Port to DNSJava 3.5.1, Java 8, linter fixes (#13)

* Initial port to dnsjava 3.5.1

* java.util.Date -> java.time.Instant
* for (Iterator ..) to for ( Object : List )
* DSRecord.<digest type> -> DNSSEC.Digest.<type>
* source to java 8

* formatting overhaul; copyright; author

* add slf4j jars for dnsjava 3.5.1

* NSEC/NSEC3 ttls are now min(soa.min, soa.ttl)

* Upgrade to commons-cli-1.5; some linter fixes

* Add CDS support of jdnssec-dstool

* linter suggestions

* add a TODO list

* Add a TODO list
This commit is contained in:
David Blacka 2022-09-21 14:24:42 -04:00 committed by GitHub
parent ce1189703f
commit e322186112
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
36 changed files with 2627 additions and 3332 deletions

6
.gitattributes vendored Normal file
View File

@ -0,0 +1,6 @@
#
# https://help.github.com/articles/dealing-with-line-endings/
#
# These are explicitly windows files and should use crlf
*.bat text eol=crlf

3
.gitignore vendored
View File

@ -1,4 +1,5 @@
build
bin/main
.classpath
.project
.gradle
@ -6,4 +7,4 @@ jdnssec-tools*.tar.gz
docs
test-zones
settings.json
.settings
.settings

15
README.TODO.md Normal file
View File

@ -0,0 +1,15 @@
# jdnssec-tools TODO List
This bit of code has been around since approximately 2005, and has been in "minimal maintenance" mode for much of that time. But that doesn't mean there aren't features that we *want* to do, if we could arrange time and attention. Here is a partial list:
* More feature parity with the current BIND 9 tools
* Support the "v1.3" private key format. This basically means supporting the timing parameters that BiND 9 added.
* Have `jdnssec-signzone` support incremental signing, including key rollovers
* Rewrite `jdnssec-signzone` to use a "TreeMap" and arrange the data into a map of RRsets, rather than a sorted list of Record objects. This wouldn't be more efficient, but might be easier to understand.
* Allow `jdnssec-signzone` to scale by either:
* Allowing for pre-sorted zone data, and/or
* allowing for an external sort once the data is shown to be larger than X, and/or
* allowing for a memory-constrained internal sort that uses disk, and/or,
* figuring out how to let the JVM use *a lot* of memory.
* Add support for algorithm 16, perhaps refactor algorithm 15 support using bouncycastle.
* Note that our current dnsjava version, 3.5.1 has some support, although it isn't clear if it has sign/verify support.

View File

@ -1,12 +1,12 @@
# jdnssec-tools
* https://github.com/dblacka/jdnssec-tools/wiki
* <https://github.com/dblacka/jdnssec-tools/wiki>
Author: David Blacka (davidb@verisign.com)
This is a collection of DNSSEC tools written in Java. They are intended to be an addition or replacement for the DNSSEC tools that are part of BIND 9.
These tools depend upon DNSjava (https://github.com/dnsjava/dnsjava), the Jakarta Commons CLI and Logging libraries (https://commons.apache.org/proper/commons-cli), and Sun's Java Cryptography extensions. A copy of each of these libraries is included in the distribution. Currently, these tools use a custom version of the DNSjava library with minor modifications, which is provided.
These tools depend upon DNSjava (<https://github.com/dnsjava/dnsjava>), the Jakarta Commons CLI and Logging libraries (<https://commons.apache.org/proper/commons-cli>), slf4j (<https://www.slf4j.org>), and Sun's Java Cryptography extensions. A copy of each of these libraries is included in the distribution.
See the "licenses" directory for the licensing information of this package and the other packages that are distributed with it.
@ -21,7 +21,6 @@ Getting started:
cd java-dnssec-tools-x.x.x
./bin/jdnssec-signzone -h
Building from source:
1. Unpack the source distribution, preferably into the same directory that the binary distribution was unpacked.
@ -29,7 +28,7 @@ Building from source:
tar zxvf java-dnssec-tools-x.x.x-src.tar.gz
2. Edit the build.properties file to suit your environment.
3. Run Ant (see http://ant.apache.org for information about the Ant build tool).
3. Run Ant (see <http://ant.apache.org> for information about the Ant build tool).
ant
@ -42,9 +41,7 @@ Building from source:
The resulting jar file gets generated in build/libs.
The source for this project is available in git on github: https://github.com/dblacka/jdnssec-tools
Source for the modified DNSjava library can be found on github as well: https://github.com/dblacka/jdnssec-dnsjava
The source for this project is available in git on github: <https://github.com/dblacka/jdnssec-tools>
---

View File

@ -1 +1 @@
version=0.16.1
version=0.17

View File

@ -10,15 +10,15 @@ apply plugin: 'idea'
jar {
baseName = 'jdnssec-tools'
version = '0.16'
version = '0.17'
}
repositories {
mavenCentral()
}
sourceCompatibility = 1.7
targetCompatibility = 1.7
sourceCompatibility = 1.8
targetCompatibility = 1.8
dependencies {
compile fileTree(dir: 'lib', include: '*.jar')

View File

@ -47,8 +47,8 @@
deprecation="true"
includeantruntime="false"
includes="com/verisignlabs/dnssec/"
source="1.7"
target="1.7" />
source="8"
target="8" />
</target>
<target name="sectools-jar" depends="usage,sectools">

Binary file not shown.

BIN
lib/commons-cli-1.5.0.jar Normal file

Binary file not shown.

Binary file not shown.

BIN
lib/dnsjava-3.5.1.jar Normal file

Binary file not shown.

BIN
lib/slf4j-api-1.7.36.jar Normal file

Binary file not shown.

BIN
lib/slf4j-simple-1.7.36.jar Normal file

Binary file not shown.

View File

@ -0,0 +1,21 @@
Copyright (c) 2004-2017 QOS.ch
All rights reserved.
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

View File

@ -1,7 +1,25 @@
// Copyright (C) 2022 Verisign, Inc.
//
// This library is free software; you can redistribute it and/or
// modify it under the terms of the GNU Lesser General Public
// License as published by the Free Software Foundation; either
// version 2.1 of the License, or (at your option) any later version.
//
// This library is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
// Lesser General Public License for more details.
//
// You should have received a copy of the GNU Lesser General Public
// License along with this library; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
// USA
package com.verisignlabs.dnssec.cl;
import java.io.PrintWriter;
import java.text.SimpleDateFormat;
import java.time.Instant;
import java.util.Date;
import java.util.TimeZone;
import java.util.logging.Formatter;
@ -13,11 +31,11 @@ import java.util.logging.Logger;
import org.apache.commons.cli.AlreadySelectedException;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.CommandLineParser;
import org.apache.commons.cli.DefaultParser;
import org.apache.commons.cli.HelpFormatter;
import org.apache.commons.cli.OptionBuilder;
import org.apache.commons.cli.Option;
import org.apache.commons.cli.Options;
import org.apache.commons.cli.ParseException;
import org.apache.commons.cli.PosixParser;
import org.apache.commons.cli.UnrecognizedOptionException;
import com.verisignlabs.dnssec.security.DnsKeyAlgorithm;
@ -29,19 +47,17 @@ import com.verisignlabs.dnssec.security.DnsKeyAlgorithm;
* Subclasses also have their own main() methods, which should just create the
* subclass variant of the CLIState and call run().
*/
public abstract class CLBase
{
protected static Logger log;
public abstract class CLBase {
protected static Logger staticLog = Logger.getLogger(CLBase.class.getName());
protected Logger log;
/**
* This is a very simple log formatter that simply outputs the log level and
* log string.
*/
public static class BareLogFormatter extends Formatter
{
@Override
public String format(LogRecord arg0)
{
public static class BareLogFormatter extends Formatter {
public String format(LogRecord arg0) {
StringBuilder out = new StringBuilder();
String lvl = arg0.getLevel().getName();
@ -58,47 +74,39 @@ public abstract class CLBase
* This is a base class for command line parsing state. Subclasses should
* override setupOptions and processOptions.
*/
public static class CLIStateBase
{
public static class CLIStateBase {
protected Options opts;
protected String usageStr;
protected String usageStr;
/**
* The base constructor. This will setup the command line options.
*
* @param usage
* The command line usage string (e.g.,
* "jdnssec-foo [..options..] zonefile")
* The command line usage string (e.g.,
* "jdnssec-foo [..options..] zonefile")
*/
public CLIStateBase(String usage)
{
public CLIStateBase(String usage) {
usageStr = usage;
setup();
}
/** This is the base set of command line options provided to all subclasses. */
private void setup()
{
// Set up the standard set of options that all jdnssec command line tools will implement.
private void setup() {
// Set up the standard set of options that all jdnssec command line tools will
// implement.
opts = new Options();
// boolean options
opts.addOption("h", "help", false, "Print this message.");
opts.addOption("m", "multiline", false,
"Output DNS records using 'multiline' format");
"Output DNS records using 'multiline' format");
OptionBuilder.hasOptionalArg();
OptionBuilder.withLongOpt("verbose");
OptionBuilder.withArgName("level");
OptionBuilder.withDescription("verbosity level -- 0 is silence, 3 is info, "
+ "5 is debug information, 6 is trace information. default is level 2 (warning)");
opts.addOption(OptionBuilder.create('v'));
opts.addOption(Option.builder("v").longOpt("verbose").argName("level").optionalArg(true).desc(
"verbosity level -- 0 is silence, 3 is info, 5 is debug information, 6 is trace information. default is level 2 (warning)")
.build());
OptionBuilder.hasArg();
OptionBuilder.withArgName("alias:original:mnemonic");
OptionBuilder.withLongOpt("alg-alias");
OptionBuilder.withDescription("Define an alias for an algorithm");
opts.addOption(OptionBuilder.create('A'));
opts.addOption(Option.builder("A").hasArg().argName("alias:original:mnemonic").longOpt("alg-alias")
.desc("Define an alias for an algorithm").build());
setupOptions(opts);
}
@ -108,11 +116,10 @@ public abstract class CLBase
* line options.
*
* @param opts
* the options object to add (via OptionBuilder, typically) new
* options to.
* the options object to add (via OptionBuilder, typically) new
* options to.
*/
protected void setupOptions(Options opts)
{
protected void setupOptions(Options opts) {
// Subclasses generally override this.
}
@ -123,21 +130,21 @@ public abstract class CLBase
* options.
*
* @param args
* The command line arguments.
* The command line arguments.
* @throws ParseException
*/
public void parseCommandLine(String args[]) throws ParseException
{
CommandLineParser cli_parser = new PosixParser();
CommandLine cli = cli_parser.parse(opts, args);
public void parseCommandLine(String[] args) throws ParseException {
CommandLineParser parser = new DefaultParser();
CommandLine cli = parser.parse(opts, args);
if (cli.hasOption('h')) usage();
if (cli.hasOption('h')) {
usage();
}
Logger rootLogger = Logger.getLogger("");
int value = parseInt(cli.getOptionValue('v'), -1);
switch (value)
{
switch (value) {
case 0:
rootLogger.setLevel(Level.OFF);
break;
@ -162,22 +169,18 @@ public abstract class CLBase
}
// I hate java.util.logging, btw.
for (Handler h : rootLogger.getHandlers())
{
for (Handler h : rootLogger.getHandlers()) {
h.setLevel(rootLogger.getLevel());
h.setFormatter(new BareLogFormatter());
}
if (cli.hasOption('m'))
{
if (cli.hasOption('m')) {
org.xbill.DNS.Options.set("multiline");
}
String[] optstrs = null;
if ((optstrs = cli.getOptionValues('A')) != null)
{
for (int i = 0; i < optstrs.length; i++)
{
if ((optstrs = cli.getOptionValues('A')) != null) {
for (int i = 0; i < optstrs.length; i++) {
addArgAlias(optstrs[i]);
}
}
@ -190,72 +193,64 @@ public abstract class CLBase
* this.
*
* @param cli
* The {@link CommandLine} object containing the parsed command
* line state.
* The {@link CommandLine} object containing the parsed command
* line state.
*/
protected void processOptions(CommandLine cli) throws ParseException
{
protected void processOptions(CommandLine cli) throws ParseException {
// Subclasses generally override this.
}
/** Print out the usage and help statements, then quit. */
public void usage()
{
public void usage() {
HelpFormatter f = new HelpFormatter();
PrintWriter out = new PrintWriter(System.err);
// print our own usage statement:
f.printHelp(out, 75, usageStr, null, opts, HelpFormatter.DEFAULT_LEFT_PAD,
HelpFormatter.DEFAULT_DESC_PAD, null);
HelpFormatter.DEFAULT_DESC_PAD, null);
out.flush();
System.exit(64);
}
protected void addArgAlias(String s)
{
if (s == null) return;
protected void addArgAlias(String s) {
if (s == null)
return;
DnsKeyAlgorithm algs = DnsKeyAlgorithm.getInstance();
String[] v = s.split(":");
if (v.length < 2) return;
if (v.length < 2)
return;
int alias = parseInt(v[0], -1);
if (alias <= 0) return;
if (alias <= 0)
return;
int orig = parseInt(v[1], -1);
if (orig <= 0) return;
if (orig <= 0)
return;
String mn = null;
if (v.length > 2) mn = v[2];
if (v.length > 2)
mn = v[2];
algs.addAlias(alias, mn, orig);
}
}
public static int parseInt(String s, int def)
{
try
{
int v = Integer.parseInt(s);
return v;
}
catch (NumberFormatException e)
{
public static int parseInt(String s, int def) {
try {
return Integer.parseInt(s);
} catch (NumberFormatException e) {
return def;
}
}
public static long parseLong(String s, long def)
{
try
{
long v = Long.parseLong(s);
return v;
}
catch (NumberFormatException e)
{
public static long parseLong(String s, long def) {
try {
return Long.parseLong(s);
} catch (NumberFormatException e) {
return def;
}
}
@ -264,66 +259,59 @@ public abstract class CLBase
* Calculate a date/time from a command line time/offset duration string.
*
* @param start
* the start time to calculate offsets from.
* the start time to calculate offsets from.
* @param duration
* the time/offset string to parse.
* the time/offset string to parse.
* @return the calculated time.
*/
public static Date convertDuration(Date start, String duration) throws ParseException
{
if (start == null) start = new Date();
if (duration.startsWith("now"))
{
start = new Date();
if (duration.indexOf("+") < 0) return start;
public static Instant convertDuration(Instant start, String duration) throws ParseException {
if (start == null) {
start = Instant.now();
}
if (duration.startsWith("now")) {
start = Instant.now();
if (duration.indexOf("+") < 0)
return start;
duration = duration.substring(3);
}
if (duration.startsWith("+"))
{
long offset = (long) parseInt(duration.substring(1), 0) * 1000;
return new Date(start.getTime() + offset);
if (duration.startsWith("+")) {
long offset = parseLong(duration.substring(1), 0);
return start.plusSeconds(offset);
}
if (duration.length() <= 10)
{
long epoch = parseLong(duration, 0) * 1000;
return new Date(epoch);
// This is a heuristic to distinguish UNIX epoch times from the zone file
// format standard (which is length == 14)
if (duration.length() <= 10) {
long epoch = parseLong(duration, 0);
return Instant.ofEpochSecond(epoch);
}
SimpleDateFormat dateFormatter = new SimpleDateFormat("yyyyMMddHHmmss");
dateFormatter.setTimeZone(TimeZone.getTimeZone("GMT"));
try
{
return dateFormatter.parse(duration);
}
catch (java.text.ParseException e)
{
try {
Date parsedDate = dateFormatter.parse(duration);
return parsedDate.toInstant();
} catch (java.text.ParseException e) {
throw new ParseException(e.getMessage());
}
}
public abstract void execute() throws Exception;
public void run(CLIStateBase state, String[] args)
{
try
{
public void run(CLIStateBase state, String[] args) {
try {
state.parseCommandLine(args);
}
catch (UnrecognizedOptionException e)
{
} catch (UnrecognizedOptionException e) {
System.err.println("error: unknown option encountered: " + e.getMessage());
state.usage();
}
catch (AlreadySelectedException e)
{
} catch (AlreadySelectedException e) {
System.err.println("error: mutually exclusive options have "
+ "been selected:\n " + e.getMessage());
state.usage();
}
catch (Exception e)
{
} catch (Exception e) {
System.err.println("error: unknown command line parsing exception:");
e.printStackTrace();
state.usage();
@ -331,12 +319,9 @@ public abstract class CLBase
log = Logger.getLogger(this.getClass().toString());
try
{
try {
execute();
}
catch (Exception e)
{
} catch (Exception e) {
e.printStackTrace();
System.exit(1);
}

View File

@ -1,4 +1,4 @@
// Copyright (C) 2001-2003, 2011 VeriSign, Inc.
// Copyright (C) 2001-2003, 2011, 2022 VeriSign, Inc.
//
// This library is free software; you can redistribute it and/or
// modify it under the terms of the GNU Lesser General Public
@ -20,36 +20,45 @@ package com.verisignlabs.dnssec.cl;
import java.io.FileWriter;
import java.io.PrintWriter;
import org.apache.commons.cli.*;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.Option;
import org.apache.commons.cli.Options;
import org.xbill.DNS.CDSRecord;
import org.xbill.DNS.DLVRecord;
import org.xbill.DNS.DNSKEYRecord;
import org.xbill.DNS.DNSSEC;
import org.xbill.DNS.DSRecord;
import org.xbill.DNS.Record;
import com.verisignlabs.dnssec.security.*;
import com.verisignlabs.dnssec.security.BINDKeyUtils;
import com.verisignlabs.dnssec.security.DnsKeyPair;
import com.verisignlabs.dnssec.security.SignUtils;
/**
* This class forms the command line implementation of a DNSSEC DS/DLV generator
*
* @author David Blacka
*/
public class DSTool extends CLBase
{
public class DSTool extends CLBase {
private CLIState state;
/** There are several records that are based on DS. */
protected enum dsType {
DS, CDS, DLV;
}
/**
* This is a small inner class used to hold all of the command line option
* state.
*/
protected static class CLIState extends CLIStateBase
{
public boolean createDLV = false;
public String outputfile = null;
public String keyname = null;
public int digest_id = DSRecord.SHA1_DIGEST_ID;
public CLIState()
{
protected static class CLIState extends CLIStateBase {
public dsType createType = dsType.DS;
public String outputfile = null;
public String keyname = null;
public int digestId = DNSSEC.Digest.SHA1;
public CLIState() {
super("jdnssec-dstool [..options..] keyfile");
}
@ -58,76 +67,72 @@ public class DSTool extends CLBase
*
* @return a set of command line options.
*/
protected void setupOptions(Options opts)
{
OptionBuilder.withLongOpt("dlv");
OptionBuilder.withDescription("Generate a DLV record instead.");
opts.addOption(OptionBuilder.create());
OptionBuilder.hasArg();
OptionBuilder.withLongOpt("digest");
OptionBuilder.withArgName("id");
OptionBuilder.withDescription("The Digest ID to use (numerically): either 1 for SHA1 or 2 for SHA256");
opts.addOption(OptionBuilder.create('d'));
@Override
protected void setupOptions(Options opts) {
opts.addOption(Option.builder("D").longOpt("dlv").desc("Generate a DLV record instead.").build());
opts.addOption(Option.builder("C").longOpt("cds").desc("Generate a CDS record instead").build());
opts.addOption(Option.builder("d").hasArg().argName("id").longOpt("digest").desc("The digest algorithm to use").build());
opts.addOption(Option.builder("f").hasArg().argName("file").longOpt("output").desc("output to file").build());
}
@Override
protected void processOptions(CommandLine cli)
throws org.apache.commons.cli.ParseException
{
throws org.apache.commons.cli.ParseException {
outputfile = cli.getOptionValue('f');
createDLV = cli.hasOption("dlv");
if (cli.hasOption("dlv")) {
createType = dsType.DLV;
} else if (cli.hasOption("cds")) {
createType = dsType.CDS;
}
String optstr = cli.getOptionValue('d');
if (optstr != null) digest_id = parseInt(optstr, digest_id);
if (optstr != null)
digestId = DNSSEC.Digest.value(optstr);
String[] cl_args = cli.getArgs();
String[] args = cli.getArgs();
if (cl_args.length < 1)
{
if (args.length < 1) {
System.err.println("error: missing key file ");
usage();
}
keyname = cl_args[0];
keyname = args[0];
}
}
public void execute() throws Exception
{
public void execute() throws Exception {
DnsKeyPair key = BINDKeyUtils.loadKey(state.keyname, null);
DNSKEYRecord dnskey = key.getDNSKEYRecord();
if ((dnskey.getFlags() & DNSKEYRecord.Flags.SEP_KEY) == 0)
{
if ((dnskey.getFlags() & DNSKEYRecord.Flags.SEP_KEY) == 0) {
log.warning("DNSKEY is not an SEP-flagged key.");
}
DSRecord ds = SignUtils.calculateDSRecord(dnskey, state.digest_id, dnskey.getTTL());
DSRecord ds = SignUtils.calculateDSRecord(dnskey, state.digestId, dnskey.getTTL());
Record res = ds;
if (state.createDLV)
{
if (state.createType == dsType.DLV) {
log.fine("creating DLV.");
DLVRecord dlv = new DLVRecord(ds.getName(), ds.getDClass(), ds.getTTL(),
ds.getFootprint(), ds.getAlgorithm(),
ds.getDigestID(), ds.getDigest());
DLVRecord dlv = new DLVRecord(ds.getName(), ds.getDClass(), ds.getTTL(), ds.getFootprint(), ds.getAlgorithm(),
ds.getDigestID(), ds.getDigest());
res = dlv;
} else if (state.createType == dsType.CDS) {
log.fine("creating CDS.");
CDSRecord cds = new CDSRecord(ds.getName(), ds.getDClass(), ds.getTTL(), ds.getFootprint(), ds.getAlgorithm(),
ds.getDClass(), ds.getDigest());
res = cds;
}
if (state.outputfile != null)
{
PrintWriter out = new PrintWriter(new FileWriter(state.outputfile));
out.println(res);
out.close();
}
else
{
if (state.outputfile != null && !state.outputfile.equals("-")) {
try (PrintWriter out = new PrintWriter(new FileWriter(state.outputfile))) {
out.println(res);
}
} else {
System.out.println(res);
}
}
public static void main(String[] args)
{
public static void main(String[] args) {
DSTool tool = new DSTool();
tool.state = new CLIState();

View File

@ -1,4 +1,4 @@
// Copyright (C) 2001-2003, 2011 VeriSign, Inc.
// Copyright (C) 2001-2003, 2011, 2022 VeriSign, Inc.
//
// This library is free software; you can redistribute it and/or
// modify it under the terms of the GNU Lesser General Public
@ -19,205 +19,178 @@ package com.verisignlabs.dnssec.cl;
import java.io.File;
import org.apache.commons.cli.*;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.Option;
import org.apache.commons.cli.Options;
import org.xbill.DNS.DClass;
import org.xbill.DNS.DNSKEYRecord;
import org.xbill.DNS.Name;
import com.verisignlabs.dnssec.security.*;
import com.verisignlabs.dnssec.security.BINDKeyUtils;
import com.verisignlabs.dnssec.security.DnsKeyAlgorithm;
import com.verisignlabs.dnssec.security.DnsKeyPair;
import com.verisignlabs.dnssec.security.JCEDnsSecSigner;
/**
* This class forms the command line implementation of a DNSSEC key generator
*
*
* @author David Blacka
*/
public class KeyGen extends CLBase
{
public class KeyGen extends CLBase {
private CLIState state;
/**
* This is a small inner class used to hold all of the command line option
* state.
*/
protected static class CLIState extends CLIStateBase
{
public int algorithm = 8;
public int keylength = 1024;
public boolean useLargeE = true;
public String outputfile = null;
public File keydir = null;
public boolean zoneKey = true;
public boolean kskFlag = false;
public String owner = null;
public long ttl = 86400;
protected static class CLIState extends CLIStateBase {
public int algorithm = 8;
public int keylength = 1024;
public boolean useLargeE = true;
public String outputfile = null;
public File keydir = null;
public boolean zoneKey = true;
public boolean kskFlag = false;
public String owner = null;
public long ttl = 86400;
public CLIState()
{
public CLIState() {
super("jdnssec-keygen [..options..] name");
}
/**
* Set up the command line options.
*/
protected void setupOptions(Options opts)
{
@Override
protected void setupOptions(Options opts) {
// boolean options
opts.addOption("k", "kskflag", false,
"Key is a key-signing-key (sets the SEP flag).");
"Key is a key-signing-key (sets the SEP flag).");
opts.addOption("e", "large-exponent", false, "Use large RSA exponent (default)");
opts.addOption("E", "small-exponent", false, "Use small RSA exponent");
// Argument options
OptionBuilder.hasArg();
OptionBuilder.withLongOpt("nametype");
OptionBuilder.withArgName("type");
OptionBuilder.withDescription("ZONE | OTHER (default ZONE)");
opts.addOption(OptionBuilder.create('n'));
opts.addOption(
Option.builder("n").longOpt("nametype").hasArg().argName("type").desc("ZONE | OTHER (default ZONE)").build());
String[] algStrings = DnsKeyAlgorithm.getInstance().supportedAlgMnemonics();
OptionBuilder.hasArg();
OptionBuilder.withArgName("algorithm");
OptionBuilder.withDescription(String.join(" | ", algStrings) +
" | alias, RSASHA256 is default.");
opts.addOption(OptionBuilder.create('a'));
String algStringSet = String.join(" | ", algStrings);
opts.addOption(Option.builder("a").hasArg().argName("algorithm")
.desc(algStringSet + " | alias, RSASHA256 is default.").build());
OptionBuilder.hasArg();
OptionBuilder.withArgName("size");
OptionBuilder.withDescription("key size, in bits. default is 1024. "
+ "RSA: [512..4096], DSA: [512..1024], DH: [128..4096], "
+ "ECDSA: ignored");
opts.addOption(OptionBuilder.create('b'));
opts.addOption(Option.builder("b").hasArg().argName("size").desc(
"key size, in bits (default 1024). RSA: [512..4096], DSA: [512..1024], DH: [128..4096], ECDSA: ignored, EdDSA: ignored")
.build());
opts.addOption(Option.builder("f").hasArg().argName("file").longOpt("output-file")
.desc("base filename from the public/private key files").build());
opts.addOption(Option.builder("d").hasArg().argName("dir").longOpt("keydir")
.desc("generated keyfiles are written to this directory").build());
opts.addOption(Option.builder("T").hasArg().argName("ttl").longOpt("ttl")
.desc("use this TTL for the generated DNSKEY records (default: 86400").build());
OptionBuilder.hasArg();
OptionBuilder.withArgName("file");
OptionBuilder.withLongOpt("output-file");
OptionBuilder.withDescription("base filename for the public/private key files");
opts.addOption(OptionBuilder.create('f'));
OptionBuilder.hasArg();
OptionBuilder.withLongOpt("keydir");
OptionBuilder.withArgName("dir");
OptionBuilder.withDescription("place generated key files in this " + "directory");
opts.addOption(OptionBuilder.create('d'));
}
@Override
protected void processOptions(CommandLine cli)
throws org.apache.commons.cli.ParseException
{
throws org.apache.commons.cli.ParseException {
String optstr = null;
String[] optstrs = null;
if (cli.hasOption('k')) kskFlag = true;
if (cli.hasOption('e')) useLargeE = true;
if (cli.hasOption('k'))
kskFlag = true;
if (cli.hasOption('e'))
useLargeE = true;
outputfile = cli.getOptionValue('f');
if ((optstr = cli.getOptionValue('d')) != null)
{
if ((optstr = cli.getOptionValue('d')) != null) {
keydir = new File(optstr);
}
if ((optstr = cli.getOptionValue('n')) != null)
{
if (!optstr.equalsIgnoreCase("ZONE"))
{
zoneKey = false;
}
if ((optstr = cli.getOptionValue('n')) != null && !optstr.equalsIgnoreCase("ZONE")) {
zoneKey = false;
}
if ((optstrs = cli.getOptionValues('A')) != null)
{
for (int i = 0; i < optstrs.length; i++)
{
if ((optstrs = cli.getOptionValues('A')) != null) {
for (int i = 0; i < optstrs.length; i++) {
addArgAlias(optstrs[i]);
}
}
if ((optstr = cli.getOptionValue('a')) != null)
{
algorithm = parseAlg(optstr);
if (algorithm < 0)
{
if ((optstr = cli.getOptionValue('a')) != null) {
algorithm = CLIState.parseAlg(optstr);
if (algorithm < 0) {
System.err.println("DNSSEC algorithm " + optstr + " is not supported");
usage();
}
}
if ((optstr = cli.getOptionValue('b')) != null)
{
if ((optstr = cli.getOptionValue('b')) != null) {
keylength = parseInt(optstr, 1024);
}
if ((optstr = cli.getOptionValue("ttl")) != null)
{
if ((optstr = cli.getOptionValue("ttl")) != null) {
ttl = parseInt(optstr, 86400);
}
String[] cl_args = cli.getArgs();
String[] args = cli.getArgs();
if (cl_args.length < 1)
{
if (args.length < 1) {
System.err.println("error: missing key owner name");
usage();
}
owner = cl_args[0];
owner = args[0];
}
private static int parseAlg(String s) {
DnsKeyAlgorithm algs = DnsKeyAlgorithm.getInstance();
int alg = parseInt(s, -1);
if (alg > 0) {
if (algs.supportedAlgorithm(alg))
return alg;
return -1;
}
return algs.stringToAlgorithm(s);
}
}
private static int parseAlg(String s)
{
DnsKeyAlgorithm algs = DnsKeyAlgorithm.getInstance();
int alg = parseInt(s, -1);
if (alg > 0)
{
if (algs.supportedAlgorithm(alg)) return alg;
return -1;
}
return algs.stringToAlgorithm(s);
}
public void execute() throws Exception
{
public void execute() throws Exception {
JCEDnsSecSigner signer = new JCEDnsSecSigner();
// Minor hack to make the owner name absolute.
if (!state.owner.endsWith("."))
{
if (!state.owner.endsWith(".")) {
state.owner = state.owner + ".";
}
Name owner_name = Name.fromString(state.owner);
Name ownerName = Name.fromString(state.owner);
// Calculate our flags
int flags = 0;
if (state.zoneKey) flags |= DNSKEYRecord.Flags.ZONE_KEY;
if (state.kskFlag) flags |= DNSKEYRecord.Flags.SEP_KEY;
if (state.zoneKey)
flags |= DNSKEYRecord.Flags.ZONE_KEY;
if (state.kskFlag)
flags |= DNSKEYRecord.Flags.SEP_KEY;
log.fine("create key pair with (name = " + owner_name + ", ttl = " + state.ttl
log.fine("create key pair with (name = " + ownerName + ", ttl = " + state.ttl
+ ", alg = " + state.algorithm + ", flags = " + flags + ", length = "
+ state.keylength + ")");
DnsKeyPair pair = signer.generateKey(owner_name, state.ttl, DClass.IN,
state.algorithm, flags, state.keylength,
state.useLargeE);
DnsKeyPair pair = signer.generateKey(ownerName, state.ttl, DClass.IN,
state.algorithm, flags, state.keylength,
state.useLargeE);
if (state.outputfile != null)
{
if (state.outputfile != null) {
BINDKeyUtils.writeKeyFiles(state.outputfile, pair, state.keydir);
}
else
{
} else {
BINDKeyUtils.writeKeyFiles(pair, state.keydir);
System.out.println(BINDKeyUtils.keyFileBase(pair));
}
}
public static void main(String[] args)
{
public static void main(String[] args) {
KeyGen tool = new KeyGen();
tool.state = new CLIState();

View File

@ -1,4 +1,4 @@
// Copyright (C) 2001-2003, 2011 VeriSign, Inc.
// Copyright (C) 2001-2003, 2011, 2022 VeriSign, Inc.
//
// This library is free software; you can redistribute it and/or
// modify it under the terms of the GNU Lesser General Public
@ -20,60 +20,58 @@ package com.verisignlabs.dnssec.cl;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.RSAPublicKey;
import org.apache.commons.cli.*;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.Options;
import org.apache.commons.cli.ParseException;
import org.xbill.DNS.DNSKEYRecord;
import com.verisignlabs.dnssec.security.*;
import com.verisignlabs.dnssec.security.BINDKeyUtils;
import com.verisignlabs.dnssec.security.DnsKeyAlgorithm;
import com.verisignlabs.dnssec.security.DnsKeyPair;
/**
* This class forms the command line implementation of a key introspection tool.
*
*
* @author David Blacka
*/
public class KeyInfoTool extends CLBase
{
public class KeyInfoTool extends CLBase {
private CLIState state;
/**
* This is a small inner class used to hold all of the command line option
* state.
*/
protected static class CLIState extends CLIStateBase
{
protected static class CLIState extends CLIStateBase {
public String[] keynames = null;
public CLIState()
{
public CLIState() {
super("jdnssec-keyinfo [..options..] keyfile");
}
/**
* Set up the command line options.
*/
protected void setupOptions(Options opts)
{
@Override
protected void setupOptions(Options opts) {
// no special options at the moment.
}
protected void processOptions(CommandLine cli) throws ParseException
{
@Override
protected void processOptions(CommandLine cli) throws ParseException {
keynames = cli.getArgs();
if (keynames.length < 1)
{
if (keynames.length < 1) {
System.err.println("error: missing key file ");
usage();
}
}
}
public void execute() throws Exception
{
for (int i = 0; i < state.keynames.length; ++i)
{
String keyname = state.keynames[i];
DnsKeyPair key = BINDKeyUtils.loadKey(keyname, null);
DNSKEYRecord dnskey = key.getDNSKEYRecord();
public void execute() throws Exception {
for (int i = 0; i < state.keynames.length; ++i) {
String keyname = state.keynames[i];
DnsKeyPair key = BINDKeyUtils.loadKey(keyname, null);
DNSKEYRecord dnskey = key.getDNSKEYRecord();
DnsKeyAlgorithm dnskeyalg = DnsKeyAlgorithm.getInstance();
boolean isSEP = (dnskey.getFlags() & DNSKEYRecord.Flags.SEP_KEY) != 0;
@ -87,32 +85,25 @@ public class KeyInfoTool extends CLBase
System.out.println("ID: " + dnskey.getFootprint());
System.out.println("KeyFileBase: " + BINDKeyUtils.keyFileBase(key));
int basetype = dnskeyalg.baseType(dnskey.getAlgorithm());
switch (basetype)
{
case DnsKeyAlgorithm.RSA: {
RSAPublicKey pub = (RSAPublicKey) key.getPublic();
System.out.println("RSA Public Exponent: " + pub.getPublicExponent());
System.out.println("RSA Modulus: " + pub.getModulus());
break;
}
case DnsKeyAlgorithm.DSA: {
DSAPublicKey pub = (DSAPublicKey) key.getPublic();
System.out.println("DSA base (G): " + pub.getParams().getG());
System.out.println("DSA prime (P): " + pub.getParams().getP());
System.out.println("DSA subprime (Q): " + pub.getParams().getQ());
System.out.println("DSA public (Y): " + pub.getY());
break;
}
if (basetype == DnsKeyAlgorithm.RSA) {
RSAPublicKey pub = (RSAPublicKey) key.getPublic();
System.out.println("RSA Public Exponent: " + pub.getPublicExponent());
System.out.println("RSA Modulus: " + pub.getModulus());
} else if (basetype == DnsKeyAlgorithm.DSA) {
DSAPublicKey pub = (DSAPublicKey) key.getPublic();
System.out.println("DSA base (G): " + pub.getParams().getG());
System.out.println("DSA prime (P): " + pub.getParams().getP());
System.out.println("DSA subprime (Q): " + pub.getParams().getQ());
System.out.println("DSA public (Y): " + pub.getY());
}
if (state.keynames.length - i > 1)
{
if (state.keynames.length - i > 1) {
System.out.println();
}
}
}
public static void main(String[] args)
{
public static void main(String[] args) {
KeyInfoTool tool = new KeyInfoTool();
tool.state = new CLIState();

View File

@ -1,4 +1,4 @@
// Copyright (C) 2001-2003, 2011 VeriSign, Inc.
// Copyright (C) 2001-2003, 2011, 2022 VeriSign, Inc.
//
// This library is free software; you can redistribute it and/or
// modify it under the terms of the GNU Lesser General Public
@ -20,13 +20,13 @@ package com.verisignlabs.dnssec.cl;
import java.io.File;
import java.io.FileFilter;
import java.io.IOException;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Date;
import java.util.Iterator;
import java.util.Collections;
import java.util.List;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.OptionBuilder;
import org.apache.commons.cli.Option;
import org.apache.commons.cli.Options;
import org.xbill.DNS.Name;
import org.xbill.DNS.RRSIGRecord;
@ -34,7 +34,12 @@ import org.xbill.DNS.RRset;
import org.xbill.DNS.Record;
import org.xbill.DNS.Type;
import com.verisignlabs.dnssec.security.*;
import com.verisignlabs.dnssec.security.BINDKeyUtils;
import com.verisignlabs.dnssec.security.DnsKeyPair;
import com.verisignlabs.dnssec.security.DnsSecVerifier;
import com.verisignlabs.dnssec.security.JCEDnsSecSigner;
import com.verisignlabs.dnssec.security.SignUtils;
import com.verisignlabs.dnssec.security.ZoneUtils;
/**
* This class forms the command line implementation of a DNSSEC keyset signer.
@ -43,94 +48,66 @@ import com.verisignlabs.dnssec.security.*;
*
* @author David Blacka
*/
public class SignKeyset extends CLBase
{
public class SignKeyset extends CLBase {
private CLIState state;
/**
* This is an inner class used to hold all of the command line option state.
*/
protected static class CLIState extends CLIStateBase
{
public File keyDirectory = null;
public String[] keyFiles = null;
public Date start = null;
public Date expire = null;
public String inputfile = null;
public String outputfile = null;
public boolean verifySigs = false;
protected static class CLIState extends CLIStateBase {
public File keyDirectory = null;
public String[] keyFiles = null;
public Instant start = null;
public Instant expire = null;
public String inputfile = null;
public String outputfile = null;
public boolean verifySigs = false;
public CLIState()
{
public CLIState() {
super("jdnssec-signkeyset [..options..] dnskeyset_file [key_file ...]");
}
/**
* Set up the command line options.
*/
protected void setupOptions(Options opts)
{
@Override
protected void setupOptions(Options opts) {
// boolean options
opts.addOption("a", "verify", false, "verify generated signatures>");
// Argument options
OptionBuilder.hasArg();
OptionBuilder.withArgName("dir");
OptionBuilder.withLongOpt("key-directory");
OptionBuilder.withDescription("directory to find key files (default '.').");
opts.addOption(OptionBuilder.create('D'));
OptionBuilder.hasArg();
OptionBuilder.withArgName("time/offset");
OptionBuilder.withLongOpt("start-time");
OptionBuilder.withDescription("signature starting time (default is now - 1 hour)");
opts.addOption(OptionBuilder.create('s'));
OptionBuilder.hasArg();
OptionBuilder.withArgName("time/offset");
OptionBuilder.withLongOpt("expire-time");
OptionBuilder.withDescription("signature expiration time (default is start-time + 30 days).");
opts.addOption(OptionBuilder.create('e'));
OptionBuilder.hasArg();
OptionBuilder.withArgName("outfile");
OptionBuilder.withDescription("file the signed keyset is written to.");
opts.addOption(OptionBuilder.create('f'));
opts.addOption(Option.builder("D").hasArg().argName("dir").longOpt("key-directory").desc("directory where key files are found (default '.').").build());
opts.addOption(Option.builder("s").hasArg().argName("time/offset").longOpt("start-time").desc("signature starting time (default is now - 1 hour)").build());
opts.addOption(Option.builder("e").hasArg().argName("time/offset").longOpt("expire-time").desc("signature expiration time (default is start-time + 30 days)").build());
opts.addOption(Option.builder("f").hasArg().argName("outfile").desc("file the signed keyset is written to").build());
}
@Override
protected void processOptions(CommandLine cli)
throws org.apache.commons.cli.ParseException
{
throws org.apache.commons.cli.ParseException {
String optstr = null;
if (cli.hasOption('a')) verifySigs = true;
if (cli.hasOption('a'))
verifySigs = true;
if ((optstr = cli.getOptionValue('D')) != null)
{
if ((optstr = cli.getOptionValue('D')) != null) {
keyDirectory = new File(optstr);
if (!keyDirectory.isDirectory())
{
if (!keyDirectory.isDirectory()) {
System.err.println("error: " + optstr + " is not a directory");
usage();
}
}
if ((optstr = cli.getOptionValue('s')) != null)
{
if ((optstr = cli.getOptionValue('s')) != null) {
start = convertDuration(null, optstr);
}
else
{
} else {
// default is now - 1 hour.
start = new Date(System.currentTimeMillis() - (3600 * 1000));
start = Instant.now().minusSeconds(3600);
}
if ((optstr = cli.getOptionValue('e')) != null)
{
if ((optstr = cli.getOptionValue('e')) != null) {
expire = convertDuration(start, optstr);
}
else
{
} else {
expire = convertDuration(start, "+2592000"); // 30 days
}
@ -138,15 +115,13 @@ public class SignKeyset extends CLBase
String[] files = cli.getArgs();
if (files.length < 1)
{
if (files.length < 1) {
System.err.println("error: missing zone file and/or key files");
usage();
}
inputfile = files[0];
if (files.length > 1)
{
if (files.length > 1) {
keyFiles = new String[files.length - 1];
System.arraycopy(files, 1, keyFiles, 0, files.length - 1);
}
@ -156,23 +131,19 @@ public class SignKeyset extends CLBase
/**
* Verify the generated signatures.
*
* @param zonename
* the origin name of the zone.
* @param records
* a list of {@link org.xbill.DNS.Record}s.
* a list of {@link org.xbill.DNS.Record}s.
* @param keypairs
* a list of keypairs used the sign the zone.
* a list of keypairs used the sign the zone.
* @return true if all of the signatures validated.
*/
private static boolean verifySigs(Name zonename, List<Record> records,
List<DnsKeyPair> keypairs)
{
private static boolean verifySigs(List<Record> records,
List<DnsKeyPair> keypairs) {
boolean secure = true;
DnsSecVerifier verifier = new DnsSecVerifier();
for (DnsKeyPair pair : keypairs)
{
for (DnsKeyPair pair : keypairs) {
verifier.addTrustedKey(pair);
}
@ -180,16 +151,15 @@ public class SignKeyset extends CLBase
List<RRset> rrsets = SignUtils.assembleIntoRRsets(records);
for (RRset rrset : rrsets)
{
for (RRset rrset : rrsets) {
// skip unsigned rrsets.
if (!rrset.sigs().hasNext()) continue;
if (rrset.sigs().isEmpty())
continue;
boolean result = verifier.verify(rrset);
if (!result)
{
log.fine("Signatures did not verify for RRset: " + rrset);
if (!result) {
staticLog.fine("Signatures did not verify for RRset: " + rrset);
secure = false;
}
}
@ -201,57 +171,54 @@ public class SignKeyset extends CLBase
* Load the key pairs from the key files.
*
* @param keyfiles
* a string array containing the base names or paths of the keys
* to be loaded.
* @param start_index
* the starting index of keyfiles string array to use. This
* allows us to use the straight command line argument array.
* a string array containing the base names or paths of the
* keys
* to be loaded.
* @param startIndex
* the starting index of keyfiles string array to use. This
* allows us to use the straight command line argument array.
* @param inDirectory
* the directory to look in (may be null).
* the directory to look in (may be null).
* @return a list of keypair objects.
*/
private static List<DnsKeyPair> getKeys(String[] keyfiles, int start_index,
File inDirectory) throws IOException
{
if (keyfiles == null) return null;
private static List<DnsKeyPair> getKeys(String[] keyfiles, int startIndex,
File inDirectory) throws IOException {
if (keyfiles == null)
return Collections.emptyList();
int len = keyfiles.length - start_index;
if (len <= 0) return null;
int len = keyfiles.length - startIndex;
if (len <= 0)
return Collections.emptyList();
ArrayList<DnsKeyPair> keys = new ArrayList<DnsKeyPair>(len);
ArrayList<DnsKeyPair> keys = new ArrayList<>(len);
for (int i = start_index; i < keyfiles.length; i++)
{
for (int i = startIndex; i < keyfiles.length; i++) {
DnsKeyPair k = BINDKeyUtils.loadKeyPair(keyfiles[i], inDirectory);
if (k != null) keys.add(k);
if (k != null)
keys.add(k);
}
return keys;
}
private static class KeyFileFilter implements FileFilter
{
private static class KeyFileFilter implements FileFilter {
private String prefix;
public KeyFileFilter(Name origin)
{
public KeyFileFilter(Name origin) {
prefix = "K" + origin.toString();
}
public boolean accept(File pathname)
{
if (!pathname.isFile()) return false;
public boolean accept(File pathname) {
if (!pathname.isFile())
return false;
String name = pathname.getName();
if (name.startsWith(prefix) && name.endsWith(".private")) return true;
return false;
return (name.startsWith(prefix) && name.endsWith(".private"));
}
}
private static List<DnsKeyPair> findZoneKeys(File inDirectory, Name zonename)
throws IOException
{
if (inDirectory == null)
{
throws IOException {
if (inDirectory == null) {
inDirectory = new File(".");
}
@ -260,53 +227,43 @@ public class SignKeyset extends CLBase
File[] files = inDirectory.listFiles(filter);
// read in all of the records
ArrayList<DnsKeyPair> keys = new ArrayList<DnsKeyPair>();
for (int i = 0; i < files.length; i++)
{
ArrayList<DnsKeyPair> keys = new ArrayList<>();
for (int i = 0; i < files.length; i++) {
DnsKeyPair p = BINDKeyUtils.loadKeyPair(files[i].getName(), inDirectory);
keys.add(p);
}
if (keys.size() > 0) return keys;
return null;
return keys;
}
@SuppressWarnings("unchecked")
public void execute() throws Exception
{
public void execute() throws Exception {
// Read in the zone
List<Record> records = ZoneUtils.readZoneFile(state.inputfile, null);
if (records == null || records.size() == 0)
{
if (records == null || records.isEmpty()) {
System.err.println("error: empty keyset file");
state.usage();
}
// Make sure that all records are DNSKEYs with the same name.
Name keysetName = null;
RRset keyset = new RRset();
Name keysetName = null;
RRset keyset = new RRset();
for (Record r : records)
{
if (r.getType() != Type.DNSKEY)
{
for (Record r : records) {
if (r.getType() != Type.DNSKEY) {
System.err.println("error: Non DNSKEY RR found in keyset: " + r);
continue;
}
if (keysetName == null)
{
if (keysetName == null) {
keysetName = r.getName();
}
if (!r.getName().equals(keysetName))
{
if (!r.getName().equals(keysetName)) {
System.err.println("error: DNSKEY with a different name found!");
state.usage();
}
keyset.addRR(r);
}
if (keyset.size() == 0)
{
if (keyset.size() == 0) {
System.err.println("error: No DNSKEYs found in keyset file");
state.usage();
}
@ -317,27 +274,22 @@ public class SignKeyset extends CLBase
// If we *still* don't have any key pairs, look for keys the key
// directory
// that match
if (keypairs == null)
{
if (keypairs == null) {
keypairs = findZoneKeys(state.keyDirectory, keysetName);
}
// If there *still* aren't any ZSKs defined, bail.
if (keypairs == null || keypairs.size() == 0)
{
if (keypairs == null || keypairs.isEmpty() || keysetName == null) {
System.err.println("error: No signing keys could be determined.");
state.usage();
return;
}
// default the output file, if not set.
if (state.outputfile == null)
{
if (keysetName.isAbsolute())
{
if (state.outputfile == null) {
if (keysetName.isAbsolute()) {
state.outputfile = keysetName + "signed_keyset";
}
else
{
} else {
state.outputfile = keysetName + ".signed_keyset";
}
}
@ -345,46 +297,36 @@ public class SignKeyset extends CLBase
JCEDnsSecSigner signer = new JCEDnsSecSigner();
List<RRSIGRecord> sigs = signer.signRRset(keyset, keypairs, state.start, state.expire);
for (RRSIGRecord s : sigs)
{
for (RRSIGRecord s : sigs) {
keyset.addRR(s);
}
// write out the signed RRset
List<Record> signed_records = new ArrayList<Record>();
for (Iterator<Record> i = keyset.rrs(); i.hasNext();)
{
signed_records.add(i.next());
List<Record> signedRecords = new ArrayList<>();
for (Record r : keyset.rrs()) {
signedRecords.add(r);
}
for (Iterator<Record> i = keyset.sigs(); i.hasNext();)
{
signed_records.add(i.next());
for (RRSIGRecord s : keyset.sigs()) {
signedRecords.add(s);
}
// write out the signed zone
ZoneUtils.writeZoneFile(signed_records, state.outputfile);
ZoneUtils.writeZoneFile(signedRecords, state.outputfile);
if (state.verifySigs)
{
if (state.verifySigs) {
log.fine("verifying generated signatures");
boolean res = verifySigs(keysetName, signed_records, keypairs);
boolean res = verifySigs(signedRecords, keypairs);
if (res)
{
if (res) {
System.out.println("Generated signatures verified");
// log.info("Generated signatures verified");
}
else
{
} else {
System.out.println("Generated signatures did not verify.");
// log.warn("Generated signatures did not verify.");
}
}
}
public static void main(String[] args)
{
public static void main(String[] args) {
SignKeyset tool = new SignKeyset();
tool.state = new CLIState();

View File

@ -1,4 +1,4 @@
// Copyright (C) 2001-2003, 2011 VeriSign, Inc.
// Copyright (C) 2001-2003, 2011, 2022 VeriSign, Inc.
//
// This library is free software; you can redistribute it and/or
// modify it under the terms of the GNU Lesser General Public
@ -19,22 +19,26 @@ package com.verisignlabs.dnssec.cl;
import java.io.File;
import java.io.IOException;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Date;
import java.util.Iterator;
import java.util.Collections;
import java.util.List;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.OptionBuilder;
import org.apache.commons.cli.Option;
import org.apache.commons.cli.Options;
import org.xbill.DNS.Name;
import org.xbill.DNS.RRSIGRecord;
import org.xbill.DNS.RRset;
import org.xbill.DNS.Record;
import org.xbill.DNS.Type;
import com.verisignlabs.dnssec.security.*;
import com.verisignlabs.dnssec.security.BINDKeyUtils;
import com.verisignlabs.dnssec.security.DnsKeyPair;
import com.verisignlabs.dnssec.security.DnsSecVerifier;
import com.verisignlabs.dnssec.security.JCEDnsSecSigner;
import com.verisignlabs.dnssec.security.SignUtils;
import com.verisignlabs.dnssec.security.ZoneUtils;
/**
* This class forms the command line implementation of a DNSSEC RRset signer.
@ -45,95 +49,72 @@ import com.verisignlabs.dnssec.security.*;
*
* @author David Blacka
*/
public class SignRRset extends CLBase
{
public class SignRRset extends CLBase {
private CLIState state;
/**
* This is an inner class used to hold all of the command line option state.
*/
protected static class CLIState extends CLIStateBase
{
private File keyDirectory = null;
public String[] keyFiles = null;
public Date start = null;
public Date expire = null;
public String inputfile = null;
public String outputfile = null;
public boolean verifySigs = false;
public boolean verboseSigning = false;
protected static class CLIState extends CLIStateBase {
private File keyDirectory = null;
public String[] keyFiles = null;
public Instant start = null;
public Instant expire = null;
public String inputfile = null;
public String outputfile = null;
public boolean verifySigs = false;
public boolean verboseSigning = false;
public CLIState()
{
public CLIState() {
super("jdnssec-signrrset [..options..] rrset_file key_file [key_file ...]");
}
/**
* Set up the command line options.
*/
protected void setupOptions(Options opts)
{
@Override
protected void setupOptions(Options opts) {
// boolean options
opts.addOption("a", "verify", false, "verify generated signatures>");
opts.addOption("V", "verbose-signing", false, "Display verbose signing activity.");
OptionBuilder.hasArg();
OptionBuilder.withArgName("dir");
OptionBuilder.withLongOpt("key-directory");
OptionBuilder.withDescription("directory to find key files (default '.').");
opts.addOption(OptionBuilder.create('D'));
OptionBuilder.hasArg();
OptionBuilder.withArgName("time/offset");
OptionBuilder.withLongOpt("start-time");
OptionBuilder.withDescription("signature starting time (default is now - 1 hour)");
opts.addOption(OptionBuilder.create('s'));
OptionBuilder.hasArg();
OptionBuilder.withArgName("time/offset");
OptionBuilder.withLongOpt("expire-time");
OptionBuilder.withDescription("signature expiration time (default is start-time + 30 days).");
opts.addOption(OptionBuilder.create('e'));
OptionBuilder.hasArg();
OptionBuilder.withArgName("outfile");
OptionBuilder.withDescription("file the signed rrset is written to.");
opts.addOption(OptionBuilder.create('f'));
opts.addOption(Option.builder("D").hasArg().argName("dir").longOpt("key-directory")
.desc("directory to find key files (default '.'").build());
opts.addOption(Option.builder("s").hasArg().argName("time/offset").longOpt("start-time")
.desc("signature starting time (default is now - 1 hour)").build());
opts.addOption(Option.builder("e").hasArg().argName("time/offset").longOpt("expire-time")
.desc("signature expiration time (default is start-time + 30 days)").build());
opts.addOption(
Option.builder("f").hasArg().argName("outfile").desc("file the the signed rrset is written to").build());
}
protected void processOptions(CommandLine cli) throws org.apache.commons.cli.ParseException
{
@Override
protected void processOptions(CommandLine cli) throws org.apache.commons.cli.ParseException {
String optstr = null;
if (cli.hasOption('a')) verifySigs = true;
if (cli.hasOption('V')) verboseSigning = true;
if (cli.hasOption('a'))
verifySigs = true;
if (cli.hasOption('V'))
verboseSigning = true;
if ((optstr = cli.getOptionValue('D')) != null)
{
if ((optstr = cli.getOptionValue('D')) != null) {
keyDirectory = new File(optstr);
if (!keyDirectory.isDirectory())
{
if (!keyDirectory.isDirectory()) {
System.err.println("error: " + optstr + " is not a directory");
usage();
}
}
if ((optstr = cli.getOptionValue('s')) != null)
{
if ((optstr = cli.getOptionValue('s')) != null) {
start = convertDuration(null, optstr);
}
else
{
} else {
// default is now - 1 hour.
start = new Date(System.currentTimeMillis() - (3600 * 1000));
start = Instant.now().minusSeconds(3600);
}
if ((optstr = cli.getOptionValue('e')) != null)
{
if ((optstr = cli.getOptionValue('e')) != null) {
expire = convertDuration(start, optstr);
}
else
{
} else {
expire = convertDuration(start, "+2592000"); // 30 days
}
@ -141,15 +122,13 @@ public class SignRRset extends CLBase
String[] files = cli.getArgs();
if (files.length < 1)
{
if (files.length < 1) {
System.err.println("error: missing zone file and/or key files");
usage();
}
inputfile = files[0];
if (files.length > 1)
{
if (files.length > 1) {
keyFiles = new String[files.length - 1];
System.arraycopy(files, 1, keyFiles, 0, files.length - 1);
}
@ -159,22 +138,18 @@ public class SignRRset extends CLBase
/**
* Verify the generated signatures.
*
* @param zonename
* the origin name of the zone.
* @param records
* a list of {@link org.xbill.DNS.Record}s.
* a list of {@link org.xbill.DNS.Record}s.
* @param keypairs
* a list of keypairs used the sign the zone.
* a list of keypairs used the sign the zone.
* @return true if all of the signatures validated.
*/
private static boolean verifySigs(Name zonename, List<Record> records, List<DnsKeyPair> keypairs)
{
private static boolean verifySigs(List<Record> records, List<DnsKeyPair> keypairs) {
boolean secure = true;
DnsSecVerifier verifier = new DnsSecVerifier();
for (DnsKeyPair pair : keypairs)
{
for (DnsKeyPair pair : keypairs) {
verifier.addTrustedKey(pair);
}
@ -182,16 +157,16 @@ public class SignRRset extends CLBase
List<RRset> rrsets = SignUtils.assembleIntoRRsets(records);
for (RRset rrset : rrsets)
{
for (RRset rrset : rrsets) {
// skip unsigned rrsets.
if (!rrset.sigs().hasNext()) continue;
if (rrset.sigs().isEmpty()) {
continue;
}
boolean result = verifier.verify(rrset);
if (!result)
{
log.fine("Signatures did not verify for RRset: " + rrset);
if (!result) {
staticLog.fine("Signatures did not verify for RRset: " + rrset);
secure = false;
}
}
@ -203,41 +178,40 @@ public class SignRRset extends CLBase
* Load the key pairs from the key files.
*
* @param keyfiles
* a string array containing the base names or paths of the keys
* to be loaded.
* @param start_index
* the starting index of keyfiles string array to use. This
* allows us to use the straight command line argument array.
* a string array containing the base names or paths of the
* keys
* to be loaded.
* @param startIndex
* the starting index of keyfiles string array to use. This
* allows us to use the straight command line argument array.
* @param inDirectory
* the directory to look in (may be null).
* the directory to look in (may be null).
* @return a list of keypair objects.
*/
private static List<DnsKeyPair> getKeys(String[] keyfiles, int start_index,
File inDirectory) throws IOException
{
if (keyfiles == null) return null;
private static List<DnsKeyPair> getKeys(String[] keyfiles, int startIndex,
File inDirectory) throws IOException {
if (keyfiles == null)
return Collections.emptyList();
int len = keyfiles.length - start_index;
if (len <= 0) return null;
int len = keyfiles.length - startIndex;
if (len <= 0)
return Collections.emptyList();
ArrayList<DnsKeyPair> keys = new ArrayList<DnsKeyPair>(len);
ArrayList<DnsKeyPair> keys = new ArrayList<>(len);
for (int i = start_index; i < keyfiles.length; i++)
{
for (int i = startIndex; i < keyfiles.length; i++) {
DnsKeyPair k = BINDKeyUtils.loadKeyPair(keyfiles[i], inDirectory);
if (k != null) keys.add(k);
if (k != null)
keys.add(k);
}
return keys;
}
@SuppressWarnings("unchecked")
public void execute() throws Exception
{
public void execute() throws Exception {
// Read in the zone
List<Record> records = ZoneUtils.readZoneFile(state.inputfile, null);
if (records == null || records.size() == 0)
{
if (records == null || records.isEmpty()) {
System.err.println("error: empty RRset file");
state.usage();
}
@ -245,44 +219,37 @@ public class SignRRset extends CLBase
// consist of more than one RRset.
RRset rrset = null;
for (Record r : records)
{
for (Record r : records) {
// skip RRSIGs
if (r.getType() == Type.RRSIG || r.getType() == Type.SIG)
{
if (r.getType() == Type.RRSIG || r.getType() == Type.SIG) {
continue;
}
// Handle the first record.
if (rrset == null)
{
if (rrset == null) {
rrset = new RRset();
rrset.addRR(r);
continue;
}
// Ensure that the remaining records all belong to the same rrset.
if (rrset.getName().equals(r.getName()) && rrset.getType() == r.getType()
&& rrset.getDClass() == r.getDClass())
{
&& rrset.getDClass() == r.getDClass()) {
rrset.addRR(r);
}
else
{
} else {
System.err.println("Records do not all belong to the same RRset.");
state.usage();
}
}
if (rrset.size() == 0)
{
if (rrset == null || rrset.size() == 0) {
System.err.println("No records found in inputfile.");
state.usage();
return;
}
// Load the key pairs.
if (state.keyFiles.length == 0)
{
if (state.keyFiles.length == 0) {
System.err.println("error: at least one keyfile must be specified");
state.usage();
}
@ -293,69 +260,55 @@ public class SignRRset extends CLBase
// This will be used as the zone name, too.
Name keysetName = null;
for (DnsKeyPair pair : keypairs)
{
if (keysetName == null)
{
for (DnsKeyPair pair : keypairs) {
if (keysetName == null) {
keysetName = pair.getDNSKEYName();
continue;
}
if (!pair.getDNSKEYName().equals(keysetName))
{
if (!pair.getDNSKEYName().equals(keysetName)) {
System.err.println("Keys do not all have the same name.");
state.usage();
}
}
// default the output file, if not set.
if (state.outputfile == null && !state.inputfile.equals("-"))
{
if (state.outputfile == null && !state.inputfile.equals("-")) {
state.outputfile = state.inputfile + ".signed";
}
JCEDnsSecSigner signer = new JCEDnsSecSigner(state.verboseSigning);
List<RRSIGRecord> sigs = signer.signRRset(rrset, keypairs, state.start, state.expire);
for (RRSIGRecord s : sigs)
{
for (RRSIGRecord s : sigs) {
rrset.addRR(s);
}
// write out the signed RRset
List<Record> signed_records = new ArrayList<Record>();
for (Iterator<Record> i = rrset.rrs(); i.hasNext();)
{
signed_records.add(i.next());
List<Record> signedRecords = new ArrayList<>();
for (Record r : rrset.rrs()) {
signedRecords.add(r);
}
for (Iterator<Record> i = rrset.sigs(); i.hasNext();)
{
signed_records.add(i.next());
for (RRSIGRecord sigrec : rrset.sigs()) {
signedRecords.add(sigrec);
}
// write out the signed zone
ZoneUtils.writeZoneFile(signed_records, state.outputfile);
ZoneUtils.writeZoneFile(signedRecords, state.outputfile);
if (state.verifySigs)
{
if (state.verifySigs) {
log.fine("verifying generated signatures");
boolean res = verifySigs(keysetName, signed_records, keypairs);
boolean res = verifySigs(signedRecords, keypairs);
if (res)
{
if (res) {
System.out.println("Generated signatures verified");
// log.info("Generated signatures verified");
}
else
{
} else {
System.out.println("Generated signatures did not verify.");
// log.warn("Generated signatures did not verify.");
}
}
}
public static void main(String[] args)
{
public static void main(String[] args) {
SignRRset tool = new SignRRset();
tool.state = new CLIState();

View File

@ -1,4 +1,4 @@
// Copyright (C) 2001-2003, 2011 VeriSign, Inc.
// Copyright (C) 2001-2003, 2011, 2022 VeriSign, Inc.
//
// This library is free software; you can redistribute it and/or
// modify it under the terms of the GNU Lesser General Public
@ -22,19 +22,19 @@ import java.io.File;
import java.io.FileFilter;
import java.io.FileReader;
import java.io.IOException;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Date;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Random;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.OptionBuilder;
import org.apache.commons.cli.Option;
import org.apache.commons.cli.Options;
import org.apache.commons.cli.ParseException;
import org.xbill.DNS.DNSKEYRecord;
import org.xbill.DNS.DSRecord;
import org.xbill.DNS.DNSSEC;
import org.xbill.DNS.Name;
import org.xbill.DNS.RRset;
import org.xbill.DNS.Record;
@ -51,182 +51,127 @@ import com.verisignlabs.dnssec.security.ZoneUtils;
/**
* This class forms the command line implementation of a DNSSEC zone signer.
*
*
* @author David Blacka
*/
public class SignZone extends CLBase
{
public class SignZone extends CLBase {
private CLIState state;
/**
* This is an inner class used to hold all of the command line option state.
*/
private static class CLIState extends CLIStateBase
{
public File keyDirectory = null;
public File keysetDirectory = null;
public String[] kskFiles = null;
public String[] keyFiles = null;
public String zonefile = null;
public Date start = null;
public Date expire = null;
public String outputfile = null;
public boolean verifySigs = false;
public boolean useOptOut = false;
public boolean fullySignKeyset = false;
public List<Name> includeNames = null;
public boolean useNsec3 = false;
public byte[] salt = null;
public int iterations = 0;
public int digest_id = DSRecord.SHA1_DIGEST_ID;
public long nsec3paramttl = -1;
public boolean verboseSigning = false;
private static class CLIState extends CLIStateBase {
public File keyDirectory = null;
public File keysetDirectory = null;
public String[] kskFiles = null;
public String[] keyFiles = null;
public String zonefile = null;
public Instant start = null;
public Instant expire = null;
public String outputfile = null;
public boolean verifySigs = false;
public boolean useOptOut = false;
public boolean fullySignKeyset = false;
public List<Name> includeNames = null;
public boolean useNsec3 = false;
public byte[] salt = null;
public int iterations = 0;
public int digestId = DNSSEC.Digest.SHA1;
public long nsec3paramttl = -1;
public boolean verboseSigning = false;
public CLIState()
{
public CLIState() {
super("jdnssec-signzone [..options..] zone_file [key_file ...]");
}
protected void setupOptions(Options opts)
{
@Override
protected void setupOptions(Options opts) {
// boolean options
opts.addOption("a", "verify", false, "verify generated signatures>");
opts.addOption("F", "fully-sign-keyset", false,
"sign the zone apex keyset with all available keys.");
"sign the zone apex keyset with all available keys.");
opts.addOption("V", "verbose-signing", false, "Display verbose signing activity.");
// Argument options
OptionBuilder.hasArg();
OptionBuilder.withArgName("dir");
OptionBuilder.withLongOpt("keyset-directory");
OptionBuilder.withDescription("directory to find keyset files (default '.').");
opts.addOption(OptionBuilder.create('d'));
OptionBuilder.hasArg();
OptionBuilder.withArgName("dir");
OptionBuilder.withLongOpt("key-directory");
OptionBuilder.withDescription("directory to find key files (default '.').");
opts.addOption(OptionBuilder.create('D'));
OptionBuilder.hasArg();
OptionBuilder.withArgName("time/offset");
OptionBuilder.withLongOpt("start-time");
OptionBuilder.withDescription("signature starting time (default is now - 1 hour)");
opts.addOption(OptionBuilder.create('s'));
OptionBuilder.hasArg();
OptionBuilder.withArgName("time/offset");
OptionBuilder.withLongOpt("expire-time");
OptionBuilder.withDescription("signature expiration time (default is start-time + 30 days).");
opts.addOption(OptionBuilder.create('e'));
OptionBuilder.hasArg();
OptionBuilder.withArgName("outfile");
OptionBuilder.withDescription("file the signed zone is written to (default is <origin>.signed).");
opts.addOption(OptionBuilder.create('f'));
OptionBuilder.hasArgs();
OptionBuilder.withArgName("KSK file");
OptionBuilder.withLongOpt("ksk-file");
OptionBuilder.withDescription("this key is a key signing key (may repeat).");
opts.addOption(OptionBuilder.create('k'));
OptionBuilder.hasArg();
OptionBuilder.withArgName("file");
OptionBuilder.withLongOpt("include-file");
OptionBuilder.withDescription("include names in this file in the NSEC/NSEC3 chain.");
opts.addOption(OptionBuilder.create('I'));
opts.addOption(Option.builder("d").hasArg().argName("dir").longOpt("keyset-directory")
.desc("directory to find keyset files (default '.')").build());
opts.addOption(Option.builder("D").hasArg().argName("dir").longOpt("key-directory")
.desc("directory to find key files (default '.'").build());
opts.addOption(Option.builder("s").hasArg().argName("time/offset").longOpt("start-time")
.desc("signature starting time (default is now - 1 hour)").build());
opts.addOption(Option.builder("e").hasArg().argName("time/offset").longOpt("expire-time")
.desc("signature expiration time (default is start-time + 30 days)").build());
opts.addOption(
Option.builder("f").hasArg().argName("outfile").desc("file the the signed rrset is written to").build());
opts.addOption(Option.builder("k").hasArgs().argName("KSK file").longOpt("ksk-file")
.desc("This key is a Key-Signing Key (may repeat)").build());
opts.addOption(Option.builder("I").hasArg().argName("file").longOpt("include-file")
.desc("include names in the file in the NSEC/NSEC3 chain").build());
// NSEC3 options
opts.addOption("3", "use-nsec3", false, "use NSEC3 instead of NSEC");
opts.addOption("O", "use-opt-out", false,
"generate a fully Opt-Out zone (only valid with NSEC3).");
"generate a fully Opt-Out zone (only valid with NSEC3).");
opts.addOption(
Option.builder("S").hasArg().argName("hex value").longOpt("salt").desc("Supply a salt value").build());
opts.addOption(Option.builder("R").hasArg().argName("length").longOpt("random-salt")
.desc("Generate a random salt of <length>").build());
opts.addOption(Option.builder("H").hasArg().argName("count").longOpt("iterations")
.desc("Use this many addtional iterations in NSEC3 (default 0)").build());
opts.addOption(Option.builder().hasArg().longOpt("nsec3paramttl").argName("ttl")
.desc("Use this TTL for the NSEC3PARAM record (default is min(soa.min, soa.ttl))").build());
opts.addOption(Option.builder().hasArg().argName("id").longOpt("ds-digest")
.desc("Digest algorithm to use for generated DS records").build());
OptionBuilder.hasArg();
OptionBuilder.withLongOpt("salt");
OptionBuilder.withArgName("hex value");
OptionBuilder.withDescription("supply a salt value.");
opts.addOption(OptionBuilder.create('S'));
OptionBuilder.hasArg();
OptionBuilder.withLongOpt("random-salt");
OptionBuilder.withArgName("length");
OptionBuilder.withDescription("generate a random salt.");
opts.addOption(OptionBuilder.create('R'));
OptionBuilder.hasArg();
OptionBuilder.withLongOpt("iterations");
OptionBuilder.withArgName("value");
OptionBuilder.withDescription("use this value for the iterations in NSEC3.");
opts.addOption(OptionBuilder.create());
OptionBuilder.hasArg();
OptionBuilder.withLongOpt("nsec3paramttl");
OptionBuilder.withArgName("ttl");
OptionBuilder.withDescription("use this value for the NSEC3PARAM RR ttl");
opts.addOption(OptionBuilder.create());
OptionBuilder.hasArg();
OptionBuilder.withArgName("id");
OptionBuilder.withLongOpt("ds-digest");
OptionBuilder.withDescription("Digest algorithm to use for generated DSs");
opts.addOption(OptionBuilder.create());
}
protected void processOptions(CommandLine cli) throws ParseException
{
@Override
protected void processOptions(CommandLine cli) throws ParseException {
String optstr = null;
if (cli.hasOption('a')) verifySigs = true;
if (cli.hasOption('3')) useNsec3 = true;
if (cli.hasOption('O')) useOptOut = true;
if (cli.hasOption('V')) verboseSigning = true;
if (cli.hasOption('a'))
verifySigs = true;
if (cli.hasOption('3'))
useNsec3 = true;
if (cli.hasOption('O'))
useOptOut = true;
if (cli.hasOption('V'))
verboseSigning = true;
if (useOptOut && !useNsec3)
{
if (useOptOut && !useNsec3) {
System.err.println("Opt-Out not supported without NSEC3 -- ignored.");
useOptOut = false;
}
if (cli.hasOption('F')) fullySignKeyset = true;
if (cli.hasOption('F'))
fullySignKeyset = true;
if ((optstr = cli.getOptionValue('d')) != null)
{
if ((optstr = cli.getOptionValue('d')) != null) {
keysetDirectory = new File(optstr);
if (!keysetDirectory.isDirectory())
{
if (!keysetDirectory.isDirectory()) {
System.err.println("error: " + optstr + " is not a directory");
usage();
}
}
if ((optstr = cli.getOptionValue('D')) != null)
{
if ((optstr = cli.getOptionValue('D')) != null) {
keyDirectory = new File(optstr);
if (!keyDirectory.isDirectory())
{
if (!keyDirectory.isDirectory()) {
System.err.println("error: " + optstr + " is not a directory");
usage();
}
}
if ((optstr = cli.getOptionValue('s')) != null)
{
if ((optstr = cli.getOptionValue('s')) != null) {
start = CLBase.convertDuration(null, optstr);
}
else
{
} else {
// default is now - 1 hour.
start = new Date(System.currentTimeMillis() - (3600 * 1000));
start = Instant.now().minusSeconds(3600);
}
if ((optstr = cli.getOptionValue('e')) != null)
{
if ((optstr = cli.getOptionValue('e')) != null) {
expire = CLBase.convertDuration(start, optstr);
}
else
{
} else {
expire = CLBase.convertDuration(start, "+2592000"); // 30 days
}
@ -234,102 +179,115 @@ public class SignZone extends CLBase
kskFiles = cli.getOptionValues('k');
if ((optstr = cli.getOptionValue('I')) != null)
{
if ((optstr = cli.getOptionValue('I')) != null) {
File includeNamesFile = new File(optstr);
try
{
includeNames = getNameList(includeNamesFile);
}
catch (IOException e)
{
try {
includeNames = CLIState.getNameList(includeNamesFile);
} catch (IOException e) {
throw new ParseException(e.getMessage());
}
}
if ((optstr = cli.getOptionValue('S')) != null)
{
if ((optstr = cli.getOptionValue('S')) != null) {
salt = base16.fromString(optstr);
if (salt == null && !optstr.equals("-"))
{
if (salt == null && !optstr.equals("-")) {
System.err.println("error: salt is not valid hexidecimal.");
usage();
}
}
if ((optstr = cli.getOptionValue('R')) != null)
{
if ((optstr = cli.getOptionValue('R')) != null) {
int length = parseInt(optstr, 0);
if (length > 0 && length <= 255)
{
if (length > 0 && length <= 255) {
Random random = new Random();
salt = new byte[length];
random.nextBytes(salt);
}
}
if ((optstr = cli.getOptionValue("iterations")) != null)
{
if ((optstr = cli.getOptionValue("iterations")) != null) {
iterations = parseInt(optstr, iterations);
if (iterations < 0 || iterations > 8388607)
{
if (iterations < 0 || iterations > 8388607) {
System.err.println("error: iterations value is invalid");
usage();
}
}
if ((optstr = cli.getOptionValue("ds-digest")) != null)
{
digest_id = parseInt(optstr, -1);
if (digest_id < 0)
{
if ((optstr = cli.getOptionValue("ds-digest")) != null) {
digestId = parseInt(optstr, -1);
if (digestId < 0) {
System.err.println("error: DS digest ID is not a valid identifier");
usage();
}
}
if ((optstr = cli.getOptionValue("nsec3paramttl")) != null)
{
if ((optstr = cli.getOptionValue("nsec3paramttl")) != null) {
nsec3paramttl = parseInt(optstr, -1);
}
String[] files = cli.getArgs();
if (files.length < 1)
{
if (files.length < 1) {
System.err.println("error: missing zone file and/or key files");
usage();
}
zonefile = files[0];
if (files.length > 1)
{
if (files.length > 1) {
keyFiles = new String[files.length - 1];
System.arraycopy(files, 1, keyFiles, 0, files.length - 1);
}
}
/**
* Load a list of DNS names from a file.
*
* @param nameListFile
* the path of a file containing a bare list of DNS names.
* @return a list of {@link org.xbill.DNS.Name} objects.
*/
private static List<Name> getNameList(File nameListFile) throws IOException {
try (BufferedReader br = new BufferedReader(new FileReader(nameListFile))) {
List<Name> res = new ArrayList<>();
String line = null;
while ((line = br.readLine()) != null) {
try {
Name n = Name.fromString(line);
// force the name to be absolute.
// FIXME: we should probably get some fancy logic here to
// detect if the name needs the origin appended, or just the
// root.
if (!n.isAbsolute())
n = Name.concatenate(n, Name.root);
res.add(n);
} catch (TextParseException e) {
staticLog.severe("DNS Name parsing error:" + e);
}
}
return res;
}
}
}
/**
* Verify the generated signatures.
*
* @param zonename
* the origin name of the zone.
*
* @param records
* a list of {@link org.xbill.DNS.Record}s.
* a list of {@link org.xbill.DNS.Record}s.
* @param keypairs
* a list of keypairs used the sign the zone.
* a list of keypairs used the sign the zone.
* @return true if all of the signatures validated.
*/
private static boolean verifyZoneSigs(Name zonename, List<Record> records,
List<DnsKeyPair> keypairs)
{
private static boolean verifyZoneSigs(List<Record> records,
List<DnsKeyPair> keypairs) {
boolean secure = true;
DnsSecVerifier verifier = new DnsSecVerifier();
for (DnsKeyPair pair : keypairs)
{
for (DnsKeyPair pair : keypairs) {
verifier.addTrustedKey(pair);
}
@ -337,16 +295,16 @@ public class SignZone extends CLBase
List<RRset> rrsets = SignUtils.assembleIntoRRsets(records);
for (RRset rrset : rrsets)
{
for (RRset rrset : rrsets) {
// skip unsigned rrsets.
if (!rrset.sigs().hasNext()) continue;
if (rrset.sigs().isEmpty()) {
continue;
}
boolean result = verifier.verify(rrset);
if (!result)
{
log.fine("Signatures did not verify for RRset: " + rrset);
if (!result) {
staticLog.fine("Signatures did not verify for RRset: " + rrset);
secure = false;
}
}
@ -356,83 +314,78 @@ public class SignZone extends CLBase
/**
* Load the key pairs from the key files.
*
*
* @param keyfiles
* a string array containing the base names or paths of the keys to
* be loaded.
* @param start_index
* the starting index of keyfiles string array to use. This allows
* us
* to use the straight command line argument array.
* a string array containing the base names or paths of the
* keys to
* be loaded.
* @param startIndex
* the starting index of keyfiles string array to use. This
* allows
* us
* to use the straight command line argument array.
* @param inDirectory
* the directory to look in (may be null).
* the directory to look in (may be null).
* @return a list of keypair objects.
*/
private static List<DnsKeyPair> getKeys(String[] keyfiles, int start_index,
File inDirectory) throws IOException
{
if (keyfiles == null) return null;
private static List<DnsKeyPair> getKeys(String[] keyfiles, int startIndex,
File inDirectory) throws IOException {
if (keyfiles == null)
return Collections.emptyList();
int len = keyfiles.length - start_index;
if (len <= 0) return null;
int len = keyfiles.length - startIndex;
if (len <= 0)
return Collections.emptyList();
ArrayList<DnsKeyPair> keys = new ArrayList<DnsKeyPair>(len);
ArrayList<DnsKeyPair> keys = new ArrayList<>(len);
for (int i = start_index; i < keyfiles.length; i++)
{
for (int i = startIndex; i < keyfiles.length; i++) {
DnsKeyPair k = BINDKeyUtils.loadKeyPair(keyfiles[i], inDirectory);
if (k != null) keys.add(k);
if (k != null) {
keys.add(k);
}
}
return keys;
}
private static List<DnsKeyPair> getKeys(List<Record> dnskeyrrs, File inDirectory)
throws IOException
{
List<DnsKeyPair> res = new ArrayList<DnsKeyPair>();
for (Record r : dnskeyrrs)
{
if (r.getType() != Type.DNSKEY) continue;
throws IOException {
List<DnsKeyPair> res = new ArrayList<>();
for (Record r : dnskeyrrs) {
if (r.getType() != Type.DNSKEY)
continue;
// Construct a public-key-only DnsKeyPair just so we can calculate the
// base name.
DnsKeyPair pub = new DnsKeyPair((DNSKEYRecord) r);
DnsKeyPair pair = BINDKeyUtils.loadKeyPair(BINDKeyUtils.keyFileBase(pub),
inDirectory);
if (pair != null)
{
inDirectory);
if (pair != null) {
res.add(pair);
}
}
if (res.size() > 0) return res;
return null;
return res;
}
private static class KeyFileFilter implements FileFilter
{
private static class KeyFileFilter implements FileFilter {
private String prefix;
public KeyFileFilter(Name origin)
{
public KeyFileFilter(Name origin) {
prefix = "K" + origin.toString();
}
public boolean accept(File pathname)
{
if (!pathname.isFile()) return false;
public boolean accept(File pathname) {
if (!pathname.isFile())
return false;
String name = pathname.getName();
if (name.startsWith(prefix) && name.endsWith(".private")) return true;
return false;
return (name.startsWith(prefix) && name.endsWith(".private"));
}
}
private static List<DnsKeyPair> findZoneKeys(File inDirectory, Name zonename)
throws IOException
{
if (inDirectory == null)
{
throws IOException {
if (inDirectory == null) {
inDirectory = new File(".");
}
@ -441,51 +394,48 @@ public class SignZone extends CLBase
File[] files = inDirectory.listFiles(filter);
// read in all of the records
ArrayList<DnsKeyPair> keys = new ArrayList<DnsKeyPair>();
for (int i = 0; i < files.length; i++)
{
ArrayList<DnsKeyPair> keys = new ArrayList<>();
for (int i = 0; i < files.length; i++) {
DnsKeyPair p = BINDKeyUtils.loadKeyPair(files[i].getName(), inDirectory);
keys.add(p);
}
if (keys.size() > 0) return keys;
return null;
return keys;
}
/**
* This is an implementation of a file filter used for finding BIND 9-style
* keyset-* files.
*/
private static class KeysetFileFilter implements FileFilter
{
public boolean accept(File pathname)
{
if (!pathname.isFile()) return false;
private static class KeysetFileFilter implements FileFilter {
public boolean accept(File pathname) {
if (!pathname.isFile())
return false;
String name = pathname.getName();
if (name.startsWith("keyset-")) return true;
return false;
return (name.startsWith("keyset-"));
}
}
/**
* Load keysets (which contain delegation point security info).
*
*
* @param inDirectory
* the directory to look for the keyset files (may be null, in
* which
* case it defaults to looking in the current working directory).
* the directory to look for the keyset files (may be null,
* in
* which
* case it defaults to looking in the current working
* directory).
* @param zonename
* the name of the zone we are signing, so we can ignore keysets
* that
* do not belong in the zone.
* the name of the zone we are signing, so we can ignore
* keysets
* that
* do not belong in the zone.
* @return a list of {@link org.xbill.DNS.Record}s found in the keyset
* files.
*/
private static List<Record> getKeysets(File inDirectory, Name zonename)
throws IOException
{
if (inDirectory == null)
{
throws IOException {
if (inDirectory == null) {
inDirectory = new File(".");
}
@ -494,19 +444,16 @@ public class SignZone extends CLBase
File[] files = inDirectory.listFiles(filter);
// read in all of the records
ArrayList<Record> keysetRecords = new ArrayList<Record>();
for (int i = 0; i < files.length; i++)
{
ArrayList<Record> keysetRecords = new ArrayList<>();
for (int i = 0; i < files.length; i++) {
List<Record> l = ZoneUtils.readZoneFile(files[i].getAbsolutePath(), zonename);
keysetRecords.addAll(l);
}
// discard records that do not belong to the zone in question.
for (Iterator<Record> i = keysetRecords.iterator(); i.hasNext();)
{
for (Iterator<Record> i = keysetRecords.iterator(); i.hasNext();) {
Record r = i.next();
if (!r.getName().subdomain(zonename))
{
if (!r.getName().subdomain(zonename)) {
i.remove();
}
}
@ -514,63 +461,25 @@ public class SignZone extends CLBase
return keysetRecords;
}
/**
* Load a list of DNS names from a file.
*
* @param nameListFile
* the path of a file containing a bare list of DNS names.
* @return a list of {@link org.xbill.DNS.Name} objects.
*/
private static List<Name> getNameList(File nameListFile) throws IOException
{
BufferedReader br = new BufferedReader(new FileReader(nameListFile));
List<Name> res = new ArrayList<Name>();
String line = null;
while ((line = br.readLine()) != null)
{
try
{
Name n = Name.fromString(line);
// force the name to be absolute.
// FIXME: we should probably get some fancy logic here to
// detect if the name needs the origin appended, or just the
// root.
if (!n.isAbsolute()) n = Name.concatenate(n, Name.root);
res.add(n);
}
catch (TextParseException e)
{
log.severe("DNS Name parsing error:" + e);
}
}
br.close();
if (res.size() == 0) return null;
return res;
}
/**
* Determine if the given keypairs can be used to sign the zone.
*
*
* @param zonename
* the zone origin.
* the zone origin.
* @param keypairs
* a list of {@link DnsKeyPair} objects that will be used to sign
* the
* zone.
* a list of {@link DnsKeyPair} objects that will be used to
* sign
* the
* zone.
* @return true if the keypairs valid.
*/
private static boolean keyPairsValidForZone(Name zonename, List<DnsKeyPair> keypairs)
{
if (keypairs == null) return true; // technically true, I guess.
private static boolean keyPairsValidForZone(Name zonename, List<DnsKeyPair> keypairs) {
if (keypairs == null)
return true; // technically true, I guess.
for (DnsKeyPair kp : keypairs)
{
for (DnsKeyPair kp : keypairs) {
Name keyname = kp.getDNSKEYRecord().getName();
if (!keyname.equals(zonename))
{
if (!keyname.equals(zonename)) {
return false;
}
}
@ -578,22 +487,21 @@ public class SignZone extends CLBase
return true;
}
public void execute() throws Exception
{
public void execute() throws Exception {
// Read in the zone
List<Record> records = ZoneUtils.readZoneFile(state.zonefile, null);
if (records == null || records.size() == 0)
{
if (records == null || records.isEmpty()) {
System.err.println("error: empty zone file");
state.usage();
return;
}
// calculate the zone name.
Name zonename = ZoneUtils.findZoneName(records);
if (zonename == null)
{
if (zonename == null) {
System.err.println("error: invalid zone file - no SOA");
state.usage();
return;
}
// Load the key pairs.
@ -603,16 +511,14 @@ public class SignZone extends CLBase
// If we didn't get any keys on the command line, look at the zone apex for
// any public keys.
if (keypairs == null && kskpairs == null)
{
if (keypairs == null && kskpairs == null) {
List<Record> dnskeys = ZoneUtils.findRRs(records, zonename, Type.DNSKEY);
keypairs = getKeys(dnskeys, state.keyDirectory);
}
// If we *still* don't have any key pairs, look for keys the key directory
// that match
if (keypairs == null && kskpairs == null)
{
if (keypairs == null && kskpairs == null) {
keypairs = findZoneKeys(state.keyDirectory, zonename);
}
@ -620,16 +526,14 @@ public class SignZone extends CLBase
// signing key (presumably), presume that the zone signing keys
// are just not differentiated and try to figure out which keys
// are actually ksks by looking at the SEP flag.
if ((kskpairs == null || kskpairs.size() == 0) && keypairs != null
&& keypairs.size() > 1)
{
for (Iterator<DnsKeyPair> i = keypairs.iterator(); i.hasNext();)
{
if ((kskpairs == null || kskpairs.isEmpty()) && keypairs != null
&& keypairs.size() > 1) {
for (Iterator<DnsKeyPair> i = keypairs.iterator(); i.hasNext();) {
DnsKeyPair pair = i.next();
DNSKEYRecord kr = pair.getDNSKEYRecord();
if ((kr.getFlags() & DNSKEYRecord.Flags.SEP_KEY) != 0)
{
if (kskpairs == null) kskpairs = new ArrayList<DnsKeyPair>();
if ((kr.getFlags() & DNSKEYRecord.Flags.SEP_KEY) != 0) {
if (kskpairs == null)
kskpairs = new ArrayList<>();
kskpairs.add(pair);
i.remove();
}
@ -638,35 +542,29 @@ public class SignZone extends CLBase
// If there are no ZSKs defined at this point (yet there are KSKs
// provided), all KSKs will be treated as ZSKs, as well.
if (keypairs == null || keypairs.size() == 0)
{
if (keypairs == null || keypairs.isEmpty()) {
keypairs = kskpairs;
}
// If there *still* aren't any ZSKs defined, bail.
if (keypairs == null || keypairs.size() == 0)
{
if (keypairs == null || keypairs.isEmpty()) {
System.err.println("No zone signing keys could be determined.");
state.usage();
return;
}
// default the output file, if not set.
if (state.outputfile == null && !state.zonefile.equals("-"))
{
if (zonename.isAbsolute())
{
if (state.outputfile == null && !state.zonefile.equals("-")) {
if (zonename.isAbsolute()) {
state.outputfile = zonename + "signed";
}
else
{
} else {
state.outputfile = zonename + ".signed";
}
}
// Verify that the keys can be in the zone.
if (!keyPairsValidForZone(zonename, keypairs)
|| !keyPairsValidForZone(zonename, kskpairs))
{
|| !keyPairsValidForZone(zonename, kskpairs)) {
System.err.println("error: specified keypairs are not valid for the zone.");
state.usage();
}
@ -674,79 +572,63 @@ public class SignZone extends CLBase
// We force the signing keys to be in the zone by just appending
// them to the zone here. Currently JCEDnsSecSigner.signZone
// removes duplicate records.
if (kskpairs != null)
{
for (DnsKeyPair pair : kskpairs)
{
if (kskpairs != null) {
for (DnsKeyPair pair : kskpairs) {
records.add(pair.getDNSKEYRecord());
}
}
if (keypairs != null)
{
for (DnsKeyPair pair : keypairs)
{
if (keypairs != null) {
for (DnsKeyPair pair : keypairs) {
records.add(pair.getDNSKEYRecord());
}
}
// read in the keysets, if any.
List<Record> keysetrecs = getKeysets(state.keysetDirectory, zonename);
if (keysetrecs != null)
{
if (keysetrecs != null) {
records.addAll(keysetrecs);
}
JCEDnsSecSigner signer = new JCEDnsSecSigner(state.verboseSigning);
// Sign the zone.
List<Record> signed_records;
List<Record> signedRecords;
if (state.useNsec3)
{
signed_records = signer.signZoneNSEC3(zonename, records, kskpairs, keypairs,
state.start, state.expire,
state.fullySignKeyset, state.useOptOut,
state.includeNames, state.salt,
state.iterations, state.digest_id,
state.nsec3paramttl);
}
else
{
signed_records = signer.signZone(zonename, records, kskpairs, keypairs,
state.start, state.expire, state.fullySignKeyset,
state.digest_id);
if (state.useNsec3) {
signedRecords = signer.signZoneNSEC3(zonename, records, kskpairs, keypairs,
state.start, state.expire,
state.fullySignKeyset, state.useOptOut,
state.includeNames, state.salt,
state.iterations, state.digestId,
state.nsec3paramttl);
} else {
signedRecords = signer.signZone(zonename, records, kskpairs, keypairs,
state.start, state.expire, state.fullySignKeyset,
state.digestId);
}
// write out the signed zone
ZoneUtils.writeZoneFile(signed_records, state.outputfile);
ZoneUtils.writeZoneFile(signedRecords, state.outputfile);
if (state.verifySigs)
{
if (state.verifySigs) {
// FIXME: ugh.
if (kskpairs != null)
{
if (kskpairs != null) {
keypairs.addAll(kskpairs);
}
log.fine("verifying generated signatures");
boolean res = verifyZoneSigs(zonename, signed_records, keypairs);
boolean res = verifyZoneSigs(signedRecords, keypairs);
if (res)
{
if (res) {
System.out.println("Generated signatures verified");
// log.info("Generated signatures verified");
}
else
{
} else {
System.out.println("Generated signatures did not verify.");
// log.warn("Generated signatures did not verify.");
}
}
}
public static void main(String[] args)
{
public static void main(String[] args) {
SignZone tool = new SignZone();
tool.state = new CLIState();

View File

@ -1,4 +1,4 @@
// Copyright (C) 2011 VeriSign, Inc.
// Copyright (C) 2011, 2022 VeriSign, Inc.
//
// This library is free software; you can redistribute it and/or
// modify it under the terms of the GNU Lesser General Public
@ -20,8 +20,8 @@ package com.verisignlabs.dnssec.cl;
import java.util.List;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.OptionBuilder;
import org.apache.commons.cli.Options;
import org.apache.commons.cli.Option;
import org.xbill.DNS.Record;
import com.verisignlabs.dnssec.security.ZoneUtils;
@ -32,106 +32,80 @@ import com.verisignlabs.dnssec.security.ZoneVerifier;
*
* @author David Blacka
*/
public class VerifyZone extends CLBase
{
public class VerifyZone extends CLBase {
private CLIState state;
/**
* This is a small inner class used to hold all of the command line option
* state.
*/
protected static class CLIState extends CLIStateBase
{
public String zonefile = null;
public String[] keyfiles = null;
public int startfudge = 0;
public int expirefudge = 0;
public boolean ignoreTime = false;
public boolean ignoreDups = false;
protected static class CLIState extends CLIStateBase {
public String zonefile = null;
public String[] keyfiles = null;
public int startfudge = 0;
public int expirefudge = 0;
public boolean ignoreTime = false;
public boolean ignoreDups = false;
public CLIState()
{
public CLIState() {
super("jdnssec-verifyzone [..options..] zonefile");
}
protected void setupOptions(Options opts)
{
OptionBuilder.hasOptionalArg();
OptionBuilder.withLongOpt("sig-start-fudge");
OptionBuilder.withArgName("seconds");
OptionBuilder.withDescription("'fudge' RRSIG inception times by 'seconds' seconds.");
opts.addOption(OptionBuilder.create('S'));
OptionBuilder.hasOptionalArg();
OptionBuilder.withLongOpt("sig-expire-fudge");
OptionBuilder.withArgName("seconds");
OptionBuilder.withDescription("'fudge' RRSIG expiration times by 'seconds' seconds.");
opts.addOption(OptionBuilder.create('E'));
OptionBuilder.withLongOpt("ignore-time");
OptionBuilder.withDescription("Ignore RRSIG inception and expiration time errors.");
opts.addOption(OptionBuilder.create());
OptionBuilder.withLongOpt("ignore-duplicate-rrs");
OptionBuilder.withDescription("Ignore duplicate record errors.");
opts.addOption(OptionBuilder.create());
@Override
protected void setupOptions(Options opts) {
opts.addOption(Option.builder("S").optionalArg(true).argName("seconds").longOpt("sig-start-fudge")
.desc("'fudge' RRSIG inception ties by 'seconds'").build());
opts.addOption(Option.builder("E").optionalArg(true).argName("seconds").longOpt("sig-expire-fudge")
.desc("'fudge' RRSIG expiration times by 'seconds'").build());
opts.addOption(
Option.builder().longOpt("ignore-time").desc("Ignore RRSIG inception and expiration time errors.").build());
opts.addOption(Option.builder().longOpt("ignore-duplicate-rrs").desc("Ignore duplicate record errors.").build());
}
protected void processOptions(CommandLine cli)
{
if (cli.hasOption("ignore-time"))
{
@Override
protected void processOptions(CommandLine cli) {
if (cli.hasOption("ignore-time")) {
ignoreTime = true;
}
if (cli.hasOption("ignore-duplicate-rrs"))
{
if (cli.hasOption("ignore-duplicate-rrs")) {
ignoreDups = true;
}
String optstr = null;
if ((optstr = cli.getOptionValue('S')) != null)
{
if ((optstr = cli.getOptionValue('S')) != null) {
startfudge = parseInt(optstr, 0);
}
if ((optstr = cli.getOptionValue('E')) != null)
{
if ((optstr = cli.getOptionValue('E')) != null) {
expirefudge = parseInt(optstr, 0);
}
String[] optstrs = null;
if ((optstrs = cli.getOptionValues('A')) != null)
{
for (int i = 0; i < optstrs.length; i++)
{
if ((optstrs = cli.getOptionValues('A')) != null) {
for (int i = 0; i < optstrs.length; i++) {
addArgAlias(optstrs[i]);
}
}
String[] cl_args = cli.getArgs();
String[] args = cli.getArgs();
if (cl_args.length < 1)
{
if (args.length < 1) {
System.err.println("error: missing zone file");
usage();
}
zonefile = cl_args[0];
zonefile = args[0];
if (cl_args.length >= 2)
{
keyfiles = new String[cl_args.length - 1];
System.arraycopy(cl_args, 1, keyfiles, 0, keyfiles.length);
if (args.length >= 2) {
keyfiles = new String[args.length - 1];
System.arraycopy(args, 1, keyfiles, 0, keyfiles.length);
}
}
}
public void execute() throws Exception
{
public void execute() throws Exception {
ZoneVerifier zoneverifier = new ZoneVerifier();
zoneverifier.getVerifier().setStartFudge(state.startfudge);
zoneverifier.getVerifier().setExpireFudge(state.expirefudge);
@ -144,23 +118,19 @@ public class VerifyZone extends CLBase
int errors = zoneverifier.verifyZone(records);
log.fine("completed verification process.");
if (errors > 0)
{
if (errors > 0) {
System.out.println("zone did not verify.");
System.exit(1);
}
else
{
} else {
System.out.println("zone verified.");
System.exit(0);
}
}
public static void main(String[] args)
{
public static void main(String[] args) {
VerifyZone tool = new VerifyZone();
tool.state = new CLIState();
tool.run(tool.state, args);
}
}

View File

@ -1,4 +1,4 @@
// Copyright (C) 2011 VeriSign, Inc.
// Copyright (C) 2011, 2022 VeriSign, Inc.
//
// This library is free software; you can redistribute it and/or
// modify it under the terms of the GNU Lesser General Public
@ -23,7 +23,6 @@ import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.ListIterator;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.Options;
@ -43,168 +42,150 @@ import com.verisignlabs.dnssec.security.RecordComparator;
* This class forms the command line implementation of a zone file normalizer.
* That is, a tool to rewrite zones in a consistent, comparable format.
*
* @author David Blacka (original)
* @author $Author: davidb $
* @version $Revision: 2218 $
* @author David Blacka
*/
public class ZoneFormat extends CLBase
{
public class ZoneFormat extends CLBase {
private CLIState state;
/**
* This is a small inner class used to hold all of the command line option
* state.
*/
protected static class CLIState extends CLIStateBase
{
public String file;
protected static class CLIState extends CLIStateBase {
public String file;
public boolean assignNSEC3;
public CLIState()
{
public CLIState() {
super("jdnssec-zoneformat [..options..] zonefile");
}
protected void setupOptions(Options opts)
{
@Override
protected void setupOptions(Options opts) {
opts.addOption("N", "nsec3", false,
"attempt to determine the original ownernames for NSEC3 RRs.");
"attempt to determine the original ownernames for NSEC3 RRs.");
}
protected void processOptions(CommandLine cli) throws ParseException
{
if (cli.hasOption('N')) assignNSEC3 = true;
@Override
protected void processOptions(CommandLine cli) throws ParseException {
if (cli.hasOption('N'))
assignNSEC3 = true;
String[] cl_args = cli.getArgs();
String[] args = cli.getArgs();
if (cl_args.length < 1)
{
if (args.length < 1) {
System.err.println("error: must specify a zone file");
usage();
}
file = cl_args[0];
file = args[0];
}
}
private static List<Record> readZoneFile(String filename) throws IOException
{
Master master = new Master(filename);
private static List<Record> readZoneFile(String filename) throws IOException {
try (Master master = new Master(filename)) {
List<Record> res = new ArrayList<>();
Record r = null;
List<Record> res = new ArrayList<Record>();
Record r = null;
while ((r = master.nextRecord()) != null) {
// Normalize each record by round-tripping it through canonical wire line
// format. Mostly this just lowercases names that are subject to it.
byte[] wire = r.toWireCanonical();
Record canonRec = Record.fromWire(wire, Section.ANSWER);
res.add(canonRec);
}
while ((r = master.nextRecord()) != null)
{
// Normalize each record by round-tripping it through canonical wire line
// format. Mostly this just lowercases names that are subject to it.
byte[] wire = r.toWireCanonical();
Record canon_record = Record.fromWire(wire, Section.ANSWER);
res.add(canon_record);
return res;
}
return res;
}
private static void formatZone(List<Record> zone)
{
// Put the zone into a consistent (name and RR type) order.
RecordComparator cmp = new RecordComparator();
private static void formatZone(List<Record> zone) {
Collections.sort(zone, cmp);
for (Record r : zone)
{
for (Record r : zone) {
System.out.println(r.toString());
}
}
private static void determineNSEC3Owners(List<Record> zone)
throws NoSuchAlgorithmException
{
// Put the zone into a consistent (name and RR type) order.
Collections.sort(zone, new RecordComparator());
throws NoSuchAlgorithmException {
// first, find the NSEC3PARAM record -- this is an inefficient linear
// search, although it should be near the head of the list.
NSEC3PARAMRecord nsec3param = null;
HashMap<String, String> map = new HashMap<String, String>();
HashMap<String, String> map = new HashMap<>();
base32 b32 = new base32(base32.Alphabet.BASE32HEX, false, true);
Name zonename = null;
for (Record r : zone)
{
if (r.getType() == Type.SOA)
{
for (Record r : zone) {
if (r.getType() == Type.SOA) {
zonename = r.getName();
continue;
}
if (r.getType() == Type.NSEC3PARAM)
{
if (r.getType() == Type.NSEC3PARAM) {
nsec3param = (NSEC3PARAMRecord) r;
break;
}
}
// If we couldn't determine a zone name, we have an issue.
if (zonename == null) return;
// If there wasn't one, we have nothing to do.
if (nsec3param == null) return;
if (zonename == null || nsec3param == null) {
formatZone(zone);
return;
}
// Next pass, calculate a mapping between ownernames and hashnames
Name last_name = null;
for (Record r : zone)
{
if (r.getName().equals(last_name)) continue;
if (r.getType() == Type.NSEC3) continue;
Name lastName = null;
for (Record r : zone) {
if (r.getName().equals(lastName))
continue;
if (r.getType() == Type.NSEC3)
continue;
Name n = r.getName();
byte[] hash = nsec3param.hashName(n);
String hashname = b32.toString(hash);
map.put(hashname, n.toString().toLowerCase());
last_name = n;
lastName = n;
// inefficiently create hashes for the possible ancestor ENTs
for (int i = zonename.labels() + 1; i < n.labels(); ++i)
{
for (int i = zonename.labels() + 1; i < n.labels(); ++i) {
Name parent = new Name(n, n.labels() - i);
byte[] parent_hash = nsec3param.hashName(parent);
String parent_hashname = b32.toString(parent_hash);
if (!map.containsKey(parent_hashname))
{
map.put(parent_hashname, parent.toString().toLowerCase());
byte[] parentHash = nsec3param.hashName(parent);
String parentHashName = b32.toString(parentHash);
if (!map.containsKey(parentHashName)) {
map.put(parentHashName, parent.toString().toLowerCase());
}
}
}
// Final pass, assign the names if we can
for (ListIterator<Record> i = zone.listIterator(); i.hasNext();)
{
Record r = i.next();
if (r.getType() != Type.NSEC3) continue;
// Final pass, output the zone with added comments for the NSEC3 records
for (Record r : zone) {
if (r.getType() != Type.NSEC3) {
System.out.println(r.toString());
continue;
}
NSEC3Record nsec3 = (NSEC3Record) r;
String hashname = nsec3.getName().getLabelString(0).toLowerCase();
String ownername = (String) map.get(hashname);
NSEC3Record new_nsec3 = new NSEC3Record(nsec3.getName(), nsec3.getDClass(),
nsec3.getTTL(), nsec3.getHashAlgorithm(),
nsec3.getFlags(), nsec3.getIterations(),
nsec3.getSalt(), nsec3.getNext(),
nsec3.getTypes(), ownername);
i.set(new_nsec3);
String ownername = map.get(hashname);
System.out.println(r.toString() + " ; " + ownername);
}
}
public void execute() throws IOException, NoSuchAlgorithmException
{
public void execute() throws IOException, NoSuchAlgorithmException {
List<Record> z = readZoneFile(state.file);
if (state.assignNSEC3) determineNSEC3Owners(z);
formatZone(z);
// Put the zone into a consistent (name and RR type) order.
Collections.sort(z, new RecordComparator());
if (state.assignNSEC3) {
determineNSEC3Owners(z);
} else {
formatZone(z);
}
}
public static void main(String[] args)
{
public static void main(String[] args) {
ZoneFormat tool = new ZoneFormat();
tool.state = new CLIState();

View File

@ -1,6 +1,4 @@
// $Id$
//
// Copyright (C) 2001-2003 VeriSign, Inc.
// Copyright (C) 2001-2003, 2022 VeriSign, Inc.
//
// This library is free software; you can redistribute it and/or
// modify it under the terms of the GNU Lesser General Public
@ -28,7 +26,6 @@ import java.io.PrintWriter;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.text.NumberFormat;
import org.xbill.DNS.DNSKEYRecord;
import org.xbill.DNS.Master;
@ -41,62 +38,35 @@ import org.xbill.DNS.utils.base64;
/**
* This class contains a series of static methods used for manipulating BIND
* 9.x.x-style DNSSEC key files.
*
*
* In this class, the "base" key path or name is the file name without the
* trailing ".key" or ".private".
*
* @author David Blacka (original)
* @author $Author$
* @version $Revision$
*
* @author David Blacka
*/
public class BINDKeyUtils
{
// formatters used to generated the BIND key file names
private static NumberFormat mAlgNumberFormatter;
private static NumberFormat mKeyIdNumberFormatter;
public class BINDKeyUtils {
private BINDKeyUtils() { }
/**
* Calculate the BIND9 key file base name (i.e., without the ".key" or
* ".private" extensions)
*/
private static String getKeyFileBase(Name signer, int algorithm, int keyid)
{
if (mAlgNumberFormatter == null)
{
mAlgNumberFormatter = NumberFormat.getNumberInstance();
mAlgNumberFormatter.setMaximumIntegerDigits(3);
mAlgNumberFormatter.setMinimumIntegerDigits(3);
}
if (mKeyIdNumberFormatter == null)
{
mKeyIdNumberFormatter = NumberFormat.getNumberInstance();
mKeyIdNumberFormatter.setMaximumIntegerDigits(5);
mKeyIdNumberFormatter.setMinimumIntegerDigits(5);
mKeyIdNumberFormatter.setGroupingUsed(false);
}
private static String getKeyFileBase(Name signer, int algorithm, int keyid) {
keyid &= 0xFFFF;
String fn = "K" + signer + "+" + mAlgNumberFormatter.format(algorithm)
+ "+" + mKeyIdNumberFormatter.format(keyid);
return fn;
return String.format("K%1$s+%2$03d+%3$05d", signer, algorithm, keyid);
}
/** Reads in the DNSKEYRecord from the public key file */
private static DNSKEYRecord loadPublicKeyFile(File publicKeyFile)
throws IOException
{
throws IOException {
Master m = new Master(publicKeyFile.getAbsolutePath(), null, 600);
Record r;
DNSKEYRecord result = null;
while ((r = m.nextRecord()) != null)
{
if (r.getType() == Type.DNSKEY)
{
while ((r = m.nextRecord()) != null) {
if (r.getType() == Type.DNSKEY) {
result = (DNSKEYRecord) r;
}
}
@ -106,31 +76,26 @@ public class BINDKeyUtils
/** Reads in the private key verbatim from the private key file */
private static String loadPrivateKeyFile(File privateKeyFile)
throws IOException
{
BufferedReader in = new BufferedReader(new FileReader(privateKeyFile));
StringBuffer key_buf = new StringBuffer();
throws IOException {
try (BufferedReader in = new BufferedReader(new FileReader(privateKeyFile))) {
StringBuilder keybuf = new StringBuilder();
String line;
String line;
while ((line = in.readLine()) != null)
{
key_buf.append(line);
key_buf.append('\n');
while ((line = in.readLine()) != null) {
keybuf.append(line);
keybuf.append('\n');
}
return keybuf.toString().trim();
}
in.close();
return key_buf.toString().trim();
}
/**
* Given an actual path for one of the key files, return the base name
*/
private static String fixKeyFileBasePath(String basePath)
{
if (basePath == null) throw new IllegalArgumentException();
if (basePath.endsWith(".key") || basePath.endsWith(".private"))
{
private static String fixKeyFileBasePath(String basePath) {
if (basePath == null)
throw new IllegalArgumentException();
if (basePath.endsWith(".key") || basePath.endsWith(".private")) {
basePath = basePath.substring(0, basePath.lastIndexOf("."));
}
@ -140,22 +105,21 @@ public class BINDKeyUtils
/**
* Given the information necessary to construct the path to a BIND9 generated
* key pair, load the key pair.
*
*
* @param signer
* the DNS name of the key.
* the DNS name of the key.
* @param algorithm
* the DNSSEC algorithm of the key.
* the DNSSEC algorithm of the key.
* @param keyid
* the DNSSEC key footprint.
* the DNSSEC key footprint.
* @param inDirectory
* the directory to look for the files (may be null).
* the directory to look for the files (may be null).
* @return the loaded key pair.
* @throws IOException
* if there was a problem reading the BIND9 files.
* if there was a problem reading the BIND9 files.
*/
public static DnsKeyPair loadKeyPair(Name signer, int algorithm, int keyid,
File inDirectory) throws IOException
{
File inDirectory) throws IOException {
String keyFileBase = getKeyFileBase(signer, algorithm, keyid);
return loadKeyPair(keyFileBase, inDirectory);
@ -163,19 +127,20 @@ public class BINDKeyUtils
/**
* Given a base path to a BIND9 key pair, load the key pair.
*
*
* @param keyFileBasePath
* the base filename (or real filename for either the public or
* private key) of the key.
* the base filename (or real filename for either the
* public or
* private key) of the key.
* @param inDirectory
* the directory to look in, if the keyFileBasePath is relative.
* the directory to look in, if the keyFileBasePath is
* relative.
* @return the loaded key pair.
* @throws IOException
* if there was a problem reading the files
* if there was a problem reading the files
*/
public static DnsKeyPair loadKeyPair(String keyFileBasePath, File inDirectory)
throws IOException
{
throws IOException {
keyFileBasePath = fixKeyFileBasePath(keyFileBasePath);
// FIXME: should we throw the IOException when one of the files
// cannot be found, or just when both cannot be found?
@ -196,18 +161,19 @@ public class BINDKeyUtils
/**
* Given a base path to a BIND9 key pair, load the public part (only) of the
* key pair
*
*
* @param keyFileBasePath
* the base or real path to the public part of a key pair.
* the base or real path to the public part of a key
* pair.
* @param inDirectory
* the directory to look in if the path is relative (may be null).
* the directory to look in if the path is relative (may
* be null).
* @return a {@link DnsKeyPair} containing just the public key information.
* @throws IOException
* if there was a problem reading the public key file.
* if there was a problem reading the public key file.
*/
public static DnsKeyPair loadKey(String keyFileBasePath, File inDirectory)
throws IOException
{
throws IOException {
keyFileBasePath = fixKeyFileBasePath(keyFileBasePath);
File publicKeyFile = new File(inDirectory, keyFileBasePath + ".key");
@ -223,57 +189,56 @@ public class BINDKeyUtils
* Load a BIND keyset file. The BIND 9 dnssec tools typically call these files
* "keyset-[signer]." where [signer] is the DNS owner name of the key. The
* keyset may be signed, but doesn't have to be.
*
*
* @param keysetFileName
* the name of the keyset file.
* the name of the keyset file.
* @param inDirectory
* the directory to look in if the path is relative (may be null,
* defaults to the current working directory).
* the directory to look in if the path is relative (may
* be null,
* defaults to the current working directory).
* @return a RRset contain the KEY records and any associated SIG records.
* @throws IOException
* if there was a problem reading the keyset file.
* if there was a problem reading the keyset file.
*/
public static RRset loadKeySet(String keysetFileName, File inDirectory)
throws IOException
{
throws IOException {
File keysetFile = new File(inDirectory, keysetFileName);
Master m = new Master(keysetFile.getAbsolutePath());
try (Master m = new Master(keysetFile.getAbsolutePath())) {
Record r;
RRset keyset = new RRset();
while ((r = m.nextRecord()) != null) {
keyset.addRR(r);
}
Record r;
RRset keyset = new RRset();
while ((r = m.nextRecord()) != null)
{
keyset.addRR(r);
return keyset;
}
return keyset;
}
/**
* Calculate the key file base for this key pair.
*
*
* @param pair
* the {@link DnsKeyPair} to work from. It only needs a public key.
* the {@link DnsKeyPair} to work from. It only needs a public key.
* @return the base name of the key files.
*/
public static String keyFileBase(DnsKeyPair pair)
{
public static String keyFileBase(DnsKeyPair pair) {
DNSKEYRecord keyrec = pair.getDNSKEYRecord();
if (keyrec == null) return null;
if (keyrec == null)
return null;
return getKeyFileBase(keyrec.getName(), keyrec.getAlgorithm(),
keyrec.getFootprint());
keyrec.getFootprint());
}
/**
* @return a {@link java.io.File} object representing the BIND9 public key
* file.
*/
public static File getPublicKeyFile(DnsKeyPair pair, File inDirectory)
{
public static File getPublicKeyFile(DnsKeyPair pair, File inDirectory) {
String keyfilebase = keyFileBase(pair);
if (keyfilebase == null) return null;
if (keyfilebase == null)
return null;
return new File(inDirectory, keyfilebase + ".key");
}
@ -282,10 +247,10 @@ public class BINDKeyUtils
* @return a {@link java.io.File} object representing the BIND9 private key
* file
*/
public static File getPrivateKeyFile(DnsKeyPair pair, File inDirectory)
{
public static File getPrivateKeyFile(DnsKeyPair pair, File inDirectory) {
String keyfilebase = keyFileBase(pair);
if (keyfilebase == null) return null;
if (keyfilebase == null)
return null;
return new File(inDirectory, keyfilebase + ".private");
}
@ -293,28 +258,21 @@ public class BINDKeyUtils
/**
* Given a the contents of a BIND9 private key file, convert it into a native
* {@link java.security.PrivateKey} object.
*
*
* @param privateKeyString
* the contents of a BIND9 key file in string form.
* the contents of a BIND9 key file in string form.
* @return a {@link java.security.PrivateKey}
*/
public static PrivateKey convertPrivateKeyString(String privateKeyString)
{
if (privateKeyString == null) return null;
public static PrivateKey convertPrivateKeyString(String privateKeyString) {
if (privateKeyString == null)
return null;
// FIXME: should this swallow exceptions or actually propagate
// them?
try
{
try {
DnsKeyConverter conv = new DnsKeyConverter();
return conv.parsePrivateKeyString(privateKeyString);
}
catch (IOException e)
{
e.printStackTrace();
}
catch (NoSuchAlgorithmException e)
{
} catch (IOException|NoSuchAlgorithmException e) {
e.printStackTrace();
}
@ -324,22 +282,18 @@ public class BINDKeyUtils
/**
* Given a native private key, convert it into a BIND9 private key file
* format.
*
*
* @param priv
* the private key to convert.
* the private key to convert.
* @param pub
* the private key's corresponding public key. Some algorithms
* require information from both.
* the private key's corresponding public key. Some algorithms
* require information from both.
* @return a string containing the contents of a BIND9 private key file.
*/
public static String convertPrivateKey(PrivateKey priv, PublicKey pub, int alg)
{
if (priv != null)
{
public static String convertPrivateKey(PrivateKey priv, PublicKey pub, int alg) {
if (priv != null) {
DnsKeyConverter keyconv = new DnsKeyConverter();
String priv_string = keyconv.generatePrivateKeyString(priv, pub, alg);
return priv_string;
return keyconv.generatePrivateKeyString(priv, pub, alg);
}
return null;
@ -350,13 +304,14 @@ public class BINDKeyUtils
* routines need. Currently, the DNSJAVA package uses a multiline mode for its
* record formatting. The BIND9 tools require everything on a single line.
*/
private static String DNSKEYtoString(DNSKEYRecord rec)
{
StringBuffer buf = new StringBuffer();
private static String DNSKEYtoString(DNSKEYRecord rec) {
StringBuilder buf = new StringBuilder();
buf.append(rec.getName());
buf.append(" ");
buf.append(rec.getTTL());
if (rec.getTTL() > 0) {
buf.append(" ");
buf.append(rec.getTTL());
}
buf.append(" IN DNSKEY ");
buf.append(rec.getFlags() & 0xFFFF);
buf.append(" ");
@ -371,30 +326,30 @@ public class BINDKeyUtils
/**
* This routine will write out the BIND9 dnssec-* tool compatible files.
*
*
* @param baseFileName
* use this base file name. If null, the standard BIND9 base file
* name will be computed.
* use this base file name. If null, the standard BIND9 base
* file
* name will be computed.
* @param pair
* the keypair in question.
* the keypair in question.
* @param inDirectory
* the directory to write to (may be null).
* the directory to write to (may be null).
* @throws IOException
* if there is a problem writing the files.
* if there is a problem writing the files.
*/
public static void writeKeyFiles(String baseFileName, DnsKeyPair pair,
File inDirectory) throws IOException
{
File inDirectory) throws IOException {
DNSKEYRecord pub = pair.getDNSKEYRecord();
String priv = pair.getPrivateKeyString();
if (priv == null)
{
if (priv == null) {
priv = convertPrivateKey(pair.getPrivate(), pair.getPublic(),
pair.getDNSKEYAlgorithm());
pair.getDNSKEYAlgorithm());
}
if (pub == null || priv == null) return;
if (pub == null || priv == null)
return;
// Write the public key file
File pubkeyfile = new File(inDirectory, baseFileName + ".key");
@ -413,15 +368,14 @@ public class BINDKeyUtils
/**
* This routine will write out the BIND9 dnssec-* tool compatible files to the
* standard file names.
*
*
* @param pair
* the key pair in question.
* the key pair in question.
* @param inDirectory
* the directory to write to (may be null).
* the directory to write to (may be null).
*/
public static void writeKeyFiles(DnsKeyPair pair, File inDirectory)
throws IOException
{
throws IOException {
String base = keyFileBase(pair);
writeKeyFiles(base, pair, inDirectory);
}

View File

@ -1,6 +1,4 @@
// $Id$
//
// Copyright (C) 2001-2003 VeriSign, Inc.
// Copyright (C) 2001-2003, 2022 VeriSign, Inc.
//
// This library is free software; you can redistribute it and/or
// modify it under the terms of the GNU Lesser General Public
@ -26,34 +24,25 @@ import java.util.logging.Logger;
* useful for comparing RDATA portions of DNS records in doing DNSSEC canonical
* ordering.
*
* @author David Blacka (original)
* @author $Author$
* @version $Revision$
* @author David Blacka
*/
public class ByteArrayComparator implements Comparator<byte[]>
{
private int mOffset = 0;
private boolean mDebug = false;
public class ByteArrayComparator implements Comparator<byte[]> {
private int mOffset = 0;
private boolean mDebug = false;
private Logger log;
public ByteArrayComparator()
{
public ByteArrayComparator() {
}
public ByteArrayComparator(int offset, boolean debug)
{
public ByteArrayComparator(int offset, boolean debug) {
mOffset = offset;
mDebug = debug;
}
public int compare(byte[] b1, byte[] b2)
{
for (int i = mOffset; i < b1.length && i < b2.length; i++)
{
if (b1[i] != b2[i])
{
if (mDebug)
{
public int compare(byte[] b1, byte[] b2) {
for (int i = mOffset; i < b1.length && i < b2.length; i++) {
if (b1[i] != b2[i]) {
if (mDebug) {
log.info("offset " + i + " differs (this is "
+ (i - mOffset) + " bytes in from our offset.)");
}

View File

@ -1,7 +1,5 @@
/*
* $Id$
*
* Copyright (c) 2006 VeriSign. All rights reserved.
* Copyright (c) 2006, 2022 Verisign. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@ -30,8 +28,22 @@
package com.verisignlabs.dnssec.security;
import java.math.BigInteger;
import java.security.*;
import java.security.spec.*;
import java.security.AlgorithmParameters;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;
import java.security.spec.ECFieldFp;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPoint;
import java.security.spec.EllipticCurve;
import java.security.spec.InvalidParameterSpecException;
import java.security.spec.RSAKeyGenParameterSpec;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Set;
@ -39,10 +51,11 @@ import java.util.logging.Logger;
import org.xbill.DNS.DNSSEC;
import net.i2p.crypto.eddsa.spec.EdDSANamedCurveTable;
// for now, we need to import the EdDSA parameter spec classes
// because they have no generic form in java.security.spec.*
// sadly, this will currently fail if you don't have the lib.
import net.i2p.crypto.eddsa.spec.*;
import net.i2p.crypto.eddsa.spec.EdDSAParameterSpec;
/**
* This class handles translating DNS signing algorithm identifiers into various
@ -53,57 +66,48 @@ import net.i2p.crypto.eddsa.spec.*;
* aliasing -- that is, defining a new algorithm identifier to be equivalent to
* an existing identifier.
*
* @author David Blacka (orig)
* @author $Author: davidb $ (latest)
* @version $Revision: 2098 $
* @author David Blacka
*/
public class DnsKeyAlgorithm
{
public class DnsKeyAlgorithm {
// Our base algorithm numbers. This is a normalization of the DNSSEC
// algorithms (which are really signature algorithms). Thus RSASHA1,
// RSASHA256, etc. all boil down to 'RSA' here.
public static final int UNKNOWN = -1;
public static final int RSA = 1;
public static final int DH = 2;
public static final int DSA = 3;
public static final int ECC_GOST = 4;
public static final int ECDSA = 5;
public static final int EDDSA = 6;
public static final int UNKNOWN = -1;
public static final int RSA = 1;
public static final int DH = 2;
public static final int DSA = 3;
public static final int ECC_GOST = 4;
public static final int ECDSA = 5;
public static final int EDDSA = 6;
private static class AlgEntry
{
public int dnssecAlgorithm;
private static class AlgEntry {
public int dnssecAlgorithm;
public String sigName;
public int baseType;
public int baseType;
public AlgEntry(int algorithm, String sigName, int baseType)
{
public AlgEntry(int algorithm, String sigName, int baseType) {
this.dnssecAlgorithm = algorithm;
this.sigName = sigName;
this.baseType = baseType;
this.sigName = sigName;
this.baseType = baseType;
}
}
private static class ECAlgEntry extends AlgEntry
{
public ECParameterSpec ec_spec;
private static class ECAlgEntry extends AlgEntry {
public ECParameterSpec ecSpec;
public ECAlgEntry(int algorithm, String sigName, int baseType, ECParameterSpec spec)
{
public ECAlgEntry(int algorithm, String sigName, int baseType, ECParameterSpec spec) {
super(algorithm, sigName, baseType);
this.ec_spec = spec;
this.ecSpec = spec;
}
}
private static class EdAlgEntry extends AlgEntry
{
public EdDSAParameterSpec ed_spec;
private static class EdAlgEntry extends AlgEntry {
public EdDSAParameterSpec edSpec;
public EdAlgEntry(int algorithm, String sigName, int baseType, EdDSAParameterSpec spec)
{
public EdAlgEntry(int algorithm, String sigName, int baseType, EdDSAParameterSpec spec) {
super(algorithm, sigName, baseType);
this.ed_spec = spec;
this.edSpec = spec;
}
}
@ -111,7 +115,7 @@ public class DnsKeyAlgorithm
* This is a mapping of algorithm identifier to Entry. The Entry contains the
* data needed to map the algorithm to the various crypto implementations.
*/
private HashMap<Integer, AlgEntry> mAlgorithmMap;
private HashMap<Integer, AlgEntry> mAlgorithmMap;
/**
* This is a mapping of algorithm mnemonics to algorithm identifiers.
*/
@ -123,53 +127,50 @@ public class DnsKeyAlgorithm
private HashMap<Integer, String> mIdToMnemonicMap;
/** This is a cached key pair generator for RSA keys. */
private KeyPairGenerator mRSAKeyGenerator;
private KeyPairGenerator mRSAKeyGenerator;
/** This is a cached key pair generator for DSA keys. */
private KeyPairGenerator mDSAKeyGenerator;
private KeyPairGenerator mDSAKeyGenerator;
/** This is a cached key pair generator for ECC GOST keys. */
private KeyPairGenerator mECGOSTKeyGenerator;
private KeyPairGenerator mECGOSTKeyGenerator;
/** This is a cached key pair generator for ECDSA_P256 keys. */
private KeyPairGenerator mECKeyGenerator;
private KeyPairGenerator mECKeyGenerator;
/** This is a cached key pair generator for EdDSA keys. */
private KeyPairGenerator mEdKeyGenerator;
private KeyPairGenerator mEdKeyGenerator;
private Logger log = Logger.getLogger(this.getClass().toString());
private Logger log = Logger.getLogger(this.getClass().toString());
/** This is the global instance for this class. */
private static DnsKeyAlgorithm mInstance = null;
private static DnsKeyAlgorithm mInstance = null;
public DnsKeyAlgorithm()
{
public DnsKeyAlgorithm() {
// Attempt to add the bouncycastle provider.
// This is so we can use this provider if it is available, but not require
// the user to add it as one of the java.security providers.
try
{
try {
Class<?> bc_provider_class = Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider");
Provider bc_provider = (Provider) bc_provider_class.newInstance();
// Provider bc_provider = (Provider) bc_provider_class.newInstance();
Provider bc_provider = (Provider) bc_provider_class.getDeclaredConstructor().newInstance();
Security.addProvider(bc_provider);
} catch (ReflectiveOperationException e) {
}
catch (ReflectiveOperationException e) { }
// Attempt to add the EdDSA-Java provider.
try
{
try {
Class<?> eddsa_provider_class = Class.forName("net.i2p.crypto.eddsa.EdDSASecurityProvider");
Provider eddsa_provider = (Provider) eddsa_provider_class.newInstance();
// Provider eddsa_provider = (Provider) eddsa_provider_class.newInstance();
Provider eddsa_provider = (Provider) eddsa_provider_class.getDeclaredConstructor().newInstance();
Security.addProvider(eddsa_provider);
}
catch (ReflectiveOperationException e) {
} catch (ReflectiveOperationException e) {
log.warning("Unable to load EdDSA provider");
}
initialize();
}
private void initialize()
{
mAlgorithmMap = new HashMap<Integer, AlgEntry>();
mMnemonicToIdMap = new HashMap<String, Integer>();
mIdToMnemonicMap = new HashMap<Integer, String>();
private void initialize() {
mAlgorithmMap = new HashMap<>();
mMnemonicToIdMap = new HashMap<>();
mIdToMnemonicMap = new HashMap<>();
// Load the standard DNSSEC algorithms.
addAlgorithm(DNSSEC.Algorithm.RSAMD5, "MD5withRSA", RSA);
@ -216,25 +217,24 @@ public class DnsKeyAlgorithm
addMnemonic("ECDSA-P384", DNSSEC.Algorithm.ECDSAP384SHA384);
// EdDSA is not supported by either the Java 1.8 Sun crypto
// provider or bouncycastle. It is added by the Ed25519-Java
// library. We don't have a corresponding constant in
// provider or bouncycastle. It is added by the Ed25519-Java
// library. We don't have a corresponding constant in
// org.xbill.DNS.DNSSEC yet, though.
addAlgorithm(15, "NONEwithEdDSA", EDDSA, "Ed25519");
addMnemonic("ED25519", 15);
}
private void addAlgorithm(int algorithm, String sigName, int baseType)
{
private void addAlgorithm(int algorithm, String sigName, int baseType) {
mAlgorithmMap.put(algorithm, new AlgEntry(algorithm, sigName, baseType));
}
private void addAlgorithm(int algorithm, String sigName, int baseType, String curveName)
{
if (baseType == ECDSA)
{
ECParameterSpec ec_spec = ECSpecFromAlgorithm(algorithm);
if (ec_spec == null) ec_spec = ECSpecFromName(curveName);
if (ec_spec == null) return;
private void addAlgorithm(int algorithm, String sigName, int baseType, String curveName) {
if (baseType == ECDSA) {
ECParameterSpec ecSpec = ECSpecFromAlgorithm(algorithm);
if (ecSpec == null)
ecSpec = ECSpecFromName(curveName);
if (ecSpec == null)
return;
// Check to see if we can get a Signature object for this algorithm.
try {
@ -245,13 +245,12 @@ public class DnsKeyAlgorithm
// If not, do not add the algorithm.
return;
}
ECAlgEntry entry = new ECAlgEntry(algorithm, sigName, baseType, ec_spec);
ECAlgEntry entry = new ECAlgEntry(algorithm, sigName, baseType, ecSpec);
mAlgorithmMap.put(algorithm, entry);
}
else if (baseType == EDDSA)
{
EdDSAParameterSpec ed_spec = EdDSASpecFromName(curveName);
if (ed_spec == null) return;
} else if (baseType == EDDSA) {
EdDSAParameterSpec edSpec = EdDSASpecFromName(curveName);
if (edSpec == null)
return;
// Check to see if we can get a Signature object for this algorithm.
try {
@ -262,35 +261,29 @@ public class DnsKeyAlgorithm
// If not, do not add the algorithm.
return;
}
EdAlgEntry entry = new EdAlgEntry(algorithm, sigName, baseType, ed_spec);
EdAlgEntry entry = new EdAlgEntry(algorithm, sigName, baseType, edSpec);
mAlgorithmMap.put(algorithm, entry);
}
}
private void addMnemonic(String m, int alg)
{
// Do not add mnemonics for algorithms that ended up not actually being supported.
if (!mAlgorithmMap.containsKey(alg)) return;
private void addMnemonic(String m, int alg) {
// Do not add mnemonics for algorithms that ended up not actually being
// supported.
if (!mAlgorithmMap.containsKey(alg))
return;
mMnemonicToIdMap.put(m.toUpperCase(), alg);
if (!mIdToMnemonicMap.containsKey(alg))
{
mIdToMnemonicMap.put(alg, m);
}
mIdToMnemonicMap.computeIfAbsent(alg, k -> m);
}
public void addAlias(int alias, String mnemonic, int original_algorithm)
{
if (mAlgorithmMap.containsKey(alias))
{
public void addAlias(int alias, String mnemonic, int original_algorithm) {
if (mAlgorithmMap.containsKey(alias)) {
log.warning("Unable to alias algorithm " + alias + " because it already exists.");
return;
}
if (!mAlgorithmMap.containsKey(original_algorithm))
{
if (!mAlgorithmMap.containsKey(original_algorithm)) {
log.warning("Unable to alias algorithm " + alias
+ " to unknown algorithm identifier " + original_algorithm);
return;
@ -298,33 +291,28 @@ public class DnsKeyAlgorithm
mAlgorithmMap.put(alias, mAlgorithmMap.get(original_algorithm));
if (mnemonic != null)
{
if (mnemonic != null) {
addMnemonic(mnemonic, alias);
}
}
private AlgEntry getEntry(int alg)
{
private AlgEntry getEntry(int alg) {
return mAlgorithmMap.get(alg);
}
// For curves where we don't (or can't) get the parameters from a standard
// name, we can construct the parameters here. For now, we only do this for
// the ECC-GOST curve.
private ECParameterSpec ECSpecFromAlgorithm(int algorithm)
{
switch (algorithm)
{
case DNSSEC.Algorithm.ECC_GOST:
{
private ECParameterSpec ECSpecFromAlgorithm(int algorithm) {
switch (algorithm) {
case DNSSEC.Algorithm.ECC_GOST: {
// From RFC 4357 Section 11.4
BigInteger p = new BigInteger("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD97", 16);
BigInteger a = new BigInteger("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD94", 16);
BigInteger b = new BigInteger("A6", 16);
BigInteger p = new BigInteger("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD97", 16);
BigInteger a = new BigInteger("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD94", 16);
BigInteger b = new BigInteger("A6", 16);
BigInteger gx = new BigInteger("1", 16);
BigInteger gy = new BigInteger("8D91E471E0989CDA27DF505A453F2B7635294F2DDF23E3B122ACC99C9E9F1E14", 16);
BigInteger n = new BigInteger( "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6C611070995AD10045841B09B761B893", 16);
BigInteger n = new BigInteger("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6C611070995AD10045841B09B761B893", 16);
EllipticCurve curve = new EllipticCurve(new ECFieldFp(p), a, b);
return new ECParameterSpec(curve, new ECPoint(gx, gy), n, 1);
@ -335,35 +323,31 @@ public class DnsKeyAlgorithm
}
// Fetch the curve parameters from a named ECDSA curve.
private ECParameterSpec ECSpecFromName(String stdName)
{
try
{
private ECParameterSpec ECSpecFromName(String stdName) {
try {
AlgorithmParameters ap = AlgorithmParameters.getInstance("EC");
ECGenParameterSpec ecg_spec = new ECGenParameterSpec(stdName);
ap.init(ecg_spec);
return ap.getParameterSpec(ECParameterSpec.class);
}
catch (NoSuchAlgorithmException e) {
} catch (NoSuchAlgorithmException e) {
log.info("Elliptic Curve not supported by any crypto provider: " + e.getMessage());
}
catch (InvalidParameterSpecException e) {
} catch (InvalidParameterSpecException e) {
log.info("Elliptic Curve " + stdName + " not supported");
}
return null;
}
// Fetch the curve parameters from a named EdDSA curve.
private EdDSAParameterSpec EdDSASpecFromName(String stdName)
{
try
{
private EdDSAParameterSpec EdDSASpecFromName(String stdName) {
try {
EdDSAParameterSpec spec = EdDSANamedCurveTable.getByName(stdName);
if (spec != null) return spec;
if (spec != null)
return spec;
throw new InvalidParameterSpecException("Edwards Curve " + stdName + " not found.");
}
// catch (NoSuchAlgorithmException e) {
// log.info("Edwards Curve not supported by any crypto provider: " + e.getMessage());
// log.info("Edwards Curve not supported by any crypto provider: " +
// e.getMessage());
// }
catch (InvalidParameterSpecException e) {
log.info("Edwards Curve " + stdName + " not supported");
@ -371,15 +355,13 @@ public class DnsKeyAlgorithm
return null;
}
public String[] supportedAlgMnemonics()
{
public String[] supportedAlgMnemonics() {
Set<Integer> keyset = mAlgorithmMap.keySet();
Integer[] algs = keyset.toArray(new Integer[keyset.size()]);
Arrays.sort(algs);
String[] result = new String[algs.length];
for (int i = 0; i < algs.length; i++)
{
for (int i = 0; i < algs.length; i++) {
result[i] = mIdToMnemonicMap.get(algs[i]);
}
@ -388,22 +370,20 @@ public class DnsKeyAlgorithm
/**
* Return a Signature object for the specified DNSSEC algorithm.
*
* @param algorithm The DNSSEC algorithm (by number).
* @return a Signature object.
*/
public Signature getSignature(int algorithm)
{
public Signature getSignature(int algorithm) {
AlgEntry entry = getEntry(algorithm);
if (entry == null) return null;
if (entry == null)
return null;
Signature s = null;
try
{
try {
s = Signature.getInstance(entry.sigName);
}
catch (NoSuchAlgorithmException e)
{
} catch (NoSuchAlgorithmException e) {
log.severe("Unable to get signature implementation for algorithm " + algorithm
+ ": " + e);
}
@ -416,36 +396,39 @@ public class DnsKeyAlgorithm
* the elliptic curve parameters.
*
* @param algorithm
* The DNSSEC algorithm number.
* The DNSSEC algorithm number.
* @return The calculated JCA ECParameterSpec for that DNSSEC algorithm, or
* null if not a recognized/supported EC algorithm.
*/
public ECParameterSpec getEllipticCurveParams(int algorithm)
{
public ECParameterSpec getEllipticCurveParams(int algorithm) {
AlgEntry entry = getEntry(algorithm);
if (entry == null) return null;
if (!(entry instanceof ECAlgEntry)) return null;
if (entry == null)
return null;
if (!(entry instanceof ECAlgEntry))
return null;
ECAlgEntry ec_entry = (ECAlgEntry) entry;
return ec_entry.ec_spec;
return ec_entry.ecSpec;
}
/** Given one of the EdDSA algorithms (Ed25519, Ed448) return the
/**
* Given one of the EdDSA algorithms (Ed25519, Ed448) return the
* elliptic curve parameters.
*
* @param algorithm
* The DNSSEC algorithm number.
* The DNSSEC algorithm number.
* @return The stored EdDSAParameterSpec for that algorithm, or
* null if not a recognized/supported EdDSA algorithm.
*/
public EdDSAParameterSpec getEdwardsCurveParams(int algorithm)
{
public EdDSAParameterSpec getEdwardsCurveParams(int algorithm) {
AlgEntry entry = getEntry(algorithm);
if (entry == null) return null;
if (!(entry instanceof EdAlgEntry)) return null;
if (entry == null)
return null;
if (!(entry instanceof EdAlgEntry))
return null;
EdAlgEntry ed_entry = (EdAlgEntry) entry;
return ed_entry.ed_spec;
return ed_entry.edSpec;
}
/**
@ -453,14 +436,14 @@ public class DnsKeyAlgorithm
* number
*
* @param algorithm
* a DNSSEC algorithm that may be an alias.
* a DNSSEC algorithm that may be an alias.
* @return -1 if the algorithm isn't recognised, the orignal algorithm number
* if it is.
*/
public int originalAlgorithm(int algorithm)
{
public int originalAlgorithm(int algorithm) {
AlgEntry entry = getEntry(algorithm);
if (entry == null) return -1;
if (entry == null)
return -1;
return entry.dnssecAlgorithm;
}
@ -468,11 +451,12 @@ public class DnsKeyAlgorithm
* Test if a given algorithm is supported.
*
* @param algorithm The DNSSEC algorithm number.
* @return true if the algorithm is a recognized and supported algorithm or alias.
* @return true if the algorithm is a recognized and supported algorithm or
* alias.
*/
public boolean supportedAlgorithm(int algorithm)
{
if (mAlgorithmMap.containsKey(algorithm)) return true;
public boolean supportedAlgorithm(int algorithm) {
if (mAlgorithmMap.containsKey(algorithm))
return true;
return false;
}
@ -485,10 +469,10 @@ public class DnsKeyAlgorithm
* @return -1 if the mnemonic isn't recognized or supported, the algorithm
* number if it is.
*/
public int stringToAlgorithm(String s)
{
public int stringToAlgorithm(String s) {
Integer alg = mMnemonicToIdMap.get(s.toUpperCase());
if (alg != null) return alg.intValue();
if (alg != null)
return alg.intValue();
return -1;
}
@ -496,55 +480,43 @@ public class DnsKeyAlgorithm
* Given a DNSSEC algorithm number, return the "preferred" mnemonic.
*
* @param algorithm
* A DNSSEC algorithm number.
* A DNSSEC algorithm number.
* @return The preferred mnemonic string, or null if not supported or
* recognized.
*/
public String algToString(int algorithm)
{
public String algToString(int algorithm) {
return mIdToMnemonicMap.get(algorithm);
}
public int baseType(int algorithm)
{
public int baseType(int algorithm) {
AlgEntry entry = getEntry(algorithm);
if (entry != null) return entry.baseType;
if (entry != null)
return entry.baseType;
return UNKNOWN;
}
public boolean isDSA(int algorithm)
{
public boolean isDSA(int algorithm) {
return (baseType(algorithm) == DSA);
}
public KeyPair generateKeyPair(int algorithm, int keysize, boolean useLargeExp)
throws NoSuchAlgorithmException
{
throws NoSuchAlgorithmException {
KeyPair pair = null;
switch (baseType(algorithm))
{
case RSA:
{
if (mRSAKeyGenerator == null)
{
switch (baseType(algorithm)) {
case RSA: {
if (mRSAKeyGenerator == null) {
mRSAKeyGenerator = KeyPairGenerator.getInstance("RSA");
}
RSAKeyGenParameterSpec rsa_spec;
if (useLargeExp)
{
if (useLargeExp) {
rsa_spec = new RSAKeyGenParameterSpec(keysize, RSAKeyGenParameterSpec.F4);
}
else
{
} else {
rsa_spec = new RSAKeyGenParameterSpec(keysize, RSAKeyGenParameterSpec.F0);
}
try
{
try {
mRSAKeyGenerator.initialize(rsa_spec);
}
catch (InvalidAlgorithmParameterException e)
{
} catch (InvalidAlgorithmParameterException e) {
// Fold the InvalidAlgorithmParameterException into our existing
// thrown exception. Ugly, but requires less code change.
throw new NoSuchAlgorithmException("invalid key parameter spec");
@ -553,30 +525,23 @@ public class DnsKeyAlgorithm
pair = mRSAKeyGenerator.generateKeyPair();
break;
}
case DSA:
{
if (mDSAKeyGenerator == null)
{
case DSA: {
if (mDSAKeyGenerator == null) {
mDSAKeyGenerator = KeyPairGenerator.getInstance("DSA");
}
mDSAKeyGenerator.initialize(keysize);
pair = mDSAKeyGenerator.generateKeyPair();
break;
}
case ECC_GOST:
{
if (mECGOSTKeyGenerator == null)
{
case ECC_GOST: {
if (mECGOSTKeyGenerator == null) {
mECGOSTKeyGenerator = KeyPairGenerator.getInstance("ECGOST3410");
}
ECParameterSpec ec_spec = getEllipticCurveParams(algorithm);
try
{
mECGOSTKeyGenerator.initialize(ec_spec);
}
catch (InvalidAlgorithmParameterException e)
{
ECParameterSpec ecSpec = getEllipticCurveParams(algorithm);
try {
mECGOSTKeyGenerator.initialize(ecSpec);
} catch (InvalidAlgorithmParameterException e) {
// Fold the InvalidAlgorithmParameterException into our existing
// thrown exception. Ugly, but requires less code change.
throw new NoSuchAlgorithmException("invalid key parameter spec");
@ -584,20 +549,15 @@ public class DnsKeyAlgorithm
pair = mECGOSTKeyGenerator.generateKeyPair();
break;
}
case ECDSA:
{
if (mECKeyGenerator == null)
{
case ECDSA: {
if (mECKeyGenerator == null) {
mECKeyGenerator = KeyPairGenerator.getInstance("EC");
}
ECParameterSpec ec_spec = getEllipticCurveParams(algorithm);
try
{
mECKeyGenerator.initialize(ec_spec);
}
catch (InvalidAlgorithmParameterException e)
{
ECParameterSpec ecSpec = getEllipticCurveParams(algorithm);
try {
mECKeyGenerator.initialize(ecSpec);
} catch (InvalidAlgorithmParameterException e) {
// Fold the InvalidAlgorithmParameterException into our existing
// thrown exception. Ugly, but requires less code change.
throw new NoSuchAlgorithmException("invalid key parameter spec");
@ -605,20 +565,15 @@ public class DnsKeyAlgorithm
pair = mECKeyGenerator.generateKeyPair();
break;
}
case EDDSA:
{
if (mEdKeyGenerator == null)
{
case EDDSA: {
if (mEdKeyGenerator == null) {
mEdKeyGenerator = KeyPairGenerator.getInstance("EdDSA");
}
EdDSAParameterSpec ed_spec = getEdwardsCurveParams(algorithm);
try
{
mEdKeyGenerator.initialize(ed_spec, new SecureRandom());
}
catch (InvalidAlgorithmParameterException e)
{
EdDSAParameterSpec edSpec = getEdwardsCurveParams(algorithm);
try {
mEdKeyGenerator.initialize(edSpec, new SecureRandom());
} catch (InvalidAlgorithmParameterException e) {
// Fold the InvalidAlgorithmParameterException into our existing
// thrown exception. Ugly, but requires less code change.
throw new NoSuchAlgorithmException("invalid key parameter spec");
@ -626,22 +581,21 @@ public class DnsKeyAlgorithm
pair = mEdKeyGenerator.generateKeyPair();
break;
}
default:
throw new NoSuchAlgorithmException("Alg " + algorithm);
default:
throw new NoSuchAlgorithmException("Alg " + algorithm);
}
return pair;
}
public KeyPair generateKeyPair(int algorithm, int keysize)
throws NoSuchAlgorithmException
{
throws NoSuchAlgorithmException {
return generateKeyPair(algorithm, keysize, false);
}
public static DnsKeyAlgorithm getInstance()
{
if (mInstance == null) mInstance = new DnsKeyAlgorithm();
public static DnsKeyAlgorithm getInstance() {
if (mInstance == null)
mInstance = new DnsKeyAlgorithm();
return mInstance;
}
}

View File

@ -1,6 +1,4 @@
// $Id$
//
// Copyright (C) 2001-2003 VeriSign, Inc.
// Copyright (C) 2001-2003, 2022 VeriSign, Inc.
//
// This library is free software; you can redistribute it and/or
// modify it under the terms of the GNU Lesser General Public
@ -27,8 +25,19 @@ import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.interfaces.*;
import java.security.spec.*;
import java.security.interfaces.DSAParams;
import java.security.interfaces.DSAPrivateKey;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.spec.DSAPrivateKeySpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPrivateKeySpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.RSAPrivateCrtKeySpec;
import java.util.StringTokenizer;
import javax.crypto.interfaces.DHPrivateKey;
@ -36,27 +45,25 @@ import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.DHParameterSpec;
import javax.crypto.spec.DHPrivateKeySpec;
// For now, just import the native EdDSA classes
import net.i2p.crypto.eddsa.EdDSAPublicKey;
import net.i2p.crypto.eddsa.EdDSAPrivateKey;
import net.i2p.crypto.eddsa.spec.*;
import org.xbill.DNS.DNSKEYRecord;
import org.xbill.DNS.DNSSEC;
import org.xbill.DNS.DNSSEC.DNSSECException;
import org.xbill.DNS.Name;
import org.xbill.DNS.utils.base64;
import net.i2p.crypto.eddsa.EdDSAPrivateKey;
// For now, just import the native EdDSA classes
import net.i2p.crypto.eddsa.EdDSAPublicKey;
import net.i2p.crypto.eddsa.spec.EdDSAParameterSpec;
import net.i2p.crypto.eddsa.spec.EdDSAPrivateKeySpec;
import net.i2p.crypto.eddsa.spec.EdDSAPublicKeySpec;
/**
* This class handles conversions between JCA key formats and DNSSEC and BIND9
* key formats.
*
* @author David Blacka (original)
* @author $Author$ (latest)
* @version $Revision$
* @author David Blacka
*/
public class DnsKeyConverter
{
public class DnsKeyConverter {
private KeyFactory mRSAKeyFactory;
private KeyFactory mDSAKeyFactory;
private KeyFactory mDHKeyFactory;
@ -64,8 +71,7 @@ public class DnsKeyConverter
private KeyFactory mEdKeyFactory;
private DnsKeyAlgorithm mAlgorithms;
public DnsKeyConverter()
{
public DnsKeyConverter() {
mAlgorithms = DnsKeyAlgorithm.getInstance();
}
@ -75,29 +81,28 @@ public class DnsKeyConverter
* @throws NoSuchAlgorithmException
*/
public PublicKey parseDNSKEYRecord(DNSKEYRecord pKeyRecord)
throws NoSuchAlgorithmException
{
if (pKeyRecord.getKey() == null) return null;
throws NoSuchAlgorithmException {
if (pKeyRecord.getKey() == null)
return null;
// Because we have arbitrarily aliased algorithms, we need to possibly
// translate the aliased algorithm back to the actual algorithm.
int originalAlgorithm = mAlgorithms.originalAlgorithm(pKeyRecord.getAlgorithm());
if (originalAlgorithm <= 0) throw new NoSuchAlgorithmException("DNSKEY algorithm "
+ pKeyRecord.getAlgorithm() + " is unrecognized");
if (originalAlgorithm <= 0)
throw new NoSuchAlgorithmException("DNSKEY algorithm "
+ pKeyRecord.getAlgorithm() + " is unrecognized");
if (pKeyRecord.getAlgorithm() != originalAlgorithm)
{
if (pKeyRecord.getAlgorithm() != originalAlgorithm) {
pKeyRecord = new DNSKEYRecord(pKeyRecord.getName(), pKeyRecord.getDClass(),
pKeyRecord.getTTL(), pKeyRecord.getFlags(),
pKeyRecord.getProtocol(), originalAlgorithm,
pKeyRecord.getKey());
pKeyRecord.getTTL(), pKeyRecord.getFlags(),
pKeyRecord.getProtocol(), originalAlgorithm,
pKeyRecord.getKey());
}
// do not rely on DNSJava's method for EdDSA for now.
if (mAlgorithms.baseType(originalAlgorithm) == DnsKeyAlgorithm.EDDSA)
{
if (mAlgorithms.baseType(originalAlgorithm) == DnsKeyAlgorithm.EDDSA) {
try {
return parseEdDSADNSKEYRecord(pKeyRecord);
} catch (InvalidKeySpecException e) {
@ -106,26 +111,24 @@ public class DnsKeyConverter
}
}
try
{
try {
// This uses DNSJava's DNSSEC.toPublicKey() method.
return pKeyRecord.getPublicKey();
}
catch (DNSSECException e)
{
} catch (DNSSECException e) {
throw new NoSuchAlgorithmException(e);
}
}
/** Since we don't (yet) have support in DNSJava for parsing the
newer EdDSA algorithms, here is a local version. */
/**
* Since we don't (yet) have support in DNSJava for parsing the
* newer EdDSA algorithms, here is a local version.
*/
private PublicKey parseEdDSADNSKEYRecord(DNSKEYRecord pKeyRecord)
throws IllegalArgumentException, NoSuchAlgorithmException, InvalidKeySpecException
{
throws IllegalArgumentException, NoSuchAlgorithmException, InvalidKeySpecException {
byte[] seed = pKeyRecord.getKey();
EdDSAPublicKeySpec spec = new EdDSAPublicKeySpec
(seed, mAlgorithms.getEdwardsCurveParams(pKeyRecord.getAlgorithm()));
EdDSAPublicKeySpec spec = new EdDSAPublicKeySpec(seed,
mAlgorithms.getEdwardsCurveParams(pKeyRecord.getAlgorithm()));
KeyFactory factory = KeyFactory.getInstance("EdDSA");
return factory.generatePublic(spec);
@ -135,52 +138,44 @@ public class DnsKeyConverter
* Given a JCA public key and the ancillary data, generate a DNSKEY record.
*/
public DNSKEYRecord generateDNSKEYRecord(Name name, int dclass, long ttl,
int flags, int alg, PublicKey key)
{
try
{
int flags, int alg, PublicKey key) {
try {
if (mAlgorithms.baseType(alg) == DnsKeyAlgorithm.EDDSA) {
return generateEdDSADNSKEYRecord(name, dclass, ttl, flags, alg, key);
}
return new DNSKEYRecord(name, dclass, ttl, flags, DNSKEYRecord.Protocol.DNSSEC, alg,
key);
}
catch (DNSSECException e)
{
// FIXME: this mimics the behavior of KEYConverter.buildRecord(), which would return null if the algorithm was unknown.
key);
} catch (DNSSECException e) {
// FIXME: this mimics the behavior of KEYConverter.buildRecord(), which would
// return null if the algorithm was unknown.
return null;
}
}
private DNSKEYRecord generateEdDSADNSKEYRecord(Name name, int dclass, long ttl,
int flags, int alg, PublicKey key)
{
int flags, int alg, PublicKey key) {
EdDSAPublicKey ed_key = (EdDSAPublicKey) key;
byte[] key_data = ed_key.getAbyte();
return new DNSKEYRecord(name, dclass, ttl, flags, DNSKEYRecord.Protocol.DNSSEC, alg,
key_data);
key_data);
}
// Private Key Specific Parsing routines
/**
* Convert a PKCS#8 encoded private key into a PrivateKey object.
*/
public PrivateKey convertEncodedPrivateKey(byte[] key, int algorithm)
{
public PrivateKey convertEncodedPrivateKey(byte[] key, int algorithm) {
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(key);
try
{
switch (mAlgorithms.baseType(algorithm))
{
try {
switch (mAlgorithms.baseType(algorithm)) {
case DnsKeyAlgorithm.RSA:
return mRSAKeyFactory.generatePrivate(spec);
case DnsKeyAlgorithm.DSA:
return mDSAKeyFactory.generatePrivate(spec);
default:
return null;
}
}
catch (GeneralSecurityException e)
{
} catch (GeneralSecurityException e) {
e.printStackTrace();
}
@ -191,14 +186,10 @@ public class DnsKeyConverter
* A simple wrapper for parsing integers; parse failures result in the
* supplied default.
*/
private static int parseInt(String s, int def)
{
try
{
private static int parseInt(String s, int def) {
try {
return Integer.parseInt(s);
}
catch (NumberFormatException e)
{
} catch (NumberFormatException e) {
return def;
}
}
@ -207,37 +198,33 @@ public class DnsKeyConverter
* @return a JCA private key, given a BIND9-style textual encoding
*/
public PrivateKey parsePrivateKeyString(String key)
throws IOException, NoSuchAlgorithmException
{
throws IOException, NoSuchAlgorithmException {
StringTokenizer lines = new StringTokenizer(key, "\n");
while (lines.hasMoreTokens())
{
while (lines.hasMoreTokens()) {
String line = lines.nextToken();
if (line == null) continue;
if (line == null)
continue;
if (line.startsWith("#")) continue;
if (line.startsWith("#"))
continue;
String val = value(line);
if (val == null) continue;
if (val == null)
continue;
if (line.startsWith("Private-key-format: "))
{
if (!val.equals("v1.2") && !val.equals("v1.3"))
{
if (line.startsWith("Private-key-format: ")) {
if (!val.equals("v1.2") && !val.equals("v1.3")) {
throw new IOException("unsupported private key format: " + val);
}
}
else if (line.startsWith("Algorithm: "))
{
} else if (line.startsWith("Algorithm: ")) {
// here we assume that the value looks like # (MNEM) or just the
// number.
String[] toks = val.split("\\s", 2);
val = toks[0];
int alg = parseInt(val, -1);
switch (mAlgorithms.baseType(alg))
{
switch (mAlgorithms.baseType(alg)) {
case DnsKeyAlgorithm.RSA:
return parsePrivateRSA(lines);
case DnsKeyAlgorithm.DSA:
@ -261,14 +248,16 @@ public class DnsKeyConverter
/**
* @return the value part of an "attribute:value" pair. The value is trimmed.
*/
private static String value(String av)
{
if (av == null) return null;
private static String value(String av) {
if (av == null)
return null;
int pos = av.indexOf(':');
if (pos < 0) return av;
if (pos < 0)
return av;
if (pos >= av.length()) return null;
if (pos >= av.length())
return null;
return av.substring(pos + 1).trim();
}
@ -278,11 +267,10 @@ public class DnsKeyConverter
* translate into a JCA private key
*
* @throws NoSuchAlgorithmException
* if the RSA algorithm is not available.
* if the RSA algorithm is not available.
*/
private PrivateKey parsePrivateRSA(StringTokenizer lines)
throws NoSuchAlgorithmException
{
throws NoSuchAlgorithmException {
BigInteger modulus = null;
BigInteger public_exponent = null;
BigInteger private_exponent = null;
@ -292,71 +280,54 @@ public class DnsKeyConverter
BigInteger prime_q_exponent = null;
BigInteger coefficient = null;
while (lines.hasMoreTokens())
{
while (lines.hasMoreTokens()) {
String line = lines.nextToken();
if (line == null) continue;
if (line == null)
continue;
if (line.startsWith("#")) continue;
if (line.startsWith("#"))
continue;
String val = value(line);
if (val == null) continue;
if (val == null)
continue;
byte[] data = base64.fromString(val);
if (line.startsWith("Modulus: "))
{
if (line.startsWith("Modulus: ")) {
modulus = new BigInteger(1, data);
// printBigIntCompare(data, modulus);
}
else if (line.startsWith("PublicExponent: "))
{
} else if (line.startsWith("PublicExponent: ")) {
public_exponent = new BigInteger(1, data);
// printBigIntCompare(data, public_exponent);
}
else if (line.startsWith("PrivateExponent: "))
{
} else if (line.startsWith("PrivateExponent: ")) {
private_exponent = new BigInteger(1, data);
// printBigIntCompare(data, private_exponent);
}
else if (line.startsWith("Prime1: "))
{
} else if (line.startsWith("Prime1: ")) {
prime_p = new BigInteger(1, data);
// printBigIntCompare(data, prime_p);
}
else if (line.startsWith("Prime2: "))
{
} else if (line.startsWith("Prime2: ")) {
prime_q = new BigInteger(1, data);
// printBigIntCompare(data, prime_q);
}
else if (line.startsWith("Exponent1: "))
{
} else if (line.startsWith("Exponent1: ")) {
prime_p_exponent = new BigInteger(1, data);
}
else if (line.startsWith("Exponent2: "))
{
} else if (line.startsWith("Exponent2: ")) {
prime_q_exponent = new BigInteger(1, data);
}
else if (line.startsWith("Coefficient: "))
{
} else if (line.startsWith("Coefficient: ")) {
coefficient = new BigInteger(1, data);
}
}
try
{
try {
KeySpec spec = new RSAPrivateCrtKeySpec(modulus, public_exponent,
private_exponent, prime_p,
prime_q, prime_p_exponent,
prime_q_exponent, coefficient);
if (mRSAKeyFactory == null)
{
private_exponent, prime_p,
prime_q, prime_p_exponent,
prime_q_exponent, coefficient);
if (mRSAKeyFactory == null) {
mRSAKeyFactory = KeyFactory.getInstance("RSA");
}
return mRSAKeyFactory.generatePrivate(spec);
}
catch (InvalidKeySpecException e)
{
} catch (InvalidKeySpecException e) {
e.printStackTrace();
return null;
}
@ -367,52 +338,44 @@ public class DnsKeyConverter
* info and translate it into a JCA private key.
*
* @throws NoSuchAlgorithmException
* if the DH algorithm is not available.
* if the DH algorithm is not available.
*/
private PrivateKey parsePrivateDH(StringTokenizer lines)
throws NoSuchAlgorithmException
{
throws NoSuchAlgorithmException {
BigInteger p = null;
BigInteger x = null;
BigInteger g = null;
while (lines.hasMoreTokens())
{
while (lines.hasMoreTokens()) {
String line = lines.nextToken();
if (line == null) continue;
if (line == null)
continue;
if (line.startsWith("#")) continue;
if (line.startsWith("#"))
continue;
String val = value(line);
if (val == null) continue;
if (val == null)
continue;
byte[] data = base64.fromString(val);
if (line.startsWith("Prime(p): "))
{
if (line.startsWith("Prime(p): ")) {
p = new BigInteger(1, data);
}
else if (line.startsWith("Generator(g): "))
{
} else if (line.startsWith("Generator(g): ")) {
g = new BigInteger(1, data);
}
else if (line.startsWith("Private_value(x): "))
{
} else if (line.startsWith("Private_value(x): ")) {
x = new BigInteger(1, data);
}
}
try
{
try {
KeySpec spec = new DHPrivateKeySpec(x, p, g);
if (mDHKeyFactory == null)
{
if (mDHKeyFactory == null) {
mDHKeyFactory = KeyFactory.getInstance("DH");
}
return mDHKeyFactory.generatePrivate(spec);
}
catch (InvalidKeySpecException e)
{
} catch (InvalidKeySpecException e) {
e.printStackTrace();
return null;
}
@ -423,57 +386,47 @@ public class DnsKeyConverter
* info and translate it into a JCA private key.
*
* @throws NoSuchAlgorithmException
* if the DSA algorithm is not available.
* if the DSA algorithm is not available.
*/
private PrivateKey parsePrivateDSA(StringTokenizer lines)
throws NoSuchAlgorithmException
{
throws NoSuchAlgorithmException {
BigInteger p = null;
BigInteger q = null;
BigInteger g = null;
BigInteger x = null;
while (lines.hasMoreTokens())
{
while (lines.hasMoreTokens()) {
String line = lines.nextToken();
if (line == null) continue;
if (line == null)
continue;
if (line.startsWith("#")) continue;
if (line.startsWith("#"))
continue;
String val = value(line);
if (val == null) continue;
if (val == null)
continue;
byte[] data = base64.fromString(val);
if (line.startsWith("Prime(p): "))
{
if (line.startsWith("Prime(p): ")) {
p = new BigInteger(1, data);
}
else if (line.startsWith("Subprime(q): "))
{
} else if (line.startsWith("Subprime(q): ")) {
q = new BigInteger(1, data);
}
else if (line.startsWith("Base(g): "))
{
} else if (line.startsWith("Base(g): ")) {
g = new BigInteger(1, data);
}
else if (line.startsWith("Private_value(x): "))
{
} else if (line.startsWith("Private_value(x): ")) {
x = new BigInteger(1, data);
}
}
try
{
try {
KeySpec spec = new DSAPrivateKeySpec(x, p, q, g);
if (mDSAKeyFactory == null)
{
if (mDSAKeyFactory == null) {
mDSAKeyFactory = KeyFactory.getInstance("DSA");
}
return mDSAKeyFactory.generatePrivate(spec);
}
catch (InvalidKeySpecException e)
{
} catch (InvalidKeySpecException e) {
e.printStackTrace();
return null;
}
@ -482,52 +435,48 @@ public class DnsKeyConverter
/**
* Given the remaining lines in a BIND9-style ECDSA private key, parse the key
* info and translate it into a JCA private key object.
*
* @param lines The remaining lines in a private key file (after
* @throws NoSuchAlgorithmException
* If elliptic curve is not available.
* If elliptic curve is not available.
*/
private PrivateKey parsePrivateECDSA(StringTokenizer lines, int algorithm)
throws NoSuchAlgorithmException
{
throws NoSuchAlgorithmException {
BigInteger s = null;
while (lines.hasMoreTokens())
{
while (lines.hasMoreTokens()) {
String line = lines.nextToken();
if (line == null) continue;
if (line == null)
continue;
if (line.startsWith("#")) continue;
if (line.startsWith("#"))
continue;
String val = value(line);
if (val == null) continue;
if (val == null)
continue;
byte[] data = base64.fromString(val);
if (line.startsWith("PrivateKey: "))
{
if (line.startsWith("PrivateKey: ")) {
s = new BigInteger(1, data);
}
}
if (mECKeyFactory == null)
{
if (mECKeyFactory == null) {
mECKeyFactory = KeyFactory.getInstance("EC");
}
ECParameterSpec ec_spec = mAlgorithms.getEllipticCurveParams(algorithm);
if (ec_spec == null)
{
if (ec_spec == null) {
throw new NoSuchAlgorithmException("DNSSEC algorithm " + algorithm +
" is not a recognized Elliptic Curve algorithm");
" is not a recognized Elliptic Curve algorithm");
}
KeySpec spec = new ECPrivateKeySpec(s, ec_spec);
try
{
try {
return mECKeyFactory.generatePrivate(spec);
}
catch (InvalidKeySpecException e)
{
} catch (InvalidKeySpecException e) {
e.printStackTrace();
return null;
}
@ -536,52 +485,48 @@ public class DnsKeyConverter
/**
* Given the remaining lines in a BIND9-style ECDSA private key, parse the key
* info and translate it into a JCA private key object.
*
* @param lines The remaining lines in a private key file (after
* @throws NoSuchAlgorithmException
* If elliptic curve is not available.
* If elliptic curve is not available.
*/
private PrivateKey parsePrivateEdDSA(StringTokenizer lines, int algorithm)
throws NoSuchAlgorithmException
{
throws NoSuchAlgorithmException {
byte[] seed = null;
while (lines.hasMoreTokens())
{
while (lines.hasMoreTokens()) {
String line = lines.nextToken();
if (line == null) continue;
if (line == null)
continue;
if (line.startsWith("#")) continue;
if (line.startsWith("#"))
continue;
String val = value(line);
if (val == null) continue;
if (val == null)
continue;
byte[] data = base64.fromString(val);
if (line.startsWith("PrivateKey: "))
{
if (line.startsWith("PrivateKey: ")) {
seed = data;
}
}
if (mEdKeyFactory == null)
{
if (mEdKeyFactory == null) {
mEdKeyFactory = KeyFactory.getInstance("EdDSA");
}
EdDSAParameterSpec ed_spec = mAlgorithms.getEdwardsCurveParams(algorithm);
if (ed_spec == null)
{
if (ed_spec == null) {
throw new NoSuchAlgorithmException("DNSSEC algorithm " + algorithm +
" is not a recognized Edwards Curve algorithm");
" is not a recognized Edwards Curve algorithm");
}
KeySpec spec = new EdDSAPrivateKeySpec(seed, ed_spec);
try
{
try {
return mEdKeyFactory.generatePrivate(spec);
}
catch (InvalidKeySpecException e)
{
} catch (InvalidKeySpecException e) {
e.printStackTrace();
return null;
}
@ -591,26 +536,16 @@ public class DnsKeyConverter
* Given a private key and public key, generate the BIND9 style private key
* format.
*/
public String generatePrivateKeyString(PrivateKey priv, PublicKey pub, int alg)
{
if (priv instanceof RSAPrivateCrtKey)
{
public String generatePrivateKeyString(PrivateKey priv, PublicKey pub, int alg) {
if (priv instanceof RSAPrivateCrtKey) {
return generatePrivateRSA((RSAPrivateCrtKey) priv, alg);
}
else if (priv instanceof DSAPrivateKey && pub instanceof DSAPublicKey)
{
} else if (priv instanceof DSAPrivateKey && pub instanceof DSAPublicKey) {
return generatePrivateDSA((DSAPrivateKey) priv, (DSAPublicKey) pub, alg);
}
else if (priv instanceof DHPrivateKey && pub instanceof DHPublicKey)
{
} else if (priv instanceof DHPrivateKey && pub instanceof DHPublicKey) {
return generatePrivateDH((DHPrivateKey) priv, (DHPublicKey) pub, alg);
}
else if (priv instanceof ECPrivateKey && pub instanceof ECPublicKey)
{
} else if (priv instanceof ECPrivateKey && pub instanceof ECPublicKey) {
return generatePrivateEC((ECPrivateKey) priv, (ECPublicKey) pub, alg);
}
else if (priv instanceof EdDSAPrivateKey && pub instanceof EdDSAPublicKey)
{
} else if (priv instanceof EdDSAPrivateKey && pub instanceof EdDSAPublicKey) {
return generatePrivateED((EdDSAPrivateKey) priv, (EdDSAPublicKey) pub, alg);
}
@ -620,12 +555,10 @@ public class DnsKeyConverter
/**
* Convert from 'unsigned' big integer to original 'signed format' in Base64
*/
private static String b64BigInt(BigInteger i)
{
private static String b64BigInt(BigInteger i) {
byte[] orig_bytes = i.toByteArray();
if (orig_bytes[0] != 0 || orig_bytes.length == 1)
{
if (orig_bytes[0] != 0 || orig_bytes.length == 1) {
return base64.toString(orig_bytes);
}
@ -639,8 +572,7 @@ public class DnsKeyConverter
* Given a RSA private key (in Crt format), return the BIND9-style text
* encoding.
*/
private String generatePrivateRSA(RSAPrivateCrtKey key, int algorithm)
{
private String generatePrivateRSA(RSAPrivateCrtKey key, int algorithm) {
StringWriter sw = new StringWriter();
PrintWriter out = new PrintWriter(sw);
@ -669,8 +601,7 @@ public class DnsKeyConverter
/** Given a DH key pair, return the BIND9-style text encoding */
private String generatePrivateDH(DHPrivateKey key, DHPublicKey pub,
int algorithm)
{
int algorithm) {
StringWriter sw = new StringWriter();
PrintWriter out = new PrintWriter(sw);
@ -693,8 +624,7 @@ public class DnsKeyConverter
/** Given a DSA key pair, return the BIND9-style text encoding */
private String generatePrivateDSA(DSAPrivateKey key, DSAPublicKey pub,
int algorithm)
{
int algorithm) {
StringWriter sw = new StringWriter();
PrintWriter out = new PrintWriter(sw);
@ -721,8 +651,7 @@ public class DnsKeyConverter
* Given an elliptic curve key pair, and the actual algorithm (which will
* describe the curve used), return the BIND9-style text encoding.
*/
private String generatePrivateEC(ECPrivateKey priv, ECPublicKey pub, int alg)
{
private String generatePrivateEC(ECPrivateKey priv, ECPublicKey pub, int alg) {
StringWriter sw = new StringWriter();
PrintWriter out = new PrintWriter(sw);
@ -739,8 +668,7 @@ public class DnsKeyConverter
* Given an edwards curve key pair, and the actual algorithm (which will
* describe the curve used), return the BIND9-style text encoding.
*/
private String generatePrivateED(EdDSAPrivateKey priv, EdDSAPublicKey pub, int alg)
{
private String generatePrivateED(EdDSAPrivateKey priv, EdDSAPublicKey pub, int alg) {
StringWriter sw = new StringWriter();
PrintWriter out = new PrintWriter(sw);

View File

@ -1,6 +1,4 @@
// $Id$
//
// Copyright (C) 2001-2003 VeriSign, Inc.
// Copyright (C) 2001-2003, 2022 VeriSign, Inc.
//
// This library is free software; you can redistribute it and/or
// modify it under the terms of the GNU Lesser General Public
@ -18,11 +16,21 @@
package com.verisignlabs.dnssec.security;
import java.security.*;
import java.security.interfaces.*;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.interfaces.DSAPrivateKey;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.logging.Logger;
import org.xbill.DNS.*;
import org.xbill.DNS.DClass;
import org.xbill.DNS.DNSKEYRecord;
import org.xbill.DNS.DNSSEC;
import org.xbill.DNS.Name;
/**
* This class forms the basis for representing public/private key pairs in a
@ -33,36 +41,33 @@ import org.xbill.DNS.*;
*
* JCA == Java Cryptography Architecture.
*
* @author David Blacka (orig)
* @author $Author$ (latest)
* @version $Revision$
* @author David Blacka
*/
// NOTE: this class is designed to do "lazy" evaluation of it's
// various cached objects and format conversions, so methods should
// avoid direct access to the member variables.
public class DnsKeyPair
{
public class DnsKeyPair {
/** This is the real (base) encoding of the public key. */
protected DNSKEYRecord mPublicKeyRecord;
protected DNSKEYRecord mPublicKeyRecord;
/**
* This is a pre-calculated cache of the DNSKEYRecord converted into a JCA
* public key.
*/
private PublicKey mPublicKey;
private PublicKey mPublicKey;
/**
* The private key in Base64 encoded format. This version is presumed to be
* opaque, so no attempts will be made to convert it to a JCA private key.
*/
protected String mPrivateKeyString;
protected String mPrivateKeyString;
/**
* The private key in JCA format. This is the base encoding for instances where
* JCA private keys are used.
*/
protected PrivateKey mPrivateKey;
protected PrivateKey mPrivateKey;
/** The local key converter. */
protected DnsKeyConverter mKeyConverter;
@ -70,57 +75,51 @@ public class DnsKeyPair
/**
* a cached Signature used for signing (initialized with the private key)
*/
protected Signature mSigner;
protected Signature mSigner;
/**
* a caches Signature used for verifying (initialized with the public key)
*/
protected Signature mVerifier;
protected Signature mVerifier;
private Logger log;
private Logger log;
public DnsKeyPair()
{
public DnsKeyPair() {
log = Logger.getLogger(this.getClass().toString());
}
public DnsKeyPair(DNSKEYRecord keyRecord, PrivateKey privateKey)
{
public DnsKeyPair(DNSKEYRecord keyRecord, PrivateKey privateKey) {
this();
setDNSKEYRecord(keyRecord);
setPrivate(privateKey);
}
public DnsKeyPair(DNSKEYRecord keyRecord, String privateKeyString)
{
public DnsKeyPair(DNSKEYRecord keyRecord, String privateKeyString) {
this();
setDNSKEYRecord(keyRecord);
setPrivateKeyString(privateKeyString);
}
public DnsKeyPair(DNSKEYRecord keyRecord)
{
public DnsKeyPair(DNSKEYRecord keyRecord) {
this();
setDNSKEYRecord(keyRecord);
setPrivateKeyString(null);
}
public DnsKeyPair(Name keyName, int algorithm, PublicKey publicKey,
PrivateKey privateKey)
{
PrivateKey privateKey) {
this();
DnsKeyConverter conv = new DnsKeyConverter();
DNSKEYRecord keyrec = conv.generateDNSKEYRecord(keyName, DClass.IN, 0, 0,
algorithm, publicKey);
algorithm, publicKey);
setDNSKEYRecord(keyrec);
setPrivate(privateKey);
}
public DnsKeyPair(DnsKeyPair pair)
{
public DnsKeyPair(DnsKeyPair pair) {
this();
setDNSKEYRecord(pair.getDNSKEYRecord());
@ -129,10 +128,8 @@ public class DnsKeyPair
}
/** @return cached DnsKeyConverter object. */
protected DnsKeyConverter getKeyConverter()
{
if (mKeyConverter == null)
{
protected DnsKeyConverter getKeyConverter() {
if (mKeyConverter == null) {
mKeyConverter = new DnsKeyConverter();
}
@ -140,8 +137,7 @@ public class DnsKeyPair
}
/** @return the appropriate Signature object for this keypair. */
protected Signature getSignature()
{
protected Signature getSignature() {
DnsKeyAlgorithm algorithms = DnsKeyAlgorithm.getInstance();
return algorithms.getSignature(getDNSKEYAlgorithm());
}
@ -149,17 +145,12 @@ public class DnsKeyPair
/**
* @return the public key, translated from the KEYRecord, if necessary.
*/
public PublicKey getPublic()
{
if (mPublicKey == null && getDNSKEYRecord() != null)
{
try
{
public PublicKey getPublic() {
if (mPublicKey == null && getDNSKEYRecord() != null) {
try {
DnsKeyConverter conv = getKeyConverter();
setPublic(conv.parseDNSKEYRecord(getDNSKEYRecord()));
}
catch (NoSuchAlgorithmException e)
{
} catch (NoSuchAlgorithmException e) {
log.severe(e.toString());
return null;
}
@ -171,18 +162,15 @@ public class DnsKeyPair
/**
* sets the public key. This method is generally not used directly.
*/
protected void setPublic(PublicKey k)
{
protected void setPublic(PublicKey k) {
mPublicKey = k;
}
/** @return the private key. */
public PrivateKey getPrivate()
{
public PrivateKey getPrivate() {
// attempt to convert the private key string format into a JCA
// private key.
if (mPrivateKey == null && mPrivateKeyString != null)
{
if (mPrivateKey == null && mPrivateKeyString != null) {
mPrivateKey = BINDKeyUtils.convertPrivateKeyString(mPrivateKeyString);
}
@ -190,8 +178,7 @@ public class DnsKeyPair
}
/** sets the private key */
public void setPrivate(PrivateKey k)
{
public void setPrivate(PrivateKey k) {
mPrivateKey = k;
}
@ -199,30 +186,27 @@ public class DnsKeyPair
* @return the opaque private key string, null if one doesn't exist.
* @throws NoSuchAlgorithmException
*/
public String getPrivateKeyString()
{
if (mPrivateKeyString == null && mPrivateKey != null)
{
public String getPrivateKeyString() {
if (mPrivateKeyString == null && mPrivateKey != null) {
PublicKey pub = getPublic();
mPrivateKeyString = BINDKeyUtils.convertPrivateKey(mPrivateKey, pub,
getDNSKEYAlgorithm());
getDNSKEYAlgorithm());
}
return mPrivateKeyString;
}
/** sets the opaque private key string. */
public void setPrivateKeyString(String p)
{
public void setPrivateKeyString(String p) {
mPrivateKeyString = p;
}
/** @return the private key in an encoded form (normally PKCS#8). */
public byte[] getEncodedPrivate()
{
public byte[] getEncodedPrivate() {
PrivateKey priv = getPrivate();
if (priv != null) return priv.getEncoded();
return null;
if (priv != null)
return priv.getEncoded();
return new byte[0];
}
/**
@ -230,20 +214,17 @@ public class DnsKeyPair
* that the public key already be assigned. Currently it can only handle DSA
* and RSA keys.
*/
public void setEncodedPrivate(byte[] encoded)
{
public void setEncodedPrivate(byte[] encoded) {
int alg = getDNSKEYAlgorithm();
if (alg >= 0)
{
if (alg >= 0) {
DnsKeyConverter conv = getKeyConverter();
setPrivate(conv.convertEncodedPrivateKey(encoded, alg));
}
}
/** @return the public DNSKEY record */
public DNSKEYRecord getDNSKEYRecord()
{
public DNSKEYRecord getDNSKEYRecord() {
return mPublicKeyRecord;
}
@ -251,25 +232,17 @@ public class DnsKeyPair
* @return a Signature object initialized for signing, or null if this key
* pair does not have a valid private key.
*/
public Signature getSigner()
{
if (mSigner == null)
{
public Signature getSigner() {
if (mSigner == null) {
mSigner = getSignature();
PrivateKey priv = getPrivate();
if (mSigner != null && priv != null)
{
try
{
if (mSigner != null && priv != null) {
try {
mSigner.initSign(priv);
}
catch (InvalidKeyException e)
{
} catch (InvalidKeyException e) {
log.severe("Signature error: " + e);
}
}
else
{
} else {
// do not return an uninitialized signer.
return null;
}
@ -283,24 +256,16 @@ public class DnsKeyPair
* pair does not have a valid public key.
* @throws NoSuchAlgorithmException
*/
public Signature getVerifier()
{
if (mVerifier == null)
{
public Signature getVerifier() {
if (mVerifier == null) {
mVerifier = getSignature();
PublicKey pk = getPublic();
if (mVerifier != null && pk != null)
{
try
{
if (mVerifier != null && pk != null) {
try {
mVerifier.initVerify(pk);
} catch (InvalidKeyException e) {
}
catch (InvalidKeyException e)
{
}
}
else
{
} else {
// do not return an uninitialized verifier
return null;
}
@ -310,47 +275,48 @@ public class DnsKeyPair
}
/** sets the public key record */
public void setDNSKEYRecord(DNSKEYRecord r)
{
public void setDNSKEYRecord(DNSKEYRecord r) {
mPublicKeyRecord = r;
// force the conversion to PublicKey:
mPublicKey = null;
}
public Name getDNSKEYName()
{
public Name getDNSKEYName() {
DNSKEYRecord kr = getDNSKEYRecord();
if (kr != null) return kr.getName();
if (kr != null)
return kr.getName();
return null;
}
public int getDNSKEYAlgorithm()
{
public int getDNSKEYAlgorithm() {
DNSKEYRecord kr = getDNSKEYRecord();
if (kr != null) return kr.getAlgorithm();
if (kr != null)
return kr.getAlgorithm();
PublicKey pk = getPublic();
if (pk != null)
{
if (pk != null) {
// currently, alg 5 is the default over alg 1 (RSASHA1).
if (pk instanceof RSAPublicKey) return DNSSEC.Algorithm.RSASHA1;
if (pk instanceof DSAPublicKey) return DNSSEC.Algorithm.DSA;
if (pk instanceof RSAPublicKey)
return DNSSEC.Algorithm.RSASHA1;
if (pk instanceof DSAPublicKey)
return DNSSEC.Algorithm.DSA;
}
PrivateKey priv = getPrivate();
if (priv != null)
{
if (priv instanceof RSAPrivateKey) return DNSSEC.Algorithm.RSASHA1;
if (priv instanceof DSAPrivateKey) return DNSSEC.Algorithm.DSA;
if (priv != null) {
if (priv instanceof RSAPrivateKey)
return DNSSEC.Algorithm.RSASHA1;
if (priv instanceof DSAPrivateKey)
return DNSSEC.Algorithm.DSA;
}
return -1;
}
public int getDNSKEYFootprint()
{
public int getDNSKEYFootprint() {
DNSKEYRecord kr = getDNSKEYRecord();
if (kr != null) return kr.getFootprint();
if (kr != null)
return kr.getFootprint();
return -1;
}
}

View File

@ -1,6 +1,4 @@
// $Id$
//
// Copyright (C) 2001-2003 VeriSign, Inc.
// Copyright (C) 2001-2003, 2022 VeriSign, Inc.
//
// This library is free software; you can redistribute it and/or
// modify it under the terms of the GNU Lesser General Public
@ -24,14 +22,17 @@ import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Logger;
import org.xbill.DNS.*;
import org.xbill.DNS.DNSKEYRecord;
import org.xbill.DNS.DNSSEC;
import org.xbill.DNS.Name;
import org.xbill.DNS.RRSIGRecord;
import org.xbill.DNS.RRset;
/**
* A class for performing basic DNSSEC verification. The DNSJAVA package
@ -39,62 +40,46 @@ import org.xbill.DNS.*;
* timing "fudge" factors and logging more specifically why an RRset did not
* validate.
*
* @author David Blacka (original)
* @author $Author$
* @version $Revision$
* @author David Blacka
*/
public class DnsSecVerifier
{
public class DnsSecVerifier {
private class TrustedKeyStore
{
private class TrustedKeyStore {
// for now, this is implemented as a hash table of lists of
// DnsKeyPair objects (obviously, all of them will not have
// private keys).
private HashMap<String, List<DnsKeyPair>> mKeyMap;
public TrustedKeyStore()
{
mKeyMap = new HashMap<String, List<DnsKeyPair>>();
public TrustedKeyStore() {
mKeyMap = new HashMap<>();
}
public void add(DnsKeyPair pair)
{
public void add(DnsKeyPair pair) {
String n = pair.getDNSKEYName().toString().toLowerCase();
List<DnsKeyPair> l = mKeyMap.get(n);
if (l == null)
{
l = new ArrayList<DnsKeyPair>();
mKeyMap.put(n, l);
}
List<DnsKeyPair> l = mKeyMap.computeIfAbsent(n, k -> new ArrayList<>());
l.add(pair);
}
public void add(DNSKEYRecord keyrec)
{
public void add(DNSKEYRecord keyrec) {
DnsKeyPair pair = new DnsKeyPair(keyrec, (PrivateKey) null);
add(pair);
}
public void add(Name name, int algorithm, PublicKey key)
{
public void add(Name name, int algorithm, PublicKey key) {
DnsKeyPair pair = new DnsKeyPair(name, algorithm, key, null);
add(pair);
}
public DnsKeyPair find(Name name, int algorithm, int keyid)
{
public DnsKeyPair find(Name name, int algorithm, int keyid) {
String n = name.toString().toLowerCase();
List<DnsKeyPair> l = mKeyMap.get(n);
if (l == null) return null;
if (l == null)
return null;
// FIXME: this algorithm assumes that name+alg+footprint is
// unique, which isn't necessarily true.
for (DnsKeyPair p : l)
{
if (p.getDNSKEYAlgorithm() == algorithm && p.getDNSKEYFootprint() == keyid)
{
for (DnsKeyPair p : l) {
if (p.getDNSKEYAlgorithm() == algorithm && p.getDNSKEYFootprint() == keyid) {
return p;
}
}
@ -103,126 +88,112 @@ public class DnsSecVerifier
}
private TrustedKeyStore mKeyStore;
private int mStartFudge = 0;
private int mExpireFudge = 0;
private boolean mVerifyAllSigs = false;
private boolean mIgnoreTime = false;
private int mStartFudge = 0;
private int mExpireFudge = 0;
private boolean mVerifyAllSigs = false;
private boolean mIgnoreTime = false;
private Logger log;
private Logger log;
public DnsSecVerifier()
{
public DnsSecVerifier() {
log = Logger.getLogger(this.getClass().toString());
mKeyStore = new TrustedKeyStore();
}
public void addTrustedKey(DNSKEYRecord keyrec)
{
public void addTrustedKey(DNSKEYRecord keyrec) {
mKeyStore.add(keyrec);
}
public void addTrustedKey(DnsKeyPair pair)
{
public void addTrustedKey(DnsKeyPair pair) {
mKeyStore.add(pair);
}
public void addTrustedKey(Name name, int algorithm, PublicKey key)
{
public void addTrustedKey(Name name, int algorithm, PublicKey key) {
mKeyStore.add(name, algorithm, key);
}
public void addTrustedKey(Name name, PublicKey key)
{
public void addTrustedKey(Name name, PublicKey key) {
mKeyStore.add(name, 0, key);
}
public void setExpireFudge(int fudge)
{
public void setExpireFudge(int fudge) {
mExpireFudge = fudge;
}
public void setStartFudge(int fudge)
{
public void setStartFudge(int fudge) {
mStartFudge = fudge;
}
public void setVerifyAllSigs(boolean v)
{
public void setVerifyAllSigs(boolean v) {
mVerifyAllSigs = v;
}
public void setIgnoreTime(boolean v)
{
public void setIgnoreTime(boolean v) {
mIgnoreTime = v;
}
private DnsKeyPair findKey(Name name, int algorithm, int footprint)
{
private DnsKeyPair findKey(Name name, int algorithm, int footprint) {
return mKeyStore.find(name, algorithm, footprint);
}
private boolean validateSignature(RRset rrset, RRSIGRecord sigrec, List<String> reasons)
{
if (rrset == null || sigrec == null) return false;
if (!rrset.getName().equals(sigrec.getName()))
{
private boolean validateSignature(RRset rrset, RRSIGRecord sigrec, List<String> reasons) {
if (rrset == null || sigrec == null)
return false;
if (!rrset.getName().equals(sigrec.getName())) {
log.fine("Signature name does not match RRset name");
if (reasons != null) reasons.add("Signature name does not match RRset name");
if (reasons != null)
reasons.add("Signature name does not match RRset name");
return false;
}
if (rrset.getType() != sigrec.getTypeCovered())
{
if (rrset.getType() != sigrec.getTypeCovered()) {
log.fine("Signature type does not match RRset type");
if (reasons != null) reasons.add("Signature type does not match RRset type");
if (reasons != null)
reasons.add("Signature type does not match RRset type");
}
if (mIgnoreTime) return true;
if (mIgnoreTime)
return true;
Date now = new Date();
Date start = sigrec.getTimeSigned();
Date expire = sigrec.getExpire();
Instant now = Instant.now();
Instant start = sigrec.getTimeSigned();
Instant expire = sigrec.getExpire();
if (mStartFudge >= 0)
{
if (mStartFudge > 0)
{
start = new Date(start.getTime() - ((long) mStartFudge * 1000));
if (mStartFudge >= 0) {
if (mStartFudge > 0) {
start = start.minusSeconds(mStartFudge);
}
if (now.before(start))
{
if (now.isBefore(start)) {
log.fine("Signature is not yet valid");
if (reasons != null) reasons.add("Signature not yet valid");
if (reasons != null)
reasons.add("Signature not yet valid");
return false;
}
}
if (mExpireFudge >= 0)
{
if (mExpireFudge > 0)
{
expire = new Date(expire.getTime() + ((long) mExpireFudge * 1000));
if (mExpireFudge >= 0) {
if (mExpireFudge > 0) {
expire = expire.plusSeconds(mExpireFudge);
}
if (now.after(expire))
{
if (now.isAfter(expire)) {
log.fine("Signature has expired (now = " + now + ", sig expires = " + expire);
if (reasons != null) reasons.add("Signature has expired.");
if (reasons != null)
reasons.add("Signature has expired.");
return false;
}
}
if (rrset.getTTL() > sigrec.getOrigTTL())
{
if (rrset.getTTL() > sigrec.getOrigTTL()) {
log.fine("RRset's TTL is greater than the Signature's orignal TTL");
if (reasons != null) reasons.add("RRset TTL greater than RRSIG origTTL");
if (reasons != null)
reasons.add("RRset TTL greater than RRSIG origTTL");
return false;
}
return true;
}
public boolean verifySignature(RRset rrset, RRSIGRecord sigrec)
{
public boolean verifySignature(RRset rrset, RRSIGRecord sigrec) {
return verifySignature(rrset, sigrec, null);
}
@ -232,23 +203,22 @@ public class DnsSecVerifier
* @return true if the signature verified, false if it did
* not verify (for any reason, including not finding the DNSKEY.)
*/
public boolean verifySignature(RRset rrset, RRSIGRecord sigrec, List<String> reasons)
{
public boolean verifySignature(RRset rrset, RRSIGRecord sigrec, List<String> reasons) {
boolean result = validateSignature(rrset, sigrec, reasons);
if (!result) return result;
if (!result)
return result;
DnsKeyPair keypair = findKey(sigrec.getSigner(), sigrec.getAlgorithm(),
sigrec.getFootprint());
sigrec.getFootprint());
if (keypair == null)
{
if (reasons != null) reasons.add("Could not find matching trusted key");
if (keypair == null) {
if (reasons != null)
reasons.add("Could not find matching trusted key");
log.fine("could not find matching trusted key");
return false;
}
try
{
try {
byte[] data = SignUtils.generateSigData(rrset, sigrec);
DnsKeyAlgorithm algs = DnsKeyAlgorithm.getInstance();
@ -258,35 +228,30 @@ public class DnsSecVerifier
byte[] sig = sigrec.getSignature();
if (algs.baseType(sigrec.getAlgorithm()) == DnsKeyAlgorithm.DSA)
{
if (algs.baseType(sigrec.getAlgorithm()) == DnsKeyAlgorithm.DSA) {
sig = SignUtils.convertDSASignature(sig);
}
if (sigrec.getAlgorithm() == DNSSEC.Algorithm.ECDSAP256SHA256 ||
sigrec.getAlgorithm() == DNSSEC.Algorithm.ECDSAP384SHA384)
{
if (sigrec.getAlgorithm() == DNSSEC.Algorithm.ECDSAP256SHA256 ||
sigrec.getAlgorithm() == DNSSEC.Algorithm.ECDSAP384SHA384) {
sig = SignUtils.convertECDSASignature(sig);
}
if (!signer.verify(sig))
{
if (reasons != null) reasons.add("Signature failed to verify cryptographically");
if (!signer.verify(sig)) {
if (reasons != null)
reasons.add("Signature failed to verify cryptographically");
log.fine("Signature failed to verify cryptographically");
return false;
}
return true;
}
catch (IOException e)
{
} catch (IOException e) {
log.severe("I/O error: " + e);
}
catch (GeneralSecurityException e)
{
} catch (GeneralSecurityException e) {
log.severe("Security error: " + e);
}
if (reasons != null) reasons.add("Signature failed to verify due to exception");
if (reasons != null)
reasons.add("Signature failed to verify due to exception");
log.fine("Signature failed to verify due to exception");
return false;
}
@ -296,30 +261,24 @@ public class DnsSecVerifier
*
* @return true if the set verified, false if it did not.
*/
public boolean verify(RRset rrset)
{
public boolean verify(RRset rrset) {
boolean result = mVerifyAllSigs ? true : false;
Iterator i = rrset.sigs();
if (!i.hasNext())
{
if (rrset.sigs().isEmpty()) {
log.fine("RRset failed to verify due to lack of signatures");
return false;
}
while (i.hasNext())
{
RRSIGRecord sigrec = (RRSIGRecord) i.next();
for (RRSIGRecord sigrec : rrset.sigs()) {
boolean res = verifySignature(rrset, sigrec);
// If not requiring all signature to validate, then any successful validation is sufficient.
if (!mVerifyAllSigs && res) return res;
// If not requiring all signature to validate, then any successful validation is
// sufficient.
if (!mVerifyAllSigs && res)
return res;
// Otherwise, note if a signature failed to validate.
if (mVerifyAllSigs && !res)
{
if (mVerifyAllSigs && !res) {
result = res;
}
}

View File

@ -1,6 +1,4 @@
// $Id$
//
// Copyright (C) 2001-2003, 2009 VeriSign, Inc.
// Copyright (C) 2001-2003, 2009, 2022 Verisign, Inc.
//
// This library is free software; you can redistribute it and/or
// modify it under the terms of the GNU Lesser General Public
@ -25,15 +23,20 @@ import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.interfaces.DSAPublicKey;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.ListIterator;
import java.util.logging.Logger;
import org.xbill.DNS.*;
import org.xbill.DNS.DNSKEYRecord;
import org.xbill.DNS.DNSSEC;
import org.xbill.DNS.Name;
import org.xbill.DNS.RRSIGRecord;
import org.xbill.DNS.RRset;
import org.xbill.DNS.Record;
import org.xbill.DNS.Type;
import org.xbill.DNS.utils.hexdump;
/**
@ -43,26 +46,21 @@ import org.xbill.DNS.utils.hexdump;
* the ability to sign an entire zone. It primarily glues together the more
* basic primitives found in {@link SignUtils}.
*
* @author David Blacka (original)
* @author $Author$
* @version $Revision$
* @author David Blacka
*/
public class JCEDnsSecSigner
{
public class JCEDnsSecSigner {