Instead of using DNSSEC.Secure, DNSSEC.Failed, etc, just use boolean results.
This means we lose the idea of Insecure, but that wasn't effectively being used anyway. Further, remove any use of the DNSJava Cache class -- that also wasn't being used.
parent
25cc81d46a
commit
ca7f10bd07
@ -28,7 +28,6 @@ import java.util.List;
|
|||||||
import org.apache.commons.cli.CommandLine;
|
import org.apache.commons.cli.CommandLine;
|
||||||
import org.apache.commons.cli.OptionBuilder;
|
import org.apache.commons.cli.OptionBuilder;
|
||||||
import org.apache.commons.cli.Options;
|
import org.apache.commons.cli.Options;
|
||||||
import org.xbill.DNS.DNSSEC;
|
|
||||||
import org.xbill.DNS.Name;
|
import org.xbill.DNS.Name;
|
||||||
import org.xbill.DNS.RRSIGRecord;
|
import org.xbill.DNS.RRSIGRecord;
|
||||||
import org.xbill.DNS.RRset;
|
import org.xbill.DNS.RRset;
|
||||||
@ -186,11 +185,11 @@ public class SignKeyset extends CLBase
|
|||||||
// skip unsigned rrsets.
|
// skip unsigned rrsets.
|
||||||
if (!rrset.sigs().hasNext()) continue;
|
if (!rrset.sigs().hasNext()) continue;
|
||||||
|
|
||||||
int result = verifier.verify(rrset, null);
|
boolean result = verifier.verify(rrset);
|
||||||
|
|
||||||
if (result != DNSSEC.Secure)
|
if (!result)
|
||||||
{
|
{
|
||||||
log.fine("Signatures did not verify for RRset: (" + result + "): " + rrset);
|
log.fine("Signatures did not verify for RRset: " + rrset);
|
||||||
secure = false;
|
secure = false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
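Review bot: The new `log.fine("Signatures did not verify for RRset: " + rrset)` drops the result code the old message carried, and `verifier.verify(rrset)` gives the caller no way to learn why the set failed (expired signature, missing trusted key, bad crypto), so an operator who ends up with `secure = false` has nothing actionable in the log. Consider iterating the signatures here with `verifier.verifySignature(rrset, sigrec, reasons)` and logging `reasons`, or adding a reasons-taking overload of `verify()`; the same loop appears in SignRRset and SignZone. The enclosing method starts and ends outside this hunk.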
|
@ -28,7 +28,6 @@ import org.apache.commons.cli.CommandLine;
|
|||||||
import org.apache.commons.cli.OptionBuilder;
|
import org.apache.commons.cli.OptionBuilder;
|
||||||
import org.apache.commons.cli.Options;
|
import org.apache.commons.cli.Options;
|
||||||
|
|
||||||
import org.xbill.DNS.DNSSEC;
|
|
||||||
import org.xbill.DNS.Name;
|
import org.xbill.DNS.Name;
|
||||||
import org.xbill.DNS.RRSIGRecord;
|
import org.xbill.DNS.RRSIGRecord;
|
||||||
import org.xbill.DNS.RRset;
|
import org.xbill.DNS.RRset;
|
||||||
@ -185,11 +184,11 @@ public class SignRRset extends CLBase
|
|||||||
// skip unsigned rrsets.
|
// skip unsigned rrsets.
|
||||||
if (!rrset.sigs().hasNext()) continue;
|
if (!rrset.sigs().hasNext()) continue;
|
||||||
|
|
||||||
int result = verifier.verify(rrset, null);
|
boolean result = verifier.verify(rrset);
|
||||||
|
|
||||||
if (result != DNSSEC.Secure)
|
if (!result)
|
||||||
{
|
{
|
||||||
log.fine("Signatures did not verify for RRset: (" + result + "): " + rrset);
|
log.fine("Signatures did not verify for RRset: " + rrset);
|
||||||
secure = false;
|
secure = false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -34,7 +34,6 @@ import org.apache.commons.cli.Options;
|
|||||||
import org.apache.commons.cli.ParseException;
|
import org.apache.commons.cli.ParseException;
|
||||||
|
|
||||||
import org.xbill.DNS.DNSKEYRecord;
|
import org.xbill.DNS.DNSKEYRecord;
|
||||||
import org.xbill.DNS.DNSSEC;
|
|
||||||
import org.xbill.DNS.DSRecord;
|
import org.xbill.DNS.DSRecord;
|
||||||
import org.xbill.DNS.Name;
|
import org.xbill.DNS.Name;
|
||||||
import org.xbill.DNS.RRset;
|
import org.xbill.DNS.RRset;
|
||||||
@ -343,11 +342,11 @@ public class SignZone extends CLBase
|
|||||||
// skip unsigned rrsets.
|
// skip unsigned rrsets.
|
||||||
if (!rrset.sigs().hasNext()) continue;
|
if (!rrset.sigs().hasNext()) continue;
|
||||||
|
|
||||||
int result = verifier.verify(rrset, null);
|
boolean result = verifier.verify(rrset);
|
||||||
|
|
||||||
if (result != DNSSEC.Secure)
|
if (!result)
|
||||||
{
|
{
|
||||||
log.fine("Signatures did not verify for RRset: (" + result + "): " + rrset);
|
log.fine("Signatures did not verify for RRset: " + rrset);
|
||||||
secure = false;
|
secure = false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -45,8 +45,6 @@ import javax.crypto.spec.DHPrivateKeySpec;
|
|||||||
|
|
||||||
import org.xbill.DNS.DNSKEYRecord;
|
import org.xbill.DNS.DNSKEYRecord;
|
||||||
import org.xbill.DNS.Name;
|
import org.xbill.DNS.Name;
|
||||||
import org.xbill.DNS.Record;
|
|
||||||
import org.xbill.DNS.Type;
|
|
||||||
import org.xbill.DNS.utils.base64;
|
import org.xbill.DNS.utils.base64;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -43,7 +43,7 @@ import org.xbill.DNS.*;
|
|||||||
* @author $Author$
|
* @author $Author$
|
||||||
* @version $Revision$
|
* @version $Revision$
|
||||||
*/
|
*/
|
||||||
public class DnsSecVerifier implements Verifier
|
public class DnsSecVerifier
|
||||||
{
|
{
|
||||||
|
|
||||||
private class TrustedKeyStore
|
private class TrustedKeyStore
|
||||||
@ -157,47 +157,19 @@ public class DnsSecVerifier implements Verifier
|
|||||||
mIgnoreTime = v;
|
mIgnoreTime = v;
|
||||||
}
|
}
|
||||||
|
|
||||||
@SuppressWarnings("unchecked")
|
private DnsKeyPair findKey(Name name, int algorithm, int footprint)
|
||||||
private DnsKeyPair findCachedKey(Cache cache, Name name, int algorithm, int footprint)
|
|
||||||
{
|
{
|
||||||
RRset[] keysets = cache.findAnyRecords(name, Type.KEY);
|
return mKeyStore.find(name, algorithm, footprint);
|
||||||
if (keysets == null) return null;
|
|
||||||
|
|
||||||
// look for the particular key
|
|
||||||
// FIXME: this assumes that name+alg+footprint is unique.
|
|
||||||
for (Iterator<Record> i = keysets[0].rrs(); i.hasNext();)
|
|
||||||
{
|
|
||||||
Record r = i.next();
|
|
||||||
if (r.getType() != Type.DNSKEY) continue;
|
|
||||||
DNSKEYRecord keyrec = (DNSKEYRecord) r;
|
|
||||||
if (keyrec.getAlgorithm() == algorithm && keyrec.getFootprint() == footprint)
|
|
||||||
{
|
|
||||||
return new DnsKeyPair(keyrec, (PrivateKey) null);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return null;
|
private boolean validateSignature(RRset rrset, RRSIGRecord sigrec, List<String> reasons)
|
||||||
}
|
|
||||||
|
|
||||||
private DnsKeyPair findKey(Cache cache, Name name, int algorithm, int footprint)
|
|
||||||
{
|
{
|
||||||
DnsKeyPair pair = mKeyStore.find(name, algorithm, footprint);
|
if (rrset == null || sigrec == null) return false;
|
||||||
if (pair == null && cache != null)
|
|
||||||
{
|
|
||||||
pair = findCachedKey(cache, name, algorithm, footprint);
|
|
||||||
}
|
|
||||||
|
|
||||||
return pair;
|
|
||||||
}
|
|
||||||
|
|
||||||
private byte validateSignature(RRset rrset, RRSIGRecord sigrec, List<String> reasons)
|
|
||||||
{
|
|
||||||
if (rrset == null || sigrec == null) return DNSSEC.Failed;
|
|
||||||
if (!rrset.getName().equals(sigrec.getName()))
|
if (!rrset.getName().equals(sigrec.getName()))
|
||||||
{
|
{
|
||||||
log.fine("Signature name does not match RRset name");
|
log.fine("Signature name does not match RRset name");
|
||||||
if (reasons != null) reasons.add("Signature name does not match RRset name");
|
if (reasons != null) reasons.add("Signature name does not match RRset name");
|
||||||
return DNSSEC.Failed;
|
return false;
|
||||||
}
|
}
|
||||||
if (rrset.getType() != sigrec.getTypeCovered())
|
if (rrset.getType() != sigrec.getTypeCovered())
|
||||||
{
|
{
|
||||||
@ -205,7 +177,7 @@ public class DnsSecVerifier implements Verifier
|
|||||||
if (reasons != null) reasons.add("Signature type does not match RRset type");
|
if (reasons != null) reasons.add("Signature type does not match RRset type");
|
||||||
}
|
}
|
||||||
|
|
||||||
if (mIgnoreTime) return DNSSEC.Secure;
|
if (mIgnoreTime) return true;
|
||||||
|
|
||||||
Date now = new Date();
|
Date now = new Date();
|
||||||
Date start = sigrec.getTimeSigned();
|
Date start = sigrec.getTimeSigned();
|
||||||
@ -221,7 +193,7 @@ public class DnsSecVerifier implements Verifier
|
|||||||
{
|
{
|
||||||
log.fine("Signature is not yet valid");
|
log.fine("Signature is not yet valid");
|
||||||
if (reasons != null) reasons.add("Signature not yet valid");
|
if (reasons != null) reasons.add("Signature not yet valid");
|
||||||
return DNSSEC.Failed;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -235,39 +207,37 @@ public class DnsSecVerifier implements Verifier
|
|||||||
{
|
{
|
||||||
log.fine("Signature has expired (now = " + now + ", sig expires = " + expire);
|
log.fine("Signature has expired (now = " + now + ", sig expires = " + expire);
|
||||||
if (reasons != null) reasons.add("Signature has expired.");
|
if (reasons != null) reasons.add("Signature has expired.");
|
||||||
return DNSSEC.Failed;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return DNSSEC.Secure;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
public byte verifySignature(RRset rrset, RRSIGRecord sigrec, Cache cache)
|
public boolean verifySignature(RRset rrset, RRSIGRecord sigrec)
|
||||||
{
|
{
|
||||||
return verifySignature(rrset, sigrec, cache, null);
|
return verifySignature(rrset, sigrec, null);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Verify an RRset against a particular signature.
|
* Verify an RRset against a particular signature.
|
||||||
*
|
*
|
||||||
* @return DNSSEC.Secure if the signature verified, DNSSEC.Failed if it did
|
* @return true if the signature verified, false if it did
|
||||||
* not verify (for any reason), and DNSSEC.Insecure if verification
|
* not verify (for any reason, including not finding the DNSKEY.)
|
||||||
* could not be completed (usually because the public key was not
|
|
||||||
* available).
|
|
||||||
*/
|
*/
|
||||||
public byte verifySignature(RRset rrset, RRSIGRecord sigrec, Cache cache, List<String> reasons)
|
public boolean verifySignature(RRset rrset, RRSIGRecord sigrec, List<String> reasons)
|
||||||
{
|
{
|
||||||
byte result = validateSignature(rrset, sigrec, reasons);
|
boolean result = validateSignature(rrset, sigrec, reasons);
|
||||||
if (result != DNSSEC.Secure) return result;
|
if (!result) return result;
|
||||||
|
|
||||||
DnsKeyPair keypair = findKey(cache, sigrec.getSigner(), sigrec.getAlgorithm(),
|
DnsKeyPair keypair = findKey(sigrec.getSigner(), sigrec.getAlgorithm(),
|
||||||
sigrec.getFootprint());
|
sigrec.getFootprint());
|
||||||
|
|
||||||
if (keypair == null)
|
if (keypair == null)
|
||||||
{
|
{
|
||||||
if (reasons != null) reasons.add("Could not find matching trusted key");
|
if (reasons != null) reasons.add("Could not find matching trusted key");
|
||||||
log.fine("could not find matching trusted key");
|
log.fine("could not find matching trusted key");
|
||||||
return DNSSEC.Insecure;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
try
|
try
|
||||||
@ -290,10 +260,10 @@ public class DnsSecVerifier implements Verifier
|
|||||||
{
|
{
|
||||||
if (reasons != null) reasons.add("Signature failed to verify cryptographically");
|
if (reasons != null) reasons.add("Signature failed to verify cryptographically");
|
||||||
log.fine("Signature failed to verify cryptographically");
|
log.fine("Signature failed to verify cryptographically");
|
||||||
return DNSSEC.Failed;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
return DNSSEC.Secure;
|
return true;
|
||||||
}
|
}
|
||||||
catch (IOException e)
|
catch (IOException e)
|
||||||
{
|
{
|
||||||
@ -305,39 +275,38 @@ public class DnsSecVerifier implements Verifier
|
|||||||
}
|
}
|
||||||
if (reasons != null) reasons.add("Signature failed to verify due to exception");
|
if (reasons != null) reasons.add("Signature failed to verify due to exception");
|
||||||
log.fine("Signature failed to verify due to exception");
|
log.fine("Signature failed to verify due to exception");
|
||||||
return DNSSEC.Insecure;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Verifies an RRset. This routine does not modify the RRset.
|
* Verifies an RRset. This routine does not modify the RRset.
|
||||||
*
|
*
|
||||||
* @return DNSSEC.Secure if the set verified, DNSSEC.Failed if it did not, and
|
* @return true if the set verified, false if it did not.
|
||||||
* DNSSEC.Insecure if verification could not complete.
|
|
||||||
*/
|
*/
|
||||||
@SuppressWarnings("unchecked")
|
@SuppressWarnings("unchecked")
|
||||||
public int verify(RRset rrset, Cache cache)
|
public boolean verify(RRset rrset)
|
||||||
{
|
{
|
||||||
int result = mVerifyAllSigs ? DNSSEC.Secure : DNSSEC.Insecure;
|
boolean result = mVerifyAllSigs ? true : false;
|
||||||
|
|
||||||
Iterator i = rrset.sigs();
|
Iterator i = rrset.sigs();
|
||||||
|
|
||||||
if (!i.hasNext())
|
if (!i.hasNext())
|
||||||
{
|
{
|
||||||
log.fine("RRset failed to verify due to lack of signatures");
|
log.fine("RRset failed to verify due to lack of signatures");
|
||||||
return DNSSEC.Insecure;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
while (i.hasNext())
|
while (i.hasNext())
|
||||||
{
|
{
|
||||||
RRSIGRecord sigrec = (RRSIGRecord) i.next();
|
RRSIGRecord sigrec = (RRSIGRecord) i.next();
|
||||||
|
|
||||||
byte res = verifySignature(rrset, sigrec, cache);
|
boolean res = verifySignature(rrset, sigrec);
|
||||||
|
|
||||||
if (!mVerifyAllSigs && res == DNSSEC.Secure) return res;
|
// If not requiring all signature to validate, then any successful validation is sufficient.
|
||||||
|
if (!mVerifyAllSigs && res) return res;
|
||||||
|
|
||||||
if (!mVerifyAllSigs && res < result) result = res;
|
// Otherwise, note if a signature failed to validate.
|
||||||
|
if (mVerifyAllSigs && !res)
|
||||||
if (mVerifyAllSigs && res != DNSSEC.Secure && res < result)
|
|
||||||
{
|
{
|
||||||
result = res;
|
result = res;
|
||||||
}
|
}
|
||||||
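Review bot: In the third hunk of validateSignature the type-covered mismatch branch adds `"Signature type does not match RRset type"` to reasons but never returns, so the check falls through to the time window and, with mIgnoreTime set, reaches `return true` with a failure reason already recorded; the name-mismatch branch just above returns after its reasons.add and this branch should too: `return false;`. The single line between the second and third hunks (old line 204) is not visible; by the pattern of the name check it is the log.fine call, but confirm it is not already the return. Since this commit rewrote every other return in the method, it is the natural place to close that gap. In the last hunk, `boolean result = mVerifyAllSigs ? true : false;` is simply `boolean result = mVerifyAllSigs;`, and the raw `Iterator i = rrset.sigs();` could be `Iterator<Record>` as ZoneVerifier already writes it, letting the @SuppressWarnings go; verify's closing lines lie outside the hunk.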
|
@ -33,7 +33,6 @@ import java.util.TreeMap;
|
|||||||
import java.util.logging.Logger;
|
import java.util.logging.Logger;
|
||||||
|
|
||||||
import org.xbill.DNS.DNSKEYRecord;
|
import org.xbill.DNS.DNSKEYRecord;
|
||||||
import org.xbill.DNS.DNSSEC;
|
|
||||||
import org.xbill.DNS.NSEC3PARAMRecord;
|
import org.xbill.DNS.NSEC3PARAMRecord;
|
||||||
import org.xbill.DNS.NSEC3Record;
|
import org.xbill.DNS.NSEC3Record;
|
||||||
import org.xbill.DNS.NSECRecord;
|
import org.xbill.DNS.NSECRecord;
|
||||||
@ -354,24 +353,24 @@ public class ZoneVerifier
|
|||||||
private int processRRset(RRset rrset)
|
private int processRRset(RRset rrset)
|
||||||
{
|
{
|
||||||
List<String> reasons = new ArrayList<String>();
|
List<String> reasons = new ArrayList<String>();
|
||||||
int result = DNSSEC.Failed;
|
boolean result = false;
|
||||||
|
|
||||||
for (Iterator<Record> i = rrset.sigs(); i.hasNext();)
|
for (Iterator<Record> i = rrset.sigs(); i.hasNext();)
|
||||||
{
|
{
|
||||||
RRSIGRecord sigrec = (RRSIGRecord) i.next();
|
RRSIGRecord sigrec = (RRSIGRecord) i.next();
|
||||||
byte res = mVerifier.verifySignature(rrset, sigrec, null, reasons);
|
boolean res = mVerifier.verifySignature(rrset, sigrec, reasons);
|
||||||
if (res != DNSSEC.Secure)
|
if (!res)
|
||||||
{
|
{
|
||||||
log.warning("Signature failed to verify RRset:\n rr: "
|
log.warning("Signature failed to verify RRset:\n rr: "
|
||||||
+ ZoneUtils.rrsetToString(rrset, false) + "\n sig: " + sigrec + "\n"
|
+ ZoneUtils.rrsetToString(rrset, false) + "\n sig: " + sigrec + "\n"
|
||||||
+ reasonListToString(reasons));
|
+ reasonListToString(reasons));
|
||||||
}
|
}
|
||||||
|
|
||||||
if (res > result) result = res;
|
if (res) result = res;
|
||||||
}
|
}
|
||||||
|
|
||||||
String rrsetname = rrset.getName() + "/" + Type.string(rrset.getType());
|
String rrsetname = rrset.getName() + "/" + Type.string(rrset.getType());
|
||||||
if (result == DNSSEC.Secure)
|
if (result)
|
||||||
{
|
{
|
||||||
log.fine("RRset " + rrsetname + " verified.");
|
log.fine("RRset " + rrsetname + " verified.");
|
||||||
}
|
}
|
||||||
@ -380,7 +379,7 @@ public class ZoneVerifier
|
|||||||
log.warning("RRset " + rrsetname + " did not verify.");
|
log.warning("RRset " + rrsetname + " did not verify.");
|
||||||
}
|
}
|
||||||
|
|
||||||
return result == DNSSEC.Secure ? 0 : 1;
|
return result ? 0 : 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
private String typesToString(int[] types)
|
private String typesToString(int[] types)
|
||||||
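Review bot: `reasons` is created once before the for loop in processRRset and `mVerifier.verifySignature(rrset, sigrec, reasons)` only appends to it, so when an RRset carries more than one failing RRSIG the warning for the second signature repeats the first signature's reasons; add `reasons.clear();` at the top of the loop body or declare the list inside the loop. The accumulation `if (res) result = res;` reads more directly as `result = result || res;`, which keeps the existing semantics that one verifying signature marks the set verified. The method's else branch and final return are in the following hunk.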
|