From 88cc729312e643a2549e084c3f881453a152819f Mon Sep 17 00:00:00 2001 From: David Blacka Date: Fri, 29 Mar 2024 21:18:14 -0400 Subject: [PATCH] sonarlint, formatting for RecordComparitor and JCEDnsSecSigner --- .gitattributes | 6 - .../dnssec/security/JCEDnsSecSigner.java | 359 +++++++----------- .../dnssec/security/RecordComparator.java | 37 +- 3 files changed, 159 insertions(+), 243 deletions(-) delete mode 100644 .gitattributes diff --git a/.gitattributes b/.gitattributes deleted file mode 100644 index 00a51af..0000000 --- a/.gitattributes +++ /dev/null @@ -1,6 +0,0 @@ -# -# https://help.github.com/articles/dealing-with-line-endings/ -# -# These are explicitly windows files and should use crlf -*.bat text eol=crlf - diff --git a/src/main/java/com/verisignlabs/dnssec/security/JCEDnsSecSigner.java b/src/main/java/com/verisignlabs/dnssec/security/JCEDnsSecSigner.java index f618eda..cc5de8f 100644 --- a/src/main/java/com/verisignlabs/dnssec/security/JCEDnsSecSigner.java +++ b/src/main/java/com/verisignlabs/dnssec/security/JCEDnsSecSigner.java 
@@ -68,21 +68,15 @@ public class JCEDnsSecSigner { /** * Cryptographically generate a new DNSSEC key. * - * @param owner - * the KEY RR's owner name. - * @param ttl - * the KEY RR's TTL. - * @param dclass - * the KEY RR's DNS class. - * @param algorithm - * the DNSSEC algorithm (RSASHA258, RSASHA512, - * ECDSAP256, etc.) - * @param flags - * any flags for the KEY RR. - * @param keysize - * the size of the key to generate. - * @param useLargeExponent - * if generating an RSA key, use the large exponent. + * @param owner the KEY RR's owner name. + * @param ttl the KEY RR's TTL. + * @param dclass the KEY RR's DNS class. + * @param algorithm the DNSSEC algorithm (RSASHA258, RSASHA512, + * ECDSAP256, + * etc.) + * @param flags any flags for the KEY RR. + * @param keysize the size of the key to generate. + * @param useLargeExponent if generating an RSA key, use the large exponent. * @return a DnsKeyPair with the public and private keys populated. */ public DnsKeyPair generateKey(Name owner, long ttl, int dclass, int algorithm, 
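Review bot: The reflowed Javadoc for generateKey still names the algorithm `RSASHA258`; no DNSSEC algorithm by that name exists, and the neighbouring examples (RSASHA512, ECDSAP256) indicate RSASHA256 was meant, so the line should read ` * @param algorithm the DNSSEC algorithm (RSASHA256, RSASHA512, ECDSAP256, etc.)`. Since this commit rewrites the `@param` text anyway, it is the right moment to correct the typo rather than carry it into the new layout. generateKey's signature and body continue past the end of the hunk.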
@@ -113,29 +107,25 @@ public class JCEDnsSecSigner { /** * Sign an RRset. * - * @param rrset - * the RRset to sign -- any existing signatures are ignored. - * @param keypars - * a list of DnsKeyPair objects containing private keys. - * @param start - * the inception time for the resulting RRSIG records. - * @param expire - * the expiration time for the resulting RRSIG records. + * @param rrset the RRset to sign -- any existing signatures are ignored. + * @param keypars a list of DnsKeyPair objects containing private keys. + * @param start the inception time for the resulting RRSIG records. + * @param expire the expiration time for the resulting RRSIG records. * @return a list of RRSIGRecord objects. */ public List signRRset(RRset rrset, List keypairs, Instant start, Instant expire) throws IOException, GeneralSecurityException { if (rrset == null || keypairs == null) - return null; + return new ArrayList<>(); // default start to now, expire to start + 1 second. if (start == null) start = Instant.now(); if (expire == null) expire = start.plusSeconds(1); - if (keypairs.size() == 0) - return null; + if (keypairs.isEmpty()) + return new ArrayList<>(); if (mVerboseSigning) { log.info("Signing RRset:"); @@ -143,9 +133,9 @@ public class JCEDnsSecSigner { } // first, pre-calculate the RRset bytes. - byte[] rrset_data = SignUtils.generateCanonicalRRsetData(rrset, 0, 0); + byte[] rrsetData = SignUtils.generateCanonicalRRsetData(rrset, 0, 0); - ArrayList sigs = new ArrayList(keypairs.size()); + ArrayList sigs = new ArrayList<>(keypairs.size()); // for each keypair, sign the RRset. for (DnsKeyPair pair : keypairs) { 
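Review bot: Returning an empty list from signRRset when `keypairs` is null or empty changes how a misconfigured signing run fails: addRRset, later in this file (visible in the `-236` hunk), does `toList.addAll(sigs)` unconditionally, so a zone signed with no ZSKs previously died with a NullPointerException and now comes out with every non-apex RRset unsigned and no error at all. For a signer, silently omitting signatures is worse than a crash; I would keep the empty return for the `rrset == null` case but reject missing keys up front in the private signZone that all the public signZone* overloads funnel through, e.g. `if (zskpairs == null || zskpairs.isEmpty()) throw new IllegalArgumentException("no zone signing keys supplied");`, so the API fails closed. Whether any caller deliberately relies on signing with no ZSKs is not visible here, so that guard wants checking against the call sites. Separately, the reformatted Javadoc still says `@param keypars` while the parameter is `keypairs`; it should read ` * @param keypairs a list of DnsKeyPair objects containing private keys.` signRRset's body continues past the end of the hunk.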
@@ -155,13 +145,13 @@ public class JCEDnsSecSigner { RRSIGRecord presig = SignUtils.generatePreRRSIG(rrset, keyrec, start, expire, rrset.getTTL()); - byte[] sign_data = SignUtils.generateSigData(rrset_data, presig); + byte[] signData = SignUtils.generateSigData(rrsetData, presig); if (mVerboseSigning) { log.info("Canonical pre-signature data to sign with key " + keyrec.getName().toString() + "/" + keyrec.getAlgorithm() + "/" + keyrec.getFootprint() + ":"); - log.info(hexdump.dump(null, sign_data)); + log.info(hexdump.dump(null, signData)); } Signature signer = pair.getSigner(); @@ -174,7 +164,7 @@ public class JCEDnsSecSigner { } // sign the data. - signer.update(sign_data); + signer.update(signData); byte[] sig = signer.sign(); if (mVerboseSigning) { @@ -206,12 +196,9 @@ public class JCEDnsSecSigner { /** * Create a completely self-signed DNSKEY RRset. * - * @param keypairs - * the public & private keypairs to use in the keyset. - * @param start - * the RRSIG inception time. - * @param expire - * the RRSIG expiration time. + * @param keypairs the public & private keypairs to use in the keyset. + * @param start the RRSIG inception time. + * @param expire the RRSIG expiration time. * @return a signed RRset. */ public RRset makeKeySet(List keypairs, Instant start, Instant expire) 
@@ -236,67 +223,55 @@ public class JCEDnsSecSigner { /** * Conditionally sign an RRset and add it to the toList. * - * @param toList - * the list to which we are adding the processed RRsets. - * @param zonename - * the zone apex name. - * @param rrset - * the RRset under consideration. - * @param kskpairs - * the List of KSKs.. - * @param zskpairs - * the List of zone keys. - * @param start - * the RRSIG inception time. - * @param expire - * the RRSIG expiration time. - * @param fullySignKeyset - * if true, sign the zone apex keyset with both KSKs and - * ZSKs. - * @param last_cut - * the name of the last delegation point encountered. + * @param toList the list to which we are adding the processed RRsets. + * @param zonename the zone apex name. + * @param rrset the RRset under consideration. + * @param kskpairs the List of KSKs.. + * @param zskpairs the List of zone keys. + * @param start the RRSIG inception time. + * @param expire the RRSIG expiration time. + * @param fullySignKeyset if true, sign the zone apex keyset with both KSKs + * and ZSKs. + * @param lastCut the name of the last delegation point encountered. * * @return the name of the new last_cut. */ private Name addRRset(List toList, Name zonename, RRset rrset, List kskpairs, List zskpairs, Instant start, - Instant expire, boolean fullySignKeyset, Name last_cut, - Name last_dname) throws IOException, GeneralSecurityException { + Instant expire, boolean fullySignKeyset, Name lastCut, + Name lastDname) throws IOException, GeneralSecurityException { // add the records themselves - rrset.rrs().forEach(record -> { - toList.add(record); - }); + rrset.rrs().forEach(toList::add); int type = SignUtils.recordSecType(zonename, rrset.getName(), rrset.getType(), - last_cut, last_dname); + lastCut, lastDname); // we don't sign non-normal sets (delegations, glue, invalid). 
if (type == SignUtils.RR_DELEGATION) { return rrset.getName(); } if (type == SignUtils.RR_GLUE || type == SignUtils.RR_INVALID) { - return last_cut; + return lastCut; } // check for the zone apex keyset. - if (rrset.getName().equals(zonename) && rrset.getType() == Type.DNSKEY) { + if (rrset.getName().equals(zonename) && rrset.getType() == Type.DNSKEY && kskpairs != null && !kskpairs.isEmpty()) { // if we have ksks, sign the keyset with them, otherwise we will just sign // them with the zsks. - if (kskpairs != null && kskpairs.size() > 0) { - List sigs = signRRset(rrset, kskpairs, start, expire); - toList.addAll(sigs); + List sigs = signRRset(rrset, kskpairs, start, expire); + toList.addAll(sigs); + + // If we aren't going to sign with all the keys, bail out now. + if (!fullySignKeyset) + return lastCut; - // If we aren't going to sign with all the keys, bail out now. - if (!fullySignKeyset) - return last_cut; - } } // otherwise, we are OK to sign this set. List sigs = signRRset(rrset, zskpairs, start, expire); toList.addAll(sigs); - return last_cut; + return lastCut; } // Various NSEC/NSEC3 generation modes 
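Review bot: The Javadoc on addRRset documents `lastCut` but has no entry for the `lastDname` parameter, and its `@return` still refers to the pre-rename `last_cut`; add ` * @param lastDname the name of the last DNAME RRset encountered, or null if none yet.` and change the return line to ` * @return the name of the new lastCut.` The comment inside the DNSKEY branch ("otherwise we will just sign them with the zsks") described the old nested `if`; now that the KSK-presence check is folded into the outer condition the fall-through happens after the block, so it reads better as `// apex DNSKEY set with KSKs present: sign with the KSKs; the ZSK signing below only runs if fullySignKeyset.` The restructured condition itself preserves the old behaviour: an apex DNSKEY set with no KSKs still drops through to the ZSK signing.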
@@ -311,49 +286,31 @@ public class JCEDnsSecSigner { * Opt-Out, etc.) External users of this class are expected to use the * appropriate public signZone* methods instead of this. * - * @param zonename - * The name of the zone - * @param records - * The records comprising the zone. They do not have to - * be in any - * particular order, as this method will order them as - * necessary. - * @param kskpairs - * The key pairs designated as "key signing keys" - * @param zskpairs - * The key pairs designated as "zone signing keys" - * @param start - * The RRSIG inception time - * @param expire - * The RRSIG expiration time - * @param fullySignKeyset - * If true, all keys (ksk or zsk) will sign the DNSKEY - * RRset. If - * false, only the ksks will sign it. - * @param ds_digest_alg - * The hash algorithm to use for generating DS records + * @param zonename The name of the zone + * @param records The records comprising the zone. They do not have to + * be in any particular order, as this method will + * order them as necessary. + * @param kskpairs The key pairs designated as "key signing keys" + * @param zskpairs The key pairs designated as "zone signing keys" + * @param start The RRSIG inception time + * @param expire The RRSIG expiration time + * @param fullySignKeyset If true, all keys (ksk or zsk) will sign the DNSKEY + * RRset. If false, only the ksks will sign it. + * @param dsDigestAlg The hash algorithm to use for generating DS records * (DSRecord.SHA1_DIGEST_ID, e.g.) - * @param mode - * The NSEC/NSEC3 generation mode: NSEC_MODE, NSEC3_MODE, - * NSEC3_OPTOUT_MODE, etc. - * @param includedNames - * When using an Opt-In/Opt-Out mode, the names listed - * here will be - * included in the NSEC/NSEC3 chain regardless - * @param salt - * When using an NSEC3 mode, use this salt. - * @param iterations - * When using an NSEC3 mode, use this number of + * @param mode The NSEC/NSEC3 generation mode: NSEC_MODE, + * NSEC3_MODE, NSEC3_OPTOUT_MODE, etc. 
+ * @param includedNames When using an Opt-In/Opt-Out mode, the names listed + * here will be included in the NSEC/NSEC3 chain + * regardless + * @param salt When using an NSEC3 mode, use this salt. + * @param iterations When using an NSEC3 mode, use this number of * iterations - * @param beConservative - * If true, then only turn on the Opt-In flag when there - * are insecure - * delegations in the span. Currently this only works for - * NSEC_EXP_OPT_IN mode. - * @param nsec3paramttl - * The TTL to use for the generated NSEC3PARAM record. - * Negative - * values will use the SOA TTL. + * @param beConservative If true, then only turn on the Opt-In flag when + * there are insecure delegations in the span. + * Currently this only works for NSEC_EXP_OPT_IN mode. + * @param nsec3paramttl The TTL to use for the generated NSEC3PARAM record. + * Negative values will use the SOA TTL. * @return an ordered list of {@link org.xbill.DNS.Record} objects, * representing the signed zone. * @@ -363,7 +320,7 @@ public class JCEDnsSecSigner { private List signZone(Name zonename, List records, List kskpairs, List zskpairs, Instant start, Instant expire, boolean fullySignKeyset, - int ds_digest_alg, int mode, List includedNames, + int dsDigestAlg, int mode, List includedNames, byte[] salt, int iterations, long nsec3paramttl, boolean beConservative) throws IOException, GeneralSecurityException { @@ -380,7 +337,7 @@ public class JCEDnsSecSigner { // Generate DS records. This replaces any non-zone-apex DNSKEY RRs with DS // RRs. - SignUtils.generateDSRecords(zonename, records, ds_digest_alg); + SignUtils.generateDSRecords(zonename, records, dsDigestAlg); // Generate the NSEC or NSEC3 records based on 'mode' switch (mode) { 
@@ -398,6 +355,8 @@ public class JCEDnsSecSigner { SignUtils.generateOptInNSECRecords(zonename, records, includedNames, beConservative); break; + default: + throw new NoSuchAlgorithmException("Unknown NSEC/NSEC3 mode: " + mode); } // Re-sort so we can assemble into rrsets. @@ -405,9 +364,9 @@ public class JCEDnsSecSigner { // Assemble into RRsets and sign. RRset rrset = new RRset(); - ArrayList signed_records = new ArrayList(); - Name last_cut = null; - Name last_dname = null; + ArrayList signedRecords = new ArrayList<>(); + Name lastCut = null; + Name lastDname = null; for (ListIterator i = records.listIterator(); i.hasNext();) { Record r = i.next(); 
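Review bot: `NoSuchAlgorithmException` is a misleading type for an unknown NSEC/NSEC3 `mode`: it is a GeneralSecurityException that callers will read as a crypto-provider failure, while the mode is one of this class's own constants supplied by the public signZone* overloads, so an unrecognised value is a programming error. `default: throw new IllegalArgumentException("Unknown NSEC/NSEC3 mode: " + mode);` says that directly and needs no checked-exception plumbing. The fail-closed default itself is the right call — before this change an unknown mode produced a zone with no NSEC/NSEC3 chain and no error. The switch begins before the hunk, so only its last case and the new default are visible here.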
@@ -430,48 +389,38 @@ public class JCEDnsSecSigner { // add the RRset to the list of signed_records, regardless of // whether or not we actually end up signing the set. - last_cut = addRRset(signed_records, zonename, rrset, kskpairs, zskpairs, start, - expire, fullySignKeyset, last_cut, last_dname); + lastCut = addRRset(signedRecords, zonename, rrset, kskpairs, zskpairs, start, + expire, fullySignKeyset, lastCut, lastDname); if (rrset.getType() == Type.DNAME) - last_dname = rrset.getName(); + lastDname = rrset.getName(); rrset.clear(); rrset.addRR(r); } // add the last RR set - addRRset(signed_records, zonename, rrset, kskpairs, zskpairs, start, expire, - fullySignKeyset, last_cut, last_dname); + addRRset(signedRecords, zonename, rrset, kskpairs, zskpairs, start, expire, + fullySignKeyset, lastCut, lastDname); - return signed_records; + return signedRecords; } /** * Given a zone, sign it using standard NSEC records. * - * @param zonename - * The name of the zone. - * @param records - * The records comprising the zone. They do not have to - * be in any - * particular order, as this method will order them as - * necessary. - * @param kskpairs - * The key pairs that are designated as "key signing + * @param zonename The name of the zone. + * @param records The records comprising the zone. They do not have to + * be in any particular order, as this method will + * order them as necessary. + * @param kskpairs The key pairs that are designated as "key signing * keys". - * @param zskpairs - * This key pairs that are designated as "zone signing + * @param zskpairs This key pairs that are designated as "zone signing * keys". - * @param start - * The RRSIG inception time. - * @param expire - * The RRSIG expiration time. - * @param fullySignKeyset - * Sign the zone apex keyset with all available keys - * (instead of just - * the key signing keys). - * @param ds_digest_alg - * The digest algorithm to use when generating DS + * @param start The RRSIG inception time. 
+ * @param expire The RRSIG expiration time. + * @param fullySignKeyset Sign the zone apex keyset with all available keys + * (instead of just the key signing keys). + * @param dsDigestAlg The digest algorithm to use when generating DS * records. * * @return an ordered list of {@link org.xbill.DNS.Record} objects, 
@@ -480,58 +429,42 @@ public class JCEDnsSecSigner { public List signZone(Name zonename, List records, List kskpairs, List zskpairs, Instant start, Instant expire, boolean fullySignKeyset, - int ds_digest_alg) throws IOException, + int dsDigestAlg) throws IOException, GeneralSecurityException { return signZone(zonename, records, kskpairs, zskpairs, start, expire, - fullySignKeyset, ds_digest_alg, NSEC_MODE, null, null, 0, 0, false); + fullySignKeyset, dsDigestAlg, NSEC_MODE, null, null, 0, 0, false); } /** * Given a zone, sign it using NSEC3 records. * - * @param signer - * A signer (utility) object used to actually sign stuff. - * @param zonename - * The name of the zone being signed. - * @param records - * The records comprising the zone. They do not have to - * be in any - * particular order, as this method will order them as - * necessary. - * @param kskpairs - * The key pairs that are designated as "key signing + * @param signer A signer (utility) object used to actually sign + * stuff. + * @param zonename The name of the zone being signed. + * @param records The records comprising the zone. They do not have to + * be in any particular order, as this method will + * order them as necessary. + * @param kskpairs The key pairs that are designated as "key signing * keys". - * @param zskpairs - * This key pairs that are designated as "zone signing + * @param zskpairs This key pairs that are designated as "zone signing * keys". - * @param start - * The RRSIG inception time. - * @param expire - * The RRSIG expiration time. - * @param fullySignKeyset - * If true then the DNSKEY RRset will be signed by all - * available - * keys, if false, only the key signing keys. - * @param useOptOut - * If true, insecure delegations will be omitted from the - * NSEC3 - * chain, and all NSEC3 records will have the Opt-Out - * flag set. - * @param includedNames - * A list of names to include in the NSEC3 chain + * @param start The RRSIG inception time. 
+ * @param expire The RRSIG expiration time. + * @param fullySignKeyset If true then the DNSKEY RRset will be signed by all + * available keys, if false, only the key signing keys. + * @param useOptOut If true, insecure delegations will be omitted from + * the NSEC3 chain, and all NSEC3 records will have the + * Opt-Out flag set. + * @param includedNames A list of names to include in the NSEC3 chain * regardless. - * @param salt - * The salt to use for the NSEC3 hashing. null means no + * @param salt The salt to use for the NSEC3 hashing. null means no * salt. - * @param iterations - * The number of iterations to use for the NSEC3 hashing. - * @param ds_digest_alg - * The digest algorithm to use when generating DS + * @param iterations The number of iterations to use for the NSEC3 + * hashing. + * @param dsDigestAlg The digest algorithm to use when generating DS * records. - * @param nsec3paramttl - * The TTL to use for the generated NSEC3PARAM record. - * Negative - * values will use the SOA TTL. + * @param nsec3paramttl The TTL to use for the generated NSEC3PARAM record. + * Negative values will use the SOA TTL. * @return an ordered list of {@link org.xbill.DNS.Record} objects, * representing the signed zone. * 
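Review bot: The reflowed Javadoc for the NSEC3 signZone overload still carries `@param signer A signer (utility) object used to actually sign stuff.`, but there is no `signer` parameter: signZone is an instance method of this class, and the parameter list shown in the following `-542` hunk (its opening line is outside the diff) runs zonename/records through nsec3paramttl with no such argument. Drop that `@param` line so the documentation matches the signature; the remaining entries, from `zonename` to `nsec3paramttl`, do line up with the visible parameters in order.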
@@ -542,16 +475,16 @@ public class JCEDnsSecSigner { List kskpairs, List zskpairs, Instant start, Instant expire, boolean fullySignKeyset, boolean useOptOut, List includedNames, - byte[] salt, int iterations, int ds_digest_alg, + byte[] salt, int iterations, int dsDigestAlg, long nsec3paramttl) throws IOException, GeneralSecurityException { if (useOptOut) { return signZone(zonename, records, kskpairs, zskpairs, start, expire, - fullySignKeyset, ds_digest_alg, NSEC3_OPTOUT_MODE, includedNames, + fullySignKeyset, dsDigestAlg, NSEC3_OPTOUT_MODE, includedNames, salt, iterations, nsec3paramttl, false); } else { return signZone(zonename, records, kskpairs, zskpairs, start, expire, - fullySignKeyset, ds_digest_alg, NSEC3_MODE, null, salt, iterations, + fullySignKeyset, dsDigestAlg, NSEC3_MODE, null, salt, iterations, nsec3paramttl, false); } } 
@@ -560,37 +493,25 @@ public class JCEDnsSecSigner { * Given a zone, sign it using experimental Opt-In NSEC records (see RFC * 4956). * - * @param zonename - * the name of the zone. - * @param records - * the records comprising the zone. They do not have - * to be in any - * particular order, as this method will order them - * as necessary. - * @param kskpairs - * the key pairs that are designated as "key signing - * keys". - * @param zskpairs - * this key pairs that are designated as "zone + * @param zonename the name of the zone. + * @param records the records comprising the zone. They do not + * have to be in any particular order, as this + * method will order them as necessary. + * @param kskpairs the key pairs that are designated as "key * signing keys". - * @param start - * the RRSIG inception time. - * @param expire - * the RRSIG expiration time. - * @param useConservativeOptIn - * if true, Opt-In NSEC records will only be - * generated if there are - * insecure, unsigned delegations in the span. - * @param fullySignKeyset - * sign the zone apex keyset with all available + * @param zskpairs this key pairs that are designated as "zone + * signing keys". + * @param start the RRSIG inception time. + * @param expire the RRSIG expiration time. + * @param useConservativeOptIn if true, Opt-In NSEC records will only be + * generated if there are insecure, unsigned + * delegations in the span. + * @param fullySignKeyset sign the zone apex keyset with all available * keys. - * @param ds_digest_alg - * The digest algorithm to use when generating DS + * @param dsDigestAlg The digest algorithm to use when generating DS * records. - * @param NSECIncludeNames - * names that are to be included in the NSEC chain - * regardless. This - * may be null. + * @param nsecIncludeNames names that are to be included in the NSEC chain + * regardless. This may be null. * @return an ordered list of {@link org.xbill.DNS.Record} objects, * representing the signed zone. */ 
@@ -598,12 +519,12 @@ public class JCEDnsSecSigner { List kskpairs, List zskpairs, Instant start, Instant expire, boolean useConservativeOptIn, - boolean fullySignKeyset, List NSECIncludeNames, - int ds_digest_alg) throws IOException, + boolean fullySignKeyset, List nsecIncludeNames, + int dsDigestAlg) throws IOException, GeneralSecurityException { return signZone(zonename, records, kskpairs, zskpairs, start, expire, - fullySignKeyset, ds_digest_alg, NSEC_EXP_OPT_IN, NSECIncludeNames, + fullySignKeyset, dsDigestAlg, NSEC_EXP_OPT_IN, nsecIncludeNames, null, 0, 0, useConservativeOptIn); } } diff --git a/src/main/java/com/verisignlabs/dnssec/security/RecordComparator.java b/src/main/java/com/verisignlabs/dnssec/security/RecordComparator.java index 9f6b312..cba43b5 100644 --- a/src/main/java/com/verisignlabs/dnssec/security/RecordComparator.java +++ b/src/main/java/com/verisignlabs/dnssec/security/RecordComparator.java @@ -33,6 +33,7 @@ import org.xbill.DNS.Type; public class RecordComparator implements Comparator { public RecordComparator() { + // nothing to initialize } /** @@ -65,15 +66,15 @@ public class RecordComparator implements Comparator { } private int compareRDATA(Record a, Record b) { - byte[] a_rdata = a.rdataToWireCanonical(); - byte[] b_rdata = b.rdataToWireCanonical(); + byte[] aRdata = a.rdataToWireCanonical(); + byte[] bRdata = b.rdataToWireCanonical(); - for (int i = 0; i < a_rdata.length && i < b_rdata.length; i++) { - int n = (a_rdata[i] & 0xFF) - (b_rdata[i] & 0xFF); + for (int i = 0; i < aRdata.length && i < bRdata.length; i++) { + int n = (aRdata[i] & 0xFF) - (bRdata[i] & 0xFF); if (n != 0) return n; } - return (a_rdata.length - b_rdata.length); + return (aRdata.length - bRdata.length); } public int compare(Record a, Record b) { 
@@ -88,27 +89,27 @@ public class RecordComparator implements Comparator { if (res != 0) return res; - int a_type = a.getType(); - int b_type = b.getType(); - int sig_type = 0; + int aType = a.getType(); + int bType = b.getType(); + int sigType = 0; - if (a_type == Type.RRSIG) { - a_type = ((RRSIGRecord) a).getTypeCovered(); - if (b_type != Type.RRSIG) - sig_type = 1; + if (aType == Type.RRSIG) { + aType = ((RRSIGRecord) a).getTypeCovered(); + if (bType != Type.RRSIG) + sigType = 1; } - if (b_type == Type.RRSIG) { - b_type = ((RRSIGRecord) b).getTypeCovered(); + if (bType == Type.RRSIG) { + bType = ((RRSIGRecord) b).getTypeCovered(); if (a.getType() != Type.RRSIG) - sig_type = -1; + sigType = -1; } - res = compareTypes(a_type, b_type); + res = compareTypes(aType, bType); if (res != 0) return res; - if (sig_type != 0) - return sig_type; + if (sigType != 0) + return sigType; return compareRDATA(a, b); }