From ca7f10bd07df8130e9f0d5f7cfc43ca37461064d Mon Sep 17 00:00:00 2001
From: David Blacka
Date: Sat, 26 May 2012 15:40:15 -0400
Subject: [PATCH] Instead of using DNSSEC.Secure, DNSSEC.Failed, etc, just use boolean results. This means we lose the idea of Insecure, but that wasn't effectively being used anyway. Further, remove any use of the DNSJava Cache class -- that also wasn't being used.
---
 .../verisignlabs/dnssec/cl/SignKeyset.java | 7 +-
 src/com/verisignlabs/dnssec/cl/SignRRset.java | 7 +-
 src/com/verisignlabs/dnssec/cl/SignZone.java | 7 +-
 .../dnssec/security/DnsKeyConverter.java | 2 -
 .../dnssec/security/DnsSecVerifier.java | 93 +++++++------------
 .../dnssec/security/ZoneVerifier.java | 13 ++-
 6 files changed, 46 insertions(+), 83 deletions(-)
diff --git a/src/com/verisignlabs/dnssec/cl/SignKeyset.java b/src/com/verisignlabs/dnssec/cl/SignKeyset.java
index 552844e..bdc395d 100644
--- a/src/com/verisignlabs/dnssec/cl/SignKeyset.java
+++ b/src/com/verisignlabs/dnssec/cl/SignKeyset.java
@@ -28,7 +28,6 @@ import java.util.List;
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.OptionBuilder;
 import org.apache.commons.cli.Options;
-import org.xbill.DNS.DNSSEC;
 import org.xbill.DNS.Name;
 import org.xbill.DNS.RRSIGRecord;
 import org.xbill.DNS.RRset;
@@ -186,11 +185,11 @@ public class SignKeyset extends CLBase
 // skip unsigned rrsets.
 if (!rrset.sigs().hasNext()) continue;
- int result = verifier.verify(rrset, null);
+ boolean result = verifier.verify(rrset);
- if (result != DNSSEC.Secure)
+ if (!result)
 {
- log.fine("Signatures did not verify for RRset: (" + result + "): " + rrset);
+ log.fine("Signatures did not verify for RRset: " + rrset);
 secure = false;
 }
 }
diff --git a/src/com/verisignlabs/dnssec/cl/SignRRset.java b/src/com/verisignlabs/dnssec/cl/SignRRset.java
index e27ae8d..b92898e 100644
--- a/src/com/verisignlabs/dnssec/cl/SignRRset.java
+++ b/src/com/verisignlabs/dnssec/cl/SignRRset.java
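Review bot: The failure path in SignKeyset's verification loop (and the identical loops changed in SignRRset.java and SignZone.java) reports a failed signature check only at `fine`, and with the result code removed from the message the line no longer hints at the cause. ZoneVerifier.processRRset in this same patch logs the equivalent condition with `log.warning`, so I would make the three call sites consistent: `log.warning("Signatures did not verify for RRset: " + rrset);`. The local is no longer needed either, `if (!verifier.verify(rrset))`. What the caller does with `secure == false` is outside the hunk, so the level may already be compensated for there.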
@@ -28,7 +28,6 @@ import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.OptionBuilder;
 import org.apache.commons.cli.Options;
-import org.xbill.DNS.DNSSEC;
 import org.xbill.DNS.Name;
 import org.xbill.DNS.RRSIGRecord;
 import org.xbill.DNS.RRset;
@@ -185,11 +184,11 @@ public class SignRRset extends CLBase
 // skip unsigned rrsets.
 if (!rrset.sigs().hasNext()) continue;
- int result = verifier.verify(rrset, null);
+ boolean result = verifier.verify(rrset);
- if (result != DNSSEC.Secure)
+ if (!result)
 {
- log.fine("Signatures did not verify for RRset: (" + result + "): " + rrset);
+ log.fine("Signatures did not verify for RRset: " + rrset);
 secure = false;
 }
 }
diff --git a/src/com/verisignlabs/dnssec/cl/SignZone.java b/src/com/verisignlabs/dnssec/cl/SignZone.java
index 87700ca..47cbe04 100644
--- a/src/com/verisignlabs/dnssec/cl/SignZone.java
+++ b/src/com/verisignlabs/dnssec/cl/SignZone.java
@@ -34,7 +34,6 @@ import org.apache.commons.cli.Options;
 import org.apache.commons.cli.ParseException;
 import org.xbill.DNS.DNSKEYRecord;
-import org.xbill.DNS.DNSSEC;
 import org.xbill.DNS.DSRecord;
 import org.xbill.DNS.Name;
 import org.xbill.DNS.RRset;
@@ -343,11 +342,11 @@ public class SignZone extends CLBase
 // skip unsigned rrsets.
 if (!rrset.sigs().hasNext()) continue;
- int result = verifier.verify(rrset, null);
+ boolean result = verifier.verify(rrset);
- if (result != DNSSEC.Secure)
+ if (!result)
 {
- log.fine("Signatures did not verify for RRset: (" + result + "): " + rrset);
+ log.fine("Signatures did not verify for RRset: " + rrset);
 secure = false;
 }
 }
diff --git a/src/com/verisignlabs/dnssec/security/DnsKeyConverter.java b/src/com/verisignlabs/dnssec/security/DnsKeyConverter.java
index 053fc48..6de283e 100644
--- a/src/com/verisignlabs/dnssec/security/DnsKeyConverter.java
+++ b/src/com/verisignlabs/dnssec/security/DnsKeyConverter.java
@@ -45,8 +45,6 @@ import javax.crypto.spec.DHPrivateKeySpec;
 import org.xbill.DNS.DNSKEYRecord;
 import org.xbill.DNS.Name;
-import org.xbill.DNS.Record;
-import org.xbill.DNS.Type;
 import org.xbill.DNS.utils.base64;
 /**
diff --git a/src/com/verisignlabs/dnssec/security/DnsSecVerifier.java b/src/com/verisignlabs/dnssec/security/DnsSecVerifier.java
index bd1120b..68c480c 100644
--- a/src/com/verisignlabs/dnssec/security/DnsSecVerifier.java
+++ b/src/com/verisignlabs/dnssec/security/DnsSecVerifier.java
@@ -43,7 +43,7 @@ import org.xbill.DNS.*;
 * @author $Author$
 * @version $Revision$
 */
-public class DnsSecVerifier implements Verifier
+public class DnsSecVerifier
 {
 private class TrustedKeyStore
@@ -157,47 +157,19 @@ public class DnsSecVerifier implements Verifier
 mIgnoreTime = v;
 }
- @SuppressWarnings("unchecked")
- private DnsKeyPair findCachedKey(Cache cache, Name name, int algorithm, int footprint)
+ private DnsKeyPair findKey(Name name, int algorithm, int footprint)
 {
- RRset[] keysets = cache.findAnyRecords(name, Type.KEY);
- if (keysets == null) return null;
-
- // look for the particular key
- // FIXME: this assumes that name+alg+footprint is unique.
- for (Iterator i = keysets[0].rrs(); i.hasNext();)
- {
- Record r = i.next();
- if (r.getType() != Type.DNSKEY) continue;
- DNSKEYRecord keyrec = (DNSKEYRecord) r;
- if (keyrec.getAlgorithm() == algorithm && keyrec.getFootprint() == footprint)
- {
- return new DnsKeyPair(keyrec, (PrivateKey) null);
- }
- }
-
- return null;
+ return mKeyStore.find(name, algorithm, footprint);
 }
- private DnsKeyPair findKey(Cache cache, Name name, int algorithm, int footprint)
+ private boolean validateSignature(RRset rrset, RRSIGRecord sigrec, List reasons)
 {
- DnsKeyPair pair = mKeyStore.find(name, algorithm, footprint);
- if (pair == null && cache != null)
- {
- pair = findCachedKey(cache, name, algorithm, footprint);
- }
-
- return pair;
- }
-
- private byte validateSignature(RRset rrset, RRSIGRecord sigrec, List reasons)
- {
- if (rrset == null || sigrec == null) return DNSSEC.Failed;
+ if (rrset == null || sigrec == null) return false;
 if (!rrset.getName().equals(sigrec.getName()))
 {
 log.fine("Signature name does not match RRset name");
 if (reasons != null) reasons.add("Signature name does not match RRset name");
- return DNSSEC.Failed;
+ return false;
 }
 if (rrset.getType() != sigrec.getTypeCovered())
 {
@@ -205,7 +177,7 @@ public class DnsSecVerifier implements Verifier
 if (reasons != null) reasons.add("Signature type does not match RRset type");
 }
- if (mIgnoreTime) return DNSSEC.Secure;
+ if (mIgnoreTime) return true;
 Date now = new Date();
 Date start = sigrec.getTimeSigned();
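Review bot: In validateSignature the type-covered mismatch branch (`rrset.getType() != sigrec.getTypeCovered()`, which opens at the end of the first hunk and closes at the start of the second) records a reason but never returns, unlike the name-mismatch branch just above it, which ends in `return false;`. Execution falls through to `if (mIgnoreTime) return true;`, so a signature covering a different type is handed on to the cryptographic check instead of being rejected here. That later check probably fails for such a signature, but it depends on how the signed data is assembled outside this patch; add `return false;` after the `reasons.add("Signature type does not match RRset type");` line. One line of the branch sits between the two hunks and is not shown, and the function body continues past the end of the second hunk.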
@@ -221,7 +193,7 @@ public class DnsSecVerifier implements Verifier
 {
 log.fine("Signature is not yet valid");
 if (reasons != null) reasons.add("Signature not yet valid");
- return DNSSEC.Failed;
+ return false;
 }
 }
@@ -235,39 +207,37 @@ public class DnsSecVerifier implements Verifier
 {
 log.fine("Signature has expired (now = " + now + ", sig expires = " + expire);
 if (reasons != null) reasons.add("Signature has expired.");
- return DNSSEC.Failed;
+ return false;
 }
 }
- return DNSSEC.Secure;
+ return true;
 }
- public byte verifySignature(RRset rrset, RRSIGRecord sigrec, Cache cache)
+ public boolean verifySignature(RRset rrset, RRSIGRecord sigrec)
 {
- return verifySignature(rrset, sigrec, cache, null);
+ return verifySignature(rrset, sigrec, null);
 }
 /**
 * Verify an RRset against a particular signature.
 *
- * @return DNSSEC.Secure if the signature verified, DNSSEC.Failed if it did
- * not verify (for any reason), and DNSSEC.Insecure if verification
- * could not be completed (usually because the public key was not
- * available).
+ * @return true if the signature verified, false if it did
+ * not verify (for any reason, including not finding the DNSKEY.)
 */
- public byte verifySignature(RRset rrset, RRSIGRecord sigrec, Cache cache, List reasons)
+ public boolean verifySignature(RRset rrset, RRSIGRecord sigrec, List reasons)
 {
- byte result = validateSignature(rrset, sigrec, reasons);
- if (result != DNSSEC.Secure) return result;
+ boolean result = validateSignature(rrset, sigrec, reasons);
+ if (!result) return result;
- DnsKeyPair keypair = findKey(cache, sigrec.getSigner(), sigrec.getAlgorithm(),
+ DnsKeyPair keypair = findKey(sigrec.getSigner(), sigrec.getAlgorithm(),
 sigrec.getFootprint());
 if (keypair == null)
 {
 if (reasons != null) reasons.add("Could not find matching trusted key");
 log.fine("could not find matching trusted key");
- return DNSSEC.Insecure;
+ return false;
 }
 try
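Review bot: The Javadoc on the three-argument verifySignature documents only the return value, yet with the three-valued result gone the `reasons` list is the only way a caller can tell a missing trusted key from an expired or mismatched signature. I would document it, for example `@param reasons if non-null, a human-readable cause is appended when a check fails; the list is never cleared by this method`. `if (!result) return result;` also reads more plainly as `if (!validateSignature(rrset, sigrec, reasons)) return false;`. The method body runs on past the `try` that ends the hunk.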
@@ -290,10 +260,10 @@ public class DnsSecVerifier implements Verifier
 {
 if (reasons != null) reasons.add("Signature failed to verify cryptographically");
 log.fine("Signature failed to verify cryptographically");
- return DNSSEC.Failed;
+ return false;
 }
- return DNSSEC.Secure;
+ return true;
 }
 catch (IOException e)
 {
@@ -305,39 +275,38 @@ public class DnsSecVerifier implements Verifier
 }
 if (reasons != null) reasons.add("Signature failed to verify due to exception");
 log.fine("Signature failed to verify due to exception");
- return DNSSEC.Insecure;
+ return false;
 }
 /**
 * Verifies an RRset. This routine does not modify the RRset.
 *
- * @return DNSSEC.Secure if the set verified, DNSSEC.Failed if it did not, and
- * DNSSEC.Insecure if verification could not complete.
+ * @return true if the set verified, false if it did not.
 */
 @SuppressWarnings("unchecked")
- public int verify(RRset rrset, Cache cache)
+ public boolean verify(RRset rrset)
 {
- int result = mVerifyAllSigs ? DNSSEC.Secure : DNSSEC.Insecure;
+ boolean result = mVerifyAllSigs ? true : false;
 Iterator i = rrset.sigs();
 if (!i.hasNext())
 {
 log.fine("RRset failed to verify due to lack of signatures");
- return DNSSEC.Insecure;
+ return false;
 }
 while (i.hasNext())
 {
 RRSIGRecord sigrec = (RRSIGRecord) i.next();
- byte res = verifySignature(rrset, sigrec, cache);
+ boolean res = verifySignature(rrset, sigrec);
- if (!mVerifyAllSigs && res == DNSSEC.Secure) return res;
+ // If not requiring all signature to validate, then any successful validation is sufficient.
+ if (!mVerifyAllSigs && res) return res;
- if (!mVerifyAllSigs && res < result) result = res;
-
- if (mVerifyAllSigs && res != DNSSEC.Secure && res < result)
+ // Otherwise, note if a signature failed to validate.
+ if (mVerifyAllSigs && !res)
 {
 result = res;
 }
diff --git a/src/com/verisignlabs/dnssec/security/ZoneVerifier.java b/src/com/verisignlabs/dnssec/security/ZoneVerifier.java
index 1aff75d..f376643 100644
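Review bot: `boolean result = mVerifyAllSigs ? true : false;` in verify() is simply `boolean result = mVerifyAllSigs;`, and `result = res;` inside `if (mVerifyAllSigs && !res)` can only ever assign false, so `result = false;` states what is meant. The new comment also has a typo, "all signature" for "all signatures". Since the policy is now a plain all-of or any-of decision, the Javadoc should say so: with mVerifyAllSigs every RRSIG must validate, otherwise one valid RRSIG is enough, and an RRset without signatures returns false. The end of the loop and the final return lie beyond the hunk.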
--- a/src/com/verisignlabs/dnssec/security/ZoneVerifier.java
+++ b/src/com/verisignlabs/dnssec/security/ZoneVerifier.java
@@ -33,7 +33,6 @@ import java.util.TreeMap;
 import java.util.logging.Logger;
 import org.xbill.DNS.DNSKEYRecord;
-import org.xbill.DNS.DNSSEC;
 import org.xbill.DNS.NSEC3PARAMRecord;
 import org.xbill.DNS.NSEC3Record;
 import org.xbill.DNS.NSECRecord;
@@ -354,24 +353,24 @@ public class ZoneVerifier
 private int processRRset(RRset rrset)
 {
 List reasons = new ArrayList();
- int result = DNSSEC.Failed;
+ boolean result = false;
 for (Iterator i = rrset.sigs(); i.hasNext();)
 {
 RRSIGRecord sigrec = (RRSIGRecord) i.next();
- byte res = mVerifier.verifySignature(rrset, sigrec, null, reasons);
- if (res != DNSSEC.Secure)
+ boolean res = mVerifier.verifySignature(rrset, sigrec, reasons);
+ if (!res)
 {
 log.warning("Signature failed to verify RRset:\n rr: " + ZoneUtils.rrsetToString(rrset, false) + "\n sig: " + sigrec + "\n" + reasonListToString(reasons));
 }
- if (res > result) result = res;
+ if (res) result = res;
 }
 String rrsetname = rrset.getName() + "/" + Type.string(rrset.getType());
- if (result == DNSSEC.Secure)
+ if (result)
 {
 log.fine("RRset " + rrsetname + " verified.");
 }
@@ -380,7 +379,7 @@ public class ZoneVerifier
 log.warning("RRset " + rrsetname + " did not verify.");
 }
- return result == DNSSEC.Secure ? 0 : 1;
+ return result ? 0 : 1;
 }
 private String typesToString(int[] types)
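Review bot: In processRRset the `reasons` list is created once before the loop and handed to every `verifySignature` call, so from the second failing signature on, the warning also prints the causes collected for earlier signatures and attributes them to the wrong RRSIG. Unless reasonListToString empties the list (it is defined outside this hunk), start each iteration with `reasons.clear();` or declare the list inside the loop body. `if (res) result = res;` is also clearer as `if (res) result = true;`.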