Cli improvements (#17)

* add config file processing, refactor CLIBase some

* fix algorithm aliases with key generation

* Refactor to remove CLIState et al, move CLI common statics to new Utils

* only use usage() for help, otherwise fail()

* add a universal command line client, build a one-jar to use it.

* bump the version

* update ChangeLog, README, README.TODO, minor fixes

* undo overzealous find/replace. sigh.

* fix use_large_exponent logic in KeyGen

* more fixes, minor improvements
This commit is contained in:
David Blacka 2024-04-07 21:12:56 -04:00 committed by GitHub
parent 2876649a4e
commit 1727d7c7d8
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
28 changed files with 1364 additions and 1152 deletions

1
.gitignore vendored
View File

@ -1,5 +1,6 @@
build build
bin/main bin/main
dist/
.classpath .classpath
.project .project
.gradle .gradle

View File

@ -1,3 +1,18 @@
2024-04-07 David Blacka <david@blacka.com>
* Released version 0.20
* Removed support for Gradle builds since the gradle config was
out-of-date
* Requires Java 15 or later for EdDSA support
* Supports DNSSEC algorithm 16 using the SunEC provider
* Supports a java properties-formatted config file. See
jdnssec-tools.properties.example for an example
* Updated to dnsjava 3.5.3
* Updated to commons-cli 1.6.0
* Added a "one-jar" distribution method, and a "univeral" CLI to
use with it.
* Formatting and linter suggestions
2024-03-25 David Blacka <davidb@verisign.com> 2024-03-25 David Blacka <davidb@verisign.com>
* Released version 0.19 * Released version 0.19

View File

@ -11,5 +11,3 @@ This bit of code has been around since approximately 2005, and has been in "mini
* allowing for an external sort once the data is shown to be larger than X, and/or * allowing for an external sort once the data is shown to be larger than X, and/or
* allowing for a memory-constrained internal sort that uses disk, and/or, * allowing for a memory-constrained internal sort that uses disk, and/or,
* figuring out how to let the JVM use *a lot* of memory. * figuring out how to let the JVM use *a lot* of memory.
* Add support for algorithm 16, perhaps refactor algorithm 15 support using bouncycastle.
* Note that our current dnsjava version, 3.5.1 has some support, although it isn't clear if it has sign/verify support.

View File

@ -8,9 +8,13 @@ This is a collection of DNSSEC tools written in Java. They are intended to be a
These tools depend upon DNSjava (<https://github.com/dnsjava/dnsjava>), the Jakarta Commons CLI and Logging libraries (<https://commons.apache.org/proper/commons-cli>), slf4j (<https://www.slf4j.org>), and Sun's Java Cryptography extensions. A copy of each of these libraries is included in the distribution. These tools depend upon DNSjava (<https://github.com/dnsjava/dnsjava>), the Jakarta Commons CLI and Logging libraries (<https://commons.apache.org/proper/commons-cli>), slf4j (<https://www.slf4j.org>), and Sun's Java Cryptography extensions. A copy of each of these libraries is included in the distribution.
See the "licenses" directory for the licensing information of this package and the other packages that are distributed with it. See the "[licenses](https://github.com/dblacka/jdnssec-tools/tree/master/licenses)" directory for the licensing information of this package and the other packages that are distributed with it.
Getting started: ## Getting Started
### Using the binary distribution
The binary distributions can be downloaded from the [releases](https://github.com/dblacka/jdnssec-tools/releases) page. To use it;
1. Unpack the binary distribution: 1. Unpack the binary distribution:
@ -21,9 +25,11 @@ Getting started:
cd java-dnssec-tools-x.x.x cd java-dnssec-tools-x.x.x
./bin/jdnssec-signzone -h ./bin/jdnssec-signzone -h
Building from source: ### Building from source
1. Unpack the source distribution, preferably into the same directory that the binary distribution was unpacked. There is a source distribution also downloadable from the [releases](https://github.com/dblacka/jdnssec-tools/releases) page, but this should work with a clone of this repo.
1. (If downloaded) Unpack the source distribution, preferably into the same directory that the binary distribution was unpacked.
tar zxvf java-dnssec-tools-x.x.x-src.tar.gz tar zxvf java-dnssec-tools-x.x.x-src.tar.gz
@ -32,17 +38,19 @@ Building from source:
ant ant
4. You can build the distribution tarballs with 'ant dist'. You can run the tools directly from the build area (without building the jdnssec-tools.jar file) by using the ./bin/\_jdnssec_* wrappers. 4. You can build the distribution tarballs with 'ant dist', although the main `ant` build command will have built the primary jar file.
5. Alternatively, build the project using gradle:
gradlew clean
gradlew assemble -i
The resulting jar file gets generated in build/libs.
The source for this project is available in git on github: <https://github.com/dblacka/jdnssec-tools> The source for this project is available in git on github: <https://github.com/dblacka/jdnssec-tools>
### Using the one-jar distribution
As of version 0.20, there is a one-jar (aka an executable jar) as part of the distribution. It can also be downloaded from the [releases](https://github.com/dblacka/jdnssec-tools/releases) page.
1. Fetch the one-jar distribution.
2. Invoke with `java -jar jdnssec-tools-x.x.x.jar`
java -jar jdnssec-tools-x.x.x.jar signzone -h
--- ---
Questions or comments may be directed to the author (<mailto:davidb@verisign.com>), or by creating issues in the [github issue tracker](https://github.com/dblacka/jdnssec-tools/issues). Questions or comments may be directed to the author (<mailto:davidb@verisign.com>), or by creating issues in the [github issue tracker](https://github.com/dblacka/jdnssec-tools/issues).

View File

@ -1 +1 @@
version=0.19 version=0.20

View File

@ -1,19 +0,0 @@
#! /bin/sh
thisdir=`dirname $0`
basedir=`cd $thisdir/..; pwd`
ulimit_max=`ulimit -H -n`
if [ $ulimit_max != "unlimited" ]; then
ulimit -n $ulimit_max
fi
# set the classpath
CLASSPATH=$CLASSPATH:$basedir/build/classes
for i in $basedir/lib/*.jar $basedir/lib/*.zip; do
CLASSPATH="$CLASSPATH":"$i"
done
export CLASSPATH
exec java com.verisignlabs.dnssec.cl.DSTool "$@"

View File

@ -1,19 +0,0 @@
#! /bin/sh
thisdir=`dirname $0`
basedir=`cd $thisdir/..; pwd`
ulimit_max=`ulimit -H -n`
if [ $ulimit_max != "unlimited" ]; then
ulimit -n $ulimit_max
fi
# set the classpath
CLASSPATH=$CLASSPATH:$basedir/build/classes
for i in $basedir/lib/*.jar $basedir/lib/*.zip; do
CLASSPATH="$CLASSPATH":"$i"
done
export CLASSPATH
exec java com.verisignlabs.dnssec.cl.KeyGen "$@"

View File

@ -1,19 +0,0 @@
#! /bin/sh
thisdir=`dirname $0`
basedir=`cd $thisdir/..; pwd`
ulimit_max=`ulimit -H -n`
if [ $ulimit_max != "unlimited" ]; then
ulimit -n $ulimit_max
fi
# set the classpath
CLASSPATH=$CLASSPATH:$basedir/build/classes
for i in $basedir/lib/*.jar $basedir/lib/*.zip; do
CLASSPATH="$CLASSPATH":"$i"
done
export CLASSPATH
exec java com.verisignlabs.dnssec.cl.KeyInfoTool "$@"

View File

@ -1,19 +0,0 @@
#! /bin/sh
thisdir=`dirname $0`
basedir=`cd $thisdir/..; pwd`
ulimit_max=`ulimit -H -n`
if [ $ulimit_max != "unlimited" ]; then
ulimit -n $ulimit_max
fi
# set the classpath
CLASSPATH=$CLASSPATH:$basedir/build/classes
for i in $basedir/lib/*.jar $basedir/lib/*.zip; do
CLASSPATH="$CLASSPATH":"$i"
done
export CLASSPATH
exec java com.verisignlabs.dnssec.cl.SignKeyset "$@"

View File

@ -1,19 +0,0 @@
#! /bin/sh
thisdir=`dirname $0`
basedir=`cd $thisdir/..; pwd`
ulimit_max=`ulimit -H -n`
if [ $ulimit_max != "unlimited" ]; then
ulimit -n $ulimit_max
fi
# set the classpath
CLASSPATH=$CLASSPATH:$basedir/build/classes
for i in $basedir/lib/*.jar $basedir/lib/*.zip; do
CLASSPATH="$CLASSPATH":"$i"
done
export CLASSPATH
exec java com.verisignlabs.dnssec.cl.SignZone "$@"

View File

@ -1,19 +0,0 @@
#! /bin/sh
thisdir=`dirname $0`
basedir=`cd $thisdir/..; pwd`
ulimit_max=`ulimit -H -n`
if [ $ulimit_max != "unlimited" ]; then
ulimit -n $ulimit_max
fi
# set the classpath
CLASSPATH=$CLASSPATH:$basedir/build/classes
for i in $basedir/lib/*.jar $basedir/lib/*.zip; do
CLASSPATH="$CLASSPATH":"$i"
done
export CLASSPATH
exec java com.verisignlabs.dnssec.cl.VerifyZone "$@"

View File

@ -1,19 +0,0 @@
#! /bin/sh
thisdir=`dirname $0`
basedir=`cd $thisdir/..; pwd`
ulimit_max=`ulimit -H -n`
if [ $ulimit_max != "unlimited" ]; then
ulimit -n $ulimit_max
fi
# set the classpath
CLASSPATH=$CLASSPATH:$basedir/build/classes
for i in $basedir/lib/*.jar $basedir/lib/*.zip; do
CLASSPATH="$CLASSPATH":"$i"
done
export CLASSPATH
exec java com.verisignlabs.dnssec.cl.ZoneFormat "$@"

22
bin/jdnssec-tools Executable file
View File

@ -0,0 +1,22 @@
#! /bin/sh
thisdir=$(dirname $0)
basedir=$(cd $thisdir/.. || exit; pwd)
ulimit_max=$(ulimit -H -n)
if [ $ulimit_max != "unlimited" ]; then
ulimit -n $ulimit_max
fi
# set the classpath
for i in "$basedir"/lib/*.jar "$basedir"/lib/*.zip "$basedir"/build/libs/*.jar; do
if ! [ -f $i ]; then continue; fi
if [ -z "$CLASSPATH" ]; then
CLASSPATH=$i
else
CLASSPATH="$CLASSPATH":"$i"
fi
done
export CLASSPATH
exec java com.verisignlabs.dnssec.cl.CLI "$@"

View File

@ -10,18 +10,20 @@
--> -->
<project default="compile" basedir="."> <project default="build" basedir=".">
<property file="build.properties" /> <property file="build.properties" />
<property file="VERSION" /> <property file="VERSION" />
<property name="sectools-distname" value="jdnssec-tools-${version}" />
<property name="build.dir" value="build" /> <property name="build.dir" value="build" />
<property name="build.dest" value="${build.dir}/classes" /> <property name="build.dest" value="${build.dir}/classes" />
<property name="build.lib.dest" value="${build.dir}/libs" /> <property name="build.lib.dest" value="${build.dir}/libs" />
<property name="build.src" value="src/main/java" /> <property name="build.src" value="src/main/java" />
<property name="dist.dir" value="dist"/>
<property name="dist.name" value="jdnssec-tools-${version}" />
<property name="packages" value="com.verisignlabs.dnssec.*" /> <property name="packages" value="com.verisignlabs.dnssec.*" />
<property name="doc.dir" value="docs" /> <property name="doc.dir" value="docs" />
<property name="javadoc.dest" value="${doc.dir}/javadoc" /> <property name="javadoc.dest" value="${doc.dir}/javadoc" />
@ -33,6 +35,7 @@
<pathelement location="${build.dest}" /> <pathelement location="${build.dest}" />
<fileset dir="${lib.dir}" includes="*.jar,*.zip" /> <fileset dir="${lib.dir}" includes="*.jar,*.zip" />
</path> </path>
<property name="project.classpath" refid="project.classpath" /> <property name="project.classpath" refid="project.classpath" />
<target name="prepare-src"> <target name="prepare-src">
@ -40,7 +43,7 @@
<mkdir dir="${build.lib.dest}" /> <mkdir dir="${build.lib.dest}" />
</target> </target>
<target name="sectools" depends="prepare-src" > <target name="compile" depends="prepare-src" >
<javac srcdir="${build.src}" <javac srcdir="${build.src}"
destdir="${build.dest}" destdir="${build.dest}"
classpathref="project.classpath" classpathref="project.classpath"
@ -51,14 +54,29 @@
release="${build.java_version}" /> release="${build.java_version}" />
</target> </target>
<target name="sectools-jar" depends="usage,sectools"> <target name="build-jar" depends="usage, compile">
<jar jarfile="${build.lib.dest}/jdnssec-tools.jar" <jar jarfile="${build.lib.dest}/jdnssec-tools.jar"
basedir="${build.dest}" basedir="${build.dest}"
includes="com/verisignlabs/dnssec/" /> includes="com/verisignlabs/dnssec/" />
</target> </target>
<target name="compile" <target name="build"
depends="usage,sectools-jar"> depends="usage,build-jar">
</target>
<target name="build-onejar" depends="compile">
<jar destfile="${dist.dir}/${dist.name}.jar">
<zipfileset dir="${build.dest}" includes="**/*.class" />
<zipfileset src="${lib.dir}/dnsjava-3.5.3.jar" />
<zipfileset src="${lib.dir}/commons-cli-1.6.0.jar" />
<zipfileset src="${lib.dir}/slf4j-api-1.7.36.jar" />
<zipfileset src="${lib.dir}/slf4j-simple-1.7.36.jar" />
<manifest>
<attribute name="Main-Class"
value="com.verisignlabs.dnssec.cl.CLI" />
</manifest>
</jar>
</target> </target>
<target name="javadoc" depends="usage"> <target name="javadoc" depends="usage">
@ -75,16 +93,21 @@
</javadoc> </javadoc>
</target> </target>
<target name="clean" depends="usage"> <target name="clean" depends="usage">
<delete dir="${build.dest}" /> <delete dir="${build.dest}" />
<delete dir="${build.lib.dest}" /> <delete dir="${build.lib.dest}" />
<delete dir="${dist.dir}" />
</target> </target>
<target name="sectools-dist-prepare" depends="usage, compile, javadoc"> <target name="dist-clean" depends="usage">
<mkdir dir="${sectools-distname}" /> <delete dir="${dist.name}" />
</target>
<copy todir="${sectools-distname}"> <target name="dist-prepare" depends="usage, build, javadoc">
<mkdir dir="${dist.dir}" />
<mkdir dir="${dist.name}" />
<copy todir="${dist.name}">
<fileset dir="."> <fileset dir=".">
<include name="bin/jdnssec-*" /> <include name="bin/jdnssec-*" />
<include name="lib/*.jar" /> <include name="lib/*.jar" />
@ -99,37 +122,33 @@
</fileset> </fileset>
</copy> </copy>
<copy todir="${sectools-distname}/lib"> <copy todir="${dist.name}/lib">
<fileset dir="${build.lib.dest}"> <fileset dir="${build.lib.dest}">
<include name="*.jar" /> <include name="*.jar" />
</fileset> </fileset>
</copy> </copy>
</target> </target>
<target name="sectools-dist-clean">
<delete dir="${sectools-distname}" />
</target>
<patternset id="exec.files"> <patternset id="exec.files">
<include name="${sectools-distname}/bin/jdnssec-*" /> <include name="${dist.name}/bin/jdnssec-*" />
</patternset> </patternset>
<patternset id="src.files"> <patternset id="src.files">
<include name="${sectools-distname}/src/" /> <include name="${dist.name}/src/" />
<include name="${sectools-distname}/build.xml" /> <include name="${dist.name}/build.xml" />
<include name="${sectools-distname}/build.properties" /> <include name="${dist.name}/build.properties" />
</patternset> </patternset>
<patternset id="bin.files"> <patternset id="bin.files">
<include name="${sectools-distname}/doc/" /> <include name="${dist.name}/doc/" />
<include name="${sectools-distname}/lib/" /> <include name="${dist.name}/lib/" />
<include name="${sectools-distname}/licenses/" /> <include name="${dist.name}/licenses/" />
<include name="${sectools-distname}/VERSION" /> <include name="${dist.name}/VERSION" />
<include name="${sectools-distname}/README" /> <include name="${dist.name}/README" />
</patternset> </patternset>
<target name="sectools-bin-dist" depends="sectools-dist-prepare"> <target name="bin-dist" depends="dist-prepare">
<tar destfile="${sectools-distname}.tar.gz" compression="gzip"> <tar destfile="${dist.dir}/${dist.name}.tar.gz" compression="gzip">
<tarfileset mode="755" dir="."> <tarfileset mode="755" dir=".">
<patternset refid="exec.files" /> <patternset refid="exec.files" />
</tarfileset> </tarfileset>
@ -139,21 +158,16 @@
</tar> </tar>
</target> </target>
<target name="sectools-src-dist" depends="sectools-dist-prepare"> <target name="src-dist" depends="dist-prepare">
<tar destfile="${sectools-distname}-src.tar.gz" <tar destfile="${dist.dir}/${dist.name}-src.tar.gz" compression="gzip">
compression="gzip">
<tarfileset dir="."> <tarfileset dir=".">
<patternset refid="src.files" /> <patternset refid="src.files" />
</tarfileset> </tarfileset>
</tar> </tar>
</target> </target>
<target name="sectools-dist" <target name="dist"
depends="sectools-bin-dist,sectools-src-dist, sectools-dist-clean"> depends="bin-dist, src-dist, build-onejar, dist-clean">
</target>
<target name="dist" depends="sectools-dist">
</target> </target>
<target name="usage"> <target name="usage">
@ -161,10 +175,11 @@
<echo message="jdnssec-tools v. ${version} Build System" /> <echo message="jdnssec-tools v. ${version} Build System" />
<echo message="--------------------------------" /> <echo message="--------------------------------" />
<echo message="Available Targets:" /> <echo message="Available Targets:" />
<echo message=" compile (default) - compiles the source code, creates jar" /> <echo message=" build (default) - compiles the source code, creates main jar" />
<echo message=" javadoc - create javadoc from source" /> <echo message=" javadoc - create javadoc from source" />
<echo message=" clean - delete class files" /> <echo message=" clean - delete class files" />
<echo message=" dist - package it up" /> <echo message=" dist - package it up" />
<echo message=" onejar - build the executable jar" />
<echo message=" usage - this help message" /> <echo message=" usage - this help message" />
<echo message=" " /> <echo message=" " />
</target> </target>

View File

@ -0,0 +1,93 @@
# An example properties file for jdnssec-tools
# Properties may be be scoped by the tool name, which is the name minus "jdnssec-"
# If unscoped, the same named property will be used by multiple tools
# Common properties
# log_level = warning
# verbose = true # same as log_level = fine (true) or log_level = warning (false)
# multiline = false
# algorithm aliasing is <scope>.alias.<new-mnemonic> = <orig-alg-id>:<alias-alg-id>
# alias.NEWALG = 8:100
# jdnssec-dstool properties
## These are all equivalent. Unscoped properties might apply to other tools
# dstool.digest_algorithm = 4
# digest_algorithm = 4 # applies to jdnssec-signzone, too
# dstool.digest_id = 4
# jdnssec-keygen properties
# keygen.use_large_exponent = true
# keygen.key_directory = .
# key_directory = /path/to/dnskey_files # applies to jdnssec-sign*
# keygen.algorithm = ED448
# keygen.keylength = 2048
# keygen.keylen = 2048 # same thing
# keygen.ttl = 3600
# jdnssec-keyinfotool
# no additional keys
# jdnssec-signkeyset
# signkeyset.verify = false
# signkeyset.key_directory = .
# signkeyset.start = -300
# signkeyset.inception = 1712424863
# signkeyset.expire = +604800
# jdnssec-signrrset
# signrrset.verify_signatures = false
# signrrset.verify = false # same thing
# signrrset.key_directory = .
# signrrset.start = now
# signrrset.inception = now # same thing
# signrrset.expire = now+3600
# jdnssec-signzone
# signzone.verify_signatures = false
# signzone.verify = false # same thing
# signzone.use_nsec3 = false
# signzone.nsec3 = false # same thing
# signzone.use_opt_out = false
# signzone.opt_out = false # same thing
# signzone.verbose_signing = false
# signzone.fully_sign_keyset = false
# signzone.fully_sign = false # same thing
# signzone.key_directory = .
# signzone.keydir = . # same thing
# signzone.start = now
# signzone.inception = now
# signzone.expire = now+3600
# signzone.nsec3_salt = DEADBEEF
# signzone.salt = DEADBEEF # same thing
# signzone.nsec3_random_salt_length = 6
# signzone.nsec3_salt_length = 6 # same thing
# signzone.random_salt_length = 6 # same thing
# signzone.nsec3_iterations = 0
# signzone.iterations = 0 # same thing
# signzone.digest_algorithm = 4
# signzone.digest_id = 4 # same thing
# signzone.nsec3param_ttl = 86400
# signzone.include_names_file = /path/to/include-names
# signzone.include_names = /path/to/include-names # same thing
# jdnssec-verifyzone
# verifyzone.ignore_time = false
# verifyzone.ignore_duplicate_rrs = false
# verifyzone.ignore_duplicates = false # same thing
# verifyzone.start_fudge = 0
# verifyzone.expire_fudge = 0
# verifyzone.current_time = now
# jdnssec-zoneformat
# zoneformat.assign_nsec3_owners = false
# zoneformat.assign_owners = false # same thing

View File

@ -17,11 +17,11 @@
package com.verisignlabs.dnssec.cl; package com.verisignlabs.dnssec.cl;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.PrintWriter; import java.io.PrintWriter;
import java.text.SimpleDateFormat; import java.util.Properties;
import java.time.Instant;
import java.util.Date;
import java.util.TimeZone;
import java.util.logging.Formatter; import java.util.logging.Formatter;
import java.util.logging.Handler; import java.util.logging.Handler;
import java.util.logging.Level; import java.util.logging.Level;
@ -48,8 +48,19 @@ import com.verisignlabs.dnssec.security.DnsKeyAlgorithm;
* subclass variant of the CLIState and call run(). * subclass variant of the CLIState and call run().
*/ */
public abstract class CLBase { public abstract class CLBase {
protected static Logger staticLog = Logger.getLogger(CLBase.class.getName()); protected Logger log = Logger.getLogger(this.getClass().toString());
protected Logger log; protected Options opts;
protected String name;
protected String usageStr;
protected Properties props;
protected CommandLine cli;
protected CLBase(String name, String usageStr) {
this.name = name;
this.usageStr = usageStr;
setup();
}
/** /**
* This is a very simple log formatter that simply outputs the log level and * This is a very simple log formatter that simply outputs the log level and
@ -70,136 +81,151 @@ public abstract class CLBase {
} }
} }
/**
* This is a base class for command line parsing state. Subclasses should
* override setupOptions and processOptions.
*/
public static class CLIStateBase {
protected Options opts;
protected String usageStr;
/**
* The base constructor. This will setup the command line options.
*
* @param usage
* The command line usage string (e.g.,
* "jdnssec-foo [..options..] zonefile")
*/
public CLIStateBase(String usage) {
usageStr = usage;
setup();
}
/** This is the base set of command line options provided to all subclasses. */ /** This is the base set of command line options provided to all subclasses. */
private void setup() { private void setupCommonOptions() {
// Set up the standard set of options that all jdnssec command line tools will // Set up the standard set of options that all jdnssec command line tools will
// implement. // implement.
opts = new Options();
// boolean options // boolean options
opts.addOption("h", "help", false, "Print this message."); opts.addOption("h", "help", false, "Print this message.");
opts.addOption("m", "multiline", false, opts.addOption("m", "multiline", false,
"Output DNS records using 'multiline' format"); "Output DNS records using 'multiline' format");
opts.addOption(Option.builder("v").longOpt("verbose").argName("level").hasArg().desc( opts.addOption(Option.builder("l").longOpt("log-level").argName("level").hasArg()
"verbosity level -- 0: silence, 1: error, 2: warning, 3: info, 4/5: fine, 6: finest; default: 2 (warning)") .desc("set the logging level with either java.util.logging levels, or 0-6").build());
.build()); opts.addOption(Option.builder("v").longOpt("verbose").desc(
"set as verbose (log-level = fine)").build());
opts.addOption(Option.builder("c").longOpt("config").argName("file").hasArg()
.desc("configuration file (format: java properties)").build());
opts.addOption(Option.builder("A").hasArg().argName("alias:original:mnemonic").longOpt("alg-alias") opts.addOption(Option.builder("A").hasArg().argName("alias:original:mnemonic").longOpt("alg-alias")
.desc("Define an alias for an algorithm").build()); .desc("Define an alias for an algorithm").build());
setupOptions(opts);
} }
/** /**
* This is an overridable method for subclasses to add their own command * This is an overridable method for subclasses to add their own command line
* line options.
*
* @param opts
* the options object to add (via OptionBuilder, typically) new
* options to.
*/
protected void setupOptions(Options opts) {
// Subclasses generally override this.
}
/**
* This is the main method for parsing the command line arguments.
* Subclasses generally override processOptions() rather than this method.
* This method create the parsing objects and processes the standard
* options. * options.
*
* @param args
* The command line arguments.
* @throws ParseException
*/ */
public void parseCommandLine(String[] args) throws ParseException { protected abstract void setupOptions();
/**
* Initialize the command line options
*/
public void setup() {
opts = new Options();
setupCommonOptions();
setupOptions();
}
/**
* This is the main method for parsing the command line arguments. Subclasses
* generally override processOptions() rather than this method. This method
* creates the parsing objects and processes the common options.
*
* @param args The command line arguments.
*/
public void parseCommandLine(String[] args) {
String[] logLevelOptionKeys = { "log_level", "log-level" };
String[] multilineOptionKeys = { "multiline" };
CommandLineParser parser = new DefaultParser(); CommandLineParser parser = new DefaultParser();
CommandLine cli = parser.parse(opts, args);
try {
cli = parser.parse(opts, args);
} catch (UnrecognizedOptionException e) {
fail("unknown option encountered: " + e.getMessage());
} catch (AlreadySelectedException e) {
fail("mutually exclusive options have been selected:\n " + e.getMessage());
} catch (ParseException e) {
fail("unable to parse command line: " + e);
}
if (cli.hasOption('h')) { if (cli.hasOption('h')) {
usage(); usage();
} }
String loadedConfig = loadConfig(cli.getOptionValue('c'));
Logger rootLogger = Logger.getLogger(""); Logger rootLogger = Logger.getLogger("");
int value = parseInt(cli.getOptionValue('v'), -1);
switch (value) { // we set log level with both --log-level and -v/--verbose.
case 0: String logLevel = cliOption("log-level", logLevelOptionKeys, null);
rootLogger.setLevel(Level.OFF); if (logLevel == null) {
break; logLevel = cli.hasOption("v") ? "fine" : "warning";
case 1:
rootLogger.setLevel(Level.SEVERE);
break;
case 2:
default:
rootLogger.setLevel(Level.WARNING);
break;
case 3:
rootLogger.setLevel(Level.INFO);
break;
case 4:
rootLogger.setLevel(Level.CONFIG);
case 5:
rootLogger.setLevel(Level.FINE);
break;
case 6:
rootLogger.setLevel(Level.ALL);
break;
} }
setLogLevel(rootLogger, logLevel);
// I hate java.util.logging, btw.
for (Handler h : rootLogger.getHandlers()) { for (Handler h : rootLogger.getHandlers()) {
h.setLevel(rootLogger.getLevel()); h.setLevel(rootLogger.getLevel());
h.setFormatter(new BareLogFormatter()); h.setFormatter(new BareLogFormatter());
} }
if (cli.hasOption('m')) { if (loadedConfig != null) {
log.info("Loaded config file: " + loadedConfig);
}
if (cliBooleanOption("m", multilineOptionKeys, false)) {
org.xbill.DNS.Options.set("multiline"); org.xbill.DNS.Options.set("multiline");
} }
String[] optstrs = null; processAliasOptions();
if ((optstrs = cli.getOptionValues('A')) != null) {
for (int i = 0; i < optstrs.length; i++) {
addArgAlias(optstrs[i]);
}
}
processOptions(cli); processOptions();
} }
/** /**
* Process additional tool-specific options. Subclasses generally override * Process additional tool-specific options. Subclasses generally override
* this. * this.
*
* @param cli
* The {@link CommandLine} object containing the parsed command
* line state.
*/ */
protected void processOptions(CommandLine cli) throws ParseException { protected abstract void processOptions();
// Subclasses generally override this.
/**
* Load a configuration (java properties) file for jdnssec-tools. Returns
* the path of the loaded file.
*
* @param configFile a given path to a config file. This will be considered
* first.
* @return The path of the file that was actually loaded, or null if no config
* file was loaded.
*/
protected String loadConfig(String configFile) {
// Do not load config files twice
if (props != null) {
return null;
}
props = new Properties();
String[] configFiles = { configFile, "jdnssec-tools.properties", ".jdnssec-tools.properties",
System.getProperty("user.home") + "/.jdnssec-tools.properties" };
File f = null;
for (String fname : configFiles) {
if (fname == null) {
continue;
}
f = new File(fname);
if (!f.canRead()) {
continue;
} }
try (FileInputStream stream = new FileInputStream(f)) {
props.load(stream);
break; // load the first config file found in our list
} catch (IOException e) {
log.warning("Could not read config file " + f.getName() + ": " + e);
}
}
if (f != null) {
return f.getPath();
}
return null;
}
protected void fail(String errorMessage) {
log.severe(errorMessage);
System.exit(64);
}
/** Print out the usage and help statements, then quit. */ /** Print out the usage and help statements, then quit. */
public void usage() { public void usage() {
HelpFormatter f = new HelpFormatter(); HelpFormatter f = new HelpFormatter();
@ -207,116 +233,167 @@ public abstract class CLBase {
PrintWriter out = new PrintWriter(System.err); PrintWriter out = new PrintWriter(System.err);
// print our own usage statement: // print our own usage statement:
f.printHelp(out, 75, usageStr, null, opts, HelpFormatter.DEFAULT_LEFT_PAD, f.printHelp(out, 120, usageStr, null, opts, HelpFormatter.DEFAULT_LEFT_PAD,
HelpFormatter.DEFAULT_DESC_PAD, null); HelpFormatter.DEFAULT_DESC_PAD, null);
out.flush(); out.flush();
System.exit(64); System.exit(0);
} }
protected void addArgAlias(String s) { /**
if (s == null) * Set the logging level based on a string value
return; *
* @param logger The logger to set -- usually the rootLogger
* @param levelStr A level string that is either an integer from 0 to 6, or a
* java.util.logging log level string (severe, warning, info,
* fine, finer,
* finest).
*/
private void setLogLevel(Logger logger, String levelStr) {
Level level;
int internalLogLevel = Utils.parseInt(levelStr, -1);
if (internalLogLevel != -1) {
switch (internalLogLevel) {
case 0:
level = Level.OFF;
break;
case 1:
level = Level.SEVERE;
break;
case 2:
default:
level = Level.WARNING;
break;
case 3:
level = Level.INFO;
break;
case 4:
level = Level.FINE;
break;
case 5:
case 6:
level = Level.ALL;
}
} else {
try {
level = Level.parse(levelStr.toUpperCase());
} catch (IllegalArgumentException e) {
System.err.println("Verbosity level '" + levelStr + "' not recognized");
level = Level.WARNING;
}
}
logger.setLevel(level);
}
/**
* Process both property file based alias definitions and command line alias
* definitions
*/
protected void processAliasOptions() {
DnsKeyAlgorithm algs = DnsKeyAlgorithm.getInstance(); DnsKeyAlgorithm algs = DnsKeyAlgorithm.getInstance();
// First parse any command line options
// those look like '-A <alias-num>:<orig-num>:<mnemonic>', e.g., '-A
// 21:13:ECDSAP256-NSEC6'
String[] optstrs = null;
if ((optstrs = cli.getOptionValues('A')) != null) {
for (String value : optstrs) {
String[] valueComponents = value.split(":");
int aliasAlg = Utils.parseInt(valueComponents[0], -1);
int origAlg = Utils.parseInt(valueComponents[1], -1);
String mnemonic = valueComponents[2];
String[] v = s.split(":"); if (mnemonic != null && origAlg >= 0 && aliasAlg >= 0) {
if (v.length < 2) algs.addAlias(aliasAlg, mnemonic, origAlg);
return; }
int alias = parseInt(v[0], -1);
if (alias <= 0)
return;
int orig = parseInt(v[1], -1);
if (orig <= 0)
return;
String mn = null;
if (v.length > 2)
mn = v[2];
algs.addAlias(alias, mn, orig);
} }
} }
public static int parseInt(String s, int def) { // Next see if we have any alias options in properties
try { // Those look like 'signzone.alias.<alias-mnemonic> =
return Integer.parseInt(s); // <orig-alg-num>:<alias-alg-num>'
} catch (NumberFormatException e) { for (String key : props.stringPropertyNames()) {
return def; if (key.startsWith(name + ".alias.") || key.startsWith("alias.")) {
} String[] keyComponents = key.split("\\.");
} String mnemonic = keyComponents[keyComponents.length - 1];
String[] valueComponents = props.getProperty(key).split(":");
int origAlg = Utils.parseInt(valueComponents[0], -1);
int aliasAlg = Utils.parseInt(valueComponents[1], -1);
public static long parseLong(String s, long def) { if (mnemonic != null && origAlg >= 0 && aliasAlg >= 0) {
try { algs.addAlias(aliasAlg, mnemonic, origAlg);
return Long.parseLong(s); }
} catch (NumberFormatException e) { }
return def;
} }
} }
/** /**
* Calculate a date/time from a command line time/offset duration string. * Given a parsed command line, option, and list of possible config
* properties, and a default value, determine value for the option
* *
* @param start * @param option The option name
* the start time to calculate offsets from. * @param properties A list of configuration parameters that we would like
* @param duration * to use for this option, from most preferred to least.
* the time/offset string to parse. * @param defaultValue A default value to return if either the option or
* @return the calculated time. * config value cannot be parsed, or neither are present.
* @return The found value, or the default value.
*/ */
public static Instant convertDuration(Instant start, String duration) throws ParseException { protected String cliOption(String option, String[] properties, String defaultValue) {
if (start == null) { if (cli.hasOption(option)) {
start = Instant.now(); return cli.getOptionValue(option);
}
for (String property : properties) {
// first look up the scoped version of the property
String value = props.getProperty(name + "." + property);
if (value != null) {
return value;
}
value = props.getProperty(property);
if (value != null) {
return value;
}
}
return defaultValue;
} }
if (duration.startsWith("now")) { /**
start = Instant.now(); * Given a parsed command line, option, and list of possible config
if (duration.indexOf("+") < 0) * properties, determine the value for the option, converting the value to
return start; * long.
*/
duration = duration.substring(3); protected long cliLongOption(String option, String[] properties, long defaultValue) {
String value = cliOption(option, properties, Long.toString(defaultValue));
return Utils.parseLong(value, defaultValue);
} }
if (duration.startsWith("+")) { /**
long offset = parseLong(duration.substring(1), 0); * Given a parsed command line, option, and list of possible config
return start.plusSeconds(offset); * properties, determine the value for the option, converting the value to
* int.
*/
protected int cliIntOption(String option, String[] properties, int defaultValue) {
String value = cliOption(option, properties, Integer.toString(defaultValue));
return Utils.parseInt(value, defaultValue);
} }
// This is a heuristic to distinguish UNIX epoch times from the zone file /**
// format standard (which is length == 14) * Given a parsed command line, option, and list of possible config
if (duration.length() <= 10) { * properties, determine the value for the option, converting the value to
long epoch = parseLong(duration, 0); * a boolean.
return Instant.ofEpochSecond(epoch); */
} protected boolean cliBooleanOption(String option, String[] properties, boolean defaultValue) {
if (cli.hasOption(option)) {
SimpleDateFormat dateFormatter = new SimpleDateFormat("yyyyMMddHHmmss"); return true;
dateFormatter.setTimeZone(TimeZone.getTimeZone("GMT"));
try {
Date parsedDate = dateFormatter.parse(duration);
return parsedDate.toInstant();
} catch (java.text.ParseException e) {
throw new ParseException(e.getMessage());
} }
String value = cliOption(option, properties, Boolean.toString(defaultValue));
return Boolean.parseBoolean(value);
} }
public abstract void execute() throws Exception; public abstract void execute() throws Exception;
public void run(CLIStateBase state, String[] args) { public void run(String[] args) {
try {
state.parseCommandLine(args);
} catch (UnrecognizedOptionException e) {
System.err.println("error: unknown option encountered: " + e.getMessage());
state.usage();
} catch (AlreadySelectedException e) {
System.err.println("error: mutually exclusive options have "
+ "been selected:\n " + e.getMessage());
state.usage();
} catch (Exception e) {
System.err.println("error: unknown command line parsing exception:");
e.printStackTrace();
state.usage();
}
parseCommandLine(args);
log = Logger.getLogger(this.getClass().toString()); log = Logger.getLogger(this.getClass().toString());
try { try {

View File

@ -0,0 +1,84 @@
package com.verisignlabs.dnssec.cl;
public class CLI {
private SubCommandType subCommand = null;
private String commandSetStr = null;
enum SubCommandType {
DSTOOL, KEYGEN, KEYINFO, SIGNKEYSET, SIGNRRSET, SIGNZONE, VERIFYZONE, ZONEFORMAT;
}
public CLI(String name, String usageStr) {
StringBuilder sb = new StringBuilder();
for (SubCommandType type : SubCommandType.class.getEnumConstants()) {
sb.append(type.toString().toLowerCase());
sb.append(" ");
}
commandSetStr = sb.toString().trim();
}
private void fail(String errorMessage){
System.err.println("ERROR: " + errorMessage);
System.exit(2);
}
public void run(String[] args) {
String[] subCommandArgs = null;
if (args.length < 1) {
fail("missing command: must be one of: " + commandSetStr);
}
String command = args[0];
if (command.equals("-h")) {
System.err.println("usage: jdnssec-tools <command> <command args..>");
System.err.println(" <command> is one of: " + commandSetStr);
System.exit(0);
}
try {
subCommand = SubCommandType.valueOf(command.toUpperCase());
} catch (IllegalArgumentException e) {
fail("unrecognized command '" + command + "': must be one of: " + commandSetStr);
}
subCommandArgs = new String[args.length - 1];
System.arraycopy(args, 1, subCommandArgs, 0, args.length - 1);
CLBase cmd = null;
switch(subCommand) {
case DSTOOL:
cmd = new DSTool("dstool", "jdnssec-tools dstool [..options..] keyfile [keyfile..]");
break;
case KEYGEN:
cmd = new KeyGen("keygen", "jdnssec-tools keygen [..options..] zonename");
break;
case KEYINFO:
cmd = new KeyInfoTool("keyinfotool", "jdnssec-tools keyinfo [..options..] keyfile");
break;
case SIGNKEYSET:
cmd = new SignKeyset("signkeyset", "jdnssec-tools signkeyset [..options..] dnskeyset_file [key_file ...]");
break;
case SIGNRRSET:
cmd = new SignRRset("signrrset", "jdnssec-tools signrrset [..options..] rrset_file key_file [key_file ...]");
break;
case SIGNZONE:
cmd = new SignZone("signzone", "jdnssec-tools signzone [..options..] zone_file [key_file ...]");
break;
case VERIFYZONE:
cmd = new VerifyZone("verifyzone", "jdnssec-tools verifyzone [..options..] zonefile");
break;
case ZONEFORMAT:
cmd = new ZoneFormat("zoneformat", "jdnssec-tools zoneformat [..options..] zonefile");
break;
default:
fail("commmand " + command + " has not been implemented.");
break;
}
cmd.run(subCommandArgs);
}
public static void main(String[] args) {
CLI cli = new CLI("cli", "jdnssec-tools <command> [..args..]");
cli.run(args);
}
}

View File

@ -18,11 +18,10 @@
package com.verisignlabs.dnssec.cl; package com.verisignlabs.dnssec.cl;
import java.io.FileWriter; import java.io.FileWriter;
import java.io.IOException;
import java.io.PrintWriter; import java.io.PrintWriter;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.Option; import org.apache.commons.cli.Option;
import org.apache.commons.cli.Options;
import org.xbill.DNS.CDSRecord; import org.xbill.DNS.CDSRecord;
import org.xbill.DNS.DLVRecord; import org.xbill.DNS.DLVRecord;
import org.xbill.DNS.DNSKEYRecord; import org.xbill.DNS.DNSKEYRecord;
@ -40,7 +39,15 @@ import com.verisignlabs.dnssec.security.SignUtils;
* @author David Blacka * @author David Blacka
*/ */
public class DSTool extends CLBase { public class DSTool extends CLBase {
private CLIState state; private dsType createType = dsType.DS;
private String outputfile = null;
private String[] keynames = null;
private int digestId = DNSSEC.Digest.SHA256;
private long dsTTL = -1;
public DSTool(String name, String usageStr) {
super(name, usageStr);
}
/** There are several records that are based on DS. */ /** There are several records that are based on DS. */
protected enum dsType { protected enum dsType {
@ -52,80 +59,77 @@ public class DSTool extends CLBase {
* state. * state.
*/ */
protected static class CLIState extends CLIStateBase {
public dsType createType = dsType.DS;
public String outputfile = null;
public String keyname = null;
public int digestId = DNSSEC.Digest.SHA256;
public CLIState() {
super("jdnssec-dstool [..options..] keyfile");
}
/** /**
* Set up the command line options. * Set up the command line options.
* *
* @return a set of command line options. * @return a set of command line options.
*/ */
@Override protected void setupOptions() {
protected void setupOptions(Options opts) {
opts.addOption(Option.builder("D").longOpt("dlv").desc("Generate a DLV record instead.").build()); opts.addOption(Option.builder("D").longOpt("dlv").desc("Generate a DLV record instead.").build());
opts.addOption(Option.builder("C").longOpt("cds").desc("Generate a CDS record instead").build()); opts.addOption(Option.builder("C").longOpt("cds").desc("Generate a CDS record instead").build());
opts.addOption( opts.addOption(
Option.builder("d").hasArg().argName("id").longOpt("digest").desc("The digest algorithm to use").build()); Option.builder("d").hasArg().argName("id").longOpt("digest").desc("The digest algorithm to use").build());
opts.addOption(Option.builder("f").hasArg().argName("file").longOpt("output").desc("output to file").build()); opts.addOption(Option.builder("f").hasArg().argName("file").longOpt("output").desc("output to file").build());
opts.addOption(Option.builder("T").longOpt("ttl").hasArg().desc("TTL to use for generated DS/CDS record").build());
} }
@Override protected void processOptions() {
protected void processOptions(CommandLine cli) String[] digestAlgOptionKeys = { "digest_algorithm", "digest_id" };
throws org.apache.commons.cli.ParseException { String[] dsTTLOptionKeys = { "ds_ttl", "ttl" };
outputfile = cli.getOptionValue('f'); outputfile = cli.getOptionValue('f');
if (cli.hasOption("dlv")) { if (cli.hasOption("dlv")) {
createType = dsType.DLV; createType = dsType.DLV;
} else if (cli.hasOption("cds")) { } else if (cli.hasOption("cds")) {
createType = dsType.CDS; createType = dsType.CDS;
} }
String optstr = cli.getOptionValue('d'); String digestValue = cliOption("d", digestAlgOptionKeys, Integer.toString(digestId));
if (optstr != null) digestId = DNSSEC.Digest.value(digestValue);
digestId = DNSSEC.Digest.value(optstr);
dsTTL = cliLongOption("ttl", dsTTLOptionKeys, dsTTL);
String[] args = cli.getArgs(); String[] args = cli.getArgs();
if (args.length < 1) { if (args.length < 1) {
System.err.println("error: missing key file "); fail("missing key file");
usage();
} }
keyname = args[0]; keynames = args;
} }
} public void createDS(String keyname) throws IOException {
DnsKeyPair key = BINDKeyUtils.loadKey(keyname, null);
public void execute() throws Exception {
DnsKeyPair key = BINDKeyUtils.loadKey(state.keyname, null);
DNSKEYRecord dnskey = key.getDNSKEYRecord(); DNSKEYRecord dnskey = key.getDNSKEYRecord();
if ((dnskey.getFlags() & DNSKEYRecord.Flags.SEP_KEY) == 0) { if ((dnskey.getFlags() & DNSKEYRecord.Flags.SEP_KEY) == 0) {
log.warning("DNSKEY is not an SEP-flagged key."); log.warning("DNSKEY " + keyname + " is not an SEP-flagged key.");
} }
DSRecord ds = SignUtils.calculateDSRecord(dnskey, state.digestId, dnskey.getTTL()); long ttl = dsTTL < 0 ? dnskey.getTTL() : dsTTL;
Record res = ds; DSRecord ds = SignUtils.calculateDSRecord(dnskey, digestId, ttl);
Record res;
if (state.createType == dsType.DLV) { switch (createType) {
case DLV:
log.fine("creating DLV."); log.fine("creating DLV.");
DLVRecord dlv = new DLVRecord(ds.getName(), ds.getDClass(), ds.getTTL(), ds.getFootprint(), ds.getAlgorithm(), DLVRecord dlv = new DLVRecord(ds.getName(), ds.getDClass(), ds.getTTL(), ds.getFootprint(), ds.getAlgorithm(),
ds.getDigestID(), ds.getDigest()); ds.getDigestID(), ds.getDigest());
res = dlv; res = dlv;
} else if (state.createType == dsType.CDS) { break;
case CDS:
log.fine("creating CDS."); log.fine("creating CDS.");
CDSRecord cds = new CDSRecord(ds.getName(), ds.getDClass(), ds.getTTL(), ds.getFootprint(), ds.getAlgorithm(), CDSRecord cds = new CDSRecord(ds.getName(), ds.getDClass(), ds.getTTL(), ds.getFootprint(), ds.getAlgorithm(),
ds.getDClass(), ds.getDigest()); ds.getDClass(), ds.getDigest());
res = cds; res = cds;
break;
default:
res = ds;
break;
} }
if (state.outputfile != null && !state.outputfile.equals("-")) { if (outputfile != null && !outputfile.equals("-")) {
try (PrintWriter out = new PrintWriter(new FileWriter(state.outputfile))) { try (PrintWriter out = new PrintWriter(new FileWriter(outputfile))) {
out.println(res); out.println(res);
} }
} else { } else {
@ -133,10 +137,15 @@ public class DSTool extends CLBase {
} }
} }
public static void main(String[] args) { public void execute() throws Exception {
DSTool tool = new DSTool(); for (String keyname : keynames){
tool.state = new CLIState(); createDS(keyname);
}
}
tool.run(tool.state, args); public static void main(String[] args) {
DSTool tool = new DSTool("dstool", "jdnssec-dstool [..options..] keyfile [keyfile..]");
tool.run(args);
} }
} }

View File

@ -19,9 +19,7 @@ package com.verisignlabs.dnssec.cl;
import java.io.File; import java.io.File;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.Option; import org.apache.commons.cli.Option;
import org.apache.commons.cli.Options;
import org.xbill.DNS.DClass; import org.xbill.DNS.DClass;
import org.xbill.DNS.DNSKEYRecord; import org.xbill.DNS.DNSKEYRecord;
import org.xbill.DNS.Name; import org.xbill.DNS.Name;
@ -37,33 +35,25 @@ import com.verisignlabs.dnssec.security.JCEDnsSecSigner;
* @author David Blacka * @author David Blacka
*/ */
public class KeyGen extends CLBase { public class KeyGen extends CLBase {
private CLIState state; private int algorithm = 13;
private int keylength = 2048;
private boolean useLargeE = true;
private String outputfile = null;
private File keydir = null;
private boolean zoneKey = true;
private boolean kskFlag = false;
private String owner = null;
private long ttl = 86400;
private int givenKeyTag = -1;
/** public KeyGen(String name, String usageStr) {
* This is a small inner class used to hold all of the command line option super(name, usageStr);
* state.
*/
protected static class CLIState extends CLIStateBase {
public int algorithm = 13;
public int keylength = 2048;
public boolean useLargeE = true;
public String outputfile = null;
public File keydir = null;
public boolean zoneKey = true;
public boolean kskFlag = false;
public String owner = null;
public long ttl = 86400;
public int givenKeyTag = -1;
public CLIState() {
super("jdnssec-keygen [..options..] name");
} }
/** /**
* Set up the command line options. * Set up the command line options.
*/ */
@Override protected void setupOptions() {
protected void setupOptions(Options opts) {
// boolean options // boolean options
opts.addOption("k", "kskflag", false, opts.addOption("k", "kskflag", false,
"Key is a key-signing-key (sets the SEP flag)."); "Key is a key-signing-key (sets the SEP flag).");
@ -93,121 +83,96 @@ public class KeyGen extends CLBase {
} }
@Override protected void processOptions() {
protected void processOptions(CommandLine cli) String[] useLargeEOptionKeys = { "use_large_exponent", "use_large_e" };
throws org.apache.commons.cli.ParseException { String[] keyDirectoryOptionKeys = { "key_directory", "keydir" };
String optstr = null; String[] algorithmOptionKeys = { "algorithm", "alg " };
String[] optstrs = null; String[] keyLengthOptionKeys = { "key_length", "keylen" };
String[] ttlOptionKeys = { "dnskey_ttl", "ttl" };
if (cli.hasOption('k')) if (cli.hasOption('k')) {
kskFlag = true; kskFlag = true;
if (cli.hasOption('e')) }
useLargeE = true; useLargeE = cli.hasOption('e'); // explicit command line option for the large exponent
useLargeE = !cli.hasOption('E'); // explicit command line option for the small exponent
String optstr = cliOption("e", useLargeEOptionKeys, Boolean.toString(useLargeE)); // get any config file properties
if (optstr != null) {
useLargeE = Boolean.parseBoolean(optstr);
}
outputfile = cli.getOptionValue('f'); outputfile = cli.getOptionValue('f');
if ((optstr = cli.getOptionValue('d')) != null) { String keydirName = cliOption("d", keyDirectoryOptionKeys, null);
keydir = new File(optstr); if (keydirName != null) {
keydir = new File(keydirName);
} }
if ((optstr = cli.getOptionValue('n')) != null && !optstr.equalsIgnoreCase("ZONE")) { String algString = cliOption("a", algorithmOptionKeys, Integer.toString(algorithm));
zoneKey = false; algorithm = Utils.parseAlg(algString);
}
if ((optstrs = cli.getOptionValues('A')) != null) {
for (int i = 0; i < optstrs.length; i++) {
addArgAlias(optstrs[i]);
}
}
if ((optstr = cli.getOptionValue('a')) != null) {
algorithm = CLIState.parseAlg(optstr);
if (algorithm < 0) { if (algorithm < 0) {
System.err.println("DNSSEC algorithm " + optstr + " is not supported"); fail("DNSSEC algorithm " + algString + " is not supported");
usage();
}
} }
if ((optstr = cli.getOptionValue('b')) != null) { keylength = cliIntOption("b", keyLengthOptionKeys, keylength);
keylength = parseInt(optstr, 1024); ttl = cliLongOption("ttl", ttlOptionKeys, ttl);
} givenKeyTag = Utils.parseInt(cli.getOptionValue("with-tag"), -1);
if ((optstr = cli.getOptionValue("ttl")) != null) {
ttl = parseInt(optstr, 86400);
}
if ((optstr = cli.getOptionValue("with-tag")) != null) {
givenKeyTag = parseInt(optstr, -1);
}
String[] args = cli.getArgs(); String[] args = cli.getArgs();
if (args.length < 1) { if (args.length < 1) {
System.err.println("error: missing key owner name"); fail("missing key owner name");
usage();
} }
owner = args[0]; owner = args[0];
}
private static int parseAlg(String s) { log.fine("keygen options => algorithm: " + algorithm + ", keylength: " + keylength +
DnsKeyAlgorithm algs = DnsKeyAlgorithm.getInstance(); ", useLargeE: " + useLargeE + ", kskFlag: " + kskFlag + ", ttl: " + ttl + ", givenKeyTag: " + givenKeyTag);
int alg = parseInt(s, -1);
if (alg > 0) {
if (algs.supportedAlgorithm(alg))
return alg;
return -1;
}
return algs.stringToAlgorithm(s);
}
} }
public void execute() throws Exception { public void execute() throws Exception {
JCEDnsSecSigner signer = new JCEDnsSecSigner(); JCEDnsSecSigner signer = new JCEDnsSecSigner();
// Minor hack to make the owner name absolute. // Minor hack to make the owner name absolute.
if (!state.owner.endsWith(".")) { if (!owner.endsWith(".")) {
state.owner = state.owner + "."; owner = owner + ".";
} }
Name ownerName = Name.fromString(state.owner); Name ownerName = Name.fromString(owner);
// Calculate our flags // Calculate our flags
int flags = 0; int flags = 0;
if (state.zoneKey) { if (zoneKey) {
flags |= DNSKEYRecord.Flags.ZONE_KEY; flags |= DNSKEYRecord.Flags.ZONE_KEY;
} }
if (state.kskFlag) { if (kskFlag) {
flags |= DNSKEYRecord.Flags.SEP_KEY; flags |= DNSKEYRecord.Flags.SEP_KEY;
} }
log.fine("create key pair with (name = " + ownerName + ", ttl = " + state.ttl log.fine("create key pair with (name = " + ownerName + ", ttl = " + ttl
+ ", alg = " + state.algorithm + ", flags = " + flags + ", length = " + ", alg = " + algorithm + ", flags = " + flags + ", length = "
+ state.keylength + ")"); + keylength + ")");
DnsKeyPair pair = signer.generateKey(ownerName, state.ttl, DClass.IN, DnsKeyPair pair = signer.generateKey(ownerName, ttl, DClass.IN,
state.algorithm, flags, state.keylength, algorithm, flags, keylength,
state.useLargeE); useLargeE);
// If we were asked to generate a duplicate keytag, keep trying until we get one // If we were asked to generate a duplicate keytag, keep trying until we get one
while (state.givenKeyTag >= 0 && pair.getDNSKEYFootprint() != state.givenKeyTag) { // This can take a long time, depending on our key generation speed
pair = signer.generateKey(ownerName, state.ttl, DClass.IN, state.algorithm, flags, state.keylength, while (givenKeyTag >= 0 && pair.getDNSKEYFootprint() != givenKeyTag) {
state.useLargeE); pair = signer.generateKey(ownerName, ttl, DClass.IN, algorithm, flags, keylength,
useLargeE);
} }
if (state.outputfile != null) { if (outputfile != null) {
BINDKeyUtils.writeKeyFiles(state.outputfile, pair, state.keydir); BINDKeyUtils.writeKeyFiles(outputfile, pair, keydir);
} else { } else {
BINDKeyUtils.writeKeyFiles(pair, state.keydir); BINDKeyUtils.writeKeyFiles(pair, keydir);
System.out.println(BINDKeyUtils.keyFileBase(pair)); System.out.println(BINDKeyUtils.keyFileBase(pair));
} }
} }
public static void main(String[] args) { public static void main(String[] args) {
KeyGen tool = new KeyGen(); KeyGen tool = new KeyGen("keygen", "jdnssec-keygen [..options..] zonename");
tool.state = new CLIState();
tool.run(tool.state, args); tool.run(args);
} }
} }

View File

@ -20,9 +20,6 @@ package com.verisignlabs.dnssec.cl;
import java.security.interfaces.DSAPublicKey; import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.RSAPublicKey; import java.security.interfaces.RSAPublicKey;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.Options;
import org.apache.commons.cli.ParseException;
import org.xbill.DNS.DNSKEYRecord; import org.xbill.DNS.DNSKEYRecord;
import com.verisignlabs.dnssec.security.BINDKeyUtils; import com.verisignlabs.dnssec.security.BINDKeyUtils;
@ -35,41 +32,32 @@ import com.verisignlabs.dnssec.security.DnsKeyPair;
* @author David Blacka * @author David Blacka
*/ */
public class KeyInfoTool extends CLBase { public class KeyInfoTool extends CLBase {
private CLIState state; private String[] keynames = null;
/** public KeyInfoTool(String name, String usageStr) {
* This is a small inner class used to hold all of the command line option super(name, usageStr);
* state.
*/
protected static class CLIState extends CLIStateBase {
public String[] keynames = null;
public CLIState() {
super("jdnssec-keyinfo [..options..] keyfile");
} }
/** /**
* Set up the command line options. * Set up the command line options.
*/ */
@Override protected void setupOptions() {
protected void setupOptions(Options opts) {
// no special options at the moment. // no special options at the moment.
} }
@Override
protected void processOptions(CommandLine cli) throws ParseException { protected void processOptions() {
keynames = cli.getArgs(); keynames = cli.getArgs();
if (keynames.length < 1) { if (keynames.length < 1) {
System.err.println("error: missing key file "); fail("missing key file");
usage();
}
} }
} }
public void execute() throws Exception { public void execute() throws Exception {
for (int i = 0; i < state.keynames.length; ++i) { for (int i = 0; i < keynames.length; ++i) {
String keyname = state.keynames[i]; String keyname = keynames[i];
DnsKeyPair key = BINDKeyUtils.loadKey(keyname, null); DnsKeyPair key = BINDKeyUtils.loadKey(keyname, null);
DNSKEYRecord dnskey = key.getDNSKEYRecord(); DNSKEYRecord dnskey = key.getDNSKEYRecord();
DnsKeyAlgorithm dnskeyalg = DnsKeyAlgorithm.getInstance(); DnsKeyAlgorithm dnskeyalg = DnsKeyAlgorithm.getInstance();
@ -97,16 +85,15 @@ public class KeyInfoTool extends CLBase {
System.out.println("DSA subprime (Q): " + pub.getParams().getQ()); System.out.println("DSA subprime (Q): " + pub.getParams().getQ());
System.out.println("DSA public (Y): " + pub.getY()); System.out.println("DSA public (Y): " + pub.getY());
} }
if (state.keynames.length - i > 1) { if (keynames.length - i > 1) {
System.out.println(); System.out.println();
} }
} }
} }
public static void main(String[] args) { public static void main(String[] args) {
KeyInfoTool tool = new KeyInfoTool(); KeyInfoTool tool = new KeyInfoTool("keyinfotool", "jdnssec-keyinfo [..options..] keyfile");
tool.state = new CLIState();
tool.run(tool.state, args); tool.run(args);
} }
} }

View File

@ -24,9 +24,7 @@ import java.time.Instant;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.Option; import org.apache.commons.cli.Option;
import org.apache.commons.cli.Options;
import org.xbill.DNS.Name; import org.xbill.DNS.Name;
import org.xbill.DNS.RRSIGRecord; import org.xbill.DNS.RRSIGRecord;
import org.xbill.DNS.RRset; import org.xbill.DNS.RRset;
@ -48,29 +46,24 @@ import com.verisignlabs.dnssec.security.ZoneUtils;
* @author David Blacka * @author David Blacka
*/ */
public class SignKeyset extends CLBase { public class SignKeyset extends CLBase {
private CLIState state; private File keyDirectory = null;
private String[] keyFiles = null;
private Instant start = null;
private Instant expire = null;
private String inputfile = null;
private String outputfile = null;
private boolean verifySigs = false;
/** public SignKeyset(String name, String usageStr) {
* This is an inner class used to hold all of the command line option state. super(name, usageStr);
*/
protected static class CLIState extends CLIStateBase {
public File keyDirectory = null;
public String[] keyFiles = null;
public Instant start = null;
public Instant expire = null;
public String inputfile = null;
public String outputfile = null;
public boolean verifySigs = false;
public CLIState() {
super("jdnssec-signkeyset [..options..] dnskeyset_file [key_file ...]");
} }
/** /**
* Set up the command line options. * Set up the command line options.
*/ */
@Override
protected void setupOptions(Options opts) { protected void setupOptions() {
// boolean options // boolean options
opts.addOption("a", "verify", false, "verify generated signatures>"); opts.addOption("a", "verify", false, "verify generated signatures>");
@ -85,33 +78,46 @@ public class SignKeyset extends CLBase {
Option.builder("f").hasArg().argName("outfile").desc("file the signed keyset is written to").build()); Option.builder("f").hasArg().argName("outfile").desc("file the signed keyset is written to").build());
} }
@Override
protected void processOptions(CommandLine cli) protected void processOptions() {
throws org.apache.commons.cli.ParseException { String[] verifyOptionKeys = { "verify_signatures", "verify" };
String[] keyDirectoryOptionKeys = { "key_directory", "keydir" };
String[] inceptionOptionKeys = { "inception", "start" };
String[] expireOptionKeys = { "expire" };
String optstr = null; String optstr = null;
if (cli.hasOption('a')) verifySigs = cliBooleanOption("a", verifyOptionKeys, false);
verifySigs = true;
if ((optstr = cli.getOptionValue('D')) != null) { String keyDirectoryName = cliOption("D", keyDirectoryOptionKeys, null);
if (keyDirectoryName != null) {
keyDirectory = new File(optstr); keyDirectory = new File(optstr);
if (!keyDirectory.isDirectory()) { if (!keyDirectory.isDirectory()) {
System.err.println("error: " + optstr + " is not a directory"); fail("key directory " + optstr + " is not a directory");
usage();
} }
} }
if ((optstr = cli.getOptionValue('s')) != null) { try {
start = convertDuration(null, optstr); optstr = cliOption("s", inceptionOptionKeys, null);
if (optstr != null) {
start = Utils.convertDuration(null, optstr);
} else { } else {
// default is now - 1 hour. // default is now - 1 hour.
start = Instant.now().minusSeconds(3600); start = Instant.now().minusSeconds(3600);
} }
} catch (java.text.ParseException e) {
fail("Unable to parse start time specifiction: " + e);
}
if ((optstr = cli.getOptionValue('e')) != null) { try {
expire = convertDuration(start, optstr); optstr = cliOption("e", expireOptionKeys, null);
if (optstr != null) {
expire = Utils.convertDuration(start, optstr);
} else { } else {
expire = convertDuration(start, "+2592000"); // 30 days expire = Utils.convertDuration(start, "+2592000"); // 30 days
}
} catch (java.text.ParseException e) {
fail("Unable to parse expire time specification: " + e);
} }
outputfile = cli.getOptionValue('f'); outputfile = cli.getOptionValue('f');
@ -119,8 +125,7 @@ public class SignKeyset extends CLBase {
String[] files = cli.getArgs(); String[] files = cli.getArgs();
if (files.length < 1) { if (files.length < 1) {
System.err.println("error: missing zone file and/or key files"); fail("missing zone file and/or key files");
usage();
} }
inputfile = files[0]; inputfile = files[0];
@ -129,7 +134,6 @@ public class SignKeyset extends CLBase {
System.arraycopy(files, 1, keyFiles, 0, files.length - 1); System.arraycopy(files, 1, keyFiles, 0, files.length - 1);
} }
} }
}
/** /**
* Verify the generated signatures. * Verify the generated signatures.
@ -138,7 +142,7 @@ public class SignKeyset extends CLBase {
* @param keypairs a list of keypairs used the sign the zone. * @param keypairs a list of keypairs used the sign the zone.
* @return true if all of the signatures validated. * @return true if all of the signatures validated.
*/ */
private static boolean verifySigs(List<Record> records, private boolean verifySigs(List<Record> records,
List<DnsKeyPair> keypairs) { List<DnsKeyPair> keypairs) {
boolean secure = true; boolean secure = true;
@ -160,7 +164,7 @@ public class SignKeyset extends CLBase {
boolean result = verifier.verify(rrset); boolean result = verifier.verify(rrset);
if (!result) { if (!result) {
staticLog.fine("Signatures did not verify for RRset: " + rrset); log.fine("Signatures did not verify for RRset: " + rrset);
secure = false; secure = false;
} }
} }
@ -179,7 +183,7 @@ public class SignKeyset extends CLBase {
* @param inDirectory the directory to look in (may be null). * @param inDirectory the directory to look in (may be null).
* @return a list of keypair objects. * @return a list of keypair objects.
*/ */
private static List<DnsKeyPair> getKeys(String[] keyfiles, int startIndex, private List<DnsKeyPair> getKeys(String[] keyfiles, int startIndex,
File inDirectory) throws IOException { File inDirectory) throws IOException {
if (keyfiles == null) if (keyfiles == null)
return new ArrayList<>(); return new ArrayList<>();
@ -236,10 +240,9 @@ public class SignKeyset extends CLBase {
public void execute() throws Exception { public void execute() throws Exception {
// Read in the zone // Read in the zone
List<Record> records = ZoneUtils.readZoneFile(state.inputfile, null); List<Record> records = ZoneUtils.readZoneFile(inputfile, null);
if (records == null || records.isEmpty()) { if (records == null || records.isEmpty()) {
System.err.println("error: empty keyset file"); fail("empty keyset file");
state.usage();
} }
// Make sure that all records are DNSKEYs with the same name. // Make sure that all records are DNSKEYs with the same name.
@ -255,46 +258,42 @@ public class SignKeyset extends CLBase {
keysetName = r.getName(); keysetName = r.getName();
} }
if (!r.getName().equals(keysetName)) { if (!r.getName().equals(keysetName)) {
System.err.println("error: DNSKEY with a different name found!"); fail("DNSKEY with a different name found!");
state.usage();
} }
keyset.addRR(r); keyset.addRR(r);
} }
if (keyset.size() == 0) { if (keyset.size() == 0) {
System.err.println("error: No DNSKEYs found in keyset file"); fail("error: No DNSKEYs found in keyset file");
state.usage();
} }
// Load the key pairs. // Load the key pairs.
List<DnsKeyPair> keypairs = getKeys(state.keyFiles, 0, state.keyDirectory); List<DnsKeyPair> keypairs = getKeys(keyFiles, 0, keyDirectory);
// If we *still* don't have any key pairs, look for keys the key // If we *still* don't have any key pairs, look for keys the key
// directory // directory
// that match // that match
if (keypairs == null) { if (keypairs == null) {
keypairs = findZoneKeys(state.keyDirectory, keysetName); keypairs = findZoneKeys(keyDirectory, keysetName);
} }
// If there *still* aren't any ZSKs defined, bail. // If there *still* aren't any ZSKs defined, bail.
if (keypairs == null || keypairs.isEmpty() || keysetName == null) { if (keypairs == null || keypairs.isEmpty() || keysetName == null) {
System.err.println("error: No signing keys could be determined."); fail("no signing keys could be determined.");
state.usage();
return;
} }
// default the output file, if not set. // default the output file, if not set.
if (state.outputfile == null) { if (outputfile == null) {
if (keysetName.isAbsolute()) { if (keysetName.isAbsolute()) {
state.outputfile = keysetName + "signed_keyset"; outputfile = keysetName + "signed_keyset";
} else { } else {
state.outputfile = keysetName + ".signed_keyset"; outputfile = keysetName + ".signed_keyset";
} }
} }
JCEDnsSecSigner signer = new JCEDnsSecSigner(); JCEDnsSecSigner signer = new JCEDnsSecSigner();
List<RRSIGRecord> sigs = signer.signRRset(keyset, keypairs, state.start, state.expire); List<RRSIGRecord> sigs = signer.signRRset(keyset, keypairs, start, expire);
for (RRSIGRecord s : sigs) { for (RRSIGRecord s : sigs) {
keyset.addRR(s); keyset.addRR(s);
} }
@ -309,9 +308,9 @@ public class SignKeyset extends CLBase {
} }
// write out the signed zone // write out the signed zone
ZoneUtils.writeZoneFile(signedRecords, state.outputfile); ZoneUtils.writeZoneFile(signedRecords, outputfile);
if (state.verifySigs) { if (verifySigs) {
log.fine("verifying generated signatures"); log.fine("verifying generated signatures");
boolean res = verifySigs(signedRecords, keypairs); boolean res = verifySigs(signedRecords, keypairs);
@ -325,9 +324,8 @@ public class SignKeyset extends CLBase {
} }
public static void main(String[] args) { public static void main(String[] args) {
SignKeyset tool = new SignKeyset(); SignKeyset tool = new SignKeyset("signkeyset", "jdnssec-signkeyset [..options..] dnskeyset_file [key_file ...]");
tool.state = new CLIState();
tool.run(tool.state, args); tool.run(args);
} }
} }

View File

@ -23,9 +23,7 @@ import java.time.Instant;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.Option; import org.apache.commons.cli.Option;
import org.apache.commons.cli.Options;
import org.xbill.DNS.Name; import org.xbill.DNS.Name;
import org.xbill.DNS.RRSIGRecord; import org.xbill.DNS.RRSIGRecord;
import org.xbill.DNS.RRset; import org.xbill.DNS.RRset;
@ -49,30 +47,26 @@ import com.verisignlabs.dnssec.security.ZoneUtils;
* @author David Blacka * @author David Blacka
*/ */
public class SignRRset extends CLBase { public class SignRRset extends CLBase {
private CLIState state;
/**
* This is an inner class used to hold all of the command line option state.
*/
protected static class CLIState extends CLIStateBase {
private File keyDirectory = null; private File keyDirectory = null;
public String[] keyFiles = null; private String[] keyFiles = null;
public Instant start = null; private Instant start = null;
public Instant expire = null; private Instant expire = null;
public String inputfile = null; private String inputfile = null;
public String outputfile = null; private String outputfile = null;
public boolean verifySigs = false; private boolean verifySigs = false;
public boolean verboseSigning = false; private boolean verboseSigning = false;
public CLIState() {
super("jdnssec-signrrset [..options..] rrset_file key_file [key_file ...]"); public SignRRset(String name, String usageStr) {
super(name, usageStr);
} }
/** /**
* Set up the command line options. * Set up the command line options.
*/ */
@Override protected void setupOptions() {
protected void setupOptions(Options opts) {
// boolean options // boolean options
opts.addOption("a", "verify", false, "verify generated signatures>"); opts.addOption("a", "verify", false, "verify generated signatures>");
opts.addOption("V", "verbose-signing", false, "Display verbose signing activity."); opts.addOption("V", "verbose-signing", false, "Display verbose signing activity.");
@ -87,34 +81,48 @@ public class SignRRset extends CLBase {
Option.builder("f").hasArg().argName("outfile").desc("file the the signed rrset is written to").build()); Option.builder("f").hasArg().argName("outfile").desc("file the the signed rrset is written to").build());
} }
@Override protected void processOptions() {
protected void processOptions(CommandLine cli) throws org.apache.commons.cli.ParseException { String[] verifyOptionKeys = { "verify_signatures", "verify" };
String[] verboseSigningOptionKeys = { "verbose_signing" };
String[] keyDirectoryOptionKeys = { "key_directory", "keydir" };
String[] inceptionOptionKeys = { "inception", "start" };
String[] expireOptionKeys = { "expire" };
String optstr = null; String optstr = null;
if (cli.hasOption('a')) verifySigs = cliBooleanOption("a", verifyOptionKeys, false);
verifySigs = true;
if (cli.hasOption('V'))
verboseSigning = true;
if ((optstr = cli.getOptionValue('D')) != null) { verboseSigning = cliBooleanOption("V", verboseSigningOptionKeys, false);
optstr = cliOption("D", keyDirectoryOptionKeys, null);
if (optstr != null) {
keyDirectory = new File(optstr); keyDirectory = new File(optstr);
if (!keyDirectory.isDirectory()) { if (!keyDirectory.isDirectory()) {
System.err.println("error: " + optstr + " is not a directory"); fail("key directory " + optstr + " is not a directory");
usage();
} }
} }
if ((optstr = cli.getOptionValue('s')) != null) { try {
start = convertDuration(null, optstr); optstr = cliOption("s", inceptionOptionKeys, null);
if (optstr != null) {
start = Utils.convertDuration(null, optstr);
} else { } else {
// default is now - 1 hour. // default is now - 1 hour.
start = Instant.now().minusSeconds(3600); start = Instant.now().minusSeconds(3600);
} }
} catch (java.text.ParseException e) {
fail("unable to parse start time specifiction: " + e);
}
if ((optstr = cli.getOptionValue('e')) != null) { try {
expire = convertDuration(start, optstr); optstr = cliOption("e", expireOptionKeys, null);
if (optstr != null) {
expire = Utils.convertDuration(start, optstr);
} else { } else {
expire = convertDuration(start, "+2592000"); // 30 days expire = Utils.convertDuration(start, "+2592000"); // 30 days
}
} catch (java.text.ParseException e) {
fail("Unable to parse expire time specification: " + e);
} }
outputfile = cli.getOptionValue('f'); outputfile = cli.getOptionValue('f');
@ -122,8 +130,7 @@ public class SignRRset extends CLBase {
String[] files = cli.getArgs(); String[] files = cli.getArgs();
if (files.length < 1) { if (files.length < 1) {
System.err.println("error: missing zone file and/or key files"); fail("missing zone file and/or key files");
usage();
} }
inputfile = files[0]; inputfile = files[0];
@ -132,7 +139,7 @@ public class SignRRset extends CLBase {
System.arraycopy(files, 1, keyFiles, 0, files.length - 1); System.arraycopy(files, 1, keyFiles, 0, files.length - 1);
} }
} }
}
/** /**
* Verify the generated signatures. * Verify the generated signatures.
@ -141,7 +148,7 @@ public class SignRRset extends CLBase {
* @param keypairs a list of keypairs used the sign the zone. * @param keypairs a list of keypairs used the sign the zone.
* @return true if all of the signatures validated. * @return true if all of the signatures validated.
*/ */
private static boolean verifySigs(List<Record> records, List<DnsKeyPair> keypairs) { private boolean verifySigs(List<Record> records, List<DnsKeyPair> keypairs) {
boolean secure = true; boolean secure = true;
DnsSecVerifier verifier = new DnsSecVerifier(); DnsSecVerifier verifier = new DnsSecVerifier();
@ -163,7 +170,7 @@ public class SignRRset extends CLBase {
boolean result = verifier.verify(rrset); boolean result = verifier.verify(rrset);
if (!result) { if (!result) {
staticLog.fine("Signatures did not verify for RRset: " + rrset); log.fine("Signatures did not verify for RRset: " + rrset);
secure = false; secure = false;
} }
} }
@ -182,7 +189,7 @@ public class SignRRset extends CLBase {
* @param inDirectory the directory to look in (may be null). * @param inDirectory the directory to look in (may be null).
* @return a list of keypair objects. * @return a list of keypair objects.
*/ */
private static List<DnsKeyPair> getKeys(String[] keyfiles, int startIndex, private List<DnsKeyPair> getKeys(String[] keyfiles, int startIndex,
File inDirectory) throws IOException { File inDirectory) throws IOException {
if (keyfiles == null) if (keyfiles == null)
return new ArrayList<>(); return new ArrayList<>();
@ -204,10 +211,9 @@ public class SignRRset extends CLBase {
public void execute() throws Exception { public void execute() throws Exception {
// Read in the zone // Read in the zone
List<Record> records = ZoneUtils.readZoneFile(state.inputfile, null); List<Record> records = ZoneUtils.readZoneFile(inputfile, null);
if (records == null || records.isEmpty()) { if (records == null || records.isEmpty()) {
System.err.println("error: empty RRset file"); fail("empty RRset file");
state.usage();
} }
// Construct the RRset. Complain if the records in the input file // Construct the RRset. Complain if the records in the input file
// consist of more than one RRset. // consist of more than one RRset.
@ -230,25 +236,21 @@ public class SignRRset extends CLBase {
&& rrset.getDClass() == r.getDClass()) { && rrset.getDClass() == r.getDClass()) {
rrset.addRR(r); rrset.addRR(r);
} else { } else {
System.err.println("Records do not all belong to the same RRset."); fail("records do not all belong to the same RRset");
state.usage();
} }
} }
if (rrset == null || rrset.size() == 0) { if (rrset == null || rrset.size() == 0) {
System.err.println("No records found in inputfile."); fail("no records found in inputfile");
state.usage();
return;
} }
// Load the key pairs. // Load the key pairs.
if (state.keyFiles.length == 0) { if (keyFiles.length == 0) {
System.err.println("error: at least one keyfile must be specified"); fail("at least one keyfile must be specified");
state.usage();
} }
List<DnsKeyPair> keypairs = getKeys(state.keyFiles, 0, state.keyDirectory); List<DnsKeyPair> keypairs = getKeys(keyFiles, 0, keyDirectory);
// Make sure that all the keypairs have the same name. // Make sure that all the keypairs have the same name.
// This will be used as the zone name, too. // This will be used as the zone name, too.
@ -260,19 +262,18 @@ public class SignRRset extends CLBase {
continue; continue;
} }
if (!pair.getDNSKEYName().equals(keysetName)) { if (!pair.getDNSKEYName().equals(keysetName)) {
System.err.println("Keys do not all have the same name."); fail("keys do not all have the same name");
state.usage();
} }
} }
// default the output file, if not set. // default the output file, if not set.
if (state.outputfile == null && !state.inputfile.equals("-")) { if (outputfile == null && !inputfile.equals("-")) {
state.outputfile = state.inputfile + ".signed"; outputfile = inputfile + ".signed";
} }
JCEDnsSecSigner signer = new JCEDnsSecSigner(state.verboseSigning); JCEDnsSecSigner signer = new JCEDnsSecSigner(verboseSigning);
List<RRSIGRecord> sigs = signer.signRRset(rrset, keypairs, state.start, state.expire); List<RRSIGRecord> sigs = signer.signRRset(rrset, keypairs, start, expire);
for (RRSIGRecord s : sigs) { for (RRSIGRecord s : sigs) {
rrset.addRR(s); rrset.addRR(s);
} }
@ -287,9 +288,9 @@ public class SignRRset extends CLBase {
} }
// write out the signed zone // write out the signed zone
ZoneUtils.writeZoneFile(signedRecords, state.outputfile); ZoneUtils.writeZoneFile(signedRecords, outputfile);
if (state.verifySigs) { if (verifySigs) {
log.fine("verifying generated signatures"); log.fine("verifying generated signatures");
boolean res = verifySigs(signedRecords, keypairs); boolean res = verifySigs(signedRecords, keypairs);
@ -303,9 +304,8 @@ public class SignRRset extends CLBase {
} }
public static void main(String[] args) { public static void main(String[] args) {
SignRRset tool = new SignRRset(); SignRRset tool = new SignRRset("signrrset", "jdnssec-signrrset [..options..] rrset_file key_file [key_file ...]");
tool.state = new CLIState();
tool.run(tool.state, args); tool.run(args);
} }
} }

View File

@ -28,10 +28,7 @@ import java.util.Iterator;
import java.util.List; import java.util.List;
import java.util.Random; import java.util.Random;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.Option; import org.apache.commons.cli.Option;
import org.apache.commons.cli.Options;
import org.apache.commons.cli.ParseException;
import org.xbill.DNS.DNSKEYRecord; import org.xbill.DNS.DNSKEYRecord;
import org.xbill.DNS.DNSSEC; import org.xbill.DNS.DNSSEC;
import org.xbill.DNS.Name; import org.xbill.DNS.Name;
@ -54,39 +51,32 @@ import com.verisignlabs.dnssec.security.ZoneUtils;
* @author David Blacka * @author David Blacka
*/ */
public class SignZone extends CLBase { public class SignZone extends CLBase {
private CLIState state; private File keyDirectory = null;
private File keysetDirectory = null;
/** private String[] kskFiles = null;
* This is an inner class used to hold all of the command line option state. private String[] keyFiles = null;
*/ private String zonefile = null;
private static class CLIState extends CLIStateBase { private Instant start = null;
public File keyDirectory = null; private Instant expire = null;
public File keysetDirectory = null; private String outputfile = null;
public String[] kskFiles = null; private boolean verifySigs = false;
public String[] keyFiles = null; private boolean useOptOut = false;
public String zonefile = null; private boolean fullySignKeyset = false;
public Instant start = null; private List<Name> includeNames = null;
public Instant expire = null; private boolean useNsec3 = false;
public String outputfile = null; private byte[] salt = null;
public boolean verifySigs = false; private int iterations = 0;
public boolean useOptOut = false; private int digestId = DNSSEC.Digest.SHA256;
public boolean fullySignKeyset = false; private long nsec3paramttl = -1;
public List<Name> includeNames = null; private boolean verboseSigning = false;
public boolean useNsec3 = false;
public byte[] salt = null;
public int iterations = 0;
public int digestId = DNSSEC.Digest.SHA1;
public long nsec3paramttl = -1;
public boolean verboseSigning = false;
private static final Random rand = new Random(); private static final Random rand = new Random();
public CLIState() { public SignZone(String name, String usageStr) {
super("jdnssec-signzone [..options..] zone_file [key_file ...]"); super(name, usageStr);
} }
@Override protected void setupOptions() {
protected void setupOptions(Options opts) {
// boolean options // boolean options
opts.addOption("a", "verify", false, "verify generated signatures>"); opts.addOption("a", "verify", false, "verify generated signatures>");
opts.addOption("F", "fully-sign-keyset", false, opts.addOption("F", "fully-sign-keyset", false,
@ -122,114 +112,115 @@ public class SignZone extends CLBase {
.desc("Use this TTL for the NSEC3PARAM record (default is min(soa.min, soa.ttl))").build()); .desc("Use this TTL for the NSEC3PARAM record (default is min(soa.min, soa.ttl))").build());
opts.addOption(Option.builder().hasArg().argName("id").longOpt("ds-digest") opts.addOption(Option.builder().hasArg().argName("id").longOpt("ds-digest")
.desc("Digest algorithm to use for generated DS records").build()); .desc("Digest algorithm to use for generated DS records").build());
} }
@Override protected void processOptions() {
protected void processOptions(CommandLine cli) throws ParseException { String[] verifyOptionKeys = { "verify_signatures", "verify" };
String[] nsec3OptionKeys = { "use_nsec3", "nsec3" };
String[] optOutOptionKeys = { "use_opt_out", "opt_out" };
String[] verboseSigningOptionKeys = { "verbose_signing" };
String[] fullySignKeysetOptionKeys = { "fully_sign_keyset", "fully_sign" };
String[] keyDirectoryOptionKeys = { "key_directory", "keydir" };
String[] inceptionOptionKeys = { "inception", "start" };
String[] expireOptionKeys = { "expire" };
String[] nsec3SaltOptionKeys = { "nsec3_salt", "salt" };
String[] randomSaltOptionKeys = { "nsec3_random_salt_length", "nsec3_salt_length", "random_salt_length" };
String[] nsec3IterationsOptionKeys = { "nsec3_iterations", "iterations" };
String[] digestAlgOptionKeys = { "digest_algorithm", "digest_id" };
String[] nsec3paramTTLOptionKeys = { "nsec3param_ttl" };
String[] incudeNamesOptionKeys = { "include_names_file", "include_names" };
String optstr = null; String optstr = null;
if (cli.hasOption('a')) verifySigs = cliBooleanOption("a", verifyOptionKeys, false);
verifySigs = true; useNsec3 = cliBooleanOption("3", nsec3OptionKeys, false);
if (cli.hasOption('3')) useOptOut = cliBooleanOption("O", optOutOptionKeys, false);
useNsec3 = true; verboseSigning = cliBooleanOption("V", verboseSigningOptionKeys, false);
if (cli.hasOption('O'))
useOptOut = true;
if (cli.hasOption('V'))
verboseSigning = true;
if (useOptOut && !useNsec3) { if (useOptOut && !useNsec3) {
System.err.println("Opt-Out not supported without NSEC3 -- ignored."); System.err.println("Opt-Out not supported without NSEC3 -- ignored.");
useOptOut = false; useOptOut = false;
} }
if (cli.hasOption('F')) fullySignKeyset = cliBooleanOption("F", fullySignKeysetOptionKeys, false);
fullySignKeyset = true;
if ((optstr = cli.getOptionValue('d')) != null) { optstr = cliOption("D", keyDirectoryOptionKeys, null);
keysetDirectory = new File(optstr); if (optstr != null) {
if (!keysetDirectory.isDirectory()) {
System.err.println("error: " + optstr + " is not a directory");
usage();
}
}
if ((optstr = cli.getOptionValue('D')) != null) {
keyDirectory = new File(optstr); keyDirectory = new File(optstr);
if (!keyDirectory.isDirectory()) { if (!keyDirectory.isDirectory()) {
System.err.println("error: " + optstr + " is not a directory"); fail("key directory " + optstr + " is not a directory");
usage();
} }
} }
if ((optstr = cli.getOptionValue('s')) != null) { try {
start = CLBase.convertDuration(null, optstr); optstr = cliOption("s", inceptionOptionKeys, null);
if (optstr != null) {
start = Utils.convertDuration(null, optstr);
} else { } else {
// default is now - 1 hour. // default is now - 1 hour.
start = Instant.now().minusSeconds(3600); start = Instant.now().minusSeconds(3600);
} }
} catch (java.text.ParseException e) {
fail("unable to parse start time specifiction: " + e);
}
if ((optstr = cli.getOptionValue('e')) != null) { try {
expire = CLBase.convertDuration(start, optstr); optstr = cliOption("e", expireOptionKeys, null);
if (optstr != null) {
expire = Utils.convertDuration(start, optstr);
} else { } else {
expire = CLBase.convertDuration(start, "+2592000"); // 30 days expire = Utils.convertDuration(start, "+2592000"); // 30 days
}
} catch (java.text.ParseException e) {
fail("missing zone file and/or key files");
} }
outputfile = cli.getOptionValue('f'); outputfile = cli.getOptionValue('f');
kskFiles = cli.getOptionValues('k'); kskFiles = cli.getOptionValues('k');
if ((optstr = cli.getOptionValue('I')) != null) { optstr = cliOption("S", nsec3SaltOptionKeys, null);
File includeNamesFile = new File(optstr); if (optstr != null) {
try {
includeNames = CLIState.getNameList(includeNamesFile);
} catch (IOException e) {
throw new ParseException(e.getMessage());
}
}
if ((optstr = cli.getOptionValue('S')) != null) {
salt = base16.fromString(optstr); salt = base16.fromString(optstr);
if (salt == null && !optstr.equals("-")) { if (salt == null && !optstr.equals("-")) {
System.err.println("error: salt is not valid hexidecimal."); fail("salt is not valid hexidecimal");
usage();
} }
} }
if ((optstr = cli.getOptionValue('R')) != null) { optstr = cliOption("R", randomSaltOptionKeys, null);
int length = parseInt(optstr, 0); if (optstr != null) {
int length = Utils.parseInt(optstr, 0);
if (length > 0 && length <= 255) { if (length > 0 && length <= 255) {
salt = new byte[length]; salt = new byte[length];
rand.nextBytes(salt); rand.nextBytes(salt);
} }
} }
if ((optstr = cli.getOptionValue("iterations")) != null) { iterations = cliIntOption("iterations", nsec3IterationsOptionKeys, 0);
iterations = parseInt(optstr, iterations); if (iterations > 150) {
if (iterations < 0 || iterations > 8388607) { log.warning("NSEC3 iterations value is too high for normal use: " + iterations
System.err.println("error: iterations value is invalid"); + " is greater than current accepted threshold of 150");
usage();
}
} }
if ((optstr = cli.getOptionValue("ds-digest")) != null) { optstr = cliOption("ds-digest", digestAlgOptionKeys, Integer.toString(digestId));
digestId = parseInt(optstr, -1); digestId = DNSSEC.Digest.value(optstr);
if (digestId < 0) {
System.err.println("error: DS digest ID is not a valid identifier");
usage();
}
}
if ((optstr = cli.getOptionValue("nsec3paramttl")) != null) { nsec3paramttl = cliIntOption("nsec3paramttl", nsec3paramTTLOptionKeys, -1);
nsec3paramttl = parseInt(optstr, -1);
optstr = cliOption("I", incudeNamesOptionKeys, null);
if (optstr != null) {
File includeNamesFile = new File(optstr);
try {
includeNames = getNameList(includeNamesFile);
} catch (IOException e) {
fail("unable to load include-names file: " + e);
}
} }
String[] files = cli.getArgs(); String[] files = cli.getArgs();
if (files.length < 1) { if (files.length < 1) {
System.err.println("error: missing zone file and/or key files"); fail("missing zone file and/or key files");
usage();
} }
zonefile = files[0]; zonefile = files[0];
@ -237,6 +228,20 @@ public class SignZone extends CLBase {
keyFiles = new String[files.length - 1]; keyFiles = new String[files.length - 1];
System.arraycopy(files, 1, keyFiles, 0, files.length - 1); System.arraycopy(files, 1, keyFiles, 0, files.length - 1);
} }
log.fine("SignZone settings => key_directory: " + keyDirectory +
", keyset_directory: " + keysetDirectory +
", start: " + start.getEpochSecond() +
", expire: " + expire.getEpochSecond() +
", verify_sigs: " + verifySigs +
", use_nsec3: " + useNsec3 +
", use_opt_out = " + useOptOut +
", salt: " + DnsKeyPair.toHex(salt) +
", iterations: " + iterations +
", nsec3param_ttl: " + nsec3paramttl +
", fully_sign_keyset: " + fullySignKeyset +
", digest_id: " + digestId +
", verbose_signing: " + verboseSigning);
} }
/** /**
@ -246,7 +251,7 @@ public class SignZone extends CLBase {
* names. * names.
* @return a list of {@link org.xbill.DNS.Name} objects. * @return a list of {@link org.xbill.DNS.Name} objects.
*/ */
private static List<Name> getNameList(File nameListFile) throws IOException { private List<Name> getNameList(File nameListFile) throws IOException {
try (BufferedReader br = new BufferedReader(new FileReader(nameListFile))) { try (BufferedReader br = new BufferedReader(new FileReader(nameListFile))) {
List<Name> res = new ArrayList<>(); List<Name> res = new ArrayList<>();
@ -260,14 +265,13 @@ public class SignZone extends CLBase {
res.add(n); res.add(n);
} catch (TextParseException e) { } catch (TextParseException e) {
staticLog.severe("DNS Name parsing error:" + e); log.severe("DNS Name parsing error:" + e);
} }
} }
return res; return res;
} }
} }
}
/** /**
* Verify the generated signatures. * Verify the generated signatures.
@ -276,7 +280,7 @@ public class SignZone extends CLBase {
* @param keypairs a list of keypairs used the sign the zone. * @param keypairs a list of keypairs used the sign the zone.
* @return true if all of the signatures validated. * @return true if all of the signatures validated.
*/ */
private static boolean verifyZoneSigs(List<Record> records, private boolean verifyZoneSigs(List<Record> records,
List<DnsKeyPair> keypairs, List<DnsKeyPair> kskpairs) { List<DnsKeyPair> keypairs, List<DnsKeyPair> kskpairs) {
boolean secure = true; boolean secure = true;
@ -302,7 +306,7 @@ public class SignZone extends CLBase {
if (!result) { if (!result) {
System.err.println("Signatures did not verify for RRset: " + rrset); System.err.println("Signatures did not verify for RRset: " + rrset);
staticLog.fine("Signatures did not verify for RRset: " + rrset); log.fine("Signatures did not verify for RRset: " + rrset);
secure = false; secure = false;
} }
} }
@ -321,7 +325,7 @@ public class SignZone extends CLBase {
* @param inDirectory the directory to look in (may be null). * @param inDirectory the directory to look in (may be null).
* @return a list of keypair objects. * @return a list of keypair objects.
*/ */
private static List<DnsKeyPair> getKeys(String[] keyfiles, int startIndex, private List<DnsKeyPair> getKeys(String[] keyfiles, int startIndex,
File inDirectory) throws IOException { File inDirectory) throws IOException {
if (keyfiles == null) if (keyfiles == null)
return new ArrayList<>(); return new ArrayList<>();
@ -342,7 +346,7 @@ public class SignZone extends CLBase {
return keys; return keys;
} }
private static List<DnsKeyPair> getKeys(List<Record> dnskeyrrs, File inDirectory) private List<DnsKeyPair> getKeys(List<Record> dnskeyrrs, File inDirectory)
throws IOException { throws IOException {
List<DnsKeyPair> res = new ArrayList<>(); List<DnsKeyPair> res = new ArrayList<>();
for (Record r : dnskeyrrs) { for (Record r : dnskeyrrs) {
@ -376,7 +380,7 @@ public class SignZone extends CLBase {
} }
} }
private static List<DnsKeyPair> findZoneKeys(File inDirectory, Name zonename) private List<DnsKeyPair> findZoneKeys(File inDirectory, Name zonename)
throws IOException { throws IOException {
if (inDirectory == null) { if (inDirectory == null) {
inDirectory = new File("."); inDirectory = new File(".");
@ -419,7 +423,7 @@ public class SignZone extends CLBase {
* keysets that do not belong in the zone. * keysets that do not belong in the zone.
* @return a list of {@link org.xbill.DNS.Record}s found in the keyset files. * @return a list of {@link org.xbill.DNS.Record}s found in the keyset files.
*/ */
private static List<Record> getKeysets(File inDirectory, Name zonename) private List<Record> getKeysets(File inDirectory, Name zonename)
throws IOException { throws IOException {
if (inDirectory == null) { if (inDirectory == null) {
inDirectory = new File("."); inDirectory = new File(".");
@ -470,38 +474,42 @@ public class SignZone extends CLBase {
} }
public void execute() throws Exception { public void execute() throws Exception {
// Do a basic existence check for the zonefile first.
if (!zonefile.equals("-")) {
File f = new File(zonefile);
if (!f.exists()) {
fail("zonefile '" + zonefile + "' does not exist");
}
}
// Read in the zone // Read in the zone
List<Record> records = ZoneUtils.readZoneFile(state.zonefile, null); List<Record> records = ZoneUtils.readZoneFile(zonefile, null);
if (records == null || records.isEmpty()) { if (records == null || records.isEmpty()) {
System.err.println("error: empty zone file"); fail("empty zone file");
state.usage();
return;
} }
// calculate the zone name. // calculate the zone name.
Name zonename = ZoneUtils.findZoneName(records); Name zonename = ZoneUtils.findZoneName(records);
if (zonename == null) { if (zonename == null) {
System.err.println("error: invalid zone file - no SOA"); fail("invalid zone file - no SOA");
state.usage();
return;
} }
// Load the key pairs. Note that getKeys() always returns an ArrayList, // Load the key pairs. Note that getKeys() always returns an ArrayList,
// which may be empty. // which may be empty.
List<DnsKeyPair> keypairs = getKeys(state.keyFiles, 0, state.keyDirectory); List<DnsKeyPair> keypairs = getKeys(keyFiles, 0, keyDirectory);
List<DnsKeyPair> kskpairs = getKeys(state.kskFiles, 0, state.keyDirectory); List<DnsKeyPair> kskpairs = getKeys(kskFiles, 0, keyDirectory);
// If we didn't get any keys on the command line, look at the zone apex for // If we didn't get any keys on the command line, look at the zone apex for
// any public keys. // any public keys.
if (keypairs.isEmpty()) { if (keypairs.isEmpty()) {
List<Record> dnskeys = ZoneUtils.findRRs(records, zonename, Type.DNSKEY); List<Record> dnskeys = ZoneUtils.findRRs(records, zonename, Type.DNSKEY);
keypairs = getKeys(dnskeys, state.keyDirectory); keypairs = getKeys(dnskeys, keyDirectory);
} }
// If we *still* don't have any key pairs, look for keys the key directory // If we *still* don't have any key pairs, look for keys the key directory
// that match // that match
if (keypairs.isEmpty()) { if (keypairs.isEmpty()) {
keypairs = findZoneKeys(state.keyDirectory, zonename); keypairs = findZoneKeys(keyDirectory, zonename);
} }
// If we don't have any KSKs, but we do have more than one zone // If we don't have any KSKs, but we do have more than one zone
@ -521,9 +529,7 @@ public class SignZone extends CLBase {
// If we have zero keypairs at all, we are stuck. // If we have zero keypairs at all, we are stuck.
if (keypairs.isEmpty() && kskpairs.isEmpty()) { if (keypairs.isEmpty() && kskpairs.isEmpty()) {
System.err.println("No zone signing keys could be determined."); fail("no zone signing keys could be determined");
state.usage();
return;
} }
// If we only have one type of key (all ZSKs or all KSKs), then these are // If we only have one type of key (all ZSKs or all KSKs), then these are
@ -552,19 +558,18 @@ public class SignZone extends CLBase {
} }
// default the output file, if not set. // default the output file, if not set.
if (state.outputfile == null && !state.zonefile.equals("-")) { if (outputfile == null && !zonefile.equals("-")) {
if (zonename.isAbsolute()) { if (zonename.isAbsolute()) {
state.outputfile = zonename + "signed"; outputfile = zonename + "signed";
} else { } else {
state.outputfile = zonename + ".signed"; outputfile = zonename + ".signed";
} }
} }
// Verify that the keys can be in the zone. // Verify that the keys can be in the zone.
if (!keyPairsValidForZone(zonename, keypairs) if (!keyPairsValidForZone(zonename, keypairs)
|| !keyPairsValidForZone(zonename, kskpairs)) { || !keyPairsValidForZone(zonename, kskpairs)) {
System.err.println("error: specified keypairs are not valid for the zone."); fail("specified keypairs are not valid for the zone.");
state.usage();
} }
// We force the signing keys to be in the zone by just appending // We force the signing keys to be in the zone by just appending
@ -582,34 +587,34 @@ public class SignZone extends CLBase {
} }
// read in the keysets, if any. // read in the keysets, if any.
List<Record> keysetrecs = getKeysets(state.keysetDirectory, zonename); List<Record> keysetrecs = getKeysets(keysetDirectory, zonename);
if (keysetrecs != null) { if (keysetrecs != null) {
records.addAll(keysetrecs); records.addAll(keysetrecs);
} }
JCEDnsSecSigner signer = new JCEDnsSecSigner(state.verboseSigning); JCEDnsSecSigner signer = new JCEDnsSecSigner(verboseSigning);
// Sign the zone. // Sign the zone.
List<Record> signedRecords; List<Record> signedRecords;
if (state.useNsec3) { if (useNsec3) {
signedRecords = signer.signZoneNSEC3(zonename, records, kskpairs, keypairs, signedRecords = signer.signZoneNSEC3(zonename, records, kskpairs, keypairs,
state.start, state.expire, start, expire,
state.fullySignKeyset, state.useOptOut, fullySignKeyset, useOptOut,
state.includeNames, state.salt, includeNames, salt,
state.iterations, state.digestId, iterations, digestId,
state.nsec3paramttl); nsec3paramttl);
} else { } else {
signedRecords = signer.signZone(zonename, records, kskpairs, keypairs, signedRecords = signer.signZone(zonename, records, kskpairs, keypairs,
state.start, state.expire, state.fullySignKeyset, start, expire, fullySignKeyset,
state.digestId); digestId);
} }
// write out the signed zone // write out the signed zone
ZoneUtils.writeZoneFile(signedRecords, state.outputfile); ZoneUtils.writeZoneFile(signedRecords, outputfile);
System.out.println("zone signing complete"); System.out.println("zone signing complete");
if (state.verifySigs) { if (verifySigs) {
log.fine("verifying generated signatures"); log.fine("verifying generated signatures");
boolean res = verifyZoneSigs(signedRecords, keypairs, kskpairs); boolean res = verifyZoneSigs(signedRecords, keypairs, kskpairs);
@ -622,9 +627,8 @@ public class SignZone extends CLBase {
} }
public static void main(String[] args) { public static void main(String[] args) {
SignZone tool = new SignZone(); SignZone tool = new SignZone("signzone", "jdnssec-signzone [..options..] zone_file [key_file ...]");
tool.state = new CLIState();
tool.run(tool.state, args); tool.run(args);
} }
} }

View File

@ -0,0 +1,103 @@
package com.verisignlabs.dnssec.cl;
import java.text.SimpleDateFormat;
import java.time.Instant;
import java.util.Date;
import java.util.TimeZone;
import com.verisignlabs.dnssec.security.DnsKeyAlgorithm;
public class Utils {
private Utils() {
}
/**
* Parse a string into an integer safely, using a default if the value does not
* parse cleanly
*
* @param s The string to parse
* @param def The default value
* @return either the parsed int or the default
*/
public static int parseInt(String s, int def) {
try {
return Integer.parseInt(s);
} catch (NumberFormatException e) {
return def;
}
}
/**
* Parse a string into a long safely, using a default if the value does not
* parse cleanly
*
* @param s The string to parse
* @param def The default value
* @return either the parsed long or the default
*/
public static long parseLong(String s, long def) {
try {
return Long.parseLong(s);
} catch (NumberFormatException e) {
return def;
}
}
/**
* Parse a DNSSEC algorithm number of mnemonic into the official algorithm number.
* @param s The arge value
* @return A DNSSEC algorithm number, or -1 if unrecognized.
*/
public static int parseAlg(String s) {
DnsKeyAlgorithm algs = DnsKeyAlgorithm.getInstance();
int alg = Utils.parseInt(s, -1);
if (alg > 0) {
if (algs.supportedAlgorithm(alg))
return alg;
return -1;
}
return algs.stringToAlgorithm(s);
}
/**
* Calculate a date/time from a command line time/offset duration string.
*
* @param start the start time to calculate offsets from.
* @param duration the time/offset string to parse.
* @return the calculated time.
*/
public static Instant convertDuration(Instant start, String duration) throws java.text.ParseException {
if (start == null) {
start = Instant.now();
}
if (duration.startsWith("now")) {
start = Instant.now();
if (duration.indexOf("+") < 0)
return start;
duration = duration.substring(3);
}
if (duration.startsWith("+")) {
long offset = parseLong(duration.substring(1), 0);
return start.plusSeconds(offset);
}
// This is a heuristic to distinguish UNIX epoch times from the zone file
// format standard (which is length == 14)
if (duration.length() <= 10) {
long epoch = parseLong(duration, 0);
return Instant.ofEpochSecond(epoch);
}
SimpleDateFormat dateFormatter = new SimpleDateFormat("yyyyMMddHHmmss");
dateFormatter.setTimeZone(TimeZone.getTimeZone("GMT"));
Date parsedDate = dateFormatter.parse(duration);
return parsedDate.toInstant();
}
}

View File

@ -20,10 +20,7 @@ package com.verisignlabs.dnssec.cl;
import java.time.Instant; import java.time.Instant;
import java.util.List; import java.util.List;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.Options;
import org.apache.commons.cli.Option; import org.apache.commons.cli.Option;
import org.apache.commons.cli.ParseException;
import org.xbill.DNS.Record; import org.xbill.DNS.Record;
import com.verisignlabs.dnssec.security.ZoneUtils; import com.verisignlabs.dnssec.security.ZoneUtils;
@ -35,28 +32,19 @@ import com.verisignlabs.dnssec.security.ZoneVerifier;
* @author David Blacka * @author David Blacka
*/ */
public class VerifyZone extends CLBase { public class VerifyZone extends CLBase {
private String zonefile = null;
private String[] keyfiles = null;
private int startfudge = 0;
private int expirefudge = 0;
private boolean ignoreTime = false;
private boolean ignoreDups = false;
private Instant currentTime = null;
private CLIState state; public VerifyZone(String name, String usageStr) {
super(name, usageStr);
/**
* This is a small inner class used to hold all of the command line option
* state.
*/
protected static class CLIState extends CLIStateBase {
public String zonefile = null;
public String[] keyfiles = null;
public int startfudge = 0;
public int expirefudge = 0;
public boolean ignoreTime = false;
public boolean ignoreDups = false;
public Instant currentTime = null;
public CLIState() {
super("jdnssec-verifyzone [..options..] zonefile");
} }
@Override protected void setupOptions() {
protected void setupOptions(Options opts) {
opts.addOption(Option.builder("S").hasArg().argName("seconds").longOpt("sig-start-fudge") opts.addOption(Option.builder("S").hasArg().argName("seconds").longOpt("sig-start-fudge")
.desc("'fudge' RRSIG inception ties by 'seconds'").build()); .desc("'fudge' RRSIG inception ties by 'seconds'").build());
opts.addOption(Option.builder("E").hasArg().argName("seconds").longOpt("sig-expire-fudge") opts.addOption(Option.builder("E").hasArg().argName("seconds").longOpt("sig-expire-fudge")
@ -69,46 +57,31 @@ public class VerifyZone extends CLBase {
opts.addOption(Option.builder().longOpt("ignore-duplicate-rrs").desc("Ignore duplicate record errors.").build()); opts.addOption(Option.builder().longOpt("ignore-duplicate-rrs").desc("Ignore duplicate record errors.").build());
} }
@Override protected void processOptions() {
protected void processOptions(CommandLine cli) { String[] ignoreTimeOptionKeys = { "ignore_time" };
if (cli.hasOption("ignore-time")) { String[] ignoreDuplicateOptionKeys = { "ingore_duplicate_rrs", "ignore_duplicates" };
ignoreTime = true; String[] startFudgeOptionKeys = { "start_fudge" };
} String[] expireFudgeOptionKeys = { "expire_fudge" };
String[] currentTimeOptionKeys = { "current_time" };
if (cli.hasOption("ignore-duplicate-rrs")) { ignoreTime = cliBooleanOption("ignore-time", ignoreTimeOptionKeys, false);
ignoreDups = true; ignoreDups = cliBooleanOption("ignore-duplicate-rrs", ignoreDuplicateOptionKeys, false);
} startfudge = cliIntOption("S", startFudgeOptionKeys, 0);
expirefudge = cliIntOption("E", expireFudgeOptionKeys, 0);
String optstr = null; String optstr = cliOption("t", currentTimeOptionKeys, null);
if ((optstr = cli.getOptionValue('S')) != null) { if (optstr != null) {
startfudge = parseInt(optstr, 0);
}
if ((optstr = cli.getOptionValue('E')) != null) {
expirefudge = parseInt(optstr, 0);
}
if ((optstr = cli.getOptionValue('t')) != null) {
try { try {
currentTime = convertDuration(null, optstr); currentTime = Utils.convertDuration(null, optstr);
} catch (ParseException e) { } catch (java.text.ParseException e) {
System.err.println("error: could not parse timespec"); fail("could not parse timespec");
usage();
}
}
String[] optstrs = null;
if ((optstrs = cli.getOptionValues('A')) != null) {
for (int i = 0; i < optstrs.length; i++) {
addArgAlias(optstrs[i]);
} }
} }
String[] args = cli.getArgs(); String[] args = cli.getArgs();
if (args.length < 1) { if (args.length < 1) {
System.err.println("error: missing zone file"); fail("missing zone file");
usage();
} }
zonefile = args[0]; zonefile = args[0];
@ -118,17 +91,16 @@ public class VerifyZone extends CLBase {
System.arraycopy(args, 1, keyfiles, 0, keyfiles.length); System.arraycopy(args, 1, keyfiles, 0, keyfiles.length);
} }
} }
}
public void execute() throws Exception { public void execute() throws Exception {
ZoneVerifier zoneverifier = new ZoneVerifier(); ZoneVerifier zoneverifier = new ZoneVerifier();
zoneverifier.getVerifier().setStartFudge(state.startfudge); zoneverifier.getVerifier().setStartFudge(startfudge);
zoneverifier.getVerifier().setExpireFudge(state.expirefudge); zoneverifier.getVerifier().setExpireFudge(expirefudge);
zoneverifier.getVerifier().setIgnoreTime(state.ignoreTime); zoneverifier.getVerifier().setIgnoreTime(ignoreTime);
zoneverifier.getVerifier().setCurrentTime(state.currentTime); zoneverifier.getVerifier().setCurrentTime(currentTime);
zoneverifier.setIgnoreDuplicateRRs(state.ignoreDups); zoneverifier.setIgnoreDuplicateRRs(ignoreDups);
List<Record> records = ZoneUtils.readZoneFile(state.zonefile, null); List<Record> records = ZoneUtils.readZoneFile(zonefile, null);
log.fine("verifying zone..."); log.fine("verifying zone...");
int errors = zoneverifier.verifyZone(records); int errors = zoneverifier.verifyZone(records);
@ -144,9 +116,8 @@ public class VerifyZone extends CLBase {
} }
public static void main(String[] args) { public static void main(String[] args) {
VerifyZone tool = new VerifyZone(); VerifyZone tool = new VerifyZone("verifyzone", "jdnssec-verifyzone [..options..] zonefile");
tool.state = new CLIState();
tool.run(tool.state, args); tool.run(args);
} }
} }

View File

@ -24,9 +24,6 @@ import java.util.Collections;
import java.util.HashMap; import java.util.HashMap;
import java.util.List; import java.util.List;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.Options;
import org.apache.commons.cli.ParseException;
import org.xbill.DNS.Master; import org.xbill.DNS.Master;
import org.xbill.DNS.NSEC3PARAMRecord; import org.xbill.DNS.NSEC3PARAMRecord;
import org.xbill.DNS.NSEC3Record; import org.xbill.DNS.NSEC3Record;
@ -45,43 +42,33 @@ import com.verisignlabs.dnssec.security.RecordComparator;
* @author David Blacka * @author David Blacka
*/ */
public class ZoneFormat extends CLBase { public class ZoneFormat extends CLBase {
private CLIState state; private String file;
private boolean assignNSEC3;
/** public ZoneFormat(String name, String usageStr) {
* This is a small inner class used to hold all of the command line option super(name, usageStr);
* state.
*/
protected static class CLIState extends CLIStateBase {
public String file;
public boolean assignNSEC3;
public CLIState() {
super("jdnssec-zoneformat [..options..] zonefile");
} }
@Override protected void setupOptions() {
protected void setupOptions(Options opts) {
opts.addOption("N", "nsec3", false, opts.addOption("N", "nsec3", false,
"attempt to determine the original ownernames for NSEC3 RRs."); "attempt to determine the original ownernames for NSEC3 RRs.");
} }
@Override protected void processOptions() {
protected void processOptions(CommandLine cli) throws ParseException { String[] assignNsec3OwnersOptionKeys = { "assign_nsec3_owners", "assign_owners" };
if (cli.hasOption('N'))
assignNSEC3 = true; assignNSEC3 = cliBooleanOption("N", assignNsec3OwnersOptionKeys, false);
String[] args = cli.getArgs(); String[] args = cli.getArgs();
if (args.length < 1) { if (args.length < 1) {
System.err.println("error: must specify a zone file"); fail("must specify a zone file");
usage();
} }
file = args[0]; file = args[0];
} }
}
private static List<Record> readZoneFile(String filename) throws IOException { private List<Record> readZoneFile(String filename) throws IOException {
try (Master master = new Master(filename)) { try (Master master = new Master(filename)) {
List<Record> res = new ArrayList<>(); List<Record> res = new ArrayList<>();
Record r = null; Record r = null;
@ -98,14 +85,14 @@ public class ZoneFormat extends CLBase {
} }
} }
private static void formatZone(List<Record> zone) { private void formatZone(List<Record> zone) {
for (Record r : zone) { for (Record r : zone) {
System.out.println(r.toString()); System.out.println(r.toString());
} }
} }
private static void determineNSEC3Owners(List<Record> zone) private void determineNSEC3Owners(List<Record> zone)
throws NoSuchAlgorithmException { throws NoSuchAlgorithmException {
// first, find the NSEC3PARAM record -- this is an inefficient linear // first, find the NSEC3PARAM record -- this is an inefficient linear
@ -173,11 +160,11 @@ public class ZoneFormat extends CLBase {
} }
public void execute() throws IOException, NoSuchAlgorithmException { public void execute() throws IOException, NoSuchAlgorithmException {
List<Record> z = readZoneFile(state.file); List<Record> z = readZoneFile(file);
// Put the zone into a consistent (name and RR type) order. // Put the zone into a consistent (name and RR type) order.
Collections.sort(z, new RecordComparator()); Collections.sort(z, new RecordComparator());
if (state.assignNSEC3) { if (assignNSEC3) {
determineNSEC3Owners(z); determineNSEC3Owners(z);
} else { } else {
formatZone(z); formatZone(z);
@ -185,10 +172,9 @@ public class ZoneFormat extends CLBase {
} }
public static void main(String[] args) { public static void main(String[] args) {
ZoneFormat tool = new ZoneFormat(); ZoneFormat tool = new ZoneFormat("zoneformat", "jdnssec-zoneformat [..options..] zonefile");
tool.state = new CLIState();
tool.run(tool.state, args); tool.run(args);
} }
} }

View File

@ -43,6 +43,7 @@ import java.security.spec.NamedParameterSpec;
import java.security.spec.PKCS8EncodedKeySpec; import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.RSAPrivateCrtKeySpec; import java.security.spec.RSAPrivateCrtKeySpec;
import java.util.StringTokenizer; import java.util.StringTokenizer;
import java.util.logging.Logger;
import javax.crypto.interfaces.DHPrivateKey; import javax.crypto.interfaces.DHPrivateKey;
import javax.crypto.interfaces.DHPublicKey; import javax.crypto.interfaces.DHPublicKey;
@ -68,6 +69,8 @@ public class DnsKeyConverter {
private KeyFactory mEdKeyFactory; private KeyFactory mEdKeyFactory;
private DnsKeyAlgorithm mAlgorithms; private DnsKeyAlgorithm mAlgorithms;
private Logger log = Logger.getLogger(this.getClass().toString());
public DnsKeyConverter() { public DnsKeyConverter() {
mAlgorithms = DnsKeyAlgorithm.getInstance(); mAlgorithms = DnsKeyAlgorithm.getInstance();
} }
@ -111,10 +114,16 @@ public class DnsKeyConverter {
public DNSKEYRecord generateDNSKEYRecord(Name name, int dclass, long ttl, public DNSKEYRecord generateDNSKEYRecord(Name name, int dclass, long ttl,
int flags, int alg, PublicKey key) { int flags, int alg, PublicKey key) {
try { try {
return new DNSKEYRecord(name, dclass, ttl, flags, DNSKEYRecord.Protocol.DNSSEC, alg, int origAlgorithm = mAlgorithms.originalAlgorithm(alg);
DNSKEYRecord keyrec = new DNSKEYRecord(name, dclass, ttl, flags, DNSKEYRecord.Protocol.DNSSEC, origAlgorithm,
key); key);
if (origAlgorithm == alg) {
return keyrec;
}
return new DNSKEYRecord(name, dclass, ttl, flags, DNSKEYRecord.Protocol.DNSSEC, alg, keyrec.getKey());
} catch (DNSSECException e) { } catch (DNSSECException e) {
// FIXME: this mimics the behavior of KEYConverter.buildRecord(), which would log.severe("Unable to generated a DNSKEYRecord: " + e);
// This mimics the behavior of KEYConverter.buildRecord(), which would
// return null if the algorithm was unknown. // return null if the algorithm was unknown.
return null; return null;
} }

View File

@ -178,7 +178,7 @@ public class SignUtils {
if (n.labels() != labels) { if (n.labels() != labels) {
n = n.wild(n.labels() - labels); n = n.wild(n.labels() - labels);
wildcardName = true; wildcardName = true;
log.fine("Detected wildcard expansion: " + rrset.getName() + " changed to " + n); log.finer("Detected wildcard expansion: " + rrset.getName() + " changed to " + n);
} }
// now convert the wire format records in the RRset into a // now convert the wire format records in the RRset into a
@ -1063,7 +1063,7 @@ public class SignUtils {
int ldiff = node.name.labels() - zonename.labels(); int ldiff = node.name.labels() - zonename.labels();
for (int i = 1; i < ldiff; i++) { for (int i = 1; i < ldiff; i++) {
Name n = new Name(node.name, i); Name n = new Name(node.name, i);
log.fine("Generating ENT NSEC3 for " + n); log.finer("Generating ENT NSEC3 for " + n);
ProtoNSEC3 nsec3 = generateNSEC3(n, zonename, node.ttl, salt, iterations, optIn, ProtoNSEC3 nsec3 = generateNSEC3(n, zonename, node.ttl, salt, iterations, optIn,
null); null);
nsec3s.add(nsec3); nsec3s.add(nsec3);
@ -1127,11 +1127,11 @@ public class SignUtils {
// check to see if cur is a duplicate (by name) // check to see if cur is a duplicate (by name)
if (prevNSEC3 != null if (prevNSEC3 != null
&& Arrays.equals(prevNSEC3.getOwner(), curNSEC3.getOwner())) { && Arrays.equals(prevNSEC3.getOwner(), curNSEC3.getOwner())) {
log.fine("found duplicate NSEC3 (by name) -- merging type maps: " log.finer("found duplicate NSEC3 (by name) -- merging type maps: "
+ prevNSEC3.getTypemap() + " and " + curNSEC3.getTypemap()); + prevNSEC3.getTypemap() + " and " + curNSEC3.getTypemap());
i.remove(); i.remove();
prevNSEC3.mergeTypes(curNSEC3.getTypemap()); prevNSEC3.mergeTypes(curNSEC3.getTypemap());
log.fine("merged type map: " + prevNSEC3.getTypemap()); log.finer("merged type map: " + prevNSEC3.getTypemap());
continue; continue;
} }