canonicalRRs = new ArrayList<>();
for (Record r : rrset.rrs()) {
if (r.getTTL() != ttl || wildcardName) {
// If necessary, we need to create a new record with a new ttl
@@ -205,8 +192,8 @@ public class SignUtils {
// response.
r = Record.newRecord(n, r.getType(), r.getDClass(), ttl, r.rdataToWireCanonical());
}
- byte[] wire_fmt = r.toWireCanonical();
- canonical_rrs.add(wire_fmt);
+ byte[] wireFmt = r.toWireCanonical();
+ canonicalRRs.add(wireFmt);
}
// put the records into the correct ordering.
@@ -216,9 +203,9 @@ public class SignUtils {
int offset = rrset.getName().toWireCanonical().length + 10;
ByteArrayComparator bac = new ByteArrayComparator(offset, false);
- Collections.sort(canonical_rrs, bac);
+ Collections.sort(canonicalRRs, bac);
- for (byte[] wire_fmt_rec : canonical_rrs) {
+ for (byte[] wire_fmt_rec : canonicalRRs) {
image.writeByteArray(wire_fmt_rec);
}
@@ -228,44 +215,38 @@ public class SignUtils {
/**
* Given an RRset and the prototype signature, generate the canonical data
* that is to be signed.
- *
- * @param rrset
- * the RRset to be signed.
- * @param presig
- * a prototype SIG RR created using the same RRset.
+ *
+ * @param rrset the RRset to be signed.
+ * @param presig a prototype SIG RR created using the same RRset.
* @return a block of data ready to be signed.
*/
public static byte[] generateSigData(RRset rrset, RRSIGRecord presig)
throws IOException {
- byte[] rrset_data = generateCanonicalRRsetData(rrset, presig.getOrigTTL(),
+ byte[] rrsetData = generateCanonicalRRsetData(rrset, presig.getOrigTTL(),
presig.getLabels());
- return generateSigData(rrset_data, presig);
+ return generateSigData(rrsetData, presig);
}
/**
* Given an RRset and the prototype signature, generate the canonical data
* that is to be signed.
- *
- * @param rrset_data
- * the RRset converted into canonical wire line format (as per
- * the
- * canonicalization rules in RFC 2535).
- * @param presig
- * the prototype signature based on the same RRset represented
- * in
- * rrset_data
.
+ *
+ * @param rrsetData the RRset converted into canonical wire line format (as
+ * per the canonicalization rules in RFC 2535).
+ * @param presig the prototype signature based on the same RRset represented
+ * in rrset_data
.
* @return a block of data ready to be signed.
*/
- public static byte[] generateSigData(byte[] rrset_data, RRSIGRecord presig)
+ public static byte[] generateSigData(byte[] rrsetData, RRSIGRecord presig)
throws IOException {
- byte[] sig_rdata = generatePreSigRdata(presig);
+ byte[] sigRdata = generatePreSigRdata(presig);
- ByteArrayOutputStream image = new ByteArrayOutputStream(sig_rdata.length
- + rrset_data.length);
+ ByteArrayOutputStream image = new ByteArrayOutputStream(sigRdata.length
+ + rrsetData.length);
- image.write(sig_rdata);
- image.write(rrset_data);
+ image.write(sigRdata);
+ image.write(rrsetData);
return image.toByteArray();
}
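Review bot: The Javadoc for `generateSigData(byte[] rrsetData, RRSIGRecord presig)` still ends with "represented in rrset_data" although the parameter is now `rrsetData`; reword it to `in {@code rrsetData}`. The rename left the same kind of stale reference in later hunks: the `(r_pad is negative here, remember?)` and `(s_pad is negative here)` comments in convertDSASignature, "maintain the last_cut parameter" in the recordSecType Javadoc, and "move current_node to last_node" in both NSEC3 generators. Updating them in this commit keeps the comments searchable by the new names.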
@@ -273,11 +254,9 @@ public class SignUtils {
/**
* Given the actual signature and the prototype signature, combine them and
* return the fully formed RRSIGRecord.
- *
- * @param signature
- * the cryptographic signature, in DNSSEC format.
- * @param presig
- * the prototype RRSIG RR to add the signature to.
+ *
+ * @param signature the cryptographic signature, in DNSSEC format.
+ * @param presig the prototype RRSIG RR to add the signature to.
* @return the fully formed RRSIG RR.
*/
public static RRSIGRecord generateRRSIG(byte[] signature, RRSIGRecord presig) {
@@ -291,61 +270,58 @@ public class SignUtils {
/**
* Converts from a RFC 2536 formatted DSA signature to a JCE (ASN.1) formatted
* signature.
- *
+ *
*
* ASN.1 format = ASN1_SEQ . seq_length . ASN1_INT . Rlength . R . ANS1_INT .
* Slength . S
*
- *
+ *
* The integers R and S may have a leading null byte to force the integer
* positive.
- *
- * @param signature
- * the RFC 2536 formatted DSA signature.
+ *
+ * @param signature the RFC 2536 formatted DSA signature.
* @return The ASN.1 formatted DSA signature.
- * @throws SignatureException
- * if there was something wrong with the RFC 2536
- * formatted
- * signature.
+ * @throws SignatureException if there was something wrong with the RFC 2536
+ * formatted signature.
*/
public static byte[] convertDSASignature(byte[] signature) throws SignatureException {
if (signature.length != 41)
throw new SignatureException("RFC 2536 signature not expected length.");
- byte r_pad = 0;
- byte s_pad = 0;
+ byte rPad = 0;
+ byte sPad = 0;
// handle initial null byte padding.
if (signature[1] < 0)
- r_pad++;
+ rPad++;
if (signature[21] < 0)
- s_pad++;
+ sPad++;
// ASN.1 length = R length + S length + (2 + 2 + 2), where each 2
// is for a ASN.1 type-length byte pair of which there are three
// (SEQ, INT, INT).
- byte sig_length = (byte) (40 + r_pad + s_pad + 6);
+ byte sigLength = (byte) (40 + rPad + sPad + 6);
- byte sig[] = new byte[sig_length];
+ byte[] sig = new byte[sigLength];
byte pos = 0;
sig[pos++] = ASN1_SEQ;
- sig[pos++] = (byte) (sig_length - 2); // all but the SEQ type+length.
+ sig[pos++] = (byte) (sigLength - 2); // all but the SEQ type+length.
sig[pos++] = ASN1_INT;
- sig[pos++] = (byte) (20 + r_pad);
+ sig[pos++] = (byte) (20 + rPad);
// copy the value of R, leaving a null byte if necessary
- if (r_pad == 1)
+ if (rPad == 1)
sig[pos++] = 0;
System.arraycopy(signature, 1, sig, pos, 20);
pos += 20;
sig[pos++] = ASN1_INT;
- sig[pos++] = (byte) (20 + s_pad);
+ sig[pos++] = (byte) (20 + sPad);
// copy the value of S, leaving a null byte if necessary
- if (s_pad == 1)
+ if (sPad == 1)
sig[pos++] = 0;
System.arraycopy(signature, 21, sig, pos, 20);
@@ -356,24 +332,20 @@ public class SignUtils {
/**
* Converts from a JCE (ASN.1) formatted DSA signature to a RFC 2536 compliant
* signature.
- *
+ *
*
* rfc2536 format = T . R . S
*
- *
+ *
* where T is a number between 0 and 8, which is based on the DSA key length,
* and R & S are formatted to be exactly 20 bytes each (no leading null
* bytes).
- *
- * @param params
- * the DSA parameters associated with the DSA key used to
- * generate
- * the signature.
- * @param signature
- * the ASN.1 formatted DSA signature.
+ *
+ * @param params the DSA parameters associated with the DSA key used to
+ * generate the signature.
+ * @param signature the ASN.1 formatted DSA signature.
* @return a RFC 2536 formatted DSA signature.
- * @throws SignatureException
- * if something is wrong with the ASN.1 format.
+ * @throws SignatureException if something is wrong with the ASN.1 format.
*/
public static byte[] convertDSASignature(DSAParams params, byte[] signature)
throws SignatureException {
@@ -381,16 +353,16 @@ public class SignUtils {
throw new SignatureException("Invalid ASN.1 signature format: expected SEQ, INT");
}
- byte r_pad = (byte) (signature[3] - 20);
+ byte rPad = (byte) (signature[3] - 20);
- if (signature[24 + r_pad] != ASN1_INT) {
+ if (signature[24 + rPad] != ASN1_INT) {
throw new SignatureException(
"Invalid ASN.1 signature format: expected SEQ, INT, INT");
}
log.finer("(start) ASN.1 DSA Sig:\n" + base64.toString(signature));
- byte s_pad = (byte) (signature[25 + r_pad] - 20);
+ byte sPad = (byte) (signature[25 + rPad] - 20);
byte[] sig = new byte[41]; // all rfc2536 signatures are 41 bytes.
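Review bot: `rPad` and `sPad` are derived from length bytes inside `signature` and then used as array offsets (`signature[24 + rPad]`, `signature[25 + rPad]`) with no range check, so a truncated or malformed encoding surfaces as ArrayIndexOutOfBoundsException instead of the SignatureException the Javadoc promises. A guard right after `rPad` is computed would keep the failure inside the documented contract, for example `if (rPad < -19 || rPad > 1 || signature.length < 26 + rPad) throw new SignatureException("Invalid ASN.1 signature format: bad R length");`, with the matching check on `sPad` and the total length before the copies in the next hunk. The input is presumably the output of a JCE signer, so this is hardening rather than a known failure. The method starts before this hunk and continues after it.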
@@ -398,26 +370,26 @@ public class SignUtils {
sig[0] = (byte) ((params.getP().bitLength() - 512) / 64);
// copy R value
- if (r_pad >= 0) {
- System.arraycopy(signature, 4 + r_pad, sig, 1, 20);
+ if (rPad >= 0) {
+ System.arraycopy(signature, 4 + rPad, sig, 1, 20);
} else {
// R is shorter than 20 bytes, so right justify the number
// (r_pad is negative here, remember?).
- Arrays.fill(sig, 1, 1 - r_pad, (byte) 0);
- System.arraycopy(signature, 4, sig, 1 - r_pad, 20 + r_pad);
+ Arrays.fill(sig, 1, 1 - rPad, (byte) 0);
+ System.arraycopy(signature, 4, sig, 1 - rPad, 20 + rPad);
}
// copy S value
- if (s_pad >= 0) {
- System.arraycopy(signature, 26 + r_pad + s_pad, sig, 21, 20);
+ if (sPad >= 0) {
+ System.arraycopy(signature, 26 + rPad + sPad, sig, 21, 20);
} else {
// S is shorter than 20 bytes, so right justify the number
// (s_pad is negative here).
- Arrays.fill(sig, 21, 21 - s_pad, (byte) 0);
- System.arraycopy(signature, 26 + r_pad, sig, 21 - s_pad, 20 + s_pad);
+ Arrays.fill(sig, 21, 21 - sPad, (byte) 0);
+ System.arraycopy(signature, 26 + rPad, sig, 21 - sPad, 20 + sPad);
}
- if (r_pad < 0 || s_pad < 0) {
+ if (rPad < 0 || sPad < 0) {
log.finer("(finish ***) RFC 2536 DSA Sig:\n" + base64.toString(sig));
} else {
@@ -444,103 +416,107 @@ public class SignUtils {
/**
* Convert a JCE standard ECDSA signature (which is a ASN.1 encoding) into a
* standard DNS signature.
- *
+ *
* The format of the ASN.1 signature is
- *
+ *
* ASN1_SEQ . seq_length . ASN1_INT . r_length . R . ANS1_INT . s_length . S
- *
+ *
* where R and S may have a leading zero byte if without it the values would
* be negative.
*
* The format of the DNSSEC signature is just R . S where R and S are both
* exactly "length" bytes.
- *
- * @param signature
- * The output of a ECDSA signature object.
+ *
+ * @param signature The output of a ECDSA signature object.
* @return signature data formatted for use in DNSSEC.
* @throws SignatureException if the ASN.1 encoding appears to be corrupt.
*/
public static byte[] convertECDSASignature(int algorithm, byte[] signature)
throws SignatureException {
- int exp_length = ecdsaLength(algorithm);
- byte[] sig = new byte[exp_length * 2];
+ int expLength = ecdsaLength(algorithm);
+ byte[] sig = new byte[expLength * 2];
if (signature[0] != ASN1_SEQ || signature[2] != ASN1_INT) {
throw new SignatureException("Invalid ASN.1 signature format: expected SEQ, INT");
}
- int r_len = signature[3];
- int r_pos = 4;
+ int rLen = signature[3];
+ int rPos = 4;
- if (signature[r_pos + r_len] != ASN1_INT) {
+ if (signature[rPos + rLen] != ASN1_INT) {
throw new SignatureException("Invalid ASN.1 signature format: expected SEQ, INT, INT");
}
- int s_pos = r_pos + r_len + 2;
- int s_len = signature[r_pos + r_len + 1];
+ int sPos = rPos + rLen + 2;
+ int sLen = signature[rPos + rLen + 1];
// Adjust for leading zeros on both R and S
- if (signature[r_pos] == 0) {
- r_pos++;
- r_len--;
+ if (signature[rPos] == 0) {
+ rPos++;
+ rLen--;
}
- if (signature[s_pos] == 0) {
- s_pos++;
- s_len--;
+ if (signature[sPos] == 0) {
+ sPos++;
+ sLen--;
}
- System.arraycopy(signature, r_pos, sig, 0 + (exp_length - r_len), r_len);
- System.arraycopy(signature, s_pos, sig, exp_length + (exp_length - s_len), s_len);
+ System.arraycopy(signature, rPos, sig, 0 + (expLength - rLen), rLen);
+ System.arraycopy(signature, sPos, sig, expLength + (expLength - sLen), sLen);
return sig;
}
/**
- * Convert a DNS standard ECDSA signature (defined in RFC 6605) into a
- * JCE standard ECDSA signature, which is encoded in ASN.1.
- *
+ * Convert a DNS standard ECDSA signature (defined in RFC 6605) into a JCE
+ * standard ECDSA signature, which is encoded in ASN.1.
+ *
* The format of the ASN.1 signature is
- *
+ *
* ASN1_SEQ . seq_length . ASN1_INT . r_length . R . ANS1_INT . s_length . S
- *
+ *
* where R and S may have a leading zero byte if without it the values would
* be negative.
*
* The format of the DNSSEC signature is just R . S where R and S are both
* exactly "length" bytes.
- *
- * @param signature
- * The binary signature data from an RRSIG record.
+ *
+ * @param signature The binary signature data from an RRSIG record.
* @return signature data that may be used in a JCE Signature object for
* verification purposes.
*/
public static byte[] convertECDSASignature(byte[] signature) {
- byte r_src_pos, r_src_len, r_pad, s_src_pos, s_src_len, s_pad, len;
+ byte rSrcPos;
+ byte rSrcLen;
+ byte rPad;
+ byte sSrcPos;
+ byte sSrcLen;
+ byte sPad;
+ byte len;
- r_src_len = s_src_len = (byte) (signature.length / 2);
- r_src_pos = 0;
- r_pad = 0;
- s_src_pos = (byte) (r_src_pos + r_src_len);
- s_pad = 0;
- len = (byte) (6 + r_src_len + s_src_len);
+ rSrcLen = sSrcLen = (byte) (signature.length / 2);
+ rSrcPos = 0;
+ rPad = 0;
+ sSrcPos = (byte) (rSrcPos + rSrcLen);
+ sPad = 0;
+ len = (byte) (6 + rSrcLen + sSrcLen);
// leading zeroes are forbidden
- while (signature[r_src_pos] == 0 && r_src_len > 0) {
- r_src_pos++;
- r_src_len--;
+ while (signature[rSrcPos] == 0 && rSrcLen > 0) {
+ rSrcPos++;
+ rSrcLen--;
len--;
}
- while (signature[s_src_pos] == 0 && s_src_len > 0) {
- s_src_pos++;
- s_src_len--;
+ while (signature[sSrcPos] == 0 && sSrcLen > 0) {
+ sSrcPos++;
+ sSrcLen--;
len--;
}
// except when they are mandatory
- if (r_src_len > 0 && signature[r_src_pos] < 0) {
- r_pad = 1;
+ if (rSrcLen > 0 && signature[rSrcPos] < 0) {
+ rPad = 1;
len++;
}
- if (s_src_len > 0 && signature[s_src_pos] < 0) {
- s_pad = 1;
+ if (sSrcLen > 0 && signature[sSrcPos] < 0) {
+ sPad = 1;
len++;
}
byte[] sig = new byte[len];
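Review bot: In `convertECDSASignature(byte[] signature)` the zero-stripping loops read `signature[sSrcPos]` before testing `sSrcLen > 0`, so an S half made only of zero bytes advances `sSrcPos` to `signature.length` and throws ArrayIndexOutOfBoundsException; an empty array fails the same way in the R loop. The Javadoc says this input is the signature data from an RRSIG record, so it should be handled as untrusted: swap the operands, `while (sSrcLen > 0 && signature[sSrcPos] == 0) {` (likewise for R), and reject empty or odd-length input before the loops. The lengths are also narrowed to `byte`, so `len` goes negative once the input exceeds roughly 120 bytes and `new byte[len]` then throws NegativeArraySizeException; an upper bound on `signature.length` covers that. The method continues into the next hunk.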
@@ -549,60 +525,56 @@ public class SignUtils {
sig[pos++] = ASN1_SEQ;
sig[pos++] = (byte) (len - 2);
sig[pos++] = ASN1_INT;
- sig[pos++] = (byte) (r_src_len + r_pad);
- pos += r_pad;
- System.arraycopy(signature, r_src_pos, sig, pos, r_src_len);
- pos += r_src_len;
+ sig[pos++] = (byte) (rSrcLen + rPad);
+ pos += rPad;
+ System.arraycopy(signature, rSrcPos, sig, pos, rSrcLen);
+ pos += rSrcLen;
sig[pos++] = ASN1_INT;
- sig[pos++] = (byte) (s_src_len + s_pad);
- pos += s_pad;
- System.arraycopy(signature, s_src_pos, sig, pos, s_src_len);
+ sig[pos++] = (byte) (sSrcLen + sPad);
+ pos += sPad;
+ System.arraycopy(signature, sSrcPos, sig, pos, sSrcLen);
return sig;
}
/**
* This is a convenience routine to help us classify records/RRsets.
- *
+ *
* It characterizes a record/RRset as one of the following classes:
*
- *
+ *
* - NORMAL
* - This record/set is properly within the zone an subject to all NXT and
* SIG processing.
- *
+ *
* - DELEGATION
* - This is a zone delegation point (or cut). It is used in NXT processing
* but is not signed.
- *
+ *
* - GLUE
* - This is a glue record and therefore not properly within the zone. It is
* not included in NXT or SIG processing. Normally glue records are A records,
* but this routine calls anything that is below a zone delegation glue.
- *
+ *
* - INVALID
* - This record doesn't even belong in the zone.
- *
+ *
*
*
- *
+ *
* This method must be called successively on records in the canonical name
* ordering, and the caller must maintain the last_cut parameter.
- *
- * @param zonename
- * the name of the zone that is being processed.
- * @param name
- * the name of the record/set under consideration.
- * @param type
- * the type of the record/set under consideration.
- * @param last_cut
- * the name of the last DELEGATION record/set that was
- * encountered
- * while iterating over the zone in canonical order.
+ *
+ * @param zonename the name of the zone that is being processed.
+ * @param name the name of the record/set under consideration.
+ * @param type the type of the record/set under consideration.
+ * @param lastCut the name of the last DELEGATION record/set that was
+ * encountered while iterating over the zone in canonical
+ * order.
*/
- public static int recordSecType(Name zonename, Name name, int type, Name last_cut,
- Name last_dname) {
+ public static int recordSecType(Name zonename, Name name, int type, Name lastCut,
+ Name lastDname) {
// records not even in the zone itself are invalid.
if (!name.subdomain(zonename))
return RR_INVALID;
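Review bot: The recordSecType Javadoc documents `lastCut` but not the `lastDname` parameter, and it has no `@return` although the method returns one of the RR_* constants. Add `@param lastDname the name of the last DNAME record/set encountered while iterating over the zone in canonical order.` and `@return the RR_* classification of the record/set.`; the visible body uses `lastDname` to mark names below a DNAME as RR_INVALID. The method body continues past the end of this hunk.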
@@ -611,11 +583,11 @@ public class SignUtils {
if (name.equals(zonename))
return RR_NORMAL;
- if (last_cut != null && name.subdomain(last_cut)) {
+ if (lastCut != null && name.subdomain(lastCut)) {
// if we are at the same level as a delegation point, but not one of a set of
// types allowed at
// a delegation point (NS, DS, NSEC), this is glue.
- if (name.equals(last_cut)) {
+ if (name.equals(lastCut)) {
if (type != Type.NS && type != Type.DS && type != Type.NXT && type != Type.NSEC) {
return RR_GLUE;
}
@@ -628,8 +600,8 @@ public class SignUtils {
}
// if we are below a DNAME, then the RR is invalid.
- if (last_dname != null && name.subdomain(last_dname)
- && name.labels() > last_dname.labels()) {
+ if (lastDname != null && name.subdomain(lastDname)
+ && name.labels() > lastDname.labels()) {
return RR_INVALID;
}
@@ -652,7 +624,7 @@ public class SignUtils {
*/
public static List assembleIntoRRsets(List records) {
RRset rrset = new RRset();
- ArrayList rrsets = new ArrayList();
+ ArrayList rrsets = new ArrayList<>();
for (Record r : records) {
// First record
@@ -702,7 +674,7 @@ public class SignUtils {
this.type = nodeType;
this.ttl = r.getTTL();
this.dclass = r.getDClass();
- this.typemap = new HashSet();
+ this.typemap = new HashSet<>();
this.isSecureNode = false;
this.hasOptInSpan = false;
addType(r.getType());
@@ -723,7 +695,7 @@ public class SignUtils {
}
public String toString() {
- StringBuffer sb = new StringBuffer(name.toString());
+ StringBuilder sb = new StringBuilder(name.toString());
if (isSecureNode)
sb.append("(S)");
if (hasOptInSpan)
@@ -745,83 +717,79 @@ public class SignUtils {
/**
* Given a canonical (by name) ordered list of records in a zone, generate the
* NSEC records in place.
- *
+ *
* Note that the list that the records are stored in must support the
* listIterator.add() operation.
- *
- * @param zonename
- * the name of the zone (used to distinguish between zone apex
- * NS
- * RRsets and delegations).
- * @param records
- * a list of {@link org.xbill.DNS.Record} objects in DNSSEC
- * canonical
- * order.
+ *
+ * @param zonename the name of the zone (used to distinguish between zone apex
+ * NS RRsets and delegations).
+ * @param records a list of {@link org.xbill.DNS.Record} objects in DNSSEC
+ * canonical order.
*/
public static void generateNSECRecords(Name zonename, List records) {
// This works by iterating over a known sorted list of records.
- NodeInfo last_node = null;
- NodeInfo current_node = null;
+ NodeInfo lastNode = null;
+ NodeInfo currentNode = null;
- Name last_cut = null;
- Name last_dname = null;
+ Name lastCut = null;
+ Name lastDname = null;
int backup;
- long nsec_ttl = 0;
+ long nsecTTL = 0;
// First find the SOA record -- it should be near the beginning -- and get
// the soa minimum
for (Record r : records) {
if (r.getType() == Type.SOA) {
SOARecord soa = (SOARecord) r;
- nsec_ttl = Math.min(soa.getMinimum(), soa.getTTL());
+ nsecTTL = Math.min(soa.getMinimum(), soa.getTTL());
break;
}
}
- if (nsec_ttl == 0) {
+ if (nsecTTL == 0) {
throw new IllegalArgumentException("Zone did not contain a SOA record");
}
for (ListIterator i = records.listIterator(); i.hasNext();) {
Record r = i.next();
- Name r_name = r.getName();
- int r_type = r.getType();
- int r_sectype = recordSecType(zonename, r_name, r_type, last_cut, last_dname);
+ Name rName = r.getName();
+ int rType = r.getType();
+ int rSecType = recordSecType(zonename, rName, rType, lastCut, lastDname);
// skip irrelevant records
- if (r_sectype == RR_INVALID || r_sectype == RR_GLUE)
+ if (rSecType == RR_INVALID || rSecType == RR_GLUE)
continue;
// note our last delegation point so we can recognize glue.
- if (r_sectype == RR_DELEGATION)
- last_cut = r_name;
+ if (rSecType == RR_DELEGATION)
+ lastCut = rName;
// if this is a DNAME, note it so we can recognize junk
- if (r_type == Type.DNAME)
- last_dname = r_name;
+ if (rType == Type.DNAME)
+ lastDname = rName;
// first node -- initialize
- if (current_node == null) {
- current_node = new NodeInfo(r, r_sectype);
- current_node.addType(Type.RRSIG);
- current_node.addType(Type.NSEC);
+ if (currentNode == null) {
+ currentNode = new NodeInfo(r, rSecType);
+ currentNode.addType(Type.RRSIG);
+ currentNode.addType(Type.NSEC);
continue;
}
// record name hasn't changed, so we are still on the same node.
- if (r_name.equals(current_node.name)) {
- current_node.addType(r_type);
+ if (rName.equals(currentNode.name)) {
+ currentNode.addType(rType);
continue;
}
- if (last_node != null) {
- NSECRecord nsec = new NSECRecord(last_node.name, last_node.dclass, nsec_ttl,
- current_node.name, last_node.getTypes());
+ if (lastNode != null) {
+ NSECRecord nsec = new NSECRecord(lastNode.name, lastNode.dclass, nsecTTL,
+ currentNode.name, lastNode.getTypes());
// Note: we have to add this through the iterator, otherwise
// the next access via the iterator will generate a
// ConcurrencyModificationException.
- backup = i.nextIndex() - last_node.nsecIndex;
+ backup = i.nextIndex() - lastNode.nsecIndex;
for (int j = 0; j < backup; j++)
i.previous();
i.add(nsec);
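Review bot: `nsecTTL == 0` serves as the "no SOA found" test, but 0 is also what `Math.min(soa.getMinimum(), soa.getTTL())` yields for an SOA whose minimum or TTL is 0, so such a zone is rejected with the misleading message "Zone did not contain a SOA record". Assuming the library never reports a negative TTL, initialise with a value no SOA can produce and test for that: `long nsecTTL = -1;` and `if (nsecTTL < 0) {`. generateNSECRecords continues past the end of this hunk.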
@@ -831,25 +799,25 @@ public class SignUtils {
log.finer("Generated: " + nsec);
}
- last_node = current_node;
+ lastNode = currentNode;
- current_node.nsecIndex = i.previousIndex();
- current_node = new NodeInfo(r, r_sectype);
- current_node.addType(Type.RRSIG);
- current_node.addType(Type.NSEC);
+ currentNode.nsecIndex = i.previousIndex();
+ currentNode = new NodeInfo(r, rSecType);
+ currentNode.addType(Type.RRSIG);
+ currentNode.addType(Type.NSEC);
}
// Generate next to last NSEC
- if (last_node != null) {
- NSECRecord nsec = new NSECRecord(last_node.name, last_node.dclass, nsec_ttl,
- current_node.name, last_node.getTypes());
- records.add(last_node.nsecIndex - 1, nsec);
+ if (lastNode != null) {
+ NSECRecord nsec = new NSECRecord(lastNode.name, lastNode.dclass, nsecTTL,
+ currentNode.name, lastNode.getTypes());
+ records.add(lastNode.nsecIndex - 1, nsec);
log.finer("Generated: " + nsec);
}
// Generate last NSEC
- NSECRecord nsec = new NSECRecord(current_node.name, current_node.dclass, nsec_ttl,
- zonename, current_node.getTypes());
+ NSECRecord nsec = new NSECRecord(currentNode.name, currentNode.dclass, nsecTTL,
+ zonename, currentNode.getTypes());
records.add(nsec);
log.finer("Generated: " + nsec);
@@ -858,100 +826,92 @@ public class SignUtils {
/**
* Given a canonical (by name) ordered list of records in a zone, generate the
* NSEC3 records in place.
- *
+ *
* Note that the list that the records are stored in must support the
* listIterator.add() operation.
- *
- * @param zonename
- * the name of the zone (used to distinguish between zone
- * apex NS
- * RRsets and delegations).
- * @param records
- * a list of {@link org.xbill.DNS.Record} objects in
- * DNSSEC canonical
- * order.
- * @param salt
- * The NSEC3 salt to use (may be null or empty for no
- * salt).
- * @param iterations
- * The number of hash iterations to use.
- * @param nsec3param_ttl
- * The TTL to use for the generated NSEC3PARAM records
- * (NSEC3 records
- * will use the SOA minimum)
+ *
+ * @param zonename the name of the zone (used to distinguish between zone
+ * apex NS RRsets and delegations).
+ * @param records a list of {@link org.xbill.DNS.Record} objects in
+ * DNSSEC canonical order.
+ * @param salt The NSEC3 salt to use (may be null or empty for no
+ * salt).
+ * @param iterations The number of hash iterations to use.
+ * @param nsec3paramTTL The TTL to use for the generated NSEC3PARAM records
+ * (NSEC3 records will use the SOA minimum)
* @throws NoSuchAlgorithmException
*/
public static void generateNSEC3Records(Name zonename, List records,
- byte[] salt, int iterations, long nsec3param_ttl)
+ byte[] salt, int iterations, long nsec3paramTTL)
throws NoSuchAlgorithmException {
- List proto_nsec3s = new ArrayList();
- NodeInfo current_node = null;
- NodeInfo last_node = null;
+ List protoNSEC3s = new ArrayList<>();
+ NodeInfo currentNode = null;
+ NodeInfo lastNode = null;
// For detecting glue.
- Name last_cut = null;
+ Name lastCut = null;
// For detecting junk below a DNAME
- Name last_dname = null;
+ Name lastDname = null;
- long nsec3_ttl = 0;
+ long nsec3TTL = 0;
for (Record r : records) {
- Name r_name = r.getName();
- int r_type = r.getType();
+ Name rName = r.getName();
+ int rType = r.getType();
// Classify this record so we know if we can skip it.
- int r_sectype = recordSecType(zonename, r_name, r_type, last_cut, last_dname);
+ int rSecType = recordSecType(zonename, rName, rType, lastCut, lastDname);
// skip irrelevant records
- if (r_sectype == RR_INVALID || r_sectype == RR_GLUE)
+ if (rSecType == RR_INVALID || rSecType == RR_GLUE)
continue;
// note our last delegation point so we can recognize glue.
- if (r_sectype == RR_DELEGATION)
- last_cut = r_name;
+ if (rSecType == RR_DELEGATION)
+ lastCut = rName;
// note our last DNAME point, so we can recognize junk.
- if (r_type == Type.DNAME)
- last_dname = r_name;
+ if (rType == Type.DNAME)
+ lastDname = rName;
- if (r_type == Type.SOA) {
+ if (rType == Type.SOA) {
SOARecord soa = (SOARecord) r;
- nsec3_ttl = Math.min(soa.getMinimum(), soa.getTTL());
- if (nsec3param_ttl < 0) {
- nsec3param_ttl = nsec3_ttl;
+ nsec3TTL = Math.min(soa.getMinimum(), soa.getTTL());
+ if (nsec3paramTTL < 0) {
+ nsec3paramTTL = nsec3TTL;
}
}
// For the first iteration, we create our current node.
- if (current_node == null) {
- current_node = new NodeInfo(r, r_sectype);
+ if (currentNode == null) {
+ currentNode = new NodeInfo(r, rSecType);
continue;
}
// If we are at the same name, we are on the same node.
- if (r_name.equals(current_node.name)) {
- current_node.addType(r_type);
+ if (rName.equals(currentNode.name)) {
+ currentNode.addType(rType);
continue;
}
// At this point, r represents the start of a new node.
// So we move current_node to last_node and generate a new current node.
// But first, we need to do something with the last node.
- generateNSEC3ForNode(last_node, zonename, salt, iterations, false, proto_nsec3s);
+ generateNSEC3ForNode(lastNode, zonename, salt, iterations, false, protoNSEC3s);
- last_node = current_node;
- current_node = new NodeInfo(r, r_sectype);
+ lastNode = currentNode;
+ currentNode = new NodeInfo(r, rSecType);
}
// process last two nodes.
- generateNSEC3ForNode(last_node, zonename, salt, iterations, false, proto_nsec3s);
- generateNSEC3ForNode(current_node, zonename, salt, iterations, false, proto_nsec3s);
+ generateNSEC3ForNode(lastNode, zonename, salt, iterations, false, protoNSEC3s);
+ generateNSEC3ForNode(currentNode, zonename, salt, iterations, false, protoNSEC3s);
- List nsec3s = finishNSEC3s(proto_nsec3s, nsec3_ttl);
+ List nsec3s = finishNSEC3s(protoNSEC3s, nsec3TTL);
records.addAll(nsec3s);
NSEC3PARAMRecord nsec3param = new NSEC3PARAMRecord(zonename, DClass.IN,
- nsec3param_ttl,
+ nsec3paramTTL,
NSEC3Record.SHA1_DIGEST_ID,
(byte) 0, iterations, salt);
records.add(nsec3param);
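Review bot: `nsec3TTL` is assigned only inside the `rType == Type.SOA` branch, so a record list without an in-zone SOA silently yields NSEC3 records with TTL 0 and, when the caller passed a negative `nsec3paramTTL`, hands that negative value to the `NSEC3PARAMRecord` constructor. generateNSECRecords throws IllegalArgumentException for a zone without an SOA; doing the same here before `finishNSEC3s` keeps the generators consistent, e.g. set a `boolean sawSoa` in the SOA branch and add `if (!sawSoa) throw new IllegalArgumentException("Zone did not contain a SOA record");`. The same pattern appears in generateOptOutNSEC3Records in the next hunk.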
@@ -963,118 +923,108 @@ public class SignUtils {
* NSEC3 records in place using Opt-Out NSEC3 records. This means that
* non-apex NS RRs (and glue below those delegations) will, by default, not be
* included in the NSEC3 chain.
- *
+ *
* Note that the list that the records are stored in must support the
* listIterator.add() operation.
- *
- * @param zonename
- * the name of the zone (used to distinguish between zone
- * apex NS
- * RRsets and delegations).
- * @param records
- * a list of {@link org.xbill.DNS.Record} objects in
- * DNSSEC canonical
- * order.
- * @param includedNames
- * A list of {@link org.xbill.DNS.Name} objects. These
- * names will be
- * included in the NSEC3 chain (if they exist in the zone)
- * regardless.
- * @param salt
- * The NSEC3 salt to use (may be null or empty for no
- * salt).
- * @param iterations
- * The number of hash iterations to use.
- * @param nsec3param_ttl
- * The TTL to use for the generated NSEC3PARAM records
- * (NSEC3 records
- * will use the SOA minimum)
+ *
+ * @param zonename the name of the zone (used to distinguish between zone
+ * apex NS RRsets and delegations).
+ * @param records a list of {@link org.xbill.DNS.Record} objects in
+ * DNSSEC canonical order.
+ * @param includedNames A list of {@link org.xbill.DNS.Name} objects. These
+ * names will be included in the NSEC3 chain (if they
+ * exist in the zone) regardless.
+ * @param salt The NSEC3 salt to use (may be null or empty for no
+ * salt).
+ * @param iterations The number of hash iterations to use.
+ * @param nsec3paramTTL The TTL to use for the generated NSEC3PARAM records
+ * (NSEC3 records will use the SOA minimum)
* @throws NoSuchAlgorithmException
*/
public static void generateOptOutNSEC3Records(Name zonename, List records,
List includedNames, byte[] salt,
- int iterations, long nsec3param_ttl)
+ int iterations, long nsec3paramTTL)
throws NoSuchAlgorithmException {
- List proto_nsec3s = new ArrayList();
- NodeInfo current_node = null;
- NodeInfo last_node = null;
+ List protoNSEC3s = new ArrayList<>();
+ NodeInfo currentNode = null;
+ NodeInfo lastNode = null;
// For detecting glue.
- Name last_cut = null;
+ Name lastCut = null;
// For detecting out-of-zone records below a DNAME
- Name last_dname = null;
+ Name lastDname = null;
- long nsec3_ttl = 0;
+ long nsec3TTL = 0;
HashSet includeSet = null;
if (includedNames != null) {
- includeSet = new HashSet(includedNames);
+ includeSet = new HashSet<>(includedNames);
}
for (Record r : records) {
- Name r_name = r.getName();
- int r_type = r.getType();
+ Name rName = r.getName();
+ int rType = r.getType();
// Classify this record so we know if we can skip it.
- int r_sectype = recordSecType(zonename, r_name, r_type, last_cut, last_dname);
+ int rSecType = recordSecType(zonename, rName, rType, lastCut, lastDname);
// skip irrelevant records
- if (r_sectype == RR_INVALID || r_sectype == RR_GLUE)
+ if (rSecType == RR_INVALID || rSecType == RR_GLUE)
continue;
// note our last delegation point so we can recognize glue.
- if (r_sectype == RR_DELEGATION)
- last_cut = r_name;
+ if (rSecType == RR_DELEGATION)
+ lastCut = rName;
- if (r_type == Type.DNAME)
- last_dname = r_name;
+ if (rType == Type.DNAME)
+ lastDname = rName;
- if (r_type == Type.SOA) {
+ if (rType == Type.SOA) {
SOARecord soa = (SOARecord) r;
- nsec3_ttl = Math.min(soa.getMinimum(), soa.getTTL());
- if (nsec3param_ttl < 0) {
- nsec3param_ttl = nsec3_ttl;
+ nsec3TTL = Math.min(soa.getMinimum(), soa.getTTL());
+ if (nsec3paramTTL < 0) {
+ nsec3paramTTL = nsec3TTL;
}
}
// For the first iteration, we create our current node.
- if (current_node == null) {
- current_node = new NodeInfo(r, r_sectype);
+ if (currentNode == null) {
+ currentNode = new NodeInfo(r, rSecType);
continue;
}
// If we are at the same name, we are on the same node.
- if (r_name.equals(current_node.name)) {
- current_node.addType(r_type);
+ if (rName.equals(currentNode.name)) {
+ currentNode.addType(rType);
continue;
}
- if (includeSet != null && includeSet.contains(current_node.name)) {
- current_node.isSecureNode = true;
+ if (includeSet != null && includeSet.contains(currentNode.name)) {
+ currentNode.isSecureNode = true;
}
// At this point, r represents the start of a new node.
// So we move current_node to last_node and generate a new current node.
// But first, we need to do something with the last node.
- generateNSEC3ForNode(last_node, zonename, salt, iterations, true, proto_nsec3s);
+ generateNSEC3ForNode(lastNode, zonename, salt, iterations, true, protoNSEC3s);
- if (current_node.isSecureNode) {
- last_node = current_node;
+ if (currentNode.isSecureNode) {
+ lastNode = currentNode;
} else {
- last_node.hasOptInSpan = true;
+ lastNode.hasOptInSpan = true;
}
- current_node = new NodeInfo(r, r_sectype);
+ currentNode = new NodeInfo(r, rSecType);
}
// process last two nodes.
- generateNSEC3ForNode(last_node, zonename, salt, iterations, true, proto_nsec3s);
- generateNSEC3ForNode(current_node, zonename, salt, iterations, true, proto_nsec3s);
+ generateNSEC3ForNode(lastNode, zonename, salt, iterations, true, protoNSEC3s);
+ generateNSEC3ForNode(currentNode, zonename, salt, iterations, true, protoNSEC3s);
- List nsec3s = finishNSEC3s(proto_nsec3s, nsec3_ttl);
+ List nsec3s = finishNSEC3s(protoNSEC3s, nsec3TTL);
records.addAll(nsec3s);
NSEC3PARAMRecord nsec3param = new NSEC3PARAMRecord(zonename, DClass.IN,
- nsec3param_ttl,
+ nsec3paramTTL,
NSEC3Record.SHA1_DIGEST_ID,
(byte) 0, iterations, salt);
records.add(nsec3param);
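Review bot: The `includeSet` check on `currentNode` runs only when a record with a new name starts the next node, so the final node of the zone reaches `generateNSEC3ForNode(currentNode, ...)` after the loop without ever being tested against `includedNames`. If the last name in canonical order is one the caller asked to include, it is handled like any other opt-out candidate. Repeat the check before the two trailing calls: `if (includeSet != null && currentNode != null && includeSet.contains(currentNode.name)) { currentNode.isSecureNode = true; }`. Separately, `lastNode.hasOptInSpan = true` dereferences `lastNode` while it may still be null on the first node change, unless NodeInfo marks that first node secure, which is not visible here.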
@@ -1084,19 +1034,13 @@ public class SignUtils {
* For a given node (representing all of the RRsets at a given name), generate
* all of the necessary NSEC3 records for it. That is, generate the NSEC3 for
* the node itself, and for any potential empty non-terminals.
- *
- * @param node
- * The node in question.
- * @param zonename
- * The zonename.
- * @param salt
- * The salt to use for the NSEC3 RRs
- * @param iterations
- * The iterations to use for the NSEC3 RRs.
- * @param optIn
- * If true, the NSEC3 will have the Opt-Out flag set.
- * @param nsec3s
- * The current list of NSEC3s -- this will be updated.
+ *
+ * @param node The node in question.
+ * @param zonename The zonename.
+ * @param salt The salt to use for the NSEC3 RRs
+ * @param iterations The iterations to use for the NSEC3 RRs.
+ * @param optIn If true, the NSEC3 will have the Opt-Out flag set.
+ * @param nsec3s The current list of NSEC3s -- this will be updated.
* @throws NoSuchAlgorithmException
*/
private static void generateNSEC3ForNode(NodeInfo node, Name zonename, byte[] salt,
@@ -1132,23 +1076,16 @@ public class SignUtils {
/**
* Create a "prototype" NSEC3 record. Basically, a mutable NSEC3 record.
- *
- * @param name
- * The original ownername to use.
- * @param zonename
- * The zonename to use.
- * @param ttl
- * The TTL to use.
- * @param salt
- * The salt to use.
- * @param iterations
- * The number of hash iterations to use.
- * @param optIn
- * The value of the Opt-Out flag.
- * @param types
- * The typecodes present at this name.
+ *
+ * @param name The original ownername to use.
+ * @param zonename The zonename to use.
+ * @param ttl The TTL to use.
+ * @param salt The salt to use.
+ * @param iterations The number of hash iterations to use.
+ * @param optIn The value of the Opt-Out flag.
+ * @param types The typecodes present at this name.
* @return A mutable NSEC3 record.
- *
+ *
* @throws NoSuchAlgorithmException
*/
private static ProtoNSEC3 generateNSEC3(Name name, Name zonename, long ttl,
@@ -1169,62 +1106,59 @@ public class SignUtils {
* Given a list of {@link ProtoNSEC3} object (mutable NSEC3 RRs), convert the
* list into the set of actual {@link org.xbill.DNS.NSEC3Record} objects. This
* will remove duplicates and finalize the records.
- *
- * @param nsec3s
- * The list of ProtoNSEC3 objects
- * @param ttl
- * The TTL to assign to the finished NSEC3 records. In general,
- * this
- * should match the SOA minimum value for the zone.
+ *
+ * @param nsec3s The list of ProtoNSEC3 objects
+ * @param ttl The TTL to assign to the finished NSEC3 records. In general,
+ * this should match the SOA minimum value for the zone.
* @return The list of {@link org.xbill.DNS.NSEC3Record} objects.
*/
private static List finishNSEC3s(List nsec3s, long ttl) {
if (nsec3s == null)
- return null;
+ return new ArrayList<>();
Collections.sort(nsec3s, new ProtoNSEC3.Comparator());
- ProtoNSEC3 prev_nsec3 = null;
- ProtoNSEC3 cur_nsec3 = null;
- byte[] first_nsec3_hash = null;
+ ProtoNSEC3 prevNSEC3 = null;
+ ProtoNSEC3 curNSEC3 = null;
+ byte[] firstNSEC3Hash = null;
for (ListIterator i = nsec3s.listIterator(); i.hasNext();) {
- cur_nsec3 = i.next();
+ curNSEC3 = i.next();
// check to see if cur is a duplicate (by name)
- if (prev_nsec3 != null
- && Arrays.equals(prev_nsec3.getOwner(), cur_nsec3.getOwner())) {
+ if (prevNSEC3 != null
+ && Arrays.equals(prevNSEC3.getOwner(), curNSEC3.getOwner())) {
log.fine("found duplicate NSEC3 (by name) -- merging type maps: "
- + prev_nsec3.getTypemap() + " and " + cur_nsec3.getTypemap());
+ + prevNSEC3.getTypemap() + " and " + curNSEC3.getTypemap());
i.remove();
- prev_nsec3.mergeTypes(cur_nsec3.getTypemap());
- log.fine("merged type map: " + prev_nsec3.getTypemap());
+ prevNSEC3.mergeTypes(curNSEC3.getTypemap());
+ log.fine("merged type map: " + prevNSEC3.getTypemap());
continue;
}
- byte[] next = cur_nsec3.getOwner();
+ byte[] next = curNSEC3.getOwner();
- if (prev_nsec3 == null) {
- prev_nsec3 = cur_nsec3;
- first_nsec3_hash = next;
+ if (prevNSEC3 == null) {
+ prevNSEC3 = curNSEC3;
+ firstNSEC3Hash = next;
continue;
}
- prev_nsec3.setNext(next);
- prev_nsec3 = cur_nsec3;
+ prevNSEC3.setNext(next);
+ prevNSEC3 = curNSEC3;
}
// Handle last NSEC3.
- if (prev_nsec3.getNext() == null) {
+ if (prevNSEC3.getNext() == null) {
// if prev_nsec3's next field hasn't been set, then it is the last
// record (i.e., all remaining records were duplicates.)
- prev_nsec3.setNext(first_nsec3_hash);
+ prevNSEC3.setNext(firstNSEC3Hash);
} else {
// otherwise, cur_nsec3 is the last record.
- cur_nsec3.setNext(first_nsec3_hash);
+ curNSEC3.setNext(firstNSEC3Hash);
}
// Convert our ProtoNSEC3s to actual (immutable) NSEC3Record objects.
- List res = new ArrayList(nsec3s.size());
+ List res = new ArrayList<>(nsec3s.size());
for (ProtoNSEC3 p : nsec3s) {
p.setTTL(ttl);
res.add(p.getNSEC3Record());
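Review bot: An empty but non-null `nsec3s` list still reaches `prevNSEC3.getNext()` under "Handle last NSEC3" with `prevNSEC3` null, because the loop never runs; the new empty-list return only covers the null case. Widening the guard to `if (nsec3s == null || nsec3s.isEmpty()) return new ArrayList<>();` covers both. The two comments in that tail block still refer to `prev_nsec3` and `cur_nsec3` and should follow the rename. The method's closing lines are outside this hunk.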
@@ -1236,90 +1170,85 @@ public class SignUtils {
/**
* Given a canonical (by name) ordered list of records in a zone, generate the
* NSEC records in place.
- *
+ *
* Note that the list that the records are stored in must support the
* listIterator.add
operation.
- *
- * @param zonename
- * the name of the zone apex, used to distinguish between
- * authoritative and delegation NS RRsets.
- * @param records
- * a list of {@link org.xbill.DNS.Record}s in DNSSEC
+ *
+ * @param zonename the name of the zone apex, used to distinguish
+ * between authoritative and delegation NS RRsets.
+ * @param records a list of {@link org.xbill.DNS.Record}s in DNSSEC
* canonical order.
- * @param includeNames
- * a list of names that should be in the NXT chain
- * regardless. This
- * may be null.
- * @param beConservative
- * if true, then Opt-In NXTs will only be generated where
- * there is
- * actually a span of insecure delegations.
+ * @param includeNames a list of names that should be in the NXT chain
+ * regardless. This may be null.
+ * @param beConservative if true, then Opt-In NXTs will only be generated
+ * where there is actually a span of insecure
+ * delegations.
*/
public static void generateOptInNSECRecords(Name zonename, List records,
List includeNames,
boolean beConservative) {
// This works by iterating over a known sorted list of records.
- NodeInfo last_node = null;
- NodeInfo current_node = null;
+ NodeInfo lastNode = null;
+ NodeInfo currentNode = null;
- Name last_cut = null;
- Name last_dname = null;
+ Name lastCut = null;
+ Name lastDname = null;
int backup;
HashSet includeSet = null;
if (includeNames != null) {
- includeSet = new HashSet(includeNames);
+ includeSet = new HashSet<>(includeNames);
}
for (ListIterator i = records.listIterator(); i.hasNext();) {
Record r = i.next();
- Name r_name = r.getName();
- int r_type = r.getType();
- int r_sectype = recordSecType(zonename, r_name, r_type, last_cut, last_dname);
+ Name rName = r.getName();
+ int rType = r.getType();
+ int rSecType = recordSecType(zonename, rName, rType, lastCut, lastDname);
// skip irrelevant records
- if (r_sectype == RR_INVALID || r_sectype == RR_GLUE)
+ if (rSecType == RR_INVALID || rSecType == RR_GLUE)
continue;
// note our last delegation point so we can recognize glue.
- if (r_sectype == RR_DELEGATION)
- last_cut = r_name;
+ if (rSecType == RR_DELEGATION)
+ lastCut = rName;
- if (r_type == Type.DNAME)
- last_dname = r_name;
+ if (rType == Type.DNAME)
+ lastDname = rName;
// first node -- initialize
- if (current_node == null) {
- current_node = new NodeInfo(r, r_sectype);
- current_node.addType(Type.RRSIG);
+ if (currentNode == null) {
+ currentNode = new NodeInfo(r, rSecType);
+ currentNode.addType(Type.RRSIG);
continue;
}
// record name hasn't changed, so we are still on the same node.
- if (r_name.equals(current_node.name)) {
- current_node.addType(r_type);
+ if (rName.equals(currentNode.name)) {
+ currentNode.addType(rType);
continue;
}
// If the name is in the set of included names, mark it as
// secure.
- if (includeSet != null && includeSet.contains(current_node.name)) {
- current_node.isSecureNode = true;
+ if (includeSet != null && includeSet.contains(currentNode.name)) {
+ currentNode.isSecureNode = true;
}
- if (last_node != null && current_node.isSecureNode) {
+ if (lastNode != null && currentNode.isSecureNode) {
// generate a NSEC record.
- if (beConservative && !last_node.hasOptInSpan) {
- last_node.addType(Type.NSEC);
+ if (beConservative && !lastNode.hasOptInSpan) {
+ lastNode.addType(Type.NSEC);
}
- NSECRecord nsec = new NSECRecord(last_node.name, last_node.dclass, last_node.ttl,
- current_node.name, last_node.getTypes());
+ NSECRecord nsec = new NSECRecord(lastNode.name, lastNode.dclass, lastNode.ttl,
+ currentNode.name, lastNode.getTypes());
// Note: we have to add this through the iterator, otherwise
// the next access via the iterator will generate a
// ConcurrencyModificationException.
- backup = i.nextIndex() - last_node.nsecIndex;
+ backup = i.nextIndex() - lastNode.nsecIndex;
for (int j = 0; j < backup; j++)
i.previous();
i.add(nsec);
@@ -1329,49 +1258,49 @@ public class SignUtils {
log.finer("Generated: " + nsec);
}
- if (current_node.isSecureNode) {
- last_node = current_node;
- } else if (last_node != null) {
+ if (currentNode.isSecureNode) {
+ lastNode = currentNode;
+ } else if (lastNode != null) {
// last_node does not change -- last_node is essentially the
// last *secure* node, and current_node is not secure.
// However, we need to note the passing of the insecure node.
- last_node.hasOptInSpan = true;
+ lastNode.hasOptInSpan = true;
}
- current_node.nsecIndex = i.previousIndex();
- current_node = new NodeInfo(r, r_sectype);
- current_node.addType(Type.RRSIG);
+ currentNode.nsecIndex = i.previousIndex();
+ currentNode = new NodeInfo(r, rSecType);
+ currentNode.addType(Type.RRSIG);
}
// Generate next to last NSEC
- if (last_node != null && current_node.isSecureNode) {
+ if (lastNode != null && currentNode.isSecureNode) {
// generate a NSEC record.
- if (beConservative && !last_node.hasOptInSpan) {
- last_node.addType(Type.NSEC);
+ if (beConservative && !lastNode.hasOptInSpan) {
+ lastNode.addType(Type.NSEC);
}
- NSECRecord nsec = new NSECRecord(last_node.name, last_node.dclass, last_node.ttl,
- current_node.name, last_node.getTypes());
- records.add(last_node.nsecIndex - 1, nsec);
+ NSECRecord nsec = new NSECRecord(lastNode.name, lastNode.dclass, lastNode.ttl,
+ currentNode.name, lastNode.getTypes());
+ records.add(lastNode.nsecIndex - 1, nsec);
log.finer("Generated: " + nsec);
}
// Generate last NSEC
NSECRecord nsec;
- if (current_node.isSecureNode) {
+ if (currentNode.isSecureNode) {
if (beConservative) {
- current_node.addType(Type.NSEC);
+ currentNode.addType(Type.NSEC);
}
- nsec = new NSECRecord(current_node.name, current_node.dclass, current_node.ttl,
- zonename, current_node.getTypes());
+ nsec = new NSECRecord(currentNode.name, currentNode.dclass, currentNode.ttl,
+ zonename, currentNode.getTypes());
// we can just tack this on the end as we are working on the
// last node.
records.add(nsec);
} else {
- nsec = new NSECRecord(last_node.name, last_node.dclass, last_node.ttl, zonename,
- last_node.getTypes());
+ nsec = new NSECRecord(lastNode.name, lastNode.dclass, lastNode.ttl, zonename,
+ lastNode.getTypes());
// We need to tack this on after the last secure node, not the
// end of the whole list.
- records.add(last_node.nsecIndex, nsec);
+ records.add(lastNode.nsecIndex, nsec);
}
log.finer("Generated: " + nsec);
@@ -1380,30 +1309,26 @@ public class SignUtils {
/**
* Given a zone with DNSKEY records at delegation points, convert those KEY
* records into their corresponding DS records in place.
- *
- * @param zonename
- * the name of the zone, used to reliably distinguish the zone
- * apex
- * from other records.
- * @param records
- * a list of {@link org.xbill.DNS.Record} objects.
- * @param digest_alg
- * The digest algorithm to use.
+ *
+ * @param zonename the name of the zone, used to reliably distinguish the
+ * zone apex from other records.
+ * @param records a list of {@link org.xbill.DNS.Record} objects.
+ * @param digestAlg The digest algorithm to use.
*/
- public static void generateDSRecords(Name zonename, List records, int digest_alg) {
+ public static void generateDSRecords(Name zonename, List records, int digestAlg) {
for (ListIterator i = records.listIterator(); i.hasNext();) {
Record r = i.next();
if (r == null)
continue; // this should never be true.
- Name r_name = r.getName();
- if (r_name == null)
+ Name rName = r.getName();
+ if (rName == null)
continue; // this should never be true.
// Convert non-zone level KEY records into DS records.
- if (r.getType() == Type.DNSKEY && !r_name.equals(zonename)) {
- DSRecord ds = calculateDSRecord((DNSKEYRecord) r, digest_alg, r.getTTL());
+ if (r.getType() == Type.DNSKEY && !rName.equals(zonename)) {
+ DSRecord ds = calculateDSRecord((DNSKEYRecord) r, digestAlg, r.getTTL());
i.set(ds);
}
@@ -1412,15 +1337,13 @@ public class SignUtils {
/**
* Given a zone, remove all records that are generated.
- *
- * @param zonename
- * the name of the zone.
- * @param records
- * a list of {@link org.xbill.DNS.Record} objects.
+ *
+ * @param zonename the name of the zone.
+ * @param records a list of {@link org.xbill.DNS.Record} objects.
*/
public static void removeGeneratedRecords(Name zonename, List records) {
for (Iterator i = records.iterator(); i.hasNext();) {
- Record r = (Record) i.next();
+ Record r = i.next();
if (r.getType() == Type.RRSIG || r.getType() == Type.NSEC
|| r.getType() == Type.NSEC3 || r.getType() == Type.NSEC3PARAM) {
@@ -1433,9 +1356,8 @@ public class SignUtils {
* Remove duplicate records from a list of records. This routine presumes the
* list of records is in a canonical sorted order, at least on name and RR
* type.
- *
- * @param records
- * a list of {@link org.xbill.DNS.Record} object, in sorted
+ *
+ * @param records a list of {@link org.xbill.DNS.Record} object, in sorted
* order.
*/
public static void removeDuplicateRecords(List records) {
@@ -1456,18 +1378,14 @@ public class SignUtils {
/**
* Given a DNSKEY record, generate the DS record from it.
- *
- * @param keyrec
- * the KEY record in question.
- * @param digest_alg
- * The digest algorithm (SHA-1, SHA-256, etc.).
- * @param ttl
- * the desired TTL for the generated DS record. If zero, or
- * negative,
- * the original KEY RR's TTL will be used.
+ *
+ * @param keyrec the KEY record in question.
+ * @param digestAlg The digest algorithm (SHA-1, SHA-256, etc.).
+ * @param ttl the desired TTL for the generated DS record. If zero, or
+ * negative, the original KEY RR's TTL will be used.
* @return the corresponding {@link org.xbill.DNS.DSRecord}
*/
- public static DSRecord calculateDSRecord(DNSKEYRecord keyrec, int digest_alg, long ttl) {
+ public static DSRecord calculateDSRecord(DNSKEYRecord keyrec, int digestAlg, long ttl) {
if (keyrec == null)
return null;
@@ -1483,7 +1401,7 @@ public class SignUtils {
byte[] digest;
MessageDigest md;
- switch (digest_alg) {
+ switch (digestAlg) {
case DNSSEC.Digest.SHA1:
md = MessageDigest.getInstance("SHA");
digest = md.digest(os.toByteArray());
@@ -1493,11 +1411,11 @@ public class SignUtils {
digest = md.digest(os.toByteArray());
break;
default:
- throw new IllegalArgumentException("Unknown digest id: " + digest_alg);
+ throw new IllegalArgumentException("Unknown digest id: " + digestAlg);
}
return new DSRecord(keyrec.getName(), keyrec.getDClass(), ttl,
- keyrec.getFootprint(), keyrec.getAlgorithm(), digest_alg,
+ keyrec.getFootprint(), keyrec.getAlgorithm(), digestAlg,
digest);
} catch (NoSuchAlgorithmException e) {
@@ -1508,35 +1426,26 @@ public class SignUtils {
/**
* Calculate an NSEC3 hash based on a DNS name and NSEC3 hash parameters.
- *
- * @param n
- * The name to hash.
- * @param hash_algorithm
- * The hash algorithm to use.
- * @param iterations
- * The number of iterations to do.
- * @param salt
- * The salt to use.
+ *
+ * @param n The name to hash.
+ * @param hashAlgorithm The hash algorithm to use.
+ * @param iterations The number of iterations to do.
+ * @param salt The salt to use.
* @return The calculated hash as a byte array.
- * @throws NoSuchAlgorithmException
- * If the hash algorithm is unrecognized.
+ * @throws NoSuchAlgorithmException If the hash algorithm is unrecognized.
*/
- public static byte[] nsec3hash(Name n, int hash_algorithm, int iterations, byte[] salt)
+ public static byte[] nsec3hash(Name n, int hashAlgorithm, int iterations, byte[] salt)
throws NoSuchAlgorithmException {
MessageDigest md;
- switch (hash_algorithm) {
- case NSEC3Record.SHA1_DIGEST_ID:
- md = MessageDigest.getInstance("SHA1");
- break;
- default:
- throw new NoSuchAlgorithmException("Unknown NSEC3 algorithm identifier: "
- + hash_algorithm);
+ if (hashAlgorithm != NSEC3Record.SHA1_DIGEST_ID) {
+ throw new NoSuchAlgorithmException("Unknown NSEC3 algorithm identifier: " + hashAlgorithm);
}
+ md = MessageDigest.getInstance("SHA1");
// Construct our wire form.
- byte[] wire_name = n.toWireCanonical();
- byte[] res = wire_name; // for the first iteration.
+ byte[] wireName = n.toWireCanonical();
+ byte[] res = wireName; // for the first iteration.
for (int i = 0; i <= iterations; i++) {
// Concatenate the salt, if it exists.
if (salt != null) {
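Review bot: `iterations` is used as a loop bound at `for (int i = 0; i <= iterations; i++)` without a range check, so a negative value would skip the loop entirely. If `res` is what the method returns (the rest of the body is outside this hunk), the caller would then get the unhashed wire name back. A guard before the loop, `if (iterations < 0) throw new IllegalArgumentException("iterations must be >= 0: " + iterations);`, makes the contract explicit. An upper bound is worth considering as well, since every extra iteration is one more SHA-1 pass per name. With the switch gone, `MessageDigest md;` and its later assignment can also become a single declaration.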
diff --git a/src/main/java/com/verisignlabs/dnssec/security/TypeMap.java b/src/main/java/com/verisignlabs/dnssec/security/TypeMap.java
index 84542cd..d4a8bea 100644
--- a/src/main/java/com/verisignlabs/dnssec/security/TypeMap.java
+++ b/src/main/java/com/verisignlabs/dnssec/security/TypeMap.java
@@ -37,7 +37,7 @@ public class TypeMap {
private Set typeSet;
public TypeMap() {
- this.typeSet = new HashSet();
+ this.typeSet = new HashSet<>();
}
/** Add the given type to the typemap. */
@@ -78,20 +78,20 @@ public class TypeMap {
TypeMap typemap = new TypeMap();
int page;
- int byte_length;
+ int byteLength;
while (m < map.length) {
page = map[m++];
- byte_length = map[m++];
+ byteLength = map[m++];
- for (int i = 0; i < byte_length; i++) {
+ for (int i = 0; i < byteLength; i++) {
for (int j = 0; j < 8; j++) {
- if ((map[m + i] & (1 << (7 - j))) != 0) {
+ if (((map[m + i] & 0xFF) & (1 << (7 - j))) != 0) {
typemap.set((page << 8) + (i * 8) + j);
}
}
}
- m += byte_length;
+ m += byteLength;
}
return typemap;
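Review bot: The added `& 0xFF` on `map[m + i]` does not change the result, because the mask `1 << (7 - j)` never reaches above bit 7; the sign-extension problem is at `page = map[m++]`. Assuming `map` is a `byte[]` (as `fromWireToTypes` suggests), a window number of 128 or more is read as negative and `(page << 8)` yields negative type codes; `page = map[m++] & 0xFF;` and `byteLength = map[m++] & 0xFF;` fix that. The loop also trusts the length octet, so a truncated or malformed bitmap makes `map[m++]` or `map[m + i]` throw ArrayIndexOutOfBoundsException. A check such as `if (byteLength < 1 || byteLength > 32 || m + byteLength > map.length)` that throws an explicit IllegalArgumentException is safer for data read off the wire. The method begins outside this hunk.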
@@ -115,7 +115,7 @@ public class TypeMap {
int[] types = getTypes();
Arrays.sort(types);
- StringBuffer sb = new StringBuffer();
+ StringBuilder sb = new StringBuilder();
for (int i = 0; i < types.length; i++) {
if (i > 0)
@@ -129,16 +129,16 @@ public class TypeMap {
protected static void mapToWire(DNSOutput out, int[] types, int base, int start, int end) {
// calculate the length of this map by looking at the largest
// typecode in this section.
- int max_type = types[end - 1] & 0xFF;
- int map_length = (max_type / 8) + 1;
+ int maxType = types[end - 1] & 0xFF;
+ int mapLength = (maxType / 8) + 1;
// write the map "header" -- the base and the length of the map.
out.writeU8(base & 0xFF);
- out.writeU8(map_length & 0xFF);
+ out.writeU8(mapLength & 0xFF);
// allocate a temporary scratch space for caculating the actual
// bitmap.
- byte[] map = new byte[map_length];
+ byte[] map = new byte[mapLength];
// for each type in our sub-array, set its corresponding bit in the map.
for (int i = start; i < end; i++) {
@@ -179,7 +179,7 @@ public class TypeMap {
}
public int[] getTypes() {
- Integer[] a = (Integer[]) typeSet.toArray(integerArray);
+ Integer[] a = typeSet.toArray(integerArray);
int[] res = new int[a.length];
for (int i = 0; i < res.length; i++) {
@@ -189,8 +189,8 @@ public class TypeMap {
return res;
}
- public static int[] fromWireToTypes(byte[] wire_fmt) {
- return TypeMap.fromBytes(wire_fmt).getTypes();
+ public static int[] fromWireToTypes(byte[] wireFmt) {
+ return TypeMap.fromBytes(wireFmt).getTypes();
}
public static byte[] fromTypesToWire(int[] types) {
diff --git a/src/main/java/com/verisignlabs/dnssec/security/ZoneUtils.java b/src/main/java/com/verisignlabs/dnssec/security/ZoneUtils.java
index 209c27d..5729197 100644
--- a/src/main/java/com/verisignlabs/dnssec/security/ZoneUtils.java
+++ b/src/main/java/com/verisignlabs/dnssec/security/ZoneUtils.java
@@ -39,6 +39,10 @@ import org.xbill.DNS.Type;
*/
public class ZoneUtils {
+
+ private ZoneUtils() {
+ }
+
/**
* Load a zone file.
*
@@ -53,19 +57,10 @@ public class ZoneUtils {
* if something goes wrong reading the zone file.
*/
public static List readZoneFile(String zonefile, Name origin) throws IOException {
- ArrayList records = new ArrayList();
- Master m;
- try {
- if (zonefile.equals("-")) {
- m = new Master(System.in);
- } else {
- m = new Master(zonefile, origin);
- }
-
+ ArrayList records = new ArrayList<>();
+ try (Master m = zonefile.equals("-") ? new Master(System.in) : new Master(zonefile, origin)) {
Record r = null;
-
while ((r = m.nextRecord()) != null) {
-
records.add(r);
}
} catch (IOException e) {
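Review bot: The stdin branch of the new resource expression, `new Master(System.in)`, drops the `origin` argument that the file branch passes, so relative owner names read from `-` depend on the input carrying its own $ORIGIN directive. If the dnsjava version in use provides the `Master(InputStream, Name)` constructor, `new Master(System.in, origin)` keeps the two branches consistent. The catch block and the rest of the method continue outside this hunk.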
@@ -120,7 +115,7 @@ public class ZoneUtils {
}
public static List findRRs(List records, Name name, int type) {
- List res = new ArrayList();
+ List res = new ArrayList<>();
for (Record r : records) {
if (r.getName().equals(name) && r.getType() == type) {
res.add(r);
diff --git a/src/main/java/com/verisignlabs/dnssec/security/ZoneVerifier.java b/src/main/java/com/verisignlabs/dnssec/security/ZoneVerifier.java
index be2ab22..d7eaa9b 100644
--- a/src/main/java/com/verisignlabs/dnssec/security/ZoneVerifier.java
+++ b/src/main/java/com/verisignlabs/dnssec/security/ZoneVerifier.java
@@ -88,10 +88,12 @@ public class ZoneVerifier {
public boolean equals(Object o) {
return super.equals(o);
}
+
@Override
public int hashCode() {
return super.hashCode();
}
+
boolean getMark() {
return mIsMarked;
}
@@ -148,7 +150,8 @@ public class ZoneVerifier {
/**
* Add a record to the various maps.
*
- * @return true if the RR was added, false if it wasn't (because it was a duplicate)
+ * @return true if the RR was added, false if it wasn't (because it was a
+ * duplicate)
*/
private boolean addRR(Record r) {
Name n = r.getName();
@@ -206,7 +209,7 @@ public class ZoneVerifier {
* Given an unsorted list of records, load the node and rrset maps, as well as
* determine the NSEC3 parameters and signing type.
*
- * @param records
+ * @param records an unsorted list of {@link org.xbill.DNS.Record} objects.
* @return the number of errors encountered.
*/
private int calculateNodes(List records) {
@@ -251,7 +254,7 @@ public class ZoneVerifier {
* Given a name, typeset, and name of the last zone cut, determine the node
* type.
*/
- private NodeType determineNodeType(Name n, Set typeset, Name last_cut) {
+ private NodeType determineNodeType(Name n, Set typeset, Name lastCut) {
// All RRs at the zone apex are normal
if (n.equals(mZoneName))
return NodeType.NORMAL;
@@ -263,7 +266,7 @@ public class ZoneVerifier {
}
// If the node is below a zone cut (either a delegation or DNAME), it is
// glue.
- if (last_cut != null && n.subdomain(last_cut) && !n.equals(last_cut)) {
+ if (lastCut != null && n.subdomain(lastCut) && !n.equals(lastCut)) {
return NodeType.GLUE;
}
@@ -294,13 +297,13 @@ public class ZoneVerifier {
*/
private int processNodes() throws NoSuchAlgorithmException, TextParseException {
int errors = 0;
- Name last_cut = null;
+ Name lastCut = null;
for (Map.Entry> entry : mNodeMap.entrySet()) {
Name n = entry.getKey();
Set typeset = entry.getValue();
- NodeType ntype = determineNodeType(n, typeset, last_cut);
+ NodeType ntype = determineNodeType(n, typeset, lastCut);
log.finest("Node " + n + " is type " + ntype);
// we can ignore glue/invalid RRs.
@@ -309,7 +312,7 @@ public class ZoneVerifier {
// record the last zone cut if this node is a zone cut.
if (ntype == NodeType.DELEGATION || typeset.contains(Type.DNAME)) {
- last_cut = n;
+ lastCut = n;
}
// check all of the RRsets that should be signed