Instead of using DNSSEC.Secure, DNSSEC.Failed, etc, just use boolean results.

This means we lose the idea of Insecure, but that wasn't effectively being used anyway.
Further, remove any use of the DNSJava Cache class -- that also wasn't being used.
This commit is contained in:
David Blacka 2012-05-26 15:40:15 -04:00
parent 25cc81d46a
commit ca7f10bd07
6 changed files with 46 additions and 83 deletions


@ -28,7 +28,6 @@ import java.util.List;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.OptionBuilder;
import org.apache.commons.cli.Options;
import org.xbill.DNS.DNSSEC;
import org.xbill.DNS.Name;
import org.xbill.DNS.RRSIGRecord;
import org.xbill.DNS.RRset;
@ -186,11 +185,11 @@ public class SignKeyset extends CLBase
// skip unsigned rrsets.
if (!rrset.sigs().hasNext()) continue;
int result = verifier.verify(rrset, null);
boolean result = verifier.verify(rrset);
if (result != DNSSEC.Secure)
if (!result)
{
log.fine("Signatures did not verify for RRset: (" + result + "): " + rrset);
log.fine("Signatures did not verify for RRset: " + rrset);
secure = false;
}
}
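Review bot: The replacement line `log.fine("Signatures did not verify for RRset: " + rrset);` drops the only hint of why verification failed, and because `verify(RRset)` now returns a bare boolean the tool can no longer tell a missing trusted key apart from a cryptographically bad signature. `DnsSecVerifier.verifySignature(rrset, sigrec, reasons)` already collects human-readable reasons, so a reasons-list overload of `verify` would let this message carry them, e.g. `log.fine("Signatures did not verify for RRset: " + rrset + ": " + reasons);`. The same loss applies to the identical hunks in the SignRRset and SignZone sections below. The enclosing loop and method begin and end outside this hunk.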


@ -28,7 +28,6 @@ import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.OptionBuilder;
import org.apache.commons.cli.Options;
import org.xbill.DNS.DNSSEC;
import org.xbill.DNS.Name;
import org.xbill.DNS.RRSIGRecord;
import org.xbill.DNS.RRset;
@ -185,11 +184,11 @@ public class SignRRset extends CLBase
// skip unsigned rrsets.
if (!rrset.sigs().hasNext()) continue;
int result = verifier.verify(rrset, null);
boolean result = verifier.verify(rrset);
if (result != DNSSEC.Secure)
if (!result)
{
log.fine("Signatures did not verify for RRset: (" + result + "): " + rrset);
log.fine("Signatures did not verify for RRset: " + rrset);
secure = false;
}
}


@ -34,7 +34,6 @@ import org.apache.commons.cli.Options;
import org.apache.commons.cli.ParseException;
import org.xbill.DNS.DNSKEYRecord;
import org.xbill.DNS.DNSSEC;
import org.xbill.DNS.DSRecord;
import org.xbill.DNS.Name;
import org.xbill.DNS.RRset;
@ -343,11 +342,11 @@ public class SignZone extends CLBase
// skip unsigned rrsets.
if (!rrset.sigs().hasNext()) continue;
int result = verifier.verify(rrset, null);
boolean result = verifier.verify(rrset);
if (result != DNSSEC.Secure)
if (!result)
{
log.fine("Signatures did not verify for RRset: (" + result + "): " + rrset);
log.fine("Signatures did not verify for RRset: " + rrset);
secure = false;
}
}


@ -45,8 +45,6 @@ import javax.crypto.spec.DHPrivateKeySpec;
import org.xbill.DNS.DNSKEYRecord;
import org.xbill.DNS.Name;
import org.xbill.DNS.Record;
import org.xbill.DNS.Type;
import org.xbill.DNS.utils.base64;
/**


@ -43,7 +43,7 @@ import org.xbill.DNS.*;
* @author $Author$
* @version $Revision$
*/
public class DnsSecVerifier implements Verifier
public class DnsSecVerifier
{
private class TrustedKeyStore
@ -157,47 +157,19 @@ public class DnsSecVerifier implements Verifier
mIgnoreTime = v;
}
@SuppressWarnings("unchecked")
private DnsKeyPair findCachedKey(Cache cache, Name name, int algorithm, int footprint)
private DnsKeyPair findKey(Name name, int algorithm, int footprint)
{
RRset[] keysets = cache.findAnyRecords(name, Type.KEY);
if (keysets == null) return null;
// look for the particular key
// FIXME: this assumes that name+alg+footprint is unique.
for (Iterator<Record> i = keysets[0].rrs(); i.hasNext();)
{
Record r = i.next();
if (r.getType() != Type.DNSKEY) continue;
DNSKEYRecord keyrec = (DNSKEYRecord) r;
if (keyrec.getAlgorithm() == algorithm && keyrec.getFootprint() == footprint)
{
return new DnsKeyPair(keyrec, (PrivateKey) null);
}
}
return null;
return mKeyStore.find(name, algorithm, footprint);
}
private DnsKeyPair findKey(Cache cache, Name name, int algorithm, int footprint)
private boolean validateSignature(RRset rrset, RRSIGRecord sigrec, List<String> reasons)
{
DnsKeyPair pair = mKeyStore.find(name, algorithm, footprint);
if (pair == null && cache != null)
{
pair = findCachedKey(cache, name, algorithm, footprint);
}
return pair;
}
private byte validateSignature(RRset rrset, RRSIGRecord sigrec, List<String> reasons)
{
if (rrset == null || sigrec == null) return DNSSEC.Failed;
if (rrset == null || sigrec == null) return false;
if (!rrset.getName().equals(sigrec.getName()))
{
log.fine("Signature name does not match RRset name");
if (reasons != null) reasons.add("Signature name does not match RRset name");
return DNSSEC.Failed;
return false;
}
if (rrset.getType() != sigrec.getTypeCovered())
{
@ -205,7 +177,7 @@ public class DnsSecVerifier implements Verifier
if (reasons != null) reasons.add("Signature type does not match RRset type");
}
if (mIgnoreTime) return DNSSEC.Secure;
if (mIgnoreTime) return true;
Date now = new Date();
Date start = sigrec.getTimeSigned();
@ -221,7 +193,7 @@ public class DnsSecVerifier implements Verifier
{
log.fine("Signature is not yet valid");
if (reasons != null) reasons.add("Signature not yet valid");
return DNSSEC.Failed;
return false;
}
}
@ -235,39 +207,37 @@ public class DnsSecVerifier implements Verifier
{
log.fine("Signature has expired (now = " + now + ", sig expires = " + expire);
if (reasons != null) reasons.add("Signature has expired.");
return DNSSEC.Failed;
return false;
}
}
return DNSSEC.Secure;
return true;
}
public byte verifySignature(RRset rrset, RRSIGRecord sigrec, Cache cache)
public boolean verifySignature(RRset rrset, RRSIGRecord sigrec)
{
return verifySignature(rrset, sigrec, cache, null);
return verifySignature(rrset, sigrec, null);
}
/**
* Verify an RRset against a particular signature.
*
* @return DNSSEC.Secure if the signature verified, DNSSEC.Failed if it did
* not verify (for any reason), and DNSSEC.Insecure if verification
* could not be completed (usually because the public key was not
* available).
* @return true if the signature verified, false if it did
* not verify (for any reason, including not finding the DNSKEY.)
*/
public byte verifySignature(RRset rrset, RRSIGRecord sigrec, Cache cache, List<String> reasons)
public boolean verifySignature(RRset rrset, RRSIGRecord sigrec, List<String> reasons)
{
byte result = validateSignature(rrset, sigrec, reasons);
if (result != DNSSEC.Secure) return result;
boolean result = validateSignature(rrset, sigrec, reasons);
if (!result) return result;
DnsKeyPair keypair = findKey(cache, sigrec.getSigner(), sigrec.getAlgorithm(),
DnsKeyPair keypair = findKey(sigrec.getSigner(), sigrec.getAlgorithm(),
sigrec.getFootprint());
if (keypair == null)
{
if (reasons != null) reasons.add("Could not find matching trusted key");
log.fine("could not find matching trusted key");
return DNSSEC.Insecure;
return false;
}
try
@ -290,10 +260,10 @@ public class DnsSecVerifier implements Verifier
{
if (reasons != null) reasons.add("Signature failed to verify cryptographically");
log.fine("Signature failed to verify cryptographically");
return DNSSEC.Failed;
return false;
}
return DNSSEC.Secure;
return true;
}
catch (IOException e)
{
@ -305,39 +275,38 @@ public class DnsSecVerifier implements Verifier
}
if (reasons != null) reasons.add("Signature failed to verify due to exception");
log.fine("Signature failed to verify due to exception");
return DNSSEC.Insecure;
return false;
}
/**
* Verifies an RRset. This routine does not modify the RRset.
*
* @return DNSSEC.Secure if the set verified, DNSSEC.Failed if it did not, and
* DNSSEC.Insecure if verification could not complete.
* @return true if the set verified, false if it did not.
*/
@SuppressWarnings("unchecked")
public int verify(RRset rrset, Cache cache)
public boolean verify(RRset rrset)
{
int result = mVerifyAllSigs ? DNSSEC.Secure : DNSSEC.Insecure;
boolean result = mVerifyAllSigs ? true : false;
Iterator i = rrset.sigs();
if (!i.hasNext())
{
log.fine("RRset failed to verify due to lack of signatures");
return DNSSEC.Insecure;
return false;
}
while (i.hasNext())
{
RRSIGRecord sigrec = (RRSIGRecord) i.next();
byte res = verifySignature(rrset, sigrec, cache);
boolean res = verifySignature(rrset, sigrec);
if (!mVerifyAllSigs && res == DNSSEC.Secure) return res;
// If not requiring all signature to validate, then any successful validation is sufficient.
if (!mVerifyAllSigs && res) return res;
if (!mVerifyAllSigs && res < result) result = res;
if (mVerifyAllSigs && res != DNSSEC.Secure && res < result)
// Otherwise, note if a signature failed to validate.
if (mVerifyAllSigs && !res)
{
result = res;
}
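Review bot: In `validateSignature` the type-covered mismatch branch (`if (rrset.getType() != sigrec.getTypeCovered())`) records a reason and then falls through without returning, whereas the name-mismatch branch just above it returns false; the one line hidden between the first two hunks is presumably a log call, so a caller can receive a "Signature type does not match RRset type" entry in `reasons` together with a true result. Adding `return false;` directly after `if (reasons != null) reasons.add("Signature type does not match RRset type");` makes the two guards consistent instead of relying on the later cryptographic check alone to reject the mismatch. Separately, in `verify` the line `boolean result = mVerifyAllSigs ? true : false;` reads better as `boolean result = mVerifyAllSigs;`. The body of `verify` continues past the end of the last hunk.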


@ -33,7 +33,6 @@ import java.util.TreeMap;
import java.util.logging.Logger;
import org.xbill.DNS.DNSKEYRecord;
import org.xbill.DNS.DNSSEC;
import org.xbill.DNS.NSEC3PARAMRecord;
import org.xbill.DNS.NSEC3Record;
import org.xbill.DNS.NSECRecord;
@ -354,24 +353,24 @@ public class ZoneVerifier
private int processRRset(RRset rrset)
{
List<String> reasons = new ArrayList<String>();
int result = DNSSEC.Failed;
boolean result = false;
for (Iterator<Record> i = rrset.sigs(); i.hasNext();)
{
RRSIGRecord sigrec = (RRSIGRecord) i.next();
byte res = mVerifier.verifySignature(rrset, sigrec, null, reasons);
if (res != DNSSEC.Secure)
boolean res = mVerifier.verifySignature(rrset, sigrec, reasons);
if (!res)
{
log.warning("Signature failed to verify RRset:\n rr: "
+ ZoneUtils.rrsetToString(rrset, false) + "\n sig: " + sigrec + "\n"
+ reasonListToString(reasons));
}
if (res > result) result = res;
if (res) result = res;
}
String rrsetname = rrset.getName() + "/" + Type.string(rrset.getType());
if (result == DNSSEC.Secure)
if (result)
{
log.fine("RRset " + rrsetname + " verified.");
}
@ -380,7 +379,7 @@ public class ZoneVerifier
log.warning("RRset " + rrsetname + " did not verify.");
}
return result == DNSSEC.Secure ? 0 : 1;
return result ? 0 : 1;
}
private String typesToString(int[] types)
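Review bot: In `processRRset` the `reasons` list is created once before the loop and handed to every `verifySignature` call without being emptied, so the warning logged for a second failing RRSIG repeats the reasons collected for the first; adding `reasons.clear();` as the first statement of the loop body keeps each warning tied to its own signature. The fold `if (res) result = res;` is also more simply `result |= res;`, which states the any-one-signature-suffices rule directly. `processRRset` is split across the section's two hunks, with `typesToString` appearing only as trailing context.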