add verbose signing mode to signzone; some comment fixes, some unused vars and imports removed
git-svn-id: https://svn.verisignlabs.com/jdnssec/tools/trunk@217 4cbd57fe-54e5-0310-bd9a-f30fe5ea5e6e
This commit is contained in:
parent
51d4ca0333
commit
14ea619299
@ -1,3 +1,12 @@
|
||||
2010-12-05 David Blacka <davidb@verisignlabs.com>
|
||||
|
||||
* jdnssec-signzone: add a "verbose signing" option. This will
|
||||
cause the pre-signed bytes and the raw signature bytes to be
|
||||
output when signing.
|
||||
* Other fixes: some minor tweaks and comment fixes.
|
||||
Unfortunately, also a lot of rewrapping and whitespace changes due
|
||||
to Eclipse. Sigh.
|
||||
|
||||
2010-01-14 David Blacka <davidb@verisignlabs.com>
|
||||
|
||||
* Released version 0.9.6
|
||||
|
@ -74,7 +74,6 @@ public class SignKeyset {
|
||||
private Options opts;
|
||||
private File keyDirectory = null;
|
||||
public String[] keyFiles = null;
|
||||
public String keysetFile = null;
|
||||
public Date start = null;
|
||||
public Date expire = null;
|
||||
public String inputfile = null;
|
||||
|
@ -89,7 +89,6 @@ public class SignZone
|
||||
public Date expire = null;
|
||||
public String outputfile = null;
|
||||
public boolean verifySigs = false;
|
||||
public boolean selfSignKeys = true;
|
||||
public boolean useOptOut = false;
|
||||
public boolean fullySignKeyset = false;
|
||||
public List includeNames = null;
|
||||
@ -98,6 +97,7 @@ public class SignZone
|
||||
public int iterations = 0;
|
||||
public int digest_id = DSRecord.SHA1_DIGEST_ID;
|
||||
public long nsec3paramttl = -1;
|
||||
public boolean verboseSigning = false;
|
||||
|
||||
public CLIState()
|
||||
{
|
||||
@ -118,6 +118,7 @@ public class SignZone
|
||||
opts.addOption("a", "verify", false, "verify generated signatures>");
|
||||
opts.addOption("F", "fully-sign-keyset", false,
|
||||
"sign the zone apex keyset with all available keys.");
|
||||
opts.addOption("V", "verbose-signing", false, "Display verbose signing activity.");
|
||||
|
||||
OptionBuilder.hasOptionalArg();
|
||||
OptionBuilder.withLongOpt("verbose");
|
||||
@ -210,8 +211,7 @@ public class SignZone
|
||||
}
|
||||
|
||||
public void parseCommandLine(String[] args)
|
||||
throws org.apache.commons.cli.ParseException, ParseException,
|
||||
IOException
|
||||
throws org.apache.commons.cli.ParseException, ParseException, IOException
|
||||
{
|
||||
CommandLineParser cli_parser = new PosixParser();
|
||||
CommandLine cli = cli_parser.parse(opts, args);
|
||||
@ -250,6 +250,7 @@ public class SignZone
|
||||
if (cli.hasOption('a')) verifySigs = true;
|
||||
if (cli.hasOption('3')) useNsec3 = true;
|
||||
if (cli.hasOption('O')) useOptOut = true;
|
||||
if (cli.hasOption('V')) verboseSigning = true;
|
||||
|
||||
if (useOptOut && !useNsec3)
|
||||
{
|
||||
@ -406,10 +407,8 @@ public class SignZone
|
||||
PrintWriter out = new PrintWriter(System.err);
|
||||
|
||||
// print our own usage statement:
|
||||
out.println("usage: jdnssec-signzone [..options..] "
|
||||
+ "zone_file [key_file ...] ");
|
||||
f.printHelp(out, 75, "signZone.sh", null, opts,
|
||||
HelpFormatter.DEFAULT_LEFT_PAD,
|
||||
out.println("usage: jdnssec-signzone [..options..] " + "zone_file [key_file ...] ");
|
||||
f.printHelp(out, 75, "signZone.sh", null, opts, HelpFormatter.DEFAULT_LEFT_PAD,
|
||||
HelpFormatter.DEFAULT_DESC_PAD,
|
||||
"\ntime/offset = YYYYMMDDHHmmss|+offset|\"now\"+offset\n");
|
||||
|
||||
@ -451,8 +450,7 @@ public class SignZone
|
||||
* a list of keypairs used the sign the zone.
|
||||
* @return true if all of the signatures validated.
|
||||
*/
|
||||
private static boolean verifyZoneSigs(Name zonename, List records,
|
||||
List keypairs)
|
||||
private static boolean verifyZoneSigs(Name zonename, List records, List keypairs)
|
||||
{
|
||||
boolean secure = true;
|
||||
|
||||
@ -478,8 +476,7 @@ public class SignZone
|
||||
|
||||
if (result != DNSSEC.Secure)
|
||||
{
|
||||
log.fine("Signatures did not verify for RRset: (" + result + "): "
|
||||
+ rrset);
|
||||
log.fine("Signatures did not verify for RRset: (" + result + "): " + rrset);
|
||||
secure = false;
|
||||
}
|
||||
}
|
||||
@ -500,8 +497,8 @@ public class SignZone
|
||||
* the directory to look in (may be null).
|
||||
* @return a list of keypair objects.
|
||||
*/
|
||||
private static List getKeys(String[] keyfiles, int start_index,
|
||||
File inDirectory) throws IOException
|
||||
private static List getKeys(String[] keyfiles, int start_index, File inDirectory)
|
||||
throws IOException
|
||||
{
|
||||
if (keyfiles == null) return null;
|
||||
|
||||
@ -519,8 +516,7 @@ public class SignZone
|
||||
return keys;
|
||||
}
|
||||
|
||||
private static List getKeys(List dnskeyrrs, File inDirectory)
|
||||
throws IOException
|
||||
private static List getKeys(List dnskeyrrs, File inDirectory) throws IOException
|
||||
{
|
||||
List res = new ArrayList();
|
||||
for (Iterator i = dnskeyrrs.iterator(); i.hasNext();)
|
||||
@ -558,8 +554,7 @@ public class SignZone
|
||||
}
|
||||
}
|
||||
|
||||
private static List findZoneKeys(File inDirectory, Name zonename)
|
||||
throws IOException
|
||||
private static List findZoneKeys(File inDirectory, Name zonename) throws IOException
|
||||
{
|
||||
if (inDirectory == null)
|
||||
{
|
||||
@ -608,8 +603,7 @@ public class SignZone
|
||||
* do not belong in the zone.
|
||||
* @return a list of {@link org.xbill.DNS.Record}s found in the keyset files.
|
||||
*/
|
||||
private static List getKeysets(File inDirectory, Name zonename)
|
||||
throws IOException
|
||||
private static List getKeysets(File inDirectory, Name zonename) throws IOException
|
||||
{
|
||||
if (inDirectory == null)
|
||||
{
|
||||
@ -686,8 +680,7 @@ public class SignZone
|
||||
* the time/offset string to parse.
|
||||
* @return the calculated time.
|
||||
*/
|
||||
private static Date convertDuration(Date start, String duration)
|
||||
throws ParseException
|
||||
private static Date convertDuration(Date start, String duration) throws ParseException
|
||||
{
|
||||
if (start == null) start = new Date();
|
||||
if (duration.startsWith("now"))
|
||||
@ -854,18 +847,16 @@ public class SignZone
|
||||
records.addAll(keysetrecs);
|
||||
}
|
||||
|
||||
JCEDnsSecSigner signer = new JCEDnsSecSigner();
|
||||
JCEDnsSecSigner signer = new JCEDnsSecSigner(state.verboseSigning);
|
||||
|
||||
// Sign the zone.
|
||||
List signed_records;
|
||||
|
||||
if (state.useNsec3)
|
||||
{
|
||||
signed_records = signer.signZoneNSEC3(zonename, records, kskpairs,
|
||||
keypairs, state.start,
|
||||
state.expire,
|
||||
state.fullySignKeyset,
|
||||
state.useOptOut,
|
||||
signed_records = signer.signZoneNSEC3(zonename, records, kskpairs, keypairs,
|
||||
state.start, state.expire,
|
||||
state.fullySignKeyset, state.useOptOut,
|
||||
state.includeNames, state.salt,
|
||||
state.iterations, state.digest_id,
|
||||
state.nsec3paramttl);
|
||||
@ -873,8 +864,8 @@ public class SignZone
|
||||
else
|
||||
{
|
||||
signed_records = signer.signZone(zonename, records, kskpairs, keypairs,
|
||||
state.start, state.expire,
|
||||
state.fullySignKeyset, state.digest_id);
|
||||
state.start, state.expire, state.fullySignKeyset,
|
||||
state.digest_id);
|
||||
}
|
||||
|
||||
// write out the signed zone
|
||||
|
@ -41,7 +41,7 @@ import java.util.logging.Logger;
|
||||
import org.xbill.DNS.DNSSEC;
|
||||
|
||||
/**
|
||||
* This class handles translated DNS signing algorithm identifiers into various
|
||||
* This class handles translating DNS signing algorithm identifiers into various
|
||||
* usable java implementations.
|
||||
*
|
||||
* Besides centralizing the logic surrounding matching a DNSKEY algorithm
|
||||
@ -93,8 +93,7 @@ public class DnsKeyAlgorithm
|
||||
/** This is a cache key pair generator for DSA keys. */
|
||||
private KeyPairGenerator mDSAKeyGenerator;
|
||||
|
||||
private Logger log = Logger.getLogger(this.getClass()
|
||||
.toString());
|
||||
private Logger log = Logger.getLogger(this.getClass().toString());
|
||||
|
||||
/** This is the global instance for this class. */
|
||||
private static DnsKeyAlgorithm mInstance = null;
|
||||
|
@ -44,7 +44,6 @@ import javax.crypto.spec.DHParameterSpec;
|
||||
import javax.crypto.spec.DHPrivateKeySpec;
|
||||
|
||||
import org.xbill.DNS.DNSKEYRecord;
|
||||
import org.xbill.DNS.KEYRecord;
|
||||
import org.xbill.DNS.Name;
|
||||
import org.xbill.DNS.Record;
|
||||
import org.xbill.DNS.Type;
|
||||
|
@ -38,6 +38,7 @@ import org.xbill.DNS.RRSIGRecord;
|
||||
import org.xbill.DNS.RRset;
|
||||
import org.xbill.DNS.Record;
|
||||
import org.xbill.DNS.Type;
|
||||
import org.xbill.DNS.utils.hexdump;
|
||||
|
||||
/**
|
||||
* This class contains routines for signing DNS zones.
|
||||
@ -54,6 +55,19 @@ import org.xbill.DNS.Type;
|
||||
public class JCEDnsSecSigner
|
||||
{
|
||||
private DnsKeyConverter mKeyConverter;
|
||||
private boolean mVerboseSigning = false;
|
||||
|
||||
public JCEDnsSecSigner()
|
||||
{
|
||||
this.mKeyConverter = null;
|
||||
this.mVerboseSigning = false;
|
||||
}
|
||||
|
||||
public JCEDnsSecSigner(boolean verboseSigning)
|
||||
{
|
||||
this.mKeyConverter = null;
|
||||
this.mVerboseSigning = verboseSigning;
|
||||
}
|
||||
|
||||
/**
|
||||
* Cryptographically generate a new DNSSEC key.
|
||||
@ -74,27 +88,23 @@ public class JCEDnsSecSigner
|
||||
* if generating an RSA key, use the large exponent.
|
||||
* @return a DnsKeyPair with the public and private keys populated.
|
||||
*/
|
||||
public DnsKeyPair generateKey(Name owner, long ttl, int dclass,
|
||||
int algorithm, int flags, int keysize,
|
||||
boolean useLargeExponent)
|
||||
public DnsKeyPair generateKey(Name owner, long ttl, int dclass, int algorithm,
|
||||
int flags, int keysize, boolean useLargeExponent)
|
||||
throws NoSuchAlgorithmException
|
||||
{
|
||||
DnsKeyAlgorithm algorithms = DnsKeyAlgorithm.getInstance();
|
||||
|
||||
if (ttl < 0) ttl = 86400; // set to a reasonable default.
|
||||
|
||||
KeyPair pair = algorithms.generateKeyPair(algorithm, keysize,
|
||||
useLargeExponent);
|
||||
KeyPair pair = algorithms.generateKeyPair(algorithm, keysize, useLargeExponent);
|
||||
|
||||
if (mKeyConverter == null)
|
||||
{
|
||||
mKeyConverter = new DnsKeyConverter();
|
||||
}
|
||||
|
||||
DNSKEYRecord keyrec = mKeyConverter.generateDNSKEYRecord(owner, dclass,
|
||||
ttl, flags,
|
||||
algorithm,
|
||||
pair.getPublic());
|
||||
DNSKEYRecord keyrec = mKeyConverter.generateDNSKEYRecord(owner, dclass, ttl, flags,
|
||||
algorithm, pair.getPublic());
|
||||
|
||||
DnsKeyPair dnspair = new DnsKeyPair();
|
||||
dnspair.setDNSKEYRecord(keyrec);
|
||||
@ -127,6 +137,12 @@ public class JCEDnsSecSigner
|
||||
if (expire == null) expire = new Date(start.getTime() + 1000L);
|
||||
if (keypairs.size() == 0) return null;
|
||||
|
||||
if (mVerboseSigning)
|
||||
{
|
||||
System.out.println("Signing RRset:");
|
||||
System.out.println(ZoneUtils.rrsetToString(rrset, false));
|
||||
}
|
||||
|
||||
// first, pre-calculate the RRset bytes.
|
||||
byte[] rrset_data = SignUtils.generateCanonicalRRsetData(rrset, 0, 0);
|
||||
|
||||
@ -139,10 +155,17 @@ public class JCEDnsSecSigner
|
||||
DNSKEYRecord keyrec = pair.getDNSKEYRecord();
|
||||
if (keyrec == null) continue;
|
||||
|
||||
RRSIGRecord presig = SignUtils.generatePreRRSIG(rrset, keyrec, start,
|
||||
expire, rrset.getTTL());
|
||||
RRSIGRecord presig = SignUtils.generatePreRRSIG(rrset, keyrec, start, expire,
|
||||
rrset.getTTL());
|
||||
byte[] sign_data = SignUtils.generateSigData(rrset_data, presig);
|
||||
|
||||
if (mVerboseSigning)
|
||||
{
|
||||
System.out.println("Canonical pre-signature data to sign with key " + keyrec.getName().toString() + "/"
|
||||
+ keyrec.getAlgorithm() + "/" + keyrec.getFootprint() + ":");
|
||||
System.out.println(hexdump.dump(null, sign_data));
|
||||
}
|
||||
|
||||
Signature signer = pair.getSigner();
|
||||
|
||||
if (signer == null)
|
||||
@ -150,23 +173,33 @@ public class JCEDnsSecSigner
|
||||
// debug
|
||||
System.out.println("missing private key that goes with:\n"
|
||||
+ pair.getDNSKEYRecord());
|
||||
throw new GeneralSecurityException(
|
||||
"cannot sign without a valid Signer (probably missing private key)");
|
||||
throw new GeneralSecurityException("cannot sign without a valid Signer "
|
||||
+ "(probably missing private key)");
|
||||
}
|
||||
|
||||
// sign the data.
|
||||
signer.update(sign_data);
|
||||
byte[] sig = signer.sign();
|
||||
|
||||
if (mVerboseSigning)
|
||||
{
|
||||
System.out.println("Raw Signature:");
|
||||
System.out.println(hexdump.dump(null, sig));
|
||||
}
|
||||
|
||||
DnsKeyAlgorithm algs = DnsKeyAlgorithm.getInstance();
|
||||
// Convert to RFC 2536 format, if necessary.
|
||||
if (algs.baseType(pair.getDNSKEYAlgorithm()) == DnsKeyAlgorithm.DSA)
|
||||
{
|
||||
sig = SignUtils.convertDSASignature(
|
||||
((DSAPublicKey) pair.getPublic()).getParams(),
|
||||
sig);
|
||||
DSAPublicKey pk = (DSAPublicKey) pair.getPublic();
|
||||
sig = SignUtils.convertDSASignature(pk.getParams(), sig);
|
||||
}
|
||||
RRSIGRecord sigrec = SignUtils.generateRRSIG(sig, presig);
|
||||
if (mVerboseSigning)
|
||||
{
|
||||
System.out.println("RRSIG:\n" + sigrec);
|
||||
System.out.println();
|
||||
}
|
||||
sigs.add(sigrec);
|
||||
}
|
||||
|
||||
@ -184,8 +217,8 @@ public class JCEDnsSecSigner
|
||||
* the RRSIG expiration time.
|
||||
* @return a signed RRset.
|
||||
*/
|
||||
public RRset makeKeySet(List keypairs, Date start, Date expire)
|
||||
throws IOException, GeneralSecurityException
|
||||
public RRset makeKeySet(List keypairs, Date start, Date expire) throws IOException,
|
||||
GeneralSecurityException
|
||||
{
|
||||
// Generate a KEY RR set to sign.
|
||||
|
||||
@ -232,9 +265,8 @@ public class JCEDnsSecSigner
|
||||
* @return the name of the new last_cut.
|
||||
*/
|
||||
private Name addRRset(List toList, Name zonename, RRset rrset, List kskpairs,
|
||||
List zskpairs, Date start, Date expire,
|
||||
boolean fullySignKeyset, Name last_cut)
|
||||
throws IOException, GeneralSecurityException
|
||||
List zskpairs, Date start, Date expire, boolean fullySignKeyset,
|
||||
Name last_cut) throws IOException, GeneralSecurityException
|
||||
{
|
||||
// add the records themselves
|
||||
for (Iterator i = rrset.rrs(); i.hasNext();)
|
||||
@ -242,8 +274,8 @@ public class JCEDnsSecSigner
|
||||
toList.add(i.next());
|
||||
}
|
||||
|
||||
int type = SignUtils.recordSecType(zonename, rrset.getName(),
|
||||
rrset.getType(), last_cut);
|
||||
int type = SignUtils.recordSecType(zonename, rrset.getName(), rrset.getType(),
|
||||
last_cut);
|
||||
|
||||
// we don't sign non-normal sets (delegations, glue, invalid).
|
||||
if (type == SignUtils.RR_DELEGATION)
|
||||
@ -331,11 +363,10 @@ public class JCEDnsSecSigner
|
||||
* @throws IOException
|
||||
* @throws GeneralSecurityException
|
||||
*/
|
||||
private List signZone(Name zonename, List records, List kskpairs,
|
||||
List zskpairs, Date start, Date expire,
|
||||
boolean fullySignKeyset, int ds_digest_alg, int mode,
|
||||
List includedNames, byte[] salt, int iterations,
|
||||
long nsec3paramttl, boolean beConservative)
|
||||
private List signZone(Name zonename, List records, List kskpairs, List zskpairs,
|
||||
Date start, Date expire, boolean fullySignKeyset,
|
||||
int ds_digest_alg, int mode, List includedNames, byte[] salt,
|
||||
int iterations, long nsec3paramttl, boolean beConservative)
|
||||
throws IOException, GeneralSecurityException
|
||||
{
|
||||
// Remove any existing generated DNSSEC records (NSEC, NSEC3, NSEC3PARAM,
|
||||
@ -360,12 +391,11 @@ public class JCEDnsSecSigner
|
||||
SignUtils.generateNSECRecords(zonename, records);
|
||||
break;
|
||||
case NSEC3_MODE:
|
||||
SignUtils.generateNSEC3Records(zonename, records, salt, iterations,
|
||||
nsec3paramttl);
|
||||
SignUtils.generateNSEC3Records(zonename, records, salt, iterations, nsec3paramttl);
|
||||
break;
|
||||
case NSEC3_OPTOUT_MODE:
|
||||
SignUtils.generateOptOutNSEC3Records(zonename, records, includedNames,
|
||||
salt, iterations, nsec3paramttl);
|
||||
SignUtils.generateOptOutNSEC3Records(zonename, records, includedNames, salt,
|
||||
iterations, nsec3paramttl);
|
||||
break;
|
||||
case NSEC_EXP_OPT_IN:
|
||||
SignUtils.generateOptInNSECRecords(zonename, records, includedNames,
|
||||
@ -393,8 +423,7 @@ public class JCEDnsSecSigner
|
||||
}
|
||||
|
||||
// Current record is part of the current RRset.
|
||||
if (rrset.getName().equals(r.getName())
|
||||
&& rrset.getDClass() == r.getDClass()
|
||||
if (rrset.getName().equals(r.getName()) && rrset.getDClass() == r.getDClass()
|
||||
&& rrset.getType() == r.getType())
|
||||
{
|
||||
rrset.addRR(r);
|
||||
@ -406,16 +435,16 @@ public class JCEDnsSecSigner
|
||||
|
||||
// add the RRset to the list of signed_records, regardless of
|
||||
// whether or not we actually end up signing the set.
|
||||
last_cut = addRRset(signed_records, zonename, rrset, kskpairs, zskpairs,
|
||||
start, expire, fullySignKeyset, last_cut);
|
||||
last_cut = addRRset(signed_records, zonename, rrset, kskpairs, zskpairs, start,
|
||||
expire, fullySignKeyset, last_cut);
|
||||
|
||||
rrset.clear();
|
||||
rrset.addRR(r);
|
||||
}
|
||||
|
||||
// add the last RR set
|
||||
addRRset(signed_records, zonename, rrset, kskpairs, zskpairs, start,
|
||||
expire, fullySignKeyset, last_cut);
|
||||
addRRset(signed_records, zonename, rrset, kskpairs, zskpairs, start, expire,
|
||||
fullySignKeyset, last_cut);
|
||||
|
||||
return signed_records;
|
||||
}
|
||||
@ -445,14 +474,12 @@ public class JCEDnsSecSigner
|
||||
* @return an ordered list of {@link org.xbill.DNS.Record} objects,
|
||||
* representing the signed zone.
|
||||
*/
|
||||
public List signZone(Name zonename, List records, List kskpairs,
|
||||
List zskpairs, Date start, Date expire,
|
||||
boolean fullySignKeyset, int ds_digest_alg)
|
||||
public List signZone(Name zonename, List records, List kskpairs, List zskpairs,
|
||||
Date start, Date expire, boolean fullySignKeyset, int ds_digest_alg)
|
||||
throws IOException, GeneralSecurityException
|
||||
{
|
||||
return signZone(zonename, records, kskpairs, zskpairs, start, expire,
|
||||
fullySignKeyset, ds_digest_alg, NSEC_MODE, null, null, 0,
|
||||
0, false);
|
||||
fullySignKeyset, ds_digest_alg, NSEC_MODE, null, null, 0, 0, false);
|
||||
}
|
||||
|
||||
/**
|
||||
@ -496,24 +523,23 @@ public class JCEDnsSecSigner
|
||||
* @throws IOException
|
||||
* @throws GeneralSecurityException
|
||||
*/
|
||||
public List signZoneNSEC3(Name zonename, List records, List kskpairs,
|
||||
List zskpairs, Date start, Date expire,
|
||||
boolean fullySignKeyset, boolean useOptOut,
|
||||
List includedNames, byte[] salt, int iterations,
|
||||
int ds_digest_alg, long nsec3paramttl)
|
||||
public List signZoneNSEC3(Name zonename, List records, List kskpairs, List zskpairs,
|
||||
Date start, Date expire, boolean fullySignKeyset,
|
||||
boolean useOptOut, List includedNames, byte[] salt,
|
||||
int iterations, int ds_digest_alg, long nsec3paramttl)
|
||||
throws IOException, GeneralSecurityException
|
||||
{
|
||||
if (useOptOut)
|
||||
{
|
||||
return signZone(zonename, records, kskpairs, zskpairs, start, expire,
|
||||
fullySignKeyset, ds_digest_alg, NSEC3_OPTOUT_MODE,
|
||||
includedNames, salt, iterations, nsec3paramttl, false);
|
||||
fullySignKeyset, ds_digest_alg, NSEC3_OPTOUT_MODE, includedNames,
|
||||
salt, iterations, nsec3paramttl, false);
|
||||
}
|
||||
else
|
||||
{
|
||||
return signZone(zonename, records, kskpairs, zskpairs, start, expire,
|
||||
fullySignKeyset, ds_digest_alg, NSEC3_MODE, null, salt,
|
||||
iterations, nsec3paramttl, false);
|
||||
fullySignKeyset, ds_digest_alg, NSEC3_MODE, null, salt, iterations,
|
||||
nsec3paramttl, false);
|
||||
}
|
||||
}
|
||||
|
||||
@ -547,16 +573,15 @@ public class JCEDnsSecSigner
|
||||
* @return an ordered list of {@link org.xbill.DNS.Record} objects,
|
||||
* representing the signed zone.
|
||||
*/
|
||||
public List signZoneOptIn(Name zonename, List records, List kskpairs,
|
||||
List zskpairs, Date start, Date expire,
|
||||
boolean useConservativeOptIn,
|
||||
public List signZoneOptIn(Name zonename, List records, List kskpairs, List zskpairs,
|
||||
Date start, Date expire, boolean useConservativeOptIn,
|
||||
boolean fullySignKeyset, List NSECIncludeNames,
|
||||
int ds_digest_alg)
|
||||
throws IOException, GeneralSecurityException
|
||||
int ds_digest_alg) throws IOException,
|
||||
GeneralSecurityException
|
||||
{
|
||||
|
||||
return signZone(zonename, records, kskpairs, zskpairs, start, expire,
|
||||
fullySignKeyset, ds_digest_alg, NSEC_EXP_OPT_IN,
|
||||
NSECIncludeNames, null, 0, 0, useConservativeOptIn);
|
||||
fullySignKeyset, ds_digest_alg, NSEC_EXP_OPT_IN, NSECIncludeNames,
|
||||
null, 0, 0, useConservativeOptIn);
|
||||
}
|
||||
}
|
||||
|
@ -33,6 +33,15 @@ import org.xbill.DNS.*;
|
||||
import org.xbill.DNS.utils.base16;
|
||||
import org.xbill.DNS.utils.base32;
|
||||
|
||||
/**
|
||||
* This is a class representing a "prototype NSEC3" resource record. These are
|
||||
* used as an intermediate stage (in zone signing) between determining the list
|
||||
* of NSEC3 records and forming them into a viable chain.
|
||||
*
|
||||
* @author David Blacka (original)
|
||||
* @author $Author: davidb $
|
||||
* @version $Revision: 183 $
|
||||
*/
|
||||
public class ProtoNSEC3
|
||||
{
|
||||
private Name originalOwner;
|
||||
@ -49,12 +58,13 @@ public class ProtoNSEC3
|
||||
private long ttl;
|
||||
|
||||
private static final base32 b32 = new base32(base32.Alphabet.BASE32HEX, false, false);
|
||||
|
||||
/**
|
||||
* Creates an NSEC3 Record from the given data.
|
||||
*/
|
||||
public ProtoNSEC3(byte[] owner, Name originalOwner, Name zone, int dclass,
|
||||
long ttl, byte hashAlg, byte flags, int iterations, byte[] salt,
|
||||
byte[] next, TypeMap typemap)
|
||||
public ProtoNSEC3(byte[] owner, Name originalOwner, Name zone, int dclass, long ttl,
|
||||
byte hashAlg, byte flags, int iterations, byte[] salt, byte[] next,
|
||||
TypeMap typemap)
|
||||
{
|
||||
this.zone = zone;
|
||||
this.owner = owner;
|
||||
@ -69,12 +79,12 @@ public class ProtoNSEC3
|
||||
this.originalOwner = originalOwner;
|
||||
}
|
||||
|
||||
public ProtoNSEC3(byte[] owner, Name originalOwner, Name zone, int dclass,
|
||||
long ttl, byte hashAlg, byte flags, int iterations, byte[] salt,
|
||||
byte[] next, int[] types)
|
||||
public ProtoNSEC3(byte[] owner, Name originalOwner, Name zone, int dclass, long ttl,
|
||||
byte hashAlg, byte flags, int iterations, byte[] salt, byte[] next,
|
||||
int[] types)
|
||||
{
|
||||
this(owner, originalOwner, zone, dclass, ttl, hashAlg, flags, iterations,
|
||||
salt, next, TypeMap.fromTypes(types));
|
||||
this(owner, originalOwner, zone, dclass, ttl, hashAlg, flags, iterations, salt, next,
|
||||
TypeMap.fromTypes(types));
|
||||
}
|
||||
|
||||
private String hashToString(byte[] hash)
|
||||
@ -122,7 +132,8 @@ public class ProtoNSEC3
|
||||
|
||||
public void setOptOutFlag(boolean optOutFlag)
|
||||
{
|
||||
if (optOutFlag) this.flags |= NSEC3Record.Flags.OPT_OUT;
|
||||
if (optOutFlag)
|
||||
this.flags |= NSEC3Record.Flags.OPT_OUT;
|
||||
else
|
||||
this.flags &= ~NSEC3Record.Flags.OPT_OUT;
|
||||
}
|
||||
@ -186,8 +197,8 @@ public class ProtoNSEC3
|
||||
{
|
||||
String comment = (originalOwner == null) ? "(unknown original ownername)"
|
||||
: originalOwner.toString();
|
||||
return new NSEC3Record(getName(), dclass, ttl, hashAlg, flags, iterations,
|
||||
salt, next, getTypes(), comment);
|
||||
return new NSEC3Record(getName(), dclass, ttl, hashAlg, flags, iterations, salt,
|
||||
next, getTypes(), comment);
|
||||
}
|
||||
|
||||
public void mergeTypes(TypeMap new_types)
|
||||
|
@ -14,7 +14,8 @@ import org.xbill.DNS.Type;
|
||||
/**
|
||||
* This class represents the multiple type maps of the NSEC record. Currently it
|
||||
* is just used to convert the wire format type map to the int array that
|
||||
* org.xbill.DNS.NSECRecord uses.
|
||||
* org.xbill.DNS.NSECRecord uses. Note that there is now a very similar class in
|
||||
* DNSjava: {@link org.xbill.DNS.TypeBitmap}.
|
||||
*/
|
||||
|
||||
public class TypeMap
|
||||
|
@ -109,7 +109,7 @@ public class ZoneUtils
|
||||
* @param records
|
||||
* a list of {@link org.xbill.DNS.Record} or
|
||||
* {@link org.xbill.DNS.RRset} objects.
|
||||
* @return the zone name, if found. null if one couldn't be found.q
|
||||
* @return the zone name, if found. null if one couldn't be found.
|
||||
*/
|
||||
public static Name findZoneName(List records)
|
||||
{
|
||||
|
Loading…
Reference in New Issue
Block a user