davidb/captive-validator
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

somewhat gratutious reformatting by eclipse

Browse Source
This commit is contained in:
David Blacka 2010-05-31 12:16:14 -04:00
parent 85f7635d43
commit ab60743341
10 changed files with 624 additions and 627 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

115
src/com/verisign/tat/dnssec/CaptiveValidator.java
View File

@ -31,7 +31,6 @@ import java.io.IOException;
import java.util.*;
/**
* This resolver module implements a "captive" DNSSEC validator. The captive
* validator does not have direct access to the Internet and DNS system --
@ -67,8 +66,7 @@ public class CaptiveValidator {
* @throws IOException
*/
@SuppressWarnings("unchecked")
public void addTrustedKeysFromFile(String filename)
throws IOException {
public void addTrustedKeysFromFile(String filename) throws IOException {
// First read in the whole trust anchor file.
Master master = new Master(filename, Name.root, 0);
ArrayList<Record> records = new ArrayList<Record>();
@ -100,9 +98,9 @@ public class CaptiveValidator {
}
// If this record matches our current RRset, we can just add it.
if (cur_rrset.getName().equals(rec.getName()) &&
(cur_rrset.getType() == rec.getType()) &&
(cur_rrset.getDClass() == rec.getDClass())) {
if (cur_rrset.getName().equals(rec.getName())
&& (cur_rrset.getType() == rec.getType())
&& (cur_rrset.getDClass() == rec.getDClass())) {
cur_rrset.addRR(rec);
continue;
@ -121,7 +119,7 @@ public class CaptiveValidator {
}
public void addTrustedKeysFromResponse(Message m) {
RRset [] rrsets = m.getSectionRRsets(Section.ANSWER);
RRset[] rrsets = m.getSectionRRsets(Section.ANSWER);
for (int i = 0; i < rrsets.length; ++i) {
if (rrsets[i].getType() == Type.DNSKEY) {
@ -145,8 +143,7 @@ public class CaptiveValidator {
return m;
}
if ((m.getRcode() != Rcode.NOERROR) &&
(m.getRcode() != Rcode.NXDOMAIN)) {
if ((m.getRcode() != Rcode.NOERROR) && (m.getRcode() != Rcode.NXDOMAIN)) {
return m;
}
@ -182,16 +179,16 @@ public class CaptiveValidator {
Name cname_alias = sname.fromDNAME(dname);
// Note that synthesized CNAMEs should have a TTL of zero.
CNAMERecord cname = new CNAMERecord(sname,
dname.getDClass(), 0, cname_alias);
CNAMERecord cname = new CNAMERecord(sname, dname
.getDClass(), 0, cname_alias);
SRRset cname_rrset = new SRRset();
cname_rrset.addRR(cname);
i.add(cname_rrset);
sname = cname_alias;
} catch (NameTooLongException e) {
log.debug("not adding synthesized CNAME -- " +
"generated name is too long", e);
log.debug("not adding synthesized CNAME -- "
+ "generated name is too long", e);
}
continue;
@ -246,8 +243,8 @@ public class CaptiveValidator {
SRRset rrset = i.next();
int type = rrset.getType();
if (((type == Type.A) || (type == Type.AAAA)) &&
!additional_names.contains(rrset.getName())) {
if (((type == Type.A) || (type == Type.AAAA))
&& !additional_names.contains(rrset.getName())) {
i.remove();
}
}
@ -310,8 +307,8 @@ public class CaptiveValidator {
return false;
}
if (!mTrustedKeys.isBelowTrustAnchor(message.getQName(),
message.getQClass())) {
if (!mTrustedKeys.isBelowTrustAnchor(message.getQName(), message
.getQClass())) {
return false;
}
@ -342,7 +339,7 @@ public class CaptiveValidator {
SMessage m = message;
// validate the ANSWER section - this will be the answer itself
SRRset [] rrsets = m.getSectionRRsets(Section.ANSWER);
SRRset[] rrsets = m.getSectionRRsets(Section.ANSWER);
Name wc = null;
boolean wcNSEC_ok = false;
@ -366,8 +363,8 @@ public class CaptiveValidator {
// If the (answer) rrset failed to validate, then this message is
// BAD.
if (status != SecurityStatus.SECURE) {
log.debug("Positive response has failed ANSWER rrset: " +
rrsets[i]);
log.debug("Positive response has failed ANSWER rrset: "
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
@ -395,8 +392,8 @@ public class CaptiveValidator {
// a
// bad message.
if (status != SecurityStatus.SECURE) {
log.debug("Positive response has failed AUTHORITY rrset: " +
rrsets[i]);
log.debug("Positive response has failed AUTHORITY rrset: "
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
@ -408,8 +405,8 @@ public class CaptiveValidator {
if ((wc != null) && (rrsets[i].getType() == Type.NSEC)) {
NSECRecord nsec = (NSECRecord) rrsets[i].first();
if (ValUtils.nsecProvesNameError(nsec, qname,
key_rrset.getName())) {
if (ValUtils.nsecProvesNameError(nsec, qname, key_rrset
.getName())) {
Name nsec_wc = ValUtils.nsecWildcard(qname, nsec);
if (!wc.equals(nsec_wc)) {
@ -469,7 +466,7 @@ public class CaptiveValidator {
}
// validate the AUTHORITY section.
SRRset [] rrsets = m.getSectionRRsets(Section.AUTHORITY);
SRRset[] rrsets = m.getSectionRRsets(Section.AUTHORITY);
boolean secure_delegation = false;
Name delegation = null;
@ -492,8 +489,8 @@ public class CaptiveValidator {
// have
// a bad message.
if (status != SecurityStatus.SECURE) {
log.debug("Positive response has failed AUTHORITY rrset: " +
rrsets[i]);
log.debug("Positive response has failed AUTHORITY rrset: "
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
@ -530,9 +527,8 @@ public class CaptiveValidator {
break;
default:
log.warn(
"Encountered unexpected type in a REFERRAL response: " +
Type.string(type));
log.warn("Encountered unexpected type in a REFERRAL response: "
+ Type.string(type));
break;
}
@ -579,7 +575,8 @@ public class CaptiveValidator {
}
if (nsec3s.size() > 0) {
byte status = NSEC3ValUtils.proveNoDS(nsec3s, delegation, nsec3zone);
byte status = NSEC3ValUtils
.proveNoDS(nsec3s, delegation, nsec3zone);
if (status != SecurityStatus.SECURE) {
// the NSEC3 RRs MUST prove no DS, so the INDETERMINATE state is
@ -598,7 +595,8 @@ public class CaptiveValidator {
m.setStatus(SecurityStatus.BOGUS);
}
private void validateCNAMEResponse(SMessage message, SRRset key_rrset) {}
private void validateCNAMEResponse(SMessage message, SRRset key_rrset) {
}
/**
* Given an "ANY" response -- a response that contains an answer to a
@ -634,7 +632,7 @@ public class CaptiveValidator {
SMessage m = message;
// validate the ANSWER section.
SRRset [] rrsets = m.getSectionRRsets(Section.ANSWER);
SRRset[] rrsets = m.getSectionRRsets(Section.ANSWER);
for (int i = 0; i < rrsets.length; i++) {
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
@ -642,8 +640,8 @@ public class CaptiveValidator {
// If the (answer) rrset failed to validate, then this message is
// BAD.
if (status != SecurityStatus.SECURE) {
log.debug("Positive response has failed ANSWER rrset: " +
rrsets[i]);
log.debug("Positive response has failed ANSWER rrset: "
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
@ -661,8 +659,8 @@ public class CaptiveValidator {
// a
// bad message.
if (status != SecurityStatus.SECURE) {
log.debug("Positive response has failed AUTHORITY rrset: " +
rrsets[i]);
log.debug("Positive response has failed AUTHORITY rrset: "
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
@ -703,7 +701,7 @@ public class CaptiveValidator {
// responses.)
// validate the AUTHORITY section
SRRset [] rrsets = m.getSectionRRsets(Section.AUTHORITY);
SRRset[] rrsets = m.getSectionRRsets(Section.AUTHORITY);
boolean hasValidNSEC = false; // If true, then the NODATA has been
// proven.
@ -724,8 +722,8 @@ public class CaptiveValidator {
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
if (status != SecurityStatus.SECURE) {
log.debug("NODATA response has failed AUTHORITY rrset: " +
rrsets[i]);
log.debug("NODATA response has failed AUTHORITY rrset: "
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
@ -742,8 +740,8 @@ public class CaptiveValidator {
if (nsec.getName().isWild()) {
wc = nsec;
}
} else if (ValUtils.nsecProvesNameError(nsec, qname,
rrsets[i].getSignerName())) {
} else if (ValUtils.nsecProvesNameError(nsec, qname, rrsets[i]
.getSignerName())) {
ce = ValUtils.closestEncloser(qname, nsec);
}
}
@ -785,8 +783,8 @@ public class CaptiveValidator {
}
if (!hasValidNSEC) {
log.debug("NODATA response failed to prove NODATA " +
"status with NSEC/NSEC3");
log.debug("NODATA response failed to prove NODATA "
+ "status with NSEC/NSEC3");
log.trace("Failed NODATA:\n" + m);
m.setStatus(SecurityStatus.BOGUS);
@ -820,8 +818,8 @@ public class CaptiveValidator {
SMessage m = message;
if (message.getCount(Section.ANSWER) > 0) {
log.warn(
"NAME ERROR response contained records in the ANSWER SECTION");
log
.warn("NAME ERROR response contained records in the ANSWER SECTION");
message.setStatus(SecurityStatus.INVALID);
return;
@ -832,7 +830,7 @@ public class CaptiveValidator {
// In addition, the NSEC record(s) must prove the NXDOMAIN condition.
boolean hasValidNSEC = false;
boolean hasValidWCNSEC = false;
SRRset [] rrsets = m.getSectionRRsets(Section.AUTHORITY);
SRRset[] rrsets = m.getSectionRRsets(Section.AUTHORITY);
List<NSEC3Record> nsec3s = null;
Name nsec3Signer = null;
@ -840,8 +838,8 @@ public class CaptiveValidator {
int status = mValUtils.verifySRRset(rrsets[i], key_rrset);
if (status != SecurityStatus.SECURE) {
log.debug("NameError response has failed AUTHORITY rrset: " +
rrsets[i]);
log.debug("NameError response has failed AUTHORITY rrset: "
+ rrsets[i]);
m.setStatus(SecurityStatus.BOGUS);
return;
@ -850,13 +848,13 @@ public class CaptiveValidator {
if (rrsets[i].getType() == Type.NSEC) {
NSECRecord nsec = (NSECRecord) rrsets[i].first();
if (ValUtils.nsecProvesNameError(nsec, qname,
rrsets[i].getSignerName())) {
if (ValUtils.nsecProvesNameError(nsec, qname, rrsets[i]
.getSignerName())) {
hasValidNSEC = true;
}
if (ValUtils.nsecProvesNoWC(nsec, qname,
rrsets[i].getSignerName())) {
if (ValUtils.nsecProvesNoWC(nsec, qname, rrsets[i]
.getSignerName())) {
hasValidWCNSEC = true;
}
}
@ -894,16 +892,16 @@ public class CaptiveValidator {
// If the message fails to prove either condition, it is bogus.
if (!hasValidNSEC) {
log.debug("NameError response has failed to prove: " +
"qname does not exist");
log.debug("NameError response has failed to prove: "
+ "qname does not exist");
m.setStatus(SecurityStatus.BOGUS);
return;
}
if (!hasValidWCNSEC) {
log.debug("NameError response has failed to prove: " +
"covering wildcard does not exist");
log.debug("NameError response has failed to prove: "
+ "covering wildcard does not exist");
m.setStatus(SecurityStatus.BOGUS);
return;
@ -939,7 +937,8 @@ public class CaptiveValidator {
return SecurityStatus.BOGUS;
}
ValUtils.ResponseType subtype = ValUtils.classifyResponse(message, zone);
ValUtils.ResponseType subtype = ValUtils
.classifyResponse(message, zone);
switch (subtype) {
case POSITIVE:

76
src/com/verisign/tat/dnssec/DnsSecVerifier.java
View File

@ -34,7 +34,6 @@ import java.security.*;
import java.util.*;
/**
* A class for performing basic DNSSEC verification. The DNSJAVA package
* contains a similar class. This is a re-implementation that allows us to have
@ -56,20 +55,20 @@ public class DnsSecVerifier {
mAlgorithmMap = new HashMap<Integer, AlgEntry>();
// set the default algorithm map.
mAlgorithmMap.put(new Integer(DNSSEC.RSAMD5),
new AlgEntry("MD5withRSA", DNSSEC.RSAMD5, false));
mAlgorithmMap.put(new Integer(DNSSEC.DSA),
new AlgEntry("SHA1withDSA", DNSSEC.DSA, true));
mAlgorithmMap.put(new Integer(DNSSEC.RSASHA1),
new AlgEntry("SHA1withRSA", DNSSEC.RSASHA1, false));
mAlgorithmMap.put(new Integer(DNSSEC.DSA_NSEC3_SHA1),
new AlgEntry("SHA1withDSA", DNSSEC.DSA, true));
mAlgorithmMap.put(new Integer(DNSSEC.RSA_NSEC3_SHA1),
new AlgEntry("SHA1withRSA", DNSSEC.RSASHA1, false));
mAlgorithmMap.put(new Integer(DNSSEC.RSASHA256),
new AlgEntry("SHA256withRSA", DNSSEC.RSASHA256, false));
mAlgorithmMap.put(new Integer(DNSSEC.RSASHA512),
new AlgEntry("SHA512withRSA", DNSSEC.RSASHA512, false));
mAlgorithmMap.put(new Integer(DNSSEC.RSAMD5), new AlgEntry(
"MD5withRSA", DNSSEC.RSAMD5, false));
mAlgorithmMap.put(new Integer(DNSSEC.DSA), new AlgEntry("SHA1withDSA",
DNSSEC.DSA, true));
mAlgorithmMap.put(new Integer(DNSSEC.RSASHA1), new AlgEntry(
"SHA1withRSA", DNSSEC.RSASHA1, false));
mAlgorithmMap.put(new Integer(DNSSEC.DSA_NSEC3_SHA1), new AlgEntry(
"SHA1withDSA", DNSSEC.DSA, true));
mAlgorithmMap.put(new Integer(DNSSEC.RSA_NSEC3_SHA1), new AlgEntry(
"SHA1withRSA", DNSSEC.RSASHA1, false));
mAlgorithmMap.put(new Integer(DNSSEC.RSASHA256), new AlgEntry(
"SHA256withRSA", DNSSEC.RSASHA256, false));
mAlgorithmMap.put(new Integer(DNSSEC.RSASHA512), new AlgEntry(
"SHA512withRSA", DNSSEC.RSASHA512, false));
}
private boolean isDSA(int algorithm) {
@ -112,15 +111,15 @@ public class DnsSecVerifier {
Integer alg_orig = new Integer(Util.parseInt(entry.value, -1));
if (!mAlgorithmMap.containsKey(alg_orig)) {
log.warn("Unable to alias " + alg_alias +
" to unknown algorithm " + alg_orig);
log.warn("Unable to alias " + alg_alias
+ " to unknown algorithm " + alg_orig);
continue;
}
if (mAlgorithmMap.containsKey(alg_alias)) {
log.warn("Algorithm alias " + alg_alias +
" is already defined and cannot be redefined");
log.warn("Algorithm alias " + alg_alias
+ " is already defined and cannot be redefined");
continue;
}
@ -135,8 +134,8 @@ public class DnsSecVerifier {
if (entry == null) {
log.warn("DNSSEC alg " + alg + " has a null entry!");
} else {
log.debug("DNSSEC alg " + alg + " maps to " + entry.jcaName +
" (" + entry.dnssecAlg + ")");
log.debug("DNSSEC alg " + alg + " maps to " + entry.jcaName
+ " (" + entry.dnssecAlg + ")");
}
}
}
@ -156,9 +155,10 @@ public class DnsSecVerifier {
@SuppressWarnings("unchecked")
private List<DNSKEYRecord> findKey(RRset dnskey_rrset, RRSIGRecord signature) {
if (!signature.getSigner().equals(dnskey_rrset.getName())) {
log.trace("findKey: could not find appropriate key because " +
"incorrect keyset was supplied. Wanted: " +
signature.getSigner() + ", got: " + dnskey_rrset.getName());
log.trace("findKey: could not find appropriate key because "
+ "incorrect keyset was supplied. Wanted: "
+ signature.getSigner() + ", got: "
+ dnskey_rrset.getName());
return null;
}
@ -166,7 +166,8 @@ public class DnsSecVerifier {
int keyid = signature.getFootprint();
int alg = signature.getAlgorithm();
List<DNSKEYRecord> res = new ArrayList<DNSKEYRecord>(dnskey_rrset.size());
List<DNSKEYRecord> res = new ArrayList<DNSKEYRecord>(dnskey_rrset
.size());
for (Iterator i = dnskey_rrset.rrs(); i.hasNext();) {
DNSKEYRecord r = (DNSKEYRecord) i.next();
@ -177,8 +178,8 @@ public class DnsSecVerifier {
}
if (res.size() == 0) {
log.trace("findKey: could not find a key matching " +
"the algorithm and footprint in supplied keyset. ");
log.trace("findKey: could not find a key matching "
+ "the algorithm and footprint in supplied keyset. ");
return null;
}
@ -225,8 +226,8 @@ public class DnsSecVerifier {
}
if (now.after(expire)) {
log.debug("Signature has expired (now = " + now +
", sig expires = " + expire);
log.debug("Signature has expired (now = " + now
+ ", sig expires = " + expire);
return SecurityStatus.BOGUS;
}
@ -235,8 +236,8 @@ public class DnsSecVerifier {
}
public PublicKey parseDNSKEY(DNSKEYRecord key) {
AlgEntry ae = (AlgEntry) mAlgorithmMap.get(new Integer(
key.getAlgorithm()));
AlgEntry ae = (AlgEntry) mAlgorithmMap.get(new Integer(key
.getAlgorithm()));
if (key.getAlgorithm() != ae.dnssecAlg) {
// Recast the DNSKEYRecord in question as one using the offical
@ -270,14 +271,14 @@ public class DnsSecVerifier {
PublicKey pk = parseDNSKEY(key);
if (pk == null) {
log.warn(
"Could not convert DNSKEY record to a JCA public key: " +
key);
log
.warn("Could not convert DNSKEY record to a JCA public key: "
+ key);
return SecurityStatus.UNCHECKED;
}
byte [] data = SignUtils.generateSigData(rrset, sigrec);
byte[] data = SignUtils.generateSigData(rrset, sigrec);
Signature signer = getSignature(sigrec.getAlgorithm());
@ -288,7 +289,7 @@ public class DnsSecVerifier {
signer.initVerify(pk);
signer.update(data);
byte [] sig = sigrec.getSignature();
byte[] sig = sigrec.getSignature();
if (isDSA(sigrec.getAlgorithm())) {
sig = SignUtils.convertDSASignature(sig);
@ -463,7 +464,8 @@ public class DnsSecVerifier {
Signature s = null;
try {
AlgEntry entry = (AlgEntry) mAlgorithmMap.get(new Integer(algorithm));
AlgEntry entry = (AlgEntry) mAlgorithmMap
.get(new Integer(algorithm));
if (entry == null) {
log.info("DNSSEC algorithm " + algorithm + " not recognized.");

112
src/com/verisign/tat/dnssec/NSEC3ValUtils.java
View File

@ -34,7 +34,6 @@ import java.security.NoSuchAlgorithmException;
import java.util.*;
public class NSEC3ValUtils {
// FIXME: should probably refactor to handle different NSEC3 parameters more
// efficiently.
@ -88,8 +87,8 @@ public class NSEC3ValUtils {
return null;
}
NSEC3Parameters params = new NSEC3Parameters((NSEC3Record) nsec3s.get(
0));
NSEC3Parameters params = new NSEC3Parameters((NSEC3Record) nsec3s
.get(0));
ByteArrayComparator bac = new ByteArrayComparator();
for (NSEC3Record nsec3 : nsec3s) {
@ -110,7 +109,7 @@ public class NSEC3ValUtils {
* The zone to use in constructing the NSEC3 name.
* @return The NSEC3 name.
*/
private static Name hashName(byte [] hash, Name zonename) {
private static Name hashName(byte[] hash, Name zonename) {
try {
return new Name(b32.toString(hash).toLowerCase(), zonename);
} catch (TextParseException e) {
@ -128,7 +127,7 @@ public class NSEC3ValUtils {
* The parameters to hash with.
* @return The hash.
*/
private static byte [] hash(Name name, NSEC3Parameters params) {
private static byte[] hash(Name name, NSEC3Parameters params) {
try {
return params.hash(name);
} catch (NoSuchAlgorithmException e) {
@ -142,7 +141,8 @@ public class NSEC3ValUtils {
try {
return nsec3.hashName(name);
} catch (NoSuchAlgorithmException e) {
st_log.warn("Did not recognize hash algorithm: " + nsec3.getHashAlgorithm());
st_log.warn("Did not recognize hash algorithm: "
+ nsec3.getHashAlgorithm());
return null;
}
@ -199,7 +199,7 @@ public class NSEC3ValUtils {
*
* @return The matching NSEC3Record, if one is present.
*/
private static NSEC3Record findMatchingNSEC3(byte [] hash, Name zonename,
private static NSEC3Record findMatchingNSEC3(byte[] hash, Name zonename,
List<NSEC3Record> nsec3s, NSEC3Parameters params,
ByteArrayComparator bac) {
Name n = hashName(hash, zonename);
@ -231,10 +231,10 @@ public class NSEC3ValUtils {
* An already allocated comparator. This may be null.
* @return True if the NSEC3Record covers the hash.
*/
private static boolean nsec3Covers(NSEC3Record nsec3, byte [] hash,
private static boolean nsec3Covers(NSEC3Record nsec3, byte[] hash,
ByteArrayComparator bac) {
byte [] owner = hash(nsec3.getName(), nsec3);
byte [] next = nsec3.getNext();
byte[] owner = hash(nsec3.getName(), nsec3);
byte[] next = nsec3.getNext();
// This is the "normal case: owner < next and owner < hash < next
if ((bac.compare(owner, hash) < 0) && (bac.compare(hash, next) < 0)) {
@ -243,9 +243,8 @@ public class NSEC3ValUtils {
// this is the end of zone case: next < owner && hash > owner || hash <
// next
if ((bac.compare(next, owner) <= 0) &&
((bac.compare(hash, next) < 0) ||
(bac.compare(owner, hash) < 0))) {
if ((bac.compare(next, owner) <= 0)
&& ((bac.compare(hash, next) < 0) || (bac.compare(owner, hash) < 0))) {
return true;
}
@ -269,7 +268,7 @@ public class NSEC3ValUtils {
*
* @return A covering NSEC3 if one is present, null otherwise.
*/
private static NSEC3Record findCoveringNSEC3(byte [] hash, Name zonename,
private static NSEC3Record findCoveringNSEC3(byte[] hash, Name zonename,
List<NSEC3Record> nsec3s, NSEC3Parameters params,
ByteArrayComparator bac) {
ByteArrayComparator comparator = new ByteArrayComparator();
@ -318,8 +317,8 @@ public class NSEC3ValUtils {
// FIXME: modify so that the NSEC3 matching the zone apex need not be
// present.
while (n.labels() >= zonename.labels()) {
nsec3 = findMatchingNSEC3(hash(n, params), zonename,
nsec3s, params, bac);
nsec3 = findMatchingNSEC3(hash(n, params), zonename, nsec3s,
params, bac);
if (nsec3 != null) {
return new CEResponse(n, nsec3);
@ -358,15 +357,16 @@ public class NSEC3ValUtils {
params, bac);
if (candidate == null) {
st_log.debug("proveClosestEncloser: could not find a " +
"candidate for the closest encloser.");
st_log.debug("proveClosestEncloser: could not find a "
+ "candidate for the closest encloser.");
return null;
}
if (candidate.closestEncloser.equals(qname)) {
if (proveDoesNotExist) {
st_log.debug("proveClosestEncloser: proved that qname existed!");
st_log
.debug("proveClosestEncloser: proved that qname existed!");
return null;
}
@ -380,10 +380,10 @@ public class NSEC3ValUtils {
// should have been a referral. If it is a DNAME, then it should have
// been
// a DNAME response.
if (candidate.ce_nsec3.hasType(Type.NS) &&
!candidate.ce_nsec3.hasType(Type.SOA)) {
st_log.debug("proveClosestEncloser: closest encloser " +
"was a delegation!");
if (candidate.ce_nsec3.hasType(Type.NS)
&& !candidate.ce_nsec3.hasType(Type.SOA)) {
st_log.debug("proveClosestEncloser: closest encloser "
+ "was a delegation!");
return null;
}
@ -397,13 +397,13 @@ public class NSEC3ValUtils {
// Otherwise, we need to show that the next closer name is covered.
Name nextClosest = nextClosest(qname, candidate.closestEncloser);
byte [] nc_hash = hash(nextClosest, params);
byte[] nc_hash = hash(nextClosest, params);
candidate.nc_nsec3 = findCoveringNSEC3(nc_hash, zonename, nsec3s,
params, bac);
if (candidate.nc_nsec3 == null) {
st_log.debug("Could not find proof that the " +
"closest encloser was the closest encloser");
st_log.debug("Could not find proof that the "
+ "closest encloser was the closest encloser");
return null;
}
@ -464,8 +464,7 @@ public class NSEC3ValUtils {
DNSKEYRecord dnskey = (DNSKEYRecord) i.next();
int baseAlg = verifier.baseAlgorithm(dnskey.getAlgorithm());
int iters = maxIterations(baseAlg, 0);
max_iterations = (max_iterations < iters) ? iters
: max_iterations;
max_iterations = (max_iterations < iters) ? iters : max_iterations;
}
if (nsec3params.iterations > max_iterations) {
@ -528,8 +527,8 @@ public class NSEC3ValUtils {
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
if (nsec3params == null) {
st_log.debug("Could not find a single set of " +
"NSEC3 parameters (multiple parameters present).");
st_log.debug("Could not find a single set of "
+ "NSEC3 parameters (multiple parameters present).");
return false;
}
@ -551,13 +550,13 @@ public class NSEC3ValUtils {
// prove
// that the wildcard does not exist.
Name wc = ceWildcard(ce.closestEncloser);
byte [] wc_hash = hash(wc, nsec3params);
byte[] wc_hash = hash(wc, nsec3params);
NSEC3Record nsec3 = findCoveringNSEC3(wc_hash, zonename, nsec3s,
nsec3params, bac);
if (nsec3 == null) {
st_log.debug("proveNameError: could not prove that the " +
"applicable wildcard did not exist.");
st_log.debug("proveNameError: could not prove that the "
+ "applicable wildcard did not exist.");
return false;
}
@ -604,8 +603,8 @@ public class NSEC3ValUtils {
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
if (nsec3params == null) {
st_log.debug("could not find a single set of " +
"NSEC3 parameters (multiple parameters present)");
st_log.debug("could not find a single set of "
+ "NSEC3 parameters (multiple parameters present)");
return false;
}
@ -618,15 +617,15 @@ public class NSEC3ValUtils {
// Cases 1 & 2.
if (nsec3 != null) {
if (nsec3.hasType(qtype)) {
st_log.debug(
"proveNodata: Matching NSEC3 proved that type existed!");
st_log
.debug("proveNodata: Matching NSEC3 proved that type existed!");
return false;
}
if (nsec3.hasType(Type.CNAME)) {
st_log.debug("proveNodata: Matching NSEC3 proved " +
"that a CNAME existed!");
st_log.debug("proveNodata: Matching NSEC3 proved "
+ "that a CNAME existed!");
return false;
}
@ -643,8 +642,8 @@ public class NSEC3ValUtils {
// At this point, not finding a match or a proven closest encloser is a
// problem.
if (ce == null) {
st_log.debug("proveNodata: did not match qname, " +
"nor found a proven closest encloser.");
st_log.debug("proveNodata: did not match qname, "
+ "nor found a proven closest encloser.");
return false;
}
@ -668,16 +667,17 @@ public class NSEC3ValUtils {
// Case 5.
if (qtype != Type.DS) {
st_log.debug("proveNodata: could not find matching NSEC3, " +
"nor matching wildcard, and qtype is not DS -- no more options.");
st_log
.debug("proveNodata: could not find matching NSEC3, "
+ "nor matching wildcard, and qtype is not DS -- no more options.");
return false;
}
// We need to make sure that the covering NSEC3 is opt-in.
if (!isOptOut(ce.nc_nsec3)) {
st_log.debug("proveNodata: covering NSEC3 was not " +
"opt-in in an opt-in DS NOERROR/NODATA case.");
st_log.debug("proveNodata: covering NSEC3 was not "
+ "opt-in in an opt-in DS NOERROR/NODATA case.");
return false;
}
@ -712,8 +712,8 @@ public class NSEC3ValUtils {
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
if (nsec3params == null) {
st_log.debug(
"couldn't find a single set of NSEC3 parameters (multiple parameters present).");
st_log
.debug("couldn't find a single set of NSEC3 parameters (multiple parameters present).");
return false;
}
@ -732,10 +732,10 @@ public class NSEC3ValUtils {
zonename, nsec3s, nsec3params, bac);
if (candidate.nc_nsec3 == null) {
st_log.debug("proveWildcard: did not find a covering NSEC3 " +
"that covered the next closer name to " + qname + " from " +
candidate.closestEncloser + " (derived from wildcard " +
wildcard + ")");
st_log.debug("proveWildcard: did not find a covering NSEC3 "
+ "that covered the next closer name to " + qname
+ " from " + candidate.closestEncloser
+ " (derived from wildcard " + wildcard + ")");
return false;
}
@ -771,8 +771,8 @@ public class NSEC3ValUtils {
NSEC3Parameters nsec3params = nsec3Parameters(nsec3s);
if (nsec3params == null) {
st_log.debug("couldn't find a single set of " +
"NSEC3 parameters (multiple parameters present).");
st_log.debug("couldn't find a single set of "
+ "NSEC3 parameters (multiple parameters present).");
return SecurityStatus.BOGUS;
}
@ -825,7 +825,7 @@ public class NSEC3ValUtils {
*/
private static class NSEC3Parameters {
public int alg;
public byte [] salt;
public byte[] salt;
public int iterations;
private NSEC3PARAMRecord nsec3paramrec;
@ -834,8 +834,8 @@ public class NSEC3ValUtils {
salt = r.getSalt();
iterations = r.getIterations();
nsec3paramrec = new NSEC3PARAMRecord(Name.root, DClass.IN, 0,
alg, 0, iterations, salt);
nsec3paramrec = new NSEC3PARAMRecord(Name.root, DClass.IN, 0, alg,
0, iterations, salt);
}
public boolean match(NSEC3Record r, ByteArrayComparator bac) {

37
src/com/verisign/tat/dnssec/SMessage.java
View File

@ -27,21 +27,20 @@ import org.xbill.DNS.*;
import java.util.*;
/**
* This class represents a DNS message with resolver/validator state.
*/
public class SMessage {
private static SRRset [] empty_srrset_array = new SRRset[0];
private static SRRset[] empty_srrset_array = new SRRset[0];
private Header mHeader;
private Record mQuestion;
private OPTRecord mOPTRecord;
private List<SRRset> [] mSection;
private List<SRRset>[] mSection;
private SecurityStatus mSecurityStatus;
@SuppressWarnings("unchecked")
public SMessage(Header h) {
mSection = (List<SRRset> []) new List[3];
mSection = (List<SRRset>[]) new List[3];
mHeader = h;
mSecurityStatus = new SecurityStatus();
}
@ -60,7 +59,7 @@ public class SMessage {
mOPTRecord = m.getOPT();
for (int i = Section.ANSWER; i <= Section.ADDITIONAL; i++) {
RRset [] rrsets = m.getSectionRRsets(i);
RRset[] rrsets = m.getSectionRRsets(i);
for (int j = 0; j < rrsets.length; j++) {
addRRset(rrsets[j], i);
@ -151,13 +150,13 @@ public class SMessage {
sectionList.addAll(0, rrsets);
}
public SRRset [] getSectionRRsets(int section) {
public SRRset[] getSectionRRsets(int section) {
List<SRRset> slist = getSectionList(section);
return (SRRset []) slist.toArray(empty_srrset_array);
return (SRRset[]) slist.toArray(empty_srrset_array);
}
public SRRset [] getSectionRRsets(int section, int qtype) {
public SRRset[] getSectionRRsets(int section, int qtype) {
List<SRRset> slist = getSectionList(section);
if (slist.size() == 0) {
@ -172,7 +171,7 @@ public class SMessage {
}
}
return (SRRset []) result.toArray(empty_srrset_array);
return (SRRset[]) result.toArray(empty_srrset_array);
}
public void deleteRRset(SRRset rrset, int section) {
@ -331,12 +330,12 @@ public class SMessage {
throw new IllegalArgumentException("Invalid section.");
}
SRRset [] rrsets = getSectionRRsets(section);
SRRset[] rrsets = getSectionRRsets(section);
for (int i = 0; i < rrsets.length; i++) {
if (rrsets[i].getName().equals(name) &&
(rrsets[i].getType() == type) &&
(rrsets[i].getDClass() == dclass)) {
if (rrsets[i].getName().equals(name)
&& (rrsets[i].getType() == type)
&& (rrsets[i].getDClass() == dclass)) {
return rrsets[i];
}
}
@ -359,20 +358,20 @@ public class SMessage {
* name from qname, due to following a CNAME chain.
*/
public SRRset findAnswerRRset(Name qname, int qtype, int qclass) {
SRRset [] srrsets = getSectionRRsets(Section.ANSWER);
SRRset[] srrsets = getSectionRRsets(Section.ANSWER);
for (int i = 0; i < srrsets.length; i++) {
if (srrsets[i].getName().equals(qname) &&
(srrsets[i].getType() == Type.CNAME)) {
if (srrsets[i].getName().equals(qname)
&& (srrsets[i].getType() == Type.CNAME)) {
CNAMERecord cname = (CNAMERecord) srrsets[i].first();
qname = cname.getTarget();
continue;
}
if (srrsets[i].getName().equals(qname) &&
(srrsets[i].getType() == qtype) &&
(srrsets[i].getDClass() == qclass)) {
if (srrsets[i].getName().equals(qname)
&& (srrsets[i].getType() == qtype)
&& (srrsets[i].getDClass() == qclass)) {
return srrsets[i];
}
}

1
src/com/verisign/tat/dnssec/SRRset.java
View File

@ -27,7 +27,6 @@ import org.xbill.DNS.*;
import java.util.*;
/**
* A version of the RRset class overrides the standard security status.
*/

1
src/com/verisign/tat/dnssec/SecurityStatus.java
View File

@ -23,7 +23,6 @@
package com.verisign.tat.dnssec;
/**
* Codes for DNSSEC security statuses.
*

96
src/com/verisign/tat/dnssec/SignUtils.java
View File

@ -46,7 +46,6 @@ import java.util.Comparator;
import java.util.Date;
import java.util.Iterator;
/**
* This class contains a bunch of utility methods that are generally useful in
* signing and verifying rrsets.
@ -84,8 +83,8 @@ public class SignUtils {
public static RRSIGRecord generatePreRRSIG(RRset rrset, Name signer,
int alg, int keyid, Date start, Date expire, long sig_ttl) {
return new RRSIGRecord(rrset.getName(), rrset.getDClass(), sig_ttl,
rrset.getType(), alg, rrset.getTTL(), expire, start, keyid, signer,
null);
rrset.getType(), alg, rrset.getTTL(), expire, start, keyid,
signer, null);
}
/**
@ -107,8 +106,8 @@ public class SignUtils {
*/
public static RRSIGRecord generatePreRRSIG(RRset rrset, DNSKEYRecord key,
Date start, Date expire, long sig_ttl) {
return generatePreRRSIG(rrset, key.getName(), key.getAlgorithm(),
key.getFootprint(), start, expire, sig_ttl);
return generatePreRRSIG(rrset, key.getName(), key.getAlgorithm(), key
.getFootprint(), start, expire, sig_ttl);
}
/**
@ -129,8 +128,8 @@ public class SignUtils {
*/
public static RRSIGRecord generatePreRRSIG(Record rec, DNSKEYRecord key,
Date start, Date expire, long sig_ttl) {
return new RRSIGRecord(rec.getName(), rec.getDClass(), sig_ttl,
rec.getType(), key.getAlgorithm(), rec.getTTL(), expire, start,
return new RRSIGRecord(rec.getName(), rec.getDClass(), sig_ttl, rec
.getType(), key.getAlgorithm(), rec.getTTL(), expire, start,
key.getFootprint(), key.getName(), null);
}
@ -142,7 +141,7 @@ public class SignUtils {
* @return the RDATA portion of the prototype SIG record. This forms the
* first part of the data to be signed.
*/
private static byte [] generatePreSigRdata(RRSIGRecord presig) {
private static byte[] generatePreSigRdata(RRSIGRecord presig) {
// Generate the binary image;
DNSOutput image = new DNSOutput();
@ -180,7 +179,7 @@ public class SignUtils {
* part of data to be signed.
*/
@SuppressWarnings("unchecked")
public static byte [] generateCanonicalRRsetData(RRset rrset, long ttl,
public static byte[] generateCanonicalRRsetData(RRset rrset, long ttl,
int labels) {
DNSOutput image = new DNSOutput();
@ -202,13 +201,13 @@ public class SignUtils {
if (n.labels() != labels) {
n = n.wild(n.labels() - labels);
wildcardName = true;
log.trace("Detected wildcard expansion: " + rrset.getName() +
" changed to " + n);
log.trace("Detected wildcard expansion: " + rrset.getName()
+ " changed to " + n);
}
// now convert the wire format records in the RRset into a
// list of byte arrays.
ArrayList<byte []> canonical_rrs = new ArrayList<byte []>();
ArrayList<byte[]> canonical_rrs = new ArrayList<byte[]>();
for (Iterator i = rrset.rrs(); i.hasNext();) {
Record r = (Record) i.next();
@ -218,25 +217,24 @@ public class SignUtils {
// or ownername.
// In the TTL case, this avoids changing the ttl in the
// response.
r = Record.newRecord(n, r.getType(), r.getDClass(), ttl,
r.rdataToWireCanonical());
r = Record.newRecord(n, r.getType(), r.getDClass(), ttl, r
.rdataToWireCanonical());
}
byte [] wire_fmt = r.toWireCanonical();
byte[] wire_fmt = r.toWireCanonical();
canonical_rrs.add(wire_fmt);
}
// put the records into the correct ordering.
// Calculate the offset where the RDATA begins (we have to skip
// past the length byte)
int offset = rrset.getName().toWireCanonical().length +
10;
int offset = rrset.getName().toWireCanonical().length + 10;
ByteArrayComparator bac = new ByteArrayComparator(offset, false);
Collections.sort(canonical_rrs, bac);
for (Iterator<byte []> i = canonical_rrs.iterator(); i.hasNext();) {
byte [] wire_fmt_rec = i.next();
for (Iterator<byte[]> i = canonical_rrs.iterator(); i.hasNext();) {
byte[] wire_fmt_rec = i.next();
image.writeByteArray(wire_fmt_rec);
}
@ -253,10 +251,10 @@ public class SignUtils {
* a prototype SIG RR created using the same RRset.
* @return a block of data ready to be signed.
*/
public static byte [] generateSigData(RRset rrset, RRSIGRecord presig)
public static byte[] generateSigData(RRset rrset, RRSIGRecord presig)
throws IOException {
byte [] rrset_data = generateCanonicalRRsetData(rrset,
presig.getOrigTTL(), presig.getLabels());
byte[] rrset_data = generateCanonicalRRsetData(rrset, presig
.getOrigTTL(), presig.getLabels());
return generateSigData(rrset_data, presig);
}
@ -273,12 +271,12 @@ public class SignUtils {
* <code>rrset_data</code>.
* @return a block of data ready to be signed.
*/
public static byte [] generateSigData(byte [] rrset_data, RRSIGRecord presig)
public static byte[] generateSigData(byte[] rrset_data, RRSIGRecord presig)
throws IOException {
byte [] sig_rdata = generatePreSigRdata(presig);
byte[] sig_rdata = generatePreSigRdata(presig);
ByteArrayOutputStream image = new ByteArrayOutputStream(sig_rdata.length +
rrset_data.length);
ByteArrayOutputStream image = new ByteArrayOutputStream(
sig_rdata.length + rrset_data.length);
image.write(sig_rdata);
image.write(rrset_data);
@ -296,12 +294,12 @@ public class SignUtils {
* the prototype RRSIG RR to add the signature to.
* @return the fully formed RRSIG RR.
*/
public static RRSIGRecord generateRRSIG(byte [] signature,
RRSIGRecord presig) {
return new RRSIGRecord(presig.getName(), presig.getDClass(),
presig.getTTL(), presig.getTypeCovered(), presig.getAlgorithm(),
presig.getOrigTTL(), presig.getExpire(), presig.getTimeSigned(),
presig.getFootprint(), presig.getSigner(), signature);
public static RRSIGRecord generateRRSIG(byte[] signature, RRSIGRecord presig) {
return new RRSIGRecord(presig.getName(), presig.getDClass(), presig
.getTTL(), presig.getTypeCovered(), presig.getAlgorithm(),
presig.getOrigTTL(), presig.getExpire(),
presig.getTimeSigned(), presig.getFootprint(), presig
.getSigner(), signature);
}
/**
@ -323,7 +321,7 @@ public class SignUtils {
* if there was something wrong with the RFC 2536 formatted
* signature.
*/
public static byte [] convertDSASignature(byte [] signature)
public static byte[] convertDSASignature(byte[] signature)
throws SignatureException {
if (signature.length != 41) {
throw new SignatureException(
@ -347,7 +345,7 @@ public class SignUtils {
// (SEQ, INT, INT).
byte sig_length = (byte) (40 + r_pad + s_pad + 6);
byte [] sig = new byte[sig_length];
byte[] sig = new byte[sig_length];
byte pos = 0;
sig[pos++] = ASN1_SEQ;
@ -397,8 +395,8 @@ public class SignUtils {
* @throws SignatureException
* if something is wrong with the ASN.1 format.
*/
public static byte [] convertDSASignature(DSAParams params,
byte [] signature) throws SignatureException {
public static byte[] convertDSASignature(DSAParams params, byte[] signature)
throws SignatureException {
if ((signature[0] != ASN1_SEQ) || (signature[2] != ASN1_INT)) {
throw new SignatureException(
"Invalid ASN.1 signature format: expected SEQ, INT");
@ -415,7 +413,7 @@ public class SignUtils {
byte s_pad = (byte) (signature[25 + r_pad] - 20);
byte [] sig = new byte[41]; // all rfc2536 signatures are 41 bytes.
byte[] sig = new byte[41]; // all rfc2536 signatures are 41 bytes.
// Calculate T:
sig[0] = (byte) ((params.getP().bitLength() - 512) / 64);
@ -437,13 +435,15 @@ public class SignUtils {
// S is shorter than 20 bytes, so right justify the number
// (s_pad is negative here).
Arrays.fill(sig, 21, 21 - s_pad, (byte) 0);
System.arraycopy(signature, 26 + r_pad, sig, 21 - s_pad, 20 +
s_pad);
System
.arraycopy(signature, 26 + r_pad, sig, 21 - s_pad,
20 + s_pad);
}
if ((r_pad < 0) || (s_pad < 0)) {
log.trace("(finish ***) RFC 2536 DSA Sig:\n" +
base64.toString(sig));
log
.trace("(finish ***) RFC 2536 DSA Sig:\n"
+ base64.toString(sig));
} else {
log.trace("(finish) RFC 2536 DSA Sig:\n" + base64.toString(sig));
}
@ -456,24 +456,26 @@ public class SignUtils {
* useful for comparing RDATA portions of DNS records in doing DNSSEC
* canonical ordering.
*/
public static class ByteArrayComparator implements Comparator<byte []> {
public static class ByteArrayComparator implements Comparator<byte[]> {
private int mOffset = 0;
private boolean mDebug = false;
public ByteArrayComparator() {}
public ByteArrayComparator() {
}
public ByteArrayComparator(int offset, boolean debug) {
mOffset = offset;
mDebug = debug;
}
public int compare(byte [] b1, byte [] b2) throws ClassCastException {
public int compare(byte[] b1, byte[] b2) throws ClassCastException {
for (int i = mOffset; (i < b1.length) && (i < b2.length); i++) {
if (b1[i] != b2[i]) {
if (mDebug) {
System.out.println("offset " + i +
" differs (this is " + (i - mOffset) +
" bytes in from our offset.)");
System.out
.println("offset " + i + " differs (this is "
+ (i - mOffset)
+ " bytes in from our offset.)");
}
return (b1[i] & 0xFF) - (b2[i] & 0xFF);

7
src/com/verisign/tat/dnssec/TrustAnchorStore.java
View File

@ -27,7 +27,6 @@ import org.xbill.DNS.*;
import java.util.*;
/**
*
*/
@ -90,9 +89,9 @@ public class TrustAnchorStore {
for (Map.Entry<String, SRRset> entry : mMap.entrySet()) {
for (Iterator<Record> i = entry.getValue().rrs(); i.hasNext();) {
DNSKEYRecord r = (DNSKEYRecord) i.next();
String key_desc = r.getName().toString() + "/" +
DNSSEC.Algorithm.string(r.getAlgorithm()) + "/" +
r.getFootprint();
String key_desc = r.getName().toString() + "/"
+ DNSSEC.Algorithm.string(r.getAlgorithm()) + "/"
+ r.getFootprint();
res.add(key_desc);
}
}

4
src/com/verisign/tat/dnssec/Util.java
View File

@ -27,7 +27,6 @@ import org.xbill.DNS.Name;
import java.util.*;
/**
* Some basic utility functions.
*/
@ -35,7 +34,8 @@ public class Util {
/**
* Convert a DNS name into a string suitable for use as a cache key.
*
* @param name The name to convert.
* @param name
* The name to convert.
* @return A string representing the name. This isn't ever meant to be
* converted back into a DNS name.
*/

80
src/com/verisign/tat/dnssec/ValUtils.java
View File

@ -32,7 +32,6 @@ import java.security.NoSuchAlgorithmException;
import java.util.Iterator;
/**
* This is a collection of routines encompassing the logic of validating
* different message types.
@ -57,12 +56,12 @@ public class ValUtils {
* @return A subtype ranging from UNKNOWN to NAMEERROR.
*/
public static ResponseType classifyResponse(SMessage m, Name zone) {
SRRset [] rrsets;
SRRset[] rrsets;
// Normal Name Error's are easy to detect -- but don't mistake a CNAME
// chain ending in NXDOMAIN.
if ((m.getRcode() == Rcode.NXDOMAIN) &&
(m.getCount(Section.ANSWER) == 0)) {
if ((m.getRcode() == Rcode.NXDOMAIN)
&& (m.getCount(Section.ANSWER) == 0)) {
return ResponseType.NAMEERROR;
}
@ -75,13 +74,13 @@ public class ValUtils {
// 1) nothing in the ANSWER section
// 2) an NS RRset in the AUTHORITY section that is a strict subdomain of
// 'zone' (the presumed queried zone).
if ((zone != null) && (m.getCount(Section.ANSWER) == 0) &&
(m.getCount(Section.AUTHORITY) > 0)) {
if ((zone != null) && (m.getCount(Section.ANSWER) == 0)
&& (m.getCount(Section.AUTHORITY) > 0)) {
rrsets = m.getSectionRRsets(Section.AUTHORITY);
for (int i = 0; i < rrsets.length; ++i) {
if ((rrsets[i].getType() == Type.NS) &&
strictSubdomain(rrsets[i].getName(), zone)) {
if ((rrsets[i].getType() == Type.NS)
&& strictSubdomain(rrsets[i].getName(), zone)) {
return ResponseType.REFERRAL;
}
}
@ -135,9 +134,8 @@ public class ValUtils {
// FIXME: this used to classify the message, then look in the pertinent
// section. Now we just find the first RRSIG in the ANSWER and AUTHORIY
// sections.
for (int section = Section.ANSWER; section < Section.ADDITIONAL;
++section) {
SRRset [] rrsets = m.getSectionRRsets(section);
for (int section = Section.ANSWER; section < Section.ADDITIONAL; ++section) {
SRRset[] rrsets = m.getSectionRRsets(section);
for (int i = 0; i < rrsets.length; ++i) {
Name signerName = rrsets[i].getSignerName();
@ -160,7 +158,7 @@ public class ValUtils {
* The DS digest algorithm in use.
* @return the corresponding {@link org.xbill.DNS.DSRecord}
*/
public static byte [] calculateDSHash(DNSKEYRecord keyrec, int ds_alg) {
public static byte[] calculateDSHash(DNSKEYRecord keyrec, int ds_alg) {
DNSOutput os = new DNSOutput();
os.writeByteArray(keyrec.getName().toWireCanonical());
@ -274,9 +272,8 @@ public class ValUtils {
m.setStatus(security);
}
for (int section = Section.ANSWER; section <= Section.ADDITIONAL;
section++) {
SRRset [] rrsets = m.getSectionRRsets(section);
for (int section = Section.ANSWER; section <= Section.ADDITIONAL; section++) {
SRRset[] rrsets = m.getSectionRRsets(section);
for (int i = 0; i < rrsets.length; i++) {
setRRsetSecurity(rrsets[i], security);
@ -296,13 +293,13 @@ public class ValUtils {
* @return The status (BOGUS or SECURE).
*/
public byte verifySRRset(SRRset rrset, SRRset key_rrset) {
String rrset_name = rrset.getName() + "/" +
Type.string(rrset.getType()) + "/" +
DClass.string(rrset.getDClass());
String rrset_name = rrset.getName() + "/"
+ Type.string(rrset.getType()) + "/"
+ DClass.string(rrset.getDClass());
if (rrset.getSecurityStatus() == SecurityStatus.SECURE) {
log.trace("verifySRRset: rrset <" + rrset_name +
"> previously found to be SECURE");
log.trace("verifySRRset: rrset <" + rrset_name
+ "> previously found to be SECURE");
return SecurityStatus.SECURE;
}
@ -310,12 +307,12 @@ public class ValUtils {
byte status = mVerifier.verify(rrset, key_rrset);
if (status != SecurityStatus.SECURE) {
log.debug("verifySRRset: rrset <" + rrset_name +
"> found to be BAD");
log.debug("verifySRRset: rrset <" + rrset_name
+ "> found to be BAD");
status = SecurityStatus.BOGUS;
} else {
log.trace("verifySRRset: rrset <" + rrset_name +
"> found to be SECURE");
log.trace("verifySRRset: rrset <" + rrset_name
+ "> found to be SECURE");
}
rrset.setSecurityStatus(status);
@ -332,7 +329,7 @@ public class ValUtils {
* The type to look for.
* @return true if the type is present in the type map, false otherwise.
*/
public static boolean typeMapHasType(int [] types, int type) {
public static boolean typeMapHasType(int[] types, int type) {
for (int i = 0; i < types.length; i++) {
if (types[i] == type) {
return true;
@ -490,16 +487,16 @@ public class ValUtils {
// If NSEC is a parent of qname, we need to check the type map
// If the parent name has a DNAME or is a delegation point, then this
// NSEC is being misused.
boolean hasBadType = typeMapHasType(nsec.getTypes(), Type.DNAME) ||
(typeMapHasType(nsec.getTypes(), Type.NS) &&
!typeMapHasType(nsec.getTypes(), Type.SOA));
boolean hasBadType = typeMapHasType(nsec.getTypes(), Type.DNAME)
|| (typeMapHasType(nsec.getTypes(), Type.NS) && !typeMapHasType(
nsec.getTypes(), Type.SOA));
if (qname.subdomain(owner) && hasBadType) {
return false;
}
if (((qname.compareTo(owner) > 0) && (qname.compareTo(next) < 0)) ||
signerName.equals(next)) {
if (((qname.compareTo(owner) > 0) && (qname.compareTo(next) < 0))
|| signerName.equals(next)) {
return true;
}
@ -529,8 +526,9 @@ public class ValUtils {
for (int i = qname_labels - signer_labels; i > 0; i--) {
Name wc_name = qname.wild(i);
if ((wc_name.compareTo(owner) > 0) &&
((wc_name.compareTo(next) < 0) || signerName.equals(next))) {
if ((wc_name.compareTo(owner) > 0)
&& ((wc_name.compareTo(next) < 0) || signerName
.equals(next))) {
return true;
}
}
@ -571,8 +569,8 @@ public class ValUtils {
// The qname must be a strict subdomain of the closest encloser,
// and
// the qtype must be absent from the type map.
if (!strictSubdomain(qname, ce) ||
typeMapHasType(nsec.getTypes(), qtype)) {
if (!strictSubdomain(qname, ce)
|| typeMapHasType(nsec.getTypes(), qtype)) {
return false;
}
@ -585,8 +583,8 @@ public class ValUtils {
// be
// less than qname, and the next name will be a child domain of the
// qname.
if (strictSubdomain(nsec.getNext(), qname) &&
(qname.compareTo(nsec.getName()) > 0)) {
if (strictSubdomain(nsec.getNext(), qname)
&& (qname.compareTo(nsec.getName()) > 0)) {
return true;
}
@ -610,8 +608,8 @@ public class ValUtils {
// not a zone apex), then we should have gotten a referral (or we just
// got
// the wrong NSEC).
if (typeMapHasType(nsec.getTypes(), Type.NS) &&
!typeMapHasType(nsec.getTypes(), Type.SOA)) {
if (typeMapHasType(nsec.getTypes(), Type.NS)
&& !typeMapHasType(nsec.getTypes(), Type.SOA)) {
return false;
}
@ -620,7 +618,7 @@ public class ValUtils {
public static byte nsecProvesNoDS(NSECRecord nsec, Name qname) {
// Could check to make sure the qname is a subdomain of nsec
int [] types = nsec.getTypes();
int[] types = nsec.getTypes();
if (typeMapHasType(types, Type.SOA) || typeMapHasType(types, Type.DS)) {
// SOA present means that this is the NSEC from the child, not the
@ -644,8 +642,8 @@ public class ValUtils {
// These are response subtypes. They are necessary for determining the
// validation strategy. They have no bearing on the iterative resolution
// algorithm, so they are confined here.
public enum ResponseType {UNTYPED, UNKNOWN, POSITIVE, CNAME, NODATA,
NAMEERROR, ANY, REFERRAL,
public enum ResponseType {
UNTYPED, UNKNOWN, POSITIVE, CNAME, NODATA, NAMEERROR, ANY, REFERRAL,
// a referral response
THROWAWAY;
// a throwaway response (i.e., an error)