use baseAlgorithm enum instead of static ints

This commit is contained in:
David Blacka 2024-03-29 20:20:15 -04:00
parent c80595b118
commit 39d938c4e1
5 changed files with 56 additions and 53 deletions

View File

@ -84,13 +84,13 @@ public class KeyInfoTool extends CLBase {
+ " (" + dnskey.getAlgorithm() + ")"); + " (" + dnskey.getAlgorithm() + ")");
System.out.println("ID: " + dnskey.getFootprint()); System.out.println("ID: " + dnskey.getFootprint());
System.out.println("KeyFileBase: " + BINDKeyUtils.keyFileBase(key)); System.out.println("KeyFileBase: " + BINDKeyUtils.keyFileBase(key));
int basetype = dnskeyalg.baseType(dnskey.getAlgorithm()); DnsKeyAlgorithm.BaseAlgorithm basetype = dnskeyalg.baseType(dnskey.getAlgorithm());
if (basetype == DnsKeyAlgorithm.RSA) { if (basetype == DnsKeyAlgorithm.BaseAlgorithm.RSA) {
RSAPublicKey pub = (RSAPublicKey) key.getPublic(); RSAPublicKey pub = (RSAPublicKey) key.getPublic();
System.out.println("RSA Public Exponent: " + pub.getPublicExponent()); System.out.println("RSA Public Exponent: " + pub.getPublicExponent());
System.out.println("RSA Modulus: " + pub.getModulus()); System.out.println("RSA Modulus: " + pub.getModulus());
} else if (basetype == DnsKeyAlgorithm.DSA) { } else if (basetype == DnsKeyAlgorithm.BaseAlgorithm.DSA) {
DSAPublicKey pub = (DSAPublicKey) key.getPublic(); DSAPublicKey pub = (DSAPublicKey) key.getPublic();
System.out.println("DSA base (G): " + pub.getParams().getG()); System.out.println("DSA base (G): " + pub.getParams().getG());
System.out.println("DSA prime (P): " + pub.getParams().getP()); System.out.println("DSA prime (P): " + pub.getParams().getP());

View File

@ -72,21 +72,24 @@ public class DnsKeyAlgorithm {
// Our base algorithm numbers. This is a normalization of the DNSSEC // Our base algorithm numbers. This is a normalization of the DNSSEC
// algorithms (which are really signature algorithms). Thus RSASHA1, // algorithms (which are really signature algorithms). Thus RSASHA1,
// RSASHA256, etc. all boil down to 'RSA' here. // RSASHA256, etc. all boil down to 'RSA' here. Similary, ECDSAP256SHA256 and
public static final int UNKNOWN = -1; // ECDSAP384SHA384 both become 'ECDSA'.
public static final int RSA = 1; public enum BaseAlgorithm {
public static final int DH = 2; UNKNOWN,
public static final int DSA = 3; RSA,
public static final int ECC_GOST = 4; DH,
public static final int ECDSA = 5; DSA,
public static final int EDDSA = 6; ECC_GOST,
ECDSA,
EDDSA;
}
private static class AlgEntry { private static class AlgEntry {
public int dnssecAlgorithm; public int dnssecAlgorithm;
public String sigName; public String sigName;
public int baseType; public BaseAlgorithm baseType;
public AlgEntry(int algorithm, String sigName, int baseType) { public AlgEntry(int algorithm, String sigName, BaseAlgorithm baseType) {
this.dnssecAlgorithm = algorithm; this.dnssecAlgorithm = algorithm;
this.sigName = sigName; this.sigName = sigName;
this.baseType = baseType; this.baseType = baseType;
@ -96,7 +99,7 @@ public class DnsKeyAlgorithm {
private static class ECAlgEntry extends AlgEntry { private static class ECAlgEntry extends AlgEntry {
public ECParameterSpec ecSpec; public ECParameterSpec ecSpec;
public ECAlgEntry(int algorithm, String sigName, int baseType, ECParameterSpec spec) { public ECAlgEntry(int algorithm, String sigName, BaseAlgorithm baseType, ECParameterSpec spec) {
super(algorithm, sigName, baseType); super(algorithm, sigName, baseType);
this.ecSpec = spec; this.ecSpec = spec;
} }
@ -105,7 +108,7 @@ public class DnsKeyAlgorithm {
private static class EdAlgEntry extends AlgEntry { private static class EdAlgEntry extends AlgEntry {
public EdDSAParameterSpec edSpec; public EdDSAParameterSpec edSpec;
public EdAlgEntry(int algorithm, String sigName, int baseType, EdDSAParameterSpec spec) { public EdAlgEntry(int algorithm, String sigName, BaseAlgorithm baseType, EdDSAParameterSpec spec) {
super(algorithm, sigName, baseType); super(algorithm, sigName, baseType);
this.edSpec = spec; this.edSpec = spec;
} }
@ -172,16 +175,16 @@ public class DnsKeyAlgorithm {
mIdToMnemonicMap = new HashMap<>(); mIdToMnemonicMap = new HashMap<>();
// Load the standard DNSSEC algorithms. // Load the standard DNSSEC algorithms.
addAlgorithm(DNSSEC.Algorithm.RSAMD5, "MD5withRSA", RSA); addAlgorithm(DNSSEC.Algorithm.RSAMD5, "MD5withRSA", BaseAlgorithm.RSA);
addMnemonic("RSAMD5", DNSSEC.Algorithm.RSAMD5); addMnemonic("RSAMD5", DNSSEC.Algorithm.RSAMD5);
addAlgorithm(DNSSEC.Algorithm.DH, "", DH); addAlgorithm(DNSSEC.Algorithm.DH, "", BaseAlgorithm.DH);
addMnemonic("DH", DNSSEC.Algorithm.DH); addMnemonic("DH", DNSSEC.Algorithm.DH);
addAlgorithm(DNSSEC.Algorithm.DSA, "SHA1withDSA", DSA); addAlgorithm(DNSSEC.Algorithm.DSA, "SHA1withDSA", BaseAlgorithm.DSA);
addMnemonic("DSA", DNSSEC.Algorithm.DSA); addMnemonic("DSA", DNSSEC.Algorithm.DSA);
addAlgorithm(DNSSEC.Algorithm.RSASHA1, "SHA1withRSA", RSA); addAlgorithm(DNSSEC.Algorithm.RSASHA1, "SHA1withRSA", BaseAlgorithm.RSA);
addMnemonic("RSASHA1", DNSSEC.Algorithm.RSASHA1); addMnemonic("RSASHA1", DNSSEC.Algorithm.RSASHA1);
addMnemonic("RSA", DNSSEC.Algorithm.RSASHA1); addMnemonic("RSA", DNSSEC.Algorithm.RSASHA1);
@ -193,25 +196,25 @@ public class DnsKeyAlgorithm {
addMnemonic("NSEC3RSASHA1", DNSSEC.Algorithm.RSA_NSEC3_SHA1); addMnemonic("NSEC3RSASHA1", DNSSEC.Algorithm.RSA_NSEC3_SHA1);
// Algorithms added by RFC 5702. // Algorithms added by RFC 5702.
addAlgorithm(DNSSEC.Algorithm.RSASHA256, "SHA256withRSA", RSA); addAlgorithm(DNSSEC.Algorithm.RSASHA256, "SHA256withRSA", BaseAlgorithm.RSA);
addMnemonic("RSASHA256", DNSSEC.Algorithm.RSASHA256); addMnemonic("RSASHA256", DNSSEC.Algorithm.RSASHA256);
addAlgorithm(DNSSEC.Algorithm.RSASHA512, "SHA512withRSA", RSA); addAlgorithm(DNSSEC.Algorithm.RSASHA512, "SHA512withRSA", BaseAlgorithm.RSA);
addMnemonic("RSASHA512", DNSSEC.Algorithm.RSASHA512); addMnemonic("RSASHA512", DNSSEC.Algorithm.RSASHA512);
// ECC-GOST is not supported by Java 1.8's Sun crypto provider. The // ECC-GOST is not supported by Java 1.8's Sun crypto provider. The
// bouncycastle.org provider, however, does support it. // bouncycastle.org provider, however, does support it.
// GostR3410-2001-CryptoPro-A is the named curve in the BC provider, but we // GostR3410-2001-CryptoPro-A is the named curve in the BC provider, but we
// will get the parameters directly. // will get the parameters directly.
addAlgorithm(DNSSEC.Algorithm.ECC_GOST, "GOST3411withECGOST3410", ECC_GOST, null); addAlgorithm(DNSSEC.Algorithm.ECC_GOST, "GOST3411withECGOST3410", BaseAlgorithm.ECC_GOST, null);
addMnemonic("ECCGOST", DNSSEC.Algorithm.ECC_GOST); addMnemonic("ECCGOST", DNSSEC.Algorithm.ECC_GOST);
addMnemonic("ECC-GOST", DNSSEC.Algorithm.ECC_GOST); addMnemonic("ECC-GOST", DNSSEC.Algorithm.ECC_GOST);
addAlgorithm(DNSSEC.Algorithm.ECDSAP256SHA256, "SHA256withECDSA", ECDSA, "secp256r1"); addAlgorithm(DNSSEC.Algorithm.ECDSAP256SHA256, "SHA256withECDSA", BaseAlgorithm.ECDSA, "secp256r1");
addMnemonic("ECDSAP256SHA256", DNSSEC.Algorithm.ECDSAP256SHA256); addMnemonic("ECDSAP256SHA256", DNSSEC.Algorithm.ECDSAP256SHA256);
addMnemonic("ECDSA-P256", DNSSEC.Algorithm.ECDSAP256SHA256); addMnemonic("ECDSA-P256", DNSSEC.Algorithm.ECDSAP256SHA256);
addAlgorithm(DNSSEC.Algorithm.ECDSAP384SHA384, "SHA384withECDSA", ECDSA, "secp384r1"); addAlgorithm(DNSSEC.Algorithm.ECDSAP384SHA384, "SHA384withECDSA", BaseAlgorithm.ECDSA, "secp384r1");
addMnemonic("ECDSAP384SHA384", DNSSEC.Algorithm.ECDSAP384SHA384); addMnemonic("ECDSAP384SHA384", DNSSEC.Algorithm.ECDSAP384SHA384);
addMnemonic("ECDSA-P384", DNSSEC.Algorithm.ECDSAP384SHA384); addMnemonic("ECDSA-P384", DNSSEC.Algorithm.ECDSAP384SHA384);
@ -219,16 +222,16 @@ public class DnsKeyAlgorithm {
// provider or bouncycastle. It is added by the Ed25519-Java // provider or bouncycastle. It is added by the Ed25519-Java
// library. We don't have a corresponding constant in // library. We don't have a corresponding constant in
// org.xbill.DNS.DNSSEC yet, though. // org.xbill.DNS.DNSSEC yet, though.
addAlgorithm(15, "NONEwithEdDSA", EDDSA, "Ed25519"); addAlgorithm(15, "NONEwithEdDSA", BaseAlgorithm.EDDSA, "Ed25519");
addMnemonic("ED25519", 15); addMnemonic("ED25519", 15);
} }
private void addAlgorithm(int algorithm, String sigName, int baseType) { private void addAlgorithm(int algorithm, String sigName, BaseAlgorithm baseType) {
mAlgorithmMap.put(algorithm, new AlgEntry(algorithm, sigName, baseType)); mAlgorithmMap.put(algorithm, new AlgEntry(algorithm, sigName, baseType));
} }
private void addAlgorithm(int algorithm, String sigName, int baseType, String curveName) { private void addAlgorithm(int algorithm, String sigName, BaseAlgorithm baseType, String curveName) {
if (baseType == ECDSA) { if (baseType == BaseAlgorithm.ECDSA) {
ECParameterSpec ecSpec = ECSpecFromAlgorithm(algorithm); ECParameterSpec ecSpec = ECSpecFromAlgorithm(algorithm);
if (ecSpec == null) if (ecSpec == null)
ecSpec = ECSpecFromName(curveName); ecSpec = ECSpecFromName(curveName);
@ -246,7 +249,7 @@ public class DnsKeyAlgorithm {
} }
ECAlgEntry entry = new ECAlgEntry(algorithm, sigName, baseType, ecSpec); ECAlgEntry entry = new ECAlgEntry(algorithm, sigName, baseType, ecSpec);
mAlgorithmMap.put(algorithm, entry); mAlgorithmMap.put(algorithm, entry);
} else if (baseType == EDDSA) { } else if (baseType == BaseAlgorithm.EDDSA) {
EdDSAParameterSpec edSpec = EdDSASpecFromName(curveName); EdDSAParameterSpec edSpec = EdDSASpecFromName(curveName);
if (edSpec == null) if (edSpec == null)
return; return;
@ -304,16 +307,16 @@ public class DnsKeyAlgorithm {
// the ECC-GOST curve. // the ECC-GOST curve.
private ECParameterSpec ECSpecFromAlgorithm(int algorithm) { private ECParameterSpec ECSpecFromAlgorithm(int algorithm) {
if (algorithm == DNSSEC.Algorithm.ECC_GOST) { if (algorithm == DNSSEC.Algorithm.ECC_GOST) {
// From RFC 4357 Section 11.4 // From RFC 4357 Section 11.4
BigInteger p = new BigInteger("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD97", 16); BigInteger p = new BigInteger("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD97", 16);
BigInteger a = new BigInteger("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD94", 16); BigInteger a = new BigInteger("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD94", 16);
BigInteger b = new BigInteger("A6", 16); BigInteger b = new BigInteger("A6", 16);
BigInteger gx = new BigInteger("1", 16); BigInteger gx = new BigInteger("1", 16);
BigInteger gy = new BigInteger("8D91E471E0989CDA27DF505A453F2B7635294F2DDF23E3B122ACC99C9E9F1E14", 16); BigInteger gy = new BigInteger("8D91E471E0989CDA27DF505A453F2B7635294F2DDF23E3B122ACC99C9E9F1E14", 16);
BigInteger n = new BigInteger("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6C611070995AD10045841B09B761B893", 16); BigInteger n = new BigInteger("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6C611070995AD10045841B09B761B893", 16);
EllipticCurve curve = new EllipticCurve(new ECFieldFp(p), a, b); EllipticCurve curve = new EllipticCurve(new ECFieldFp(p), a, b);
return new ECParameterSpec(curve, new ECPoint(gx, gy), n, 1); return new ECParameterSpec(curve, new ECPoint(gx, gy), n, 1);
} }
return null; return null;
} }
@ -482,15 +485,15 @@ public class DnsKeyAlgorithm {
return mIdToMnemonicMap.get(algorithm); return mIdToMnemonicMap.get(algorithm);
} }
public int baseType(int algorithm) { public BaseAlgorithm baseType(int algorithm) {
AlgEntry entry = getEntry(algorithm); AlgEntry entry = getEntry(algorithm);
if (entry != null) if (entry != null)
return entry.baseType; return entry.baseType;
return UNKNOWN; return BaseAlgorithm.UNKNOWN;
} }
public boolean isDSA(int algorithm) { public boolean isDSA(int algorithm) {
return (baseType(algorithm) == DSA); return (baseType(algorithm) == BaseAlgorithm.DSA);
} }
public KeyPair generateKeyPair(int algorithm, int keysize, boolean useLargeExp) public KeyPair generateKeyPair(int algorithm, int keysize, boolean useLargeExp)

View File

@ -102,7 +102,7 @@ public class DnsKeyConverter {
} }
// do not rely on DNSJava's method for EdDSA for now. // do not rely on DNSJava's method for EdDSA for now.
if (mAlgorithms.baseType(originalAlgorithm) == DnsKeyAlgorithm.EDDSA) { if (mAlgorithms.baseType(originalAlgorithm) == DnsKeyAlgorithm.BaseAlgorithm.EDDSA) {
try { try {
return parseEdDSADNSKEYRecord(pKeyRecord); return parseEdDSADNSKEYRecord(pKeyRecord);
} catch (InvalidKeySpecException e) { } catch (InvalidKeySpecException e) {
@ -140,7 +140,7 @@ public class DnsKeyConverter {
public DNSKEYRecord generateDNSKEYRecord(Name name, int dclass, long ttl, public DNSKEYRecord generateDNSKEYRecord(Name name, int dclass, long ttl,
int flags, int alg, PublicKey key) { int flags, int alg, PublicKey key) {
try { try {
if (mAlgorithms.baseType(alg) == DnsKeyAlgorithm.EDDSA) { if (mAlgorithms.baseType(alg) == DnsKeyAlgorithm.BaseAlgorithm.EDDSA) {
return generateEdDSADNSKEYRecord(name, dclass, ttl, flags, alg, key); return generateEdDSADNSKEYRecord(name, dclass, ttl, flags, alg, key);
} }
return new DNSKEYRecord(name, dclass, ttl, flags, DNSKEYRecord.Protocol.DNSSEC, alg, return new DNSKEYRecord(name, dclass, ttl, flags, DNSKEYRecord.Protocol.DNSSEC, alg,
@ -168,9 +168,9 @@ public class DnsKeyConverter {
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(key); PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(key);
try { try {
switch (mAlgorithms.baseType(algorithm)) { switch (mAlgorithms.baseType(algorithm)) {
case DnsKeyAlgorithm.RSA: case RSA:
return mRSAKeyFactory.generatePrivate(spec); return mRSAKeyFactory.generatePrivate(spec);
case DnsKeyAlgorithm.DSA: case DSA:
return mDSAKeyFactory.generatePrivate(spec); return mDSAKeyFactory.generatePrivate(spec);
default: default:
return null; return null;
@ -225,17 +225,17 @@ public class DnsKeyConverter {
int alg = parseInt(val, -1); int alg = parseInt(val, -1);
switch (mAlgorithms.baseType(alg)) { switch (mAlgorithms.baseType(alg)) {
case DnsKeyAlgorithm.RSA: case RSA:
return parsePrivateRSA(lines); return parsePrivateRSA(lines);
case DnsKeyAlgorithm.DSA: case DSA:
return parsePrivateDSA(lines); return parsePrivateDSA(lines);
case DnsKeyAlgorithm.DH: case DH:
return parsePrivateDH(lines); return parsePrivateDH(lines);
case DnsKeyAlgorithm.ECC_GOST: case ECC_GOST:
return parsePrivateECDSA(lines, alg); return parsePrivateECDSA(lines, alg);
case DnsKeyAlgorithm.ECDSA: case ECDSA:
return parsePrivateECDSA(lines, alg); return parsePrivateECDSA(lines, alg);
case DnsKeyAlgorithm.EDDSA: case EDDSA:
return parsePrivateEdDSA(lines, alg); return parsePrivateEdDSA(lines, alg);
default: default:
throw new IOException("unsupported private key algorithm: " + val); throw new IOException("unsupported private key algorithm: " + val);

View File

@ -241,7 +241,7 @@ public class DnsSecVerifier {
byte[] sig = sigrec.getSignature(); byte[] sig = sigrec.getSignature();
if (algs.baseType(sigrec.getAlgorithm()) == DnsKeyAlgorithm.DSA) { if (algs.baseType(sigrec.getAlgorithm()) == DnsKeyAlgorithm.BaseAlgorithm.DSA) {
sig = SignUtils.convertDSASignature(sig); sig = SignUtils.convertDSASignature(sig);
} }

View File

@ -184,7 +184,7 @@ public class JCEDnsSecSigner {
DnsKeyAlgorithm algs = DnsKeyAlgorithm.getInstance(); DnsKeyAlgorithm algs = DnsKeyAlgorithm.getInstance();
// Convert to RFC 2536 format, if necessary. // Convert to RFC 2536 format, if necessary.
if (algs.baseType(pair.getDNSKEYAlgorithm()) == DnsKeyAlgorithm.DSA) { if (algs.baseType(pair.getDNSKEYAlgorithm()) == DnsKeyAlgorithm.BaseAlgorithm.DSA) {
DSAPublicKey pk = (DSAPublicKey) pair.getPublic(); DSAPublicKey pk = (DSAPublicKey) pair.getPublic();
sig = SignUtils.convertDSASignature(pk.getParams(), sig); sig = SignUtils.convertDSASignature(pk.getParams(), sig);
} }