diff --git a/src/com/verisignlabs/dnssec/cl/SignKeyset.java b/src/com/verisignlabs/dnssec/cl/SignKeyset.java
index 552844e..bdc395d 100644
--- a/src/com/verisignlabs/dnssec/cl/SignKeyset.java
+++ b/src/com/verisignlabs/dnssec/cl/SignKeyset.java
@@ -28,7 +28,6 @@ import java.util.List;
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.OptionBuilder;
 import org.apache.commons.cli.Options;
-import org.xbill.DNS.DNSSEC;
 import org.xbill.DNS.Name;
 import org.xbill.DNS.RRSIGRecord;
 import org.xbill.DNS.RRset;
@@ -186,11 +185,11 @@ public class SignKeyset extends CLBase
 // skip unsigned rrsets.
 if (!rrset.sigs().hasNext()) continue;
- int result = verifier.verify(rrset, null);
+ boolean result = verifier.verify(rrset);
- if (result != DNSSEC.Secure)
+ if (!result)
 {
- log.fine("Signatures did not verify for RRset: (" + result + "): " + rrset);
+ log.fine("Signatures did not verify for RRset: " + rrset);
 secure = false;
 }
 }
diff --git a/src/com/verisignlabs/dnssec/cl/SignRRset.java b/src/com/verisignlabs/dnssec/cl/SignRRset.java
index e27ae8d..b92898e 100644
--- a/src/com/verisignlabs/dnssec/cl/SignRRset.java
+++ b/src/com/verisignlabs/dnssec/cl/SignRRset.java
@@ -28,7 +28,6 @@ import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.OptionBuilder;
 import org.apache.commons.cli.Options;
-import org.xbill.DNS.DNSSEC;
 import org.xbill.DNS.Name;
 import org.xbill.DNS.RRSIGRecord;
 import org.xbill.DNS.RRset;
@@ -185,11 +184,11 @@ public class SignRRset extends CLBase
 // skip unsigned rrsets.
 if (!rrset.sigs().hasNext()) continue;
- int result = verifier.verify(rrset, null);
+ boolean result = verifier.verify(rrset);
- if (result != DNSSEC.Secure)
+ if (!result)
 {
- log.fine("Signatures did not verify for RRset: (" + result + "): " + rrset);
+ log.fine("Signatures did not verify for RRset: " + rrset);
 secure = false;
 }
 }
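Review bot: The post-signing verification loop rewritten here in SignKeyset is identical to the ones rewritten in SignRRset (the next hunk) and SignZone (the following file), so the way a failed RRset is reported now has to be kept in step in three places; a helper on CLBase that takes the verifier and the RRsets and returns the `secure` flag would leave one copy. The enclosing method continues outside the hunk, so I cannot see whether `secure == false` is surfaced to the user afterwards; if it is not, `log.fine` is the only evidence of a bad signature and is hidden at the default log level, in which case `log.warning` would be the safer level for a signing tool.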
diff --git a/src/com/verisignlabs/dnssec/cl/SignZone.java b/src/com/verisignlabs/dnssec/cl/SignZone.java
index 87700ca..47cbe04 100644
--- a/src/com/verisignlabs/dnssec/cl/SignZone.java
+++ b/src/com/verisignlabs/dnssec/cl/SignZone.java
@@ -34,7 +34,6 @@ import org.apache.commons.cli.Options;
 import org.apache.commons.cli.ParseException;
 import org.xbill.DNS.DNSKEYRecord;
-import org.xbill.DNS.DNSSEC;
 import org.xbill.DNS.DSRecord;
 import org.xbill.DNS.Name;
 import org.xbill.DNS.RRset;
@@ -343,11 +342,11 @@ public class SignZone extends CLBase
 // skip unsigned rrsets.
 if (!rrset.sigs().hasNext()) continue;
- int result = verifier.verify(rrset, null);
+ boolean result = verifier.verify(rrset);
- if (result != DNSSEC.Secure)
+ if (!result)
 {
- log.fine("Signatures did not verify for RRset: (" + result + "): " + rrset);
+ log.fine("Signatures did not verify for RRset: " + rrset);
 secure = false;
 }
 }
diff --git a/src/com/verisignlabs/dnssec/security/DnsKeyConverter.java b/src/com/verisignlabs/dnssec/security/DnsKeyConverter.java
index 053fc48..6de283e 100644
--- a/src/com/verisignlabs/dnssec/security/DnsKeyConverter.java
+++ b/src/com/verisignlabs/dnssec/security/DnsKeyConverter.java
@@ -45,8 +45,6 @@ import javax.crypto.spec.DHPrivateKeySpec;
 import org.xbill.DNS.DNSKEYRecord;
 import org.xbill.DNS.Name;
-import org.xbill.DNS.Record;
-import org.xbill.DNS.Type;
 import org.xbill.DNS.utils.base64;
 /**
diff --git a/src/com/verisignlabs/dnssec/security/DnsSecVerifier.java b/src/com/verisignlabs/dnssec/security/DnsSecVerifier.java
index bd1120b..68c480c 100644
--- a/src/com/verisignlabs/dnssec/security/DnsSecVerifier.java
+++ b/src/com/verisignlabs/dnssec/security/DnsSecVerifier.java
@@ -43,7 +43,7 @@ import org.xbill.DNS.*;
 * @author $Author$
 * @version $Revision$
 */
-public class DnsSecVerifier implements Verifier
+public class DnsSecVerifier
 {
 private class TrustedKeyStore
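Review bot: Dropping `implements Verifier` from DnsSecVerifier changes the class's public type, yet the class Javadoc directly above (only its `@author`/`@version` tags are visible in this hunk) is not touched; any code that still refers to the class through `Verifier` will stop compiling, and a reader of the Javadoc will not learn that the result contract is now a plain boolean. A sentence at the top of that Javadoc such as `Verification results are boolean; failure reasons, when wanted, are collected through the List argument of verifySignature.` would close the gap, and if the `Verifier` interface survives elsewhere in the project, say there why this class no longer implements it.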
@@ -157,47 +157,19 @@ public class DnsSecVerifier implements Verifier
 mIgnoreTime = v;
 }
- @SuppressWarnings("unchecked")
- private DnsKeyPair findCachedKey(Cache cache, Name name, int algorithm, int footprint)
+ private DnsKeyPair findKey(Name name, int algorithm, int footprint)
 {
- RRset[] keysets = cache.findAnyRecords(name, Type.KEY);
- if (keysets == null) return null;
-
- // look for the particular key
- // FIXME: this assumes that name+alg+footprint is unique.
- for (Iterator i = keysets[0].rrs(); i.hasNext();)
- {
- Record r = i.next();
- if (r.getType() != Type.DNSKEY) continue;
- DNSKEYRecord keyrec = (DNSKEYRecord) r;
- if (keyrec.getAlgorithm() == algorithm && keyrec.getFootprint() == footprint)
- {
- return new DnsKeyPair(keyrec, (PrivateKey) null);
- }
- }
-
- return null;
+ return mKeyStore.find(name, algorithm, footprint);
 }
- private DnsKeyPair findKey(Cache cache, Name name, int algorithm, int footprint)
+ private boolean validateSignature(RRset rrset, RRSIGRecord sigrec, List reasons)
 {
- DnsKeyPair pair = mKeyStore.find(name, algorithm, footprint);
- if (pair == null && cache != null)
- {
- pair = findCachedKey(cache, name, algorithm, footprint);
- }
-
- return pair;
- }
-
- private byte validateSignature(RRset rrset, RRSIGRecord sigrec, List reasons)
- {
- if (rrset == null || sigrec == null) return DNSSEC.Failed;
+ if (rrset == null || sigrec == null) return false;
 if (!rrset.getName().equals(sigrec.getName()))
 {
 log.fine("Signature name does not match RRset name");
 if (reasons != null) reasons.add("Signature name does not match RRset name");
- return DNSSEC.Failed;
+ return false;
 }
 if (rrset.getType() != sigrec.getTypeCovered())
 {
@@ -205,7 +177,7 @@ public class DnsSecVerifier implements Verifier
 if (reasons != null) reasons.add("Signature type does not match RRset type");
 }
- if (mIgnoreTime) return DNSSEC.Secure;
+ if (mIgnoreTime) return true;
 Date now = new Date();
 Date start = sigrec.getTimeSigned();
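Review bot: With the cache fallback removed, `findKey` is now a one-line pass-through to `mKeyStore.find`, so the trusted key store has become the sole source of DNSKEYs for verification and nothing in the hunk says so. Either inline the call at its single use in verifySignature or keep the method and give it a comment stating the new contract, e.g. `// Keys are looked up only in the explicitly trusted key store; there is no cache fallback.` Since the raw `List reasons` parameter is being retyped anyway, `List<String> reasons` would also let the `reasons.add(...)` calls compile without the unchecked warning the file already suppresses elsewhere.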
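Review bot: The type-covered mismatch branch of validateSignature straddles the two hunks and, unlike the name-mismatch branch just above it, records a reason but does not appear to reject the signature: the `}` at the top of this second hunk follows the `reasons.add(...)` directly, and only one unseen line (old 204, presumably the matching `log.fine`) sits between the hunks. A signature whose Type Covered differs from the RRset type should fail closed like the name check does, so add `return false;` after `reasons.add("Signature type does not match RRset type");` unless the hidden line already does so. The cryptographic check later may well catch the mismatch anyway, but this explicit check currently only logs.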
@@ -221,7 +193,7 @@ public class DnsSecVerifier implements Verifier
 {
 log.fine("Signature is not yet valid");
 if (reasons != null) reasons.add("Signature not yet valid");
- return DNSSEC.Failed;
+ return false;
 }
 }
@@ -235,39 +207,37 @@ public class DnsSecVerifier implements Verifier
 {
 log.fine("Signature has expired (now = " + now + ", sig expires = " + expire);
 if (reasons != null) reasons.add("Signature has expired.");
- return DNSSEC.Failed;
+ return false;
 }
 }
- return DNSSEC.Secure;
+ return true;
 }
- public byte verifySignature(RRset rrset, RRSIGRecord sigrec, Cache cache)
+ public boolean verifySignature(RRset rrset, RRSIGRecord sigrec)
 {
- return verifySignature(rrset, sigrec, cache, null);
+ return verifySignature(rrset, sigrec, null);
 }
 /**
 * Verify an RRset against a particular signature.
 *
- * @return DNSSEC.Secure if the signature verified, DNSSEC.Failed if it did
- * not verify (for any reason), and DNSSEC.Insecure if verification
- * could not be completed (usually because the public key was not
- * available).
+ * @return true if the signature verified, false if it did
+ * not verify (for any reason, including not finding the DNSKEY.)
 */
- public byte verifySignature(RRset rrset, RRSIGRecord sigrec, Cache cache, List reasons)
+ public boolean verifySignature(RRset rrset, RRSIGRecord sigrec, List reasons)
 {
- byte result = validateSignature(rrset, sigrec, reasons);
- if (result != DNSSEC.Secure) return result;
+ boolean result = validateSignature(rrset, sigrec, reasons);
+ if (!result) return result;
- DnsKeyPair keypair = findKey(cache, sigrec.getSigner(), sigrec.getAlgorithm(),
+ DnsKeyPair keypair = findKey(sigrec.getSigner(), sigrec.getAlgorithm(),
 sigrec.getFootprint());
 if (keypair == null)
 {
 if (reasons != null) reasons.add("Could not find matching trusted key");
 log.fine("could not find matching trusted key");
- return DNSSEC.Insecure;
+ return false;
 }
 try
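Review bot: The new Javadoc on the three-argument verifySignature should say that `reasons` is now the only way to tell a missing trusted key (and the exception path later in the method) from a cryptographically bad signature, since the former Insecure outcome is folded into `false` and the two-argument overload discards that distinction entirely; add `@param reasons if non-null, receives a human-readable reason for each failure; pass null to discard` and `@param rrset the RRset to check` / `@param sigrec the RRSIG covering it`. The `@return` text also ends with `DNSKEY.)`, which should be `DNSKEY).`. Minor style: `if (!result) return result;` reads more directly as `if (!result) return false;`. The method continues past the end of the hunk.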
@@ -290,10 +260,10 @@ public class DnsSecVerifier implements Verifier
 {
 if (reasons != null) reasons.add("Signature failed to verify cryptographically");
 log.fine("Signature failed to verify cryptographically");
- return DNSSEC.Failed;
+ return false;
 }
- return DNSSEC.Secure;
+ return true;
 }
 catch (IOException e)
 {
@@ -305,39 +275,38 @@ public class DnsSecVerifier implements Verifier
 }
 if (reasons != null) reasons.add("Signature failed to verify due to exception");
 log.fine("Signature failed to verify due to exception");
- return DNSSEC.Insecure;
+ return false;
 }
 /**
 * Verifies an RRset. This routine does not modify the RRset.
 *
- * @return DNSSEC.Secure if the set verified, DNSSEC.Failed if it did not, and
- * DNSSEC.Insecure if verification could not complete.
+ * @return true if the set verified, false if it did not.
 */
 @SuppressWarnings("unchecked")
- public int verify(RRset rrset, Cache cache)
+ public boolean verify(RRset rrset)
 {
- int result = mVerifyAllSigs ? DNSSEC.Secure : DNSSEC.Insecure;
+ boolean result = mVerifyAllSigs ? true : false;
 Iterator i = rrset.sigs();
 if (!i.hasNext())
 {
 log.fine("RRset failed to verify due to lack of signatures");
- return DNSSEC.Insecure;
+ return false;
 }
 while (i.hasNext())
 {
 RRSIGRecord sigrec = (RRSIGRecord) i.next();
- byte res = verifySignature(rrset, sigrec, cache);
+ boolean res = verifySignature(rrset, sigrec);
- if (!mVerifyAllSigs && res == DNSSEC.Secure) return res;
+ // If not requiring all signature to validate, then any successful validation is sufficient.
+ if (!mVerifyAllSigs && res) return res;
- if (!mVerifyAllSigs && res < result) result = res;
-
- if (mVerifyAllSigs && res != DNSSEC.Secure && res < result)
+ // Otherwise, note if a signature failed to validate.
+ if (mVerifyAllSigs && !res)
 {
 result = res;
 }
diff --git a/src/com/verisignlabs/dnssec/security/ZoneVerifier.java b/src/com/verisignlabs/dnssec/security/ZoneVerifier.java
index 1aff75d..f376643 100644
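Review bot: In verify, `boolean result = mVerifyAllSigs ? true : false;` is just `boolean result = mVerifyAllSigs;`, and inside the `mVerifyAllSigs && !res` branch `result = res;` always assigns false, so `result = false;` states the intent plainly. The semantics are right for a fail-closed check (all-signatures mode starts true and any failure clears it; any-signature mode starts false and only a success returns true), and the new Javadoc should say exactly that, e.g. `@return true if every signature verified (when all signatures are required) or at least one did (otherwise); false for an unsigned RRset.` The added comment also has a typo: `all signature` should be `all signatures`. The loop's tail lies outside the hunk.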
--- a/src/com/verisignlabs/dnssec/security/ZoneVerifier.java
+++ b/src/com/verisignlabs/dnssec/security/ZoneVerifier.java
@@ -33,7 +33,6 @@ import java.util.TreeMap;
 import java.util.logging.Logger;
 import org.xbill.DNS.DNSKEYRecord;
-import org.xbill.DNS.DNSSEC;
 import org.xbill.DNS.NSEC3PARAMRecord;
 import org.xbill.DNS.NSEC3Record;
 import org.xbill.DNS.NSECRecord;
@@ -354,24 +353,24 @@ public class ZoneVerifier
 private int processRRset(RRset rrset)
 {
 List reasons = new ArrayList();
- int result = DNSSEC.Failed;
+ boolean result = false;
 for (Iterator i = rrset.sigs(); i.hasNext();)
 {
 RRSIGRecord sigrec = (RRSIGRecord) i.next();
- byte res = mVerifier.verifySignature(rrset, sigrec, null, reasons);
- if (res != DNSSEC.Secure)
+ boolean res = mVerifier.verifySignature(rrset, sigrec, reasons);
+ if (!res)
 {
 log.warning("Signature failed to verify RRset:\n rr: " + ZoneUtils.rrsetToString(rrset, false) + "\n sig: " + sigrec + "\n" + reasonListToString(reasons));
 }
- if (res > result) result = res;
+ if (res) result = res;
 }
 String rrsetname = rrset.getName() + "/" + Type.string(rrset.getType());
- if (result == DNSSEC.Secure)
+ if (result)
 {
 log.fine("RRset " + rrsetname + " verified.");
 }
@@ -380,7 +379,7 @@ public class ZoneVerifier
 log.warning("RRset " + rrsetname + " did not verify.");
 }
- return result == DNSSEC.Secure ? 0 : 1;
+ return result ? 0 : 1;
 }
 private String typesToString(int[] types)
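Review bot: In processRRset the `reasons` list is created once before the loop and passed to every verifySignature call but never cleared, so the warning for a second failing signature repeats the first signature's reasons as well as its own; `reasons.clear();` at the top of the loop body keeps each warning specific to its RRSIG. Note that this makes the method accept the RRset when any one signature verifies (`if (res) result = res;`), which is looser than the all-signatures mode DnsSecVerifier.verify offers; if that is intended, a comment saying so would help, and the update itself reads more directly as `result |= res;`. The helper `reasonListToString` is outside the hunk.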