diff --git a/src/main/java/com/verisignlabs/dnssec/security/SignUtils.java b/src/main/java/com/verisignlabs/dnssec/security/SignUtils.java index 384ee2c..2f4d46e 100644 --- a/src/main/java/com/verisignlabs/dnssec/security/SignUtils.java +++ b/src/main/java/com/verisignlabs/dnssec/security/SignUtils.java @@ -77,28 +77,25 @@ public class SignUtils { log = v; } + private SignUtils() { + } + /** * Generate from some basic information a prototype RRSIG RR containing * everything but the actual signature itself. - * - * @param rrset - * the RRset being signed. - * @param key - * the public DNSKEY RR counterpart to the key being used to sign - * the - * RRset - * @param start - * the RRSIG inception time. - * @param expire - * the RRSIG expiration time. - * @param sig_ttl - * the TTL of the resulting RRSIG record. - * + * + * @param rrset the RRset being signed. + * @param key the public DNSKEY RR counterpart to the key being used to sign + * the RRset + * @param start the RRSIG inception time. + * @param expire the RRSIG expiration time. + * @param sigTTL the TTL of the resulting RRSIG record. + * * @return a prototype signature based on the RRset and key information. */ public static RRSIGRecord generatePreRRSIG(RRset rrset, DNSKEYRecord key, Instant start, - Instant expire, long sig_ttl) { - return new RRSIGRecord(rrset.getName(), rrset.getDClass(), sig_ttl, rrset.getType(), + Instant expire, long sigTTL) { + return new RRSIGRecord(rrset.getName(), rrset.getDClass(), sigTTL, rrset.getType(), key.getAlgorithm(), (int) rrset.getTTL(), expire, start, key.getFootprint(), key.getName(), null); } 
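Review bot: The `(int) rrset.getTTL()` passed as the original TTL in generatePreRRSIG truncates any TTL above Integer.MAX_VALUE, although a DNS TTL is a 32-bit unsigned value; the Record overload in the next hunk (-106) passes `rec.getTTL()` uncast to the same constructor position, so the cast is unnecessary as well as lossy, and the line can become `key.getAlgorithm(), rrset.getTTL(), expire, start, key.getFootprint(),`. The same narrowing appears in generatePreSigRdata in the hunk at -151, `image.writeU32((int) presig.getOrigTTL())`, where a negative int is presumably widened back to a long before DNSOutput range-checks it — worth confirming and dropping that cast as well.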
@@ -106,43 +103,36 @@ public class SignUtils { /** * Generate from some basic information a prototype RRSIG RR containing * everything but the actual signature itself. - * - * @param rec - * the DNS record being signed (forming an entire RRset). - * @param key - * the public DNSKEY RR counterpart to the key signing the - * record. - * @param start - * the RRSIG inception time. - * @param expire - * the RRSIG expiration time. - * @param sig_ttl - * the TTL of the result RRSIG record. - * + * + * @param rec the DNS record being signed (forming an entire RRset). + * @param key the public DNSKEY RR counterpart to the key signing the record. + * @param start the RRSIG inception time. + * @param expire the RRSIG expiration time. + * @param sigTTL the TTL of the result RRSIG record. + * * @return a prototype signature based on the Record and key information. */ public static RRSIGRecord generatePreRRSIG(Record rec, DNSKEYRecord key, Instant start, - Instant expire, long sig_ttl) { - return new RRSIGRecord(rec.getName(), rec.getDClass(), sig_ttl, rec.getType(), + Instant expire, long sigTTL) { + return new RRSIGRecord(rec.getName(), rec.getDClass(), sigTTL, rec.getType(), key.getAlgorithm(), rec.getTTL(), expire, start, key.getFootprint(), key.getName(), null); } /** * Generate the binary image of the prototype RRSIG RR. - * - * @param presig - * the RRSIG RR prototype. + * + * @param presig the RRSIG RR prototype. * @return the RDATA portion of the prototype RRSIG record. This forms the * first part of the data to be signed. 
*/ private static byte[] generatePreSigRdata(RRSIGRecord presig) { - // Generate the binary image; + // Generate the binary image DNSOutput image = new DNSOutput(); // precalc some things - long start_time = presig.getTimeSigned().getEpochSecond(); - long expire_time = presig.getExpire().getEpochSecond(); + long startTime = presig.getTimeSigned().getEpochSecond(); + long expireTime = presig.getExpire().getEpochSecond(); Name signer = presig.getSigner(); // first write out the partial SIG record (this is the SIG RDATA @@ -151,8 +141,8 @@ public class SignUtils { image.writeU8(presig.getAlgorithm()); image.writeU8(presig.getLabels()); image.writeU32((int) presig.getOrigTTL()); - image.writeU32(expire_time); - image.writeU32(start_time); + image.writeU32(expireTime); + image.writeU32(startTime); image.writeU16(presig.getFootprint()); image.writeByteArray(signer.toWireCanonical()); @@ -161,15 +151,12 @@ public class SignUtils { /** * Calculate the canonical wire line format of the RRset. - * - * @param rrset - * the RRset to convert. - * @param ttl - * the TTL to use when canonicalizing -- this is generally the - * TTL of the signature if there is a pre-existing signature. If - * not it is just the ttl of the rrset itself. - * @param labels - * the labels field of the signature, or 0. + * + * @param rrset the RRset to convert. + * @param ttl the TTL to use when canonicalizing -- this is generally the TTL + * of the signature if there is a pre-existing signature. If not + * it is just the ttl of the rrset itself. + * @param labels the labels field of the signature, or 0. * @return the canonical wire line format of the rrset. This is the second * part of data to be signed. */ 
@@ -196,7 +183,7 @@ public class SignUtils { // now convert the wire format records in the RRset into a // list of byte arrays. - ArrayList canonical_rrs = new ArrayList(); + ArrayList canonicalRRs = new ArrayList<>(); for (Record r : rrset.rrs()) { if (r.getTTL() != ttl || wildcardName) { // If necessary, we need to create a new record with a new ttl @@ -205,8 +192,8 @@ public class SignUtils { // response. r = Record.newRecord(n, r.getType(), r.getDClass(), ttl, r.rdataToWireCanonical()); } - byte[] wire_fmt = r.toWireCanonical(); - canonical_rrs.add(wire_fmt); + byte[] wireFmt = r.toWireCanonical(); + canonicalRRs.add(wireFmt); } // put the records into the correct ordering. @@ -216,9 +203,9 @@ public class SignUtils { int offset = rrset.getName().toWireCanonical().length + 10; ByteArrayComparator bac = new ByteArrayComparator(offset, false); - Collections.sort(canonical_rrs, bac); + Collections.sort(canonicalRRs, bac); - for (byte[] wire_fmt_rec : canonical_rrs) { + for (byte[] wire_fmt_rec : canonicalRRs) { image.writeByteArray(wire_fmt_rec); } 
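Review bot: `ArrayList canonicalRRs = new ArrayList<>();` keeps the raw type on the left, so the diamond infers `Object` and the later `Collections.sort(canonicalRRs, bac)` in the hunk at -216 still compiles only as an unchecked raw call; declaring it as `List<byte[]> canonicalRRs = new ArrayList<>();` gives the element type the loop already assumes (`for (byte[] wire_fmt_rec : canonicalRRs)`), assuming ByteArrayComparator implements Comparator<byte[]>. That loop variable `wire_fmt_rec` was also missed by the snake_case-to-camelCase rename the commit otherwise applies. The same raw-type-plus-diamond pattern recurs in assembleIntoRRsets (`ArrayList rrsets = new ArrayList<>();`) and NodeInfo (`this.typemap = new HashSet<>();`) in the hunks at -652 and -702.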
@@ -228,44 +215,38 @@ public class SignUtils { /** * Given an RRset and the prototype signature, generate the canonical data * that is to be signed. - * - * @param rrset - * the RRset to be signed. - * @param presig - * a prototype SIG RR created using the same RRset. + * + * @param rrset the RRset to be signed. + * @param presig a prototype SIG RR created using the same RRset. * @return a block of data ready to be signed. */ public static byte[] generateSigData(RRset rrset, RRSIGRecord presig) throws IOException { - byte[] rrset_data = generateCanonicalRRsetData(rrset, presig.getOrigTTL(), + byte[] rrsetData = generateCanonicalRRsetData(rrset, presig.getOrigTTL(), presig.getLabels()); - return generateSigData(rrset_data, presig); + return generateSigData(rrsetData, presig); } /** * Given an RRset and the prototype signature, generate the canonical data * that is to be signed. - * - * @param rrset_data - * the RRset converted into canonical wire line format (as per - * the - * canonicalization rules in RFC 2535). - * @param presig - * the prototype signature based on the same RRset represented - * in - * rrset_data. + * + * @param rrsetData the RRset converted into canonical wire line format (as + * per the canonicalization rules in RFC 2535). + * @param presig the prototype signature based on the same RRset represented + * in rrset_data. * @return a block of data ready to be signed. 
*/ - public static byte[] generateSigData(byte[] rrset_data, RRSIGRecord presig) + public static byte[] generateSigData(byte[] rrsetData, RRSIGRecord presig) throws IOException { - byte[] sig_rdata = generatePreSigRdata(presig); + byte[] sigRdata = generatePreSigRdata(presig); - ByteArrayOutputStream image = new ByteArrayOutputStream(sig_rdata.length - + rrset_data.length); + ByteArrayOutputStream image = new ByteArrayOutputStream(sigRdata.length + + rrsetData.length); - image.write(sig_rdata); - image.write(rrset_data); + image.write(sigRdata); + image.write(rrsetData); return image.toByteArray(); } @@ -273,11 +254,9 @@ public class SignUtils { /** * Given the actual signature and the prototype signature, combine them and * return the fully formed RRSIGRecord. - * - * @param signature - * the cryptographic signature, in DNSSEC format. - * @param presig - * the prototype RRSIG RR to add the signature to. + * + * @param signature the cryptographic signature, in DNSSEC format. + * @param presig the prototype RRSIG RR to add the signature to. * @return the fully formed RRSIG RR. */ public static RRSIGRecord generateRRSIG(byte[] signature, RRSIGRecord presig) { @@ -291,61 +270,58 @@ public class SignUtils { /** * Converts from a RFC 2536 formatted DSA signature to a JCE (ASN.1) formatted * signature. - * + * *
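Review bot: The reflowed Javadoc for generateSigData still says `in rrset_data` while the parameter was renamed to rrsetData, so the `@param presig` text no longer matches the signature; it should read `the prototype signature based on the same RRset represented in rrsetData`. Other comments left behind by the rename: `// (r_pad is negative here, remember?)` and `// (s_pad is negative here)` in the hunk at -398, `the caller must maintain the last_cut parameter` in the recordSecType Javadoc in the hunk at -549, and `// So we move current_node to last_node and generate a new current node.` in generateNSEC3Records in the hunk at -858.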

* ASN.1 format = ASN1_SEQ . seq_length . ASN1_INT . Rlength . R . ANS1_INT . * Slength . S *

- * + * * The integers R and S may have a leading null byte to force the integer * positive. - * - * @param signature - * the RFC 2536 formatted DSA signature. + * + * @param signature the RFC 2536 formatted DSA signature. * @return The ASN.1 formatted DSA signature. - * @throws SignatureException - * if there was something wrong with the RFC 2536 - * formatted - * signature. + * @throws SignatureException if there was something wrong with the RFC 2536 + * formatted signature. */ public static byte[] convertDSASignature(byte[] signature) throws SignatureException { if (signature.length != 41) throw new SignatureException("RFC 2536 signature not expected length."); - byte r_pad = 0; - byte s_pad = 0; + byte rPad = 0; + byte sPad = 0; // handle initial null byte padding. if (signature[1] < 0) - r_pad++; + rPad++; if (signature[21] < 0) - s_pad++; + sPad++; // ASN.1 length = R length + S length + (2 + 2 + 2), where each 2 // is for a ASN.1 type-length byte pair of which there are three // (SEQ, INT, INT). - byte sig_length = (byte) (40 + r_pad + s_pad + 6); + byte sigLength = (byte) (40 + rPad + sPad + 6); - byte sig[] = new byte[sig_length]; + byte[] sig = new byte[sigLength]; byte pos = 0; sig[pos++] = ASN1_SEQ; - sig[pos++] = (byte) (sig_length - 2); // all but the SEQ type+length. + sig[pos++] = (byte) (sigLength - 2); // all but the SEQ type+length. sig[pos++] = ASN1_INT; - sig[pos++] = (byte) (20 + r_pad); + sig[pos++] = (byte) (20 + rPad); // copy the value of R, leaving a null byte if necessary - if (r_pad == 1) + if (rPad == 1) sig[pos++] = 0; System.arraycopy(signature, 1, sig, pos, 20); pos += 20; sig[pos++] = ASN1_INT; - sig[pos++] = (byte) (20 + s_pad); + sig[pos++] = (byte) (20 + sPad); // copy the value of S, leaving a null byte if necessary - if (s_pad == 1) + if (sPad == 1) sig[pos++] = 0; System.arraycopy(signature, 21, sig, pos, 20); 
@@ -356,24 +332,20 @@ public class SignUtils { /** * Converts from a JCE (ASN.1) formatted DSA signature to a RFC 2536 compliant * signature. - * + * *

* rfc2536 format = T . R . S *

- * + * * where T is a number between 0 and 8, which is based on the DSA key length, * and R & S are formatted to be exactly 20 bytes each (no leading null * bytes). - * - * @param params - * the DSA parameters associated with the DSA key used to - * generate - * the signature. - * @param signature - * the ASN.1 formatted DSA signature. + * + * @param params the DSA parameters associated with the DSA key used to + * generate the signature. + * @param signature the ASN.1 formatted DSA signature. * @return a RFC 2536 formatted DSA signature. - * @throws SignatureException - * if something is wrong with the ASN.1 format. + * @throws SignatureException if something is wrong with the ASN.1 format. */ public static byte[] convertDSASignature(DSAParams params, byte[] signature) throws SignatureException { @@ -381,16 +353,16 @@ public class SignUtils { throw new SignatureException("Invalid ASN.1 signature format: expected SEQ, INT"); } - byte r_pad = (byte) (signature[3] - 20); + byte rPad = (byte) (signature[3] - 20); - if (signature[24 + r_pad] != ASN1_INT) { + if (signature[24 + rPad] != ASN1_INT) { throw new SignatureException( "Invalid ASN.1 signature format: expected SEQ, INT, INT"); } log.finer("(start) ASN.1 DSA Sig:\n" + base64.toString(signature)); - byte s_pad = (byte) (signature[25 + r_pad] - 20); + byte sPad = (byte) (signature[25 + rPad] - 20); byte[] sig = new byte[41]; // all rfc2536 signatures are 41 bytes. 
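Review bot: `rPad` and `sPad` are taken from the encoded length bytes `signature[3]` and `signature[25 + rPad]` and then used as indices without any check against `signature.length`, so a truncated or malformed ASN.1 blob fails with ArrayIndexOutOfBoundsException at `signature[24 + rPad]` or in the later copies rather than with the SignatureException the Javadoc promises; a length byte of 0x80 or more reads as a negative byte, pushes rPad far below -20 and turns into a negative index. Two guards close this: `if (rPad < -20 || signature.length < 26 + rPad) throw new SignatureException("Invalid ASN.1 signature format: truncated");` before the `signature[24 + rPad]` test, and `if (sPad < -20 || signature.length < 46 + rPad + sPad) throw new SignatureException("Invalid ASN.1 signature format: truncated");` once sPad is computed. The method starts before this hunk and its body continues in the next one, where the arraycopy calls consume these values.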
@@ -398,26 +370,26 @@ public class SignUtils { sig[0] = (byte) ((params.getP().bitLength() - 512) / 64); // copy R value - if (r_pad >= 0) { - System.arraycopy(signature, 4 + r_pad, sig, 1, 20); + if (rPad >= 0) { + System.arraycopy(signature, 4 + rPad, sig, 1, 20); } else { // R is shorter than 20 bytes, so right justify the number // (r_pad is negative here, remember?). - Arrays.fill(sig, 1, 1 - r_pad, (byte) 0); - System.arraycopy(signature, 4, sig, 1 - r_pad, 20 + r_pad); + Arrays.fill(sig, 1, 1 - rPad, (byte) 0); + System.arraycopy(signature, 4, sig, 1 - rPad, 20 + rPad); } // copy S value - if (s_pad >= 0) { - System.arraycopy(signature, 26 + r_pad + s_pad, sig, 21, 20); + if (sPad >= 0) { + System.arraycopy(signature, 26 + rPad + sPad, sig, 21, 20); } else { // S is shorter than 20 bytes, so right justify the number // (s_pad is negative here). - Arrays.fill(sig, 21, 21 - s_pad, (byte) 0); - System.arraycopy(signature, 26 + r_pad, sig, 21 - s_pad, 20 + s_pad); + Arrays.fill(sig, 21, 21 - sPad, (byte) 0); + System.arraycopy(signature, 26 + rPad, sig, 21 - sPad, 20 + sPad); } - if (r_pad < 0 || s_pad < 0) { + if (rPad < 0 || sPad < 0) { log.finer("(finish ***) RFC 2536 DSA Sig:\n" + base64.toString(sig)); } else { 
@@ -444,103 +416,107 @@ public class SignUtils { /** * Convert a JCE standard ECDSA signature (which is a ASN.1 encoding) into a * standard DNS signature. - * + * * The format of the ASN.1 signature is - * + * * ASN1_SEQ . seq_length . ASN1_INT . r_length . R . ANS1_INT . s_length . S - * + * * where R and S may have a leading zero byte if without it the values would * be negative. * * The format of the DNSSEC signature is just R . S where R and S are both * exactly "length" bytes. - * - * @param signature - * The output of a ECDSA signature object. + * + * @param signature The output of a ECDSA signature object. * @return signature data formatted for use in DNSSEC. * @throws SignatureException if the ASN.1 encoding appears to be corrupt. */ public static byte[] convertECDSASignature(int algorithm, byte[] signature) throws SignatureException { - int exp_length = ecdsaLength(algorithm); - byte[] sig = new byte[exp_length * 2]; + int expLength = ecdsaLength(algorithm); + byte[] sig = new byte[expLength * 2]; if (signature[0] != ASN1_SEQ || signature[2] != ASN1_INT) { throw new SignatureException("Invalid ASN.1 signature format: expected SEQ, INT"); } - int r_len = signature[3]; - int r_pos = 4; + int rLen = signature[3]; + int rPos = 4; - if (signature[r_pos + r_len] != ASN1_INT) { + if (signature[rPos + rLen] != ASN1_INT) { throw new SignatureException("Invalid ASN.1 signature format: expected SEQ, INT, INT"); } - int s_pos = r_pos + r_len + 2; - int s_len = signature[r_pos + r_len + 1]; + int sPos = rPos + rLen + 2; + int sLen = signature[rPos + rLen + 1]; // Adjust for leading zeros on both R and S - if (signature[r_pos] == 0) { - r_pos++; - r_len--; + if (signature[rPos] == 0) { + rPos++; + rLen--; } - if (signature[s_pos] == 0) { - s_pos++; - s_len--; + if (signature[sPos] == 0) { + sPos++; + sLen--; } - System.arraycopy(signature, r_pos, sig, 0 + (exp_length - r_len), r_len); - System.arraycopy(signature, s_pos, sig, exp_length + (exp_length - s_len), s_len); + 
System.arraycopy(signature, rPos, sig, 0 + (expLength - rLen), rLen); + System.arraycopy(signature, sPos, sig, expLength + (expLength - sLen), sLen); return sig; } /** - * Convert a DNS standard ECDSA signature (defined in RFC 6605) into a - * JCE standard ECDSA signature, which is encoded in ASN.1. - * + * Convert a DNS standard ECDSA signature (defined in RFC 6605) into a JCE + * standard ECDSA signature, which is encoded in ASN.1. + * * The format of the ASN.1 signature is - * + * * ASN1_SEQ . seq_length . ASN1_INT . r_length . R . ANS1_INT . s_length . S - * + * * where R and S may have a leading zero byte if without it the values would * be negative. * * The format of the DNSSEC signature is just R . S where R and S are both * exactly "length" bytes. - * - * @param signature - * The binary signature data from an RRSIG record. + * + * @param signature The binary signature data from an RRSIG record. * @return signature data that may be used in a JCE Signature object for * verification purposes. 
*/ public static byte[] convertECDSASignature(byte[] signature) { - byte r_src_pos, r_src_len, r_pad, s_src_pos, s_src_len, s_pad, len; + byte rSrcPos; + byte rSrcLen; + byte rPad; + byte sSrcPos; + byte sSrcLen; + byte sPad; + byte len; - r_src_len = s_src_len = (byte) (signature.length / 2); - r_src_pos = 0; - r_pad = 0; - s_src_pos = (byte) (r_src_pos + r_src_len); - s_pad = 0; - len = (byte) (6 + r_src_len + s_src_len); + rSrcLen = sSrcLen = (byte) (signature.length / 2); + rSrcPos = 0; + rPad = 0; + sSrcPos = (byte) (rSrcPos + rSrcLen); + sPad = 0; + len = (byte) (6 + rSrcLen + sSrcLen); // leading zeroes are forbidden - while (signature[r_src_pos] == 0 && r_src_len > 0) { - r_src_pos++; - r_src_len--; + while (signature[rSrcPos] == 0 && rSrcLen > 0) { + rSrcPos++; + rSrcLen--; len--; } - while (signature[s_src_pos] == 0 && s_src_len > 0) { - s_src_pos++; - s_src_len--; + while (signature[sSrcPos] == 0 && sSrcLen > 0) { + sSrcPos++; + sSrcLen--; len--; } // except when they are mandatory - if (r_src_len > 0 && signature[r_src_pos] < 0) { - r_pad = 1; + if (rSrcLen > 0 && signature[rSrcPos] < 0) { + rPad = 1; len++; } - if (s_src_len > 0 && signature[s_src_pos] < 0) { - s_pad = 1; + if (sSrcLen > 0 && signature[sSrcPos] < 0) { + sPad = 1; len++; } byte[] sig = new byte[len]; 
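Review bot: convertECDSASignature(int, byte[]) reads `signature[0]`, `signature[2]`, `signature[3]` and `signature[rPos + rLen]` with no check on `signature.length`, takes `rLen` and `sLen` from signed bytes (a DER length of 0x80 or more becomes negative), and never compares them with `expLength`, so a malformed input reaches `System.arraycopy` with a negative destination offset or an out-of-range source and throws IndexOutOfBoundsException instead of the SignatureException the Javadoc documents. The guards below bound each index before it is used and reject an R or S that is still longer than the curve size after the leading-zero adjustment. In the reverse converter further down the hunk the loop conditions `while (signature[sSrcPos] == 0 && sSrcLen > 0)` test the byte before the remaining count, so an all-zero S half reads one past the end of the array; swapping the operands to `while (sSrcLen > 0 && signature[sSrcPos] == 0)` (and likewise for R) fixes that. The first method's Javadoc also lacks a `@param algorithm` entry saying it selects the expected R/S length via ecdsaLength, and the second method's body continues past the end of the hunk.
```java
    if (signature.length < 6 || signature[0] != ASN1_SEQ || signature[2] != ASN1_INT) {
      throw new SignatureException("Invalid ASN.1 signature format: expected SEQ, INT");
    }

    // DER short-form lengths are single bytes: a negative value (0x80 or more) or one
    // that runs past the buffer is corrupt, not a valid R or S
    int rLen = signature[3];
    int rPos = 4;
    if (rLen <= 0 || rPos + rLen + 1 >= signature.length || signature[rPos + rLen] != ASN1_INT) {
      throw new SignatureException("Invalid ASN.1 signature format: expected SEQ, INT, INT");
    }

    int sPos = rPos + rLen + 2;
    int sLen = signature[rPos + rLen + 1];
    if (sLen <= 0 || sPos + sLen > signature.length) {
      throw new SignatureException("Invalid ASN.1 signature format: S length out of range");
    }

    // … unchanged: leading-zero adjustment of R and S …

    if (rLen > expLength || sLen > expLength) {
      throw new SignatureException("Invalid ASN.1 signature format: integer longer than curve size");
    }
    // … unchanged: arraycopy of R and S into sig, return sig …
```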
@@ -549,60 +525,56 @@ public class SignUtils { sig[pos++] = ASN1_SEQ; sig[pos++] = (byte) (len - 2); sig[pos++] = ASN1_INT; - sig[pos++] = (byte) (r_src_len + r_pad); - pos += r_pad; - System.arraycopy(signature, r_src_pos, sig, pos, r_src_len); - pos += r_src_len; + sig[pos++] = (byte) (rSrcLen + rPad); + pos += rPad; + System.arraycopy(signature, rSrcPos, sig, pos, rSrcLen); + pos += rSrcLen; sig[pos++] = ASN1_INT; - sig[pos++] = (byte) (s_src_len + s_pad); - pos += s_pad; - System.arraycopy(signature, s_src_pos, sig, pos, s_src_len); + sig[pos++] = (byte) (sSrcLen + sPad); + pos += sPad; + System.arraycopy(signature, sSrcPos, sig, pos, sSrcLen); return sig; } /** * This is a convenience routine to help us classify records/RRsets. - * + * * It characterizes a record/RRset as one of the following classes:
*
- * + * *
NORMAL
*
This record/set is properly within the zone an subject to all NXT and * SIG processing.
- * + * *
DELEGATION
*
This is a zone delegation point (or cut). It is used in NXT processing * but is not signed.
- * + * *
GLUE
*
This is a glue record and therefore not properly within the zone. It is * not included in NXT or SIG processing. Normally glue records are A records, * but this routine calls anything that is below a zone delegation glue.
- * + * *
INVALID
*
This record doesn't even belong in the zone.
- * + * *
*
- * + * * This method must be called successively on records in the canonical name * ordering, and the caller must maintain the last_cut parameter. - * - * @param zonename - * the name of the zone that is being processed. - * @param name - * the name of the record/set under consideration. - * @param type - * the type of the record/set under consideration. - * @param last_cut - * the name of the last DELEGATION record/set that was - * encountered - * while iterating over the zone in canonical order. + * + * @param zonename the name of the zone that is being processed. + * @param name the name of the record/set under consideration. + * @param type the type of the record/set under consideration. + * @param lastCut the name of the last DELEGATION record/set that was + * encountered while iterating over the zone in canonical + * order. */ - public static int recordSecType(Name zonename, Name name, int type, Name last_cut, - Name last_dname) { + public static int recordSecType(Name zonename, Name name, int type, Name lastCut, + Name lastDname) { // records not even in the zone itself are invalid. if (!name.subdomain(zonename)) return RR_INVALID; @@ -611,11 +583,11 @@ public class SignUtils { if (name.equals(zonename)) return RR_NORMAL; - if (last_cut != null && name.subdomain(last_cut)) { + if (lastCut != null && name.subdomain(lastCut)) { // if we are at the same level as a delegation point, but not one of a set of // types allowed at // a delegation point (NS, DS, NSEC), this is glue. - if (name.equals(last_cut)) { + if (name.equals(lastCut)) { if (type != Type.NS && type != Type.DS && type != Type.NXT && type != Type.NSEC) { return RR_GLUE; } @@ -628,8 +600,8 @@ public class SignUtils { } // if we are below a DNAME, then the RR is invalid. - if (last_dname != null && name.subdomain(last_dname) - && name.labels() > last_dname.labels()) { + if (lastDname != null && name.subdomain(lastDname) + && name.labels() > lastDname.labels()) { return RR_INVALID; } 
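Review bot: The rewritten recordSecType Javadoc documents zonename, name, type and lastCut but omits the fifth parameter lastDname and has no `@return`, although the method returns one of the RR_* classifications listed in the description. Adding `@param lastDname the name of the last DNAME record/set encountered while iterating in canonical order, or null` and `@return one of RR_NORMAL, RR_DELEGATION, RR_GLUE or RR_INVALID` would complete it; the hunk at -628 shows lastDname being used to flag names below a DNAME as RR_INVALID. recordSecType's body continues beyond this hunk.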
@@ -652,7 +624,7 @@ public class SignUtils { */ public static List assembleIntoRRsets(List records) { RRset rrset = new RRset(); - ArrayList rrsets = new ArrayList(); + ArrayList rrsets = new ArrayList<>(); for (Record r : records) { // First record @@ -702,7 +674,7 @@ public class SignUtils { this.type = nodeType; this.ttl = r.getTTL(); this.dclass = r.getDClass(); - this.typemap = new HashSet(); + this.typemap = new HashSet<>(); this.isSecureNode = false; this.hasOptInSpan = false; addType(r.getType()); @@ -723,7 +695,7 @@ public class SignUtils { } public String toString() { - StringBuffer sb = new StringBuffer(name.toString()); + StringBuilder sb = new StringBuilder(name.toString()); if (isSecureNode) sb.append("(S)"); if (hasOptInSpan) 
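Review bot: NodeInfo.toString() is rewritten to use StringBuilder but still carries no `@Override`, which is what lets the compiler catch a signature mismatch on an overriding method; add `@Override` on the line above `public String toString() {`. The method's body continues past the hunk.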
@@ -745,83 +717,79 @@ public class SignUtils { /** * Given a canonical (by name) ordered list of records in a zone, generate the * NSEC records in place. - * + * * Note that the list that the records are stored in must support the * listIterator.add() operation. - * - * @param zonename - * the name of the zone (used to distinguish between zone apex - * NS - * RRsets and delegations). - * @param records - * a list of {@link org.xbill.DNS.Record} objects in DNSSEC - * canonical - * order. + * + * @param zonename the name of the zone (used to distinguish between zone apex + * NS RRsets and delegations). + * @param records a list of {@link org.xbill.DNS.Record} objects in DNSSEC + * canonical order. */ public static void generateNSECRecords(Name zonename, List records) { // This works by iterating over a known sorted list of records. - NodeInfo last_node = null; - NodeInfo current_node = null; + NodeInfo lastNode = null; + NodeInfo currentNode = null; - Name last_cut = null; - Name last_dname = null; + Name lastCut = null; + Name lastDname = null; int backup; - long nsec_ttl = 0; + long nsecTTL = 0; // First find the SOA record -- it should be near the beginning -- and get // the soa minimum for (Record r : records) { if (r.getType() == Type.SOA) { SOARecord soa = (SOARecord) r; - nsec_ttl = Math.min(soa.getMinimum(), soa.getTTL()); + nsecTTL = Math.min(soa.getMinimum(), soa.getTTL()); break; } } - if (nsec_ttl == 0) { + if (nsecTTL == 0) { throw new IllegalArgumentException("Zone did not contain a SOA record"); } for (ListIterator i = records.listIterator(); i.hasNext();) { Record r = i.next(); - Name r_name = r.getName(); - int r_type = r.getType(); - int r_sectype = recordSecType(zonename, r_name, r_type, last_cut, last_dname); + Name rName = r.getName(); + int rType = r.getType(); + int rSecType = recordSecType(zonename, rName, rType, lastCut, lastDname); // skip irrelevant records - if (r_sectype == RR_INVALID || r_sectype == RR_GLUE) + if (rSecType == RR_INVALID 
|| rSecType == RR_GLUE) continue; // note our last delegation point so we can recognize glue. - if (r_sectype == RR_DELEGATION) - last_cut = r_name; + if (rSecType == RR_DELEGATION) + lastCut = rName; // if this is a DNAME, note it so we can recognize junk - if (r_type == Type.DNAME) - last_dname = r_name; + if (rType == Type.DNAME) + lastDname = rName; // first node -- initialize - if (current_node == null) { - current_node = new NodeInfo(r, r_sectype); - current_node.addType(Type.RRSIG); - current_node.addType(Type.NSEC); + if (currentNode == null) { + currentNode = new NodeInfo(r, rSecType); + currentNode.addType(Type.RRSIG); + currentNode.addType(Type.NSEC); continue; } // record name hasn't changed, so we are still on the same node. - if (r_name.equals(current_node.name)) { - current_node.addType(r_type); + if (rName.equals(currentNode.name)) { + currentNode.addType(rType); continue; } - if (last_node != null) { - NSECRecord nsec = new NSECRecord(last_node.name, last_node.dclass, nsec_ttl, - current_node.name, last_node.getTypes()); + if (lastNode != null) { + NSECRecord nsec = new NSECRecord(lastNode.name, lastNode.dclass, nsecTTL, + currentNode.name, lastNode.getTypes()); // Note: we have to add this through the iterator, otherwise // the next access via the iterator will generate a // ConcurrencyModificationException. - backup = i.nextIndex() - last_node.nsecIndex; + backup = i.nextIndex() - lastNode.nsecIndex; for (int j = 0; j < backup; j++) i.previous(); i.add(nsec); 
@@ -831,25 +799,25 @@ public class SignUtils { log.finer("Generated: " + nsec); } - last_node = current_node; + lastNode = currentNode; - current_node.nsecIndex = i.previousIndex(); - current_node = new NodeInfo(r, r_sectype); - current_node.addType(Type.RRSIG); - current_node.addType(Type.NSEC); + currentNode.nsecIndex = i.previousIndex(); + currentNode = new NodeInfo(r, rSecType); + currentNode.addType(Type.RRSIG); + currentNode.addType(Type.NSEC); } // Generate next to last NSEC - if (last_node != null) { - NSECRecord nsec = new NSECRecord(last_node.name, last_node.dclass, nsec_ttl, - current_node.name, last_node.getTypes()); - records.add(last_node.nsecIndex - 1, nsec); + if (lastNode != null) { + NSECRecord nsec = new NSECRecord(lastNode.name, lastNode.dclass, nsecTTL, + currentNode.name, lastNode.getTypes()); + records.add(lastNode.nsecIndex - 1, nsec); log.finer("Generated: " + nsec); } // Generate last NSEC - NSECRecord nsec = new NSECRecord(current_node.name, current_node.dclass, nsec_ttl, - zonename, current_node.getTypes()); + NSECRecord nsec = new NSECRecord(currentNode.name, currentNode.dclass, nsecTTL, + zonename, currentNode.getTypes()); records.add(nsec); log.finer("Generated: " + nsec); 
@@ -858,100 +826,92 @@ public class SignUtils { /** * Given a canonical (by name) ordered list of records in a zone, generate the * NSEC3 records in place. - * + * * Note that the list that the records are stored in must support the * listIterator.add() operation. - * - * @param zonename - * the name of the zone (used to distinguish between zone - * apex NS - * RRsets and delegations). - * @param records - * a list of {@link org.xbill.DNS.Record} objects in - * DNSSEC canonical - * order. - * @param salt - * The NSEC3 salt to use (may be null or empty for no - * salt). - * @param iterations - * The number of hash iterations to use. - * @param nsec3param_ttl - * The TTL to use for the generated NSEC3PARAM records - * (NSEC3 records - * will use the SOA minimum) + * + * @param zonename the name of the zone (used to distinguish between zone + * apex NS RRsets and delegations). + * @param records a list of {@link org.xbill.DNS.Record} objects in + * DNSSEC canonical order. + * @param salt The NSEC3 salt to use (may be null or empty for no + * salt). + * @param iterations The number of hash iterations to use. + * @param nsec3paramTTL The TTL to use for the generated NSEC3PARAM records + * (NSEC3 records will use the SOA minimum) * @throws NoSuchAlgorithmException */ public static void generateNSEC3Records(Name zonename, List records, - byte[] salt, int iterations, long nsec3param_ttl) + byte[] salt, int iterations, long nsec3paramTTL) throws NoSuchAlgorithmException { - List proto_nsec3s = new ArrayList(); - NodeInfo current_node = null; - NodeInfo last_node = null; + List protoNSEC3s = new ArrayList<>(); + NodeInfo currentNode = null; + NodeInfo lastNode = null; // For detecting glue. 
- Name last_cut = null; + Name lastCut = null; // For detecting junk below a DNAME - Name last_dname = null; + Name lastDname = null; - long nsec3_ttl = 0; + long nsec3TTL = 0; for (Record r : records) { - Name r_name = r.getName(); - int r_type = r.getType(); + Name rName = r.getName(); + int rType = r.getType(); // Classify this record so we know if we can skip it. - int r_sectype = recordSecType(zonename, r_name, r_type, last_cut, last_dname); + int rSecType = recordSecType(zonename, rName, rType, lastCut, lastDname); // skip irrelevant records - if (r_sectype == RR_INVALID || r_sectype == RR_GLUE) + if (rSecType == RR_INVALID || rSecType == RR_GLUE) continue; // note our last delegation point so we can recognize glue. - if (r_sectype == RR_DELEGATION) - last_cut = r_name; + if (rSecType == RR_DELEGATION) + lastCut = rName; // note our last DNAME point, so we can recognize junk. - if (r_type == Type.DNAME) - last_dname = r_name; + if (rType == Type.DNAME) + lastDname = rName; - if (r_type == Type.SOA) { + if (rType == Type.SOA) { SOARecord soa = (SOARecord) r; - nsec3_ttl = Math.min(soa.getMinimum(), soa.getTTL()); - if (nsec3param_ttl < 0) { - nsec3param_ttl = nsec3_ttl; + nsec3TTL = Math.min(soa.getMinimum(), soa.getTTL()); + if (nsec3paramTTL < 0) { + nsec3paramTTL = nsec3TTL; } } // For the first iteration, we create our current node. - if (current_node == null) { - current_node = new NodeInfo(r, r_sectype); + if (currentNode == null) { + currentNode = new NodeInfo(r, rSecType); continue; } // If we are at the same name, we are on the same node. - if (r_name.equals(current_node.name)) { - current_node.addType(r_type); + if (rName.equals(currentNode.name)) { + currentNode.addType(rType); continue; } // At this point, r represents the start of a new node. // So we move current_node to last_node and generate a new current node. // But first, we need to do something with the last node. 
- generateNSEC3ForNode(last_node, zonename, salt, iterations, false, proto_nsec3s); + generateNSEC3ForNode(lastNode, zonename, salt, iterations, false, protoNSEC3s); - last_node = current_node; - current_node = new NodeInfo(r, r_sectype); + lastNode = currentNode; + currentNode = new NodeInfo(r, rSecType); } // process last two nodes. - generateNSEC3ForNode(last_node, zonename, salt, iterations, false, proto_nsec3s); - generateNSEC3ForNode(current_node, zonename, salt, iterations, false, proto_nsec3s); + generateNSEC3ForNode(lastNode, zonename, salt, iterations, false, protoNSEC3s); + generateNSEC3ForNode(currentNode, zonename, salt, iterations, false, protoNSEC3s); - List nsec3s = finishNSEC3s(proto_nsec3s, nsec3_ttl); + List nsec3s = finishNSEC3s(protoNSEC3s, nsec3TTL); records.addAll(nsec3s); NSEC3PARAMRecord nsec3param = new NSEC3PARAMRecord(zonename, DClass.IN, - nsec3param_ttl, + nsec3paramTTL, NSEC3Record.SHA1_DIGEST_ID, (byte) 0, iterations, salt); records.add(nsec3param); 
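Review bot: generateNSEC3Records never verifies that the record loop actually met a SOA: if none is present, `nsec3TTL` stays 0 and a negative `nsec3paramTTL` is never replaced, so the bad values only surface (if at all) when finishNSEC3s and the NSEC3PARAMRecord constructor consume them, far from the cause. generateNSECRecords in the hunk at -745 rejects that case explicitly with `throw new IllegalArgumentException("Zone did not contain a SOA record");`; the same guard on `nsec3TTL == 0` after the loop, before `finishNSEC3s(protoNSEC3s, nsec3TTL)`, would keep the two generators consistent. The first `generateNSEC3ForNode(lastNode, ...)` call inside the loop runs with lastNode still null on the second node; presumably that helper tolerates null, but it is not visible here.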
@@ -963,118 +923,108 @@ public class SignUtils {
 * NSEC3 records in place using Opt-Out NSEC3 records. This means that
 * non-apex NS RRs (and glue below those delegations) will, by default, not be
 * included in the NSEC3 chain.
- *
+ *
 * Note that the list that the records are stored in must support the
 * listIterator.add() operation.
- *
- * @param zonename
- * the name of the zone (used to distinguish between zone
- * apex NS
- * RRsets and delegations).
- * @param records
- * a list of {@link org.xbill.DNS.Record} objects in
- * DNSSEC canonical
- * order.
- * @param includedNames
- * A list of {@link org.xbill.DNS.Name} objects. These
- * names will be
- * included in the NSEC3 chain (if they exist in the zone)
- * regardless.
- * @param salt
- * The NSEC3 salt to use (may be null or empty for no
- * salt).
- * @param iterations
- * The number of hash iterations to use.
- * @param nsec3param_ttl
- * The TTL to use for the generated NSEC3PARAM records
- * (NSEC3 records
- * will use the SOA minimum)
+ *
+ * @param zonename the name of the zone (used to distinguish between zone
+ * apex NS RRsets and delegations).
+ * @param records a list of {@link org.xbill.DNS.Record} objects in
+ * DNSSEC canonical order.
+ * @param includedNames A list of {@link org.xbill.DNS.Name} objects. These
+ * names will be included in the NSEC3 chain (if they
+ * exist in the zone) regardless.
+ * @param salt The NSEC3 salt to use (may be null or empty for no
+ * salt).
+ * @param iterations The number of hash iterations to use.
+ * @param nsec3paramTTL The TTL to use for the generated NSEC3PARAM records
+ * (NSEC3 records will use the SOA minimum)
 * @throws NoSuchAlgorithmException
 */
 public static void generateOptOutNSEC3Records(Name zonename, List records, List includedNames, byte[] salt,
- int iterations, long nsec3param_ttl)
+ int iterations, long nsec3paramTTL)
 throws NoSuchAlgorithmException {
- List proto_nsec3s = new ArrayList();
- NodeInfo current_node = null;
- NodeInfo last_node = null;
+ List protoNSEC3s = new ArrayList<>();
+ NodeInfo currentNode = null;
+ NodeInfo lastNode = null;
 // For detecting glue.
- Name last_cut = null;
+ Name lastCut = null;
 // For detecting out-of-zone records below a DNAME
- Name last_dname = null;
+ Name lastDname = null;
- long nsec3_ttl = 0;
+ long nsec3TTL = 0;
 HashSet includeSet = null;
 if (includedNames != null) {
- includeSet = new HashSet(includedNames);
+ includeSet = new HashSet<>(includedNames);
 }
 for (Record r : records) {
- Name r_name = r.getName();
- int r_type = r.getType();
+ Name rName = r.getName();
+ int rType = r.getType();
 // Classify this record so we know if we can skip it.
- int r_sectype = recordSecType(zonename, r_name, r_type, last_cut, last_dname);
+ int rSecType = recordSecType(zonename, rName, rType, lastCut, lastDname);
 // skip irrelevant records
- if (r_sectype == RR_INVALID || r_sectype == RR_GLUE)
+ if (rSecType == RR_INVALID || rSecType == RR_GLUE)
 continue;
 // note our last delegation point so we can recognize glue.
- if (r_sectype == RR_DELEGATION)
- last_cut = r_name;
+ if (rSecType == RR_DELEGATION)
+ lastCut = rName;
- if (r_type == Type.DNAME)
- last_dname = r_name;
+ if (rType == Type.DNAME)
+ lastDname = rName;
- if (r_type == Type.SOA) {
+ if (rType == Type.SOA) {
 SOARecord soa = (SOARecord) r;
- nsec3_ttl = Math.min(soa.getMinimum(), soa.getTTL());
- if (nsec3param_ttl < 0) {
- nsec3param_ttl = nsec3_ttl;
+ nsec3TTL = Math.min(soa.getMinimum(), soa.getTTL());
+ if (nsec3paramTTL < 0) {
+ nsec3paramTTL = nsec3TTL;
 }
 }
 // For the first iteration, we create our current node.
- if (current_node == null) {
- current_node = new NodeInfo(r, r_sectype);
+ if (currentNode == null) {
+ currentNode = new NodeInfo(r, rSecType);
 continue;
 }
 // If we are at the same name, we are on the same node.
- if (r_name.equals(current_node.name)) {
- current_node.addType(r_type);
+ if (rName.equals(currentNode.name)) {
+ currentNode.addType(rType);
 continue;
 }
- if (includeSet != null && includeSet.contains(current_node.name)) {
- current_node.isSecureNode = true;
+ if (includeSet != null && includeSet.contains(currentNode.name)) {
+ currentNode.isSecureNode = true;
 }
 // At this point, r represents the start of a new node.
 // So we move current_node to last_node and generate a new current node.
 // But first, we need to do something with the last node.
- generateNSEC3ForNode(last_node, zonename, salt, iterations, true, proto_nsec3s);
+ generateNSEC3ForNode(lastNode, zonename, salt, iterations, true, protoNSEC3s);
- if (current_node.isSecureNode) {
- last_node = current_node;
+ if (currentNode.isSecureNode) {
+ lastNode = currentNode;
 } else {
- last_node.hasOptInSpan = true;
+ lastNode.hasOptInSpan = true;
 }
- current_node = new NodeInfo(r, r_sectype);
+ currentNode = new NodeInfo(r, rSecType);
 }
 // process last two nodes.
- generateNSEC3ForNode(last_node, zonename, salt, iterations, true, proto_nsec3s);
- generateNSEC3ForNode(current_node, zonename, salt, iterations, true, proto_nsec3s);
+ generateNSEC3ForNode(lastNode, zonename, salt, iterations, true, protoNSEC3s);
+ generateNSEC3ForNode(currentNode, zonename, salt, iterations, true, protoNSEC3s);
- List nsec3s = finishNSEC3s(proto_nsec3s, nsec3_ttl);
+ List nsec3s = finishNSEC3s(protoNSEC3s, nsec3TTL);
 records.addAll(nsec3s);
 NSEC3PARAMRecord nsec3param = new NSEC3PARAMRecord(zonename, DClass.IN,
- nsec3param_ttl,
+ nsec3paramTTL,
 NSEC3Record.SHA1_DIGEST_ID, (byte) 0, iterations, salt);
 records.add(nsec3param);
@@ -1084,19 +1034,13 @@ public class SignUtils {
 * For a given node (representing all of the RRsets at a given name), generate
 * all of the necessary NSEC3 records for it. That is, generate the NSEC3 for
 * the node itself, and for any potential empty non-terminals.
- *
- * @param node
- * The node in question.
- * @param zonename
- * The zonename.
- * @param salt
- * The salt to use for the NSEC3 RRs
- * @param iterations
- * The iterations to use for the NSEC3 RRs.
- * @param optIn
- * If true, the NSEC3 will have the Opt-Out flag set.
- * @param nsec3s
- * The current list of NSEC3s -- this will be updated.
+ *
+ * @param node The node in question.
+ * @param zonename The zonename.
+ * @param salt The salt to use for the NSEC3 RRs
+ * @param iterations The iterations to use for the NSEC3 RRs.
+ * @param optIn If true, the NSEC3 will have the Opt-Out flag set.
+ * @param nsec3s The current list of NSEC3s -- this will be updated.
 * @throws NoSuchAlgorithmException
 */
 private static void generateNSEC3ForNode(NodeInfo node, Name zonename, byte[] salt,
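Review bot: generateOptOutNSEC3Records still has no guard for an empty `records` list: when the loop never runs, `lastNode` and `currentNode` stay null and both post-loop `generateNSEC3ForNode(...)` calls receive null, and whether that helper tolerates a null node is outside this hunk. The `nsec3paramTTL < 0` sentinel has the same gap — if no SOA record is seen, the negative value is passed straight into the `NSEC3PARAMRecord` constructor, which presumably rejects an out-of-range TTL. A two-line guard after the local declarations, `if (records.isEmpty()) { return; }`, covers the first case, and the javadoc for `nsec3paramTTL` should say that a negative value means "use the SOA minimum" so callers know the sentinel exists.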
@@ -1132,23 +1076,16 @@ public class SignUtils {
 /**
 * Create a "prototype" NSEC3 record. Basically, a mutable NSEC3 record.
- *
- * @param name
- * The original ownername to use.
- * @param zonename
- * The zonename to use.
- * @param ttl
- * The TTL to use.
- * @param salt
- * The salt to use.
- * @param iterations
- * The number of hash iterations to use.
- * @param optIn
- * The value of the Opt-Out flag.
- * @param types
- * The typecodes present at this name.
+ *
+ * @param name The original ownername to use.
+ * @param zonename The zonename to use.
+ * @param ttl The TTL to use.
+ * @param salt The salt to use.
+ * @param iterations The number of hash iterations to use.
+ * @param optIn The value of the Opt-Out flag.
+ * @param types The typecodes present at this name.
 * @return A mutable NSEC3 record.
- *
+ *
 * @throws NoSuchAlgorithmException
 */
 private static ProtoNSEC3 generateNSEC3(Name name, Name zonename, long ttl,
@@ -1169,62 +1106,59 @@ public class SignUtils {
 * Given a list of {@link ProtoNSEC3} object (mutable NSEC3 RRs), convert the
 * list into the set of actual {@link org.xbill.DNS.NSEC3Record} objects. This
 * will remove duplicates and finalize the records.
- *
- * @param nsec3s
- * The list of ProtoNSEC3 objects
- * @param ttl
- * The TTL to assign to the finished NSEC3 records. In general,
- * this
- * should match the SOA minimum value for the zone.
+ *
+ * @param nsec3s The list of ProtoNSEC3 objects
+ * @param ttl The TTL to assign to the finished NSEC3 records. In general,
+ * this should match the SOA minimum value for the zone.
 * @return The list of {@link org.xbill.DNS.NSEC3Record} objects.
 */
 private static List finishNSEC3s(List nsec3s, long ttl) {
 if (nsec3s == null)
- return null;
+ return new ArrayList<>();
 Collections.sort(nsec3s, new ProtoNSEC3.Comparator());
- ProtoNSEC3 prev_nsec3 = null;
- ProtoNSEC3 cur_nsec3 = null;
- byte[] first_nsec3_hash = null;
+ ProtoNSEC3 prevNSEC3 = null;
+ ProtoNSEC3 curNSEC3 = null;
+ byte[] firstNSEC3Hash = null;
 for (ListIterator i = nsec3s.listIterator(); i.hasNext();) {
- cur_nsec3 = i.next();
+ curNSEC3 = i.next();
 // check to see if cur is a duplicate (by name)
- if (prev_nsec3 != null
- && Arrays.equals(prev_nsec3.getOwner(), cur_nsec3.getOwner())) {
+ if (prevNSEC3 != null
+ && Arrays.equals(prevNSEC3.getOwner(), curNSEC3.getOwner())) {
 log.fine("found duplicate NSEC3 (by name) -- merging type maps: "
- + prev_nsec3.getTypemap() + " and " + cur_nsec3.getTypemap());
+ + prevNSEC3.getTypemap() + " and " + curNSEC3.getTypemap());
 i.remove();
- prev_nsec3.mergeTypes(cur_nsec3.getTypemap());
- log.fine("merged type map: " + prev_nsec3.getTypemap());
+ prevNSEC3.mergeTypes(curNSEC3.getTypemap());
+ log.fine("merged type map: " + prevNSEC3.getTypemap());
 continue;
 }
- byte[] next = cur_nsec3.getOwner();
+ byte[] next = curNSEC3.getOwner();
- if (prev_nsec3 == null) {
- prev_nsec3 = cur_nsec3;
- first_nsec3_hash = next;
+ if (prevNSEC3 == null) {
+ prevNSEC3 = curNSEC3;
+ firstNSEC3Hash = next;
 continue;
 }
- prev_nsec3.setNext(next);
- prev_nsec3 = cur_nsec3;
+ prevNSEC3.setNext(next);
+ prevNSEC3 = curNSEC3;
 }
 // Handle last NSEC3.
- if (prev_nsec3.getNext() == null) {
+ if (prevNSEC3.getNext() == null) {
 // if prev_nsec3's next field hasn't been set, then it is the last
 // record (i.e., all remaining records were duplicates.)
- prev_nsec3.setNext(first_nsec3_hash);
+ prevNSEC3.setNext(firstNSEC3Hash);
 } else {
 // otherwise, cur_nsec3 is the last record.
- cur_nsec3.setNext(first_nsec3_hash);
+ curNSEC3.setNext(firstNSEC3Hash);
 }
 // Convert our ProtoNSEC3s to actual (immutable) NSEC3Record objects.
- List res = new ArrayList(nsec3s.size());
+ List res = new ArrayList<>(nsec3s.size());
 for (ProtoNSEC3 p : nsec3s) {
 p.setTTL(ttl);
 res.add(p.getNSEC3Record());
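Review bot: The new `return new ArrayList<>()` handles a null `nsec3s`, but an empty list still falls through: the loop never assigns `prevNSEC3`, so the "Handle last NSEC3" step dereferences null at `prevNSEC3.getNext()`. Widening the guard to `if (nsec3s == null || nsec3s.isEmpty()) { return new ArrayList<>(); }` closes that path and keeps the caller's `records.addAll(nsec3s)` safe in both cases. The `@return` tag should also state the new contract, e.g. `@return The list of NSEC3Record objects; an empty list if nsec3s is null.`, since the old null return was presumably what callers were checking for. The tail of finishNSEC3s continues past the end of this hunk.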
@@ -1236,90 +1170,85 @@ public class SignUtils {
 /**
 * Given a canonical (by name) ordered list of records in a zone, generate the
 * NSEC records in place.
- *
+ *
 * Note that the list that the records are stored in must support the
 * listIterator.add operation.
- *
- * @param zonename
- * the name of the zone apex, used to distinguish between
- * authoritative and delegation NS RRsets.
- * @param records
- * a list of {@link org.xbill.DNS.Record}s in DNSSEC
+ *
+ * @param zonename the name of the zone apex, used to distinguish
+ * between authoritative and delegation NS RRsets.
+ * @param records a list of {@link org.xbill.DNS.Record}s in DNSSEC
 * canonical order.
- * @param includeNames
- * a list of names that should be in the NXT chain
- * regardless. This
- * may be null.
- * @param beConservative
- * if true, then Opt-In NXTs will only be generated where
- * there is
- * actually a span of insecure delegations.
+ * @param includeNames a list of names that should be in the NXT chain
+ * regardless. This may be null.
+ * @param beConservative if true, then Opt-In NXTs will only be generated
+ * where there is actually a span of insecure
+ * delegations.
 */
 public static void generateOptInNSECRecords(Name zonename, List records, List includeNames, boolean beConservative) {
 // This works by iterating over a known sorted list of records.
- NodeInfo last_node = null;
- NodeInfo current_node = null;
+ NodeInfo lastNode = null;
+ NodeInfo currentNode = null;
- Name last_cut = null;
- Name last_dname = null;
+ Name lastCut = null;
+ Name lastDname = null;
 int backup;
 HashSet includeSet = null;
 if (includeNames != null) {
- includeSet = new HashSet(includeNames);
+ includeSet = new HashSet<>(includeNames);
 }
 for (ListIterator i = records.listIterator(); i.hasNext();) {
 Record r = i.next();
- Name r_name = r.getName();
- int r_type = r.getType();
- int r_sectype = recordSecType(zonename, r_name, r_type, last_cut, last_dname);
+ Name rName = r.getName();
+ int rType = r.getType();
+ int rSecType = recordSecType(zonename, rName, rType, lastCut, lastDname);
 // skip irrelevant records
- if (r_sectype == RR_INVALID || r_sectype == RR_GLUE)
+ if (rSecType == RR_INVALID || rSecType == RR_GLUE)
 continue;
 // note our last delegation point so we can recognize glue.
- if (r_sectype == RR_DELEGATION)
- last_cut = r_name;
+ if (rSecType == RR_DELEGATION)
+ lastCut = rName;
- if (r_type == Type.DNAME)
- last_dname = r_name;
+ if (rType == Type.DNAME)
+ lastDname = rName;
 // first node -- initialize
- if (current_node == null) {
- current_node = new NodeInfo(r, r_sectype);
- current_node.addType(Type.RRSIG);
+ if (currentNode == null) {
+ currentNode = new NodeInfo(r, rSecType);
+ currentNode.addType(Type.RRSIG);
 continue;
 }
 // record name hasn't changed, so we are still on the same node.
- if (r_name.equals(current_node.name)) {
- current_node.addType(r_type);
+ if (rName.equals(currentNode.name)) {
+ currentNode.addType(rType);
 continue;
 }
 // If the name is in the set of included names, mark it as
 // secure.
- if (includeSet != null && includeSet.contains(current_node.name)) {
- current_node.isSecureNode = true;
+ if (includeSet != null && includeSet.contains(currentNode.name)) {
+ currentNode.isSecureNode = true;
 }
- if (last_node != null && current_node.isSecureNode) {
+ if (lastNode != null && currentNode.isSecureNode) {
 // generate a NSEC record.
- if (beConservative && !last_node.hasOptInSpan) {
- last_node.addType(Type.NSEC);
+ if (beConservative && !lastNode.hasOptInSpan) {
+ lastNode.addType(Type.NSEC);
 }
- NSECRecord nsec = new NSECRecord(last_node.name, last_node.dclass, last_node.ttl,
- current_node.name, last_node.getTypes());
+ NSECRecord nsec = new NSECRecord(lastNode.name, lastNode.dclass, lastNode.ttl,
+ currentNode.name, lastNode.getTypes());
 // Note: we have to add this through the iterator, otherwise
 // the next access via the iterator will generate a
 // ConcurrencyModificationException.
- backup = i.nextIndex() - last_node.nsecIndex;
+ backup = i.nextIndex() - lastNode.nsecIndex;
 for (int j = 0; j < backup; j++) i.previous();
 i.add(nsec);
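Review bot: generateOptInNSECRecords still assumes `records` is non-empty: when the loop body never runs, `currentNode` stays null and the post-loop "Generate last NSEC" step (in the next hunk) dereferences it unconditionally. A guard directly after the `includeSet` setup, `if (records.isEmpty()) { return; }`, makes the empty-zone case a no-op instead of a NullPointerException and is consistent with the null-tolerance already given to `includeNames`. The method's javadoc could also state that `records` must be non-empty and sorted, since the in-place `i.add(nsec)` depends on that ordering. The body of this method continues into the following hunk.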
@@ -1329,49 +1258,49 @@ public class SignUtils {
 log.finer("Generated: " + nsec);
 }
- if (current_node.isSecureNode) {
- last_node = current_node;
- } else if (last_node != null) {
+ if (currentNode.isSecureNode) {
+ lastNode = currentNode;
+ } else if (lastNode != null) {
 // last_node does not change -- last_node is essentially the
 // last *secure* node, and current_node is not secure.
 // However, we need to note the passing of the insecure node.
- last_node.hasOptInSpan = true;
+ lastNode.hasOptInSpan = true;
 }
- current_node.nsecIndex = i.previousIndex();
- current_node = new NodeInfo(r, r_sectype);
- current_node.addType(Type.RRSIG);
+ currentNode.nsecIndex = i.previousIndex();
+ currentNode = new NodeInfo(r, rSecType);
+ currentNode.addType(Type.RRSIG);
 }
 // Generate next to last NSEC
- if (last_node != null && current_node.isSecureNode) {
+ if (lastNode != null && currentNode.isSecureNode) {
 // generate a NSEC record.
- if (beConservative && !last_node.hasOptInSpan) {
- last_node.addType(Type.NSEC);
+ if (beConservative && !lastNode.hasOptInSpan) {
+ lastNode.addType(Type.NSEC);
 }
- NSECRecord nsec = new NSECRecord(last_node.name, last_node.dclass, last_node.ttl,
- current_node.name, last_node.getTypes());
- records.add(last_node.nsecIndex - 1, nsec);
+ NSECRecord nsec = new NSECRecord(lastNode.name, lastNode.dclass, lastNode.ttl,
+ currentNode.name, lastNode.getTypes());
+ records.add(lastNode.nsecIndex - 1, nsec);
 log.finer("Generated: " + nsec);
 }
 // Generate last NSEC
 NSECRecord nsec;
- if (current_node.isSecureNode) {
+ if (currentNode.isSecureNode) {
 if (beConservative) {
- current_node.addType(Type.NSEC);
+ currentNode.addType(Type.NSEC);
 }
- nsec = new NSECRecord(current_node.name, current_node.dclass, current_node.ttl,
- zonename, current_node.getTypes());
+ nsec = new NSECRecord(currentNode.name, currentNode.dclass, currentNode.ttl,
+ zonename, currentNode.getTypes());
 // we can just tack this on the end as we are working on the
 // last node.
 records.add(nsec);
 } else {
- nsec = new NSECRecord(last_node.name, last_node.dclass, last_node.ttl, zonename,
- last_node.getTypes());
+ nsec = new NSECRecord(lastNode.name, lastNode.dclass, lastNode.ttl, zonename,
+ lastNode.getTypes());
 // We need to tack this on after the last secure node, not the
 // end of the whole list.
- records.add(last_node.nsecIndex, nsec);
+ records.add(lastNode.nsecIndex, nsec);
 }
 log.finer("Generated: " + nsec);
@@ -1380,30 +1309,26 @@ public class SignUtils {
 /**
 * Given a zone with DNSKEY records at delegation points, convert those KEY
 * records into their corresponding DS records in place.
- *
- * @param zonename
- * the name of the zone, used to reliably distinguish the zone
- * apex
- * from other records.
- * @param records
- * a list of {@link org.xbill.DNS.Record} objects.
- * @param digest_alg
- * The digest algorithm to use.
+ *
+ * @param zonename the name of the zone, used to reliably distinguish the
+ * zone apex from other records.
+ * @param records a list of {@link org.xbill.DNS.Record} objects.
+ * @param digestAlg The digest algorithm to use.
 */
- public static void generateDSRecords(Name zonename, List records, int digest_alg) {
+ public static void generateDSRecords(Name zonename, List records, int digestAlg) {
 for (ListIterator i = records.listIterator(); i.hasNext();) {
 Record r = i.next();
 if (r == null)
 continue; // this should never be true.
- Name r_name = r.getName();
- if (r_name == null)
+ Name rName = r.getName();
+ if (rName == null)
 continue; // this should never be true.
 // Convert non-zone level KEY records into DS records.
- if (r.getType() == Type.DNSKEY && !r_name.equals(zonename)) {
- DSRecord ds = calculateDSRecord((DNSKEYRecord) r, digest_alg, r.getTTL());
+ if (r.getType() == Type.DNSKEY && !rName.equals(zonename)) {
+ DSRecord ds = calculateDSRecord((DNSKEYRecord) r, digestAlg, r.getTTL());
 i.set(ds);
 }
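Review bot: The final else-branch of "Generate last NSEC" reads `lastNode.name` without the `lastNode != null` check that both other NSEC-generation sites in this method apply, so a zone in which no node was ever marked secure would throw a NullPointerException there rather than produce a diagnostic; whether that state is reachable depends on how recordSecType and NodeInfo classify the apex, which is outside this hunk. A guard such as `if (lastNode == null) { throw new IllegalStateException("no secure node found in zone " + zonename); }` before the constructor call makes the failure explicit. Separately, the three NSEC-construction sites (in-loop, next-to-last, last) repeat the same conservative-flag-then-`new NSECRecord(...)` sequence with different insertion offsets (`nsecIndex - 1` versus `nsecIndex`); a short comment explaining why the offsets differ, or a private helper that builds the record, would make the intent easier to verify. generateOptInNSECRecords begins in the previous hunk.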
@@ -1412,15 +1337,13 @@ public class SignUtils {
 /**
 * Given a zone, remove all records that are generated.
- *
- * @param zonename
- * the name of the zone.
- * @param records
- * a list of {@link org.xbill.DNS.Record} objects.
+ *
+ * @param zonename the name of the zone.
+ * @param records a list of {@link org.xbill.DNS.Record} objects.
 */
 public static void removeGeneratedRecords(Name zonename, List records) {
 for (Iterator i = records.iterator(); i.hasNext();) {
- Record r = (Record) i.next();
+ Record r = i.next();
 if (r.getType() == Type.RRSIG || r.getType() == Type.NSEC || r.getType() == Type.NSEC3 || r.getType() == Type.NSEC3PARAM) {
@@ -1433,9 +1356,8 @@ public class SignUtils {
 * Remove duplicate records from a list of records. This routine presumes the
 * list of records is in a canonical sorted order, at least on name and RR
 * type.
- *
- * @param records
- * a list of {@link org.xbill.DNS.Record} object, in sorted
+ *
+ * @param records a list of {@link org.xbill.DNS.Record} object, in sorted
 * order.
 */
 public static void removeDuplicateRecords(List records) {
@@ -1456,18 +1378,14 @@ public class SignUtils {
 /**
 * Given a DNSKEY record, generate the DS record from it.
- *
- * @param keyrec
- * the KEY record in question.
- * @param digest_alg
- * The digest algorithm (SHA-1, SHA-256, etc.).
- * @param ttl
- * the desired TTL for the generated DS record. If zero, or
- * negative,
- * the original KEY RR's TTL will be used.
+ *
+ * @param keyrec the KEY record in question.
+ * @param digestAlg The digest algorithm (SHA-1, SHA-256, etc.).
+ * @param ttl the desired TTL for the generated DS record. If zero, or
+ * negative, the original KEY RR's TTL will be used.
 * @return the corresponding {@link org.xbill.DNS.DSRecord}
 */
- public static DSRecord calculateDSRecord(DNSKEYRecord keyrec, int digest_alg, long ttl) {
+ public static DSRecord calculateDSRecord(DNSKEYRecord keyrec, int digestAlg, long ttl) {
 if (keyrec == null) return null;
@@ -1483,7 +1401,7 @@ public class SignUtils {
 byte[] digest;
 MessageDigest md;
- switch (digest_alg) {
+ switch (digestAlg) {
 case DNSSEC.Digest.SHA1:
 md = MessageDigest.getInstance("SHA");
 digest = md.digest(os.toByteArray());
@@ -1493,11 +1411,11 @@ public class SignUtils {
 digest = md.digest(os.toByteArray());
 break;
 default:
- throw new IllegalArgumentException("Unknown digest id: " + digest_alg);
+ throw new IllegalArgumentException("Unknown digest id: " + digestAlg);
 }
 return new DSRecord(keyrec.getName(), keyrec.getDClass(), ttl,
- keyrec.getFootprint(), keyrec.getAlgorithm(), digest_alg,
+ keyrec.getFootprint(), keyrec.getAlgorithm(), digestAlg,
 digest);
 } catch (NoSuchAlgorithmException e) {
@@ -1508,35 +1426,26 @@ public class SignUtils {
 /**
 * Calculate an NSEC3 hash based on a DNS name and NSEC3 hash parameters.
- *
- * @param n
- * The name to hash.
- * @param hash_algorithm
- * The hash algorithm to use.
- * @param iterations
- * The number of iterations to do.
- * @param salt
- * The salt to use.
+ *
+ * @param n The name to hash.
+ * @param hashAlgorithm The hash algorithm to use.
+ * @param iterations The number of iterations to do.
+ * @param salt The salt to use.
 * @return The calculated hash as a byte array.
- * @throws NoSuchAlgorithmException
- * If the hash algorithm is unrecognized.
+ * @throws NoSuchAlgorithmException If the hash algorithm is unrecognized.
 */
- public static byte[] nsec3hash(Name n, int hash_algorithm, int iterations, byte[] salt)
+ public static byte[] nsec3hash(Name n, int hashAlgorithm, int iterations, byte[] salt)
 throws NoSuchAlgorithmException {
 MessageDigest md;
- switch (hash_algorithm) {
- case NSEC3Record.SHA1_DIGEST_ID:
- md = MessageDigest.getInstance("SHA1");
- break;
- default:
- throw new NoSuchAlgorithmException("Unknown NSEC3 algorithm identifier: "
- + hash_algorithm);
+ if (hashAlgorithm != NSEC3Record.SHA1_DIGEST_ID) {
+ throw new NoSuchAlgorithmException("Unknown NSEC3 algorithm identifier: " + hashAlgorithm);
 }
+ md = MessageDigest.getInstance("SHA1");
 // Construct our wire form.
- byte[] wire_name = n.toWireCanonical();
- byte[] res = wire_name; // for the first iteration.
+ byte[] wireName = n.toWireCanonical();
+ byte[] res = wireName; // for the first iteration.
 for (int i = 0; i <= iterations; i++) {
 // Concatenate the salt, if it exists.
 if (salt != null) {