful for determining if responses coming from a given authoritative
|
* This is useful for determining if responses coming from a given authoritative
|
||||||
* server will validate independent of the normal chain of trust.
|
* server will validate independent of the normal chain of trust.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
public class CaptiveValidator {
|
public class CaptiveValidator {
|
||||||
|
|
||||||
// A data structure holding all all of our trusted keys.
|
// A data structure holding all all of our trusted keys.
|
||||||
private TrustAnchorStore mTrustedKeys;
|
private TrustAnchorStore mTrustedKeys;
|
||||||
|
|
||||||
@ -51,6 +48,7 @@ public class CaptiveValidator {
|
|||||||
|
|
||||||
// The local verification utility.
|
// The local verification utility.
|
||||||
private DnsSecVerifier mVerifier;
|
private DnsSecVerifier mVerifier;
|
||||||
|
private Logger log = Logger.getLogger(this.getClass());
|
||||||
|
|
||||||
public CaptiveValidator() {
|
public CaptiveValidator() {
|
||||||
mVerifier = new DnsSecVerifier();
|
mVerifier = new DnsSecVerifier();
|
||||||
@ -69,7 +67,8 @@ public class CaptiveValidator {
|
|||||||
* @throws IOException
|
* @throws IOException
|
||||||
*/
|
*/
|
||||||
@SuppressWarnings("unchecked")
|
@SuppressWarnings("unchecked")
|
||||||
public void addTrustedKeysFromFile(String filename) throws IOException {
|
public void addTrustedKeysFromFile(String filename)
|
||||||
|
throws IOException {
|
||||||
// First read in the whole trust anchor file.
|
// First read in the whole trust anchor file.
|
||||||
Master master = new Master(filename, Name.root, 0);
|
Master master = new Master(filename, Name.root, 0);
|
||||||
ArrayList<Record> records = new ArrayList<Record>();
|
ArrayList<Record> records = new ArrayList<Record>();
|
||||||
@ -85,21 +84,27 @@ public class CaptiveValidator {
|
|||||||
Collections.sort(records);
|
Collections.sort(records);
|
||||||
|
|
||||||
SRRset cur_rrset = new SRRset();
|
SRRset cur_rrset = new SRRset();
|
||||||
|
|
||||||
for (Record rec : records) {
|
for (Record rec : records) {
|
||||||
// Skip RR types that cannot be used as trusted keys. I.e.,
|
// Skip RR types that cannot be used as trusted keys. I.e.,
|
||||||
// everything not a key :)
|
// everything not a key :)
|
||||||
if (rec.getType() != Type.DNSKEY) continue;
|
if (rec.getType() != Type.DNSKEY) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
// If our cur_rrset is empty, we can just add it.
|
// If our cur_rrset is empty, we can just add it.
|
||||||
if (cur_rrset.size() == 0) {
|
if (cur_rrset.size() == 0) {
|
||||||
cur_rrset.addRR(rec);
|
cur_rrset.addRR(rec);
|
||||||
|
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
// If this record matches our current RRset, we can just add it.
|
// If this record matches our current RRset, we can just add it.
|
||||||
if (cur_rrset.getName().equals(rec.getName())
|
if (cur_rrset.getName().equals(rec.getName()) &&
|
||||||
&& cur_rrset.getType() == rec.getType()
|
(cur_rrset.getType() == rec.getType()) &&
|
||||||
&& cur_rrset.getDClass() == rec.getDClass()) {
|
(cur_rrset.getDClass() == rec.getDClass())) {
|
||||||
cur_rrset.addRR(rec);
|
cur_rrset.addRR(rec);
|
||||||
|
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -117,6 +122,7 @@ public class CaptiveValidator {
|
|||||||
|
|
||||||
public void addTrustedKeysFromResponse(Message m) {
|
public void addTrustedKeysFromResponse(Message m) {
|
||||||
RRset [] rrsets = m.getSectionRRsets(Section.ANSWER);
|
RRset [] rrsets = m.getSectionRRsets(Section.ANSWER);
|
||||||
|
|
||||||
for (int i = 0; i < rrsets.length; ++i) {
|
for (int i = 0; i < rrsets.length; ++i) {
|
||||||
if (rrsets[i].getType() == Type.DNSKEY) {
|
if (rrsets[i].getType() == Type.DNSKEY) {
|
||||||
SRRset srrset = new SRRset(rrsets[i]);
|
SRRset srrset = new SRRset(rrsets[i]);
|
||||||
@ -135,9 +141,12 @@ public class CaptiveValidator {
|
|||||||
* @param response
|
* @param response
|
||||||
*/
|
*/
|
||||||
private SMessage normalize(SMessage m) {
|
private SMessage normalize(SMessage m) {
|
||||||
if (m == null) return m;
|
if (m == null) {
|
||||||
|
return m;
|
||||||
|
}
|
||||||
|
|
||||||
if (m.getRcode() != Rcode.NOERROR && m.getRcode() != Rcode.NXDOMAIN) {
|
if ((m.getRcode() != Rcode.NOERROR) &&
|
||||||
|
(m.getRcode() != Rcode.NXDOMAIN)) {
|
||||||
return m;
|
return m;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -159,17 +168,20 @@ public class CaptiveValidator {
|
|||||||
|
|
||||||
// Handle DNAME synthesis; DNAME synthesis does not occur at the
|
// Handle DNAME synthesis; DNAME synthesis does not occur at the
|
||||||
// DNAME name itself.
|
// DNAME name itself.
|
||||||
if (type == Type.DNAME && ValUtils.strictSubdomain(sname, n)) {
|
if ((type == Type.DNAME) && ValUtils.strictSubdomain(sname, n)) {
|
||||||
if (rrset.size() > 1) {
|
if (rrset.size() > 1) {
|
||||||
// log.debug("Found DNAME rrset with size > 1: " + rrset);
|
log.debug("Found DNAME rrset with size > 1: " + rrset);
|
||||||
// return Util.errorMessage(m, Rcode.SERVFAIL);
|
m.setStatus(SecurityStatus.INVALID);
|
||||||
return null; // FIXME
|
|
||||||
|
return m;
|
||||||
}
|
}
|
||||||
|
|
||||||
DNAMERecord dname = (DNAMERecord) rrset.first();
|
DNAMERecord dname = (DNAMERecord) rrset.first();
|
||||||
|
|
||||||
try {
|
try {
|
||||||
Name cname_alias = sname.fromDNAME(dname);
|
Name cname_alias = sname.fromDNAME(dname);
|
||||||
// Note that synthesized CNAMEs should have a TTL of zero.
|
|
||||||
|
|
||||||
|
// Note that synthesized CNAMEs should have a TTL of zero.
|
||||||
CNAMERecord cname = new CNAMERecord(sname,
|
CNAMERecord cname = new CNAMERecord(sname,
|
||||||
dname.getDClass(), 0, cname_alias);
|
dname.getDClass(), 0, cname_alias);
|
||||||
SRRset cname_rrset = new SRRset();
|
SRRset cname_rrset = new SRRset();
|
||||||
@ -178,35 +190,39 @@ public class CaptiveValidator {
|
|||||||
|
|
||||||
sname = cname_alias;
|
sname = cname_alias;
|
||||||
} catch (NameTooLongException e) {
|
} catch (NameTooLongException e) {
|
||||||
// log.debug("not adding synthesized CNAME -- "
|
log.debug("not adding synthesized CNAME -- " +
|
||||||
// + "generated name is too long", e);
|
"generated name is too long", e);
|
||||||
}
|
}
|
||||||
|
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
// The only records in the ANSWER section not allowed to
|
// The only records in the ANSWER section not allowed to
|
||||||
if (!n.equals(sname)) {
|
if (!n.equals(sname)) {
|
||||||
// log.debug("normalize: removing irrelevant rrset: " + rrset);
|
log.debug("normalize: removing irrelevant rrset: " + rrset);
|
||||||
i.remove();
|
i.remove();
|
||||||
|
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Follow the CNAME chain.
|
// Follow the CNAME chain.
|
||||||
if (type == Type.CNAME) {
|
if (type == Type.CNAME) {
|
||||||
if (rrset.size() > 1) {
|
if (rrset.size() > 1) {
|
||||||
// log.debug("Found CNAME rrset with size > 1: " + rrset);
|
log.debug("Found CNAME rrset with size > 1: " + rrset);
|
||||||
// return Util.errorMessage(m, Rcode.SERVFAIL);
|
m.setStatus(SecurityStatus.INVALID);
|
||||||
return null; // FIXME
|
|
||||||
|
return m;
|
||||||
}
|
}
|
||||||
|
|
||||||
CNAMERecord cname = (CNAMERecord) rrset.first();
|
CNAMERecord cname = (CNAMERecord) rrset.first();
|
||||||
sname = cname.getAlias();
|
sname = cname.getAlias();
|
||||||
|
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Otherwise, make sure that the RRset matches the qtype.
|
// Otherwise, make sure that the RRset matches the qtype.
|
||||||
if (qtype != Type.ANY && qtype != type) {
|
if ((qtype != Type.ANY) && (qtype != type)) {
|
||||||
// log.debug("normalize: removing irrelevant rrset: " + rrset);
|
log.debug("normalize: removing irrelevant rrset: " + rrset);
|
||||||
i.remove();
|
i.remove();
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -216,6 +232,7 @@ public class CaptiveValidator {
|
|||||||
|
|
||||||
// Get additional names from AUTHORITY
|
// Get additional names from AUTHORITY
|
||||||
rrset_list = m.getSectionList(Section.AUTHORITY);
|
rrset_list = m.getSectionList(Section.AUTHORITY);
|
||||||
|
|
||||||
for (SRRset rrset : rrset_list) {
|
for (SRRset rrset : rrset_list) {
|
||||||
rrsetAdditionalNames(additional_names, rrset);
|
rrsetAdditionalNames(additional_names, rrset);
|
||||||
}
|
}
|
||||||
@ -224,14 +241,15 @@ public class CaptiveValidator {
|
|||||||
// address record and not in the collection of additional names found in
|
// address record and not in the collection of additional names found in
|
||||||
// ANSWER and AUTHORITY.
|
// ANSWER and AUTHORITY.
|
||||||
rrset_list = m.getSectionList(Section.ADDITIONAL);
|
rrset_list = m.getSectionList(Section.ADDITIONAL);
|
||||||
|
|
||||||
for (Iterator<SRRset> i = rrset_list.iterator(); i.hasNext();) {
|
for (Iterator<SRRset> i = rrset_list.iterator(); i.hasNext();) {
|
||||||
SRRset rrset = i.next();
|
SRRset rrset = i.next();
|
||||||
int type = rrset.getType();
|
int type = rrset.getType();
|
||||||
if ((type == Type.A || type == Type.AAAA)
|
|
||||||
&& !additional_names.contains(rrset.getName())) {
|
if (((type == Type.A) || (type == Type.AAAA)) &&
|
||||||
|
!additional_names.contains(rrset.getName())) {
|
||||||
i.remove();
|
i.remove();
|
||||||
}
|
}
|
||||||
// FIXME: what about other types?
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return m;
|
return m;
|
||||||
@ -246,11 +264,14 @@ public class CaptiveValidator {
|
|||||||
* The rrset to extract from.
|
* The rrset to extract from.
|
||||||
*/
|
*/
|
||||||
private void rrsetAdditionalNames(Set<Name> additional_names, SRRset rrset) {
|
private void rrsetAdditionalNames(Set<Name> additional_names, SRRset rrset) {
|
||||||
if (rrset == null) return;
|
if (rrset == null) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
for (Iterator<Record> i = rrset.rrs(); i.hasNext();) {
|
for (Iterator<Record> i = rrset.rrs(); i.hasNext();) {
|
||||||
Record r = i.next();
|
Record r = i.next();
|
||||||
Name add_name = r.getAdditionalName();
|
Name add_name = r.getAdditionalName();
|
||||||
|
|
||||||
if (add_name != null) {
|
if (add_name != null) {
|
||||||
additional_names.add(add_name);
|
additional_names.add(add_name);
|
||||||
}
|
}
|
||||||
@ -282,15 +303,18 @@ public class CaptiveValidator {
|
|||||||
private boolean needsValidation(SMessage message) {
|
private boolean needsValidation(SMessage message) {
|
||||||
int rcode = message.getRcode();
|
int rcode = message.getRcode();
|
||||||
|
|
||||||
if (rcode != Rcode.NOERROR && rcode != Rcode.NXDOMAIN) {
|
if ((rcode != Rcode.NOERROR) && (rcode != Rcode.NXDOMAIN)) {
|
||||||
// log.debug("cannot validate non-answer.");
|
log.debug("cannot validate non-answer.");
|
||||||
// log.trace("non-answer: " + response);
|
log.trace("non-answer: " + message);
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!mTrustedKeys.isBelowTrustAnchor(message.getQName(), message.getQClass())) {
|
if (!mTrustedKeys.isBelowTrustAnchor(message.getQName(),
|
||||||
|
message.getQClass())) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -330,28 +354,32 @@ public class CaptiveValidator {
|
|||||||
// Because of the normalization routines in NameserverClient, there
|
// Because of the normalization routines in NameserverClient, there
|
||||||
// will always be an unsigned CNAME following a DNAME (unless
|
// will always be an unsigned CNAME following a DNAME (unless
|
||||||
// qtype=DNAME).
|
// qtype=DNAME).
|
||||||
if (dname && rrsets[i].getType() == Type.CNAME) {
|
if (dname && (rrsets[i].getType() == Type.CNAME)) {
|
||||||
dname = false;
|
dname = false;
|
||||||
|
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Verify the answer rrset.
|
// Verify the answer rrset.
|
||||||
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
|
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
|
||||||
|
|
||||||
// If the (answer) rrset failed to validate, then this message is
|
// If the (answer) rrset failed to validate, then this message is
|
||||||
// BAD.
|
// BAD.
|
||||||
if (status != SecurityStatus.SECURE) {
|
if (status != SecurityStatus.SECURE) {
|
||||||
// log.debug("Positive response has failed ANSWER rrset: "
|
log.debug("Positive response has failed ANSWER rrset: " +
|
||||||
// + rrsets[i]);
|
rrsets[i]);
|
||||||
m.setStatus(SecurityStatus.BOGUS);
|
m.setStatus(SecurityStatus.BOGUS);
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check to see if the rrset is the result of a wildcard expansion.
|
// Check to see if the rrset is the result of a wildcard expansion.
|
||||||
// If so, an additional check will need to be made in the authority
|
// If so, an additional check will need to be made in the authority
|
||||||
// section.
|
// section.
|
||||||
wc = ValUtils.rrsetWildcard(rrsets[i]);
|
wc = ValUtils.rrsetWildcard(rrsets[i]);
|
||||||
|
|
||||||
// Notice a DNAME that should be followed by an unsigned CNAME.
|
// Notice a DNAME that should be followed by an unsigned CNAME.
|
||||||
if (qtype != Type.DNAME && rrsets[i].getType() == Type.DNAME) {
|
if ((qtype != Type.DNAME) && (rrsets[i].getType() == Type.DNAME)) {
|
||||||
dname = true;
|
dname = true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -359,41 +387,50 @@ public class CaptiveValidator {
|
|||||||
// validate the AUTHORITY section as well - this will generally be the
|
// validate the AUTHORITY section as well - this will generally be the
|
||||||
// NS rrset (which could be missing, no problem)
|
// NS rrset (which could be missing, no problem)
|
||||||
rrsets = m.getSectionRRsets(Section.AUTHORITY);
|
rrsets = m.getSectionRRsets(Section.AUTHORITY);
|
||||||
|
|
||||||
for (int i = 0; i < rrsets.length; i++) {
|
for (int i = 0; i < rrsets.length; i++) {
|
||||||
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
|
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
|
||||||
|
|
||||||
// If anything in the authority section fails to be secure, we have
|
// If anything in the authority section fails to be secure, we have
|
||||||
// a
|
// a
|
||||||
// bad message.
|
// bad message.
|
||||||
if (status != SecurityStatus.SECURE) {
|
if (status != SecurityStatus.SECURE) {
|
||||||
// log.debug("Positive response has failed AUTHORITY rrset: "
|
log.debug("Positive response has failed AUTHORITY rrset: " +
|
||||||
// + rrsets[i]);
|
rrsets[i]);
|
||||||
m.setStatus(SecurityStatus.BOGUS);
|
m.setStatus(SecurityStatus.BOGUS);
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
// If this is a positive wildcard response, and we have a (just
|
// If this is a positive wildcard response, and we have a (just
|
||||||
// verified) NSEC record, try to use it to 1) prove that qname
|
// verified) NSEC record, try to use it to 1) prove that qname
|
||||||
// doesn't exist and 2) that the correct wildcard was used.
|
// doesn't exist and 2) that the correct wildcard was used.
|
||||||
if (wc != null && rrsets[i].getType() == Type.NSEC) {
|
if ((wc != null) && (rrsets[i].getType() == Type.NSEC)) {
|
||||||
NSECRecord nsec = (NSECRecord) rrsets[i].first();
|
NSECRecord nsec = (NSECRecord) rrsets[i].first();
|
||||||
|
|
||||||
if (ValUtils.nsecProvesNameError(nsec, qname,
|
if (ValUtils.nsecProvesNameError(nsec, qname,
|
||||||
key_rrset.getName())) {
|
key_rrset.getName())) {
|
||||||
Name nsec_wc = ValUtils.nsecWildcard(qname, nsec);
|
Name nsec_wc = ValUtils.nsecWildcard(qname, nsec);
|
||||||
|
|
||||||
if (!wc.equals(nsec_wc)) {
|
if (!wc.equals(nsec_wc)) {
|
||||||
// log.debug("Positive wildcard response wasn't generated "
|
// log.debug("Positive wildcard response wasn't generated "
|
||||||
// + "by the correct wildcard");
|
// + "by the correct wildcard");
|
||||||
m.setStatus(SecurityStatus.BOGUS);
|
m.setStatus(SecurityStatus.BOGUS);
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
wcNSEC_ok = true;
|
wcNSEC_ok = true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Otherwise, if this is a positive wildcard response and we have
|
// Otherwise, if this is a positive wildcard response and we have
|
||||||
// NSEC3 records, collect them.
|
// NSEC3 records, collect them.
|
||||||
if (wc != null && rrsets[i].getType() == Type.NSEC3) {
|
if ((wc != null) && (rrsets[i].getType() == Type.NSEC3)) {
|
||||||
if (nsec3s == null) nsec3s = new ArrayList<NSEC3Record>();
|
if (nsec3s == null) {
|
||||||
|
nsec3s = new ArrayList<NSEC3Record>();
|
||||||
|
}
|
||||||
|
|
||||||
nsec3s.add((NSEC3Record) rrsets[i].first());
|
nsec3s.add((NSEC3Record) rrsets[i].first());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -401,7 +438,7 @@ public class CaptiveValidator {
|
|||||||
// If this was a positive wildcard response that we haven't already
|
// If this was a positive wildcard response that we haven't already
|
||||||
// proven, and we have NSEC3 records, try to prove it using the NSEC3
|
// proven, and we have NSEC3 records, try to prove it using the NSEC3
|
||||||
// records.
|
// records.
|
||||||
if (wc != null && !wcNSEC_ok && nsec3s != null) {
|
if ((wc != null) && !wcNSEC_ok && (nsec3s != null)) {
|
||||||
if (NSEC3ValUtils.proveWildcard(nsec3s, qname, key_rrset.getName(),
|
if (NSEC3ValUtils.proveWildcard(nsec3s, qname, key_rrset.getName(),
|
||||||
wc)) {
|
wc)) {
|
||||||
wcNSEC_ok = true;
|
wcNSEC_ok = true;
|
||||||
@ -410,14 +447,15 @@ public class CaptiveValidator {
|
|||||||
|
|
||||||
// If after all this, we still haven't proven the positive wildcard
|
// If after all this, we still haven't proven the positive wildcard
|
||||||
// response, fail.
|
// response, fail.
|
||||||
if (wc != null && !wcNSEC_ok) {
|
if ((wc != null) && !wcNSEC_ok) {
|
||||||
// log.debug("positive response was wildcard expansion and "
|
// log.debug("positive response was wildcard expansion and "
|
||||||
// + "did not prove original data did not exist");
|
// + "did not prove original data did not exist");
|
||||||
m.setStatus(SecurityStatus.BOGUS);
|
m.setStatus(SecurityStatus.BOGUS);
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
// log.trace("Successfully validated positive response");
|
log.trace("Successfully validated positive response");
|
||||||
m.setStatus(SecurityStatus.SECURE);
|
m.setStatus(SecurityStatus.SECURE);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -425,7 +463,9 @@ public class CaptiveValidator {
|
|||||||
SMessage m = message;
|
SMessage m = message;
|
||||||
|
|
||||||
if (m.getCount(Section.ANSWER) > 0) {
|
if (m.getCount(Section.ANSWER) > 0) {
|
||||||
// FIXME: fail somehow.
|
m.setStatus(SecurityStatus.INVALID);
|
||||||
|
|
||||||
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
// validate the AUTHORITY section.
|
// validate the AUTHORITY section.
|
||||||
@ -440,36 +480,60 @@ public class CaptiveValidator {
|
|||||||
// validate the AUTHORITY section as well - this will generally be the
|
// validate the AUTHORITY section as well - this will generally be the
|
||||||
// NS rrset, plus proof of a secure delegation or not
|
// NS rrset, plus proof of a secure delegation or not
|
||||||
rrsets = m.getSectionRRsets(Section.AUTHORITY);
|
rrsets = m.getSectionRRsets(Section.AUTHORITY);
|
||||||
|
|
||||||
for (int i = 0; i < rrsets.length; i++) {
|
for (int i = 0; i < rrsets.length; i++) {
|
||||||
|
int type = rrsets[i].getType();
|
||||||
|
|
||||||
|
// The NS RRset won't be signed, but everything else should be.
|
||||||
|
if (type != Type.NS) {
|
||||||
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
|
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
|
||||||
// If anything in the authority section fails to be secure, we have
|
|
||||||
|
// If anything in the authority section fails to be secure, we
|
||||||
|
// have
|
||||||
// a bad message.
|
// a bad message.
|
||||||
if (status != SecurityStatus.SECURE) {
|
if (status != SecurityStatus.SECURE) {
|
||||||
// log.debug("Positive response has failed AUTHORITY rrset: "
|
log.debug("Positive response has failed AUTHORITY rrset: " +
|
||||||
// + rrsets[i]);
|
rrsets[i]);
|
||||||
m.setStatus(SecurityStatus.BOGUS);
|
m.setStatus(SecurityStatus.BOGUS);
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
int type = rrsets[i].getType();
|
|
||||||
switch (type) {
|
switch (type) {
|
||||||
case Type.DS:
|
case Type.DS:
|
||||||
secure_delegation = true;
|
secure_delegation = true;
|
||||||
|
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case Type.NS:
|
case Type.NS:
|
||||||
delegation = rrsets[i].getName();
|
delegation = rrsets[i].getName();
|
||||||
|
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case Type.NSEC:
|
case Type.NSEC:
|
||||||
nsec = (NSECRecord) rrsets[i].first();
|
nsec = (NSECRecord) rrsets[i].first();
|
||||||
|
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case Type.NSEC3:
|
case Type.NSEC3:
|
||||||
if (nsec3s == null) nsec3s = new ArrayList<NSEC3Record>();
|
|
||||||
|
if (nsec3s == null) {
|
||||||
|
nsec3s = new ArrayList<NSEC3Record>();
|
||||||
|
}
|
||||||
|
|
||||||
NSEC3Record nsec3 = (NSEC3Record) rrsets[i].first();
|
NSEC3Record nsec3 = (NSEC3Record) rrsets[i].first();
|
||||||
nsec3s.add(nsec3);
|
nsec3s.add(nsec3);
|
||||||
nsec3zone = rrsets[i].getSignerName(); // this is a hack of sorts.
|
nsec3zone = rrsets[i].getSignerName(); // this is a hack of
|
||||||
|
// sorts.
|
||||||
|
|
||||||
break;
|
break;
|
||||||
|
|
||||||
default:
|
default:
|
||||||
// FIXME: should probably whine if we see something else.
|
log.warn(
|
||||||
|
"Encountered unexpected type in a REFERRAL response: " +
|
||||||
|
Type.string(type));
|
||||||
|
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -479,40 +543,54 @@ public class CaptiveValidator {
|
|||||||
if (delegation == null) {
|
if (delegation == null) {
|
||||||
// somehow we have a referral without an NS rrset.
|
// somehow we have a referral without an NS rrset.
|
||||||
m.setStatus(SecurityStatus.BOGUS);
|
m.setStatus(SecurityStatus.BOGUS);
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (secure_delegation) {
|
if (secure_delegation) {
|
||||||
if (nsec != null || nsec3s.size() > 0) {
|
if ((nsec != null) || ((nsec3s != null) && (nsec3s.size() > 0))) {
|
||||||
// we found both a DS rrset *and* NSEC/NSEC3 rrsets!
|
// we found both a DS rrset *and* NSEC/NSEC3 rrsets!
|
||||||
m.setStatus(SecurityStatus.BOGUS);
|
m.setStatus(SecurityStatus.BOGUS);
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
// otherwise, we are done.
|
// otherwise, we are done.
|
||||||
m.setStatus(SecurityStatus.SECURE);
|
m.setStatus(SecurityStatus.SECURE);
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Note: not going to care if both NSEC and NSEC3 rrsets were present.
|
// Note: not going to care if both NSEC and NSEC3 rrsets were present.
|
||||||
if (nsec != null) {
|
if (nsec != null) {
|
||||||
byte status = ValUtils.nsecProvesNoDS(nsec, delegation);
|
byte status = ValUtils.nsecProvesNoDS(nsec, delegation);
|
||||||
|
|
||||||
if (status != SecurityStatus.SECURE) {
|
if (status != SecurityStatus.SECURE) {
|
||||||
// The NSEC *must* prove that there was no DS record. The INSECURE state here is still bogus.
|
// The NSEC *must* prove that there was no DS record. The
|
||||||
|
// INSECURE state here is still bogus.
|
||||||
m.setStatus(SecurityStatus.BOGUS);
|
m.setStatus(SecurityStatus.BOGUS);
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
m.setStatus(SecurityStatus.SECURE);
|
m.setStatus(SecurityStatus.SECURE);
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (nsec3s.size() > 0) {
|
if (nsec3s.size() > 0) {
|
||||||
byte status = NSEC3ValUtils.proveNoDS(nsec3s, delegation, nsec3zone);
|
byte status = NSEC3ValUtils.proveNoDS(nsec3s, delegation, nsec3zone);
|
||||||
|
|
||||||
if (status != SecurityStatus.SECURE) {
|
if (status != SecurityStatus.SECURE) {
|
||||||
// the NSEC3 RRs MUST prove no DS, so the INDETERMINATE state is actually bogus
|
// the NSEC3 RRs MUST prove no DS, so the INDETERMINATE state is
|
||||||
|
// actually bogus
|
||||||
m.setStatus(SecurityStatus.BOGUS);
|
m.setStatus(SecurityStatus.BOGUS);
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
m.setStatus(SecurityStatus.SECURE);
|
m.setStatus(SecurityStatus.SECURE);
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -520,9 +598,7 @@ public class CaptiveValidator {
|
|||||||
m.setStatus(SecurityStatus.BOGUS);
|
m.setStatus(SecurityStatus.BOGUS);
|
||||||
}
|
}
|
||||||
|
|
||||||
private void validateCNAMEResponse(SMessage message, SRRset key_rrset) {
|
private void validateCNAMEResponse(SMessage message, SRRset key_rrset) {}
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Given an "ANY" response -- a response that contains an answer to a
|
* Given an "ANY" response -- a response that contains an answer to a
|
||||||
@ -550,22 +626,26 @@ public class CaptiveValidator {
|
|||||||
private void validateAnyResponse(SMessage message, SRRset key_rrset) {
|
private void validateAnyResponse(SMessage message, SRRset key_rrset) {
|
||||||
int qtype = message.getQType();
|
int qtype = message.getQType();
|
||||||
|
|
||||||
if (qtype != Type.ANY)
|
if (qtype != Type.ANY) {
|
||||||
throw new IllegalArgumentException(
|
throw new IllegalArgumentException(
|
||||||
"ANY validation called on non-ANY response.");
|
"ANY validation called on non-ANY response.");
|
||||||
|
}
|
||||||
|
|
||||||
SMessage m = message;
|
SMessage m = message;
|
||||||
|
|
||||||
// validate the ANSWER section.
|
// validate the ANSWER section.
|
||||||
SRRset [] rrsets = m.getSectionRRsets(Section.ANSWER);
|
SRRset [] rrsets = m.getSectionRRsets(Section.ANSWER);
|
||||||
|
|
||||||
for (int i = 0; i < rrsets.length; i++) {
|
for (int i = 0; i < rrsets.length; i++) {
|
||||||
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
|
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
|
||||||
|
|
||||||
// If the (answer) rrset failed to validate, then this message is
|
// If the (answer) rrset failed to validate, then this message is
|
||||||
// BAD.
|
// BAD.
|
||||||
if (status != SecurityStatus.SECURE) {
|
if (status != SecurityStatus.SECURE) {
|
||||||
// log.debug("Positive response has failed ANSWER rrset: "
|
log.debug("Positive response has failed ANSWER rrset: " +
|
||||||
// + rrsets[i]);
|
rrsets[i]);
|
||||||
m.setStatus(SecurityStatus.BOGUS);
|
m.setStatus(SecurityStatus.BOGUS);
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -573,20 +653,23 @@ public class CaptiveValidator {
|
|||||||
// validate the AUTHORITY section as well - this will be the NS rrset
|
// validate the AUTHORITY section as well - this will be the NS rrset
|
||||||
// (which could be missing, no problem)
|
// (which could be missing, no problem)
|
||||||
rrsets = m.getSectionRRsets(Section.AUTHORITY);
|
rrsets = m.getSectionRRsets(Section.AUTHORITY);
|
||||||
|
|
||||||
for (int i = 0; i < rrsets.length; i++) {
|
for (int i = 0; i < rrsets.length; i++) {
|
||||||
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
|
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
|
||||||
|
|
||||||
// If anything in the authority section fails to be secure, we have
|
// If anything in the authority section fails to be secure, we have
|
||||||
// a
|
// a
|
||||||
// bad message.
|
// bad message.
|
||||||
if (status != SecurityStatus.SECURE) {
|
if (status != SecurityStatus.SECURE) {
|
||||||
// log.debug("Positive response has failed AUTHORITY rrset: "
|
log.debug("Positive response has failed AUTHORITY rrset: " +
|
||||||
// + rrsets[i]);
|
rrsets[i]);
|
||||||
m.setStatus(SecurityStatus.BOGUS);
|
m.setStatus(SecurityStatus.BOGUS);
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// log.trace("Successfully validated positive ANY response");
|
log.trace("Successfully validated positive ANY response");
|
||||||
m.setStatus(SecurityStatus.SECURE);
|
m.setStatus(SecurityStatus.SECURE);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -624,20 +707,27 @@ public class CaptiveValidator {
|
|||||||
|
|
||||||
boolean hasValidNSEC = false; // If true, then the NODATA has been
|
boolean hasValidNSEC = false; // If true, then the NODATA has been
|
||||||
// proven.
|
// proven.
|
||||||
|
|
||||||
Name ce = null; // for wildcard NODATA responses. This is the proven
|
Name ce = null; // for wildcard NODATA responses. This is the proven
|
||||||
// closest encloser.
|
// closest encloser.
|
||||||
|
|
||||||
NSECRecord wc = null; // for wildcard NODATA responses. This is the
|
NSECRecord wc = null; // for wildcard NODATA responses. This is the
|
||||||
// wildcard NSEC.
|
// wildcard NSEC.
|
||||||
List<NSEC3Record> nsec3s = null; // A collection of NSEC3 RRs found in the authority
|
|
||||||
|
List<NSEC3Record> nsec3s = null; // A collection of NSEC3 RRs found in
|
||||||
|
// the authority
|
||||||
// section.
|
// section.
|
||||||
|
|
||||||
Name nsec3Signer = null; // The RRSIG signer field for the NSEC3 RRs.
|
Name nsec3Signer = null; // The RRSIG signer field for the NSEC3 RRs.
|
||||||
|
|
||||||
for (int i = 0; i < rrsets.length; i++) {
|
for (int i = 0; i < rrsets.length; i++) {
|
||||||
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
|
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
|
||||||
|
|
||||||
if (status != SecurityStatus.SECURE) {
|
if (status != SecurityStatus.SECURE) {
|
||||||
// log.debug("NODATA response has failed AUTHORITY rrset: "
|
log.debug("NODATA response has failed AUTHORITY rrset: " +
|
||||||
// + rrsets[i]);
|
rrsets[i]);
|
||||||
m.setStatus(SecurityStatus.BOGUS);
|
m.setStatus(SecurityStatus.BOGUS);
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -645,12 +735,14 @@ public class CaptiveValidator {
|
|||||||
// This needs to handle the ENT NODATA case.
|
// This needs to handle the ENT NODATA case.
|
||||||
if (rrsets[i].getType() == Type.NSEC) {
|
if (rrsets[i].getType() == Type.NSEC) {
|
||||||
NSECRecord nsec = (NSECRecord) rrsets[i].first();
|
NSECRecord nsec = (NSECRecord) rrsets[i].first();
|
||||||
|
|
||||||
if (ValUtils.nsecProvesNodata(nsec, qname, qtype)) {
|
if (ValUtils.nsecProvesNodata(nsec, qname, qtype)) {
|
||||||
hasValidNSEC = true;
|
hasValidNSEC = true;
|
||||||
if (nsec.getName().isWild()) wc = nsec;
|
|
||||||
} else if (ValUtils.nsecProvesNameError(
|
if (nsec.getName().isWild()) {
|
||||||
nsec,
|
wc = nsec;
|
||||||
qname,
|
}
|
||||||
|
} else if (ValUtils.nsecProvesNameError(nsec, qname,
|
||||||
rrsets[i].getSignerName())) {
|
rrsets[i].getSignerName())) {
|
||||||
ce = ValUtils.closestEncloser(qname, nsec);
|
ce = ValUtils.closestEncloser(qname, nsec);
|
||||||
}
|
}
|
||||||
@ -658,7 +750,10 @@ public class CaptiveValidator {
|
|||||||
|
|
||||||
// Collect any NSEC3 records present.
|
// Collect any NSEC3 records present.
|
||||||
if (rrsets[i].getType() == Type.NSEC3) {
|
if (rrsets[i].getType() == Type.NSEC3) {
|
||||||
if (nsec3s == null) nsec3s = new ArrayList<NSEC3Record>();
|
if (nsec3s == null) {
|
||||||
|
nsec3s = new ArrayList<NSEC3Record>();
|
||||||
|
}
|
||||||
|
|
||||||
nsec3s.add((NSEC3Record) rrsets[i].first());
|
nsec3s.add((NSEC3Record) rrsets[i].first());
|
||||||
nsec3Signer = rrsets[i].getSignerName();
|
nsec3Signer = rrsets[i].getSignerName();
|
||||||
}
|
}
|
||||||
@ -669,33 +764,36 @@ public class CaptiveValidator {
|
|||||||
// The wildcard NODATA is 1 NSEC proving that qname does not exists (and
|
// The wildcard NODATA is 1 NSEC proving that qname does not exists (and
|
||||||
// also proving what the closest encloser is), and 1 NSEC showing the
|
// also proving what the closest encloser is), and 1 NSEC showing the
|
||||||
// matching wildcard, which must be *.closest_encloser.
|
// matching wildcard, which must be *.closest_encloser.
|
||||||
if (ce != null || wc != null) {
|
if ((ce != null) || (wc != null)) {
|
||||||
try {
|
try {
|
||||||
Name wc_name = new Name("*", ce);
|
Name wc_name = new Name("*", ce);
|
||||||
|
|
||||||
if (!wc_name.equals(wc.getName())) {
|
if (!wc_name.equals(wc.getName())) {
|
||||||
hasValidNSEC = false;
|
hasValidNSEC = false;
|
||||||
}
|
}
|
||||||
} catch (TextParseException e) {
|
} catch (TextParseException e) {
|
||||||
// log.error(e);
|
log.error(e);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
NSEC3ValUtils.stripUnknownAlgNSEC3s(nsec3s);
|
NSEC3ValUtils.stripUnknownAlgNSEC3s(nsec3s);
|
||||||
|
|
||||||
if (!hasValidNSEC && nsec3s != null && nsec3s.size() > 0) {
|
if (!hasValidNSEC && (nsec3s != null) && (nsec3s.size() > 0)) {
|
||||||
// try to prove NODATA with our NSEC3 record(s)
|
// try to prove NODATA with our NSEC3 record(s)
|
||||||
hasValidNSEC = NSEC3ValUtils.proveNodata(nsec3s, qname, qtype,
|
hasValidNSEC = NSEC3ValUtils.proveNodata(nsec3s, qname, qtype,
|
||||||
nsec3Signer);
|
nsec3Signer);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!hasValidNSEC) {
|
if (!hasValidNSEC) {
|
||||||
// log.debug("NODATA response failed to prove NODATA "
|
log.debug("NODATA response failed to prove NODATA " +
|
||||||
// + "status with NSEC/NSEC3");
|
"status with NSEC/NSEC3");
|
||||||
// log.trace("Failed NODATA:\n" + m);
|
log.trace("Failed NODATA:\n" + m);
|
||||||
m.setStatus(SecurityStatus.BOGUS);
|
m.setStatus(SecurityStatus.BOGUS);
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
// log.trace("successfully validated NODATA response.");
|
|
||||||
|
log.trace("successfully validated NODATA response.");
|
||||||
m.setStatus(SecurityStatus.SECURE);
|
m.setStatus(SecurityStatus.SECURE);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -721,13 +819,17 @@ public class CaptiveValidator {
|
|||||||
|
|
||||||
SMessage m = message;
|
SMessage m = message;
|
||||||
|
|
||||||
// FIXME: should we check to see if there is anything in the answer
|
if (message.getCount(Section.ANSWER) > 0) {
|
||||||
// section? if so, what should the result be?
|
log.warn(
|
||||||
|
"NAME ERROR response contained records in the ANSWER SECTION");
|
||||||
|
message.setStatus(SecurityStatus.INVALID);
|
||||||
|
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
// Validate the authority section -- all RRsets in the authority section
|
// Validate the authority section -- all RRsets in the authority section
|
||||||
// must be signed and valid.
|
// must be signed and valid.
|
||||||
// In addition, the NSEC record(s) must prove the NXDOMAIN condition.
|
// In addition, the NSEC record(s) must prove the NXDOMAIN condition.
|
||||||
|
|
||||||
boolean hasValidNSEC = false;
|
boolean hasValidNSEC = false;
|
||||||
boolean hasValidWCNSEC = false;
|
boolean hasValidWCNSEC = false;
|
||||||
SRRset [] rrsets = m.getSectionRRsets(Section.AUTHORITY);
|
SRRset [] rrsets = m.getSectionRRsets(Section.AUTHORITY);
|
||||||
@ -736,12 +838,15 @@ public class CaptiveValidator {
|
|||||||
|
|
||||||
for (int i = 0; i < rrsets.length; i++) {
|
for (int i = 0; i < rrsets.length; i++) {
|
||||||
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
|
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
|
||||||
|
|
||||||
if (status != SecurityStatus.SECURE) {
|
if (status != SecurityStatus.SECURE) {
|
||||||
// log.debug("NameError response has failed AUTHORITY rrset: "
|
log.debug("NameError response has failed AUTHORITY rrset: " +
|
||||||
// + rrsets[i]);
|
rrsets[i]);
|
||||||
m.setStatus(SecurityStatus.BOGUS);
|
m.setStatus(SecurityStatus.BOGUS);
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (rrsets[i].getType() == Type.NSEC) {
|
if (rrsets[i].getType() == Type.NSEC) {
|
||||||
NSECRecord nsec = (NSECRecord) rrsets[i].first();
|
NSECRecord nsec = (NSECRecord) rrsets[i].first();
|
||||||
|
|
||||||
@ -749,13 +854,18 @@ public class CaptiveValidator {
|
|||||||
rrsets[i].getSignerName())) {
|
rrsets[i].getSignerName())) {
|
||||||
hasValidNSEC = true;
|
hasValidNSEC = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ValUtils.nsecProvesNoWC(nsec, qname,
|
if (ValUtils.nsecProvesNoWC(nsec, qname,
|
||||||
rrsets[i].getSignerName())) {
|
rrsets[i].getSignerName())) {
|
||||||
hasValidWCNSEC = true;
|
hasValidWCNSEC = true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (rrsets[i].getType() == Type.NSEC3) {
|
if (rrsets[i].getType() == Type.NSEC3) {
|
||||||
if (nsec3s == null) nsec3s = new ArrayList<NSEC3Record>();
|
if (nsec3s == null) {
|
||||||
|
nsec3s = new ArrayList<NSEC3Record>();
|
||||||
|
}
|
||||||
|
|
||||||
nsec3s.add((NSEC3Record) rrsets[i].first());
|
nsec3s.add((NSEC3Record) rrsets[i].first());
|
||||||
nsec3Signer = rrsets[i].getSignerName();
|
nsec3Signer = rrsets[i].getSignerName();
|
||||||
}
|
}
|
||||||
@ -763,13 +873,14 @@ public class CaptiveValidator {
|
|||||||
|
|
||||||
NSEC3ValUtils.stripUnknownAlgNSEC3s(nsec3s);
|
NSEC3ValUtils.stripUnknownAlgNSEC3s(nsec3s);
|
||||||
|
|
||||||
if (nsec3s != null && nsec3s.size() > 0) {
|
if ((nsec3s != null) && (nsec3s.size() > 0)) {
|
||||||
// log.debug("Validating nxdomain: using NSEC3 records");
|
log.debug("Validating nxdomain: using NSEC3 records");
|
||||||
// Attempt to prove name error with nsec3 records.
|
|
||||||
|
|
||||||
|
// Attempt to prove name error with nsec3 records.
|
||||||
if (NSEC3ValUtils.allNSEC3sIgnoreable(nsec3s, key_rrset, mVerifier)) {
|
if (NSEC3ValUtils.allNSEC3sIgnoreable(nsec3s, key_rrset, mVerifier)) {
|
||||||
// log.debug("all NSEC3s were validated but ignored.");
|
// log.debug("all NSEC3s were validated but ignored.");
|
||||||
m.setStatus(SecurityStatus.INSECURE);
|
m.setStatus(SecurityStatus.INSECURE);
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -783,25 +894,36 @@ public class CaptiveValidator {
|
|||||||
|
|
||||||
// If the message fails to prove either condition, it is bogus.
|
// If the message fails to prove either condition, it is bogus.
|
||||||
if (!hasValidNSEC) {
|
if (!hasValidNSEC) {
|
||||||
// log.debug("NameError response has failed to prove: "
|
log.debug("NameError response has failed to prove: " +
|
||||||
// + "qname does not exist");
|
"qname does not exist");
|
||||||
m.setStatus(SecurityStatus.BOGUS);
|
m.setStatus(SecurityStatus.BOGUS);
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!hasValidWCNSEC) {
|
if (!hasValidWCNSEC) {
|
||||||
// log.debug("NameError response has failed to prove: "
|
log.debug("NameError response has failed to prove: " +
|
||||||
// + "covering wildcard does not exist");
|
"covering wildcard does not exist");
|
||||||
m.setStatus(SecurityStatus.BOGUS);
|
m.setStatus(SecurityStatus.BOGUS);
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Otherwise, we consider the message secure.
|
// Otherwise, we consider the message secure.
|
||||||
// log.trace("successfully validated NAME ERROR response.");
|
log.trace("successfully validated NAME ERROR response.");
|
||||||
m.setStatus(SecurityStatus.SECURE);
|
m.setStatus(SecurityStatus.SECURE);
|
||||||
}
|
}
|
||||||
|
|
||||||
public byte validateMessage(SMessage message, Name zone) {
|
public byte validateMessage(SMessage message, Name zone) {
|
||||||
|
if (!zone.isAbsolute()) {
|
||||||
|
try {
|
||||||
|
zone = Name.concatenate(zone, Name.root);
|
||||||
|
} catch (NameTooLongException e) {
|
||||||
|
log.error(e);
|
||||||
|
|
||||||
|
return SecurityStatus.UNCHECKED;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// FIXME: it is unclear if we should actually normalize our responses
|
// FIXME: it is unclear if we should actually normalize our responses
|
||||||
// Instead, maybe we should just fail if they are not normal?
|
// Instead, maybe we should just fail if they are not normal?
|
||||||
@ -812,6 +934,7 @@ public class CaptiveValidator {
|
|||||||
}
|
}
|
||||||
|
|
||||||
SRRset key_rrset = findKeys(message);
|
SRRset key_rrset = findKeys(message);
|
||||||
|
|
||||||
if (key_rrset == null) {
|
if (key_rrset == null) {
|
||||||
return SecurityStatus.BOGUS;
|
return SecurityStatus.BOGUS;
|
||||||
}
|
}
|
||||||
@ -820,35 +943,56 @@ public class CaptiveValidator {
|
|||||||
|
|
||||||
switch (subtype) {
|
switch (subtype) {
|
||||||
case POSITIVE:
|
case POSITIVE:
|
||||||
// log.trace("Validating a positive response");
|
log.trace("Validating a positive response");
|
||||||
validatePositiveResponse(message, key_rrset);
|
validatePositiveResponse(message, key_rrset);
|
||||||
|
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case REFERRAL:
|
case REFERRAL:
|
||||||
validateReferral(message, key_rrset);
|
validateReferral(message, key_rrset);
|
||||||
|
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case NODATA:
|
case NODATA:
|
||||||
// log.trace("Validating a NODATA response");
|
log.trace("Validating a NODATA response");
|
||||||
validateNodataResponse(message, key_rrset);
|
validateNodataResponse(message, key_rrset);
|
||||||
|
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case NAMEERROR:
|
case NAMEERROR:
|
||||||
// log.trace("Validating a NXDOMAIN response");
|
log.trace("Validating a NXDOMAIN response");
|
||||||
validateNameErrorResponse(message, key_rrset);
|
validateNameErrorResponse(message, key_rrset);
|
||||||
|
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case CNAME:
|
case CNAME:
|
||||||
// log.trace("Validating a CNAME response");
|
log.trace("Validating a CNAME response");
|
||||||
// forward on to the special CNAME state for this.
|
|
||||||
// state.state = ValEventState.CNAME_STATE;
|
|
||||||
validateCNAMEResponse(message, key_rrset);
|
validateCNAMEResponse(message, key_rrset);
|
||||||
|
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case ANY:
|
case ANY:
|
||||||
// log.trace("Validating a positive ANY response");
|
log.trace("Validating a positive ANY response");
|
||||||
validateAnyResponse(message, key_rrset);
|
validateAnyResponse(message, key_rrset);
|
||||||
|
|
||||||
break;
|
break;
|
||||||
|
|
||||||
default:
|
default:
|
||||||
// log.error("unhandled response subtype: " + subtype);
|
log.error("unhandled response subtype: " + subtype);
|
||||||
}
|
}
|
||||||
|
|
||||||
return message.getSecurityStatus().getStatus();
|
return message.getSecurityStatus().getStatus();
|
||||||
|
}
|
||||||
|
|
||||||
|
public byte validateMessage(Message message, String zone)
|
||||||
|
throws TextParseException {
|
||||||
|
SMessage sm = new SMessage(message);
|
||||||
|
Name z = Name.fromString(zone);
|
||||||
|
|
||||||
|
return validateMessage(sm, z);
|
||||||
|
}
|
||||||
|
|
||||||
|
public List<String> listTrustedKeys() {
|
||||||
|
return mTrustedKeys.listTrustAnchors();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -1,42 +1,38 @@
|
|||||||
/*
|
/***************************** -*- Java -*- ********************************\
|
||||||
* Copyright (c) 2009 VeriSign, Inc. All rights reserved.
|
* *
|
||||||
*
|
* Copyright (c) 2009 VeriSign, Inc. All rights reserved. *
|
||||||
* Redistribution and use in source and binary forms, with or without
|
* *
|
||||||
* modification, are permitted provided that the following conditions
|
* This software is provided solely in connection with the terms of the *
|
||||||
* are met:
|
* license agreement. Any other use without the prior express written *
|
||||||
*
|
* permission of VeriSign is completely prohibited. The software and *
|
||||||
* 1. Redistributions of source code must retain the above copyright
|
* documentation are "Commercial Items", as that term is defined in 48 *
|
||||||
* notice, this list of conditions and the following disclaimer.
|
* C.F.R. section 2.101, consisting of "Commercial Computer Software" and *
|
||||||
* 2. Redistributions in binary form must reproduce the above copyright
|
* "Commercial Computer Software Documentation" as such terms are defined *
|
||||||
* notice, this list of conditions and the following disclaimer in the
|
* in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section *
|
||||||
* documentation and/or other materials provided with the distribution.
|
* 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. *
|
||||||
* 3. The name of the author may not be used to endorse or promote products
|
* section 227.7202, as applicable. Pursuant to the above and other *
|
||||||
* derived from this software without specific prior written permission.
|
* relevant sections of the Code of Federal Regulations, as applicable, *
|
||||||
*
|
* VeriSign's publications, commercial computer software, and commercial *
|
||||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
* computer software documentation are distributed and licensed to United *
|
||||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
* States Government end users with only those rights as granted to all *
|
||||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
* other end users, according to the terms and conditions contained in the *
|
||||||
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
* license agreement(s) that accompany the products and software *
|
||||||
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
* documentation. *
|
||||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
* *
|
||||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
\***************************************************************************/
|
||||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
||||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
||||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
|
|
||||||
package com.versign.tat.dnssec;
|
package com.verisign.tat.dnssec;
|
||||||
|
|
||||||
import java.util.*;
|
import org.apache.log4j.Logger;
|
||||||
import java.io.*;
|
|
||||||
import java.security.*;
|
|
||||||
|
|
||||||
import org.xbill.DNS.*;
|
import org.xbill.DNS.*;
|
||||||
import org.xbill.DNS.security.*;
|
import org.xbill.DNS.security.*;
|
||||||
|
|
||||||
import com.versign.tat.dnssec.SecurityStatus;
|
import java.io.*;
|
||||||
import com.versign.tat.dnssec.Util;
|
|
||||||
|
import java.security.*;
|
||||||
|
|
||||||
|
import java.util.*;
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -44,11 +40,11 @@ import com.versign.tat.dnssec.Util;
|
|||||||
* contains a similar class. This is a re-implementation that allows us to have
|
* contains a similar class. This is a re-implementation that allows us to have
|
||||||
* finer control over the validation process.
|
* finer control over the validation process.
|
||||||
*/
|
*/
|
||||||
public class DnsSecVerifier
|
public class DnsSecVerifier {
|
||||||
{
|
|
||||||
public static final int UNKNOWN = 0;
|
public static final int UNKNOWN = 0;
|
||||||
public static final int RSA = 1;
|
public static final int RSA = 1;
|
||||||
public static final int DSA = 2;
|
public static final int DSA = 2;
|
||||||
|
private Logger log = Logger.getLogger(this.getClass());
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This is a mapping of DNSSEC algorithm numbers/private identifiers to JCA
|
* This is a mapping of DNSSEC algorithm numbers/private identifiers to JCA
|
||||||
@ -56,70 +52,76 @@ public class DnsSecVerifier
|
|||||||
*/
|
*/
|
||||||
private HashMap<Integer, AlgEntry> mAlgorithmMap;
|
private HashMap<Integer, AlgEntry> mAlgorithmMap;
|
||||||
|
|
||||||
private static class AlgEntry
|
public DnsSecVerifier() {
|
||||||
{
|
|
||||||
public String jcaName;
|
|
||||||
public boolean isDSA;
|
|
||||||
public int dnssecAlg;
|
|
||||||
|
|
||||||
public AlgEntry(String name, int dnssecAlg, boolean isDSA)
|
|
||||||
{
|
|
||||||
jcaName = name;
|
|
||||||
this.dnssecAlg = dnssecAlg;
|
|
||||||
this.isDSA = isDSA;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
public DnsSecVerifier()
|
|
||||||
{
|
|
||||||
mAlgorithmMap = new HashMap<Integer, AlgEntry>();
|
mAlgorithmMap = new HashMap<Integer, AlgEntry>();
|
||||||
|
|
||||||
// set the default algorithm map.
|
// set the default algorithm map.
|
||||||
mAlgorithmMap.put(new Integer(DNSSEC.RSAMD5), new AlgEntry("MD5withRSA",
|
mAlgorithmMap.put(new Integer(DNSSEC.RSAMD5),
|
||||||
DNSSEC.RSAMD5, false));
|
new AlgEntry("MD5withRSA", DNSSEC.RSAMD5, false));
|
||||||
mAlgorithmMap.put(new Integer(DNSSEC.DSA), new AlgEntry("SHA1withDSA", DNSSEC.DSA,
|
mAlgorithmMap.put(new Integer(DNSSEC.DSA),
|
||||||
true));
|
new AlgEntry("SHA1withDSA", DNSSEC.DSA, true));
|
||||||
mAlgorithmMap.put(new Integer(DNSSEC.RSASHA1), new AlgEntry(
|
mAlgorithmMap.put(new Integer(DNSSEC.RSASHA1),
|
||||||
"SHA1withRSA", DNSSEC.RSASHA1, false));
|
new AlgEntry("SHA1withRSA", DNSSEC.RSASHA1, false));
|
||||||
|
mAlgorithmMap.put(new Integer(DNSSEC.DSA_NSEC3_SHA1),
|
||||||
|
new AlgEntry("SHA1withDSA", DNSSEC.DSA, true));
|
||||||
|
mAlgorithmMap.put(new Integer(DNSSEC.RSA_NSEC3_SHA1),
|
||||||
|
new AlgEntry("SHA1withRSA", DNSSEC.RSASHA1, false));
|
||||||
|
mAlgorithmMap.put(new Integer(DNSSEC.RSASHA256),
|
||||||
|
new AlgEntry("SHA256withRSA", DNSSEC.RSASHA256, false));
|
||||||
|
mAlgorithmMap.put(new Integer(DNSSEC.RSASHA512),
|
||||||
|
new AlgEntry("SHA512withRSA", DNSSEC.RSASHA512, false));
|
||||||
}
|
}
|
||||||
|
|
||||||
private boolean isDSA(int algorithm)
|
private boolean isDSA(int algorithm) {
|
||||||
{
|
|
||||||
// shortcut the standard algorithms
|
// shortcut the standard algorithms
|
||||||
if (algorithm == DNSSEC.DSA) return true;
|
if (algorithm == DNSSEC.DSA) {
|
||||||
if (algorithm == DNSSEC.RSASHA1) return false;
|
return true;
|
||||||
if (algorithm == DNSSEC.RSAMD5) return false;
|
}
|
||||||
|
|
||||||
AlgEntry entry = (AlgEntry) mAlgorithmMap.get(new Integer(algorithm));
|
if (algorithm == DNSSEC.RSASHA1) {
|
||||||
if (entry != null) return entry.isDSA;
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
public void init(Properties config)
|
if (algorithm == DNSSEC.RSAMD5) {
|
||||||
{
|
return false;
|
||||||
if (config == null) return;
|
}
|
||||||
|
|
||||||
|
AlgEntry entry = (AlgEntry) mAlgorithmMap.get(new Integer(algorithm));
|
||||||
|
|
||||||
|
if (entry != null) {
|
||||||
|
return entry.isDSA;
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void init(Properties config) {
|
||||||
|
if (config == null) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
// Algorithm configuration
|
// Algorithm configuration
|
||||||
|
|
||||||
// For now, we just accept new identifiers for existing algoirthms.
|
// For now, we just accept new identifiers for existing algorithms.
|
||||||
// FIXME: handle private identifiers.
|
// FIXME: handle private identifiers.
|
||||||
List<Util.ConfigEntry> aliases = Util.parseConfigPrefix(config, "dns.algorithm.");
|
List<Util.ConfigEntry> aliases = Util.parseConfigPrefix(config,
|
||||||
|
"dns.algorithm.");
|
||||||
|
|
||||||
for (Util.ConfigEntry entry : aliases) {
|
for (Util.ConfigEntry entry : aliases) {
|
||||||
Integer alg_alias = new Integer(Util.parseInt(entry.key, -1));
|
Integer alg_alias = new Integer(Util.parseInt(entry.key, -1));
|
||||||
Integer alg_orig = new Integer(Util.parseInt(entry.value, -1));
|
Integer alg_orig = new Integer(Util.parseInt(entry.value, -1));
|
||||||
|
|
||||||
if (!mAlgorithmMap.containsKey(alg_orig))
|
if (!mAlgorithmMap.containsKey(alg_orig)) {
|
||||||
{
|
log.warn("Unable to alias " + alg_alias +
|
||||||
// log.warn("Unable to alias " + alg_alias + " to unknown algorithm "
|
" to unknown algorithm " + alg_orig);
|
||||||
// + alg_orig);
|
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (mAlgorithmMap.containsKey(alg_alias))
|
if (mAlgorithmMap.containsKey(alg_alias)) {
|
||||||
{
|
log.warn("Algorithm alias " + alg_alias +
|
||||||
// log.warn("Algorithm alias " + alg_alias
|
" is already defined and cannot be redefined");
|
||||||
// + " is already defined and cannot be redefined");
|
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -127,14 +129,16 @@ public class DnsSecVerifier
|
|||||||
}
|
}
|
||||||
|
|
||||||
// for debugging purposes, log the entire algorithm map table.
|
// for debugging purposes, log the entire algorithm map table.
|
||||||
// for (Integer alg : mAlgorithmMap.keySet()) {
|
for (Integer alg : mAlgorithmMap.keySet()) {
|
||||||
// AlgEntry entry = mAlgorithmMap.get(alg);
|
AlgEntry entry = mAlgorithmMap.get(alg);
|
||||||
// if (entry == null)
|
|
||||||
// log.warn("DNSSEC alg " + alg + " has a null entry!");
|
if (entry == null) {
|
||||||
// else
|
log.warn("DNSSEC alg " + alg + " has a null entry!");
|
||||||
// log.debug("DNSSEC alg " + alg + " maps to " + entry.jcaName
|
} else {
|
||||||
// + " (" + entry.dnssecAlg + ")");
|
log.debug("DNSSEC alg " + alg + " maps to " + entry.jcaName +
|
||||||
// }
|
" (" + entry.dnssecAlg + ")");
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -142,19 +146,20 @@ public class DnsSecVerifier
|
|||||||
* this will only return one DNSKEY. It can return more than one, since
|
* this will only return one DNSKEY. It can return more than one, since
|
||||||
* KeyID/Footprints are not guaranteed to be unique.
|
* KeyID/Footprints are not guaranteed to be unique.
|
||||||
*
|
*
|
||||||
* @param dnskey_rrset The DNSKEY rrset to search.
|
* @param dnskey_rrset
|
||||||
* @param signature The RRSIG to match against.
|
* The DNSKEY rrset to search.
|
||||||
|
* @param signature
|
||||||
|
* The RRSIG to match against.
|
||||||
* @return A List contains a one or more DNSKEYRecord objects, or null if a
|
* @return A List contains a one or more DNSKEYRecord objects, or null if a
|
||||||
* matching DNSKEY could not be found.
|
* matching DNSKEY could not be found.
|
||||||
*/
|
*/
|
||||||
@SuppressWarnings("unchecked")
|
@SuppressWarnings("unchecked")
|
||||||
private List<DNSKEYRecord> findKey(RRset dnskey_rrset, RRSIGRecord signature)
|
private List<DNSKEYRecord> findKey(RRset dnskey_rrset, RRSIGRecord signature) {
|
||||||
{
|
if (!signature.getSigner().equals(dnskey_rrset.getName())) {
|
||||||
if (!signature.getSigner().equals(dnskey_rrset.getName()))
|
log.trace("findKey: could not find appropriate key because " +
|
||||||
{
|
"incorrect keyset was supplied. Wanted: " +
|
||||||
// log.trace("findKey: could not find appropriate key because "
|
signature.getSigner() + ", got: " + dnskey_rrset.getName());
|
||||||
// + "incorrect keyset was supplied. Wanted: " + signature.getSigner()
|
|
||||||
// + ", got: " + dnskey_rrset.getName());
|
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -163,21 +168,21 @@ private List<DNSKEYRecord> findKey(RRset dnskey_rrset, RRSIGRecord signature)
|
|||||||
|
|
||||||
List<DNSKEYRecord> res = new ArrayList<DNSKEYRecord>(dnskey_rrset.size());
|
List<DNSKEYRecord> res = new ArrayList<DNSKEYRecord>(dnskey_rrset.size());
|
||||||
|
|
||||||
for (Iterator i = dnskey_rrset.rrs(); i.hasNext();)
|
for (Iterator i = dnskey_rrset.rrs(); i.hasNext();) {
|
||||||
{
|
|
||||||
DNSKEYRecord r = (DNSKEYRecord) i.next();
|
DNSKEYRecord r = (DNSKEYRecord) i.next();
|
||||||
if (r.getAlgorithm() == alg && r.getFootprint() == keyid)
|
|
||||||
{
|
if ((r.getAlgorithm() == alg) && (r.getFootprint() == keyid)) {
|
||||||
res.add(r);
|
res.add(r);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (res.size() == 0)
|
if (res.size() == 0) {
|
||||||
{
|
log.trace("findKey: could not find a key matching " +
|
||||||
// log.trace("findKey: could not find a key matching "
|
"the algorithm and footprint in supplied keyset. ");
|
||||||
// + "the algorithm and footprint in supplied keyset. ");
|
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
return res;
|
return res;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -185,91 +190,98 @@ private List<DNSKEYRecord> findKey(RRset dnskey_rrset, RRSIGRecord signature)
|
|||||||
* Check to see if a signature looks valid (i.e., matches the rrset in
|
* Check to see if a signature looks valid (i.e., matches the rrset in
|
||||||
* question, in the validity period, etc.)
|
* question, in the validity period, etc.)
|
||||||
*
|
*
|
||||||
* @param rrset The rrset that the signature belongs to.
|
* @param rrset
|
||||||
* @param sigrec The signature record to check.
|
* The rrset that the signature belongs to.
|
||||||
|
* @param sigrec
|
||||||
|
* The signature record to check.
|
||||||
* @return A value of DNSSEC.Secure if it looks OK, DNSSEC.Faile if it looks
|
* @return A value of DNSSEC.Secure if it looks OK, DNSSEC.Faile if it looks
|
||||||
* bad.
|
* bad.
|
||||||
*/
|
*/
|
||||||
private byte checkSignature(RRset rrset, RRSIGRecord sigrec)
|
private byte checkSignature(RRset rrset, RRSIGRecord sigrec) {
|
||||||
{
|
if ((rrset == null) || (sigrec == null)) {
|
||||||
if (rrset == null || sigrec == null) return DNSSEC.Failed;
|
return DNSSEC.Failed;
|
||||||
if (!rrset.getName().equals(sigrec.getName()))
|
}
|
||||||
{
|
|
||||||
// log.debug("Signature name does not match RRset name");
|
if (!rrset.getName().equals(sigrec.getName())) {
|
||||||
|
log.debug("Signature name does not match RRset name");
|
||||||
|
|
||||||
return SecurityStatus.BOGUS;
|
return SecurityStatus.BOGUS;
|
||||||
}
|
}
|
||||||
if (rrset.getType() != sigrec.getTypeCovered())
|
|
||||||
{
|
if (rrset.getType() != sigrec.getTypeCovered()) {
|
||||||
// log.debug("Signature type does not match RRset type");
|
log.debug("Signature type does not match RRset type");
|
||||||
|
|
||||||
return SecurityStatus.BOGUS;
|
return SecurityStatus.BOGUS;
|
||||||
}
|
}
|
||||||
|
|
||||||
Date now = new Date();
|
Date now = new Date();
|
||||||
Date start = sigrec.getTimeSigned();
|
Date start = sigrec.getTimeSigned();
|
||||||
Date expire = sigrec.getExpire();
|
Date expire = sigrec.getExpire();
|
||||||
if (now.before(start))
|
|
||||||
{
|
if (now.before(start)) {
|
||||||
// log.debug("Signature is not yet valid");
|
log.debug("Signature is not yet valid");
|
||||||
|
|
||||||
return SecurityStatus.BOGUS;
|
return SecurityStatus.BOGUS;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (now.after(expire))
|
if (now.after(expire)) {
|
||||||
{
|
log.debug("Signature has expired (now = " + now +
|
||||||
// log.debug("Signature has expired (now = " + now + ", sig expires = "
|
", sig expires = " + expire);
|
||||||
// + expire);
|
|
||||||
return SecurityStatus.BOGUS;
|
return SecurityStatus.BOGUS;
|
||||||
}
|
}
|
||||||
|
|
||||||
return SecurityStatus.SECURE;
|
return SecurityStatus.SECURE;
|
||||||
}
|
}
|
||||||
|
|
||||||
public PublicKey parseDNSKEY(DNSKEYRecord key)
|
public PublicKey parseDNSKEY(DNSKEYRecord key) {
|
||||||
{
|
AlgEntry ae = (AlgEntry) mAlgorithmMap.get(new Integer(
|
||||||
AlgEntry ae = (AlgEntry) mAlgorithmMap
|
key.getAlgorithm()));
|
||||||
.get(new Integer(key.getAlgorithm()));
|
|
||||||
if (key.getAlgorithm() != ae.dnssecAlg)
|
|
||||||
{
|
|
||||||
// Recast the DNSKEYRecord in question as one using the offical
|
|
||||||
// algorithm, to work around the lack of alias support in the underlying
|
|
||||||
// KEYConverter class from DNSjava
|
|
||||||
|
|
||||||
key = new DNSKEYRecord(key.getName(), key.getDClass(), key.getTTL(),
|
if (key.getAlgorithm() != ae.dnssecAlg) {
|
||||||
key.getFlags(), key.getProtocol(), ae.dnssecAlg, key.getKey());
|
// Recast the DNSKEYRecord in question as one using the offical
|
||||||
|
// algorithm, to work around the lack of alias support in the
|
||||||
|
// underlying
|
||||||
|
// KEYConverter class from DNSjava
|
||||||
|
key = new DNSKEYRecord(key.getName(), key.getDClass(),
|
||||||
|
key.getTTL(), key.getFlags(), key.getProtocol(),
|
||||||
|
ae.dnssecAlg, key.getKey());
|
||||||
}
|
}
|
||||||
|
|
||||||
return KEYConverter.parseRecord(key);
|
return KEYConverter.parseRecord(key);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Actually cryptographically verify a signature over the rrset. The RRSIG
|
* Actually cryptographically verify a signature over the rrset. The RRSIG
|
||||||
* record must match the rrset being verified (see checkSignature).
|
* record must match the rrset being verified (see checkSignature).
|
||||||
*
|
*
|
||||||
* @param rrset The rrset to verify.
|
* @param rrset
|
||||||
* @param sigrec The signature to verify with.
|
* The rrset to verify.
|
||||||
* @param key The (public) key associated with the RRSIG record.
|
* @param sigrec
|
||||||
|
* The signature to verify with.
|
||||||
|
* @param key
|
||||||
|
* The (public) key associated with the RRSIG record.
|
||||||
* @return A security status code: SECURE if it worked, BOGUS if not,
|
* @return A security status code: SECURE if it worked, BOGUS if not,
|
||||||
* UNCHECKED if we just couldn't actually do the function.
|
* UNCHECKED if we just couldn't actually do the function.
|
||||||
*/
|
*/
|
||||||
public byte verifySignature(RRset rrset, RRSIGRecord sigrec,
|
public byte verifySignature(RRset rrset, RRSIGRecord sigrec,
|
||||||
DNSKEYRecord key)
|
DNSKEYRecord key) {
|
||||||
{
|
try {
|
||||||
try
|
|
||||||
{
|
|
||||||
PublicKey pk = parseDNSKEY(key);
|
PublicKey pk = parseDNSKEY(key);
|
||||||
|
|
||||||
if (pk == null)
|
if (pk == null) {
|
||||||
{
|
log.warn(
|
||||||
// log.warn("Could not convert DNSKEY record to a JCA public key: "
|
"Could not convert DNSKEY record to a JCA public key: " +
|
||||||
// + key);
|
key);
|
||||||
|
|
||||||
return SecurityStatus.UNCHECKED;
|
return SecurityStatus.UNCHECKED;
|
||||||
}
|
}
|
||||||
|
|
||||||
byte [] data = SignUtils.generateSigData(rrset, sigrec);
|
byte [] data = SignUtils.generateSigData(rrset, sigrec);
|
||||||
|
|
||||||
Signature signer = getSignature(sigrec.getAlgorithm());
|
Signature signer = getSignature(sigrec.getAlgorithm());
|
||||||
if (signer == null)
|
|
||||||
{
|
if (signer == null) {
|
||||||
return SecurityStatus.BOGUS;
|
return SecurityStatus.BOGUS;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -277,33 +289,31 @@ private List<DNSKEYRecord> findKey(RRset dnskey_rrset, RRSIGRecord signature)
|
|||||||
signer.update(data);
|
signer.update(data);
|
||||||
|
|
||||||
byte [] sig = sigrec.getSignature();
|
byte [] sig = sigrec.getSignature();
|
||||||
if (isDSA(sigrec.getAlgorithm()))
|
|
||||||
{
|
if (isDSA(sigrec.getAlgorithm())) {
|
||||||
sig = SignUtils.convertDSASignature(sig);
|
sig = SignUtils.convertDSASignature(sig);
|
||||||
}
|
}
|
||||||
if (!signer.verify(sig))
|
|
||||||
{
|
if (!signer.verify(sig)) {
|
||||||
// log.info("Signature failed to verify cryptographically");
|
log.info("Signature failed to verify cryptographically");
|
||||||
// log.debug("Failed signature: " + sigrec);
|
log.debug("Failed signature: " + sigrec);
|
||||||
|
|
||||||
return SecurityStatus.BOGUS;
|
return SecurityStatus.BOGUS;
|
||||||
}
|
}
|
||||||
// log.trace("Signature verified: " + sigrec);
|
|
||||||
|
log.trace("Signature verified: " + sigrec);
|
||||||
|
|
||||||
return SecurityStatus.SECURE;
|
return SecurityStatus.SECURE;
|
||||||
}
|
} catch (IOException e) {
|
||||||
catch (IOException e)
|
log.error("I/O error", e);
|
||||||
{
|
} catch (GeneralSecurityException e) {
|
||||||
// log.error("I/O error", e);
|
log.error("Security error", e);
|
||||||
}
|
|
||||||
catch (GeneralSecurityException e)
|
|
||||||
{
|
|
||||||
// log.error("Security error", e);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// FIXME: Since I'm not sure what would cause an exception here (failure
|
// FIXME: Since I'm not sure what would cause an exception here (failure
|
||||||
// to have the required crypto?)
|
// to have the required crypto?)
|
||||||
// We default to UNCHECKED instead of BOGUS. This could be wrong.
|
// We default to UNCHECKED instead of BOGUS. This could be wrong.
|
||||||
return SecurityStatus.UNCHECKED;
|
return SecurityStatus.UNCHECKED;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -314,16 +324,18 @@ private List<DNSKEYRecord> findKey(RRset dnskey_rrset, RRSIGRecord signature)
|
|||||||
* could not be completed (usually because the public key was not
|
* could not be completed (usually because the public key was not
|
||||||
* available).
|
* available).
|
||||||
*/
|
*/
|
||||||
public byte verifySignature(RRset rrset, RRSIGRecord sigrec, RRset key_rrset)
|
public byte verifySignature(RRset rrset, RRSIGRecord sigrec, RRset key_rrset) {
|
||||||
{
|
|
||||||
byte result = checkSignature(rrset, sigrec);
|
byte result = checkSignature(rrset, sigrec);
|
||||||
if (result != SecurityStatus.SECURE) return result;
|
|
||||||
|
if (result != SecurityStatus.SECURE) {
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
|
||||||
List<DNSKEYRecord> keys = findKey(key_rrset, sigrec);
|
List<DNSKEYRecord> keys = findKey(key_rrset, sigrec);
|
||||||
|
|
||||||
if (keys == null)
|
if (keys == null) {
|
||||||
{
|
log.trace("could not find appropriate key");
|
||||||
// log.trace("could not find appropriate key");
|
|
||||||
return SecurityStatus.BOGUS;
|
return SecurityStatus.BOGUS;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -332,7 +344,9 @@ private List<DNSKEYRecord> findKey(RRset dnskey_rrset, RRSIGRecord signature)
|
|||||||
for (DNSKEYRecord key : keys) {
|
for (DNSKEYRecord key : keys) {
|
||||||
status = verifySignature(rrset, sigrec, key);
|
status = verifySignature(rrset, sigrec, key);
|
||||||
|
|
||||||
if (status == SecurityStatus.SECURE) break;
|
if (status == SecurityStatus.SECURE) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return status;
|
return status;
|
||||||
@ -347,26 +361,27 @@ private List<DNSKEYRecord> findKey(RRset dnskey_rrset, RRSIGRecord signature)
|
|||||||
* SecurityStatus.BOGUS otherwise.
|
* SecurityStatus.BOGUS otherwise.
|
||||||
*/
|
*/
|
||||||
@SuppressWarnings("unchecked")
|
@SuppressWarnings("unchecked")
|
||||||
public byte verify(RRset rrset, RRset key_rrset)
|
public byte verify(RRset rrset, RRset key_rrset) {
|
||||||
{
|
|
||||||
Iterator i = rrset.sigs();
|
Iterator i = rrset.sigs();
|
||||||
|
|
||||||
if (!i.hasNext())
|
if (!i.hasNext()) {
|
||||||
{
|
log.info("RRset failed to verify due to lack of signatures");
|
||||||
// log.info("RRset failed to verify due to lack of signatures");
|
|
||||||
return SecurityStatus.BOGUS;
|
return SecurityStatus.BOGUS;
|
||||||
}
|
}
|
||||||
|
|
||||||
while (i.hasNext())
|
while (i.hasNext()) {
|
||||||
{
|
|
||||||
RRSIGRecord sigrec = (RRSIGRecord) i.next();
|
RRSIGRecord sigrec = (RRSIGRecord) i.next();
|
||||||
|
|
||||||
byte res = verifySignature(rrset, sigrec, key_rrset);
|
byte res = verifySignature(rrset, sigrec, key_rrset);
|
||||||
|
|
||||||
if (res == SecurityStatus.SECURE) return res;
|
if (res == SecurityStatus.SECURE) {
|
||||||
|
return res;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// log.info("RRset failed to verify: all signatures were BOGUS");
|
log.info("RRset failed to verify: all signatures were BOGUS");
|
||||||
|
|
||||||
return SecurityStatus.BOGUS;
|
return SecurityStatus.BOGUS;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -375,89 +390,108 @@ public byte verify(RRset rrset, RRset key_rrset)
|
|||||||
* certain that an RRset signed and verifies with a particular DNSKEY (as
|
* certain that an RRset signed and verifies with a particular DNSKEY (as
|
||||||
* opposed to a particular DNSKEY rrset).
|
* opposed to a particular DNSKEY rrset).
|
||||||
*
|
*
|
||||||
* @param rrset The rrset to verify.
|
* @param rrset
|
||||||
* @param dnskey The DNSKEY to verify with.
|
* The rrset to verify.
|
||||||
|
* @param dnskey
|
||||||
|
* The DNSKEY to verify with.
|
||||||
* @return SecurityStatus.SECURE if the rrset verified, BOGUS otherwise.
|
* @return SecurityStatus.SECURE if the rrset verified, BOGUS otherwise.
|
||||||
*/
|
*/
|
||||||
@SuppressWarnings("unchecked")
|
@SuppressWarnings("unchecked")
|
||||||
public byte verify(RRset rrset, DNSKEYRecord dnskey)
|
public byte verify(RRset rrset, DNSKEYRecord dnskey) {
|
||||||
{
|
|
||||||
// Iterate over RRSIGS
|
// Iterate over RRSIGS
|
||||||
|
|
||||||
Iterator i = rrset.sigs();
|
Iterator i = rrset.sigs();
|
||||||
if (!i.hasNext())
|
|
||||||
{
|
if (!i.hasNext()) {
|
||||||
// log.info("RRset failed to verify due to lack of signatures");
|
log.info("RRset failed to verify due to lack of signatures");
|
||||||
|
|
||||||
return SecurityStatus.BOGUS;
|
return SecurityStatus.BOGUS;
|
||||||
}
|
}
|
||||||
|
|
||||||
while (i.hasNext())
|
while (i.hasNext()) {
|
||||||
{
|
|
||||||
RRSIGRecord sigrec = (RRSIGRecord) i.next();
|
RRSIGRecord sigrec = (RRSIGRecord) i.next();
|
||||||
|
|
||||||
// Skip RRSIGs that do not match our given key's footprint.
|
// Skip RRSIGs that do not match our given key's footprint.
|
||||||
if (sigrec.getFootprint() != dnskey.getFootprint()) continue;
|
if (sigrec.getFootprint() != dnskey.getFootprint()) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
byte res = verifySignature(rrset, sigrec, dnskey);
|
byte res = verifySignature(rrset, sigrec, dnskey);
|
||||||
|
|
||||||
if (res == SecurityStatus.SECURE) return res;
|
if (res == SecurityStatus.SECURE) {
|
||||||
|
return res;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// log.info("RRset failed to verify: all signatures were BOGUS");
|
log.info("RRset failed to verify: all signatures were BOGUS");
|
||||||
|
|
||||||
return SecurityStatus.BOGUS;
|
return SecurityStatus.BOGUS;
|
||||||
}
|
}
|
||||||
|
|
||||||
public boolean supportsAlgorithm(int algorithm)
|
public boolean supportsAlgorithm(int algorithm) {
|
||||||
{
|
|
||||||
return mAlgorithmMap.containsKey(new Integer(algorithm));
|
return mAlgorithmMap.containsKey(new Integer(algorithm));
|
||||||
}
|
}
|
||||||
|
|
||||||
public boolean supportsAlgorithm(Name private_id)
|
public boolean supportsAlgorithm(Name private_id) {
|
||||||
{
|
|
||||||
return mAlgorithmMap.containsKey(private_id);
|
return mAlgorithmMap.containsKey(private_id);
|
||||||
}
|
}
|
||||||
|
|
||||||
public int baseAlgorithm(int algorithm)
|
public int baseAlgorithm(int algorithm) {
|
||||||
{
|
switch (algorithm) {
|
||||||
switch (algorithm)
|
|
||||||
{
|
|
||||||
case DNSSEC.RSAMD5:
|
case DNSSEC.RSAMD5:
|
||||||
case DNSSEC.RSASHA1:
|
case DNSSEC.RSASHA1:
|
||||||
return RSA;
|
return RSA;
|
||||||
|
|
||||||
case DNSSEC.DSA:
|
case DNSSEC.DSA:
|
||||||
return DSA;
|
return DSA;
|
||||||
}
|
}
|
||||||
|
|
||||||
AlgEntry entry = (AlgEntry) mAlgorithmMap.get(new Integer(algorithm));
|
AlgEntry entry = (AlgEntry) mAlgorithmMap.get(new Integer(algorithm));
|
||||||
if (entry == null) return UNKNOWN;
|
|
||||||
if (entry.isDSA) return DSA;
|
if (entry == null) {
|
||||||
|
return UNKNOWN;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (entry.isDSA) {
|
||||||
|
return DSA;
|
||||||
|
}
|
||||||
|
|
||||||
return RSA;
|
return RSA;
|
||||||
}
|
}
|
||||||
|
|
||||||
/** @return the appropriate Signature object for this keypair. */
|
/** @return the appropriate Signature object for this keypair. */
|
||||||
private Signature getSignature(int algorithm)
|
private Signature getSignature(int algorithm) {
|
||||||
{
|
|
||||||
Signature s = null;
|
Signature s = null;
|
||||||
|
|
||||||
|
try {
|
||||||
try
|
|
||||||
{
|
|
||||||
AlgEntry entry = (AlgEntry) mAlgorithmMap.get(new Integer(algorithm));
|
AlgEntry entry = (AlgEntry) mAlgorithmMap.get(new Integer(algorithm));
|
||||||
if (entry == null)
|
|
||||||
{
|
if (entry == null) {
|
||||||
// log.info("DNSSEC algorithm " + algorithm + " not recognized.");
|
log.info("DNSSEC algorithm " + algorithm + " not recognized.");
|
||||||
|
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO: should we cache the instance?
|
// TODO: should we cache the instance?
|
||||||
s = Signature.getInstance(entry.jcaName);
|
s = Signature.getInstance(entry.jcaName);
|
||||||
}
|
} catch (NoSuchAlgorithmException e) {
|
||||||
catch (NoSuchAlgorithmException e)
|
log.error("error getting Signature object", e);
|
||||||
{
|
|
||||||
// log.error("error getting Signature object", e);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return s;
|
return s;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private static class AlgEntry {
|
||||||
|
public String jcaName;
|
||||||
|
public boolean isDSA;
|
||||||
|
public int dnssecAlg;
|
||||||
|
|
||||||
|
public AlgEntry(String name, int dnssecAlg, boolean isDSA) {
|
||||||
|
jcaName = name;
|
||||||
|
this.dnssecAlg = dnssecAlg;
|
||||||
|
this.isDSA = isDSA;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// TODO: enable private algorithm support in dnsjava.
|
// TODO: enable private algorithm support in dnsjava.
|
||||||
// Right now, this cannot be used because the DNSKEYRecord object doesn't
|
// Right now, this cannot be used because the DNSKEYRecord object doesn't
|
||||||
// give us
|
// give us
|
||||||
|
@ -1,108 +1,77 @@
|
|||||||
/*
|
/***************************** -*- Java -*- ********************************\
|
||||||
* $Id$
|
* *
|
||||||
*
|
* Copyright (c) 2009 VeriSign, Inc. All rights reserved. *
|
||||||
* Copyright (c) 2006 VeriSign. All rights reserved.
|
* *
|
||||||
*
|
* This software is provided solely in connection with the terms of the *
|
||||||
* Redistribution and use in source and binary forms, with or without
|
* license agreement. Any other use without the prior express written *
|
||||||
* modification, are permitted provided that the following conditions are met:
|
* permission of VeriSign is completely prohibited. The software and *
|
||||||
*
|
* documentation are "Commercial Items", as that term is defined in 48 *
|
||||||
* 1. Redistributions of source code must retain the above copyright notice,
|
* C.F.R. section 2.101, consisting of "Commercial Computer Software" and *
|
||||||
* this list of conditions and the following disclaimer. 2. Redistributions in
|
* "Commercial Computer Software Documentation" as such terms are defined *
|
||||||
* binary form must reproduce the above copyright notice, this list of
|
* in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section *
|
||||||
* conditions and the following disclaimer in the documentation and/or other
|
* 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. *
|
||||||
* materials provided with the distribution. 3. The name of the author may not
|
* section 227.7202, as applicable. Pursuant to the above and other *
|
||||||
* be used to endorse or promote products derived from this software without
|
* relevant sections of the Code of Federal Regulations, as applicable, *
|
||||||
* specific prior written permission.
|
* VeriSign's publications, commercial computer software, and commercial *
|
||||||
*
|
* computer software documentation are distributed and licensed to United *
|
||||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
* States Government end users with only those rights as granted to all *
|
||||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
* other end users, according to the terms and conditions contained in the *
|
||||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
|
* license agreement(s) that accompany the products and software *
|
||||||
* NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
* documentation. *
|
||||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
|
* *
|
||||||
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
\***************************************************************************/
|
||||||
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
||||||
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
||||||
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
||||||
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
|
|
||||||
package com.versign.tat.dnssec;
|
package com.verisign.tat.dnssec;
|
||||||
|
|
||||||
import java.security.NoSuchAlgorithmException;
|
import com.verisign.tat.dnssec.SignUtils.ByteArrayComparator;
|
||||||
import java.util.*;
|
|
||||||
|
import org.apache.log4j.Logger;
|
||||||
|
|
||||||
import org.xbill.DNS.*;
|
import org.xbill.DNS.*;
|
||||||
import org.xbill.DNS.utils.base32;
|
import org.xbill.DNS.utils.base32;
|
||||||
|
|
||||||
import com.versign.tat.dnssec.SignUtils.ByteArrayComparator;
|
import java.security.NoSuchAlgorithmException;
|
||||||
|
|
||||||
|
import java.util.*;
|
||||||
|
|
||||||
|
|
||||||
public class NSEC3ValUtils {
|
public class NSEC3ValUtils {
|
||||||
|
|
||||||
// FIXME: should probably refactor to handle different NSEC3 parameters more
|
// FIXME: should probably refactor to handle different NSEC3 parameters more
|
||||||
// efficiently.
|
// efficiently.
|
||||||
// Given a list of NSEC3 RRs, they should be grouped according to
|
// Given a list of NSEC3 RRs, they should be grouped according to
|
||||||
// parameters. The idea is to hash and compare for each group independently,
|
// parameters. The idea is to hash and compare for each group independently,
|
||||||
// instead of having to skip NSEC3 RRs with the wrong parameters.
|
// instead of having to skip NSEC3 RRs with the wrong parameters.
|
||||||
|
|
||||||
private static Name asterisk_label = Name.fromConstantString("*");
|
private static Name asterisk_label = Name.fromConstantString("*");
|
||||||
|
private static Logger st_log = Logger.getLogger(NSEC3ValUtils.class);
|
||||||
/**
|
private static final base32 b32 = new base32(base32.Alphabet.BASE32HEX,
|
||||||
* This is a class to encapsulate a unique set of NSEC3 parameters:
|
false, false);
|
||||||
* algorithm, iterations, and salt.
|
|
||||||
*/
|
|
||||||
private static class NSEC3Parameters {
|
|
||||||
public byte alg;
|
|
||||||
public byte[] salt;
|
|
||||||
public int iterations;
|
|
||||||
|
|
||||||
public NSEC3Parameters(NSEC3Record r) {
|
|
||||||
alg = r.getHashAlgorithm();
|
|
||||||
salt = r.getSalt();
|
|
||||||
iterations = r.getIterations();
|
|
||||||
}
|
|
||||||
|
|
||||||
public boolean match(NSEC3Record r, ByteArrayComparator bac) {
|
|
||||||
if (r.getHashAlgorithm() != alg) return false;
|
|
||||||
if (r.getIterations() != iterations) return false;
|
|
||||||
|
|
||||||
if (salt == null && r.getSalt() != null) return false;
|
|
||||||
|
|
||||||
if (bac == null) bac = new ByteArrayComparator();
|
|
||||||
return bac.compare(r.getSalt(), salt) == 0;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* This is just a simple class to encapsulate the response to a closest
|
|
||||||
* encloser proof.
|
|
||||||
*/
|
|
||||||
private static class CEResponse {
|
|
||||||
public Name closestEncloser;
|
|
||||||
public NSEC3Record ce_nsec3;
|
|
||||||
public NSEC3Record nc_nsec3;
|
|
||||||
|
|
||||||
public CEResponse(Name ce, NSEC3Record nsec3) {
|
|
||||||
this.closestEncloser = ce;
|
|
||||||
this.ce_nsec3 = nsec3;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
public static boolean supportsHashAlgorithm(int alg) {
|
public static boolean supportsHashAlgorithm(int alg) {
|
||||||
if (alg == NSEC3Record.SHA1_DIGEST_ID) return true;
|
if (alg == NSEC3Record.SHA1_DIGEST_ID) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
public static void stripUnknownAlgNSEC3s(List<NSEC3Record> nsec3s) {
|
public static void stripUnknownAlgNSEC3s(List<NSEC3Record> nsec3s) {
|
||||||
if (nsec3s == null) return;
|
if (nsec3s == null) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
for (ListIterator<NSEC3Record> i = nsec3s.listIterator(); i.hasNext();) {
|
for (ListIterator<NSEC3Record> i = nsec3s.listIterator(); i.hasNext();) {
|
||||||
NSEC3Record nsec3 = i.next();
|
NSEC3Record nsec3 = i.next();
|
||||||
|
|
||||||
if (!supportsHashAlgorithm(nsec3.getHashAlgorithm())) {
|
if (!supportsHashAlgorithm(nsec3.getHashAlgorithm())) {
|
||||||
i.remove();
|
i.remove();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static boolean isOptOut(NSEC3Record nsec3) {
|
||||||
|
return (nsec3.getFlags() & NSEC3Record.Flags.OPT_OUT) == NSEC3Record.Flags.OPT_OUT;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Given a list of NSEC3Records that are part of a message, determine the
|
* Given a list of NSEC3Records that are part of a message, determine the
|
||||||
* NSEC3 parameters (hash algorithm, iterations, and salt) present. If there
|
* NSEC3 parameters (hash algorithm, iterations, and salt) present. If there
|
||||||
@ -115,20 +84,23 @@ public class NSEC3ValUtils {
|
|||||||
* the nsec3s list was empty.
|
* the nsec3s list was empty.
|
||||||
*/
|
*/
|
||||||
public static NSEC3Parameters nsec3Parameters(List<NSEC3Record> nsec3s) {
|
public static NSEC3Parameters nsec3Parameters(List<NSEC3Record> nsec3s) {
|
||||||
if (nsec3s == null || nsec3s.size() == 0) return null;
|
if ((nsec3s == null) || (nsec3s.size() == 0)) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
NSEC3Parameters params = new NSEC3Parameters(
|
NSEC3Parameters params = new NSEC3Parameters((NSEC3Record) nsec3s.get(
|
||||||
(NSEC3Record) nsec3s.get(0));
|
0));
|
||||||
ByteArrayComparator bac = new ByteArrayComparator();
|
ByteArrayComparator bac = new ByteArrayComparator();
|
||||||
|
|
||||||
for (NSEC3Record nsec3 : nsec3s) {
|
for (NSEC3Record nsec3 : nsec3s) {
|
||||||
if (!params.match(nsec3, bac)) return null;
|
if (!params.match(nsec3, bac)) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return params;
|
return params;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Given a hash and an a zone name, construct an NSEC3 ownername.
|
* Given a hash and an a zone name, construct an NSEC3 ownername.
|
||||||
*
|
*
|
||||||
@ -140,7 +112,7 @@ public class NSEC3ValUtils {
|
|||||||
*/
|
*/
|
||||||
private static Name hashName(byte [] hash, Name zonename) {
|
private static Name hashName(byte [] hash, Name zonename) {
|
||||||
try {
|
try {
|
||||||
return new Name(base32.toString(hash).toLowerCase(), zonename);
|
return new Name(b32.toString(hash).toLowerCase(), zonename);
|
||||||
} catch (TextParseException e) {
|
} catch (TextParseException e) {
|
||||||
// Note, this should never happen.
|
// Note, this should never happen.
|
||||||
return null;
|
return null;
|
||||||
@ -158,10 +130,20 @@ public class NSEC3ValUtils {
|
|||||||
*/
|
*/
|
||||||
private static byte [] hash(Name name, NSEC3Parameters params) {
|
private static byte [] hash(Name name, NSEC3Parameters params) {
|
||||||
try {
|
try {
|
||||||
return NSEC3Record.hash(name, params.alg, params.iterations,
|
return params.hash(name);
|
||||||
params.salt);
|
|
||||||
} catch (NoSuchAlgorithmException e) {
|
} catch (NoSuchAlgorithmException e) {
|
||||||
// st_log.debug("Did not recognize hash algorithm: " + params.alg);
|
st_log.warn("Did not recognize hash algorithm: " + params.alg);
|
||||||
|
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private static byte[] hash(Name name, NSEC3Record nsec3) {
|
||||||
|
try {
|
||||||
|
return nsec3.hashName(name);
|
||||||
|
} catch (NoSuchAlgorithmException e) {
|
||||||
|
st_log.warn("Did not recognize hash algorithm: " + nsec3.getHashAlgorithm());
|
||||||
|
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -176,6 +158,7 @@ public class NSEC3ValUtils {
|
|||||||
private static Name ceWildcard(Name closestEncloser) {
|
private static Name ceWildcard(Name closestEncloser) {
|
||||||
try {
|
try {
|
||||||
Name wc = Name.concatenate(asterisk_label, closestEncloser);
|
Name wc = Name.concatenate(asterisk_label, closestEncloser);
|
||||||
|
|
||||||
return wc;
|
return wc;
|
||||||
} catch (NameTooLongException e) {
|
} catch (NameTooLongException e) {
|
||||||
return null;
|
return null;
|
||||||
@ -195,6 +178,7 @@ public class NSEC3ValUtils {
|
|||||||
*/
|
*/
|
||||||
private static Name nextClosest(Name qname, Name closestEncloser) {
|
private static Name nextClosest(Name qname, Name closestEncloser) {
|
||||||
int strip = qname.labels() - closestEncloser.labels() - 1;
|
int strip = qname.labels() - closestEncloser.labels() - 1;
|
||||||
|
|
||||||
return (strip > 0) ? new Name(qname, strip) : qname;
|
return (strip > 0) ? new Name(qname, strip) : qname;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -216,16 +200,21 @@ public class NSEC3ValUtils {
|
|||||||
* @return The matching NSEC3Record, if one is present.
|
* @return The matching NSEC3Record, if one is present.
|
||||||
*/
|
*/
|
||||||
private static NSEC3Record findMatchingNSEC3(byte [] hash, Name zonename,
|
private static NSEC3Record findMatchingNSEC3(byte [] hash, Name zonename,
|
||||||
List<NSEC3Record> nsec3s,
|
List<NSEC3Record> nsec3s, NSEC3Parameters params,
|
||||||
NSEC3Parameters params,
|
|
||||||
ByteArrayComparator bac) {
|
ByteArrayComparator bac) {
|
||||||
Name n = hashName(hash, zonename);
|
Name n = hashName(hash, zonename);
|
||||||
|
|
||||||
for (NSEC3Record nsec3 : nsec3s) {
|
for (NSEC3Record nsec3 : nsec3s) {
|
||||||
// Skip nsec3 records that are using different parameters.
|
// Skip nsec3 records that are using different parameters.
|
||||||
if (!params.match(nsec3, bac)) continue;
|
if (!params.match(nsec3, bac)) {
|
||||||
if (n.equals(nsec3.getName())) return nsec3;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (n.equals(nsec3.getName())) {
|
||||||
|
return nsec3;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -244,18 +233,21 @@ public class NSEC3ValUtils {
|
|||||||
*/
|
*/
|
||||||
private static boolean nsec3Covers(NSEC3Record nsec3, byte [] hash,
|
private static boolean nsec3Covers(NSEC3Record nsec3, byte [] hash,
|
||||||
ByteArrayComparator bac) {
|
ByteArrayComparator bac) {
|
||||||
byte[] owner = nsec3.getOwner();
|
byte [] owner = hash(nsec3.getName(), nsec3);
|
||||||
byte [] next = nsec3.getNext();
|
byte [] next = nsec3.getNext();
|
||||||
|
|
||||||
// This is the "normal case: owner < next and owner < hash < next
|
// This is the "normal case: owner < next and owner < hash < next
|
||||||
if (bac.compare(owner, hash) < 0 && bac.compare(hash, next) < 0)
|
if ((bac.compare(owner, hash) < 0) && (bac.compare(hash, next) < 0)) {
|
||||||
return true;
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
// this is the end of zone case: next < owner && hash > owner || hash <
|
// this is the end of zone case: next < owner && hash > owner || hash <
|
||||||
// next
|
// next
|
||||||
if (bac.compare(next, owner) <= 0
|
if ((bac.compare(next, owner) <= 0) &&
|
||||||
&& (bac.compare(hash, next) < 0 || bac.compare(owner, hash) < 0))
|
((bac.compare(hash, next) < 0) ||
|
||||||
|
(bac.compare(owner, hash) < 0))) {
|
||||||
return true;
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
// Otherwise, the NSEC3 does not cover the hash.
|
// Otherwise, the NSEC3 does not cover the hash.
|
||||||
return false;
|
return false;
|
||||||
@ -278,14 +270,18 @@ public class NSEC3ValUtils {
|
|||||||
* @return A covering NSEC3 if one is present, null otherwise.
|
* @return A covering NSEC3 if one is present, null otherwise.
|
||||||
*/
|
*/
|
||||||
private static NSEC3Record findCoveringNSEC3(byte [] hash, Name zonename,
|
private static NSEC3Record findCoveringNSEC3(byte [] hash, Name zonename,
|
||||||
List<NSEC3Record> nsec3s,
|
List<NSEC3Record> nsec3s, NSEC3Parameters params,
|
||||||
NSEC3Parameters params,
|
|
||||||
ByteArrayComparator bac) {
|
ByteArrayComparator bac) {
|
||||||
ByteArrayComparator comparator = new ByteArrayComparator();
|
ByteArrayComparator comparator = new ByteArrayComparator();
|
||||||
|
|
||||||
for (NSEC3Record nsec3 : nsec3s) {
|
for (NSEC3Record nsec3 : nsec3s) {
|
||||||
if (!params.match(nsec3, bac)) continue;
|
if (!params.match(nsec3, bac)) {
|
||||||
if (nsec3Covers(nsec3, hash, comparator)) return nsec3;
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (nsec3Covers(nsec3, hash, comparator)) {
|
||||||
|
return nsec3;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return null;
|
return null;
|
||||||
@ -311,22 +307,24 @@ public class NSEC3ValUtils {
|
|||||||
* RR that matched it, or null if there wasn't one.
|
* RR that matched it, or null if there wasn't one.
|
||||||
*/
|
*/
|
||||||
private static CEResponse findClosestEncloser(Name name, Name zonename,
|
private static CEResponse findClosestEncloser(Name name, Name zonename,
|
||||||
List<NSEC3Record> nsec3s,
|
List<NSEC3Record> nsec3s, NSEC3Parameters params,
|
||||||
NSEC3Parameters params,
|
|
||||||
ByteArrayComparator bac) {
|
ByteArrayComparator bac) {
|
||||||
Name n = name;
|
Name n = name;
|
||||||
|
|
||||||
NSEC3Record nsec3;
|
NSEC3Record nsec3;
|
||||||
|
|
||||||
// This scans from longest name to shortest, so the first match we find
|
// This scans from longest name to shortest, so the first match we find
|
||||||
// is
|
// is the only viable candidate.
|
||||||
// the only viable candidate.
|
|
||||||
// FIXME: modify so that the NSEC3 matching the zone apex need not be
|
// FIXME: modify so that the NSEC3 matching the zone apex need not be
|
||||||
// present.
|
// present.
|
||||||
while (n.labels() >= zonename.labels()) {
|
while (n.labels() >= zonename.labels()) {
|
||||||
nsec3 = findMatchingNSEC3(hash(n, params), zonename, nsec3s,
|
nsec3 = findMatchingNSEC3(hash(n, params), zonename,
|
||||||
params, bac);
|
nsec3s, params, bac);
|
||||||
if (nsec3 != null) return new CEResponse(n, nsec3);
|
|
||||||
|
if (nsec3 != null) {
|
||||||
|
return new CEResponse(n, nsec3);
|
||||||
|
}
|
||||||
|
|
||||||
n = new Name(n, 1);
|
n = new Name(n, 1);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -354,24 +352,25 @@ public class NSEC3ValUtils {
|
|||||||
* that matches it.
|
* that matches it.
|
||||||
*/
|
*/
|
||||||
private static CEResponse proveClosestEncloser(Name qname, Name zonename,
|
private static CEResponse proveClosestEncloser(Name qname, Name zonename,
|
||||||
List<NSEC3Record> nsec3s,
|
List<NSEC3Record> nsec3s, NSEC3Parameters params,
|
||||||
NSEC3Parameters params,
|
ByteArrayComparator bac, boolean proveDoesNotExist) {
|
||||||
ByteArrayComparator bac,
|
|
||||||
boolean proveDoesNotExist) {
|
|
||||||
CEResponse candidate = findClosestEncloser(qname, zonename, nsec3s,
|
CEResponse candidate = findClosestEncloser(qname, zonename, nsec3s,
|
||||||
params, bac);
|
params, bac);
|
||||||
|
|
||||||
if (candidate == null) {
|
if (candidate == null) {
|
||||||
// st_log.debug("proveClosestEncloser: could not find a "
|
st_log.debug("proveClosestEncloser: could not find a " +
|
||||||
// + "candidate for the closest encloser.");
|
"candidate for the closest encloser.");
|
||||||
|
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (candidate.closestEncloser.equals(qname)) {
|
if (candidate.closestEncloser.equals(qname)) {
|
||||||
if (proveDoesNotExist) {
|
if (proveDoesNotExist) {
|
||||||
// st_log.debug("proveClosestEncloser: proved that qname existed!");
|
st_log.debug("proveClosestEncloser: proved that qname existed!");
|
||||||
|
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
// otherwise, we need to nothing else to prove that qname is its own
|
// otherwise, we need to nothing else to prove that qname is its own
|
||||||
// closest encloser.
|
// closest encloser.
|
||||||
return candidate;
|
return candidate;
|
||||||
@ -381,14 +380,17 @@ public class NSEC3ValUtils {
|
|||||||
// should have been a referral. If it is a DNAME, then it should have
|
// should have been a referral. If it is a DNAME, then it should have
|
||||||
// been
|
// been
|
||||||
// a DNAME response.
|
// a DNAME response.
|
||||||
if (candidate.ce_nsec3.hasType(Type.NS)
|
if (candidate.ce_nsec3.hasType(Type.NS) &&
|
||||||
&& !candidate.ce_nsec3.hasType(Type.SOA)) {
|
!candidate.ce_nsec3.hasType(Type.SOA)) {
|
||||||
// st_log.debug("proveClosestEncloser: closest encloser "
|
st_log.debug("proveClosestEncloser: closest encloser " +
|
||||||
// + "was a delegation!");
|
"was a delegation!");
|
||||||
|
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (candidate.ce_nsec3.hasType(Type.DNAME)) {
|
if (candidate.ce_nsec3.hasType(Type.DNAME)) {
|
||||||
// st_log.debug("proveClosestEncloser: closest encloser was a DNAME!");
|
st_log.debug("proveClosestEncloser: closest encloser was a DNAME!");
|
||||||
|
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -398,9 +400,11 @@ public class NSEC3ValUtils {
|
|||||||
byte [] nc_hash = hash(nextClosest, params);
|
byte [] nc_hash = hash(nextClosest, params);
|
||||||
candidate.nc_nsec3 = findCoveringNSEC3(nc_hash, zonename, nsec3s,
|
candidate.nc_nsec3 = findCoveringNSEC3(nc_hash, zonename, nsec3s,
|
||||||
params, bac);
|
params, bac);
|
||||||
|
|
||||||
if (candidate.nc_nsec3 == null) {
|
if (candidate.nc_nsec3 == null) {
|
||||||
// st_log.debug("Could not find proof that the "
|
st_log.debug("Could not find proof that the " +
|
||||||
// + "closest encloser was the closest encloser");
|
"closest encloser was the closest encloser");
|
||||||
|
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -410,36 +414,63 @@ public class NSEC3ValUtils {
|
|||||||
private static int maxIterations(int baseAlg, int keysize) {
|
private static int maxIterations(int baseAlg, int keysize) {
|
||||||
switch (baseAlg) {
|
switch (baseAlg) {
|
||||||
case DnsSecVerifier.RSA:
|
case DnsSecVerifier.RSA:
|
||||||
if (keysize == 0) return 2500; // the max at 4096
|
|
||||||
if (keysize > 2048) return 2500;
|
if (keysize == 0) {
|
||||||
if (keysize > 1024) return 500;
|
return 2500; // the max at 4096
|
||||||
if (keysize > 0) return 150;
|
}
|
||||||
|
|
||||||
|
if (keysize > 2048) {
|
||||||
|
return 2500;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (keysize > 1024) {
|
||||||
|
return 500;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (keysize > 0) {
|
||||||
|
return 150;
|
||||||
|
}
|
||||||
|
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case DnsSecVerifier.DSA:
|
case DnsSecVerifier.DSA:
|
||||||
if (keysize == 0) return 5000; // the max at 2048;
|
|
||||||
if (keysize > 1024) return 5000;
|
if (keysize == 0) {
|
||||||
if (keysize > 0) return 1500;
|
return 5000; // the max at 2048;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (keysize > 1024) {
|
||||||
|
return 5000;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (keysize > 0) {
|
||||||
|
return 1500;
|
||||||
|
}
|
||||||
|
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@SuppressWarnings("unchecked")
|
@SuppressWarnings("unchecked")
|
||||||
private static boolean validIterations(NSEC3Parameters nsec3params,
|
private static boolean validIterations(NSEC3Parameters nsec3params,
|
||||||
RRset dnskey_rrset,
|
RRset dnskey_rrset, DnsSecVerifier verifier) {
|
||||||
DnsSecVerifier verifier) {
|
|
||||||
// for now, we return the maximum iterations based simply on the key
|
// for now, we return the maximum iterations based simply on the key
|
||||||
// algorithms that may have been used to sign the NSEC3 RRsets.
|
// algorithms that may have been used to sign the NSEC3 RRsets.
|
||||||
|
|
||||||
int max_iterations = 0;
|
int max_iterations = 0;
|
||||||
|
|
||||||
for (Iterator i = dnskey_rrset.rrs(); i.hasNext();) {
|
for (Iterator i = dnskey_rrset.rrs(); i.hasNext();) {
|
||||||
DNSKEYRecord dnskey = (DNSKEYRecord) i.next();
|
DNSKEYRecord dnskey = (DNSKEYRecord) i.next();
|
||||||
int baseAlg = verifier.baseAlgorithm(dnskey.getAlgorithm());
|
int baseAlg = verifier.baseAlgorithm(dnskey.getAlgorithm());
|
||||||
int iters = maxIterations(baseAlg, 0);
|
int iters = maxIterations(baseAlg, 0);
|
||||||
max_iterations = max_iterations < iters ? iters : max_iterations;
|
max_iterations = (max_iterations < iters) ? iters
|
||||||
|
: max_iterations;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (nsec3params.iterations > max_iterations) return false;
|
if (nsec3params.iterations > max_iterations) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
@ -460,10 +491,12 @@ public class NSEC3ValUtils {
|
|||||||
* @return true if all of the NSEC3s can be legally ignored, false if not.
|
* @return true if all of the NSEC3s can be legally ignored, false if not.
|
||||||
*/
|
*/
|
||||||
public static boolean allNSEC3sIgnoreable(List<NSEC3Record> nsec3s,
|
public static boolean allNSEC3sIgnoreable(List<NSEC3Record> nsec3s,
|
||||||
RRset dnskey_rrset,
|
RRset dnskey_rrset, DnsSecVerifier verifier) {
|
||||||
DnsSecVerifier verifier) {
|
|
||||||
NSEC3Parameters params = nsec3Parameters(nsec3s);
|
NSEC3Parameters params = nsec3Parameters(nsec3s);
|
||||||
if (params == null) return false;
|
|
||||||
|
if (params == null) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
return !validIterations(params, dnskey_rrset, verifier);
|
return !validIterations(params, dnskey_rrset, verifier);
|
||||||
}
|
}
|
||||||
@ -488,12 +521,16 @@ public class NSEC3ValUtils {
|
|||||||
*/
|
*/
|
||||||
public static boolean proveNameError(List<NSEC3Record> nsec3s, Name qname,
|
public static boolean proveNameError(List<NSEC3Record> nsec3s, Name qname,
|
||||||
Name zonename) {
|
Name zonename) {
|
||||||
if (nsec3s == null || nsec3s.size() == 0) return false;
|
if ((nsec3s == null) || (nsec3s.size() == 0)) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
|
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
|
||||||
|
|
||||||
if (nsec3params == null) {
|
if (nsec3params == null) {
|
||||||
// st_log.debug("Could not find a single set of " +
|
st_log.debug("Could not find a single set of " +
|
||||||
// "NSEC3 parameters (multiple parameters present).");
|
"NSEC3 parameters (multiple parameters present).");
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -505,7 +542,8 @@ public class NSEC3ValUtils {
|
|||||||
nsec3params, bac, true);
|
nsec3params, bac, true);
|
||||||
|
|
||||||
if (ce == null) {
|
if (ce == null) {
|
||||||
// st_log.debug("proveNameError: failed to prove a closest encloser.");
|
st_log.debug("proveNameError: failed to prove a closest encloser.");
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -516,16 +554,17 @@ public class NSEC3ValUtils {
|
|||||||
byte [] wc_hash = hash(wc, nsec3params);
|
byte [] wc_hash = hash(wc, nsec3params);
|
||||||
NSEC3Record nsec3 = findCoveringNSEC3(wc_hash, zonename, nsec3s,
|
NSEC3Record nsec3 = findCoveringNSEC3(wc_hash, zonename, nsec3s,
|
||||||
nsec3params, bac);
|
nsec3params, bac);
|
||||||
|
|
||||||
if (nsec3 == null) {
|
if (nsec3 == null) {
|
||||||
// st_log.debug("proveNameError: could not prove that the "
|
st_log.debug("proveNameError: could not prove that the " +
|
||||||
// + "applicable wildcard did not exist.");
|
"applicable wildcard did not exist.");
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Determine if the NSEC3s provided in a response prove the NOERROR/NODATA
|
* Determine if the NSEC3s provided in a response prove the NOERROR/NODATA
|
||||||
* status. There are a number of different variants to this:
|
* status. There are a number of different variants to this:
|
||||||
@ -558,30 +597,40 @@ public class NSEC3ValUtils {
|
|||||||
*/
|
*/
|
||||||
public static boolean proveNodata(List<NSEC3Record> nsec3s, Name qname,
|
public static boolean proveNodata(List<NSEC3Record> nsec3s, Name qname,
|
||||||
int qtype, Name zonename) {
|
int qtype, Name zonename) {
|
||||||
if (nsec3s == null || nsec3s.size() == 0) return false;
|
if ((nsec3s == null) || (nsec3s.size() == 0)) {
|
||||||
|
|
||||||
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
|
|
||||||
if (nsec3params == null) {
|
|
||||||
// st_log.debug("could not find a single set of "
|
|
||||||
// + "NSEC3 parameters (multiple parameters present)");
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
|
||||||
|
|
||||||
|
if (nsec3params == null) {
|
||||||
|
st_log.debug("could not find a single set of " +
|
||||||
|
"NSEC3 parameters (multiple parameters present)");
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
ByteArrayComparator bac = new ByteArrayComparator();
|
ByteArrayComparator bac = new ByteArrayComparator();
|
||||||
|
|
||||||
NSEC3Record nsec3 = findMatchingNSEC3(hash(qname, nsec3params),
|
NSEC3Record nsec3 = findMatchingNSEC3(hash(qname, nsec3params),
|
||||||
zonename, nsec3s, nsec3params,
|
zonename, nsec3s, nsec3params, bac);
|
||||||
bac);
|
|
||||||
// Cases 1 & 2.
|
// Cases 1 & 2.
|
||||||
if (nsec3 != null) {
|
if (nsec3 != null) {
|
||||||
if (nsec3.hasType(qtype)) {
|
if (nsec3.hasType(qtype)) {
|
||||||
// st_log.debug("proveNodata: Matching NSEC3 proved that type existed!");
|
st_log.debug(
|
||||||
|
"proveNodata: Matching NSEC3 proved that type existed!");
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (nsec3.hasType(Type.CNAME)) {
|
if (nsec3.hasType(Type.CNAME)) {
|
||||||
// st_log.debug("proveNodata: Matching NSEC3 proved "
|
st_log.debug("proveNodata: Matching NSEC3 proved " +
|
||||||
// + "that a CNAME existed!");
|
"that a CNAME existed!");
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -594,8 +643,9 @@ public class NSEC3ValUtils {
|
|||||||
// At this point, not finding a match or a proven closest encloser is a
|
// At this point, not finding a match or a proven closest encloser is a
|
||||||
// problem.
|
// problem.
|
||||||
if (ce == null) {
|
if (ce == null) {
|
||||||
// st_log.debug("proveNodata: did not match qname, "
|
st_log.debug("proveNodata: did not match qname, " +
|
||||||
// + "nor found a proven closest encloser.");
|
"nor found a proven closest encloser.");
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -608,24 +658,27 @@ public class NSEC3ValUtils {
|
|||||||
|
|
||||||
if (nsec3 != null) {
|
if (nsec3 != null) {
|
||||||
if (nsec3.hasType(qtype)) {
|
if (nsec3.hasType(qtype)) {
|
||||||
// st_log.debug("proveNodata: matching wildcard had qtype!");
|
st_log.debug("proveNodata: matching wildcard had qtype!");
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Case 5.
|
// Case 5.
|
||||||
if (qtype != Type.DS) {
|
if (qtype != Type.DS) {
|
||||||
// st_log.debug("proveNodata: could not find matching NSEC3, "
|
st_log.debug("proveNodata: could not find matching NSEC3, " +
|
||||||
// +
|
"nor matching wildcard, and qtype is not DS -- no more options.");
|
||||||
// "nor matching wildcard, and qtype is not DS -- no more options.");
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
// We need to make sure that the covering NSEC3 is opt-in.
|
// We need to make sure that the covering NSEC3 is opt-in.
|
||||||
if (!ce.nc_nsec3.getOptInFlag()) {
|
if (!isOptOut(ce.nc_nsec3)) {
|
||||||
// st_log.debug("proveNodata: covering NSEC3 was not "
|
st_log.debug("proveNodata: covering NSEC3 was not " +
|
||||||
// + "opt-in in an opt-in DS NOERROR/NODATA case.");
|
"opt-in in an opt-in DS NOERROR/NODATA case.");
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -648,12 +701,20 @@ public class NSEC3ValUtils {
|
|||||||
*/
|
*/
|
||||||
public static boolean proveWildcard(List<NSEC3Record> nsec3s, Name qname,
|
public static boolean proveWildcard(List<NSEC3Record> nsec3s, Name qname,
|
||||||
Name zonename, Name wildcard) {
|
Name zonename, Name wildcard) {
|
||||||
if (nsec3s == null || nsec3s.size() == 0) return false;
|
if ((nsec3s == null) || (nsec3s.size() == 0)) {
|
||||||
if (qname == null || wildcard == null) return false;
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ((qname == null) || (wildcard == null)) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
|
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
|
||||||
|
|
||||||
if (nsec3params == null) {
|
if (nsec3params == null) {
|
||||||
// st_log.debug("couldn't find a single set of NSEC3 parameters (multiple parameters present).");
|
st_log.debug(
|
||||||
|
"couldn't find a single set of NSEC3 parameters (multiple parameters present).");
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -668,15 +729,14 @@ public class NSEC3ValUtils {
|
|||||||
// Otherwise, we need to show that the next closer name is covered.
|
// Otherwise, we need to show that the next closer name is covered.
|
||||||
Name nextClosest = nextClosest(qname, candidate.closestEncloser);
|
Name nextClosest = nextClosest(qname, candidate.closestEncloser);
|
||||||
candidate.nc_nsec3 = findCoveringNSEC3(hash(nextClosest, nsec3params),
|
candidate.nc_nsec3 = findCoveringNSEC3(hash(nextClosest, nsec3params),
|
||||||
zonename, nsec3s, nsec3params,
|
zonename, nsec3s, nsec3params, bac);
|
||||||
bac);
|
|
||||||
|
|
||||||
if (candidate.nc_nsec3 == null) {
|
if (candidate.nc_nsec3 == null) {
|
||||||
// st_log.debug("proveWildcard: did not find a covering NSEC3 "
|
st_log.debug("proveWildcard: did not find a covering NSEC3 " +
|
||||||
// + "that covered the next closer name to " + qname + " from "
|
"that covered the next closer name to " + qname + " from " +
|
||||||
// + candidate.closestEncloser + " (derived from wildcard " +
|
candidate.closestEncloser + " (derived from wildcard " +
|
||||||
// wildcard
|
wildcard + ")");
|
||||||
// + ")");
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -704,33 +764,38 @@ public class NSEC3ValUtils {
|
|||||||
*/
|
*/
|
||||||
public static byte proveNoDS(List<NSEC3Record> nsec3s, Name qname,
|
public static byte proveNoDS(List<NSEC3Record> nsec3s, Name qname,
|
||||||
Name zonename) {
|
Name zonename) {
|
||||||
if (nsec3s == null || nsec3s.size() == 0) return SecurityStatus.BOGUS;
|
if ((nsec3s == null) || (nsec3s.size() == 0)) {
|
||||||
|
|
||||||
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
|
|
||||||
if (nsec3params == null) {
|
|
||||||
// st_log.debug("couldn't find a single set of " +
|
|
||||||
// "NSEC3 parameters (multiple parameters present).");
|
|
||||||
return SecurityStatus.BOGUS;
|
return SecurityStatus.BOGUS;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
|
||||||
|
|
||||||
|
if (nsec3params == null) {
|
||||||
|
st_log.debug("couldn't find a single set of " +
|
||||||
|
"NSEC3 parameters (multiple parameters present).");
|
||||||
|
|
||||||
|
return SecurityStatus.BOGUS;
|
||||||
|
}
|
||||||
|
|
||||||
ByteArrayComparator bac = new ByteArrayComparator();
|
ByteArrayComparator bac = new ByteArrayComparator();
|
||||||
|
|
||||||
// Look for a matching NSEC3 to qname -- this is the normal NODATA case.
|
// Look for a matching NSEC3 to qname -- this is the normal NODATA case.
|
||||||
NSEC3Record nsec3 = findMatchingNSEC3(hash(qname, nsec3params),
|
NSEC3Record nsec3 = findMatchingNSEC3(hash(qname, nsec3params),
|
||||||
zonename, nsec3s, nsec3params,
|
zonename, nsec3s, nsec3params, bac);
|
||||||
bac);
|
|
||||||
|
|
||||||
if (nsec3 != null) {
|
if (nsec3 != null) {
|
||||||
// If the matching NSEC3 has the SOA bit set, it is from the wrong
|
// If the matching NSEC3 has the SOA bit set, it is from the wrong
|
||||||
// zone
|
// zone (the child instead of the parent). If it has the DS bit set,
|
||||||
// (the child instead of the parent). If it has the DS bit set, then
|
// then we were lied to.
|
||||||
// we
|
|
||||||
// were lied to.
|
|
||||||
if (nsec3.hasType(Type.SOA) || nsec3.hasType(Type.DS)) {
|
if (nsec3.hasType(Type.SOA) || nsec3.hasType(Type.DS)) {
|
||||||
return SecurityStatus.BOGUS;
|
return SecurityStatus.BOGUS;
|
||||||
}
|
}
|
||||||
|
|
||||||
// If the NSEC3 RR doesn't have the NS bit set, then this wasn't a
|
// If the NSEC3 RR doesn't have the NS bit set, then this wasn't a
|
||||||
// delegation point.
|
// delegation point.
|
||||||
if (!nsec3.hasType(Type.NS)) return SecurityStatus.INDETERMINATE;
|
if (!nsec3.hasType(Type.NS)) {
|
||||||
|
return SecurityStatus.INDETERMINATE;
|
||||||
|
}
|
||||||
|
|
||||||
// Otherwise, this proves no DS.
|
// Otherwise, this proves no DS.
|
||||||
return SecurityStatus.SECURE;
|
return SecurityStatus.SECURE;
|
||||||
@ -739,6 +804,7 @@ public class NSEC3ValUtils {
|
|||||||
// Otherwise, we are probably in the opt-in case.
|
// Otherwise, we are probably in the opt-in case.
|
||||||
CEResponse ce = proveClosestEncloser(qname, zonename, nsec3s,
|
CEResponse ce = proveClosestEncloser(qname, zonename, nsec3s,
|
||||||
nsec3params, bac, true);
|
nsec3params, bac, true);
|
||||||
|
|
||||||
if (ce == null) {
|
if (ce == null) {
|
||||||
return SecurityStatus.BOGUS;
|
return SecurityStatus.BOGUS;
|
||||||
}
|
}
|
||||||
@ -746,11 +812,73 @@ public class NSEC3ValUtils {
|
|||||||
// If we had the closest encloser proof, then we need to check that the
|
// If we had the closest encloser proof, then we need to check that the
|
||||||
// covering NSEC3 was opt-in -- the proveClosestEncloser step already
|
// covering NSEC3 was opt-in -- the proveClosestEncloser step already
|
||||||
// checked to see if the closest encloser was a delegation or DNAME.
|
// checked to see if the closest encloser was a delegation or DNAME.
|
||||||
if (ce.nc_nsec3.getOptInFlag()) {
|
if (isOptOut(ce.nc_nsec3)) {
|
||||||
return SecurityStatus.SECURE;
|
return SecurityStatus.SECURE;
|
||||||
}
|
}
|
||||||
|
|
||||||
return SecurityStatus.BOGUS;
|
return SecurityStatus.BOGUS;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This is a class to encapsulate a unique set of NSEC3 parameters:
|
||||||
|
* algorithm, iterations, and salt.
|
||||||
|
*/
|
||||||
|
private static class NSEC3Parameters {
|
||||||
|
public int alg;
|
||||||
|
public byte [] salt;
|
||||||
|
public int iterations;
|
||||||
|
private NSEC3PARAMRecord nsec3paramrec;
|
||||||
|
|
||||||
|
public NSEC3Parameters(NSEC3Record r) {
|
||||||
|
alg = r.getHashAlgorithm();
|
||||||
|
salt = r.getSalt();
|
||||||
|
iterations = r.getIterations();
|
||||||
|
|
||||||
|
nsec3paramrec = new NSEC3PARAMRecord(Name.root, DClass.IN, 0,
|
||||||
|
alg, 0, iterations, salt);
|
||||||
|
}
|
||||||
|
|
||||||
|
public boolean match(NSEC3Record r, ByteArrayComparator bac) {
|
||||||
|
if (r.getHashAlgorithm() != alg) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (r.getIterations() != iterations) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ((salt == null) && (r.getSalt() != null)) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (salt == null) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (bac == null) {
|
||||||
|
bac = new ByteArrayComparator();
|
||||||
|
}
|
||||||
|
|
||||||
|
return bac.compare(r.getSalt(), salt) == 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
public byte[] hash(Name name) throws NoSuchAlgorithmException {
|
||||||
|
return nsec3paramrec.hashName(name);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This is just a simple class to encapsulate the response to a closest
|
||||||
|
* encloser proof.
|
||||||
|
*/
|
||||||
|
private static class CEResponse {
|
||||||
|
public Name closestEncloser;
|
||||||
|
public NSEC3Record ce_nsec3;
|
||||||
|
public NSEC3Record nc_nsec3;
|
||||||
|
|
||||||
|
public CEResponse(Name ce, NSEC3Record nsec3) {
|
||||||
|
this.closestEncloser = ce;
|
||||||
|
this.ce_nsec3 = nsec3;
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
@ -1,51 +1,44 @@
|
|||||||
/*
|
/***************************** -*- Java -*- ********************************\
|
||||||
* $Id$
|
* *
|
||||||
*
|
* Copyright (c) 2009 VeriSign, Inc. All rights reserved. *
|
||||||
* Copyright (c) 2005 VeriSign. All rights reserved.
|
* *
|
||||||
*
|
* This software is provided solely in connection with the terms of the *
|
||||||
* Redistribution and use in source and binary forms, with or without
|
* license agreement. Any other use without the prior express written *
|
||||||
* modification, are permitted provided that the following conditions are met:
|
* permission of VeriSign is completely prohibited. The software and *
|
||||||
*
|
* documentation are "Commercial Items", as that term is defined in 48 *
|
||||||
* 1. Redistributions of source code must retain the above copyright notice,
|
* C.F.R. section 2.101, consisting of "Commercial Computer Software" and *
|
||||||
* this list of conditions and the following disclaimer. 2. Redistributions in
|
* "Commercial Computer Software Documentation" as such terms are defined *
|
||||||
* binary form must reproduce the above copyright notice, this list of
|
* in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section *
|
||||||
* conditions and the following disclaimer in the documentation and/or other
|
* 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. *
|
||||||
* materials provided with the distribution. 3. The name of the author may not
|
* section 227.7202, as applicable. Pursuant to the above and other *
|
||||||
* be used to endorse or promote products derived from this software without
|
* relevant sections of the Code of Federal Regulations, as applicable, *
|
||||||
* specific prior written permission.
|
* VeriSign's publications, commercial computer software, and commercial *
|
||||||
*
|
* computer software documentation are distributed and licensed to United *
|
||||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
* States Government end users with only those rights as granted to all *
|
||||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
* other end users, according to the terms and conditions contained in the *
|
||||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
|
* license agreement(s) that accompany the products and software *
|
||||||
* NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
* documentation. *
|
||||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
|
* *
|
||||||
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
\***************************************************************************/
|
||||||
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
||||||
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
||||||
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
||||||
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
|
|
||||||
package com.versign.tat.dnssec;
|
package com.verisign.tat.dnssec;
|
||||||
|
|
||||||
|
import org.xbill.DNS.*;
|
||||||
|
|
||||||
import java.util.*;
|
import java.util.*;
|
||||||
|
|
||||||
import org.xbill.DNS.*;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This class represents a DNS message with resolver/validator state.
|
* This class represents a DNS message with resolver/validator state.
|
||||||
*/
|
*/
|
||||||
public class SMessage {
|
public class SMessage {
|
||||||
|
private static SRRset [] empty_srrset_array = new SRRset[0];
|
||||||
private Header mHeader;
|
private Header mHeader;
|
||||||
|
|
||||||
private Record mQuestion;
|
private Record mQuestion;
|
||||||
private OPTRecord mOPTRecord;
|
private OPTRecord mOPTRecord;
|
||||||
private List<SRRset> [] mSection;
|
private List<SRRset> [] mSection;
|
||||||
private SecurityStatus mSecurityStatus;
|
private SecurityStatus mSecurityStatus;
|
||||||
|
|
||||||
private static SRRset[] empty_srrset_array = new SRRset[0];
|
|
||||||
|
|
||||||
@SuppressWarnings("unchecked")
|
@SuppressWarnings("unchecked")
|
||||||
public SMessage(Header h) {
|
public SMessage(Header h) {
|
||||||
mSection = (List<SRRset> []) new List[3];
|
mSection = (List<SRRset> []) new List[3];
|
||||||
@ -112,8 +105,9 @@ public class SMessage {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public List<SRRset> getSectionList(int section) {
|
public List<SRRset> getSectionList(int section) {
|
||||||
if (section <= Section.QUESTION || section > Section.ADDITIONAL)
|
if ((section <= Section.QUESTION) || (section > Section.ADDITIONAL)) {
|
||||||
throw new IllegalArgumentException("Invalid section.");
|
throw new IllegalArgumentException("Invalid section.");
|
||||||
|
}
|
||||||
|
|
||||||
if (mSection[section - 1] == null) {
|
if (mSection[section - 1] == null) {
|
||||||
mSection[section - 1] = new LinkedList<SRRset>();
|
mSection[section - 1] = new LinkedList<SRRset>();
|
||||||
@ -123,11 +117,13 @@ public class SMessage {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public void addRRset(SRRset srrset, int section) {
|
public void addRRset(SRRset srrset, int section) {
|
||||||
if (section <= Section.QUESTION || section > Section.ADDITIONAL)
|
if ((section <= Section.QUESTION) || (section > Section.ADDITIONAL)) {
|
||||||
throw new IllegalArgumentException("Invalid section");
|
throw new IllegalArgumentException("Invalid section");
|
||||||
|
}
|
||||||
|
|
||||||
if (srrset.getType() == Type.OPT) {
|
if (srrset.getType() == Type.OPT) {
|
||||||
mOPTRecord = (OPTRecord) srrset.first();
|
mOPTRecord = (OPTRecord) srrset.first();
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -138,6 +134,7 @@ public class SMessage {
|
|||||||
public void addRRset(RRset rrset, int section) {
|
public void addRRset(RRset rrset, int section) {
|
||||||
if (rrset instanceof SRRset) {
|
if (rrset instanceof SRRset) {
|
||||||
addRRset((SRRset) rrset, section);
|
addRRset((SRRset) rrset, section);
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -146,8 +143,9 @@ public class SMessage {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public void prependRRsets(List<SRRset> rrsets, int section) {
|
public void prependRRsets(List<SRRset> rrsets, int section) {
|
||||||
if (section <= Section.QUESTION || section > Section.ADDITIONAL)
|
if ((section <= Section.QUESTION) || (section > Section.ADDITIONAL)) {
|
||||||
throw new IllegalArgumentException("Invalid section");
|
throw new IllegalArgumentException("Invalid section");
|
||||||
|
}
|
||||||
|
|
||||||
List<SRRset> sectionList = getSectionList(section);
|
List<SRRset> sectionList = getSectionList(section);
|
||||||
sectionList.addAll(0, rrsets);
|
sectionList.addAll(0, rrsets);
|
||||||
@ -162,11 +160,16 @@ public class SMessage {
|
|||||||
public SRRset [] getSectionRRsets(int section, int qtype) {
|
public SRRset [] getSectionRRsets(int section, int qtype) {
|
||||||
List<SRRset> slist = getSectionList(section);
|
List<SRRset> slist = getSectionList(section);
|
||||||
|
|
||||||
if (slist.size() == 0) return new SRRset[0];
|
if (slist.size() == 0) {
|
||||||
|
return new SRRset[0];
|
||||||
|
}
|
||||||
|
|
||||||
ArrayList<SRRset> result = new ArrayList<SRRset>(slist.size());
|
ArrayList<SRRset> result = new ArrayList<SRRset>(slist.size());
|
||||||
|
|
||||||
for (SRRset rrset : slist) {
|
for (SRRset rrset : slist) {
|
||||||
if (rrset.getType() == qtype) result.add(rrset);
|
if (rrset.getType() == qtype) {
|
||||||
|
result.add(rrset);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return (SRRset []) result.toArray(empty_srrset_array);
|
return (SRRset []) result.toArray(empty_srrset_array);
|
||||||
@ -175,19 +178,24 @@ public class SMessage {
|
|||||||
public void deleteRRset(SRRset rrset, int section) {
|
public void deleteRRset(SRRset rrset, int section) {
|
||||||
List<SRRset> slist = getSectionList(section);
|
List<SRRset> slist = getSectionList(section);
|
||||||
|
|
||||||
if (slist.size() == 0) return;
|
if (slist.size() == 0) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
slist.remove(rrset);
|
slist.remove(rrset);
|
||||||
}
|
}
|
||||||
|
|
||||||
public void clear(int section) {
|
public void clear(int section) {
|
||||||
if (section < Section.QUESTION || section > Section.ADDITIONAL)
|
if ((section < Section.QUESTION) || (section > Section.ADDITIONAL)) {
|
||||||
throw new IllegalArgumentException("Invalid section.");
|
throw new IllegalArgumentException("Invalid section.");
|
||||||
|
}
|
||||||
|
|
||||||
if (section == Section.QUESTION) {
|
if (section == Section.QUESTION) {
|
||||||
mQuestion = null;
|
mQuestion = null;
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (section == Section.ADDITIONAL) {
|
if (section == Section.ADDITIONAL) {
|
||||||
mOPTRecord = null;
|
mOPTRecord = null;
|
||||||
}
|
}
|
||||||
@ -219,7 +227,10 @@ public class SMessage {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public void setSecurityStatus(SecurityStatus s) {
|
public void setSecurityStatus(SecurityStatus s) {
|
||||||
if (s == null) return;
|
if (s == null) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
mSecurityStatus = s;
|
mSecurityStatus = s;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -235,6 +246,7 @@ public class SMessage {
|
|||||||
Header h = m.getHeader();
|
Header h = m.getHeader();
|
||||||
h.setOpcode(mHeader.getOpcode());
|
h.setOpcode(mHeader.getOpcode());
|
||||||
h.setRcode(mHeader.getRcode());
|
h.setRcode(mHeader.getRcode());
|
||||||
|
|
||||||
for (int i = 0; i < 16; i++) {
|
for (int i = 0; i < 16; i++) {
|
||||||
if (Flags.isFlag(i)) {
|
if (Flags.isFlag(i)) {
|
||||||
if (mHeader.getFlag(i)) {
|
if (mHeader.getFlag(i)) {
|
||||||
@ -247,17 +259,18 @@ public class SMessage {
|
|||||||
|
|
||||||
// Add all the records. -- this will set the counts correctly in the
|
// Add all the records. -- this will set the counts correctly in the
|
||||||
// message header.
|
// message header.
|
||||||
|
|
||||||
if (mQuestion != null) {
|
if (mQuestion != null) {
|
||||||
m.addRecord(mQuestion, Section.QUESTION);
|
m.addRecord(mQuestion, Section.QUESTION);
|
||||||
}
|
}
|
||||||
|
|
||||||
for (int sec = Section.ANSWER; sec <= Section.ADDITIONAL; sec++) {
|
for (int sec = Section.ANSWER; sec <= Section.ADDITIONAL; sec++) {
|
||||||
List<SRRset> slist = getSectionList(sec);
|
List<SRRset> slist = getSectionList(sec);
|
||||||
|
|
||||||
for (SRRset rrset : slist) {
|
for (SRRset rrset : slist) {
|
||||||
for (Iterator<Record> j = rrset.rrs(); j.hasNext();) {
|
for (Iterator<Record> j = rrset.rrs(); j.hasNext();) {
|
||||||
m.addRecord(j.next(), sec);
|
m.addRecord(j.next(), sec);
|
||||||
}
|
}
|
||||||
|
|
||||||
for (Iterator<RRSIGRecord> j = rrset.sigs(); j.hasNext();) {
|
for (Iterator<RRSIGRecord> j = rrset.sigs(); j.hasNext();) {
|
||||||
m.addRecord(j.next(), sec);
|
m.addRecord(j.next(), sec);
|
||||||
}
|
}
|
||||||
@ -273,13 +286,21 @@ public class SMessage {
|
|||||||
|
|
||||||
public int getCount(int section) {
|
public int getCount(int section) {
|
||||||
if (section == Section.QUESTION) {
|
if (section == Section.QUESTION) {
|
||||||
return mQuestion == null ? 0 : 1;
|
return (mQuestion == null) ? 0 : 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
List<SRRset> sectionList = getSectionList(section);
|
List<SRRset> sectionList = getSectionList(section);
|
||||||
if (sectionList == null) return 0;
|
|
||||||
if (sectionList.size() == 0) return 0;
|
if (sectionList == null) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (sectionList.size() == 0) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
int count = 0;
|
int count = 0;
|
||||||
|
|
||||||
for (SRRset sr : sectionList) {
|
for (SRRset sr : sectionList) {
|
||||||
count += sr.totalSize();
|
count += sr.totalSize();
|
||||||
}
|
}
|
||||||
@ -306,14 +327,16 @@ public class SMessage {
|
|||||||
* @return The SRRset if found, null otherwise.
|
* @return The SRRset if found, null otherwise.
|
||||||
*/
|
*/
|
||||||
public SRRset findRRset(Name name, int type, int dclass, int section) {
|
public SRRset findRRset(Name name, int type, int dclass, int section) {
|
||||||
if (section <= Section.QUESTION || section > Section.ADDITIONAL)
|
if ((section <= Section.QUESTION) || (section > Section.ADDITIONAL)) {
|
||||||
throw new IllegalArgumentException("Invalid section.");
|
throw new IllegalArgumentException("Invalid section.");
|
||||||
|
}
|
||||||
|
|
||||||
SRRset [] rrsets = getSectionRRsets(section);
|
SRRset [] rrsets = getSectionRRsets(section);
|
||||||
|
|
||||||
for (int i = 0; i < rrsets.length; i++) {
|
for (int i = 0; i < rrsets.length; i++) {
|
||||||
if (rrsets[i].getName().equals(name) && rrsets[i].getType() == type
|
if (rrsets[i].getName().equals(name) &&
|
||||||
&& rrsets[i].getDClass() == dclass) {
|
(rrsets[i].getType() == type) &&
|
||||||
|
(rrsets[i].getDClass() == dclass)) {
|
||||||
return rrsets[i];
|
return rrsets[i];
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -339,21 +362,21 @@ public class SMessage {
|
|||||||
SRRset [] srrsets = getSectionRRsets(Section.ANSWER);
|
SRRset [] srrsets = getSectionRRsets(Section.ANSWER);
|
||||||
|
|
||||||
for (int i = 0; i < srrsets.length; i++) {
|
for (int i = 0; i < srrsets.length; i++) {
|
||||||
if (srrsets[i].getName().equals(qname)
|
if (srrsets[i].getName().equals(qname) &&
|
||||||
&& srrsets[i].getType() == Type.CNAME) {
|
(srrsets[i].getType() == Type.CNAME)) {
|
||||||
CNAMERecord cname = (CNAMERecord) srrsets[i].first();
|
CNAMERecord cname = (CNAMERecord) srrsets[i].first();
|
||||||
qname = cname.getTarget();
|
qname = cname.getTarget();
|
||||||
|
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (srrsets[i].getName().equals(qname)
|
if (srrsets[i].getName().equals(qname) &&
|
||||||
&& srrsets[i].getType() == qtype
|
(srrsets[i].getType() == qtype) &&
|
||||||
&& srrsets[i].getDClass() == qclass) {
|
(srrsets[i].getDClass() == qclass)) {
|
||||||
return srrsets[i];
|
return srrsets[i];
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
@ -1,35 +1,32 @@
|
|||||||
/*
|
/***************************** -*- Java -*- ********************************\
|
||||||
* Copyright (c) 2009 VeriSign. All rights reserved.
|
* *
|
||||||
*
|
* Copyright (c) 2009 VeriSign, Inc. All rights reserved. *
|
||||||
* Redistribution and use in source and binary forms, with or without
|
* *
|
||||||
* modification, are permitted provided that the following conditions are met:
|
* This software is provided solely in connection with the terms of the *
|
||||||
*
|
* license agreement. Any other use without the prior express written *
|
||||||
* 1. Redistributions of source code must retain the above copyright notice,
|
* permission of VeriSign is completely prohibited. The software and *
|
||||||
* this list of conditions and the following disclaimer. 2. Redistributions in
|
* documentation are "Commercial Items", as that term is defined in 48 *
|
||||||
* binary form must reproduce the above copyright notice, this list of
|
* C.F.R. section 2.101, consisting of "Commercial Computer Software" and *
|
||||||
* conditions and the following disclaimer in the documentation and/or other
|
* "Commercial Computer Software Documentation" as such terms are defined *
|
||||||
* materials provided with the distribution. 3. The name of the author may not
|
* in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section *
|
||||||
* be used to endorse or promote products derived from this software without
|
* 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. *
|
||||||
* specific prior written permission.
|
* section 227.7202, as applicable. Pursuant to the above and other *
|
||||||
*
|
* relevant sections of the Code of Federal Regulations, as applicable, *
|
||||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
* VeriSign's publications, commercial computer software, and commercial *
|
||||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
* computer software documentation are distributed and licensed to United *
|
||||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
|
* States Government end users with only those rights as granted to all *
|
||||||
* NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
* other end users, according to the terms and conditions contained in the *
|
||||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
|
* license agreement(s) that accompany the products and software *
|
||||||
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
* documentation. *
|
||||||
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
* *
|
||||||
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
\***************************************************************************/
|
||||||
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
||||||
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
|
|
||||||
package com.versign.tat.dnssec;
|
package com.verisign.tat.dnssec;
|
||||||
|
|
||||||
|
import org.xbill.DNS.*;
|
||||||
|
|
||||||
import java.util.*;
|
import java.util.*;
|
||||||
|
|
||||||
import org.xbill.DNS.*;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A version of the RRset class overrides the standard security status.
|
* A version of the RRset class overrides the standard security status.
|
||||||
@ -43,13 +40,11 @@ public class SRRset extends RRset {
|
|||||||
mSecurityStatus = new SecurityStatus();
|
mSecurityStatus = new SecurityStatus();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Create a new SRRset from an existing RRset. This SRRset will contain that
|
* Create a new SRRset from an existing RRset. This SRRset will contain that
|
||||||
* same internal Record objects as the original RRset.
|
* same internal Record objects as the original RRset.
|
||||||
*/
|
*/
|
||||||
@SuppressWarnings("unchecked")
|
@SuppressWarnings("unchecked")
|
||||||
// org.xbill.DNS.RRset isn't typesafe-aware.
|
|
||||||
public SRRset(RRset r) {
|
public SRRset(RRset r) {
|
||||||
this();
|
this();
|
||||||
|
|
||||||
@ -86,19 +81,24 @@ public class SRRset extends RRset {
|
|||||||
mSecurityStatus.setStatus(status);
|
mSecurityStatus.setStatus(status);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@SuppressWarnings("unchecked")
|
||||||
public Iterator<Record> rrs() {
|
public Iterator<Record> rrs() {
|
||||||
return (Iterator<Record>) rrs();
|
return (Iterator<Record>) super.rrs();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@SuppressWarnings("unchecked")
|
||||||
public Iterator<RRSIGRecord> sigs() {
|
public Iterator<RRSIGRecord> sigs() {
|
||||||
return (Iterator<RRSIGRecord>) sigs();
|
return (Iterator<RRSIGRecord>) super.sigs();
|
||||||
}
|
}
|
||||||
|
|
||||||
public int totalSize() {
|
public int totalSize() {
|
||||||
int num_sigs = 0;
|
int num_sigs = 0;
|
||||||
|
|
||||||
for (Iterator<RRSIGRecord> i = sigs(); i.hasNext();) {
|
for (Iterator<RRSIGRecord> i = sigs(); i.hasNext();) {
|
||||||
num_sigs++;
|
num_sigs++;
|
||||||
|
i.next();
|
||||||
}
|
}
|
||||||
|
|
||||||
return size() + num_sigs;
|
return size() + num_sigs;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -113,6 +113,7 @@ public class SRRset extends RRset {
|
|||||||
for (Iterator<RRSIGRecord> i = sigs(); i.hasNext();) {
|
for (Iterator<RRSIGRecord> i = sigs(); i.hasNext();) {
|
||||||
return i.next();
|
return i.next();
|
||||||
}
|
}
|
||||||
|
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -121,7 +122,10 @@ public class SRRset extends RRset {
|
|||||||
* (i.e., RRSIG SRRsets return false)
|
* (i.e., RRSIG SRRsets return false)
|
||||||
*/
|
*/
|
||||||
public boolean isSigned() {
|
public boolean isSigned() {
|
||||||
if (getType() == Type.RRSIG) return false;
|
if (getType() == Type.RRSIG) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
return firstSig() != null;
|
return firstSig() != null;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -130,7 +134,11 @@ public class SRRset extends RRset {
|
|||||||
*/
|
*/
|
||||||
public Name getSignerName() {
|
public Name getSignerName() {
|
||||||
RRSIGRecord sig = (RRSIGRecord) firstSig();
|
RRSIGRecord sig = (RRSIGRecord) firstSig();
|
||||||
if (sig == null) return null;
|
|
||||||
|
if (sig == null) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
return sig.getSigner();
|
return sig.getSigner();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -1,112 +1,112 @@
|
|||||||
/*
|
/***************************** -*- Java -*- ********************************\
|
||||||
* $Id$
|
* *
|
||||||
*
|
* Copyright (c) 2009 VeriSign, Inc. All rights reserved. *
|
||||||
* Copyright (c) 2005 VeriSign. All rights reserved.
|
* *
|
||||||
*
|
* This software is provided solely in connection with the terms of the *
|
||||||
* Redistribution and use in source and binary forms, with or without
|
* license agreement. Any other use without the prior express written *
|
||||||
* modification, are permitted provided that the following conditions are met:
|
* permission of VeriSign is completely prohibited. The software and *
|
||||||
*
|
* documentation are "Commercial Items", as that term is defined in 48 *
|
||||||
* 1. Redistributions of source code must retain the above copyright notice,
|
* C.F.R. section 2.101, consisting of "Commercial Computer Software" and *
|
||||||
* this list of conditions and the following disclaimer. 2. Redistributions in
|
* "Commercial Computer Software Documentation" as such terms are defined *
|
||||||
* binary form must reproduce the above copyright notice, this list of
|
* in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section *
|
||||||
* conditions and the following disclaimer in the documentation and/or other
|
* 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. *
|
||||||
* materials provided with the distribution. 3. The name of the author may not
|
* section 227.7202, as applicable. Pursuant to the above and other *
|
||||||
* be used to endorse or promote products derived from this software without
|
* relevant sections of the Code of Federal Regulations, as applicable, *
|
||||||
* specific prior written permission.
|
* VeriSign's publications, commercial computer software, and commercial *
|
||||||
*
|
* computer software documentation are distributed and licensed to United *
|
||||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
* States Government end users with only those rights as granted to all *
|
||||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
* other end users, according to the terms and conditions contained in the *
|
||||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
|
* license agreement(s) that accompany the products and software *
|
||||||
* NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
* documentation. *
|
||||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
|
* *
|
||||||
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
\***************************************************************************/
|
||||||
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
||||||
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
package com.verisign.tat.dnssec;
|
||||||
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
||||||
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
|
|
||||||
package com.versign.tat.dnssec;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Codes for DNSSEC security statuses.
|
* Codes for DNSSEC security statuses.
|
||||||
*
|
*
|
||||||
* @author davidb
|
* @author davidb
|
||||||
*/
|
*/
|
||||||
public class SecurityStatus
|
public class SecurityStatus {
|
||||||
{
|
public static final byte INVALID = -1;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* UNCHECKED means that object has yet to be validated.
|
* UNCHECKED means that object has yet to be validated.
|
||||||
*/
|
*/
|
||||||
public static final byte UNCHECKED = 0;
|
public static final byte UNCHECKED = 0;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* BOGUS means that the object (RRset or message) failed to validate
|
* BOGUS means that the object (RRset or message) failed to validate
|
||||||
* (according to local policy), but should have validated.
|
* (according to local policy), but should have validated.
|
||||||
*/
|
*/
|
||||||
public static final byte BOGUS = 1;
|
public static final byte BOGUS = 1;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* BAD is a synonym for BOGUS.
|
* BAD is a synonym for BOGUS.
|
||||||
*/
|
*/
|
||||||
public static final byte BAD = BOGUS;
|
public static final byte BAD = BOGUS;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* INDTERMINATE means that the object is insecure, but not authoritatively
|
* INDTERMINATE means that the object is insecure, but not authoritatively
|
||||||
* so. Generally this means that the RRset is not below a configured trust
|
* so. Generally this means that the RRset is not below a configured trust
|
||||||
* anchor.
|
* anchor.
|
||||||
*/
|
*/
|
||||||
public static final byte INDETERMINATE = 2;
|
public static final byte INDETERMINATE = 2;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* INSECURE means that the object is authoritatively known to be insecure.
|
* INSECURE means that the object is authoritatively known to be insecure.
|
||||||
* Generally this means that this RRset is below a trust anchor, but also
|
* Generally this means that this RRset is below a trust anchor, but also
|
||||||
* below a verified, insecure delegation.
|
* below a verified, insecure delegation.
|
||||||
*/
|
*/
|
||||||
public static final byte INSECURE = 3;
|
public static final byte INSECURE = 3;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* SECURE means that the object (RRset or message) validated according to
|
* SECURE means that the object (RRset or message) validated according to
|
||||||
* local policy.
|
* local policy.
|
||||||
*/
|
*/
|
||||||
public static final byte SECURE = 4;
|
public static final byte SECURE = 4;
|
||||||
|
|
||||||
private byte status;
|
private byte status;
|
||||||
|
|
||||||
public static String string(int status)
|
public SecurityStatus() {
|
||||||
{
|
status = UNCHECKED;
|
||||||
switch (status)
|
}
|
||||||
{
|
|
||||||
|
public SecurityStatus(byte status) {
|
||||||
|
setStatus(status);
|
||||||
|
}
|
||||||
|
|
||||||
|
public static String string(int status) {
|
||||||
|
switch (status) {
|
||||||
|
case INVALID:
|
||||||
|
return "Invalid";
|
||||||
|
|
||||||
case BOGUS:
|
case BOGUS:
|
||||||
return "Bogus";
|
return "Bogus";
|
||||||
|
|
||||||
case SECURE:
|
case SECURE:
|
||||||
return "Secure";
|
return "Secure";
|
||||||
|
|
||||||
case INSECURE:
|
case INSECURE:
|
||||||
return "Insecure";
|
return "Insecure";
|
||||||
|
|
||||||
case INDETERMINATE:
|
case INDETERMINATE:
|
||||||
return "Indeterminate";
|
return "Indeterminate";
|
||||||
|
|
||||||
case UNCHECKED:
|
case UNCHECKED:
|
||||||
return "Unchecked";
|
return "Unchecked";
|
||||||
|
|
||||||
default:
|
default:
|
||||||
return "UNKNOWN";
|
return "UNKNOWN";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public SecurityStatus()
|
public byte getStatus() {
|
||||||
{
|
|
||||||
status = UNCHECKED;
|
|
||||||
}
|
|
||||||
|
|
||||||
public SecurityStatus(byte status)
|
|
||||||
{
|
|
||||||
setStatus(status);
|
|
||||||
}
|
|
||||||
|
|
||||||
public byte getStatus()
|
|
||||||
{
|
|
||||||
return status;
|
return status;
|
||||||
}
|
}
|
||||||
|
|
||||||
public void setStatus(byte status)
|
public void setStatus(byte status) {
|
||||||
{
|
|
||||||
this.status = status;
|
this.status = status;
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -1,45 +1,29 @@
|
|||||||
/*
|
/***************************** -*- Java -*- ********************************\
|
||||||
* $Id$
|
* *
|
||||||
*
|
* Copyright (c) 2009 VeriSign, Inc. All rights reserved. *
|
||||||
* Copyright (c) 2005 VeriSign, Inc. All rights reserved.
|
* *
|
||||||
*
|
* This software is provided solely in connection with the terms of the *
|
||||||
* Redistribution and use in source and binary forms, with or without
|
* license agreement. Any other use without the prior express written *
|
||||||
* modification, are permitted provided that the following conditions
|
* permission of VeriSign is completely prohibited. The software and *
|
||||||
* are met:
|
* documentation are "Commercial Items", as that term is defined in 48 *
|
||||||
*
|
* C.F.R. section 2.101, consisting of "Commercial Computer Software" and *
|
||||||
* 1. Redistributions of source code must retain the above copyright
|
* "Commercial Computer Software Documentation" as such terms are defined *
|
||||||
* notice, this list of conditions and the following disclaimer.
|
* in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section *
|
||||||
* 2. Redistributions in binary form must reproduce the above copyright
|
* 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. *
|
||||||
* notice, this list of conditions and the following disclaimer in the
|
* section 227.7202, as applicable. Pursuant to the above and other *
|
||||||
* documentation and/or other materials provided with the distribution.
|
* relevant sections of the Code of Federal Regulations, as applicable, *
|
||||||
* 3. The name of the author may not be used to endorse or promote products
|
* VeriSign's publications, commercial computer software, and commercial *
|
||||||
* derived from this software without specific prior written permission.
|
* computer software documentation are distributed and licensed to United *
|
||||||
*
|
* States Government end users with only those rights as granted to all *
|
||||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
* other end users, according to the terms and conditions contained in the *
|
||||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
* license agreement(s) that accompany the products and software *
|
||||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
* documentation. *
|
||||||
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
* *
|
||||||
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
\***************************************************************************/
|
||||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
||||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
||||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
||||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
||||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
|
|
||||||
package com.versign.tat.dnssec;
|
package com.verisign.tat.dnssec;
|
||||||
|
|
||||||
import java.io.ByteArrayOutputStream;
|
import org.apache.log4j.Logger;
|
||||||
import java.io.IOException;
|
|
||||||
import java.security.SignatureException;
|
|
||||||
import java.security.interfaces.DSAParams;
|
|
||||||
import java.util.ArrayList;
|
|
||||||
import java.util.Arrays;
|
|
||||||
import java.util.Collections;
|
|
||||||
import java.util.Comparator;
|
|
||||||
import java.util.Date;
|
|
||||||
import java.util.Iterator;
|
|
||||||
|
|
||||||
import org.xbill.DNS.DNSKEYRecord;
|
import org.xbill.DNS.DNSKEYRecord;
|
||||||
import org.xbill.DNS.DNSOutput;
|
import org.xbill.DNS.DNSOutput;
|
||||||
@ -47,55 +31,35 @@ import org.xbill.DNS.Name;
|
|||||||
import org.xbill.DNS.RRSIGRecord;
|
import org.xbill.DNS.RRSIGRecord;
|
||||||
import org.xbill.DNS.RRset;
|
import org.xbill.DNS.RRset;
|
||||||
import org.xbill.DNS.Record;
|
import org.xbill.DNS.Record;
|
||||||
|
import org.xbill.DNS.utils.base64;
|
||||||
|
|
||||||
|
import java.io.ByteArrayOutputStream;
|
||||||
|
import java.io.IOException;
|
||||||
|
|
||||||
|
import java.security.SignatureException;
|
||||||
|
import java.security.interfaces.DSAParams;
|
||||||
|
|
||||||
|
import java.util.ArrayList;
|
||||||
|
import java.util.Arrays;
|
||||||
|
import java.util.Collections;
|
||||||
|
import java.util.Comparator;
|
||||||
|
import java.util.Date;
|
||||||
|
import java.util.Iterator;
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This class contains a bunch of utility methods that are generally useful in
|
* This class contains a bunch of utility methods that are generally useful in
|
||||||
* signing and verifying rrsets.
|
* signing and verifying rrsets.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
public class SignUtils {
|
public class SignUtils {
|
||||||
|
|
||||||
/**
|
|
||||||
* This class implements a basic comparator for byte arrays. It is primarily
|
|
||||||
* useful for comparing RDATA portions of DNS records in doing DNSSEC
|
|
||||||
* canonical ordering.
|
|
||||||
*/
|
|
||||||
public static class ByteArrayComparator implements Comparator<byte[]> {
|
|
||||||
private int mOffset = 0;
|
|
||||||
private boolean mDebug = false;
|
|
||||||
|
|
||||||
public ByteArrayComparator() {
|
|
||||||
}
|
|
||||||
|
|
||||||
public ByteArrayComparator(int offset, boolean debug) {
|
|
||||||
mOffset = offset;
|
|
||||||
mDebug = debug;
|
|
||||||
}
|
|
||||||
|
|
||||||
public int compare(byte[] b1, byte[] b2) throws ClassCastException {
|
|
||||||
for (int i = mOffset; i < b1.length && i < b2.length; i++) {
|
|
||||||
if (b1[i] != b2[i]) {
|
|
||||||
if (mDebug) {
|
|
||||||
System.out.println("offset " + i + " differs (this is "
|
|
||||||
+ (i - mOffset)
|
|
||||||
+ " bytes in from our offset.)");
|
|
||||||
}
|
|
||||||
return (b1[i] & 0xFF) - (b2[i] & 0xFF);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return b1.length - b2.length;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// private static final int DSA_SIGNATURE_LENGTH = 20;
|
// private static final int DSA_SIGNATURE_LENGTH = 20;
|
||||||
private static final int ASN1_INT = 0x02;
|
private static final int ASN1_INT = 0x02;
|
||||||
private static final int ASN1_SEQ = 0x30;
|
private static final int ASN1_SEQ = 0x30;
|
||||||
|
|
||||||
public static final int RR_NORMAL = 0;
|
public static final int RR_NORMAL = 0;
|
||||||
public static final int RR_DELEGATION = 1;
|
public static final int RR_DELEGATION = 1;
|
||||||
public static final int RR_GLUE = 2;
|
public static final int RR_GLUE = 2;
|
||||||
public static final int RR_INVALID = 3;
|
public static final int RR_INVALID = 3;
|
||||||
|
private static Logger log = Logger.getLogger(SignUtils.class);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Generate from some basic information a prototype SIG RR containing
|
* Generate from some basic information a prototype SIG RR containing
|
||||||
@ -118,11 +82,10 @@ public class SignUtils {
|
|||||||
* @return a prototype signature based on the RRset and key information.
|
* @return a prototype signature based on the RRset and key information.
|
||||||
*/
|
*/
|
||||||
public static RRSIGRecord generatePreRRSIG(RRset rrset, Name signer,
|
public static RRSIGRecord generatePreRRSIG(RRset rrset, Name signer,
|
||||||
int alg, int keyid, Date start,
|
int alg, int keyid, Date start, Date expire, long sig_ttl) {
|
||||||
Date expire, long sig_ttl) {
|
|
||||||
return new RRSIGRecord(rrset.getName(), rrset.getDClass(), sig_ttl,
|
return new RRSIGRecord(rrset.getName(), rrset.getDClass(), sig_ttl,
|
||||||
rrset.getType(), alg, rrset.getTTL(), expire, start, keyid,
|
rrset.getType(), alg, rrset.getTTL(), expire, start, keyid, signer,
|
||||||
signer, null);
|
null);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -143,8 +106,7 @@ public class SignUtils {
|
|||||||
* @return a prototype signature based on the RRset and key information.
|
* @return a prototype signature based on the RRset and key information.
|
||||||
*/
|
*/
|
||||||
public static RRSIGRecord generatePreRRSIG(RRset rrset, DNSKEYRecord key,
|
public static RRSIGRecord generatePreRRSIG(RRset rrset, DNSKEYRecord key,
|
||||||
Date start, Date expire,
|
Date start, Date expire, long sig_ttl) {
|
||||||
long sig_ttl) {
|
|
||||||
return generatePreRRSIG(rrset, key.getName(), key.getAlgorithm(),
|
return generatePreRRSIG(rrset, key.getName(), key.getAlgorithm(),
|
||||||
key.getFootprint(), start, expire, sig_ttl);
|
key.getFootprint(), start, expire, sig_ttl);
|
||||||
}
|
}
|
||||||
@ -166,8 +128,7 @@ public class SignUtils {
|
|||||||
* @return a prototype signature based on the Record and key information.
|
* @return a prototype signature based on the Record and key information.
|
||||||
*/
|
*/
|
||||||
public static RRSIGRecord generatePreRRSIG(Record rec, DNSKEYRecord key,
|
public static RRSIGRecord generatePreRRSIG(Record rec, DNSKEYRecord key,
|
||||||
Date start, Date expire,
|
Date start, Date expire, long sig_ttl) {
|
||||||
long sig_ttl) {
|
|
||||||
return new RRSIGRecord(rec.getName(), rec.getDClass(), sig_ttl,
|
return new RRSIGRecord(rec.getName(), rec.getDClass(), sig_ttl,
|
||||||
rec.getType(), key.getAlgorithm(), rec.getTTL(), expire, start,
|
rec.getType(), key.getAlgorithm(), rec.getTTL(), expire, start,
|
||||||
key.getFootprint(), key.getName(), null);
|
key.getFootprint(), key.getName(), null);
|
||||||
@ -223,28 +184,36 @@ public class SignUtils {
|
|||||||
int labels) {
|
int labels) {
|
||||||
DNSOutput image = new DNSOutput();
|
DNSOutput image = new DNSOutput();
|
||||||
|
|
||||||
if (ttl == 0) ttl = rrset.getTTL();
|
if (ttl == 0) {
|
||||||
|
ttl = rrset.getTTL();
|
||||||
|
}
|
||||||
|
|
||||||
Name n = rrset.getName();
|
Name n = rrset.getName();
|
||||||
|
|
||||||
if (labels == 0) {
|
if (labels == 0) {
|
||||||
labels = n.labels();
|
labels = n.labels();
|
||||||
} else {
|
} else {
|
||||||
// correct for Name()'s conception of label count.
|
// correct for Name()'s conception of label count.
|
||||||
labels++;
|
labels++;
|
||||||
}
|
}
|
||||||
|
|
||||||
boolean wildcardName = false;
|
boolean wildcardName = false;
|
||||||
|
|
||||||
if (n.labels() != labels) {
|
if (n.labels() != labels) {
|
||||||
n = n.wild(n.labels() - labels);
|
n = n.wild(n.labels() - labels);
|
||||||
wildcardName = true;
|
wildcardName = true;
|
||||||
// log.trace("Detected wildcard expansion: " + rrset.getName() +
|
log.trace("Detected wildcard expansion: " + rrset.getName() +
|
||||||
// " changed to " + n);
|
" changed to " + n);
|
||||||
}
|
}
|
||||||
|
|
||||||
// now convert the wire format records in the RRset into a
|
// now convert the wire format records in the RRset into a
|
||||||
// list of byte arrays.
|
// list of byte arrays.
|
||||||
ArrayList<byte []> canonical_rrs = new ArrayList<byte []>();
|
ArrayList<byte []> canonical_rrs = new ArrayList<byte []>();
|
||||||
|
|
||||||
for (Iterator i = rrset.rrs(); i.hasNext();) {
|
for (Iterator i = rrset.rrs(); i.hasNext();) {
|
||||||
Record r = (Record) i.next();
|
Record r = (Record) i.next();
|
||||||
if (r.getTTL() != ttl || wildcardName) {
|
|
||||||
|
if ((r.getTTL() != ttl) || wildcardName) {
|
||||||
// If necessary, we need to create a new record with a new ttl
|
// If necessary, we need to create a new record with a new ttl
|
||||||
// or ownername.
|
// or ownername.
|
||||||
// In the TTL case, this avoids changing the ttl in the
|
// In the TTL case, this avoids changing the ttl in the
|
||||||
@ -252,6 +221,7 @@ public class SignUtils {
|
|||||||
r = Record.newRecord(n, r.getType(), r.getDClass(), ttl,
|
r = Record.newRecord(n, r.getType(), r.getDClass(), ttl,
|
||||||
r.rdataToWireCanonical());
|
r.rdataToWireCanonical());
|
||||||
}
|
}
|
||||||
|
|
||||||
byte [] wire_fmt = r.toWireCanonical();
|
byte [] wire_fmt = r.toWireCanonical();
|
||||||
canonical_rrs.add(wire_fmt);
|
canonical_rrs.add(wire_fmt);
|
||||||
}
|
}
|
||||||
@ -259,8 +229,8 @@ public class SignUtils {
|
|||||||
// put the records into the correct ordering.
|
// put the records into the correct ordering.
|
||||||
// Calculate the offset where the RDATA begins (we have to skip
|
// Calculate the offset where the RDATA begins (we have to skip
|
||||||
// past the length byte)
|
// past the length byte)
|
||||||
|
int offset = rrset.getName().toWireCanonical().length +
|
||||||
int offset = rrset.getName().toWireCanonical().length + 10;
|
10;
|
||||||
ByteArrayComparator bac = new ByteArrayComparator(offset, false);
|
ByteArrayComparator bac = new ByteArrayComparator(offset, false);
|
||||||
|
|
||||||
Collections.sort(canonical_rrs, bac);
|
Collections.sort(canonical_rrs, bac);
|
||||||
@ -286,8 +256,7 @@ public class SignUtils {
|
|||||||
public static byte [] generateSigData(RRset rrset, RRSIGRecord presig)
|
public static byte [] generateSigData(RRset rrset, RRSIGRecord presig)
|
||||||
throws IOException {
|
throws IOException {
|
||||||
byte [] rrset_data = generateCanonicalRRsetData(rrset,
|
byte [] rrset_data = generateCanonicalRRsetData(rrset,
|
||||||
presig.getOrigTTL(),
|
presig.getOrigTTL(), presig.getLabels());
|
||||||
presig.getLabels());
|
|
||||||
|
|
||||||
return generateSigData(rrset_data, presig);
|
return generateSigData(rrset_data, presig);
|
||||||
}
|
}
|
||||||
@ -308,8 +277,8 @@ public class SignUtils {
|
|||||||
throws IOException {
|
throws IOException {
|
||||||
byte [] sig_rdata = generatePreSigRdata(presig);
|
byte [] sig_rdata = generatePreSigRdata(presig);
|
||||||
|
|
||||||
ByteArrayOutputStream image = new ByteArrayOutputStream(
|
ByteArrayOutputStream image = new ByteArrayOutputStream(sig_rdata.length +
|
||||||
sig_rdata.length + rrset_data.length);
|
rrset_data.length);
|
||||||
|
|
||||||
image.write(sig_rdata);
|
image.write(sig_rdata);
|
||||||
image.write(rrset_data);
|
image.write(rrset_data);
|
||||||
@ -327,12 +296,12 @@ public class SignUtils {
|
|||||||
* the prototype RRSIG RR to add the signature to.
|
* the prototype RRSIG RR to add the signature to.
|
||||||
* @return the fully formed RRSIG RR.
|
* @return the fully formed RRSIG RR.
|
||||||
*/
|
*/
|
||||||
public static RRSIGRecord generateRRSIG(byte[] signature, RRSIGRecord presig) {
|
public static RRSIGRecord generateRRSIG(byte [] signature,
|
||||||
|
RRSIGRecord presig) {
|
||||||
return new RRSIGRecord(presig.getName(), presig.getDClass(),
|
return new RRSIGRecord(presig.getName(), presig.getDClass(),
|
||||||
presig.getTTL(), presig.getTypeCovered(),
|
presig.getTTL(), presig.getTypeCovered(), presig.getAlgorithm(),
|
||||||
presig.getAlgorithm(), presig.getOrigTTL(), presig.getExpire(),
|
presig.getOrigTTL(), presig.getExpire(), presig.getTimeSigned(),
|
||||||
presig.getTimeSigned(), presig.getFootprint(),
|
presig.getFootprint(), presig.getSigner(), signature);
|
||||||
presig.getSigner(), signature);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -356,23 +325,29 @@ public class SignUtils {
|
|||||||
*/
|
*/
|
||||||
public static byte [] convertDSASignature(byte [] signature)
|
public static byte [] convertDSASignature(byte [] signature)
|
||||||
throws SignatureException {
|
throws SignatureException {
|
||||||
if (signature.length != 41)
|
if (signature.length != 41) {
|
||||||
throw new SignatureException(
|
throw new SignatureException(
|
||||||
"RFC 2536 signature not expected length.");
|
"RFC 2536 signature not expected length.");
|
||||||
|
}
|
||||||
|
|
||||||
byte r_pad = 0;
|
byte r_pad = 0;
|
||||||
byte s_pad = 0;
|
byte s_pad = 0;
|
||||||
|
|
||||||
// handle initial null byte padding.
|
// handle initial null byte padding.
|
||||||
if (signature[1] < 0) r_pad++;
|
if (signature[1] < 0) {
|
||||||
if (signature[21] < 0) s_pad++;
|
r_pad++;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (signature[21] < 0) {
|
||||||
|
s_pad++;
|
||||||
|
}
|
||||||
|
|
||||||
// ASN.1 length = R length + S length + (2 + 2 + 2), where each 2
|
// ASN.1 length = R length + S length + (2 + 2 + 2), where each 2
|
||||||
// is for a ASN.1 type-length byte pair of which there are three
|
// is for a ASN.1 type-length byte pair of which there are three
|
||||||
// (SEQ, INT, INT).
|
// (SEQ, INT, INT).
|
||||||
byte sig_length = (byte) (40 + r_pad + s_pad + 6);
|
byte sig_length = (byte) (40 + r_pad + s_pad + 6);
|
||||||
|
|
||||||
byte sig[] = new byte[sig_length];
|
byte [] sig = new byte[sig_length];
|
||||||
byte pos = 0;
|
byte pos = 0;
|
||||||
|
|
||||||
sig[pos++] = ASN1_SEQ;
|
sig[pos++] = ASN1_SEQ;
|
||||||
@ -381,7 +356,9 @@ public class SignUtils {
|
|||||||
sig[pos++] = (byte) (20 + r_pad);
|
sig[pos++] = (byte) (20 + r_pad);
|
||||||
|
|
||||||
// copy the value of R, leaving a null byte if necessary
|
// copy the value of R, leaving a null byte if necessary
|
||||||
if (r_pad == 1) sig[pos++] = 0;
|
if (r_pad == 1) {
|
||||||
|
sig[pos++] = 0;
|
||||||
|
}
|
||||||
|
|
||||||
System.arraycopy(signature, 1, sig, pos, 20);
|
System.arraycopy(signature, 1, sig, pos, 20);
|
||||||
pos += 20;
|
pos += 20;
|
||||||
@ -390,7 +367,9 @@ public class SignUtils {
|
|||||||
sig[pos++] = (byte) (20 + s_pad);
|
sig[pos++] = (byte) (20 + s_pad);
|
||||||
|
|
||||||
// copy the value of S, leaving a null byte if necessary
|
// copy the value of S, leaving a null byte if necessary
|
||||||
if (s_pad == 1) sig[pos++] = 0;
|
if (s_pad == 1) {
|
||||||
|
sig[pos++] = 0;
|
||||||
|
}
|
||||||
|
|
||||||
System.arraycopy(signature, 21, sig, pos, 20);
|
System.arraycopy(signature, 21, sig, pos, 20);
|
||||||
|
|
||||||
@ -418,9 +397,9 @@ public class SignUtils {
|
|||||||
* @throws SignatureException
|
* @throws SignatureException
|
||||||
* if something is wrong with the ASN.1 format.
|
* if something is wrong with the ASN.1 format.
|
||||||
*/
|
*/
|
||||||
public static byte[] convertDSASignature(DSAParams params, byte[] signature)
|
public static byte [] convertDSASignature(DSAParams params,
|
||||||
throws SignatureException {
|
byte [] signature) throws SignatureException {
|
||||||
if (signature[0] != ASN1_SEQ || signature[2] != ASN1_INT) {
|
if ((signature[0] != ASN1_SEQ) || (signature[2] != ASN1_INT)) {
|
||||||
throw new SignatureException(
|
throw new SignatureException(
|
||||||
"Invalid ASN.1 signature format: expected SEQ, INT");
|
"Invalid ASN.1 signature format: expected SEQ, INT");
|
||||||
}
|
}
|
||||||
@ -432,7 +411,7 @@ public class SignUtils {
|
|||||||
"Invalid ASN.1 signature format: expected SEQ, INT, INT");
|
"Invalid ASN.1 signature format: expected SEQ, INT, INT");
|
||||||
}
|
}
|
||||||
|
|
||||||
// log.trace("(start) ASN.1 DSA Sig:\n" + base64.toString(signature));
|
log.trace("(start) ASN.1 DSA Sig:\n" + base64.toString(signature));
|
||||||
|
|
||||||
byte s_pad = (byte) (signature[25 + r_pad] - 20);
|
byte s_pad = (byte) (signature[25 + r_pad] - 20);
|
||||||
|
|
||||||
@ -458,19 +437,50 @@ public class SignUtils {
|
|||||||
// S is shorter than 20 bytes, so right justify the number
|
// S is shorter than 20 bytes, so right justify the number
|
||||||
// (s_pad is negative here).
|
// (s_pad is negative here).
|
||||||
Arrays.fill(sig, 21, 21 - s_pad, (byte) 0);
|
Arrays.fill(sig, 21, 21 - s_pad, (byte) 0);
|
||||||
System.arraycopy(signature, 26 + r_pad, sig, 21 - s_pad, 20 + s_pad);
|
System.arraycopy(signature, 26 + r_pad, sig, 21 - s_pad, 20 +
|
||||||
|
s_pad);
|
||||||
}
|
}
|
||||||
|
|
||||||
// if (r_pad < 0 || s_pad < 0)
|
if ((r_pad < 0) || (s_pad < 0)) {
|
||||||
// {
|
log.trace("(finish ***) RFC 2536 DSA Sig:\n" +
|
||||||
// log.trace("(finish ***) RFC 2536 DSA Sig:\n" + base64.toString(sig));
|
base64.toString(sig));
|
||||||
//
|
} else {
|
||||||
// }
|
log.trace("(finish) RFC 2536 DSA Sig:\n" + base64.toString(sig));
|
||||||
// else
|
}
|
||||||
// {
|
|
||||||
// log.trace("(finish) RFC 2536 DSA Sig:\n" + base64.toString(sig));
|
|
||||||
// }
|
|
||||||
|
|
||||||
return sig;
|
return sig;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This class implements a basic comparator for byte arrays. It is primarily
|
||||||
|
* useful for comparing RDATA portions of DNS records in doing DNSSEC
|
||||||
|
* canonical ordering.
|
||||||
|
*/
|
||||||
|
public static class ByteArrayComparator implements Comparator<byte []> {
|
||||||
|
private int mOffset = 0;
|
||||||
|
private boolean mDebug = false;
|
||||||
|
|
||||||
|
public ByteArrayComparator() {}
|
||||||
|
|
||||||
|
public ByteArrayComparator(int offset, boolean debug) {
|
||||||
|
mOffset = offset;
|
||||||
|
mDebug = debug;
|
||||||
|
}
|
||||||
|
|
||||||
|
public int compare(byte [] b1, byte [] b2) throws ClassCastException {
|
||||||
|
for (int i = mOffset; (i < b1.length) && (i < b2.length); i++) {
|
||||||
|
if (b1[i] != b2[i]) {
|
||||||
|
if (mDebug) {
|
||||||
|
System.out.println("offset " + i +
|
||||||
|
" differs (this is " + (i - mOffset) +
|
||||||
|
" bytes in from our offset.)");
|
||||||
|
}
|
||||||
|
|
||||||
|
return (b1[i] & 0xFF) - (b2[i] & 0xFF);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return b1.length - b2.length;
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
@ -1,37 +1,32 @@
|
|||||||
/*
|
/***************************** -*- Java -*- ********************************\
|
||||||
* Copyright (c) 2009 VeriSign, Inc. All rights reserved.
|
* *
|
||||||
*
|
* Copyright (c) 2009 VeriSign, Inc. All rights reserved. *
|
||||||
* Redistribution and use in source and binary forms, with or without
|
* *
|
||||||
* modification, are permitted provided that the following conditions
|
* This software is provided solely in connection with the terms of the *
|
||||||
* are met:
|
* license agreement. Any other use without the prior express written *
|
||||||
*
|
* permission of VeriSign is completely prohibited. The software and *
|
||||||
* 1. Redistributions of source code must retain the above copyright
|
* documentation are "Commercial Items", as that term is defined in 48 *
|
||||||
* notice, this list of conditions and the following disclaimer.
|
* C.F.R. section 2.101, consisting of "Commercial Computer Software" and *
|
||||||
* 2. Redistributions in binary form must reproduce the above copyright
|
* "Commercial Computer Software Documentation" as such terms are defined *
|
||||||
* notice, this list of conditions and the following disclaimer in the
|
* in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section *
|
||||||
* documentation and/or other materials provided with the distribution.
|
* 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. *
|
||||||
* 3. The name of the author may not be used to endorse or promote products
|
* section 227.7202, as applicable. Pursuant to the above and other *
|
||||||
* derived from this software without specific prior written permission.
|
* relevant sections of the Code of Federal Regulations, as applicable, *
|
||||||
*
|
* VeriSign's publications, commercial computer software, and commercial *
|
||||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
* computer software documentation are distributed and licensed to United *
|
||||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
* States Government end users with only those rights as granted to all *
|
||||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
* other end users, according to the terms and conditions contained in the *
|
||||||
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
* license agreement(s) that accompany the products and software *
|
||||||
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
* documentation. *
|
||||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
* *
|
||||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
\***************************************************************************/
|
||||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
||||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
||||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
|
|
||||||
package com.versign.tat.dnssec;
|
package com.verisign.tat.dnssec;
|
||||||
|
|
||||||
import java.util.HashMap;
|
import org.xbill.DNS.*;
|
||||||
import java.util.Map;
|
|
||||||
|
import java.util.*;
|
||||||
|
|
||||||
import org.xbill.DNS.Name;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
*
|
*
|
||||||
@ -51,6 +46,7 @@ public class TrustAnchorStore {
|
|||||||
if (mMap == null) {
|
if (mMap == null) {
|
||||||
mMap = new HashMap<String, SRRset>();
|
mMap = new HashMap<String, SRRset>();
|
||||||
}
|
}
|
||||||
|
|
||||||
String k = key(rrset.getName(), rrset.getDClass());
|
String k = key(rrset.getName(), rrset.getDClass());
|
||||||
rrset.setSecurityStatus(SecurityStatus.SECURE);
|
rrset.setSecurityStatus(SecurityStatus.SECURE);
|
||||||
|
|
||||||
@ -58,17 +54,26 @@ public class TrustAnchorStore {
|
|||||||
}
|
}
|
||||||
|
|
||||||
private SRRset lookup(String key) {
|
private SRRset lookup(String key) {
|
||||||
if (mMap == null) return null;
|
if (mMap == null) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
return mMap.get(key);
|
return mMap.get(key);
|
||||||
}
|
}
|
||||||
|
|
||||||
public SRRset find(Name n, int dclass) {
|
public SRRset find(Name n, int dclass) {
|
||||||
if (mMap == null) return null;
|
if (mMap == null) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
while (n.labels() > 0) {
|
while (n.labels() > 0) {
|
||||||
String k = key(n, dclass);
|
String k = key(n, dclass);
|
||||||
SRRset r = lookup(k);
|
SRRset r = lookup(k);
|
||||||
if (r != null) return r;
|
|
||||||
|
if (r != null) {
|
||||||
|
return r;
|
||||||
|
}
|
||||||
|
|
||||||
n = new Name(n, 1);
|
n = new Name(n, 1);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -79,4 +84,19 @@ public class TrustAnchorStore {
|
|||||||
return find(n, dclass) != null;
|
return find(n, dclass) != null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public List<String> listTrustAnchors() {
|
||||||
|
List<String> res = new ArrayList<String>();
|
||||||
|
|
||||||
|
for (Map.Entry<String, SRRset> entry : mMap.entrySet()) {
|
||||||
|
for (Iterator<Record> i = entry.getValue().rrs(); i.hasNext();) {
|
||||||
|
DNSKEYRecord r = (DNSKEYRecord) i.next();
|
||||||
|
String key_desc = r.getName().toString() + "/" +
|
||||||
|
DNSSEC.Algorithm.string(r.getAlgorithm()) + "/" +
|
||||||
|
r.getFootprint();
|
||||||
|
res.add(key_desc);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return res;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
@ -1,44 +1,37 @@
|
|||||||
/*
|
/***************************** -*- Java -*- ********************************\
|
||||||
* $Id$
|
* *
|
||||||
*
|
* Copyright (c) 2009 VeriSign, Inc. All rights reserved. *
|
||||||
* Copyright (c) 2005 VeriSign. All rights reserved.
|
* *
|
||||||
*
|
* This software is provided solely in connection with the terms of the *
|
||||||
* Redistribution and use in source and binary forms, with or without
|
* license agreement. Any other use without the prior express written *
|
||||||
* modification, are permitted provided that the following conditions are met:
|
* permission of VeriSign is completely prohibited. The software and *
|
||||||
*
|
* documentation are "Commercial Items", as that term is defined in 48 *
|
||||||
* 1. Redistributions of source code must retain the above copyright notice,
|
* C.F.R. section 2.101, consisting of "Commercial Computer Software" and *
|
||||||
* this list of conditions and the following disclaimer. 2. Redistributions in
|
* "Commercial Computer Software Documentation" as such terms are defined *
|
||||||
* binary form must reproduce the above copyright notice, this list of
|
* in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section *
|
||||||
* conditions and the following disclaimer in the documentation and/or other
|
* 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. *
|
||||||
* materials provided with the distribution. 3. The name of the author may not
|
* section 227.7202, as applicable. Pursuant to the above and other *
|
||||||
* be used to endorse or promote products derived from this software without
|
* relevant sections of the Code of Federal Regulations, as applicable, *
|
||||||
* specific prior written permission.
|
* VeriSign's publications, commercial computer software, and commercial *
|
||||||
*
|
* computer software documentation are distributed and licensed to United *
|
||||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
* States Government end users with only those rights as granted to all *
|
||||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
* other end users, according to the terms and conditions contained in the *
|
||||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
|
* license agreement(s) that accompany the products and software *
|
||||||
* NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
* documentation. *
|
||||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
|
* *
|
||||||
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
\***************************************************************************/
|
||||||
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
||||||
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
||||||
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
||||||
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
|
|
||||||
package com.versign.tat.dnssec;
|
package com.verisign.tat.dnssec;
|
||||||
|
|
||||||
|
import org.xbill.DNS.Name;
|
||||||
|
|
||||||
import java.util.*;
|
import java.util.*;
|
||||||
|
|
||||||
import org.xbill.DNS.Name;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Some basic utility functions.
|
* Some basic utility functions.
|
||||||
*/
|
*/
|
||||||
public class Util
|
public class Util {
|
||||||
{
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Convert a DNS name into a string suitable for use as a cache key.
|
* Convert a DNS name into a string suitable for use as a cache key.
|
||||||
*
|
*
|
||||||
@ -46,57 +39,47 @@ public class Util
|
|||||||
* @return A string representing the name. This isn't ever meant to be
|
* @return A string representing the name. This isn't ever meant to be
|
||||||
* converted back into a DNS name.
|
* converted back into a DNS name.
|
||||||
*/
|
*/
|
||||||
public static String nameToString(Name name)
|
public static String nameToString(Name name) {
|
||||||
{
|
if (name.equals(Name.root)) {
|
||||||
if (name.equals(Name.root)) return ".";
|
return ".";
|
||||||
|
}
|
||||||
|
|
||||||
String n = name.toString().toLowerCase();
|
String n = name.toString().toLowerCase();
|
||||||
if (n.endsWith(".")) n = n.substring(0, n.length() - 1);
|
|
||||||
|
if (n.endsWith(".")) {
|
||||||
|
n = n.substring(0, n.length() - 1);
|
||||||
|
}
|
||||||
|
|
||||||
return n;
|
return n;
|
||||||
}
|
}
|
||||||
|
|
||||||
public static int parseInt(String s, int def)
|
public static int parseInt(String s, int def) {
|
||||||
{
|
if (s == null) {
|
||||||
if (s == null) return def;
|
return def;
|
||||||
try
|
}
|
||||||
{
|
|
||||||
|
try {
|
||||||
return Integer.parseInt(s);
|
return Integer.parseInt(s);
|
||||||
}
|
} catch (NumberFormatException e) {
|
||||||
catch (NumberFormatException e)
|
|
||||||
{
|
|
||||||
return def;
|
return def;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public static long parseLong(String s, long def)
|
public static long parseLong(String s, long def) {
|
||||||
{
|
if (s == null) {
|
||||||
if (s == null) return def;
|
return def;
|
||||||
try
|
}
|
||||||
{
|
|
||||||
|
try {
|
||||||
return Long.parseLong(s);
|
return Long.parseLong(s);
|
||||||
}
|
} catch (NumberFormatException e) {
|
||||||
catch (NumberFormatException e)
|
|
||||||
{
|
|
||||||
return def;
|
return def;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public static class ConfigEntry
|
public static List<ConfigEntry> parseConfigPrefix(Properties config,
|
||||||
{
|
String prefix) {
|
||||||
public String key;
|
if (!prefix.endsWith(".")) {
|
||||||
public String value;
|
|
||||||
|
|
||||||
public ConfigEntry(String key, String value)
|
|
||||||
{
|
|
||||||
this.key = key; this.value = value;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
public static List<ConfigEntry> parseConfigPrefix(Properties config, String prefix)
|
|
||||||
{
|
|
||||||
if (! prefix.endsWith("."))
|
|
||||||
{
|
|
||||||
prefix = prefix + ".";
|
prefix = prefix + ".";
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -104,6 +87,7 @@ public class Util
|
|||||||
|
|
||||||
for (Map.Entry<Object, Object> entry : config.entrySet()) {
|
for (Map.Entry<Object, Object> entry : config.entrySet()) {
|
||||||
String key = (String) entry.getKey();
|
String key = (String) entry.getKey();
|
||||||
|
|
||||||
if (key.startsWith(prefix)) {
|
if (key.startsWith(prefix)) {
|
||||||
key = key.substring(prefix.length());
|
key = key.substring(prefix.length());
|
||||||
res.add(new ConfigEntry(key, (String) entry.getValue()));
|
res.add(new ConfigEntry(key, (String) entry.getValue()));
|
||||||
@ -112,4 +96,14 @@ public class Util
|
|||||||
|
|
||||||
return res;
|
return res;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static class ConfigEntry {
|
||||||
|
public String key;
|
||||||
|
public String value;
|
||||||
|
|
||||||
|
public ConfigEntry(String key, String value) {
|
||||||
|
this.key = key;
|
||||||
|
this.value = value;
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
@ -1,63 +1,45 @@
|
|||||||
/*
|
/***************************** -*- Java -*- ********************************\
|
||||||
* Copyright (c) 2009 VeriSign, Inc. All rights reserved.
|
* *
|
||||||
*
|
* Copyright (c) 2009 VeriSign, Inc. All rights reserved. *
|
||||||
* Redistribution and use in source and binary forms, with or without
|
* *
|
||||||
* modification, are permitted provided that the following conditions
|
* This software is provided solely in connection with the terms of the *
|
||||||
* are met:
|
* license agreement. Any other use without the prior express written *
|
||||||
*
|
* permission of VeriSign is completely prohibited. The software and *
|
||||||
* 1. Redistributions of source code must retain the above copyright
|
* documentation are "Commercial Items", as that term is defined in 48 *
|
||||||
* notice, this list of conditions and the following disclaimer.
|
* C.F.R. section 2.101, consisting of "Commercial Computer Software" and *
|
||||||
* 2. Redistributions in binary form must reproduce the above copyright
|
* "Commercial Computer Software Documentation" as such terms are defined *
|
||||||
* notice, this list of conditions and the following disclaimer in the
|
* in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section *
|
||||||
* documentation and/or other materials provided with the distribution.
|
* 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. *
|
||||||
* 3. The name of the author may not be used to endorse or promote products
|
* section 227.7202, as applicable. Pursuant to the above and other *
|
||||||
* derived from this software without specific prior written permission.
|
* relevant sections of the Code of Federal Regulations, as applicable, *
|
||||||
*
|
* VeriSign's publications, commercial computer software, and commercial *
|
||||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
* computer software documentation are distributed and licensed to United *
|
||||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
* States Government end users with only those rights as granted to all *
|
||||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
* other end users, according to the terms and conditions contained in the *
|
||||||
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
* license agreement(s) that accompany the products and software *
|
||||||
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
* documentation. *
|
||||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
* *
|
||||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
\***************************************************************************/
|
||||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
||||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
||||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
|
|
||||||
package com.versign.tat.dnssec;
|
package com.verisign.tat.dnssec;
|
||||||
|
|
||||||
|
import org.apache.log4j.Logger;
|
||||||
|
|
||||||
|
import org.xbill.DNS.*;
|
||||||
|
|
||||||
import java.security.MessageDigest;
|
import java.security.MessageDigest;
|
||||||
import java.security.NoSuchAlgorithmException;
|
import java.security.NoSuchAlgorithmException;
|
||||||
|
|
||||||
import java.util.Iterator;
|
import java.util.Iterator;
|
||||||
|
|
||||||
import org.xbill.DNS.*;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This is a collection of routines encompassing the logic of validating
|
* This is a collection of routines encompassing the logic of validating
|
||||||
* different message types.
|
* different message types.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
public class ValUtils {
|
public class ValUtils {
|
||||||
|
private static Logger st_log = Logger.getLogger(ValUtils.class);
|
||||||
// These are response subtypes. They are necessary for determining the
|
private Logger log = Logger.getLogger(this.getClass());
|
||||||
// validation strategy. They have no bearing on the iterative resolution
|
|
||||||
// algorithm, so they are confined here.
|
|
||||||
|
|
||||||
public enum ResponseType {
|
|
||||||
UNTYPED, // not sub typed yet
|
|
||||||
UNKNOWN, // not a recognized sub type
|
|
||||||
POSITIVE, // a positive response (no CNAME/DNAME chain)
|
|
||||||
CNAME, // a positive response with a CNAME/DNAME chain.
|
|
||||||
NODATA, // a NOERROR/NODATA response
|
|
||||||
NAMEERROR, // a NXDOMAIN response
|
|
||||||
ANY, // a response to a qtype=ANY query
|
|
||||||
REFERRAL,
|
|
||||||
// a referral response
|
|
||||||
THROWAWAY
|
|
||||||
// a throwaway response (i.e., an error)
|
|
||||||
}
|
|
||||||
|
|
||||||
/** A local copy of the verifier object. */
|
/** A local copy of the verifier object. */
|
||||||
private DnsSecVerifier mVerifier;
|
private DnsSecVerifier mVerifier;
|
||||||
@ -75,11 +57,12 @@ public class ValUtils {
|
|||||||
* @return A subtype ranging from UNKNOWN to NAMEERROR.
|
* @return A subtype ranging from UNKNOWN to NAMEERROR.
|
||||||
*/
|
*/
|
||||||
public static ResponseType classifyResponse(SMessage m, Name zone) {
|
public static ResponseType classifyResponse(SMessage m, Name zone) {
|
||||||
|
|
||||||
SRRset [] rrsets;
|
SRRset [] rrsets;
|
||||||
|
|
||||||
// Normal Name Error's are easy to detect -- but don't mistake a CNAME
|
// Normal Name Error's are easy to detect -- but don't mistake a CNAME
|
||||||
// chain ending in NXDOMAIN.
|
// chain ending in NXDOMAIN.
|
||||||
if (m.getRcode() == Rcode.NXDOMAIN && m.getCount(Section.ANSWER) == 0) {
|
if ((m.getRcode() == Rcode.NXDOMAIN) &&
|
||||||
|
(m.getCount(Section.ANSWER) == 0)) {
|
||||||
return ResponseType.NAMEERROR;
|
return ResponseType.NAMEERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -92,12 +75,13 @@ public class ValUtils {
|
|||||||
// 1) nothing in the ANSWER section
|
// 1) nothing in the ANSWER section
|
||||||
// 2) an NS RRset in the AUTHORITY section that is a strict subdomain of
|
// 2) an NS RRset in the AUTHORITY section that is a strict subdomain of
|
||||||
// 'zone' (the presumed queried zone).
|
// 'zone' (the presumed queried zone).
|
||||||
if (zone != null && m.getCount(Section.ANSWER) == 0
|
if ((zone != null) && (m.getCount(Section.ANSWER) == 0) &&
|
||||||
&& m.getCount(Section.AUTHORITY) > 0) {
|
(m.getCount(Section.AUTHORITY) > 0)) {
|
||||||
rrsets = m.getSectionRRsets(Section.AUTHORITY);
|
rrsets = m.getSectionRRsets(Section.AUTHORITY);
|
||||||
|
|
||||||
for (int i = 0; i < rrsets.length; ++i) {
|
for (int i = 0; i < rrsets.length; ++i) {
|
||||||
if (rrsets[i].getType() == Type.NS
|
if ((rrsets[i].getType() == Type.NS) &&
|
||||||
&& strictSubdomain(rrsets[i].getName(), zone)) {
|
strictSubdomain(rrsets[i].getName(), zone)) {
|
||||||
return ResponseType.REFERRAL;
|
return ResponseType.REFERRAL;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -123,11 +107,17 @@ public class ValUtils {
|
|||||||
// Note that DNAMEs will be ignored here, unless qtype=DNAME. Unless
|
// Note that DNAMEs will be ignored here, unless qtype=DNAME. Unless
|
||||||
// qtype=CNAME, this will yield a CNAME response.
|
// qtype=CNAME, this will yield a CNAME response.
|
||||||
for (int i = 0; i < rrsets.length; i++) {
|
for (int i = 0; i < rrsets.length; i++) {
|
||||||
if (rrsets[i].getType() == qtype) return ResponseType.POSITIVE;
|
if (rrsets[i].getType() == qtype) {
|
||||||
if (rrsets[i].getType() == Type.CNAME) return ResponseType.CNAME;
|
return ResponseType.POSITIVE;
|
||||||
}
|
}
|
||||||
|
|
||||||
// st_log.warn("Failed to classify response message:\n" + m);
|
if (rrsets[i].getType() == Type.CNAME) {
|
||||||
|
return ResponseType.CNAME;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
st_log.warn("Failed to classify response message:\n" + m);
|
||||||
|
|
||||||
return ResponseType.UNKNOWN;
|
return ResponseType.UNKNOWN;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -145,17 +135,21 @@ public class ValUtils {
|
|||||||
// FIXME: this used to classify the message, then look in the pertinent
|
// FIXME: this used to classify the message, then look in the pertinent
|
||||||
// section. Now we just find the first RRSIG in the ANSWER and AUTHORIY
|
// section. Now we just find the first RRSIG in the ANSWER and AUTHORIY
|
||||||
// sections.
|
// sections.
|
||||||
|
for (int section = Section.ANSWER; section < Section.ADDITIONAL;
|
||||||
for (int section = Section.ANSWER; section < Section.ADDITIONAL; ++section) {
|
++section) {
|
||||||
SRRset [] rrsets = m.getSectionRRsets(section);
|
SRRset [] rrsets = m.getSectionRRsets(section);
|
||||||
|
|
||||||
for (int i = 0; i < rrsets.length; ++i) {
|
for (int i = 0; i < rrsets.length; ++i) {
|
||||||
Name signerName = rrsets[i].getSignerName();
|
Name signerName = rrsets[i].getSignerName();
|
||||||
if (signerName != null) return signerName;
|
|
||||||
|
if (signerName != null) {
|
||||||
|
return signerName;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return null;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Given a DNSKEY record, generate the DS record from it.
|
* Given a DNSKEY record, generate the DS record from it.
|
||||||
@ -174,27 +168,39 @@ public class ValUtils {
|
|||||||
|
|
||||||
try {
|
try {
|
||||||
MessageDigest md = null;
|
MessageDigest md = null;
|
||||||
|
|
||||||
switch (ds_alg) {
|
switch (ds_alg) {
|
||||||
case DSRecord.SHA1_DIGEST_ID:
|
case DSRecord.SHA1_DIGEST_ID:
|
||||||
md = MessageDigest.getInstance("SHA");
|
md = MessageDigest.getInstance("SHA");
|
||||||
|
|
||||||
return md.digest(os.toByteArray());
|
return md.digest(os.toByteArray());
|
||||||
|
|
||||||
case DSRecord.SHA256_DIGEST_ID:
|
case DSRecord.SHA256_DIGEST_ID:
|
||||||
md = MessageDigest.getInstance("SHA256");
|
md = MessageDigest.getInstance("SHA256");
|
||||||
|
|
||||||
return md.digest(os.toByteArray());
|
return md.digest(os.toByteArray());
|
||||||
|
|
||||||
default:
|
default:
|
||||||
// st_log.warn("Unknown DS algorithm: " + ds_alg);
|
st_log.warn("Unknown DS algorithm: " + ds_alg);
|
||||||
|
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
} catch (NoSuchAlgorithmException e) {
|
} catch (NoSuchAlgorithmException e) {
|
||||||
// st_log.error("Error using DS algorithm: " + ds_alg, e);
|
st_log.error("Error using DS algorithm: " + ds_alg, e);
|
||||||
|
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public static boolean supportsDigestID(int digest_id) {
|
public static boolean supportsDigestID(int digest_id) {
|
||||||
if (digest_id == DSRecord.SHA1_DIGEST_ID) return true;
|
if (digest_id == DSRecord.SHA1_DIGEST_ID) {
|
||||||
if (digest_id == DSRecord.SHA256_DIGEST_ID) return true;
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (digest_id == DSRecord.SHA256_DIGEST_ID) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -214,6 +220,7 @@ public class ValUtils {
|
|||||||
case Type.RRSIG:
|
case Type.RRSIG:
|
||||||
case Type.NSEC3:
|
case Type.NSEC3:
|
||||||
return true;
|
return true;
|
||||||
|
|
||||||
default:
|
default:
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
@ -229,10 +236,13 @@ public class ValUtils {
|
|||||||
* The security status.
|
* The security status.
|
||||||
*/
|
*/
|
||||||
public static void setRRsetSecurity(SRRset rrset, byte security) {
|
public static void setRRsetSecurity(SRRset rrset, byte security) {
|
||||||
if (rrset == null) return;
|
if (rrset == null) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
int cur_sec = rrset.getSecurityStatus();
|
int cur_sec = rrset.getSecurityStatus();
|
||||||
if (cur_sec == SecurityStatus.UNCHECKED || security > cur_sec) {
|
|
||||||
|
if ((cur_sec == SecurityStatus.UNCHECKED) || (security > cur_sec)) {
|
||||||
rrset.setSecurityStatus(security);
|
rrset.setSecurityStatus(security);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -254,15 +264,20 @@ public class ValUtils {
|
|||||||
* return; } key_rrset = ke.getRRset();
|
* return; } key_rrset = ke.getRRset();
|
||||||
*/
|
*/
|
||||||
public static void setMessageSecurity(SMessage m, byte security) {
|
public static void setMessageSecurity(SMessage m, byte security) {
|
||||||
if (m == null) return;
|
if (m == null) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
int cur_sec = m.getStatus();
|
int cur_sec = m.getStatus();
|
||||||
if (cur_sec == SecurityStatus.UNCHECKED || security > cur_sec) {
|
|
||||||
|
if ((cur_sec == SecurityStatus.UNCHECKED) || (security > cur_sec)) {
|
||||||
m.setStatus(security);
|
m.setStatus(security);
|
||||||
}
|
}
|
||||||
|
|
||||||
for (int section = Section.ANSWER; section <= Section.ADDITIONAL; section++) {
|
for (int section = Section.ANSWER; section <= Section.ADDITIONAL;
|
||||||
|
section++) {
|
||||||
SRRset [] rrsets = m.getSectionRRsets(section);
|
SRRset [] rrsets = m.getSectionRRsets(section);
|
||||||
|
|
||||||
for (int i = 0; i < rrsets.length; i++) {
|
for (int i = 0; i < rrsets.length; i++) {
|
||||||
setRRsetSecurity(rrsets[i], security);
|
setRRsetSecurity(rrsets[i], security);
|
||||||
}
|
}
|
||||||
@ -281,29 +296,30 @@ public class ValUtils {
|
|||||||
* @return The status (BOGUS or SECURE).
|
* @return The status (BOGUS or SECURE).
|
||||||
*/
|
*/
|
||||||
public byte verifySRRset(SRRset rrset, SRRset key_rrset) {
|
public byte verifySRRset(SRRset rrset, SRRset key_rrset) {
|
||||||
// String rrset_name = rrset.getName() + "/"
|
String rrset_name = rrset.getName() + "/" +
|
||||||
// + Type.string(rrset.getType()) + "/"
|
Type.string(rrset.getType()) + "/" +
|
||||||
// + DClass.string(rrset.getDClass());
|
DClass.string(rrset.getDClass());
|
||||||
|
|
||||||
if (rrset.getSecurityStatus() == SecurityStatus.SECURE) {
|
if (rrset.getSecurityStatus() == SecurityStatus.SECURE) {
|
||||||
// log.trace("verifySRRset: rrset <" + rrset_name
|
log.trace("verifySRRset: rrset <" + rrset_name +
|
||||||
// + "> previously found to be SECURE");
|
"> previously found to be SECURE");
|
||||||
|
|
||||||
return SecurityStatus.SECURE;
|
return SecurityStatus.SECURE;
|
||||||
}
|
}
|
||||||
|
|
||||||
byte status = mVerifier.verify(rrset, key_rrset);
|
byte status = mVerifier.verify(rrset, key_rrset);
|
||||||
|
|
||||||
if (status != SecurityStatus.SECURE) {
|
if (status != SecurityStatus.SECURE) {
|
||||||
// log.debug("verifySRRset: rrset <" + rrset_name +
|
log.debug("verifySRRset: rrset <" + rrset_name +
|
||||||
// "> found to be BAD");
|
"> found to be BAD");
|
||||||
status = SecurityStatus.BOGUS;
|
status = SecurityStatus.BOGUS;
|
||||||
|
} else {
|
||||||
|
log.trace("verifySRRset: rrset <" + rrset_name +
|
||||||
|
"> found to be SECURE");
|
||||||
}
|
}
|
||||||
// else
|
|
||||||
// {
|
|
||||||
// log.trace("verifySRRset: rrset <" + rrset_name +
|
|
||||||
// "> found to be SECURE");
|
|
||||||
// }
|
|
||||||
|
|
||||||
rrset.setSecurityStatus(status);
|
rrset.setSecurityStatus(status);
|
||||||
|
|
||||||
return status;
|
return status;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -318,8 +334,11 @@ public class ValUtils {
|
|||||||
*/
|
*/
|
||||||
public static boolean typeMapHasType(int [] types, int type) {
|
public static boolean typeMapHasType(int [] types, int type) {
|
||||||
for (int i = 0; i < types.length; i++) {
|
for (int i = 0; i < types.length; i++) {
|
||||||
if (types[i] == type) return true;
|
if (types[i] == type) {
|
||||||
|
return true;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -328,6 +347,7 @@ public class ValUtils {
|
|||||||
for (Iterator i = rrset.sigs(); i.hasNext();) {
|
for (Iterator i = rrset.sigs(); i.hasNext();) {
|
||||||
return (RRSIGRecord) i.next();
|
return (RRSIGRecord) i.next();
|
||||||
}
|
}
|
||||||
|
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -339,17 +359,21 @@ public class ValUtils {
|
|||||||
* @return
|
* @return
|
||||||
*/
|
*/
|
||||||
public static Name longestCommonName(Name domain1, Name domain2) {
|
public static Name longestCommonName(Name domain1, Name domain2) {
|
||||||
if (domain1 == null || domain2 == null) return null;
|
if ((domain1 == null) || (domain2 == null)) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
// for now, do this in a a fairly brute force way
|
// for now, do this in a a fairly brute force way
|
||||||
// FIXME: convert this to direct operations on the byte[]
|
// FIXME: convert this to direct operations on the byte[]
|
||||||
|
|
||||||
int d1_labels = domain1.labels();
|
int d1_labels = domain1.labels();
|
||||||
int d2_labels = domain2.labels();
|
int d2_labels = domain2.labels();
|
||||||
|
|
||||||
int l = (d1_labels < d2_labels) ? d1_labels : d2_labels;
|
int l = (d1_labels < d2_labels) ? d1_labels : d2_labels;
|
||||||
|
|
||||||
for (int i = l; i > 0; i--) {
|
for (int i = l; i > 0; i--) {
|
||||||
Name n1 = new Name(domain1, d1_labels - i);
|
Name n1 = new Name(domain1, d1_labels - i);
|
||||||
Name n2 = new Name(domain2, d2_labels - i);
|
Name n2 = new Name(domain2, d2_labels - i);
|
||||||
|
|
||||||
if (n1.equals(n2)) {
|
if (n1.equals(n2)) {
|
||||||
return n1;
|
return n1;
|
||||||
}
|
}
|
||||||
@ -361,9 +385,13 @@ public class ValUtils {
|
|||||||
public static boolean strictSubdomain(Name child, Name parent) {
|
public static boolean strictSubdomain(Name child, Name parent) {
|
||||||
int clabels = child.labels();
|
int clabels = child.labels();
|
||||||
int plabels = parent.labels();
|
int plabels = parent.labels();
|
||||||
if (plabels >= clabels) return false;
|
|
||||||
|
if (plabels >= clabels) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
Name n = new Name(child, clabels - plabels);
|
Name n = new Name(child, clabels - plabels);
|
||||||
|
|
||||||
return parent.equals(n);
|
return parent.equals(n);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -377,10 +405,13 @@ public class ValUtils {
|
|||||||
* for all unsigned rrsets.
|
* for all unsigned rrsets.
|
||||||
*/
|
*/
|
||||||
public static boolean rrsetIsWildcardExpansion(RRset rrset) {
|
public static boolean rrsetIsWildcardExpansion(RRset rrset) {
|
||||||
if (rrset == null) return false;
|
if (rrset == null) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
RRSIGRecord rrsig = rrsetFirstSig(rrset);
|
RRSIGRecord rrsig = rrsetFirstSig(rrset);
|
||||||
|
|
||||||
if (rrset.getName().labels() - 1 > rrsig.getLabels()) {
|
if ((rrset.getName().labels() - 1) > rrsig.getLabels()) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -398,16 +429,21 @@ public class ValUtils {
|
|||||||
* null if not.
|
* null if not.
|
||||||
*/
|
*/
|
||||||
public static Name rrsetWildcard(RRset rrset) {
|
public static Name rrsetWildcard(RRset rrset) {
|
||||||
if (rrset == null) return null;
|
if (rrset == null) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
RRSIGRecord rrsig = rrsetFirstSig(rrset);
|
RRSIGRecord rrsig = rrsetFirstSig(rrset);
|
||||||
|
|
||||||
// if the RRSIG label count is shorter than the number of actual labels,
|
// if the RRSIG label count is shorter than the number of actual labels,
|
||||||
// then this rrset was synthesized from a wildcard.
|
// then this rrset was synthesized from a wildcard.
|
||||||
// Note that the RRSIG label count doesn't count the root label.
|
// Note that the RRSIG label count doesn't count the root label.
|
||||||
int label_diff = (rrset.getName().labels() - 1) - rrsig.getLabels();
|
int label_diff = (rrset.getName().labels() - 1) - rrsig.getLabels();
|
||||||
|
|
||||||
if (label_diff > 0) {
|
if (label_diff > 0) {
|
||||||
return rrset.getName().wild(label_diff);
|
return rrset.getName().wild(label_diff);
|
||||||
}
|
}
|
||||||
|
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -454,17 +490,19 @@ public class ValUtils {
|
|||||||
// If NSEC is a parent of qname, we need to check the type map
|
// If NSEC is a parent of qname, we need to check the type map
|
||||||
// If the parent name has a DNAME or is a delegation point, then this
|
// If the parent name has a DNAME or is a delegation point, then this
|
||||||
// NSEC is being misused.
|
// NSEC is being misused.
|
||||||
boolean hasBadType = typeMapHasType(nsec.getTypes(), Type.DNAME)
|
boolean hasBadType = typeMapHasType(nsec.getTypes(), Type.DNAME) ||
|
||||||
|| (typeMapHasType(nsec.getTypes(), Type.NS) && !typeMapHasType(nsec.getTypes(),
|
(typeMapHasType(nsec.getTypes(), Type.NS) &&
|
||||||
Type.SOA));
|
!typeMapHasType(nsec.getTypes(), Type.SOA));
|
||||||
|
|
||||||
if (qname.subdomain(owner) && hasBadType) {
|
if (qname.subdomain(owner) && hasBadType) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (qname.compareTo(owner) > 0 && (qname.compareTo(next) < 0)
|
if (((qname.compareTo(owner) > 0) && (qname.compareTo(next) < 0)) ||
|
||||||
|| signerName.equals(next)) {
|
signerName.equals(next)) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -490,8 +528,9 @@ public class ValUtils {
|
|||||||
|
|
||||||
for (int i = qname_labels - signer_labels; i > 0; i--) {
|
for (int i = qname_labels - signer_labels; i > 0; i--) {
|
||||||
Name wc_name = qname.wild(i);
|
Name wc_name = qname.wild(i);
|
||||||
if (wc_name.compareTo(owner) > 0
|
|
||||||
&& (wc_name.compareTo(next) < 0 || signerName.equals(next))) {
|
if ((wc_name.compareTo(owner) > 0) &&
|
||||||
|
((wc_name.compareTo(next) < 0) || signerName.equals(next))) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -532,10 +571,11 @@ public class ValUtils {
|
|||||||
// The qname must be a strict subdomain of the closest encloser,
|
// The qname must be a strict subdomain of the closest encloser,
|
||||||
// and
|
// and
|
||||||
// the qtype must be absent from the type map.
|
// the qtype must be absent from the type map.
|
||||||
if (!strictSubdomain(qname, ce)
|
if (!strictSubdomain(qname, ce) ||
|
||||||
|| typeMapHasType(nsec.getTypes(), qtype)) {
|
typeMapHasType(nsec.getTypes(), qtype)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -545,10 +585,11 @@ public class ValUtils {
|
|||||||
// be
|
// be
|
||||||
// less than qname, and the next name will be a child domain of the
|
// less than qname, and the next name will be a child domain of the
|
||||||
// qname.
|
// qname.
|
||||||
if (strictSubdomain(nsec.getNext(), qname)
|
if (strictSubdomain(nsec.getNext(), qname) &&
|
||||||
&& qname.compareTo(nsec.getName()) > 0) {
|
(qname.compareTo(nsec.getName()) > 0)) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Otherwise, this NSEC does not prove ENT, so it does not prove
|
// Otherwise, this NSEC does not prove ENT, so it does not prove
|
||||||
// NODATA.
|
// NODATA.
|
||||||
return false;
|
return false;
|
||||||
@ -569,8 +610,8 @@ public class ValUtils {
|
|||||||
// not a zone apex), then we should have gotten a referral (or we just
|
// not a zone apex), then we should have gotten a referral (or we just
|
||||||
// got
|
// got
|
||||||
// the wrong NSEC).
|
// the wrong NSEC).
|
||||||
if (typeMapHasType(nsec.getTypes(), Type.NS)
|
if (typeMapHasType(nsec.getTypes(), Type.NS) &&
|
||||||
&& !typeMapHasType(nsec.getTypes(), Type.SOA)) {
|
!typeMapHasType(nsec.getTypes(), Type.SOA)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -580,6 +621,7 @@ public class ValUtils {
|
|||||||
public static byte nsecProvesNoDS(NSECRecord nsec, Name qname) {
|
public static byte nsecProvesNoDS(NSECRecord nsec, Name qname) {
|
||||||
// Could check to make sure the qname is a subdomain of nsec
|
// Could check to make sure the qname is a subdomain of nsec
|
||||||
int [] types = nsec.getTypes();
|
int [] types = nsec.getTypes();
|
||||||
|
|
||||||
if (typeMapHasType(types, Type.SOA) || typeMapHasType(types, Type.DS)) {
|
if (typeMapHasType(types, Type.SOA) || typeMapHasType(types, Type.DS)) {
|
||||||
// SOA present means that this is the NSEC from the child, not the
|
// SOA present means that this is the NSEC from the child, not the
|
||||||
// parent (so it is the wrong one)
|
// parent (so it is the wrong one)
|
||||||
@ -594,8 +636,18 @@ public class ValUtils {
|
|||||||
// anything one way or the other.
|
// anything one way or the other.
|
||||||
return SecurityStatus.INSECURE;
|
return SecurityStatus.INSECURE;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Otherwise, this proves no DS.
|
// Otherwise, this proves no DS.
|
||||||
return SecurityStatus.SECURE;
|
return SecurityStatus.SECURE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// These are response subtypes. They are necessary for determining the
|
||||||
|
// validation strategy. They have no bearing on the iterative resolution
|
||||||
|
// algorithm, so they are confined here.
|
||||||
|
public enum ResponseType {UNTYPED, UNKNOWN, POSITIVE, CNAME, NODATA,
|
||||||
|
NAMEERROR, ANY, REFERRAL,
|
||||||
|
// a referral response
|
||||||
|
THROWAWAY;
|
||||||
|
// a throwaway response (i.e., an error)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user