davidb/jdnssec-tools
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 1 Wiki Activity

sonarlint and formatting for the rest

Browse Source
This commit is contained in:
David Blacka 2024-03-29 22:19:58 -04:00
parent 15eb319b26
commit 1e342b1fb6
11 changed files with 149 additions and 191 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/main/java/com/verisignlabs/dnssec/cl/DSTool.java
View File

@ -71,7 +71,8 @@ public class DSTool extends CLBase {
protected void setupOptions(Options opts) { protected void setupOptions(Options opts) {
opts.addOption(Option.builder("D").longOpt("dlv").desc("Generate a DLV record instead.").build()); opts.addOption(Option.builder("D").longOpt("dlv").desc("Generate a DLV record instead.").build());
opts.addOption(Option.builder("C").longOpt("cds").desc("Generate a CDS record instead").build()); opts.addOption(Option.builder("C").longOpt("cds").desc("Generate a CDS record instead").build());
opts.addOption(Option.builder("d").hasArg().argName("id").longOpt("digest").desc("The digest algorithm to use").build()); opts.addOption(
Option.builder("d").hasArg().argName("id").longOpt("digest").desc("The digest algorithm to use").build());
opts.addOption(Option.builder("f").hasArg().argName("file").longOpt("output").desc("output to file").build()); opts.addOption(Option.builder("f").hasArg().argName("file").longOpt("output").desc("output to file").build());
} }
@ -120,7 +121,7 @@ public class DSTool extends CLBase {
log.fine("creating CDS."); log.fine("creating CDS.");
CDSRecord cds = new CDSRecord(ds.getName(), ds.getDClass(), ds.getTTL(), ds.getFootprint(), ds.getAlgorithm(), CDSRecord cds = new CDSRecord(ds.getName(), ds.getDClass(), ds.getTTL(), ds.getFootprint(), ds.getAlgorithm(),
ds.getDClass(), ds.getDigest()); ds.getDClass(), ds.getDigest());
res = cds; res = cds;
} }
if (state.outputfile != null && !state.outputfile.equals("-")) { if (state.outputfile != null && !state.outputfile.equals("-")) {

37
src/main/java/com/verisignlabs/dnssec/cl/SignKeyset.java
View File

@ -75,10 +75,14 @@ public class SignKeyset extends CLBase {
opts.addOption("a", "verify", false, "verify generated signatures>"); opts.addOption("a", "verify", false, "verify generated signatures>");
// Argument options // Argument options
opts.addOption(Option.builder("D").hasArg().argName("dir").longOpt("key-directory").desc("directory where key files are found (default '.').").build()); opts.addOption(Option.builder("D").hasArg().argName("dir").longOpt("key-directory")
opts.addOption(Option.builder("s").hasArg().argName("time/offset").longOpt("start-time").desc("signature starting time (default is now - 1 hour)").build()); .desc("directory where key files are found (default '.').").build());
opts.addOption(Option.builder("e").hasArg().argName("time/offset").longOpt("expire-time").desc("signature expiration time (default is start-time + 30 days)").build()); opts.addOption(Option.builder("s").hasArg().argName("time/offset").longOpt("start-time")
opts.addOption(Option.builder("f").hasArg().argName("outfile").desc("file the signed keyset is written to").build()); .desc("signature starting time (default is now - 1 hour)").build());
opts.addOption(Option.builder("e").hasArg().argName("time/offset").longOpt("expire-time")
.desc("signature expiration time (default is start-time + 30 days)").build());
opts.addOption(
Option.builder("f").hasArg().argName("outfile").desc("file the signed keyset is written to").build());
} }
@Override @Override
@ -130,10 +134,8 @@ public class SignKeyset extends CLBase {
/** /**
* Verify the generated signatures. * Verify the generated signatures.
* *
* @param records * @param records a list of {@link org.xbill.DNS.Record}s.
* a list of {@link org.xbill.DNS.Record}s. * @param keypairs a list of keypairs used the sign the zone.
* @param keypairs
* a list of keypairs used the sign the zone.
* @return true if all of the signatures validated. * @return true if all of the signatures validated.
*/ */
private static boolean verifySigs(List<Record> records, private static boolean verifySigs(List<Record> records,
@ -169,15 +171,12 @@ public class SignKeyset extends CLBase {
/** /**
* Load the key pairs from the key files. * Load the key pairs from the key files.
* *
* @param keyfiles * @param keyfiles a string array containing the base names or paths of the
* a string array containing the base names or paths of the * keys to be loaded.
* keys * @param startIndex the starting index of keyfiles string array to use. This
* to be loaded. * allows us to use the straight command line argument
* @param startIndex * array.
* the starting index of keyfiles string array to use. This * @param inDirectory the directory to look in (may be null).
* allows us to use the straight command line argument array.
* @param inDirectory
* the directory to look in (may be null).
* @return a list of keypair objects. * @return a list of keypair objects.
*/ */
private static List<DnsKeyPair> getKeys(String[] keyfiles, int startIndex, private static List<DnsKeyPair> getKeys(String[] keyfiles, int startIndex,
@ -244,8 +243,8 @@ public class SignKeyset extends CLBase {
} }
// Make sure that all records are DNSKEYs with the same name. // Make sure that all records are DNSKEYs with the same name.
Name keysetName = null; Name keysetName = null;
RRset keyset = new RRset(); RRset keyset = new RRset();
for (Record r : records) { for (Record r : records) {
if (r.getType() != Type.DNSKEY) { if (r.getType() != Type.DNSKEY) {

37
src/main/java/com/verisignlabs/dnssec/cl/SignRRset.java
View File

@ -55,14 +55,14 @@ public class SignRRset extends CLBase {
* This is an inner class used to hold all of the command line option state. * This is an inner class used to hold all of the command line option state.
*/ */
protected static class CLIState extends CLIStateBase { protected static class CLIState extends CLIStateBase {
private File keyDirectory = null; private File keyDirectory = null;
public String[] keyFiles = null; public String[] keyFiles = null;
public Instant start = null; public Instant start = null;
public Instant expire = null; public Instant expire = null;
public String inputfile = null; public String inputfile = null;
public String outputfile = null; public String outputfile = null;
public boolean verifySigs = false; public boolean verifySigs = false;
public boolean verboseSigning = false; public boolean verboseSigning = false;
public CLIState() { public CLIState() {
super("jdnssec-signrrset [..options..] rrset_file key_file [key_file ...]"); super("jdnssec-signrrset [..options..] rrset_file key_file [key_file ...]");
@ -137,10 +137,8 @@ public class SignRRset extends CLBase {
/** /**
* Verify the generated signatures. * Verify the generated signatures.
* *
* @param records * @param records a list of {@link org.xbill.DNS.Record}s.
* a list of {@link org.xbill.DNS.Record}s. * @param keypairs a list of keypairs used the sign the zone.
* @param keypairs
* a list of keypairs used the sign the zone.
* @return true if all of the signatures validated. * @return true if all of the signatures validated.
*/ */
private static boolean verifySigs(List<Record> records, List<DnsKeyPair> keypairs) { private static boolean verifySigs(List<Record> records, List<DnsKeyPair> keypairs) {
@ -176,15 +174,12 @@ public class SignRRset extends CLBase {
/** /**
* Load the key pairs from the key files. * Load the key pairs from the key files.
* *
* @param keyfiles * @param keyfiles a string array containing the base names or paths of the
* a string array containing the base names or paths of the * keys to be loaded.
* keys * @param startIndex the starting index of keyfiles string array to use. This
* to be loaded. * allows us to use the straight command line argument
* @param startIndex * array.
* the starting index of keyfiles string array to use. This * @param inDirectory the directory to look in (may be null).
* allows us to use the straight command line argument array.
* @param inDirectory
* the directory to look in (may be null).
* @return a list of keypair objects. * @return a list of keypair objects.
*/ */
private static List<DnsKeyPair> getKeys(String[] keyfiles, int startIndex, private static List<DnsKeyPair> getKeys(String[] keyfiles, int startIndex,

1
src/main/java/com/verisignlabs/dnssec/cl/ZoneFormat.java
View File

@ -100,7 +100,6 @@ public class ZoneFormat extends CLBase {
private static void formatZone(List<Record> zone) { private static void formatZone(List<Record> zone) {
for (Record r : zone) { for (Record r : zone) {
System.out.println(r.toString()); System.out.println(r.toString());
} }

84
src/main/java/com/verisignlabs/dnssec/security/BINDKeyUtils.java
View File

@ -107,17 +107,12 @@ public class BINDKeyUtils {
* Given the information necessary to construct the path to a BIND9 generated * Given the information necessary to construct the path to a BIND9 generated
* key pair, load the key pair. * key pair, load the key pair.
* *
* @param signer * @param signer the DNS name of the key.
* the DNS name of the key. * @param algorithm the DNSSEC algorithm of the key.
* @param algorithm * @param keyid the DNSSEC key footprint.
* the DNSSEC algorithm of the key. * @param inDirectory the directory to look for the files (may be null).
* @param keyid
* the DNSSEC key footprint.
* @param inDirectory
* the directory to look for the files (may be null).
* @return the loaded key pair. * @return the loaded key pair.
* @throws IOException * @throws IOException if there was a problem reading the BIND9 files.
* if there was a problem reading the BIND9 files.
*/ */
public static DnsKeyPair loadKeyPair(Name signer, int algorithm, int keyid, public static DnsKeyPair loadKeyPair(Name signer, int algorithm, int keyid,
File inDirectory) throws IOException { File inDirectory) throws IOException {
@ -129,16 +124,12 @@ public class BINDKeyUtils {
/** /**
* Given a base path to a BIND9 key pair, load the key pair. * Given a base path to a BIND9 key pair, load the key pair.
* *
* @param keyFileBasePath * @param keyFileBasePath the base filename (or real filename for either the
* the base filename (or real filename for either the * public or private key) of the key.
* public or * @param inDirectory the directory to look in, if the keyFileBasePath is
* private key) of the key.
* @param inDirectory
* the directory to look in, if the keyFileBasePath is
* relative. * relative.
* @return the loaded key pair. * @return the loaded key pair.
* @throws IOException * @throws IOException if there was a problem reading the files
* if there was a problem reading the files
*/ */
public static DnsKeyPair loadKeyPair(String keyFileBasePath, File inDirectory) public static DnsKeyPair loadKeyPair(String keyFileBasePath, File inDirectory)
throws IOException { throws IOException {
@ -163,15 +154,12 @@ public class BINDKeyUtils {
* Given a base path to a BIND9 key pair, load the public part (only) of the * Given a base path to a BIND9 key pair, load the public part (only) of the
* key pair * key pair
* *
* @param keyFileBasePath * @param keyFileBasePath the base or real path to the public part of a key
* the base or real path to the public part of a key
* pair. * pair.
* @param inDirectory * @param inDirectory the directory to look in if the path is relative
* the directory to look in if the path is relative (may * (may be null).
* be null).
* @return a {@link DnsKeyPair} containing just the public key information. * @return a {@link DnsKeyPair} containing just the public key information.
* @throws IOException * @throws IOException if there was a problem reading the public key file.
* if there was a problem reading the public key file.
*/ */
public static DnsKeyPair loadKey(String keyFileBasePath, File inDirectory) public static DnsKeyPair loadKey(String keyFileBasePath, File inDirectory)
throws IOException { throws IOException {
@ -191,15 +179,11 @@ public class BINDKeyUtils {
* "keyset-[signer]." where [signer] is the DNS owner name of the key. The * "keyset-[signer]." where [signer] is the DNS owner name of the key. The
* keyset may be signed, but doesn't have to be. * keyset may be signed, but doesn't have to be.
* *
* @param keysetFileName * @param keysetFileName the name of the keyset file.
* the name of the keyset file. * @param inDirectory the directory to look in if the path is relative (may
* @param inDirectory * be null, defaults to the current working directory).
* the directory to look in if the path is relative (may
* be null,
* defaults to the current working directory).
* @return a RRset contain the KEY records and any associated SIG records. * @return a RRset contain the KEY records and any associated SIG records.
* @throws IOException * @throws IOException if there was a problem reading the keyset file.
* if there was a problem reading the keyset file.
*/ */
public static RRset loadKeySet(String keysetFileName, File inDirectory) public static RRset loadKeySet(String keysetFileName, File inDirectory)
throws IOException { throws IOException {
@ -219,8 +203,8 @@ public class BINDKeyUtils {
/** /**
* Calculate the key file base for this key pair. * Calculate the key file base for this key pair.
* *
* @param pair * @param pair the {@link DnsKeyPair} to work from. It only needs a public
* the {@link DnsKeyPair} to work from. It only needs a public key. * key.
* @return the base name of the key files. * @return the base name of the key files.
*/ */
public static String keyFileBase(DnsKeyPair pair) { public static String keyFileBase(DnsKeyPair pair) {
@ -260,8 +244,7 @@ public class BINDKeyUtils {
* Given a the contents of a BIND9 private key file, convert it into a native * Given a the contents of a BIND9 private key file, convert it into a native
* {@link java.security.PrivateKey} object. * {@link java.security.PrivateKey} object.
* *
* @param privateKeyString * @param privateKeyString the contents of a BIND9 key file in string form.
* the contents of a BIND9 key file in string form.
* @return a {@link java.security.PrivateKey} * @return a {@link java.security.PrivateKey}
*/ */
public static PrivateKey convertPrivateKeyString(String privateKeyString) { public static PrivateKey convertPrivateKeyString(String privateKeyString) {
@ -284,10 +267,8 @@ public class BINDKeyUtils {
* Given a native private key, convert it into a BIND9 private key file * Given a native private key, convert it into a BIND9 private key file
* format. * format.
* *
* @param priv * @param priv the private key to convert.
* the private key to convert. * @param pub the private key's corresponding public key. Some algorithms
* @param pub
* the private key's corresponding public key. Some algorithms
* require information from both. * require information from both.
* @return a string containing the contents of a BIND9 private key file. * @return a string containing the contents of a BIND9 private key file.
*/ */
@ -328,16 +309,11 @@ public class BINDKeyUtils {
/** /**
* This routine will write out the BIND9 dnssec-* tool compatible files. * This routine will write out the BIND9 dnssec-* tool compatible files.
* *
* @param baseFileName * @param baseFileName use this base file name. If null, the standard BIND9
* use this base file name. If null, the standard BIND9 base * base file name will be computed.
* file * @param pair the keypair in question.
* name will be computed. * @param inDirectory the directory to write to (may be null).
* @param pair * @throws IOException if there is a problem writing the files.
* the keypair in question.
* @param inDirectory
* the directory to write to (may be null).
* @throws IOException
* if there is a problem writing the files.
*/ */
public static void writeKeyFiles(String baseFileName, DnsKeyPair pair, public static void writeKeyFiles(String baseFileName, DnsKeyPair pair,
File inDirectory) throws IOException { File inDirectory) throws IOException {
@ -370,10 +346,8 @@ public class BINDKeyUtils {
* This routine will write out the BIND9 dnssec-* tool compatible files to the * This routine will write out the BIND9 dnssec-* tool compatible files to the
* standard file names. * standard file names.
* *
* @param pair * @param pair the key pair in question.
* the key pair in question. * @param inDirectory the directory to write to (may be null).
* @param inDirectory
* the directory to write to (may be null).
*/ */
public static void writeKeyFiles(DnsKeyPair pair, File inDirectory) public static void writeKeyFiles(DnsKeyPair pair, File inDirectory)
throws IOException { throws IOException {

2
src/main/java/com/verisignlabs/dnssec/security/ByteArrayComparator.java
View File

@ -27,7 +27,7 @@ import java.util.logging.Logger;
* @author David Blacka * @author David Blacka
*/ */
public class ByteArrayComparator implements Comparator<byte[]> { public class ByteArrayComparator implements Comparator<byte[]> {
private int mOffset = 0; private int mOffset = 0;
private boolean mDebug = false; private boolean mDebug = false;
private Logger log; private Logger log;

62
src/main/java/com/verisignlabs/dnssec/security/DnsKeyAlgorithm.java
View File

@ -279,19 +279,19 @@ public class DnsKeyAlgorithm {
mIdToMnemonicMap.computeIfAbsent(alg, k -> m); mIdToMnemonicMap.computeIfAbsent(alg, k -> m);
} }
public void addAlias(int alias, String mnemonic, int original_algorithm) { public void addAlias(int alias, String mnemonic, int origAlgorithm) {
if (mAlgorithmMap.containsKey(alias)) { if (mAlgorithmMap.containsKey(alias)) {
log.warning("Unable to alias algorithm " + alias + " because it already exists."); log.warning("Unable to alias algorithm " + alias + " because it already exists.");
return; return;
} }
if (!mAlgorithmMap.containsKey(original_algorithm)) { if (!mAlgorithmMap.containsKey(origAlgorithm)) {
log.warning("Unable to alias algorithm " + alias log.warning("Unable to alias algorithm " + alias
+ " to unknown algorithm identifier " + original_algorithm); + " to unknown algorithm identifier " + origAlgorithm);
return; return;
} }
mAlgorithmMap.put(alias, mAlgorithmMap.get(original_algorithm)); mAlgorithmMap.put(alias, mAlgorithmMap.get(origAlgorithm));
if (mnemonic != null) { if (mnemonic != null) {
addMnemonic(mnemonic, alias); addMnemonic(mnemonic, alias);
@ -325,8 +325,8 @@ public class DnsKeyAlgorithm {
private ECParameterSpec ECSpecFromName(String stdName) { private ECParameterSpec ECSpecFromName(String stdName) {
try { try {
AlgorithmParameters ap = AlgorithmParameters.getInstance("EC"); AlgorithmParameters ap = AlgorithmParameters.getInstance("EC");
ECGenParameterSpec ecg_spec = new ECGenParameterSpec(stdName); ECGenParameterSpec ecgSpec = new ECGenParameterSpec(stdName);
ap.init(ecg_spec); ap.init(ecgSpec);
return ap.getParameterSpec(ECParameterSpec.class); return ap.getParameterSpec(ECParameterSpec.class);
} catch (NoSuchAlgorithmException e) { } catch (NoSuchAlgorithmException e) {
log.info("Elliptic Curve not supported by any crypto provider: " + e.getMessage()); log.info("Elliptic Curve not supported by any crypto provider: " + e.getMessage());
@ -343,12 +343,7 @@ public class DnsKeyAlgorithm {
if (spec != null) if (spec != null)
return spec; return spec;
throw new InvalidParameterSpecException("Edwards Curve " + stdName + " not found."); throw new InvalidParameterSpecException("Edwards Curve " + stdName + " not found.");
} } catch (InvalidParameterSpecException e) {
// catch (NoSuchAlgorithmException e) {
// log.info("Edwards Curve not supported by any crypto provider: " +
// e.getMessage());
// }
catch (InvalidParameterSpecException e) {
log.info("Edwards Curve " + stdName + " not supported"); log.info("Edwards Curve " + stdName + " not supported");
} }
return null; return null;
@ -391,11 +386,10 @@ public class DnsKeyAlgorithm {
} }
/** /**
* Given one of the ECDSA algorithms (ECDSAP256SHA256, etc.) return * Given one of the ECDSA algorithms (ECDSAP256SHA256, etc.) return the
* the elliptic curve parameters. * elliptic curve parameters.
* *
* @param algorithm * @param algorithm The DNSSEC algorithm number.
* The DNSSEC algorithm number.
* @return The calculated JCA ECParameterSpec for that DNSSEC algorithm, or * @return The calculated JCA ECParameterSpec for that DNSSEC algorithm, or
* null if not a recognized/supported EC algorithm. * null if not a recognized/supported EC algorithm.
*/ */
@ -405,19 +399,18 @@ public class DnsKeyAlgorithm {
return null; return null;
if (!(entry instanceof ECAlgEntry)) if (!(entry instanceof ECAlgEntry))
return null; return null;
ECAlgEntry ec_entry = (ECAlgEntry) entry; ECAlgEntry ecEntry = (ECAlgEntry) entry;
return ec_entry.ecSpec; return ecEntry.ecSpec;
} }
/** /**
* Given one of the EdDSA algorithms (Ed25519, Ed448) return the * Given one of the EdDSA algorithms (Ed25519, Ed448) return the elliptic
* elliptic curve parameters. * curve parameters.
* *
* @param algorithm * @param algorithm The DNSSEC algorithm number.
* The DNSSEC algorithm number. * @return The stored EdDSAParameterSpec for that algorithm, or null if not a
* @return The stored EdDSAParameterSpec for that algorithm, or * recognized/supported EdDSA algorithm.
* null if not a recognized/supported EdDSA algorithm.
*/ */
public EdDSAParameterSpec getEdwardsCurveParams(int algorithm) { public EdDSAParameterSpec getEdwardsCurveParams(int algorithm) {
AlgEntry entry = getEntry(algorithm); AlgEntry entry = getEntry(algorithm);
@ -425,17 +418,16 @@ public class DnsKeyAlgorithm {
return null; return null;
if (!(entry instanceof EdAlgEntry)) if (!(entry instanceof EdAlgEntry))
return null; return null;
EdAlgEntry ed_entry = (EdAlgEntry) entry; EdAlgEntry edEntry = (EdAlgEntry) entry;
return ed_entry.edSpec; return edEntry.edSpec;
} }
/** /**
* Translate a possible algorithm alias back to the original DNSSEC algorithm * Translate a possible algorithm alias back to the original DNSSEC algorithm
* number * number
* *
* @param algorithm * @param algorithm a DNSSEC algorithm that may be an alias.
* a DNSSEC algorithm that may be an alias.
* @return -1 if the algorithm isn't recognised, the orignal algorithm number * @return -1 if the algorithm isn't recognised, the orignal algorithm number
* if it is. * if it is.
*/ */
@ -461,8 +453,7 @@ public class DnsKeyAlgorithm {
* Given an algorithm mnemonic, convert the mnemonic to a DNSSEC algorithm * Given an algorithm mnemonic, convert the mnemonic to a DNSSEC algorithm
* number. * number.
* *
* @param s * @param s The mnemonic string. This is case-insensitive.
* The mnemonic string. This is case-insensitive.
* @return -1 if the mnemonic isn't recognized or supported, the algorithm * @return -1 if the mnemonic isn't recognized or supported, the algorithm
* number if it is. * number if it is.
*/ */
@ -476,8 +467,7 @@ public class DnsKeyAlgorithm {
/** /**
* Given a DNSSEC algorithm number, return the "preferred" mnemonic. * Given a DNSSEC algorithm number, return the "preferred" mnemonic.
* *
* @param algorithm * @param algorithm A DNSSEC algorithm number.
* A DNSSEC algorithm number.
* @return The preferred mnemonic string, or null if not supported or * @return The preferred mnemonic string, or null if not supported or
* recognized. * recognized.
*/ */
@ -505,14 +495,14 @@ public class DnsKeyAlgorithm {
mRSAKeyGenerator = KeyPairGenerator.getInstance("RSA"); mRSAKeyGenerator = KeyPairGenerator.getInstance("RSA");
} }
RSAKeyGenParameterSpec rsa_spec; RSAKeyGenParameterSpec rsaSpec;
if (useLargeExp) { if (useLargeExp) {
rsa_spec = new RSAKeyGenParameterSpec(keysize, RSAKeyGenParameterSpec.F4); rsaSpec = new RSAKeyGenParameterSpec(keysize, RSAKeyGenParameterSpec.F4);
} else { } else {
rsa_spec = new RSAKeyGenParameterSpec(keysize, RSAKeyGenParameterSpec.F0); rsaSpec = new RSAKeyGenParameterSpec(keysize, RSAKeyGenParameterSpec.F0);
} }
try { try {
mRSAKeyGenerator.initialize(rsa_spec); mRSAKeyGenerator.initialize(rsaSpec);
} catch (InvalidAlgorithmParameterException e) { } catch (InvalidAlgorithmParameterException e) {
// Fold the InvalidAlgorithmParameterException into our existing // Fold the InvalidAlgorithmParameterException into our existing
// thrown exception. Ugly, but requires less code change. // thrown exception. Ugly, but requires less code change.

67
src/main/java/com/verisignlabs/dnssec/security/DnsKeyConverter.java
View File

@ -154,10 +154,10 @@ public class DnsKeyConverter {
private DNSKEYRecord generateEdDSADNSKEYRecord(Name name, int dclass, long ttl, private DNSKEYRecord generateEdDSADNSKEYRecord(Name name, int dclass, long ttl,
int flags, int alg, PublicKey key) { int flags, int alg, PublicKey key) {
EdDSAPublicKey ed_key = (EdDSAPublicKey) key; EdDSAPublicKey edKey = (EdDSAPublicKey) key;
byte[] key_data = ed_key.getAbyte(); byte[] keyData = edKey.getAbyte();
return new DNSKEYRecord(name, dclass, ttl, flags, DNSKEYRecord.Protocol.DNSSEC, alg, return new DNSKEYRecord(name, dclass, ttl, flags, DNSKEYRecord.Protocol.DNSSEC, alg,
key_data); keyData);
} }
// Private Key Specific Parsing routines // Private Key Specific Parsing routines
@ -272,12 +272,12 @@ public class DnsKeyConverter {
private PrivateKey parsePrivateRSA(StringTokenizer lines) private PrivateKey parsePrivateRSA(StringTokenizer lines)
throws NoSuchAlgorithmException { throws NoSuchAlgorithmException {
BigInteger modulus = null; BigInteger modulus = null;
BigInteger public_exponent = null; BigInteger publicExponent = null;
BigInteger private_exponent = null; BigInteger privateExponent = null;
BigInteger prime_p = null; BigInteger primeP = null;
BigInteger prime_q = null; BigInteger primeQ = null;
BigInteger prime_p_exponent = null; BigInteger primePExponent = null;
BigInteger prime_q_exponent = null; BigInteger primeQExponent = null;
BigInteger coefficient = null; BigInteger coefficient = null;
while (lines.hasMoreTokens()) { while (lines.hasMoreTokens()) {
@ -296,33 +296,28 @@ public class DnsKeyConverter {
if (line.startsWith("Modulus: ")) { if (line.startsWith("Modulus: ")) {
modulus = new BigInteger(1, data); modulus = new BigInteger(1, data);
// printBigIntCompare(data, modulus);
} else if (line.startsWith("PublicExponent: ")) { } else if (line.startsWith("PublicExponent: ")) {
public_exponent = new BigInteger(1, data); publicExponent = new BigInteger(1, data);
// printBigIntCompare(data, public_exponent);
} else if (line.startsWith("PrivateExponent: ")) { } else if (line.startsWith("PrivateExponent: ")) {
private_exponent = new BigInteger(1, data); privateExponent = new BigInteger(1, data);
// printBigIntCompare(data, private_exponent);
} else if (line.startsWith("Prime1: ")) { } else if (line.startsWith("Prime1: ")) {
prime_p = new BigInteger(1, data); primeP = new BigInteger(1, data);
// printBigIntCompare(data, prime_p);
} else if (line.startsWith("Prime2: ")) { } else if (line.startsWith("Prime2: ")) {
prime_q = new BigInteger(1, data); primeQ = new BigInteger(1, data);
// printBigIntCompare(data, prime_q);
} else if (line.startsWith("Exponent1: ")) { } else if (line.startsWith("Exponent1: ")) {
prime_p_exponent = new BigInteger(1, data); primePExponent = new BigInteger(1, data);
} else if (line.startsWith("Exponent2: ")) { } else if (line.startsWith("Exponent2: ")) {
prime_q_exponent = new BigInteger(1, data); primeQExponent = new BigInteger(1, data);
} else if (line.startsWith("Coefficient: ")) { } else if (line.startsWith("Coefficient: ")) {
coefficient = new BigInteger(1, data); coefficient = new BigInteger(1, data);
} }
} }
try { try {
KeySpec spec = new RSAPrivateCrtKeySpec(modulus, public_exponent, KeySpec spec = new RSAPrivateCrtKeySpec(modulus, publicExponent,
private_exponent, prime_p, privateExponent, primeP,
prime_q, prime_p_exponent, primeQ, primePExponent,
prime_q_exponent, coefficient); primeQExponent, coefficient);
if (mRSAKeyFactory == null) { if (mRSAKeyFactory == null) {
mRSAKeyFactory = KeyFactory.getInstance("RSA"); mRSAKeyFactory = KeyFactory.getInstance("RSA");
} }
@ -466,13 +461,13 @@ public class DnsKeyConverter {
if (mECKeyFactory == null) { if (mECKeyFactory == null) {
mECKeyFactory = KeyFactory.getInstance("EC"); mECKeyFactory = KeyFactory.getInstance("EC");
} }
ECParameterSpec ec_spec = mAlgorithms.getEllipticCurveParams(algorithm); ECParameterSpec ecSpec = mAlgorithms.getEllipticCurveParams(algorithm);
if (ec_spec == null) { if (ecSpec == null) {
throw new NoSuchAlgorithmException("DNSSEC algorithm " + algorithm + throw new NoSuchAlgorithmException("DNSSEC algorithm " + algorithm +
" is not a recognized Elliptic Curve algorithm"); " is not a recognized Elliptic Curve algorithm");
} }
KeySpec spec = new ECPrivateKeySpec(s, ec_spec); KeySpec spec = new ECPrivateKeySpec(s, ecSpec);
try { try {
return mECKeyFactory.generatePrivate(spec); return mECKeyFactory.generatePrivate(spec);
@ -516,13 +511,13 @@ public class DnsKeyConverter {
if (mEdKeyFactory == null) { if (mEdKeyFactory == null) {
mEdKeyFactory = KeyFactory.getInstance("EdDSA"); mEdKeyFactory = KeyFactory.getInstance("EdDSA");
} }
EdDSAParameterSpec ed_spec = mAlgorithms.getEdwardsCurveParams(algorithm); EdDSAParameterSpec edSpec = mAlgorithms.getEdwardsCurveParams(algorithm);
if (ed_spec == null) { if (edSpec == null) {
throw new NoSuchAlgorithmException("DNSSEC algorithm " + algorithm + throw new NoSuchAlgorithmException("DNSSEC algorithm " + algorithm +
" is not a recognized Edwards Curve algorithm"); " is not a recognized Edwards Curve algorithm");
} }
KeySpec spec = new EdDSAPrivateKeySpec(seed, ed_spec); KeySpec spec = new EdDSAPrivateKeySpec(seed, edSpec);
try { try {
return mEdKeyFactory.generatePrivate(spec); return mEdKeyFactory.generatePrivate(spec);
@ -556,16 +551,16 @@ public class DnsKeyConverter {
* Convert from 'unsigned' big integer to original 'signed format' in Base64 * Convert from 'unsigned' big integer to original 'signed format' in Base64
*/ */
private static String b64BigInt(BigInteger i) { private static String b64BigInt(BigInteger i) {
byte[] orig_bytes = i.toByteArray(); byte[] origBytes = i.toByteArray();
if (orig_bytes[0] != 0 || orig_bytes.length == 1) { if (origBytes[0] != 0 || origBytes.length == 1) {
return base64.toString(orig_bytes); return base64.toString(origBytes);
} }
byte[] signed_bytes = new byte[orig_bytes.length - 1]; byte[] signedBytes = new byte[origBytes.length - 1];
System.arraycopy(orig_bytes, 1, signed_bytes, 0, signed_bytes.length); System.arraycopy(origBytes, 1, signedBytes, 0, signedBytes.length);
return base64.toString(signed_bytes); return base64.toString(signedBytes);
} }
/** /**

12
src/main/java/com/verisignlabs/dnssec/security/DnsKeyPair.java
View File

@ -264,7 +264,8 @@ public class DnsKeyPair {
* @throws NoSuchAlgorithmException * @throws NoSuchAlgorithmException
*/ */
public Signature getVerifier() { public Signature getVerifier() {
if (mVerifier != null) return mVerifier; if (mVerifier != null)
return mVerifier;
mVerifier = getSignature(); mVerifier = getSignature();
PublicKey pk = getPublic(); PublicKey pk = getPublic();
@ -330,15 +331,16 @@ public class DnsKeyPair {
return -1; return -1;
} }
// This is from a StackOverflow answer. There are number of bytes-to-hex // This is from a StackOverflow answer. There are number of bytes-to-hex
// converters in the ecosystem, but this avoid extra dependencies // converters in the ecosystem, but this avoid extra dependencies
private static final byte[] HEX_ARRAY = "0123456789ABCDEF".getBytes(StandardCharsets.US_ASCII); private static final byte[] HEX_ARRAY = "0123456789ABCDEF".getBytes(StandardCharsets.US_ASCII);
public static String toHex(byte[] bytes) { public static String toHex(byte[] bytes) {
byte[] hexChars = new byte[bytes.length * 2]; byte[] hexChars = new byte[bytes.length * 2];
for (int j = 0; j < bytes.length; j++) { for (int j = 0; j < bytes.length; j++) {
int v = bytes[j] & 0xFF; int v = bytes[j] & 0xFF;
hexChars[j * 2] = HEX_ARRAY[v >>> 4]; hexChars[j * 2] = HEX_ARRAY[v >>> 4];
hexChars[j * 2 + 1] = HEX_ARRAY[v & 0x0F]; hexChars[j * 2 + 1] = HEX_ARRAY[v & 0x0F];
} }
return new String(hexChars, StandardCharsets.UTF_8); return new String(hexChars, StandardCharsets.UTF_8);
} }

17
src/main/java/com/verisignlabs/dnssec/security/ZoneVerifier.java
View File

@ -88,10 +88,12 @@ public class ZoneVerifier {
public boolean equals(Object o) { public boolean equals(Object o) {
return super.equals(o); return super.equals(o);
} }
@Override @Override
public int hashCode() { public int hashCode() {
return super.hashCode(); return super.hashCode();
} }
boolean getMark() { boolean getMark() {
return mIsMarked; return mIsMarked;
} }
@ -148,7 +150,8 @@ public class ZoneVerifier {
/** /**
* Add a record to the various maps. * Add a record to the various maps.
* *
* @return true if the RR was added, false if it wasn't (because it was a duplicate) * @return true if the RR was added, false if it wasn't (because it was a
* duplicate)
*/ */
private boolean addRR(Record r) { private boolean addRR(Record r) {
Name n = r.getName(); Name n = r.getName();
@ -206,7 +209,7 @@ public class ZoneVerifier {
* Given an unsorted list of records, load the node and rrset maps, as well as * Given an unsorted list of records, load the node and rrset maps, as well as
* determine the NSEC3 parameters and signing type. * determine the NSEC3 parameters and signing type.
* *
* @param records * @param records an unsorted list of {@link org.xbill.DNS.Record} objects.
* @return the number of errors encountered. * @return the number of errors encountered.
*/ */
private int calculateNodes(List<Record> records) { private int calculateNodes(List<Record> records) {
@ -251,7 +254,7 @@ public class ZoneVerifier {
* Given a name, typeset, and name of the last zone cut, determine the node * Given a name, typeset, and name of the last zone cut, determine the node
* type. * type.
*/ */
private NodeType determineNodeType(Name n, Set<Integer> typeset, Name last_cut) { private NodeType determineNodeType(Name n, Set<Integer> typeset, Name lastCut) {
// All RRs at the zone apex are normal // All RRs at the zone apex are normal
if (n.equals(mZoneName)) if (n.equals(mZoneName))
return NodeType.NORMAL; return NodeType.NORMAL;
@ -263,7 +266,7 @@ public class ZoneVerifier {
} }
// If the node is below a zone cut (either a delegation or DNAME), it is // If the node is below a zone cut (either a delegation or DNAME), it is
// glue. // glue.
if (last_cut != null && n.subdomain(last_cut) && !n.equals(last_cut)) { if (lastCut != null && n.subdomain(lastCut) && !n.equals(lastCut)) {
return NodeType.GLUE; return NodeType.GLUE;
} }
@ -294,13 +297,13 @@ public class ZoneVerifier {
*/ */
private int processNodes() throws NoSuchAlgorithmException, TextParseException { private int processNodes() throws NoSuchAlgorithmException, TextParseException {
int errors = 0; int errors = 0;
Name last_cut = null; Name lastCut = null;
for (Map.Entry<Name, Set<Integer>> entry : mNodeMap.entrySet()) { for (Map.Entry<Name, Set<Integer>> entry : mNodeMap.entrySet()) {
Name n = entry.getKey(); Name n = entry.getKey();
Set<Integer> typeset = entry.getValue(); Set<Integer> typeset = entry.getValue();
NodeType ntype = determineNodeType(n, typeset, last_cut); NodeType ntype = determineNodeType(n, typeset, lastCut);
log.finest("Node " + n + " is type " + ntype); log.finest("Node " + n + " is type " + ntype);
// we can ignore glue/invalid RRs. // we can ignore glue/invalid RRs.
@ -309,7 +312,7 @@ public class ZoneVerifier {
// record the last zone cut if this node is a zone cut. // record the last zone cut if this node is a zone cut.
if (ntype == NodeType.DELEGATION || typeset.contains(Type.DNAME)) { if (ntype == NodeType.DELEGATION || typeset.contains(Type.DNAME)) {
last_cut = n; lastCut = n;
} }
// check all of the RRsets that should be signed // check all of the RRsets that should be signed