Elliptic curve support.

Improve usage, unknown algorithm error handling in jdnssec-keygen Use the bouncycastle crypto provider for ECCGOST if available
2016-12-02 17:49:09 -05:00 · 2016-12-02 17:49:09 -05:00 · f170bd170a
parent 6bbcf38fe1
commit f170bd170a
9 changed files with 773 additions and 321 deletions
--- a/432
+++ b/432
@ -1,388 +1,406 @@
 2016-12-05  David Blacka  <davidb@verisign.com>
        * Add key generation, signing, verification support for elliptic
        curve algorithms: ECC-GOST (12), ECDSA P-256 (13) and ECDSA P-384 (15).
 2016-08-22  David Blacka  <davidb@verisign.com>
        * Update internal dnsjava to 2.1.7-vrsn-1.
 2014-04-22  David Blacka  <davidb@verisign.com>
        * ZoneFormat: Make -N also compute original ownernames for empty
        non-terminal NSEC3 records.
        * ZoneVerifier: Improve the zone verifiers handling of "junk" in a
        zone (i.e., ignore resource records that aren't actually in the
        zone itself.)
 2012-07-16  David Blacka  <davidb@verisign.com>
-	* Released version 0.12.
+        * Released version 0.12.
-	* TypeMap: fix the fromBytes() method, which was incorrect and add
+        * TypeMap: fix the fromBytes() method, which was incorrect and add
-	a static fromString() method.
+        a static fromString() method.
-	* ProtoNSEC3: use TypeMap's toString method, rather than fetching
+        * ProtoNSEC3: use TypeMap's toString method, rather than fetching
-	the array of types and rendering them directly.
+        the array of types and rendering them directly.
 2012-05-29  David Blacka  <davidb@verisign.com>
-	* Released version 0.11.
+        * Released version 0.11.
 2012-05-26  David Blacka  <davidb@verisign.com>
-	* Update dnsjava to dnsjava-2.1.3-vrsn-1.  Update the code to
+        * Update dnsjava to dnsjava-2.1.3-vrsn-1.  Update the code to
-	adjust for API changes in dnsjava-2.1.x.  Highlights:
+        adjust for API changes in dnsjava-2.1.x.  Highlights:
-	- no longer use DNSSEC.Failed, DNSSEC.Secure as those constants
+        - no longer use DNSSEC.Failed, DNSSEC.Secure as those constants
-	are now gone.  Instead, any methods returning those constants now
+        are now gone.  Instead, any methods returning those constants now
-	return a boolean, true for DNSSEC.Secure, false for DNSSEC.Failed
+        return a boolean, true for DNSSEC.Secure, false for DNSSEC.Failed
-	or DNSSEC.Insecure.
+        or DNSSEC.Insecure.
-	- No longer use KEYConverter.  Instead, uses the new DNSKEYRecord
+        - No longer use KEYConverter.  Instead, uses the new DNSKEYRecord
-	constructor.
+        constructor.
-	- The NSEC3 digest type is now an int (rather than a byte)
+        - The NSEC3 digest type is now an int (rather than a byte)
-	- Algorithm references are now DNSSEC.Algorithm.<alg>
+        - Algorithm references are now DNSSEC.Algorithm.<alg>
-	* jdnssec-verifyzone: Add duplicate RR detection (on by default)
+        * jdnssec-verifyzone: Add duplicate RR detection (on by default)
-	and a command line option to disable it.
+        and a command line option to disable it.
 2011-02-14  David Blacka  <davidb@verisign.com>
-	* Released version 0.10.1.
+        * Released version 0.10.1.
 2011-02-12  David Blacka  <davidb@verisign.com>
-	* Use Java 1.5 generic types when possible.  DNSJava itself still
+        * Use Java 1.5 generic types when possible.  DNSJava itself still
-	doesn't use them, so we have to suppress warnings when we use
+        doesn't use them, so we have to suppress warnings when we use
-	RRset.rrs(), etc.
+        RRset.rrs(), etc.
-	* Update commons-cli to version 1.2.
+        * Update commons-cli to version 1.2.
-	* Refactor all of the command line classes.  A new command line
+        * Refactor all of the command line classes.  A new command line
-	base class has been created to eliminate much of the duplicated
+        base class has been created to eliminate much of the duplicated
-	code.
+        code.
 2011-02-09  David Blacka  <davidb@verisign.com>
-	* Enable reading and writing from stdin/stdout for most tools.  To
+        * Enable reading and writing from stdin/stdout for most tools.  To
-	do this, use '-' as the zonefile name.
+        do this, use '-' as the zonefile name.
-	* jdnssec-signzone, jdnssec-signrrset: remove 'multiline' output
+        * jdnssec-signzone, jdnssec-signrrset: remove 'multiline' output
-	as the default and add a command line switch (-m) to enable it.
+        as the default and add a command line switch (-m) to enable it.
-	That is, these tools will output each RR on a single line by
+        That is, these tools will output each RR on a single line by
-	default, adding -m will restore the prior behavior.
+        default, adding -m will restore the prior behavior.
 2011-02-08  David Blacka  <davidb@verisign.com>
-	* Minor cleanups to usage statement printing across most of the tools.
+        * Minor cleanups to usage statement printing across most of the tools.
 2011-02-03  David Blacka  <davidb@verisign.com>
-	* Released version 0.10
+        * Released version 0.10
-	* jdnssec-keygen: update the default algorithm to 8 (instead of 5).
+        * jdnssec-keygen: update the default algorithm to 8 (instead of 5).
-	* Update logging across all command line tools to use a consistent
+        * Update logging across all command line tools to use a consistent
-	'-v' option, and consistent, simpler log formatting.
+        '-v' option, and consistent, simpler log formatting.
-	* jdnssec-verifyzone: resume logging the key information at INFO,
+        * jdnssec-verifyzone: resume logging the key information at INFO,
-	but make the default log level WARNING.  To see the old logging
+        but make the default log level WARNING.  To see the old logging
-	behavior, use -v 4.
+        behavior, use -v 4.
 2011-02-02  David Blacka  <davidb@verisign.com>
-	* DnsKeyConverter: support the new BIND 9.7 private key format,
+        * DnsKeyConverter: support the new BIND 9.7 private key format,
-	which only entails recognizing the new version string, since the
+        which only entails recognizing the new version string, since the
-	new format is a superset of the old format.
+        new format is a superset of the old format.
 2011-01-11  David Blacka  <davidb@verisign.com>
-	* jdnssec-zoneformat: add a -m option for formatting as
+        * jdnssec-zoneformat: add a -m option for formatting as
-	multiline.  Add a -N option for determining the original
+        multiline.  Add a -N option for determining the original
-	ownernames for NSEC3 signed zones.
+        ownernames for NSEC3 signed zones.
 2010-12-14  David Blacka  <davidb@verisign.com>
-	* jdnssec-verifyzone: Add options to either fudge or ignore RRSIG
+        * jdnssec-verifyzone: Add options to either fudge or ignore RRSIG
-	inception and expiration times.
+        inception and expiration times.
 2010-12-06  David Blacka  <davidb@verisign.com>
-	* jdnssec-verifyzone: Complete refactored the verification code to
+        * jdnssec-verifyzone: Complete refactored the verification code to
-	more comprehensively check a zone for DNSSEC validity.  Instead of
+        more comprehensively check a zone for DNSSEC validity.  Instead of
-	just verifying signatures, it will also check to see if the NSEC
+        just verifying signatures, it will also check to see if the NSEC
-	or NSEC3 chains are valid.
+        or NSEC3 chains are valid.
 2010-12-05  David Blacka  <davidb@verisign.com>
-	* jdnssec-signzone: Fix a bug that would incorrectly handle
+        * jdnssec-signzone: Fix a bug that would incorrectly handle
-	delgations below delegations (those should be ignored.)
+        delgations below delegations (those should be ignored.)
-	* jdnssec-signzone: Make the signer ignore junk below a DNAME.
+        * jdnssec-signzone: Make the signer ignore junk below a DNAME.
-	This differs from BIND's dnssec-signzone behavior (currently), but
+        This differs from BIND's dnssec-signzone behavior (currently), but
-	is the correct behavior, as stuff below a DNAME doesn't actually
+        is the correct behavior, as stuff below a DNAME doesn't actually
-	exist in DNS.  Note that if a name in a zone has both a DNAME and
+        exist in DNS.  Note that if a name in a zone has both a DNAME and
-	a NS RRset (and is not at the apex), then the behavior is a bit
+        a NS RRset (and is not at the apex), then the behavior is a bit
-	undefined.
+        undefined.
-	* jdnssec-signzone: Fix a bug that would incorrectly set the RRSIG
+        * jdnssec-signzone: Fix a bug that would incorrectly set the RRSIG
-	bit for NSEC3 RRs corresponding to insecure delegations.
+        bit for NSEC3 RRs corresponding to insecure delegations.
-	* jdnssec-signzone: add a "verbose signing" option.  This will
+        * jdnssec-signzone: add a "verbose signing" option.  This will
-	cause the pre-signed bytes and the raw signature bytes to be
+        cause the pre-signed bytes and the raw signature bytes to be
-	output when signing.
+        output when signing.
-	* Other fixes: some minor tweaks and comment fixes.
+        * Other fixes: some minor tweaks and comment fixes.
-	Unfortunately, also a lot of rewrapping and whitespace changes due
+        Unfortunately, also a lot of rewrapping and whitespace changes due
-	to Eclipse.  Sigh.
+        to Eclipse.  Sigh.
 2010-01-14  David Blacka  <davidb@verisign.com>
-	* Released version 0.9.6
+        * Released version 0.9.6
 2010-01-09  David Blacka  <davidb@verisign.com>
-	* Upgrade to DNSJava 2.0.8 (plus a few local changes).  2.0.8
+        * Upgrade to DNSJava 2.0.8 (plus a few local changes).  2.0.8
-	fixes a major bug in typemap wire conversion.
+        fixes a major bug in typemap wire conversion.
 2009-11-02  David Blacka  <davidb@verisign.com>
-	* Released version 0.9.5
+        * Released version 0.9.5
 2009-11-01  David Blacka  <davidb@verisign.com>
-	* Upgrade to DNSJava 2.0.7 (plus a few local changes).
+        * Upgrade to DNSJava 2.0.7 (plus a few local changes).
-	* DnsKeyAlogorithm: change the RSASHA512 number to 10.
+        * DnsKeyAlogorithm: change the RSASHA512 number to 10.
 2009-08-23  David Blacka  <davidb@verisign.com>
-	* Released version 0.9.4
+        * Released version 0.9.4
 2009-07-15  David Blacka  <davidb@verisign.com>
-	* SignUtils: Fix major issue where the code that generates that
+        * SignUtils: Fix major issue where the code that generates that
-	canonical RRset given signature data wasn't obeying the "Orig TTL"
+        canonical RRset given signature data wasn't obeying the "Orig TTL"
-	and "Labels" fields.  This is a major issue with verification,
+        and "Labels" fields.  This is a major issue with verification,
-	although it doesn't affect signature generation.
+        although it doesn't affect signature generation.
-	* VerifyZone:  Fix bug where the whole-zone security status was
+        * VerifyZone:  Fix bug where the whole-zone security status was
-	still wrong: unsigned RRsets shouldn't make the zone Bogus.
+        still wrong: unsigned RRsets shouldn't make the zone Bogus.
 2009-06-12  David Blacka  <davidb@verisign.com>
-	* VerifyZone: Fix bug in verification logic so that RRsets that
+        * VerifyZone: Fix bug in verification logic so that RRsets that
-	never find a valid signature (i.e., only have signatures by keys
+        never find a valid signature (i.e., only have signatures by keys
-	that aren't in the zone) are considered Bogus.  Note that
+        that aren't in the zone) are considered Bogus.  Note that
-	VerifyZone still can't tell if a RRset that should be signed
+        VerifyZone still can't tell if a RRset that should be signed
-	wasn't (or vice versa).
+        wasn't (or vice versa).
-	* dnsjava: Update local copy of dnsjava library.  This version
+        * dnsjava: Update local copy of dnsjava library.  This version
-	adds NSEC3 agorithms to DNSSECVerifier and KEYConverter, emulates
+        adds NSEC3 agorithms to DNSSECVerifier and KEYConverter, emulates
-	DiG's "OPT PSEUDOSECTION" formatting in Message.toString(), and
+        DiG's "OPT PSEUDOSECTION" formatting in Message.toString(), and
-	adds a minimal DHCIDRecord type.  Note that the DNSjava trunk has
+        adds a minimal DHCIDRecord type.  Note that the DNSjava trunk has
-	a different (although functional similar) version of this type.
+        a different (although functional similar) version of this type.
 2009-06-09  David Blacka  <davidb@verisign.com>
-	* VerifyZone: Improve the output.
+        * VerifyZone: Improve the output.
-	* SignKeyset: Add a command line tool for just signing DNSKEY RRsets.
+        * SignKeyset: Add a command line tool for just signing DNSKEY RRsets.
 2009-02-10  David Blacka  <davidb@verisign.com>
-	* Released version 0.9.0
+        * Released version 0.9.0
 2009-02-08  David Blacka  <davidb@verisign.com>
-	* KeyGen: make RSA large exponent the default.  Make it possible
+        * KeyGen: make RSA large exponent the default.  Make it possible
-	to select small exponent.
+        to select small exponent.
-	* KeyInfoTool: add more info to the output, handle multiple files
+        * KeyInfoTool: add more info to the output, handle multiple files
-	on the command line.
+        on the command line.
-	* DnsKeyAlgorithm: use DNSjava constants, BIND 9.6 mnemonics for
+        * DnsKeyAlgorithm: use DNSjava constants, BIND 9.6 mnemonics for
-	NSEC3 key aliases.
+        NSEC3 key aliases.
 2009-02-07  David Blacka  <davidb@verisign.com>
-	* SignZone: add argument for setting the TTL of the NSEC3PARAM
+        * SignZone: add argument for setting the TTL of the NSEC3PARAM
-	record.  This is so we can match current dnssec-signzone
+        record.  This is so we can match current dnssec-signzone
-	(9.6.0-p1) behavior of using a TTL of zero.
+        (9.6.0-p1) behavior of using a TTL of zero.
-	* Update dnsjava to 2.0.6-vrsn-2, commons-cli to 1.1
+        * Update dnsjava to 2.0.6-vrsn-2, commons-cli to 1.1
-	* SignUtils: fix bug where NSEC3 algorithm and flags were transposed.
+        * SignUtils: fix bug where NSEC3 algorithm and flags were transposed.
-	* SignUtils: Make sure to use the SOA minimum value for NSEC TTLs,
+        * SignUtils: Make sure to use the SOA minimum value for NSEC TTLs,
-	instead of the ttl of the "node".
+        instead of the ttl of the "node".
 2009-02-04  David Blacka  <davidb@verisign.com>
-	* update to dnsjava-2.0.1-vrsn-4 (updated typecodes for
+        * update to dnsjava-2.0.1-vrsn-4 (updated typecodes for
-	NSEC3/NSEC3PARAM).
+        NSEC3/NSEC3PARAM).
-	* SignUtils: use JDK-native SHA-256 code instead of broken
+        * SignUtils: use JDK-native SHA-256 code instead of broken
-	contributed implementation.
+        contributed implementation.
-	* DnsKeyAlgorithm: Add RSASHA256 and RSASHA512 algorithm, guessing
+        * DnsKeyAlgorithm: Add RSASHA256 and RSASHA512 algorithm, guessing
-	at the code points.  Note, these require Java 5 or later, or an
+        at the code points.  Note, these require Java 5 or later, or an
-	alternate crypto provider.
+        alternate crypto provider.
-	* ZoneUtils: add a method to find specific RRs in a list of RRs
+        * ZoneUtils: add a method to find specific RRs in a list of RRs
-	or RRsets.
+        or RRsets.
-	* SignZone: make jdnssec-signzone a bit more aggressive in finding
+        * SignZone: make jdnssec-signzone a bit more aggressive in finding
-	keys. Now it will look for keyfiles matching keys at the zone
+        keys. Now it will look for keyfiles matching keys at the zone
-	apex, and, failing that, just look for keyfiles named after the
+        apex, and, failing that, just look for keyfiles named after the
-	zone.  Specifying any keys at all on the command line will
+        zone.  Specifying any keys at all on the command line will
-	override this behavior.
+        override this behavior.
 2009-02-01  David Blacka  <davidb@verisign.com>
-	* DnsKeyAlgorithm: add official aliases from RFC 5155.
+        * DnsKeyAlgorithm: add official aliases from RFC 5155.
-	* JCEDnsSecSigner: refactor zone signing methods to remove
+        * JCEDnsSecSigner: refactor zone signing methods to remove
-	duplicate code.
+        duplicate code.
-	* SignZone: move the signZone() methods to JCEDnsSecSigner
+        * SignZone: move the signZone() methods to JCEDnsSecSigner
-	* BINDKeyUtils: close the private key file after reading it.
+        * BINDKeyUtils: close the private key file after reading it.
-	Patch by Wolfgang Nagele.
+        Patch by Wolfgang Nagele.
 2006-12-15  David Blacka  <davidb@verisignlabs.com>
-	* Release version 0.8.4
+        * Release version 0.8.4
-	* SignZone: updated internals (and dnsjava lib) to match wire
+        * SignZone: updated internals (and dnsjava lib) to match wire
-	format changes introduced by the nsec3-08 draft.
+        format changes introduced by the nsec3-08 draft.
 2006-10-10  David Blacka  <davidb@verisignlabs.com>
-	* Released version 0.8.3
+        * Released version 0.8.3
-	* ZoneFormat: fix RRSIG ordering issue when dealing with multiple
+        * ZoneFormat: fix RRSIG ordering issue when dealing with multiple
-	RRSIGs for a given RRset.
+        RRSIGs for a given RRset.
-	* ZoneFormat: lowercase all names in the zone.
+        * ZoneFormat: lowercase all names in the zone.
-	* Fix packaging errors.
+        * Fix packaging errors.
 2006-09-12  David Blacka  <davidb@verisignlabs.com>
-	* Released version 0.8.0.
+        * Released version 0.8.0.
 2006-09-10  David Blacka  <davidb@fury.blacka.com>
-	* Added the "KeyInfoTool" command line tool as the start of a tool
+        * Added the "KeyInfoTool" command line tool as the start of a tool
-	for decoding DNSKEY information.  Right now, mostly just useful
+        for decoding DNSKEY information.  Right now, mostly just useful
-	for checking the public exponenent of RSA keys.
+        for checking the public exponenent of RSA keys.
-	* Added the "-e" option to jdnssec-keygen, to instruct the key
+        * Added the "-e" option to jdnssec-keygen, to instruct the key
-	generator to use the (common) large exponent in RSA key
+        generator to use the (common) large exponent in RSA key
-	generation.
+        generation.
 2006-08-31  David Blacka  <davidb@fury.blacka.com>
-	* Modified jdnssec-signzone to set the ttls of NSEC3 records (so
+        * Modified jdnssec-signzone to set the ttls of NSEC3 records (so
-	far) to the SOA minimum value.
+        far) to the SOA minimum value.
-	* Add NSEC3PARAM support for compatibility with the -07 NSEC3
+        * Add NSEC3PARAM support for compatibility with the -07 NSEC3
-	draft.
+        draft.
 2006-05-24  David Blacka  <davidb@verisignlabs.com>
-	* Add some error checking for the NSEC3 command line parameters
+        * Add some error checking for the NSEC3 command line parameters
-	for jdnssec-signzone.
+        for jdnssec-signzone.
-	* Update local dnsjava build to 2.0.1.  This also contains a
+        * Update local dnsjava build to 2.0.1.  This also contains a
-	change to the NSEC3 rdata format (as per the -06pre NSEC3 draft).
+        change to the NSEC3 rdata format (as per the -06pre NSEC3 draft).
-	The change is the addition of a "next hashed owner name" length
+        The change is the addition of a "next hashed owner name" length
-	octet.
+        octet.
-	* Modified the jdnssec-* shell wrappers to also use the local
+        * Modified the jdnssec-* shell wrappers to also use the local
-	build area version of the jdnssec-tools.jar file.  This allows the
+        build area version of the jdnssec-tools.jar file.  This allows the
-	standard jdnssec-* wrappers to work right from the build area.
+        standard jdnssec-* wrappers to work right from the build area.
-	* Add support of the SHA256 algorithm for DS records.  This uses
+        * Add support of the SHA256 algorithm for DS records.  This uses
-	the SHA256 class that I obtained from Scott Rose (thanks Scott!).
+        the SHA256 class that I obtained from Scott Rose (thanks Scott!).
-	* Change the name of the package and jar file to jdnssec-tools
+        * Change the name of the package and jar file to jdnssec-tools
-	(from java-dnssec-tools) for consistency.
+        (from java-dnssec-tools) for consistency.
-	* release version 0.7.0.
+        * release version 0.7.0.
 2006-05-23  David Blacka  <davidb@verisignlabs.com>
-	* Add support for algorithm aliases.  This feature is so that the
+        * Add support for algorithm aliases.  This feature is so that the
-	user can declare the DNSKEY algorithm x is the same as algorithm 5
+        user can declare the DNSKEY algorithm x is the same as algorithm 5
-	(e.g.).  So far, this only works with straight integer algorithm
+        (e.g.).  So far, this only works with straight integer algorithm
-	identifiers (no private alg support yet).
+        identifiers (no private alg support yet).
-	* Fix jdnssec-signzone so that you can specify multiple KSKs on
+        * Fix jdnssec-signzone so that you can specify multiple KSKs on
-	the command line.  Apparently, commons-cli actually does handle
+        the command line.  Apparently, commons-cli actually does handle
-	repeating command line options correctly.
+        repeating command line options correctly.
 2006-05-03  David Blacka  <davidb@verisignlabs.com>
-	* Add preliminary implementation of jdnssec-dstool.  This is a
+        * Add preliminary implementation of jdnssec-dstool.  This is a
-	simple command line tool that takes a DNSKEY record and converts
+        simple command line tool that takes a DNSKEY record and converts
-	it into a DS record (or a DLV record).  Right now, it requires
+        it into a DS record (or a DLV record).  Right now, it requires
-	that the key is stored in a file ending with '.key'.
+        that the key is stored in a file ending with '.key'.
-	* release version 0.6.0.
+        * release version 0.6.0.
 2006-03-15  David Blacka  <davidb@verisignlabs.com>
-	* Type map changes for NSEC3, corresponding to changes in draft
+        * Type map changes for NSEC3, corresponding to changes in draft
-	-05pre.  Essentially: NSEC3 and RRSIG bits are not set for most
+        -05pre.  Essentially: NSEC3 and RRSIG bits are not set for most
-	(all) NSEC3 records any longer.
+        (all) NSEC3 records any longer.
 2006-03-06  David Blacka  <davidb@verisignlabs.com>
-	* release version 0.5.0.
+        * release version 0.5.0.
 2006-02-16  David Blacka  <davidb@verisignlabs.com>
-	* Make RecordComparator also compare RDATA so the removeDuplicates
+        * Make RecordComparator also compare RDATA so the removeDuplicates
-	step actually works reliabled.  This was masked by the dupicate
+        step actually works reliabled.  This was masked by the dupicate
-	suppression in org.xbill.DNS.RRset.
+        suppression in org.xbill.DNS.RRset.
-	* Only allow one command line specified KSK since commons-cli
+        * Only allow one command line specified KSK since commons-cli
-	doesn't seem to handle multi-arg options correctly.
+        doesn't seem to handle multi-arg options correctly.
-	* Do not croak on the lack of the command-line keys for now.
+        * Do not croak on the lack of the command-line keys for now.
-	* New version of local dnsjava build containing NSEC3 changes
+        * New version of local dnsjava build containing NSEC3 changes
-	corresponding to the -04pre draft.
+        corresponding to the -04pre draft.
 2005-11-16  David Blacka  <davidb@verisignlabs.com>
-	* Make jdnssec-verifyzone work with just the zone (which is
+        * Make jdnssec-verifyzone work with just the zone (which is
-	self-signed anyway).
+        self-signed anyway).
-	* release version 0.4.2.
+        * release version 0.4.2.
 2005-11-09  David Blacka  <davidb@verisignlabs.com>
-	* Add original ownername comments to the NSEC3 generation.
+        * Add original ownername comments to the NSEC3 generation.
 2005-11-08  David Blacka  <davidb@verisignlabs.com>
-	* New zone formatter.
+        * New zone formatter.
-	* Misc bug fixes.
+        * Misc bug fixes.
-	* release version 0.4.1.
+        * release version 0.4.1.
 2005-11-07  David Blacka  <davidb@verisignlabs.com>
-	* Update the local dnsjava build with a bugfix.
+        * Update the local dnsjava build with a bugfix.
-	* Fix ordering problem with ProtoNSEC3s.
+        * Fix ordering problem with ProtoNSEC3s.
 2005-11-06  David Blacka  <davidb@verisignlabs.com>
-	* Actually use the --iterations command line option of
+        * Actually use the --iterations command line option of
-	jdnssec-signzone.
+        jdnssec-signzone.
 2005-10-27  David Blacka  <davidb@verisignlabs.com>
-	* Add NSEC3 support for jdnssec-signzone.
+        * Add NSEC3 support for jdnssec-signzone.
-	* Remove support for plain Opt-In (until private algorithms work).
+        * Remove support for plain Opt-In (until private algorithms work).
-	* release version 0.4.0.
+        * release version 0.4.0.
 2005-08-14  David Blacka  <davidb@verisignlabs.com>
-	* Move the signZone function into the SignZone class (from the
+        * Move the signZone function into the SignZone class (from the
-	SignUtils) class.
+        SignUtils) class.
-	* General cleanup.
+        * General cleanup.
-	* Add local _jdnssec-* shell wrappers.  These use build/classes in
+        * Add local _jdnssec-* shell wrappers.  These use build/classes in
-	the classpath so can be used to run the tools right out of the
+        the classpath so can be used to run the tools right out of the
-	build area.
+        build area.
 2005-08-13  David Blacka  <davidb@verisignlabs.com>
-	* Update to DNSjava 2.0.0
+        * Update to DNSjava 2.0.0
-	* Refactor command line parsing.
+        * Refactor command line parsing.
-	* Switch to using java.util.logging for logging.
+        * Switch to using java.util.logging for logging.
--- a/build.xml
+++ b/build.xml
@ -14,7 +14,7 @@
  <property file="build.properties" />
  <property file="VERSION" />
-  
+
  <property name="sectools-distname" value="jdnssec-tools-${version}" />
  <property name="build.dir" value="build" />
@ -41,12 +41,10 @@
  </target>
  <target name="sectools" depends="prepare-src" >
-    <javac srcdir="${build.src}" 
+    <javac srcdir="${build.src}"
           destdir="${build.dest}"
           classpathref="project.classpath"
-           source="1.5"
+           deprecation="true"
           target="1.5"
           deprecation="true" 
           includeantruntime="false"
           includes="com/verisignlabs/dnssec/" />
  </target>
@ -57,20 +55,20 @@
         includes="com/verisignlabs/dnssec/" />
  </target>
-  <target name="compile" 
+  <target name="compile"
          depends="usage,sectools-jar">
  </target>
  <target name="javadoc" depends="usage">
    <mkdir dir="${javadoc.dest}"/>
-    <javadoc packagenames="${packages}" 
+    <javadoc packagenames="${packages}"
             classpath="${project.classpath}"
-             sourcepath="${build.src}" 
+             sourcepath="${build.src}"
             destdir="${javadoc.dest}"
-             verbose="true" author="true" 
+             verbose="true" author="true"
-             windowtitle="jdnssec-tools-${version}" 
+             windowtitle="jdnssec-tools-${version}"
             use="true">
-      <link href="http://java.sun.com/j2se/1.4.2/docs/api/" />
+      <link href="https://docs.oracle.com/javase/8/docs/api/" />
      <link href="http://www.xbill.org/dnsjava/doc/" />
    </javadoc>
  </target>
@ -148,7 +146,7 @@
    </tar>
  </target>
-  <target name="sectools-dist" 
+  <target name="sectools-dist"
         depends="sectools-bin-dist,sectools-src-dist, sectools-dist-clean">
  </target>
@ -172,4 +170,3 @@
  </target>
 </project>
--- a/src/com/verisignlabs/dnssec/cl/KeyGen.java
+++ b/src/com/verisignlabs/dnssec/cl/KeyGen.java
@ -74,17 +74,18 @@ public class KeyGen extends CLBase
      OptionBuilder.withDescription("ZONE | OTHER (default ZONE)");
      opts.addOption(OptionBuilder.create('n'));
      String[] algStrings = DnsKeyAlgorithm.getInstance().supportedAlgMnemonics();
      OptionBuilder.hasArg();
      OptionBuilder.withArgName("algorithm");
-      OptionBuilder.withDescription("RSA | RSASHA1 | RSAMD5 | DH | DSA "
+      OptionBuilder.withDescription(String.join(" | ", algStrings) +
-          + "| RSA-NSEC3-SHA1 | DSA-NSEC3-SHA1 "
+                                    " | alias, RSASHA256 is default.");
          + "| RSASHA256 | RSASHA512 | alias, RSASHA1 is default.");
      opts.addOption(OptionBuilder.create('a'));
      OptionBuilder.hasArg();
      OptionBuilder.withArgName("size");
-      OptionBuilder.withDescription("key size, in bits. (default = 1024)\n"
+      OptionBuilder.withDescription("key size, in bits. default is 1024. "
-          + "RSA: [512..4096]\n" + "DSA: [512..1024]\n" + "DH:  [128..4096]");
+          + "RSA: [512..4096], DSA: [512..1024], DH:  [128..4096], "
          + "ECDSA: ignored");
      opts.addOption(OptionBuilder.create('b'));
      OptionBuilder.hasArg();
@ -98,7 +99,6 @@ public class KeyGen extends CLBase
      OptionBuilder.withArgName("dir");
      OptionBuilder.withDescription("place generated key files in this " + "directory");
      opts.addOption(OptionBuilder.create('d'));
      opts.addOption(OptionBuilder.create('A'));
    }
    protected void processOptions(CommandLine cli)
@ -106,7 +106,7 @@ public class KeyGen extends CLBase
    {
      String optstr = null;
      String[] optstrs = null;
-      
+
      if (cli.hasOption('k')) kskFlag = true;
      if (cli.hasOption('e')) useLargeE = true;
@ -136,6 +136,11 @@ public class KeyGen extends CLBase
      if ((optstr = cli.getOptionValue('a')) != null)
      {
        algorithm = parseAlg(optstr);
        if (algorithm < 0)
        {
          System.err.println("DNSSEC algorithm " + optstr + " is not supported");
          usage();
        }
      }
      if ((optstr = cli.getOptionValue('b')) != null)
@ -166,7 +171,11 @@ public class KeyGen extends CLBase
    DnsKeyAlgorithm algs = DnsKeyAlgorithm.getInstance();
    int alg = parseInt(s, -1);
-    if (alg > 0) return alg;
+    if (alg > 0)
    {
      if (algs.supportedAlgorithm(alg)) return alg;
      return -1;
    }
    return algs.stringToAlgorithm(s);
  }
@ -211,7 +220,7 @@ public class KeyGen extends CLBase
  {
    KeyGen tool = new KeyGen();
    tool.state = new CLIState();
-    
+
    tool.run(tool.state, args);
  }
 }
--- a/src/com/verisignlabs/dnssec/cl/SignZone.java
+++ b/src/com/verisignlabs/dnssec/cl/SignZone.java
@ -546,6 +546,7 @@ public class SignZone extends CLBase
      }
    }
    br.close();
    if (res.size() == 0) return null;
    return res;
  }
--- a/src/com/verisignlabs/dnssec/security/DnsKeyAlgorithm.java
+++ b/src/com/verisignlabs/dnssec/security/DnsKeyAlgorithm.java
@ -29,13 +29,12 @@
 package com.verisignlabs.dnssec.security;
-import java.security.InvalidAlgorithmParameterException;
+import java.math.BigInteger;
-import java.security.KeyPair;
+import java.security.*;
-import java.security.KeyPairGenerator;
+import java.security.spec.*;
-import java.security.NoSuchAlgorithmException;
+import java.util.Arrays;
 import java.security.Signature;
 import java.security.spec.RSAKeyGenParameterSpec;
 import java.util.HashMap;
 import java.util.Set;
 import java.util.logging.Logger;
 import org.xbill.DNS.DNSSEC;
@ -56,20 +55,38 @@ import org.xbill.DNS.DNSSEC;
 public class DnsKeyAlgorithm
 {
-  public static final int UNKNOWN = -1;
+  // Our base algorithm numbers. This is a normalization of the DNSSEC
-  public static final int RSA     = 1;
+  // algorithms (which are really signature algorithms). Thus RSASHA1,
-  public static final int DH      = 2;
+  // RSASHA256, etc. all boil down to 'RSA' here.
-  public static final int DSA     = 3;
+  public static final int UNKNOWN    = -1;
  public static final int RSA        = 1;
  public static final int DH         = 2;
  public static final int DSA        = 3;
  public static final int ECC_GOST   = 4;
  public static final int ECDSA      = 5;
-  private static class Entry
+  private static class AlgEntry
  {
    public int    dnssecAlgorithm;
    public String sigName;
    public int    baseType;
-    public Entry(String sigName, int baseType)
+    public AlgEntry(int algorithm, String sigName, int baseType)
    {
-      this.sigName = sigName;
+      this.dnssecAlgorithm = algorithm;
-      this.baseType = baseType;
+      this.sigName         = sigName;
      this.baseType        = baseType;
    }
  }
  private static class ECAlgEntry extends AlgEntry
  {
    public ECParameterSpec ec_spec;
    public ECAlgEntry(int algorithm, String sigName, int baseType, ECParameterSpec spec)
    {
      super(algorithm, sigName, baseType);
      this.ec_spec = spec;
    }
  }
@ -77,7 +94,7 @@ public class DnsKeyAlgorithm
   * This is a mapping of algorithm identifier to Entry. The Entry contains the
   * data needed to map the algorithm to the various crypto implementations.
   */
-  private HashMap<Integer, Entry>  mAlgorithmMap;
+  private HashMap<Integer, AlgEntry>  mAlgorithmMap;
  /**
   * This is a mapping of algorithm mnemonics to algorithm identifiers.
   */
@ -90,31 +107,51 @@ public class DnsKeyAlgorithm
  /** This is a cached key pair generator for RSA keys. */
  private KeyPairGenerator         mRSAKeyGenerator;
-  /** This is a cache key pair generator for DSA keys. */
+  /** This is a cached key pair generator for DSA keys. */
  private KeyPairGenerator         mDSAKeyGenerator;
  /** This is a cached key pair generator for ECC GOST keys. */
  private KeyPairGenerator         mECGOSTKeyGenerator;
  /** This is a cached key pair generator for ECDSA_P256 keys. */
  private KeyPairGenerator         mECKeyGenerator;
-  private Logger                   log       = Logger.getLogger(this.getClass().toString());
+  private Logger                   log = Logger.getLogger(this.getClass().toString());
  /** This is the global instance for this class. */
  private static DnsKeyAlgorithm   mInstance = null;
  public DnsKeyAlgorithm()
  {
-    mAlgorithmMap = new HashMap<Integer, Entry>();
+    // Attempt to add the bouncycastle provider.
    // This is so we can use this provider if it is available, but not require
    // the user to add it as one of the java.security providers.
    try
    {
      Class<?> bc_provider_class = Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider");
      Provider bc_provider = (Provider) bc_provider_class.newInstance();
      Security.addProvider(bc_provider);
    }
    catch (ReflectiveOperationException e) { }
    initialize();
  }
  private void initialize()
  {
    mAlgorithmMap    = new HashMap<Integer, AlgEntry>();
    mMnemonicToIdMap = new HashMap<String, Integer>();
    mIdToMnemonicMap = new HashMap<Integer, String>();
    // Load the standard DNSSEC algorithms.
-    addAlgorithm(DNSSEC.Algorithm.RSAMD5, new Entry("MD5withRSA", RSA));
+    addAlgorithm(DNSSEC.Algorithm.RSAMD5, "MD5withRSA", RSA);
    addMnemonic("RSAMD5", DNSSEC.Algorithm.RSAMD5);
-    addAlgorithm(DNSSEC.Algorithm.DH, new Entry("", DH));
+    addAlgorithm(DNSSEC.Algorithm.DH, "", DH);
    addMnemonic("DH", DNSSEC.Algorithm.DH);
-    addAlgorithm(DNSSEC.Algorithm.DSA, new Entry("SHA1withDSA", DSA));
+    addAlgorithm(DNSSEC.Algorithm.DSA, "SHA1withDSA", DSA);
    addMnemonic("DSA", DNSSEC.Algorithm.DSA);
-    addAlgorithm(DNSSEC.Algorithm.RSASHA1, new Entry("SHA1withRSA", RSA));
+    addAlgorithm(DNSSEC.Algorithm.RSASHA1, "SHA1withRSA", RSA);
    addMnemonic("RSASHA1", DNSSEC.Algorithm.RSASHA1);
    addMnemonic("RSA", DNSSEC.Algorithm.RSASHA1);
@ -126,22 +163,56 @@ public class DnsKeyAlgorithm
    addMnemonic("NSEC3RSASHA1", DNSSEC.Algorithm.RSA_NSEC3_SHA1);
    // Algorithms added by RFC 5702.
-    // NOTE: these algorithms aren't available in Java 1.4's sunprovider
+    addAlgorithm(DNSSEC.Algorithm.RSASHA256, "SHA256withRSA", RSA);
-    // implementation (but are in java 1.5's and later).
+    addMnemonic("RSASHA256", DNSSEC.Algorithm.RSASHA256);
    addAlgorithm(8, new Entry("SHA256withRSA", RSA));
    addMnemonic("RSASHA256", 8);
-    addAlgorithm(10, new Entry("SHA512withRSA", RSA));
+    addAlgorithm(DNSSEC.Algorithm.RSASHA512, "SHA512withRSA", RSA);
-    addMnemonic("RSASHA512", 10);
+    addMnemonic("RSASHA512", DNSSEC.Algorithm.RSASHA512);
    // ECC-GOST is not supported by Java 1.8's Sun crypto provider. The
    // bouncycastle.org provider, however, does.
    // GostR3410-2001-CryptoPro-A is the named curve in the BC provider, but we
    // will get the parameters directly.
    addAlgorithm(DNSSEC.Algorithm.ECC_GOST, "GOST3411withECGOST3410", ECC_GOST, null);
    addMnemonic("ECCGOST", DNSSEC.Algorithm.ECC_GOST);
    addMnemonic("ECC-GOST", DNSSEC.Algorithm.ECC_GOST);
    addAlgorithm(DNSSEC.Algorithm.ECDSAP256SHA256, "SHA256withECDSA", ECDSA, "secp256r1");
    addMnemonic("ECDSAP256SHA256", DNSSEC.Algorithm.ECDSAP256SHA256);
    addMnemonic("ECDSA-P256", DNSSEC.Algorithm.ECDSAP256SHA256);
    addAlgorithm(DNSSEC.Algorithm.ECDSAP384SHA384, "SHA384withECDSA", ECDSA, "secp384r1");
    addMnemonic("ECDSAP384SHA384", DNSSEC.Algorithm.ECDSAP384SHA384);
    addMnemonic("ECDSA-P384", DNSSEC.Algorithm.ECDSAP384SHA384);
  }
-  private void addAlgorithm(int algorithm, Entry entry)
+  private void addAlgorithm(int algorithm, String sigName, int baseType)
  {
    mAlgorithmMap.put(algorithm, new AlgEntry(algorithm, sigName, baseType));
  }
  private void addAlgorithm(int algorithm, String sigName, int baseType, String curveName)
  {
    ECParameterSpec ec_spec = ECSpecFromAlgorithm(algorithm);
    if (ec_spec == null) ec_spec = ECSpecFromName(curveName);
    if (ec_spec == null) return;
    // Check to see if we can get a Signature object for this algorithm.
    try {
      Signature.getInstance(sigName);
    } catch (NoSuchAlgorithmException e) {
      // If not, do not add the algorithm.
      return;
    }
    ECAlgEntry entry = new ECAlgEntry(algorithm, sigName, baseType, ec_spec);
    mAlgorithmMap.put(algorithm, entry);
  }
  private void addMnemonic(String m, int alg)
  {
    // Do not add mnemonics for algorithms that ended up not actually being supported.
    if (!mAlgorithmMap.containsKey(alg)) return;
    mMnemonicToIdMap.put(m.toUpperCase(), alg);
    if (!mIdToMnemonicMap.containsKey(alg))
    {
@ -172,14 +243,77 @@ public class DnsKeyAlgorithm
    }
  }
-  private Entry getEntry(int alg)
+  private AlgEntry getEntry(int alg)
  {
    return mAlgorithmMap.get(alg);
  }
  // For curves where we don't (or can't) get the parameters from a standard
  // name, we can construct the parameters here. For now, we only do this for
  // the ECC-GOST curve.
  private ECParameterSpec ECSpecFromAlgorithm(int algorithm)
  {
    switch (algorithm)
    {
      case DNSSEC.Algorithm.ECC_GOST:
      {
        // From RFC 4357 Section 11.4
        BigInteger p  = new BigInteger("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD97", 16);
        BigInteger a  = new BigInteger("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD94", 16);
        BigInteger b  = new BigInteger("A6", 16);
        BigInteger gx = new BigInteger("1", 16);
        BigInteger gy = new BigInteger("8D91E471E0989CDA27DF505A453F2B7635294F2DDF23E3B122ACC99C9E9F1E14", 16);
        BigInteger n  = new BigInteger( "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6C611070995AD10045841B09B761B893", 16);
        EllipticCurve curve = new EllipticCurve(new ECFieldFp(p), a, b);
        return new ECParameterSpec(curve, new ECPoint(gx, gy), n, 1);
      }
      default:
        return null;
    }
  }
  // Fetch the curve parameters from a named curve.
  private ECParameterSpec ECSpecFromName(String stdName)
  {
    try
    {
      AlgorithmParameters ap = AlgorithmParameters.getInstance("EC");
      ECGenParameterSpec ecg_spec = new ECGenParameterSpec(stdName);
      ap.init(ecg_spec);
      return ap.getParameterSpec(ECParameterSpec.class);
    }
    catch (NoSuchAlgorithmException e) {
      log.info("Elliptic Curve not supported by any crypto provider: " + e.getMessage());
    }
    catch (InvalidParameterSpecException e) {
      log.info("Elliptic Curve " + stdName + " not supported");
    }
    return null;
  }
  public String[] supportedAlgMnemonics()
  {
    Set<Integer> keyset = mAlgorithmMap.keySet();
    Integer[] algs = keyset.toArray(new Integer[keyset.size()]);
    Arrays.sort(algs);
    String[] result = new String[algs.length];
    for (int i = 0; i < algs.length; i++)
    {
      result[i] = mIdToMnemonicMap.get(algs[i]);
    }
    return result;
  }
  /**
   * Return a Signature object for the specified DNSSEC algorithm.
   * @param algorithm The DNSSEC algorithm (by number).
   * @return a Signature object.
   */
  public Signature getSignature(int algorithm)
  {
-    Entry entry = getEntry(algorithm);
+    AlgEntry entry = getEntry(algorithm);
    if (entry == null) return null;
    Signature s = null;
@ -197,6 +331,62 @@ public class DnsKeyAlgorithm
    return s;
  }
  /**
   * Given one of the ECDSA algorithms (ECDSAP256SHA256, etc.) return
   * the elliptic curve parameters.
   *
   * @param algorithm
   *          The DNSSEC algorithm number.
   * @return The calculated JCA ECParameterSpec for that DNSSEC algorithm, or
   *         null if not a recognized/supported EC algorithm.
   */
  public ECParameterSpec getEllipticCurveParams(int algorithm)
  {
    AlgEntry entry = getEntry(algorithm);
    if (entry == null) return null;
    if (!(entry instanceof ECAlgEntry)) return null;
    ECAlgEntry ec_entry = (ECAlgEntry) entry;
    return ec_entry.ec_spec;
  }
  /**
   * Translate a possible algorithm alias back to the original DNSSEC algorithm
   * number
   * 
   * @param algorithm
   *          a DNSSEC algorithm that may be an alias.
   * @return -1 if the algorithm isn't recognised, the orignal algorithm number
   *         if it is.
   */
  public int originalAlgorithm(int algorithm)
  {
    AlgEntry entry = getEntry(algorithm);
    if (entry == null) return -1;
    return entry.dnssecAlgorithm;
  }
  /**
   * Test if a given algorithm is supported.
   * 
   * @param algorithm The DNSSEC algorithm number.
   * @return true if the algorithm is a recognized and supported algorithm or alias.
   */
  public boolean supportedAlgorithm(int algorithm)
  {
    if (mAlgorithmMap.containsKey(algorithm)) return true;
    return false;
  }
  /**
   * Given an algorithm mnemonic, convert the mnemonic to a DNSSEC algorithm
   * number.
   * 
   * @param s
   *          The mnemonic string. This is case-insensitive.
   * @return -1 if the mnemonic isn't recognized or supported, the algorithm
   *         number if it is.
   */
  public int stringToAlgorithm(String s)
  {
    Integer alg = mMnemonicToIdMap.get(s.toUpperCase());
@ -204,6 +394,14 @@ public class DnsKeyAlgorithm
    return -1;
  }
  /**
   * Given a DNSSEC algorithm number, return the "preferred" mnemonic.
   * 
   * @param algorithm
   *          A DNSSEC algorithm number.
   * @return The preferred mnemonic string, or null if not supported or
   *         recognized.
   */
  public String algToString(int algorithm)
  {
    return mIdToMnemonicMap.get(algorithm);
@ -211,26 +409,11 @@ public class DnsKeyAlgorithm
  public int baseType(int algorithm)
  {
-    Entry entry = getEntry(algorithm);
+    AlgEntry entry = getEntry(algorithm);
    if (entry != null) return entry.baseType;
    return UNKNOWN;
  }
  public int standardAlgorithm(int algorithm)
  {
    switch (baseType(algorithm))
    {
      case RSA:
        return DNSSEC.Algorithm.RSASHA1;
      case DSA:
        return DNSSEC.Algorithm.DSA;
      case DH:
        return DNSSEC.Algorithm.DH;
      default:
        return UNKNOWN;
    }
  }
  public boolean isDSA(int algorithm)
  {
    return (baseType(algorithm) == DSA);
@ -243,6 +426,7 @@ public class DnsKeyAlgorithm
    switch (baseType(algorithm))
    {
      case RSA:
      {
        if (mRSAKeyGenerator == null)
        {
          mRSAKeyGenerator = KeyPairGenerator.getInstance("RSA");
@ -270,7 +454,9 @@ public class DnsKeyAlgorithm
        pair = mRSAKeyGenerator.generateKeyPair();
        break;
      }
      case DSA:
      {
        if (mDSAKeyGenerator == null)
        {
          mDSAKeyGenerator = KeyPairGenerator.getInstance("DSA");
@ -278,6 +464,49 @@ public class DnsKeyAlgorithm
        mDSAKeyGenerator.initialize(keysize);
        pair = mDSAKeyGenerator.generateKeyPair();
        break;
      }
      case ECC_GOST:
      {
        if (mECGOSTKeyGenerator == null)
        {
          mECGOSTKeyGenerator = KeyPairGenerator.getInstance("ECGOST3410");
        }
        ECParameterSpec ec_spec = getEllipticCurveParams(algorithm);
        try
        {
          mECGOSTKeyGenerator.initialize(ec_spec);
        }
        catch (InvalidAlgorithmParameterException e)
        {
          // Fold the InvalidAlgorithmParameterException into our existing
          // thrown exception. Ugly, but requires less code change.
          throw new NoSuchAlgorithmException("invalid key parameter spec");
        }
        pair = mECGOSTKeyGenerator.generateKeyPair();
        break;
      }
      case ECDSA:
      {
        if (mECKeyGenerator == null)
        {
          mECKeyGenerator = KeyPairGenerator.getInstance("EC");
        }
        ECParameterSpec ec_spec = getEllipticCurveParams(algorithm);
        try
        {
          mECKeyGenerator.initialize(ec_spec);
        }
        catch (InvalidAlgorithmParameterException e)
        {
          // Fold the InvalidAlgorithmParameterException into our existing
          // thrown exception. Ugly, but requires less code change.
          throw new NoSuchAlgorithmException("invalid key parameter spec");
        }
        pair = mECKeyGenerator.generateKeyPair();
        break;
      }
      default:
        throw new NoSuchAlgorithmException("Alg " + algorithm);
    }
--- a/src/com/verisignlabs/dnssec/security/DnsKeyConverter.java
+++ b/src/com/verisignlabs/dnssec/security/DnsKeyConverter.java
@ -27,15 +27,8 @@ import java.security.KeyFactory;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.PublicKey;
-import java.security.interfaces.DSAParams;
+import java.security.interfaces.*;
-import java.security.interfaces.DSAPrivateKey;
+import java.security.spec.*;
 import java.security.interfaces.DSAPublicKey;
 import java.security.interfaces.RSAPrivateCrtKey;
 import java.security.spec.DSAPrivateKeySpec;
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.KeySpec;
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.security.spec.RSAPrivateCrtKeySpec;
 import java.util.StringTokenizer;
 import javax.crypto.interfaces.DHPrivateKey;
@ -44,6 +37,7 @@ import javax.crypto.spec.DHParameterSpec;
 import javax.crypto.spec.DHPrivateKeySpec;
 import org.xbill.DNS.DNSKEYRecord;
 import org.xbill.DNS.DNSSEC;
 import org.xbill.DNS.DNSSEC.DNSSECException;
 import org.xbill.DNS.Name;
 import org.xbill.DNS.utils.base64;
@ -61,9 +55,12 @@ public class DnsKeyConverter
  private KeyFactory mRSAKeyFactory;
  private KeyFactory mDSAKeyFactory;
  private KeyFactory mDHKeyFactory;
  private KeyFactory mECKeyFactory;
  private DnsKeyAlgorithm mAlgorithms;
-  public DnsKeyConverter()
+  public DnsKeyConverter() 
  {
    mAlgorithms = DnsKeyAlgorithm.getInstance();
  }
  /**
@ -76,23 +73,19 @@ public class DnsKeyConverter
  {
    if (pKeyRecord.getKey() == null) return null;
-    // For now, instead of re-implementing parseRecord (or adding this stuff
+    // Because we have arbitrarily aliased algorithms, we need to possibly
-    // to DNSjava), we will just translate the algorithm back to a standard
+    // translate the aliased algorithm back to the actual algorithm.
    // algorithm. Note that this will unnecessarily convert RSAMD5 to RSASHA1.
-    DnsKeyAlgorithm algs = DnsKeyAlgorithm.getInstance();
+    int originalAlgorithm = mAlgorithms.originalAlgorithm(pKeyRecord.getAlgorithm());
    int standard_alg = algs.standardAlgorithm(pKeyRecord.getAlgorithm());
-    if (standard_alg <= 0)
+    if (originalAlgorithm <= 0) throw new NoSuchAlgorithmException("DNSKEY algorithm "
-      throw new NoSuchAlgorithmException("DNSKEY algorithm "
+        + pKeyRecord.getAlgorithm() + " is unrecognized");
          + pKeyRecord.getAlgorithm() + " is unrecognized");
-    if (pKeyRecord.getAlgorithm() != standard_alg)
+    if (pKeyRecord.getAlgorithm() != originalAlgorithm)
    {
-      pKeyRecord = new DNSKEYRecord(pKeyRecord.getName(),
+      pKeyRecord = new DNSKEYRecord(pKeyRecord.getName(), pKeyRecord.getDClass(),
                                    pKeyRecord.getDClass(),
                                    pKeyRecord.getTTL(), pKeyRecord.getFlags(),
-                                    pKeyRecord.getProtocol(), standard_alg,
+                                    pKeyRecord.getProtocol(), originalAlgorithm,
                                    pKeyRecord.getKey());
    }
@ -132,11 +125,9 @@ public class DnsKeyConverter
  public PrivateKey convertEncodedPrivateKey(byte[] key, int algorithm)
  {
    PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(key);
    DnsKeyAlgorithm algs = DnsKeyAlgorithm.getInstance();
    try
    {
-      switch (algs.baseType(algorithm))
+      switch (mAlgorithms.baseType(algorithm))
      {
        case DnsKeyAlgorithm.RSA:
          return mRSAKeyFactory.generatePrivate(spec);
@ -146,12 +137,17 @@ public class DnsKeyConverter
    }
    catch (GeneralSecurityException e)
    {
      e.printStackTrace();
    }
    return null;
  }
-  private int parseInt(String s, int def)
+  /**
   * A simple wrapper for parsing integers; parse failures result in the
   * supplied default.
   */
  private static int parseInt(String s, int def)
  {
    try
    {
@ -195,9 +191,8 @@ public class DnsKeyConverter
        String[] toks = val.split("\\s", 2);
        val = toks[0];
        int alg = parseInt(val, -1);
        DnsKeyAlgorithm algs = DnsKeyAlgorithm.getInstance();
-        switch (algs.baseType(alg))
+        switch (mAlgorithms.baseType(alg))
        {
          case DnsKeyAlgorithm.RSA:
            return parsePrivateRSA(lines);
@ -205,6 +200,10 @@ public class DnsKeyConverter
            return parsePrivateDSA(lines);
          case DnsKeyAlgorithm.DH:
            return parsePrivateDH(lines);
          case DnsKeyAlgorithm.ECC_GOST:
            return parsePrivateECDSA(lines, alg);
          case DnsKeyAlgorithm.ECDSA:
            return parsePrivateECDSA(lines, alg);
          default:
            throw new IOException("unsupported private key algorithm: " + val);
        }
@ -216,7 +215,7 @@ public class DnsKeyConverter
  /**
   * @return the value part of an "attribute:value" pair. The value is trimmed.
   */
-  private String value(String av)
+  private static String value(String av)
  {
    if (av == null) return null;
@ -434,6 +433,60 @@ public class DnsKeyConverter
    }
  }
  /**
   * Given the remaining lines in a BIND9-style ECDSA private key, parse the key
   * info and translate it into a JCA private key object.
   * @param lines The remaining lines in a private key file (after
   * @throws NoSuchAlgorithmException
   *           If elliptic curve is not available.
   */
  private PrivateKey parsePrivateECDSA(StringTokenizer lines, int algorithm)
      throws NoSuchAlgorithmException
  {
    BigInteger s = null;
    while (lines.hasMoreTokens())
    {
      String line = lines.nextToken();
      if (line == null) continue;
      if (line.startsWith("#")) continue;
      String val = value(line);
      if (val == null) continue;
      byte[] data = base64.fromString(val);
      if (line.startsWith("PrivateKey: "))
      {
        s = new BigInteger(1, data);
      }
    }
    if (mECKeyFactory == null)
    {
      mECKeyFactory = KeyFactory.getInstance("EC");
    }
    ECParameterSpec ec_spec = mAlgorithms.getEllipticCurveParams(algorithm);
    if (ec_spec == null)
    {
      throw new NoSuchAlgorithmException("DNSSEC algorithm " + algorithm +
                                         " is not a recognized Elliptic Curve algorithm");
    }
    KeySpec spec = new ECPrivateKeySpec(s, ec_spec);
    try
    {
      return mECKeyFactory.generatePrivate(spec);
    }
    catch (InvalidKeySpecException e)
    {
      e.printStackTrace();
      return null;
    }
  }
  /**
   * Given a private key and public key, generate the BIND9 style private key
   * format.
@ -452,14 +505,17 @@ public class DnsKeyConverter
    {
      return generatePrivateDH((DHPrivateKey) priv, (DHPublicKey) pub, alg);
    }
-
+    else if (priv instanceof ECPrivateKey && pub instanceof ECPublicKey)
    {
      return generatePrivateEC((ECPrivateKey) priv, (ECPublicKey) pub, alg);
    }
    return null;
  }
  /**
   * Convert from 'unsigned' big integer to original 'signed format' in Base64
   */
-  private String b64BigInt(BigInteger i)
+  private static String b64BigInt(BigInteger i)
  {
    byte[] orig_bytes = i.toByteArray();
@ -482,10 +538,9 @@ public class DnsKeyConverter
  {
    StringWriter sw = new StringWriter();
    PrintWriter out = new PrintWriter(sw);
    DnsKeyAlgorithm algs = DnsKeyAlgorithm.getInstance();
    out.println("Private-key-format: v1.2");
-    out.println("Algorithm: " + algorithm + " (" + algs.algToString(algorithm)
+    out.println("Algorithm: " + algorithm + " (" + mAlgorithms.algToString(algorithm)
        + ")");
    out.print("Modulus: ");
    out.println(b64BigInt(key.getModulus()));
@ -513,12 +568,11 @@ public class DnsKeyConverter
  {
    StringWriter sw = new StringWriter();
    PrintWriter out = new PrintWriter(sw);
    DnsKeyAlgorithm algs = DnsKeyAlgorithm.getInstance();
    DHParameterSpec p = key.getParams();
    out.println("Private-key-format: v1.2");
-    out.println("Algorithm: " + algorithm + " (" + algs.algToString(algorithm)
+    out.println("Algorithm: " + algorithm + " (" + mAlgorithms.algToString(algorithm)
        + ")");
    out.print("Prime(p): ");
    out.println(b64BigInt(p.getP()));
@ -538,12 +592,11 @@ public class DnsKeyConverter
  {
    StringWriter sw = new StringWriter();
    PrintWriter out = new PrintWriter(sw);
    DnsKeyAlgorithm algs = DnsKeyAlgorithm.getInstance();
    DSAParams p = key.getParams();
    out.println("Private-key-format: v1.2");
-    out.println("Algorithm: " + algorithm + " (" + algs.algToString(algorithm)
+    out.println("Algorithm: " + algorithm + " (" + mAlgorithms.algToString(algorithm)
        + ")");
    out.print("Prime(p): ");
    out.println(b64BigInt(p.getP()));
@ -558,4 +611,23 @@ public class DnsKeyConverter
    return sw.toString();
  }
  /**
   * Given an elliptic curve key pair, and the actual algorithm (which will
   * describe the curve used), return the BIND9-style text encoding.
   */
  private String generatePrivateEC(ECPrivateKey priv, ECPublicKey pub, int alg)
  {
    StringWriter sw = new StringWriter();
    PrintWriter out = new PrintWriter(sw);
    out.println("Private-key-format: v1.2");
    out.println("Algorithm: " + alg + " (" + mAlgorithms.algToString(alg)
        + ")");
    out.print("PrivateKey: ");
    out.println(b64BigInt(priv.getS()));
    return sw.toString();
  }
 }
--- a/src/com/verisignlabs/dnssec/security/DnsSecVerifier.java
+++ b/src/com/verisignlabs/dnssec/security/DnsSecVerifier.java
@ -256,6 +256,12 @@ public class DnsSecVerifier
        sig = SignUtils.convertDSASignature(sig);
      }
      if (sigrec.getAlgorithm() == DNSSEC.Algorithm.ECDSAP256SHA256 || 
          sigrec.getAlgorithm() == DNSSEC.Algorithm.ECDSAP384SHA384) 
      {
        sig = SignUtils.convertECDSASignature(sig);
      }
      if (!signer.verify(sig))
      {
        if (reasons != null) reasons.add("Signature failed to verify cryptographically");
@ -283,7 +289,6 @@ public class DnsSecVerifier
   * 
   * @return true if the set verified, false if it did not.
   */
  @SuppressWarnings("unchecked")
  public boolean verify(RRset rrset)
  {
    boolean result = mVerifyAllSigs ? true : false;
--- a/src/com/verisignlabs/dnssec/security/JCEDnsSecSigner.java
+++ b/src/com/verisignlabs/dnssec/security/JCEDnsSecSigner.java
@ -33,12 +33,7 @@ import java.util.List;
 import java.util.ListIterator;
 import java.util.logging.Logger;
-import org.xbill.DNS.DNSKEYRecord;
+import org.xbill.DNS.*;
 import org.xbill.DNS.Name;
 import org.xbill.DNS.RRSIGRecord;
 import org.xbill.DNS.RRset;
 import org.xbill.DNS.Record;
 import org.xbill.DNS.Type;
 import org.xbill.DNS.utils.hexdump;
 /**
@ -58,7 +53,7 @@ public class JCEDnsSecSigner
  private DnsKeyConverter mKeyConverter;
  private boolean         mVerboseSigning = false;
-  private Logger          log;
+  private Logger          log = Logger.getLogger(this.getClass().toString());
  public JCEDnsSecSigner()
  {
@ -197,6 +192,12 @@ public class JCEDnsSecSigner
        DSAPublicKey pk = (DSAPublicKey) pair.getPublic();
        sig = SignUtils.convertDSASignature(pk.getParams(), sig);
      }
      // Convert to RFC 6605, etc format
      if (pair.getDNSKEYAlgorithm() == DNSSEC.Algorithm.ECDSAP256SHA256 ||
          pair.getDNSKEYAlgorithm() == DNSSEC.Algorithm.ECDSAP384SHA384)
      {
        sig = SignUtils.convertECDSASignature(pair.getDNSKEYAlgorithm(), sig);
      }
      RRSIGRecord sigrec = SignUtils.generateRRSIG(sig, presig);
      if (mVerboseSigning)
      {
--- a/src/com/verisignlabs/dnssec/security/SignUtils.java
+++ b/src/com/verisignlabs/dnssec/security/SignUtils.java
@ -429,6 +429,126 @@ public class SignUtils
    return sig;
  }
  // Given one of the ECDSA algorithms determine the "length", which is the
  // length, in bytes, of both 'r' and 's' in the ECDSA signature.
  private static int ecdsaLength(int algorithm) throws SignatureException
  {
    switch (algorithm)
    {
      case DNSSEC.Algorithm.ECDSAP256SHA256: return 32;
      case DNSSEC.Algorithm.ECDSAP384SHA384: return 48;
      default:
        throw new SignatureException("Algorithm " + algorithm + 
                                     " is not a supported ECDSA signature algorithm.");
    }
  }
  /**
   * Convert a JCE standard ECDSA signature (which is a ASN.1 encoding) into a
   * standard DNS signature.
   * 
   * The format of the ASN.1 signature is
   * 
   * ASN1_SEQ . seq_length . ASN1_INT . r_length . R . ANS1_INT . s_length . S
   * 
   * where R and S may have a leading zero byte if without it the values would
   * be negative.
   *
   * The format of the DNSSEC signature is just R . S where R and S are both
   * exactly "length" bytes.
   * 
   * @param signature
   *          The output of a ECDSA signature object.
   * @return signature data formatted for use in DNSSEC.
   * @throws SignatureException if the ASN.1 encoding appears to be corrupt.
   */
  public static byte[] convertECDSASignature(int algorithm, byte[] signature) 
      throws SignatureException
  {
    int exp_length = ecdsaLength(algorithm);
    byte[] sig = new byte[exp_length * 2];
    if (signature[0] != ASN1_SEQ || signature[2] != ASN1_INT)
    {
      throw new SignatureException("Invalid ASN.1 signature format: expected SEQ, INT");
    }
    int r_len = signature[3];
    int r_pos = 4;
    if (signature[r_pos + r_len] != ASN1_INT)
    {
      throw new SignatureException("Invalid ASN.1 signature format: expected SEQ, INT, INT");
    }
    int s_pos = r_pos + r_len + 2;
    int s_len = signature[r_pos + r_len + 1];
    // Adjust for leading zeros on both R and S
    if (signature[r_pos] == 0) {
      r_pos++;
    }
    if (signature[s_pos] == 0) {
      s_pos++;
    }
    System.arraycopy(signature, r_pos, sig, 0, exp_length);
    System.arraycopy(signature, s_pos, sig, exp_length, exp_length);
    return sig;
  }
  /**
   * Convert a DNS standard ECDSA signature (defined in RFC 6605) into a
   * JCE standard ECDSA signature, which is encoded in ASN.1.
   * 
   * The format of the ASN.1 signature is
   * 
   * ASN1_SEQ . seq_length . ASN1_INT . r_length . R . ANS1_INT . s_length . S
   * 
   * where R and S may have a leading zero byte if without it the values would
   * be negative.
   *
   * The format of the DNSSEC signature is just R . S where R and S are both
   * exactly "length" bytes.
   * 
   * @param signature
   *          The binary signature data from an RRSIG record.
   * @return signature data that may be used in a JCE Signature object for
   *         verification purposes.
   */
  public static byte[] convertECDSASignature(byte[] signature)
  {
    byte r_src_pos, r_src_len, r_pad, s_src_pos, s_src_len, s_pad, len;
    r_src_len = s_src_len = (byte) (signature.length / 2);
    r_src_pos = 0; r_pad = 0;
    s_src_pos = (byte) (r_src_pos + r_src_len); s_pad = 0;
    len = (byte) (6 + r_src_len + s_src_len);
    if (signature[r_src_pos] < 0) {
        r_pad = 1; len++;
    }
    if (signature[s_src_pos] < 0) {
      s_pad = 1; len++;
    }
    byte[] sig = new byte[len];
    byte pos = 0;
    sig[pos++] = ASN1_SEQ;
    sig[pos++] = (byte) (len - 2);
    sig[pos++] = ASN1_INT;
    sig[pos++] = (byte) (r_src_len + r_pad);
    pos += r_pad;
    System.arraycopy(signature, r_src_pos, sig, pos, r_src_len);
    pos += r_src_len;
    sig[pos++] = ASN1_INT;
    sig[pos++] = (byte) (s_src_len + s_pad);
    pos += s_pad;
    System.arraycopy(signature, s_src_pos, sig, pos, s_src_len);
    return sig;
  }
  /**
   * This is a convenience routine to help us classify records/RRsets.
   *