davidb
/
captive-validator
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

sync with external work.

This commit is contained in:
davidb 2010-05-30 18:34:04 -04:00
parent bc7e5dae8e
commit 657c073cc5
10 changed files with 2027 additions and 1614 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

668
src/com/versign/tat/dnssec/CaptiveValidator.java
View File

File diff suppressed because it is too large Load Diff

894
src/com/versign/tat/dnssec/DnsSecVerifier.java
View File

@ -1,42 +1,38 @@
/* /***************************** -*- Java -*- ********************************\
* Copyright (c) 2009 VeriSign, Inc. All rights reserved. * *
* * Copyright (c) 2009 VeriSign, Inc. All rights reserved. *
* Redistribution and use in source and binary forms, with or without * *
* modification, are permitted provided that the following conditions * This software is provided solely in connection with the terms of the *
* are met: * license agreement. Any other use without the prior express written *
* * permission of VeriSign is completely prohibited. The software and *
* 1. Redistributions of source code must retain the above copyright * documentation are "Commercial Items", as that term is defined in 48 *
* notice, this list of conditions and the following disclaimer. * C.F.R. section 2.101, consisting of "Commercial Computer Software" and *
* 2. Redistributions in binary form must reproduce the above copyright * "Commercial Computer Software Documentation" as such terms are defined *
* notice, this list of conditions and the following disclaimer in the * in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section *
* documentation and/or other materials provided with the distribution. * 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. *
* 3. The name of the author may not be used to endorse or promote products * section 227.7202, as applicable. Pursuant to the above and other *
* derived from this software without specific prior written permission. * relevant sections of the Code of Federal Regulations, as applicable, *
* * VeriSign's publications, commercial computer software, and commercial *
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * computer software documentation are distributed and licensed to United *
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * States Government end users with only those rights as granted to all *
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * other end users, according to the terms and conditions contained in the *
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * license agreement(s) that accompany the products and software *
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * documentation. *
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * *
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \***************************************************************************/
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
package com.versign.tat.dnssec; package com.verisign.tat.dnssec;
import java.util.*; import org.apache.log4j.Logger;
import java.io.*;
import java.security.*;
import org.xbill.DNS.*; import org.xbill.DNS.*;
import org.xbill.DNS.security.*; import org.xbill.DNS.security.*;
import com.versign.tat.dnssec.SecurityStatus; import java.io.*;
import com.versign.tat.dnssec.Util;
import java.security.*;
import java.util.*;
/** /**
@ -44,445 +40,483 @@ import com.versign.tat.dnssec.Util;
* contains a similar class. This is a re-implementation that allows us to have * contains a similar class. This is a re-implementation that allows us to have
* finer control over the validation process. * finer control over the validation process.
*/ */
public class DnsSecVerifier public class DnsSecVerifier {
{ public static final int UNKNOWN = 0;
public static final int UNKNOWN = 0; public static final int RSA = 1;
public static final int RSA = 1; public static final int DSA = 2;
public static final int DSA = 2; private Logger log = Logger.getLogger(this.getClass());
/** /**
* This is a mapping of DNSSEC algorithm numbers/private identifiers to JCA * This is a mapping of DNSSEC algorithm numbers/private identifiers to JCA
* algorithm identifiers. * algorithm identifiers.
*/ */
private HashMap<Integer, AlgEntry> mAlgorithmMap; private HashMap<Integer, AlgEntry> mAlgorithmMap;
private static class AlgEntry public DnsSecVerifier() {
{ mAlgorithmMap = new HashMap<Integer, AlgEntry>();
public String jcaName;
public boolean isDSA;
public int dnssecAlg;
public AlgEntry(String name, int dnssecAlg, boolean isDSA) // set the default algorithm map.
{ mAlgorithmMap.put(new Integer(DNSSEC.RSAMD5),
jcaName = name; new AlgEntry("MD5withRSA", DNSSEC.RSAMD5, false));
this.dnssecAlg = dnssecAlg; mAlgorithmMap.put(new Integer(DNSSEC.DSA),
this.isDSA = isDSA; new AlgEntry("SHA1withDSA", DNSSEC.DSA, true));
} mAlgorithmMap.put(new Integer(DNSSEC.RSASHA1),
} new AlgEntry("SHA1withRSA", DNSSEC.RSASHA1, false));
mAlgorithmMap.put(new Integer(DNSSEC.DSA_NSEC3_SHA1),
public DnsSecVerifier() new AlgEntry("SHA1withDSA", DNSSEC.DSA, true));
{ mAlgorithmMap.put(new Integer(DNSSEC.RSA_NSEC3_SHA1),
mAlgorithmMap = new HashMap<Integer, AlgEntry>(); new AlgEntry("SHA1withRSA", DNSSEC.RSASHA1, false));
mAlgorithmMap.put(new Integer(DNSSEC.RSASHA256),
// set the default algorithm map. new AlgEntry("SHA256withRSA", DNSSEC.RSASHA256, false));
mAlgorithmMap.put(new Integer(DNSSEC.RSAMD5), new AlgEntry("MD5withRSA", mAlgorithmMap.put(new Integer(DNSSEC.RSASHA512),
DNSSEC.RSAMD5, false)); new AlgEntry("SHA512withRSA", DNSSEC.RSASHA512, false));
mAlgorithmMap.put(new Integer(DNSSEC.DSA), new AlgEntry("SHA1withDSA", DNSSEC.DSA,
true));
mAlgorithmMap.put(new Integer(DNSSEC.RSASHA1), new AlgEntry(
"SHA1withRSA", DNSSEC.RSASHA1, false));
}
private boolean isDSA(int algorithm)
{
// shortcut the standard algorithms
if (algorithm == DNSSEC.DSA) return true;
if (algorithm == DNSSEC.RSASHA1) return false;
if (algorithm == DNSSEC.RSAMD5) return false;
AlgEntry entry = (AlgEntry) mAlgorithmMap.get(new Integer(algorithm));
if (entry != null) return entry.isDSA;
return false;
}
public void init(Properties config)
{
if (config == null) return;
// Algorithm configuration
// For now, we just accept new identifiers for existing algoirthms.
// FIXME: handle private identifiers.
List<Util.ConfigEntry> aliases = Util.parseConfigPrefix(config, "dns.algorithm.");
for (Util.ConfigEntry entry : aliases) {
Integer alg_alias = new Integer(Util.parseInt(entry.key, -1));
Integer alg_orig = new Integer(Util.parseInt(entry.value, -1));
if (!mAlgorithmMap.containsKey(alg_orig))
{
// log.warn("Unable to alias " + alg_alias + " to unknown algorithm "
// + alg_orig);
continue;
}
if (mAlgorithmMap.containsKey(alg_alias))
{
// log.warn("Algorithm alias " + alg_alias
// + " is already defined and cannot be redefined");
continue;
}
mAlgorithmMap.put(alg_alias, mAlgorithmMap.get(alg_orig));
} }
// for debugging purposes, log the entire algorithm map table. private boolean isDSA(int algorithm) {
// for (Integer alg : mAlgorithmMap.keySet()) { // shortcut the standard algorithms
// AlgEntry entry = mAlgorithmMap.get(alg); if (algorithm == DNSSEC.DSA) {
// if (entry == null) return true;
// log.warn("DNSSEC alg " + alg + " has a null entry!"); }
// else
// log.debug("DNSSEC alg " + alg + " maps to " + entry.jcaName
// + " (" + entry.dnssecAlg + ")");
// }
}
/** if (algorithm == DNSSEC.RSASHA1) {
* Find the matching DNSKEY(s) to an RRSIG within a DNSKEY rrset. Normally return false;
* this will only return one DNSKEY. It can return more than one, since }
* KeyID/Footprints are not guaranteed to be unique.
* if (algorithm == DNSSEC.RSAMD5) {
* @param dnskey_rrset The DNSKEY rrset to search. return false;
* @param signature The RRSIG to match against. }
* @return A List contains a one or more DNSKEYRecord objects, or null if a
* matching DNSKEY could not be found. AlgEntry entry = (AlgEntry) mAlgorithmMap.get(new Integer(algorithm));
*/
@SuppressWarnings("unchecked") if (entry != null) {
private List<DNSKEYRecord> findKey(RRset dnskey_rrset, RRSIGRecord signature) return entry.isDSA;
{ }
if (!signature.getSigner().equals(dnskey_rrset.getName()))
{ return false;
// log.trace("findKey: could not find appropriate key because "
// + "incorrect keyset was supplied. Wanted: " + signature.getSigner()
// + ", got: " + dnskey_rrset.getName());
return null;
} }
int keyid = signature.getFootprint(); public void init(Properties config) {
int alg = signature.getAlgorithm(); if (config == null) {
return;
}
List<DNSKEYRecord> res = new ArrayList<DNSKEYRecord>(dnskey_rrset.size()); // Algorithm configuration
for (Iterator i = dnskey_rrset.rrs(); i.hasNext();) // For now, we just accept new identifiers for existing algorithms.
{ // FIXME: handle private identifiers.
DNSKEYRecord r = (DNSKEYRecord) i.next(); List<Util.ConfigEntry> aliases = Util.parseConfigPrefix(config,
if (r.getAlgorithm() == alg && r.getFootprint() == keyid) "dns.algorithm.");
{
res.add(r); for (Util.ConfigEntry entry : aliases) {
} Integer alg_alias = new Integer(Util.parseInt(entry.key, -1));
Integer alg_orig = new Integer(Util.parseInt(entry.value, -1));
if (!mAlgorithmMap.containsKey(alg_orig)) {
log.warn("Unable to alias " + alg_alias +
" to unknown algorithm " + alg_orig);
continue;
}
if (mAlgorithmMap.containsKey(alg_alias)) {
log.warn("Algorithm alias " + alg_alias +
" is already defined and cannot be redefined");
continue;
}
mAlgorithmMap.put(alg_alias, mAlgorithmMap.get(alg_orig));
}
// for debugging purposes, log the entire algorithm map table.
for (Integer alg : mAlgorithmMap.keySet()) {
AlgEntry entry = mAlgorithmMap.get(alg);
if (entry == null) {
log.warn("DNSSEC alg " + alg + " has a null entry!");
} else {
log.debug("DNSSEC alg " + alg + " maps to " + entry.jcaName +
" (" + entry.dnssecAlg + ")");
}
}
} }
if (res.size() == 0) /**
{ * Find the matching DNSKEY(s) to an RRSIG within a DNSKEY rrset. Normally
// log.trace("findKey: could not find a key matching " * this will only return one DNSKEY. It can return more than one, since
// + "the algorithm and footprint in supplied keyset. "); * KeyID/Footprints are not guaranteed to be unique.
return null; *
} * @param dnskey_rrset
return res; * The DNSKEY rrset to search.
} * @param signature
* The RRSIG to match against.
* @return A List contains a one or more DNSKEYRecord objects, or null if a
* matching DNSKEY could not be found.
*/
@SuppressWarnings("unchecked")
private List<DNSKEYRecord> findKey(RRset dnskey_rrset, RRSIGRecord signature) {
if (!signature.getSigner().equals(dnskey_rrset.getName())) {
log.trace("findKey: could not find appropriate key because " +
"incorrect keyset was supplied. Wanted: " +
signature.getSigner() + ", got: " + dnskey_rrset.getName());
/** return null;
* Check to see if a signature looks valid (i.e., matches the rrset in }
* question, in the validity period, etc.)
* int keyid = signature.getFootprint();
* @param rrset The rrset that the signature belongs to. int alg = signature.getAlgorithm();
* @param sigrec The signature record to check.
* @return A value of DNSSEC.Secure if it looks OK, DNSSEC.Faile if it looks List<DNSKEYRecord> res = new ArrayList<DNSKEYRecord>(dnskey_rrset.size());
* bad.
*/ for (Iterator i = dnskey_rrset.rrs(); i.hasNext();) {
private byte checkSignature(RRset rrset, RRSIGRecord sigrec) DNSKEYRecord r = (DNSKEYRecord) i.next();
{
if (rrset == null || sigrec == null) return DNSSEC.Failed; if ((r.getAlgorithm() == alg) && (r.getFootprint() == keyid)) {
if (!rrset.getName().equals(sigrec.getName())) res.add(r);
{ }
// log.debug("Signature name does not match RRset name"); }
return SecurityStatus.BOGUS;
} if (res.size() == 0) {
if (rrset.getType() != sigrec.getTypeCovered()) log.trace("findKey: could not find a key matching " +
{ "the algorithm and footprint in supplied keyset. ");
// log.debug("Signature type does not match RRset type");
return SecurityStatus.BOGUS; return null;
}
return res;
} }
Date now = new Date(); /**
Date start = sigrec.getTimeSigned(); * Check to see if a signature looks valid (i.e., matches the rrset in
Date expire = sigrec.getExpire(); * question, in the validity period, etc.)
if (now.before(start)) *
{ * @param rrset
// log.debug("Signature is not yet valid"); * The rrset that the signature belongs to.
return SecurityStatus.BOGUS; * @param sigrec
* The signature record to check.
* @return A value of DNSSEC.Secure if it looks OK, DNSSEC.Faile if it looks
* bad.
*/
private byte checkSignature(RRset rrset, RRSIGRecord sigrec) {
if ((rrset == null) || (sigrec == null)) {
return DNSSEC.Failed;
}
if (!rrset.getName().equals(sigrec.getName())) {
log.debug("Signature name does not match RRset name");
return SecurityStatus.BOGUS;
}
if (rrset.getType() != sigrec.getTypeCovered()) {
log.debug("Signature type does not match RRset type");
return SecurityStatus.BOGUS;
}
Date now = new Date();
Date start = sigrec.getTimeSigned();
Date expire = sigrec.getExpire();
if (now.before(start)) {
log.debug("Signature is not yet valid");
return SecurityStatus.BOGUS;
}
if (now.after(expire)) {
log.debug("Signature has expired (now = " + now +
", sig expires = " + expire);
return SecurityStatus.BOGUS;
}
return SecurityStatus.SECURE;
} }
if (now.after(expire)) public PublicKey parseDNSKEY(DNSKEYRecord key) {
{ AlgEntry ae = (AlgEntry) mAlgorithmMap.get(new Integer(
// log.debug("Signature has expired (now = " + now + ", sig expires = " key.getAlgorithm()));
// + expire);
return SecurityStatus.BOGUS; if (key.getAlgorithm() != ae.dnssecAlg) {
// Recast the DNSKEYRecord in question as one using the offical
// algorithm, to work around the lack of alias support in the
// underlying
// KEYConverter class from DNSjava
key = new DNSKEYRecord(key.getName(), key.getDClass(),
key.getTTL(), key.getFlags(), key.getProtocol(),
ae.dnssecAlg, key.getKey());
}
return KEYConverter.parseRecord(key);
} }
return SecurityStatus.SECURE; /**
} * Actually cryptographically verify a signature over the rrset. The RRSIG
* record must match the rrset being verified (see checkSignature).
*
* @param rrset
* The rrset to verify.
* @param sigrec
* The signature to verify with.
* @param key
* The (public) key associated with the RRSIG record.
* @return A security status code: SECURE if it worked, BOGUS if not,
* UNCHECKED if we just couldn't actually do the function.
*/
public byte verifySignature(RRset rrset, RRSIGRecord sigrec,
DNSKEYRecord key) {
try {
PublicKey pk = parseDNSKEY(key);
public PublicKey parseDNSKEY(DNSKEYRecord key) if (pk == null) {
{ log.warn(
AlgEntry ae = (AlgEntry) mAlgorithmMap "Could not convert DNSKEY record to a JCA public key: " +
.get(new Integer(key.getAlgorithm())); key);
if (key.getAlgorithm() != ae.dnssecAlg)
{
// Recast the DNSKEYRecord in question as one using the offical
// algorithm, to work around the lack of alias support in the underlying
// KEYConverter class from DNSjava
key = new DNSKEYRecord(key.getName(), key.getDClass(), key.getTTL(), return SecurityStatus.UNCHECKED;
key.getFlags(), key.getProtocol(), ae.dnssecAlg, key.getKey()); }
}
return KEYConverter.parseRecord(key); byte [] data = SignUtils.generateSigData(rrset, sigrec);
}
/**
* Actually cryptographically verify a signature over the rrset. The RRSIG
* record must match the rrset being verified (see checkSignature).
*
* @param rrset The rrset to verify.
* @param sigrec The signature to verify with.
* @param key The (public) key associated with the RRSIG record.
* @return A security status code: SECURE if it worked, BOGUS if not,
* UNCHECKED if we just couldn't actually do the function.
*/
public byte verifySignature(RRset rrset, RRSIGRecord sigrec,
DNSKEYRecord key)
{
try
{
PublicKey pk = parseDNSKEY(key);
if (pk == null) Signature signer = getSignature(sigrec.getAlgorithm());
{
// log.warn("Could not convert DNSKEY record to a JCA public key: " if (signer == null) {
// + key); return SecurityStatus.BOGUS;
}
signer.initVerify(pk);
signer.update(data);
byte [] sig = sigrec.getSignature();
if (isDSA(sigrec.getAlgorithm())) {
sig = SignUtils.convertDSASignature(sig);
}
if (!signer.verify(sig)) {
log.info("Signature failed to verify cryptographically");
log.debug("Failed signature: " + sigrec);
return SecurityStatus.BOGUS;
}
log.trace("Signature verified: " + sigrec);
return SecurityStatus.SECURE;
} catch (IOException e) {
log.error("I/O error", e);
} catch (GeneralSecurityException e) {
log.error("Security error", e);
}
// FIXME: Since I'm not sure what would cause an exception here (failure
// to have the required crypto?)
// We default to UNCHECKED instead of BOGUS. This could be wrong.
return SecurityStatus.UNCHECKED; return SecurityStatus.UNCHECKED;
} }
byte[] data = SignUtils.generateSigData(rrset, sigrec); /**
* Verify an RRset against a particular signature.
*
* @return DNSSEC.Secure if the signature verfied, DNSSEC.Failed if it did
* not verify (for any reason), and DNSSEC.Insecure if verification
* could not be completed (usually because the public key was not
* available).
*/
public byte verifySignature(RRset rrset, RRSIGRecord sigrec, RRset key_rrset) {
byte result = checkSignature(rrset, sigrec);
if (result != SecurityStatus.SECURE) {
return result;
}
List<DNSKEYRecord> keys = findKey(key_rrset, sigrec);
if (keys == null) {
log.trace("could not find appropriate key");
return SecurityStatus.BOGUS;
}
byte status = SecurityStatus.UNCHECKED;
for (DNSKEYRecord key : keys) {
status = verifySignature(rrset, sigrec, key);
if (status == SecurityStatus.SECURE) {
break;
}
}
return status;
}
/**
* Verifies an RRset. This routine does not modify the RRset. This RRset is
* presumed to be verifiable, and the correct DNSKEY rrset is presumed to
* have been found.
*
* @return SecurityStatus.SECURE if the rrest verified positively,
* SecurityStatus.BOGUS otherwise.
*/
@SuppressWarnings("unchecked")
public byte verify(RRset rrset, RRset key_rrset) {
Iterator i = rrset.sigs();
if (!i.hasNext()) {
log.info("RRset failed to verify due to lack of signatures");
return SecurityStatus.BOGUS;
}
while (i.hasNext()) {
RRSIGRecord sigrec = (RRSIGRecord) i.next();
byte res = verifySignature(rrset, sigrec, key_rrset);
if (res == SecurityStatus.SECURE) {
return res;
}
}
log.info("RRset failed to verify: all signatures were BOGUS");
Signature signer = getSignature(sigrec.getAlgorithm());
if (signer == null)
{
return SecurityStatus.BOGUS; return SecurityStatus.BOGUS;
} }
signer.initVerify(pk); /**
signer.update(data); * Verify an RRset against a single DNSKEY. Use this when you must be
* certain that an RRset signed and verifies with a particular DNSKEY (as
* opposed to a particular DNSKEY rrset).
*
* @param rrset
* The rrset to verify.
* @param dnskey
* The DNSKEY to verify with.
* @return SecurityStatus.SECURE if the rrset verified, BOGUS otherwise.
*/
@SuppressWarnings("unchecked")
public byte verify(RRset rrset, DNSKEYRecord dnskey) {
// Iterate over RRSIGS
Iterator i = rrset.sigs();
if (!i.hasNext()) {
log.info("RRset failed to verify due to lack of signatures");
return SecurityStatus.BOGUS;
}
while (i.hasNext()) {
RRSIGRecord sigrec = (RRSIGRecord) i.next();
// Skip RRSIGs that do not match our given key's footprint.
if (sigrec.getFootprint() != dnskey.getFootprint()) {
continue;
}
byte res = verifySignature(rrset, sigrec, dnskey);
if (res == SecurityStatus.SECURE) {
return res;
}
}
log.info("RRset failed to verify: all signatures were BOGUS");
byte[] sig = sigrec.getSignature();
if (isDSA(sigrec.getAlgorithm()))
{
sig = SignUtils.convertDSASignature(sig);
}
if (!signer.verify(sig))
{
// log.info("Signature failed to verify cryptographically");
// log.debug("Failed signature: " + sigrec);
return SecurityStatus.BOGUS; return SecurityStatus.BOGUS;
}
// log.trace("Signature verified: " + sigrec);
return SecurityStatus.SECURE;
}
catch (IOException e)
{
// log.error("I/O error", e);
}
catch (GeneralSecurityException e)
{
// log.error("Security error", e);
} }
// FIXME: Since I'm not sure what would cause an exception here (failure public boolean supportsAlgorithm(int algorithm) {
// to have the required crypto?) return mAlgorithmMap.containsKey(new Integer(algorithm));
// We default to UNCHECKED instead of BOGUS. This could be wrong.
return SecurityStatus.UNCHECKED;
}
/**
* Verify an RRset against a particular signature.
*
* @return DNSSEC.Secure if the signature verfied, DNSSEC.Failed if it did
* not verify (for any reason), and DNSSEC.Insecure if verification
* could not be completed (usually because the public key was not
* available).
*/
public byte verifySignature(RRset rrset, RRSIGRecord sigrec, RRset key_rrset)
{
byte result = checkSignature(rrset, sigrec);
if (result != SecurityStatus.SECURE) return result;
List<DNSKEYRecord> keys = findKey(key_rrset, sigrec);
if (keys == null)
{
// log.trace("could not find appropriate key");
return SecurityStatus.BOGUS;
} }
byte status = SecurityStatus.UNCHECKED; public boolean supportsAlgorithm(Name private_id) {
return mAlgorithmMap.containsKey(private_id);
for (DNSKEYRecord key : keys) {
status = verifySignature(rrset, sigrec, key);
if (status == SecurityStatus.SECURE) break;
} }
return status; public int baseAlgorithm(int algorithm) {
} switch (algorithm) {
case DNSSEC.RSAMD5:
case DNSSEC.RSASHA1:
return RSA;
/** case DNSSEC.DSA:
* Verifies an RRset. This routine does not modify the RRset. This RRset is return DSA;
* presumed to be verifiable, and the correct DNSKEY rrset is presumed to }
* have been found.
*
* @return SecurityStatus.SECURE if the rrest verified positively,
* SecurityStatus.BOGUS otherwise.
*/
@SuppressWarnings("unchecked")
public byte verify(RRset rrset, RRset key_rrset)
{
Iterator i = rrset.sigs();
if (!i.hasNext()) AlgEntry entry = (AlgEntry) mAlgorithmMap.get(new Integer(algorithm));
{
// log.info("RRset failed to verify due to lack of signatures");
return SecurityStatus.BOGUS;
}
while (i.hasNext()) if (entry == null) {
{ return UNKNOWN;
RRSIGRecord sigrec = (RRSIGRecord) i.next(); }
byte res = verifySignature(rrset, sigrec, key_rrset); if (entry.isDSA) {
return DSA;
}
if (res == SecurityStatus.SECURE) return res;
}
// log.info("RRset failed to verify: all signatures were BOGUS");
return SecurityStatus.BOGUS;
}
/**
* Verify an RRset against a single DNSKEY. Use this when you must be
* certain that an RRset signed and verifies with a particular DNSKEY (as
* opposed to a particular DNSKEY rrset).
*
* @param rrset The rrset to verify.
* @param dnskey The DNSKEY to verify with.
* @return SecurityStatus.SECURE if the rrset verified, BOGUS otherwise.
*/
@SuppressWarnings("unchecked")
public byte verify(RRset rrset, DNSKEYRecord dnskey)
{
// Iterate over RRSIGS
Iterator i = rrset.sigs();
if (!i.hasNext())
{
// log.info("RRset failed to verify due to lack of signatures");
return SecurityStatus.BOGUS;
}
while (i.hasNext())
{
RRSIGRecord sigrec = (RRSIGRecord) i.next();
// Skip RRSIGs that do not match our given key's footprint.
if (sigrec.getFootprint() != dnskey.getFootprint()) continue;
byte res = verifySignature(rrset, sigrec, dnskey);
if (res == SecurityStatus.SECURE) return res;
}
// log.info("RRset failed to verify: all signatures were BOGUS");
return SecurityStatus.BOGUS;
}
public boolean supportsAlgorithm(int algorithm)
{
return mAlgorithmMap.containsKey(new Integer(algorithm));
}
public boolean supportsAlgorithm(Name private_id)
{
return mAlgorithmMap.containsKey(private_id);
}
public int baseAlgorithm(int algorithm)
{
switch (algorithm)
{
case DNSSEC.RSAMD5:
case DNSSEC.RSASHA1:
return RSA; return RSA;
case DNSSEC.DSA:
return DSA;
}
AlgEntry entry = (AlgEntry) mAlgorithmMap.get(new Integer(algorithm));
if (entry == null) return UNKNOWN;
if (entry.isDSA) return DSA;
return RSA;
}
/** @return the appropriate Signature object for this keypair. */
private Signature getSignature(int algorithm)
{
Signature s = null;
try
{
AlgEntry entry = (AlgEntry) mAlgorithmMap.get(new Integer(algorithm));
if (entry == null)
{
// log.info("DNSSEC algorithm " + algorithm + " not recognized.");
return null;
}
// TODO: should we cache the instance?
s = Signature.getInstance(entry.jcaName);
}
catch (NoSuchAlgorithmException e)
{
// log.error("error getting Signature object", e);
} }
return s; /** @return the appropriate Signature object for this keypair. */
} private Signature getSignature(int algorithm) {
Signature s = null;
// TODO: enable private algorithm support in dnsjava. try {
// Right now, this cannot be used because the DNSKEYRecord object doesn't AlgEntry entry = (AlgEntry) mAlgorithmMap.get(new Integer(algorithm));
// give us
// the private key name. if (entry == null) {
// private Signature getSignature(Name private_alg) log.info("DNSSEC algorithm " + algorithm + " not recognized.");
// {
// Signature s = null; return null;
// }
// try
// { // TODO: should we cache the instance?
// String alg_id = (String) mAlgorithmMap.get(private_alg); s = Signature.getInstance(entry.jcaName);
// if (alg_id == null) } catch (NoSuchAlgorithmException e) {
// { log.error("error getting Signature object", e);
// log.debug("DNSSEC private algorithm '" + private_alg }
// + "' not recognized.");
// return null; return s;
// } }
//
// s = Signature.getInstance(alg_id); private static class AlgEntry {
// } public String jcaName;
// catch (NoSuchAlgorithmException e) public boolean isDSA;
// { public int dnssecAlg;
// log.error("error getting Signature object", e);
// } public AlgEntry(String name, int dnssecAlg, boolean isDSA) {
// jcaName = name;
// return s; this.dnssecAlg = dnssecAlg;
// } this.isDSA = isDSA;
}
}
// TODO: enable private algorithm support in dnsjava.
// Right now, this cannot be used because the DNSKEYRecord object doesn't
// give us
// the private key name.
// private Signature getSignature(Name private_alg)
// {
// Signature s = null;
//
// try
// {
// String alg_id = (String) mAlgorithmMap.get(private_alg);
// if (alg_id == null)
// {
// log.debug("DNSSEC private algorithm '" + private_alg
// + "' not recognized.");
// return null;
// }
//
// s = Signature.getInstance(alg_id);
// }
// catch (NoSuchAlgorithmException e)
// {
// log.error("error getting Signature object", e);
// }
//
// return s;
// }
} }

626
src/com/versign/tat/dnssec/NSEC3ValUtils.java
View File

File diff suppressed because it is too large Load Diff

185
src/com/versign/tat/dnssec/SMessage.java
View File

@ -1,56 +1,49 @@
/* /***************************** -*- Java -*- ********************************\
* $Id$ * *
* * Copyright (c) 2009 VeriSign, Inc. All rights reserved. *
* Copyright (c) 2005 VeriSign. All rights reserved. * *
* * This software is provided solely in connection with the terms of the *
* Redistribution and use in source and binary forms, with or without * license agreement. Any other use without the prior express written *
* modification, are permitted provided that the following conditions are met: * permission of VeriSign is completely prohibited. The software and *
* * documentation are "Commercial Items", as that term is defined in 48 *
* 1. Redistributions of source code must retain the above copyright notice, * C.F.R. section 2.101, consisting of "Commercial Computer Software" and *
* this list of conditions and the following disclaimer. 2. Redistributions in * "Commercial Computer Software Documentation" as such terms are defined *
* binary form must reproduce the above copyright notice, this list of * in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section *
* conditions and the following disclaimer in the documentation and/or other * 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. *
* materials provided with the distribution. 3. The name of the author may not * section 227.7202, as applicable. Pursuant to the above and other *
* be used to endorse or promote products derived from this software without * relevant sections of the Code of Federal Regulations, as applicable, *
* specific prior written permission. * VeriSign's publications, commercial computer software, and commercial *
* * computer software documentation are distributed and licensed to United *
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * States Government end users with only those rights as granted to all *
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * other end users, according to the terms and conditions contained in the *
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN * license agreement(s) that accompany the products and software *
* NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * documentation. *
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED * *
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR \***************************************************************************/
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
package com.versign.tat.dnssec; package com.verisign.tat.dnssec;
import org.xbill.DNS.*;
import java.util.*; import java.util.*;
import org.xbill.DNS.*;
/** /**
* This class represents a DNS message with resolver/validator state. * This class represents a DNS message with resolver/validator state.
*/ */
public class SMessage { public class SMessage {
private Header mHeader; private static SRRset [] empty_srrset_array = new SRRset[0];
private Header mHeader;
private Record mQuestion; private Record mQuestion;
private OPTRecord mOPTRecord; private OPTRecord mOPTRecord;
private List<SRRset>[] mSection; private List<SRRset> [] mSection;
private SecurityStatus mSecurityStatus; private SecurityStatus mSecurityStatus;
private static SRRset[] empty_srrset_array = new SRRset[0];
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
public SMessage(Header h) { public SMessage(Header h) {
mSection = (List<SRRset>[]) new List[3]; mSection = (List<SRRset> []) new List[3];
mHeader = h; mHeader = h;
mSecurityStatus = new SecurityStatus(); mSecurityStatus = new SecurityStatus();
} }
public SMessage(int id) { public SMessage(int id) {
@ -63,11 +56,11 @@ public class SMessage {
public SMessage(Message m) { public SMessage(Message m) {
this(m.getHeader()); this(m.getHeader());
mQuestion = m.getQuestion(); mQuestion = m.getQuestion();
mOPTRecord = m.getOPT(); mOPTRecord = m.getOPT();
for (int i = Section.ANSWER; i <= Section.ADDITIONAL; i++) { for (int i = Section.ANSWER; i <= Section.ADDITIONAL; i++) {
RRset[] rrsets = m.getSectionRRsets(i); RRset [] rrsets = m.getSectionRRsets(i);
for (int j = 0; j < rrsets.length; j++) { for (int j = 0; j < rrsets.length; j++) {
addRRset(rrsets[j], i); addRRset(rrsets[j], i);
@ -112,8 +105,9 @@ public class SMessage {
} }
public List<SRRset> getSectionList(int section) { public List<SRRset> getSectionList(int section) {
if (section <= Section.QUESTION || section > Section.ADDITIONAL) if ((section <= Section.QUESTION) || (section > Section.ADDITIONAL)) {
throw new IllegalArgumentException("Invalid section."); throw new IllegalArgumentException("Invalid section.");
}
if (mSection[section - 1] == null) { if (mSection[section - 1] == null) {
mSection[section - 1] = new LinkedList<SRRset>(); mSection[section - 1] = new LinkedList<SRRset>();
@ -123,11 +117,13 @@ public class SMessage {
} }
public void addRRset(SRRset srrset, int section) { public void addRRset(SRRset srrset, int section) {
if (section <= Section.QUESTION || section > Section.ADDITIONAL) if ((section <= Section.QUESTION) || (section > Section.ADDITIONAL)) {
throw new IllegalArgumentException("Invalid section"); throw new IllegalArgumentException("Invalid section");
}
if (srrset.getType() == Type.OPT) { if (srrset.getType() == Type.OPT) {
mOPTRecord = (OPTRecord) srrset.first(); mOPTRecord = (OPTRecord) srrset.first();
return; return;
} }
@ -138,6 +134,7 @@ public class SMessage {
public void addRRset(RRset rrset, int section) { public void addRRset(RRset rrset, int section) {
if (rrset instanceof SRRset) { if (rrset instanceof SRRset) {
addRRset((SRRset) rrset, section); addRRset((SRRset) rrset, section);
return; return;
} }
@ -146,48 +143,59 @@ public class SMessage {
} }
public void prependRRsets(List<SRRset> rrsets, int section) { public void prependRRsets(List<SRRset> rrsets, int section) {
if (section <= Section.QUESTION || section > Section.ADDITIONAL) if ((section <= Section.QUESTION) || (section > Section.ADDITIONAL)) {
throw new IllegalArgumentException("Invalid section"); throw new IllegalArgumentException("Invalid section");
}
List<SRRset> sectionList = getSectionList(section); List<SRRset> sectionList = getSectionList(section);
sectionList.addAll(0, rrsets); sectionList.addAll(0, rrsets);
} }
public SRRset[] getSectionRRsets(int section) { public SRRset [] getSectionRRsets(int section) {
List<SRRset> slist = getSectionList(section); List<SRRset> slist = getSectionList(section);
return (SRRset[]) slist.toArray(empty_srrset_array); return (SRRset []) slist.toArray(empty_srrset_array);
} }
public SRRset[] getSectionRRsets(int section, int qtype) { public SRRset [] getSectionRRsets(int section, int qtype) {
List<SRRset> slist = getSectionList(section); List<SRRset> slist = getSectionList(section);
if (slist.size() == 0) return new SRRset[0]; if (slist.size() == 0) {
return new SRRset[0];
ArrayList<SRRset> result = new ArrayList<SRRset>(slist.size());
for (SRRset rrset : slist) {
if (rrset.getType() == qtype) result.add(rrset);
} }
return (SRRset[]) result.toArray(empty_srrset_array); ArrayList<SRRset> result = new ArrayList<SRRset>(slist.size());
for (SRRset rrset : slist) {
if (rrset.getType() == qtype) {
result.add(rrset);
}
}
return (SRRset []) result.toArray(empty_srrset_array);
} }
public void deleteRRset(SRRset rrset, int section) { public void deleteRRset(SRRset rrset, int section) {
List<SRRset> slist = getSectionList(section); List<SRRset> slist = getSectionList(section);
if (slist.size() == 0) return; if (slist.size() == 0) {
return;
}
slist.remove(rrset); slist.remove(rrset);
} }
public void clear(int section) { public void clear(int section) {
if (section < Section.QUESTION || section > Section.ADDITIONAL) if ((section < Section.QUESTION) || (section > Section.ADDITIONAL)) {
throw new IllegalArgumentException("Invalid section."); throw new IllegalArgumentException("Invalid section.");
}
if (section == Section.QUESTION) { if (section == Section.QUESTION) {
mQuestion = null; mQuestion = null;
return; return;
} }
if (section == Section.ADDITIONAL) { if (section == Section.ADDITIONAL) {
mOPTRecord = null; mOPTRecord = null;
} }
@ -219,7 +227,10 @@ public class SMessage {
} }
public void setSecurityStatus(SecurityStatus s) { public void setSecurityStatus(SecurityStatus s) {
if (s == null) return; if (s == null) {
return;
}
mSecurityStatus = s; mSecurityStatus = s;
} }
@ -235,6 +246,7 @@ public class SMessage {
Header h = m.getHeader(); Header h = m.getHeader();
h.setOpcode(mHeader.getOpcode()); h.setOpcode(mHeader.getOpcode());
h.setRcode(mHeader.getRcode()); h.setRcode(mHeader.getRcode());
for (int i = 0; i < 16; i++) { for (int i = 0; i < 16; i++) {
if (Flags.isFlag(i)) { if (Flags.isFlag(i)) {
if (mHeader.getFlag(i)) { if (mHeader.getFlag(i)) {
@ -247,18 +259,19 @@ public class SMessage {
// Add all the records. -- this will set the counts correctly in the // Add all the records. -- this will set the counts correctly in the
// message header. // message header.
if (mQuestion != null) { if (mQuestion != null) {
m.addRecord(mQuestion, Section.QUESTION); m.addRecord(mQuestion, Section.QUESTION);
} }
for (int sec = Section.ANSWER; sec <= Section.ADDITIONAL; sec++) { for (int sec = Section.ANSWER; sec <= Section.ADDITIONAL; sec++) {
List<SRRset> slist = getSectionList(sec); List<SRRset> slist = getSectionList(sec);
for (SRRset rrset : slist) { for (SRRset rrset : slist) {
for (Iterator<Record> j = rrset.rrs(); j.hasNext(); ) { for (Iterator<Record> j = rrset.rrs(); j.hasNext();) {
m.addRecord(j.next(), sec); m.addRecord(j.next(), sec);
} }
for (Iterator<RRSIGRecord> j = rrset.sigs(); j.hasNext(); ) {
for (Iterator<RRSIGRecord> j = rrset.sigs(); j.hasNext();) {
m.addRecord(j.next(), sec); m.addRecord(j.next(), sec);
} }
} }
@ -273,13 +286,21 @@ public class SMessage {
public int getCount(int section) { public int getCount(int section) {
if (section == Section.QUESTION) { if (section == Section.QUESTION) {
return mQuestion == null ? 0 : 1; return (mQuestion == null) ? 0 : 1;
} }
List<SRRset> sectionList = getSectionList(section); List<SRRset> sectionList = getSectionList(section);
if (sectionList == null) return 0;
if (sectionList.size() == 0) return 0; if (sectionList == null) {
return 0;
}
if (sectionList.size() == 0) {
return 0;
}
int count = 0; int count = 0;
for (SRRset sr : sectionList) { for (SRRset sr : sectionList) {
count += sr.totalSize(); count += sr.totalSize();
} }
@ -293,7 +314,7 @@ public class SMessage {
/** /**
* Find a specific (S)RRset in a given section. * Find a specific (S)RRset in a given section.
* *
* @param name * @param name
* the name of the RRset. * the name of the RRset.
* @param type * @param type
@ -302,18 +323,20 @@ public class SMessage {
* the class of the RRset. * the class of the RRset.
* @param section * @param section
* the section to look in (ANSWER -> ADDITIONAL) * the section to look in (ANSWER -> ADDITIONAL)
* *
* @return The SRRset if found, null otherwise. * @return The SRRset if found, null otherwise.
*/ */
public SRRset findRRset(Name name, int type, int dclass, int section) { public SRRset findRRset(Name name, int type, int dclass, int section) {
if (section <= Section.QUESTION || section > Section.ADDITIONAL) if ((section <= Section.QUESTION) || (section > Section.ADDITIONAL)) {
throw new IllegalArgumentException("Invalid section."); throw new IllegalArgumentException("Invalid section.");
}
SRRset[] rrsets = getSectionRRsets(section); SRRset [] rrsets = getSectionRRsets(section);
for (int i = 0; i < rrsets.length; i++) { for (int i = 0; i < rrsets.length; i++) {
if (rrsets[i].getName().equals(name) && rrsets[i].getType() == type if (rrsets[i].getName().equals(name) &&
&& rrsets[i].getDClass() == dclass) { (rrsets[i].getType() == type) &&
(rrsets[i].getDClass() == dclass)) {
return rrsets[i]; return rrsets[i];
} }
} }
@ -324,36 +347,36 @@ public class SMessage {
/** /**
* Find an "answer" RRset. This will look for RRsets in the ANSWER section * Find an "answer" RRset. This will look for RRsets in the ANSWER section
* that match the <qname,qtype,qclass>, taking into consideration CNAMEs. * that match the <qname,qtype,qclass>, taking into consideration CNAMEs.
* *
* @param qname * @param qname
* The starting search name. * The starting search name.
* @param qtype * @param qtype
* The search type. * The search type.
* @param qclass * @param qclass
* The search class. * The search class.
* *
* @return a SRRset matching the query. This SRRset may have a different * @return a SRRset matching the query. This SRRset may have a different
* name from qname, due to following a CNAME chain. * name from qname, due to following a CNAME chain.
*/ */
public SRRset findAnswerRRset(Name qname, int qtype, int qclass) { public SRRset findAnswerRRset(Name qname, int qtype, int qclass) {
SRRset[] srrsets = getSectionRRsets(Section.ANSWER); SRRset [] srrsets = getSectionRRsets(Section.ANSWER);
for (int i = 0; i < srrsets.length; i++) { for (int i = 0; i < srrsets.length; i++) {
if (srrsets[i].getName().equals(qname) if (srrsets[i].getName().equals(qname) &&
&& srrsets[i].getType() == Type.CNAME) { (srrsets[i].getType() == Type.CNAME)) {
CNAMERecord cname = (CNAMERecord) srrsets[i].first(); CNAMERecord cname = (CNAMERecord) srrsets[i].first();
qname = cname.getTarget(); qname = cname.getTarget();
continue; continue;
} }
if (srrsets[i].getName().equals(qname) if (srrsets[i].getName().equals(qname) &&
&& srrsets[i].getType() == qtype (srrsets[i].getType() == qtype) &&
&& srrsets[i].getDClass() == qclass) { (srrsets[i].getDClass() == qclass)) {
return srrsets[i]; return srrsets[i];
} }
} }
return null; return null;
} }
}
}

80
src/com/versign/tat/dnssec/SRRset.java
View File

@ -1,35 +1,32 @@
/* /***************************** -*- Java -*- ********************************\
* Copyright (c) 2009 VeriSign. All rights reserved. * *
* * Copyright (c) 2009 VeriSign, Inc. All rights reserved. *
* Redistribution and use in source and binary forms, with or without * *
* modification, are permitted provided that the following conditions are met: * This software is provided solely in connection with the terms of the *
* * license agreement. Any other use without the prior express written *
* 1. Redistributions of source code must retain the above copyright notice, * permission of VeriSign is completely prohibited. The software and *
* this list of conditions and the following disclaimer. 2. Redistributions in * documentation are "Commercial Items", as that term is defined in 48 *
* binary form must reproduce the above copyright notice, this list of * C.F.R. section 2.101, consisting of "Commercial Computer Software" and *
* conditions and the following disclaimer in the documentation and/or other * "Commercial Computer Software Documentation" as such terms are defined *
* materials provided with the distribution. 3. The name of the author may not * in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section *
* be used to endorse or promote products derived from this software without * 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. *
* specific prior written permission. * section 227.7202, as applicable. Pursuant to the above and other *
* * relevant sections of the Code of Federal Regulations, as applicable, *
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * VeriSign's publications, commercial computer software, and commercial *
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * computer software documentation are distributed and licensed to United *
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN * States Government end users with only those rights as granted to all *
* NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * other end users, according to the terms and conditions contained in the *
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED * license agreement(s) that accompany the products and software *
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR * documentation. *
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF * *
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING \***************************************************************************/
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
package com.versign.tat.dnssec; package com.verisign.tat.dnssec;
import org.xbill.DNS.*;
import java.util.*; import java.util.*;
import org.xbill.DNS.*;
/** /**
* A version of the RRset class overrides the standard security status. * A version of the RRset class overrides the standard security status.
@ -43,13 +40,11 @@ public class SRRset extends RRset {
mSecurityStatus = new SecurityStatus(); mSecurityStatus = new SecurityStatus();
} }
/** /**
* Create a new SRRset from an existing RRset. This SRRset will contain that * Create a new SRRset from an existing RRset. This SRRset will contain that
* same internal Record objects as the original RRset. * same internal Record objects as the original RRset.
*/ */
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
// org.xbill.DNS.RRset isn't typesafe-aware.
public SRRset(RRset r) { public SRRset(RRset r) {
this(); this();
@ -86,19 +81,24 @@ public class SRRset extends RRset {
mSecurityStatus.setStatus(status); mSecurityStatus.setStatus(status);
} }
@SuppressWarnings("unchecked")
public Iterator<Record> rrs() { public Iterator<Record> rrs() {
return (Iterator<Record>) rrs(); return (Iterator<Record>) super.rrs();
} }
@SuppressWarnings("unchecked")
public Iterator<RRSIGRecord> sigs() { public Iterator<RRSIGRecord> sigs() {
return (Iterator<RRSIGRecord>) sigs(); return (Iterator<RRSIGRecord>) super.sigs();
} }
public int totalSize() { public int totalSize() {
int num_sigs = 0; int num_sigs = 0;
for (Iterator<RRSIGRecord> i = sigs(); i.hasNext();) { for (Iterator<RRSIGRecord> i = sigs(); i.hasNext();) {
num_sigs++; num_sigs++;
i.next();
} }
return size() + num_sigs; return size() + num_sigs;
} }
@ -113,6 +113,7 @@ public class SRRset extends RRset {
for (Iterator<RRSIGRecord> i = sigs(); i.hasNext();) { for (Iterator<RRSIGRecord> i = sigs(); i.hasNext();) {
return i.next(); return i.next();
} }
return null; return null;
} }
@ -121,7 +122,10 @@ public class SRRset extends RRset {
* (i.e., RRSIG SRRsets return false) * (i.e., RRSIG SRRsets return false)
*/ */
public boolean isSigned() { public boolean isSigned() {
if (getType() == Type.RRSIG) return false; if (getType() == Type.RRSIG) {
return false;
}
return firstSig() != null; return firstSig() != null;
} }
@ -130,7 +134,11 @@ public class SRRset extends RRset {
*/ */
public Name getSignerName() { public Name getSignerName() {
RRSIGRecord sig = (RRSIGRecord) firstSig(); RRSIGRecord sig = (RRSIGRecord) firstSig();
if (sig == null) return null;
if (sig == null) {
return null;
}
return sig.getSigner(); return sig.getSigner();
} }
} }

196
src/com/versign/tat/dnssec/SecurityStatus.java
View File

@ -1,112 +1,112 @@
/* /***************************** -*- Java -*- ********************************\
* $Id$ * *
* * Copyright (c) 2009 VeriSign, Inc. All rights reserved. *
* Copyright (c) 2005 VeriSign. All rights reserved. * *
* * This software is provided solely in connection with the terms of the *
* Redistribution and use in source and binary forms, with or without * license agreement. Any other use without the prior express written *
* modification, are permitted provided that the following conditions are met: * permission of VeriSign is completely prohibited. The software and *
* * documentation are "Commercial Items", as that term is defined in 48 *
* 1. Redistributions of source code must retain the above copyright notice, * C.F.R. section 2.101, consisting of "Commercial Computer Software" and *
* this list of conditions and the following disclaimer. 2. Redistributions in * "Commercial Computer Software Documentation" as such terms are defined *
* binary form must reproduce the above copyright notice, this list of * in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section *
* conditions and the following disclaimer in the documentation and/or other * 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. *
* materials provided with the distribution. 3. The name of the author may not * section 227.7202, as applicable. Pursuant to the above and other *
* be used to endorse or promote products derived from this software without * relevant sections of the Code of Federal Regulations, as applicable, *
* specific prior written permission. * VeriSign's publications, commercial computer software, and commercial *
* * computer software documentation are distributed and licensed to United *
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * States Government end users with only those rights as granted to all *
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * other end users, according to the terms and conditions contained in the *
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN * license agreement(s) that accompany the products and software *
* NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * documentation. *
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED * *
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR \***************************************************************************/
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING package com.verisign.tat.dnssec;
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
package com.versign.tat.dnssec;
/** /**
* Codes for DNSSEC security statuses. * Codes for DNSSEC security statuses.
* *
* @author davidb * @author davidb
*/ */
public class SecurityStatus public class SecurityStatus {
{ public static final byte INVALID = -1;
/** /**
* UNCHECKED means that object has yet to be validated. * UNCHECKED means that object has yet to be validated.
*/ */
public static final byte UNCHECKED = 0; public static final byte UNCHECKED = 0;
/**
* BOGUS means that the object (RRset or message) failed to validate
* (according to local policy), but should have validated.
*/
public static final byte BOGUS = 1;
/**
* BAD is a synonym for BOGUS.
*/
public static final byte BAD = BOGUS;
/**
* INDTERMINATE means that the object is insecure, but not authoritatively
* so. Generally this means that the RRset is not below a configured trust
* anchor.
*/
public static final byte INDETERMINATE = 2;
/**
* INSECURE means that the object is authoritatively known to be insecure.
* Generally this means that this RRset is below a trust anchor, but also
* below a verified, insecure delegation.
*/
public static final byte INSECURE = 3;
/**
* SECURE means that the object (RRset or message) validated according to
* local policy.
*/
public static final byte SECURE = 4;
private byte status; /**
* BOGUS means that the object (RRset or message) failed to validate
* (according to local policy), but should have validated.
*/
public static final byte BOGUS = 1;
public static String string(int status) /**
{ * BAD is a synonym for BOGUS.
switch (status) */
{ public static final byte BAD = BOGUS;
case BOGUS :
return "Bogus"; /**
case SECURE : * INDTERMINATE means that the object is insecure, but not authoritatively
return "Secure"; * so. Generally this means that the RRset is not below a configured trust
case INSECURE : * anchor.
return "Insecure"; */
case INDETERMINATE : public static final byte INDETERMINATE = 2;
return "Indeterminate";
case UNCHECKED : /**
return "Unchecked"; * INSECURE means that the object is authoritatively known to be insecure.
default : * Generally this means that this RRset is below a trust anchor, but also
return "UNKNOWN"; * below a verified, insecure delegation.
*/
public static final byte INSECURE = 3;
/**
* SECURE means that the object (RRset or message) validated according to
* local policy.
*/
public static final byte SECURE = 4;
private byte status;
public SecurityStatus() {
status = UNCHECKED;
} }
}
public SecurityStatus() public SecurityStatus(byte status) {
{ setStatus(status);
status = UNCHECKED; }
}
public SecurityStatus(byte status)
{
setStatus(status);
}
public byte getStatus()
{
return status;
}
public void setStatus(byte status) public static String string(int status) {
{ switch (status) {
this.status = status; case INVALID:
} return "Invalid";
case BOGUS:
return "Bogus";
case SECURE:
return "Secure";
case INSECURE:
return "Insecure";
case INDETERMINATE:
return "Indeterminate";
case UNCHECKED:
return "Unchecked";
default:
return "UNKNOWN";
}
}
public byte getStatus() {
return status;
}
public void setStatus(byte status) {
this.status = status;
}
} }

352
src/com/versign/tat/dnssec/SignUtils.java
View File

@ -1,45 +1,29 @@
/* /***************************** -*- Java -*- ********************************\
* $Id$ * *
* * Copyright (c) 2009 VeriSign, Inc. All rights reserved. *
* Copyright (c) 2005 VeriSign, Inc. All rights reserved. * *
* * This software is provided solely in connection with the terms of the *
* Redistribution and use in source and binary forms, with or without * license agreement. Any other use without the prior express written *
* modification, are permitted provided that the following conditions * permission of VeriSign is completely prohibited. The software and *
* are met: * documentation are "Commercial Items", as that term is defined in 48 *
* * C.F.R. section 2.101, consisting of "Commercial Computer Software" and *
* 1. Redistributions of source code must retain the above copyright * "Commercial Computer Software Documentation" as such terms are defined *
* notice, this list of conditions and the following disclaimer. * in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section *
* 2. Redistributions in binary form must reproduce the above copyright * 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. *
* notice, this list of conditions and the following disclaimer in the * section 227.7202, as applicable. Pursuant to the above and other *
* documentation and/or other materials provided with the distribution. * relevant sections of the Code of Federal Regulations, as applicable, *
* 3. The name of the author may not be used to endorse or promote products * VeriSign's publications, commercial computer software, and commercial *
* derived from this software without specific prior written permission. * computer software documentation are distributed and licensed to United *
* * States Government end users with only those rights as granted to all *
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * other end users, according to the terms and conditions contained in the *
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * license agreement(s) that accompany the products and software *
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * documentation. *
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * *
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT \***************************************************************************/
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
package com.versign.tat.dnssec; package com.verisign.tat.dnssec;
import java.io.ByteArrayOutputStream; import org.apache.log4j.Logger;
import java.io.IOException;
import java.security.SignatureException;
import java.security.interfaces.DSAParams;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Comparator;
import java.util.Date;
import java.util.Iterator;
import org.xbill.DNS.DNSKEYRecord; import org.xbill.DNS.DNSKEYRecord;
import org.xbill.DNS.DNSOutput; import org.xbill.DNS.DNSOutput;
@ -47,60 +31,40 @@ import org.xbill.DNS.Name;
import org.xbill.DNS.RRSIGRecord; import org.xbill.DNS.RRSIGRecord;
import org.xbill.DNS.RRset; import org.xbill.DNS.RRset;
import org.xbill.DNS.Record; import org.xbill.DNS.Record;
import org.xbill.DNS.utils.base64;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.SignatureException;
import java.security.interfaces.DSAParams;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Comparator;
import java.util.Date;
import java.util.Iterator;
/** /**
* This class contains a bunch of utility methods that are generally useful in * This class contains a bunch of utility methods that are generally useful in
* signing and verifying rrsets. * signing and verifying rrsets.
*/ */
public class SignUtils { public class SignUtils {
/**
* This class implements a basic comparator for byte arrays. It is primarily
* useful for comparing RDATA portions of DNS records in doing DNSSEC
* canonical ordering.
*/
public static class ByteArrayComparator implements Comparator<byte[]> {
private int mOffset = 0;
private boolean mDebug = false;
public ByteArrayComparator() {
}
public ByteArrayComparator(int offset, boolean debug) {
mOffset = offset;
mDebug = debug;
}
public int compare(byte[] b1, byte[] b2) throws ClassCastException {
for (int i = mOffset; i < b1.length && i < b2.length; i++) {
if (b1[i] != b2[i]) {
if (mDebug) {
System.out.println("offset " + i + " differs (this is "
+ (i - mOffset)
+ " bytes in from our offset.)");
}
return (b1[i] & 0xFF) - (b2[i] & 0xFF);
}
}
return b1.length - b2.length;
}
}
// private static final int DSA_SIGNATURE_LENGTH = 20; // private static final int DSA_SIGNATURE_LENGTH = 20;
private static final int ASN1_INT = 0x02; private static final int ASN1_INT = 0x02;
private static final int ASN1_SEQ = 0x30; private static final int ASN1_SEQ = 0x30;
public static final int RR_NORMAL = 0; public static final int RR_NORMAL = 0;
public static final int RR_DELEGATION = 1; public static final int RR_DELEGATION = 1;
public static final int RR_GLUE = 2; public static final int RR_GLUE = 2;
public static final int RR_INVALID = 3; public static final int RR_INVALID = 3;
private static Logger log = Logger.getLogger(SignUtils.class);
/** /**
* Generate from some basic information a prototype SIG RR containing * Generate from some basic information a prototype SIG RR containing
* everything but the actual signature itself. * everything but the actual signature itself.
* *
* @param rrset * @param rrset
* the RRset being signed. * the RRset being signed.
* @param signer * @param signer
@ -118,17 +82,16 @@ public class SignUtils {
* @return a prototype signature based on the RRset and key information. * @return a prototype signature based on the RRset and key information.
*/ */
public static RRSIGRecord generatePreRRSIG(RRset rrset, Name signer, public static RRSIGRecord generatePreRRSIG(RRset rrset, Name signer,
int alg, int keyid, Date start, int alg, int keyid, Date start, Date expire, long sig_ttl) {
Date expire, long sig_ttl) {
return new RRSIGRecord(rrset.getName(), rrset.getDClass(), sig_ttl, return new RRSIGRecord(rrset.getName(), rrset.getDClass(), sig_ttl,
rrset.getType(), alg, rrset.getTTL(), expire, start, keyid, rrset.getType(), alg, rrset.getTTL(), expire, start, keyid, signer,
signer, null); null);
} }
/** /**
* Generate from some basic information a prototype SIG RR containing * Generate from some basic information a prototype SIG RR containing
* everything but the actual signature itself. * everything but the actual signature itself.
* *
* @param rrset * @param rrset
* the RRset being signed. * the RRset being signed.
* @param key * @param key
@ -143,16 +106,15 @@ public class SignUtils {
* @return a prototype signature based on the RRset and key information. * @return a prototype signature based on the RRset and key information.
*/ */
public static RRSIGRecord generatePreRRSIG(RRset rrset, DNSKEYRecord key, public static RRSIGRecord generatePreRRSIG(RRset rrset, DNSKEYRecord key,
Date start, Date expire, Date start, Date expire, long sig_ttl) {
long sig_ttl) {
return generatePreRRSIG(rrset, key.getName(), key.getAlgorithm(), return generatePreRRSIG(rrset, key.getName(), key.getAlgorithm(),
key.getFootprint(), start, expire, sig_ttl); key.getFootprint(), start, expire, sig_ttl);
} }
/** /**
* Generate from some basic information a prototype SIG RR containing * Generate from some basic information a prototype SIG RR containing
* everything but the actual signature itself. * everything but the actual signature itself.
* *
* @param rec * @param rec
* the DNS record being signed (forming an entire RRset). * the DNS record being signed (forming an entire RRset).
* @param key * @param key
@ -166,29 +128,28 @@ public class SignUtils {
* @return a prototype signature based on the Record and key information. * @return a prototype signature based on the Record and key information.
*/ */
public static RRSIGRecord generatePreRRSIG(Record rec, DNSKEYRecord key, public static RRSIGRecord generatePreRRSIG(Record rec, DNSKEYRecord key,
Date start, Date expire, Date start, Date expire, long sig_ttl) {
long sig_ttl) {
return new RRSIGRecord(rec.getName(), rec.getDClass(), sig_ttl, return new RRSIGRecord(rec.getName(), rec.getDClass(), sig_ttl,
rec.getType(), key.getAlgorithm(), rec.getTTL(), expire, start, rec.getType(), key.getAlgorithm(), rec.getTTL(), expire, start,
key.getFootprint(), key.getName(), null); key.getFootprint(), key.getName(), null);
} }
/** /**
* Generate the binary image of the prototype SIG RR. * Generate the binary image of the prototype SIG RR.
* *
* @param presig * @param presig
* the SIG RR prototype. * the SIG RR prototype.
* @return the RDATA portion of the prototype SIG record. This forms the * @return the RDATA portion of the prototype SIG record. This forms the
* first part of the data to be signed. * first part of the data to be signed.
*/ */
private static byte[] generatePreSigRdata(RRSIGRecord presig) { private static byte [] generatePreSigRdata(RRSIGRecord presig) {
// Generate the binary image; // Generate the binary image;
DNSOutput image = new DNSOutput(); DNSOutput image = new DNSOutput();
// precalculate some things // precalculate some things
int start_time = (int) (presig.getTimeSigned().getTime() / 1000); int start_time = (int) (presig.getTimeSigned().getTime() / 1000);
int expire_time = (int) (presig.getExpire().getTime() / 1000); int expire_time = (int) (presig.getExpire().getTime() / 1000);
Name signer = presig.getSigner(); Name signer = presig.getSigner();
// first write out the partial SIG record (this is the SIG RDATA // first write out the partial SIG record (this is the SIG RDATA
// minus the actual signature. // minus the actual signature.
@ -206,7 +167,7 @@ public class SignUtils {
/** /**
* Calculate the canonical wire line format of the RRset. * Calculate the canonical wire line format of the RRset.
* *
* @param rrset * @param rrset
* the RRset to convert. * the RRset to convert.
* @param ttl * @param ttl
@ -219,54 +180,63 @@ public class SignUtils {
* part of data to be signed. * part of data to be signed.
*/ */
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
public static byte[] generateCanonicalRRsetData(RRset rrset, long ttl, public static byte [] generateCanonicalRRsetData(RRset rrset, long ttl,
int labels) { int labels) {
DNSOutput image = new DNSOutput(); DNSOutput image = new DNSOutput();
if (ttl == 0) ttl = rrset.getTTL(); if (ttl == 0) {
ttl = rrset.getTTL();
}
Name n = rrset.getName(); Name n = rrset.getName();
if (labels == 0) { if (labels == 0) {
labels = n.labels(); labels = n.labels();
} else { } else {
// correct for Name()'s conception of label count. // correct for Name()'s conception of label count.
labels++; labels++;
} }
boolean wildcardName = false; boolean wildcardName = false;
if (n.labels() != labels) { if (n.labels() != labels) {
n = n.wild(n.labels() - labels); n = n.wild(n.labels() - labels);
wildcardName = true; wildcardName = true;
// log.trace("Detected wildcard expansion: " + rrset.getName() + log.trace("Detected wildcard expansion: " + rrset.getName() +
// " changed to " + n); " changed to " + n);
} }
// now convert the wire format records in the RRset into a // now convert the wire format records in the RRset into a
// list of byte arrays. // list of byte arrays.
ArrayList<byte[]> canonical_rrs = new ArrayList<byte[]>(); ArrayList<byte []> canonical_rrs = new ArrayList<byte []>();
for (Iterator i = rrset.rrs(); i.hasNext();) { for (Iterator i = rrset.rrs(); i.hasNext();) {
Record r = (Record) i.next(); Record r = (Record) i.next();
if (r.getTTL() != ttl || wildcardName) {
if ((r.getTTL() != ttl) || wildcardName) {
// If necessary, we need to create a new record with a new ttl // If necessary, we need to create a new record with a new ttl
// or ownername. // or ownername.
// In the TTL case, this avoids changing the ttl in the // In the TTL case, this avoids changing the ttl in the
// response. // response.
r = Record.newRecord(n, r.getType(), r.getDClass(), ttl, r = Record.newRecord(n, r.getType(), r.getDClass(), ttl,
r.rdataToWireCanonical()); r.rdataToWireCanonical());
} }
byte[] wire_fmt = r.toWireCanonical();
byte [] wire_fmt = r.toWireCanonical();
canonical_rrs.add(wire_fmt); canonical_rrs.add(wire_fmt);
} }
// put the records into the correct ordering. // put the records into the correct ordering.
// Calculate the offset where the RDATA begins (we have to skip // Calculate the offset where the RDATA begins (we have to skip
// past the length byte) // past the length byte)
int offset = rrset.getName().toWireCanonical().length +
int offset = rrset.getName().toWireCanonical().length + 10; 10;
ByteArrayComparator bac = new ByteArrayComparator(offset, false); ByteArrayComparator bac = new ByteArrayComparator(offset, false);
Collections.sort(canonical_rrs, bac); Collections.sort(canonical_rrs, bac);
for (Iterator<byte[]> i = canonical_rrs.iterator(); i.hasNext();) { for (Iterator<byte []> i = canonical_rrs.iterator(); i.hasNext();) {
byte[] wire_fmt_rec = i.next(); byte [] wire_fmt_rec = i.next();
image.writeByteArray(wire_fmt_rec); image.writeByteArray(wire_fmt_rec);
} }
@ -276,18 +246,17 @@ public class SignUtils {
/** /**
* Given an RRset and the prototype signature, generate the canonical data * Given an RRset and the prototype signature, generate the canonical data
* that is to be signed. * that is to be signed.
* *
* @param rrset * @param rrset
* the RRset to be signed. * the RRset to be signed.
* @param presig * @param presig
* a prototype SIG RR created using the same RRset. * a prototype SIG RR created using the same RRset.
* @return a block of data ready to be signed. * @return a block of data ready to be signed.
*/ */
public static byte[] generateSigData(RRset rrset, RRSIGRecord presig) public static byte [] generateSigData(RRset rrset, RRSIGRecord presig)
throws IOException { throws IOException {
byte[] rrset_data = generateCanonicalRRsetData(rrset, byte [] rrset_data = generateCanonicalRRsetData(rrset,
presig.getOrigTTL(), presig.getOrigTTL(), presig.getLabels());
presig.getLabels());
return generateSigData(rrset_data, presig); return generateSigData(rrset_data, presig);
} }
@ -295,7 +264,7 @@ public class SignUtils {
/** /**
* Given an RRset and the prototype signature, generate the canonical data * Given an RRset and the prototype signature, generate the canonical data
* that is to be signed. * that is to be signed.
* *
* @param rrset_data * @param rrset_data
* the RRset converted into canonical wire line format (as per * the RRset converted into canonical wire line format (as per
* the canonicalization rules in RFC 2535). * the canonicalization rules in RFC 2535).
@ -304,12 +273,12 @@ public class SignUtils {
* <code>rrset_data</code>. * <code>rrset_data</code>.
* @return a block of data ready to be signed. * @return a block of data ready to be signed.
*/ */
public static byte[] generateSigData(byte[] rrset_data, RRSIGRecord presig) public static byte [] generateSigData(byte [] rrset_data, RRSIGRecord presig)
throws IOException { throws IOException {
byte[] sig_rdata = generatePreSigRdata(presig); byte [] sig_rdata = generatePreSigRdata(presig);
ByteArrayOutputStream image = new ByteArrayOutputStream( ByteArrayOutputStream image = new ByteArrayOutputStream(sig_rdata.length +
sig_rdata.length + rrset_data.length); rrset_data.length);
image.write(sig_rdata); image.write(sig_rdata);
image.write(rrset_data); image.write(rrset_data);
@ -320,33 +289,33 @@ public class SignUtils {
/** /**
* Given the actual signature and the prototype signature, combine them and * Given the actual signature and the prototype signature, combine them and
* return the fully formed RRSIGRecord. * return the fully formed RRSIGRecord.
* *
* @param signature * @param signature
* the cryptographic signature, in DNSSEC format. * the cryptographic signature, in DNSSEC format.
* @param presig * @param presig
* the prototype RRSIG RR to add the signature to. * the prototype RRSIG RR to add the signature to.
* @return the fully formed RRSIG RR. * @return the fully formed RRSIG RR.
*/ */
public static RRSIGRecord generateRRSIG(byte[] signature, RRSIGRecord presig) { public static RRSIGRecord generateRRSIG(byte [] signature,
RRSIGRecord presig) {
return new RRSIGRecord(presig.getName(), presig.getDClass(), return new RRSIGRecord(presig.getName(), presig.getDClass(),
presig.getTTL(), presig.getTypeCovered(), presig.getTTL(), presig.getTypeCovered(), presig.getAlgorithm(),
presig.getAlgorithm(), presig.getOrigTTL(), presig.getExpire(), presig.getOrigTTL(), presig.getExpire(), presig.getTimeSigned(),
presig.getTimeSigned(), presig.getFootprint(), presig.getFootprint(), presig.getSigner(), signature);
presig.getSigner(), signature);
} }
/** /**
* Converts from a RFC 2536 formatted DSA signature to a JCE (ASN.1) * Converts from a RFC 2536 formatted DSA signature to a JCE (ASN.1)
* formatted signature. * formatted signature.
* *
* <p> * <p>
* ASN.1 format = ASN1_SEQ . seq_length . ASN1_INT . Rlength . R . ANS1_INT * ASN.1 format = ASN1_SEQ . seq_length . ASN1_INT . Rlength . R . ANS1_INT
* . Slength . S * . Slength . S
* </p> * </p>
* *
* The integers R and S may have a leading null byte to force the integer * The integers R and S may have a leading null byte to force the integer
* positive. * positive.
* *
* @param signature * @param signature
* the RFC 2536 formatted DSA signature. * the RFC 2536 formatted DSA signature.
* @return The ASN.1 formatted DSA signature. * @return The ASN.1 formatted DSA signature.
@ -354,43 +323,53 @@ public class SignUtils {
* if there was something wrong with the RFC 2536 formatted * if there was something wrong with the RFC 2536 formatted
* signature. * signature.
*/ */
public static byte[] convertDSASignature(byte[] signature) public static byte [] convertDSASignature(byte [] signature)
throws SignatureException { throws SignatureException {
if (signature.length != 41) if (signature.length != 41) {
throw new SignatureException( throw new SignatureException(
"RFC 2536 signature not expected length."); "RFC 2536 signature not expected length.");
}
byte r_pad = 0; byte r_pad = 0;
byte s_pad = 0; byte s_pad = 0;
// handle initial null byte padding. // handle initial null byte padding.
if (signature[1] < 0) r_pad++; if (signature[1] < 0) {
if (signature[21] < 0) s_pad++; r_pad++;
}
if (signature[21] < 0) {
s_pad++;
}
// ASN.1 length = R length + S length + (2 + 2 + 2), where each 2 // ASN.1 length = R length + S length + (2 + 2 + 2), where each 2
// is for a ASN.1 type-length byte pair of which there are three // is for a ASN.1 type-length byte pair of which there are three
// (SEQ, INT, INT). // (SEQ, INT, INT).
byte sig_length = (byte) (40 + r_pad + s_pad + 6); byte sig_length = (byte) (40 + r_pad + s_pad + 6);
byte sig[] = new byte[sig_length]; byte [] sig = new byte[sig_length];
byte pos = 0; byte pos = 0;
sig[pos++] = ASN1_SEQ; sig[pos++] = ASN1_SEQ;
sig[pos++] = (byte) (sig_length - 2); // all but the SEQ type+length. sig[pos++] = (byte) (sig_length - 2); // all but the SEQ type+length.
sig[pos++] = ASN1_INT; sig[pos++] = ASN1_INT;
sig[pos++] = (byte) (20 + r_pad); sig[pos++] = (byte) (20 + r_pad);
// copy the value of R, leaving a null byte if necessary // copy the value of R, leaving a null byte if necessary
if (r_pad == 1) sig[pos++] = 0; if (r_pad == 1) {
sig[pos++] = 0;
}
System.arraycopy(signature, 1, sig, pos, 20); System.arraycopy(signature, 1, sig, pos, 20);
pos += 20; pos += 20;
sig[pos++] = ASN1_INT; sig[pos++] = ASN1_INT;
sig[pos++] = (byte) (20 + s_pad); sig[pos++] = (byte) (20 + s_pad);
// copy the value of S, leaving a null byte if necessary // copy the value of S, leaving a null byte if necessary
if (s_pad == 1) sig[pos++] = 0; if (s_pad == 1) {
sig[pos++] = 0;
}
System.arraycopy(signature, 21, sig, pos, 20); System.arraycopy(signature, 21, sig, pos, 20);
@ -400,15 +379,15 @@ public class SignUtils {
/** /**
* Converts from a JCE (ASN.1) formatted DSA signature to a RFC 2536 * Converts from a JCE (ASN.1) formatted DSA signature to a RFC 2536
* compliant signature. * compliant signature.
* *
* <p> * <p>
* rfc2536 format = T . R . S * rfc2536 format = T . R . S
* </p> * </p>
* *
* where T is a number between 0 and 8, which is based on the DSA key * where T is a number between 0 and 8, which is based on the DSA key
* length, and R & S are formatted to be exactly 20 bytes each (no leading * length, and R & S are formatted to be exactly 20 bytes each (no leading
* null bytes). * null bytes).
* *
* @param params * @param params
* the DSA parameters associated with the DSA key used to * the DSA parameters associated with the DSA key used to
* generate the signature. * generate the signature.
@ -418,25 +397,25 @@ public class SignUtils {
* @throws SignatureException * @throws SignatureException
* if something is wrong with the ASN.1 format. * if something is wrong with the ASN.1 format.
*/ */
public static byte[] convertDSASignature(DSAParams params, byte[] signature) public static byte [] convertDSASignature(DSAParams params,
throws SignatureException { byte [] signature) throws SignatureException {
if (signature[0] != ASN1_SEQ || signature[2] != ASN1_INT) { if ((signature[0] != ASN1_SEQ) || (signature[2] != ASN1_INT)) {
throw new SignatureException( throw new SignatureException(
"Invalid ASN.1 signature format: expected SEQ, INT"); "Invalid ASN.1 signature format: expected SEQ, INT");
} }
byte r_pad = (byte) (signature[3] - 20); byte r_pad = (byte) (signature[3] - 20);
if (signature[24 + r_pad] != ASN1_INT) { if (signature[24 + r_pad] != ASN1_INT) {
throw new SignatureException( throw new SignatureException(
"Invalid ASN.1 signature format: expected SEQ, INT, INT"); "Invalid ASN.1 signature format: expected SEQ, INT, INT");
} }
// log.trace("(start) ASN.1 DSA Sig:\n" + base64.toString(signature)); log.trace("(start) ASN.1 DSA Sig:\n" + base64.toString(signature));
byte s_pad = (byte) (signature[25 + r_pad] - 20); byte s_pad = (byte) (signature[25 + r_pad] - 20);
byte[] sig = new byte[41]; // all rfc2536 signatures are 41 bytes. byte [] sig = new byte[41]; // all rfc2536 signatures are 41 bytes.
// Calculate T: // Calculate T:
sig[0] = (byte) ((params.getP().bitLength() - 512) / 64); sig[0] = (byte) ((params.getP().bitLength() - 512) / 64);
@ -458,19 +437,50 @@ public class SignUtils {
// S is shorter than 20 bytes, so right justify the number // S is shorter than 20 bytes, so right justify the number
// (s_pad is negative here). // (s_pad is negative here).
Arrays.fill(sig, 21, 21 - s_pad, (byte) 0); Arrays.fill(sig, 21, 21 - s_pad, (byte) 0);
System.arraycopy(signature, 26 + r_pad, sig, 21 - s_pad, 20 + s_pad); System.arraycopy(signature, 26 + r_pad, sig, 21 - s_pad, 20 +
s_pad);
} }
// if (r_pad < 0 || s_pad < 0) if ((r_pad < 0) || (s_pad < 0)) {
// { log.trace("(finish ***) RFC 2536 DSA Sig:\n" +
// log.trace("(finish ***) RFC 2536 DSA Sig:\n" + base64.toString(sig)); base64.toString(sig));
// } else {
// } log.trace("(finish) RFC 2536 DSA Sig:\n" + base64.toString(sig));
// else }
// {
// log.trace("(finish) RFC 2536 DSA Sig:\n" + base64.toString(sig));
// }
return sig; return sig;
} }
/**
* This class implements a basic comparator for byte arrays. It is primarily
* useful for comparing RDATA portions of DNS records in doing DNSSEC
* canonical ordering.
*/
public static class ByteArrayComparator implements Comparator<byte []> {
private int mOffset = 0;
private boolean mDebug = false;
public ByteArrayComparator() {}
public ByteArrayComparator(int offset, boolean debug) {
mOffset = offset;
mDebug = debug;
}
public int compare(byte [] b1, byte [] b2) throws ClassCastException {
for (int i = mOffset; (i < b1.length) && (i < b2.length); i++) {
if (b1[i] != b2[i]) {
if (mDebug) {
System.out.println("offset " + i +
" differs (this is " + (i - mOffset) +
" bytes in from our offset.)");
}
return (b1[i] & 0xFF) - (b2[i] & 0xFF);
}
}
return b1.length - b2.length;
}
}
} }

90
src/com/versign/tat/dnssec/TrustAnchorStore.java
View File

@ -1,37 +1,32 @@
/* /***************************** -*- Java -*- ********************************\
* Copyright (c) 2009 VeriSign, Inc. All rights reserved. * *
* * Copyright (c) 2009 VeriSign, Inc. All rights reserved. *
* Redistribution and use in source and binary forms, with or without * *
* modification, are permitted provided that the following conditions * This software is provided solely in connection with the terms of the *
* are met: * license agreement. Any other use without the prior express written *
* * permission of VeriSign is completely prohibited. The software and *
* 1. Redistributions of source code must retain the above copyright * documentation are "Commercial Items", as that term is defined in 48 *
* notice, this list of conditions and the following disclaimer. * C.F.R. section 2.101, consisting of "Commercial Computer Software" and *
* 2. Redistributions in binary form must reproduce the above copyright * "Commercial Computer Software Documentation" as such terms are defined *
* notice, this list of conditions and the following disclaimer in the * in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section *
* documentation and/or other materials provided with the distribution. * 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. *
* 3. The name of the author may not be used to endorse or promote products * section 227.7202, as applicable. Pursuant to the above and other *
* derived from this software without specific prior written permission. * relevant sections of the Code of Federal Regulations, as applicable, *
* * VeriSign's publications, commercial computer software, and commercial *
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * computer software documentation are distributed and licensed to United *
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * States Government end users with only those rights as granted to all *
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * other end users, according to the terms and conditions contained in the *
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * license agreement(s) that accompany the products and software *
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * documentation. *
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * *
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \***************************************************************************/
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
package com.versign.tat.dnssec; package com.verisign.tat.dnssec;
import java.util.HashMap; import org.xbill.DNS.*;
import java.util.Map;
import java.util.*;
import org.xbill.DNS.Name;
/** /**
* *
@ -51,6 +46,7 @@ public class TrustAnchorStore {
if (mMap == null) { if (mMap == null) {
mMap = new HashMap<String, SRRset>(); mMap = new HashMap<String, SRRset>();
} }
String k = key(rrset.getName(), rrset.getDClass()); String k = key(rrset.getName(), rrset.getDClass());
rrset.setSecurityStatus(SecurityStatus.SECURE); rrset.setSecurityStatus(SecurityStatus.SECURE);
@ -58,25 +54,49 @@ public class TrustAnchorStore {
} }
private SRRset lookup(String key) { private SRRset lookup(String key) {
if (mMap == null) return null; if (mMap == null) {
return null;
}
return mMap.get(key); return mMap.get(key);
} }
public SRRset find(Name n, int dclass) { public SRRset find(Name n, int dclass) {
if (mMap == null) return null; if (mMap == null) {
return null;
}
while (n.labels() > 0) { while (n.labels() > 0) {
String k = key(n, dclass); String k = key(n, dclass);
SRRset r = lookup(k); SRRset r = lookup(k);
if (r != null) return r;
if (r != null) {
return r;
}
n = new Name(n, 1); n = new Name(n, 1);
} }
return null; return null;
} }
public boolean isBelowTrustAnchor(Name n, int dclass) { public boolean isBelowTrustAnchor(Name n, int dclass) {
return find(n, dclass) != null; return find(n, dclass) != null;
} }
public List<String> listTrustAnchors() {
List<String> res = new ArrayList<String>();
for (Map.Entry<String, SRRset> entry : mMap.entrySet()) {
for (Iterator<Record> i = entry.getValue().rrs(); i.hasNext();) {
DNSKEYRecord r = (DNSKEYRecord) i.next();
String key_desc = r.getName().toString() + "/" +
DNSSEC.Algorithm.string(r.getAlgorithm()) + "/" +
r.getFootprint();
res.add(key_desc);
}
}
return res;
}
} }

192
src/com/versign/tat/dnssec/Util.java
View File

@ -1,115 +1,109 @@
/* /***************************** -*- Java -*- ********************************\
* $Id$ * *
* * Copyright (c) 2009 VeriSign, Inc. All rights reserved. *
* Copyright (c) 2005 VeriSign. All rights reserved. * *
* * This software is provided solely in connection with the terms of the *
* Redistribution and use in source and binary forms, with or without * license agreement. Any other use without the prior express written *
* modification, are permitted provided that the following conditions are met: * permission of VeriSign is completely prohibited. The software and *
* * documentation are "Commercial Items", as that term is defined in 48 *
* 1. Redistributions of source code must retain the above copyright notice, * C.F.R. section 2.101, consisting of "Commercial Computer Software" and *
* this list of conditions and the following disclaimer. 2. Redistributions in * "Commercial Computer Software Documentation" as such terms are defined *
* binary form must reproduce the above copyright notice, this list of * in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section *
* conditions and the following disclaimer in the documentation and/or other * 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. *
* materials provided with the distribution. 3. The name of the author may not * section 227.7202, as applicable. Pursuant to the above and other *
* be used to endorse or promote products derived from this software without * relevant sections of the Code of Federal Regulations, as applicable, *
* specific prior written permission. * VeriSign's publications, commercial computer software, and commercial *
* * computer software documentation are distributed and licensed to United *
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * States Government end users with only those rights as granted to all *
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * other end users, according to the terms and conditions contained in the *
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN * license agreement(s) that accompany the products and software *
* NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * documentation. *
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED * *
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR \***************************************************************************/
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
package com.versign.tat.dnssec; package com.verisign.tat.dnssec;
import org.xbill.DNS.Name;
import java.util.*; import java.util.*;
import org.xbill.DNS.Name;
/** /**
* Some basic utility functions. * Some basic utility functions.
*/ */
public class Util public class Util {
{ /**
* Convert a DNS name into a string suitable for use as a cache key.
*
* @param name The name to convert.
* @return A string representing the name. This isn't ever meant to be
* converted back into a DNS name.
*/
public static String nameToString(Name name) {
if (name.equals(Name.root)) {
return ".";
}
/** String n = name.toString().toLowerCase();
* Convert a DNS name into a string suitable for use as a cache key.
*
* @param name The name to convert.
* @return A string representing the name. This isn't ever meant to be
* converted back into a DNS name.
*/
public static String nameToString(Name name)
{
if (name.equals(Name.root)) return ".";
String n = name.toString().toLowerCase(); if (n.endsWith(".")) {
if (n.endsWith(".")) n = n.substring(0, n.length() - 1); n = n.substring(0, n.length() - 1);
}
return n; return n;
} }
public static int parseInt(String s, int def) public static int parseInt(String s, int def) {
{ if (s == null) {
if (s == null) return def; return def;
try }
{
return Integer.parseInt(s);
}
catch (NumberFormatException e)
{
return def;
}
}
public static long parseLong(String s, long def) try {
{ return Integer.parseInt(s);
if (s == null) return def; } catch (NumberFormatException e) {
try return def;
{ }
return Long.parseLong(s); }
}
catch (NumberFormatException e) public static long parseLong(String s, long def) {
{ if (s == null) {
return def; return def;
} }
}
try {
public static class ConfigEntry return Long.parseLong(s);
{ } catch (NumberFormatException e) {
public String key; return def;
public String value; }
}
public ConfigEntry(String key, String value)
{ public static List<ConfigEntry> parseConfigPrefix(Properties config,
this.key = key; this.value = value; String prefix) {
} if (!prefix.endsWith(".")) {
} prefix = prefix + ".";
}
public static List<ConfigEntry> parseConfigPrefix(Properties config, String prefix)
{ List<ConfigEntry> res = new ArrayList<ConfigEntry>();
if (! prefix.endsWith("."))
{ for (Map.Entry<Object, Object> entry : config.entrySet()) {
prefix = prefix + "."; String key = (String) entry.getKey();
}
if (key.startsWith(prefix)) {
List<ConfigEntry> res = new ArrayList<ConfigEntry>(); key = key.substring(prefix.length());
res.add(new ConfigEntry(key, (String) entry.getValue()));
for (Map.Entry<Object, Object> entry : config.entrySet()) { }
String key = (String) entry.getKey(); }
if (key.startsWith(prefix)) {
key = key.substring(prefix.length()); return res;
res.add(new ConfigEntry(key, (String) entry.getValue())); }
public static class ConfigEntry {
public String key;
public String value;
public ConfigEntry(String key, String value) {
this.key = key;
this.value = value;
} }
} }
return res;
}
} }

358
src/com/versign/tat/dnssec/ValUtils.java
View File

@ -1,66 +1,48 @@
/* /***************************** -*- Java -*- ********************************\
* Copyright (c) 2009 VeriSign, Inc. All rights reserved. * *
* * Copyright (c) 2009 VeriSign, Inc. All rights reserved. *
* Redistribution and use in source and binary forms, with or without * *
* modification, are permitted provided that the following conditions * This software is provided solely in connection with the terms of the *
* are met: * license agreement. Any other use without the prior express written *
* * permission of VeriSign is completely prohibited. The software and *
* 1. Redistributions of source code must retain the above copyright * documentation are "Commercial Items", as that term is defined in 48 *
* notice, this list of conditions and the following disclaimer. * C.F.R. section 2.101, consisting of "Commercial Computer Software" and *
* 2. Redistributions in binary form must reproduce the above copyright * "Commercial Computer Software Documentation" as such terms are defined *
* notice, this list of conditions and the following disclaimer in the * in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section *
* documentation and/or other materials provided with the distribution. * 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. *
* 3. The name of the author may not be used to endorse or promote products * section 227.7202, as applicable. Pursuant to the above and other *
* derived from this software without specific prior written permission. * relevant sections of the Code of Federal Regulations, as applicable, *
* * VeriSign's publications, commercial computer software, and commercial *
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * computer software documentation are distributed and licensed to United *
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * States Government end users with only those rights as granted to all *
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * other end users, according to the terms and conditions contained in the *
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * license agreement(s) that accompany the products and software *
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * documentation. *
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * *
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \***************************************************************************/
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
package com.versign.tat.dnssec; package com.verisign.tat.dnssec;
import org.apache.log4j.Logger;
import org.xbill.DNS.*;
import java.security.MessageDigest; import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.util.Iterator; import java.util.Iterator;
import org.xbill.DNS.*;
/** /**
* This is a collection of routines encompassing the logic of validating * This is a collection of routines encompassing the logic of validating
* different message types. * different message types.
*/ */
public class ValUtils { public class ValUtils {
private static Logger st_log = Logger.getLogger(ValUtils.class);
// These are response subtypes. They are necessary for determining the private Logger log = Logger.getLogger(this.getClass());
// validation strategy. They have no bearing on the iterative resolution
// algorithm, so they are confined here.
public enum ResponseType {
UNTYPED, // not sub typed yet
UNKNOWN, // not a recognized sub type
POSITIVE, // a positive response (no CNAME/DNAME chain)
CNAME, // a positive response with a CNAME/DNAME chain.
NODATA, // a NOERROR/NODATA response
NAMEERROR, // a NXDOMAIN response
ANY, // a response to a qtype=ANY query
REFERRAL,
// a referral response
THROWAWAY
// a throwaway response (i.e., an error)
}
/** A local copy of the verifier object. */ /** A local copy of the verifier object. */
private DnsSecVerifier mVerifier; private DnsSecVerifier mVerifier;
public ValUtils(DnsSecVerifier verifier) { public ValUtils(DnsSecVerifier verifier) {
mVerifier = verifier; mVerifier = verifier;
@ -68,18 +50,19 @@ public class ValUtils {
/** /**
* Given a response, classify ANSWER responses into a subtype. * Given a response, classify ANSWER responses into a subtype.
* *
* @param m * @param m
* The response to classify. * The response to classify.
* *
* @return A subtype ranging from UNKNOWN to NAMEERROR. * @return A subtype ranging from UNKNOWN to NAMEERROR.
*/ */
public static ResponseType classifyResponse(SMessage m, Name zone) { public static ResponseType classifyResponse(SMessage m, Name zone) {
SRRset [] rrsets;
SRRset[] rrsets;
// Normal Name Error's are easy to detect -- but don't mistake a CNAME // Normal Name Error's are easy to detect -- but don't mistake a CNAME
// chain ending in NXDOMAIN. // chain ending in NXDOMAIN.
if (m.getRcode() == Rcode.NXDOMAIN && m.getCount(Section.ANSWER) == 0) { if ((m.getRcode() == Rcode.NXDOMAIN) &&
(m.getCount(Section.ANSWER) == 0)) {
return ResponseType.NAMEERROR; return ResponseType.NAMEERROR;
} }
@ -92,12 +75,13 @@ public class ValUtils {
// 1) nothing in the ANSWER section // 1) nothing in the ANSWER section
// 2) an NS RRset in the AUTHORITY section that is a strict subdomain of // 2) an NS RRset in the AUTHORITY section that is a strict subdomain of
// 'zone' (the presumed queried zone). // 'zone' (the presumed queried zone).
if (zone != null && m.getCount(Section.ANSWER) == 0 if ((zone != null) && (m.getCount(Section.ANSWER) == 0) &&
&& m.getCount(Section.AUTHORITY) > 0) { (m.getCount(Section.AUTHORITY) > 0)) {
rrsets = m.getSectionRRsets(Section.AUTHORITY); rrsets = m.getSectionRRsets(Section.AUTHORITY);
for (int i = 0; i < rrsets.length; ++i) { for (int i = 0; i < rrsets.length; ++i) {
if (rrsets[i].getType() == Type.NS if ((rrsets[i].getType() == Type.NS) &&
&& strictSubdomain(rrsets[i].getName(), zone)) { strictSubdomain(rrsets[i].getName(), zone)) {
return ResponseType.REFERRAL; return ResponseType.REFERRAL;
} }
} }
@ -123,11 +107,17 @@ public class ValUtils {
// Note that DNAMEs will be ignored here, unless qtype=DNAME. Unless // Note that DNAMEs will be ignored here, unless qtype=DNAME. Unless
// qtype=CNAME, this will yield a CNAME response. // qtype=CNAME, this will yield a CNAME response.
for (int i = 0; i < rrsets.length; i++) { for (int i = 0; i < rrsets.length; i++) {
if (rrsets[i].getType() == qtype) return ResponseType.POSITIVE; if (rrsets[i].getType() == qtype) {
if (rrsets[i].getType() == Type.CNAME) return ResponseType.CNAME; return ResponseType.POSITIVE;
}
if (rrsets[i].getType() == Type.CNAME) {
return ResponseType.CNAME;
}
} }
// st_log.warn("Failed to classify response message:\n" + m); st_log.warn("Failed to classify response message:\n" + m);
return ResponseType.UNKNOWN; return ResponseType.UNKNOWN;
} }
@ -135,7 +125,7 @@ public class ValUtils {
* Given a response, determine the name of the "signer". This is primarily * Given a response, determine the name of the "signer". This is primarily
* to determine if the response is, in fact, signed at all, and, if so, what * to determine if the response is, in fact, signed at all, and, if so, what
* is the name of the most pertinent keyset. * is the name of the most pertinent keyset.
* *
* @param m * @param m
* The response to analyze. * The response to analyze.
* @return a signer name, if the response is signed (even partially), or * @return a signer name, if the response is signed (even partially), or
@ -145,28 +135,32 @@ public class ValUtils {
// FIXME: this used to classify the message, then look in the pertinent // FIXME: this used to classify the message, then look in the pertinent
// section. Now we just find the first RRSIG in the ANSWER and AUTHORIY // section. Now we just find the first RRSIG in the ANSWER and AUTHORIY
// sections. // sections.
for (int section = Section.ANSWER; section < Section.ADDITIONAL;
++section) {
SRRset [] rrsets = m.getSectionRRsets(section);
for (int section = Section.ANSWER; section < Section.ADDITIONAL; ++section) {
SRRset[] rrsets = m.getSectionRRsets(section);
for (int i = 0; i < rrsets.length; ++i) { for (int i = 0; i < rrsets.length; ++i) {
Name signerName = rrsets[i].getSignerName(); Name signerName = rrsets[i].getSignerName();
if (signerName != null) return signerName;
if (signerName != null) {
return signerName;
}
} }
} }
return null; return null;
} }
/** /**
* Given a DNSKEY record, generate the DS record from it. * Given a DNSKEY record, generate the DS record from it.
* *
* @param keyrec * @param keyrec
* the DNSKEY record in question. * the DNSKEY record in question.
* @param ds_alg * @param ds_alg
* The DS digest algorithm in use. * The DS digest algorithm in use.
* @return the corresponding {@link org.xbill.DNS.DSRecord} * @return the corresponding {@link org.xbill.DNS.DSRecord}
*/ */
public static byte[] calculateDSHash(DNSKEYRecord keyrec, int ds_alg) { public static byte [] calculateDSHash(DNSKEYRecord keyrec, int ds_alg) {
DNSOutput os = new DNSOutput(); DNSOutput os = new DNSOutput();
os.writeByteArray(keyrec.getName().toWireCanonical()); os.writeByteArray(keyrec.getName().toWireCanonical());
@ -174,65 +168,81 @@ public class ValUtils {
try { try {
MessageDigest md = null; MessageDigest md = null;
switch (ds_alg) {
case DSRecord.SHA1_DIGEST_ID:
md = MessageDigest.getInstance("SHA");
return md.digest(os.toByteArray());
case DSRecord.SHA256_DIGEST_ID:
md = MessageDigest.getInstance("SHA256");
return md.digest(os.toByteArray());
default:
// st_log.warn("Unknown DS algorithm: " + ds_alg);
return null;
}
switch (ds_alg) {
case DSRecord.SHA1_DIGEST_ID:
md = MessageDigest.getInstance("SHA");
return md.digest(os.toByteArray());
case DSRecord.SHA256_DIGEST_ID:
md = MessageDigest.getInstance("SHA256");
return md.digest(os.toByteArray());
default:
st_log.warn("Unknown DS algorithm: " + ds_alg);
return null;
}
} catch (NoSuchAlgorithmException e) { } catch (NoSuchAlgorithmException e) {
// st_log.error("Error using DS algorithm: " + ds_alg, e); st_log.error("Error using DS algorithm: " + ds_alg, e);
return null; return null;
} }
} }
public static boolean supportsDigestID(int digest_id) { public static boolean supportsDigestID(int digest_id) {
if (digest_id == DSRecord.SHA1_DIGEST_ID) return true; if (digest_id == DSRecord.SHA1_DIGEST_ID) {
if (digest_id == DSRecord.SHA256_DIGEST_ID) return true; return true;
}
if (digest_id == DSRecord.SHA256_DIGEST_ID) {
return true;
}
return false; return false;
} }
/** /**
* Check to see if a type is a special DNSSEC type. * Check to see if a type is a special DNSSEC type.
* *
* @param type * @param type
* The type. * The type.
* *
* @return true if the type is one of the special DNSSEC types. * @return true if the type is one of the special DNSSEC types.
*/ */
public static boolean isDNSSECType(int type) { public static boolean isDNSSECType(int type) {
switch (type) { switch (type) {
case Type.DNSKEY: case Type.DNSKEY:
case Type.NSEC: case Type.NSEC:
case Type.DS: case Type.DS:
case Type.RRSIG: case Type.RRSIG:
case Type.NSEC3: case Type.NSEC3:
return true; return true;
default:
return false; default:
return false;
} }
} }
/** /**
* Set the security status of a particular RRset. This will only upgrade the * Set the security status of a particular RRset. This will only upgrade the
* security status. * security status.
* *
* @param rrset * @param rrset
* The SRRset to update. * The SRRset to update.
* @param security * @param security
* The security status. * The security status.
*/ */
public static void setRRsetSecurity(SRRset rrset, byte security) { public static void setRRsetSecurity(SRRset rrset, byte security) {
if (rrset == null) return; if (rrset == null) {
return;
}
int cur_sec = rrset.getSecurityStatus(); int cur_sec = rrset.getSecurityStatus();
if (cur_sec == SecurityStatus.UNCHECKED || security > cur_sec) {
if ((cur_sec == SecurityStatus.UNCHECKED) || (security > cur_sec)) {
rrset.setSecurityStatus(security); rrset.setSecurityStatus(security);
} }
} }
@ -241,28 +251,33 @@ public class ValUtils {
* Set the security status of a message and all of its RRsets. This will * Set the security status of a message and all of its RRsets. This will
* only upgrade the status of the message (i.e., set to more secure, not * only upgrade the status of the message (i.e., set to more secure, not
* less) and all of the RRsets. * less) and all of the RRsets.
* *
* @param m * @param m
* @param security * @param security
* KeyEntry ke; * KeyEntry ke;
* *
* SMessage m = response.getSMessage(); SRRset ans_rrset = * SMessage m = response.getSMessage(); SRRset ans_rrset =
* m.findAnswerRRset(qname, qtype, qclass); * m.findAnswerRRset(qname, qtype, qclass);
* *
* ke = verifySRRset(ans_rrset, key_rrset); if * ke = verifySRRset(ans_rrset, key_rrset); if
* (ans_rrset.getSecurityStatus() != SecurityStatus.SECURE) { * (ans_rrset.getSecurityStatus() != SecurityStatus.SECURE) {
* return; } key_rrset = ke.getRRset(); * return; } key_rrset = ke.getRRset();
*/ */
public static void setMessageSecurity(SMessage m, byte security) { public static void setMessageSecurity(SMessage m, byte security) {
if (m == null) return; if (m == null) {
return;
}
int cur_sec = m.getStatus(); int cur_sec = m.getStatus();
if (cur_sec == SecurityStatus.UNCHECKED || security > cur_sec) {
if ((cur_sec == SecurityStatus.UNCHECKED) || (security > cur_sec)) {
m.setStatus(security); m.setStatus(security);
} }
for (int section = Section.ANSWER; section <= Section.ADDITIONAL; section++) { for (int section = Section.ANSWER; section <= Section.ADDITIONAL;
SRRset[] rrsets = m.getSectionRRsets(section); section++) {
SRRset [] rrsets = m.getSectionRRsets(section);
for (int i = 0; i < rrsets.length; i++) { for (int i = 0; i < rrsets.length; i++) {
setRRsetSecurity(rrsets[i], security); setRRsetSecurity(rrsets[i], security);
} }
@ -273,7 +288,7 @@ public class ValUtils {
* Given an SRRset that is signed by a DNSKEY found in the key_rrset, verify * Given an SRRset that is signed by a DNSKEY found in the key_rrset, verify
* it. This will return the status (either BOGUS or SECURE) and set that * it. This will return the status (either BOGUS or SECURE) and set that
* status in rrset. * status in rrset.
* *
* @param rrset * @param rrset
* The SRRset to verify. * The SRRset to verify.
* @param key_rrset * @param key_rrset
@ -281,45 +296,49 @@ public class ValUtils {
* @return The status (BOGUS or SECURE). * @return The status (BOGUS or SECURE).
*/ */
public byte verifySRRset(SRRset rrset, SRRset key_rrset) { public byte verifySRRset(SRRset rrset, SRRset key_rrset) {
// String rrset_name = rrset.getName() + "/" String rrset_name = rrset.getName() + "/" +
// + Type.string(rrset.getType()) + "/" Type.string(rrset.getType()) + "/" +
// + DClass.string(rrset.getDClass()); DClass.string(rrset.getDClass());
if (rrset.getSecurityStatus() == SecurityStatus.SECURE) { if (rrset.getSecurityStatus() == SecurityStatus.SECURE) {
// log.trace("verifySRRset: rrset <" + rrset_name log.trace("verifySRRset: rrset <" + rrset_name +
// + "> previously found to be SECURE"); "> previously found to be SECURE");
return SecurityStatus.SECURE; return SecurityStatus.SECURE;
} }
byte status = mVerifier.verify(rrset, key_rrset); byte status = mVerifier.verify(rrset, key_rrset);
if (status != SecurityStatus.SECURE) { if (status != SecurityStatus.SECURE) {
// log.debug("verifySRRset: rrset <" + rrset_name + log.debug("verifySRRset: rrset <" + rrset_name +
// "> found to be BAD"); "> found to be BAD");
status = SecurityStatus.BOGUS; status = SecurityStatus.BOGUS;
} else {
log.trace("verifySRRset: rrset <" + rrset_name +
"> found to be SECURE");
} }
// else
// {
// log.trace("verifySRRset: rrset <" + rrset_name +
// "> found to be SECURE");
// }
rrset.setSecurityStatus(status); rrset.setSecurityStatus(status);
return status; return status;
} }
/** /**
* Determine if a given type map has a given type. * Determine if a given type map has a given type.
* *
* @param types * @param types
* The type map from the NSEC record. * The type map from the NSEC record.
* @param type * @param type
* The type to look for. * The type to look for.
* @return true if the type is present in the type map, false otherwise. * @return true if the type is present in the type map, false otherwise.
*/ */
public static boolean typeMapHasType(int[] types, int type) { public static boolean typeMapHasType(int [] types, int type) {
for (int i = 0; i < types.length; i++) { for (int i = 0; i < types.length; i++) {
if (types[i] == type) return true; if (types[i] == type) {
return true;
}
} }
return false; return false;
} }
@ -328,28 +347,33 @@ public class ValUtils {
for (Iterator i = rrset.sigs(); i.hasNext();) { for (Iterator i = rrset.sigs(); i.hasNext();) {
return (RRSIGRecord) i.next(); return (RRSIGRecord) i.next();
} }
return null; return null;
} }
/** /**
* Finds the longest common name between two domain names. * Finds the longest common name between two domain names.
* *
* @param domain1 * @param domain1
* @param domain2 * @param domain2
* @return * @return
*/ */
public static Name longestCommonName(Name domain1, Name domain2) { public static Name longestCommonName(Name domain1, Name domain2) {
if (domain1 == null || domain2 == null) return null; if ((domain1 == null) || (domain2 == null)) {
return null;
}
// for now, do this in a a fairly brute force way // for now, do this in a a fairly brute force way
// FIXME: convert this to direct operations on the byte[] // FIXME: convert this to direct operations on the byte[]
int d1_labels = domain1.labels(); int d1_labels = domain1.labels();
int d2_labels = domain2.labels(); int d2_labels = domain2.labels();
int l = (d1_labels < d2_labels) ? d1_labels : d2_labels; int l = (d1_labels < d2_labels) ? d1_labels : d2_labels;
for (int i = l; i > 0; i--) { for (int i = l; i > 0; i--) {
Name n1 = new Name(domain1, d1_labels - i); Name n1 = new Name(domain1, d1_labels - i);
Name n2 = new Name(domain2, d2_labels - i); Name n2 = new Name(domain2, d2_labels - i);
if (n1.equals(n2)) { if (n1.equals(n2)) {
return n1; return n1;
} }
@ -361,26 +385,33 @@ public class ValUtils {
public static boolean strictSubdomain(Name child, Name parent) { public static boolean strictSubdomain(Name child, Name parent) {
int clabels = child.labels(); int clabels = child.labels();
int plabels = parent.labels(); int plabels = parent.labels();
if (plabels >= clabels) return false;
if (plabels >= clabels) {
return false;
}
Name n = new Name(child, clabels - plabels); Name n = new Name(child, clabels - plabels);
return parent.equals(n); return parent.equals(n);
} }
/** /**
* Determine by looking at a signed RRset whether or not the rrset name was * Determine by looking at a signed RRset whether or not the rrset name was
* the result of a wildcard expansion. * the result of a wildcard expansion.
* *
* @param rrset * @param rrset
* The rrset to examine. * The rrset to examine.
* @return true if the rrset is a wildcard expansion. This will return false * @return true if the rrset is a wildcard expansion. This will return false
* for all unsigned rrsets. * for all unsigned rrsets.
*/ */
public static boolean rrsetIsWildcardExpansion(RRset rrset) { public static boolean rrsetIsWildcardExpansion(RRset rrset) {
if (rrset == null) return false; if (rrset == null) {
return false;
}
RRSIGRecord rrsig = rrsetFirstSig(rrset); RRSIGRecord rrsig = rrsetFirstSig(rrset);
if (rrset.getName().labels() - 1 > rrsig.getLabels()) { if ((rrset.getName().labels() - 1) > rrsig.getLabels()) {
return true; return true;
} }
@ -391,23 +422,28 @@ public class ValUtils {
* Determine by looking at a signed RRset whether or not the RRset name was * Determine by looking at a signed RRset whether or not the RRset name was
* the result of a wildcard expansion. If so, return the name of the * the result of a wildcard expansion. If so, return the name of the
* generating wildcard. * generating wildcard.
* *
* @param rrset * @param rrset
* The rrset to check. * The rrset to check.
* @return the wildcard name, if the rrset was synthesized from a wildcard. * @return the wildcard name, if the rrset was synthesized from a wildcard.
* null if not. * null if not.
*/ */
public static Name rrsetWildcard(RRset rrset) { public static Name rrsetWildcard(RRset rrset) {
if (rrset == null) return null; if (rrset == null) {
return null;
}
RRSIGRecord rrsig = rrsetFirstSig(rrset); RRSIGRecord rrsig = rrsetFirstSig(rrset);
// if the RRSIG label count is shorter than the number of actual labels, // if the RRSIG label count is shorter than the number of actual labels,
// then this rrset was synthesized from a wildcard. // then this rrset was synthesized from a wildcard.
// Note that the RRSIG label count doesn't count the root label. // Note that the RRSIG label count doesn't count the root label.
int label_diff = (rrset.getName().labels() - 1) - rrsig.getLabels(); int label_diff = (rrset.getName().labels() - 1) - rrsig.getLabels();
if (label_diff > 0) { if (label_diff > 0) {
return rrset.getName().wild(label_diff); return rrset.getName().wild(label_diff);
} }
return null; return null;
} }
@ -430,7 +466,7 @@ public class ValUtils {
/** /**
* Determine if the given NSEC proves a NameError (NXDOMAIN) for a given * Determine if the given NSEC proves a NameError (NXDOMAIN) for a given
* qname. * qname.
* *
* @param nsec * @param nsec
* The NSEC to check. * The NSEC to check.
* @param qname * @param qname
@ -442,9 +478,9 @@ public class ValUtils {
* @return true if the NSEC proves the condition. * @return true if the NSEC proves the condition.
*/ */
public static boolean nsecProvesNameError(NSECRecord nsec, Name qname, public static boolean nsecProvesNameError(NSECRecord nsec, Name qname,
Name signerName) { Name signerName) {
Name owner = nsec.getName(); Name owner = nsec.getName();
Name next = nsec.getNext(); Name next = nsec.getNext();
// If NSEC owner == qname, then this NSEC proves that qname exists. // If NSEC owner == qname, then this NSEC proves that qname exists.
if (qname.equals(owner)) { if (qname.equals(owner)) {
@ -454,24 +490,26 @@ public class ValUtils {
// If NSEC is a parent of qname, we need to check the type map // If NSEC is a parent of qname, we need to check the type map
// If the parent name has a DNAME or is a delegation point, then this // If the parent name has a DNAME or is a delegation point, then this
// NSEC is being misused. // NSEC is being misused.
boolean hasBadType = typeMapHasType(nsec.getTypes(), Type.DNAME) boolean hasBadType = typeMapHasType(nsec.getTypes(), Type.DNAME) ||
|| (typeMapHasType(nsec.getTypes(), Type.NS) && !typeMapHasType(nsec.getTypes(), (typeMapHasType(nsec.getTypes(), Type.NS) &&
Type.SOA)); !typeMapHasType(nsec.getTypes(), Type.SOA));
if (qname.subdomain(owner) && hasBadType) { if (qname.subdomain(owner) && hasBadType) {
return false; return false;
} }
if (qname.compareTo(owner) > 0 && (qname.compareTo(next) < 0) if (((qname.compareTo(owner) > 0) && (qname.compareTo(next) < 0)) ||
|| signerName.equals(next)) { signerName.equals(next)) {
return true; return true;
} }
return false; return false;
} }
/** /**
* Determine if a NSEC record proves the non-existence of a wildcard that * Determine if a NSEC record proves the non-existence of a wildcard that
* could have produced qname. * could have produced qname.
* *
* @param nsec * @param nsec
* The nsec to check. * The nsec to check.
* @param qname * @param qname
@ -481,17 +519,18 @@ public class ValUtils {
* @return true if the NSEC proves the condition. * @return true if the NSEC proves the condition.
*/ */
public static boolean nsecProvesNoWC(NSECRecord nsec, Name qname, public static boolean nsecProvesNoWC(NSECRecord nsec, Name qname,
Name signerName) { Name signerName) {
Name owner = nsec.getName(); Name owner = nsec.getName();
Name next = nsec.getNext(); Name next = nsec.getNext();
int qname_labels = qname.labels(); int qname_labels = qname.labels();
int signer_labels = signerName.labels(); int signer_labels = signerName.labels();
for (int i = qname_labels - signer_labels; i > 0; i--) { for (int i = qname_labels - signer_labels; i > 0; i--) {
Name wc_name = qname.wild(i); Name wc_name = qname.wild(i);
if (wc_name.compareTo(owner) > 0
&& (wc_name.compareTo(next) < 0 || signerName.equals(next))) { if ((wc_name.compareTo(owner) > 0) &&
((wc_name.compareTo(next) < 0) || signerName.equals(next))) {
return true; return true;
} }
} }
@ -505,7 +544,7 @@ public class ValUtils {
* wildcard case. If the ownername of 'nsec' is a wildcard, the validator * wildcard case. If the ownername of 'nsec' is a wildcard, the validator
* must still be provided proof that qname did not directly exist and that * must still be provided proof that qname did not directly exist and that
* the wildcard is, in fact, *.closest_encloser. * the wildcard is, in fact, *.closest_encloser.
* *
* @param nsec * @param nsec
* The NSEC to check * The NSEC to check
* @param qname * @param qname
@ -515,7 +554,7 @@ public class ValUtils {
* @return true if the NSEC proves the condition. * @return true if the NSEC proves the condition.
*/ */
public static boolean nsecProvesNodata(NSECRecord nsec, Name qname, public static boolean nsecProvesNodata(NSECRecord nsec, Name qname,
int qtype) { int qtype) {
if (!nsec.getName().equals(qname)) { if (!nsec.getName().equals(qname)) {
// wildcard checking. // wildcard checking.
@ -532,10 +571,11 @@ public class ValUtils {
// The qname must be a strict subdomain of the closest encloser, // The qname must be a strict subdomain of the closest encloser,
// and // and
// the qtype must be absent from the type map. // the qtype must be absent from the type map.
if (!strictSubdomain(qname, ce) if (!strictSubdomain(qname, ce) ||
|| typeMapHasType(nsec.getTypes(), qtype)) { typeMapHasType(nsec.getTypes(), qtype)) {
return false; return false;
} }
return true; return true;
} }
@ -545,10 +585,11 @@ public class ValUtils {
// be // be
// less than qname, and the next name will be a child domain of the // less than qname, and the next name will be a child domain of the
// qname. // qname.
if (strictSubdomain(nsec.getNext(), qname) if (strictSubdomain(nsec.getNext(), qname) &&
&& qname.compareTo(nsec.getName()) > 0) { (qname.compareTo(nsec.getName()) > 0)) {
return true; return true;
} }
// Otherwise, this NSEC does not prove ENT, so it does not prove // Otherwise, this NSEC does not prove ENT, so it does not prove
// NODATA. // NODATA.
return false; return false;
@ -569,8 +610,8 @@ public class ValUtils {
// not a zone apex), then we should have gotten a referral (or we just // not a zone apex), then we should have gotten a referral (or we just
// got // got
// the wrong NSEC). // the wrong NSEC).
if (typeMapHasType(nsec.getTypes(), Type.NS) if (typeMapHasType(nsec.getTypes(), Type.NS) &&
&& !typeMapHasType(nsec.getTypes(), Type.SOA)) { !typeMapHasType(nsec.getTypes(), Type.SOA)) {
return false; return false;
} }
@ -579,7 +620,8 @@ public class ValUtils {
public static byte nsecProvesNoDS(NSECRecord nsec, Name qname) { public static byte nsecProvesNoDS(NSECRecord nsec, Name qname) {
// Could check to make sure the qname is a subdomain of nsec // Could check to make sure the qname is a subdomain of nsec
int[] types = nsec.getTypes(); int [] types = nsec.getTypes();
if (typeMapHasType(types, Type.SOA) || typeMapHasType(types, Type.DS)) { if (typeMapHasType(types, Type.SOA) || typeMapHasType(types, Type.DS)) {
// SOA present means that this is the NSEC from the child, not the // SOA present means that this is the NSEC from the child, not the
// parent (so it is the wrong one) // parent (so it is the wrong one)
@ -594,8 +636,18 @@ public class ValUtils {
// anything one way or the other. // anything one way or the other.
return SecurityStatus.INSECURE; return SecurityStatus.INSECURE;
} }
// Otherwise, this proves no DS. // Otherwise, this proves no DS.
return SecurityStatus.SECURE; return SecurityStatus.SECURE;
} }
// These are response subtypes. They are necessary for determining the
// validation strategy. They have no bearing on the iterative resolution
// algorithm, so they are confined here.
public enum ResponseType {UNTYPED, UNKNOWN, POSITIVE, CNAME, NODATA,
NAMEERROR, ANY, REFERRAL,
// a referral response
THROWAWAY;
// a throwaway response (i.e., an error)
}
} }