davidb/jdnssec-tools
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 1 Wiki Activity

sonarlint, formatting for RecordComparitor and JCEDnsSecSigner

Browse Source
This commit is contained in:
David Blacka 2024-03-29 21:18:14 -04:00
parent 75ff297c09
commit 88cc729312
3 changed files with 159 additions and 243 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
.gitattributes vendored
View File

@ -1,6 +0,0 @@
#
# https://help.github.com/articles/dealing-with-line-endings/
#
# These are explicitly windows files and should use crlf
*.bat text eol=crlf

359
src/main/java/com/verisignlabs/dnssec/security/JCEDnsSecSigner.java
View File

@ -68,21 +68,15 @@ public class JCEDnsSecSigner {
/** /**
* Cryptographically generate a new DNSSEC key. * Cryptographically generate a new DNSSEC key.
* *
* @param owner * @param owner the KEY RR's owner name.
* the KEY RR's owner name. * @param ttl the KEY RR's TTL.
* @param ttl * @param dclass the KEY RR's DNS class.
* the KEY RR's TTL. * @param algorithm the DNSSEC algorithm (RSASHA258, RSASHA512,
* @param dclass * ECDSAP256,
* the KEY RR's DNS class. * etc.)
* @param algorithm * @param flags any flags for the KEY RR.
* the DNSSEC algorithm (RSASHA258, RSASHA512, * @param keysize the size of the key to generate.
* ECDSAP256, etc.) * @param useLargeExponent if generating an RSA key, use the large exponent.
* @param flags
* any flags for the KEY RR.
* @param keysize
* the size of the key to generate.
* @param useLargeExponent
* if generating an RSA key, use the large exponent.
* @return a DnsKeyPair with the public and private keys populated. * @return a DnsKeyPair with the public and private keys populated.
*/ */
public DnsKeyPair generateKey(Name owner, long ttl, int dclass, int algorithm, public DnsKeyPair generateKey(Name owner, long ttl, int dclass, int algorithm,
@ -113,29 +107,25 @@ public class JCEDnsSecSigner {
/** /**
* Sign an RRset. * Sign an RRset.
* *
* @param rrset * @param rrset the RRset to sign -- any existing signatures are ignored.
* the RRset to sign -- any existing signatures are ignored. * @param keypars a list of DnsKeyPair objects containing private keys.
* @param keypars * @param start the inception time for the resulting RRSIG records.
* a list of DnsKeyPair objects containing private keys. * @param expire the expiration time for the resulting RRSIG records.
* @param start
* the inception time for the resulting RRSIG records.
* @param expire
* the expiration time for the resulting RRSIG records.
* @return a list of RRSIGRecord objects. * @return a list of RRSIGRecord objects.
*/ */
public List<RRSIGRecord> signRRset(RRset rrset, List<DnsKeyPair> keypairs, Instant start, public List<RRSIGRecord> signRRset(RRset rrset, List<DnsKeyPair> keypairs, Instant start,
Instant expire) throws IOException, Instant expire) throws IOException,
GeneralSecurityException { GeneralSecurityException {
if (rrset == null || keypairs == null) if (rrset == null || keypairs == null)
return null; return new ArrayList<>();
// default start to now, expire to start + 1 second. // default start to now, expire to start + 1 second.
if (start == null) if (start == null)
start = Instant.now(); start = Instant.now();
if (expire == null) if (expire == null)
expire = start.plusSeconds(1); expire = start.plusSeconds(1);
if (keypairs.size() == 0) if (keypairs.isEmpty())
return null; return new ArrayList<>();
if (mVerboseSigning) { if (mVerboseSigning) {
log.info("Signing RRset:"); log.info("Signing RRset:");
@ -143,9 +133,9 @@ public class JCEDnsSecSigner {
} }
// first, pre-calculate the RRset bytes. // first, pre-calculate the RRset bytes.
byte[] rrset_data = SignUtils.generateCanonicalRRsetData(rrset, 0, 0); byte[] rrsetData = SignUtils.generateCanonicalRRsetData(rrset, 0, 0);
ArrayList<RRSIGRecord> sigs = new ArrayList<RRSIGRecord>(keypairs.size()); ArrayList<RRSIGRecord> sigs = new ArrayList<>(keypairs.size());
// for each keypair, sign the RRset. // for each keypair, sign the RRset.
for (DnsKeyPair pair : keypairs) { for (DnsKeyPair pair : keypairs) {
@ -155,13 +145,13 @@ public class JCEDnsSecSigner {
RRSIGRecord presig = SignUtils.generatePreRRSIG(rrset, keyrec, start, expire, RRSIGRecord presig = SignUtils.generatePreRRSIG(rrset, keyrec, start, expire,
rrset.getTTL()); rrset.getTTL());
byte[] sign_data = SignUtils.generateSigData(rrset_data, presig); byte[] signData = SignUtils.generateSigData(rrsetData, presig);
if (mVerboseSigning) { if (mVerboseSigning) {
log.info("Canonical pre-signature data to sign with key " log.info("Canonical pre-signature data to sign with key "
+ keyrec.getName().toString() + "/" + keyrec.getAlgorithm() + "/" + keyrec.getName().toString() + "/" + keyrec.getAlgorithm() + "/"
+ keyrec.getFootprint() + ":"); + keyrec.getFootprint() + ":");
log.info(hexdump.dump(null, sign_data)); log.info(hexdump.dump(null, signData));
} }
Signature signer = pair.getSigner(); Signature signer = pair.getSigner();
@ -174,7 +164,7 @@ public class JCEDnsSecSigner {
} }
// sign the data. // sign the data.
signer.update(sign_data); signer.update(signData);
byte[] sig = signer.sign(); byte[] sig = signer.sign();
if (mVerboseSigning) { if (mVerboseSigning) {
@ -206,12 +196,9 @@ public class JCEDnsSecSigner {
/** /**
* Create a completely self-signed DNSKEY RRset. * Create a completely self-signed DNSKEY RRset.
* *
* @param keypairs * @param keypairs the public & private keypairs to use in the keyset.
* the public & private keypairs to use in the keyset. * @param start the RRSIG inception time.
* @param start * @param expire the RRSIG expiration time.
* the RRSIG inception time.
* @param expire
* the RRSIG expiration time.
* @return a signed RRset. * @return a signed RRset.
*/ */
public RRset makeKeySet(List<DnsKeyPair> keypairs, Instant start, Instant expire) public RRset makeKeySet(List<DnsKeyPair> keypairs, Instant start, Instant expire)
@ -236,67 +223,55 @@ public class JCEDnsSecSigner {
/** /**
* Conditionally sign an RRset and add it to the toList. * Conditionally sign an RRset and add it to the toList.
* *
* @param toList * @param toList the list to which we are adding the processed RRsets.
* the list to which we are adding the processed RRsets. * @param zonename the zone apex name.
* @param zonename * @param rrset the RRset under consideration.
* the zone apex name. * @param kskpairs the List of KSKs..
* @param rrset * @param zskpairs the List of zone keys.
* the RRset under consideration. * @param start the RRSIG inception time.
* @param kskpairs * @param expire the RRSIG expiration time.
* the List of KSKs.. * @param fullySignKeyset if true, sign the zone apex keyset with both KSKs
* @param zskpairs * and ZSKs.
* the List of zone keys. * @param lastCut the name of the last delegation point encountered.
* @param start
* the RRSIG inception time.
* @param expire
* the RRSIG expiration time.
* @param fullySignKeyset
* if true, sign the zone apex keyset with both KSKs and
* ZSKs.
* @param last_cut
* the name of the last delegation point encountered.
* *
* @return the name of the new last_cut. * @return the name of the new last_cut.
*/ */
private Name addRRset(List<Record> toList, Name zonename, RRset rrset, private Name addRRset(List<Record> toList, Name zonename, RRset rrset,
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs, Instant start, List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs, Instant start,
Instant expire, boolean fullySignKeyset, Name last_cut, Instant expire, boolean fullySignKeyset, Name lastCut,
Name last_dname) throws IOException, GeneralSecurityException { Name lastDname) throws IOException, GeneralSecurityException {
// add the records themselves // add the records themselves
rrset.rrs().forEach(record -> { rrset.rrs().forEach(toList::add);
toList.add(record);
});
int type = SignUtils.recordSecType(zonename, rrset.getName(), rrset.getType(), int type = SignUtils.recordSecType(zonename, rrset.getName(), rrset.getType(),
last_cut, last_dname); lastCut, lastDname);
// we don't sign non-normal sets (delegations, glue, invalid). // we don't sign non-normal sets (delegations, glue, invalid).
if (type == SignUtils.RR_DELEGATION) { if (type == SignUtils.RR_DELEGATION) {
return rrset.getName(); return rrset.getName();
} }
if (type == SignUtils.RR_GLUE || type == SignUtils.RR_INVALID) { if (type == SignUtils.RR_GLUE || type == SignUtils.RR_INVALID) {
return last_cut; return lastCut;
} }
// check for the zone apex keyset. // check for the zone apex keyset.
if (rrset.getName().equals(zonename) && rrset.getType() == Type.DNSKEY) { if (rrset.getName().equals(zonename) && rrset.getType() == Type.DNSKEY && kskpairs != null && !kskpairs.isEmpty()) {
// if we have ksks, sign the keyset with them, otherwise we will just sign // if we have ksks, sign the keyset with them, otherwise we will just sign
// them with the zsks. // them with the zsks.
if (kskpairs != null && kskpairs.size() > 0) { List<RRSIGRecord> sigs = signRRset(rrset, kskpairs, start, expire);
List<RRSIGRecord> sigs = signRRset(rrset, kskpairs, start, expire); toList.addAll(sigs);
toList.addAll(sigs);
// If we aren't going to sign with all the keys, bail out now.
if (!fullySignKeyset)
return lastCut;
// If we aren't going to sign with all the keys, bail out now.
if (!fullySignKeyset)
return last_cut;
}
} }
// otherwise, we are OK to sign this set. // otherwise, we are OK to sign this set.
List<RRSIGRecord> sigs = signRRset(rrset, zskpairs, start, expire); List<RRSIGRecord> sigs = signRRset(rrset, zskpairs, start, expire);
toList.addAll(sigs); toList.addAll(sigs);
return last_cut; return lastCut;
} }
// Various NSEC/NSEC3 generation modes // Various NSEC/NSEC3 generation modes
@ -311,49 +286,31 @@ public class JCEDnsSecSigner {
* Opt-Out, etc.) External users of this class are expected to use the * Opt-Out, etc.) External users of this class are expected to use the
* appropriate public signZone* methods instead of this. * appropriate public signZone* methods instead of this.
* *
* @param zonename * @param zonename The name of the zone
* The name of the zone * @param records The records comprising the zone. They do not have to
* @param records * be in any particular order, as this method will
* The records comprising the zone. They do not have to * order them as necessary.
* be in any * @param kskpairs The key pairs designated as "key signing keys"
* particular order, as this method will order them as * @param zskpairs The key pairs designated as "zone signing keys"
* necessary. * @param start The RRSIG inception time
* @param kskpairs * @param expire The RRSIG expiration time
* The key pairs designated as "key signing keys" * @param fullySignKeyset If true, all keys (ksk or zsk) will sign the DNSKEY
* @param zskpairs * RRset. If false, only the ksks will sign it.
* The key pairs designated as "zone signing keys" * @param dsDigestAlg The hash algorithm to use for generating DS records
* @param start
* The RRSIG inception time
* @param expire
* The RRSIG expiration time
* @param fullySignKeyset
* If true, all keys (ksk or zsk) will sign the DNSKEY
* RRset. If
* false, only the ksks will sign it.
* @param ds_digest_alg
* The hash algorithm to use for generating DS records
* (DSRecord.SHA1_DIGEST_ID, e.g.) * (DSRecord.SHA1_DIGEST_ID, e.g.)
* @param mode * @param mode The NSEC/NSEC3 generation mode: NSEC_MODE,
* The NSEC/NSEC3 generation mode: NSEC_MODE, NSEC3_MODE, * NSEC3_MODE, NSEC3_OPTOUT_MODE, etc.
* NSEC3_OPTOUT_MODE, etc. * @param includedNames When using an Opt-In/Opt-Out mode, the names listed
* @param includedNames * here will be included in the NSEC/NSEC3 chain
* When using an Opt-In/Opt-Out mode, the names listed * regardless
* here will be * @param salt When using an NSEC3 mode, use this salt.
* included in the NSEC/NSEC3 chain regardless * @param iterations When using an NSEC3 mode, use this number of
* @param salt
* When using an NSEC3 mode, use this salt.
* @param iterations
* When using an NSEC3 mode, use this number of
* iterations * iterations
* @param beConservative * @param beConservative If true, then only turn on the Opt-In flag when
* If true, then only turn on the Opt-In flag when there * there are insecure delegations in the span.
* are insecure * Currently this only works for NSEC_EXP_OPT_IN mode.
* delegations in the span. Currently this only works for * @param nsec3paramttl The TTL to use for the generated NSEC3PARAM record.
* NSEC_EXP_OPT_IN mode. * Negative values will use the SOA TTL.
* @param nsec3paramttl
* The TTL to use for the generated NSEC3PARAM record.
* Negative
* values will use the SOA TTL.
* @return an ordered list of {@link org.xbill.DNS.Record} objects, * @return an ordered list of {@link org.xbill.DNS.Record} objects,
* representing the signed zone. * representing the signed zone.
* *
@ -363,7 +320,7 @@ public class JCEDnsSecSigner {
private List<Record> signZone(Name zonename, List<Record> records, private List<Record> signZone(Name zonename, List<Record> records,
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs, List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs,
Instant start, Instant expire, boolean fullySignKeyset, Instant start, Instant expire, boolean fullySignKeyset,
int ds_digest_alg, int mode, List<Name> includedNames, int dsDigestAlg, int mode, List<Name> includedNames,
byte[] salt, int iterations, long nsec3paramttl, byte[] salt, int iterations, long nsec3paramttl,
boolean beConservative) throws IOException, boolean beConservative) throws IOException,
GeneralSecurityException { GeneralSecurityException {
@ -380,7 +337,7 @@ public class JCEDnsSecSigner {
// Generate DS records. This replaces any non-zone-apex DNSKEY RRs with DS // Generate DS records. This replaces any non-zone-apex DNSKEY RRs with DS
// RRs. // RRs.
SignUtils.generateDSRecords(zonename, records, ds_digest_alg); SignUtils.generateDSRecords(zonename, records, dsDigestAlg);
// Generate the NSEC or NSEC3 records based on 'mode' // Generate the NSEC or NSEC3 records based on 'mode'
switch (mode) { switch (mode) {
@ -398,6 +355,8 @@ public class JCEDnsSecSigner {
SignUtils.generateOptInNSECRecords(zonename, records, includedNames, SignUtils.generateOptInNSECRecords(zonename, records, includedNames,
beConservative); beConservative);
break; break;
default:
throw new NoSuchAlgorithmException("Unknown NSEC/NSEC3 mode: " + mode);
} }
// Re-sort so we can assemble into rrsets. // Re-sort so we can assemble into rrsets.
@ -405,9 +364,9 @@ public class JCEDnsSecSigner {
// Assemble into RRsets and sign. // Assemble into RRsets and sign.
RRset rrset = new RRset(); RRset rrset = new RRset();
ArrayList<Record> signed_records = new ArrayList<Record>(); ArrayList<Record> signedRecords = new ArrayList<>();
Name last_cut = null; Name lastCut = null;
Name last_dname = null; Name lastDname = null;
for (ListIterator<Record> i = records.listIterator(); i.hasNext();) { for (ListIterator<Record> i = records.listIterator(); i.hasNext();) {
Record r = i.next(); Record r = i.next();
@ -430,48 +389,38 @@ public class JCEDnsSecSigner {
// add the RRset to the list of signed_records, regardless of // add the RRset to the list of signed_records, regardless of
// whether or not we actually end up signing the set. // whether or not we actually end up signing the set.
last_cut = addRRset(signed_records, zonename, rrset, kskpairs, zskpairs, start, lastCut = addRRset(signedRecords, zonename, rrset, kskpairs, zskpairs, start,
expire, fullySignKeyset, last_cut, last_dname); expire, fullySignKeyset, lastCut, lastDname);
if (rrset.getType() == Type.DNAME) if (rrset.getType() == Type.DNAME)
last_dname = rrset.getName(); lastDname = rrset.getName();
rrset.clear(); rrset.clear();
rrset.addRR(r); rrset.addRR(r);
} }
// add the last RR set // add the last RR set
addRRset(signed_records, zonename, rrset, kskpairs, zskpairs, start, expire, addRRset(signedRecords, zonename, rrset, kskpairs, zskpairs, start, expire,
fullySignKeyset, last_cut, last_dname); fullySignKeyset, lastCut, lastDname);
return signed_records; return signedRecords;
} }
/** /**
* Given a zone, sign it using standard NSEC records. * Given a zone, sign it using standard NSEC records.
* *
* @param zonename * @param zonename The name of the zone.
* The name of the zone. * @param records The records comprising the zone. They do not have to
* @param records * be in any particular order, as this method will
* The records comprising the zone. They do not have to * order them as necessary.
* be in any * @param kskpairs The key pairs that are designated as "key signing
* particular order, as this method will order them as
* necessary.
* @param kskpairs
* The key pairs that are designated as "key signing
* keys". * keys".
* @param zskpairs * @param zskpairs This key pairs that are designated as "zone signing
* This key pairs that are designated as "zone signing
* keys". * keys".
* @param start * @param start The RRSIG inception time.
* The RRSIG inception time. * @param expire The RRSIG expiration time.
* @param expire * @param fullySignKeyset Sign the zone apex keyset with all available keys
* The RRSIG expiration time. * (instead of just the key signing keys).
* @param fullySignKeyset * @param dsDigestAlg The digest algorithm to use when generating DS
* Sign the zone apex keyset with all available keys
* (instead of just
* the key signing keys).
* @param ds_digest_alg
* The digest algorithm to use when generating DS
* records. * records.
* *
* @return an ordered list of {@link org.xbill.DNS.Record} objects, * @return an ordered list of {@link org.xbill.DNS.Record} objects,
@ -480,58 +429,42 @@ public class JCEDnsSecSigner {
public List<Record> signZone(Name zonename, List<Record> records, public List<Record> signZone(Name zonename, List<Record> records,
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs, List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs,
Instant start, Instant expire, boolean fullySignKeyset, Instant start, Instant expire, boolean fullySignKeyset,
int ds_digest_alg) throws IOException, int dsDigestAlg) throws IOException,
GeneralSecurityException { GeneralSecurityException {
return signZone(zonename, records, kskpairs, zskpairs, start, expire, return signZone(zonename, records, kskpairs, zskpairs, start, expire,
fullySignKeyset, ds_digest_alg, NSEC_MODE, null, null, 0, 0, false); fullySignKeyset, dsDigestAlg, NSEC_MODE, null, null, 0, 0, false);
} }
/** /**
* Given a zone, sign it using NSEC3 records. * Given a zone, sign it using NSEC3 records.
* *
* @param signer * @param signer A signer (utility) object used to actually sign
* A signer (utility) object used to actually sign stuff. * stuff.
* @param zonename * @param zonename The name of the zone being signed.
* The name of the zone being signed. * @param records The records comprising the zone. They do not have to
* @param records * be in any particular order, as this method will
* The records comprising the zone. They do not have to * order them as necessary.
* be in any * @param kskpairs The key pairs that are designated as "key signing
* particular order, as this method will order them as
* necessary.
* @param kskpairs
* The key pairs that are designated as "key signing
* keys". * keys".
* @param zskpairs * @param zskpairs This key pairs that are designated as "zone signing
* This key pairs that are designated as "zone signing
* keys". * keys".
* @param start * @param start The RRSIG inception time.
* The RRSIG inception time. * @param expire The RRSIG expiration time.
* @param expire * @param fullySignKeyset If true then the DNSKEY RRset will be signed by all
* The RRSIG expiration time. * available keys, if false, only the key signing keys.
* @param fullySignKeyset * @param useOptOut If true, insecure delegations will be omitted from
* If true then the DNSKEY RRset will be signed by all * the NSEC3 chain, and all NSEC3 records will have the
* available * Opt-Out flag set.
* keys, if false, only the key signing keys. * @param includedNames A list of names to include in the NSEC3 chain
* @param useOptOut
* If true, insecure delegations will be omitted from the
* NSEC3
* chain, and all NSEC3 records will have the Opt-Out
* flag set.
* @param includedNames
* A list of names to include in the NSEC3 chain
* regardless. * regardless.
* @param salt * @param salt The salt to use for the NSEC3 hashing. null means no
* The salt to use for the NSEC3 hashing. null means no
* salt. * salt.
* @param iterations * @param iterations The number of iterations to use for the NSEC3
* The number of iterations to use for the NSEC3 hashing. * hashing.
* @param ds_digest_alg * @param dsDigestAlg The digest algorithm to use when generating DS
* The digest algorithm to use when generating DS
* records. * records.
* @param nsec3paramttl * @param nsec3paramttl The TTL to use for the generated NSEC3PARAM record.
* The TTL to use for the generated NSEC3PARAM record. * Negative values will use the SOA TTL.
* Negative
* values will use the SOA TTL.
* @return an ordered list of {@link org.xbill.DNS.Record} objects, * @return an ordered list of {@link org.xbill.DNS.Record} objects,
* representing the signed zone. * representing the signed zone.
* *
@ -542,16 +475,16 @@ public class JCEDnsSecSigner {
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs, List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs,
Instant start, Instant expire, boolean fullySignKeyset, Instant start, Instant expire, boolean fullySignKeyset,
boolean useOptOut, List<Name> includedNames, boolean useOptOut, List<Name> includedNames,
byte[] salt, int iterations, int ds_digest_alg, byte[] salt, int iterations, int dsDigestAlg,
long nsec3paramttl) throws IOException, long nsec3paramttl) throws IOException,
GeneralSecurityException { GeneralSecurityException {
if (useOptOut) { if (useOptOut) {
return signZone(zonename, records, kskpairs, zskpairs, start, expire, return signZone(zonename, records, kskpairs, zskpairs, start, expire,
fullySignKeyset, ds_digest_alg, NSEC3_OPTOUT_MODE, includedNames, fullySignKeyset, dsDigestAlg, NSEC3_OPTOUT_MODE, includedNames,
salt, iterations, nsec3paramttl, false); salt, iterations, nsec3paramttl, false);
} else { } else {
return signZone(zonename, records, kskpairs, zskpairs, start, expire, return signZone(zonename, records, kskpairs, zskpairs, start, expire,
fullySignKeyset, ds_digest_alg, NSEC3_MODE, null, salt, iterations, fullySignKeyset, dsDigestAlg, NSEC3_MODE, null, salt, iterations,
nsec3paramttl, false); nsec3paramttl, false);
} }
} }
@ -560,37 +493,25 @@ public class JCEDnsSecSigner {
* Given a zone, sign it using experimental Opt-In NSEC records (see RFC * Given a zone, sign it using experimental Opt-In NSEC records (see RFC
* 4956). * 4956).
* *
* @param zonename * @param zonename the name of the zone.
* the name of the zone. * @param records the records comprising the zone. They do not
* @param records * have to be in any particular order, as this
* the records comprising the zone. They do not have * method will order them as necessary.
* to be in any * @param kskpairs the key pairs that are designated as "key
* particular order, as this method will order them
* as necessary.
* @param kskpairs
* the key pairs that are designated as "key signing
* keys".
* @param zskpairs
* this key pairs that are designated as "zone
* signing keys". * signing keys".
* @param start * @param zskpairs this key pairs that are designated as "zone
* the RRSIG inception time. * signing keys".
* @param expire * @param start the RRSIG inception time.
* the RRSIG expiration time. * @param expire the RRSIG expiration time.
* @param useConservativeOptIn * @param useConservativeOptIn if true, Opt-In NSEC records will only be
* if true, Opt-In NSEC records will only be * generated if there are insecure, unsigned
* generated if there are * delegations in the span.
* insecure, unsigned delegations in the span. * @param fullySignKeyset sign the zone apex keyset with all available
* @param fullySignKeyset
* sign the zone apex keyset with all available
* keys. * keys.
* @param ds_digest_alg * @param dsDigestAlg The digest algorithm to use when generating DS
* The digest algorithm to use when generating DS
* records. * records.
* @param NSECIncludeNames * @param nsecIncludeNames names that are to be included in the NSEC chain
* names that are to be included in the NSEC chain * regardless. This may be null.
* regardless. This
* may be null.
* @return an ordered list of {@link org.xbill.DNS.Record} objects, * @return an ordered list of {@link org.xbill.DNS.Record} objects,
* representing the signed zone. * representing the signed zone.
*/ */
@ -598,12 +519,12 @@ public class JCEDnsSecSigner {
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs, List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs,
Instant start, Instant expire, Instant start, Instant expire,
boolean useConservativeOptIn, boolean useConservativeOptIn,
boolean fullySignKeyset, List<Name> NSECIncludeNames, boolean fullySignKeyset, List<Name> nsecIncludeNames,
int ds_digest_alg) throws IOException, int dsDigestAlg) throws IOException,
GeneralSecurityException { GeneralSecurityException {
return signZone(zonename, records, kskpairs, zskpairs, start, expire, return signZone(zonename, records, kskpairs, zskpairs, start, expire,
fullySignKeyset, ds_digest_alg, NSEC_EXP_OPT_IN, NSECIncludeNames, fullySignKeyset, dsDigestAlg, NSEC_EXP_OPT_IN, nsecIncludeNames,
null, 0, 0, useConservativeOptIn); null, 0, 0, useConservativeOptIn);
} }
} }

37
src/main/java/com/verisignlabs/dnssec/security/RecordComparator.java
View File

@ -33,6 +33,7 @@ import org.xbill.DNS.Type;
public class RecordComparator implements Comparator<Record> { public class RecordComparator implements Comparator<Record> {
public RecordComparator() { public RecordComparator() {
// nothing to initialize
} }
/** /**
@ -65,15 +66,15 @@ public class RecordComparator implements Comparator<Record> {
} }
private int compareRDATA(Record a, Record b) { private int compareRDATA(Record a, Record b) {
byte[] a_rdata = a.rdataToWireCanonical(); byte[] aRdata = a.rdataToWireCanonical();
byte[] b_rdata = b.rdataToWireCanonical(); byte[] bRdata = b.rdataToWireCanonical();
for (int i = 0; i < a_rdata.length && i < b_rdata.length; i++) { for (int i = 0; i < aRdata.length && i < bRdata.length; i++) {
int n = (a_rdata[i] & 0xFF) - (b_rdata[i] & 0xFF); int n = (aRdata[i] & 0xFF) - (bRdata[i] & 0xFF);
if (n != 0) if (n != 0)
return n; return n;
} }
return (a_rdata.length - b_rdata.length); return (aRdata.length - bRdata.length);
} }
public int compare(Record a, Record b) { public int compare(Record a, Record b) {
@ -88,27 +89,27 @@ public class RecordComparator implements Comparator<Record> {
if (res != 0) if (res != 0)
return res; return res;
int a_type = a.getType(); int aType = a.getType();
int b_type = b.getType(); int bType = b.getType();
int sig_type = 0; int sigType = 0;
if (a_type == Type.RRSIG) { if (aType == Type.RRSIG) {
a_type = ((RRSIGRecord) a).getTypeCovered(); aType = ((RRSIGRecord) a).getTypeCovered();
if (b_type != Type.RRSIG) if (bType != Type.RRSIG)
sig_type = 1; sigType = 1;
} }
if (b_type == Type.RRSIG) { if (bType == Type.RRSIG) {
b_type = ((RRSIGRecord) b).getTypeCovered(); bType = ((RRSIGRecord) b).getTypeCovered();
if (a.getType() != Type.RRSIG) if (a.getType() != Type.RRSIG)
sig_type = -1; sigType = -1;
} }
res = compareTypes(a_type, b_type); res = compareTypes(aType, bType);
if (res != 0) if (res != 0)
return res; return res;
if (sig_type != 0) if (sigType != 0)
return sig_type; return sigType;
return compareRDATA(a, b); return compareRDATA(a, b);
} }