Cli improvements (#17)
* add config file processing, refactor CLIBase some * fix algorithm aliases with key generation * Refactor to remove CLIState et al, move CLI common statics to new Utils * only use usage() for help, otherwise fail() * add a universal command line client, build a one-jar to use it. * bump the version * update ChangeLog, README, README.TODO, minor fixes * undo overzealous find/replace. sigh. * fix use_large_exponent logic in KeyGen * more fixes, minor improvements
This commit is contained in:
parent
2876649a4e
commit
1727d7c7d8
1
.gitignore
vendored
1
.gitignore
vendored
@ -1,5 +1,6 @@
|
|||||||
build
|
build
|
||||||
bin/main
|
bin/main
|
||||||
|
dist/
|
||||||
.classpath
|
.classpath
|
||||||
.project
|
.project
|
||||||
.gradle
|
.gradle
|
||||||
|
15
ChangeLog
15
ChangeLog
@ -1,3 +1,18 @@
|
|||||||
|
2024-04-07 David Blacka <david@blacka.com>
|
||||||
|
|
||||||
|
* Released version 0.20
|
||||||
|
* Removed support for Gradle builds since the gradle config was
|
||||||
|
out-of-date
|
||||||
|
* Requires Java 15 or later for EdDSA support
|
||||||
|
* Supports DNSSEC algorithm 16 using the SunEC provider
|
||||||
|
* Supports a java properties-formatted config file. See
|
||||||
|
jdnssec-tools.properties.example for an example
|
||||||
|
* Updated to dnsjava 3.5.3
|
||||||
|
* Updated to commons-cli 1.6.0
|
||||||
|
* Added a "one-jar" distribution method, and a "univeral" CLI to
|
||||||
|
use with it.
|
||||||
|
* Formatting and linter suggestions
|
||||||
|
|
||||||
2024-03-25 David Blacka <davidb@verisign.com>
|
2024-03-25 David Blacka <davidb@verisign.com>
|
||||||
|
|
||||||
* Released version 0.19
|
* Released version 0.19
|
||||||
|
@ -11,5 +11,3 @@ This bit of code has been around since approximately 2005, and has been in "mini
|
|||||||
* allowing for an external sort once the data is shown to be larger than X, and/or
|
* allowing for an external sort once the data is shown to be larger than X, and/or
|
||||||
* allowing for a memory-constrained internal sort that uses disk, and/or,
|
* allowing for a memory-constrained internal sort that uses disk, and/or,
|
||||||
* figuring out how to let the JVM use *a lot* of memory.
|
* figuring out how to let the JVM use *a lot* of memory.
|
||||||
* Add support for algorithm 16, perhaps refactor algorithm 15 support using bouncycastle.
|
|
||||||
* Note that our current dnsjava version, 3.5.1 has some support, although it isn't clear if it has sign/verify support.
|
|
||||||
|
32
README.md
32
README.md
@ -8,9 +8,13 @@ This is a collection of DNSSEC tools written in Java. They are intended to be a
|
|||||||
|
|
||||||
These tools depend upon DNSjava (<https://github.com/dnsjava/dnsjava>), the Jakarta Commons CLI and Logging libraries (<https://commons.apache.org/proper/commons-cli>), slf4j (<https://www.slf4j.org>), and Sun's Java Cryptography extensions. A copy of each of these libraries is included in the distribution.
|
These tools depend upon DNSjava (<https://github.com/dnsjava/dnsjava>), the Jakarta Commons CLI and Logging libraries (<https://commons.apache.org/proper/commons-cli>), slf4j (<https://www.slf4j.org>), and Sun's Java Cryptography extensions. A copy of each of these libraries is included in the distribution.
|
||||||
|
|
||||||
See the "licenses" directory for the licensing information of this package and the other packages that are distributed with it.
|
See the "[licenses](https://github.com/dblacka/jdnssec-tools/tree/master/licenses)" directory for the licensing information of this package and the other packages that are distributed with it.
|
||||||
|
|
||||||
Getting started:
|
## Getting Started
|
||||||
|
|
||||||
|
### Using the binary distribution
|
||||||
|
|
||||||
|
The binary distributions can be downloaded from the [releases](https://github.com/dblacka/jdnssec-tools/releases) page. To use it;
|
||||||
|
|
||||||
1. Unpack the binary distribution:
|
1. Unpack the binary distribution:
|
||||||
|
|
||||||
@ -21,9 +25,11 @@ Getting started:
|
|||||||
cd java-dnssec-tools-x.x.x
|
cd java-dnssec-tools-x.x.x
|
||||||
./bin/jdnssec-signzone -h
|
./bin/jdnssec-signzone -h
|
||||||
|
|
||||||
Building from source:
|
### Building from source
|
||||||
|
|
||||||
1. Unpack the source distribution, preferably into the same directory that the binary distribution was unpacked.
|
There is a source distribution also downloadable from the [releases](https://github.com/dblacka/jdnssec-tools/releases) page, but this should work with a clone of this repo.
|
||||||
|
|
||||||
|
1. (If downloaded) Unpack the source distribution, preferably into the same directory that the binary distribution was unpacked.
|
||||||
|
|
||||||
tar zxvf java-dnssec-tools-x.x.x-src.tar.gz
|
tar zxvf java-dnssec-tools-x.x.x-src.tar.gz
|
||||||
|
|
||||||
@ -32,17 +38,19 @@ Building from source:
|
|||||||
|
|
||||||
ant
|
ant
|
||||||
|
|
||||||
4. You can build the distribution tarballs with 'ant dist'. You can run the tools directly from the build area (without building the jdnssec-tools.jar file) by using the ./bin/\_jdnssec_* wrappers.
|
4. You can build the distribution tarballs with 'ant dist', although the main `ant` build command will have built the primary jar file.
|
||||||
|
|
||||||
5. Alternatively, build the project using gradle:
|
|
||||||
|
|
||||||
gradlew clean
|
|
||||||
gradlew assemble -i
|
|
||||||
|
|
||||||
The resulting jar file gets generated in build/libs.
|
|
||||||
|
|
||||||
The source for this project is available in git on github: <https://github.com/dblacka/jdnssec-tools>
|
The source for this project is available in git on github: <https://github.com/dblacka/jdnssec-tools>
|
||||||
|
|
||||||
|
### Using the one-jar distribution
|
||||||
|
|
||||||
|
As of version 0.20, there is a one-jar (aka an executable jar) as part of the distribution. It can also be downloaded from the [releases](https://github.com/dblacka/jdnssec-tools/releases) page.
|
||||||
|
|
||||||
|
1. Fetch the one-jar distribution.
|
||||||
|
2. Invoke with `java -jar jdnssec-tools-x.x.x.jar`
|
||||||
|
|
||||||
|
java -jar jdnssec-tools-x.x.x.jar signzone -h
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
Questions or comments may be directed to the author (<mailto:davidb@verisign.com>), or by creating issues in the [github issue tracker](https://github.com/dblacka/jdnssec-tools/issues).
|
Questions or comments may be directed to the author (<mailto:davidb@verisign.com>), or by creating issues in the [github issue tracker](https://github.com/dblacka/jdnssec-tools/issues).
|
||||||
|
@ -1,19 +0,0 @@
|
|||||||
#! /bin/sh
|
|
||||||
|
|
||||||
thisdir=`dirname $0`
|
|
||||||
basedir=`cd $thisdir/..; pwd`
|
|
||||||
|
|
||||||
ulimit_max=`ulimit -H -n`
|
|
||||||
if [ $ulimit_max != "unlimited" ]; then
|
|
||||||
ulimit -n $ulimit_max
|
|
||||||
fi
|
|
||||||
|
|
||||||
# set the classpath
|
|
||||||
CLASSPATH=$CLASSPATH:$basedir/build/classes
|
|
||||||
|
|
||||||
for i in $basedir/lib/*.jar $basedir/lib/*.zip; do
|
|
||||||
CLASSPATH="$CLASSPATH":"$i"
|
|
||||||
done
|
|
||||||
export CLASSPATH
|
|
||||||
|
|
||||||
exec java com.verisignlabs.dnssec.cl.DSTool "$@"
|
|
@ -1,19 +0,0 @@
|
|||||||
#! /bin/sh
|
|
||||||
|
|
||||||
thisdir=`dirname $0`
|
|
||||||
basedir=`cd $thisdir/..; pwd`
|
|
||||||
|
|
||||||
ulimit_max=`ulimit -H -n`
|
|
||||||
if [ $ulimit_max != "unlimited" ]; then
|
|
||||||
ulimit -n $ulimit_max
|
|
||||||
fi
|
|
||||||
|
|
||||||
# set the classpath
|
|
||||||
CLASSPATH=$CLASSPATH:$basedir/build/classes
|
|
||||||
|
|
||||||
for i in $basedir/lib/*.jar $basedir/lib/*.zip; do
|
|
||||||
CLASSPATH="$CLASSPATH":"$i"
|
|
||||||
done
|
|
||||||
export CLASSPATH
|
|
||||||
|
|
||||||
exec java com.verisignlabs.dnssec.cl.KeyGen "$@"
|
|
@ -1,19 +0,0 @@
|
|||||||
#! /bin/sh
|
|
||||||
|
|
||||||
thisdir=`dirname $0`
|
|
||||||
basedir=`cd $thisdir/..; pwd`
|
|
||||||
|
|
||||||
ulimit_max=`ulimit -H -n`
|
|
||||||
if [ $ulimit_max != "unlimited" ]; then
|
|
||||||
ulimit -n $ulimit_max
|
|
||||||
fi
|
|
||||||
|
|
||||||
# set the classpath
|
|
||||||
CLASSPATH=$CLASSPATH:$basedir/build/classes
|
|
||||||
|
|
||||||
for i in $basedir/lib/*.jar $basedir/lib/*.zip; do
|
|
||||||
CLASSPATH="$CLASSPATH":"$i"
|
|
||||||
done
|
|
||||||
export CLASSPATH
|
|
||||||
|
|
||||||
exec java com.verisignlabs.dnssec.cl.KeyInfoTool "$@"
|
|
@ -1,19 +0,0 @@
|
|||||||
#! /bin/sh
|
|
||||||
|
|
||||||
thisdir=`dirname $0`
|
|
||||||
basedir=`cd $thisdir/..; pwd`
|
|
||||||
|
|
||||||
ulimit_max=`ulimit -H -n`
|
|
||||||
if [ $ulimit_max != "unlimited" ]; then
|
|
||||||
ulimit -n $ulimit_max
|
|
||||||
fi
|
|
||||||
|
|
||||||
# set the classpath
|
|
||||||
CLASSPATH=$CLASSPATH:$basedir/build/classes
|
|
||||||
|
|
||||||
for i in $basedir/lib/*.jar $basedir/lib/*.zip; do
|
|
||||||
CLASSPATH="$CLASSPATH":"$i"
|
|
||||||
done
|
|
||||||
export CLASSPATH
|
|
||||||
|
|
||||||
exec java com.verisignlabs.dnssec.cl.SignKeyset "$@"
|
|
@ -1,19 +0,0 @@
|
|||||||
#! /bin/sh
|
|
||||||
|
|
||||||
thisdir=`dirname $0`
|
|
||||||
basedir=`cd $thisdir/..; pwd`
|
|
||||||
|
|
||||||
ulimit_max=`ulimit -H -n`
|
|
||||||
if [ $ulimit_max != "unlimited" ]; then
|
|
||||||
ulimit -n $ulimit_max
|
|
||||||
fi
|
|
||||||
|
|
||||||
# set the classpath
|
|
||||||
CLASSPATH=$CLASSPATH:$basedir/build/classes
|
|
||||||
|
|
||||||
for i in $basedir/lib/*.jar $basedir/lib/*.zip; do
|
|
||||||
CLASSPATH="$CLASSPATH":"$i"
|
|
||||||
done
|
|
||||||
export CLASSPATH
|
|
||||||
|
|
||||||
exec java com.verisignlabs.dnssec.cl.SignZone "$@"
|
|
@ -1,19 +0,0 @@
|
|||||||
#! /bin/sh
|
|
||||||
|
|
||||||
thisdir=`dirname $0`
|
|
||||||
basedir=`cd $thisdir/..; pwd`
|
|
||||||
|
|
||||||
ulimit_max=`ulimit -H -n`
|
|
||||||
if [ $ulimit_max != "unlimited" ]; then
|
|
||||||
ulimit -n $ulimit_max
|
|
||||||
fi
|
|
||||||
|
|
||||||
# set the classpath
|
|
||||||
CLASSPATH=$CLASSPATH:$basedir/build/classes
|
|
||||||
|
|
||||||
for i in $basedir/lib/*.jar $basedir/lib/*.zip; do
|
|
||||||
CLASSPATH="$CLASSPATH":"$i"
|
|
||||||
done
|
|
||||||
export CLASSPATH
|
|
||||||
|
|
||||||
exec java com.verisignlabs.dnssec.cl.VerifyZone "$@"
|
|
@ -1,19 +0,0 @@
|
|||||||
#! /bin/sh
|
|
||||||
|
|
||||||
thisdir=`dirname $0`
|
|
||||||
basedir=`cd $thisdir/..; pwd`
|
|
||||||
|
|
||||||
ulimit_max=`ulimit -H -n`
|
|
||||||
if [ $ulimit_max != "unlimited" ]; then
|
|
||||||
ulimit -n $ulimit_max
|
|
||||||
fi
|
|
||||||
|
|
||||||
# set the classpath
|
|
||||||
CLASSPATH=$CLASSPATH:$basedir/build/classes
|
|
||||||
|
|
||||||
for i in $basedir/lib/*.jar $basedir/lib/*.zip; do
|
|
||||||
CLASSPATH="$CLASSPATH":"$i"
|
|
||||||
done
|
|
||||||
export CLASSPATH
|
|
||||||
|
|
||||||
exec java com.verisignlabs.dnssec.cl.ZoneFormat "$@"
|
|
22
bin/jdnssec-tools
Executable file
22
bin/jdnssec-tools
Executable file
@ -0,0 +1,22 @@
|
|||||||
|
#! /bin/sh
|
||||||
|
|
||||||
|
thisdir=$(dirname $0)
|
||||||
|
basedir=$(cd $thisdir/.. || exit; pwd)
|
||||||
|
|
||||||
|
ulimit_max=$(ulimit -H -n)
|
||||||
|
if [ $ulimit_max != "unlimited" ]; then
|
||||||
|
ulimit -n $ulimit_max
|
||||||
|
fi
|
||||||
|
|
||||||
|
# set the classpath
|
||||||
|
for i in "$basedir"/lib/*.jar "$basedir"/lib/*.zip "$basedir"/build/libs/*.jar; do
|
||||||
|
if ! [ -f $i ]; then continue; fi
|
||||||
|
if [ -z "$CLASSPATH" ]; then
|
||||||
|
CLASSPATH=$i
|
||||||
|
else
|
||||||
|
CLASSPATH="$CLASSPATH":"$i"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
export CLASSPATH
|
||||||
|
|
||||||
|
exec java com.verisignlabs.dnssec.cl.CLI "$@"
|
87
build.xml
87
build.xml
@ -10,18 +10,20 @@
|
|||||||
|
|
||||||
-->
|
-->
|
||||||
|
|
||||||
<project default="compile" basedir=".">
|
<project default="build" basedir=".">
|
||||||
|
|
||||||
<property file="build.properties" />
|
<property file="build.properties" />
|
||||||
<property file="VERSION" />
|
<property file="VERSION" />
|
||||||
|
|
||||||
<property name="sectools-distname" value="jdnssec-tools-${version}" />
|
|
||||||
|
|
||||||
<property name="build.dir" value="build" />
|
<property name="build.dir" value="build" />
|
||||||
<property name="build.dest" value="${build.dir}/classes" />
|
<property name="build.dest" value="${build.dir}/classes" />
|
||||||
<property name="build.lib.dest" value="${build.dir}/libs" />
|
<property name="build.lib.dest" value="${build.dir}/libs" />
|
||||||
<property name="build.src" value="src/main/java" />
|
<property name="build.src" value="src/main/java" />
|
||||||
|
|
||||||
|
<property name="dist.dir" value="dist"/>
|
||||||
|
<property name="dist.name" value="jdnssec-tools-${version}" />
|
||||||
|
|
||||||
<property name="packages" value="com.verisignlabs.dnssec.*" />
|
<property name="packages" value="com.verisignlabs.dnssec.*" />
|
||||||
<property name="doc.dir" value="docs" />
|
<property name="doc.dir" value="docs" />
|
||||||
<property name="javadoc.dest" value="${doc.dir}/javadoc" />
|
<property name="javadoc.dest" value="${doc.dir}/javadoc" />
|
||||||
@ -33,6 +35,7 @@
|
|||||||
<pathelement location="${build.dest}" />
|
<pathelement location="${build.dest}" />
|
||||||
<fileset dir="${lib.dir}" includes="*.jar,*.zip" />
|
<fileset dir="${lib.dir}" includes="*.jar,*.zip" />
|
||||||
</path>
|
</path>
|
||||||
|
|
||||||
<property name="project.classpath" refid="project.classpath" />
|
<property name="project.classpath" refid="project.classpath" />
|
||||||
|
|
||||||
<target name="prepare-src">
|
<target name="prepare-src">
|
||||||
@ -40,7 +43,7 @@
|
|||||||
<mkdir dir="${build.lib.dest}" />
|
<mkdir dir="${build.lib.dest}" />
|
||||||
</target>
|
</target>
|
||||||
|
|
||||||
<target name="sectools" depends="prepare-src" >
|
<target name="compile" depends="prepare-src" >
|
||||||
<javac srcdir="${build.src}"
|
<javac srcdir="${build.src}"
|
||||||
destdir="${build.dest}"
|
destdir="${build.dest}"
|
||||||
classpathref="project.classpath"
|
classpathref="project.classpath"
|
||||||
@ -51,14 +54,29 @@
|
|||||||
release="${build.java_version}" />
|
release="${build.java_version}" />
|
||||||
</target>
|
</target>
|
||||||
|
|
||||||
<target name="sectools-jar" depends="usage,sectools">
|
<target name="build-jar" depends="usage, compile">
|
||||||
<jar jarfile="${build.lib.dest}/jdnssec-tools.jar"
|
<jar jarfile="${build.lib.dest}/jdnssec-tools.jar"
|
||||||
basedir="${build.dest}"
|
basedir="${build.dest}"
|
||||||
includes="com/verisignlabs/dnssec/" />
|
includes="com/verisignlabs/dnssec/" />
|
||||||
</target>
|
</target>
|
||||||
|
|
||||||
<target name="compile"
|
<target name="build"
|
||||||
depends="usage,sectools-jar">
|
depends="usage,build-jar">
|
||||||
|
</target>
|
||||||
|
|
||||||
|
<target name="build-onejar" depends="compile">
|
||||||
|
<jar destfile="${dist.dir}/${dist.name}.jar">
|
||||||
|
<zipfileset dir="${build.dest}" includes="**/*.class" />
|
||||||
|
|
||||||
|
<zipfileset src="${lib.dir}/dnsjava-3.5.3.jar" />
|
||||||
|
<zipfileset src="${lib.dir}/commons-cli-1.6.0.jar" />
|
||||||
|
<zipfileset src="${lib.dir}/slf4j-api-1.7.36.jar" />
|
||||||
|
<zipfileset src="${lib.dir}/slf4j-simple-1.7.36.jar" />
|
||||||
|
<manifest>
|
||||||
|
<attribute name="Main-Class"
|
||||||
|
value="com.verisignlabs.dnssec.cl.CLI" />
|
||||||
|
</manifest>
|
||||||
|
</jar>
|
||||||
</target>
|
</target>
|
||||||
|
|
||||||
<target name="javadoc" depends="usage">
|
<target name="javadoc" depends="usage">
|
||||||
@ -75,16 +93,21 @@
|
|||||||
</javadoc>
|
</javadoc>
|
||||||
</target>
|
</target>
|
||||||
|
|
||||||
|
|
||||||
<target name="clean" depends="usage">
|
<target name="clean" depends="usage">
|
||||||
<delete dir="${build.dest}" />
|
<delete dir="${build.dest}" />
|
||||||
<delete dir="${build.lib.dest}" />
|
<delete dir="${build.lib.dest}" />
|
||||||
|
<delete dir="${dist.dir}" />
|
||||||
</target>
|
</target>
|
||||||
|
|
||||||
<target name="sectools-dist-prepare" depends="usage, compile, javadoc">
|
<target name="dist-clean" depends="usage">
|
||||||
<mkdir dir="${sectools-distname}" />
|
<delete dir="${dist.name}" />
|
||||||
|
</target>
|
||||||
|
|
||||||
<copy todir="${sectools-distname}">
|
<target name="dist-prepare" depends="usage, build, javadoc">
|
||||||
|
<mkdir dir="${dist.dir}" />
|
||||||
|
<mkdir dir="${dist.name}" />
|
||||||
|
|
||||||
|
<copy todir="${dist.name}">
|
||||||
<fileset dir=".">
|
<fileset dir=".">
|
||||||
<include name="bin/jdnssec-*" />
|
<include name="bin/jdnssec-*" />
|
||||||
<include name="lib/*.jar" />
|
<include name="lib/*.jar" />
|
||||||
@ -99,37 +122,33 @@
|
|||||||
</fileset>
|
</fileset>
|
||||||
</copy>
|
</copy>
|
||||||
|
|
||||||
<copy todir="${sectools-distname}/lib">
|
<copy todir="${dist.name}/lib">
|
||||||
<fileset dir="${build.lib.dest}">
|
<fileset dir="${build.lib.dest}">
|
||||||
<include name="*.jar" />
|
<include name="*.jar" />
|
||||||
</fileset>
|
</fileset>
|
||||||
</copy>
|
</copy>
|
||||||
</target>
|
</target>
|
||||||
|
|
||||||
<target name="sectools-dist-clean">
|
|
||||||
<delete dir="${sectools-distname}" />
|
|
||||||
</target>
|
|
||||||
|
|
||||||
<patternset id="exec.files">
|
<patternset id="exec.files">
|
||||||
<include name="${sectools-distname}/bin/jdnssec-*" />
|
<include name="${dist.name}/bin/jdnssec-*" />
|
||||||
</patternset>
|
</patternset>
|
||||||
|
|
||||||
<patternset id="src.files">
|
<patternset id="src.files">
|
||||||
<include name="${sectools-distname}/src/" />
|
<include name="${dist.name}/src/" />
|
||||||
<include name="${sectools-distname}/build.xml" />
|
<include name="${dist.name}/build.xml" />
|
||||||
<include name="${sectools-distname}/build.properties" />
|
<include name="${dist.name}/build.properties" />
|
||||||
</patternset>
|
</patternset>
|
||||||
|
|
||||||
<patternset id="bin.files">
|
<patternset id="bin.files">
|
||||||
<include name="${sectools-distname}/doc/" />
|
<include name="${dist.name}/doc/" />
|
||||||
<include name="${sectools-distname}/lib/" />
|
<include name="${dist.name}/lib/" />
|
||||||
<include name="${sectools-distname}/licenses/" />
|
<include name="${dist.name}/licenses/" />
|
||||||
<include name="${sectools-distname}/VERSION" />
|
<include name="${dist.name}/VERSION" />
|
||||||
<include name="${sectools-distname}/README" />
|
<include name="${dist.name}/README" />
|
||||||
</patternset>
|
</patternset>
|
||||||
|
|
||||||
<target name="sectools-bin-dist" depends="sectools-dist-prepare">
|
<target name="bin-dist" depends="dist-prepare">
|
||||||
<tar destfile="${sectools-distname}.tar.gz" compression="gzip">
|
<tar destfile="${dist.dir}/${dist.name}.tar.gz" compression="gzip">
|
||||||
<tarfileset mode="755" dir=".">
|
<tarfileset mode="755" dir=".">
|
||||||
<patternset refid="exec.files" />
|
<patternset refid="exec.files" />
|
||||||
</tarfileset>
|
</tarfileset>
|
||||||
@ -139,21 +158,16 @@
|
|||||||
</tar>
|
</tar>
|
||||||
</target>
|
</target>
|
||||||
|
|
||||||
<target name="sectools-src-dist" depends="sectools-dist-prepare">
|
<target name="src-dist" depends="dist-prepare">
|
||||||
<tar destfile="${sectools-distname}-src.tar.gz"
|
<tar destfile="${dist.dir}/${dist.name}-src.tar.gz" compression="gzip">
|
||||||
compression="gzip">
|
|
||||||
<tarfileset dir=".">
|
<tarfileset dir=".">
|
||||||
<patternset refid="src.files" />
|
<patternset refid="src.files" />
|
||||||
</tarfileset>
|
</tarfileset>
|
||||||
</tar>
|
</tar>
|
||||||
</target>
|
</target>
|
||||||
|
|
||||||
<target name="sectools-dist"
|
<target name="dist"
|
||||||
depends="sectools-bin-dist,sectools-src-dist, sectools-dist-clean">
|
depends="bin-dist, src-dist, build-onejar, dist-clean">
|
||||||
</target>
|
|
||||||
|
|
||||||
|
|
||||||
<target name="dist" depends="sectools-dist">
|
|
||||||
</target>
|
</target>
|
||||||
|
|
||||||
<target name="usage">
|
<target name="usage">
|
||||||
@ -161,10 +175,11 @@
|
|||||||
<echo message="jdnssec-tools v. ${version} Build System" />
|
<echo message="jdnssec-tools v. ${version} Build System" />
|
||||||
<echo message="--------------------------------" />
|
<echo message="--------------------------------" />
|
||||||
<echo message="Available Targets:" />
|
<echo message="Available Targets:" />
|
||||||
<echo message=" compile (default) - compiles the source code, creates jar" />
|
<echo message=" build (default) - compiles the source code, creates main jar" />
|
||||||
<echo message=" javadoc - create javadoc from source" />
|
<echo message=" javadoc - create javadoc from source" />
|
||||||
<echo message=" clean - delete class files" />
|
<echo message=" clean - delete class files" />
|
||||||
<echo message=" dist - package it up" />
|
<echo message=" dist - package it up" />
|
||||||
|
<echo message=" onejar - build the executable jar" />
|
||||||
<echo message=" usage - this help message" />
|
<echo message=" usage - this help message" />
|
||||||
<echo message=" " />
|
<echo message=" " />
|
||||||
</target>
|
</target>
|
||||||
|
93
jdnssec-tools.properties.example
Normal file
93
jdnssec-tools.properties.example
Normal file
@ -0,0 +1,93 @@
|
|||||||
|
# An example properties file for jdnssec-tools
|
||||||
|
# Properties may be be scoped by the tool name, which is the name minus "jdnssec-"
|
||||||
|
# If unscoped, the same named property will be used by multiple tools
|
||||||
|
|
||||||
|
# Common properties
|
||||||
|
|
||||||
|
# log_level = warning
|
||||||
|
# verbose = true # same as log_level = fine (true) or log_level = warning (false)
|
||||||
|
# multiline = false
|
||||||
|
|
||||||
|
# algorithm aliasing is <scope>.alias.<new-mnemonic> = <orig-alg-id>:<alias-alg-id>
|
||||||
|
# alias.NEWALG = 8:100
|
||||||
|
|
||||||
|
# jdnssec-dstool properties
|
||||||
|
|
||||||
|
## These are all equivalent. Unscoped properties might apply to other tools
|
||||||
|
# dstool.digest_algorithm = 4
|
||||||
|
# digest_algorithm = 4 # applies to jdnssec-signzone, too
|
||||||
|
# dstool.digest_id = 4
|
||||||
|
|
||||||
|
# jdnssec-keygen properties
|
||||||
|
|
||||||
|
# keygen.use_large_exponent = true
|
||||||
|
# keygen.key_directory = .
|
||||||
|
# key_directory = /path/to/dnskey_files # applies to jdnssec-sign*
|
||||||
|
# keygen.algorithm = ED448
|
||||||
|
# keygen.keylength = 2048
|
||||||
|
# keygen.keylen = 2048 # same thing
|
||||||
|
# keygen.ttl = 3600
|
||||||
|
|
||||||
|
# jdnssec-keyinfotool
|
||||||
|
|
||||||
|
# no additional keys
|
||||||
|
|
||||||
|
# jdnssec-signkeyset
|
||||||
|
|
||||||
|
# signkeyset.verify = false
|
||||||
|
# signkeyset.key_directory = .
|
||||||
|
# signkeyset.start = -300
|
||||||
|
# signkeyset.inception = 1712424863
|
||||||
|
# signkeyset.expire = +604800
|
||||||
|
|
||||||
|
# jdnssec-signrrset
|
||||||
|
|
||||||
|
# signrrset.verify_signatures = false
|
||||||
|
# signrrset.verify = false # same thing
|
||||||
|
# signrrset.key_directory = .
|
||||||
|
# signrrset.start = now
|
||||||
|
# signrrset.inception = now # same thing
|
||||||
|
# signrrset.expire = now+3600
|
||||||
|
|
||||||
|
# jdnssec-signzone
|
||||||
|
|
||||||
|
# signzone.verify_signatures = false
|
||||||
|
# signzone.verify = false # same thing
|
||||||
|
# signzone.use_nsec3 = false
|
||||||
|
# signzone.nsec3 = false # same thing
|
||||||
|
# signzone.use_opt_out = false
|
||||||
|
# signzone.opt_out = false # same thing
|
||||||
|
# signzone.verbose_signing = false
|
||||||
|
# signzone.fully_sign_keyset = false
|
||||||
|
# signzone.fully_sign = false # same thing
|
||||||
|
# signzone.key_directory = .
|
||||||
|
# signzone.keydir = . # same thing
|
||||||
|
# signzone.start = now
|
||||||
|
# signzone.inception = now
|
||||||
|
# signzone.expire = now+3600
|
||||||
|
# signzone.nsec3_salt = DEADBEEF
|
||||||
|
# signzone.salt = DEADBEEF # same thing
|
||||||
|
# signzone.nsec3_random_salt_length = 6
|
||||||
|
# signzone.nsec3_salt_length = 6 # same thing
|
||||||
|
# signzone.random_salt_length = 6 # same thing
|
||||||
|
# signzone.nsec3_iterations = 0
|
||||||
|
# signzone.iterations = 0 # same thing
|
||||||
|
# signzone.digest_algorithm = 4
|
||||||
|
# signzone.digest_id = 4 # same thing
|
||||||
|
# signzone.nsec3param_ttl = 86400
|
||||||
|
# signzone.include_names_file = /path/to/include-names
|
||||||
|
# signzone.include_names = /path/to/include-names # same thing
|
||||||
|
|
||||||
|
# jdnssec-verifyzone
|
||||||
|
|
||||||
|
# verifyzone.ignore_time = false
|
||||||
|
# verifyzone.ignore_duplicate_rrs = false
|
||||||
|
# verifyzone.ignore_duplicates = false # same thing
|
||||||
|
# verifyzone.start_fudge = 0
|
||||||
|
# verifyzone.expire_fudge = 0
|
||||||
|
# verifyzone.current_time = now
|
||||||
|
|
||||||
|
# jdnssec-zoneformat
|
||||||
|
|
||||||
|
# zoneformat.assign_nsec3_owners = false
|
||||||
|
# zoneformat.assign_owners = false # same thing
|
@ -17,11 +17,11 @@
|
|||||||
|
|
||||||
package com.verisignlabs.dnssec.cl;
|
package com.verisignlabs.dnssec.cl;
|
||||||
|
|
||||||
|
import java.io.File;
|
||||||
|
import java.io.FileInputStream;
|
||||||
|
import java.io.IOException;
|
||||||
import java.io.PrintWriter;
|
import java.io.PrintWriter;
|
||||||
import java.text.SimpleDateFormat;
|
import java.util.Properties;
|
||||||
import java.time.Instant;
|
|
||||||
import java.util.Date;
|
|
||||||
import java.util.TimeZone;
|
|
||||||
import java.util.logging.Formatter;
|
import java.util.logging.Formatter;
|
||||||
import java.util.logging.Handler;
|
import java.util.logging.Handler;
|
||||||
import java.util.logging.Level;
|
import java.util.logging.Level;
|
||||||
@ -48,8 +48,19 @@ import com.verisignlabs.dnssec.security.DnsKeyAlgorithm;
|
|||||||
* subclass variant of the CLIState and call run().
|
* subclass variant of the CLIState and call run().
|
||||||
*/
|
*/
|
||||||
public abstract class CLBase {
|
public abstract class CLBase {
|
||||||
protected static Logger staticLog = Logger.getLogger(CLBase.class.getName());
|
protected Logger log = Logger.getLogger(this.getClass().toString());
|
||||||
protected Logger log;
|
protected Options opts;
|
||||||
|
protected String name;
|
||||||
|
protected String usageStr;
|
||||||
|
protected Properties props;
|
||||||
|
protected CommandLine cli;
|
||||||
|
|
||||||
|
protected CLBase(String name, String usageStr) {
|
||||||
|
this.name = name;
|
||||||
|
this.usageStr = usageStr;
|
||||||
|
|
||||||
|
setup();
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This is a very simple log formatter that simply outputs the log level and
|
* This is a very simple log formatter that simply outputs the log level and
|
||||||
@ -70,136 +81,151 @@ public abstract class CLBase {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* This is a base class for command line parsing state. Subclasses should
|
|
||||||
* override setupOptions and processOptions.
|
|
||||||
*/
|
|
||||||
public static class CLIStateBase {
|
|
||||||
protected Options opts;
|
|
||||||
protected String usageStr;
|
|
||||||
|
|
||||||
/**
|
|
||||||
* The base constructor. This will setup the command line options.
|
|
||||||
*
|
|
||||||
* @param usage
|
|
||||||
* The command line usage string (e.g.,
|
|
||||||
* "jdnssec-foo [..options..] zonefile")
|
|
||||||
*/
|
|
||||||
public CLIStateBase(String usage) {
|
|
||||||
usageStr = usage;
|
|
||||||
setup();
|
|
||||||
}
|
|
||||||
|
|
||||||
/** This is the base set of command line options provided to all subclasses. */
|
/** This is the base set of command line options provided to all subclasses. */
|
||||||
private void setup() {
|
private void setupCommonOptions() {
|
||||||
// Set up the standard set of options that all jdnssec command line tools will
|
// Set up the standard set of options that all jdnssec command line tools will
|
||||||
// implement.
|
// implement.
|
||||||
opts = new Options();
|
|
||||||
|
|
||||||
// boolean options
|
// boolean options
|
||||||
opts.addOption("h", "help", false, "Print this message.");
|
opts.addOption("h", "help", false, "Print this message.");
|
||||||
opts.addOption("m", "multiline", false,
|
opts.addOption("m", "multiline", false,
|
||||||
"Output DNS records using 'multiline' format");
|
"Output DNS records using 'multiline' format");
|
||||||
|
|
||||||
opts.addOption(Option.builder("v").longOpt("verbose").argName("level").hasArg().desc(
|
opts.addOption(Option.builder("l").longOpt("log-level").argName("level").hasArg()
|
||||||
"verbosity level -- 0: silence, 1: error, 2: warning, 3: info, 4/5: fine, 6: finest; default: 2 (warning)")
|
.desc("set the logging level with either java.util.logging levels, or 0-6").build());
|
||||||
.build());
|
opts.addOption(Option.builder("v").longOpt("verbose").desc(
|
||||||
|
"set as verbose (log-level = fine)").build());
|
||||||
|
|
||||||
|
opts.addOption(Option.builder("c").longOpt("config").argName("file").hasArg()
|
||||||
|
.desc("configuration file (format: java properties)").build());
|
||||||
|
|
||||||
opts.addOption(Option.builder("A").hasArg().argName("alias:original:mnemonic").longOpt("alg-alias")
|
opts.addOption(Option.builder("A").hasArg().argName("alias:original:mnemonic").longOpt("alg-alias")
|
||||||
.desc("Define an alias for an algorithm").build());
|
.desc("Define an alias for an algorithm").build());
|
||||||
|
|
||||||
setupOptions(opts);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This is an overridable method for subclasses to add their own command
|
* This is an overridable method for subclasses to add their own command line
|
||||||
* line options.
|
|
||||||
*
|
|
||||||
* @param opts
|
|
||||||
* the options object to add (via OptionBuilder, typically) new
|
|
||||||
* options to.
|
|
||||||
*/
|
|
||||||
protected void setupOptions(Options opts) {
|
|
||||||
// Subclasses generally override this.
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* This is the main method for parsing the command line arguments.
|
|
||||||
* Subclasses generally override processOptions() rather than this method.
|
|
||||||
* This method create the parsing objects and processes the standard
|
|
||||||
* options.
|
* options.
|
||||||
*
|
|
||||||
* @param args
|
|
||||||
* The command line arguments.
|
|
||||||
* @throws ParseException
|
|
||||||
*/
|
*/
|
||||||
public void parseCommandLine(String[] args) throws ParseException {
|
protected abstract void setupOptions();
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Initialize the command line options
|
||||||
|
*/
|
||||||
|
public void setup() {
|
||||||
|
opts = new Options();
|
||||||
|
setupCommonOptions();
|
||||||
|
setupOptions();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This is the main method for parsing the command line arguments. Subclasses
|
||||||
|
* generally override processOptions() rather than this method. This method
|
||||||
|
* creates the parsing objects and processes the common options.
|
||||||
|
*
|
||||||
|
* @param args The command line arguments.
|
||||||
|
*/
|
||||||
|
public void parseCommandLine(String[] args) {
|
||||||
|
String[] logLevelOptionKeys = { "log_level", "log-level" };
|
||||||
|
String[] multilineOptionKeys = { "multiline" };
|
||||||
CommandLineParser parser = new DefaultParser();
|
CommandLineParser parser = new DefaultParser();
|
||||||
CommandLine cli = parser.parse(opts, args);
|
|
||||||
|
try {
|
||||||
|
cli = parser.parse(opts, args);
|
||||||
|
} catch (UnrecognizedOptionException e) {
|
||||||
|
fail("unknown option encountered: " + e.getMessage());
|
||||||
|
} catch (AlreadySelectedException e) {
|
||||||
|
fail("mutually exclusive options have been selected:\n " + e.getMessage());
|
||||||
|
} catch (ParseException e) {
|
||||||
|
fail("unable to parse command line: " + e);
|
||||||
|
}
|
||||||
|
|
||||||
if (cli.hasOption('h')) {
|
if (cli.hasOption('h')) {
|
||||||
usage();
|
usage();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
String loadedConfig = loadConfig(cli.getOptionValue('c'));
|
||||||
|
|
||||||
Logger rootLogger = Logger.getLogger("");
|
Logger rootLogger = Logger.getLogger("");
|
||||||
int value = parseInt(cli.getOptionValue('v'), -1);
|
|
||||||
|
|
||||||
switch (value) {
|
// we set log level with both --log-level and -v/--verbose.
|
||||||
case 0:
|
String logLevel = cliOption("log-level", logLevelOptionKeys, null);
|
||||||
rootLogger.setLevel(Level.OFF);
|
if (logLevel == null) {
|
||||||
break;
|
logLevel = cli.hasOption("v") ? "fine" : "warning";
|
||||||
case 1:
|
|
||||||
rootLogger.setLevel(Level.SEVERE);
|
|
||||||
break;
|
|
||||||
case 2:
|
|
||||||
default:
|
|
||||||
rootLogger.setLevel(Level.WARNING);
|
|
||||||
break;
|
|
||||||
case 3:
|
|
||||||
rootLogger.setLevel(Level.INFO);
|
|
||||||
break;
|
|
||||||
case 4:
|
|
||||||
rootLogger.setLevel(Level.CONFIG);
|
|
||||||
case 5:
|
|
||||||
rootLogger.setLevel(Level.FINE);
|
|
||||||
break;
|
|
||||||
case 6:
|
|
||||||
rootLogger.setLevel(Level.ALL);
|
|
||||||
break;
|
|
||||||
}
|
}
|
||||||
|
setLogLevel(rootLogger, logLevel);
|
||||||
|
|
||||||
// I hate java.util.logging, btw.
|
|
||||||
for (Handler h : rootLogger.getHandlers()) {
|
for (Handler h : rootLogger.getHandlers()) {
|
||||||
h.setLevel(rootLogger.getLevel());
|
h.setLevel(rootLogger.getLevel());
|
||||||
h.setFormatter(new BareLogFormatter());
|
h.setFormatter(new BareLogFormatter());
|
||||||
}
|
}
|
||||||
|
|
||||||
if (cli.hasOption('m')) {
|
if (loadedConfig != null) {
|
||||||
|
log.info("Loaded config file: " + loadedConfig);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (cliBooleanOption("m", multilineOptionKeys, false)) {
|
||||||
org.xbill.DNS.Options.set("multiline");
|
org.xbill.DNS.Options.set("multiline");
|
||||||
}
|
}
|
||||||
|
|
||||||
String[] optstrs = null;
|
processAliasOptions();
|
||||||
if ((optstrs = cli.getOptionValues('A')) != null) {
|
|
||||||
for (int i = 0; i < optstrs.length; i++) {
|
|
||||||
addArgAlias(optstrs[i]);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
processOptions(cli);
|
processOptions();
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Process additional tool-specific options. Subclasses generally override
|
* Process additional tool-specific options. Subclasses generally override
|
||||||
* this.
|
* this.
|
||||||
*
|
|
||||||
* @param cli
|
|
||||||
* The {@link CommandLine} object containing the parsed command
|
|
||||||
* line state.
|
|
||||||
*/
|
*/
|
||||||
protected void processOptions(CommandLine cli) throws ParseException {
|
protected abstract void processOptions();
|
||||||
// Subclasses generally override this.
|
|
||||||
|
/**
|
||||||
|
* Load a configuration (java properties) file for jdnssec-tools. Returns
|
||||||
|
* the path of the loaded file.
|
||||||
|
*
|
||||||
|
* @param configFile a given path to a config file. This will be considered
|
||||||
|
* first.
|
||||||
|
* @return The path of the file that was actually loaded, or null if no config
|
||||||
|
* file was loaded.
|
||||||
|
*/
|
||||||
|
protected String loadConfig(String configFile) {
|
||||||
|
// Do not load config files twice
|
||||||
|
if (props != null) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
props = new Properties();
|
||||||
|
String[] configFiles = { configFile, "jdnssec-tools.properties", ".jdnssec-tools.properties",
|
||||||
|
System.getProperty("user.home") + "/.jdnssec-tools.properties" };
|
||||||
|
|
||||||
|
File f = null;
|
||||||
|
|
||||||
|
for (String fname : configFiles) {
|
||||||
|
if (fname == null) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
f = new File(fname);
|
||||||
|
if (!f.canRead()) {
|
||||||
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
try (FileInputStream stream = new FileInputStream(f)) {
|
||||||
|
props.load(stream);
|
||||||
|
break; // load the first config file found in our list
|
||||||
|
} catch (IOException e) {
|
||||||
|
log.warning("Could not read config file " + f.getName() + ": " + e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (f != null) {
|
||||||
|
return f.getPath();
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
protected void fail(String errorMessage) {
|
||||||
|
log.severe(errorMessage);
|
||||||
|
System.exit(64);
|
||||||
|
}
|
||||||
/** Print out the usage and help statements, then quit. */
|
/** Print out the usage and help statements, then quit. */
|
||||||
public void usage() {
|
public void usage() {
|
||||||
HelpFormatter f = new HelpFormatter();
|
HelpFormatter f = new HelpFormatter();
|
||||||
@ -207,116 +233,167 @@ public abstract class CLBase {
|
|||||||
PrintWriter out = new PrintWriter(System.err);
|
PrintWriter out = new PrintWriter(System.err);
|
||||||
|
|
||||||
// print our own usage statement:
|
// print our own usage statement:
|
||||||
f.printHelp(out, 75, usageStr, null, opts, HelpFormatter.DEFAULT_LEFT_PAD,
|
f.printHelp(out, 120, usageStr, null, opts, HelpFormatter.DEFAULT_LEFT_PAD,
|
||||||
HelpFormatter.DEFAULT_DESC_PAD, null);
|
HelpFormatter.DEFAULT_DESC_PAD, null);
|
||||||
|
|
||||||
out.flush();
|
out.flush();
|
||||||
System.exit(64);
|
System.exit(0);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
protected void addArgAlias(String s) {
|
/**
|
||||||
if (s == null)
|
* Set the logging level based on a string value
|
||||||
return;
|
*
|
||||||
|
* @param logger The logger to set -- usually the rootLogger
|
||||||
|
* @param levelStr A level string that is either an integer from 0 to 6, or a
|
||||||
|
* java.util.logging log level string (severe, warning, info,
|
||||||
|
* fine, finer,
|
||||||
|
* finest).
|
||||||
|
*/
|
||||||
|
private void setLogLevel(Logger logger, String levelStr) {
|
||||||
|
Level level;
|
||||||
|
int internalLogLevel = Utils.parseInt(levelStr, -1);
|
||||||
|
if (internalLogLevel != -1) {
|
||||||
|
switch (internalLogLevel) {
|
||||||
|
case 0:
|
||||||
|
level = Level.OFF;
|
||||||
|
break;
|
||||||
|
case 1:
|
||||||
|
level = Level.SEVERE;
|
||||||
|
break;
|
||||||
|
case 2:
|
||||||
|
default:
|
||||||
|
level = Level.WARNING;
|
||||||
|
break;
|
||||||
|
case 3:
|
||||||
|
level = Level.INFO;
|
||||||
|
break;
|
||||||
|
case 4:
|
||||||
|
level = Level.FINE;
|
||||||
|
break;
|
||||||
|
case 5:
|
||||||
|
case 6:
|
||||||
|
level = Level.ALL;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
try {
|
||||||
|
level = Level.parse(levelStr.toUpperCase());
|
||||||
|
} catch (IllegalArgumentException e) {
|
||||||
|
System.err.println("Verbosity level '" + levelStr + "' not recognized");
|
||||||
|
level = Level.WARNING;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
logger.setLevel(level);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Process both property file based alias definitions and command line alias
|
||||||
|
* definitions
|
||||||
|
*/
|
||||||
|
protected void processAliasOptions() {
|
||||||
DnsKeyAlgorithm algs = DnsKeyAlgorithm.getInstance();
|
DnsKeyAlgorithm algs = DnsKeyAlgorithm.getInstance();
|
||||||
|
// First parse any command line options
|
||||||
|
// those look like '-A <alias-num>:<orig-num>:<mnemonic>', e.g., '-A
|
||||||
|
// 21:13:ECDSAP256-NSEC6'
|
||||||
|
String[] optstrs = null;
|
||||||
|
if ((optstrs = cli.getOptionValues('A')) != null) {
|
||||||
|
for (String value : optstrs) {
|
||||||
|
String[] valueComponents = value.split(":");
|
||||||
|
int aliasAlg = Utils.parseInt(valueComponents[0], -1);
|
||||||
|
int origAlg = Utils.parseInt(valueComponents[1], -1);
|
||||||
|
String mnemonic = valueComponents[2];
|
||||||
|
|
||||||
String[] v = s.split(":");
|
if (mnemonic != null && origAlg >= 0 && aliasAlg >= 0) {
|
||||||
if (v.length < 2)
|
algs.addAlias(aliasAlg, mnemonic, origAlg);
|
||||||
return;
|
}
|
||||||
|
|
||||||
int alias = parseInt(v[0], -1);
|
|
||||||
if (alias <= 0)
|
|
||||||
return;
|
|
||||||
int orig = parseInt(v[1], -1);
|
|
||||||
if (orig <= 0)
|
|
||||||
return;
|
|
||||||
String mn = null;
|
|
||||||
if (v.length > 2)
|
|
||||||
mn = v[2];
|
|
||||||
|
|
||||||
algs.addAlias(alias, mn, orig);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public static int parseInt(String s, int def) {
|
// Next see if we have any alias options in properties
|
||||||
try {
|
// Those look like 'signzone.alias.<alias-mnemonic> =
|
||||||
return Integer.parseInt(s);
|
// <orig-alg-num>:<alias-alg-num>'
|
||||||
} catch (NumberFormatException e) {
|
for (String key : props.stringPropertyNames()) {
|
||||||
return def;
|
if (key.startsWith(name + ".alias.") || key.startsWith("alias.")) {
|
||||||
}
|
String[] keyComponents = key.split("\\.");
|
||||||
}
|
String mnemonic = keyComponents[keyComponents.length - 1];
|
||||||
|
String[] valueComponents = props.getProperty(key).split(":");
|
||||||
|
int origAlg = Utils.parseInt(valueComponents[0], -1);
|
||||||
|
int aliasAlg = Utils.parseInt(valueComponents[1], -1);
|
||||||
|
|
||||||
public static long parseLong(String s, long def) {
|
if (mnemonic != null && origAlg >= 0 && aliasAlg >= 0) {
|
||||||
try {
|
algs.addAlias(aliasAlg, mnemonic, origAlg);
|
||||||
return Long.parseLong(s);
|
}
|
||||||
} catch (NumberFormatException e) {
|
}
|
||||||
return def;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Calculate a date/time from a command line time/offset duration string.
|
* Given a parsed command line, option, and list of possible config
|
||||||
|
* properties, and a default value, determine value for the option
|
||||||
*
|
*
|
||||||
* @param start
|
* @param option The option name
|
||||||
* the start time to calculate offsets from.
|
* @param properties A list of configuration parameters that we would like
|
||||||
* @param duration
|
* to use for this option, from most preferred to least.
|
||||||
* the time/offset string to parse.
|
* @param defaultValue A default value to return if either the option or
|
||||||
* @return the calculated time.
|
* config value cannot be parsed, or neither are present.
|
||||||
|
* @return The found value, or the default value.
|
||||||
*/
|
*/
|
||||||
public static Instant convertDuration(Instant start, String duration) throws ParseException {
|
protected String cliOption(String option, String[] properties, String defaultValue) {
|
||||||
if (start == null) {
|
if (cli.hasOption(option)) {
|
||||||
start = Instant.now();
|
return cli.getOptionValue(option);
|
||||||
|
}
|
||||||
|
for (String property : properties) {
|
||||||
|
// first look up the scoped version of the property
|
||||||
|
String value = props.getProperty(name + "." + property);
|
||||||
|
if (value != null) {
|
||||||
|
return value;
|
||||||
|
}
|
||||||
|
value = props.getProperty(property);
|
||||||
|
if (value != null) {
|
||||||
|
return value;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return defaultValue;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (duration.startsWith("now")) {
|
/**
|
||||||
start = Instant.now();
|
* Given a parsed command line, option, and list of possible config
|
||||||
if (duration.indexOf("+") < 0)
|
* properties, determine the value for the option, converting the value to
|
||||||
return start;
|
* long.
|
||||||
|
*/
|
||||||
duration = duration.substring(3);
|
protected long cliLongOption(String option, String[] properties, long defaultValue) {
|
||||||
|
String value = cliOption(option, properties, Long.toString(defaultValue));
|
||||||
|
return Utils.parseLong(value, defaultValue);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (duration.startsWith("+")) {
|
/**
|
||||||
long offset = parseLong(duration.substring(1), 0);
|
* Given a parsed command line, option, and list of possible config
|
||||||
return start.plusSeconds(offset);
|
* properties, determine the value for the option, converting the value to
|
||||||
|
* int.
|
||||||
|
*/
|
||||||
|
protected int cliIntOption(String option, String[] properties, int defaultValue) {
|
||||||
|
String value = cliOption(option, properties, Integer.toString(defaultValue));
|
||||||
|
return Utils.parseInt(value, defaultValue);
|
||||||
}
|
}
|
||||||
|
|
||||||
// This is a heuristic to distinguish UNIX epoch times from the zone file
|
/**
|
||||||
// format standard (which is length == 14)
|
* Given a parsed command line, option, and list of possible config
|
||||||
if (duration.length() <= 10) {
|
* properties, determine the value for the option, converting the value to
|
||||||
long epoch = parseLong(duration, 0);
|
* a boolean.
|
||||||
return Instant.ofEpochSecond(epoch);
|
*/
|
||||||
}
|
protected boolean cliBooleanOption(String option, String[] properties, boolean defaultValue) {
|
||||||
|
if (cli.hasOption(option)) {
|
||||||
SimpleDateFormat dateFormatter = new SimpleDateFormat("yyyyMMddHHmmss");
|
return true;
|
||||||
dateFormatter.setTimeZone(TimeZone.getTimeZone("GMT"));
|
|
||||||
try {
|
|
||||||
Date parsedDate = dateFormatter.parse(duration);
|
|
||||||
return parsedDate.toInstant();
|
|
||||||
} catch (java.text.ParseException e) {
|
|
||||||
throw new ParseException(e.getMessage());
|
|
||||||
}
|
}
|
||||||
|
String value = cliOption(option, properties, Boolean.toString(defaultValue));
|
||||||
|
return Boolean.parseBoolean(value);
|
||||||
}
|
}
|
||||||
|
|
||||||
public abstract void execute() throws Exception;
|
public abstract void execute() throws Exception;
|
||||||
|
|
||||||
public void run(CLIStateBase state, String[] args) {
|
public void run(String[] args) {
|
||||||
try {
|
|
||||||
state.parseCommandLine(args);
|
|
||||||
} catch (UnrecognizedOptionException e) {
|
|
||||||
System.err.println("error: unknown option encountered: " + e.getMessage());
|
|
||||||
state.usage();
|
|
||||||
} catch (AlreadySelectedException e) {
|
|
||||||
System.err.println("error: mutually exclusive options have "
|
|
||||||
+ "been selected:\n " + e.getMessage());
|
|
||||||
state.usage();
|
|
||||||
} catch (Exception e) {
|
|
||||||
System.err.println("error: unknown command line parsing exception:");
|
|
||||||
e.printStackTrace();
|
|
||||||
state.usage();
|
|
||||||
}
|
|
||||||
|
|
||||||
|
parseCommandLine(args);
|
||||||
log = Logger.getLogger(this.getClass().toString());
|
log = Logger.getLogger(this.getClass().toString());
|
||||||
|
|
||||||
try {
|
try {
|
||||||
|
84
src/main/java/com/verisignlabs/dnssec/cl/CLI.java
Normal file
84
src/main/java/com/verisignlabs/dnssec/cl/CLI.java
Normal file
@ -0,0 +1,84 @@
|
|||||||
|
package com.verisignlabs.dnssec.cl;
|
||||||
|
|
||||||
|
public class CLI {
|
||||||
|
private SubCommandType subCommand = null;
|
||||||
|
private String commandSetStr = null;
|
||||||
|
|
||||||
|
enum SubCommandType {
|
||||||
|
DSTOOL, KEYGEN, KEYINFO, SIGNKEYSET, SIGNRRSET, SIGNZONE, VERIFYZONE, ZONEFORMAT;
|
||||||
|
}
|
||||||
|
|
||||||
|
public CLI(String name, String usageStr) {
|
||||||
|
StringBuilder sb = new StringBuilder();
|
||||||
|
for (SubCommandType type : SubCommandType.class.getEnumConstants()) {
|
||||||
|
sb.append(type.toString().toLowerCase());
|
||||||
|
sb.append(" ");
|
||||||
|
}
|
||||||
|
commandSetStr = sb.toString().trim();
|
||||||
|
}
|
||||||
|
|
||||||
|
private void fail(String errorMessage){
|
||||||
|
System.err.println("ERROR: " + errorMessage);
|
||||||
|
System.exit(2);
|
||||||
|
}
|
||||||
|
|
||||||
|
public void run(String[] args) {
|
||||||
|
String[] subCommandArgs = null;
|
||||||
|
if (args.length < 1) {
|
||||||
|
fail("missing command: must be one of: " + commandSetStr);
|
||||||
|
}
|
||||||
|
|
||||||
|
String command = args[0];
|
||||||
|
if (command.equals("-h")) {
|
||||||
|
System.err.println("usage: jdnssec-tools <command> <command args..>");
|
||||||
|
System.err.println(" <command> is one of: " + commandSetStr);
|
||||||
|
System.exit(0);
|
||||||
|
}
|
||||||
|
|
||||||
|
try {
|
||||||
|
subCommand = SubCommandType.valueOf(command.toUpperCase());
|
||||||
|
} catch (IllegalArgumentException e) {
|
||||||
|
fail("unrecognized command '" + command + "': must be one of: " + commandSetStr);
|
||||||
|
}
|
||||||
|
subCommandArgs = new String[args.length - 1];
|
||||||
|
System.arraycopy(args, 1, subCommandArgs, 0, args.length - 1);
|
||||||
|
|
||||||
|
CLBase cmd = null;
|
||||||
|
|
||||||
|
switch(subCommand) {
|
||||||
|
case DSTOOL:
|
||||||
|
cmd = new DSTool("dstool", "jdnssec-tools dstool [..options..] keyfile [keyfile..]");
|
||||||
|
break;
|
||||||
|
case KEYGEN:
|
||||||
|
cmd = new KeyGen("keygen", "jdnssec-tools keygen [..options..] zonename");
|
||||||
|
break;
|
||||||
|
case KEYINFO:
|
||||||
|
cmd = new KeyInfoTool("keyinfotool", "jdnssec-tools keyinfo [..options..] keyfile");
|
||||||
|
break;
|
||||||
|
case SIGNKEYSET:
|
||||||
|
cmd = new SignKeyset("signkeyset", "jdnssec-tools signkeyset [..options..] dnskeyset_file [key_file ...]");
|
||||||
|
break;
|
||||||
|
case SIGNRRSET:
|
||||||
|
cmd = new SignRRset("signrrset", "jdnssec-tools signrrset [..options..] rrset_file key_file [key_file ...]");
|
||||||
|
break;
|
||||||
|
case SIGNZONE:
|
||||||
|
cmd = new SignZone("signzone", "jdnssec-tools signzone [..options..] zone_file [key_file ...]");
|
||||||
|
break;
|
||||||
|
case VERIFYZONE:
|
||||||
|
cmd = new VerifyZone("verifyzone", "jdnssec-tools verifyzone [..options..] zonefile");
|
||||||
|
break;
|
||||||
|
case ZONEFORMAT:
|
||||||
|
cmd = new ZoneFormat("zoneformat", "jdnssec-tools zoneformat [..options..] zonefile");
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
fail("commmand " + command + " has not been implemented.");
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
cmd.run(subCommandArgs);
|
||||||
|
}
|
||||||
|
|
||||||
|
public static void main(String[] args) {
|
||||||
|
CLI cli = new CLI("cli", "jdnssec-tools <command> [..args..]");
|
||||||
|
cli.run(args);
|
||||||
|
}
|
||||||
|
}
|
@ -18,11 +18,10 @@
|
|||||||
package com.verisignlabs.dnssec.cl;
|
package com.verisignlabs.dnssec.cl;
|
||||||
|
|
||||||
import java.io.FileWriter;
|
import java.io.FileWriter;
|
||||||
|
import java.io.IOException;
|
||||||
import java.io.PrintWriter;
|
import java.io.PrintWriter;
|
||||||
|
|
||||||
import org.apache.commons.cli.CommandLine;
|
|
||||||
import org.apache.commons.cli.Option;
|
import org.apache.commons.cli.Option;
|
||||||
import org.apache.commons.cli.Options;
|
|
||||||
import org.xbill.DNS.CDSRecord;
|
import org.xbill.DNS.CDSRecord;
|
||||||
import org.xbill.DNS.DLVRecord;
|
import org.xbill.DNS.DLVRecord;
|
||||||
import org.xbill.DNS.DNSKEYRecord;
|
import org.xbill.DNS.DNSKEYRecord;
|
||||||
@ -40,7 +39,15 @@ import com.verisignlabs.dnssec.security.SignUtils;
|
|||||||
* @author David Blacka
|
* @author David Blacka
|
||||||
*/
|
*/
|
||||||
public class DSTool extends CLBase {
|
public class DSTool extends CLBase {
|
||||||
private CLIState state;
|
private dsType createType = dsType.DS;
|
||||||
|
private String outputfile = null;
|
||||||
|
private String[] keynames = null;
|
||||||
|
private int digestId = DNSSEC.Digest.SHA256;
|
||||||
|
private long dsTTL = -1;
|
||||||
|
|
||||||
|
public DSTool(String name, String usageStr) {
|
||||||
|
super(name, usageStr);
|
||||||
|
}
|
||||||
|
|
||||||
/** There are several records that are based on DS. */
|
/** There are several records that are based on DS. */
|
||||||
protected enum dsType {
|
protected enum dsType {
|
||||||
@ -52,80 +59,77 @@ public class DSTool extends CLBase {
|
|||||||
* state.
|
* state.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
protected static class CLIState extends CLIStateBase {
|
|
||||||
public dsType createType = dsType.DS;
|
|
||||||
public String outputfile = null;
|
|
||||||
public String keyname = null;
|
|
||||||
public int digestId = DNSSEC.Digest.SHA256;
|
|
||||||
|
|
||||||
public CLIState() {
|
|
||||||
super("jdnssec-dstool [..options..] keyfile");
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Set up the command line options.
|
* Set up the command line options.
|
||||||
*
|
*
|
||||||
* @return a set of command line options.
|
* @return a set of command line options.
|
||||||
*/
|
*/
|
||||||
@Override
|
protected void setupOptions() {
|
||||||
protected void setupOptions(Options opts) {
|
|
||||||
opts.addOption(Option.builder("D").longOpt("dlv").desc("Generate a DLV record instead.").build());
|
opts.addOption(Option.builder("D").longOpt("dlv").desc("Generate a DLV record instead.").build());
|
||||||
opts.addOption(Option.builder("C").longOpt("cds").desc("Generate a CDS record instead").build());
|
opts.addOption(Option.builder("C").longOpt("cds").desc("Generate a CDS record instead").build());
|
||||||
opts.addOption(
|
opts.addOption(
|
||||||
Option.builder("d").hasArg().argName("id").longOpt("digest").desc("The digest algorithm to use").build());
|
Option.builder("d").hasArg().argName("id").longOpt("digest").desc("The digest algorithm to use").build());
|
||||||
opts.addOption(Option.builder("f").hasArg().argName("file").longOpt("output").desc("output to file").build());
|
opts.addOption(Option.builder("f").hasArg().argName("file").longOpt("output").desc("output to file").build());
|
||||||
|
opts.addOption(Option.builder("T").longOpt("ttl").hasArg().desc("TTL to use for generated DS/CDS record").build());
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
protected void processOptions() {
|
||||||
protected void processOptions(CommandLine cli)
|
String[] digestAlgOptionKeys = { "digest_algorithm", "digest_id" };
|
||||||
throws org.apache.commons.cli.ParseException {
|
String[] dsTTLOptionKeys = { "ds_ttl", "ttl" };
|
||||||
|
|
||||||
outputfile = cli.getOptionValue('f');
|
outputfile = cli.getOptionValue('f');
|
||||||
if (cli.hasOption("dlv")) {
|
if (cli.hasOption("dlv")) {
|
||||||
createType = dsType.DLV;
|
createType = dsType.DLV;
|
||||||
} else if (cli.hasOption("cds")) {
|
} else if (cli.hasOption("cds")) {
|
||||||
createType = dsType.CDS;
|
createType = dsType.CDS;
|
||||||
}
|
}
|
||||||
String optstr = cli.getOptionValue('d');
|
String digestValue = cliOption("d", digestAlgOptionKeys, Integer.toString(digestId));
|
||||||
if (optstr != null)
|
digestId = DNSSEC.Digest.value(digestValue);
|
||||||
digestId = DNSSEC.Digest.value(optstr);
|
|
||||||
|
dsTTL = cliLongOption("ttl", dsTTLOptionKeys, dsTTL);
|
||||||
|
|
||||||
String[] args = cli.getArgs();
|
String[] args = cli.getArgs();
|
||||||
|
|
||||||
if (args.length < 1) {
|
if (args.length < 1) {
|
||||||
System.err.println("error: missing key file ");
|
fail("missing key file");
|
||||||
usage();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
keyname = args[0];
|
keynames = args;
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
public void createDS(String keyname) throws IOException {
|
||||||
|
DnsKeyPair key = BINDKeyUtils.loadKey(keyname, null);
|
||||||
public void execute() throws Exception {
|
|
||||||
DnsKeyPair key = BINDKeyUtils.loadKey(state.keyname, null);
|
|
||||||
DNSKEYRecord dnskey = key.getDNSKEYRecord();
|
DNSKEYRecord dnskey = key.getDNSKEYRecord();
|
||||||
|
|
||||||
if ((dnskey.getFlags() & DNSKEYRecord.Flags.SEP_KEY) == 0) {
|
if ((dnskey.getFlags() & DNSKEYRecord.Flags.SEP_KEY) == 0) {
|
||||||
log.warning("DNSKEY is not an SEP-flagged key.");
|
log.warning("DNSKEY " + keyname + " is not an SEP-flagged key.");
|
||||||
}
|
}
|
||||||
|
|
||||||
DSRecord ds = SignUtils.calculateDSRecord(dnskey, state.digestId, dnskey.getTTL());
|
long ttl = dsTTL < 0 ? dnskey.getTTL() : dsTTL;
|
||||||
Record res = ds;
|
DSRecord ds = SignUtils.calculateDSRecord(dnskey, digestId, ttl);
|
||||||
|
Record res;
|
||||||
|
|
||||||
if (state.createType == dsType.DLV) {
|
switch (createType) {
|
||||||
|
case DLV:
|
||||||
log.fine("creating DLV.");
|
log.fine("creating DLV.");
|
||||||
DLVRecord dlv = new DLVRecord(ds.getName(), ds.getDClass(), ds.getTTL(), ds.getFootprint(), ds.getAlgorithm(),
|
DLVRecord dlv = new DLVRecord(ds.getName(), ds.getDClass(), ds.getTTL(), ds.getFootprint(), ds.getAlgorithm(),
|
||||||
ds.getDigestID(), ds.getDigest());
|
ds.getDigestID(), ds.getDigest());
|
||||||
res = dlv;
|
res = dlv;
|
||||||
} else if (state.createType == dsType.CDS) {
|
break;
|
||||||
|
case CDS:
|
||||||
log.fine("creating CDS.");
|
log.fine("creating CDS.");
|
||||||
CDSRecord cds = new CDSRecord(ds.getName(), ds.getDClass(), ds.getTTL(), ds.getFootprint(), ds.getAlgorithm(),
|
CDSRecord cds = new CDSRecord(ds.getName(), ds.getDClass(), ds.getTTL(), ds.getFootprint(), ds.getAlgorithm(),
|
||||||
ds.getDClass(), ds.getDigest());
|
ds.getDClass(), ds.getDigest());
|
||||||
res = cds;
|
res = cds;
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
res = ds;
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (state.outputfile != null && !state.outputfile.equals("-")) {
|
if (outputfile != null && !outputfile.equals("-")) {
|
||||||
try (PrintWriter out = new PrintWriter(new FileWriter(state.outputfile))) {
|
try (PrintWriter out = new PrintWriter(new FileWriter(outputfile))) {
|
||||||
out.println(res);
|
out.println(res);
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
@ -133,10 +137,15 @@ public class DSTool extends CLBase {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public static void main(String[] args) {
|
public void execute() throws Exception {
|
||||||
DSTool tool = new DSTool();
|
for (String keyname : keynames){
|
||||||
tool.state = new CLIState();
|
createDS(keyname);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
tool.run(tool.state, args);
|
public static void main(String[] args) {
|
||||||
|
DSTool tool = new DSTool("dstool", "jdnssec-dstool [..options..] keyfile [keyfile..]");
|
||||||
|
|
||||||
|
tool.run(args);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -19,9 +19,7 @@ package com.verisignlabs.dnssec.cl;
|
|||||||
|
|
||||||
import java.io.File;
|
import java.io.File;
|
||||||
|
|
||||||
import org.apache.commons.cli.CommandLine;
|
|
||||||
import org.apache.commons.cli.Option;
|
import org.apache.commons.cli.Option;
|
||||||
import org.apache.commons.cli.Options;
|
|
||||||
import org.xbill.DNS.DClass;
|
import org.xbill.DNS.DClass;
|
||||||
import org.xbill.DNS.DNSKEYRecord;
|
import org.xbill.DNS.DNSKEYRecord;
|
||||||
import org.xbill.DNS.Name;
|
import org.xbill.DNS.Name;
|
||||||
@ -37,33 +35,25 @@ import com.verisignlabs.dnssec.security.JCEDnsSecSigner;
|
|||||||
* @author David Blacka
|
* @author David Blacka
|
||||||
*/
|
*/
|
||||||
public class KeyGen extends CLBase {
|
public class KeyGen extends CLBase {
|
||||||
private CLIState state;
|
private int algorithm = 13;
|
||||||
|
private int keylength = 2048;
|
||||||
|
private boolean useLargeE = true;
|
||||||
|
private String outputfile = null;
|
||||||
|
private File keydir = null;
|
||||||
|
private boolean zoneKey = true;
|
||||||
|
private boolean kskFlag = false;
|
||||||
|
private String owner = null;
|
||||||
|
private long ttl = 86400;
|
||||||
|
private int givenKeyTag = -1;
|
||||||
|
|
||||||
/**
|
public KeyGen(String name, String usageStr) {
|
||||||
* This is a small inner class used to hold all of the command line option
|
super(name, usageStr);
|
||||||
* state.
|
|
||||||
*/
|
|
||||||
protected static class CLIState extends CLIStateBase {
|
|
||||||
public int algorithm = 13;
|
|
||||||
public int keylength = 2048;
|
|
||||||
public boolean useLargeE = true;
|
|
||||||
public String outputfile = null;
|
|
||||||
public File keydir = null;
|
|
||||||
public boolean zoneKey = true;
|
|
||||||
public boolean kskFlag = false;
|
|
||||||
public String owner = null;
|
|
||||||
public long ttl = 86400;
|
|
||||||
public int givenKeyTag = -1;
|
|
||||||
|
|
||||||
public CLIState() {
|
|
||||||
super("jdnssec-keygen [..options..] name");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Set up the command line options.
|
* Set up the command line options.
|
||||||
*/
|
*/
|
||||||
@Override
|
protected void setupOptions() {
|
||||||
protected void setupOptions(Options opts) {
|
|
||||||
// boolean options
|
// boolean options
|
||||||
opts.addOption("k", "kskflag", false,
|
opts.addOption("k", "kskflag", false,
|
||||||
"Key is a key-signing-key (sets the SEP flag).");
|
"Key is a key-signing-key (sets the SEP flag).");
|
||||||
@ -93,121 +83,96 @@ public class KeyGen extends CLBase {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
protected void processOptions() {
|
||||||
protected void processOptions(CommandLine cli)
|
String[] useLargeEOptionKeys = { "use_large_exponent", "use_large_e" };
|
||||||
throws org.apache.commons.cli.ParseException {
|
String[] keyDirectoryOptionKeys = { "key_directory", "keydir" };
|
||||||
String optstr = null;
|
String[] algorithmOptionKeys = { "algorithm", "alg " };
|
||||||
String[] optstrs = null;
|
String[] keyLengthOptionKeys = { "key_length", "keylen" };
|
||||||
|
String[] ttlOptionKeys = { "dnskey_ttl", "ttl" };
|
||||||
|
|
||||||
if (cli.hasOption('k'))
|
if (cli.hasOption('k')) {
|
||||||
kskFlag = true;
|
kskFlag = true;
|
||||||
if (cli.hasOption('e'))
|
}
|
||||||
useLargeE = true;
|
useLargeE = cli.hasOption('e'); // explicit command line option for the large exponent
|
||||||
|
useLargeE = !cli.hasOption('E'); // explicit command line option for the small exponent
|
||||||
|
String optstr = cliOption("e", useLargeEOptionKeys, Boolean.toString(useLargeE)); // get any config file properties
|
||||||
|
if (optstr != null) {
|
||||||
|
useLargeE = Boolean.parseBoolean(optstr);
|
||||||
|
}
|
||||||
|
|
||||||
outputfile = cli.getOptionValue('f');
|
outputfile = cli.getOptionValue('f');
|
||||||
|
|
||||||
if ((optstr = cli.getOptionValue('d')) != null) {
|
String keydirName = cliOption("d", keyDirectoryOptionKeys, null);
|
||||||
keydir = new File(optstr);
|
if (keydirName != null) {
|
||||||
|
keydir = new File(keydirName);
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((optstr = cli.getOptionValue('n')) != null && !optstr.equalsIgnoreCase("ZONE")) {
|
String algString = cliOption("a", algorithmOptionKeys, Integer.toString(algorithm));
|
||||||
zoneKey = false;
|
algorithm = Utils.parseAlg(algString);
|
||||||
}
|
|
||||||
|
|
||||||
if ((optstrs = cli.getOptionValues('A')) != null) {
|
|
||||||
for (int i = 0; i < optstrs.length; i++) {
|
|
||||||
addArgAlias(optstrs[i]);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if ((optstr = cli.getOptionValue('a')) != null) {
|
|
||||||
algorithm = CLIState.parseAlg(optstr);
|
|
||||||
if (algorithm < 0) {
|
if (algorithm < 0) {
|
||||||
System.err.println("DNSSEC algorithm " + optstr + " is not supported");
|
fail("DNSSEC algorithm " + algString + " is not supported");
|
||||||
usage();
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((optstr = cli.getOptionValue('b')) != null) {
|
keylength = cliIntOption("b", keyLengthOptionKeys, keylength);
|
||||||
keylength = parseInt(optstr, 1024);
|
ttl = cliLongOption("ttl", ttlOptionKeys, ttl);
|
||||||
}
|
givenKeyTag = Utils.parseInt(cli.getOptionValue("with-tag"), -1);
|
||||||
|
|
||||||
if ((optstr = cli.getOptionValue("ttl")) != null) {
|
|
||||||
ttl = parseInt(optstr, 86400);
|
|
||||||
}
|
|
||||||
|
|
||||||
if ((optstr = cli.getOptionValue("with-tag")) != null) {
|
|
||||||
givenKeyTag = parseInt(optstr, -1);
|
|
||||||
}
|
|
||||||
|
|
||||||
String[] args = cli.getArgs();
|
String[] args = cli.getArgs();
|
||||||
|
|
||||||
if (args.length < 1) {
|
if (args.length < 1) {
|
||||||
System.err.println("error: missing key owner name");
|
fail("missing key owner name");
|
||||||
usage();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
owner = args[0];
|
owner = args[0];
|
||||||
}
|
|
||||||
|
|
||||||
private static int parseAlg(String s) {
|
log.fine("keygen options => algorithm: " + algorithm + ", keylength: " + keylength +
|
||||||
DnsKeyAlgorithm algs = DnsKeyAlgorithm.getInstance();
|
", useLargeE: " + useLargeE + ", kskFlag: " + kskFlag + ", ttl: " + ttl + ", givenKeyTag: " + givenKeyTag);
|
||||||
|
|
||||||
int alg = parseInt(s, -1);
|
|
||||||
if (alg > 0) {
|
|
||||||
if (algs.supportedAlgorithm(alg))
|
|
||||||
return alg;
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
return algs.stringToAlgorithm(s);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void execute() throws Exception {
|
public void execute() throws Exception {
|
||||||
JCEDnsSecSigner signer = new JCEDnsSecSigner();
|
JCEDnsSecSigner signer = new JCEDnsSecSigner();
|
||||||
|
|
||||||
// Minor hack to make the owner name absolute.
|
// Minor hack to make the owner name absolute.
|
||||||
if (!state.owner.endsWith(".")) {
|
if (!owner.endsWith(".")) {
|
||||||
state.owner = state.owner + ".";
|
owner = owner + ".";
|
||||||
}
|
}
|
||||||
|
|
||||||
Name ownerName = Name.fromString(state.owner);
|
Name ownerName = Name.fromString(owner);
|
||||||
|
|
||||||
// Calculate our flags
|
// Calculate our flags
|
||||||
int flags = 0;
|
int flags = 0;
|
||||||
if (state.zoneKey) {
|
if (zoneKey) {
|
||||||
flags |= DNSKEYRecord.Flags.ZONE_KEY;
|
flags |= DNSKEYRecord.Flags.ZONE_KEY;
|
||||||
}
|
}
|
||||||
if (state.kskFlag) {
|
if (kskFlag) {
|
||||||
flags |= DNSKEYRecord.Flags.SEP_KEY;
|
flags |= DNSKEYRecord.Flags.SEP_KEY;
|
||||||
}
|
}
|
||||||
log.fine("create key pair with (name = " + ownerName + ", ttl = " + state.ttl
|
log.fine("create key pair with (name = " + ownerName + ", ttl = " + ttl
|
||||||
+ ", alg = " + state.algorithm + ", flags = " + flags + ", length = "
|
+ ", alg = " + algorithm + ", flags = " + flags + ", length = "
|
||||||
+ state.keylength + ")");
|
+ keylength + ")");
|
||||||
|
|
||||||
DnsKeyPair pair = signer.generateKey(ownerName, state.ttl, DClass.IN,
|
DnsKeyPair pair = signer.generateKey(ownerName, ttl, DClass.IN,
|
||||||
state.algorithm, flags, state.keylength,
|
algorithm, flags, keylength,
|
||||||
state.useLargeE);
|
useLargeE);
|
||||||
|
|
||||||
// If we were asked to generate a duplicate keytag, keep trying until we get one
|
// If we were asked to generate a duplicate keytag, keep trying until we get one
|
||||||
while (state.givenKeyTag >= 0 && pair.getDNSKEYFootprint() != state.givenKeyTag) {
|
// This can take a long time, depending on our key generation speed
|
||||||
pair = signer.generateKey(ownerName, state.ttl, DClass.IN, state.algorithm, flags, state.keylength,
|
while (givenKeyTag >= 0 && pair.getDNSKEYFootprint() != givenKeyTag) {
|
||||||
state.useLargeE);
|
pair = signer.generateKey(ownerName, ttl, DClass.IN, algorithm, flags, keylength,
|
||||||
|
useLargeE);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (state.outputfile != null) {
|
if (outputfile != null) {
|
||||||
BINDKeyUtils.writeKeyFiles(state.outputfile, pair, state.keydir);
|
BINDKeyUtils.writeKeyFiles(outputfile, pair, keydir);
|
||||||
} else {
|
} else {
|
||||||
BINDKeyUtils.writeKeyFiles(pair, state.keydir);
|
BINDKeyUtils.writeKeyFiles(pair, keydir);
|
||||||
System.out.println(BINDKeyUtils.keyFileBase(pair));
|
System.out.println(BINDKeyUtils.keyFileBase(pair));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public static void main(String[] args) {
|
public static void main(String[] args) {
|
||||||
KeyGen tool = new KeyGen();
|
KeyGen tool = new KeyGen("keygen", "jdnssec-keygen [..options..] zonename");
|
||||||
tool.state = new CLIState();
|
|
||||||
|
|
||||||
tool.run(tool.state, args);
|
tool.run(args);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -20,9 +20,6 @@ package com.verisignlabs.dnssec.cl;
|
|||||||
import java.security.interfaces.DSAPublicKey;
|
import java.security.interfaces.DSAPublicKey;
|
||||||
import java.security.interfaces.RSAPublicKey;
|
import java.security.interfaces.RSAPublicKey;
|
||||||
|
|
||||||
import org.apache.commons.cli.CommandLine;
|
|
||||||
import org.apache.commons.cli.Options;
|
|
||||||
import org.apache.commons.cli.ParseException;
|
|
||||||
import org.xbill.DNS.DNSKEYRecord;
|
import org.xbill.DNS.DNSKEYRecord;
|
||||||
|
|
||||||
import com.verisignlabs.dnssec.security.BINDKeyUtils;
|
import com.verisignlabs.dnssec.security.BINDKeyUtils;
|
||||||
@ -35,41 +32,32 @@ import com.verisignlabs.dnssec.security.DnsKeyPair;
|
|||||||
* @author David Blacka
|
* @author David Blacka
|
||||||
*/
|
*/
|
||||||
public class KeyInfoTool extends CLBase {
|
public class KeyInfoTool extends CLBase {
|
||||||
private CLIState state;
|
private String[] keynames = null;
|
||||||
|
|
||||||
/**
|
public KeyInfoTool(String name, String usageStr) {
|
||||||
* This is a small inner class used to hold all of the command line option
|
super(name, usageStr);
|
||||||
* state.
|
|
||||||
*/
|
|
||||||
protected static class CLIState extends CLIStateBase {
|
|
||||||
public String[] keynames = null;
|
|
||||||
|
|
||||||
public CLIState() {
|
|
||||||
super("jdnssec-keyinfo [..options..] keyfile");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Set up the command line options.
|
* Set up the command line options.
|
||||||
*/
|
*/
|
||||||
@Override
|
protected void setupOptions() {
|
||||||
protected void setupOptions(Options opts) {
|
|
||||||
// no special options at the moment.
|
// no special options at the moment.
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
|
||||||
protected void processOptions(CommandLine cli) throws ParseException {
|
protected void processOptions() {
|
||||||
keynames = cli.getArgs();
|
keynames = cli.getArgs();
|
||||||
|
|
||||||
if (keynames.length < 1) {
|
if (keynames.length < 1) {
|
||||||
System.err.println("error: missing key file ");
|
fail("missing key file");
|
||||||
usage();
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
public void execute() throws Exception {
|
public void execute() throws Exception {
|
||||||
for (int i = 0; i < state.keynames.length; ++i) {
|
for (int i = 0; i < keynames.length; ++i) {
|
||||||
String keyname = state.keynames[i];
|
String keyname = keynames[i];
|
||||||
DnsKeyPair key = BINDKeyUtils.loadKey(keyname, null);
|
DnsKeyPair key = BINDKeyUtils.loadKey(keyname, null);
|
||||||
DNSKEYRecord dnskey = key.getDNSKEYRecord();
|
DNSKEYRecord dnskey = key.getDNSKEYRecord();
|
||||||
DnsKeyAlgorithm dnskeyalg = DnsKeyAlgorithm.getInstance();
|
DnsKeyAlgorithm dnskeyalg = DnsKeyAlgorithm.getInstance();
|
||||||
@ -97,16 +85,15 @@ public class KeyInfoTool extends CLBase {
|
|||||||
System.out.println("DSA subprime (Q): " + pub.getParams().getQ());
|
System.out.println("DSA subprime (Q): " + pub.getParams().getQ());
|
||||||
System.out.println("DSA public (Y): " + pub.getY());
|
System.out.println("DSA public (Y): " + pub.getY());
|
||||||
}
|
}
|
||||||
if (state.keynames.length - i > 1) {
|
if (keynames.length - i > 1) {
|
||||||
System.out.println();
|
System.out.println();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public static void main(String[] args) {
|
public static void main(String[] args) {
|
||||||
KeyInfoTool tool = new KeyInfoTool();
|
KeyInfoTool tool = new KeyInfoTool("keyinfotool", "jdnssec-keyinfo [..options..] keyfile");
|
||||||
tool.state = new CLIState();
|
|
||||||
|
|
||||||
tool.run(tool.state, args);
|
tool.run(args);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -24,9 +24,7 @@ import java.time.Instant;
|
|||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
import org.apache.commons.cli.CommandLine;
|
|
||||||
import org.apache.commons.cli.Option;
|
import org.apache.commons.cli.Option;
|
||||||
import org.apache.commons.cli.Options;
|
|
||||||
import org.xbill.DNS.Name;
|
import org.xbill.DNS.Name;
|
||||||
import org.xbill.DNS.RRSIGRecord;
|
import org.xbill.DNS.RRSIGRecord;
|
||||||
import org.xbill.DNS.RRset;
|
import org.xbill.DNS.RRset;
|
||||||
@ -48,29 +46,24 @@ import com.verisignlabs.dnssec.security.ZoneUtils;
|
|||||||
* @author David Blacka
|
* @author David Blacka
|
||||||
*/
|
*/
|
||||||
public class SignKeyset extends CLBase {
|
public class SignKeyset extends CLBase {
|
||||||
private CLIState state;
|
private File keyDirectory = null;
|
||||||
|
private String[] keyFiles = null;
|
||||||
|
private Instant start = null;
|
||||||
|
private Instant expire = null;
|
||||||
|
private String inputfile = null;
|
||||||
|
private String outputfile = null;
|
||||||
|
private boolean verifySigs = false;
|
||||||
|
|
||||||
/**
|
public SignKeyset(String name, String usageStr) {
|
||||||
* This is an inner class used to hold all of the command line option state.
|
super(name, usageStr);
|
||||||
*/
|
|
||||||
protected static class CLIState extends CLIStateBase {
|
|
||||||
public File keyDirectory = null;
|
|
||||||
public String[] keyFiles = null;
|
|
||||||
public Instant start = null;
|
|
||||||
public Instant expire = null;
|
|
||||||
public String inputfile = null;
|
|
||||||
public String outputfile = null;
|
|
||||||
public boolean verifySigs = false;
|
|
||||||
|
|
||||||
public CLIState() {
|
|
||||||
super("jdnssec-signkeyset [..options..] dnskeyset_file [key_file ...]");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Set up the command line options.
|
* Set up the command line options.
|
||||||
*/
|
*/
|
||||||
@Override
|
|
||||||
protected void setupOptions(Options opts) {
|
protected void setupOptions() {
|
||||||
// boolean options
|
// boolean options
|
||||||
opts.addOption("a", "verify", false, "verify generated signatures>");
|
opts.addOption("a", "verify", false, "verify generated signatures>");
|
||||||
|
|
||||||
@ -85,33 +78,46 @@ public class SignKeyset extends CLBase {
|
|||||||
Option.builder("f").hasArg().argName("outfile").desc("file the signed keyset is written to").build());
|
Option.builder("f").hasArg().argName("outfile").desc("file the signed keyset is written to").build());
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
|
||||||
protected void processOptions(CommandLine cli)
|
protected void processOptions() {
|
||||||
throws org.apache.commons.cli.ParseException {
|
String[] verifyOptionKeys = { "verify_signatures", "verify" };
|
||||||
|
String[] keyDirectoryOptionKeys = { "key_directory", "keydir" };
|
||||||
|
String[] inceptionOptionKeys = { "inception", "start" };
|
||||||
|
String[] expireOptionKeys = { "expire" };
|
||||||
|
|
||||||
String optstr = null;
|
String optstr = null;
|
||||||
|
|
||||||
if (cli.hasOption('a'))
|
verifySigs = cliBooleanOption("a", verifyOptionKeys, false);
|
||||||
verifySigs = true;
|
|
||||||
|
|
||||||
if ((optstr = cli.getOptionValue('D')) != null) {
|
String keyDirectoryName = cliOption("D", keyDirectoryOptionKeys, null);
|
||||||
|
if (keyDirectoryName != null) {
|
||||||
keyDirectory = new File(optstr);
|
keyDirectory = new File(optstr);
|
||||||
if (!keyDirectory.isDirectory()) {
|
if (!keyDirectory.isDirectory()) {
|
||||||
System.err.println("error: " + optstr + " is not a directory");
|
fail("key directory " + optstr + " is not a directory");
|
||||||
usage();
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((optstr = cli.getOptionValue('s')) != null) {
|
try {
|
||||||
start = convertDuration(null, optstr);
|
optstr = cliOption("s", inceptionOptionKeys, null);
|
||||||
|
if (optstr != null) {
|
||||||
|
start = Utils.convertDuration(null, optstr);
|
||||||
} else {
|
} else {
|
||||||
// default is now - 1 hour.
|
// default is now - 1 hour.
|
||||||
start = Instant.now().minusSeconds(3600);
|
start = Instant.now().minusSeconds(3600);
|
||||||
}
|
}
|
||||||
|
} catch (java.text.ParseException e) {
|
||||||
|
fail("Unable to parse start time specifiction: " + e);
|
||||||
|
}
|
||||||
|
|
||||||
if ((optstr = cli.getOptionValue('e')) != null) {
|
try {
|
||||||
expire = convertDuration(start, optstr);
|
optstr = cliOption("e", expireOptionKeys, null);
|
||||||
|
if (optstr != null) {
|
||||||
|
expire = Utils.convertDuration(start, optstr);
|
||||||
} else {
|
} else {
|
||||||
expire = convertDuration(start, "+2592000"); // 30 days
|
expire = Utils.convertDuration(start, "+2592000"); // 30 days
|
||||||
|
}
|
||||||
|
} catch (java.text.ParseException e) {
|
||||||
|
fail("Unable to parse expire time specification: " + e);
|
||||||
}
|
}
|
||||||
|
|
||||||
outputfile = cli.getOptionValue('f');
|
outputfile = cli.getOptionValue('f');
|
||||||
@ -119,8 +125,7 @@ public class SignKeyset extends CLBase {
|
|||||||
String[] files = cli.getArgs();
|
String[] files = cli.getArgs();
|
||||||
|
|
||||||
if (files.length < 1) {
|
if (files.length < 1) {
|
||||||
System.err.println("error: missing zone file and/or key files");
|
fail("missing zone file and/or key files");
|
||||||
usage();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
inputfile = files[0];
|
inputfile = files[0];
|
||||||
@ -129,7 +134,6 @@ public class SignKeyset extends CLBase {
|
|||||||
System.arraycopy(files, 1, keyFiles, 0, files.length - 1);
|
System.arraycopy(files, 1, keyFiles, 0, files.length - 1);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Verify the generated signatures.
|
* Verify the generated signatures.
|
||||||
@ -138,7 +142,7 @@ public class SignKeyset extends CLBase {
|
|||||||
* @param keypairs a list of keypairs used the sign the zone.
|
* @param keypairs a list of keypairs used the sign the zone.
|
||||||
* @return true if all of the signatures validated.
|
* @return true if all of the signatures validated.
|
||||||
*/
|
*/
|
||||||
private static boolean verifySigs(List<Record> records,
|
private boolean verifySigs(List<Record> records,
|
||||||
List<DnsKeyPair> keypairs) {
|
List<DnsKeyPair> keypairs) {
|
||||||
boolean secure = true;
|
boolean secure = true;
|
||||||
|
|
||||||
@ -160,7 +164,7 @@ public class SignKeyset extends CLBase {
|
|||||||
boolean result = verifier.verify(rrset);
|
boolean result = verifier.verify(rrset);
|
||||||
|
|
||||||
if (!result) {
|
if (!result) {
|
||||||
staticLog.fine("Signatures did not verify for RRset: " + rrset);
|
log.fine("Signatures did not verify for RRset: " + rrset);
|
||||||
secure = false;
|
secure = false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -179,7 +183,7 @@ public class SignKeyset extends CLBase {
|
|||||||
* @param inDirectory the directory to look in (may be null).
|
* @param inDirectory the directory to look in (may be null).
|
||||||
* @return a list of keypair objects.
|
* @return a list of keypair objects.
|
||||||
*/
|
*/
|
||||||
private static List<DnsKeyPair> getKeys(String[] keyfiles, int startIndex,
|
private List<DnsKeyPair> getKeys(String[] keyfiles, int startIndex,
|
||||||
File inDirectory) throws IOException {
|
File inDirectory) throws IOException {
|
||||||
if (keyfiles == null)
|
if (keyfiles == null)
|
||||||
return new ArrayList<>();
|
return new ArrayList<>();
|
||||||
@ -236,10 +240,9 @@ public class SignKeyset extends CLBase {
|
|||||||
|
|
||||||
public void execute() throws Exception {
|
public void execute() throws Exception {
|
||||||
// Read in the zone
|
// Read in the zone
|
||||||
List<Record> records = ZoneUtils.readZoneFile(state.inputfile, null);
|
List<Record> records = ZoneUtils.readZoneFile(inputfile, null);
|
||||||
if (records == null || records.isEmpty()) {
|
if (records == null || records.isEmpty()) {
|
||||||
System.err.println("error: empty keyset file");
|
fail("empty keyset file");
|
||||||
state.usage();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Make sure that all records are DNSKEYs with the same name.
|
// Make sure that all records are DNSKEYs with the same name.
|
||||||
@ -255,46 +258,42 @@ public class SignKeyset extends CLBase {
|
|||||||
keysetName = r.getName();
|
keysetName = r.getName();
|
||||||
}
|
}
|
||||||
if (!r.getName().equals(keysetName)) {
|
if (!r.getName().equals(keysetName)) {
|
||||||
System.err.println("error: DNSKEY with a different name found!");
|
fail("DNSKEY with a different name found!");
|
||||||
state.usage();
|
|
||||||
}
|
}
|
||||||
keyset.addRR(r);
|
keyset.addRR(r);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (keyset.size() == 0) {
|
if (keyset.size() == 0) {
|
||||||
System.err.println("error: No DNSKEYs found in keyset file");
|
fail("error: No DNSKEYs found in keyset file");
|
||||||
state.usage();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Load the key pairs.
|
// Load the key pairs.
|
||||||
List<DnsKeyPair> keypairs = getKeys(state.keyFiles, 0, state.keyDirectory);
|
List<DnsKeyPair> keypairs = getKeys(keyFiles, 0, keyDirectory);
|
||||||
|
|
||||||
// If we *still* don't have any key pairs, look for keys the key
|
// If we *still* don't have any key pairs, look for keys the key
|
||||||
// directory
|
// directory
|
||||||
// that match
|
// that match
|
||||||
if (keypairs == null) {
|
if (keypairs == null) {
|
||||||
keypairs = findZoneKeys(state.keyDirectory, keysetName);
|
keypairs = findZoneKeys(keyDirectory, keysetName);
|
||||||
}
|
}
|
||||||
|
|
||||||
// If there *still* aren't any ZSKs defined, bail.
|
// If there *still* aren't any ZSKs defined, bail.
|
||||||
if (keypairs == null || keypairs.isEmpty() || keysetName == null) {
|
if (keypairs == null || keypairs.isEmpty() || keysetName == null) {
|
||||||
System.err.println("error: No signing keys could be determined.");
|
fail("no signing keys could be determined.");
|
||||||
state.usage();
|
|
||||||
return;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// default the output file, if not set.
|
// default the output file, if not set.
|
||||||
if (state.outputfile == null) {
|
if (outputfile == null) {
|
||||||
if (keysetName.isAbsolute()) {
|
if (keysetName.isAbsolute()) {
|
||||||
state.outputfile = keysetName + "signed_keyset";
|
outputfile = keysetName + "signed_keyset";
|
||||||
} else {
|
} else {
|
||||||
state.outputfile = keysetName + ".signed_keyset";
|
outputfile = keysetName + ".signed_keyset";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
JCEDnsSecSigner signer = new JCEDnsSecSigner();
|
JCEDnsSecSigner signer = new JCEDnsSecSigner();
|
||||||
|
|
||||||
List<RRSIGRecord> sigs = signer.signRRset(keyset, keypairs, state.start, state.expire);
|
List<RRSIGRecord> sigs = signer.signRRset(keyset, keypairs, start, expire);
|
||||||
for (RRSIGRecord s : sigs) {
|
for (RRSIGRecord s : sigs) {
|
||||||
keyset.addRR(s);
|
keyset.addRR(s);
|
||||||
}
|
}
|
||||||
@ -309,9 +308,9 @@ public class SignKeyset extends CLBase {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// write out the signed zone
|
// write out the signed zone
|
||||||
ZoneUtils.writeZoneFile(signedRecords, state.outputfile);
|
ZoneUtils.writeZoneFile(signedRecords, outputfile);
|
||||||
|
|
||||||
if (state.verifySigs) {
|
if (verifySigs) {
|
||||||
log.fine("verifying generated signatures");
|
log.fine("verifying generated signatures");
|
||||||
boolean res = verifySigs(signedRecords, keypairs);
|
boolean res = verifySigs(signedRecords, keypairs);
|
||||||
|
|
||||||
@ -325,9 +324,8 @@ public class SignKeyset extends CLBase {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public static void main(String[] args) {
|
public static void main(String[] args) {
|
||||||
SignKeyset tool = new SignKeyset();
|
SignKeyset tool = new SignKeyset("signkeyset", "jdnssec-signkeyset [..options..] dnskeyset_file [key_file ...]");
|
||||||
tool.state = new CLIState();
|
|
||||||
|
|
||||||
tool.run(tool.state, args);
|
tool.run(args);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -23,9 +23,7 @@ import java.time.Instant;
|
|||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
import org.apache.commons.cli.CommandLine;
|
|
||||||
import org.apache.commons.cli.Option;
|
import org.apache.commons.cli.Option;
|
||||||
import org.apache.commons.cli.Options;
|
|
||||||
import org.xbill.DNS.Name;
|
import org.xbill.DNS.Name;
|
||||||
import org.xbill.DNS.RRSIGRecord;
|
import org.xbill.DNS.RRSIGRecord;
|
||||||
import org.xbill.DNS.RRset;
|
import org.xbill.DNS.RRset;
|
||||||
@ -49,30 +47,26 @@ import com.verisignlabs.dnssec.security.ZoneUtils;
|
|||||||
* @author David Blacka
|
* @author David Blacka
|
||||||
*/
|
*/
|
||||||
public class SignRRset extends CLBase {
|
public class SignRRset extends CLBase {
|
||||||
private CLIState state;
|
|
||||||
|
|
||||||
/**
|
|
||||||
* This is an inner class used to hold all of the command line option state.
|
|
||||||
*/
|
|
||||||
protected static class CLIState extends CLIStateBase {
|
|
||||||
private File keyDirectory = null;
|
private File keyDirectory = null;
|
||||||
public String[] keyFiles = null;
|
private String[] keyFiles = null;
|
||||||
public Instant start = null;
|
private Instant start = null;
|
||||||
public Instant expire = null;
|
private Instant expire = null;
|
||||||
public String inputfile = null;
|
private String inputfile = null;
|
||||||
public String outputfile = null;
|
private String outputfile = null;
|
||||||
public boolean verifySigs = false;
|
private boolean verifySigs = false;
|
||||||
public boolean verboseSigning = false;
|
private boolean verboseSigning = false;
|
||||||
|
|
||||||
public CLIState() {
|
|
||||||
super("jdnssec-signrrset [..options..] rrset_file key_file [key_file ...]");
|
public SignRRset(String name, String usageStr) {
|
||||||
|
super(name, usageStr);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Set up the command line options.
|
* Set up the command line options.
|
||||||
*/
|
*/
|
||||||
@Override
|
protected void setupOptions() {
|
||||||
protected void setupOptions(Options opts) {
|
|
||||||
// boolean options
|
// boolean options
|
||||||
opts.addOption("a", "verify", false, "verify generated signatures>");
|
opts.addOption("a", "verify", false, "verify generated signatures>");
|
||||||
opts.addOption("V", "verbose-signing", false, "Display verbose signing activity.");
|
opts.addOption("V", "verbose-signing", false, "Display verbose signing activity.");
|
||||||
@ -87,34 +81,48 @@ public class SignRRset extends CLBase {
|
|||||||
Option.builder("f").hasArg().argName("outfile").desc("file the the signed rrset is written to").build());
|
Option.builder("f").hasArg().argName("outfile").desc("file the the signed rrset is written to").build());
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
protected void processOptions() {
|
||||||
protected void processOptions(CommandLine cli) throws org.apache.commons.cli.ParseException {
|
String[] verifyOptionKeys = { "verify_signatures", "verify" };
|
||||||
|
String[] verboseSigningOptionKeys = { "verbose_signing" };
|
||||||
|
String[] keyDirectoryOptionKeys = { "key_directory", "keydir" };
|
||||||
|
String[] inceptionOptionKeys = { "inception", "start" };
|
||||||
|
String[] expireOptionKeys = { "expire" };
|
||||||
|
|
||||||
String optstr = null;
|
String optstr = null;
|
||||||
|
|
||||||
if (cli.hasOption('a'))
|
verifySigs = cliBooleanOption("a", verifyOptionKeys, false);
|
||||||
verifySigs = true;
|
|
||||||
if (cli.hasOption('V'))
|
|
||||||
verboseSigning = true;
|
|
||||||
|
|
||||||
if ((optstr = cli.getOptionValue('D')) != null) {
|
verboseSigning = cliBooleanOption("V", verboseSigningOptionKeys, false);
|
||||||
|
|
||||||
|
optstr = cliOption("D", keyDirectoryOptionKeys, null);
|
||||||
|
if (optstr != null) {
|
||||||
keyDirectory = new File(optstr);
|
keyDirectory = new File(optstr);
|
||||||
if (!keyDirectory.isDirectory()) {
|
if (!keyDirectory.isDirectory()) {
|
||||||
System.err.println("error: " + optstr + " is not a directory");
|
fail("key directory " + optstr + " is not a directory");
|
||||||
usage();
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((optstr = cli.getOptionValue('s')) != null) {
|
try {
|
||||||
start = convertDuration(null, optstr);
|
optstr = cliOption("s", inceptionOptionKeys, null);
|
||||||
|
if (optstr != null) {
|
||||||
|
start = Utils.convertDuration(null, optstr);
|
||||||
} else {
|
} else {
|
||||||
// default is now - 1 hour.
|
// default is now - 1 hour.
|
||||||
start = Instant.now().minusSeconds(3600);
|
start = Instant.now().minusSeconds(3600);
|
||||||
}
|
}
|
||||||
|
} catch (java.text.ParseException e) {
|
||||||
|
fail("unable to parse start time specifiction: " + e);
|
||||||
|
}
|
||||||
|
|
||||||
if ((optstr = cli.getOptionValue('e')) != null) {
|
try {
|
||||||
expire = convertDuration(start, optstr);
|
optstr = cliOption("e", expireOptionKeys, null);
|
||||||
|
if (optstr != null) {
|
||||||
|
expire = Utils.convertDuration(start, optstr);
|
||||||
} else {
|
} else {
|
||||||
expire = convertDuration(start, "+2592000"); // 30 days
|
expire = Utils.convertDuration(start, "+2592000"); // 30 days
|
||||||
|
}
|
||||||
|
} catch (java.text.ParseException e) {
|
||||||
|
fail("Unable to parse expire time specification: " + e);
|
||||||
}
|
}
|
||||||
|
|
||||||
outputfile = cli.getOptionValue('f');
|
outputfile = cli.getOptionValue('f');
|
||||||
@ -122,8 +130,7 @@ public class SignRRset extends CLBase {
|
|||||||
String[] files = cli.getArgs();
|
String[] files = cli.getArgs();
|
||||||
|
|
||||||
if (files.length < 1) {
|
if (files.length < 1) {
|
||||||
System.err.println("error: missing zone file and/or key files");
|
fail("missing zone file and/or key files");
|
||||||
usage();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
inputfile = files[0];
|
inputfile = files[0];
|
||||||
@ -132,7 +139,7 @@ public class SignRRset extends CLBase {
|
|||||||
System.arraycopy(files, 1, keyFiles, 0, files.length - 1);
|
System.arraycopy(files, 1, keyFiles, 0, files.length - 1);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Verify the generated signatures.
|
* Verify the generated signatures.
|
||||||
@ -141,7 +148,7 @@ public class SignRRset extends CLBase {
|
|||||||
* @param keypairs a list of keypairs used the sign the zone.
|
* @param keypairs a list of keypairs used the sign the zone.
|
||||||
* @return true if all of the signatures validated.
|
* @return true if all of the signatures validated.
|
||||||
*/
|
*/
|
||||||
private static boolean verifySigs(List<Record> records, List<DnsKeyPair> keypairs) {
|
private boolean verifySigs(List<Record> records, List<DnsKeyPair> keypairs) {
|
||||||
boolean secure = true;
|
boolean secure = true;
|
||||||
|
|
||||||
DnsSecVerifier verifier = new DnsSecVerifier();
|
DnsSecVerifier verifier = new DnsSecVerifier();
|
||||||
@ -163,7 +170,7 @@ public class SignRRset extends CLBase {
|
|||||||
boolean result = verifier.verify(rrset);
|
boolean result = verifier.verify(rrset);
|
||||||
|
|
||||||
if (!result) {
|
if (!result) {
|
||||||
staticLog.fine("Signatures did not verify for RRset: " + rrset);
|
log.fine("Signatures did not verify for RRset: " + rrset);
|
||||||
secure = false;
|
secure = false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -182,7 +189,7 @@ public class SignRRset extends CLBase {
|
|||||||
* @param inDirectory the directory to look in (may be null).
|
* @param inDirectory the directory to look in (may be null).
|
||||||
* @return a list of keypair objects.
|
* @return a list of keypair objects.
|
||||||
*/
|
*/
|
||||||
private static List<DnsKeyPair> getKeys(String[] keyfiles, int startIndex,
|
private List<DnsKeyPair> getKeys(String[] keyfiles, int startIndex,
|
||||||
File inDirectory) throws IOException {
|
File inDirectory) throws IOException {
|
||||||
if (keyfiles == null)
|
if (keyfiles == null)
|
||||||
return new ArrayList<>();
|
return new ArrayList<>();
|
||||||
@ -204,10 +211,9 @@ public class SignRRset extends CLBase {
|
|||||||
|
|
||||||
public void execute() throws Exception {
|
public void execute() throws Exception {
|
||||||
// Read in the zone
|
// Read in the zone
|
||||||
List<Record> records = ZoneUtils.readZoneFile(state.inputfile, null);
|
List<Record> records = ZoneUtils.readZoneFile(inputfile, null);
|
||||||
if (records == null || records.isEmpty()) {
|
if (records == null || records.isEmpty()) {
|
||||||
System.err.println("error: empty RRset file");
|
fail("empty RRset file");
|
||||||
state.usage();
|
|
||||||
}
|
}
|
||||||
// Construct the RRset. Complain if the records in the input file
|
// Construct the RRset. Complain if the records in the input file
|
||||||
// consist of more than one RRset.
|
// consist of more than one RRset.
|
||||||
@ -230,25 +236,21 @@ public class SignRRset extends CLBase {
|
|||||||
&& rrset.getDClass() == r.getDClass()) {
|
&& rrset.getDClass() == r.getDClass()) {
|
||||||
rrset.addRR(r);
|
rrset.addRR(r);
|
||||||
} else {
|
} else {
|
||||||
System.err.println("Records do not all belong to the same RRset.");
|
fail("records do not all belong to the same RRset");
|
||||||
state.usage();
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (rrset == null || rrset.size() == 0) {
|
if (rrset == null || rrset.size() == 0) {
|
||||||
System.err.println("No records found in inputfile.");
|
fail("no records found in inputfile");
|
||||||
state.usage();
|
|
||||||
return;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Load the key pairs.
|
// Load the key pairs.
|
||||||
|
|
||||||
if (state.keyFiles.length == 0) {
|
if (keyFiles.length == 0) {
|
||||||
System.err.println("error: at least one keyfile must be specified");
|
fail("at least one keyfile must be specified");
|
||||||
state.usage();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
List<DnsKeyPair> keypairs = getKeys(state.keyFiles, 0, state.keyDirectory);
|
List<DnsKeyPair> keypairs = getKeys(keyFiles, 0, keyDirectory);
|
||||||
|
|
||||||
// Make sure that all the keypairs have the same name.
|
// Make sure that all the keypairs have the same name.
|
||||||
// This will be used as the zone name, too.
|
// This will be used as the zone name, too.
|
||||||
@ -260,19 +262,18 @@ public class SignRRset extends CLBase {
|
|||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
if (!pair.getDNSKEYName().equals(keysetName)) {
|
if (!pair.getDNSKEYName().equals(keysetName)) {
|
||||||
System.err.println("Keys do not all have the same name.");
|
fail("keys do not all have the same name");
|
||||||
state.usage();
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// default the output file, if not set.
|
// default the output file, if not set.
|
||||||
if (state.outputfile == null && !state.inputfile.equals("-")) {
|
if (outputfile == null && !inputfile.equals("-")) {
|
||||||
state.outputfile = state.inputfile + ".signed";
|
outputfile = inputfile + ".signed";
|
||||||
}
|
}
|
||||||
|
|
||||||
JCEDnsSecSigner signer = new JCEDnsSecSigner(state.verboseSigning);
|
JCEDnsSecSigner signer = new JCEDnsSecSigner(verboseSigning);
|
||||||
|
|
||||||
List<RRSIGRecord> sigs = signer.signRRset(rrset, keypairs, state.start, state.expire);
|
List<RRSIGRecord> sigs = signer.signRRset(rrset, keypairs, start, expire);
|
||||||
for (RRSIGRecord s : sigs) {
|
for (RRSIGRecord s : sigs) {
|
||||||
rrset.addRR(s);
|
rrset.addRR(s);
|
||||||
}
|
}
|
||||||
@ -287,9 +288,9 @@ public class SignRRset extends CLBase {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// write out the signed zone
|
// write out the signed zone
|
||||||
ZoneUtils.writeZoneFile(signedRecords, state.outputfile);
|
ZoneUtils.writeZoneFile(signedRecords, outputfile);
|
||||||
|
|
||||||
if (state.verifySigs) {
|
if (verifySigs) {
|
||||||
log.fine("verifying generated signatures");
|
log.fine("verifying generated signatures");
|
||||||
boolean res = verifySigs(signedRecords, keypairs);
|
boolean res = verifySigs(signedRecords, keypairs);
|
||||||
|
|
||||||
@ -303,9 +304,8 @@ public class SignRRset extends CLBase {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public static void main(String[] args) {
|
public static void main(String[] args) {
|
||||||
SignRRset tool = new SignRRset();
|
SignRRset tool = new SignRRset("signrrset", "jdnssec-signrrset [..options..] rrset_file key_file [key_file ...]");
|
||||||
tool.state = new CLIState();
|
|
||||||
|
|
||||||
tool.run(tool.state, args);
|
tool.run(args);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -28,10 +28,7 @@ import java.util.Iterator;
|
|||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Random;
|
import java.util.Random;
|
||||||
|
|
||||||
import org.apache.commons.cli.CommandLine;
|
|
||||||
import org.apache.commons.cli.Option;
|
import org.apache.commons.cli.Option;
|
||||||
import org.apache.commons.cli.Options;
|
|
||||||
import org.apache.commons.cli.ParseException;
|
|
||||||
import org.xbill.DNS.DNSKEYRecord;
|
import org.xbill.DNS.DNSKEYRecord;
|
||||||
import org.xbill.DNS.DNSSEC;
|
import org.xbill.DNS.DNSSEC;
|
||||||
import org.xbill.DNS.Name;
|
import org.xbill.DNS.Name;
|
||||||
@ -54,39 +51,32 @@ import com.verisignlabs.dnssec.security.ZoneUtils;
|
|||||||
* @author David Blacka
|
* @author David Blacka
|
||||||
*/
|
*/
|
||||||
public class SignZone extends CLBase {
|
public class SignZone extends CLBase {
|
||||||
private CLIState state;
|
private File keyDirectory = null;
|
||||||
|
private File keysetDirectory = null;
|
||||||
/**
|
private String[] kskFiles = null;
|
||||||
* This is an inner class used to hold all of the command line option state.
|
private String[] keyFiles = null;
|
||||||
*/
|
private String zonefile = null;
|
||||||
private static class CLIState extends CLIStateBase {
|
private Instant start = null;
|
||||||
public File keyDirectory = null;
|
private Instant expire = null;
|
||||||
public File keysetDirectory = null;
|
private String outputfile = null;
|
||||||
public String[] kskFiles = null;
|
private boolean verifySigs = false;
|
||||||
public String[] keyFiles = null;
|
private boolean useOptOut = false;
|
||||||
public String zonefile = null;
|
private boolean fullySignKeyset = false;
|
||||||
public Instant start = null;
|
private List<Name> includeNames = null;
|
||||||
public Instant expire = null;
|
private boolean useNsec3 = false;
|
||||||
public String outputfile = null;
|
private byte[] salt = null;
|
||||||
public boolean verifySigs = false;
|
private int iterations = 0;
|
||||||
public boolean useOptOut = false;
|
private int digestId = DNSSEC.Digest.SHA256;
|
||||||
public boolean fullySignKeyset = false;
|
private long nsec3paramttl = -1;
|
||||||
public List<Name> includeNames = null;
|
private boolean verboseSigning = false;
|
||||||
public boolean useNsec3 = false;
|
|
||||||
public byte[] salt = null;
|
|
||||||
public int iterations = 0;
|
|
||||||
public int digestId = DNSSEC.Digest.SHA1;
|
|
||||||
public long nsec3paramttl = -1;
|
|
||||||
public boolean verboseSigning = false;
|
|
||||||
|
|
||||||
private static final Random rand = new Random();
|
private static final Random rand = new Random();
|
||||||
|
|
||||||
public CLIState() {
|
public SignZone(String name, String usageStr) {
|
||||||
super("jdnssec-signzone [..options..] zone_file [key_file ...]");
|
super(name, usageStr);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
protected void setupOptions() {
|
||||||
protected void setupOptions(Options opts) {
|
|
||||||
// boolean options
|
// boolean options
|
||||||
opts.addOption("a", "verify", false, "verify generated signatures>");
|
opts.addOption("a", "verify", false, "verify generated signatures>");
|
||||||
opts.addOption("F", "fully-sign-keyset", false,
|
opts.addOption("F", "fully-sign-keyset", false,
|
||||||
@ -122,114 +112,115 @@ public class SignZone extends CLBase {
|
|||||||
.desc("Use this TTL for the NSEC3PARAM record (default is min(soa.min, soa.ttl))").build());
|
.desc("Use this TTL for the NSEC3PARAM record (default is min(soa.min, soa.ttl))").build());
|
||||||
opts.addOption(Option.builder().hasArg().argName("id").longOpt("ds-digest")
|
opts.addOption(Option.builder().hasArg().argName("id").longOpt("ds-digest")
|
||||||
.desc("Digest algorithm to use for generated DS records").build());
|
.desc("Digest algorithm to use for generated DS records").build());
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
protected void processOptions() {
|
||||||
protected void processOptions(CommandLine cli) throws ParseException {
|
String[] verifyOptionKeys = { "verify_signatures", "verify" };
|
||||||
|
String[] nsec3OptionKeys = { "use_nsec3", "nsec3" };
|
||||||
|
String[] optOutOptionKeys = { "use_opt_out", "opt_out" };
|
||||||
|
String[] verboseSigningOptionKeys = { "verbose_signing" };
|
||||||
|
String[] fullySignKeysetOptionKeys = { "fully_sign_keyset", "fully_sign" };
|
||||||
|
String[] keyDirectoryOptionKeys = { "key_directory", "keydir" };
|
||||||
|
String[] inceptionOptionKeys = { "inception", "start" };
|
||||||
|
String[] expireOptionKeys = { "expire" };
|
||||||
|
String[] nsec3SaltOptionKeys = { "nsec3_salt", "salt" };
|
||||||
|
String[] randomSaltOptionKeys = { "nsec3_random_salt_length", "nsec3_salt_length", "random_salt_length" };
|
||||||
|
String[] nsec3IterationsOptionKeys = { "nsec3_iterations", "iterations" };
|
||||||
|
String[] digestAlgOptionKeys = { "digest_algorithm", "digest_id" };
|
||||||
|
String[] nsec3paramTTLOptionKeys = { "nsec3param_ttl" };
|
||||||
|
String[] incudeNamesOptionKeys = { "include_names_file", "include_names" };
|
||||||
|
|
||||||
String optstr = null;
|
String optstr = null;
|
||||||
|
|
||||||
if (cli.hasOption('a'))
|
verifySigs = cliBooleanOption("a", verifyOptionKeys, false);
|
||||||
verifySigs = true;
|
useNsec3 = cliBooleanOption("3", nsec3OptionKeys, false);
|
||||||
if (cli.hasOption('3'))
|
useOptOut = cliBooleanOption("O", optOutOptionKeys, false);
|
||||||
useNsec3 = true;
|
verboseSigning = cliBooleanOption("V", verboseSigningOptionKeys, false);
|
||||||
if (cli.hasOption('O'))
|
|
||||||
useOptOut = true;
|
|
||||||
if (cli.hasOption('V'))
|
|
||||||
verboseSigning = true;
|
|
||||||
|
|
||||||
if (useOptOut && !useNsec3) {
|
if (useOptOut && !useNsec3) {
|
||||||
System.err.println("Opt-Out not supported without NSEC3 -- ignored.");
|
System.err.println("Opt-Out not supported without NSEC3 -- ignored.");
|
||||||
useOptOut = false;
|
useOptOut = false;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (cli.hasOption('F'))
|
fullySignKeyset = cliBooleanOption("F", fullySignKeysetOptionKeys, false);
|
||||||
fullySignKeyset = true;
|
|
||||||
|
|
||||||
if ((optstr = cli.getOptionValue('d')) != null) {
|
optstr = cliOption("D", keyDirectoryOptionKeys, null);
|
||||||
keysetDirectory = new File(optstr);
|
if (optstr != null) {
|
||||||
if (!keysetDirectory.isDirectory()) {
|
|
||||||
System.err.println("error: " + optstr + " is not a directory");
|
|
||||||
usage();
|
|
||||||
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if ((optstr = cli.getOptionValue('D')) != null) {
|
|
||||||
keyDirectory = new File(optstr);
|
keyDirectory = new File(optstr);
|
||||||
if (!keyDirectory.isDirectory()) {
|
if (!keyDirectory.isDirectory()) {
|
||||||
System.err.println("error: " + optstr + " is not a directory");
|
fail("key directory " + optstr + " is not a directory");
|
||||||
usage();
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((optstr = cli.getOptionValue('s')) != null) {
|
try {
|
||||||
start = CLBase.convertDuration(null, optstr);
|
optstr = cliOption("s", inceptionOptionKeys, null);
|
||||||
|
if (optstr != null) {
|
||||||
|
start = Utils.convertDuration(null, optstr);
|
||||||
} else {
|
} else {
|
||||||
// default is now - 1 hour.
|
// default is now - 1 hour.
|
||||||
start = Instant.now().minusSeconds(3600);
|
start = Instant.now().minusSeconds(3600);
|
||||||
}
|
}
|
||||||
|
} catch (java.text.ParseException e) {
|
||||||
|
fail("unable to parse start time specifiction: " + e);
|
||||||
|
}
|
||||||
|
|
||||||
if ((optstr = cli.getOptionValue('e')) != null) {
|
try {
|
||||||
expire = CLBase.convertDuration(start, optstr);
|
optstr = cliOption("e", expireOptionKeys, null);
|
||||||
|
if (optstr != null) {
|
||||||
|
expire = Utils.convertDuration(start, optstr);
|
||||||
} else {
|
} else {
|
||||||
expire = CLBase.convertDuration(start, "+2592000"); // 30 days
|
expire = Utils.convertDuration(start, "+2592000"); // 30 days
|
||||||
|
}
|
||||||
|
} catch (java.text.ParseException e) {
|
||||||
|
fail("missing zone file and/or key files");
|
||||||
}
|
}
|
||||||
|
|
||||||
outputfile = cli.getOptionValue('f');
|
outputfile = cli.getOptionValue('f');
|
||||||
|
|
||||||
kskFiles = cli.getOptionValues('k');
|
kskFiles = cli.getOptionValues('k');
|
||||||
|
|
||||||
if ((optstr = cli.getOptionValue('I')) != null) {
|
optstr = cliOption("S", nsec3SaltOptionKeys, null);
|
||||||
File includeNamesFile = new File(optstr);
|
if (optstr != null) {
|
||||||
try {
|
|
||||||
includeNames = CLIState.getNameList(includeNamesFile);
|
|
||||||
} catch (IOException e) {
|
|
||||||
throw new ParseException(e.getMessage());
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if ((optstr = cli.getOptionValue('S')) != null) {
|
|
||||||
salt = base16.fromString(optstr);
|
salt = base16.fromString(optstr);
|
||||||
if (salt == null && !optstr.equals("-")) {
|
if (salt == null && !optstr.equals("-")) {
|
||||||
System.err.println("error: salt is not valid hexidecimal.");
|
fail("salt is not valid hexidecimal");
|
||||||
usage();
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((optstr = cli.getOptionValue('R')) != null) {
|
optstr = cliOption("R", randomSaltOptionKeys, null);
|
||||||
int length = parseInt(optstr, 0);
|
if (optstr != null) {
|
||||||
|
int length = Utils.parseInt(optstr, 0);
|
||||||
if (length > 0 && length <= 255) {
|
if (length > 0 && length <= 255) {
|
||||||
salt = new byte[length];
|
salt = new byte[length];
|
||||||
rand.nextBytes(salt);
|
rand.nextBytes(salt);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((optstr = cli.getOptionValue("iterations")) != null) {
|
iterations = cliIntOption("iterations", nsec3IterationsOptionKeys, 0);
|
||||||
iterations = parseInt(optstr, iterations);
|
if (iterations > 150) {
|
||||||
if (iterations < 0 || iterations > 8388607) {
|
log.warning("NSEC3 iterations value is too high for normal use: " + iterations
|
||||||
System.err.println("error: iterations value is invalid");
|
+ " is greater than current accepted threshold of 150");
|
||||||
usage();
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((optstr = cli.getOptionValue("ds-digest")) != null) {
|
optstr = cliOption("ds-digest", digestAlgOptionKeys, Integer.toString(digestId));
|
||||||
digestId = parseInt(optstr, -1);
|
digestId = DNSSEC.Digest.value(optstr);
|
||||||
if (digestId < 0) {
|
|
||||||
System.err.println("error: DS digest ID is not a valid identifier");
|
|
||||||
usage();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if ((optstr = cli.getOptionValue("nsec3paramttl")) != null) {
|
nsec3paramttl = cliIntOption("nsec3paramttl", nsec3paramTTLOptionKeys, -1);
|
||||||
nsec3paramttl = parseInt(optstr, -1);
|
|
||||||
|
optstr = cliOption("I", incudeNamesOptionKeys, null);
|
||||||
|
if (optstr != null) {
|
||||||
|
File includeNamesFile = new File(optstr);
|
||||||
|
try {
|
||||||
|
includeNames = getNameList(includeNamesFile);
|
||||||
|
} catch (IOException e) {
|
||||||
|
fail("unable to load include-names file: " + e);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
String[] files = cli.getArgs();
|
String[] files = cli.getArgs();
|
||||||
|
|
||||||
if (files.length < 1) {
|
if (files.length < 1) {
|
||||||
System.err.println("error: missing zone file and/or key files");
|
fail("missing zone file and/or key files");
|
||||||
usage();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
zonefile = files[0];
|
zonefile = files[0];
|
||||||
@ -237,6 +228,20 @@ public class SignZone extends CLBase {
|
|||||||
keyFiles = new String[files.length - 1];
|
keyFiles = new String[files.length - 1];
|
||||||
System.arraycopy(files, 1, keyFiles, 0, files.length - 1);
|
System.arraycopy(files, 1, keyFiles, 0, files.length - 1);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
log.fine("SignZone settings => key_directory: " + keyDirectory +
|
||||||
|
", keyset_directory: " + keysetDirectory +
|
||||||
|
", start: " + start.getEpochSecond() +
|
||||||
|
", expire: " + expire.getEpochSecond() +
|
||||||
|
", verify_sigs: " + verifySigs +
|
||||||
|
", use_nsec3: " + useNsec3 +
|
||||||
|
", use_opt_out = " + useOptOut +
|
||||||
|
", salt: " + DnsKeyPair.toHex(salt) +
|
||||||
|
", iterations: " + iterations +
|
||||||
|
", nsec3param_ttl: " + nsec3paramttl +
|
||||||
|
", fully_sign_keyset: " + fullySignKeyset +
|
||||||
|
", digest_id: " + digestId +
|
||||||
|
", verbose_signing: " + verboseSigning);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -246,7 +251,7 @@ public class SignZone extends CLBase {
|
|||||||
* names.
|
* names.
|
||||||
* @return a list of {@link org.xbill.DNS.Name} objects.
|
* @return a list of {@link org.xbill.DNS.Name} objects.
|
||||||
*/
|
*/
|
||||||
private static List<Name> getNameList(File nameListFile) throws IOException {
|
private List<Name> getNameList(File nameListFile) throws IOException {
|
||||||
try (BufferedReader br = new BufferedReader(new FileReader(nameListFile))) {
|
try (BufferedReader br = new BufferedReader(new FileReader(nameListFile))) {
|
||||||
List<Name> res = new ArrayList<>();
|
List<Name> res = new ArrayList<>();
|
||||||
|
|
||||||
@ -260,14 +265,13 @@ public class SignZone extends CLBase {
|
|||||||
|
|
||||||
res.add(n);
|
res.add(n);
|
||||||
} catch (TextParseException e) {
|
} catch (TextParseException e) {
|
||||||
staticLog.severe("DNS Name parsing error:" + e);
|
log.severe("DNS Name parsing error:" + e);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return res;
|
return res;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Verify the generated signatures.
|
* Verify the generated signatures.
|
||||||
@ -276,7 +280,7 @@ public class SignZone extends CLBase {
|
|||||||
* @param keypairs a list of keypairs used the sign the zone.
|
* @param keypairs a list of keypairs used the sign the zone.
|
||||||
* @return true if all of the signatures validated.
|
* @return true if all of the signatures validated.
|
||||||
*/
|
*/
|
||||||
private static boolean verifyZoneSigs(List<Record> records,
|
private boolean verifyZoneSigs(List<Record> records,
|
||||||
List<DnsKeyPair> keypairs, List<DnsKeyPair> kskpairs) {
|
List<DnsKeyPair> keypairs, List<DnsKeyPair> kskpairs) {
|
||||||
boolean secure = true;
|
boolean secure = true;
|
||||||
|
|
||||||
@ -302,7 +306,7 @@ public class SignZone extends CLBase {
|
|||||||
|
|
||||||
if (!result) {
|
if (!result) {
|
||||||
System.err.println("Signatures did not verify for RRset: " + rrset);
|
System.err.println("Signatures did not verify for RRset: " + rrset);
|
||||||
staticLog.fine("Signatures did not verify for RRset: " + rrset);
|
log.fine("Signatures did not verify for RRset: " + rrset);
|
||||||
secure = false;
|
secure = false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -321,7 +325,7 @@ public class SignZone extends CLBase {
|
|||||||
* @param inDirectory the directory to look in (may be null).
|
* @param inDirectory the directory to look in (may be null).
|
||||||
* @return a list of keypair objects.
|
* @return a list of keypair objects.
|
||||||
*/
|
*/
|
||||||
private static List<DnsKeyPair> getKeys(String[] keyfiles, int startIndex,
|
private List<DnsKeyPair> getKeys(String[] keyfiles, int startIndex,
|
||||||
File inDirectory) throws IOException {
|
File inDirectory) throws IOException {
|
||||||
if (keyfiles == null)
|
if (keyfiles == null)
|
||||||
return new ArrayList<>();
|
return new ArrayList<>();
|
||||||
@ -342,7 +346,7 @@ public class SignZone extends CLBase {
|
|||||||
return keys;
|
return keys;
|
||||||
}
|
}
|
||||||
|
|
||||||
private static List<DnsKeyPair> getKeys(List<Record> dnskeyrrs, File inDirectory)
|
private List<DnsKeyPair> getKeys(List<Record> dnskeyrrs, File inDirectory)
|
||||||
throws IOException {
|
throws IOException {
|
||||||
List<DnsKeyPair> res = new ArrayList<>();
|
List<DnsKeyPair> res = new ArrayList<>();
|
||||||
for (Record r : dnskeyrrs) {
|
for (Record r : dnskeyrrs) {
|
||||||
@ -376,7 +380,7 @@ public class SignZone extends CLBase {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private static List<DnsKeyPair> findZoneKeys(File inDirectory, Name zonename)
|
private List<DnsKeyPair> findZoneKeys(File inDirectory, Name zonename)
|
||||||
throws IOException {
|
throws IOException {
|
||||||
if (inDirectory == null) {
|
if (inDirectory == null) {
|
||||||
inDirectory = new File(".");
|
inDirectory = new File(".");
|
||||||
@ -419,7 +423,7 @@ public class SignZone extends CLBase {
|
|||||||
* keysets that do not belong in the zone.
|
* keysets that do not belong in the zone.
|
||||||
* @return a list of {@link org.xbill.DNS.Record}s found in the keyset files.
|
* @return a list of {@link org.xbill.DNS.Record}s found in the keyset files.
|
||||||
*/
|
*/
|
||||||
private static List<Record> getKeysets(File inDirectory, Name zonename)
|
private List<Record> getKeysets(File inDirectory, Name zonename)
|
||||||
throws IOException {
|
throws IOException {
|
||||||
if (inDirectory == null) {
|
if (inDirectory == null) {
|
||||||
inDirectory = new File(".");
|
inDirectory = new File(".");
|
||||||
@ -470,38 +474,42 @@ public class SignZone extends CLBase {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public void execute() throws Exception {
|
public void execute() throws Exception {
|
||||||
|
// Do a basic existence check for the zonefile first.
|
||||||
|
if (!zonefile.equals("-")) {
|
||||||
|
File f = new File(zonefile);
|
||||||
|
if (!f.exists()) {
|
||||||
|
fail("zonefile '" + zonefile + "' does not exist");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Read in the zone
|
// Read in the zone
|
||||||
List<Record> records = ZoneUtils.readZoneFile(state.zonefile, null);
|
List<Record> records = ZoneUtils.readZoneFile(zonefile, null);
|
||||||
if (records == null || records.isEmpty()) {
|
if (records == null || records.isEmpty()) {
|
||||||
System.err.println("error: empty zone file");
|
fail("empty zone file");
|
||||||
state.usage();
|
|
||||||
return;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// calculate the zone name.
|
// calculate the zone name.
|
||||||
Name zonename = ZoneUtils.findZoneName(records);
|
Name zonename = ZoneUtils.findZoneName(records);
|
||||||
if (zonename == null) {
|
if (zonename == null) {
|
||||||
System.err.println("error: invalid zone file - no SOA");
|
fail("invalid zone file - no SOA");
|
||||||
state.usage();
|
|
||||||
return;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Load the key pairs. Note that getKeys() always returns an ArrayList,
|
// Load the key pairs. Note that getKeys() always returns an ArrayList,
|
||||||
// which may be empty.
|
// which may be empty.
|
||||||
List<DnsKeyPair> keypairs = getKeys(state.keyFiles, 0, state.keyDirectory);
|
List<DnsKeyPair> keypairs = getKeys(keyFiles, 0, keyDirectory);
|
||||||
List<DnsKeyPair> kskpairs = getKeys(state.kskFiles, 0, state.keyDirectory);
|
List<DnsKeyPair> kskpairs = getKeys(kskFiles, 0, keyDirectory);
|
||||||
|
|
||||||
// If we didn't get any keys on the command line, look at the zone apex for
|
// If we didn't get any keys on the command line, look at the zone apex for
|
||||||
// any public keys.
|
// any public keys.
|
||||||
if (keypairs.isEmpty()) {
|
if (keypairs.isEmpty()) {
|
||||||
List<Record> dnskeys = ZoneUtils.findRRs(records, zonename, Type.DNSKEY);
|
List<Record> dnskeys = ZoneUtils.findRRs(records, zonename, Type.DNSKEY);
|
||||||
keypairs = getKeys(dnskeys, state.keyDirectory);
|
keypairs = getKeys(dnskeys, keyDirectory);
|
||||||
}
|
}
|
||||||
|
|
||||||
// If we *still* don't have any key pairs, look for keys the key directory
|
// If we *still* don't have any key pairs, look for keys the key directory
|
||||||
// that match
|
// that match
|
||||||
if (keypairs.isEmpty()) {
|
if (keypairs.isEmpty()) {
|
||||||
keypairs = findZoneKeys(state.keyDirectory, zonename);
|
keypairs = findZoneKeys(keyDirectory, zonename);
|
||||||
}
|
}
|
||||||
|
|
||||||
// If we don't have any KSKs, but we do have more than one zone
|
// If we don't have any KSKs, but we do have more than one zone
|
||||||
@ -521,9 +529,7 @@ public class SignZone extends CLBase {
|
|||||||
|
|
||||||
// If we have zero keypairs at all, we are stuck.
|
// If we have zero keypairs at all, we are stuck.
|
||||||
if (keypairs.isEmpty() && kskpairs.isEmpty()) {
|
if (keypairs.isEmpty() && kskpairs.isEmpty()) {
|
||||||
System.err.println("No zone signing keys could be determined.");
|
fail("no zone signing keys could be determined");
|
||||||
state.usage();
|
|
||||||
return;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// If we only have one type of key (all ZSKs or all KSKs), then these are
|
// If we only have one type of key (all ZSKs or all KSKs), then these are
|
||||||
@ -552,19 +558,18 @@ public class SignZone extends CLBase {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// default the output file, if not set.
|
// default the output file, if not set.
|
||||||
if (state.outputfile == null && !state.zonefile.equals("-")) {
|
if (outputfile == null && !zonefile.equals("-")) {
|
||||||
if (zonename.isAbsolute()) {
|
if (zonename.isAbsolute()) {
|
||||||
state.outputfile = zonename + "signed";
|
outputfile = zonename + "signed";
|
||||||
} else {
|
} else {
|
||||||
state.outputfile = zonename + ".signed";
|
outputfile = zonename + ".signed";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Verify that the keys can be in the zone.
|
// Verify that the keys can be in the zone.
|
||||||
if (!keyPairsValidForZone(zonename, keypairs)
|
if (!keyPairsValidForZone(zonename, keypairs)
|
||||||
|| !keyPairsValidForZone(zonename, kskpairs)) {
|
|| !keyPairsValidForZone(zonename, kskpairs)) {
|
||||||
System.err.println("error: specified keypairs are not valid for the zone.");
|
fail("specified keypairs are not valid for the zone.");
|
||||||
state.usage();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// We force the signing keys to be in the zone by just appending
|
// We force the signing keys to be in the zone by just appending
|
||||||
@ -582,34 +587,34 @@ public class SignZone extends CLBase {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// read in the keysets, if any.
|
// read in the keysets, if any.
|
||||||
List<Record> keysetrecs = getKeysets(state.keysetDirectory, zonename);
|
List<Record> keysetrecs = getKeysets(keysetDirectory, zonename);
|
||||||
if (keysetrecs != null) {
|
if (keysetrecs != null) {
|
||||||
records.addAll(keysetrecs);
|
records.addAll(keysetrecs);
|
||||||
}
|
}
|
||||||
|
|
||||||
JCEDnsSecSigner signer = new JCEDnsSecSigner(state.verboseSigning);
|
JCEDnsSecSigner signer = new JCEDnsSecSigner(verboseSigning);
|
||||||
|
|
||||||
// Sign the zone.
|
// Sign the zone.
|
||||||
List<Record> signedRecords;
|
List<Record> signedRecords;
|
||||||
|
|
||||||
if (state.useNsec3) {
|
if (useNsec3) {
|
||||||
signedRecords = signer.signZoneNSEC3(zonename, records, kskpairs, keypairs,
|
signedRecords = signer.signZoneNSEC3(zonename, records, kskpairs, keypairs,
|
||||||
state.start, state.expire,
|
start, expire,
|
||||||
state.fullySignKeyset, state.useOptOut,
|
fullySignKeyset, useOptOut,
|
||||||
state.includeNames, state.salt,
|
includeNames, salt,
|
||||||
state.iterations, state.digestId,
|
iterations, digestId,
|
||||||
state.nsec3paramttl);
|
nsec3paramttl);
|
||||||
} else {
|
} else {
|
||||||
signedRecords = signer.signZone(zonename, records, kskpairs, keypairs,
|
signedRecords = signer.signZone(zonename, records, kskpairs, keypairs,
|
||||||
state.start, state.expire, state.fullySignKeyset,
|
start, expire, fullySignKeyset,
|
||||||
state.digestId);
|
digestId);
|
||||||
}
|
}
|
||||||
|
|
||||||
// write out the signed zone
|
// write out the signed zone
|
||||||
ZoneUtils.writeZoneFile(signedRecords, state.outputfile);
|
ZoneUtils.writeZoneFile(signedRecords, outputfile);
|
||||||
System.out.println("zone signing complete");
|
System.out.println("zone signing complete");
|
||||||
|
|
||||||
if (state.verifySigs) {
|
if (verifySigs) {
|
||||||
log.fine("verifying generated signatures");
|
log.fine("verifying generated signatures");
|
||||||
boolean res = verifyZoneSigs(signedRecords, keypairs, kskpairs);
|
boolean res = verifyZoneSigs(signedRecords, keypairs, kskpairs);
|
||||||
|
|
||||||
@ -622,9 +627,8 @@ public class SignZone extends CLBase {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public static void main(String[] args) {
|
public static void main(String[] args) {
|
||||||
SignZone tool = new SignZone();
|
SignZone tool = new SignZone("signzone", "jdnssec-signzone [..options..] zone_file [key_file ...]");
|
||||||
tool.state = new CLIState();
|
|
||||||
|
|
||||||
tool.run(tool.state, args);
|
tool.run(args);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
103
src/main/java/com/verisignlabs/dnssec/cl/Utils.java
Normal file
103
src/main/java/com/verisignlabs/dnssec/cl/Utils.java
Normal file
@ -0,0 +1,103 @@
|
|||||||
|
package com.verisignlabs.dnssec.cl;
|
||||||
|
|
||||||
|
import java.text.SimpleDateFormat;
|
||||||
|
import java.time.Instant;
|
||||||
|
import java.util.Date;
|
||||||
|
import java.util.TimeZone;
|
||||||
|
|
||||||
|
import com.verisignlabs.dnssec.security.DnsKeyAlgorithm;
|
||||||
|
|
||||||
|
public class Utils {
|
||||||
|
|
||||||
|
private Utils() {
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Parse a string into an integer safely, using a default if the value does not
|
||||||
|
* parse cleanly
|
||||||
|
*
|
||||||
|
* @param s The string to parse
|
||||||
|
* @param def The default value
|
||||||
|
* @return either the parsed int or the default
|
||||||
|
*/
|
||||||
|
public static int parseInt(String s, int def) {
|
||||||
|
try {
|
||||||
|
return Integer.parseInt(s);
|
||||||
|
} catch (NumberFormatException e) {
|
||||||
|
return def;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Parse a string into a long safely, using a default if the value does not
|
||||||
|
* parse cleanly
|
||||||
|
*
|
||||||
|
* @param s The string to parse
|
||||||
|
* @param def The default value
|
||||||
|
* @return either the parsed long or the default
|
||||||
|
*/
|
||||||
|
public static long parseLong(String s, long def) {
|
||||||
|
try {
|
||||||
|
return Long.parseLong(s);
|
||||||
|
} catch (NumberFormatException e) {
|
||||||
|
return def;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Parse a DNSSEC algorithm number of mnemonic into the official algorithm number.
|
||||||
|
* @param s The arge value
|
||||||
|
* @return A DNSSEC algorithm number, or -1 if unrecognized.
|
||||||
|
*/
|
||||||
|
public static int parseAlg(String s) {
|
||||||
|
DnsKeyAlgorithm algs = DnsKeyAlgorithm.getInstance();
|
||||||
|
|
||||||
|
int alg = Utils.parseInt(s, -1);
|
||||||
|
if (alg > 0) {
|
||||||
|
if (algs.supportedAlgorithm(alg))
|
||||||
|
return alg;
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
return algs.stringToAlgorithm(s);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Calculate a date/time from a command line time/offset duration string.
|
||||||
|
*
|
||||||
|
* @param start the start time to calculate offsets from.
|
||||||
|
* @param duration the time/offset string to parse.
|
||||||
|
* @return the calculated time.
|
||||||
|
*/
|
||||||
|
public static Instant convertDuration(Instant start, String duration) throws java.text.ParseException {
|
||||||
|
if (start == null) {
|
||||||
|
start = Instant.now();
|
||||||
|
}
|
||||||
|
|
||||||
|
if (duration.startsWith("now")) {
|
||||||
|
start = Instant.now();
|
||||||
|
if (duration.indexOf("+") < 0)
|
||||||
|
return start;
|
||||||
|
|
||||||
|
duration = duration.substring(3);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (duration.startsWith("+")) {
|
||||||
|
long offset = parseLong(duration.substring(1), 0);
|
||||||
|
return start.plusSeconds(offset);
|
||||||
|
}
|
||||||
|
|
||||||
|
// This is a heuristic to distinguish UNIX epoch times from the zone file
|
||||||
|
// format standard (which is length == 14)
|
||||||
|
if (duration.length() <= 10) {
|
||||||
|
long epoch = parseLong(duration, 0);
|
||||||
|
return Instant.ofEpochSecond(epoch);
|
||||||
|
}
|
||||||
|
|
||||||
|
SimpleDateFormat dateFormatter = new SimpleDateFormat("yyyyMMddHHmmss");
|
||||||
|
dateFormatter.setTimeZone(TimeZone.getTimeZone("GMT"));
|
||||||
|
Date parsedDate = dateFormatter.parse(duration);
|
||||||
|
return parsedDate.toInstant();
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -20,10 +20,7 @@ package com.verisignlabs.dnssec.cl;
|
|||||||
import java.time.Instant;
|
import java.time.Instant;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
import org.apache.commons.cli.CommandLine;
|
|
||||||
import org.apache.commons.cli.Options;
|
|
||||||
import org.apache.commons.cli.Option;
|
import org.apache.commons.cli.Option;
|
||||||
import org.apache.commons.cli.ParseException;
|
|
||||||
import org.xbill.DNS.Record;
|
import org.xbill.DNS.Record;
|
||||||
|
|
||||||
import com.verisignlabs.dnssec.security.ZoneUtils;
|
import com.verisignlabs.dnssec.security.ZoneUtils;
|
||||||
@ -35,28 +32,19 @@ import com.verisignlabs.dnssec.security.ZoneVerifier;
|
|||||||
* @author David Blacka
|
* @author David Blacka
|
||||||
*/
|
*/
|
||||||
public class VerifyZone extends CLBase {
|
public class VerifyZone extends CLBase {
|
||||||
|
private String zonefile = null;
|
||||||
|
private String[] keyfiles = null;
|
||||||
|
private int startfudge = 0;
|
||||||
|
private int expirefudge = 0;
|
||||||
|
private boolean ignoreTime = false;
|
||||||
|
private boolean ignoreDups = false;
|
||||||
|
private Instant currentTime = null;
|
||||||
|
|
||||||
private CLIState state;
|
public VerifyZone(String name, String usageStr) {
|
||||||
|
super(name, usageStr);
|
||||||
/**
|
|
||||||
* This is a small inner class used to hold all of the command line option
|
|
||||||
* state.
|
|
||||||
*/
|
|
||||||
protected static class CLIState extends CLIStateBase {
|
|
||||||
public String zonefile = null;
|
|
||||||
public String[] keyfiles = null;
|
|
||||||
public int startfudge = 0;
|
|
||||||
public int expirefudge = 0;
|
|
||||||
public boolean ignoreTime = false;
|
|
||||||
public boolean ignoreDups = false;
|
|
||||||
public Instant currentTime = null;
|
|
||||||
|
|
||||||
public CLIState() {
|
|
||||||
super("jdnssec-verifyzone [..options..] zonefile");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
protected void setupOptions() {
|
||||||
protected void setupOptions(Options opts) {
|
|
||||||
opts.addOption(Option.builder("S").hasArg().argName("seconds").longOpt("sig-start-fudge")
|
opts.addOption(Option.builder("S").hasArg().argName("seconds").longOpt("sig-start-fudge")
|
||||||
.desc("'fudge' RRSIG inception ties by 'seconds'").build());
|
.desc("'fudge' RRSIG inception ties by 'seconds'").build());
|
||||||
opts.addOption(Option.builder("E").hasArg().argName("seconds").longOpt("sig-expire-fudge")
|
opts.addOption(Option.builder("E").hasArg().argName("seconds").longOpt("sig-expire-fudge")
|
||||||
@ -69,46 +57,31 @@ public class VerifyZone extends CLBase {
|
|||||||
opts.addOption(Option.builder().longOpt("ignore-duplicate-rrs").desc("Ignore duplicate record errors.").build());
|
opts.addOption(Option.builder().longOpt("ignore-duplicate-rrs").desc("Ignore duplicate record errors.").build());
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
protected void processOptions() {
|
||||||
protected void processOptions(CommandLine cli) {
|
String[] ignoreTimeOptionKeys = { "ignore_time" };
|
||||||
if (cli.hasOption("ignore-time")) {
|
String[] ignoreDuplicateOptionKeys = { "ingore_duplicate_rrs", "ignore_duplicates" };
|
||||||
ignoreTime = true;
|
String[] startFudgeOptionKeys = { "start_fudge" };
|
||||||
}
|
String[] expireFudgeOptionKeys = { "expire_fudge" };
|
||||||
|
String[] currentTimeOptionKeys = { "current_time" };
|
||||||
|
|
||||||
if (cli.hasOption("ignore-duplicate-rrs")) {
|
ignoreTime = cliBooleanOption("ignore-time", ignoreTimeOptionKeys, false);
|
||||||
ignoreDups = true;
|
ignoreDups = cliBooleanOption("ignore-duplicate-rrs", ignoreDuplicateOptionKeys, false);
|
||||||
}
|
startfudge = cliIntOption("S", startFudgeOptionKeys, 0);
|
||||||
|
expirefudge = cliIntOption("E", expireFudgeOptionKeys, 0);
|
||||||
|
|
||||||
String optstr = null;
|
String optstr = cliOption("t", currentTimeOptionKeys, null);
|
||||||
if ((optstr = cli.getOptionValue('S')) != null) {
|
if (optstr != null) {
|
||||||
startfudge = parseInt(optstr, 0);
|
|
||||||
}
|
|
||||||
|
|
||||||
if ((optstr = cli.getOptionValue('E')) != null) {
|
|
||||||
expirefudge = parseInt(optstr, 0);
|
|
||||||
}
|
|
||||||
|
|
||||||
if ((optstr = cli.getOptionValue('t')) != null) {
|
|
||||||
try {
|
try {
|
||||||
currentTime = convertDuration(null, optstr);
|
currentTime = Utils.convertDuration(null, optstr);
|
||||||
} catch (ParseException e) {
|
} catch (java.text.ParseException e) {
|
||||||
System.err.println("error: could not parse timespec");
|
fail("could not parse timespec");
|
||||||
usage();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
String[] optstrs = null;
|
|
||||||
if ((optstrs = cli.getOptionValues('A')) != null) {
|
|
||||||
for (int i = 0; i < optstrs.length; i++) {
|
|
||||||
addArgAlias(optstrs[i]);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
String[] args = cli.getArgs();
|
String[] args = cli.getArgs();
|
||||||
|
|
||||||
if (args.length < 1) {
|
if (args.length < 1) {
|
||||||
System.err.println("error: missing zone file");
|
fail("missing zone file");
|
||||||
usage();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
zonefile = args[0];
|
zonefile = args[0];
|
||||||
@ -118,17 +91,16 @@ public class VerifyZone extends CLBase {
|
|||||||
System.arraycopy(args, 1, keyfiles, 0, keyfiles.length);
|
System.arraycopy(args, 1, keyfiles, 0, keyfiles.length);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
public void execute() throws Exception {
|
public void execute() throws Exception {
|
||||||
ZoneVerifier zoneverifier = new ZoneVerifier();
|
ZoneVerifier zoneverifier = new ZoneVerifier();
|
||||||
zoneverifier.getVerifier().setStartFudge(state.startfudge);
|
zoneverifier.getVerifier().setStartFudge(startfudge);
|
||||||
zoneverifier.getVerifier().setExpireFudge(state.expirefudge);
|
zoneverifier.getVerifier().setExpireFudge(expirefudge);
|
||||||
zoneverifier.getVerifier().setIgnoreTime(state.ignoreTime);
|
zoneverifier.getVerifier().setIgnoreTime(ignoreTime);
|
||||||
zoneverifier.getVerifier().setCurrentTime(state.currentTime);
|
zoneverifier.getVerifier().setCurrentTime(currentTime);
|
||||||
zoneverifier.setIgnoreDuplicateRRs(state.ignoreDups);
|
zoneverifier.setIgnoreDuplicateRRs(ignoreDups);
|
||||||
|
|
||||||
List<Record> records = ZoneUtils.readZoneFile(state.zonefile, null);
|
List<Record> records = ZoneUtils.readZoneFile(zonefile, null);
|
||||||
|
|
||||||
log.fine("verifying zone...");
|
log.fine("verifying zone...");
|
||||||
int errors = zoneverifier.verifyZone(records);
|
int errors = zoneverifier.verifyZone(records);
|
||||||
@ -144,9 +116,8 @@ public class VerifyZone extends CLBase {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public static void main(String[] args) {
|
public static void main(String[] args) {
|
||||||
VerifyZone tool = new VerifyZone();
|
VerifyZone tool = new VerifyZone("verifyzone", "jdnssec-verifyzone [..options..] zonefile");
|
||||||
tool.state = new CLIState();
|
|
||||||
|
|
||||||
tool.run(tool.state, args);
|
tool.run(args);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -24,9 +24,6 @@ import java.util.Collections;
|
|||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
import org.apache.commons.cli.CommandLine;
|
|
||||||
import org.apache.commons.cli.Options;
|
|
||||||
import org.apache.commons.cli.ParseException;
|
|
||||||
import org.xbill.DNS.Master;
|
import org.xbill.DNS.Master;
|
||||||
import org.xbill.DNS.NSEC3PARAMRecord;
|
import org.xbill.DNS.NSEC3PARAMRecord;
|
||||||
import org.xbill.DNS.NSEC3Record;
|
import org.xbill.DNS.NSEC3Record;
|
||||||
@ -45,43 +42,33 @@ import com.verisignlabs.dnssec.security.RecordComparator;
|
|||||||
* @author David Blacka
|
* @author David Blacka
|
||||||
*/
|
*/
|
||||||
public class ZoneFormat extends CLBase {
|
public class ZoneFormat extends CLBase {
|
||||||
private CLIState state;
|
private String file;
|
||||||
|
private boolean assignNSEC3;
|
||||||
|
|
||||||
/**
|
public ZoneFormat(String name, String usageStr) {
|
||||||
* This is a small inner class used to hold all of the command line option
|
super(name, usageStr);
|
||||||
* state.
|
|
||||||
*/
|
|
||||||
protected static class CLIState extends CLIStateBase {
|
|
||||||
public String file;
|
|
||||||
public boolean assignNSEC3;
|
|
||||||
|
|
||||||
public CLIState() {
|
|
||||||
super("jdnssec-zoneformat [..options..] zonefile");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
protected void setupOptions() {
|
||||||
protected void setupOptions(Options opts) {
|
|
||||||
opts.addOption("N", "nsec3", false,
|
opts.addOption("N", "nsec3", false,
|
||||||
"attempt to determine the original ownernames for NSEC3 RRs.");
|
"attempt to determine the original ownernames for NSEC3 RRs.");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
protected void processOptions() {
|
||||||
protected void processOptions(CommandLine cli) throws ParseException {
|
String[] assignNsec3OwnersOptionKeys = { "assign_nsec3_owners", "assign_owners" };
|
||||||
if (cli.hasOption('N'))
|
|
||||||
assignNSEC3 = true;
|
assignNSEC3 = cliBooleanOption("N", assignNsec3OwnersOptionKeys, false);
|
||||||
|
|
||||||
String[] args = cli.getArgs();
|
String[] args = cli.getArgs();
|
||||||
|
|
||||||
if (args.length < 1) {
|
if (args.length < 1) {
|
||||||
System.err.println("error: must specify a zone file");
|
fail("must specify a zone file");
|
||||||
usage();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
file = args[0];
|
file = args[0];
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
private static List<Record> readZoneFile(String filename) throws IOException {
|
private List<Record> readZoneFile(String filename) throws IOException {
|
||||||
try (Master master = new Master(filename)) {
|
try (Master master = new Master(filename)) {
|
||||||
List<Record> res = new ArrayList<>();
|
List<Record> res = new ArrayList<>();
|
||||||
Record r = null;
|
Record r = null;
|
||||||
@ -98,14 +85,14 @@ public class ZoneFormat extends CLBase {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private static void formatZone(List<Record> zone) {
|
private void formatZone(List<Record> zone) {
|
||||||
|
|
||||||
for (Record r : zone) {
|
for (Record r : zone) {
|
||||||
System.out.println(r.toString());
|
System.out.println(r.toString());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private static void determineNSEC3Owners(List<Record> zone)
|
private void determineNSEC3Owners(List<Record> zone)
|
||||||
throws NoSuchAlgorithmException {
|
throws NoSuchAlgorithmException {
|
||||||
|
|
||||||
// first, find the NSEC3PARAM record -- this is an inefficient linear
|
// first, find the NSEC3PARAM record -- this is an inefficient linear
|
||||||
@ -173,11 +160,11 @@ public class ZoneFormat extends CLBase {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public void execute() throws IOException, NoSuchAlgorithmException {
|
public void execute() throws IOException, NoSuchAlgorithmException {
|
||||||
List<Record> z = readZoneFile(state.file);
|
List<Record> z = readZoneFile(file);
|
||||||
// Put the zone into a consistent (name and RR type) order.
|
// Put the zone into a consistent (name and RR type) order.
|
||||||
Collections.sort(z, new RecordComparator());
|
Collections.sort(z, new RecordComparator());
|
||||||
|
|
||||||
if (state.assignNSEC3) {
|
if (assignNSEC3) {
|
||||||
determineNSEC3Owners(z);
|
determineNSEC3Owners(z);
|
||||||
} else {
|
} else {
|
||||||
formatZone(z);
|
formatZone(z);
|
||||||
@ -185,10 +172,9 @@ public class ZoneFormat extends CLBase {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public static void main(String[] args) {
|
public static void main(String[] args) {
|
||||||
ZoneFormat tool = new ZoneFormat();
|
ZoneFormat tool = new ZoneFormat("zoneformat", "jdnssec-zoneformat [..options..] zonefile");
|
||||||
tool.state = new CLIState();
|
|
||||||
|
|
||||||
tool.run(tool.state, args);
|
tool.run(args);
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -43,6 +43,7 @@ import java.security.spec.NamedParameterSpec;
|
|||||||
import java.security.spec.PKCS8EncodedKeySpec;
|
import java.security.spec.PKCS8EncodedKeySpec;
|
||||||
import java.security.spec.RSAPrivateCrtKeySpec;
|
import java.security.spec.RSAPrivateCrtKeySpec;
|
||||||
import java.util.StringTokenizer;
|
import java.util.StringTokenizer;
|
||||||
|
import java.util.logging.Logger;
|
||||||
|
|
||||||
import javax.crypto.interfaces.DHPrivateKey;
|
import javax.crypto.interfaces.DHPrivateKey;
|
||||||
import javax.crypto.interfaces.DHPublicKey;
|
import javax.crypto.interfaces.DHPublicKey;
|
||||||
@ -68,6 +69,8 @@ public class DnsKeyConverter {
|
|||||||
private KeyFactory mEdKeyFactory;
|
private KeyFactory mEdKeyFactory;
|
||||||
private DnsKeyAlgorithm mAlgorithms;
|
private DnsKeyAlgorithm mAlgorithms;
|
||||||
|
|
||||||
|
private Logger log = Logger.getLogger(this.getClass().toString());
|
||||||
|
|
||||||
public DnsKeyConverter() {
|
public DnsKeyConverter() {
|
||||||
mAlgorithms = DnsKeyAlgorithm.getInstance();
|
mAlgorithms = DnsKeyAlgorithm.getInstance();
|
||||||
}
|
}
|
||||||
@ -111,10 +114,16 @@ public class DnsKeyConverter {
|
|||||||
public DNSKEYRecord generateDNSKEYRecord(Name name, int dclass, long ttl,
|
public DNSKEYRecord generateDNSKEYRecord(Name name, int dclass, long ttl,
|
||||||
int flags, int alg, PublicKey key) {
|
int flags, int alg, PublicKey key) {
|
||||||
try {
|
try {
|
||||||
return new DNSKEYRecord(name, dclass, ttl, flags, DNSKEYRecord.Protocol.DNSSEC, alg,
|
int origAlgorithm = mAlgorithms.originalAlgorithm(alg);
|
||||||
|
DNSKEYRecord keyrec = new DNSKEYRecord(name, dclass, ttl, flags, DNSKEYRecord.Protocol.DNSSEC, origAlgorithm,
|
||||||
key);
|
key);
|
||||||
|
if (origAlgorithm == alg) {
|
||||||
|
return keyrec;
|
||||||
|
}
|
||||||
|
return new DNSKEYRecord(name, dclass, ttl, flags, DNSKEYRecord.Protocol.DNSSEC, alg, keyrec.getKey());
|
||||||
} catch (DNSSECException e) {
|
} catch (DNSSECException e) {
|
||||||
// FIXME: this mimics the behavior of KEYConverter.buildRecord(), which would
|
log.severe("Unable to generated a DNSKEYRecord: " + e);
|
||||||
|
// This mimics the behavior of KEYConverter.buildRecord(), which would
|
||||||
// return null if the algorithm was unknown.
|
// return null if the algorithm was unknown.
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
@ -178,7 +178,7 @@ public class SignUtils {
|
|||||||
if (n.labels() != labels) {
|
if (n.labels() != labels) {
|
||||||
n = n.wild(n.labels() - labels);
|
n = n.wild(n.labels() - labels);
|
||||||
wildcardName = true;
|
wildcardName = true;
|
||||||
log.fine("Detected wildcard expansion: " + rrset.getName() + " changed to " + n);
|
log.finer("Detected wildcard expansion: " + rrset.getName() + " changed to " + n);
|
||||||
}
|
}
|
||||||
|
|
||||||
// now convert the wire format records in the RRset into a
|
// now convert the wire format records in the RRset into a
|
||||||
@ -1063,7 +1063,7 @@ public class SignUtils {
|
|||||||
int ldiff = node.name.labels() - zonename.labels();
|
int ldiff = node.name.labels() - zonename.labels();
|
||||||
for (int i = 1; i < ldiff; i++) {
|
for (int i = 1; i < ldiff; i++) {
|
||||||
Name n = new Name(node.name, i);
|
Name n = new Name(node.name, i);
|
||||||
log.fine("Generating ENT NSEC3 for " + n);
|
log.finer("Generating ENT NSEC3 for " + n);
|
||||||
ProtoNSEC3 nsec3 = generateNSEC3(n, zonename, node.ttl, salt, iterations, optIn,
|
ProtoNSEC3 nsec3 = generateNSEC3(n, zonename, node.ttl, salt, iterations, optIn,
|
||||||
null);
|
null);
|
||||||
nsec3s.add(nsec3);
|
nsec3s.add(nsec3);
|
||||||
@ -1127,11 +1127,11 @@ public class SignUtils {
|
|||||||
// check to see if cur is a duplicate (by name)
|
// check to see if cur is a duplicate (by name)
|
||||||
if (prevNSEC3 != null
|
if (prevNSEC3 != null
|
||||||
&& Arrays.equals(prevNSEC3.getOwner(), curNSEC3.getOwner())) {
|
&& Arrays.equals(prevNSEC3.getOwner(), curNSEC3.getOwner())) {
|
||||||
log.fine("found duplicate NSEC3 (by name) -- merging type maps: "
|
log.finer("found duplicate NSEC3 (by name) -- merging type maps: "
|
||||||
+ prevNSEC3.getTypemap() + " and " + curNSEC3.getTypemap());
|
+ prevNSEC3.getTypemap() + " and " + curNSEC3.getTypemap());
|
||||||
i.remove();
|
i.remove();
|
||||||
prevNSEC3.mergeTypes(curNSEC3.getTypemap());
|
prevNSEC3.mergeTypes(curNSEC3.getTypemap());
|
||||||
log.fine("merged type map: " + prevNSEC3.getTypemap());
|
log.finer("merged type map: " + prevNSEC3.getTypemap());
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user