sonarlint, formatting for RecordComparitor and JCEDnsSecSigner
parent
75ff297c09
commit
88cc729312
6
.gitattributes
vendored
6
.gitattributes
vendored
@ -1,6 +0,0 @@
|
|||||||
#
|
|
||||||
# https://help.github.com/articles/dealing-with-line-endings/
|
|
||||||
#
|
|
||||||
# These are explicitly windows files and should use crlf
|
|
||||||
*.bat text eol=crlf
|
|
||||||
|
|
@ -68,21 +68,15 @@ public class JCEDnsSecSigner {
|
|||||||
/**
|
/**
|
||||||
* Cryptographically generate a new DNSSEC key.
|
* Cryptographically generate a new DNSSEC key.
|
||||||
*
|
*
|
||||||
* @param owner
|
* @param owner the KEY RR's owner name.
|
||||||
* the KEY RR's owner name.
|
* @param ttl the KEY RR's TTL.
|
||||||
* @param ttl
|
* @param dclass the KEY RR's DNS class.
|
||||||
* the KEY RR's TTL.
|
* @param algorithm the DNSSEC algorithm (RSASHA258, RSASHA512,
|
||||||
* @param dclass
|
* ECDSAP256,
|
||||||
* the KEY RR's DNS class.
|
* etc.)
|
||||||
* @param algorithm
|
* @param flags any flags for the KEY RR.
|
||||||
* the DNSSEC algorithm (RSASHA258, RSASHA512,
|
* @param keysize the size of the key to generate.
|
||||||
* ECDSAP256, etc.)
|
* @param useLargeExponent if generating an RSA key, use the large exponent.
|
||||||
* @param flags
|
|
||||||
* any flags for the KEY RR.
|
|
||||||
* @param keysize
|
|
||||||
* the size of the key to generate.
|
|
||||||
* @param useLargeExponent
|
|
||||||
* if generating an RSA key, use the large exponent.
|
|
||||||
* @return a DnsKeyPair with the public and private keys populated.
|
* @return a DnsKeyPair with the public and private keys populated.
|
||||||
*/
|
*/
|
||||||
public DnsKeyPair generateKey(Name owner, long ttl, int dclass, int algorithm,
|
public DnsKeyPair generateKey(Name owner, long ttl, int dclass, int algorithm,
|
||||||
@ -113,29 +107,25 @@ public class JCEDnsSecSigner {
|
|||||||
/**
|
/**
|
||||||
* Sign an RRset.
|
* Sign an RRset.
|
||||||
*
|
*
|
||||||
* @param rrset
|
* @param rrset the RRset to sign -- any existing signatures are ignored.
|
||||||
* the RRset to sign -- any existing signatures are ignored.
|
* @param keypars a list of DnsKeyPair objects containing private keys.
|
||||||
* @param keypars
|
* @param start the inception time for the resulting RRSIG records.
|
||||||
* a list of DnsKeyPair objects containing private keys.
|
* @param expire the expiration time for the resulting RRSIG records.
|
||||||
* @param start
|
|
||||||
* the inception time for the resulting RRSIG records.
|
|
||||||
* @param expire
|
|
||||||
* the expiration time for the resulting RRSIG records.
|
|
||||||
* @return a list of RRSIGRecord objects.
|
* @return a list of RRSIGRecord objects.
|
||||||
*/
|
*/
|
||||||
public List<RRSIGRecord> signRRset(RRset rrset, List<DnsKeyPair> keypairs, Instant start,
|
public List<RRSIGRecord> signRRset(RRset rrset, List<DnsKeyPair> keypairs, Instant start,
|
||||||
Instant expire) throws IOException,
|
Instant expire) throws IOException,
|
||||||
GeneralSecurityException {
|
GeneralSecurityException {
|
||||||
if (rrset == null || keypairs == null)
|
if (rrset == null || keypairs == null)
|
||||||
return null;
|
return new ArrayList<>();
|
||||||
|
|
||||||
// default start to now, expire to start + 1 second.
|
// default start to now, expire to start + 1 second.
|
||||||
if (start == null)
|
if (start == null)
|
||||||
start = Instant.now();
|
start = Instant.now();
|
||||||
if (expire == null)
|
if (expire == null)
|
||||||
expire = start.plusSeconds(1);
|
expire = start.plusSeconds(1);
|
||||||
if (keypairs.size() == 0)
|
if (keypairs.isEmpty())
|
||||||
return null;
|
return new ArrayList<>();
|
||||||
|
|
||||||
if (mVerboseSigning) {
|
if (mVerboseSigning) {
|
||||||
log.info("Signing RRset:");
|
log.info("Signing RRset:");
|
||||||
@ -143,9 +133,9 @@ public class JCEDnsSecSigner {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// first, pre-calculate the RRset bytes.
|
// first, pre-calculate the RRset bytes.
|
||||||
byte[] rrset_data = SignUtils.generateCanonicalRRsetData(rrset, 0, 0);
|
byte[] rrsetData = SignUtils.generateCanonicalRRsetData(rrset, 0, 0);
|
||||||
|
|
||||||
ArrayList<RRSIGRecord> sigs = new ArrayList<RRSIGRecord>(keypairs.size());
|
ArrayList<RRSIGRecord> sigs = new ArrayList<>(keypairs.size());
|
||||||
|
|
||||||
// for each keypair, sign the RRset.
|
// for each keypair, sign the RRset.
|
||||||
for (DnsKeyPair pair : keypairs) {
|
for (DnsKeyPair pair : keypairs) {
|
||||||
@ -155,13 +145,13 @@ public class JCEDnsSecSigner {
|
|||||||
|
|
||||||
RRSIGRecord presig = SignUtils.generatePreRRSIG(rrset, keyrec, start, expire,
|
RRSIGRecord presig = SignUtils.generatePreRRSIG(rrset, keyrec, start, expire,
|
||||||
rrset.getTTL());
|
rrset.getTTL());
|
||||||
byte[] sign_data = SignUtils.generateSigData(rrset_data, presig);
|
byte[] signData = SignUtils.generateSigData(rrsetData, presig);
|
||||||
|
|
||||||
if (mVerboseSigning) {
|
if (mVerboseSigning) {
|
||||||
log.info("Canonical pre-signature data to sign with key "
|
log.info("Canonical pre-signature data to sign with key "
|
||||||
+ keyrec.getName().toString() + "/" + keyrec.getAlgorithm() + "/"
|
+ keyrec.getName().toString() + "/" + keyrec.getAlgorithm() + "/"
|
||||||
+ keyrec.getFootprint() + ":");
|
+ keyrec.getFootprint() + ":");
|
||||||
log.info(hexdump.dump(null, sign_data));
|
log.info(hexdump.dump(null, signData));
|
||||||
}
|
}
|
||||||
|
|
||||||
Signature signer = pair.getSigner();
|
Signature signer = pair.getSigner();
|
||||||
@ -174,7 +164,7 @@ public class JCEDnsSecSigner {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// sign the data.
|
// sign the data.
|
||||||
signer.update(sign_data);
|
signer.update(signData);
|
||||||
byte[] sig = signer.sign();
|
byte[] sig = signer.sign();
|
||||||
|
|
||||||
if (mVerboseSigning) {
|
if (mVerboseSigning) {
|
||||||
@ -206,12 +196,9 @@ public class JCEDnsSecSigner {
|
|||||||
/**
|
/**
|
||||||
* Create a completely self-signed DNSKEY RRset.
|
* Create a completely self-signed DNSKEY RRset.
|
||||||
*
|
*
|
||||||
* @param keypairs
|
* @param keypairs the public & private keypairs to use in the keyset.
|
||||||
* the public & private keypairs to use in the keyset.
|
* @param start the RRSIG inception time.
|
||||||
* @param start
|
* @param expire the RRSIG expiration time.
|
||||||
* the RRSIG inception time.
|
|
||||||
* @param expire
|
|
||||||
* the RRSIG expiration time.
|
|
||||||
* @return a signed RRset.
|
* @return a signed RRset.
|
||||||
*/
|
*/
|
||||||
public RRset makeKeySet(List<DnsKeyPair> keypairs, Instant start, Instant expire)
|
public RRset makeKeySet(List<DnsKeyPair> keypairs, Instant start, Instant expire)
|
||||||
@ -236,67 +223,55 @@ public class JCEDnsSecSigner {
|
|||||||
/**
|
/**
|
||||||
* Conditionally sign an RRset and add it to the toList.
|
* Conditionally sign an RRset and add it to the toList.
|
||||||
*
|
*
|
||||||
* @param toList
|
* @param toList the list to which we are adding the processed RRsets.
|
||||||
* the list to which we are adding the processed RRsets.
|
* @param zonename the zone apex name.
|
||||||
* @param zonename
|
* @param rrset the RRset under consideration.
|
||||||
* the zone apex name.
|
* @param kskpairs the List of KSKs..
|
||||||
* @param rrset
|
* @param zskpairs the List of zone keys.
|
||||||
* the RRset under consideration.
|
* @param start the RRSIG inception time.
|
||||||
* @param kskpairs
|
* @param expire the RRSIG expiration time.
|
||||||
* the List of KSKs..
|
* @param fullySignKeyset if true, sign the zone apex keyset with both KSKs
|
||||||
* @param zskpairs
|
* and ZSKs.
|
||||||
* the List of zone keys.
|
* @param lastCut the name of the last delegation point encountered.
|
||||||
* @param start
|
|
||||||
* the RRSIG inception time.
|
|
||||||
* @param expire
|
|
||||||
* the RRSIG expiration time.
|
|
||||||
* @param fullySignKeyset
|
|
||||||
* if true, sign the zone apex keyset with both KSKs and
|
|
||||||
* ZSKs.
|
|
||||||
* @param last_cut
|
|
||||||
* the name of the last delegation point encountered.
|
|
||||||
*
|
*
|
||||||
* @return the name of the new last_cut.
|
* @return the name of the new last_cut.
|
||||||
*/
|
*/
|
||||||
private Name addRRset(List<Record> toList, Name zonename, RRset rrset,
|
private Name addRRset(List<Record> toList, Name zonename, RRset rrset,
|
||||||
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs, Instant start,
|
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs, Instant start,
|
||||||
Instant expire, boolean fullySignKeyset, Name last_cut,
|
Instant expire, boolean fullySignKeyset, Name lastCut,
|
||||||
Name last_dname) throws IOException, GeneralSecurityException {
|
Name lastDname) throws IOException, GeneralSecurityException {
|
||||||
// add the records themselves
|
// add the records themselves
|
||||||
rrset.rrs().forEach(record -> {
|
rrset.rrs().forEach(toList::add);
|
||||||
toList.add(record);
|
|
||||||
});
|
|
||||||
|
|
||||||
int type = SignUtils.recordSecType(zonename, rrset.getName(), rrset.getType(),
|
int type = SignUtils.recordSecType(zonename, rrset.getName(), rrset.getType(),
|
||||||
last_cut, last_dname);
|
lastCut, lastDname);
|
||||||
|
|
||||||
// we don't sign non-normal sets (delegations, glue, invalid).
|
// we don't sign non-normal sets (delegations, glue, invalid).
|
||||||
if (type == SignUtils.RR_DELEGATION) {
|
if (type == SignUtils.RR_DELEGATION) {
|
||||||
return rrset.getName();
|
return rrset.getName();
|
||||||
}
|
}
|
||||||
if (type == SignUtils.RR_GLUE || type == SignUtils.RR_INVALID) {
|
if (type == SignUtils.RR_GLUE || type == SignUtils.RR_INVALID) {
|
||||||
return last_cut;
|
return lastCut;
|
||||||
}
|
}
|
||||||
|
|
||||||
// check for the zone apex keyset.
|
// check for the zone apex keyset.
|
||||||
if (rrset.getName().equals(zonename) && rrset.getType() == Type.DNSKEY) {
|
if (rrset.getName().equals(zonename) && rrset.getType() == Type.DNSKEY && kskpairs != null && !kskpairs.isEmpty()) {
|
||||||
// if we have ksks, sign the keyset with them, otherwise we will just sign
|
// if we have ksks, sign the keyset with them, otherwise we will just sign
|
||||||
// them with the zsks.
|
// them with the zsks.
|
||||||
if (kskpairs != null && kskpairs.size() > 0) {
|
|
||||||
List<RRSIGRecord> sigs = signRRset(rrset, kskpairs, start, expire);
|
List<RRSIGRecord> sigs = signRRset(rrset, kskpairs, start, expire);
|
||||||
toList.addAll(sigs);
|
toList.addAll(sigs);
|
||||||
|
|
||||||
// If we aren't going to sign with all the keys, bail out now.
|
// If we aren't going to sign with all the keys, bail out now.
|
||||||
if (!fullySignKeyset)
|
if (!fullySignKeyset)
|
||||||
return last_cut;
|
return lastCut;
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// otherwise, we are OK to sign this set.
|
// otherwise, we are OK to sign this set.
|
||||||
List<RRSIGRecord> sigs = signRRset(rrset, zskpairs, start, expire);
|
List<RRSIGRecord> sigs = signRRset(rrset, zskpairs, start, expire);
|
||||||
toList.addAll(sigs);
|
toList.addAll(sigs);
|
||||||
|
|
||||||
return last_cut;
|
return lastCut;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Various NSEC/NSEC3 generation modes
|
// Various NSEC/NSEC3 generation modes
|
||||||
@ -311,49 +286,31 @@ public class JCEDnsSecSigner {
|
|||||||
* Opt-Out, etc.) External users of this class are expected to use the
|
* Opt-Out, etc.) External users of this class are expected to use the
|
||||||
* appropriate public signZone* methods instead of this.
|
* appropriate public signZone* methods instead of this.
|
||||||
*
|
*
|
||||||
* @param zonename
|
* @param zonename The name of the zone
|
||||||
* The name of the zone
|
* @param records The records comprising the zone. They do not have to
|
||||||
* @param records
|
* be in any particular order, as this method will
|
||||||
* The records comprising the zone. They do not have to
|
* order them as necessary.
|
||||||
* be in any
|
* @param kskpairs The key pairs designated as "key signing keys"
|
||||||
* particular order, as this method will order them as
|
* @param zskpairs The key pairs designated as "zone signing keys"
|
||||||
* necessary.
|
* @param start The RRSIG inception time
|
||||||
* @param kskpairs
|
* @param expire The RRSIG expiration time
|
||||||
* The key pairs designated as "key signing keys"
|
* @param fullySignKeyset If true, all keys (ksk or zsk) will sign the DNSKEY
|
||||||
* @param zskpairs
|
* RRset. If false, only the ksks will sign it.
|
||||||
* The key pairs designated as "zone signing keys"
|
* @param dsDigestAlg The hash algorithm to use for generating DS records
|
||||||
* @param start
|
|
||||||
* The RRSIG inception time
|
|
||||||
* @param expire
|
|
||||||
* The RRSIG expiration time
|
|
||||||
* @param fullySignKeyset
|
|
||||||
* If true, all keys (ksk or zsk) will sign the DNSKEY
|
|
||||||
* RRset. If
|
|
||||||
* false, only the ksks will sign it.
|
|
||||||
* @param ds_digest_alg
|
|
||||||
* The hash algorithm to use for generating DS records
|
|
||||||
* (DSRecord.SHA1_DIGEST_ID, e.g.)
|
* (DSRecord.SHA1_DIGEST_ID, e.g.)
|
||||||
* @param mode
|
* @param mode The NSEC/NSEC3 generation mode: NSEC_MODE,
|
||||||
* The NSEC/NSEC3 generation mode: NSEC_MODE, NSEC3_MODE,
|
* NSEC3_MODE, NSEC3_OPTOUT_MODE, etc.
|
||||||
* NSEC3_OPTOUT_MODE, etc.
|
* @param includedNames When using an Opt-In/Opt-Out mode, the names listed
|
||||||
* @param includedNames
|
* here will be included in the NSEC/NSEC3 chain
|
||||||
* When using an Opt-In/Opt-Out mode, the names listed
|
* regardless
|
||||||
* here will be
|
* @param salt When using an NSEC3 mode, use this salt.
|
||||||
* included in the NSEC/NSEC3 chain regardless
|
* @param iterations When using an NSEC3 mode, use this number of
|
||||||
* @param salt
|
|
||||||
* When using an NSEC3 mode, use this salt.
|
|
||||||
* @param iterations
|
|
||||||
* When using an NSEC3 mode, use this number of
|
|
||||||
* iterations
|
* iterations
|
||||||
* @param beConservative
|
* @param beConservative If true, then only turn on the Opt-In flag when
|
||||||
* If true, then only turn on the Opt-In flag when there
|
* there are insecure delegations in the span.
|
||||||
* are insecure
|
* Currently this only works for NSEC_EXP_OPT_IN mode.
|
||||||
* delegations in the span. Currently this only works for
|
* @param nsec3paramttl The TTL to use for the generated NSEC3PARAM record.
|
||||||
* NSEC_EXP_OPT_IN mode.
|
* Negative values will use the SOA TTL.
|
||||||
* @param nsec3paramttl
|
|
||||||
* The TTL to use for the generated NSEC3PARAM record.
|
|
||||||
* Negative
|
|
||||||
* values will use the SOA TTL.
|
|
||||||
* @return an ordered list of {@link org.xbill.DNS.Record} objects,
|
* @return an ordered list of {@link org.xbill.DNS.Record} objects,
|
||||||
* representing the signed zone.
|
* representing the signed zone.
|
||||||
*
|
*
|
||||||
@ -363,7 +320,7 @@ public class JCEDnsSecSigner {
|
|||||||
private List<Record> signZone(Name zonename, List<Record> records,
|
private List<Record> signZone(Name zonename, List<Record> records,
|
||||||
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs,
|
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs,
|
||||||
Instant start, Instant expire, boolean fullySignKeyset,
|
Instant start, Instant expire, boolean fullySignKeyset,
|
||||||
int ds_digest_alg, int mode, List<Name> includedNames,
|
int dsDigestAlg, int mode, List<Name> includedNames,
|
||||||
byte[] salt, int iterations, long nsec3paramttl,
|
byte[] salt, int iterations, long nsec3paramttl,
|
||||||
boolean beConservative) throws IOException,
|
boolean beConservative) throws IOException,
|
||||||
GeneralSecurityException {
|
GeneralSecurityException {
|
||||||
@ -380,7 +337,7 @@ public class JCEDnsSecSigner {
|
|||||||
|
|
||||||
// Generate DS records. This replaces any non-zone-apex DNSKEY RRs with DS
|
// Generate DS records. This replaces any non-zone-apex DNSKEY RRs with DS
|
||||||
// RRs.
|
// RRs.
|
||||||
SignUtils.generateDSRecords(zonename, records, ds_digest_alg);
|
SignUtils.generateDSRecords(zonename, records, dsDigestAlg);
|
||||||
|
|
||||||
// Generate the NSEC or NSEC3 records based on 'mode'
|
// Generate the NSEC or NSEC3 records based on 'mode'
|
||||||
switch (mode) {
|
switch (mode) {
|
||||||
@ -398,6 +355,8 @@ public class JCEDnsSecSigner {
|
|||||||
SignUtils.generateOptInNSECRecords(zonename, records, includedNames,
|
SignUtils.generateOptInNSECRecords(zonename, records, includedNames,
|
||||||
beConservative);
|
beConservative);
|
||||||
break;
|
break;
|
||||||
|
default:
|
||||||
|
throw new NoSuchAlgorithmException("Unknown NSEC/NSEC3 mode: " + mode);
|
||||||
}
|
}
|
||||||
|
|
||||||
// Re-sort so we can assemble into rrsets.
|
// Re-sort so we can assemble into rrsets.
|
||||||
@ -405,9 +364,9 @@ public class JCEDnsSecSigner {
|
|||||||
|
|
||||||
// Assemble into RRsets and sign.
|
// Assemble into RRsets and sign.
|
||||||
RRset rrset = new RRset();
|
RRset rrset = new RRset();
|
||||||
ArrayList<Record> signed_records = new ArrayList<Record>();
|
ArrayList<Record> signedRecords = new ArrayList<>();
|
||||||
Name last_cut = null;
|
Name lastCut = null;
|
||||||
Name last_dname = null;
|
Name lastDname = null;
|
||||||
|
|
||||||
for (ListIterator<Record> i = records.listIterator(); i.hasNext();) {
|
for (ListIterator<Record> i = records.listIterator(); i.hasNext();) {
|
||||||
Record r = i.next();
|
Record r = i.next();
|
||||||
@ -430,48 +389,38 @@ public class JCEDnsSecSigner {
|
|||||||
|
|
||||||
// add the RRset to the list of signed_records, regardless of
|
// add the RRset to the list of signed_records, regardless of
|
||||||
// whether or not we actually end up signing the set.
|
// whether or not we actually end up signing the set.
|
||||||
last_cut = addRRset(signed_records, zonename, rrset, kskpairs, zskpairs, start,
|
lastCut = addRRset(signedRecords, zonename, rrset, kskpairs, zskpairs, start,
|
||||||
expire, fullySignKeyset, last_cut, last_dname);
|
expire, fullySignKeyset, lastCut, lastDname);
|
||||||
if (rrset.getType() == Type.DNAME)
|
if (rrset.getType() == Type.DNAME)
|
||||||
last_dname = rrset.getName();
|
lastDname = rrset.getName();
|
||||||
|
|
||||||
rrset.clear();
|
rrset.clear();
|
||||||
rrset.addRR(r);
|
rrset.addRR(r);
|
||||||
}
|
}
|
||||||
|
|
||||||
// add the last RR set
|
// add the last RR set
|
||||||
addRRset(signed_records, zonename, rrset, kskpairs, zskpairs, start, expire,
|
addRRset(signedRecords, zonename, rrset, kskpairs, zskpairs, start, expire,
|
||||||
fullySignKeyset, last_cut, last_dname);
|
fullySignKeyset, lastCut, lastDname);
|
||||||
|
|
||||||
return signed_records;
|
return signedRecords;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Given a zone, sign it using standard NSEC records.
|
* Given a zone, sign it using standard NSEC records.
|
||||||
*
|
*
|
||||||
* @param zonename
|
* @param zonename The name of the zone.
|
||||||
* The name of the zone.
|
* @param records The records comprising the zone. They do not have to
|
||||||
* @param records
|
* be in any particular order, as this method will
|
||||||
* The records comprising the zone. They do not have to
|
* order them as necessary.
|
||||||
* be in any
|
* @param kskpairs The key pairs that are designated as "key signing
|
||||||
* particular order, as this method will order them as
|
|
||||||
* necessary.
|
|
||||||
* @param kskpairs
|
|
||||||
* The key pairs that are designated as "key signing
|
|
||||||
* keys".
|
* keys".
|
||||||
* @param zskpairs
|
* @param zskpairs This key pairs that are designated as "zone signing
|
||||||
* This key pairs that are designated as "zone signing
|
|
||||||
* keys".
|
* keys".
|
||||||
* @param start
|
* @param start The RRSIG inception time.
|
||||||
* The RRSIG inception time.
|
* @param expire The RRSIG expiration time.
|
||||||
* @param expire
|
* @param fullySignKeyset Sign the zone apex keyset with all available keys
|
||||||
* The RRSIG expiration time.
|
* (instead of just the key signing keys).
|
||||||
* @param fullySignKeyset
|
* @param dsDigestAlg The digest algorithm to use when generating DS
|
||||||
* Sign the zone apex keyset with all available keys
|
|
||||||
* (instead of just
|
|
||||||
* the key signing keys).
|
|
||||||
* @param ds_digest_alg
|
|
||||||
* The digest algorithm to use when generating DS
|
|
||||||
* records.
|
* records.
|
||||||
*
|
*
|
||||||
* @return an ordered list of {@link org.xbill.DNS.Record} objects,
|
* @return an ordered list of {@link org.xbill.DNS.Record} objects,
|
||||||
@ -480,58 +429,42 @@ public class JCEDnsSecSigner {
|
|||||||
public List<Record> signZone(Name zonename, List<Record> records,
|
public List<Record> signZone(Name zonename, List<Record> records,
|
||||||
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs,
|
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs,
|
||||||
Instant start, Instant expire, boolean fullySignKeyset,
|
Instant start, Instant expire, boolean fullySignKeyset,
|
||||||
int ds_digest_alg) throws IOException,
|
int dsDigestAlg) throws IOException,
|
||||||
GeneralSecurityException {
|
GeneralSecurityException {
|
||||||
return signZone(zonename, records, kskpairs, zskpairs, start, expire,
|
return signZone(zonename, records, kskpairs, zskpairs, start, expire,
|
||||||
fullySignKeyset, ds_digest_alg, NSEC_MODE, null, null, 0, 0, false);
|
fullySignKeyset, dsDigestAlg, NSEC_MODE, null, null, 0, 0, false);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Given a zone, sign it using NSEC3 records.
|
* Given a zone, sign it using NSEC3 records.
|
||||||
*
|
*
|
||||||
* @param signer
|
* @param signer A signer (utility) object used to actually sign
|
||||||
* A signer (utility) object used to actually sign stuff.
|
* stuff.
|
||||||
* @param zonename
|
* @param zonename The name of the zone being signed.
|
||||||
* The name of the zone being signed.
|
* @param records The records comprising the zone. They do not have to
|
||||||
* @param records
|
* be in any particular order, as this method will
|
||||||
* The records comprising the zone. They do not have to
|
* order them as necessary.
|
||||||
* be in any
|
* @param kskpairs The key pairs that are designated as "key signing
|
||||||
* particular order, as this method will order them as
|
|
||||||
* necessary.
|
|
||||||
* @param kskpairs
|
|
||||||
* The key pairs that are designated as "key signing
|
|
||||||
* keys".
|
* keys".
|
||||||
* @param zskpairs
|
* @param zskpairs This key pairs that are designated as "zone signing
|
||||||
* This key pairs that are designated as "zone signing
|
|
||||||
* keys".
|
* keys".
|
||||||
* @param start
|
* @param start The RRSIG inception time.
|
||||||
* The RRSIG inception time.
|
* @param expire The RRSIG expiration time.
|
||||||
* @param expire
|
* @param fullySignKeyset If true then the DNSKEY RRset will be signed by all
|
||||||
* The RRSIG expiration time.
|
* available keys, if false, only the key signing keys.
|
||||||
* @param fullySignKeyset
|
* @param useOptOut If true, insecure delegations will be omitted from
|
||||||
* If true then the DNSKEY RRset will be signed by all
|
* the NSEC3 chain, and all NSEC3 records will have the
|
||||||
* available
|
* Opt-Out flag set.
|
||||||
* keys, if false, only the key signing keys.
|
* @param includedNames A list of names to include in the NSEC3 chain
|
||||||
* @param useOptOut
|
|
||||||
* If true, insecure delegations will be omitted from the
|
|
||||||
* NSEC3
|
|
||||||
* chain, and all NSEC3 records will have the Opt-Out
|
|
||||||
* flag set.
|
|
||||||
* @param includedNames
|
|
||||||
* A list of names to include in the NSEC3 chain
|
|
||||||
* regardless.
|
* regardless.
|
||||||
* @param salt
|
* @param salt The salt to use for the NSEC3 hashing. null means no
|
||||||
* The salt to use for the NSEC3 hashing. null means no
|
|
||||||
* salt.
|
* salt.
|
||||||
* @param iterations
|
* @param iterations The number of iterations to use for the NSEC3
|
||||||
* The number of iterations to use for the NSEC3 hashing.
|
* hashing.
|
||||||
* @param ds_digest_alg
|
* @param dsDigestAlg The digest algorithm to use when generating DS
|
||||||
* The digest algorithm to use when generating DS
|
|
||||||
* records.
|
* records.
|
||||||
* @param nsec3paramttl
|
* @param nsec3paramttl The TTL to use for the generated NSEC3PARAM record.
|
||||||
* The TTL to use for the generated NSEC3PARAM record.
|
* Negative values will use the SOA TTL.
|
||||||
* Negative
|
|
||||||
* values will use the SOA TTL.
|
|
||||||
* @return an ordered list of {@link org.xbill.DNS.Record} objects,
|
* @return an ordered list of {@link org.xbill.DNS.Record} objects,
|
||||||
* representing the signed zone.
|
* representing the signed zone.
|
||||||
*
|
*
|
||||||
@ -542,16 +475,16 @@ public class JCEDnsSecSigner {
|
|||||||
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs,
|
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs,
|
||||||
Instant start, Instant expire, boolean fullySignKeyset,
|
Instant start, Instant expire, boolean fullySignKeyset,
|
||||||
boolean useOptOut, List<Name> includedNames,
|
boolean useOptOut, List<Name> includedNames,
|
||||||
byte[] salt, int iterations, int ds_digest_alg,
|
byte[] salt, int iterations, int dsDigestAlg,
|
||||||
long nsec3paramttl) throws IOException,
|
long nsec3paramttl) throws IOException,
|
||||||
GeneralSecurityException {
|
GeneralSecurityException {
|
||||||
if (useOptOut) {
|
if (useOptOut) {
|
||||||
return signZone(zonename, records, kskpairs, zskpairs, start, expire,
|
return signZone(zonename, records, kskpairs, zskpairs, start, expire,
|
||||||
fullySignKeyset, ds_digest_alg, NSEC3_OPTOUT_MODE, includedNames,
|
fullySignKeyset, dsDigestAlg, NSEC3_OPTOUT_MODE, includedNames,
|
||||||
salt, iterations, nsec3paramttl, false);
|
salt, iterations, nsec3paramttl, false);
|
||||||
} else {
|
} else {
|
||||||
return signZone(zonename, records, kskpairs, zskpairs, start, expire,
|
return signZone(zonename, records, kskpairs, zskpairs, start, expire,
|
||||||
fullySignKeyset, ds_digest_alg, NSEC3_MODE, null, salt, iterations,
|
fullySignKeyset, dsDigestAlg, NSEC3_MODE, null, salt, iterations,
|
||||||
nsec3paramttl, false);
|
nsec3paramttl, false);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -560,37 +493,25 @@ public class JCEDnsSecSigner {
|
|||||||
* Given a zone, sign it using experimental Opt-In NSEC records (see RFC
|
* Given a zone, sign it using experimental Opt-In NSEC records (see RFC
|
||||||
* 4956).
|
* 4956).
|
||||||
*
|
*
|
||||||
* @param zonename
|
* @param zonename the name of the zone.
|
||||||
* the name of the zone.
|
* @param records the records comprising the zone. They do not
|
||||||
* @param records
|
* have to be in any particular order, as this
|
||||||
* the records comprising the zone. They do not have
|
* method will order them as necessary.
|
||||||
* to be in any
|
* @param kskpairs the key pairs that are designated as "key
|
||||||
* particular order, as this method will order them
|
|
||||||
* as necessary.
|
|
||||||
* @param kskpairs
|
|
||||||
* the key pairs that are designated as "key signing
|
|
||||||
* keys".
|
|
||||||
* @param zskpairs
|
|
||||||
* this key pairs that are designated as "zone
|
|
||||||
* signing keys".
|
* signing keys".
|
||||||
* @param start
|
* @param zskpairs this key pairs that are designated as "zone
|
||||||
* the RRSIG inception time.
|
* signing keys".
|
||||||
* @param expire
|
* @param start the RRSIG inception time.
|
||||||
* the RRSIG expiration time.
|
* @param expire the RRSIG expiration time.
|
||||||
* @param useConservativeOptIn
|
* @param useConservativeOptIn if true, Opt-In NSEC records will only be
|
||||||
* if true, Opt-In NSEC records will only be
|
* generated if there are insecure, unsigned
|
||||||
* generated if there are
|
* delegations in the span.
|
||||||
* insecure, unsigned delegations in the span.
|
* @param fullySignKeyset sign the zone apex keyset with all available
|
||||||
* @param fullySignKeyset
|
|
||||||
* sign the zone apex keyset with all available
|
|
||||||
* keys.
|
* keys.
|
||||||
* @param ds_digest_alg
|
* @param dsDigestAlg The digest algorithm to use when generating DS
|
||||||
* The digest algorithm to use when generating DS
|
|
||||||
* records.
|
* records.
|
||||||
* @param NSECIncludeNames
|
* @param nsecIncludeNames names that are to be included in the NSEC chain
|
||||||
* names that are to be included in the NSEC chain
|
* regardless. This may be null.
|
||||||
* regardless. This
|
|
||||||
* may be null.
|
|
||||||
* @return an ordered list of {@link org.xbill.DNS.Record} objects,
|
* @return an ordered list of {@link org.xbill.DNS.Record} objects,
|
||||||
* representing the signed zone.
|
* representing the signed zone.
|
||||||
*/
|
*/
|
||||||
@ -598,12 +519,12 @@ public class JCEDnsSecSigner {
|
|||||||
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs,
|
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs,
|
||||||
Instant start, Instant expire,
|
Instant start, Instant expire,
|
||||||
boolean useConservativeOptIn,
|
boolean useConservativeOptIn,
|
||||||
boolean fullySignKeyset, List<Name> NSECIncludeNames,
|
boolean fullySignKeyset, List<Name> nsecIncludeNames,
|
||||||
int ds_digest_alg) throws IOException,
|
int dsDigestAlg) throws IOException,
|
||||||
GeneralSecurityException {
|
GeneralSecurityException {
|
||||||
|
|
||||||
return signZone(zonename, records, kskpairs, zskpairs, start, expire,
|
return signZone(zonename, records, kskpairs, zskpairs, start, expire,
|
||||||
fullySignKeyset, ds_digest_alg, NSEC_EXP_OPT_IN, NSECIncludeNames,
|
fullySignKeyset, dsDigestAlg, NSEC_EXP_OPT_IN, nsecIncludeNames,
|
||||||
null, 0, 0, useConservativeOptIn);
|
null, 0, 0, useConservativeOptIn);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
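Review bot: In the signRRset hunk (`@ -113,29 +107,25 @@`), replacing `return null` with `return new ArrayList<>()` for a null or empty `keypairs` list silently changes a loud failure into an unsigned result: addRRset (hunk `@ -236,67 +223,55 @@`) unconditionally does `toList.addAll(sigs)` after `signRRset(rrset, zskpairs, start, expire)`, so a signZone call with no ZSKs previously failed with a NullPointerException and now emits a zone whose RRsets carry no RRSIGs, with no error or log line. The empty-list return is reasonable for a null `rrset`, but a missing key set is a caller error that a signer should refuse rather than paper over; consider `if (keypairs == null || keypairs.isEmpty()) throw new IllegalArgumentException("no keypairs supplied to sign RRset " + rrset.getName());` in place of the second `return new ArrayList<>()`, unless an unsigned pass-through is intended for some caller not visible here (in which case an explicit warning-level log at that point would still be worth adding). The added `default:` branch in the signZone switch (hunk `@ -398,6 +355,8 @@`) is a good hardening of the same kind, since an unknown mode previously produced a zone with no NSEC/NSEC3 chain at all. The bodies of signRRset and addRRset both continue outside their hunks.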
@ -33,6 +33,7 @@ import org.xbill.DNS.Type;
|
|||||||
|
|
||||||
public class RecordComparator implements Comparator<Record> {
|
public class RecordComparator implements Comparator<Record> {
|
||||||
public RecordComparator() {
|
public RecordComparator() {
|
||||||
|
// nothing to initialize
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -65,15 +66,15 @@ public class RecordComparator implements Comparator<Record> {
|
|||||||
}
|
}
|
||||||
|
|
||||||
private int compareRDATA(Record a, Record b) {
|
private int compareRDATA(Record a, Record b) {
|
||||||
byte[] a_rdata = a.rdataToWireCanonical();
|
byte[] aRdata = a.rdataToWireCanonical();
|
||||||
byte[] b_rdata = b.rdataToWireCanonical();
|
byte[] bRdata = b.rdataToWireCanonical();
|
||||||
|
|
||||||
for (int i = 0; i < a_rdata.length && i < b_rdata.length; i++) {
|
for (int i = 0; i < aRdata.length && i < bRdata.length; i++) {
|
||||||
int n = (a_rdata[i] & 0xFF) - (b_rdata[i] & 0xFF);
|
int n = (aRdata[i] & 0xFF) - (bRdata[i] & 0xFF);
|
||||||
if (n != 0)
|
if (n != 0)
|
||||||
return n;
|
return n;
|
||||||
}
|
}
|
||||||
return (a_rdata.length - b_rdata.length);
|
return (aRdata.length - bRdata.length);
|
||||||
}
|
}
|
||||||
|
|
||||||
public int compare(Record a, Record b) {
|
public int compare(Record a, Record b) {
|
||||||
@ -88,27 +89,27 @@ public class RecordComparator implements Comparator<Record> {
|
|||||||
if (res != 0)
|
if (res != 0)
|
||||||
return res;
|
return res;
|
||||||
|
|
||||||
int a_type = a.getType();
|
int aType = a.getType();
|
||||||
int b_type = b.getType();
|
int bType = b.getType();
|
||||||
int sig_type = 0;
|
int sigType = 0;
|
||||||
|
|
||||||
if (a_type == Type.RRSIG) {
|
if (aType == Type.RRSIG) {
|
||||||
a_type = ((RRSIGRecord) a).getTypeCovered();
|
aType = ((RRSIGRecord) a).getTypeCovered();
|
||||||
if (b_type != Type.RRSIG)
|
if (bType != Type.RRSIG)
|
||||||
sig_type = 1;
|
sigType = 1;
|
||||||
}
|
}
|
||||||
if (b_type == Type.RRSIG) {
|
if (bType == Type.RRSIG) {
|
||||||
b_type = ((RRSIGRecord) b).getTypeCovered();
|
bType = ((RRSIGRecord) b).getTypeCovered();
|
||||||
if (a.getType() != Type.RRSIG)
|
if (a.getType() != Type.RRSIG)
|
||||||
sig_type = -1;
|
sigType = -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
res = compareTypes(a_type, b_type);
|
res = compareTypes(aType, bType);
|
||||||
if (res != 0)
|
if (res != 0)
|
||||||
return res;
|
return res;
|
||||||
|
|
||||||
if (sig_type != 0)
|
if (sigType != 0)
|
||||||
return sig_type;
|
return sigType;
|
||||||
|
|
||||||
return compareRDATA(a, b);
|
return compareRDATA(a, b);
|
||||||
}
|
}
|
||||||
|
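Review bot: The byte-by-byte loop in compareRDATA (hunk `@ -65,15 +66,15 @@`) reimplements an unsigned lexicographic comparison that the standard library already provides; if the project targets Java 9 or later the whole body can be `return Arrays.compareUnsigned(a.rdataToWireCanonical(), b.rdataToWireCanonical());`, which gives the same sign (bytes compared as unsigned, a shorter prefix sorting first) and only needs `java.util.Arrays`, whose import is not visible in this hunk. Separately, the `compare` method on the hunk's last context line could carry `@Override`, since the class implements `Comparator<Record>`. The enclosing class continues outside the hunk.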