davidb/jdnssec-tools
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 1 Wiki Activity

add verbose signing mode to signzone; some comment fixes, some unused vars and imports removed

Browse Source 
git-svn-id: https://svn.verisignlabs.com/jdnssec/tools/trunk@217 4cbd57fe-54e5-0310-bd9a-f30fe5ea5e6e
This commit is contained in:
David Blacka 2010-12-05 23:08:13 +00:00
parent 51d4ca0333
commit 14ea619299
9 changed files with 155 additions and 121 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
ChangeLog
View File

@ -1,3 +1,12 @@
2010-12-05 David Blacka <davidb@verisignlabs.com>
* jdnssec-signzone: add a "verbose signing" option. This will
cause the pre-signed bytes and the raw signature bytes to be
output when signing.
* Other fixes: some minor tweaks and comment fixes.
Unfortunately, also a lot of rewrapping and whitespace changes due
to Eclipse. Sigh.
2010-01-14 David Blacka <davidb@verisignlabs.com> 2010-01-14 David Blacka <davidb@verisignlabs.com>
* Released version 0.9.6 * Released version 0.9.6

1
src/com/verisignlabs/dnssec/cl/SignKeyset.java
View File

@ -74,7 +74,6 @@ public class SignKeyset {
private Options opts; private Options opts;
private File keyDirectory = null; private File keyDirectory = null;
public String[] keyFiles = null; public String[] keyFiles = null;
public String keysetFile = null;
public Date start = null; public Date start = null;
public Date expire = null; public Date expire = null;
public String inputfile = null; public String inputfile = null;

49
src/com/verisignlabs/dnssec/cl/SignZone.java
View File

@ -89,7 +89,6 @@ public class SignZone
public Date expire = null; public Date expire = null;
public String outputfile = null; public String outputfile = null;
public boolean verifySigs = false; public boolean verifySigs = false;
public boolean selfSignKeys = true;
public boolean useOptOut = false; public boolean useOptOut = false;
public boolean fullySignKeyset = false; public boolean fullySignKeyset = false;
public List includeNames = null; public List includeNames = null;
@ -98,6 +97,7 @@ public class SignZone
public int iterations = 0; public int iterations = 0;
public int digest_id = DSRecord.SHA1_DIGEST_ID; public int digest_id = DSRecord.SHA1_DIGEST_ID;
public long nsec3paramttl = -1; public long nsec3paramttl = -1;
public boolean verboseSigning = false;
public CLIState() public CLIState()
{ {
@ -118,6 +118,7 @@ public class SignZone
opts.addOption("a", "verify", false, "verify generated signatures>"); opts.addOption("a", "verify", false, "verify generated signatures>");
opts.addOption("F", "fully-sign-keyset", false, opts.addOption("F", "fully-sign-keyset", false,
"sign the zone apex keyset with all available keys."); "sign the zone apex keyset with all available keys.");
opts.addOption("V", "verbose-signing", false, "Display verbose signing activity.");
OptionBuilder.hasOptionalArg(); OptionBuilder.hasOptionalArg();
OptionBuilder.withLongOpt("verbose"); OptionBuilder.withLongOpt("verbose");
@ -210,8 +211,7 @@ public class SignZone
} }
public void parseCommandLine(String[] args) public void parseCommandLine(String[] args)
throws org.apache.commons.cli.ParseException, ParseException, throws org.apache.commons.cli.ParseException, ParseException, IOException
IOException
{ {
CommandLineParser cli_parser = new PosixParser(); CommandLineParser cli_parser = new PosixParser();
CommandLine cli = cli_parser.parse(opts, args); CommandLine cli = cli_parser.parse(opts, args);
@ -250,6 +250,7 @@ public class SignZone
if (cli.hasOption('a')) verifySigs = true; if (cli.hasOption('a')) verifySigs = true;
if (cli.hasOption('3')) useNsec3 = true; if (cli.hasOption('3')) useNsec3 = true;
if (cli.hasOption('O')) useOptOut = true; if (cli.hasOption('O')) useOptOut = true;
if (cli.hasOption('V')) verboseSigning = true;
if (useOptOut && !useNsec3) if (useOptOut && !useNsec3)
{ {
@ -406,10 +407,8 @@ public class SignZone
PrintWriter out = new PrintWriter(System.err); PrintWriter out = new PrintWriter(System.err);
// print our own usage statement: // print our own usage statement:
out.println("usage: jdnssec-signzone [..options..] " out.println("usage: jdnssec-signzone [..options..] " + "zone_file [key_file ...] ");
+ "zone_file [key_file ...] "); f.printHelp(out, 75, "signZone.sh", null, opts, HelpFormatter.DEFAULT_LEFT_PAD,
f.printHelp(out, 75, "signZone.sh", null, opts,
HelpFormatter.DEFAULT_LEFT_PAD,
HelpFormatter.DEFAULT_DESC_PAD, HelpFormatter.DEFAULT_DESC_PAD,
"\ntime/offset = YYYYMMDDHHmmss|+offset|\"now\"+offset\n"); "\ntime/offset = YYYYMMDDHHmmss|+offset|\"now\"+offset\n");
@ -451,8 +450,7 @@ public class SignZone
* a list of keypairs used the sign the zone. * a list of keypairs used the sign the zone.
* @return true if all of the signatures validated. * @return true if all of the signatures validated.
*/ */
private static boolean verifyZoneSigs(Name zonename, List records, private static boolean verifyZoneSigs(Name zonename, List records, List keypairs)
List keypairs)
{ {
boolean secure = true; boolean secure = true;
@ -478,8 +476,7 @@ public class SignZone
if (result != DNSSEC.Secure) if (result != DNSSEC.Secure)
{ {
log.fine("Signatures did not verify for RRset: (" + result + "): " log.fine("Signatures did not verify for RRset: (" + result + "): " + rrset);
+ rrset);
secure = false; secure = false;
} }
} }
@ -500,8 +497,8 @@ public class SignZone
* the directory to look in (may be null). * the directory to look in (may be null).
* @return a list of keypair objects. * @return a list of keypair objects.
*/ */
private static List getKeys(String[] keyfiles, int start_index, private static List getKeys(String[] keyfiles, int start_index, File inDirectory)
File inDirectory) throws IOException throws IOException
{ {
if (keyfiles == null) return null; if (keyfiles == null) return null;
@ -519,8 +516,7 @@ public class SignZone
return keys; return keys;
} }
private static List getKeys(List dnskeyrrs, File inDirectory) private static List getKeys(List dnskeyrrs, File inDirectory) throws IOException
throws IOException
{ {
List res = new ArrayList(); List res = new ArrayList();
for (Iterator i = dnskeyrrs.iterator(); i.hasNext();) for (Iterator i = dnskeyrrs.iterator(); i.hasNext();)
@ -558,8 +554,7 @@ public class SignZone
} }
} }
private static List findZoneKeys(File inDirectory, Name zonename) private static List findZoneKeys(File inDirectory, Name zonename) throws IOException
throws IOException
{ {
if (inDirectory == null) if (inDirectory == null)
{ {
@ -608,8 +603,7 @@ public class SignZone
* do not belong in the zone. * do not belong in the zone.
* @return a list of {@link org.xbill.DNS.Record}s found in the keyset files. * @return a list of {@link org.xbill.DNS.Record}s found in the keyset files.
*/ */
private static List getKeysets(File inDirectory, Name zonename) private static List getKeysets(File inDirectory, Name zonename) throws IOException
throws IOException
{ {
if (inDirectory == null) if (inDirectory == null)
{ {
@ -686,8 +680,7 @@ public class SignZone
* the time/offset string to parse. * the time/offset string to parse.
* @return the calculated time. * @return the calculated time.
*/ */
private static Date convertDuration(Date start, String duration) private static Date convertDuration(Date start, String duration) throws ParseException
throws ParseException
{ {
if (start == null) start = new Date(); if (start == null) start = new Date();
if (duration.startsWith("now")) if (duration.startsWith("now"))
@ -854,18 +847,16 @@ public class SignZone
records.addAll(keysetrecs); records.addAll(keysetrecs);
} }
JCEDnsSecSigner signer = new JCEDnsSecSigner(); JCEDnsSecSigner signer = new JCEDnsSecSigner(state.verboseSigning);
// Sign the zone. // Sign the zone.
List signed_records; List signed_records;
if (state.useNsec3) if (state.useNsec3)
{ {
signed_records = signer.signZoneNSEC3(zonename, records, kskpairs, signed_records = signer.signZoneNSEC3(zonename, records, kskpairs, keypairs,
keypairs, state.start, state.start, state.expire,
state.expire, state.fullySignKeyset, state.useOptOut,
state.fullySignKeyset,
state.useOptOut,
state.includeNames, state.salt, state.includeNames, state.salt,
state.iterations, state.digest_id, state.iterations, state.digest_id,
state.nsec3paramttl); state.nsec3paramttl);
@ -873,8 +864,8 @@ public class SignZone
else else
{ {
signed_records = signer.signZone(zonename, records, kskpairs, keypairs, signed_records = signer.signZone(zonename, records, kskpairs, keypairs,
state.start, state.expire, state.start, state.expire, state.fullySignKeyset,
state.fullySignKeyset, state.digest_id); state.digest_id);
} }
// write out the signed zone // write out the signed zone

5
src/com/verisignlabs/dnssec/security/DnsKeyAlgorithm.java
View File

@ -41,7 +41,7 @@ import java.util.logging.Logger;
import org.xbill.DNS.DNSSEC; import org.xbill.DNS.DNSSEC;
/** /**
* This class handles translated DNS signing algorithm identifiers into various * This class handles translating DNS signing algorithm identifiers into various
* usable java implementations. * usable java implementations.
* *
* Besides centralizing the logic surrounding matching a DNSKEY algorithm * Besides centralizing the logic surrounding matching a DNSKEY algorithm
@ -93,8 +93,7 @@ public class DnsKeyAlgorithm
/** This is a cache key pair generator for DSA keys. */ /** This is a cache key pair generator for DSA keys. */
private KeyPairGenerator mDSAKeyGenerator; private KeyPairGenerator mDSAKeyGenerator;
private Logger log = Logger.getLogger(this.getClass() private Logger log = Logger.getLogger(this.getClass().toString());
.toString());
/** This is the global instance for this class. */ /** This is the global instance for this class. */
private static DnsKeyAlgorithm mInstance = null; private static DnsKeyAlgorithm mInstance = null;

1
src/com/verisignlabs/dnssec/security/DnsKeyConverter.java
View File

@ -44,7 +44,6 @@ import javax.crypto.spec.DHParameterSpec;
import javax.crypto.spec.DHPrivateKeySpec; import javax.crypto.spec.DHPrivateKeySpec;
import org.xbill.DNS.DNSKEYRecord; import org.xbill.DNS.DNSKEYRecord;
import org.xbill.DNS.KEYRecord;
import org.xbill.DNS.Name; import org.xbill.DNS.Name;
import org.xbill.DNS.Record; import org.xbill.DNS.Record;
import org.xbill.DNS.Type; import org.xbill.DNS.Type;

143
src/com/verisignlabs/dnssec/security/JCEDnsSecSigner.java
View File

@ -38,6 +38,7 @@ import org.xbill.DNS.RRSIGRecord;
import org.xbill.DNS.RRset; import org.xbill.DNS.RRset;
import org.xbill.DNS.Record; import org.xbill.DNS.Record;
import org.xbill.DNS.Type; import org.xbill.DNS.Type;
import org.xbill.DNS.utils.hexdump;
/** /**
* This class contains routines for signing DNS zones. * This class contains routines for signing DNS zones.
@ -54,6 +55,19 @@ import org.xbill.DNS.Type;
public class JCEDnsSecSigner public class JCEDnsSecSigner
{ {
private DnsKeyConverter mKeyConverter; private DnsKeyConverter mKeyConverter;
private boolean mVerboseSigning = false;
public JCEDnsSecSigner()
{
this.mKeyConverter = null;
this.mVerboseSigning = false;
}
public JCEDnsSecSigner(boolean verboseSigning)
{
this.mKeyConverter = null;
this.mVerboseSigning = verboseSigning;
}
/** /**
* Cryptographically generate a new DNSSEC key. * Cryptographically generate a new DNSSEC key.
@ -74,27 +88,23 @@ public class JCEDnsSecSigner
* if generating an RSA key, use the large exponent. * if generating an RSA key, use the large exponent.
* @return a DnsKeyPair with the public and private keys populated. * @return a DnsKeyPair with the public and private keys populated.
*/ */
public DnsKeyPair generateKey(Name owner, long ttl, int dclass, public DnsKeyPair generateKey(Name owner, long ttl, int dclass, int algorithm,
int algorithm, int flags, int keysize, int flags, int keysize, boolean useLargeExponent)
boolean useLargeExponent)
throws NoSuchAlgorithmException throws NoSuchAlgorithmException
{ {
DnsKeyAlgorithm algorithms = DnsKeyAlgorithm.getInstance(); DnsKeyAlgorithm algorithms = DnsKeyAlgorithm.getInstance();
if (ttl < 0) ttl = 86400; // set to a reasonable default. if (ttl < 0) ttl = 86400; // set to a reasonable default.
KeyPair pair = algorithms.generateKeyPair(algorithm, keysize, KeyPair pair = algorithms.generateKeyPair(algorithm, keysize, useLargeExponent);
useLargeExponent);
if (mKeyConverter == null) if (mKeyConverter == null)
{ {
mKeyConverter = new DnsKeyConverter(); mKeyConverter = new DnsKeyConverter();
} }
DNSKEYRecord keyrec = mKeyConverter.generateDNSKEYRecord(owner, dclass, DNSKEYRecord keyrec = mKeyConverter.generateDNSKEYRecord(owner, dclass, ttl, flags,
ttl, flags, algorithm, pair.getPublic());
algorithm,
pair.getPublic());
DnsKeyPair dnspair = new DnsKeyPair(); DnsKeyPair dnspair = new DnsKeyPair();
dnspair.setDNSKEYRecord(keyrec); dnspair.setDNSKEYRecord(keyrec);
@ -127,6 +137,12 @@ public class JCEDnsSecSigner
if (expire == null) expire = new Date(start.getTime() + 1000L); if (expire == null) expire = new Date(start.getTime() + 1000L);
if (keypairs.size() == 0) return null; if (keypairs.size() == 0) return null;
if (mVerboseSigning)
{
System.out.println("Signing RRset:");
System.out.println(ZoneUtils.rrsetToString(rrset, false));
}
// first, pre-calculate the RRset bytes. // first, pre-calculate the RRset bytes.
byte[] rrset_data = SignUtils.generateCanonicalRRsetData(rrset, 0, 0); byte[] rrset_data = SignUtils.generateCanonicalRRsetData(rrset, 0, 0);
@ -139,10 +155,17 @@ public class JCEDnsSecSigner
DNSKEYRecord keyrec = pair.getDNSKEYRecord(); DNSKEYRecord keyrec = pair.getDNSKEYRecord();
if (keyrec == null) continue; if (keyrec == null) continue;
RRSIGRecord presig = SignUtils.generatePreRRSIG(rrset, keyrec, start, RRSIGRecord presig = SignUtils.generatePreRRSIG(rrset, keyrec, start, expire,
expire, rrset.getTTL()); rrset.getTTL());
byte[] sign_data = SignUtils.generateSigData(rrset_data, presig); byte[] sign_data = SignUtils.generateSigData(rrset_data, presig);
if (mVerboseSigning)
{
System.out.println("Canonical pre-signature data to sign with key " + keyrec.getName().toString() + "/"
+ keyrec.getAlgorithm() + "/" + keyrec.getFootprint() + ":");
System.out.println(hexdump.dump(null, sign_data));
}
Signature signer = pair.getSigner(); Signature signer = pair.getSigner();
if (signer == null) if (signer == null)
@ -150,23 +173,33 @@ public class JCEDnsSecSigner
// debug // debug
System.out.println("missing private key that goes with:\n" System.out.println("missing private key that goes with:\n"
+ pair.getDNSKEYRecord()); + pair.getDNSKEYRecord());
throw new GeneralSecurityException( throw new GeneralSecurityException("cannot sign without a valid Signer "
"cannot sign without a valid Signer (probably missing private key)"); + "(probably missing private key)");
} }
// sign the data. // sign the data.
signer.update(sign_data); signer.update(sign_data);
byte[] sig = signer.sign(); byte[] sig = signer.sign();
if (mVerboseSigning)
{
System.out.println("Raw Signature:");
System.out.println(hexdump.dump(null, sig));
}
DnsKeyAlgorithm algs = DnsKeyAlgorithm.getInstance(); DnsKeyAlgorithm algs = DnsKeyAlgorithm.getInstance();
// Convert to RFC 2536 format, if necessary. // Convert to RFC 2536 format, if necessary.
if (algs.baseType(pair.getDNSKEYAlgorithm()) == DnsKeyAlgorithm.DSA) if (algs.baseType(pair.getDNSKEYAlgorithm()) == DnsKeyAlgorithm.DSA)
{ {
sig = SignUtils.convertDSASignature( DSAPublicKey pk = (DSAPublicKey) pair.getPublic();
((DSAPublicKey) pair.getPublic()).getParams(), sig = SignUtils.convertDSASignature(pk.getParams(), sig);
sig);
} }
RRSIGRecord sigrec = SignUtils.generateRRSIG(sig, presig); RRSIGRecord sigrec = SignUtils.generateRRSIG(sig, presig);
if (mVerboseSigning)
{
System.out.println("RRSIG:\n" + sigrec);
System.out.println();
}
sigs.add(sigrec); sigs.add(sigrec);
} }
@ -184,8 +217,8 @@ public class JCEDnsSecSigner
* the RRSIG expiration time. * the RRSIG expiration time.
* @return a signed RRset. * @return a signed RRset.
*/ */
public RRset makeKeySet(List keypairs, Date start, Date expire) public RRset makeKeySet(List keypairs, Date start, Date expire) throws IOException,
throws IOException, GeneralSecurityException GeneralSecurityException
{ {
// Generate a KEY RR set to sign. // Generate a KEY RR set to sign.
@ -232,9 +265,8 @@ public class JCEDnsSecSigner
* @return the name of the new last_cut. * @return the name of the new last_cut.
*/ */
private Name addRRset(List toList, Name zonename, RRset rrset, List kskpairs, private Name addRRset(List toList, Name zonename, RRset rrset, List kskpairs,
List zskpairs, Date start, Date expire, List zskpairs, Date start, Date expire, boolean fullySignKeyset,
boolean fullySignKeyset, Name last_cut) Name last_cut) throws IOException, GeneralSecurityException
throws IOException, GeneralSecurityException
{ {
// add the records themselves // add the records themselves
for (Iterator i = rrset.rrs(); i.hasNext();) for (Iterator i = rrset.rrs(); i.hasNext();)
@ -242,8 +274,8 @@ public class JCEDnsSecSigner
toList.add(i.next()); toList.add(i.next());
} }
int type = SignUtils.recordSecType(zonename, rrset.getName(), int type = SignUtils.recordSecType(zonename, rrset.getName(), rrset.getType(),
rrset.getType(), last_cut); last_cut);
// we don't sign non-normal sets (delegations, glue, invalid). // we don't sign non-normal sets (delegations, glue, invalid).
if (type == SignUtils.RR_DELEGATION) if (type == SignUtils.RR_DELEGATION)
@ -331,11 +363,10 @@ public class JCEDnsSecSigner
* @throws IOException * @throws IOException
* @throws GeneralSecurityException * @throws GeneralSecurityException
*/ */
private List signZone(Name zonename, List records, List kskpairs, private List signZone(Name zonename, List records, List kskpairs, List zskpairs,
List zskpairs, Date start, Date expire, Date start, Date expire, boolean fullySignKeyset,
boolean fullySignKeyset, int ds_digest_alg, int mode, int ds_digest_alg, int mode, List includedNames, byte[] salt,
List includedNames, byte[] salt, int iterations, int iterations, long nsec3paramttl, boolean beConservative)
long nsec3paramttl, boolean beConservative)
throws IOException, GeneralSecurityException throws IOException, GeneralSecurityException
{ {
// Remove any existing generated DNSSEC records (NSEC, NSEC3, NSEC3PARAM, // Remove any existing generated DNSSEC records (NSEC, NSEC3, NSEC3PARAM,
@ -360,12 +391,11 @@ public class JCEDnsSecSigner
SignUtils.generateNSECRecords(zonename, records); SignUtils.generateNSECRecords(zonename, records);
break; break;
case NSEC3_MODE: case NSEC3_MODE:
SignUtils.generateNSEC3Records(zonename, records, salt, iterations, SignUtils.generateNSEC3Records(zonename, records, salt, iterations, nsec3paramttl);
nsec3paramttl);
break; break;
case NSEC3_OPTOUT_MODE: case NSEC3_OPTOUT_MODE:
SignUtils.generateOptOutNSEC3Records(zonename, records, includedNames, SignUtils.generateOptOutNSEC3Records(zonename, records, includedNames, salt,
salt, iterations, nsec3paramttl); iterations, nsec3paramttl);
break; break;
case NSEC_EXP_OPT_IN: case NSEC_EXP_OPT_IN:
SignUtils.generateOptInNSECRecords(zonename, records, includedNames, SignUtils.generateOptInNSECRecords(zonename, records, includedNames,
@ -393,8 +423,7 @@ public class JCEDnsSecSigner
} }
// Current record is part of the current RRset. // Current record is part of the current RRset.
if (rrset.getName().equals(r.getName()) if (rrset.getName().equals(r.getName()) && rrset.getDClass() == r.getDClass()
&& rrset.getDClass() == r.getDClass()
&& rrset.getType() == r.getType()) && rrset.getType() == r.getType())
{ {
rrset.addRR(r); rrset.addRR(r);
@ -406,16 +435,16 @@ public class JCEDnsSecSigner
// add the RRset to the list of signed_records, regardless of // add the RRset to the list of signed_records, regardless of
// whether or not we actually end up signing the set. // whether or not we actually end up signing the set.
last_cut = addRRset(signed_records, zonename, rrset, kskpairs, zskpairs, last_cut = addRRset(signed_records, zonename, rrset, kskpairs, zskpairs, start,
start, expire, fullySignKeyset, last_cut); expire, fullySignKeyset, last_cut);
rrset.clear(); rrset.clear();
rrset.addRR(r); rrset.addRR(r);
} }
// add the last RR set // add the last RR set
addRRset(signed_records, zonename, rrset, kskpairs, zskpairs, start, addRRset(signed_records, zonename, rrset, kskpairs, zskpairs, start, expire,
expire, fullySignKeyset, last_cut); fullySignKeyset, last_cut);
return signed_records; return signed_records;
} }
@ -445,14 +474,12 @@ public class JCEDnsSecSigner
* @return an ordered list of {@link org.xbill.DNS.Record} objects, * @return an ordered list of {@link org.xbill.DNS.Record} objects,
* representing the signed zone. * representing the signed zone.
*/ */
public List signZone(Name zonename, List records, List kskpairs, public List signZone(Name zonename, List records, List kskpairs, List zskpairs,
List zskpairs, Date start, Date expire, Date start, Date expire, boolean fullySignKeyset, int ds_digest_alg)
boolean fullySignKeyset, int ds_digest_alg)
throws IOException, GeneralSecurityException throws IOException, GeneralSecurityException
{ {
return signZone(zonename, records, kskpairs, zskpairs, start, expire, return signZone(zonename, records, kskpairs, zskpairs, start, expire,
fullySignKeyset, ds_digest_alg, NSEC_MODE, null, null, 0, fullySignKeyset, ds_digest_alg, NSEC_MODE, null, null, 0, 0, false);
0, false);
} }
/** /**
@ -496,24 +523,23 @@ public class JCEDnsSecSigner
* @throws IOException * @throws IOException
* @throws GeneralSecurityException * @throws GeneralSecurityException
*/ */
public List signZoneNSEC3(Name zonename, List records, List kskpairs, public List signZoneNSEC3(Name zonename, List records, List kskpairs, List zskpairs,
List zskpairs, Date start, Date expire, Date start, Date expire, boolean fullySignKeyset,
boolean fullySignKeyset, boolean useOptOut, boolean useOptOut, List includedNames, byte[] salt,
List includedNames, byte[] salt, int iterations, int iterations, int ds_digest_alg, long nsec3paramttl)
int ds_digest_alg, long nsec3paramttl)
throws IOException, GeneralSecurityException throws IOException, GeneralSecurityException
{ {
if (useOptOut) if (useOptOut)
{ {
return signZone(zonename, records, kskpairs, zskpairs, start, expire, return signZone(zonename, records, kskpairs, zskpairs, start, expire,
fullySignKeyset, ds_digest_alg, NSEC3_OPTOUT_MODE, fullySignKeyset, ds_digest_alg, NSEC3_OPTOUT_MODE, includedNames,
includedNames, salt, iterations, nsec3paramttl, false); salt, iterations, nsec3paramttl, false);
} }
else else
{ {
return signZone(zonename, records, kskpairs, zskpairs, start, expire, return signZone(zonename, records, kskpairs, zskpairs, start, expire,
fullySignKeyset, ds_digest_alg, NSEC3_MODE, null, salt, fullySignKeyset, ds_digest_alg, NSEC3_MODE, null, salt, iterations,
iterations, nsec3paramttl, false); nsec3paramttl, false);
} }
} }
@ -547,16 +573,15 @@ public class JCEDnsSecSigner
* @return an ordered list of {@link org.xbill.DNS.Record} objects, * @return an ordered list of {@link org.xbill.DNS.Record} objects,
* representing the signed zone. * representing the signed zone.
*/ */
public List signZoneOptIn(Name zonename, List records, List kskpairs, public List signZoneOptIn(Name zonename, List records, List kskpairs, List zskpairs,
List zskpairs, Date start, Date expire, Date start, Date expire, boolean useConservativeOptIn,
boolean useConservativeOptIn,
boolean fullySignKeyset, List NSECIncludeNames, boolean fullySignKeyset, List NSECIncludeNames,
int ds_digest_alg) int ds_digest_alg) throws IOException,
throws IOException, GeneralSecurityException GeneralSecurityException
{ {
return signZone(zonename, records, kskpairs, zskpairs, start, expire, return signZone(zonename, records, kskpairs, zskpairs, start, expire,
fullySignKeyset, ds_digest_alg, NSEC_EXP_OPT_IN, fullySignKeyset, ds_digest_alg, NSEC_EXP_OPT_IN, NSECIncludeNames,
NSECIncludeNames, null, 0, 0, useConservativeOptIn); null, 0, 0, useConservativeOptIn);
} }
} }

59
src/com/verisignlabs/dnssec/security/ProtoNSEC3.java
View File

@ -33,28 +33,38 @@ import org.xbill.DNS.*;
import org.xbill.DNS.utils.base16; import org.xbill.DNS.utils.base16;
import org.xbill.DNS.utils.base32; import org.xbill.DNS.utils.base32;
/**
* This is a class representing a "prototype NSEC3" resource record. These are
* used as an intermediate stage (in zone signing) between determining the list
* of NSEC3 records and forming them into a viable chain.
*
* @author David Blacka (original)
* @author $Author: davidb $
* @version $Revision: 183 $
*/
public class ProtoNSEC3 public class ProtoNSEC3
{ {
private Name originalOwner; private Name originalOwner;
private byte hashAlg; private byte hashAlg;
private byte flags; private byte flags;
private int iterations; private int iterations;
private byte[] salt; private byte[] salt;
private byte[] next; private byte[] next;
private byte[] owner; // cached numerical owner value. private byte[] owner; // cached numerical owner value.
private TypeMap typemap; private TypeMap typemap;
private Name zone; private Name zone;
private Name name; private Name name;
private int dclass; private int dclass;
private long ttl; private long ttl;
private static final base32 b32 = new base32(base32.Alphabet.BASE32HEX, false, false); private static final base32 b32 = new base32(base32.Alphabet.BASE32HEX, false, false);
/** /**
* Creates an NSEC3 Record from the given data. * Creates an NSEC3 Record from the given data.
*/ */
public ProtoNSEC3(byte[] owner, Name originalOwner, Name zone, int dclass, public ProtoNSEC3(byte[] owner, Name originalOwner, Name zone, int dclass, long ttl,
long ttl, byte hashAlg, byte flags, int iterations, byte[] salt, byte hashAlg, byte flags, int iterations, byte[] salt, byte[] next,
byte[] next, TypeMap typemap) TypeMap typemap)
{ {
this.zone = zone; this.zone = zone;
this.owner = owner; this.owner = owner;
@ -69,12 +79,12 @@ public class ProtoNSEC3
this.originalOwner = originalOwner; this.originalOwner = originalOwner;
} }
public ProtoNSEC3(byte[] owner, Name originalOwner, Name zone, int dclass, public ProtoNSEC3(byte[] owner, Name originalOwner, Name zone, int dclass, long ttl,
long ttl, byte hashAlg, byte flags, int iterations, byte[] salt, byte hashAlg, byte flags, int iterations, byte[] salt, byte[] next,
byte[] next, int[] types) int[] types)
{ {
this(owner, originalOwner, zone, dclass, ttl, hashAlg, flags, iterations, this(owner, originalOwner, zone, dclass, ttl, hashAlg, flags, iterations, salt, next,
salt, next, TypeMap.fromTypes(types)); TypeMap.fromTypes(types));
} }
private String hashToString(byte[] hash) private String hashToString(byte[] hash)
@ -122,7 +132,8 @@ public class ProtoNSEC3
public void setOptOutFlag(boolean optOutFlag) public void setOptOutFlag(boolean optOutFlag)
{ {
if (optOutFlag) this.flags |= NSEC3Record.Flags.OPT_OUT; if (optOutFlag)
this.flags |= NSEC3Record.Flags.OPT_OUT;
else else
this.flags &= ~NSEC3Record.Flags.OPT_OUT; this.flags &= ~NSEC3Record.Flags.OPT_OUT;
} }
@ -185,9 +196,9 @@ public class ProtoNSEC3
public NSEC3Record getNSEC3Record() public NSEC3Record getNSEC3Record()
{ {
String comment = (originalOwner == null) ? "(unknown original ownername)" String comment = (originalOwner == null) ? "(unknown original ownername)"
: originalOwner.toString(); : originalOwner.toString();
return new NSEC3Record(getName(), dclass, ttl, hashAlg, flags, iterations, return new NSEC3Record(getName(), dclass, ttl, hashAlg, flags, iterations, salt,
salt, next, getTypes(), comment); next, getTypes(), comment);
} }
public void mergeTypes(TypeMap new_types) public void mergeTypes(TypeMap new_types)

3
src/com/verisignlabs/dnssec/security/TypeMap.java
View File

@ -14,7 +14,8 @@ import org.xbill.DNS.Type;
/** /**
* This class represents the multiple type maps of the NSEC record. Currently it * This class represents the multiple type maps of the NSEC record. Currently it
* is just used to convert the wire format type map to the int array that * is just used to convert the wire format type map to the int array that
* org.xbill.DNS.NSECRecord uses. * org.xbill.DNS.NSECRecord uses. Note that there is now a very similar class in
* DNSjava: {@link org.xbill.DNS.TypeBitmap}.
*/ */
public class TypeMap public class TypeMap

2
src/com/verisignlabs/dnssec/security/ZoneUtils.java
View File

@ -109,7 +109,7 @@ public class ZoneUtils
* @param records * @param records
* a list of {@link org.xbill.DNS.Record} or * a list of {@link org.xbill.DNS.Record} or
* {@link org.xbill.DNS.RRset} objects. * {@link org.xbill.DNS.RRset} objects.
* @return the zone name, if found. null if one couldn't be found.q * @return the zone name, if found. null if one couldn't be found.
*/ */
public static Name findZoneName(List records) public static Name findZoneName(List records)
{ {