davidb/captive-validator
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

somewhat gratutious reformatting by eclipse

Browse Source
This commit is contained in:
David Blacka 2010-05-31 12:16:14 -04:00
parent 85f7635d43
commit ab60743341
10 changed files with 624 additions and 627 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

317
src/com/verisign/tat/dnssec/CaptiveValidator.java
View File

@ -31,7 +31,6 @@ import java.io.IOException;
import java.util.*; import java.util.*;
/** /**
* This resolver module implements a "captive" DNSSEC validator. The captive * This resolver module implements a "captive" DNSSEC validator. The captive
* validator does not have direct access to the Internet and DNS system -- * validator does not have direct access to the Internet and DNS system --
@ -48,12 +47,12 @@ public class CaptiveValidator {
// The local verification utility. // The local verification utility.
private DnsSecVerifier mVerifier; private DnsSecVerifier mVerifier;
private Logger log = Logger.getLogger(this.getClass()); private Logger log = Logger.getLogger(this.getClass());
public CaptiveValidator() { public CaptiveValidator() {
mVerifier = new DnsSecVerifier(); mVerifier = new DnsSecVerifier();
mValUtils = new ValUtils(mVerifier); mValUtils = new ValUtils(mVerifier);
mTrustedKeys = new TrustAnchorStore(); mTrustedKeys = new TrustAnchorStore();
} }
// ---------------- Module Initialization ------------------- // ---------------- Module Initialization -------------------
@ -67,12 +66,11 @@ public class CaptiveValidator {
* @throws IOException * @throws IOException
*/ */
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
public void addTrustedKeysFromFile(String filename) public void addTrustedKeysFromFile(String filename) throws IOException {
throws IOException {
// First read in the whole trust anchor file. // First read in the whole trust anchor file.
Master master = new Master(filename, Name.root, 0); Master master = new Master(filename, Name.root, 0);
ArrayList<Record> records = new ArrayList<Record>(); ArrayList<Record> records = new ArrayList<Record>();
Record r = null; Record r = null;
while ((r = master.nextRecord()) != null) { while ((r = master.nextRecord()) != null) {
records.add(r); records.add(r);
@ -100,9 +98,9 @@ public class CaptiveValidator {
} }
// If this record matches our current RRset, we can just add it. // If this record matches our current RRset, we can just add it.
if (cur_rrset.getName().equals(rec.getName()) && if (cur_rrset.getName().equals(rec.getName())
(cur_rrset.getType() == rec.getType()) && && (cur_rrset.getType() == rec.getType())
(cur_rrset.getDClass() == rec.getDClass())) { && (cur_rrset.getDClass() == rec.getDClass())) {
cur_rrset.addRR(rec); cur_rrset.addRR(rec);
continue; continue;
@ -121,7 +119,7 @@ public class CaptiveValidator {
} }
public void addTrustedKeysFromResponse(Message m) { public void addTrustedKeysFromResponse(Message m) {
RRset [] rrsets = m.getSectionRRsets(Section.ANSWER); RRset[] rrsets = m.getSectionRRsets(Section.ANSWER);
for (int i = 0; i < rrsets.length; ++i) { for (int i = 0; i < rrsets.length; ++i) {
if (rrsets[i].getType() == Type.DNSKEY) { if (rrsets[i].getType() == Type.DNSKEY) {
@ -145,26 +143,25 @@ public class CaptiveValidator {
return m; return m;
} }
if ((m.getRcode() != Rcode.NOERROR) && if ((m.getRcode() != Rcode.NOERROR) && (m.getRcode() != Rcode.NXDOMAIN)) {
(m.getRcode() != Rcode.NXDOMAIN)) {
return m; return m;
} }
Name qname = m.getQuestion().getName(); Name qname = m.getQuestion().getName();
int qtype = m.getQuestion().getType(); int qtype = m.getQuestion().getType();
Name sname = qname; Name sname = qname;
// For the ANSWER section, remove all "irrelevant" records and add // For the ANSWER section, remove all "irrelevant" records and add
// synthesized CNAMEs from DNAMEs // synthesized CNAMEs from DNAMEs
// This will strip out-of-order CNAMEs as well. // This will strip out-of-order CNAMEs as well.
List<SRRset> rrset_list = m.getSectionList(Section.ANSWER); List<SRRset> rrset_list = m.getSectionList(Section.ANSWER);
Set<Name> additional_names = new HashSet<Name>(); Set<Name> additional_names = new HashSet<Name>();
for (ListIterator<SRRset> i = rrset_list.listIterator(); i.hasNext();) { for (ListIterator<SRRset> i = rrset_list.listIterator(); i.hasNext();) {
SRRset rrset = i.next(); SRRset rrset = i.next();
int type = rrset.getType(); int type = rrset.getType();
Name n = rrset.getName(); Name n = rrset.getName();
// Handle DNAME synthesis; DNAME synthesis does not occur at the // Handle DNAME synthesis; DNAME synthesis does not occur at the
// DNAME name itself. // DNAME name itself.
@ -182,16 +179,16 @@ public class CaptiveValidator {
Name cname_alias = sname.fromDNAME(dname); Name cname_alias = sname.fromDNAME(dname);
// Note that synthesized CNAMEs should have a TTL of zero. // Note that synthesized CNAMEs should have a TTL of zero.
CNAMERecord cname = new CNAMERecord(sname, CNAMERecord cname = new CNAMERecord(sname, dname
dname.getDClass(), 0, cname_alias); .getDClass(), 0, cname_alias);
SRRset cname_rrset = new SRRset(); SRRset cname_rrset = new SRRset();
cname_rrset.addRR(cname); cname_rrset.addRR(cname);
i.add(cname_rrset); i.add(cname_rrset);
sname = cname_alias; sname = cname_alias;
} catch (NameTooLongException e) { } catch (NameTooLongException e) {
log.debug("not adding synthesized CNAME -- " + log.debug("not adding synthesized CNAME -- "
"generated name is too long", e); + "generated name is too long", e);
} }
continue; continue;
@ -244,10 +241,10 @@ public class CaptiveValidator {
for (Iterator<SRRset> i = rrset_list.iterator(); i.hasNext();) { for (Iterator<SRRset> i = rrset_list.iterator(); i.hasNext();) {
SRRset rrset = i.next(); SRRset rrset = i.next();
int type = rrset.getType(); int type = rrset.getType();
if (((type == Type.A) || (type == Type.AAAA)) && if (((type == Type.A) || (type == Type.AAAA))
!additional_names.contains(rrset.getName())) { && !additional_names.contains(rrset.getName())) {
i.remove(); i.remove();
} }
} }
@ -269,8 +266,8 @@ public class CaptiveValidator {
} }
for (Iterator<Record> i = rrset.rrs(); i.hasNext();) { for (Iterator<Record> i = rrset.rrs(); i.hasNext();) {
Record r = i.next(); Record r = i.next();
Name add_name = r.getAdditionalName(); Name add_name = r.getAdditionalName();
if (add_name != null) { if (add_name != null) {
additional_names.add(add_name); additional_names.add(add_name);
@ -279,8 +276,8 @@ public class CaptiveValidator {
} }
private SRRset findKeys(SMessage message) { private SRRset findKeys(SMessage message) {
Name qname = message.getQName(); Name qname = message.getQName();
int qclass = message.getQClass(); int qclass = message.getQClass();
return mTrustedKeys.find(qname, qclass); return mTrustedKeys.find(qname, qclass);
} }
@ -310,8 +307,8 @@ public class CaptiveValidator {
return false; return false;
} }
if (!mTrustedKeys.isBelowTrustAnchor(message.getQName(), if (!mTrustedKeys.isBelowTrustAnchor(message.getQName(), message
message.getQClass())) { .getQClass())) {
return false; return false;
} }
@ -336,18 +333,18 @@ public class CaptiveValidator {
* answer. * answer.
*/ */
private void validatePositiveResponse(SMessage message, SRRset key_rrset) { private void validatePositiveResponse(SMessage message, SRRset key_rrset) {
Name qname = message.getQName(); Name qname = message.getQName();
int qtype = message.getQType(); int qtype = message.getQType();
SMessage m = message; SMessage m = message;
// validate the ANSWER section - this will be the answer itself // validate the ANSWER section - this will be the answer itself
SRRset [] rrsets = m.getSectionRRsets(Section.ANSWER); SRRset[] rrsets = m.getSectionRRsets(Section.ANSWER);
Name wc = null; Name wc = null;
boolean wcNSEC_ok = false; boolean wcNSEC_ok = false;
boolean dname = false; boolean dname = false;
List<NSEC3Record> nsec3s = null; List<NSEC3Record> nsec3s = null;
for (int i = 0; i < rrsets.length; i++) { for (int i = 0; i < rrsets.length; i++) {
// Skip the CNAME following a (validated) DNAME. // Skip the CNAME following a (validated) DNAME.
@ -366,8 +363,8 @@ public class CaptiveValidator {
// If the (answer) rrset failed to validate, then this message is // If the (answer) rrset failed to validate, then this message is
// BAD. // BAD.
if (status != SecurityStatus.SECURE) { if (status != SecurityStatus.SECURE) {
log.debug("Positive response has failed ANSWER rrset: " + log.debug("Positive response has failed ANSWER rrset: "
rrsets[i]); + rrsets[i]);
m.setStatus(SecurityStatus.BOGUS); m.setStatus(SecurityStatus.BOGUS);
return; return;
@ -395,8 +392,8 @@ public class CaptiveValidator {
// a // a
// bad message. // bad message.
if (status != SecurityStatus.SECURE) { if (status != SecurityStatus.SECURE) {
log.debug("Positive response has failed AUTHORITY rrset: " + log.debug("Positive response has failed AUTHORITY rrset: "
rrsets[i]); + rrsets[i]);
m.setStatus(SecurityStatus.BOGUS); m.setStatus(SecurityStatus.BOGUS);
return; return;
@ -408,8 +405,8 @@ public class CaptiveValidator {
if ((wc != null) && (rrsets[i].getType() == Type.NSEC)) { if ((wc != null) && (rrsets[i].getType() == Type.NSEC)) {
NSECRecord nsec = (NSECRecord) rrsets[i].first(); NSECRecord nsec = (NSECRecord) rrsets[i].first();
if (ValUtils.nsecProvesNameError(nsec, qname, if (ValUtils.nsecProvesNameError(nsec, qname, key_rrset
key_rrset.getName())) { .getName())) {
Name nsec_wc = ValUtils.nsecWildcard(qname, nsec); Name nsec_wc = ValUtils.nsecWildcard(qname, nsec);
if (!wc.equals(nsec_wc)) { if (!wc.equals(nsec_wc)) {
@ -440,7 +437,7 @@ public class CaptiveValidator {
// records. // records.
if ((wc != null) && !wcNSEC_ok && (nsec3s != null)) { if ((wc != null) && !wcNSEC_ok && (nsec3s != null)) {
if (NSEC3ValUtils.proveWildcard(nsec3s, qname, key_rrset.getName(), if (NSEC3ValUtils.proveWildcard(nsec3s, qname, key_rrset.getName(),
wc)) { wc)) {
wcNSEC_ok = true; wcNSEC_ok = true;
} }
} }
@ -469,13 +466,13 @@ public class CaptiveValidator {
} }
// validate the AUTHORITY section. // validate the AUTHORITY section.
SRRset [] rrsets = m.getSectionRRsets(Section.AUTHORITY); SRRset[] rrsets = m.getSectionRRsets(Section.AUTHORITY);
boolean secure_delegation = false; boolean secure_delegation = false;
Name delegation = null; Name delegation = null;
Name nsec3zone = null; Name nsec3zone = null;
NSECRecord nsec = null; NSECRecord nsec = null;
List<NSEC3Record> nsec3s = null; List<NSEC3Record> nsec3s = null;
// validate the AUTHORITY section as well - this will generally be the // validate the AUTHORITY section as well - this will generally be the
// NS rrset, plus proof of a secure delegation or not // NS rrset, plus proof of a secure delegation or not
@ -492,8 +489,8 @@ public class CaptiveValidator {
// have // have
// a bad message. // a bad message.
if (status != SecurityStatus.SECURE) { if (status != SecurityStatus.SECURE) {
log.debug("Positive response has failed AUTHORITY rrset: " + log.debug("Positive response has failed AUTHORITY rrset: "
rrsets[i]); + rrsets[i]);
m.setStatus(SecurityStatus.BOGUS); m.setStatus(SecurityStatus.BOGUS);
return; return;
@ -501,40 +498,39 @@ public class CaptiveValidator {
} }
switch (type) { switch (type) {
case Type.DS: case Type.DS:
secure_delegation = true; secure_delegation = true;
break; break;
case Type.NS: case Type.NS:
delegation = rrsets[i].getName(); delegation = rrsets[i].getName();
break; break;
case Type.NSEC: case Type.NSEC:
nsec = (NSECRecord) rrsets[i].first(); nsec = (NSECRecord) rrsets[i].first();
break; break;
case Type.NSEC3: case Type.NSEC3:
if (nsec3s == null) { if (nsec3s == null) {
nsec3s = new ArrayList<NSEC3Record>(); nsec3s = new ArrayList<NSEC3Record>();
} }
NSEC3Record nsec3 = (NSEC3Record) rrsets[i].first(); NSEC3Record nsec3 = (NSEC3Record) rrsets[i].first();
nsec3s.add(nsec3); nsec3s.add(nsec3);
nsec3zone = rrsets[i].getSignerName(); // this is a hack of nsec3zone = rrsets[i].getSignerName(); // this is a hack of
// sorts. // sorts.
break; break;
default: default:
log.warn( log.warn("Encountered unexpected type in a REFERRAL response: "
"Encountered unexpected type in a REFERRAL response: " + + Type.string(type));
Type.string(type));
break; break;
} }
} }
@ -579,7 +575,8 @@ public class CaptiveValidator {
} }
if (nsec3s.size() > 0) { if (nsec3s.size() > 0) {
byte status = NSEC3ValUtils.proveNoDS(nsec3s, delegation, nsec3zone); byte status = NSEC3ValUtils
.proveNoDS(nsec3s, delegation, nsec3zone);
if (status != SecurityStatus.SECURE) { if (status != SecurityStatus.SECURE) {
// the NSEC3 RRs MUST prove no DS, so the INDETERMINATE state is // the NSEC3 RRs MUST prove no DS, so the INDETERMINATE state is
@ -598,7 +595,8 @@ public class CaptiveValidator {
m.setStatus(SecurityStatus.BOGUS); m.setStatus(SecurityStatus.BOGUS);
} }
private void validateCNAMEResponse(SMessage message, SRRset key_rrset) {} private void validateCNAMEResponse(SMessage message, SRRset key_rrset) {
}
/** /**
* Given an "ANY" response -- a response that contains an answer to a * Given an "ANY" response -- a response that contains an answer to a
@ -628,13 +626,13 @@ public class CaptiveValidator {
if (qtype != Type.ANY) { if (qtype != Type.ANY) {
throw new IllegalArgumentException( throw new IllegalArgumentException(
"ANY validation called on non-ANY response."); "ANY validation called on non-ANY response.");
} }
SMessage m = message; SMessage m = message;
// validate the ANSWER section. // validate the ANSWER section.
SRRset [] rrsets = m.getSectionRRsets(Section.ANSWER); SRRset[] rrsets = m.getSectionRRsets(Section.ANSWER);
for (int i = 0; i < rrsets.length; i++) { for (int i = 0; i < rrsets.length; i++) {
int status = mValUtils.verifySRRset(rrsets[i], key_rrset); int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
@ -642,8 +640,8 @@ public class CaptiveValidator {
// If the (answer) rrset failed to validate, then this message is // If the (answer) rrset failed to validate, then this message is
// BAD. // BAD.
if (status != SecurityStatus.SECURE) { if (status != SecurityStatus.SECURE) {
log.debug("Positive response has failed ANSWER rrset: " + log.debug("Positive response has failed ANSWER rrset: "
rrsets[i]); + rrsets[i]);
m.setStatus(SecurityStatus.BOGUS); m.setStatus(SecurityStatus.BOGUS);
return; return;
@ -661,8 +659,8 @@ public class CaptiveValidator {
// a // a
// bad message. // bad message.
if (status != SecurityStatus.SECURE) { if (status != SecurityStatus.SECURE) {
log.debug("Positive response has failed AUTHORITY rrset: " + log.debug("Positive response has failed AUTHORITY rrset: "
rrsets[i]); + rrsets[i]);
m.setStatus(SecurityStatus.BOGUS); m.setStatus(SecurityStatus.BOGUS);
return; return;
@ -692,10 +690,10 @@ public class CaptiveValidator {
* The trusted DNSKEY rrset that signs this response. * The trusted DNSKEY rrset that signs this response.
*/ */
private void validateNodataResponse(SMessage message, SRRset key_rrset) { private void validateNodataResponse(SMessage message, SRRset key_rrset) {
Name qname = message.getQName(); Name qname = message.getQName();
int qtype = message.getQType(); int qtype = message.getQType();
SMessage m = message; SMessage m = message;
// Since we are here, there must be nothing in the ANSWER section to // Since we are here, there must be nothing in the ANSWER section to
// validate. (Note: CNAME/DNAME responses will not directly get here -- // validate. (Note: CNAME/DNAME responses will not directly get here --
@ -703,29 +701,29 @@ public class CaptiveValidator {
// responses.) // responses.)
// validate the AUTHORITY section // validate the AUTHORITY section
SRRset [] rrsets = m.getSectionRRsets(Section.AUTHORITY); SRRset[] rrsets = m.getSectionRRsets(Section.AUTHORITY);
boolean hasValidNSEC = false; // If true, then the NODATA has been boolean hasValidNSEC = false; // If true, then the NODATA has been
// proven. // proven.
Name ce = null; // for wildcard NODATA responses. This is the proven Name ce = null; // for wildcard NODATA responses. This is the proven
// closest encloser. // closest encloser.
NSECRecord wc = null; // for wildcard NODATA responses. This is the NSECRecord wc = null; // for wildcard NODATA responses. This is the
// wildcard NSEC. // wildcard NSEC.
List<NSEC3Record> nsec3s = null; // A collection of NSEC3 RRs found in List<NSEC3Record> nsec3s = null; // A collection of NSEC3 RRs found in
// the authority // the authority
// section. // section.
Name nsec3Signer = null; // The RRSIG signer field for the NSEC3 RRs. Name nsec3Signer = null; // The RRSIG signer field for the NSEC3 RRs.
for (int i = 0; i < rrsets.length; i++) { for (int i = 0; i < rrsets.length; i++) {
int status = mValUtils.verifySRRset(rrsets[i], key_rrset); int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
if (status != SecurityStatus.SECURE) { if (status != SecurityStatus.SECURE) {
log.debug("NODATA response has failed AUTHORITY rrset: " + log.debug("NODATA response has failed AUTHORITY rrset: "
rrsets[i]); + rrsets[i]);
m.setStatus(SecurityStatus.BOGUS); m.setStatus(SecurityStatus.BOGUS);
return; return;
@ -742,8 +740,8 @@ public class CaptiveValidator {
if (nsec.getName().isWild()) { if (nsec.getName().isWild()) {
wc = nsec; wc = nsec;
} }
} else if (ValUtils.nsecProvesNameError(nsec, qname, } else if (ValUtils.nsecProvesNameError(nsec, qname, rrsets[i]
rrsets[i].getSignerName())) { .getSignerName())) {
ce = ValUtils.closestEncloser(qname, nsec); ce = ValUtils.closestEncloser(qname, nsec);
} }
} }
@ -785,8 +783,8 @@ public class CaptiveValidator {
} }
if (!hasValidNSEC) { if (!hasValidNSEC) {
log.debug("NODATA response failed to prove NODATA " + log.debug("NODATA response failed to prove NODATA "
"status with NSEC/NSEC3"); + "status with NSEC/NSEC3");
log.trace("Failed NODATA:\n" + m); log.trace("Failed NODATA:\n" + m);
m.setStatus(SecurityStatus.BOGUS); m.setStatus(SecurityStatus.BOGUS);
@ -815,13 +813,13 @@ public class CaptiveValidator {
* The trusted DNSKEY rrset that signs this response. * The trusted DNSKEY rrset that signs this response.
*/ */
private void validateNameErrorResponse(SMessage message, SRRset key_rrset) { private void validateNameErrorResponse(SMessage message, SRRset key_rrset) {
Name qname = message.getQName(); Name qname = message.getQName();
SMessage m = message; SMessage m = message;
if (message.getCount(Section.ANSWER) > 0) { if (message.getCount(Section.ANSWER) > 0) {
log.warn( log
"NAME ERROR response contained records in the ANSWER SECTION"); .warn("NAME ERROR response contained records in the ANSWER SECTION");
message.setStatus(SecurityStatus.INVALID); message.setStatus(SecurityStatus.INVALID);
return; return;
@ -830,18 +828,18 @@ public class CaptiveValidator {
// Validate the authority section -- all RRsets in the authority section // Validate the authority section -- all RRsets in the authority section
// must be signed and valid. // must be signed and valid.
// In addition, the NSEC record(s) must prove the NXDOMAIN condition. // In addition, the NSEC record(s) must prove the NXDOMAIN condition.
boolean hasValidNSEC = false; boolean hasValidNSEC = false;
boolean hasValidWCNSEC = false; boolean hasValidWCNSEC = false;
SRRset [] rrsets = m.getSectionRRsets(Section.AUTHORITY); SRRset[] rrsets = m.getSectionRRsets(Section.AUTHORITY);
List<NSEC3Record> nsec3s = null; List<NSEC3Record> nsec3s = null;
Name nsec3Signer = null; Name nsec3Signer = null;
for (int i = 0; i < rrsets.length; i++) { for (int i = 0; i < rrsets.length; i++) {
int status = mValUtils.verifySRRset(rrsets[i], key_rrset); int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
if (status != SecurityStatus.SECURE) { if (status != SecurityStatus.SECURE) {
log.debug("NameError response has failed AUTHORITY rrset: " + log.debug("NameError response has failed AUTHORITY rrset: "
rrsets[i]); + rrsets[i]);
m.setStatus(SecurityStatus.BOGUS); m.setStatus(SecurityStatus.BOGUS);
return; return;
@ -850,13 +848,13 @@ public class CaptiveValidator {
if (rrsets[i].getType() == Type.NSEC) { if (rrsets[i].getType() == Type.NSEC) {
NSECRecord nsec = (NSECRecord) rrsets[i].first(); NSECRecord nsec = (NSECRecord) rrsets[i].first();
if (ValUtils.nsecProvesNameError(nsec, qname, if (ValUtils.nsecProvesNameError(nsec, qname, rrsets[i]
rrsets[i].getSignerName())) { .getSignerName())) {
hasValidNSEC = true; hasValidNSEC = true;
} }
if (ValUtils.nsecProvesNoWC(nsec, qname, if (ValUtils.nsecProvesNoWC(nsec, qname, rrsets[i]
rrsets[i].getSignerName())) { .getSignerName())) {
hasValidWCNSEC = true; hasValidWCNSEC = true;
} }
} }
@ -884,26 +882,26 @@ public class CaptiveValidator {
return; return;
} }
hasValidNSEC = NSEC3ValUtils.proveNameError(nsec3s, qname, hasValidNSEC = NSEC3ValUtils.proveNameError(nsec3s, qname,
nsec3Signer); nsec3Signer);
// Note that we assume that the NSEC3ValUtils proofs encompass the // Note that we assume that the NSEC3ValUtils proofs encompass the
// wildcard part of the proof. // wildcard part of the proof.
hasValidWCNSEC = hasValidNSEC; hasValidWCNSEC = hasValidNSEC;
} }
// If the message fails to prove either condition, it is bogus. // If the message fails to prove either condition, it is bogus.
if (!hasValidNSEC) { if (!hasValidNSEC) {
log.debug("NameError response has failed to prove: " + log.debug("NameError response has failed to prove: "
"qname does not exist"); + "qname does not exist");
m.setStatus(SecurityStatus.BOGUS); m.setStatus(SecurityStatus.BOGUS);
return; return;
} }
if (!hasValidWCNSEC) { if (!hasValidWCNSEC) {
log.debug("NameError response has failed to prove: " + log.debug("NameError response has failed to prove: "
"covering wildcard does not exist"); + "covering wildcard does not exist");
m.setStatus(SecurityStatus.BOGUS); m.setStatus(SecurityStatus.BOGUS);
return; return;
@ -939,55 +937,56 @@ public class CaptiveValidator {
return SecurityStatus.BOGUS; return SecurityStatus.BOGUS;
} }
ValUtils.ResponseType subtype = ValUtils.classifyResponse(message, zone); ValUtils.ResponseType subtype = ValUtils
.classifyResponse(message, zone);
switch (subtype) { switch (subtype) {
case POSITIVE: case POSITIVE:
log.trace("Validating a positive response"); log.trace("Validating a positive response");
validatePositiveResponse(message, key_rrset); validatePositiveResponse(message, key_rrset);
break; break;
case REFERRAL: case REFERRAL:
validateReferral(message, key_rrset); validateReferral(message, key_rrset);
break; break;
case NODATA: case NODATA:
log.trace("Validating a NODATA response"); log.trace("Validating a NODATA response");
validateNodataResponse(message, key_rrset); validateNodataResponse(message, key_rrset);
break; break;
case NAMEERROR: case NAMEERROR:
log.trace("Validating a NXDOMAIN response"); log.trace("Validating a NXDOMAIN response");
validateNameErrorResponse(message, key_rrset); validateNameErrorResponse(message, key_rrset);
break; break;
case CNAME: case CNAME:
log.trace("Validating a CNAME response"); log.trace("Validating a CNAME response");
validateCNAMEResponse(message, key_rrset); validateCNAMEResponse(message, key_rrset);
break; break;
case ANY: case ANY:
log.trace("Validating a positive ANY response"); log.trace("Validating a positive ANY response");
validateAnyResponse(message, key_rrset); validateAnyResponse(message, key_rrset);
break; break;
default: default:
log.error("unhandled response subtype: " + subtype); log.error("unhandled response subtype: " + subtype);
} }
return message.getSecurityStatus().getStatus(); return message.getSecurityStatus().getStatus();
} }
public byte validateMessage(Message message, String zone) public byte validateMessage(Message message, String zone)
throws TextParseException { throws TextParseException {
SMessage sm = new SMessage(message); SMessage sm = new SMessage(message);
Name z = Name.fromString(zone); Name z = Name.fromString(zone);
return validateMessage(sm, z); return validateMessage(sm, z);
} }

116
src/com/verisign/tat/dnssec/DnsSecVerifier.java
View File

@ -34,7 +34,6 @@ import java.security.*;
import java.util.*; import java.util.*;
/** /**
* A class for performing basic DNSSEC verification. The DNSJAVA package * A class for performing basic DNSSEC verification. The DNSJAVA package
* contains a similar class. This is a re-implementation that allows us to have * contains a similar class. This is a re-implementation that allows us to have
@ -42,9 +41,9 @@ import java.util.*;
*/ */
public class DnsSecVerifier { public class DnsSecVerifier {
public static final int UNKNOWN = 0; public static final int UNKNOWN = 0;
public static final int RSA = 1; public static final int RSA = 1;
public static final int DSA = 2; public static final int DSA = 2;
private Logger log = Logger.getLogger(this.getClass()); private Logger log = Logger.getLogger(this.getClass());
/** /**
* This is a mapping of DNSSEC algorithm numbers/private identifiers to JCA * This is a mapping of DNSSEC algorithm numbers/private identifiers to JCA
@ -56,20 +55,20 @@ public class DnsSecVerifier {
mAlgorithmMap = new HashMap<Integer, AlgEntry>(); mAlgorithmMap = new HashMap<Integer, AlgEntry>();
// set the default algorithm map. // set the default algorithm map.
mAlgorithmMap.put(new Integer(DNSSEC.RSAMD5), mAlgorithmMap.put(new Integer(DNSSEC.RSAMD5), new AlgEntry(
new AlgEntry("MD5withRSA", DNSSEC.RSAMD5, false)); "MD5withRSA", DNSSEC.RSAMD5, false));
mAlgorithmMap.put(new Integer(DNSSEC.DSA), mAlgorithmMap.put(new Integer(DNSSEC.DSA), new AlgEntry("SHA1withDSA",
new AlgEntry("SHA1withDSA", DNSSEC.DSA, true)); DNSSEC.DSA, true));
mAlgorithmMap.put(new Integer(DNSSEC.RSASHA1), mAlgorithmMap.put(new Integer(DNSSEC.RSASHA1), new AlgEntry(
new AlgEntry("SHA1withRSA", DNSSEC.RSASHA1, false)); "SHA1withRSA", DNSSEC.RSASHA1, false));
mAlgorithmMap.put(new Integer(DNSSEC.DSA_NSEC3_SHA1), mAlgorithmMap.put(new Integer(DNSSEC.DSA_NSEC3_SHA1), new AlgEntry(
new AlgEntry("SHA1withDSA", DNSSEC.DSA, true)); "SHA1withDSA", DNSSEC.DSA, true));
mAlgorithmMap.put(new Integer(DNSSEC.RSA_NSEC3_SHA1), mAlgorithmMap.put(new Integer(DNSSEC.RSA_NSEC3_SHA1), new AlgEntry(
new AlgEntry("SHA1withRSA", DNSSEC.RSASHA1, false)); "SHA1withRSA", DNSSEC.RSASHA1, false));
mAlgorithmMap.put(new Integer(DNSSEC.RSASHA256), mAlgorithmMap.put(new Integer(DNSSEC.RSASHA256), new AlgEntry(
new AlgEntry("SHA256withRSA", DNSSEC.RSASHA256, false)); "SHA256withRSA", DNSSEC.RSASHA256, false));
mAlgorithmMap.put(new Integer(DNSSEC.RSASHA512), mAlgorithmMap.put(new Integer(DNSSEC.RSASHA512), new AlgEntry(
new AlgEntry("SHA512withRSA", DNSSEC.RSASHA512, false)); "SHA512withRSA", DNSSEC.RSASHA512, false));
} }
private boolean isDSA(int algorithm) { private boolean isDSA(int algorithm) {
@ -109,18 +108,18 @@ public class DnsSecVerifier {
for (Util.ConfigEntry entry : aliases) { for (Util.ConfigEntry entry : aliases) {
Integer alg_alias = new Integer(Util.parseInt(entry.key, -1)); Integer alg_alias = new Integer(Util.parseInt(entry.key, -1));
Integer alg_orig = new Integer(Util.parseInt(entry.value, -1)); Integer alg_orig = new Integer(Util.parseInt(entry.value, -1));
if (!mAlgorithmMap.containsKey(alg_orig)) { if (!mAlgorithmMap.containsKey(alg_orig)) {
log.warn("Unable to alias " + alg_alias + log.warn("Unable to alias " + alg_alias
" to unknown algorithm " + alg_orig); + " to unknown algorithm " + alg_orig);
continue; continue;
} }
if (mAlgorithmMap.containsKey(alg_alias)) { if (mAlgorithmMap.containsKey(alg_alias)) {
log.warn("Algorithm alias " + alg_alias + log.warn("Algorithm alias " + alg_alias
" is already defined and cannot be redefined"); + " is already defined and cannot be redefined");
continue; continue;
} }
@ -135,8 +134,8 @@ public class DnsSecVerifier {
if (entry == null) { if (entry == null) {
log.warn("DNSSEC alg " + alg + " has a null entry!"); log.warn("DNSSEC alg " + alg + " has a null entry!");
} else { } else {
log.debug("DNSSEC alg " + alg + " maps to " + entry.jcaName + log.debug("DNSSEC alg " + alg + " maps to " + entry.jcaName
" (" + entry.dnssecAlg + ")"); + " (" + entry.dnssecAlg + ")");
} }
} }
} }
@ -156,17 +155,19 @@ public class DnsSecVerifier {
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
private List<DNSKEYRecord> findKey(RRset dnskey_rrset, RRSIGRecord signature) { private List<DNSKEYRecord> findKey(RRset dnskey_rrset, RRSIGRecord signature) {
if (!signature.getSigner().equals(dnskey_rrset.getName())) { if (!signature.getSigner().equals(dnskey_rrset.getName())) {
log.trace("findKey: could not find appropriate key because " + log.trace("findKey: could not find appropriate key because "
"incorrect keyset was supplied. Wanted: " + + "incorrect keyset was supplied. Wanted: "
signature.getSigner() + ", got: " + dnskey_rrset.getName()); + signature.getSigner() + ", got: "
+ dnskey_rrset.getName());
return null; return null;
} }
int keyid = signature.getFootprint(); int keyid = signature.getFootprint();
int alg = signature.getAlgorithm(); int alg = signature.getAlgorithm();
List<DNSKEYRecord> res = new ArrayList<DNSKEYRecord>(dnskey_rrset.size()); List<DNSKEYRecord> res = new ArrayList<DNSKEYRecord>(dnskey_rrset
.size());
for (Iterator i = dnskey_rrset.rrs(); i.hasNext();) { for (Iterator i = dnskey_rrset.rrs(); i.hasNext();) {
DNSKEYRecord r = (DNSKEYRecord) i.next(); DNSKEYRecord r = (DNSKEYRecord) i.next();
@ -177,8 +178,8 @@ public class DnsSecVerifier {
} }
if (res.size() == 0) { if (res.size() == 0) {
log.trace("findKey: could not find a key matching " + log.trace("findKey: could not find a key matching "
"the algorithm and footprint in supplied keyset. "); + "the algorithm and footprint in supplied keyset. ");
return null; return null;
} }
@ -214,8 +215,8 @@ public class DnsSecVerifier {
return SecurityStatus.BOGUS; return SecurityStatus.BOGUS;
} }
Date now = new Date(); Date now = new Date();
Date start = sigrec.getTimeSigned(); Date start = sigrec.getTimeSigned();
Date expire = sigrec.getExpire(); Date expire = sigrec.getExpire();
if (now.before(start)) { if (now.before(start)) {
@ -225,8 +226,8 @@ public class DnsSecVerifier {
} }
if (now.after(expire)) { if (now.after(expire)) {
log.debug("Signature has expired (now = " + now + log.debug("Signature has expired (now = " + now
", sig expires = " + expire); + ", sig expires = " + expire);
return SecurityStatus.BOGUS; return SecurityStatus.BOGUS;
} }
@ -235,8 +236,8 @@ public class DnsSecVerifier {
} }
public PublicKey parseDNSKEY(DNSKEYRecord key) { public PublicKey parseDNSKEY(DNSKEYRecord key) {
AlgEntry ae = (AlgEntry) mAlgorithmMap.get(new Integer( AlgEntry ae = (AlgEntry) mAlgorithmMap.get(new Integer(key
key.getAlgorithm())); .getAlgorithm()));
if (key.getAlgorithm() != ae.dnssecAlg) { if (key.getAlgorithm() != ae.dnssecAlg) {
// Recast the DNSKEYRecord in question as one using the offical // Recast the DNSKEYRecord in question as one using the offical
@ -265,19 +266,19 @@ public class DnsSecVerifier {
* UNCHECKED if we just couldn't actually do the function. * UNCHECKED if we just couldn't actually do the function.
*/ */
public byte verifySignature(RRset rrset, RRSIGRecord sigrec, public byte verifySignature(RRset rrset, RRSIGRecord sigrec,
DNSKEYRecord key) { DNSKEYRecord key) {
try { try {
PublicKey pk = parseDNSKEY(key); PublicKey pk = parseDNSKEY(key);
if (pk == null) { if (pk == null) {
log.warn( log
"Could not convert DNSKEY record to a JCA public key: " + .warn("Could not convert DNSKEY record to a JCA public key: "
key); + key);
return SecurityStatus.UNCHECKED; return SecurityStatus.UNCHECKED;
} }
byte [] data = SignUtils.generateSigData(rrset, sigrec); byte[] data = SignUtils.generateSigData(rrset, sigrec);
Signature signer = getSignature(sigrec.getAlgorithm()); Signature signer = getSignature(sigrec.getAlgorithm());
@ -288,7 +289,7 @@ public class DnsSecVerifier {
signer.initVerify(pk); signer.initVerify(pk);
signer.update(data); signer.update(data);
byte [] sig = sigrec.getSignature(); byte[] sig = sigrec.getSignature();
if (isDSA(sigrec.getAlgorithm())) { if (isDSA(sigrec.getAlgorithm())) {
sig = SignUtils.convertDSASignature(sig); sig = SignUtils.convertDSASignature(sig);
@ -373,7 +374,7 @@ public class DnsSecVerifier {
while (i.hasNext()) { while (i.hasNext()) {
RRSIGRecord sigrec = (RRSIGRecord) i.next(); RRSIGRecord sigrec = (RRSIGRecord) i.next();
byte res = verifySignature(rrset, sigrec, key_rrset); byte res = verifySignature(rrset, sigrec, key_rrset);
if (res == SecurityStatus.SECURE) { if (res == SecurityStatus.SECURE) {
return res; return res;
@ -437,12 +438,12 @@ public class DnsSecVerifier {
public int baseAlgorithm(int algorithm) { public int baseAlgorithm(int algorithm) {
switch (algorithm) { switch (algorithm) {
case DNSSEC.RSAMD5: case DNSSEC.RSAMD5:
case DNSSEC.RSASHA1: case DNSSEC.RSASHA1:
return RSA; return RSA;
case DNSSEC.DSA: case DNSSEC.DSA:
return DSA; return DSA;
} }
AlgEntry entry = (AlgEntry) mAlgorithmMap.get(new Integer(algorithm)); AlgEntry entry = (AlgEntry) mAlgorithmMap.get(new Integer(algorithm));
@ -463,7 +464,8 @@ public class DnsSecVerifier {
Signature s = null; Signature s = null;
try { try {
AlgEntry entry = (AlgEntry) mAlgorithmMap.get(new Integer(algorithm)); AlgEntry entry = (AlgEntry) mAlgorithmMap
.get(new Integer(algorithm));
if (entry == null) { if (entry == null) {
log.info("DNSSEC algorithm " + algorithm + " not recognized."); log.info("DNSSEC algorithm " + algorithm + " not recognized.");
@ -481,14 +483,14 @@ public class DnsSecVerifier {
} }
private static class AlgEntry { private static class AlgEntry {
public String jcaName; public String jcaName;
public boolean isDSA; public boolean isDSA;
public int dnssecAlg; public int dnssecAlg;
public AlgEntry(String name, int dnssecAlg, boolean isDSA) { public AlgEntry(String name, int dnssecAlg, boolean isDSA) {
jcaName = name; jcaName = name;
this.dnssecAlg = dnssecAlg; this.dnssecAlg = dnssecAlg;
this.isDSA = isDSA; this.isDSA = isDSA;
} }
} }

238
src/com/verisign/tat/dnssec/NSEC3ValUtils.java
View File

@ -34,17 +34,16 @@ import java.security.NoSuchAlgorithmException;
import java.util.*; import java.util.*;
public class NSEC3ValUtils { public class NSEC3ValUtils {
// FIXME: should probably refactor to handle different NSEC3 parameters more // FIXME: should probably refactor to handle different NSEC3 parameters more
// efficiently. // efficiently.
// Given a list of NSEC3 RRs, they should be grouped according to // Given a list of NSEC3 RRs, they should be grouped according to
// parameters. The idea is to hash and compare for each group independently, // parameters. The idea is to hash and compare for each group independently,
// instead of having to skip NSEC3 RRs with the wrong parameters. // instead of having to skip NSEC3 RRs with the wrong parameters.
private static Name asterisk_label = Name.fromConstantString("*"); private static Name asterisk_label = Name.fromConstantString("*");
private static Logger st_log = Logger.getLogger(NSEC3ValUtils.class); private static Logger st_log = Logger.getLogger(NSEC3ValUtils.class);
private static final base32 b32 = new base32(base32.Alphabet.BASE32HEX, private static final base32 b32 = new base32(base32.Alphabet.BASE32HEX,
false, false); false, false);
public static boolean supportsHashAlgorithm(int alg) { public static boolean supportsHashAlgorithm(int alg) {
if (alg == NSEC3Record.SHA1_DIGEST_ID) { if (alg == NSEC3Record.SHA1_DIGEST_ID) {
@ -88,9 +87,9 @@ public class NSEC3ValUtils {
return null; return null;
} }
NSEC3Parameters params = new NSEC3Parameters((NSEC3Record) nsec3s.get( NSEC3Parameters params = new NSEC3Parameters((NSEC3Record) nsec3s
0)); .get(0));
ByteArrayComparator bac = new ByteArrayComparator(); ByteArrayComparator bac = new ByteArrayComparator();
for (NSEC3Record nsec3 : nsec3s) { for (NSEC3Record nsec3 : nsec3s) {
if (!params.match(nsec3, bac)) { if (!params.match(nsec3, bac)) {
@ -110,7 +109,7 @@ public class NSEC3ValUtils {
* The zone to use in constructing the NSEC3 name. * The zone to use in constructing the NSEC3 name.
* @return The NSEC3 name. * @return The NSEC3 name.
*/ */
private static Name hashName(byte [] hash, Name zonename) { private static Name hashName(byte[] hash, Name zonename) {
try { try {
return new Name(b32.toString(hash).toLowerCase(), zonename); return new Name(b32.toString(hash).toLowerCase(), zonename);
} catch (TextParseException e) { } catch (TextParseException e) {
@ -128,7 +127,7 @@ public class NSEC3ValUtils {
* The parameters to hash with. * The parameters to hash with.
* @return The hash. * @return The hash.
*/ */
private static byte [] hash(Name name, NSEC3Parameters params) { private static byte[] hash(Name name, NSEC3Parameters params) {
try { try {
return params.hash(name); return params.hash(name);
} catch (NoSuchAlgorithmException e) { } catch (NoSuchAlgorithmException e) {
@ -142,7 +141,8 @@ public class NSEC3ValUtils {
try { try {
return nsec3.hashName(name); return nsec3.hashName(name);
} catch (NoSuchAlgorithmException e) { } catch (NoSuchAlgorithmException e) {
st_log.warn("Did not recognize hash algorithm: " + nsec3.getHashAlgorithm()); st_log.warn("Did not recognize hash algorithm: "
+ nsec3.getHashAlgorithm());
return null; return null;
} }
@ -199,9 +199,9 @@ public class NSEC3ValUtils {
* *
* @return The matching NSEC3Record, if one is present. * @return The matching NSEC3Record, if one is present.
*/ */
private static NSEC3Record findMatchingNSEC3(byte [] hash, Name zonename, private static NSEC3Record findMatchingNSEC3(byte[] hash, Name zonename,
List<NSEC3Record> nsec3s, NSEC3Parameters params, List<NSEC3Record> nsec3s, NSEC3Parameters params,
ByteArrayComparator bac) { ByteArrayComparator bac) {
Name n = hashName(hash, zonename); Name n = hashName(hash, zonename);
for (NSEC3Record nsec3 : nsec3s) { for (NSEC3Record nsec3 : nsec3s) {
@ -231,10 +231,10 @@ public class NSEC3ValUtils {
* An already allocated comparator. This may be null. * An already allocated comparator. This may be null.
* @return True if the NSEC3Record covers the hash. * @return True if the NSEC3Record covers the hash.
*/ */
private static boolean nsec3Covers(NSEC3Record nsec3, byte [] hash, private static boolean nsec3Covers(NSEC3Record nsec3, byte[] hash,
ByteArrayComparator bac) { ByteArrayComparator bac) {
byte [] owner = hash(nsec3.getName(), nsec3); byte[] owner = hash(nsec3.getName(), nsec3);
byte [] next = nsec3.getNext(); byte[] next = nsec3.getNext();
// This is the "normal case: owner < next and owner < hash < next // This is the "normal case: owner < next and owner < hash < next
if ((bac.compare(owner, hash) < 0) && (bac.compare(hash, next) < 0)) { if ((bac.compare(owner, hash) < 0) && (bac.compare(hash, next) < 0)) {
@ -243,9 +243,8 @@ public class NSEC3ValUtils {
// this is the end of zone case: next < owner && hash > owner || hash < // this is the end of zone case: next < owner && hash > owner || hash <
// next // next
if ((bac.compare(next, owner) <= 0) && if ((bac.compare(next, owner) <= 0)
((bac.compare(hash, next) < 0) || && ((bac.compare(hash, next) < 0) || (bac.compare(owner, hash) < 0))) {
(bac.compare(owner, hash) < 0))) {
return true; return true;
} }
@ -269,9 +268,9 @@ public class NSEC3ValUtils {
* *
* @return A covering NSEC3 if one is present, null otherwise. * @return A covering NSEC3 if one is present, null otherwise.
*/ */
private static NSEC3Record findCoveringNSEC3(byte [] hash, Name zonename, private static NSEC3Record findCoveringNSEC3(byte[] hash, Name zonename,
List<NSEC3Record> nsec3s, NSEC3Parameters params, List<NSEC3Record> nsec3s, NSEC3Parameters params,
ByteArrayComparator bac) { ByteArrayComparator bac) {
ByteArrayComparator comparator = new ByteArrayComparator(); ByteArrayComparator comparator = new ByteArrayComparator();
for (NSEC3Record nsec3 : nsec3s) { for (NSEC3Record nsec3 : nsec3s) {
@ -307,9 +306,9 @@ public class NSEC3ValUtils {
* RR that matched it, or null if there wasn't one. * RR that matched it, or null if there wasn't one.
*/ */
private static CEResponse findClosestEncloser(Name name, Name zonename, private static CEResponse findClosestEncloser(Name name, Name zonename,
List<NSEC3Record> nsec3s, NSEC3Parameters params, List<NSEC3Record> nsec3s, NSEC3Parameters params,
ByteArrayComparator bac) { ByteArrayComparator bac) {
Name n = name; Name n = name;
NSEC3Record nsec3; NSEC3Record nsec3;
@ -318,8 +317,8 @@ public class NSEC3ValUtils {
// FIXME: modify so that the NSEC3 matching the zone apex need not be // FIXME: modify so that the NSEC3 matching the zone apex need not be
// present. // present.
while (n.labels() >= zonename.labels()) { while (n.labels() >= zonename.labels()) {
nsec3 = findMatchingNSEC3(hash(n, params), zonename, nsec3 = findMatchingNSEC3(hash(n, params), zonename, nsec3s,
nsec3s, params, bac); params, bac);
if (nsec3 != null) { if (nsec3 != null) {
return new CEResponse(n, nsec3); return new CEResponse(n, nsec3);
@ -352,21 +351,22 @@ public class NSEC3ValUtils {
* that matches it. * that matches it.
*/ */
private static CEResponse proveClosestEncloser(Name qname, Name zonename, private static CEResponse proveClosestEncloser(Name qname, Name zonename,
List<NSEC3Record> nsec3s, NSEC3Parameters params, List<NSEC3Record> nsec3s, NSEC3Parameters params,
ByteArrayComparator bac, boolean proveDoesNotExist) { ByteArrayComparator bac, boolean proveDoesNotExist) {
CEResponse candidate = findClosestEncloser(qname, zonename, nsec3s, CEResponse candidate = findClosestEncloser(qname, zonename, nsec3s,
params, bac); params, bac);
if (candidate == null) { if (candidate == null) {
st_log.debug("proveClosestEncloser: could not find a " + st_log.debug("proveClosestEncloser: could not find a "
"candidate for the closest encloser."); + "candidate for the closest encloser.");
return null; return null;
} }
if (candidate.closestEncloser.equals(qname)) { if (candidate.closestEncloser.equals(qname)) {
if (proveDoesNotExist) { if (proveDoesNotExist) {
st_log.debug("proveClosestEncloser: proved that qname existed!"); st_log
.debug("proveClosestEncloser: proved that qname existed!");
return null; return null;
} }
@ -380,10 +380,10 @@ public class NSEC3ValUtils {
// should have been a referral. If it is a DNAME, then it should have // should have been a referral. If it is a DNAME, then it should have
// been // been
// a DNAME response. // a DNAME response.
if (candidate.ce_nsec3.hasType(Type.NS) && if (candidate.ce_nsec3.hasType(Type.NS)
!candidate.ce_nsec3.hasType(Type.SOA)) { && !candidate.ce_nsec3.hasType(Type.SOA)) {
st_log.debug("proveClosestEncloser: closest encloser " + st_log.debug("proveClosestEncloser: closest encloser "
"was a delegation!"); + "was a delegation!");
return null; return null;
} }
@ -395,15 +395,15 @@ public class NSEC3ValUtils {
} }
// Otherwise, we need to show that the next closer name is covered. // Otherwise, we need to show that the next closer name is covered.
Name nextClosest = nextClosest(qname, candidate.closestEncloser); Name nextClosest = nextClosest(qname, candidate.closestEncloser);
byte [] nc_hash = hash(nextClosest, params); byte[] nc_hash = hash(nextClosest, params);
candidate.nc_nsec3 = findCoveringNSEC3(nc_hash, zonename, nsec3s, candidate.nc_nsec3 = findCoveringNSEC3(nc_hash, zonename, nsec3s,
params, bac); params, bac);
if (candidate.nc_nsec3 == null) { if (candidate.nc_nsec3 == null) {
st_log.debug("Could not find proof that the " + st_log.debug("Could not find proof that the "
"closest encloser was the closest encloser"); + "closest encloser was the closest encloser");
return null; return null;
} }
@ -413,41 +413,41 @@ public class NSEC3ValUtils {
private static int maxIterations(int baseAlg, int keysize) { private static int maxIterations(int baseAlg, int keysize) {
switch (baseAlg) { switch (baseAlg) {
case DnsSecVerifier.RSA: case DnsSecVerifier.RSA:
if (keysize == 0) { if (keysize == 0) {
return 2500; // the max at 4096 return 2500; // the max at 4096
} }
if (keysize > 2048) { if (keysize > 2048) {
return 2500; return 2500;
} }
if (keysize > 1024) { if (keysize > 1024) {
return 500; return 500;
} }
if (keysize > 0) { if (keysize > 0) {
return 150; return 150;
} }
break; break;
case DnsSecVerifier.DSA: case DnsSecVerifier.DSA:
if (keysize == 0) { if (keysize == 0) {
return 5000; // the max at 2048; return 5000; // the max at 2048;
} }
if (keysize > 1024) { if (keysize > 1024) {
return 5000; return 5000;
} }
if (keysize > 0) { if (keysize > 0) {
return 1500; return 1500;
} }
break; break;
} }
return -1; return -1;
@ -455,17 +455,16 @@ public class NSEC3ValUtils {
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
private static boolean validIterations(NSEC3Parameters nsec3params, private static boolean validIterations(NSEC3Parameters nsec3params,
RRset dnskey_rrset, DnsSecVerifier verifier) { RRset dnskey_rrset, DnsSecVerifier verifier) {
// for now, we return the maximum iterations based simply on the key // for now, we return the maximum iterations based simply on the key
// algorithms that may have been used to sign the NSEC3 RRsets. // algorithms that may have been used to sign the NSEC3 RRsets.
int max_iterations = 0; int max_iterations = 0;
for (Iterator i = dnskey_rrset.rrs(); i.hasNext();) { for (Iterator i = dnskey_rrset.rrs(); i.hasNext();) {
DNSKEYRecord dnskey = (DNSKEYRecord) i.next(); DNSKEYRecord dnskey = (DNSKEYRecord) i.next();
int baseAlg = verifier.baseAlgorithm(dnskey.getAlgorithm()); int baseAlg = verifier.baseAlgorithm(dnskey.getAlgorithm());
int iters = maxIterations(baseAlg, 0); int iters = maxIterations(baseAlg, 0);
max_iterations = (max_iterations < iters) ? iters max_iterations = (max_iterations < iters) ? iters : max_iterations;
: max_iterations;
} }
if (nsec3params.iterations > max_iterations) { if (nsec3params.iterations > max_iterations) {
@ -491,7 +490,7 @@ public class NSEC3ValUtils {
* @return true if all of the NSEC3s can be legally ignored, false if not. * @return true if all of the NSEC3s can be legally ignored, false if not.
*/ */
public static boolean allNSEC3sIgnoreable(List<NSEC3Record> nsec3s, public static boolean allNSEC3sIgnoreable(List<NSEC3Record> nsec3s,
RRset dnskey_rrset, DnsSecVerifier verifier) { RRset dnskey_rrset, DnsSecVerifier verifier) {
NSEC3Parameters params = nsec3Parameters(nsec3s); NSEC3Parameters params = nsec3Parameters(nsec3s);
if (params == null) { if (params == null) {
@ -520,7 +519,7 @@ public class NSEC3ValUtils {
* ignored. * ignored.
*/ */
public static boolean proveNameError(List<NSEC3Record> nsec3s, Name qname, public static boolean proveNameError(List<NSEC3Record> nsec3s, Name qname,
Name zonename) { Name zonename) {
if ((nsec3s == null) || (nsec3s.size() == 0)) { if ((nsec3s == null) || (nsec3s.size() == 0)) {
return false; return false;
} }
@ -528,8 +527,8 @@ public class NSEC3ValUtils {
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s); NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
if (nsec3params == null) { if (nsec3params == null) {
st_log.debug("Could not find a single set of " + st_log.debug("Could not find a single set of "
"NSEC3 parameters (multiple parameters present)."); + "NSEC3 parameters (multiple parameters present).");
return false; return false;
} }
@ -550,14 +549,14 @@ public class NSEC3ValUtils {
// At this point, we know that qname does not exist. Now we need to // At this point, we know that qname does not exist. Now we need to
// prove // prove
// that the wildcard does not exist. // that the wildcard does not exist.
Name wc = ceWildcard(ce.closestEncloser); Name wc = ceWildcard(ce.closestEncloser);
byte [] wc_hash = hash(wc, nsec3params); byte[] wc_hash = hash(wc, nsec3params);
NSEC3Record nsec3 = findCoveringNSEC3(wc_hash, zonename, nsec3s, NSEC3Record nsec3 = findCoveringNSEC3(wc_hash, zonename, nsec3s,
nsec3params, bac); nsec3params, bac);
if (nsec3 == null) { if (nsec3 == null) {
st_log.debug("proveNameError: could not prove that the " + st_log.debug("proveNameError: could not prove that the "
"applicable wildcard did not exist."); + "applicable wildcard did not exist.");
return false; return false;
} }
@ -596,7 +595,7 @@ public class NSEC3ValUtils {
* @return true if the NSEC3s prove the proposition. * @return true if the NSEC3s prove the proposition.
*/ */
public static boolean proveNodata(List<NSEC3Record> nsec3s, Name qname, public static boolean proveNodata(List<NSEC3Record> nsec3s, Name qname,
int qtype, Name zonename) { int qtype, Name zonename) {
if ((nsec3s == null) || (nsec3s.size() == 0)) { if ((nsec3s == null) || (nsec3s.size() == 0)) {
return false; return false;
} }
@ -604,29 +603,29 @@ public class NSEC3ValUtils {
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s); NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
if (nsec3params == null) { if (nsec3params == null) {
st_log.debug("could not find a single set of " + st_log.debug("could not find a single set of "
"NSEC3 parameters (multiple parameters present)"); + "NSEC3 parameters (multiple parameters present)");
return false; return false;
} }
ByteArrayComparator bac = new ByteArrayComparator(); ByteArrayComparator bac = new ByteArrayComparator();
NSEC3Record nsec3 = findMatchingNSEC3(hash(qname, nsec3params), NSEC3Record nsec3 = findMatchingNSEC3(hash(qname, nsec3params),
zonename, nsec3s, nsec3params, bac); zonename, nsec3s, nsec3params, bac);
// Cases 1 & 2. // Cases 1 & 2.
if (nsec3 != null) { if (nsec3 != null) {
if (nsec3.hasType(qtype)) { if (nsec3.hasType(qtype)) {
st_log.debug( st_log
"proveNodata: Matching NSEC3 proved that type existed!"); .debug("proveNodata: Matching NSEC3 proved that type existed!");
return false; return false;
} }
if (nsec3.hasType(Type.CNAME)) { if (nsec3.hasType(Type.CNAME)) {
st_log.debug("proveNodata: Matching NSEC3 proved " + st_log.debug("proveNodata: Matching NSEC3 proved "
"that a CNAME existed!"); + "that a CNAME existed!");
return false; return false;
} }
@ -643,8 +642,8 @@ public class NSEC3ValUtils {
// At this point, not finding a match or a proven closest encloser is a // At this point, not finding a match or a proven closest encloser is a
// problem. // problem.
if (ce == null) { if (ce == null) {
st_log.debug("proveNodata: did not match qname, " + st_log.debug("proveNodata: did not match qname, "
"nor found a proven closest encloser."); + "nor found a proven closest encloser.");
return false; return false;
} }
@ -668,16 +667,17 @@ public class NSEC3ValUtils {
// Case 5. // Case 5.
if (qtype != Type.DS) { if (qtype != Type.DS) {
st_log.debug("proveNodata: could not find matching NSEC3, " + st_log
"nor matching wildcard, and qtype is not DS -- no more options."); .debug("proveNodata: could not find matching NSEC3, "
+ "nor matching wildcard, and qtype is not DS -- no more options.");
return false; return false;
} }
// We need to make sure that the covering NSEC3 is opt-in. // We need to make sure that the covering NSEC3 is opt-in.
if (!isOptOut(ce.nc_nsec3)) { if (!isOptOut(ce.nc_nsec3)) {
st_log.debug("proveNodata: covering NSEC3 was not " + st_log.debug("proveNodata: covering NSEC3 was not "
"opt-in in an opt-in DS NOERROR/NODATA case."); + "opt-in in an opt-in DS NOERROR/NODATA case.");
return false; return false;
} }
@ -700,7 +700,7 @@ public class NSEC3ValUtils {
* @return true if the NSEC3 records prove this case. * @return true if the NSEC3 records prove this case.
*/ */
public static boolean proveWildcard(List<NSEC3Record> nsec3s, Name qname, public static boolean proveWildcard(List<NSEC3Record> nsec3s, Name qname,
Name zonename, Name wildcard) { Name zonename, Name wildcard) {
if ((nsec3s == null) || (nsec3s.size() == 0)) { if ((nsec3s == null) || (nsec3s.size() == 0)) {
return false; return false;
} }
@ -712,8 +712,8 @@ public class NSEC3ValUtils {
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s); NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
if (nsec3params == null) { if (nsec3params == null) {
st_log.debug( st_log
"couldn't find a single set of NSEC3 parameters (multiple parameters present)."); .debug("couldn't find a single set of NSEC3 parameters (multiple parameters present).");
return false; return false;
} }
@ -732,10 +732,10 @@ public class NSEC3ValUtils {
zonename, nsec3s, nsec3params, bac); zonename, nsec3s, nsec3params, bac);
if (candidate.nc_nsec3 == null) { if (candidate.nc_nsec3 == null) {
st_log.debug("proveWildcard: did not find a covering NSEC3 " + st_log.debug("proveWildcard: did not find a covering NSEC3 "
"that covered the next closer name to " + qname + " from " + + "that covered the next closer name to " + qname
candidate.closestEncloser + " (derived from wildcard " + + " from " + candidate.closestEncloser
wildcard + ")"); + " (derived from wildcard " + wildcard + ")");
return false; return false;
} }
@ -763,7 +763,7 @@ public class NSEC3ValUtils {
* work out. * work out.
*/ */
public static byte proveNoDS(List<NSEC3Record> nsec3s, Name qname, public static byte proveNoDS(List<NSEC3Record> nsec3s, Name qname,
Name zonename) { Name zonename) {
if ((nsec3s == null) || (nsec3s.size() == 0)) { if ((nsec3s == null) || (nsec3s.size() == 0)) {
return SecurityStatus.BOGUS; return SecurityStatus.BOGUS;
} }
@ -771,8 +771,8 @@ public class NSEC3ValUtils {
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s); NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
if (nsec3params == null) { if (nsec3params == null) {
st_log.debug("couldn't find a single set of " + st_log.debug("couldn't find a single set of "
"NSEC3 parameters (multiple parameters present)."); + "NSEC3 parameters (multiple parameters present).");
return SecurityStatus.BOGUS; return SecurityStatus.BOGUS;
} }
@ -824,18 +824,18 @@ public class NSEC3ValUtils {
* algorithm, iterations, and salt. * algorithm, iterations, and salt.
*/ */
private static class NSEC3Parameters { private static class NSEC3Parameters {
public int alg; public int alg;
public byte [] salt; public byte[] salt;
public int iterations; public int iterations;
private NSEC3PARAMRecord nsec3paramrec; private NSEC3PARAMRecord nsec3paramrec;
public NSEC3Parameters(NSEC3Record r) { public NSEC3Parameters(NSEC3Record r) {
alg = r.getHashAlgorithm(); alg = r.getHashAlgorithm();
salt = r.getSalt(); salt = r.getSalt();
iterations = r.getIterations(); iterations = r.getIterations();
nsec3paramrec = new NSEC3PARAMRecord(Name.root, DClass.IN, 0, nsec3paramrec = new NSEC3PARAMRecord(Name.root, DClass.IN, 0, alg,
alg, 0, iterations, salt); 0, iterations, salt);
} }
public boolean match(NSEC3Record r, ByteArrayComparator bac) { public boolean match(NSEC3Record r, ByteArrayComparator bac) {
@ -872,13 +872,13 @@ public class NSEC3ValUtils {
* encloser proof. * encloser proof.
*/ */
private static class CEResponse { private static class CEResponse {
public Name closestEncloser; public Name closestEncloser;
public NSEC3Record ce_nsec3; public NSEC3Record ce_nsec3;
public NSEC3Record nc_nsec3; public NSEC3Record nc_nsec3;
public CEResponse(Name ce, NSEC3Record nsec3) { public CEResponse(Name ce, NSEC3Record nsec3) {
this.closestEncloser = ce; this.closestEncloser = ce;
this.ce_nsec3 = nsec3; this.ce_nsec3 = nsec3;
} }
} }
} }

53
src/com/verisign/tat/dnssec/SMessage.java
View File

@ -27,23 +27,22 @@ import org.xbill.DNS.*;
import java.util.*; import java.util.*;
/** /**
* This class represents a DNS message with resolver/validator state. * This class represents a DNS message with resolver/validator state.
*/ */
public class SMessage { public class SMessage {
private static SRRset [] empty_srrset_array = new SRRset[0]; private static SRRset[] empty_srrset_array = new SRRset[0];
private Header mHeader; private Header mHeader;
private Record mQuestion; private Record mQuestion;
private OPTRecord mOPTRecord; private OPTRecord mOPTRecord;
private List<SRRset> [] mSection; private List<SRRset>[] mSection;
private SecurityStatus mSecurityStatus; private SecurityStatus mSecurityStatus;
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
public SMessage(Header h) { public SMessage(Header h) {
mSection = (List<SRRset> []) new List[3]; mSection = (List<SRRset>[]) new List[3];
mHeader = h; mHeader = h;
mSecurityStatus = new SecurityStatus(); mSecurityStatus = new SecurityStatus();
} }
public SMessage(int id) { public SMessage(int id) {
@ -56,11 +55,11 @@ public class SMessage {
public SMessage(Message m) { public SMessage(Message m) {
this(m.getHeader()); this(m.getHeader());
mQuestion = m.getQuestion(); mQuestion = m.getQuestion();
mOPTRecord = m.getOPT(); mOPTRecord = m.getOPT();
for (int i = Section.ANSWER; i <= Section.ADDITIONAL; i++) { for (int i = Section.ANSWER; i <= Section.ADDITIONAL; i++) {
RRset [] rrsets = m.getSectionRRsets(i); RRset[] rrsets = m.getSectionRRsets(i);
for (int j = 0; j < rrsets.length; j++) { for (int j = 0; j < rrsets.length; j++) {
addRRset(rrsets[j], i); addRRset(rrsets[j], i);
@ -151,13 +150,13 @@ public class SMessage {
sectionList.addAll(0, rrsets); sectionList.addAll(0, rrsets);
} }
public SRRset [] getSectionRRsets(int section) { public SRRset[] getSectionRRsets(int section) {
List<SRRset> slist = getSectionList(section); List<SRRset> slist = getSectionList(section);
return (SRRset []) slist.toArray(empty_srrset_array); return (SRRset[]) slist.toArray(empty_srrset_array);
} }
public SRRset [] getSectionRRsets(int section, int qtype) { public SRRset[] getSectionRRsets(int section, int qtype) {
List<SRRset> slist = getSectionList(section); List<SRRset> slist = getSectionList(section);
if (slist.size() == 0) { if (slist.size() == 0) {
@ -172,7 +171,7 @@ public class SMessage {
} }
} }
return (SRRset []) result.toArray(empty_srrset_array); return (SRRset[]) result.toArray(empty_srrset_array);
} }
public void deleteRRset(SRRset rrset, int section) { public void deleteRRset(SRRset rrset, int section) {
@ -331,12 +330,12 @@ public class SMessage {
throw new IllegalArgumentException("Invalid section."); throw new IllegalArgumentException("Invalid section.");
} }
SRRset [] rrsets = getSectionRRsets(section); SRRset[] rrsets = getSectionRRsets(section);
for (int i = 0; i < rrsets.length; i++) { for (int i = 0; i < rrsets.length; i++) {
if (rrsets[i].getName().equals(name) && if (rrsets[i].getName().equals(name)
(rrsets[i].getType() == type) && && (rrsets[i].getType() == type)
(rrsets[i].getDClass() == dclass)) { && (rrsets[i].getDClass() == dclass)) {
return rrsets[i]; return rrsets[i];
} }
} }
@ -359,20 +358,20 @@ public class SMessage {
* name from qname, due to following a CNAME chain. * name from qname, due to following a CNAME chain.
*/ */
public SRRset findAnswerRRset(Name qname, int qtype, int qclass) { public SRRset findAnswerRRset(Name qname, int qtype, int qclass) {
SRRset [] srrsets = getSectionRRsets(Section.ANSWER); SRRset[] srrsets = getSectionRRsets(Section.ANSWER);
for (int i = 0; i < srrsets.length; i++) { for (int i = 0; i < srrsets.length; i++) {
if (srrsets[i].getName().equals(qname) && if (srrsets[i].getName().equals(qname)
(srrsets[i].getType() == Type.CNAME)) { && (srrsets[i].getType() == Type.CNAME)) {
CNAMERecord cname = (CNAMERecord) srrsets[i].first(); CNAMERecord cname = (CNAMERecord) srrsets[i].first();
qname = cname.getTarget(); qname = cname.getTarget();
continue; continue;
} }
if (srrsets[i].getName().equals(qname) && if (srrsets[i].getName().equals(qname)
(srrsets[i].getType() == qtype) && && (srrsets[i].getType() == qtype)
(srrsets[i].getDClass() == qclass)) { && (srrsets[i].getDClass() == qclass)) {
return srrsets[i]; return srrsets[i];
} }
} }

1
src/com/verisign/tat/dnssec/SRRset.java
View File

@ -27,7 +27,6 @@ import org.xbill.DNS.*;
import java.util.*; import java.util.*;
/** /**
* A version of the RRset class overrides the standard security status. * A version of the RRset class overrides the standard security status.
*/ */

31
src/com/verisign/tat/dnssec/SecurityStatus.java
View File

@ -23,7 +23,6 @@
package com.verisign.tat.dnssec; package com.verisign.tat.dnssec;
/** /**
* Codes for DNSSEC security statuses. * Codes for DNSSEC security statuses.
* *
@ -70,7 +69,7 @@ public class SecurityStatus {
private byte status; private byte status;
public SecurityStatus() { public SecurityStatus() {
status = UNCHECKED; status = UNCHECKED;
} }
public SecurityStatus(byte status) { public SecurityStatus(byte status) {
@ -79,26 +78,26 @@ public class SecurityStatus {
public static String string(int status) { public static String string(int status) {
switch (status) { switch (status) {
case INVALID: case INVALID:
return "Invalid"; return "Invalid";
case BOGUS: case BOGUS:
return "Bogus"; return "Bogus";
case SECURE: case SECURE:
return "Secure"; return "Secure";
case INSECURE: case INSECURE:
return "Insecure"; return "Insecure";
case INDETERMINATE: case INDETERMINATE:
return "Indeterminate"; return "Indeterminate";
case UNCHECKED: case UNCHECKED:
return "Unchecked"; return "Unchecked";
default: default:
return "UNKNOWN"; return "UNKNOWN";
} }
} }

174
src/com/verisign/tat/dnssec/SignUtils.java
View File

@ -46,20 +46,19 @@ import java.util.Comparator;
import java.util.Date; import java.util.Date;
import java.util.Iterator; import java.util.Iterator;
/** /**
* This class contains a bunch of utility methods that are generally useful in * This class contains a bunch of utility methods that are generally useful in
* signing and verifying rrsets. * signing and verifying rrsets.
*/ */
public class SignUtils { public class SignUtils {
// private static final int DSA_SIGNATURE_LENGTH = 20; // private static final int DSA_SIGNATURE_LENGTH = 20;
private static final int ASN1_INT = 0x02; private static final int ASN1_INT = 0x02;
private static final int ASN1_SEQ = 0x30; private static final int ASN1_SEQ = 0x30;
public static final int RR_NORMAL = 0; public static final int RR_NORMAL = 0;
public static final int RR_DELEGATION = 1; public static final int RR_DELEGATION = 1;
public static final int RR_GLUE = 2; public static final int RR_GLUE = 2;
public static final int RR_INVALID = 3; public static final int RR_INVALID = 3;
private static Logger log = Logger.getLogger(SignUtils.class); private static Logger log = Logger.getLogger(SignUtils.class);
/** /**
* Generate from some basic information a prototype SIG RR containing * Generate from some basic information a prototype SIG RR containing
@ -82,10 +81,10 @@ public class SignUtils {
* @return a prototype signature based on the RRset and key information. * @return a prototype signature based on the RRset and key information.
*/ */
public static RRSIGRecord generatePreRRSIG(RRset rrset, Name signer, public static RRSIGRecord generatePreRRSIG(RRset rrset, Name signer,
int alg, int keyid, Date start, Date expire, long sig_ttl) { int alg, int keyid, Date start, Date expire, long sig_ttl) {
return new RRSIGRecord(rrset.getName(), rrset.getDClass(), sig_ttl, return new RRSIGRecord(rrset.getName(), rrset.getDClass(), sig_ttl,
rrset.getType(), alg, rrset.getTTL(), expire, start, keyid, signer, rrset.getType(), alg, rrset.getTTL(), expire, start, keyid,
null); signer, null);
} }
/** /**
@ -106,9 +105,9 @@ public class SignUtils {
* @return a prototype signature based on the RRset and key information. * @return a prototype signature based on the RRset and key information.
*/ */
public static RRSIGRecord generatePreRRSIG(RRset rrset, DNSKEYRecord key, public static RRSIGRecord generatePreRRSIG(RRset rrset, DNSKEYRecord key,
Date start, Date expire, long sig_ttl) { Date start, Date expire, long sig_ttl) {
return generatePreRRSIG(rrset, key.getName(), key.getAlgorithm(), return generatePreRRSIG(rrset, key.getName(), key.getAlgorithm(), key
key.getFootprint(), start, expire, sig_ttl); .getFootprint(), start, expire, sig_ttl);
} }
/** /**
@ -128,10 +127,10 @@ public class SignUtils {
* @return a prototype signature based on the Record and key information. * @return a prototype signature based on the Record and key information.
*/ */
public static RRSIGRecord generatePreRRSIG(Record rec, DNSKEYRecord key, public static RRSIGRecord generatePreRRSIG(Record rec, DNSKEYRecord key,
Date start, Date expire, long sig_ttl) { Date start, Date expire, long sig_ttl) {
return new RRSIGRecord(rec.getName(), rec.getDClass(), sig_ttl, return new RRSIGRecord(rec.getName(), rec.getDClass(), sig_ttl, rec
rec.getType(), key.getAlgorithm(), rec.getTTL(), expire, start, .getType(), key.getAlgorithm(), rec.getTTL(), expire, start,
key.getFootprint(), key.getName(), null); key.getFootprint(), key.getName(), null);
} }
/** /**
@ -142,14 +141,14 @@ public class SignUtils {
* @return the RDATA portion of the prototype SIG record. This forms the * @return the RDATA portion of the prototype SIG record. This forms the
* first part of the data to be signed. * first part of the data to be signed.
*/ */
private static byte [] generatePreSigRdata(RRSIGRecord presig) { private static byte[] generatePreSigRdata(RRSIGRecord presig) {
// Generate the binary image; // Generate the binary image;
DNSOutput image = new DNSOutput(); DNSOutput image = new DNSOutput();
// precalculate some things // precalculate some things
int start_time = (int) (presig.getTimeSigned().getTime() / 1000); int start_time = (int) (presig.getTimeSigned().getTime() / 1000);
int expire_time = (int) (presig.getExpire().getTime() / 1000); int expire_time = (int) (presig.getExpire().getTime() / 1000);
Name signer = presig.getSigner(); Name signer = presig.getSigner();
// first write out the partial SIG record (this is the SIG RDATA // first write out the partial SIG record (this is the SIG RDATA
// minus the actual signature. // minus the actual signature.
@ -180,8 +179,8 @@ public class SignUtils {
* part of data to be signed. * part of data to be signed.
*/ */
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
public static byte [] generateCanonicalRRsetData(RRset rrset, long ttl, public static byte[] generateCanonicalRRsetData(RRset rrset, long ttl,
int labels) { int labels) {
DNSOutput image = new DNSOutput(); DNSOutput image = new DNSOutput();
if (ttl == 0) { if (ttl == 0) {
@ -200,15 +199,15 @@ public class SignUtils {
boolean wildcardName = false; boolean wildcardName = false;
if (n.labels() != labels) { if (n.labels() != labels) {
n = n.wild(n.labels() - labels); n = n.wild(n.labels() - labels);
wildcardName = true; wildcardName = true;
log.trace("Detected wildcard expansion: " + rrset.getName() + log.trace("Detected wildcard expansion: " + rrset.getName()
" changed to " + n); + " changed to " + n);
} }
// now convert the wire format records in the RRset into a // now convert the wire format records in the RRset into a
// list of byte arrays. // list of byte arrays.
ArrayList<byte []> canonical_rrs = new ArrayList<byte []>(); ArrayList<byte[]> canonical_rrs = new ArrayList<byte[]>();
for (Iterator i = rrset.rrs(); i.hasNext();) { for (Iterator i = rrset.rrs(); i.hasNext();) {
Record r = (Record) i.next(); Record r = (Record) i.next();
@ -218,25 +217,24 @@ public class SignUtils {
// or ownername. // or ownername.
// In the TTL case, this avoids changing the ttl in the // In the TTL case, this avoids changing the ttl in the
// response. // response.
r = Record.newRecord(n, r.getType(), r.getDClass(), ttl, r = Record.newRecord(n, r.getType(), r.getDClass(), ttl, r
r.rdataToWireCanonical()); .rdataToWireCanonical());
} }
byte [] wire_fmt = r.toWireCanonical(); byte[] wire_fmt = r.toWireCanonical();
canonical_rrs.add(wire_fmt); canonical_rrs.add(wire_fmt);
} }
// put the records into the correct ordering. // put the records into the correct ordering.
// Calculate the offset where the RDATA begins (we have to skip // Calculate the offset where the RDATA begins (we have to skip
// past the length byte) // past the length byte)
int offset = rrset.getName().toWireCanonical().length + int offset = rrset.getName().toWireCanonical().length + 10;
10; ByteArrayComparator bac = new ByteArrayComparator(offset, false);
ByteArrayComparator bac = new ByteArrayComparator(offset, false);
Collections.sort(canonical_rrs, bac); Collections.sort(canonical_rrs, bac);
for (Iterator<byte []> i = canonical_rrs.iterator(); i.hasNext();) { for (Iterator<byte[]> i = canonical_rrs.iterator(); i.hasNext();) {
byte [] wire_fmt_rec = i.next(); byte[] wire_fmt_rec = i.next();
image.writeByteArray(wire_fmt_rec); image.writeByteArray(wire_fmt_rec);
} }
@ -253,10 +251,10 @@ public class SignUtils {
* a prototype SIG RR created using the same RRset. * a prototype SIG RR created using the same RRset.
* @return a block of data ready to be signed. * @return a block of data ready to be signed.
*/ */
public static byte [] generateSigData(RRset rrset, RRSIGRecord presig) public static byte[] generateSigData(RRset rrset, RRSIGRecord presig)
throws IOException { throws IOException {
byte [] rrset_data = generateCanonicalRRsetData(rrset, byte[] rrset_data = generateCanonicalRRsetData(rrset, presig
presig.getOrigTTL(), presig.getLabels()); .getOrigTTL(), presig.getLabels());
return generateSigData(rrset_data, presig); return generateSigData(rrset_data, presig);
} }
@ -273,12 +271,12 @@ public class SignUtils {
* <code>rrset_data</code>. * <code>rrset_data</code>.
* @return a block of data ready to be signed. * @return a block of data ready to be signed.
*/ */
public static byte [] generateSigData(byte [] rrset_data, RRSIGRecord presig) public static byte[] generateSigData(byte[] rrset_data, RRSIGRecord presig)
throws IOException { throws IOException {
byte [] sig_rdata = generatePreSigRdata(presig); byte[] sig_rdata = generatePreSigRdata(presig);
ByteArrayOutputStream image = new ByteArrayOutputStream(sig_rdata.length + ByteArrayOutputStream image = new ByteArrayOutputStream(
rrset_data.length); sig_rdata.length + rrset_data.length);
image.write(sig_rdata); image.write(sig_rdata);
image.write(rrset_data); image.write(rrset_data);
@ -296,12 +294,12 @@ public class SignUtils {
* the prototype RRSIG RR to add the signature to. * the prototype RRSIG RR to add the signature to.
* @return the fully formed RRSIG RR. * @return the fully formed RRSIG RR.
*/ */
public static RRSIGRecord generateRRSIG(byte [] signature, public static RRSIGRecord generateRRSIG(byte[] signature, RRSIGRecord presig) {
RRSIGRecord presig) { return new RRSIGRecord(presig.getName(), presig.getDClass(), presig
return new RRSIGRecord(presig.getName(), presig.getDClass(), .getTTL(), presig.getTypeCovered(), presig.getAlgorithm(),
presig.getTTL(), presig.getTypeCovered(), presig.getAlgorithm(), presig.getOrigTTL(), presig.getExpire(),
presig.getOrigTTL(), presig.getExpire(), presig.getTimeSigned(), presig.getTimeSigned(), presig.getFootprint(), presig
presig.getFootprint(), presig.getSigner(), signature); .getSigner(), signature);
} }
/** /**
@ -323,11 +321,11 @@ public class SignUtils {
* if there was something wrong with the RFC 2536 formatted * if there was something wrong with the RFC 2536 formatted
* signature. * signature.
*/ */
public static byte [] convertDSASignature(byte [] signature) public static byte[] convertDSASignature(byte[] signature)
throws SignatureException { throws SignatureException {
if (signature.length != 41) { if (signature.length != 41) {
throw new SignatureException( throw new SignatureException(
"RFC 2536 signature not expected length."); "RFC 2536 signature not expected length.");
} }
byte r_pad = 0; byte r_pad = 0;
@ -345,15 +343,15 @@ public class SignUtils {
// ASN.1 length = R length + S length + (2 + 2 + 2), where each 2 // ASN.1 length = R length + S length + (2 + 2 + 2), where each 2
// is for a ASN.1 type-length byte pair of which there are three // is for a ASN.1 type-length byte pair of which there are three
// (SEQ, INT, INT). // (SEQ, INT, INT).
byte sig_length = (byte) (40 + r_pad + s_pad + 6); byte sig_length = (byte) (40 + r_pad + s_pad + 6);
byte [] sig = new byte[sig_length]; byte[] sig = new byte[sig_length];
byte pos = 0; byte pos = 0;
sig[pos++] = ASN1_SEQ; sig[pos++] = ASN1_SEQ;
sig[pos++] = (byte) (sig_length - 2); // all but the SEQ type+length. sig[pos++] = (byte) (sig_length - 2); // all but the SEQ type+length.
sig[pos++] = ASN1_INT; sig[pos++] = ASN1_INT;
sig[pos++] = (byte) (20 + r_pad); sig[pos++] = (byte) (20 + r_pad);
// copy the value of R, leaving a null byte if necessary // copy the value of R, leaving a null byte if necessary
if (r_pad == 1) { if (r_pad == 1) {
@ -363,8 +361,8 @@ public class SignUtils {
System.arraycopy(signature, 1, sig, pos, 20); System.arraycopy(signature, 1, sig, pos, 20);
pos += 20; pos += 20;
sig[pos++] = ASN1_INT; sig[pos++] = ASN1_INT;
sig[pos++] = (byte) (20 + s_pad); sig[pos++] = (byte) (20 + s_pad);
// copy the value of S, leaving a null byte if necessary // copy the value of S, leaving a null byte if necessary
if (s_pad == 1) { if (s_pad == 1) {
@ -397,25 +395,25 @@ public class SignUtils {
* @throws SignatureException * @throws SignatureException
* if something is wrong with the ASN.1 format. * if something is wrong with the ASN.1 format.
*/ */
public static byte [] convertDSASignature(DSAParams params, public static byte[] convertDSASignature(DSAParams params, byte[] signature)
byte [] signature) throws SignatureException { throws SignatureException {
if ((signature[0] != ASN1_SEQ) || (signature[2] != ASN1_INT)) { if ((signature[0] != ASN1_SEQ) || (signature[2] != ASN1_INT)) {
throw new SignatureException( throw new SignatureException(
"Invalid ASN.1 signature format: expected SEQ, INT"); "Invalid ASN.1 signature format: expected SEQ, INT");
} }
byte r_pad = (byte) (signature[3] - 20); byte r_pad = (byte) (signature[3] - 20);
if (signature[24 + r_pad] != ASN1_INT) { if (signature[24 + r_pad] != ASN1_INT) {
throw new SignatureException( throw new SignatureException(
"Invalid ASN.1 signature format: expected SEQ, INT, INT"); "Invalid ASN.1 signature format: expected SEQ, INT, INT");
} }
log.trace("(start) ASN.1 DSA Sig:\n" + base64.toString(signature)); log.trace("(start) ASN.1 DSA Sig:\n" + base64.toString(signature));
byte s_pad = (byte) (signature[25 + r_pad] - 20); byte s_pad = (byte) (signature[25 + r_pad] - 20);
byte [] sig = new byte[41]; // all rfc2536 signatures are 41 bytes. byte[] sig = new byte[41]; // all rfc2536 signatures are 41 bytes.
// Calculate T: // Calculate T:
sig[0] = (byte) ((params.getP().bitLength() - 512) / 64); sig[0] = (byte) ((params.getP().bitLength() - 512) / 64);
@ -437,13 +435,15 @@ public class SignUtils {
// S is shorter than 20 bytes, so right justify the number // S is shorter than 20 bytes, so right justify the number
// (s_pad is negative here). // (s_pad is negative here).
Arrays.fill(sig, 21, 21 - s_pad, (byte) 0); Arrays.fill(sig, 21, 21 - s_pad, (byte) 0);
System.arraycopy(signature, 26 + r_pad, sig, 21 - s_pad, 20 + System
s_pad); .arraycopy(signature, 26 + r_pad, sig, 21 - s_pad,
20 + s_pad);
} }
if ((r_pad < 0) || (s_pad < 0)) { if ((r_pad < 0) || (s_pad < 0)) {
log.trace("(finish ***) RFC 2536 DSA Sig:\n" + log
base64.toString(sig)); .trace("(finish ***) RFC 2536 DSA Sig:\n"
+ base64.toString(sig));
} else { } else {
log.trace("(finish) RFC 2536 DSA Sig:\n" + base64.toString(sig)); log.trace("(finish) RFC 2536 DSA Sig:\n" + base64.toString(sig));
} }
@ -456,24 +456,26 @@ public class SignUtils {
* useful for comparing RDATA portions of DNS records in doing DNSSEC * useful for comparing RDATA portions of DNS records in doing DNSSEC
* canonical ordering. * canonical ordering.
*/ */
public static class ByteArrayComparator implements Comparator<byte []> { public static class ByteArrayComparator implements Comparator<byte[]> {
private int mOffset = 0; private int mOffset = 0;
private boolean mDebug = false; private boolean mDebug = false;
public ByteArrayComparator() {} public ByteArrayComparator() {
public ByteArrayComparator(int offset, boolean debug) {
mOffset = offset;
mDebug = debug;
} }
public int compare(byte [] b1, byte [] b2) throws ClassCastException { public ByteArrayComparator(int offset, boolean debug) {
mOffset = offset;
mDebug = debug;
}
public int compare(byte[] b1, byte[] b2) throws ClassCastException {
for (int i = mOffset; (i < b1.length) && (i < b2.length); i++) { for (int i = mOffset; (i < b1.length) && (i < b2.length); i++) {
if (b1[i] != b2[i]) { if (b1[i] != b2[i]) {
if (mDebug) { if (mDebug) {
System.out.println("offset " + i + System.out
" differs (this is " + (i - mOffset) + .println("offset " + i + " differs (this is "
" bytes in from our offset.)"); + (i - mOffset)
+ " bytes in from our offset.)");
} }
return (b1[i] & 0xFF) - (b2[i] & 0xFF); return (b1[i] & 0xFF) - (b2[i] & 0xFF);

9
src/com/verisign/tat/dnssec/TrustAnchorStore.java
View File

@ -27,7 +27,6 @@ import org.xbill.DNS.*;
import java.util.*; import java.util.*;
/** /**
* *
*/ */
@ -89,10 +88,10 @@ public class TrustAnchorStore {
for (Map.Entry<String, SRRset> entry : mMap.entrySet()) { for (Map.Entry<String, SRRset> entry : mMap.entrySet()) {
for (Iterator<Record> i = entry.getValue().rrs(); i.hasNext();) { for (Iterator<Record> i = entry.getValue().rrs(); i.hasNext();) {
DNSKEYRecord r = (DNSKEYRecord) i.next(); DNSKEYRecord r = (DNSKEYRecord) i.next();
String key_desc = r.getName().toString() + "/" + String key_desc = r.getName().toString() + "/"
DNSSEC.Algorithm.string(r.getAlgorithm()) + "/" + + DNSSEC.Algorithm.string(r.getAlgorithm()) + "/"
r.getFootprint(); + r.getFootprint();
res.add(key_desc); res.add(key_desc);
} }
} }

10
src/com/verisign/tat/dnssec/Util.java
View File

@ -27,7 +27,6 @@ import org.xbill.DNS.Name;
import java.util.*; import java.util.*;
/** /**
* Some basic utility functions. * Some basic utility functions.
*/ */
@ -35,7 +34,8 @@ public class Util {
/** /**
* Convert a DNS name into a string suitable for use as a cache key. * Convert a DNS name into a string suitable for use as a cache key.
* *
* @param name The name to convert. * @param name
* The name to convert.
* @return A string representing the name. This isn't ever meant to be * @return A string representing the name. This isn't ever meant to be
* converted back into a DNS name. * converted back into a DNS name.
*/ */
@ -78,7 +78,7 @@ public class Util {
} }
public static List<ConfigEntry> parseConfigPrefix(Properties config, public static List<ConfigEntry> parseConfigPrefix(Properties config,
String prefix) { String prefix) {
if (!prefix.endsWith(".")) { if (!prefix.endsWith(".")) {
prefix = prefix + "."; prefix = prefix + ".";
} }
@ -102,8 +102,8 @@ public class Util {
public String value; public String value;
public ConfigEntry(String key, String value) { public ConfigEntry(String key, String value) {
this.key = key; this.key = key;
this.value = value; this.value = value;
} }
} }
} }

134
src/com/verisign/tat/dnssec/ValUtils.java
View File

@ -32,14 +32,13 @@ import java.security.NoSuchAlgorithmException;
import java.util.Iterator; import java.util.Iterator;
/** /**
* This is a collection of routines encompassing the logic of validating * This is a collection of routines encompassing the logic of validating
* different message types. * different message types.
*/ */
public class ValUtils { public class ValUtils {
private static Logger st_log = Logger.getLogger(ValUtils.class); private static Logger st_log = Logger.getLogger(ValUtils.class);
private Logger log = Logger.getLogger(this.getClass()); private Logger log = Logger.getLogger(this.getClass());
/** A local copy of the verifier object. */ /** A local copy of the verifier object. */
private DnsSecVerifier mVerifier; private DnsSecVerifier mVerifier;
@ -57,12 +56,12 @@ public class ValUtils {
* @return A subtype ranging from UNKNOWN to NAMEERROR. * @return A subtype ranging from UNKNOWN to NAMEERROR.
*/ */
public static ResponseType classifyResponse(SMessage m, Name zone) { public static ResponseType classifyResponse(SMessage m, Name zone) {
SRRset [] rrsets; SRRset[] rrsets;
// Normal Name Error's are easy to detect -- but don't mistake a CNAME // Normal Name Error's are easy to detect -- but don't mistake a CNAME
// chain ending in NXDOMAIN. // chain ending in NXDOMAIN.
if ((m.getRcode() == Rcode.NXDOMAIN) && if ((m.getRcode() == Rcode.NXDOMAIN)
(m.getCount(Section.ANSWER) == 0)) { && (m.getCount(Section.ANSWER) == 0)) {
return ResponseType.NAMEERROR; return ResponseType.NAMEERROR;
} }
@ -75,13 +74,13 @@ public class ValUtils {
// 1) nothing in the ANSWER section // 1) nothing in the ANSWER section
// 2) an NS RRset in the AUTHORITY section that is a strict subdomain of // 2) an NS RRset in the AUTHORITY section that is a strict subdomain of
// 'zone' (the presumed queried zone). // 'zone' (the presumed queried zone).
if ((zone != null) && (m.getCount(Section.ANSWER) == 0) && if ((zone != null) && (m.getCount(Section.ANSWER) == 0)
(m.getCount(Section.AUTHORITY) > 0)) { && (m.getCount(Section.AUTHORITY) > 0)) {
rrsets = m.getSectionRRsets(Section.AUTHORITY); rrsets = m.getSectionRRsets(Section.AUTHORITY);
for (int i = 0; i < rrsets.length; ++i) { for (int i = 0; i < rrsets.length; ++i) {
if ((rrsets[i].getType() == Type.NS) && if ((rrsets[i].getType() == Type.NS)
strictSubdomain(rrsets[i].getName(), zone)) { && strictSubdomain(rrsets[i].getName(), zone)) {
return ResponseType.REFERRAL; return ResponseType.REFERRAL;
} }
} }
@ -135,9 +134,8 @@ public class ValUtils {
// FIXME: this used to classify the message, then look in the pertinent // FIXME: this used to classify the message, then look in the pertinent
// section. Now we just find the first RRSIG in the ANSWER and AUTHORIY // section. Now we just find the first RRSIG in the ANSWER and AUTHORIY
// sections. // sections.
for (int section = Section.ANSWER; section < Section.ADDITIONAL; for (int section = Section.ANSWER; section < Section.ADDITIONAL; ++section) {
++section) { SRRset[] rrsets = m.getSectionRRsets(section);
SRRset [] rrsets = m.getSectionRRsets(section);
for (int i = 0; i < rrsets.length; ++i) { for (int i = 0; i < rrsets.length; ++i) {
Name signerName = rrsets[i].getSignerName(); Name signerName = rrsets[i].getSignerName();
@ -160,7 +158,7 @@ public class ValUtils {
* The DS digest algorithm in use. * The DS digest algorithm in use.
* @return the corresponding {@link org.xbill.DNS.DSRecord} * @return the corresponding {@link org.xbill.DNS.DSRecord}
*/ */
public static byte [] calculateDSHash(DNSKEYRecord keyrec, int ds_alg) { public static byte[] calculateDSHash(DNSKEYRecord keyrec, int ds_alg) {
DNSOutput os = new DNSOutput(); DNSOutput os = new DNSOutput();
os.writeByteArray(keyrec.getName().toWireCanonical()); os.writeByteArray(keyrec.getName().toWireCanonical());
@ -170,20 +168,20 @@ public class ValUtils {
MessageDigest md = null; MessageDigest md = null;
switch (ds_alg) { switch (ds_alg) {
case DSRecord.SHA1_DIGEST_ID: case DSRecord.SHA1_DIGEST_ID:
md = MessageDigest.getInstance("SHA"); md = MessageDigest.getInstance("SHA");
return md.digest(os.toByteArray()); return md.digest(os.toByteArray());
case DSRecord.SHA256_DIGEST_ID: case DSRecord.SHA256_DIGEST_ID:
md = MessageDigest.getInstance("SHA256"); md = MessageDigest.getInstance("SHA256");
return md.digest(os.toByteArray()); return md.digest(os.toByteArray());
default: default:
st_log.warn("Unknown DS algorithm: " + ds_alg); st_log.warn("Unknown DS algorithm: " + ds_alg);
return null; return null;
} }
} catch (NoSuchAlgorithmException e) { } catch (NoSuchAlgorithmException e) {
st_log.error("Error using DS algorithm: " + ds_alg, e); st_log.error("Error using DS algorithm: " + ds_alg, e);
@ -214,15 +212,15 @@ public class ValUtils {
*/ */
public static boolean isDNSSECType(int type) { public static boolean isDNSSECType(int type) {
switch (type) { switch (type) {
case Type.DNSKEY: case Type.DNSKEY:
case Type.NSEC: case Type.NSEC:
case Type.DS: case Type.DS:
case Type.RRSIG: case Type.RRSIG:
case Type.NSEC3: case Type.NSEC3:
return true; return true;
default: default:
return false; return false;
} }
} }
@ -274,9 +272,8 @@ public class ValUtils {
m.setStatus(security); m.setStatus(security);
} }
for (int section = Section.ANSWER; section <= Section.ADDITIONAL; for (int section = Section.ANSWER; section <= Section.ADDITIONAL; section++) {
section++) { SRRset[] rrsets = m.getSectionRRsets(section);
SRRset [] rrsets = m.getSectionRRsets(section);
for (int i = 0; i < rrsets.length; i++) { for (int i = 0; i < rrsets.length; i++) {
setRRsetSecurity(rrsets[i], security); setRRsetSecurity(rrsets[i], security);
@ -296,13 +293,13 @@ public class ValUtils {
* @return The status (BOGUS or SECURE). * @return The status (BOGUS or SECURE).
*/ */
public byte verifySRRset(SRRset rrset, SRRset key_rrset) { public byte verifySRRset(SRRset rrset, SRRset key_rrset) {
String rrset_name = rrset.getName() + "/" + String rrset_name = rrset.getName() + "/"
Type.string(rrset.getType()) + "/" + + Type.string(rrset.getType()) + "/"
DClass.string(rrset.getDClass()); + DClass.string(rrset.getDClass());
if (rrset.getSecurityStatus() == SecurityStatus.SECURE) { if (rrset.getSecurityStatus() == SecurityStatus.SECURE) {
log.trace("verifySRRset: rrset <" + rrset_name + log.trace("verifySRRset: rrset <" + rrset_name
"> previously found to be SECURE"); + "> previously found to be SECURE");
return SecurityStatus.SECURE; return SecurityStatus.SECURE;
} }
@ -310,12 +307,12 @@ public class ValUtils {
byte status = mVerifier.verify(rrset, key_rrset); byte status = mVerifier.verify(rrset, key_rrset);
if (status != SecurityStatus.SECURE) { if (status != SecurityStatus.SECURE) {
log.debug("verifySRRset: rrset <" + rrset_name + log.debug("verifySRRset: rrset <" + rrset_name
"> found to be BAD"); + "> found to be BAD");
status = SecurityStatus.BOGUS; status = SecurityStatus.BOGUS;
} else { } else {
log.trace("verifySRRset: rrset <" + rrset_name + log.trace("verifySRRset: rrset <" + rrset_name
"> found to be SECURE"); + "> found to be SECURE");
} }
rrset.setSecurityStatus(status); rrset.setSecurityStatus(status);
@ -332,7 +329,7 @@ public class ValUtils {
* The type to look for. * The type to look for.
* @return true if the type is present in the type map, false otherwise. * @return true if the type is present in the type map, false otherwise.
*/ */
public static boolean typeMapHasType(int [] types, int type) { public static boolean typeMapHasType(int[] types, int type) {
for (int i = 0; i < types.length; i++) { for (int i = 0; i < types.length; i++) {
if (types[i] == type) { if (types[i] == type) {
return true; return true;
@ -368,7 +365,7 @@ public class ValUtils {
int d1_labels = domain1.labels(); int d1_labels = domain1.labels();
int d2_labels = domain2.labels(); int d2_labels = domain2.labels();
int l = (d1_labels < d2_labels) ? d1_labels : d2_labels; int l = (d1_labels < d2_labels) ? d1_labels : d2_labels;
for (int i = l; i > 0; i--) { for (int i = l; i > 0; i--) {
Name n1 = new Name(domain1, d1_labels - i); Name n1 = new Name(domain1, d1_labels - i);
@ -478,9 +475,9 @@ public class ValUtils {
* @return true if the NSEC proves the condition. * @return true if the NSEC proves the condition.
*/ */
public static boolean nsecProvesNameError(NSECRecord nsec, Name qname, public static boolean nsecProvesNameError(NSECRecord nsec, Name qname,
Name signerName) { Name signerName) {
Name owner = nsec.getName(); Name owner = nsec.getName();
Name next = nsec.getNext(); Name next = nsec.getNext();
// If NSEC owner == qname, then this NSEC proves that qname exists. // If NSEC owner == qname, then this NSEC proves that qname exists.
if (qname.equals(owner)) { if (qname.equals(owner)) {
@ -490,16 +487,16 @@ public class ValUtils {
// If NSEC is a parent of qname, we need to check the type map // If NSEC is a parent of qname, we need to check the type map
// If the parent name has a DNAME or is a delegation point, then this // If the parent name has a DNAME or is a delegation point, then this
// NSEC is being misused. // NSEC is being misused.
boolean hasBadType = typeMapHasType(nsec.getTypes(), Type.DNAME) || boolean hasBadType = typeMapHasType(nsec.getTypes(), Type.DNAME)
(typeMapHasType(nsec.getTypes(), Type.NS) && || (typeMapHasType(nsec.getTypes(), Type.NS) && !typeMapHasType(
!typeMapHasType(nsec.getTypes(), Type.SOA)); nsec.getTypes(), Type.SOA));
if (qname.subdomain(owner) && hasBadType) { if (qname.subdomain(owner) && hasBadType) {
return false; return false;
} }
if (((qname.compareTo(owner) > 0) && (qname.compareTo(next) < 0)) || if (((qname.compareTo(owner) > 0) && (qname.compareTo(next) < 0))
signerName.equals(next)) { || signerName.equals(next)) {
return true; return true;
} }
@ -519,18 +516,19 @@ public class ValUtils {
* @return true if the NSEC proves the condition. * @return true if the NSEC proves the condition.
*/ */
public static boolean nsecProvesNoWC(NSECRecord nsec, Name qname, public static boolean nsecProvesNoWC(NSECRecord nsec, Name qname,
Name signerName) { Name signerName) {
Name owner = nsec.getName(); Name owner = nsec.getName();
Name next = nsec.getNext(); Name next = nsec.getNext();
int qname_labels = qname.labels(); int qname_labels = qname.labels();
int signer_labels = signerName.labels(); int signer_labels = signerName.labels();
for (int i = qname_labels - signer_labels; i > 0; i--) { for (int i = qname_labels - signer_labels; i > 0; i--) {
Name wc_name = qname.wild(i); Name wc_name = qname.wild(i);
if ((wc_name.compareTo(owner) > 0) && if ((wc_name.compareTo(owner) > 0)
((wc_name.compareTo(next) < 0) || signerName.equals(next))) { && ((wc_name.compareTo(next) < 0) || signerName
.equals(next))) {
return true; return true;
} }
} }
@ -554,7 +552,7 @@ public class ValUtils {
* @return true if the NSEC proves the condition. * @return true if the NSEC proves the condition.
*/ */
public static boolean nsecProvesNodata(NSECRecord nsec, Name qname, public static boolean nsecProvesNodata(NSECRecord nsec, Name qname,
int qtype) { int qtype) {
if (!nsec.getName().equals(qname)) { if (!nsec.getName().equals(qname)) {
// wildcard checking. // wildcard checking.
@ -571,8 +569,8 @@ public class ValUtils {
// The qname must be a strict subdomain of the closest encloser, // The qname must be a strict subdomain of the closest encloser,
// and // and
// the qtype must be absent from the type map. // the qtype must be absent from the type map.
if (!strictSubdomain(qname, ce) || if (!strictSubdomain(qname, ce)
typeMapHasType(nsec.getTypes(), qtype)) { || typeMapHasType(nsec.getTypes(), qtype)) {
return false; return false;
} }
@ -585,8 +583,8 @@ public class ValUtils {
// be // be
// less than qname, and the next name will be a child domain of the // less than qname, and the next name will be a child domain of the
// qname. // qname.
if (strictSubdomain(nsec.getNext(), qname) && if (strictSubdomain(nsec.getNext(), qname)
(qname.compareTo(nsec.getName()) > 0)) { && (qname.compareTo(nsec.getName()) > 0)) {
return true; return true;
} }
@ -610,8 +608,8 @@ public class ValUtils {
// not a zone apex), then we should have gotten a referral (or we just // not a zone apex), then we should have gotten a referral (or we just
// got // got
// the wrong NSEC). // the wrong NSEC).
if (typeMapHasType(nsec.getTypes(), Type.NS) && if (typeMapHasType(nsec.getTypes(), Type.NS)
!typeMapHasType(nsec.getTypes(), Type.SOA)) { && !typeMapHasType(nsec.getTypes(), Type.SOA)) {
return false; return false;
} }
@ -620,7 +618,7 @@ public class ValUtils {
public static byte nsecProvesNoDS(NSECRecord nsec, Name qname) { public static byte nsecProvesNoDS(NSECRecord nsec, Name qname) {
// Could check to make sure the qname is a subdomain of nsec // Could check to make sure the qname is a subdomain of nsec
int [] types = nsec.getTypes(); int[] types = nsec.getTypes();
if (typeMapHasType(types, Type.SOA) || typeMapHasType(types, Type.DS)) { if (typeMapHasType(types, Type.SOA) || typeMapHasType(types, Type.DS)) {
// SOA present means that this is the NSEC from the child, not the // SOA present means that this is the NSEC from the child, not the
@ -644,8 +642,8 @@ public class ValUtils {
// These are response subtypes. They are necessary for determining the // These are response subtypes. They are necessary for determining the
// validation strategy. They have no bearing on the iterative resolution // validation strategy. They have no bearing on the iterative resolution
// algorithm, so they are confined here. // algorithm, so they are confined here.
public enum ResponseType {UNTYPED, UNKNOWN, POSITIVE, CNAME, NODATA, public enum ResponseType {
NAMEERROR, ANY, REFERRAL, UNTYPED, UNKNOWN, POSITIVE, CNAME, NODATA, NAMEERROR, ANY, REFERRAL,
// a referral response // a referral response
THROWAWAY; THROWAWAY;
// a throwaway response (i.e., an error) // a throwaway response (i.e., an error)