davidb
/
jdnssec-tools
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 1 Wiki Activity

Use generic types when possible. 

git-svn-id: https://svn.verisignlabs.com/jdnssec/tools/trunk@246 4cbd57fe-54e5-0310-bd9a-f30fe5ea5e6e
This commit is contained in:
David Blacka 2011-02-12 21:25:42 +00:00
parent 91207aeed2
commit fb75a5419f
17 changed files with 427 additions and 520 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ChangeLog
View File

@ -1,5 +1,8 @@
2011-02-12 David Blacka <davidb@verisignlabs.com>
* Use Java 1.5 generic types when possible. DNSJava itself still
doesn't use them, so we have to suppress warnings when we use
RRset.rrs(), etc.
* Update commons-cli to version 1.2.
* Refactor all of the command line classes. A new command line
base class has been created to eliminate much of the duplicated

56
src/com/verisignlabs/dnssec/cl/SignKeyset.java
View File

@ -25,12 +25,12 @@ import java.util.Date;
import java.util.Iterator;
import java.util.List;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.OptionBuilder;
import org.apache.commons.cli.Options;
import org.xbill.DNS.DNSSEC;
import org.xbill.DNS.Name;
import org.xbill.DNS.RRSIGRecord;
import org.xbill.DNS.RRset;
import org.xbill.DNS.Record;
import org.xbill.DNS.Type;
@ -53,7 +53,7 @@ public class SignKeyset extends CLBase
*/
protected static class CLIState extends CLIStateBase
{
public File keyDirectory = null;
public File keyDirectory = null;
public String[] keyFiles = null;
public Date start = null;
public Date expire = null;
@ -99,7 +99,8 @@ public class SignKeyset extends CLBase
opts.addOption(OptionBuilder.create('f'));
}
protected void processOptions(CommandLine cli) throws org.apache.commons.cli.ParseException
protected void processOptions(CommandLine cli)
throws org.apache.commons.cli.ParseException
{
String optstr = null;
@ -164,25 +165,24 @@ public class SignKeyset extends CLBase
* a list of keypairs used the sign the zone.
* @return true if all of the signatures validated.
*/
private static boolean verifySigs(Name zonename, List records, List keypairs)
private static boolean verifySigs(Name zonename, List<Record> records,
List<DnsKeyPair> keypairs)
{
boolean secure = true;
DnsSecVerifier verifier = new DnsSecVerifier();
for (Iterator i = keypairs.iterator(); i.hasNext();)
for (DnsKeyPair pair : keypairs)
{
verifier.addTrustedKey((DnsKeyPair) i.next());
verifier.addTrustedKey(pair);
}
verifier.setVerifyAllSigs(true);
List rrsets = SignUtils.assembleIntoRRsets(records);
List<RRset> rrsets = SignUtils.assembleIntoRRsets(records);
for (Iterator i = rrsets.iterator(); i.hasNext();)
for (RRset rrset : rrsets)
{
RRset rrset = (RRset) i.next();
// skip unsigned rrsets.
if (!rrset.sigs().hasNext()) continue;
@ -211,15 +211,15 @@ public class SignKeyset extends CLBase
* the directory to look in (may be null).
* @return a list of keypair objects.
*/
private static List getKeys(String[] keyfiles, int start_index, File inDirectory)
throws IOException
private static List<DnsKeyPair> getKeys(String[] keyfiles, int start_index,
File inDirectory) throws IOException
{
if (keyfiles == null) return null;
int len = keyfiles.length - start_index;
if (len <= 0) return null;
ArrayList keys = new ArrayList(len);
ArrayList<DnsKeyPair> keys = new ArrayList<DnsKeyPair>(len);
for (int i = start_index; i < keyfiles.length; i++)
{
@ -248,7 +248,8 @@ public class SignKeyset extends CLBase
}
}
private static List findZoneKeys(File inDirectory, Name zonename) throws IOException
private static List<DnsKeyPair> findZoneKeys(File inDirectory, Name zonename)
throws IOException
{
if (inDirectory == null)
{
@ -260,7 +261,7 @@ public class SignKeyset extends CLBase
File[] files = inDirectory.listFiles(filter);
// read in all of the records
ArrayList keys = new ArrayList();
ArrayList<DnsKeyPair> keys = new ArrayList<DnsKeyPair>();
for (int i = 0; i < files.length; i++)
{
DnsKeyPair p = BINDKeyUtils.loadKeyPair(files[i].getName(), inDirectory);
@ -271,10 +272,11 @@ public class SignKeyset extends CLBase
return null;
}
@SuppressWarnings("unchecked")
public void execute() throws Exception
{
// Read in the zone
List records = ZoneUtils.readZoneFile(state.inputfile, null);
List<Record> records = ZoneUtils.readZoneFile(state.inputfile, null);
if (records == null || records.size() == 0)
{
System.err.println("error: empty keyset file");
@ -284,9 +286,9 @@ public class SignKeyset extends CLBase
// Make sure that all records are DNSKEYs with the same name.
Name keysetName = null;
RRset keyset = new RRset();
for (Iterator i = records.iterator(); i.hasNext();)
for (Record r : records)
{
Record r = (Record) i.next();
if (r.getType() != Type.DNSKEY)
{
System.err.println("error: Non DNSKEY RR found in keyset: " + r);
@ -311,7 +313,7 @@ public class SignKeyset extends CLBase
}
// Load the key pairs.
List keypairs = getKeys(state.keyFiles, 0, state.keyDirectory);
List<DnsKeyPair> keypairs = getKeys(state.keyFiles, 0, state.keyDirectory);
// If we *still* don't have any key pairs, look for keys the key
// directory
@ -343,26 +345,24 @@ public class SignKeyset extends CLBase
JCEDnsSecSigner signer = new JCEDnsSecSigner();
List sigs = signer.signRRset(keyset, keypairs, state.start, state.expire);
for (Iterator i = sigs.iterator(); i.hasNext();)
List<RRSIGRecord> sigs = signer.signRRset(keyset, keypairs, state.start, state.expire);
for (RRSIGRecord s : sigs)
{
keyset.addRR((Record) i.next());
keyset.addRR(s);
}
// write out the signed RRset
List signed_records = new ArrayList();
for (Iterator i = keyset.rrs(); i.hasNext();)
List<Record> signed_records = new ArrayList<Record>();
for (Iterator<Record> i = keyset.rrs(); i.hasNext();)
{
signed_records.add(i.next());
}
for (Iterator i = keyset.sigs(); i.hasNext();)
for (Iterator<Record> i = keyset.sigs(); i.hasNext();)
{
signed_records.add(i.next());
}
// write out the signed zone
// force multiline mode for now
org.xbill.DNS.Options.set("multiline");
ZoneUtils.writeZoneFile(signed_records, state.outputfile);
if (state.verifySigs)
@ -388,7 +388,7 @@ public class SignKeyset extends CLBase
{
SignKeyset tool = new SignKeyset();
tool.state = new CLIState();
tool.run(tool.state, args);
}
}

33
src/com/verisignlabs/dnssec/cl/SignRRset.java
View File

@ -30,6 +30,7 @@ import org.apache.commons.cli.Options;
import org.xbill.DNS.DNSSEC;
import org.xbill.DNS.Name;
import org.xbill.DNS.RRSIGRecord;
import org.xbill.DNS.RRset;
import org.xbill.DNS.Record;
import org.xbill.DNS.Type;
@ -164,25 +165,23 @@ public class SignRRset extends CLBase
* a list of keypairs used the sign the zone.
* @return true if all of the signatures validated.
*/
private static boolean verifySigs(Name zonename, List records, List keypairs)
private static boolean verifySigs(Name zonename, List<Record> records, List<DnsKeyPair> keypairs)
{
boolean secure = true;
DnsSecVerifier verifier = new DnsSecVerifier();
for (Iterator i = keypairs.iterator(); i.hasNext();)
for (DnsKeyPair pair : keypairs)
{
verifier.addTrustedKey((DnsKeyPair) i.next());
verifier.addTrustedKey(pair);
}
verifier.setVerifyAllSigs(true);
List rrsets = SignUtils.assembleIntoRRsets(records);
List<RRset> rrsets = SignUtils.assembleIntoRRsets(records);
for (Iterator i = rrsets.iterator(); i.hasNext();)
for (RRset rrset : rrsets)
{
RRset rrset = (RRset) i.next();
// skip unsigned rrsets.
if (!rrset.sigs().hasNext()) continue;
@ -230,10 +229,11 @@ public class SignRRset extends CLBase
return keys;
}
@SuppressWarnings("unchecked")
public void execute() throws Exception
{
// Read in the zone
List records = ZoneUtils.readZoneFile(state.inputfile, null);
List<Record> records = ZoneUtils.readZoneFile(state.inputfile, null);
if (records == null || records.size() == 0)
{
System.err.println("error: empty RRset file");
@ -242,10 +242,9 @@ public class SignRRset extends CLBase
// Construct the RRset. Complain if the records in the input file
// consist of more than one RRset.
RRset rrset = null;
for (Iterator i = records.iterator(); i.hasNext();)
{
Record r = (Record) i.next();
for (Record r : records)
{
// skip RRSIGs
if (r.getType() == Type.RRSIG || r.getType() == Type.SIG)
{
@ -314,19 +313,19 @@ public class SignRRset extends CLBase
JCEDnsSecSigner signer = new JCEDnsSecSigner();
List sigs = signer.signRRset(rrset, keypairs, state.start, state.expire);
for (Iterator i = sigs.iterator(); i.hasNext();)
List<RRSIGRecord> sigs = signer.signRRset(rrset, keypairs, state.start, state.expire);
for (RRSIGRecord s : sigs)
{
rrset.addRR((Record) i.next());
rrset.addRR(s);
}
// write out the signed RRset
List signed_records = new ArrayList();
for (Iterator i = rrset.rrs(); i.hasNext();)
List<Record> signed_records = new ArrayList<Record>();
for (Iterator<Record> i = rrset.rrs(); i.hasNext();)
{
signed_records.add(i.next());
}
for (Iterator i = rrset.sigs(); i.hasNext();)
for (Iterator<Record> i = rrset.sigs(); i.hasNext();)
{
signed_records.add(i.next());
}

120
src/com/verisignlabs/dnssec/cl/SignZone.java
View File

@ -64,24 +64,24 @@ public class SignZone extends CLBase
*/
private static class CLIState extends CLIStateBase
{
public File keyDirectory = null;
public File keysetDirectory = null;
public String[] kskFiles = null;
public String[] keyFiles = null;
public String zonefile = null;
public Date start = null;
public Date expire = null;
public String outputfile = null;
public boolean verifySigs = false;
public boolean useOptOut = false;
public boolean fullySignKeyset = false;
public List includeNames = null;
public boolean useNsec3 = false;
public byte[] salt = null;
public int iterations = 0;
public int digest_id = DSRecord.SHA1_DIGEST_ID;
public long nsec3paramttl = -1;
public boolean verboseSigning = false;
public File keyDirectory = null;
public File keysetDirectory = null;
public String[] kskFiles = null;
public String[] keyFiles = null;
public String zonefile = null;
public Date start = null;
public Date expire = null;
public String outputfile = null;
public boolean verifySigs = false;
public boolean useOptOut = false;
public boolean fullySignKeyset = false;
public List<Name> includeNames = null;
public boolean useNsec3 = false;
public byte[] salt = null;
public int iterations = 0;
public int digest_id = DSRecord.SHA1_DIGEST_ID;
public long nsec3paramttl = -1;
public boolean verboseSigning = false;
public CLIState()
{
@ -176,8 +176,7 @@ public class SignZone extends CLBase
protected void processOptions(CommandLine cli) throws ParseException
{
String optstr;
String[] optstrs;
String optstr = null;
if (cli.hasOption('a')) verifySigs = true;
if (cli.hasOption('3')) useNsec3 = true;
@ -323,25 +322,24 @@ public class SignZone extends CLBase
* a list of keypairs used the sign the zone.
* @return true if all of the signatures validated.
*/
private static boolean verifyZoneSigs(Name zonename, List records, List keypairs)
private static boolean verifyZoneSigs(Name zonename, List<Record> records,
List<DnsKeyPair> keypairs)
{
boolean secure = true;
DnsSecVerifier verifier = new DnsSecVerifier();
for (Iterator i = keypairs.iterator(); i.hasNext();)
for (DnsKeyPair pair : keypairs)
{
verifier.addTrustedKey((DnsKeyPair) i.next());
verifier.addTrustedKey(pair);
}
verifier.setVerifyAllSigs(true);
List rrsets = SignUtils.assembleIntoRRsets(records);
List<RRset> rrsets = SignUtils.assembleIntoRRsets(records);
for (Iterator i = rrsets.iterator(); i.hasNext();)
for (RRset rrset : rrsets)
{
RRset rrset = (RRset) i.next();
// skip unsigned rrsets.
if (!rrset.sigs().hasNext()) continue;
@ -371,15 +369,15 @@ public class SignZone extends CLBase
* the directory to look in (may be null).
* @return a list of keypair objects.
*/
private static List getKeys(String[] keyfiles, int start_index, File inDirectory)
throws IOException
private static List<DnsKeyPair> getKeys(String[] keyfiles, int start_index,
File inDirectory) throws IOException
{
if (keyfiles == null) return null;
int len = keyfiles.length - start_index;
if (len <= 0) return null;
ArrayList keys = new ArrayList(len);
ArrayList<DnsKeyPair> keys = new ArrayList<DnsKeyPair>(len);
for (int i = start_index; i < keyfiles.length; i++)
{
@ -390,14 +388,17 @@ public class SignZone extends CLBase
return keys;
}
private static List getKeys(List dnskeyrrs, File inDirectory) throws IOException
private static List<DnsKeyPair> getKeys(List<Record> dnskeyrrs, File inDirectory)
throws IOException
{
List res = new ArrayList();
for (Iterator i = dnskeyrrs.iterator(); i.hasNext();)
List<DnsKeyPair> res = new ArrayList<DnsKeyPair>();
for (Record r : dnskeyrrs)
{
if (r.getType() != Type.DNSKEY) continue;
// Construct a public-key-only DnsKeyPair just so we can calculate the
// base name.
DnsKeyPair pub = new DnsKeyPair((DNSKEYRecord) i.next());
DnsKeyPair pub = new DnsKeyPair((DNSKEYRecord) r);
DnsKeyPair pair = BINDKeyUtils.loadKeyPair(BINDKeyUtils.keyFileBase(pub),
inDirectory);
if (pair != null)
@ -428,7 +429,8 @@ public class SignZone extends CLBase
}
}
private static List findZoneKeys(File inDirectory, Name zonename) throws IOException
private static List<DnsKeyPair> findZoneKeys(File inDirectory, Name zonename)
throws IOException
{
if (inDirectory == null)
{
@ -440,7 +442,7 @@ public class SignZone extends CLBase
File[] files = inDirectory.listFiles(filter);
// read in all of the records
ArrayList keys = new ArrayList();
ArrayList<DnsKeyPair> keys = new ArrayList<DnsKeyPair>();
for (int i = 0; i < files.length; i++)
{
DnsKeyPair p = BINDKeyUtils.loadKeyPair(files[i].getName(), inDirectory);
@ -480,7 +482,8 @@ public class SignZone extends CLBase
* @return a list of {@link org.xbill.DNS.Record}s found in the keyset
* files.
*/
private static List getKeysets(File inDirectory, Name zonename) throws IOException
private static List<Record> getKeysets(File inDirectory, Name zonename)
throws IOException
{
if (inDirectory == null)
{
@ -492,17 +495,17 @@ public class SignZone extends CLBase
File[] files = inDirectory.listFiles(filter);
// read in all of the records
ArrayList keysetRecords = new ArrayList();
ArrayList<Record> keysetRecords = new ArrayList<Record>();
for (int i = 0; i < files.length; i++)
{
List l = ZoneUtils.readZoneFile(files[i].getAbsolutePath(), zonename);
List<Record> l = ZoneUtils.readZoneFile(files[i].getAbsolutePath(), zonename);
keysetRecords.addAll(l);
}
// discard records that do not belong to the zone in question.
for (Iterator i = keysetRecords.iterator(); i.hasNext();)
for (Iterator<Record> i = keysetRecords.iterator(); i.hasNext();)
{
Record r = (Record) i.next();
Record r = i.next();
if (!r.getName().subdomain(zonename))
{
i.remove();
@ -519,10 +522,10 @@ public class SignZone extends CLBase
* the path of a file containing a bare list of DNS names.
* @return a list of {@link org.xbill.DNS.Name} objects.
*/
private static List getNameList(File nameListFile) throws IOException
private static List<Name> getNameList(File nameListFile) throws IOException
{
BufferedReader br = new BufferedReader(new FileReader(nameListFile));
List res = new ArrayList();
List<Name> res = new ArrayList<Name>();
String line = null;
while ((line = br.readLine()) != null)
@ -559,13 +562,12 @@ public class SignZone extends CLBase
* zone.
* @return true if the keypairs valid.
*/
private static boolean keyPairsValidForZone(Name zonename, List keypairs)
private static boolean keyPairsValidForZone(Name zonename, List<DnsKeyPair> keypairs)
{
if (keypairs == null) return true; // technically true, I guess.
for (Iterator i = keypairs.iterator(); i.hasNext();)
for (DnsKeyPair kp : keypairs)
{
DnsKeyPair kp = (DnsKeyPair) i.next();
Name keyname = kp.getDNSKEYRecord().getName();
if (!keyname.equals(zonename))
{
@ -579,7 +581,7 @@ public class SignZone extends CLBase
public void execute() throws Exception
{
// Read in the zone
List records = ZoneUtils.readZoneFile(state.zonefile, null);
List<Record> records = ZoneUtils.readZoneFile(state.zonefile, null);
if (records == null || records.size() == 0)
{
System.err.println("error: empty zone file");
@ -596,14 +598,14 @@ public class SignZone extends CLBase
// Load the key pairs.
List keypairs = getKeys(state.keyFiles, 0, state.keyDirectory);
List kskpairs = getKeys(state.kskFiles, 0, state.keyDirectory);
List<DnsKeyPair> keypairs = getKeys(state.keyFiles, 0, state.keyDirectory);
List<DnsKeyPair> kskpairs = getKeys(state.kskFiles, 0, state.keyDirectory);
// If we didn't get any keys on the command line, look at the zone apex for
// any public keys.
if (keypairs == null && kskpairs == null)
{
List dnskeys = ZoneUtils.findRRs(records, zonename, Type.DNSKEY);
List<Record> dnskeys = ZoneUtils.findRRs(records, zonename, Type.DNSKEY);
keypairs = getKeys(dnskeys, state.keyDirectory);
}
@ -621,13 +623,13 @@ public class SignZone extends CLBase
if ((kskpairs == null || kskpairs.size() == 0) && keypairs != null
&& keypairs.size() > 1)
{
for (Iterator i = keypairs.iterator(); i.hasNext();)
for (Iterator<DnsKeyPair> i = keypairs.iterator(); i.hasNext();)
{
DnsKeyPair pair = (DnsKeyPair) i.next();
DnsKeyPair pair = i.next();
DNSKEYRecord kr = pair.getDNSKEYRecord();
if ((kr.getFlags() & DNSKEYRecord.Flags.SEP_KEY) != 0)
{
if (kskpairs == null) kskpairs = new ArrayList();
if (kskpairs == null) kskpairs = new ArrayList<DnsKeyPair>();
kskpairs.add(pair);
i.remove();
}
@ -674,21 +676,21 @@ public class SignZone extends CLBase
// removes duplicate records.
if (kskpairs != null)
{
for (Iterator i = kskpairs.iterator(); i.hasNext();)
for (DnsKeyPair pair : kskpairs)
{
records.add(((DnsKeyPair) i.next()).getDNSKEYRecord());
records.add(pair.getDNSKEYRecord());
}
}
if (keypairs != null)
{
for (Iterator i = keypairs.iterator(); i.hasNext();)
for (DnsKeyPair pair : keypairs)
{
records.add(((DnsKeyPair) i.next()).getDNSKEYRecord());
records.add(pair.getDNSKEYRecord());
}
}
// read in the keysets, if any.
List keysetrecs = getKeysets(state.keysetDirectory, zonename);
List<Record> keysetrecs = getKeysets(state.keysetDirectory, zonename);
if (keysetrecs != null)
{
records.addAll(keysetrecs);
@ -697,7 +699,7 @@ public class SignZone extends CLBase
JCEDnsSecSigner signer = new JCEDnsSecSigner(state.verboseSigning);
// Sign the zone.
List signed_records;
List<Record> signed_records;
if (state.useNsec3)
{

3
src/com/verisignlabs/dnssec/cl/VerifyZone.java
View File

@ -22,6 +22,7 @@ import java.util.List;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.OptionBuilder;
import org.apache.commons.cli.Options;
import org.xbill.DNS.Record;
import com.verisignlabs.dnssec.security.ZoneUtils;
import com.verisignlabs.dnssec.security.ZoneVerifier;
@ -126,7 +127,7 @@ public class VerifyZone extends CLBase
zoneverifier.getVerifier().setExpireFudge(state.expirefudge);
zoneverifier.getVerifier().setIgnoreTime(state.ignoreTime);
List records = ZoneUtils.readZoneFile(state.zonefile, null);
List<Record> records = ZoneUtils.readZoneFile(state.zonefile, null);
log.fine("verifying zone...");
int errors = zoneverifier.verifyZone(records);

49
src/com/verisignlabs/dnssec/cl/ZoneFormat.java
View File

@ -18,16 +18,23 @@
package com.verisignlabs.dnssec.cl;
import java.io.IOException;
import java.io.PrintWriter;
import java.security.NoSuchAlgorithmException;
import java.util.*;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.ListIterator;
import org.apache.commons.cli.*;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.Options;
import org.xbill.DNS.*;
import org.apache.commons.cli.ParseException;
import org.xbill.DNS.Master;
import org.xbill.DNS.NSEC3PARAMRecord;
import org.xbill.DNS.NSEC3Record;
import org.xbill.DNS.Name;
import org.xbill.DNS.Record;
import org.xbill.DNS.Section;
import org.xbill.DNS.Type;
import org.xbill.DNS.utils.base32;
import com.verisignlabs.dnssec.security.RecordComparator;
@ -80,11 +87,11 @@ public class ZoneFormat extends CLBase
}
}
private static List readZoneFile(String filename) throws IOException
private static List<Record> readZoneFile(String filename) throws IOException
{
Master master = new Master(filename);
List res = new ArrayList();
List<Record> res = new ArrayList<Record>();
Record r = null;
while ((r = master.nextRecord()) != null)
@ -99,21 +106,21 @@ public class ZoneFormat extends CLBase
return res;
}
private static void formatZone(List zone)
private static void formatZone(List<Record> zone)
{
// Put the zone into a consistent (name and RR type) order.
RecordComparator cmp = new RecordComparator();
Collections.sort(zone, cmp);
for (Iterator i = zone.iterator(); i.hasNext();)
for (Record r : zone)
{
Record r = (Record) i.next();
System.out.println(r.toString());
}
}
private static void determineNSEC3Owners(List zone) throws NoSuchAlgorithmException
private static void determineNSEC3Owners(List<Record> zone)
throws NoSuchAlgorithmException
{
// Put the zone into a consistent (name and RR type) order.
Collections.sort(zone, new RecordComparator());
@ -121,12 +128,11 @@ public class ZoneFormat extends CLBase
// first, find the NSEC3PARAM record -- this is an inefficient linear
// search.
NSEC3PARAMRecord nsec3param = null;
HashMap map = new HashMap();
HashMap<String, String> map = new HashMap<String, String>();
base32 b32 = new base32(base32.Alphabet.BASE32HEX, false, true);
for (Iterator i = zone.iterator(); i.hasNext();)
for (Record r : zone)
{
Record r = (Record) i.next();
if (r.getType() == Type.NSEC3PARAM)
{
nsec3param = (NSEC3PARAMRecord) r;
@ -139,9 +145,8 @@ public class ZoneFormat extends CLBase
// Next pass, calculate a mapping between ownernames and hashnames
Name last_name = null;
for (Iterator i = zone.iterator(); i.hasNext();)
for (Record r : zone)
{
Record r = (Record) i.next();
if (r.getName().equals(last_name)) continue;
if (r.getType() == Type.NSEC3) continue;
@ -152,9 +157,9 @@ public class ZoneFormat extends CLBase
}
// Final pass, assign the names if we can
for (ListIterator i = zone.listIterator(); i.hasNext();)
for (ListIterator<Record> i = zone.listIterator(); i.hasNext();)
{
Record r = (Record) i.next();
Record r = i.next();
if (r.getType() != Type.NSEC3) continue;
NSEC3Record nsec3 = (NSEC3Record) r;
String hashname = nsec3.getName().getLabelString(0).toLowerCase();
@ -171,7 +176,7 @@ public class ZoneFormat extends CLBase
public void execute() throws IOException, NoSuchAlgorithmException
{
List z = readZoneFile(state.file);
List<Record> z = readZoneFile(state.file);
if (state.assignNSEC3) determineNSEC3Owners(z);
formatZone(z);
}
@ -180,7 +185,7 @@ public class ZoneFormat extends CLBase
{
ZoneFormat tool = new ZoneFormat();
tool.state = new CLIState();
tool.run(tool.state, args);
}

24
src/com/verisignlabs/dnssec/security/BareLogFormatter.java
View File

@ -1,24 +0,0 @@
package com.verisignlabs.dnssec.security;
import java.util.logging.LogRecord;
/**
* This is a very simple log formatter that simply outputs the log level and log
* string.
*/
public class BareLogFormatter extends java.util.logging.Formatter
{
@Override
public String format(LogRecord arg0)
{
StringBuilder out = new StringBuilder();
String lvl = arg0.getLevel().getName();
out.append(lvl);
out.append(": ");
out.append(arg0.getMessage());
out.append("\n");
return out.toString();
}
}

7
src/com/verisignlabs/dnssec/security/ByteArrayComparator.java
View File

@ -30,7 +30,7 @@ import java.util.logging.Logger;
* @author $Author$
* @version $Revision$
*/
public class ByteArrayComparator implements Comparator
public class ByteArrayComparator implements Comparator<byte[]>
{
private int mOffset = 0;
private boolean mDebug = false;
@ -46,11 +46,8 @@ public class ByteArrayComparator implements Comparator
mDebug = debug;
}
public int compare(Object o1, Object o2) throws ClassCastException
public int compare(byte[] b1, byte[] b2)
{
byte[] b1 = (byte[]) o1;
byte[] b2 = (byte[]) o2;
for (int i = mOffset; i < b1.length && i < b2.length; i++)
{
if (b1[i] != b2[i])

58
src/com/verisignlabs/dnssec/security/DnsKeyAlgorithm.java
View File

@ -77,32 +77,32 @@ public class DnsKeyAlgorithm
* This is a mapping of algorithm identifier to Entry. The Entry contains the
* data needed to map the algorithm to the various crypto implementations.
*/
private HashMap mAlgorithmMap;
private HashMap<Integer, Entry> mAlgorithmMap;
/**
* This is a mapping of algorithm mnemonics to algorithm identifiers.
*/
private HashMap mMnemonicToIdMap;
private HashMap<String, Integer> mMnemonicToIdMap;
/**
* This is a mapping of identifiers to preferred mnemonic -- the preferred one
* is the first defined one
*/
private HashMap mIdToMnemonicMap;
private HashMap<Integer, String> mIdToMnemonicMap;
/** This is a cached key pair generator for RSA keys. */
private KeyPairGenerator mRSAKeyGenerator;
private KeyPairGenerator mRSAKeyGenerator;
/** This is a cache key pair generator for DSA keys. */
private KeyPairGenerator mDSAKeyGenerator;
private KeyPairGenerator mDSAKeyGenerator;
private Logger log = Logger.getLogger(this.getClass().toString());
private Logger log = Logger.getLogger(this.getClass().toString());
/** This is the global instance for this class. */
private static DnsKeyAlgorithm mInstance = null;
private static DnsKeyAlgorithm mInstance = null;
public DnsKeyAlgorithm()
{
mAlgorithmMap = new HashMap();
mMnemonicToIdMap = new HashMap();
mIdToMnemonicMap = new HashMap();
mAlgorithmMap = new HashMap<Integer, Entry>();
mMnemonicToIdMap = new HashMap<String, Integer>();
mIdToMnemonicMap = new HashMap<Integer, String>();
// Load the standard DNSSEC algorithms.
addAlgorithm(DNSSEC.RSAMD5, new Entry("MD5withRSA", RSA));
@ -137,40 +137,34 @@ public class DnsKeyAlgorithm
private void addAlgorithm(int algorithm, Entry entry)
{
Integer a = new Integer(algorithm);
mAlgorithmMap.put(a, entry);
mAlgorithmMap.put(algorithm, entry);
}
private void addMnemonic(String m, int alg)
{
Integer a = new Integer(alg);
mMnemonicToIdMap.put(m.toUpperCase(), a);
if (!mIdToMnemonicMap.containsKey(a))
mMnemonicToIdMap.put(m.toUpperCase(), alg);
if (!mIdToMnemonicMap.containsKey(alg))
{
mIdToMnemonicMap.put(a, m);
mIdToMnemonicMap.put(alg, m);
}
}
public void addAlias(int alias, String mnemonic, int original_algorithm)
{
Integer a = new Integer(alias);
Integer o = new Integer(original_algorithm);
if (mAlgorithmMap.containsKey(a))
if (mAlgorithmMap.containsKey(alias))
{
log.warning("Unable to alias algorithm " + alias
+ " because it already exists.");
log.warning("Unable to alias algorithm " + alias + " because it already exists.");
return;
}
if (!mAlgorithmMap.containsKey(o))
if (!mAlgorithmMap.containsKey(original_algorithm))
{
log.warning("Unable to alias algorith " + alias
+ " to unknown algorithm identifier " + original_algorithm);
return;
}
mAlgorithmMap.put(a, mAlgorithmMap.get(o));
mAlgorithmMap.put(alias, mAlgorithmMap.get(original_algorithm));
if (mnemonic != null)
{
@ -180,7 +174,7 @@ public class DnsKeyAlgorithm
private Entry getEntry(int alg)
{
return (Entry) mAlgorithmMap.get(new Integer(alg));
return mAlgorithmMap.get(alg);
}
public Signature getSignature(int algorithm)
@ -196,8 +190,8 @@ public class DnsKeyAlgorithm
}
catch (NoSuchAlgorithmException e)
{
log.severe("Unable to get signature implementation for algorithm "
+ algorithm + ": " + e);
log.severe("Unable to get signature implementation for algorithm " + algorithm
+ ": " + e);
}
return s;
@ -205,14 +199,14 @@ public class DnsKeyAlgorithm
public int stringToAlgorithm(String s)
{
Integer alg = (Integer) mMnemonicToIdMap.get(s.toUpperCase());
Integer alg = mMnemonicToIdMap.get(s.toUpperCase());
if (alg != null) return alg.intValue();
return -1;
}
public String algToString(int algorithm)
{
return (String) mIdToMnemonicMap.get(new Integer(algorithm));
return mIdToMnemonicMap.get(algorithm);
}
public int baseType(int algorithm)
@ -257,13 +251,11 @@ public class DnsKeyAlgorithm
RSAKeyGenParameterSpec rsa_spec;
if (useLargeExp)
{
rsa_spec = new RSAKeyGenParameterSpec(keysize,
RSAKeyGenParameterSpec.F4);
rsa_spec = new RSAKeyGenParameterSpec(keysize, RSAKeyGenParameterSpec.F4);
}
else
{
rsa_spec = new RSAKeyGenParameterSpec(keysize,
RSAKeyGenParameterSpec.F0);
rsa_spec = new RSAKeyGenParameterSpec(keysize, RSAKeyGenParameterSpec.F0);
}
try
{

29
src/com/verisignlabs/dnssec/security/DnsSecVerifier.java
View File

@ -48,23 +48,23 @@ public class DnsSecVerifier implements Verifier
private class TrustedKeyStore
{
// for now, this is implemented as a hashtable of lists of
// for now, this is implemented as a hash table of lists of
// DnsKeyPair objects (obviously, all of them will not have
// private keys).
private HashMap mKeyMap;
private HashMap<String, List<DnsKeyPair>> mKeyMap;
public TrustedKeyStore()
{
mKeyMap = new HashMap();
mKeyMap = new HashMap<String, List<DnsKeyPair>>();
}
public void add(DnsKeyPair pair)
{
String n = pair.getDNSKEYName().toString().toLowerCase();
List l = (List) mKeyMap.get(n);
List<DnsKeyPair> l = mKeyMap.get(n);
if (l == null)
{
l = new ArrayList();
l = new ArrayList<DnsKeyPair>();
mKeyMap.put(n, l);
}
@ -86,14 +86,13 @@ public class DnsSecVerifier implements Verifier
public DnsKeyPair find(Name name, int algorithm, int keyid)
{
String n = name.toString().toLowerCase();
List l = (List) mKeyMap.get(n);
List<DnsKeyPair> l = mKeyMap.get(n);
if (l == null) return null;
// FIXME: this algorithm assumes that name+alg+footprint is
// unique, which isn't necessarily true.
for (Iterator i = l.iterator(); i.hasNext();)
for (DnsKeyPair p : l)
{
DnsKeyPair p = (DnsKeyPair) i.next();
if (p.getDNSKEYAlgorithm() == algorithm && p.getDNSKEYFootprint() == keyid)
{
return p;
@ -158,6 +157,7 @@ public class DnsSecVerifier implements Verifier
mIgnoreTime = v;
}
@SuppressWarnings("unchecked")
private DnsKeyPair findCachedKey(Cache cache, Name name, int algorithm, int footprint)
{
RRset[] keysets = cache.findAnyRecords(name, Type.KEY);
@ -165,11 +165,11 @@ public class DnsSecVerifier implements Verifier
// look for the particular key
// FIXME: this assumes that name+alg+footprint is unique.
for (Iterator i = keysets[0].rrs(); i.hasNext();)
for (Iterator<Record> i = keysets[0].rrs(); i.hasNext();)
{
Object o = i.next();
if (!(o instanceof DNSKEYRecord)) continue;
DNSKEYRecord keyrec = (DNSKEYRecord) o;
Record r = i.next();
if (r.getType() != Type.DNSKEY) continue;
DNSKEYRecord keyrec = (DNSKEYRecord) r;
if (keyrec.getAlgorithm() == algorithm && keyrec.getFootprint() == footprint)
{
return new DnsKeyPair(keyrec, (PrivateKey) null);
@ -190,7 +190,7 @@ public class DnsSecVerifier implements Verifier
return pair;
}
private byte validateSignature(RRset rrset, RRSIGRecord sigrec, List reasons)
private byte validateSignature(RRset rrset, RRSIGRecord sigrec, List<String> reasons)
{
if (rrset == null || sigrec == null) return DNSSEC.Failed;
if (!rrset.getName().equals(sigrec.getName()))
@ -255,7 +255,7 @@ public class DnsSecVerifier implements Verifier
* could not be completed (usually because the public key was not
* available).
*/
public byte verifySignature(RRset rrset, RRSIGRecord sigrec, Cache cache, List reasons)
public byte verifySignature(RRset rrset, RRSIGRecord sigrec, Cache cache, List<String> reasons)
{
byte result = validateSignature(rrset, sigrec, reasons);
if (result != DNSSEC.Secure) return result;
@ -314,6 +314,7 @@ public class DnsSecVerifier implements Verifier
* @return DNSSEC.Secure if the set verified, DNSSEC.Failed if it did not, and
* DNSSEC.Insecure if verification could not complete.
*/
@SuppressWarnings("unchecked")
public int verify(RRset rrset, Cache cache)
{
int result = mVerifyAllSigs ? DNSSEC.Secure : DNSSEC.Insecure;

97
src/com/verisignlabs/dnssec/security/JCEDnsSecSigner.java
View File

@ -57,8 +57,8 @@ public class JCEDnsSecSigner
{
private DnsKeyConverter mKeyConverter;
private boolean mVerboseSigning = false;
private Logger log;
private Logger log;
public JCEDnsSecSigner()
{
@ -130,8 +130,9 @@ public class JCEDnsSecSigner
* the expiration time for the resulting RRSIG records.
* @return a list of RRSIGRecord objects.
*/
public List signRRset(RRset rrset, List keypairs, Date start, Date expire)
throws IOException, GeneralSecurityException
public List<RRSIGRecord> signRRset(RRset rrset, List<DnsKeyPair> keypairs, Date start,
Date expire) throws IOException,
GeneralSecurityException
{
if (rrset == null || keypairs == null) return null;
@ -149,12 +150,11 @@ public class JCEDnsSecSigner
// first, pre-calculate the RRset bytes.
byte[] rrset_data = SignUtils.generateCanonicalRRsetData(rrset, 0, 0);
ArrayList sigs = new ArrayList(keypairs.size());
ArrayList<RRSIGRecord> sigs = new ArrayList<RRSIGRecord>(keypairs.size());
// for each keypair, sign the RRset.
for (Iterator i = keypairs.iterator(); i.hasNext();)
for (DnsKeyPair pair : keypairs)
{
DnsKeyPair pair = (DnsKeyPair) i.next();
DNSKEYRecord keyrec = pair.getDNSKEYRecord();
if (keyrec == null) continue;
@ -164,8 +164,9 @@ public class JCEDnsSecSigner
if (mVerboseSigning)
{
log.info("Canonical pre-signature data to sign with key " + keyrec.getName().toString() + "/"
+ keyrec.getAlgorithm() + "/" + keyrec.getFootprint() + ":");
log.info("Canonical pre-signature data to sign with key "
+ keyrec.getName().toString() + "/" + keyrec.getAlgorithm() + "/"
+ keyrec.getFootprint() + ":");
log.info(hexdump.dump(null, sign_data));
}
@ -174,8 +175,7 @@ public class JCEDnsSecSigner
if (signer == null)
{
// debug
log.fine("missing private key that goes with:\n"
+ pair.getDNSKEYRecord());
log.fine("missing private key that goes with:\n" + pair.getDNSKEYRecord());
throw new GeneralSecurityException("cannot sign without a valid Signer "
+ "(probably missing private key)");
}
@ -219,24 +219,23 @@ public class JCEDnsSecSigner
* the RRSIG expiration time.
* @return a signed RRset.
*/
public RRset makeKeySet(List keypairs, Date start, Date expire) throws IOException,
GeneralSecurityException
public RRset makeKeySet(List<DnsKeyPair> keypairs, Date start, Date expire)
throws IOException, GeneralSecurityException
{
// Generate a KEY RR set to sign.
RRset keyset = new RRset();
for (Iterator i = keypairs.iterator(); i.hasNext();)
for (DnsKeyPair pair : keypairs)
{
DnsKeyPair pair = (DnsKeyPair) i.next();
keyset.addRR(pair.getDNSKEYRecord());
}
List records = signRRset(keyset, keypairs, start, expire);
List<RRSIGRecord> records = signRRset(keyset, keypairs, start, expire);
for (Iterator i = records.iterator(); i.hasNext();)
for (RRSIGRecord r : records)
{
keyset.addRR((Record) i.next());
keyset.addRR(r);
}
return keyset;
@ -266,12 +265,14 @@ public class JCEDnsSecSigner
*
* @return the name of the new last_cut.
*/
private Name addRRset(List toList, Name zonename, RRset rrset, List kskpairs,
List zskpairs, Date start, Date expire, boolean fullySignKeyset,
Name last_cut, Name last_dname) throws IOException, GeneralSecurityException
@SuppressWarnings("unchecked")
private Name addRRset(List<Record> toList, Name zonename, RRset rrset,
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs, Date start,
Date expire, boolean fullySignKeyset, Name last_cut,
Name last_dname) throws IOException, GeneralSecurityException
{
// add the records themselves
for (Iterator i = rrset.rrs(); i.hasNext();)
for (Iterator<Record> i = rrset.rrs(); i.hasNext();)
{
toList.add(i.next());
}
@ -296,7 +297,7 @@ public class JCEDnsSecSigner
// them with the zsks.
if (kskpairs != null && kskpairs.size() > 0)
{
List sigs = signRRset(rrset, kskpairs, start, expire);
List<RRSIGRecord> sigs = signRRset(rrset, kskpairs, start, expire);
toList.addAll(sigs);
// If we aren't going to sign with all the keys, bail out now.
@ -305,7 +306,7 @@ public class JCEDnsSecSigner
}
// otherwise, we are OK to sign this set.
List sigs = signRRset(rrset, zskpairs, start, expire);
List<RRSIGRecord> sigs = signRRset(rrset, zskpairs, start, expire);
toList.addAll(sigs);
return last_cut;
@ -365,11 +366,13 @@ public class JCEDnsSecSigner
* @throws IOException
* @throws GeneralSecurityException
*/
private List signZone(Name zonename, List records, List kskpairs, List zskpairs,
Date start, Date expire, boolean fullySignKeyset,
int ds_digest_alg, int mode, List includedNames, byte[] salt,
int iterations, long nsec3paramttl, boolean beConservative)
throws IOException, GeneralSecurityException
private List<Record> signZone(Name zonename, List<Record> records,
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs,
Date start, Date expire, boolean fullySignKeyset,
int ds_digest_alg, int mode, List<Name> includedNames,
byte[] salt, int iterations, long nsec3paramttl,
boolean beConservative) throws IOException,
GeneralSecurityException
{
// Remove any existing generated DNSSEC records (NSEC, NSEC3, NSEC3PARAM,
// RRSIG)
@ -410,13 +413,13 @@ public class JCEDnsSecSigner
// Assemble into RRsets and sign.
RRset rrset = new RRset();
ArrayList signed_records = new ArrayList();
ArrayList<Record> signed_records = new ArrayList<Record>();
Name last_cut = null;
Name last_dname = null;
for (ListIterator i = records.listIterator(); i.hasNext();)
for (ListIterator<Record> i = records.listIterator(); i.hasNext();)
{
Record r = (Record) i.next();
Record r = i.next();
// First record
if (rrset.size() == 0)
@ -478,9 +481,11 @@ public class JCEDnsSecSigner
* @return an ordered list of {@link org.xbill.DNS.Record} objects,
* representing the signed zone.
*/
public List signZone(Name zonename, List records, List kskpairs, List zskpairs,
Date start, Date expire, boolean fullySignKeyset, int ds_digest_alg)
throws IOException, GeneralSecurityException
public List<Record> signZone(Name zonename, List<Record> records,
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs,
Date start, Date expire, boolean fullySignKeyset,
int ds_digest_alg) throws IOException,
GeneralSecurityException
{
return signZone(zonename, records, kskpairs, zskpairs, start, expire,
fullySignKeyset, ds_digest_alg, NSEC_MODE, null, null, 0, 0, false);
@ -527,11 +532,13 @@ public class JCEDnsSecSigner
* @throws IOException
* @throws GeneralSecurityException
*/
public List signZoneNSEC3(Name zonename, List records, List kskpairs, List zskpairs,
Date start, Date expire, boolean fullySignKeyset,
boolean useOptOut, List includedNames, byte[] salt,
int iterations, int ds_digest_alg, long nsec3paramttl)
throws IOException, GeneralSecurityException
public List<Record> signZoneNSEC3(Name zonename, List<Record> records,
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs,
Date start, Date expire, boolean fullySignKeyset,
boolean useOptOut, List<Name> includedNames,
byte[] salt, int iterations, int ds_digest_alg,
long nsec3paramttl) throws IOException,
GeneralSecurityException
{
if (useOptOut)
{
@ -577,10 +584,12 @@ public class JCEDnsSecSigner
* @return an ordered list of {@link org.xbill.DNS.Record} objects,
* representing the signed zone.
*/
public List signZoneOptIn(Name zonename, List records, List kskpairs, List zskpairs,
Date start, Date expire, boolean useConservativeOptIn,
boolean fullySignKeyset, List NSECIncludeNames,
int ds_digest_alg) throws IOException,
public List<Record> signZoneOptIn(Name zonename, List<Record> records,
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs,
Date start, Date expire,
boolean useConservativeOptIn,
boolean fullySignKeyset, List<Name> NSECIncludeNames,
int ds_digest_alg) throws IOException,
GeneralSecurityException
{

7
src/com/verisignlabs/dnssec/security/ProtoNSEC3.java
View File

@ -254,12 +254,11 @@ public class ProtoNSEC3
return sb.toString();
}
public static class Comparator implements java.util.Comparator
public static class Comparator implements java.util.Comparator<ProtoNSEC3>
{
public int compare(Object o1, Object o2)
public int compare(ProtoNSEC3 a, ProtoNSEC3 b)
{
return ((ProtoNSEC3) o1).compareTo((ProtoNSEC3) o2);
return a.compareTo(b);
}
}

7
src/com/verisignlabs/dnssec/security/RecordComparator.java
View File

@ -35,7 +35,7 @@ import org.xbill.DNS.Type;
* @version $Revision$
*/
public class RecordComparator implements Comparator
public class RecordComparator implements Comparator<Record>
{
public RecordComparator()
{
@ -75,11 +75,8 @@ public class RecordComparator implements Comparator
return (a_rdata.length - b_rdata.length);
}
public int compare(Object o1, Object o2) throws ClassCastException
public int compare(Record a, Record b)
{
Record a = (Record) o1;
Record b = (Record) o2;
if (a == null && b == null) return 0;
if (a == null) return 1;
if (b == null) return -1;

352
src/com/verisignlabs/dnssec/security/SignUtils.java
View File

@ -81,13 +81,11 @@ public class SignUtils
*
* @return a prototype signature based on the RRset and key information.
*/
public static RRSIGRecord generatePreRRSIG(RRset rrset, DNSKEYRecord key,
Date start, Date expire,
long sig_ttl)
public static RRSIGRecord generatePreRRSIG(RRset rrset, DNSKEYRecord key, Date start,
Date expire, long sig_ttl)
{
return new RRSIGRecord(rrset.getName(), rrset.getDClass(), sig_ttl,
rrset.getType(), key.getAlgorithm(),
(int) rrset.getTTL(), expire, start,
return new RRSIGRecord(rrset.getName(), rrset.getDClass(), sig_ttl, rrset.getType(),
key.getAlgorithm(), (int) rrset.getTTL(), expire, start,
key.getFootprint(), key.getName(), null);
}
@ -108,14 +106,12 @@ public class SignUtils
*
* @return a prototype signature based on the Record and key information.
*/
public static RRSIGRecord generatePreRRSIG(Record rec, DNSKEYRecord key,
Date start, Date expire,
long sig_ttl)
public static RRSIGRecord generatePreRRSIG(Record rec, DNSKEYRecord key, Date start,
Date expire, long sig_ttl)
{
return new RRSIGRecord(rec.getName(), rec.getDClass(), sig_ttl,
rec.getType(), key.getAlgorithm(), rec.getTTL(),
expire, start, key.getFootprint(), key.getName(),
null);
return new RRSIGRecord(rec.getName(), rec.getDClass(), sig_ttl, rec.getType(),
key.getAlgorithm(), rec.getTTL(), expire, start,
key.getFootprint(), key.getName(), null);
}
/**
@ -150,23 +146,22 @@ public class SignUtils
return image.toByteArray();
}
/**
* Calculate the canonical wire line format of the RRset.
*
* @param rrset
* the RRset to convert.
* the RRset to convert.
* @param ttl
* the TTL to use when canonicalizing -- this is generally the
* TTL of the signature if there is a pre-existing signature. If
* not it is just the ttl of the rrset itself.
* the TTL to use when canonicalizing -- this is generally the
* TTL of the signature if there is a pre-existing signature. If
* not it is just the ttl of the rrset itself.
* @param labels
* the labels field of the signature, or 0.
* the labels field of the signature, or 0.
* @return the canonical wire line format of the rrset. This is the second
* part of data to be signed.
*/
public static byte[] generateCanonicalRRsetData(RRset rrset, long ttl,
int labels)
@SuppressWarnings("unchecked")
public static byte[] generateCanonicalRRsetData(RRset rrset, long ttl, int labels)
{
DNSOutput image = new DNSOutput();
@ -186,24 +181,22 @@ public class SignUtils
{
n = n.wild(n.labels() - labels);
wildcardName = true;
log.fine("Detected wildcard expansion: " + rrset.getName()
+ " changed to " + n);
log.fine("Detected wildcard expansion: " + rrset.getName() + " changed to " + n);
}
// now convert the wire format records in the RRset into a
// list of byte arrays.
ArrayList canonical_rrs = new ArrayList();
for (Iterator i = rrset.rrs(); i.hasNext();)
ArrayList<byte[]> canonical_rrs = new ArrayList<byte[]>();
for (Iterator<Record> i = rrset.rrs(); i.hasNext();)
{
Record r = (Record) i.next();
Record r = i.next();
if (r.getTTL() != ttl || wildcardName)
{
// If necessary, we need to create a new record with a new ttl
// or ownername.
// In the TTL case, this avoids changing the ttl in the
// response.
r = Record.newRecord(n, r.getType(), r.getDClass(), ttl, r
.rdataToWireCanonical());
r = Record.newRecord(n, r.getType(), r.getDClass(), ttl, r.rdataToWireCanonical());
}
byte[] wire_fmt = r.toWireCanonical();
canonical_rrs.add(wire_fmt);
@ -218,9 +211,8 @@ public class SignUtils
Collections.sort(canonical_rrs, bac);
for (Iterator i = canonical_rrs.iterator(); i.hasNext();)
for (byte[] wire_fmt_rec : canonical_rrs)
{
byte[] wire_fmt_rec = (byte[]) i.next();
image.writeByteArray(wire_fmt_rec);
}
@ -240,8 +232,7 @@ public class SignUtils
public static byte[] generateSigData(RRset rrset, RRSIGRecord presig)
throws IOException
{
byte[] rrset_data = generateCanonicalRRsetData(rrset,
presig.getOrigTTL(),
byte[] rrset_data = generateCanonicalRRsetData(rrset, presig.getOrigTTL(),
presig.getLabels());
return generateSigData(rrset_data, presig);
@ -285,11 +276,11 @@ public class SignUtils
*/
public static RRSIGRecord generateRRSIG(byte[] signature, RRSIGRecord presig)
{
return new RRSIGRecord(presig.getName(), presig.getDClass(),
presig.getTTL(), presig.getTypeCovered(),
presig.getAlgorithm(), presig.getOrigTTL(),
presig.getExpire(), presig.getTimeSigned(),
presig.getFootprint(), presig.getSigner(), signature);
return new RRSIGRecord(presig.getName(), presig.getDClass(), presig.getTTL(),
presig.getTypeCovered(), presig.getAlgorithm(),
presig.getOrigTTL(), presig.getExpire(),
presig.getTimeSigned(), presig.getFootprint(),
presig.getSigner(), signature);
}
/**
@ -311,8 +302,7 @@ public class SignUtils
* if there was something wrong with the RFC 2536 formatted
* signature.
*/
public static byte[] convertDSASignature(byte[] signature)
throws SignatureException
public static byte[] convertDSASignature(byte[] signature) throws SignatureException
{
if (signature.length != 41)
throw new SignatureException("RFC 2536 signature not expected length.");
@ -380,8 +370,7 @@ public class SignUtils
{
if (signature[0] != ASN1_SEQ || signature[2] != ASN1_INT)
{
throw new SignatureException(
"Invalid ASN.1 signature format: expected SEQ, INT");
throw new SignatureException("Invalid ASN.1 signature format: expected SEQ, INT");
}
byte r_pad = (byte) (signature[3] - 20);
@ -478,8 +467,8 @@ public class SignUtils
* the name of the last DELEGATION record/set that was encountered
* while iterating over the zone in canonical order.
*/
public static int recordSecType(Name zonename, Name name, int type,
Name last_cut, Name last_dname)
public static int recordSecType(Name zonename, Name name, int type, Name last_cut,
Name last_dname)
{
// records not even in the zone itself are invalid.
if (!name.subdomain(zonename)) return RR_INVALID;
@ -493,7 +482,7 @@ public class SignUtils
// a delegation point (NS, DS, NSEC), this is glue.
if (name.equals(last_cut))
{
if (type != Type.NS && type != Type.DS && type != Type.NXT && type != Type.NSEC)
if (type != Type.NS && type != Type.DS && type != Type.NXT && type != Type.NSEC)
{
return RR_GLUE;
}
@ -503,18 +492,19 @@ public class SignUtils
{
return RR_GLUE;
}
}
// if we are below a DNAME, then the RR is invalid.
if (last_dname != null && name.subdomain(last_dname) && name.labels() > last_dname.labels())
if (last_dname != null && name.subdomain(last_dname)
&& name.labels() > last_dname.labels())
{
return RR_INVALID;
}
// since we are not at zone level, any NS records are delegations
if (type == Type.NS) return RR_DELEGATION;
// and everything else is normal
return RR_NORMAL;
}
@ -528,24 +518,13 @@ public class SignUtils
* canonical order.
* @return a List of {@link org.xbill.DNS.RRset} objects.
*/
public static List assembleIntoRRsets(List records)
public static List<RRset> assembleIntoRRsets(List<Record> records)
{
RRset rrset = new RRset();
ArrayList rrsets = new ArrayList();
ArrayList<RRset> rrsets = new ArrayList<RRset>();
for (Iterator i = records.iterator(); i.hasNext();)
for (Record r : records)
{
Object o = i.next();
if (!(o instanceof Record))
{
log.warning("assembleIntoRRsets: a non-record object was "
+ "encountered and skipped: " + o + " (" + o.getClass() + ")");
continue;
}
Record r = (Record) o;
// First record
if (rrset.size() == 0)
{
@ -581,14 +560,14 @@ public class SignUtils
*/
private static class NodeInfo
{
public Name name;
public int type;
public long ttl;
public int dclass;
public Set typemap;
public boolean isSecureNode; // opt-in support.
public boolean hasOptInSpan; // opt-in support.
public int nsecIndex;
public Name name;
public int type;
public long ttl;
public int dclass;
public Set<Integer> typemap;
public boolean isSecureNode; // opt-in support.
public boolean hasOptInSpan; // opt-in support.
public int nsecIndex;
public NodeInfo(Record r, int nodeType)
{
@ -596,7 +575,7 @@ public class SignUtils
this.type = nodeType;
this.ttl = r.getTTL();
this.dclass = r.getDClass();
this.typemap = new HashSet();
this.typemap = new HashSet<Integer>();
this.isSecureNode = false;
this.hasOptInSpan = false;
addType(r.getType());
@ -613,9 +592,10 @@ public class SignUtils
isSecureNode = true;
}
}
public boolean hasType(int type) {
return this.typemap.contains(new Integer(type));
public boolean hasType(int type)
{
return this.typemap.contains(type);
}
public String toString()
@ -653,7 +633,7 @@ public class SignUtils
* a list of {@link org.xbill.DNS.Record} objects in DNSSEC canonical
* order.
*/
public static void generateNSECRecords(Name zonename, List records)
public static void generateNSECRecords(Name zonename, List<Record> records)
{
// This works by iterating over a known sorted list of records.
@ -667,24 +647,24 @@ public class SignUtils
// First find the SOA record -- it should be near the beginning -- and get
// the soa minimum
for (Iterator i = records.iterator(); i.hasNext();)
for (Record r : records)
{
Object o = i.next();
if (o instanceof SOARecord)
if (r.getType() == Type.SOA)
{
SOARecord soa = (SOARecord) o;
SOARecord soa = (SOARecord) r;
nsec_ttl = soa.getMinimum();
break;
}
}
if (nsec_ttl == 0)
{
throw new IllegalArgumentException("Zone did not contain a SOA record");
}
for (ListIterator i = records.listIterator(); i.hasNext();)
for (ListIterator<Record> i = records.listIterator(); i.hasNext();)
{
Record r = (Record) i.next();
Record r = i.next();
Name r_name = r.getName();
int r_type = r.getType();
int r_sectype = recordSecType(zonename, r_name, r_type, last_cut, last_dname);
@ -697,7 +677,7 @@ public class SignUtils
// if this is a DNAME, note it so we can recognize junk
if (r_type == Type.DNAME) last_dname = r_name;
// first node -- initialize
if (current_node == null)
{
@ -716,9 +696,8 @@ public class SignUtils
if (last_node != null)
{
NSECRecord nsec = new NSECRecord(last_node.name, last_node.dclass,
nsec_ttl, current_node.name,
last_node.getTypes());
NSECRecord nsec = new NSECRecord(last_node.name, last_node.dclass, nsec_ttl,
current_node.name, last_node.getTypes());
// Note: we have to add this through the iterator, otherwise
// the next access via the iterator will generate a
// ConcurrencyModificationException.
@ -743,17 +722,15 @@ public class SignUtils
// Generate next to last NSEC
if (last_node != null)
{
NSECRecord nsec = new NSECRecord(last_node.name, last_node.dclass,
nsec_ttl, current_node.name,
last_node.getTypes());
NSECRecord nsec = new NSECRecord(last_node.name, last_node.dclass, nsec_ttl,
current_node.name, last_node.getTypes());
records.add(last_node.nsecIndex - 1, nsec);
log.finer("Generated: " + nsec);
}
// Generate last NSEC
NSECRecord nsec = new NSECRecord(current_node.name, current_node.dclass,
nsec_ttl, zonename,
current_node.getTypes());
NSECRecord nsec = new NSECRecord(current_node.name, current_node.dclass, nsec_ttl,
zonename, current_node.getTypes());
records.add(nsec);
log.finer("Generated: " + nsec);
@ -781,12 +758,11 @@ public class SignUtils
* will use the SOA minimum)
* @throws NoSuchAlgorithmException
*/
public static void generateNSEC3Records(Name zonename, List records,
byte[] salt, int iterations,
long nsec3param_ttl)
public static void generateNSEC3Records(Name zonename, List<Record> records,
byte[] salt, int iterations, long nsec3param_ttl)
throws NoSuchAlgorithmException
{
List proto_nsec3s = new ArrayList();
List<ProtoNSEC3> proto_nsec3s = new ArrayList<ProtoNSEC3>();
NodeInfo current_node = null;
NodeInfo last_node = null;
// For detecting glue.
@ -796,9 +772,8 @@ public class SignUtils
long nsec3_ttl = 0;
for (Iterator i = records.iterator(); i.hasNext();)
for (Record r : records)
{
Record r = (Record) i.next();
Name r_name = r.getName();
int r_type = r.getType();
@ -813,7 +788,7 @@ public class SignUtils
// note our last DNAME point, so we can recognize junk.
if (r_type == Type.DNAME) last_dname = r_name;
if (r_type == Type.SOA)
{
SOARecord soa = (SOARecord) r;
@ -841,30 +816,24 @@ public class SignUtils
// At this point, r represents the start of a new node.
// So we move current_node to last_node and generate a new current node.
// But first, we need to do something with the last node.
generateNSEC3ForNode(last_node, zonename, salt, iterations, false,
proto_nsec3s);
generateNSEC3ForNode(last_node, zonename, salt, iterations, false, proto_nsec3s);
last_node = current_node;
current_node = new NodeInfo(r, r_sectype);
}
// process last two nodes.
generateNSEC3ForNode(last_node, zonename, salt, iterations, false,
proto_nsec3s);
generateNSEC3ForNode(current_node, zonename, salt, iterations, false,
proto_nsec3s);
generateNSEC3ForNode(last_node, zonename, salt, iterations, false, proto_nsec3s);
generateNSEC3ForNode(current_node, zonename, salt, iterations, false, proto_nsec3s);
List nsec3s = finishNSEC3s(proto_nsec3s, nsec3_ttl);
List<NSEC3Record> nsec3s = finishNSEC3s(proto_nsec3s, nsec3_ttl);
records.addAll(nsec3s);
NSEC3PARAMRecord nsec3param = new NSEC3PARAMRecord(
zonename,
DClass.IN,
NSEC3PARAMRecord nsec3param = new NSEC3PARAMRecord(zonename, DClass.IN,
nsec3param_ttl,
NSEC3Record.SHA1_DIGEST_ID,
(byte) 0, iterations,
salt);
(byte) 0, iterations, salt);
records.add(nsec3param);
}
@ -897,13 +866,12 @@ public class SignUtils
* will use the SOA minimum)
* @throws NoSuchAlgorithmException
*/
public static void generateOptOutNSEC3Records(Name zonename, List records,
List includedNames,
byte[] salt, int iterations,
long nsec3param_ttl)
public static void generateOptOutNSEC3Records(Name zonename, List<Record> records,
List<Name> includedNames, byte[] salt,
int iterations, long nsec3param_ttl)
throws NoSuchAlgorithmException
{
List proto_nsec3s = new ArrayList();
List<ProtoNSEC3> proto_nsec3s = new ArrayList<ProtoNSEC3>();
NodeInfo current_node = null;
NodeInfo last_node = null;
// For detecting glue.
@ -913,15 +881,14 @@ public class SignUtils
long nsec3_ttl = 0;
HashSet includeSet = null;
HashSet<Name> includeSet = null;
if (includedNames != null)
{
includeSet = new HashSet(includedNames);
includeSet = new HashSet<Name>(includedNames);
}
for (Iterator i = records.iterator(); i.hasNext();)
for (Record r : records)
{
Record r = (Record) i.next();
Name r_name = r.getName();
int r_type = r.getType();
@ -935,7 +902,7 @@ public class SignUtils
if (r_sectype == RR_DELEGATION) last_cut = r_name;
if (r_type == Type.DNAME) last_dname = r_name;
if (r_type == Type.SOA)
{
SOARecord soa = (SOARecord) r;
@ -968,8 +935,7 @@ public class SignUtils
// At this point, r represents the start of a new node.
// So we move current_node to last_node and generate a new current node.
// But first, we need to do something with the last node.
generateNSEC3ForNode(last_node, zonename, salt, iterations, true,
proto_nsec3s);
generateNSEC3ForNode(last_node, zonename, salt, iterations, true, proto_nsec3s);
if (current_node.isSecureNode)
{
@ -984,21 +950,16 @@ public class SignUtils
}
// process last two nodes.
generateNSEC3ForNode(last_node, zonename, salt, iterations, true,
proto_nsec3s);
generateNSEC3ForNode(current_node, zonename, salt, iterations, true,
proto_nsec3s);
generateNSEC3ForNode(last_node, zonename, salt, iterations, true, proto_nsec3s);
generateNSEC3ForNode(current_node, zonename, salt, iterations, true, proto_nsec3s);
List nsec3s = finishNSEC3s(proto_nsec3s, nsec3_ttl);
List<NSEC3Record> nsec3s = finishNSEC3s(proto_nsec3s, nsec3_ttl);
records.addAll(nsec3s);
NSEC3PARAMRecord nsec3param = new NSEC3PARAMRecord(
zonename,
DClass.IN,
NSEC3PARAMRecord nsec3param = new NSEC3PARAMRecord(zonename, DClass.IN,
nsec3param_ttl,
NSEC3Record.SHA1_DIGEST_ID,
(byte) 0, iterations,
salt);
(byte) 0, iterations, salt);
records.add(nsec3param);
}
@ -1021,16 +982,16 @@ public class SignUtils
* The current list of NSEC3s -- this will be updated.
* @throws NoSuchAlgorithmException
*/
private static void generateNSEC3ForNode(NodeInfo node, Name zonename,
byte[] salt, int iterations,
boolean optIn, List nsec3s)
private static void generateNSEC3ForNode(NodeInfo node, Name zonename, byte[] salt,
int iterations, boolean optIn, List<ProtoNSEC3> nsec3s)
throws NoSuchAlgorithmException
{
if (node == null) return;
if (optIn && !node.isSecureNode) return;
// Add our default types.
if (node.type == RR_NORMAL || (node.type == RR_DELEGATION && node.hasType(Type.DS))) {
if (node.type == RR_NORMAL || (node.type == RR_DELEGATION && node.hasType(Type.DS)))
{
node.addType(Type.RRSIG);
}
if (node.name.equals(zonename)) node.addType(Type.NSEC3PARAM);
@ -1042,13 +1003,13 @@ public class SignUtils
{
Name n = new Name(node.name, i);
log.fine("Generating ENT NSEC3 for " + n);
ProtoNSEC3 nsec3 = generateNSEC3(n, zonename, node.ttl, salt, iterations,
optIn, null);
ProtoNSEC3 nsec3 = generateNSEC3(n, zonename, node.ttl, salt, iterations, optIn,
null);
nsec3s.add(nsec3);
}
ProtoNSEC3 nsec3 = generateNSEC3(node.name, zonename, node.ttl, salt,
iterations, optIn, node.getTypes());
ProtoNSEC3 nsec3 = generateNSEC3(node.name, zonename, node.ttl, salt, iterations,
optIn, node.getTypes());
nsec3s.add(nsec3);
}
@ -1074,17 +1035,15 @@ public class SignUtils
* @throws NoSuchAlgorithmException
*/
private static ProtoNSEC3 generateNSEC3(Name name, Name zonename, long ttl,
byte[] salt, int iterations,
boolean optIn, int[] types)
throws NoSuchAlgorithmException
byte[] salt, int iterations, boolean optIn,
int[] types) throws NoSuchAlgorithmException
{
byte[] hash = nsec3hash(name, NSEC3Record.SHA1_DIGEST_ID,
iterations, salt);
byte[] hash = nsec3hash(name, NSEC3Record.SHA1_DIGEST_ID, iterations, salt);
byte flags = (byte) (optIn ? 0x01 : 0x00);
ProtoNSEC3 r = new ProtoNSEC3(hash, name, zonename, DClass.IN, ttl,
NSEC3Record.SHA1_DIGEST_ID, flags,
iterations, salt, null, types);
NSEC3Record.SHA1_DIGEST_ID, flags, iterations, salt,
null, types);
log.finer("Generated: " + r);
return r;
@ -1102,7 +1061,7 @@ public class SignUtils
* should match the SOA minimum value for the zone.
* @return The list of {@link org.xbill.DNS.NSEC3Record} objects.
*/
private static List finishNSEC3s(List nsec3s, long ttl)
private static List<NSEC3Record> finishNSEC3s(List<ProtoNSEC3> nsec3s, long ttl)
{
if (nsec3s == null) return null;
Collections.sort(nsec3s, new ProtoNSEC3.Comparator());
@ -1111,9 +1070,9 @@ public class SignUtils
ProtoNSEC3 cur_nsec3 = null;
byte[] first_nsec3_hash = null;
for (ListIterator i = nsec3s.listIterator(); i.hasNext();)
for (ListIterator<ProtoNSEC3> i = nsec3s.listIterator(); i.hasNext();)
{
cur_nsec3 = (ProtoNSEC3) i.next();
cur_nsec3 = i.next();
// check to see if cur is a duplicate (by name)
if (prev_nsec3 != null
@ -1154,10 +1113,9 @@ public class SignUtils
}
// Convert our ProtoNSEC3s to actual (immutable) NSEC3Record objects.
List res = new ArrayList(nsec3s.size());
for (Iterator i = nsec3s.iterator(); i.hasNext();)
List<NSEC3Record> res = new ArrayList<NSEC3Record>(nsec3s.size());
for (ProtoNSEC3 p : nsec3s)
{
ProtoNSEC3 p = (ProtoNSEC3) i.next();
p.setTTL(ttl);
res.add(p.getNSEC3Record());
}
@ -1184,8 +1142,8 @@ public class SignUtils
* if true, then Opt-In NXTs will only be generated where there is
* actually a span of insecure delegations.
*/
public static void generateOptInNSECRecords(Name zonename, List records,
List includeNames,
public static void generateOptInNSECRecords(Name zonename, List<Record> records,
List<Name> includeNames,
boolean beConservative)
{
// This works by iterating over a known sorted list of records.
@ -1195,18 +1153,18 @@ public class SignUtils
Name last_cut = null;
Name last_dname = null;
int backup;
HashSet includeSet = null;
HashSet<Name> includeSet = null;
if (includeNames != null)
{
includeSet = new HashSet(includeNames);
includeSet = new HashSet<Name>(includeNames);
}
for (ListIterator i = records.listIterator(); i.hasNext();)
for (ListIterator<Record> i = records.listIterator(); i.hasNext();)
{
Record r = (Record) i.next();
Record r = i.next();
Name r_name = r.getName();
int r_type = r.getType();
int r_sectype = recordSecType(zonename, r_name, r_type, last_cut, last_dname);
@ -1218,7 +1176,7 @@ public class SignUtils
if (r_sectype == RR_DELEGATION) last_cut = r_name;
if (r_type == Type.DNAME) last_dname = r_name;
// first node -- initialize
if (current_node == null)
{
@ -1248,9 +1206,8 @@ public class SignUtils
{
last_node.addType(Type.NSEC);
}
NSECRecord nsec = new NSECRecord(last_node.name, last_node.dclass,
last_node.ttl, current_node.name,
last_node.getTypes());
NSECRecord nsec = new NSECRecord(last_node.name, last_node.dclass, last_node.ttl,
current_node.name, last_node.getTypes());
// Note: we have to add this through the iterator, otherwise
// the next access via the iterator will generate a
// ConcurrencyModificationException.
@ -1289,9 +1246,8 @@ public class SignUtils
{
last_node.addType(Type.NSEC);
}
NSECRecord nsec = new NSECRecord(last_node.name, last_node.dclass,
last_node.ttl, current_node.name,
last_node.getTypes());
NSECRecord nsec = new NSECRecord(last_node.name, last_node.dclass, last_node.ttl,
current_node.name, last_node.getTypes());
records.add(last_node.nsecIndex - 1, nsec);
log.finer("Generated: " + nsec);
}
@ -1304,16 +1260,16 @@ public class SignUtils
{
current_node.addType(Type.NSEC);
}
nsec = new NSECRecord(current_node.name, current_node.dclass,
current_node.ttl, zonename, current_node.getTypes());
nsec = new NSECRecord(current_node.name, current_node.dclass, current_node.ttl,
zonename, current_node.getTypes());
// we can just tack this on the end as we are working on the
// last node.
records.add(nsec);
}
else
{
nsec = new NSECRecord(last_node.name, last_node.dclass, last_node.ttl,
zonename, last_node.getTypes());
nsec = new NSECRecord(last_node.name, last_node.dclass, last_node.ttl, zonename,
last_node.getTypes());
// We need to tack this on after the last secure node, not the
// end of the whole list.
records.add(last_node.nsecIndex, nsec);
@ -1334,13 +1290,12 @@ public class SignUtils
* @param digest_alg
* The digest algorithm to use.
*/
public static void generateDSRecords(Name zonename, List records,
int digest_alg)
public static void generateDSRecords(Name zonename, List<Record> records, int digest_alg)
{
for (ListIterator i = records.listIterator(); i.hasNext();)
for (ListIterator<Record> i = records.listIterator(); i.hasNext();)
{
Record r = (Record) i.next();
Record r = i.next();
if (r == null) continue; // this should never be true.
Name r_name = r.getName();
@ -1349,8 +1304,7 @@ public class SignUtils
// Convert non-zone level KEY records into DS records.
if (r.getType() == Type.DNSKEY && !r_name.equals(zonename))
{
DSRecord ds = calculateDSRecord((DNSKEYRecord) r, digest_alg,
r.getTTL());
DSRecord ds = calculateDSRecord((DNSKEYRecord) r, digest_alg, r.getTTL());
i.set(ds);
}
@ -1365,9 +1319,9 @@ public class SignUtils
* @param records
* a list of {@link org.xbill.DNS.Record} objects.
*/
public static void removeGeneratedRecords(Name zonename, List records)
public static void removeGeneratedRecords(Name zonename, List<Record> records)
{
for (Iterator i = records.iterator(); i.hasNext();)
for (Iterator<Record> i = records.iterator(); i.hasNext();)
{
Record r = (Record) i.next();
@ -1387,12 +1341,12 @@ public class SignUtils
* @param records
* a list of {@link org.xbill.DNS.Record} object, in sorted order.
*/
public static void removeDuplicateRecords(List records)
public static void removeDuplicateRecords(List<Record> records)
{
Record lastrec = null;
for (Iterator i = records.iterator(); i.hasNext();)
for (Iterator<Record> i = records.iterator(); i.hasNext();)
{
Record r = (Record) i.next();
Record r = i.next();
if (lastrec == null)
{
lastrec = r;
@ -1419,8 +1373,7 @@ public class SignUtils
* the original KEY RR's TTL will be used.
* @return the corresponding {@link org.xbill.DNS.DSRecord}
*/
public static DSRecord calculateDSRecord(DNSKEYRecord keyrec, int digest_alg,
long ttl)
public static DSRecord calculateDSRecord(DNSKEYRecord keyrec, int digest_alg, long ttl)
{
if (keyrec == null) return null;
@ -1451,8 +1404,8 @@ public class SignUtils
}
return new DSRecord(keyrec.getName(), keyrec.getDClass(), ttl,
keyrec.getFootprint(), keyrec.getAlgorithm(),
digest_alg, digest);
keyrec.getFootprint(), keyrec.getAlgorithm(), digest_alg,
digest);
}
catch (NoSuchAlgorithmException e)
@ -1464,16 +1417,21 @@ public class SignUtils
/**
* Calculate an NSEC3 hash based on a DNS name and NSEC3 hash parameters.
*
* @param n The name to hash.
* @param hash_algorithm The hash algorithm to use.
* @param iterations The number of iterations to do.
* @param salt The salt to use.
*
* @param n
* The name to hash.
* @param hash_algorithm
* The hash algorithm to use.
* @param iterations
* The number of iterations to do.
* @param salt
* The salt to use.
* @return The calculated hash as a byte array.
* @throws NoSuchAlgorithmException If the hash algorithm is unrecognized.
* @throws NoSuchAlgorithmException
* If the hash algorithm is unrecognized.
*/
public static byte[] nsec3hash(Name n, byte hash_algorithm, int iterations,
byte[] salt) throws NoSuchAlgorithmException
public static byte[] nsec3hash(Name n, byte hash_algorithm, int iterations, byte[] salt)
throws NoSuchAlgorithmException
{
MessageDigest md;
@ -1482,9 +1440,9 @@ public class SignUtils
case NSEC3Record.SHA1_DIGEST_ID:
md = MessageDigest.getInstance("SHA1");
break;
default :
throw new NoSuchAlgorithmException(
"Unknown NSEC3 algorithm identifier: " + hash_algorithm);
default:
throw new NoSuchAlgorithmException("Unknown NSEC3 algorithm identifier: "
+ hash_algorithm);
}
// Construct our wire form.

13
src/com/verisignlabs/dnssec/security/TypeMap.java
View File

@ -22,29 +22,29 @@ public class TypeMap
{
private static final Integer[] integerArray = new Integer[0];
private Set typeSet;
private Set<Integer> typeSet;
public TypeMap()
{
this.typeSet = new HashSet();
this.typeSet = new HashSet<Integer>();
}
/** Add the given type to the typemap. */
public void set(int type)
{
typeSet.add(new Integer(type));
typeSet.add(type);
}
/** Remove the given type from the type map. */
public void clear(int type)
{
typeSet.remove(new Integer(type));
typeSet.remove(type);
}
/** @return true if the given type is present in the type map. */
public boolean get(int type)
{
return typeSet.contains(new Integer(type));
return typeSet.contains(type);
}
public static TypeMap fromTypes(int[] types)
@ -109,8 +109,7 @@ public class TypeMap
return sb.toString();
}
protected static void mapToWire(DNSOutput out, int[] types, int base,
int start, int end)
protected static void mapToWire(DNSOutput out, int[] types, int base, int start, int end)
{
// calculate the length of this map by looking at the largest
// typecode in this section.

74
src/com/verisignlabs/dnssec/security/ZoneUtils.java
View File

@ -56,9 +56,9 @@ public class ZoneUtils
* @throws IOException
* if something goes wrong reading the zone file.
*/
public static List readZoneFile(String zonefile, Name origin) throws IOException
public static List<Record> readZoneFile(String zonefile, Name origin) throws IOException
{
ArrayList records = new ArrayList();
ArrayList<Record> records = new ArrayList<Record>();
Master m;
if (zonefile.equals("-"))
{
@ -88,7 +88,7 @@ public class ZoneUtils
* @param zonefile
* the file to write to. If null or equal to "-", System.out is used.
*/
public static void writeZoneFile(List records, String zonefile) throws IOException
public static void writeZoneFile(List<Record> records, String zonefile) throws IOException
{
PrintWriter out = null;
@ -101,9 +101,9 @@ public class ZoneUtils
out = new PrintWriter(new BufferedWriter(new FileWriter(zonefile)));
}
for (Iterator i = records.iterator(); i.hasNext();)
for (Record r : records)
{
out.println(i.next());
out.println(r);
}
out.close();
@ -113,63 +113,29 @@ public class ZoneUtils
* Given just the list of records, determine the zone name (origin).
*
* @param records
* a list of {@link org.xbill.DNS.Record} or
* {@link org.xbill.DNS.RRset} objects.
* a list of {@link org.xbill.DNS.Record} objects.
* @return the zone name, if found. null if one couldn't be found.
*/
public static Name findZoneName(List records)
public static Name findZoneName(List<Record> records)
{
for (Iterator i = records.iterator(); i.hasNext();)
for (Record r : records)
{
int type = 0;
Name n = null;
int type = r.getType();
Object o = i.next();
if (o instanceof Record)
{
Record r = (Record) o;
type = r.getType();
n = r.getName();
}
else if (o instanceof RRset)
{
RRset r = (RRset) o;
type = r.getType();
n = r.getName();
}
if (type == Type.SOA) return n;
if (type == Type.SOA) return r.getName();
}
return null;
}
public static List findRRs(List records, Name name, int type)
public static List<Record> findRRs(List<Record> records, Name name, int type)
{
List res = new ArrayList();
for (Iterator i = records.iterator(); i.hasNext();)
List<Record> res = new ArrayList<Record>();
for (Record r : records)
{
Object o = i.next();
if (o instanceof Record)
if (r.getName().equals(name) && r.getType() == type)
{
Record r = (Record) o;
if (r.getName().equals(name) && r.getType() == type)
{
res.add(r);
}
}
else if (o instanceof RRset)
{
RRset r = (RRset) o;
if (r.getName().equals(name) && r.getType() == type)
{
for (Iterator j = r.rrs(); j.hasNext();)
{
res.add(j.next());
}
}
res.add(r);
}
}
@ -177,21 +143,23 @@ public class ZoneUtils
}
/** This is an alternate way to format an RRset into a string */
@SuppressWarnings("unchecked")
public static String rrsetToString(RRset rrset, boolean includeSigs)
{
StringBuilder out = new StringBuilder();
for (Iterator i = rrset.rrs(false); i.hasNext();)
for (Iterator<Record> i = rrset.rrs(false); i.hasNext();)
{
Record r = (Record) i.next();
Record r = i.next();
out.append(r.toString());
out.append("\n");
}
if (includeSigs)
{
for (Iterator i = rrset.sigs(); i.hasNext();)
for (Iterator<Record> i = rrset.sigs(); i.hasNext();)
{
Record r = (Record) i.next();
Record r = i.next();
out.append(r.toString());
out.append("\n");
}

15
src/com/verisignlabs/dnssec/security/ZoneVerifier.java
View File

@ -337,25 +337,26 @@ public class ZoneVerifier
return errors;
}
private static String reasonListToString(List reasons)
private static String reasonListToString(List<String> reasons)
{
if (reasons == null) return "";
StringBuffer out = new StringBuffer();
for (Iterator i = reasons.iterator(); i.hasNext();)
for (Iterator<String> i = reasons.iterator(); i.hasNext();)
{
out.append("Reason: ");
out.append((String) i.next());
out.append(i.next());
if (i.hasNext()) out.append("\n");
}
return out.toString();
}
@SuppressWarnings("unchecked")
private int processRRset(RRset rrset)
{
List reasons = new ArrayList();
List<String> reasons = new ArrayList<String>();
int result = DNSSEC.Failed;
for (Iterator i = rrset.sigs(); i.hasNext();)
for (Iterator<Record> i = rrset.sigs(); i.hasNext();)
{
RRSIGRecord sigrec = (RRSIGRecord) i.next();
byte res = mVerifier.verifySignature(rrset, sigrec, null, reasons);
@ -415,7 +416,7 @@ public class ZoneVerifier
// should be empty.
if (typeset == null) return types.length == 0;
Set compareTypeset = new HashSet();
Set<Integer> compareTypeset = new HashSet<Integer>();
for (int i = 0; i < types.length; ++i)
{
compareTypeset.add(types[i]);
@ -705,7 +706,7 @@ public class ZoneVerifier
return errors;
}
public int verifyZone(List records) throws NoSuchAlgorithmException, TextParseException
public int verifyZone(List<Record> records) throws NoSuchAlgorithmException, TextParseException
{
int errors = 0;