Instead of using DNSSEC.Secure, DNSSEC.Failed, etc, just use boolean results.

This means we lose the idea of Insecure, but that wasn't effectively being used anyway. Further, remove any use of the DNSJava Cache class -- that also wasn't being used.
2012-05-26 15:40:15 -04:00 · 2012-05-26 15:40:15 -04:00 · ca7f10bd07
parent 25cc81d46a
commit ca7f10bd07
6 changed files with 46 additions and 83 deletions
--- a/src/com/verisignlabs/dnssec/cl/SignKeyset.java
+++ b/src/com/verisignlabs/dnssec/cl/SignKeyset.java
@ -28,7 +28,6 @@ import java.util.List;
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.OptionBuilder;
 import org.apache.commons.cli.Options;
 import org.xbill.DNS.DNSSEC;
 import org.xbill.DNS.Name;
 import org.xbill.DNS.RRSIGRecord;
 import org.xbill.DNS.RRset;
@ -186,11 +185,11 @@ public class SignKeyset extends CLBase
      // skip unsigned rrsets.
      if (!rrset.sigs().hasNext()) continue;
-      int result = verifier.verify(rrset, null);
+      boolean result = verifier.verify(rrset);
-      if (result != DNSSEC.Secure)
+      if (!result)
      {
-        log.fine("Signatures did not verify for RRset: (" + result + "): " + rrset);
+        log.fine("Signatures did not verify for RRset: " + rrset);
        secure = false;
      }
    }
--- a/src/com/verisignlabs/dnssec/cl/SignRRset.java
+++ b/src/com/verisignlabs/dnssec/cl/SignRRset.java
@ -28,7 +28,6 @@ import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.OptionBuilder;
 import org.apache.commons.cli.Options;
 import org.xbill.DNS.DNSSEC;
 import org.xbill.DNS.Name;
 import org.xbill.DNS.RRSIGRecord;
 import org.xbill.DNS.RRset;
@ -185,11 +184,11 @@ public class SignRRset extends CLBase
      // skip unsigned rrsets.
      if (!rrset.sigs().hasNext()) continue;
-      int result = verifier.verify(rrset, null);
+      boolean result = verifier.verify(rrset);
-      if (result != DNSSEC.Secure)
+      if (!result)
      {
-        log.fine("Signatures did not verify for RRset: (" + result + "): " + rrset);
+        log.fine("Signatures did not verify for RRset: " + rrset);
        secure = false;
      }
    }
--- a/src/com/verisignlabs/dnssec/cl/SignZone.java
+++ b/src/com/verisignlabs/dnssec/cl/SignZone.java
@ -34,7 +34,6 @@ import org.apache.commons.cli.Options;
 import org.apache.commons.cli.ParseException;
 import org.xbill.DNS.DNSKEYRecord;
 import org.xbill.DNS.DNSSEC;
 import org.xbill.DNS.DSRecord;
 import org.xbill.DNS.Name;
 import org.xbill.DNS.RRset;
@ -343,11 +342,11 @@ public class SignZone extends CLBase
      // skip unsigned rrsets.
      if (!rrset.sigs().hasNext()) continue;
-      int result = verifier.verify(rrset, null);
+      boolean result = verifier.verify(rrset);
-      if (result != DNSSEC.Secure)
+      if (!result)
      {
-        log.fine("Signatures did not verify for RRset: (" + result + "): " + rrset);
+        log.fine("Signatures did not verify for RRset: " + rrset);
        secure = false;
      }
    }
--- a/src/com/verisignlabs/dnssec/security/DnsKeyConverter.java
+++ b/src/com/verisignlabs/dnssec/security/DnsKeyConverter.java
@ -45,8 +45,6 @@ import javax.crypto.spec.DHPrivateKeySpec;
 import org.xbill.DNS.DNSKEYRecord;
 import org.xbill.DNS.Name;
 import org.xbill.DNS.Record;
 import org.xbill.DNS.Type;
 import org.xbill.DNS.utils.base64;
 /**
--- a/src/com/verisignlabs/dnssec/security/DnsSecVerifier.java
+++ b/src/com/verisignlabs/dnssec/security/DnsSecVerifier.java
@ -43,7 +43,7 @@ import org.xbill.DNS.*;
 * @author $Author$
 * @version $Revision$
 */
-public class DnsSecVerifier implements Verifier
+public class DnsSecVerifier
 {
  private class TrustedKeyStore
@ -157,47 +157,19 @@ public class DnsSecVerifier implements Verifier
    mIgnoreTime = v;
  }
-  @SuppressWarnings("unchecked")
+  private DnsKeyPair findKey(Name name, int algorithm, int footprint)
  private DnsKeyPair findCachedKey(Cache cache, Name name, int algorithm, int footprint)
  {
-    RRset[] keysets = cache.findAnyRecords(name, Type.KEY);
+    return mKeyStore.find(name, algorithm, footprint);
    if (keysets == null) return null;
    // look for the particular key
    // FIXME: this assumes that name+alg+footprint is unique.
    for (Iterator<Record> i = keysets[0].rrs(); i.hasNext();)
    {
      Record r = i.next();
      if (r.getType() != Type.DNSKEY) continue;
      DNSKEYRecord keyrec = (DNSKEYRecord) r;
      if (keyrec.getAlgorithm() == algorithm && keyrec.getFootprint() == footprint)
      {
        return new DnsKeyPair(keyrec, (PrivateKey) null);
      }
    }
    return null;
  }
-  private DnsKeyPair findKey(Cache cache, Name name, int algorithm, int footprint)
+  private boolean validateSignature(RRset rrset, RRSIGRecord sigrec, List<String> reasons)
  {
-    DnsKeyPair pair = mKeyStore.find(name, algorithm, footprint);
+    if (rrset == null || sigrec == null) return false;
    if (pair == null && cache != null)
    {
      pair = findCachedKey(cache, name, algorithm, footprint);
    }
    return pair;
  }
  private byte validateSignature(RRset rrset, RRSIGRecord sigrec, List<String> reasons)
  {
    if (rrset == null || sigrec == null) return DNSSEC.Failed;
    if (!rrset.getName().equals(sigrec.getName()))
    {
      log.fine("Signature name does not match RRset name");
      if (reasons != null) reasons.add("Signature name does not match RRset name");
-      return DNSSEC.Failed;
+      return false;
    }
    if (rrset.getType() != sigrec.getTypeCovered())
    {
@ -205,7 +177,7 @@ public class DnsSecVerifier implements Verifier
      if (reasons != null) reasons.add("Signature type does not match RRset type");
    }
-    if (mIgnoreTime) return DNSSEC.Secure;
+    if (mIgnoreTime) return true;
    Date now = new Date();
    Date start = sigrec.getTimeSigned();
@ -221,7 +193,7 @@ public class DnsSecVerifier implements Verifier
      {
        log.fine("Signature is not yet valid");
        if (reasons != null) reasons.add("Signature not yet valid");
-        return DNSSEC.Failed;
+        return false;
      }
    }
@ -235,39 +207,37 @@ public class DnsSecVerifier implements Verifier
      {
        log.fine("Signature has expired (now = " + now + ", sig expires = " + expire);
        if (reasons != null) reasons.add("Signature has expired.");
-        return DNSSEC.Failed;
+        return false;
      }
    }
-    return DNSSEC.Secure;
+    return true;
  }
-  public byte verifySignature(RRset rrset, RRSIGRecord sigrec, Cache cache)
+  public boolean verifySignature(RRset rrset, RRSIGRecord sigrec)
  {
-    return verifySignature(rrset, sigrec, cache, null);
+    return verifySignature(rrset, sigrec, null);
  }
  /**
   * Verify an RRset against a particular signature.
   * 
-   * @return DNSSEC.Secure if the signature verified, DNSSEC.Failed if it did
+   * @return true if the signature verified, false if it did
-   *         not verify (for any reason), and DNSSEC.Insecure if verification
+   *         not verify (for any reason, including not finding the DNSKEY.)
   *         could not be completed (usually because the public key was not
   *         available).
   */
-  public byte verifySignature(RRset rrset, RRSIGRecord sigrec, Cache cache, List<String> reasons)
+  public boolean verifySignature(RRset rrset, RRSIGRecord sigrec, List<String> reasons)
  {
-    byte result = validateSignature(rrset, sigrec, reasons);
+    boolean result = validateSignature(rrset, sigrec, reasons);
-    if (result != DNSSEC.Secure) return result;
+    if (!result) return result;
-    DnsKeyPair keypair = findKey(cache, sigrec.getSigner(), sigrec.getAlgorithm(),
+    DnsKeyPair keypair = findKey(sigrec.getSigner(), sigrec.getAlgorithm(),
                                 sigrec.getFootprint());
    if (keypair == null)
    {
      if (reasons != null) reasons.add("Could not find matching trusted key");
      log.fine("could not find matching trusted key");
-      return DNSSEC.Insecure;
+      return false;
    }
    try
@ -290,10 +260,10 @@ public class DnsSecVerifier implements Verifier
      {
        if (reasons != null) reasons.add("Signature failed to verify cryptographically");
        log.fine("Signature failed to verify cryptographically");
-        return DNSSEC.Failed;
+        return false;
      }
-      return DNSSEC.Secure;
+      return true;
    }
    catch (IOException e)
    {
@ -305,39 +275,38 @@ public class DnsSecVerifier implements Verifier
    }
    if (reasons != null) reasons.add("Signature failed to verify due to exception");
    log.fine("Signature failed to verify due to exception");
-    return DNSSEC.Insecure;
+    return false;
  }
  /**
   * Verifies an RRset. This routine does not modify the RRset.
   * 
-   * @return DNSSEC.Secure if the set verified, DNSSEC.Failed if it did not, and
+   * @return true if the set verified, false if it did not.
   *         DNSSEC.Insecure if verification could not complete.
   */
  @SuppressWarnings("unchecked")
-  public int verify(RRset rrset, Cache cache)
+  public boolean verify(RRset rrset)
  {
-    int result = mVerifyAllSigs ? DNSSEC.Secure : DNSSEC.Insecure;
+    boolean result = mVerifyAllSigs ? true : false;
    Iterator i = rrset.sigs();
    if (!i.hasNext())
    {
      log.fine("RRset failed to verify due to lack of signatures");
-      return DNSSEC.Insecure;
+      return false;
    }
    while (i.hasNext())
    {
      RRSIGRecord sigrec = (RRSIGRecord) i.next();
-      byte res = verifySignature(rrset, sigrec, cache);
+      boolean res = verifySignature(rrset, sigrec);
-      if (!mVerifyAllSigs && res == DNSSEC.Secure) return res;
+      // If not requiring all signature to validate, then any successful validation is sufficient.
      if (!mVerifyAllSigs && res) return res;
-      if (!mVerifyAllSigs && res < result) result = res;
+      // Otherwise, note if a signature failed to validate.
-
+      if (mVerifyAllSigs && !res)
      if (mVerifyAllSigs && res != DNSSEC.Secure && res < result)
      {
        result = res;
      }
--- a/src/com/verisignlabs/dnssec/security/ZoneVerifier.java
+++ b/src/com/verisignlabs/dnssec/security/ZoneVerifier.java
@ -33,7 +33,6 @@ import java.util.TreeMap;
 import java.util.logging.Logger;
 import org.xbill.DNS.DNSKEYRecord;
 import org.xbill.DNS.DNSSEC;
 import org.xbill.DNS.NSEC3PARAMRecord;
 import org.xbill.DNS.NSEC3Record;
 import org.xbill.DNS.NSECRecord;
@ -354,24 +353,24 @@ public class ZoneVerifier
  private int processRRset(RRset rrset)
  {
    List<String> reasons = new ArrayList<String>();
-    int result = DNSSEC.Failed;
+    boolean result = false;
    for (Iterator<Record> i = rrset.sigs(); i.hasNext();)
    {
      RRSIGRecord sigrec = (RRSIGRecord) i.next();
-      byte res = mVerifier.verifySignature(rrset, sigrec, null, reasons);
+      boolean res = mVerifier.verifySignature(rrset, sigrec, reasons);
-      if (res != DNSSEC.Secure)
+      if (!res)
      {
        log.warning("Signature failed to verify RRset:\n  rr:  "
            + ZoneUtils.rrsetToString(rrset, false) + "\n  sig: " + sigrec + "\n"
            + reasonListToString(reasons));
      }
-      if (res > result) result = res;
+      if (res) result = res;
    }
    String rrsetname = rrset.getName() + "/" + Type.string(rrset.getType());
-    if (result == DNSSEC.Secure)
+    if (result)
    {
      log.fine("RRset " + rrsetname + " verified.");
    }
@ -380,7 +379,7 @@ public class ZoneVerifier
      log.warning("RRset " + rrsetname + " did not verify.");
    }
-    return result == DNSSEC.Secure ? 0 : 1;
+    return result ? 0 : 1;
  }
  private String typesToString(int[] types)