Merge changes from experimental branch 2255:2273.

git-svn-id: https://svn.verisignlabs.com/jdnssec/tools/trunk@172 4cbd57fe-54e5-0310-bd9a-f30fe5ea5e6e

src/com/verisignlabs/dnssec/security/DnsSecVerifier.java

@@ -95,7 +95,10 @@ public class DnsSecVerifier implements Verifier
       {
         DnsKeyPair p = (DnsKeyPair) i.next();
         if (p.getDNSKEYAlgorithm() == algorithm
-            && p.getDNSKEYFootprint() == keyid) { return p; }
+            && p.getDNSKEYFootprint() == keyid)
+        {
+          return p;
+        }
       }
       return null;
     }
@@ -164,8 +167,10 @@ public class DnsSecVerifier implements Verifier
       if (!(o instanceof DNSKEYRecord)) continue;
       DNSKEYRecord keyrec = (DNSKEYRecord) o;
       if (keyrec.getAlgorithm() == algorithm
-          && keyrec.getFootprint() == footprint) { return new DnsKeyPair(
-          keyrec, (PrivateKey) null); }
+          && keyrec.getFootprint() == footprint)
+      {
+        return new DnsKeyPair(keyrec, (PrivateKey) null);
+      }
     }
 
     return null;
@@ -183,17 +188,21 @@ public class DnsSecVerifier implements Verifier
     return pair;
   }
 
-  private byte validateSignature(RRset rrset, RRSIGRecord sigrec)
+  private byte validateSignature(RRset rrset, RRSIGRecord sigrec, List reasons)
   {
     if (rrset == null || sigrec == null) return DNSSEC.Failed;
     if (!rrset.getName().equals(sigrec.getName()))
     {
-      log.info("Signature name does not match RRset name");
+      log.fine("Signature name does not match RRset name");
+      if (reasons != null)
+        reasons.add("Signature name does not match RRset name");
       return DNSSEC.Failed;
     }
     if (rrset.getType() != sigrec.getTypeCovered())
     {
-      log.info("Signature type does not match RRset type");
+      log.fine("Signature type does not match RRset type");
+      if (reasons != null)
+        reasons.add("Signature type does not match RRset type");
     }
 
     Date now = new Date();
@@ -208,7 +217,8 @@ public class DnsSecVerifier implements Verifier
       }
       if (now.before(start))
       {
-        log.info("Signature is not yet valid");
+        log.fine("Signature is not yet valid");
+        if (reasons != null) reasons.add("Signature not yet valid");
         return DNSSEC.Failed;
       }
     }
@@ -221,8 +231,9 @@ public class DnsSecVerifier implements Verifier
       }
       if (now.after(expire))
       {
-        log.info("Signature has expired (now = " + now + ", sig expires = "
+        log.fine("Signature has expired (now = " + now + ", sig expires = "
             + expire);
+        if (reasons != null) reasons.add("Signature has expired.");
         return DNSSEC.Failed;
       }
     }
@@ -230,25 +241,32 @@ public class DnsSecVerifier implements Verifier
     return DNSSEC.Secure;
   }
 
+  public byte verifySignature(RRset rrset, RRSIGRecord sigrec, Cache cache)
+  {
+    return verifySignature(rrset, sigrec, cache, null);
+  }
+
   /**
    * Verify an RRset against a particular signature.
    * 
-   * @return DNSSEC.Secure if the signature verfied, DNSSEC.Failed if it did not
-   *         verify (for any reason), and DNSSEC.Insecure if verification could
-   *         not be completed (usually because the public key was not
+   * @return DNSSEC.Secure if the signature verified, DNSSEC.Failed if it did
+   *         not verify (for any reason), and DNSSEC.Insecure if verification
+   *         could not be completed (usually because the public key was not
    *         available).
    */
-  public byte verifySignature(RRset rrset, RRSIGRecord sigrec, Cache cache)
+  public byte verifySignature(RRset rrset, RRSIGRecord sigrec, Cache cache,
+                              List reasons)
   {
-    byte result = validateSignature(rrset, sigrec);
+    byte result = validateSignature(rrset, sigrec, reasons);
     if (result != DNSSEC.Secure) return result;
 
-    DnsKeyPair keypair = findKey(cache, sigrec.getSigner(),
-                                 sigrec.getAlgorithm(), sigrec.getFootprint());
+    DnsKeyPair keypair = findKey(cache, sigrec.getSigner(), sigrec
+        .getAlgorithm(), sigrec.getFootprint());
 
     if (keypair == null)
     {
-      log.info("could not find appropriate key");
+      if (reasons != null) reasons.add("Could not find matching trusted key");
+      log.fine("could not find matching trusted key");
       return DNSSEC.Insecure;
     }
 
@@ -270,7 +288,9 @@ public class DnsSecVerifier implements Verifier
 
       if (!signer.verify(sig))
       {
-        log.info("Signature failed to verify cryptographically");
+        if (reasons != null)
+          reasons.add("Signature failed to verify cryptographically");
+        log.fine("Signature failed to verify cryptographically");
         return DNSSEC.Failed;
       }
 
@@ -284,7 +304,8 @@ public class DnsSecVerifier implements Verifier
     {
       log.severe("Security error: " + e);
     }
-
+    if (reasons != null)
+      reasons.add("Signature failed to verify due to exception");
     log.fine("Signature failed to verify due to exception");
     return DNSSEC.Insecure;
   }
@@ -303,7 +324,7 @@ public class DnsSecVerifier implements Verifier
 
     if (!i.hasNext())
     {
-      log.info("RRset failed to verify due to lack of signatures");
+      log.fine("RRset failed to verify due to lack of signatures");
       return DNSSEC.Insecure;
     }
 

src/com/verisignlabs/dnssec/security/JCEDnsSecSigner.java

@@ -128,7 +128,7 @@ public class JCEDnsSecSigner
     if (keypairs.size() == 0) return null;
 
     // first, pre-calculate the RRset bytes.
-    byte[] rrset_data = SignUtils.generateCanonicalRRsetData(rrset);
+    byte[] rrset_data = SignUtils.generateCanonicalRRsetData(rrset, 0, 0);
 
     ArrayList sigs = new ArrayList(keypairs.size());
 

src/com/verisignlabs/dnssec/security/SignUtils.java

@@ -149,24 +149,61 @@ public class SignUtils
     return image.toByteArray();
   }
 
+
   /**
    * Calculate the canonical wire line format of the RRset.
    * 
    * @param rrset
-   *          the RRset to convert.
-   * @return the canonical wire line format of the RRset. This is the second
+   *            the RRset to convert.
+   * @param ttl
+   *            the TTL to use when canonicalizing -- this is generally the
+   *            TTL of the signature if there is a pre-existing signature. If
+   *            not it is just the ttl of the rrset itself.
+   * @param labels
+   *            the labels field of the signature, or 0.
+   * @return the canonical wire line format of the rrset. This is the second
    *         part of data to be signed.
    */
-  public static byte[] generateCanonicalRRsetData(RRset rrset)
+  public static byte[] generateCanonicalRRsetData(RRset rrset, long ttl,
+                                                  int labels)
   {
     DNSOutput image = new DNSOutput();
 
-    // now convert load the wire format records in the RRset into a
+    if (ttl == 0) ttl = rrset.getTTL();
+    Name n = rrset.getName();
+    if (labels == 0)
+    {
+      labels = n.labels();
+    }
+    else
+    {
+      // correct for Name()'s conception of label count.
+      labels++;
+    }
+    boolean wildcardName = false;
+    if (n.labels() != labels)
+    {
+      n = n.wild(n.labels() - labels);
+      wildcardName = true;
+      log.fine("Detected wildcard expansion: " + rrset.getName()
+          + " changed to " + n);
+    }
+
+    // now convert the wire format records in the RRset into a
     // list of byte arrays.
     ArrayList canonical_rrs = new ArrayList();
     for (Iterator i = rrset.rrs(); i.hasNext();)
     {
       Record r = (Record) i.next();
+      if (r.getTTL() != ttl || wildcardName)
+      {
+        // If necessary, we need to create a new record with a new ttl
+        // or ownername.
+        // In the TTL case, this avoids changing the ttl in the
+        // response.
+        r = Record.newRecord(n, r.getType(), r.getDClass(), ttl, r
+            .rdataToWireCanonical());
+      }
       byte[] wire_fmt = r.toWireCanonical();
       canonical_rrs.add(wire_fmt);
     }
@@ -202,7 +239,9 @@ public class SignUtils
   public static byte[] generateSigData(RRset rrset, RRSIGRecord presig)
       throws IOException
   {
-    byte[] rrset_data = generateCanonicalRRsetData(rrset);
+    byte[] rrset_data = generateCanonicalRRsetData(rrset,
+                                                   presig.getOrigTTL(),
+                                                   presig.getLabels());
 
     return generateSigData(rrset_data, presig);
   }

src/com/verisignlabs/dnssec/security/ZoneUtils.java

@@ -138,23 +138,23 @@ public class ZoneUtils
 
     return null;
   }
-  
+
   public static List findRRs(List records, Name name, int type)
   {
     List res = new ArrayList();
     for (Iterator i = records.iterator(); i.hasNext();)
     {
       Object o = i.next();
-      
+
       if (o instanceof Record)
       {
         Record r = (Record) o;
-        if (r.getName().equals(name) && r.getType() == type) 
+        if (r.getName().equals(name) && r.getType() == type)
         {
           res.add(r);
         }
-              }
-      else if (o instanceof RRset) 
+      }
+      else if (o instanceof RRset)
       {
         RRset r = (RRset) o;
         if (r.getName().equals(name) && r.getType() == type)
@@ -166,9 +166,30 @@ public class ZoneUtils
         }
       }
     }
-    
+
     return res;
   }
-  
-}
 
+  /** This is an alternate way to format an RRset into a string */
+  public static String rrsetToString(RRset rrset, boolean includeSigs)
+  {
+    StringBuffer out = new StringBuffer();
+
+    for (Iterator i = rrset.rrs(false); i.hasNext();)
+    {
+      Record r = (Record) i.next();
+      out.append(r.toString());
+      out.append("\n");
+    }
+    if (includeSigs)
+    {
+      for (Iterator i = rrset.sigs(); i.hasNext();)
+      {
+        Record r = (Record) i.next();
+        out.append(r.toString());
+        out.append("\n");
+      }
+    }
+    return out.toString();
+  }
+}