Instead of using DNSSEC.Secure, DNSSEC.Failed, etc, just use boolean results.
This means we lose the idea of Insecure, but that wasn't effectively being used anyway. Further, remove any use of the DNSJava Cache class -- that also wasn't being used.
parent
25cc81d46a
commit
ca7f10bd07
@ -28,7 +28,6 @@ import java.util.List;
|
||||
import org.apache.commons.cli.CommandLine;
|
||||
import org.apache.commons.cli.OptionBuilder;
|
||||
import org.apache.commons.cli.Options;
|
||||
import org.xbill.DNS.DNSSEC;
|
||||
import org.xbill.DNS.Name;
|
||||
import org.xbill.DNS.RRSIGRecord;
|
||||
import org.xbill.DNS.RRset;
|
||||
@ -186,11 +185,11 @@ public class SignKeyset extends CLBase
|
||||
// skip unsigned rrsets.
|
||||
if (!rrset.sigs().hasNext()) continue;
|
||||
|
||||
int result = verifier.verify(rrset, null);
|
||||
boolean result = verifier.verify(rrset);
|
||||
|
||||
if (result != DNSSEC.Secure)
|
||||
if (!result)
|
||||
{
|
||||
log.fine("Signatures did not verify for RRset: (" + result + "): " + rrset);
|
||||
log.fine("Signatures did not verify for RRset: " + rrset);
|
||||
secure = false;
|
||||
}
|
||||
}
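Review bot: The failure log `log.fine("Signatures did not verify for RRset: " + rrset);` now carries no reason at all: with the Insecure result gone, a missing trusted key (a key-management problem) and a cryptographic failure are indistinguishable at this call site, and the reasons list that `verifySignature(rrset, sigrec, reasons)` fills is not reachable through `verify(RRset)`. If this tool's FINE output is meant to tell an operator what went wrong, consider a `verify(RRset, List<String> reasons)` overload in DnsSecVerifier that passes the list through, and log it here as `log.fine("Signatures did not verify for RRset: " + rrset + ": " + reasons);`. The same call site appears in the SignRRset and SignZone hunks. The enclosing method starts and ends outside the hunk.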
|
||||
|
@ -28,7 +28,6 @@ import org.apache.commons.cli.CommandLine;
|
||||
import org.apache.commons.cli.OptionBuilder;
|
||||
import org.apache.commons.cli.Options;
|
||||
|
||||
import org.xbill.DNS.DNSSEC;
|
||||
import org.xbill.DNS.Name;
|
||||
import org.xbill.DNS.RRSIGRecord;
|
||||
import org.xbill.DNS.RRset;
|
||||
@ -185,11 +184,11 @@ public class SignRRset extends CLBase
|
||||
// skip unsigned rrsets.
|
||||
if (!rrset.sigs().hasNext()) continue;
|
||||
|
||||
int result = verifier.verify(rrset, null);
|
||||
boolean result = verifier.verify(rrset);
|
||||
|
||||
if (result != DNSSEC.Secure)
|
||||
if (!result)
|
||||
{
|
||||
log.fine("Signatures did not verify for RRset: (" + result + "): " + rrset);
|
||||
log.fine("Signatures did not verify for RRset: " + rrset);
|
||||
secure = false;
|
||||
}
|
||||
}
|
||||
|
@ -34,7 +34,6 @@ import org.apache.commons.cli.Options;
|
||||
import org.apache.commons.cli.ParseException;
|
||||
|
||||
import org.xbill.DNS.DNSKEYRecord;
|
||||
import org.xbill.DNS.DNSSEC;
|
||||
import org.xbill.DNS.DSRecord;
|
||||
import org.xbill.DNS.Name;
|
||||
import org.xbill.DNS.RRset;
|
||||
@ -343,11 +342,11 @@ public class SignZone extends CLBase
|
||||
// skip unsigned rrsets.
|
||||
if (!rrset.sigs().hasNext()) continue;
|
||||
|
||||
int result = verifier.verify(rrset, null);
|
||||
boolean result = verifier.verify(rrset);
|
||||
|
||||
if (result != DNSSEC.Secure)
|
||||
if (!result)
|
||||
{
|
||||
log.fine("Signatures did not verify for RRset: (" + result + "): " + rrset);
|
||||
log.fine("Signatures did not verify for RRset: " + rrset);
|
||||
secure = false;
|
||||
}
|
||||
}
|
||||
|
@ -45,8 +45,6 @@ import javax.crypto.spec.DHPrivateKeySpec;
|
||||
|
||||
import org.xbill.DNS.DNSKEYRecord;
|
||||
import org.xbill.DNS.Name;
|
||||
import org.xbill.DNS.Record;
|
||||
import org.xbill.DNS.Type;
|
||||
import org.xbill.DNS.utils.base64;
|
||||
|
||||
/**
|
||||
|
@ -43,7 +43,7 @@ import org.xbill.DNS.*;
|
||||
* @author $Author$
|
||||
* @version $Revision$
|
||||
*/
|
||||
public class DnsSecVerifier implements Verifier
|
||||
public class DnsSecVerifier
|
||||
{
|
||||
|
||||
private class TrustedKeyStore
|
||||
@ -157,47 +157,19 @@ public class DnsSecVerifier implements Verifier
|
||||
mIgnoreTime = v;
|
||||
}
|
||||
|
||||
@SuppressWarnings("unchecked")
|
||||
private DnsKeyPair findCachedKey(Cache cache, Name name, int algorithm, int footprint)
|
||||
private DnsKeyPair findKey(Name name, int algorithm, int footprint)
|
||||
{
|
||||
RRset[] keysets = cache.findAnyRecords(name, Type.KEY);
|
||||
if (keysets == null) return null;
|
||||
|
||||
// look for the particular key
|
||||
// FIXME: this assumes that name+alg+footprint is unique.
|
||||
for (Iterator<Record> i = keysets[0].rrs(); i.hasNext();)
|
||||
{
|
||||
Record r = i.next();
|
||||
if (r.getType() != Type.DNSKEY) continue;
|
||||
DNSKEYRecord keyrec = (DNSKEYRecord) r;
|
||||
if (keyrec.getAlgorithm() == algorithm && keyrec.getFootprint() == footprint)
|
||||
{
|
||||
return new DnsKeyPair(keyrec, (PrivateKey) null);
|
||||
}
|
||||
}
|
||||
|
||||
return null;
|
||||
return mKeyStore.find(name, algorithm, footprint);
|
||||
}
|
||||
|
||||
private DnsKeyPair findKey(Cache cache, Name name, int algorithm, int footprint)
|
||||
private boolean validateSignature(RRset rrset, RRSIGRecord sigrec, List<String> reasons)
|
||||
{
|
||||
DnsKeyPair pair = mKeyStore.find(name, algorithm, footprint);
|
||||
if (pair == null && cache != null)
|
||||
{
|
||||
pair = findCachedKey(cache, name, algorithm, footprint);
|
||||
}
|
||||
|
||||
return pair;
|
||||
}
|
||||
|
||||
private byte validateSignature(RRset rrset, RRSIGRecord sigrec, List<String> reasons)
|
||||
{
|
||||
if (rrset == null || sigrec == null) return DNSSEC.Failed;
|
||||
if (rrset == null || sigrec == null) return false;
|
||||
if (!rrset.getName().equals(sigrec.getName()))
|
||||
{
|
||||
log.fine("Signature name does not match RRset name");
|
||||
if (reasons != null) reasons.add("Signature name does not match RRset name");
|
||||
return DNSSEC.Failed;
|
||||
return false;
|
||||
}
|
||||
if (rrset.getType() != sigrec.getTypeCovered())
|
||||
{
|
||||
@ -205,7 +177,7 @@ public class DnsSecVerifier implements Verifier
|
||||
if (reasons != null) reasons.add("Signature type does not match RRset type");
|
||||
}
|
||||
|
||||
if (mIgnoreTime) return DNSSEC.Secure;
|
||||
if (mIgnoreTime) return true;
|
||||
|
||||
Date now = new Date();
|
||||
Date start = sigrec.getTimeSigned();
|
||||
@ -221,7 +193,7 @@ public class DnsSecVerifier implements Verifier
|
||||
{
|
||||
log.fine("Signature is not yet valid");
|
||||
if (reasons != null) reasons.add("Signature not yet valid");
|
||||
return DNSSEC.Failed;
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
@ -235,39 +207,37 @@ public class DnsSecVerifier implements Verifier
|
||||
{
|
||||
log.fine("Signature has expired (now = " + now + ", sig expires = " + expire);
|
||||
if (reasons != null) reasons.add("Signature has expired.");
|
||||
return DNSSEC.Failed;
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
return DNSSEC.Secure;
|
||||
return true;
|
||||
}
|
||||
|
||||
public byte verifySignature(RRset rrset, RRSIGRecord sigrec, Cache cache)
|
||||
public boolean verifySignature(RRset rrset, RRSIGRecord sigrec)
|
||||
{
|
||||
return verifySignature(rrset, sigrec, cache, null);
|
||||
return verifySignature(rrset, sigrec, null);
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify an RRset against a particular signature.
|
||||
*
|
||||
* @return DNSSEC.Secure if the signature verified, DNSSEC.Failed if it did
|
||||
* not verify (for any reason), and DNSSEC.Insecure if verification
|
||||
* could not be completed (usually because the public key was not
|
||||
* available).
|
||||
* @return true if the signature verified, false if it did
|
||||
* not verify (for any reason, including not finding the DNSKEY.)
|
||||
*/
|
||||
public byte verifySignature(RRset rrset, RRSIGRecord sigrec, Cache cache, List<String> reasons)
|
||||
public boolean verifySignature(RRset rrset, RRSIGRecord sigrec, List<String> reasons)
|
||||
{
|
||||
byte result = validateSignature(rrset, sigrec, reasons);
|
||||
if (result != DNSSEC.Secure) return result;
|
||||
boolean result = validateSignature(rrset, sigrec, reasons);
|
||||
if (!result) return result;
|
||||
|
||||
DnsKeyPair keypair = findKey(cache, sigrec.getSigner(), sigrec.getAlgorithm(),
|
||||
DnsKeyPair keypair = findKey(sigrec.getSigner(), sigrec.getAlgorithm(),
|
||||
sigrec.getFootprint());
|
||||
|
||||
if (keypair == null)
|
||||
{
|
||||
if (reasons != null) reasons.add("Could not find matching trusted key");
|
||||
log.fine("could not find matching trusted key");
|
||||
return DNSSEC.Insecure;
|
||||
return false;
|
||||
}
|
||||
|
||||
try
|
||||
@ -290,10 +260,10 @@ public class DnsSecVerifier implements Verifier
|
||||
{
|
||||
if (reasons != null) reasons.add("Signature failed to verify cryptographically");
|
||||
log.fine("Signature failed to verify cryptographically");
|
||||
return DNSSEC.Failed;
|
||||
return false;
|
||||
}
|
||||
|
||||
return DNSSEC.Secure;
|
||||
return true;
|
||||
}
|
||||
catch (IOException e)
|
||||
{
|
||||
@ -305,39 +275,38 @@ public class DnsSecVerifier implements Verifier
|
||||
}
|
||||
if (reasons != null) reasons.add("Signature failed to verify due to exception");
|
||||
log.fine("Signature failed to verify due to exception");
|
||||
return DNSSEC.Insecure;
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Verifies an RRset. This routine does not modify the RRset.
|
||||
*
|
||||
* @return DNSSEC.Secure if the set verified, DNSSEC.Failed if it did not, and
|
||||
* DNSSEC.Insecure if verification could not complete.
|
||||
* @return true if the set verified, false if it did not.
|
||||
*/
|
||||
@SuppressWarnings("unchecked")
|
||||
public int verify(RRset rrset, Cache cache)
|
||||
public boolean verify(RRset rrset)
|
||||
{
|
||||
int result = mVerifyAllSigs ? DNSSEC.Secure : DNSSEC.Insecure;
|
||||
boolean result = mVerifyAllSigs ? true : false;
|
||||
|
||||
Iterator i = rrset.sigs();
|
||||
|
||||
if (!i.hasNext())
|
||||
{
|
||||
log.fine("RRset failed to verify due to lack of signatures");
|
||||
return DNSSEC.Insecure;
|
||||
return false;
|
||||
}
|
||||
|
||||
while (i.hasNext())
|
||||
{
|
||||
RRSIGRecord sigrec = (RRSIGRecord) i.next();
|
||||
|
||||
byte res = verifySignature(rrset, sigrec, cache);
|
||||
boolean res = verifySignature(rrset, sigrec);
|
||||
|
||||
if (!mVerifyAllSigs && res == DNSSEC.Secure) return res;
|
||||
// If not requiring all signature to validate, then any successful validation is sufficient.
|
||||
if (!mVerifyAllSigs && res) return res;
|
||||
|
||||
if (!mVerifyAllSigs && res < result) result = res;
|
||||
|
||||
if (mVerifyAllSigs && res != DNSSEC.Secure && res < result)
|
||||
// Otherwise, note if a signature failed to validate.
|
||||
if (mVerifyAllSigs && !res)
|
||||
{
|
||||
result = res;
|
||||
}
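Review bot: In validateSignature the type-covered mismatch branch (hunk `@ -205,7 +177,7`, the line `if (reasons != null) reasons.add("Signature type does not match RRset type");` followed directly by `}`) records a reason but never returns, unlike the name-mismatch branch in the previous hunk, so a signature whose type covered does not match the RRset proceeds to the time checks and the cryptographic verify; the one hidden line between the opening brace and that `reasons.add` cannot be a `return`, or the `reasons.add` would be unreachable. Add `return false;` right after the `reasons.add(...)` line, mirroring the name check. This predates the commit, but the byte-to-boolean conversion touches every other return of this method and is the natural place to fix it; validateSignature begins in the `@ -157,47 +157,19 @@` hunk and ends in the `@ -235,39 +207,37 @@` hunk. Separately, in verify, `boolean result = mVerifyAllSigs ? true : false;` is just `boolean result = mVerifyAllSigs;`.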
|
||||
|
@ -33,7 +33,6 @@ import java.util.TreeMap;
|
||||
import java.util.logging.Logger;
|
||||
|
||||
import org.xbill.DNS.DNSKEYRecord;
|
||||
import org.xbill.DNS.DNSSEC;
|
||||
import org.xbill.DNS.NSEC3PARAMRecord;
|
||||
import org.xbill.DNS.NSEC3Record;
|
||||
import org.xbill.DNS.NSECRecord;
|
||||
@ -354,24 +353,24 @@ public class ZoneVerifier
|
||||
private int processRRset(RRset rrset)
|
||||
{
|
||||
List<String> reasons = new ArrayList<String>();
|
||||
int result = DNSSEC.Failed;
|
||||
boolean result = false;
|
||||
|
||||
for (Iterator<Record> i = rrset.sigs(); i.hasNext();)
|
||||
{
|
||||
RRSIGRecord sigrec = (RRSIGRecord) i.next();
|
||||
byte res = mVerifier.verifySignature(rrset, sigrec, null, reasons);
|
||||
if (res != DNSSEC.Secure)
|
||||
boolean res = mVerifier.verifySignature(rrset, sigrec, reasons);
|
||||
if (!res)
|
||||
{
|
||||
log.warning("Signature failed to verify RRset:\n rr: "
|
||||
+ ZoneUtils.rrsetToString(rrset, false) + "\n sig: " + sigrec + "\n"
|
||||
+ reasonListToString(reasons));
|
||||
}
|
||||
|
||||
if (res > result) result = res;
|
||||
if (res) result = res;
|
||||
}
|
||||
|
||||
String rrsetname = rrset.getName() + "/" + Type.string(rrset.getType());
|
||||
if (result == DNSSEC.Secure)
|
||||
if (result)
|
||||
{
|
||||
log.fine("RRset " + rrsetname + " verified.");
|
||||
}
|
||||
@ -380,7 +379,7 @@ public class ZoneVerifier
|
||||
log.warning("RRset " + rrsetname + " did not verify.");
|
||||
}
|
||||
|
||||
return result == DNSSEC.Secure ? 0 : 1;
|
||||
return result ? 0 : 1;
|
||||
}
|
||||
|
||||
private String typesToString(int[] types)
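Review bot: In processRRset the `reasons` list is created once before the `for` loop and handed to every `mVerifier.verifySignature(rrset, sigrec, reasons)` call without being cleared, so when two or more RRSIGs fail, the warning for the second signature also re-prints the first signature's reasons via `reasonListToString(reasons)`. Moving the construction into the loop, `List<String> reasons = new ArrayList<String>();` as the first statement of the loop body, gives each warning only its own reasons. This predates the commit, but the conversion rewrites the surrounding lines. Also, `if (res) result = res;` reads more directly as `result = result || res;` (or `result |= res;`); the `@ -380,7 +379,7` hunk's `return result ? 0 : 1;` then stays as is.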
|
||||
|